# HG changeset patch
# User Tom Gottfried <tom@intevation.de>
# Date 1475242068 -7200
# Node ID 703b370c3b349e29fd23bc5b1f3bd53be20ca7eb
# Parent  02915a07e186c74aa1987a4927deed2fae92bcdf
Authorize generation of Probe objects by Messprogramm.

diff -r 02915a07e186 -r 703b370c3b34 src/main/java/de/intevation/lada/factory/ProbeFactory.java
--- a/src/main/java/de/intevation/lada/factory/ProbeFactory.java	Fri Sep 30 15:24:04 2016 +0200
+++ b/src/main/java/de/intevation/lada/factory/ProbeFactory.java	Fri Sep 30 15:27:48 2016 +0200
@@ -200,20 +200,7 @@
      *
      * @return List of probe objects.
      */
-    public List<LProbe> create(String id, Long from, Long to) {
-        QueryBuilder<Messprogramm> builder =
-            new QueryBuilder<Messprogramm>(
-                    repository.entityManager("land"),
-                    Messprogramm.class);
-        builder.and("id", id);
-        Response response = repository.filter(builder.getQuery(), "land");
-        @SuppressWarnings("unchecked")
-        List<Messprogramm> messprogramme =
-            (List<Messprogramm>)response.getData();
-        if (messprogramme == null || messprogramme.isEmpty()) {
-            return null;
-        }
-        Messprogramm messprogramm = messprogramme.get(0);
+    public List<LProbe> create(Messprogramm messprogramm, Long from, Long to) {
         Calendar start = Calendar.getInstance();
         start.setTimeInMillis(from);
         Calendar end = Calendar.getInstance();
diff -r 02915a07e186 -r 703b370c3b34 src/main/java/de/intevation/lada/rest/ProbeService.java
--- a/src/main/java/de/intevation/lada/rest/ProbeService.java	Fri Sep 30 15:24:04 2016 +0200
+++ b/src/main/java/de/intevation/lada/rest/ProbeService.java	Fri Sep 30 15:27:48 2016 +0200
@@ -39,6 +39,7 @@
 import de.intevation.lada.lock.ObjectLocker;
 import de.intevation.lada.model.land.LProbe;
 import de.intevation.lada.model.land.ProbeTranslation;
+import de.intevation.lada.model.land.Messprogramm;
 import de.intevation.lada.query.QueryTools;
 import de.intevation.lada.util.annotation.AuthorizationConfig;
 import de.intevation.lada.util.annotation.RepositoryConfig;
@@ -366,7 +367,24 @@
         @Context HttpServletRequest request,
         JsonObject object
     ) {
-        String id = object.get("id").toString();
+        int id = object.getInt("id");
+        Messprogramm messprogramm = repository.getByIdPlain(
+            Messprogramm.class, id, "land");
+        if (messprogramm == null) {
+            return new Response(false, 600, null);
+        }
+
+        /* Allow generation of Probe objects only for a Messprogramm
+         * that would be allowed to be changed. */
+        if (!authorization.isAuthorized(
+                request,
+                messprogramm,
+                RequestMethod.PUT,
+                Messprogramm.class)
+        ) {
+            return new Response(false, 699, null);
+        }
+
         long start = 0;
         long end = 0;
         try {
@@ -380,7 +398,7 @@
             return new Response(false, 662, null);
         }
         List<LProbe> proben = factory.create(
-            id,
+            messprogramm,
             start,
             end);
         return new Response(true, 200, proben);