view src/main/java/de/intevation/lada/util/auth/MessungAuthorizer.java @ 1292:588f6deae24a
Fix authorization for OrtszuordnungMp and friends.
Setting readonly equal to owner implied that an owner could not edit their own
objects. That was probably not intended. As many of the conditionals
actually evaluated to doing nothing, those were removed.
author | Tom Gottfried <tom@intevation.de> |
---|---|
date | Wed, 08 Feb 2017 19:56:01 +0100 |
parents | 186d602e031a |
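/* Copyright (C) 2013 by Bundesamt fuer Strahlenschutz
 * Software engineering by Intevation GmbH
 *
 * This file is Free Software under the GNU GPL (v>=3)
 * and comes with ABSOLUTELY NO WARRANTY! Check out
 * the documentation coming with IMIS-Labordaten-Application for details.
 */
package de.intevation.lada.util.auth;

import java.util.ArrayList;
import java.util.List;

import de.intevation.lada.model.land.Messung;
import de.intevation.lada.model.land.Probe;
import de.intevation.lada.model.land.StatusProtokoll;
import de.intevation.lada.model.stammdaten.AuthLstUmw;
import de.intevation.lada.model.stammdaten.MessStelle;
import de.intevation.lada.model.stammdaten.StatusKombi;
import de.intevation.lada.util.data.QueryBuilder;
import de.intevation.lada.util.rest.RequestMethod;
import de.intevation.lada.util.rest.Response;

/**
 * Authorizer for {@link Messung} objects.
 *
 * Write access (POST/PUT/DELETE) is derived from the rights the user has on
 * the {@link Probe} the Messung belongs to ({@code getAuthorization} of the
 * base class) and, for PUT/DELETE, from the Messung not being read-only.
 * Read access additionally depends on the Messung's status value.
 * {@link #filter} annotates Messung objects with the owner/readonly/statusEdit
 * flags the client uses.
 */
public class MessungAuthorizer extends BaseAuthorizer {

    /** Function id queried via {@code getFunktionenForMst}: edit status for a 'Messstelle'. */
    private static final int FUNKTION_MESSSTELLE = 1;

    /** Function id queried via {@code getFunktionenForNetzbetreiber}: edit status for a 'Netzbetreiber'. */
    private static final int FUNKTION_NETZBETREIBER = 2;

    /** Global function id of a 'Leitstelle' user (queried via {@code getFunktionen}). */
    private static final int FUNKTION_LEITSTELLE = 3;

    /**
     * Decide whether the user may perform {@code method} on a Messung.
     *
     * @param data The Messung object (cast from Object).
     * @param method The request method.
     * @param userInfo The user information.
     * @param clazz Unused; part of the authorizer interface.
     * @return true if the request is allowed.
     */
    @Override
    public <T> boolean isAuthorized(
        Object data,
        RequestMethod method,
        UserInfo userInfo,
        Class<T> clazz
    ) {
        Messung messung = (Messung)data;
        Probe probe = loadProbe(messung);

        if (method == RequestMethod.PUT || method == RequestMethod.DELETE) {
            // Modifying requires an editable Messung and rights on the Probe.
            return !this.isMessungReadOnly(messung.getId())
                && getAuthorization(userInfo, probe);
        }
        if (method == RequestMethod.POST) {
            return getAuthorization(userInfo, probe);
        }

        // Read access (GET etc.): a Messung whose status value is above 0 is
        // readable by every caller; otherwise the Probe rights decide.
        StatusKombi kombi = loadStatusKombi(messung);
        if (kombi == null) {
            // No status assigned yet (setAuthData handles the same case).
            // Fall back to the Probe rights instead of dereferencing null.
            return getAuthorization(userInfo, probe);
        }
        return kombi.getStatusWert().getId() > 0
            || getAuthorization(userInfo, probe);
    }

    /**
     * Annotate the Messung object(s) in the response with the authorization
     * flags (owner, readonly, statusEdit) for the given user.
     *
     * @param data The response holding a Messung or a list of Messung objects.
     * @param userInfo The user information.
     * @param clazz Unused; part of the authorizer interface.
     * @return The same response with annotated data.
     */
    @SuppressWarnings("unchecked")
    @Override
    public <T> Response filter(
        Response data,
        UserInfo userInfo,
        Class<T> clazz
    ) {
        Object payload = data.getData();
        if (payload instanceof List<?>) {
            List<Messung> input = (List<Messung>)payload;
            List<Messung> messungen = new ArrayList<Messung>(input.size());
            for (Messung messung : input) {
                messungen.add(setAuthData(userInfo, messung));
            }
            data.setData(messungen);
        } else if (payload instanceof Messung) {
            data.setData(setAuthData(userInfo, (Messung)payload));
        }
        return data;
    }

    /**
     * Authorize a single Messung object by setting its owner, readonly and
     * statusEdit flags.
     *
     * @param userInfo The user information.
     * @param messung The Messung object.
     * @return The same Messung with the flags set.
     */
    private Messung setAuthData(
        UserInfo userInfo,
        Messung messung
    ) {
        Probe probe = loadProbe(messung);
        MessStelle mst = repository.getByIdPlain(
            MessStelle.class, probe.getMstId(), "stamm");

        // Users outside the Netzbetreiber of the measuring station only get
        // read access - unless they have the global 'Leitstelle' function.
        if (!userInfo.getNetzbetreiber().contains(mst.getNetzbetreiberId())
            && !userInfo.getFunktionen().contains(FUNKTION_LEITSTELLE)) {
            messung.setOwner(false);
            messung.setReadonly(true);
            messung.setStatusEdit(false);
            return messung;
        }

        messung.setOwner(
            userInfo.belongsTo(probe.getMstId(), probe.getLaborMstId()));

        if (messung.getStatus() == null) {
            // Without a status the Messung is editable but has no status to edit.
            messung.setReadonly(false);
            messung.setStatusEdit(false);
            return messung;
        }

        StatusKombi kombi = loadStatusKombi(messung);
        int stufe = kombi.getStatusStufe().getId();
        int wert = kombi.getStatusWert().getId();
        // Only status values 0 and 4 leave the Messung editable.
        messung.setReadonly(wert != 0 && wert != 4);
        messung.setStatusEdit(mayEditStatus(userInfo, probe, mst, stufe, wert));
        return messung;
    }

    /**
     * Decide whether the user may edit the status of a Messung with the given
     * status level and value.
     *
     * @param userInfo The user information.
     * @param probe The Probe the Messung belongs to.
     * @param mst The Messstelle of the Probe.
     * @param stufe The status level id of the current status.
     * @param wert The status value id of the current status.
     * @return true if any of the Leitstelle, Netzbetreiber or Messstelle
     *         rules grants status editing.
     */
    private boolean mayEditStatus(
        UserInfo userInfo,
        Probe probe,
        MessStelle mst,
        int stufe,
        int wert
    ) {
        // Does the user belong to an appropriate 'Leitstelle' to edit status?
        // The AuthLstUmw lookup is only needed for status levels 2 and 3, so
        // check the level first and skip the query otherwise.
        if ((stufe == 2 || stufe == 3)
            && userInfo.getFunktionen().contains(FUNKTION_LEITSTELLE)
            && isLeitstelleForUmw(userInfo, probe)) {
            return true;
        }
        // Has the user the right to edit status for the 'Netzbetreiber'?
        if (userInfo.getFunktionenForNetzbetreiber(
                mst.getNetzbetreiberId()).contains(FUNKTION_NETZBETREIBER)
            && (stufe == 1 || stufe == 2)
            && wert >= 1) {
            return true;
        }
        // Has the user the right to edit status for the 'Messstelle'?
        return userInfo.getFunktionenForMst(probe.getMstId())
                .contains(FUNKTION_MESSSTELLE)
            && (stufe <= 1 || wert == 4);
    }

    /**
     * Check whether one of the user's Messstellen is linked (via AuthLstUmw)
     * to the Umwelt id of the given Probe.
     *
     * @param userInfo The user information.
     * @param probe The Probe whose umwId is matched.
     * @return true if a matching AuthLstUmw entry exists.
     */
    private boolean isLeitstelleForUmw(UserInfo userInfo, Probe probe) {
        QueryBuilder<AuthLstUmw> lstFilter = new QueryBuilder<AuthLstUmw>(
            repository.entityManager("stamm"), AuthLstUmw.class);
        lstFilter.or("mstId", userInfo.getMessstellen());
        List<AuthLstUmw> lsts =
            repository.filterPlain(lstFilter.getQuery(), "stamm");
        for (AuthLstUmw lst : lsts) {
            if (lst.getUmwId().equals(probe.getUmwId())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Load the Probe a Messung belongs to.
     *
     * @param messung The Messung.
     * @return The Probe referenced by {@code messung.getProbeId()}.
     */
    private Probe loadProbe(Messung messung) {
        Response response =
            repository.getById(Probe.class, messung.getProbeId(), "land");
        return (Probe)response.getData();
    }

    /**
     * Load the StatusKombi of the Messung's current status.
     *
     * @param messung The Messung.
     * @return The StatusKombi, or null if the Messung has no status.
     */
    private StatusKombi loadStatusKombi(Messung messung) {
        if (messung.getStatus() == null) {
            return null;
        }
        StatusProtokoll status = repository.getByIdPlain(
            StatusProtokoll.class, messung.getStatus(), "land");
        return repository.getByIdPlain(
            StatusKombi.class, status.getStatusKombi(), "stamm");
    }
}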