# HG changeset patch # User Tom Gottfried # Date 1464787508 -7200 # Node ID ad69878b7280499e9ffd378af43d16d83d6222a4 # Parent 3c1b1631e4741365de3e6e58d90bf292fb5b45a8 Authorize status change only for matching user. Matching means belonging to the MessStelle respectively Netzbetreiber of the probe. diff -r 3c1b1631e474 -r ad69878b7280 db_schema/stammdaten_schema.sql --- a/db_schema/stammdaten_schema.sql Mon May 30 16:11:24 2016 +0200 +++ b/db_schema/stammdaten_schema.sql Wed Jun 01 15:25:08 2016 +0200 @@ -140,7 +140,7 @@ CREATE TABLE mess_stelle ( id character varying(5) PRIMARY KEY, - netzbetreiber_id character varying(2), + netzbetreiber_id character varying(2) NOT NULL, beschreibung character varying(300), mess_stelle character varying(60), mst_typ character varying(1), diff -r 3c1b1631e474 -r ad69878b7280 src/main/java/de/intevation/lada/rest/StatusService.java --- a/src/main/java/de/intevation/lada/rest/StatusService.java Mon May 30 16:11:24 2016 +0200 +++ b/src/main/java/de/intevation/lada/rest/StatusService.java Wed Jun 01 15:25:08 2016 +0200 @@ -35,6 +35,7 @@ import de.intevation.lada.model.land.LMessung; import de.intevation.lada.model.land.LProbe; import de.intevation.lada.model.land.LStatusProtokoll; +import de.intevation.lada.model.stamm.MessStelle; import de.intevation.lada.util.annotation.AuthorizationConfig; import de.intevation.lada.util.annotation.RepositoryConfig; import de.intevation.lada.util.auth.Authorization; @@ -237,6 +238,7 @@ return new Response(false, 697, null); } + // Is user authorized to edit status at all? Response r = authorization.filter( request, new Response(true, 200, messung), @@ -245,8 +247,7 @@ if (filteredMessung.getStatusEdit() == false) { return new Response(false, 699, null); } - boolean next = false; - boolean change = false; + if (messung.getStatus() == null) { status.setStatusStufe(1); } 
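Review bot: The NOT NULL on mess_stelle.netzbetreiber_id is added only to the CREATE TABLE statement, so databases that were created from the earlier schema keep their nullable column and any existing rows with an empty value; for those installations a migration such as `ALTER TABLE mess_stelle ALTER COLUMN netzbetreiber_id SET NOT NULL;` is needed, otherwise the new Netzbetreiber comparison in StatusService in this same patch can still meet a null. Whether an upgrade script exists elsewhere in the repository is not visible from this hunk. If a netzbetreiber table exists, a foreign key on this column would additionally pin the value to a known operator, which the authorization check now depends on.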
@@ -254,11 +255,12 @@ LStatusProtokoll currentStatus = defaultRepo.getByIdPlain( LStatusProtokoll.class, messung.getStatus(), "land"); + String probeMstId = defaultRepo.getByIdPlain( + LProbe.class, + messung.getProbeId(), + "land").getMstId(); + if (currentStatus.getStatusWert() == 4) { - LProbe probe = defaultRepo.getByIdPlain( - LProbe.class, - messung.getProbeId(), - "land"); if (status.getStatusWert() == 4 && userInfo.getMessstellen().contains( currentStatus.getErzeuger()) @@ -269,9 +271,9 @@ status.setStatusStufe(currentStatus.getStatusStufe()); } else if ( - userInfo.getFunktionenForMst(probe.getMstId()) + userInfo.getFunktionenForMst(probeMstId) .contains(1) - && probe.getMstId().equals(status.getErzeuger()) + && probeMstId.equals(status.getErzeuger()) ) { status.setStatusStufe(1); } 
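Review bot: The new `probeMstId` lookup dereferences the result of `getByIdPlain` directly, so if that call returns null for a missing or foreign-schema probe the request ends in a NullPointerException (presumably a 500) instead of the controlled error responses the surrounding checks return. Keep the `LProbe` object rather than only its Messstelle id and reject a null result first: `LProbe probe = defaultRepo.getByIdPlain(LProbe.class, messung.getProbeId(), "land"); if (probe == null) { return new Response(false, 699, null); } String probeMstId = probe.getMstId();` (699 is what the authorization failures in this method use; a dedicated code may fit better). Holding the object would also let the later Netzbetreiber comparison read `probe.getNetzbetreiberId()` instead of fetching the same probe a second time. The enclosing method starts before this hunk and continues after it.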
@@ -280,23 +282,52 @@ } } else { - for (int i = 0; - i < userInfo.getFunktionenForMst(status.getErzeuger()).size(); - i++ + boolean next = false; // Do we advance to next 'stufe'? + boolean change = false; // Do we change status on same 'stufe'? + + // XXX: It's assumed here, that MessStelle:function is a + // 1:1-relationship, which is not enforced by the model + // (there is no such constraint in stammdaten.auth). + // Thus, next and change will be set based + // on whichever function is the first match, which is + // not necessary the users intention, if he has more than + // one function for the matching Messstelle. + + // XXX: It's assumed here, that an 'Erzeuger' is an instance + // of 'Messstelle', but the model does not enforce it! + for (Integer function : + userInfo.getFunktionenForMst(status.getErzeuger()) ) { - if (userInfo.getFunktionenForMst(status.getErzeuger()) - .get(i).equals(currentStatus.getStatusStufe() + 1) - && currentStatus.getStatusWert() != 0 - ) { + if (function.equals(currentStatus.getStatusStufe() + 1) + && currentStatus.getStatusWert() != 0) { next = true; } - else if (userInfo.getFunktionenForMst( - status.getErzeuger()).get(i) == - currentStatus.getStatusStufe() - ) { + else if (function == currentStatus.getStatusStufe()) { + if (currentStatus.getStatusStufe() == 1 + && !status.getErzeuger().equals(probeMstId)) { + logger.debug( + "Messstelle does not match for change"); + return new Response(false, 699, null); + } + + String pNetzbetreiber = defaultRepo.getByIdPlain( + LProbe.class, + messung.getProbeId(), + "land").getNetzbetreiberId(); + String sNetzbetreiber = defaultRepo.getByIdPlain( + MessStelle.class, + status.getErzeuger(), + "stamm").getNetzbetreiberId(); + if (currentStatus.getStatusStufe() == 2 + && !pNetzbetreiber.equals(sNetzbetreiber)){ + logger.debug( + "Netzbetreiber does not match for change"); + return new Response(false, 699, null); + } change = true; } } + if (change && status.getStatusWert() == 4 && 
status.getStatusStufe() > 1 diff -r 3c1b1631e474 -r ad69878b7280 src/main/java/de/intevation/lada/util/auth/MessungAuthorizer.java --- a/src/main/java/de/intevation/lada/util/auth/MessungAuthorizer.java Mon May 30 16:11:24 2016 +0200 +++ b/src/main/java/de/intevation/lada/util/auth/MessungAuthorizer.java Wed Jun 01 15:25:08 2016 +0200 @@ -88,12 +88,14 @@ messung.setStatusEdit(false); return messung; } + if (userInfo.belongsTo(probe.getMstId(), probe.getLaborMstId())) { messung.setOwner(true); } else { messung.setOwner(false); } + if (messung.getStatus() == null) { messung.setReadonly(false); messung.setStatusEdit(false);