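/* Copyright (C) 2013 by Bundesamt fuer Strahlenschutz
 * Software engineering by Intevation GmbH
 *
 * This file is Free Software under the GNU GPL (v>=3)
 * and comes with ABSOLUTELY NO WARRANTY! Check out
 * the documentation coming with IMIS-Labordaten-Application for details.
 */
package de.intevation.lada.util.auth;

import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;

import de.intevation.lada.util.rest.RequestMethod;
import de.intevation.lada.util.rest.Response;

/**
 * Authorizer for objects that expose a {@code getNetzbetreiberId()} getter.
 *
 * <p>Write access (POST, PUT, DELETE) is decided from the Netzbetreiber id
 * read reflectively from the object and from the functions and Netzbetreiber
 * memberships reported by {@link UserInfo}. Every failure path denies
 * access (fail closed).
 */
public class NetzbetreiberAuthorizer extends BaseAuthorizer {

    /** Name of the getter looked up reflectively on the authorized class. */
    private static final String ID_GETTER = "getNetzbetreiberId";

    /**
     * Function id a user must hold for the object's Netzbetreiber.
     * NOTE(review): the meaning of the value 4 is not visible in this file;
     * confirm against the function/role definitions.
     */
    private static final int REQUIRED_FUNKTION_ID = 4;

    /** Class name that gets the relaxed membership-only check. */
    private static final String ORT_CLASS_NAME =
        "de.intevation.lada.model.stammdaten.Ort";

    /**
     * Decides whether the user may modify {@code data}.
     *
     * @param data     the object being created, changed or deleted
     * @param method   the request method; only POST, PUT and DELETE can
     *                 be authorized here, anything else is denied
     * @param userInfo the requesting user's functions and Netzbetreiber
     * @param clazz    the class on which the id getter is looked up
     * @return {@code true} only if the request is a write and the user
     *         either holds the required function for the object's
     *         Netzbetreiber or the object is an Ort of one of the user's
     *         own Netzbetreiber; {@code false} in every other case,
     *         including any failure to determine the id
     */
    @Override
    public boolean isAuthorized(
        Object data,
        RequestMethod method,
        UserInfo userInfo,
        Class clazz
    ) {
        // Non-write requests are never granted by this authorizer, so
        // decide that before touching the object reflectively.
        boolean isWrite = method == RequestMethod.POST
            || method == RequestMethod.PUT
            || method == RequestMethod.DELETE;
        if (!isWrite) {
            return false;
        }
        // Fail closed: Method.invoke(null) on an instance method throws
        // NullPointerException, which must not escape an access decision.
        if (data == null || userInfo == null || clazz == null) {
            return false;
        }

        Method getter;
        try {
            getter = clazz.getMethod(ID_GETTER);
        } catch (NoSuchMethodException | SecurityException e) {
            // No accessible getter: the object cannot be tied to a
            // Netzbetreiber, so deny.
            return false;
        }

        Object value;
        try {
            // IllegalArgumentException also covers the case where data
            // is not an instance of clazz.
            value = getter.invoke(data);
        } catch (IllegalAccessException
            | IllegalArgumentException
            | InvocationTargetException e
        ) {
            return false;
        }
        // Deny when the id is missing or not a String instead of failing
        // with a ClassCastException or matching on a null id.
        if (!(value instanceof String)) {
            return false;
        }
        String id = (String) value;

        if (userInfo.getFunktionenForNetzbetreiber(id)
                .contains(REQUIRED_FUNKTION_ID)) {
            return true;
        }
        // XXX: this currently allows any user, regardless of function,
        // to manipulate and delete any ort of his own netzbetreiber!
        return clazz.getName().equals(ORT_CLASS_NAME)
            && userInfo.getNetzbetreiber().contains(id);
    }

    /**
     * Returns the response unchanged; this authorizer applies no
     * read-side filtering to the data.
     *
     * @param data     the response to filter
     * @param userInfo the requesting user (not used)
     * @param clazz    the class of the contained objects (not used)
     * @return {@code data}, unmodified
     */
    @Override
    public Response filter(
        Response data,
        UserInfo userInfo,
        Class clazz
    ) {
        return data;
    }

}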