# HG changeset patch
# User Raimund Renkert
# Date 1372845777 -7200
# Node ID 30d2aad7371e57120e81639b79871b22fe7e1d98
# Parent a305412206a3b916fd0c44c7e2a7d92268477aee
Updated authorization in LMessung service filter.
diff -r a305412206a3 -r 30d2aad7371e src/main/java/de/intevation/lada/rest/LMessungService.java
--- a/src/main/java/de/intevation/lada/rest/LMessungService.java Wed Jul 03 11:55:28 2013 +0200
+++ b/src/main/java/de/intevation/lada/rest/LMessungService.java Wed Jul 03 12:02:57 2013 +0200
@@ -61,26 +61,26 @@
 @Produces("text/json")
 public Response filter(
 @Context UriInfo info,
- @Context HttpHeaders header
+ @Context HttpHeaders headers
 ) {
 try {
- AuthenticationResponse auth =
- authentication.authorizedGroups(header);
- QueryBuilder builder =
- new QueryBuilder(
- repository.getEntityManager(),
- LMessung.class);
- builder.or("netzbetreiberId", auth.getNetzbetreiber());
+ if (!authentication.isAuthorizedUser(headers)) {
+ return new Response(false, 699, new ArrayList());
+ }
 MultivaluedMap params = info.getQueryParameters();
- if (params.isEmpty()) {
- repository.filter(builder.getQuery());
+ if (params.isEmpty() || !(params.containsKey("probeId"))) {
+ return new Response(false, 609, new ArrayList());
 }
- QueryBuilder pBuilder = builder.getEmptyBuilder();
- if (params.containsKey("probeId")) {
- pBuilder.and("probeId", params.getFirst("probeId"));
- builder.and(pBuilder);
+ String probeId = params.getFirst("probeId");
+ if (authentication.hasAccess(headers, probeId)) {
+ QueryBuilder builder =
+ new QueryBuilder(
+ repository.getEntityManager(),
+ LMessung.class);
+ builder.and("probeId", probeId);
+ return repository.filter(builder.getQuery());
 }
- return repository.filter(builder.getQuery());
+ return new Response(false, 698, new ArrayList());
 }
 catch(AuthenticationException ae) {
 return new Response(false, 699, new ArrayList());
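Review bot: `probeId` goes from `params.getFirst("probeId")` straight into `authentication.hasAccess(headers, probeId)` and `builder.and("probeId", probeId)` with no check that it has a value. `containsKey("probeId")` is likely also true for a key sent without a value, so an empty string (or possibly null, depending on the JAX-RS implementation) can reach both calls. A guard right after the assignment would reject that case with the existing "missing parameter" code: `if (probeId == null || probeId.isEmpty()) { return new Response(false, 609, new ArrayList()); }`. The query no longer carries the `netzbetreiberId` restriction, so `hasAccess` is now the only control scoping the result; a comment saying so, plus named constants or a one-line comment for the bare codes 699, 698 and 609, would make that contract visible to the next maintainer. The `catch` block of `filter` continues outside the hunk.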