changeset 957:4657811fd133

Allow a user only to manipulate Ort with own Netzbetreiber.
author Tom Gottfried <tom@intevation.de>
date Wed, 25 May 2016 18:21:54 +0200
parents 539eb174bf23
children ac7985874392
files src/main/java/de/intevation/lada/util/auth/NetzbetreiberAuthorizer.java
diffstat 1 files changed, 6 insertions(+), 1 deletions(-) [+]
--- a/src/main/java/de/intevation/lada/util/auth/NetzbetreiberAuthorizer.java	Wed May 25 18:10:14 2016 +0200
+++ b/src/main/java/de/intevation/lada/util/auth/NetzbetreiberAuthorizer.java	Wed May 25 18:21:54 2016 +0200
@@ -12,6 +12,7 @@
 
 import de.intevation.lada.util.rest.RequestMethod;
 import de.intevation.lada.util.rest.Response;
+import de.intevation.lada.model.stamm.Ort;
 
 public class NetzbetreiberAuthorizer extends BaseAuthorizer {
 
@@ -41,7 +42,11 @@
             method == RequestMethod.PUT ||
             method == RequestMethod.DELETE) &&
             (userInfo.getFunktionenForNetzbetreiber(id).contains(4) ||
-             clazz.getName().equals("de.intevation.lada.model.stamm.Ort"));
+            // XXX: this currently allows any user, regardless of function,
+            // to manipulate and delete any ort of his own netzbetreiber!
+             clazz.getName().equals("de.intevation.lada.model.stamm.Ort") &&
+             userInfo.getNetzbetreiber().contains(
+                 ((Ort)data).getNetzbetreiberId()));
     }
 
     @Override
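Review bot: The added ownership test `userInfo.getNetzbetreiber().contains(((Ort)data).getNetzbetreiberId())` takes the Netzbetreiber from `data` itself. The hunk does not show where `data` comes from, so this is a caveat to confirm: if `data` is the object built from the PUT or DELETE request body, the check confirms the caller's own claim, not the owner of the stored record. In that case the persisted Ort should be loaded by its id and its `getNetzbetreiberId()` compared instead. Separately, the cast is guarded only by a string comparison on `clazz`, which is passed independently of `data`, so a mismatch or a null `data` surfaces as an exception rather than a denial. Now that `Ort` is imported, `(data instanceof Ort && userInfo.getNetzbetreiber().contains(((Ort) data).getNetzbetreiberId()))` ties the guard to the cast, and the parentheses make the `||`/`&&` grouping explicit. The enclosing method starts outside the hunk.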