some more permission related things

src/main/kotlin/com/restapi/Main.kt

@@ -187,7 +187,12 @@ fun main(args: Array<String>) {
                     )
                     put("/{id}", FleetCtrl::update, Roles(Role.Explicit("ROLE_FLEET_CREATE")))
                     post(
-                        "/getAll", FleetCtrl::getAll, Roles(Role.Explicit("ROLE_FLEET_CREATE", "ROLE_FLEET_VIEW"))
+                        "/getAll", FleetCtrl::getAll, Roles(Role.Explicit(
+                            "ROLE_FLEET_CREATE",
+                            "ROLE_FLEET_VIEW",
+                            "ROLE_EXPENSE_CREATE",
+                            "ROLE_EXPENSE_VIEW",
+                        ))
                     )
                     delete("/{id}", FleetCtrl::delete, Roles(Role.Explicit("ROLE_FLEET_CREATE")))
                 }
@@ -291,7 +296,7 @@ fun main(args: Array<String>) {
                 }
             }
 
-            get("/{entity}", Entities::getAll, Roles(adminRole, viewRole, appAdmin) )
+            get("/{entity}", Entities::getAll)
             post("/{entity}/next", Entities::getNextSeqNo, Roles(adminRole, viewRole, appAdmin))
             get("/{entity}/{id}", Entities::view, Roles(adminRole, viewRole, appAdmin))
             post("/{entity}/search", Entities::search, Roles(adminRole, viewRole, appAdmin))

src/main/kotlin/com/restapi/controllers/Entities.kt

@@ -6,6 +6,8 @@ import com.fasterxml.jackson.databind.JsonDeserializer
 import com.fasterxml.jackson.databind.JsonNode
 import com.fasterxml.jackson.databind.annotation.JsonDeserialize
 import com.restapi.domain.*
+import com.restapi.domain.Session.currentRoles
+import com.restapi.domain.Session.currentUser
 import com.restapi.domain.Session.database
 import com.restapi.domain.Session.findDataModelByEntityAndUniqId
 import com.restapi.domain.Session.objectMapper
@@ -136,6 +138,8 @@ object Entities {
         verifyKeys(sql.params)
 
         val entity = ctx.pathParam("entity").lowercase()
+        val noCreatedFilter = currentRoles().contains("ROLE_ADMIN") || sql.createdBy.isNullOrEmpty()
+        val createdFilter = if (noCreatedFilter) "" else "and created_by = :cBy"
         val searchJsonMap = sql.params.map { e -> Pair(e.key, e.value.getValue()) }.toMap()
         val fl = database.find(DataModel::class.java)
             .setRawSql(
@@ -163,6 +167,7 @@ object Entities {
                 where entity_name = :e
                   and created_at between :from and :to
                   and data @> cast(:search as jsonb)
+                  $createdFilter
                   order by sysPk
             """.trimIndent()
                 ).create()
@@ -171,6 +176,12 @@ object Entities {
             .setParameter("to", sql.dateRange.last().plusDays(1))
             .setParameter("e", entity)
             .setParameter("search", objectMapper.writeValueAsString(searchJsonMap))
+            .apply {
+                if (!noCreatedFilter) {
+                    logger.warn("Set Created By Filter to ${currentUser()}")
+                    setParameter("cBy", currentUser())
+                }
+            }
             .findList()
 
         logger.warn("Search jsonMap [$searchJsonMap] => ${fl.size} entries")
@@ -358,6 +369,7 @@ object Entities {
 
 data class SearchParams(
     val params: Map<String, QueryParam> = mapOf(),
+    val createdBy: String?,
     val dateRange: List<LocalDate> = listOf(LocalDate.now().minusDays(7), LocalDate.now())
 )