Mercurial > lada > lada-server
changeset 1292:588f6deae24a
Fix authorization for OrtszuordnungMp and friends.
Setting readonly equal to owner implied an owner cannot edit its own
objects. That was probably not intended. As many of the conditionals
actually evaluated to doing nothing, those were removed.
| author | Tom Gottfried <tom@intevation.de> |
|---|---|
| date | Wed, 08 Feb 2017 19:56:01 +0100 |
| parents | d48e1636fb0b |
| children | 559d230cbecb |
| files | src/main/java/de/intevation/lada/util/auth/MessprogrammIdAuthorizer.java |
| diffstat | 1 files changed, 8 insertions(+), 18 deletions(-) [+] |
line wrap: on
line diff
--- a/src/main/java/de/intevation/lada/util/auth/MessprogrammIdAuthorizer.java Wed Feb 08 18:32:09 2017 +0100 +++ b/src/main/java/de/intevation/lada/util/auth/MessprogrammIdAuthorizer.java Wed Feb 08 19:56:01 2017 +0100 @@ -13,7 +13,6 @@ import java.util.List; import de.intevation.lada.model.land.Messprogramm; -import de.intevation.lada.model.stammdaten.MessStelle; import de.intevation.lada.util.rest.RequestMethod; import de.intevation.lada.util.rest.Response; @@ -91,26 +90,17 @@ else { return null; } - Messprogramm messprogramm = - (Messprogramm)repository.getById(Messprogramm.class, id, "land").getData(); + Messprogramm messprogramm = repository.getByIdPlain( + Messprogramm.class, id, "land"); - boolean readOnly = true; boolean owner = false; - MessStelle mst = repository.getByIdPlain(MessStelle.class, messprogramm.getMstId(), "stamm"); - if (!userInfo.getNetzbetreiber().contains( - mst.getNetzbetreiberId())) { - owner = false; - readOnly = true; + if (userInfo.belongsTo( + messprogramm.getMstId(), + messprogramm.getLaborMstId()) + ) { + owner = true; } - else { - if (userInfo.belongsTo(messprogramm.getMstId(), messprogramm.getLaborMstId())) { - owner = true; - } - else { - owner = false; - } - readOnly = owner; - } + boolean readOnly = !owner; Method setOwner = clazz.getMethod("setOwner", boolean.class); Method setReadonly = clazz.getMethod("setReadonly", boolean.class);