changeset 1292:588f6deae24a

Fix authorization for OrtszuordnungMp and friends. Setting readonly equal to owner implied an owner cannot edit its own objects. That was probably not intended. As many of the conditionals actually evaluated to doing nothing, those were removed.
author Tom Gottfried <tom@intevation.de>
date Wed, 08 Feb 2017 19:56:01 +0100
parents d48e1636fb0b
children 559d230cbecb
files src/main/java/de/intevation/lada/util/auth/MessprogrammIdAuthorizer.java
diffstat 1 files changed, 8 insertions(+), 18 deletions(-) [+]
line wrap: on
line diff
--- a/src/main/java/de/intevation/lada/util/auth/MessprogrammIdAuthorizer.java	Wed Feb 08 18:32:09 2017 +0100
+++ b/src/main/java/de/intevation/lada/util/auth/MessprogrammIdAuthorizer.java	Wed Feb 08 19:56:01 2017 +0100
@@ -13,7 +13,6 @@
 import java.util.List;
 
 import de.intevation.lada.model.land.Messprogramm;
-import de.intevation.lada.model.stammdaten.MessStelle;
 import de.intevation.lada.util.rest.RequestMethod;
 import de.intevation.lada.util.rest.Response;
 
@@ -91,26 +90,17 @@
             else {
                 return null;
             }
-            Messprogramm messprogramm =
-                (Messprogramm)repository.getById(Messprogramm.class, id, "land").getData();
+            Messprogramm messprogramm = repository.getByIdPlain(
+                Messprogramm.class, id, "land");
 
-            boolean readOnly = true;
             boolean owner = false;
-            MessStelle mst = repository.getByIdPlain(MessStelle.class, messprogramm.getMstId(), "stamm");
-            if (!userInfo.getNetzbetreiber().contains(
-                    mst.getNetzbetreiberId())) {
-                owner = false;
-                readOnly = true;
+            if (userInfo.belongsTo(
+                    messprogramm.getMstId(),
+                    messprogramm.getLaborMstId())
+            ) {
+                owner = true;
             }
-            else {
-                if (userInfo.belongsTo(messprogramm.getMstId(), messprogramm.getLaborMstId())) {
-                    owner = true;
-                }
-                else {
-                    owner = false;
-                }
-                readOnly = owner;
-            }
+            boolean readOnly = !owner;
 
             Method setOwner = clazz.getMethod("setOwner", boolean.class);
             Method setReadonly = clazz.getMethod("setReadonly", boolean.class);
This site is hosted by Intevation GmbH (Datenschutzerklärung und Impressum | Privacy Policy and Imprint)