diff src/main/java/de/intevation/lada/util/auth/NetzbetreiberAuthorizer.java @ 957:4657811fd133
Allow a user only to manipulate Ort with own Netzbetreiber.
author | Tom Gottfried <tom@intevation.de> |
---|---|
date | Wed, 25 May 2016 18:21:54 +0200 |
parents | b09a1da741c4 |
children | 391ef3356b60 |
--- a/src/main/java/de/intevation/lada/util/auth/NetzbetreiberAuthorizer.java Wed May 25 18:10:14 2016 +0200
+++ b/src/main/java/de/intevation/lada/util/auth/NetzbetreiberAuthorizer.java Wed May 25 18:21:54 2016 +0200
@@ -12,6 +12,7 @@
 import de.intevation.lada.util.rest.RequestMethod;
 import de.intevation.lada.util.rest.Response;
+import de.intevation.lada.model.stamm.Ort;
 public class NetzbetreiberAuthorizer extends BaseAuthorizer {
@@ -41,7 +42,11 @@
 method == RequestMethod.PUT ||
 method == RequestMethod.DELETE) &&
 (userInfo.getFunktionenForNetzbetreiber(id).contains(4) ||
- clazz.getName().equals("de.intevation.lada.model.stamm.Ort"));
+ // XXX: this currently allows any user, regardless of function,
+ // to manipulate and delete any ort of his own netzbetreiber!
+ clazz.getName().equals("de.intevation.lada.model.stamm.Ort") &&
+ userInfo.getNetzbetreiber().contains(
+ ((Ort)data).getNetzbetreiberId()));
 }
 @Override
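Review bot: The ownership test added in the `Ort` branch of the second hunk takes the Netzbetreiber from `data` itself, so if `data` is the deserialized request body (its origin is not visible here) a PUT is authorized against the value the client supplied rather than the owner of the stored record; for PUT and DELETE the comparison should use the persisted Ort's `getNetzbetreiberId()`. The branch also depends on `&&` binding tighter than `||` and on a class-name string to guard the cast; with `Ort` now imported, `(data instanceof Ort && userInfo.getNetzbetreiber().contains(((Ort) data).getNetzbetreiberId()))` makes the grouping explicit and keeps a null or mistyped `data` away from the cast. The function-independent access recorded in the XXX comment remains open after this change and deserves a tracked follow-up. The enclosing method and the start of this `return` expression lie outside the hunk.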