changeset 803:183396bac3fa
merged.
author | Raimund Renkert <raimund.renkert@intevation.de> |
---|---|
date | Thu, 19 Nov 2015 16:55:32 +0100 |
parents | b04e55896104 (diff) 2059ac26fd49 (current diff) |
children | 8249a76a1f6d a549700c338d |
files | |
diffstat | 7 files changed, 123 insertions(+), 9 deletions(-) [+] |
--- a/src/main/java/de/intevation/lada/rest/KommentarMService.java Thu Nov 19 12:13:10 2015 +0100 +++ b/src/main/java/de/intevation/lada/rest/KommentarMService.java Thu Nov 19 16:55:32 2015 +0100 @@ -24,6 +24,7 @@ import javax.ws.rs.core.UriInfo; import de.intevation.lada.model.land.LKommentarM; +import de.intevation.lada.model.land.LMessung; import de.intevation.lada.util.annotation.AuthorizationConfig; import de.intevation.lada.util.annotation.RepositoryConfig; import de.intevation.lada.util.auth.Authorization; @@ -103,9 +104,26 @@ ) { MultivaluedMap<String, String> params = info.getQueryParameters(); if (params.isEmpty() || !params.containsKey("messungsId")) { - return defaultRepo.getAll(LKommentarM.class, "land"); + return new Response(false, 699, null); } String messungId = params.getFirst("messungsId"); + int id; + try { + id = Integer.valueOf(messungId); + } + catch(NumberFormatException nfe) { + return new Response(false, 699, null); + } + LMessung messung = defaultRepo.getByIdPlain( + LMessung.class, + id, + "land"); + if (!authorization.isAuthorized(authorization.getInfo(request), messung)) { + if (!authorization.isAuthorized(id, LMessung.class)) { + return new Response(false, 699, null); + } + } + QueryBuilder<LKommentarM> builder = new QueryBuilder<LKommentarM>( defaultRepo.entityManager("land"), 
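Review bot: The `LMessung` returned by `defaultRepo.getByIdPlain(LMessung.class, id, "land")` in the second hunk is used without a null check, so a well-formed `messungsId` that matches no record most likely ends in a NullPointerException in `HeaderAuthorization.isAuthorized(int, Class)`, which calls `messung.getStatus()` on its own lookup result. Adding `if (messung == null) { return new Response(false, 699, null); }` directly after the lookup keeps the endpoint failing closed with the same answer a denied request gets. The same pattern appears in the list hunks of MesswertService.java and StatusService.java. `getByIdPlain` itself is not shown, so confirm that it returns null rather than throwing for an unknown id. The enclosing method starts and ends outside the hunk.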
@@ -134,12 +152,22 @@ @Context HttpServletRequest request, @PathParam("id") String id ) { + Response response = + defaultRepo.getById(LKommentarM.class, Integer.valueOf(id), "land"); + LKommentarM kommentar = (LKommentarM)response.getData(); + LMessung messung = defaultRepo.getByIdPlain( + LMessung.class, + kommentar.getMessungsId(), + "land"); + if (!authorization.isAuthorized(authorization.getInfo(request), messung)) { + if (!authorization.isAuthorized(messung.getId(), LMessung.class)) { + return new Response(false, 699, null); + } + } + return authorization.filter( request, - defaultRepo.getById( - LKommentarM.class, - Integer.valueOf(id), - "land"), + response, LKommentarM.class); }
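Review bot: `kommentar` and `messung` are dereferenced before the authorization decision is made, so an id with no matching comment, or a comment whose measurement no longer exists, presumably reaches `kommentar.getMessungsId()` or `messung.getId()` on null and throws instead of returning the 699 response. `Integer.valueOf(id)` on the path parameter is also still unguarded here, while the list method in this same commit now catches `NumberFormatException`. A guard such as `if (kommentar == null) { return new Response(false, 699, null); }` after the cast, and the same for `messung`, would give unknown and forbidden ids the same answer. The third hunk of MesswertService.java has the same shape with `messwert`.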
--- a/src/main/java/de/intevation/lada/rest/MesswertService.java Thu Nov 19 12:13:10 2015 +0100 +++ b/src/main/java/de/intevation/lada/rest/MesswertService.java Thu Nov 19 16:55:32 2015 +0100 @@ -31,6 +31,7 @@ import de.intevation.lada.lock.LockConfig; import de.intevation.lada.lock.LockType; import de.intevation.lada.lock.ObjectLocker; +import de.intevation.lada.model.land.LMessung; import de.intevation.lada.model.land.LMesswert; import de.intevation.lada.util.annotation.AuthorizationConfig; import de.intevation.lada.util.annotation.RepositoryConfig; @@ -138,10 +139,25 @@ ) { MultivaluedMap<String, String> params = info.getQueryParameters(); if (params.isEmpty() || !params.containsKey("messungsId")) { - logger.debug("get all"); - return defaultRepo.getAll(LMesswert.class, "land"); + return new Response(false, 699, null); } String messungId = params.getFirst("messungsId"); + int id; + try { + id = Integer.valueOf(messungId); + } + catch(NumberFormatException nfe) { + return new Response(false, 698, null); + } + LMessung messung = defaultRepo.getByIdPlain( + LMessung.class, + id, + "land"); + if (!authorization.isAuthorized(authorization.getInfo(request), messung)) { + if (!authorization.isAuthorized(id, LMessung.class)) { + return new Response(false, 697, null); + } + } QueryBuilder<LMesswert> builder = new QueryBuilder<LMesswert>( defaultRepo.entityManager("land"), @@ -173,6 +189,15 @@ Response response = defaultRepo.getById(LMesswert.class, Integer.valueOf(id), "land"); LMesswert messwert = (LMesswert)response.getData(); + LMessung messung = defaultRepo.getByIdPlain( + LMessung.class, + messwert.getMessungsId(), + "land"); + if (!authorization.isAuthorized(authorization.getInfo(request), messung)) { + if (!authorization.isAuthorized(messung.getId(), LMessung.class)) { + return new Response(false, 699, null); + } + } Violation violation = validator.validate(messwert); if (violation.hasErrors() || violation.hasWarnings()) { response.setErrors(violation.getErrors());
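Review bot: The three early returns in the list hunk use the bare literals 699, 698 and 697, and nothing visible says what each one stands for; KommentarMService.java returns 699 for all three cases of the same logic in this commit. A short comment per return, for example `// 698: messungsId is not an integer`, or named constants shared by the services, would let clients and maintainers tell a missing parameter, a malformed parameter and a denied request apart. The meaning of the codes is not defined anywhere in this diff, so the comment wording is an assumption for the author to confirm.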
--- a/src/main/java/de/intevation/lada/rest/StatusService.java Thu Nov 19 12:13:10 2015 +0100 +++ b/src/main/java/de/intevation/lada/rest/StatusService.java Thu Nov 19 16:55:32 2015 +0100 @@ -132,9 +132,26 @@ ) { MultivaluedMap<String, String> params = info.getQueryParameters(); if (params.isEmpty() || !params.containsKey("messungsId")) { - return defaultRepo.getAll(LStatusProtokoll.class, "land"); + return new Response(false, 699, null); } String messungId = params.getFirst("messungsId"); + int id; + try { + id = Integer.valueOf(messungId); + } + catch(NumberFormatException nfe) { + return new Response(false, 698, null); + } + LMessung messung = defaultRepo.getByIdPlain( + LMessung.class, + id, + "land"); + if (!authorization.isAuthorized(authorization.getInfo(request), messung)) { + if (!authorization.isAuthorized(id, LMessung.class)) { + return new Response(false, 697, null); + } + } + QueryBuilder<LStatusProtokoll> builder = new QueryBuilder<LStatusProtokoll>( defaultRepo.entityManager("land"),
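Review bot: Only the list endpoint of StatusService gains the measurement check, whereas KommentarMService and MesswertService also get one in their by-id methods in this changeset and no such hunk exists for this file. If StatusService has a single-record GET, it should resolve the entry's `LMessung` and apply the same `isAuthorized` pair before returning; otherwise a status entry the list refuses could still be read by id. Whether that method exists or is already protected is not visible here.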
--- a/src/main/java/de/intevation/lada/util/auth/Authorization.java Thu Nov 19 12:13:10 2015 +0100 +++ b/src/main/java/de/intevation/lada/util/auth/Authorization.java Thu Nov 19 16:55:32 2015 +0100 @@ -20,6 +20,7 @@ public <T> Response filter(Object source, Response data, Class<T> clazz); public <T> boolean isAuthorized( Object source, Object data, RequestMethod method, Class<T> clazz); + public <T> boolean isAuthorized(int id, Class<T> clazz); public boolean isAuthorized(UserInfo userInfo, Object data); boolean isReadOnly(Integer probeId); }
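Review bot: The new overload `isAuthorized(int id, Class<T> clazz)` takes no user or request, so unlike its siblings it cannot answer whether a particular caller may access the object. Judging from HeaderAuthorization in this commit, it decides from the record's status alone. That difference should be stated in Javadoc on the interface, for example `/** Returns true if the object with the given id is readable regardless of the requesting user. */`, so that callers do not use it in place of the per-user check.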
--- a/src/main/java/de/intevation/lada/util/auth/DefaultAuthorization.java Thu Nov 19 12:13:10 2015 +0100 +++ b/src/main/java/de/intevation/lada/util/auth/DefaultAuthorization.java Thu Nov 19 16:55:32 2015 +0100 @@ -86,4 +86,9 @@ public boolean isAuthorized(UserInfo userInfo, Object data) { return true; } + + @Override + public <T> boolean isAuthorized(int id, Class<T> clazz) { + return true; + } }
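Review bot: This implementation grants access unconditionally, and TestAuthorization.java receives the same `return true;` body in this commit. In the services this overload is the fallback once the per-user check has failed, so an implementation that always returns true here makes the deny branch unreachable. If that is intended for these two classes, a one-line comment such as `// no status check in this implementation: always allow` would record the decision; otherwise `return false;` is the safer default.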
--- a/src/main/java/de/intevation/lada/util/auth/HeaderAuthorization.java Thu Nov 19 12:13:10 2015 +0100 +++ b/src/main/java/de/intevation/lada/util/auth/HeaderAuthorization.java Thu Nov 19 16:55:32 2015 +0100 @@ -107,6 +107,28 @@ return data; } + @Override + public <T> boolean isAuthorized(int id, Class<T> clazz) { + if (clazz == LMessung.class) { + LMessung messung = repository.getByIdPlain( + LMessung.class, + id, + "land"); + if (messung.getStatus() == null) { + return false; + } + LStatusProtokoll status = repository.getByIdPlain( + LStatusProtokoll.class, + messung.getStatus(), + "land"); + if (status.getStatusWert() == 0) { + return false; + } + return true; + } + return false; + } + /** * Check whether a user is authorized to operate on the given data. * @@ -190,7 +212,14 @@ messung.getProbeId(), "land"); LProbe probe = (LProbe)pResponse.getData(); - return !this.isMessungReadOnly(messung) && + if (messung.getStatus() == null) { + return false; + } + LStatusProtokoll status = repository.getByIdPlain( + LStatusProtokoll.class, + messung.getStatus(), + "land"); + return status.getStatusWert() == 0 && getAuthorization(userInfo, probe); } } @@ -595,6 +624,10 @@ if (data instanceof LProbe) { return getAuthorization(userInfo, (LProbe)data); } + else if (data instanceof LMessung) { + LProbe probe = repository.getByIdPlain(LProbe.class, ((LMessung)data).getProbeId(), "land"); + return getAuthorization(userInfo, probe); + } return false; }
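Review bot: In the new `isAuthorized(int id, Class<T> clazz)` both lookups are dereferenced unchecked: `messung.getStatus()` throws if no `LMessung` has that id, and `status.getStatusWert()` throws if the referenced `LStatusProtokoll` is missing. Because the id comes from the `messungsId` query parameter in the services, the method should fail closed, e.g. `if (messung == null || messung.getStatus() == null) { return false; }` and `if (status == null || status.getStatusWert() == 0) { return false; }`. The second hunk adds the same unchecked `status` lookup, and the third passes an unchecked `probe` to `getAuthorization(userInfo, probe)`. The new method also has no Javadoc, while the method after it does.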
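Review bot: The literal `0` in `status.getStatusWert() == 0` (second hunk) is undocumented and has opposite outcomes in this file: in the new `isAuthorized(int, Class)` it means the record is not readable, while here it is the precondition for the per-user grant. A comment stating what status value 0 represents, or a named constant, would make both checks reviewable, and the duplicated status lookup could move into one private helper. The hunk also drops the call to `isMessungReadOnly(messung)`; whether that method is still used elsewhere is not visible. The enclosing method starts outside the hunk.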
--- a/src/main/java/de/intevation/lada/util/auth/TestAuthorization.java Thu Nov 19 12:13:10 2015 +0100 +++ b/src/main/java/de/intevation/lada/util/auth/TestAuthorization.java Thu Nov 19 16:55:32 2015 +0100 @@ -58,4 +58,9 @@ return false; } + @Override + public <T> boolean isAuthorized(int id, Class<T> clazz) { + return true; + } + }