view src/main/java/de/intevation/lada/util/auth/NetzbetreiberAuthorizer.java @ 1345:883ab3a6f525 tip
changed version to 2.7-SNAPSHOT after release2.6.2 for default branch
author | Marco Lechner, Bundesamt fuer Strahlenschutz, SW 2.1 <mlechner@bfs.de> |
---|---|
date | Fri, 07 Apr 2017 11:14:37 +0200 |
parents | 7730d9cfc22e |
children |
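/* Copyright (C) 2013 by Bundesamt fuer Strahlenschutz
 * Software engineering by Intevation GmbH
 *
 * This file is Free Software under the GNU GPL (v>=3)
 * and comes with ABSOLUTELY NO WARRANTY! Check out
 * the documentation coming with IMIS-Labordaten-Application for details.
 */
package de.intevation.lada.util.auth;

import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;

import de.intevation.lada.util.rest.RequestMethod;
import de.intevation.lada.util.rest.Response;

/**
 * Authorizer for objects that expose a {@code getNetzbetreiberId()} getter.
 *
 * <p>Write access (POST, PUT, DELETE) is decided by comparing the object's
 * Netzbetreiber id with the permissions held in the {@link UserInfo}. Every
 * other request method is denied by {@link #isAuthorized}, and
 * {@link #filter} passes responses through unchanged.
 *
 * <p>The check fails closed: any condition under which the Netzbetreiber id
 * cannot be determined results in a denial, not an exception.
 */
public class NetzbetreiberAuthorizer extends BaseAuthorizer {

    /**
     * Function id a user must hold for the object's Netzbetreiber.
     * NOTE(review): the meaning of id 4 is defined outside this file - confirm
     * against the function catalogue before changing it.
     */
    private static final int REQUIRED_FUNKTION = 4;

    /** Fully qualified name of the model class that gets the relaxed rule. */
    private static final String ORT_CLASS_NAME =
        "de.intevation.lada.model.stammdaten.Ort";

    /**
     * Decides whether the user may modify the given object.
     *
     * @param data     the object to be written; must offer a public
     *                 {@code getNetzbetreiberId()} returning a {@code String}
     * @param method   the request method being authorized
     * @param userInfo the permissions of the requesting user
     * @param clazz    the model class on which the getter is looked up
     * @return {@code true} only for POST, PUT or DELETE when the user holds
     *         function {@value #REQUIRED_FUNKTION} for the object's
     *         Netzbetreiber, or when the object is an {@code Ort} of one of
     *         the user's Netzbetreiber; {@code false} in every other case,
     *         including missing arguments and reflection failures
     */
    @Override
    public <T> boolean isAuthorized(
        Object data,
        RequestMethod method,
        UserInfo userInfo,
        Class<T> clazz
    ) {
        boolean isWrite = method == RequestMethod.POST
            || method == RequestMethod.PUT
            || method == RequestMethod.DELETE;
        if (!isWrite) {
            // Only write methods can ever be authorized here, so skip the
            // reflective lookup entirely for everything else.
            return false;
        }
        // Deny instead of letting a NullPointerException escape from the
        // authorization check (Method.invoke throws one for a null target).
        if (data == null || userInfo == null || clazz == null) {
            return false;
        }

        Method getter;
        try {
            getter = clazz.getMethod("getNetzbetreiberId");
        }
        catch (NoSuchMethodException | SecurityException e1) {
            return false;
        }

        Object value;
        try {
            value = getter.invoke(data);
        }
        catch (IllegalAccessException |
            IllegalArgumentException |
            InvocationTargetException e
        ) {
            return false;
        }
        // A missing or non-String id cannot be matched against the user's
        // permissions; deny rather than risk a ClassCastException or a
        // lookup with a null key.
        if (!(value instanceof String)) {
            return false;
        }
        String id = (String) value;

        if (userInfo.getFunktionenForNetzbetreiber(id)
                .contains(REQUIRED_FUNKTION)) {
            return true;
        }
        // XXX: this currently allows any user, regardless of function,
        // to manipulate and delete any ort of his own netzbetreiber!
        // NOTE(review): this branch bypasses the function check above and is
        // a deliberate but broad grant; it is kept as-is because tightening
        // it is a policy change that needs the data owner's decision.
        return clazz.getName().equals(ORT_CLASS_NAME)
            && userInfo.getNetzbetreiber().contains(id);
    }

    /**
     * Returns the response unchanged; this authorizer applies no read-side
     * filtering or marking of the returned data.
     *
     * @param data     the response to be returned to the client
     * @param userInfo the permissions of the requesting user (unused)
     * @param clazz    the model class of the response payload (unused)
     * @return {@code data}, unmodified
     */
    @Override
    public <T> Response filter(
        Response data,
        UserInfo userInfo,
        Class<T> clazz
    ) {
        return data;
    }
}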