# HG changeset patch # User Raimund Renkert # Date 1447948449 -3600 # Node ID b04e55896104c60983b5be14cac4158d6f96981d # Parent d0510a89e70111015465f903d71ec2a0660b0ac3 Authorize messwert, kommentar and status. diff -r d0510a89e701 -r b04e55896104 src/main/java/de/intevation/lada/rest/KommentarMService.java --- a/src/main/java/de/intevation/lada/rest/KommentarMService.java Thu Nov 19 16:53:30 2015 +0100 +++ b/src/main/java/de/intevation/lada/rest/KommentarMService.java Thu Nov 19 16:54:09 2015 +0100 @@ -24,6 +24,7 @@ import javax.ws.rs.core.UriInfo; import de.intevation.lada.model.land.LKommentarM; +import de.intevation.lada.model.land.LMessung; import de.intevation.lada.util.annotation.AuthorizationConfig; import de.intevation.lada.util.annotation.RepositoryConfig; import de.intevation.lada.util.auth.Authorization; @@ -103,9 +104,26 @@ ) { MultivaluedMap params = info.getQueryParameters(); if (params.isEmpty() || !params.containsKey("messungsId")) { - return defaultRepo.getAll(LKommentarM.class, "land"); + return new Response(false, 699, null); } String messungId = params.getFirst("messungsId"); + int id; + try { + id = Integer.valueOf(messungId); + } + catch(NumberFormatException nfe) { + return new Response(false, 699, null); + } + LMessung messung = defaultRepo.getByIdPlain( + LMessung.class, + id, + "land"); + if (!authorization.isAuthorized(authorization.getInfo(request), messung)) { + if (!authorization.isAuthorized(id, LMessung.class)) { + return new Response(false, 699, null); + } + } + QueryBuilder builder = new QueryBuilder( defaultRepo.entityManager("land"), 
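Review bot: In the list hunk of KommentarMService, `messung` comes back from `defaultRepo.getByIdPlain(...)` and is passed straight to `authorization.isAuthorized(...)` without a null check. A `messungsId` that parses but matches no LMessung therefore leaves the decision to however the authorizer treats null, which is not visible here. An access check should fail closed on a missing parent record, for example `if (messung == null) { return new Response(false, 699, null); }` directly after the lookup. The same lookup-then-check sequence appears in the list hunks of MesswertService and StatusService; the method body starts and ends outside this hunk.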
@@ -134,12 +152,22 @@ @Context HttpServletRequest request, @PathParam("id") String id ) { + Response response = + defaultRepo.getById(LKommentarM.class, Integer.valueOf(id), "land"); + LKommentarM kommentar = (LKommentarM)response.getData(); + LMessung messung = defaultRepo.getByIdPlain( + LMessung.class, + kommentar.getMessungsId(), + "land"); + if (!authorization.isAuthorized(authorization.getInfo(request), messung)) { + if (!authorization.isAuthorized(messung.getId(), LMessung.class)) { + return new Response(false, 699, null); + } + } + return authorization.filter( request, - defaultRepo.getById( - LKommentarM.class, - Integer.valueOf(id), - "land"), + response, LKommentarM.class); } diff -r d0510a89e701 -r b04e55896104 src/main/java/de/intevation/lada/rest/MesswertService.java --- a/src/main/java/de/intevation/lada/rest/MesswertService.java Thu Nov 19 16:53:30 2015 +0100 +++ b/src/main/java/de/intevation/lada/rest/MesswertService.java Thu Nov 19 16:54:09 2015 +0100 @@ -31,6 +31,7 @@ import de.intevation.lada.lock.LockConfig; import de.intevation.lada.lock.LockType; import de.intevation.lada.lock.ObjectLocker; +import de.intevation.lada.model.land.LMessung; import de.intevation.lada.model.land.LMesswert; import de.intevation.lada.util.annotation.AuthorizationConfig; import de.intevation.lada.util.annotation.RepositoryConfig; 
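Review bot: In the getById hunk of KommentarMService, `kommentar` is cast from `response.getData()` and `kommentar.getMessungsId()` is called immediately, and `messung.getId()` is used in the inner check, so an unknown comment id or a missing parent LMessung presumably ends in a NullPointerException rather than a denial. `Integer.valueOf(id)` on the path parameter is also unguarded here, although the list method in this same commit catches NumberFormatException. Apart from the unhandled exceptions, a different failure mode for missing and forbidden ids can let a caller tell the two apart. Guard each dereference with the same denial response, e.g. `if (kommentar == null) { return new Response(false, 699, null); }` after the cast and likewise for `messung`, and reuse the try/catch from the list method. The getById hunk of MesswertService has the same unchecked dereferences.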
@@ -138,10 +139,25 @@ ) { MultivaluedMap params = info.getQueryParameters(); if (params.isEmpty() || !params.containsKey("messungsId")) { - logger.debug("get all"); - return defaultRepo.getAll(LMesswert.class, "land"); + return new Response(false, 699, null); } String messungId = params.getFirst("messungsId"); + int id; + try { + id = Integer.valueOf(messungId); + } + catch(NumberFormatException nfe) { + return new Response(false, 698, null); + } + LMessung messung = defaultRepo.getByIdPlain( + LMessung.class, + id, + "land"); + if (!authorization.isAuthorized(authorization.getInfo(request), messung)) { + if (!authorization.isAuthorized(id, LMessung.class)) { + return new Response(false, 697, null); + } + } QueryBuilder builder = new QueryBuilder( defaultRepo.entityManager("land"), @@ -173,6 +189,15 @@ Response response = defaultRepo.getById(LMesswert.class, Integer.valueOf(id), "land"); LMesswert messwert = (LMesswert)response.getData(); + LMessung messung = defaultRepo.getByIdPlain( + LMessung.class, + messwert.getMessungsId(), + "land"); + if (!authorization.isAuthorized(authorization.getInfo(request), messung)) { + if (!authorization.isAuthorized(messung.getId(), LMessung.class)) { + return new Response(false, 699, null); + } + } Violation violation = validator.validate(messwert); if (violation.hasErrors() || violation.hasWarnings()) { response.setErrors(violation.getErrors()); diff -r d0510a89e701 -r b04e55896104 src/main/java/de/intevation/lada/rest/StatusService.java --- a/src/main/java/de/intevation/lada/rest/StatusService.java Thu Nov 19 16:53:30 2015 +0100 +++ b/src/main/java/de/intevation/lada/rest/StatusService.java Thu Nov 19 16:54:09 2015 +0100 
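Review bot: The three rejection branches in the MesswertService list hunk return the bare literals 699, 698 and 697, while the equivalent branches in KommentarMService return 699 in all three cases. A client or a log-based alert therefore cannot map a code to a cause consistently across services, and nothing in the hunk says what each number means. At minimum add a comment on each return, such as `// 698: messungsId is not an integer` and `// 697: caller is not authorized for this messung`. Better, replace the literals with shared named constants and use the same mapping in all three services.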
@@ -132,9 +132,26 @@ ) { MultivaluedMap params = info.getQueryParameters(); if (params.isEmpty() || !params.containsKey("messungsId")) { - return defaultRepo.getAll(LStatusProtokoll.class, "land"); + return new Response(false, 699, null); } String messungId = params.getFirst("messungsId"); + int id; + try { + id = Integer.valueOf(messungId); + } + catch(NumberFormatException nfe) { + return new Response(false, 698, null); + } + LMessung messung = defaultRepo.getByIdPlain( + LMessung.class, + id, + "land"); + if (!authorization.isAuthorized(authorization.getInfo(request), messung)) { + if (!authorization.isAuthorized(id, LMessung.class)) { + return new Response(false, 697, null); + } + } + QueryBuilder builder = new QueryBuilder( defaultRepo.entityManager("land"),
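Review bot: The two nested `if` statements in the StatusService list hunk are the fifth copy in this changeset of the same authorization pattern, and nothing explains why the second check may override the first. They reduce to one condition, `if (!authorization.isAuthorized(authorization.getInfo(request), messung) && !authorization.isAuthorized(id, LMessung.class)) {`, which makes it explicit that access is granted when either check passes. Please add a comment stating what `isAuthorized(id, LMessung.class)` decides without the request's user info, since that is the branch that widens access. Also, unlike the other two files, no import of `LMessung` is added for StatusService in this diff; presumably it is already imported, but that is worth confirming.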