changeset 802:b04e55896104
Authorize messwert, kommentar and status.
author | Raimund Renkert <raimund.renkert@intevation.de> |
---|---|
date | Thu, 19 Nov 2015 16:54:09 +0100 |
parents | d0510a89e701 |
children | 183396bac3fa |
files | src/main/java/de/intevation/lada/rest/KommentarMService.java src/main/java/de/intevation/lada/rest/MesswertService.java src/main/java/de/intevation/lada/rest/StatusService.java |
diffstat | 3 files changed, 78 insertions(+), 8 deletions(-) [+] |
--- a/src/main/java/de/intevation/lada/rest/KommentarMService.java Thu Nov 19 16:53:30 2015 +0100
+++ b/src/main/java/de/intevation/lada/rest/KommentarMService.java Thu Nov 19 16:54:09 2015 +0100
@@ -24,6 +24,7 @@
 import javax.ws.rs.core.UriInfo;
 import de.intevation.lada.model.land.LKommentarM;
+import de.intevation.lada.model.land.LMessung;
 import de.intevation.lada.util.annotation.AuthorizationConfig;
 import de.intevation.lada.util.annotation.RepositoryConfig;
 import de.intevation.lada.util.auth.Authorization;
@@ -103,9 +104,26 @@
 ) {
 MultivaluedMap<String, String> params = info.getQueryParameters();
 if (params.isEmpty() || !params.containsKey("messungsId")) {
- return defaultRepo.getAll(LKommentarM.class, "land");
+ return new Response(false, 699, null);
 }
 String messungId = params.getFirst("messungsId");
+ int id;
+ try {
+ id = Integer.valueOf(messungId);
+ }
+ catch(NumberFormatException nfe) {
+ return new Response(false, 699, null);
+ }
+ LMessung messung = defaultRepo.getByIdPlain(
+ LMessung.class,
+ id,
+ "land");
+ if (!authorization.isAuthorized(authorization.getInfo(request), messung)) {
+ if (!authorization.isAuthorized(id, LMessung.class)) {
+ return new Response(false, 699, null);
+ }
+ }
+
 QueryBuilder<LKommentarM> builder =
 new QueryBuilder<LKommentarM>(
 defaultRepo.entityManager("land"),
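Review bot: `defaultRepo.getByIdPlain(LMessung.class, id, "land")` is handed straight to `authorization.isAuthorized(authorization.getInfo(request), messung)` with no null check, so a well-formed `messungsId` that matches no record reaches the authorization code with a null `messung`. How `isAuthorized` treats null is not visible here; if it throws, the caller gets an unhandled error instead of the 699 refusal, and missing ids become distinguishable from forbidden ones. Adding `if (messung == null) { return new Response(false, 699, null); }` right after the lookup keeps the refusal uniform. The same lookup-then-check sequence appears in the list hunks of MesswertService (`-138,10`) and StatusService (`-132,9`). The enclosing method starts and ends outside this hunk.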
@@ -134,12 +152,22 @@
 @Context HttpServletRequest request,
 @PathParam("id") String id
 ) {
+ Response response =
+ defaultRepo.getById(LKommentarM.class, Integer.valueOf(id), "land");
+ LKommentarM kommentar = (LKommentarM)response.getData();
+ LMessung messung = defaultRepo.getByIdPlain(
+ LMessung.class,
+ kommentar.getMessungsId(),
+ "land");
+ if (!authorization.isAuthorized(authorization.getInfo(request), messung)) {
+ if (!authorization.isAuthorized(messung.getId(), LMessung.class)) {
+ return new Response(false, 699, null);
+ }
+ }
+
 return authorization.filter(
 request,
- defaultRepo.getById(
- LKommentarM.class,
- Integer.valueOf(id),
- "land"),
+ response,
 LKommentarM.class);
 }
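Review bot: The by-id path dereferences `kommentar.getMessungsId()` and, in the inner check, `messung.getId()` without guarding against a missing record, and `Integer.valueOf(id)` on the path parameter has none of the `NumberFormatException` handling that the list method received in this changeset. A request for an unknown or non-numeric id would presumably surface as a server error rather than the 699 refusal, and it would do so before any authorization decision is made. I would add `if (kommentar == null) { return new Response(false, 699, null); }` after the cast, the same guard for `messung`, and parse the id in a try/catch as the list method does. The block added in MesswertService's `-173,6` hunk has the same two dereferences. The method signature begins above this hunk.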
--- a/src/main/java/de/intevation/lada/rest/MesswertService.java Thu Nov 19 16:53:30 2015 +0100
+++ b/src/main/java/de/intevation/lada/rest/MesswertService.java Thu Nov 19 16:54:09 2015 +0100
@@ -31,6 +31,7 @@
 import de.intevation.lada.lock.LockConfig;
 import de.intevation.lada.lock.LockType;
 import de.intevation.lada.lock.ObjectLocker;
+import de.intevation.lada.model.land.LMessung;
 import de.intevation.lada.model.land.LMesswert;
 import de.intevation.lada.util.annotation.AuthorizationConfig;
 import de.intevation.lada.util.annotation.RepositoryConfig;
@@ -138,10 +139,25 @@
 ) {
 MultivaluedMap<String, String> params = info.getQueryParameters();
 if (params.isEmpty() || !params.containsKey("messungsId")) {
- logger.debug("get all");
- return defaultRepo.getAll(LMesswert.class, "land");
+ return new Response(false, 699, null);
 }
 String messungId = params.getFirst("messungsId");
+ int id;
+ try {
+ id = Integer.valueOf(messungId);
+ }
+ catch(NumberFormatException nfe) {
+ return new Response(false, 698, null);
+ }
+ LMessung messung = defaultRepo.getByIdPlain(
+ LMessung.class,
+ id,
+ "land");
+ if (!authorization.isAuthorized(authorization.getInfo(request), messung)) {
+ if (!authorization.isAuthorized(id, LMessung.class)) {
+ return new Response(false, 697, null);
+ }
+ }
 QueryBuilder<LMesswert> builder =
 new QueryBuilder<LMesswert>(
 defaultRepo.entityManager("land"),
@@ -173,6 +189,15 @@
 Response response =
 defaultRepo.getById(LMesswert.class, Integer.valueOf(id), "land");
 LMesswert messwert = (LMesswert)response.getData();
+ LMessung messung = defaultRepo.getByIdPlain(
+ LMessung.class,
+ messwert.getMessungsId(),
+ "land");
+ if (!authorization.isAuthorized(authorization.getInfo(request), messung)) {
+ if (!authorization.isAuthorized(messung.getId(), LMessung.class)) {
+ return new Response(false, 699, null);
+ }
+ }
 Violation violation = validator.validate(messwert);
 if (violation.hasErrors() || violation.hasWarnings()) {
 response.setErrors(violation.getErrors());
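Review bot: The three refusal paths in the list hunk (`-138,10`) return 699, 698 and 697, while the same three paths in KommentarMService all return 699, so a client sees different codes for the same condition depending on the service. The numbers are bare literals with no comment, and the nested `if` grants access when either `isAuthorized` overload passes, which is easy to misread as requiring both. I would name the codes as constants shared by the three services and put a comment above the check, such as `// allowed if the caller may see the Messung, or if the id-based check passes`. What the id-based overload actually tests is not visible here, so the author should confirm that wording.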
--- a/src/main/java/de/intevation/lada/rest/StatusService.java Thu Nov 19 16:53:30 2015 +0100
+++ b/src/main/java/de/intevation/lada/rest/StatusService.java Thu Nov 19 16:54:09 2015 +0100
@@ -132,9 +132,26 @@
 ) {
 MultivaluedMap<String, String> params = info.getQueryParameters();
 if (params.isEmpty() || !params.containsKey("messungsId")) {
- return defaultRepo.getAll(LStatusProtokoll.class, "land");
+ return new Response(false, 699, null);
 }
 String messungId = params.getFirst("messungsId");
+ int id;
+ try {
+ id = Integer.valueOf(messungId);
+ }
+ catch(NumberFormatException nfe) {
+ return new Response(false, 698, null);
+ }
+ LMessung messung = defaultRepo.getByIdPlain(
+ LMessung.class,
+ id,
+ "land");
+ if (!authorization.isAuthorized(authorization.getInfo(request), messung)) {
+ if (!authorization.isAuthorized(id, LMessung.class)) {
+ return new Response(false, 697, null);
+ }
+ }
+
 QueryBuilder<LStatusProtokoll> builder =
 new QueryBuilder<LStatusProtokoll>(
 defaultRepo.entityManager("land"),
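Review bot: Only the list method of StatusService gains the Messung check in this changeset; unlike KommentarMService and MesswertService there is no hunk for a by-id read, so if StatusService exposes one it may still return a status record without consulting the parent Messung. That method is not visible here, so this needs checking against the full file. The hunk also uses `LMessung` with no accompanying import hunk, which presumably means the import already existed. The enclosing method starts and ends outside the hunk.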