Mercurial > lada > lada-server
view src/main/java/de/intevation/lada/util/auth/ProbeIdAuthorizer.java @ 1292:588f6deae24a
Fix authorization for OrtszuordnungMp and friends.
Setting readonly equal to owner implied an owner cannot edit its own
objects. That was probably not intended. As many of the conditionals
actually evaluated to doing nothing, those were removed.
| author | Tom Gottfried <tom@intevation.de> |
|---|---|
| date | Wed, 08 Feb 2017 19:56:01 +0100 |
| parents | 186d602e031a |
| children |
line wrap: on
line source
/* Copyright (C) 2013 by Bundesamt fuer Strahlenschutz * Software engineering by Intevation GmbH * * This file is Free Software under the GNU GPL (v>=3) * and comes with ABSOLUTELY NO WARRANTY! Check out * the documentation coming with IMIS-Labordaten-Application for details. */ package de.intevation.lada.util.auth; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; import java.util.ArrayList; import java.util.List; import de.intevation.lada.model.land.Probe; import de.intevation.lada.model.stammdaten.MessStelle; import de.intevation.lada.util.rest.RequestMethod; import de.intevation.lada.util.rest.Response; public class ProbeIdAuthorizer extends BaseAuthorizer { @Override public <T> boolean isAuthorized( Object data, RequestMethod method, UserInfo userInfo, Class<T> clazz ) { Method m; try { m = clazz.getMethod("getProbeId"); } catch (NoSuchMethodException | SecurityException e1) { return false; } Integer id; try { id = (Integer) m.invoke(data); } catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException e ) { return false; } Probe probe = repository.getByIdPlain(Probe.class, id, "land"); return !isProbeReadOnly(id) && getAuthorization(userInfo, probe); } @SuppressWarnings("unchecked") @Override public <T> Response filter( Response data, UserInfo userInfo, Class<T> clazz ) { if (data.getData() instanceof List<?>) { List<Object> objects = new ArrayList<Object>(); for (Object object :(List<Object>)data.getData()) { objects.add(setAuthData(userInfo, object, clazz)); } data.setData(objects); } else { Object object = data.getData(); data.setData(setAuthData(userInfo, object, clazz)); } return data; } /** * Authorize a single data object that has a probeId Attribute. * * @param userInfo The user information. * @param data The Response object containing the data. * @param clazz The data object class. * @return A Response object containing the data. */ private <T> Object setAuthData( UserInfo userInfo, Object data, Class<T> clazz ) { try { Method getProbeId = clazz.getMethod("getProbeId"); Integer id = null; if (getProbeId != null) { id = (Integer) getProbeId.invoke(data); } else { return null; } Probe probe = (Probe)repository.getById(Probe.class, id, "land").getData(); boolean readOnly = true; boolean owner = false; MessStelle mst = repository.getByIdPlain(MessStelle.class, probe.getMstId(), "stamm"); if (!userInfo.getNetzbetreiber().contains( mst.getNetzbetreiberId())) { owner = false; readOnly = true; } else { if (userInfo.belongsTo(probe.getMstId(), probe.getLaborMstId())) { owner = true; } else { owner = false; } readOnly = this.isProbeReadOnly(id); } Method setOwner = clazz.getMethod("setOwner", boolean.class); Method setReadonly = clazz.getMethod("setReadonly", boolean.class); setOwner.invoke(data, owner); setReadonly.invoke(data, readOnly); } catch (NoSuchMethodException | SecurityException | IllegalAccessException | IllegalArgumentException | InvocationTargetException e) { return null; } return data; } }