# HG changeset patch
# User Raimund Renkert
# Date 1447948532 -3600
# Node ID 183396bac3face6c3385079a86ec0f5dc6d92b07
# Parent b04e55896104c60983b5be14cac4158d6f96981d
# Parent 2059ac26fd49bee6cbbe4f1467b5386fff8717e0
merged.
diff -r 2059ac26fd49 -r 183396bac3fa src/main/java/de/intevation/lada/rest/KommentarMService.java
--- a/src/main/java/de/intevation/lada/rest/KommentarMService.java Thu Nov 19 12:13:10 2015 +0100
+++ b/src/main/java/de/intevation/lada/rest/KommentarMService.java Thu Nov 19 16:55:32 2015 +0100
@@ -24,6 +24,7 @@
 import javax.ws.rs.core.UriInfo;
 import de.intevation.lada.model.land.LKommentarM;
+import de.intevation.lada.model.land.LMessung;
 import de.intevation.lada.util.annotation.AuthorizationConfig;
 import de.intevation.lada.util.annotation.RepositoryConfig;
 import de.intevation.lada.util.auth.Authorization;
@@ -103,9 +104,26 @@
 ) {
 MultivaluedMap params = info.getQueryParameters();
 if (params.isEmpty() || !params.containsKey("messungsId")) {
- return defaultRepo.getAll(LKommentarM.class, "land");
+ return new Response(false, 699, null);
 }
 String messungId = params.getFirst("messungsId");
+ int id;
+ try {
+ id = Integer.valueOf(messungId);
+ }
+ catch(NumberFormatException nfe) {
+ return new Response(false, 699, null);
+ }
+ LMessung messung = defaultRepo.getByIdPlain(
+ LMessung.class,
+ id,
+ "land");
+ if (!authorization.isAuthorized(authorization.getInfo(request), messung)) {
+ if (!authorization.isAuthorized(id, LMessung.class)) {
+ return new Response(false, 699, null);
+ }
+ }
+
 QueryBuilder builder = new QueryBuilder( defaultRepo.entityManager("land"),
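Review bot: In KommentarMService.java (hunk `@@ -103,9 +104,26 @@`) the `messung` returned by `defaultRepo.getByIdPlain(...)` is used without a null check, so a well-formed but unknown `messungsId` is not rejected here. With HeaderAuthorization from this same changeset, the fallback `isAuthorized(id, LMessung.class)` loads the row again and calls `messung.getStatus()`, which would throw if the lookup returns null for a missing id (the repository contract is not visible in the patch). Adding `if (messung == null) { return new Response(false, 699, null); }` right after the lookup makes the endpoint fail closed with the same response as the other rejections. The identical blocks in MesswertService.java (`@@ -138,10 +139,25 @@`) and StatusService.java (`@@ -132,9 +132,26 @@`) need the same guard; the method body continues outside the hunk.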
@@ -134,12 +152,22 @@
 @Context HttpServletRequest request, @PathParam("id") String id ) {
+ Response response =
+ defaultRepo.getById(LKommentarM.class, Integer.valueOf(id), "land");
+ LKommentarM kommentar = (LKommentarM)response.getData();
+ LMessung messung = defaultRepo.getByIdPlain(
+ LMessung.class,
+ kommentar.getMessungsId(),
+ "land");
+ if (!authorization.isAuthorized(authorization.getInfo(request), messung)) {
+ if (!authorization.isAuthorized(messung.getId(), LMessung.class)) {
+ return new Response(false, 699, null);
+ }
+ }
+
 return authorization.filter( request,
- defaultRepo.getById(
- LKommentarM.class,
- Integer.valueOf(id),
- "land"),
+ response,
 LKommentarM.class);
 }
diff -r 2059ac26fd49 -r 183396bac3fa src/main/java/de/intevation/lada/rest/MesswertService.java
--- a/src/main/java/de/intevation/lada/rest/MesswertService.java Thu Nov 19 12:13:10 2015 +0100
+++ b/src/main/java/de/intevation/lada/rest/MesswertService.java Thu Nov 19 16:55:32 2015 +0100
@@ -31,6 +31,7 @@
 import de.intevation.lada.lock.LockConfig;
 import de.intevation.lada.lock.LockType;
 import de.intevation.lada.lock.ObjectLocker;
+import de.intevation.lada.model.land.LMessung;
 import de.intevation.lada.model.land.LMesswert;
 import de.intevation.lada.util.annotation.AuthorizationConfig;
 import de.intevation.lada.util.annotation.RepositoryConfig;
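Review bot: In KommentarMService.java (hunk `@@ -134,12 +152,22 @@`) the new authorization check dereferences `kommentar` and `messung` before knowing that either lookup found a row, and `Integer.valueOf(id)` still runs outside any `try`, unlike the list endpoint changed in the same file. A non-numeric or unknown id would then presumably end in an unhandled exception instead of the `Response(false, 699, null)` used for denied requests. I would add `if (kommentar == null) { return new Response(false, 699, null); }` after the cast and the same guard for `messung` before the `isAuthorized` calls, so a missing id and a denied id look the same to the caller. The hunk at `@@ -173,6 +189,15 @@` in MesswertService.java dereferences `messwert` and `messung` in the same way.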
@@ -138,10 +139,25 @@
 ) {
 MultivaluedMap params = info.getQueryParameters();
 if (params.isEmpty() || !params.containsKey("messungsId")) {
- logger.debug("get all");
- return defaultRepo.getAll(LMesswert.class, "land");
+ return new Response(false, 699, null);
 }
 String messungId = params.getFirst("messungsId");
+ int id;
+ try {
+ id = Integer.valueOf(messungId);
+ }
+ catch(NumberFormatException nfe) {
+ return new Response(false, 698, null);
+ }
+ LMessung messung = defaultRepo.getByIdPlain(
+ LMessung.class,
+ id,
+ "land");
+ if (!authorization.isAuthorized(authorization.getInfo(request), messung)) {
+ if (!authorization.isAuthorized(id, LMessung.class)) {
+ return new Response(false, 697, null);
+ }
+ }
 QueryBuilder builder = new QueryBuilder( defaultRepo.entityManager("land"),
@@ -173,6 +189,15 @@
 Response response = defaultRepo.getById(LMesswert.class, Integer.valueOf(id), "land");
 LMesswert messwert = (LMesswert)response.getData();
+ LMessung messung = defaultRepo.getByIdPlain(
+ LMessung.class,
+ messwert.getMessungsId(),
+ "land");
+ if (!authorization.isAuthorized(authorization.getInfo(request), messung)) {
+ if (!authorization.isAuthorized(messung.getId(), LMessung.class)) {
+ return new Response(false, 699, null);
+ }
+ }
 Violation violation = validator.validate(messwert);
 if (violation.hasErrors() || violation.hasWarnings()) {
 response.setErrors(violation.getErrors());
diff -r 2059ac26fd49 -r 183396bac3fa src/main/java/de/intevation/lada/rest/StatusService.java
--- a/src/main/java/de/intevation/lada/rest/StatusService.java Thu Nov 19 12:13:10 2015 +0100
+++ b/src/main/java/de/intevation/lada/rest/StatusService.java Thu Nov 19 16:55:32 2015 +0100
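Review bot: In MesswertService.java (hunk `@@ -138,10 +139,25 @@`) the rejection codes are bare literals and do not match the sibling services: a malformed `messungsId` returns 698 and a failed authorization 697 here and in StatusService.java, while KommentarMService.java returns 699 for every rejection, and the `getById` hunk further down this file uses 699 for a failed authorization. A client or someone reading logs cannot map a code to a cause reliably. Defining the codes once as named constants, for instance `static final int NOT_AUTHORIZED = 697;` (name constructed for illustration), and using them in all three services would keep the meaning consistent. The enclosing method starts and ends outside the hunk.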
@@ -132,9 +132,26 @@
 ) {
 MultivaluedMap params = info.getQueryParameters();
 if (params.isEmpty() || !params.containsKey("messungsId")) {
- return defaultRepo.getAll(LStatusProtokoll.class, "land");
+ return new Response(false, 699, null);
 }
 String messungId = params.getFirst("messungsId");
+ int id;
+ try {
+ id = Integer.valueOf(messungId);
+ }
+ catch(NumberFormatException nfe) {
+ return new Response(false, 698, null);
+ }
+ LMessung messung = defaultRepo.getByIdPlain(
+ LMessung.class,
+ id,
+ "land");
+ if (!authorization.isAuthorized(authorization.getInfo(request), messung)) {
+ if (!authorization.isAuthorized(id, LMessung.class)) {
+ return new Response(false, 697, null);
+ }
+ }
+
 QueryBuilder builder = new QueryBuilder( defaultRepo.entityManager("land"),
diff -r 2059ac26fd49 -r 183396bac3fa src/main/java/de/intevation/lada/util/auth/Authorization.java
--- a/src/main/java/de/intevation/lada/util/auth/Authorization.java Thu Nov 19 12:13:10 2015 +0100
+++ b/src/main/java/de/intevation/lada/util/auth/Authorization.java Thu Nov 19 16:55:32 2015 +0100
@@ -20,6 +20,7 @@
 public Response filter(Object source, Response data, Class clazz);
 public boolean isAuthorized( Object source, Object data, RequestMethod method, Class clazz);
+ public boolean isAuthorized(int id, Class clazz);
 public boolean isAuthorized(UserInfo userInfo, Object data);
 boolean isReadOnly(Integer probeId);
 }
diff -r 2059ac26fd49 -r 183396bac3fa src/main/java/de/intevation/lada/util/auth/DefaultAuthorization.java
--- a/src/main/java/de/intevation/lada/util/auth/DefaultAuthorization.java Thu Nov 19 12:13:10 2015 +0100
+++ b/src/main/java/de/intevation/lada/util/auth/DefaultAuthorization.java Thu Nov 19 16:55:32 2015 +0100
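Review bot: In Authorization.java (hunk `@@ -20,6 +20,7 @@`) the new `isAuthorized(int id, Class clazz)` has no Javadoc, and its signature takes neither a user nor a request, so it cannot be a per-caller decision even though the name suggests one. Judging from the HeaderAuthorization implementation in this changeset it answers whether the object's status makes it readable by anyone, and the REST services use it as a fallback that overrides a failed per-user check. I would document that on the interface, e.g. `/** Caller-independent check: true if the object with this id is readable regardless of the requesting user. */`, so future implementations and callers do not mistake it for a user check.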
@@ -86,4 +86,9 @@
 public boolean isAuthorized(UserInfo userInfo, Object data) {
 return true;
 }
+
+ @Override
+ public boolean isAuthorized(int id, Class clazz) {
+ return true;
+ }
 }
diff -r 2059ac26fd49 -r 183396bac3fa src/main/java/de/intevation/lada/util/auth/HeaderAuthorization.java
--- a/src/main/java/de/intevation/lada/util/auth/HeaderAuthorization.java Thu Nov 19 12:13:10 2015 +0100
+++ b/src/main/java/de/intevation/lada/util/auth/HeaderAuthorization.java Thu Nov 19 16:55:32 2015 +0100
@@ -107,6 +107,28 @@
 return data;
 }
+ @Override
+ public boolean isAuthorized(int id, Class clazz) {
+ if (clazz == LMessung.class) {
+ LMessung messung = repository.getByIdPlain(
+ LMessung.class,
+ id,
+ "land");
+ if (messung.getStatus() == null) {
+ return false;
+ }
+ LStatusProtokoll status = repository.getByIdPlain(
+ LStatusProtokoll.class,
+ messung.getStatus(),
+ "land");
+ if (status.getStatusWert() == 0) {
+ return false;
+ }
+ return true;
+ }
+ return false;
+ }
+
 /**
 * Check whether a user is authorized to operate on the given data.
 *
@@ -190,7 +212,14 @@
 messung.getProbeId(), "land");
 LProbe probe = (LProbe)pResponse.getData();
- return !this.isMessungReadOnly(messung) &&
+ if (messung.getStatus() == null) {
+ return false;
+ }
+ LStatusProtokoll status = repository.getByIdPlain(
+ LStatusProtokoll.class,
+ messung.getStatus(),
+ "land");
+ return status.getStatusWert() == 0 &&
 getAuthorization(userInfo, probe);
 }
 }
@@ -595,6 +624,10 @@
 if (data instanceof LProbe) {
 return getAuthorization(userInfo, (LProbe)data);
 }
+ else if (data instanceof LMessung) {
+ LProbe probe = repository.getByIdPlain(LProbe.class, ((LMessung)data).getProbeId(), "land");
+ return getAuthorization(userInfo, probe);
+ }
 return false;
 }
diff -r 2059ac26fd49 -r 183396bac3fa src/main/java/de/intevation/lada/util/auth/TestAuthorization.java
--- a/src/main/java/de/intevation/lada/util/auth/TestAuthorization.java Thu Nov 19 12:13:10 2015 +0100
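Review bot: In DefaultAuthorization.java (hunk `@@ -86,4 +86,9 @@`) the new `isAuthorized(int id, Class clazz)` returns `true` unconditionally, so any service bound to this implementation passes the fallback check for every id. That matches the existing `isAuthorized(UserInfo, Object)` directly above it, but it means the checks added to the REST services in this changeset only take effect when HeaderAuthorization is the injected implementation; which one is bound where is not visible in this patch. If allow-all is the intent, a comment such as `// allow-all implementation: performs no access check` on the method would make that explicit. TestAuthorization.java (`@@ -58,4 +58,9 @@`) adds the same always-true override.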
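Review bot: In HeaderAuthorization.java (hunk `@@ -107,6 +107,28 @@`) `isAuthorized(int id, Class clazz)` dereferences `messung` and `status` without checking that `getByIdPlain` found them, so an id with no row or a dangling status reference would end in an exception rather than a denial. Since this method decides access, returning `false` in both cases is the safer behaviour: `if (messung == null || messung.getStatus() == null) { return false; }` and `if (status == null) { return false; }`. The literal `0` in `status.getStatusWert() == 0` also deserves a comment or a named constant saying which status it stands for, because the method grants read access to every caller for any other value. The hunks at `@@ -190,7 +212,14 @@` and `@@ -595,6 +624,10 @@` use lookup results (`status`, `probe`) unchecked in the same way.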
+++ b/src/main/java/de/intevation/lada/util/auth/TestAuthorization.java Thu Nov 19 16:55:32 2015 +0100
@@ -58,4 +58,9 @@
 return false;
 }
+ @Override
+ public boolean isAuthorized(int id, Class clazz) {
+ return true;
+ }
+ }