changeset 965:ad69878b7280

Authorize status change only for matching user. Matching means belonging to the MessStelle respectively Netzbetreiber of the probe.
author Tom Gottfried <tom@intevation.de>
date Wed, 01 Jun 2016 15:25:08 +0200
parents 3c1b1631e474
children bc44dcda6f69
files db_schema/stammdaten_schema.sql src/main/java/de/intevation/lada/rest/StatusService.java src/main/java/de/intevation/lada/util/auth/MessungAuthorizer.java
diffstat 3 files changed, 53 insertions(+), 20 deletions(-) [+]
--- a/db_schema/stammdaten_schema.sql	Mon May 30 16:11:24 2016 +0200
+++ b/db_schema/stammdaten_schema.sql	Wed Jun 01 15:25:08 2016 +0200
@@ -140,7 +140,7 @@
 
 CREATE TABLE mess_stelle (
     id character varying(5) PRIMARY KEY,
-    netzbetreiber_id character varying(2),
+    netzbetreiber_id character varying(2) NOT NULL,
     beschreibung character varying(300),
     mess_stelle character varying(60),
     mst_typ character varying(1),
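Review bot: The `NOT NULL` added to `mess_stelle.netzbetreiber_id` only takes effect for databases created from this file, and none of the three files in this changeset is a migration, so an already deployed database would keep the nullable column. The Netzbetreiber comparison added to StatusService.java reads this column through `getNetzbetreiberId()`, so the guarantee matters for the authorization check. If installations exist, ship the equivalent statement alongside the change (assuming PostgreSQL, `ALTER TABLE mess_stelle ALTER COLUMN netzbetreiber_id SET NOT NULL;` once NULL rows are cleaned up), or document the manual step. The CREATE TABLE statement continues outside the hunk, so other constraints on the column cannot be judged from here.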
--- a/src/main/java/de/intevation/lada/rest/StatusService.java	Mon May 30 16:11:24 2016 +0200
+++ b/src/main/java/de/intevation/lada/rest/StatusService.java	Wed Jun 01 15:25:08 2016 +0200
@@ -35,6 +35,7 @@
 import de.intevation.lada.model.land.LMessung;
 import de.intevation.lada.model.land.LProbe;
 import de.intevation.lada.model.land.LStatusProtokoll;
+import de.intevation.lada.model.stamm.MessStelle;
 import de.intevation.lada.util.annotation.AuthorizationConfig;
 import de.intevation.lada.util.annotation.RepositoryConfig;
 import de.intevation.lada.util.auth.Authorization;
@@ -237,6 +238,7 @@
             return new Response(false, 697, null);
         }
 
+        // Is user authorized to edit status at all?
         Response r = authorization.filter(
             request,
             new Response(true, 200, messung),
@@ -245,8 +247,7 @@
         if (filteredMessung.getStatusEdit() == false) {
             return new Response(false, 699, null);
         }
-        boolean next = false;
-        boolean change = false;
+
         if (messung.getStatus() == null) {
             status.setStatusStufe(1);
         }
@@ -254,11 +255,12 @@
             LStatusProtokoll currentStatus = defaultRepo.getByIdPlain(
                 LStatusProtokoll.class, messung.getStatus(), "land");
 
+            String probeMstId = defaultRepo.getByIdPlain(
+                LProbe.class,
+                messung.getProbeId(),
+                "land").getMstId();
+
             if (currentStatus.getStatusWert() == 4) {
-                LProbe probe = defaultRepo.getByIdPlain(
-                    LProbe.class,
-                    messung.getProbeId(),
-                    "land");
                 if (status.getStatusWert() == 4
                     && userInfo.getMessstellen().contains(
                         currentStatus.getErzeuger())
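Review bot: The added lookup dereferences the result of `defaultRepo.getByIdPlain(LProbe.class, …)` directly with `.getMstId()`, and it now runs for every status value instead of only when `getStatusWert() == 4`. If the repository can return null for a missing probe (not visible here), the request ends in a NullPointerException instead of an error Response. The same probe is loaded a second time in the loop of the last StatusService.java hunk to read `getNetzbetreiberId()`. Keeping the entity, `LProbe probe = defaultRepo.getByIdPlain(LProbe.class, messung.getProbeId(), "land");`, followed by a null check, would let both ids be read from one object with one query. The enclosing method starts and ends outside the hunk.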
@@ -269,9 +271,9 @@
                     status.setStatusStufe(currentStatus.getStatusStufe());
                 }
                 else if (
-                    userInfo.getFunktionenForMst(probe.getMstId())
+                    userInfo.getFunktionenForMst(probeMstId)
                         .contains(1)
-                    && probe.getMstId().equals(status.getErzeuger())
+                    && probeMstId.equals(status.getErzeuger())
                 ) {
                     status.setStatusStufe(1);
                 }
@@ -280,23 +282,52 @@
                 }
             }
             else {
-                for (int i = 0;
-                    i < userInfo.getFunktionenForMst(status.getErzeuger()).size();
-                    i++
+                boolean next = false; // Do we advance to next 'stufe'?
+                boolean change = false; // Do we change status on same 'stufe'?
+
+                // XXX: It's assumed here, that MessStelle:function is a
+                // 1:1-relationship, which is not enforced by the model
+                // (there is no such constraint in stammdaten.auth).
+                // Thus, next and change will be set based
+                // on whichever function is the first match, which is
+                // not necessary the users intention, if he has more than
+                // one function for the matching Messstelle.
+
+                // XXX: It's assumed here, that an 'Erzeuger' is an instance
+                // of 'Messstelle', but the model does not enforce it!
+                for (Integer function :
+                         userInfo.getFunktionenForMst(status.getErzeuger())
                 ) {
-                    if (userInfo.getFunktionenForMst(status.getErzeuger())
-                            .get(i).equals(currentStatus.getStatusStufe() + 1)
-                        && currentStatus.getStatusWert() != 0
-                    ) {
+                    if (function.equals(currentStatus.getStatusStufe() + 1)
+                        && currentStatus.getStatusWert() != 0) {
                         next = true;
                     }
-                    else if (userInfo.getFunktionenForMst(
-                        status.getErzeuger()).get(i) ==
-                            currentStatus.getStatusStufe()
-                    ) {
+                    else if (function == currentStatus.getStatusStufe()) {
+                        if (currentStatus.getStatusStufe() == 1
+                            && !status.getErzeuger().equals(probeMstId)) {
+                            logger.debug(
+                                "Messstelle does not match for change");
+                            return new Response(false, 699, null);
+                        }
+
+                        String pNetzbetreiber = defaultRepo.getByIdPlain(
+                            LProbe.class,
+                            messung.getProbeId(),
+                            "land").getNetzbetreiberId();
+                        String sNetzbetreiber = defaultRepo.getByIdPlain(
+                            MessStelle.class,
+                            status.getErzeuger(),
+                            "stamm").getNetzbetreiberId();
+                        if (currentStatus.getStatusStufe() == 2
+                            && !pNetzbetreiber.equals(sNetzbetreiber)){
+                            logger.debug(
+                                "Netzbetreiber does not match for change");
+                            return new Response(false, 699, null);
+                        }
                         change = true;
                     }
                 }
+
                 if (change &&
                     status.getStatusWert() == 4 &&
                     status.getStatusStufe() > 1
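Review bot: The two new match checks sit only in the `else if (function == currentStatus.getStatusStufe())` branch, so the branch that sets `next = true` still decides purely on the functions the user holds for `status.getErzeuger()` (apparently a value from the submitted status), with no comparison against the probe's Messstelle or Netzbetreiber. Unless `next` is constrained further below (the code after `if (change && …` is outside the hunk), advancing a status is not limited to a matching user as the commit message intends; keying the checks on `function`, the level the user acts at, would cover both branches. The MessStelle lookup is dereferenced unchecked although the XXX comment says an Erzeuger need not be a Messstelle, and `pNetzbetreiber.equals(…)` uses the probe's value, whose nullability is not visible here, as the receiver; either case would surface as a NullPointerException rather than a 699. `function == currentStatus.getStatusStufe()` compares references if the getter returns `Integer`, so `function.equals(…)` as on the line above is safer. Denials are logged only at debug level; logging them at a level kept in production, with the user and Messung id, would make rejected attempts auditable.

```java
for (Integer function :
         userInfo.getFunktionenForMst(status.getErzeuger())
) {
    boolean advances =
        function.equals(currentStatus.getStatusStufe() + 1)
        && currentStatus.getStatusWert() != 0;
    boolean changes =
        function.equals(currentStatus.getStatusStufe());
    if (!advances && !changes) {
        continue;
    }

    // Apply the match rule for the level the user acts at,
    // before either flag is set.
    if (function == 1 && !status.getErzeuger().equals(probeMstId)) {
        logger.debug("Messstelle does not match for change");
        return new Response(false, 699, null);
    }
    if (function == 2) {
        // … unchanged: pNetzbetreiber read from the probe …
        MessStelle erzeuger = defaultRepo.getByIdPlain(
            MessStelle.class, status.getErzeuger(), "stamm");
        // Receiver is the NOT NULL column; a missing MessStelle is a denial.
        if (erzeuger == null
            || !erzeuger.getNetzbetreiberId().equals(pNetzbetreiber)) {
            logger.debug("Netzbetreiber does not match for change");
            return new Response(false, 699, null);
        }
    }

    if (advances) {
        next = true;
    }
    else {
        change = true;
    }
}
```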
--- a/src/main/java/de/intevation/lada/util/auth/MessungAuthorizer.java	Mon May 30 16:11:24 2016 +0200
+++ b/src/main/java/de/intevation/lada/util/auth/MessungAuthorizer.java	Wed Jun 01 15:25:08 2016 +0200
@@ -88,12 +88,14 @@
             messung.setStatusEdit(false);
             return messung;
         }
+
         if (userInfo.belongsTo(probe.getMstId(), probe.getLaborMstId())) {
             messung.setOwner(true);
         }
         else {
             messung.setOwner(false);
         }
+
         if (messung.getStatus() == null) {
             messung.setReadonly(false);
             messung.setStatusEdit(false);