# HG changeset patch
# User Tom Gottfried
# Date 1464193314 -7200
# Node ID 4657811fd133483f3a0590554a8d17471009282f
# Parent 539eb174bf23d9deda07ce24c5a4a00963443011
Allow a user only to manipulate Ort with own Netzbetreiber.
diff -r 539eb174bf23 -r 4657811fd133 src/main/java/de/intevation/lada/util/auth/NetzbetreiberAuthorizer.java
--- a/src/main/java/de/intevation/lada/util/auth/NetzbetreiberAuthorizer.java Wed May 25 18:10:14 2016 +0200
+++ b/src/main/java/de/intevation/lada/util/auth/NetzbetreiberAuthorizer.java Wed May 25 18:21:54 2016 +0200
@@ -12,6 +12,7 @@
 import de.intevation.lada.util.rest.RequestMethod;
 import de.intevation.lada.util.rest.Response;
+import de.intevation.lada.model.stamm.Ort;
 public class NetzbetreiberAuthorizer extends BaseAuthorizer {
@@ -41,7 +42,11 @@
 method == RequestMethod.PUT ||
 method == RequestMethod.DELETE) &&
 (userInfo.getFunktionenForNetzbetreiber(id).contains(4) ||
- clazz.getName().equals("de.intevation.lada.model.stamm.Ort"));
+ // XXX: this currently allows any user, regardless of function,
+ // to manipulate and delete any ort of his own netzbetreiber!
+ clazz.getName().equals("de.intevation.lada.model.stamm.Ort") &&
+ userInfo.getNetzbetreiber().contains(
+ ((Ort)data).getNetzbetreiberId()));
 }
 @Override
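Review bot: In the second hunk the new ownership check takes the Netzbetreiber from `((Ort)data).getNetzbetreiberId()`, so if `data` is the object submitted with the request rather than the stored record, a PUT or DELETE is authorized against a value the caller supplies; the comparison should use the persisted Ort's netzbetreiberId, looked up by its id, before the payload is trusted. The cast is guarded only by the class-name string on `clazz`, so a null or mismatched `data` would throw instead of being denied; now that `Ort` is imported, `data instanceof Ort && userInfo.getNetzbetreiber().contains(((Ort) data).getNetzbetreiberId())` would fail closed, assuming `clazz` always describes `data`. Putting that `&&` pair in its own parentheses would also make its precedence against the `contains(4) ||` branch explicit. The XXX comment records that the function-4 requirement is skipped entirely for Ort, which deserves a tracked issue rather than only an inline note. The enclosing method starts outside the hunk, so how `data` and `id` are derived is not visible here.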