changeset 833:fa922101a462

Refactored Authorization. * Introduced "authorizer" * Attribute- and datatype-dependent authorization
author Raimund Renkert <raimund.renkert@intevation.de>
date Fri, 08 Jan 2016 12:05:26 +0100
parents 59c51da59b30
children cb1cfc8c81ed
files src/main/java/de/intevation/lada/importer/laf/LafWriter.java src/main/java/de/intevation/lada/rest/KommentarMService.java src/main/java/de/intevation/lada/rest/MesswertService.java src/main/java/de/intevation/lada/rest/ProbeService.java src/main/java/de/intevation/lada/rest/StatusService.java src/main/java/de/intevation/lada/util/auth/Authorization.java src/main/java/de/intevation/lada/util/auth/Authorizer.java src/main/java/de/intevation/lada/util/auth/BaseAuthorizer.java src/main/java/de/intevation/lada/util/auth/DefaultAuthorization.java src/main/java/de/intevation/lada/util/auth/HeaderAuthorization.java src/main/java/de/intevation/lada/util/auth/MessungAuthorizer.java src/main/java/de/intevation/lada/util/auth/MessungIdAuthorizer.java src/main/java/de/intevation/lada/util/auth/NetzbetreiberAuthorizer.java src/main/java/de/intevation/lada/util/auth/ProbeAuthorizer.java src/main/java/de/intevation/lada/util/auth/ProbeIdAuthorizer.java src/main/java/de/intevation/lada/util/auth/TestAuthorization.java
diffstat 16 files changed, 679 insertions(+), 499 deletions(-) [+]
--- a/src/main/java/de/intevation/lada/importer/laf/LafWriter.java	Fri Dec 18 18:01:00 2015 +0100
+++ b/src/main/java/de/intevation/lada/importer/laf/LafWriter.java	Fri Jan 08 12:05:26 2016 +0100
@@ -85,7 +85,7 @@
      * @return success
      */
     public boolean writeProbe(UserInfo userInfo, LProbe probe, ProbeTranslation probeTranslation) {
-        if (!authorization.isAuthorized(userInfo, probe)) {
+        if (!authorization.isAuthorized(userInfo, probe, LProbe.class)) {
             errors.add(new ReportItem("auth", "not authorized", 699));
             return false;
         }
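Review bot: `writeProbe` is a write path, but the overload it now calls, `isAuthorized(UserInfo, Object, Class)`, is implemented in this changeset's HeaderAuthorization hunk as a fixed read check (`authorizer.isAuthorized(data, RequestMethod.GET, userInfo, clazz)`), so whether the importer may create the probe is decided with GET semantics. The two-argument overload it replaces was an explicit Messstelle-ownership test; whether ProbeAuthorizer's GET branch is equally strict is not visible on this page. The smallest improvement is a Javadoc on the three-argument overload in Authorization, `Read-level (GET) check on behalf of an already resolved user; write paths should use the RequestMethod variant`, and, if the importer genuinely needs write semantics without a request, a UserInfo-based variant that takes the RequestMethod. The same point applies to the HeaderAuthorization hunk that defines the overload.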
--- a/src/main/java/de/intevation/lada/rest/KommentarMService.java	Fri Dec 18 18:01:00 2015 +0100
+++ b/src/main/java/de/intevation/lada/rest/KommentarMService.java	Fri Jan 08 12:05:26 2016 +0100
@@ -118,10 +118,8 @@
             LMessung.class,
             id,
             "land");
-        if (!authorization.isAuthorized(authorization.getInfo(request), messung)) {
-            if (!authorization.isAuthorized(id, LMessung.class)) {
-                return new Response(false, 699, null);
-            }
+        if (!authorization.isAuthorized(request, messung, RequestMethod.GET, LMessung.class)) {
+            return new Response(false, 699, null);
         }
 
         QueryBuilder<LKommentarM> builder =
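Review bot: The replaced check was a disjunction — the caller owned the Messung, or `isAuthorized(id, LMessung.class)` accepted it because its status was set — whereas the new code asks a single GET question, so the status-based read fallback now has to be reproduced inside MessungAuthorizer's GET branch; that class starts at the end of this page and is cut off, so I could not confirm it does. The same replacement is made in the second hunk of this file, in both MesswertService hunks and in the first StatusService hunk, so any divergence affects all of them. Separately, `messung` comes straight from `getByIdPlain` and is handed to the authorizer without a null check; if the repository returns null for an unknown id, the failure presumably surfaces inside the authorizer rather than here, and a guard `if (messung == null) { return new Response(false, 699, null); }` before the call would keep that explicit.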
@@ -159,10 +157,8 @@
             LMessung.class,
             kommentar.getMessungsId(),
             "land");
-        if (!authorization.isAuthorized(authorization.getInfo(request), messung)) {
-            if (!authorization.isAuthorized(messung.getId(), LMessung.class)) {
-                return new Response(false, 699, null);
-            }
+        if (!authorization.isAuthorized(request, messung, RequestMethod.GET, LMessung.class)) {
+            return new Response(false, 699, null);
         }
 
         return authorization.filter(
--- a/src/main/java/de/intevation/lada/rest/MesswertService.java	Fri Dec 18 18:01:00 2015 +0100
+++ b/src/main/java/de/intevation/lada/rest/MesswertService.java	Fri Jan 08 12:05:26 2016 +0100
@@ -153,10 +153,13 @@
             LMessung.class,
             id,
             "land");
-        if (!authorization.isAuthorized(authorization.getInfo(request), messung)) {
-            if (!authorization.isAuthorized(id, LMessung.class)) {
-                return new Response(false, 697, null);
-            }
+        if (!authorization.isAuthorized(
+                request,
+                messung,
+                RequestMethod.GET,
+                LMessung.class)
+        ) {
+            return new Response(false, 697, null);
         }
         QueryBuilder<LMesswert> builder =
             new QueryBuilder<LMesswert>(
@@ -193,10 +196,13 @@
             LMessung.class,
             messwert.getMessungsId(),
             "land");
-        if (!authorization.isAuthorized(authorization.getInfo(request), messung)) {
-            if (!authorization.isAuthorized(messung.getId(), LMessung.class)) {
-                return new Response(false, 699, null);
-            }
+        if (!authorization.isAuthorized(
+            request,
+            messung,
+            RequestMethod.GET,
+            LMessung.class)
+        ) {
+            return new Response(false, 699, null);
         }
         Violation violation = validator.validate(messwert);
         if (violation.hasErrors() || violation.hasWarnings()) {
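Review bot: This is a write path (the validator runs on `messwert` right after the check), yet the only authorization visible in the hunk is a GET check on the parent Messung, not a POST/PUT check on the Messwert itself. The enclosing method continues past the hunk, so a second check may follow; if it does not, add `if (!authorization.isAuthorized(request, messwert, RequestMethod.POST, LMesswert.class)) { return new Response(false, 699, null); }` after the parent check, which with this changeset's registry would route to MessungIdAuthorizer. The old code had the same read-level semantics here, so this is a pre-existing gap rather than a regression, but the refactoring makes the method-specific check cheap to add now.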
--- a/src/main/java/de/intevation/lada/rest/ProbeService.java	Fri Dec 18 18:01:00 2015 +0100
+++ b/src/main/java/de/intevation/lada/rest/ProbeService.java	Fri Jan 08 12:05:26 2016 +0100
@@ -238,13 +238,13 @@
                 boolean readOnly =
                     authorization.isReadOnly((Integer)entry.get("id"));
                 entry.put("readonly", readOnly);
-                UserInfo ui = authorization.getInfo(request);
                 QueryBuilder<LProbe> builder = new QueryBuilder<LProbe>(
                     defaultRepo.entityManager("land"), LProbe.class);
                 builder.and("id", (Integer)entry.get("id"));
                 Response r = defaultRepo.filter(builder.getQuery(), "land");
                 List<LProbe> probe = (List<LProbe>)r.getData();
-                entry.put("owner", authorization.isAuthorized(ui, probe.get(0)));
+                entry.put("owner", authorization.isAuthorized(
+                    request, probe.get(0), RequestMethod.GET, LProbe.class));
             }
             return new Response(true, 200, subList, result.size());
         }
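Review bot: The `owner` flag now means "GET is authorized for this probe" according to ProbeAuthorizer, whereas the removed two-argument overload tested Messstelle membership; if the client uses `owner` to enable editing, confirm that ProbeAuthorizer's GET branch (not on this page) is equivalent. Dropping `UserInfo ui` also means the four-argument overload has to resolve the user from `request` once per entry in the loop, which presumably re-parses the headers each time. Keeping `UserInfo ui = authorization.getInfo(request);` (hoisted above the loop) and calling `authorization.isAuthorized(ui, probe.get(0), LProbe.class)` avoids that and still goes through the new authorizer registry. `probe.get(0)` on an empty result is a pre-existing hazard if the id no longer exists.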
--- a/src/main/java/de/intevation/lada/rest/StatusService.java	Fri Dec 18 18:01:00 2015 +0100
+++ b/src/main/java/de/intevation/lada/rest/StatusService.java	Fri Jan 08 12:05:26 2016 +0100
@@ -146,10 +146,12 @@
             LMessung.class,
             id,
             "land");
-        if (!authorization.isAuthorized(authorization.getInfo(request), messung)) {
-            if (!authorization.isAuthorized(id, LMessung.class)) {
-                return new Response(false, 697, null);
-            }
+        if (!authorization.isAuthorized(
+            request,
+            messung,
+            RequestMethod.GET,
+            LMessung.class)) {
+            return new Response(false, 697, null);
         }
 
         QueryBuilder<LStatusProtokoll> builder =
@@ -227,14 +229,6 @@
         @Context HttpServletRequest request,
         LStatusProtokoll status
     ) {
-        if (!authorization.isAuthorized(
-                request,
-                status,
-                RequestMethod.POST,
-                LStatusProtokoll.class)
-        ) {
-            return new Response(false, 699, null);
-        }
         UserInfo userInfo = authorization.getInfo(request);
         LMessung messung = defaultRepo.getByIdPlain(
             LMessung.class, status.getMessungsId(), "land");
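Review bot: The POST authorization for `LStatusProtokoll` is removed from the status-creation endpoint and nothing in the hunk replaces it; the method continues past the hunk, so unless a check follows further down, any authenticated caller can now attach a status to a Messung. This changeset's HeaderAuthorization `init()` maps `LStatusProtokoll.class` to MessungIdAuthorizer, so the check would route correctly; if it was dropped because that authorizer is not ready, restore `if (!authorization.isAuthorized(request, status, RequestMethod.POST, LStatusProtokoll.class)) { return new Response(false, 699, null); }` rather than leaving the endpoint open in the meantime. If the role-based logic below the hunk is intended to be the authorization, a one-line comment at this spot saying so would stop the next reader from re-adding the check blindly.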
--- a/src/main/java/de/intevation/lada/util/auth/Authorization.java	Fri Dec 18 18:01:00 2015 +0100
+++ b/src/main/java/de/intevation/lada/util/auth/Authorization.java	Fri Jan 08 12:05:26 2016 +0100
@@ -20,7 +20,7 @@
     public <T> Response filter(Object source, Response data, Class<T> clazz);
     public <T> boolean isAuthorized(
         Object source, Object data, RequestMethod method, Class<T> clazz);
-    public <T> boolean isAuthorized(int id, Class<T> clazz);
-    public boolean isAuthorized(UserInfo userInfo, Object data);
+    //public <T> boolean isAuthorized(int id, Class<T> clazz);
+    public <T> boolean isAuthorized(UserInfo userInfo, Object data, Class<T> clazz);
     boolean isReadOnly(Integer probeId);
 }
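Review bot: The commented-out declaration `//public <T> boolean isAuthorized(int id, Class<T> clazz);` should be deleted rather than kept as dead text; the implementation is removed in the HeaderAuthorization hunk, so the line only invites someone to uncomment it. The new three-argument overload also has no Javadoc, and its behaviour is not obvious from the signature: HeaderAuthorization implements it as a fixed `RequestMethod.GET` check. A comment such as `Read-level (GET) check for an already resolved user; use the RequestMethod overload for writes.` would make that explicit for callers like LafWriter.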
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/main/java/de/intevation/lada/util/auth/Authorizer.java	Fri Jan 08 12:05:26 2016 +0100
@@ -0,0 +1,18 @@
+package de.intevation.lada.util.auth;
+
+import de.intevation.lada.util.rest.RequestMethod;
+import de.intevation.lada.util.rest.Response;
+
+public interface Authorizer {
+
+    public <T> boolean isAuthorized(
+        Object data,
+        RequestMethod method,
+        UserInfo userInfo,
+        Class<T> clazz);
+
+    public <T> Response filter(
+        Response data,
+        UserInfo userInfo,
+        Class<T> clazz);
+}
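Review bot: The new public interface has no Javadoc, and its parameter order (`data, method, userInfo, clazz`) differs from Authorization's (`source, data, method, clazz`), which is easy to get wrong at call sites since `data` and `userInfo` are both typed loosely enough to swap silently in some cases. The contract of `filter` in particular needs stating: the HeaderAuthorization helpers it replaces mutated the passed Response via `setData` and returned it, so say whether implementations mutate `data` in place and whether a null `data` is allowed. The `public` modifiers on interface methods are redundant and can be dropped.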
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/main/java/de/intevation/lada/util/auth/BaseAuthorizer.java	Fri Jan 08 12:05:26 2016 +0100
@@ -0,0 +1,83 @@
+package de.intevation.lada.util.auth;
+
+import java.util.List;
+
+import javax.inject.Inject;
+import javax.persistence.EntityManager;
+
+import de.intevation.lada.model.land.LMessung;
+import de.intevation.lada.model.land.LProbe;
+import de.intevation.lada.model.land.LStatusProtokoll;
+import de.intevation.lada.util.annotation.RepositoryConfig;
+import de.intevation.lada.util.data.QueryBuilder;
+import de.intevation.lada.util.data.Repository;
+import de.intevation.lada.util.data.RepositoryType;
+import de.intevation.lada.util.rest.Response;
+
+public abstract class BaseAuthorizer implements Authorizer {
+
+    /**
+     * The Repository used to read from Database.
+     */
+    @Inject
+    @RepositoryConfig(type=RepositoryType.RO)
+    protected Repository repository;
+
+    /**
+     * Get the authorization of a single probe.
+     *
+     * @param userInfo  The user information.
+     * @param probe     The probe to authorize.
+     */
+    protected boolean getAuthorization(UserInfo userInfo, LProbe probe) {
+        if (userInfo.getMessstellen().contains(probe.getMstId())) {
+            return true;
+        }
+        else {
+            return false;
+        }
+    }
+
+    /**
+     * Test whether a probe is readonly.
+     *
+     * @param probeId   The probe Id.
+     * @return True if the probe is readonly.
+     */
+    public boolean isProbeReadOnly(Integer probeId) {
+        EntityManager manager = repository.entityManager("land");
+        QueryBuilder<LMessung> builder =
+            new QueryBuilder<LMessung>(
+                manager,
+                LMessung.class);
+        builder.and("probeId", probeId);
+        Response response = repository.filter(builder.getQuery(), "land");
+        @SuppressWarnings("unchecked")
+        List<LMessung> messungen = (List<LMessung>) response.getData();
+        for (int i = 0; i < messungen.size(); i++) {
+            if (messungen.get(i).getStatus() == null) {
+                return false;
+            }
+            LStatusProtokoll status = repository.getByIdPlain(
+                LStatusProtokoll.class, messungen.get(i).getStatus(), "land");
+            if (status.getStatusWert() != 0 && status.getStatusWert() != 4) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    public boolean isMessungReadOnly(Integer messungsId) {
+        LMessung messung =
+            repository.getByIdPlain(LMessung.class, messungsId, "land");
+        if (messung.getStatus() == null) {
+            return false;
+        }
+        LStatusProtokoll status = repository.getByIdPlain(
+            LStatusProtokoll.class,
+            messung.getStatus(),
+            "land");
+        return (status.getStatusWert() != 0 && status.getStatusWert() != 4);
+    }
+
+}
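Review bot: `isProbeReadOnly` returns false as soon as it meets a Messung whose status is null, before the remaining Messungen are examined, so a Probe with one unfinished and one finalised Messung is reported editable or read-only depending on the order the repository returns them. If the intended rule is "read-only once any Messung is finalised", the early return should be `continue;`; if the early return is deliberate, a comment saying so would help, because the logic is copied from the old HeaderAuthorization where it was equally order-dependent. `status` from `getByIdPlain` is dereferenced without a null check in both methods, and the status values `0` and `4` are magic numbers that deserve named constants. `getAuthorization` can simply be `return userInfo.getMessstellen().contains(probe.getMstId());`, and `isMessungReadOnly` lacks the Javadoc its siblings have.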
--- a/src/main/java/de/intevation/lada/util/auth/DefaultAuthorization.java	Fri Dec 18 18:01:00 2015 +0100
+++ b/src/main/java/de/intevation/lada/util/auth/DefaultAuthorization.java	Fri Jan 08 12:05:26 2016 +0100
@@ -83,12 +83,11 @@
      * @return true
      */
     @Override
-    public boolean isAuthorized(UserInfo userInfo, Object data) {
+    public <T> boolean isAuthorized(
+        UserInfo userInfo,
+        Object data,
+        Class<T> clazz) {
         return true;
     }
 
-    @Override
-    public <T> boolean isAuthorized(int id, Class<T> clazz) {
-        return true;
-    }
 }
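Review bot: The Javadoc above the new signature (its start is outside the hunk) still documents only the old two parameters; add `@param clazz The data object class; ignored by this implementation.` so the generic signature is described. Since this implementation grants every request, it is worth the Javadoc also saying that this class is a permit-all default and must not be the configured Authorization in production, if that is indeed its purpose.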
--- a/src/main/java/de/intevation/lada/util/auth/HeaderAuthorization.java	Fri Dec 18 18:01:00 2015 +0100
+++ b/src/main/java/de/intevation/lada/util/auth/HeaderAuthorization.java	Fri Jan 08 12:05:26 2016 +0100
@@ -7,23 +7,30 @@
  */
 package de.intevation.lada.util.auth;
 
-import java.lang.reflect.InvocationTargetException;
-import java.lang.reflect.Method;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 
+import javax.annotation.PostConstruct;
 import javax.inject.Inject;
 import javax.persistence.EntityManager;
 import javax.servlet.http.HttpServletRequest;
 
-import org.apache.log4j.Logger;
-
+import de.intevation.lada.model.land.LKommentarM;
+import de.intevation.lada.model.land.LKommentarP;
 import de.intevation.lada.model.land.LMessung;
+import de.intevation.lada.model.land.LMesswert;
+import de.intevation.lada.model.land.LOrtszuordnung;
 import de.intevation.lada.model.land.LProbe;
 import de.intevation.lada.model.land.LStatusProtokoll;
+import de.intevation.lada.model.land.LZusatzWert;
 import de.intevation.lada.model.stamm.Auth;
-import de.intevation.lada.model.stamm.AuthLstUmw;
+import de.intevation.lada.model.stamm.DatensatzErzeuger;
+import de.intevation.lada.model.stamm.MessprogrammKategorie;
+import de.intevation.lada.model.stamm.Ort;
+import de.intevation.lada.model.stamm.Probenehmer;
 import de.intevation.lada.util.annotation.AuthorizationConfig;
 import de.intevation.lada.util.annotation.RepositoryConfig;
 import de.intevation.lada.util.data.QueryBuilder;
@@ -41,18 +48,38 @@
 public class HeaderAuthorization implements Authorization {
 
     /**
-     * The logger used in this class.
-     */
-    @Inject
-    private Logger logger;
-
-    /**
      * The Repository used to read from Database.
      */
     @Inject
     @RepositoryConfig(type=RepositoryType.RO)
     private Repository repository;
 
+    @SuppressWarnings("rawtypes")
+    private Map<Class, Authorizer> authorizers;
+    @Inject ProbeAuthorizer probeAuthorizer;
+    @Inject MessungAuthorizer messungAuthorizer;
+    @Inject ProbeIdAuthorizer pIdAuthorizer;
+    @Inject MessungIdAuthorizer mIdAuthorizer;
+    @Inject NetzbetreiberAuthorizer netzAuthorizer;
+
+    @SuppressWarnings("rawtypes")
+    @PostConstruct
+    public void init() {
+        authorizers = new HashMap<Class, Authorizer>();
+        authorizers.put(LProbe.class, probeAuthorizer);
+        authorizers.put(LMessung.class, messungAuthorizer);
+        authorizers.put(LOrtszuordnung.class, pIdAuthorizer);
+        authorizers.put(LKommentarP.class, pIdAuthorizer);
+        authorizers.put(LZusatzWert.class, pIdAuthorizer);
+        authorizers.put(LKommentarM.class, mIdAuthorizer);
+        authorizers.put(LMesswert.class, mIdAuthorizer);
+        authorizers.put(LStatusProtokoll.class, mIdAuthorizer);
+        authorizers.put(Probenehmer.class, netzAuthorizer);
+        authorizers.put(DatensatzErzeuger.class, netzAuthorizer);
+        authorizers.put(MessprogrammKategorie.class, netzAuthorizer);
+        authorizers.put(Ort.class, netzAuthorizer);
+    }
+
     /**
      * Request user informations using the HttpServletRequest.
      *
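Review bot: `Map<Class, Authorizer>` uses a raw `Class`, which is what forces the two `@SuppressWarnings("rawtypes")`; declaring it as `private final Map<Class<?>, Authorizer> authorizers = new HashMap<>();` removes both suppressions and also means the map exists before `@PostConstruct` runs, so `filter`/`isAuthorized` cannot hit a null map if the bean is used before `init()` (for example when constructed directly in a test). The injected authorizer fields have no access modifier and should be `private` like `repository`. `init()` only populates the map and could be package-private; if the class is not meant to be extended, it is also the natural place for a short comment listing which entity types intentionally have no authorizer.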
@@ -89,44 +116,12 @@
         if (userInfo == null) {
             return data;
         }
-        if (clazz == LProbe.class) {
-            return this.authorizeProbe(userInfo, data);
-        }
-        if (clazz == LMessung.class) {
-            return this.authorizeMessung(userInfo, data);
-        }
-        Method[] methods = clazz.getMethods();
-        for (Method method: methods) {
-            if (method.getName().equals("getProbeId")) {
-                return this.authorizeWithProbeId(userInfo, data, clazz);
-            }
-            if (method.getName().equals("getMessungsId")) {
-                return this.authorizeWithMessungsId(userInfo, data, clazz);
-            }
+        Authorizer authorizer = authorizers.get(clazz);
+        //This is a hack... Allows wildcard for unknown classes.
+        if (authorizer == null) {
+            return data;
         }
-        return data;
-    }
-
-    @Override
-    public <T> boolean isAuthorized(int id, Class<T> clazz) {
-        if (clazz == LMessung.class) {
-            LMessung messung = repository.getByIdPlain(
-                LMessung.class,
-                id,
-                "land");
-            if (messung.getStatus() == null) {
-                return false;
-            }
-            LStatusProtokoll status = repository.getByIdPlain(
-                LStatusProtokoll.class,
-                messung.getStatus(),
-                "land");
-            if (status.getStatusWert() == 0) {
-                return false;
-            }
-            return true;
-        }
-        return false;
+        return authorizer.filter(data, userInfo, clazz);
     }
 
     /**
@@ -149,97 +144,12 @@
         if (userInfo == null) {
             return false;
         }
-        if (clazz == LProbe.class) {
-            LProbe probe = (LProbe)data;
-            if (method == RequestMethod.POST) {
-                return getAuthorization(userInfo, probe);
-            }
-            else if (method == RequestMethod.PUT ||
-                     method == RequestMethod.DELETE) {
-                return !isReadOnly(probe.getId());
-            }
-            else {
-                return false;
-            }
-        }
-        else if (clazz == LMessung.class) {
-            LMessung messung = (LMessung)data;
-            Response response =
-                repository.getById(LProbe.class, messung.getProbeId(), "land");
-            LProbe probe = (LProbe)response.getData();
-            if (method == RequestMethod.POST) {
-                return getAuthorization(userInfo, probe);
-            }
-            else if (method == RequestMethod.PUT ||
-                     method == RequestMethod.DELETE) {
-                return !this.isMessungReadOnly(messung) &&
-                    getAuthorization(userInfo, probe);
-            }
-        }
-        else {
-            Method[] methods = clazz.getMethods();
-            for (Method m: methods) {
-                if (m.getName().equals("getProbeId")) {
-                    Integer id;
-                    try {
-                        id = (Integer) m.invoke(data);
-                    } catch (IllegalAccessException | IllegalArgumentException
-                            | InvocationTargetException e) {
-                        logger.warn(e.getCause() + ": " + e.getMessage());
-                        return false;
-                    }
-                    Response response =
-                        repository.getById(LProbe.class, id, "land");
-                    LProbe probe = (LProbe)response.getData();
-                    return !isReadOnly(id) && getAuthorization(userInfo, probe);
-
-                }
-                if (m.getName().equals("getMessungsId")) {
-                    Integer id;
-                    try {
-                        id = (Integer) m.invoke(data);
-                    } catch (IllegalAccessException | IllegalArgumentException
-                            | InvocationTargetException e) {
-                        logger.warn(e.getCause() + ": " + e.getMessage());
-                        return false;
-                    }
-                    Response mResponse =
-                        repository.getById(LMessung.class, id, "land");
-                    LMessung messung = (LMessung)mResponse.getData();
-                    Response pResponse =
-                        repository.getById(
-                            LProbe.class,
-                            messung.getProbeId(),
-                            "land");
-                    LProbe probe = (LProbe)pResponse.getData();
-                    if (messung.getStatus() == null) {
-                        return false;
-                    }
-                    LStatusProtokoll status = repository.getByIdPlain(
-                        LStatusProtokoll.class,
-                        messung.getStatus(),
-                        "land");
-                    return status.getStatusWert() == 0 &&
-                        getAuthorization(userInfo, probe);
-                }
-            }
-        }
-        return true;
-    }
-
-    /**
-     * Get the authorization of a single probe.
-     *
-     * @param userInfo  The user information.
-     * @param probe     The probe to authorize.
-     */
-    private boolean getAuthorization(UserInfo userInfo, LProbe probe) {
-        if (userInfo.getMessstellen().contains(probe.getMstId())) {
+        Authorizer authorizer = authorizers.get(clazz);
+        //This is a hack... Allows wildcard for unknown classes.
+        if (authorizer == null) {
             return true;
         }
-        else {
-            return false;
-        }
+        return authorizer.isAuthorized(data, method, userInfo, clazz);
     }
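Review bot: The fallback for a class with no registered Authorizer is `return true`, i.e. fail-open: any entity type that is not listed in `init()` is not authorization-checked at all. The old code also ended in `return true` for classes without a `getProbeId`/`getMessungsId` method, so this is not a regression, but the registry now makes fail-closed feasible — `return false` here plus an explicit entry (even a permit-all authorizer) for the types that are meant to be unrestricted. If the wildcard has to stay for now, the comment should state the consequence rather than just calling it a hack, e.g. `// Types without a registered Authorizer are not checked at all (fail-open); register one in init() for every type that needs protection.`; the same wildcard appears in the three-argument `isAuthorized` hunk further down in this file. Note that the logger was removed in this changeset, so these unmatched classes are no longer observable anywhere.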
 
     /**
@@ -285,304 +195,6 @@
     }
 
     /**
-     * Authorize data that has a messungsId Attribute.
-     *
-     * @param userInfo  The user information.
-     * @param data      The Response object containing the data.
-     * @param clazz     The data object class.
-     * @return A Response object containing the data.
-     */
-    @SuppressWarnings("unchecked")
-    private <T> Response authorizeWithMessungsId(
-        UserInfo userInfo,
-        Response data,
-        Class<T> clazz
-    ) {
-        if (data.getData() instanceof List<?>) {
-            List<Object> objects = new ArrayList<Object>();
-            for (Object object :(List<Object>)data.getData()) {
-                objects.add(authorizeSingleWithMessungsId(userInfo, object, clazz));
-            }
-            data.setData(objects);
-        }
-        else {
-            Object object = data.getData();
-            data.setData(authorizeSingleWithMessungsId(userInfo, object, clazz));
-        }
-        return data;
-    }
-
-    /**
-     * Authorize data that has a probeId Attribute.
-     *
-     * @param userInfo  The user information.
-     * @param data      The Response object containing the data.
-     * @param clazz     The data object class.
-     * @return A Response object containing the data.
-     */
-    @SuppressWarnings("unchecked")
-    private <T> Response authorizeWithProbeId(
-        UserInfo userInfo,
-        Response data,
-        Class<T> clazz
-    ) {
-        if (data.getData() instanceof List<?>) {
-            List<Object> objects = new ArrayList<Object>();
-            for (Object object :(List<Object>)data.getData()) {
-                objects.add(authorizeSingleWithProbeId(
-                    userInfo,
-                    object,
-                    clazz));
-            }
-            data.setData(objects);
-        }
-        else {
-            Object object = data.getData();
-            data.setData(authorizeSingleWithProbeId(userInfo, object, clazz));
-        }
-        return data;
-    }
-
-    /**
-     * Authorize a single data object that has a messungsId Attribute.
-     *
-     * @param userInfo  The user information.
-     * @param data      The Response object containing the data.
-     * @param clazz     The data object class.
-     * @return A Response object containing the data.
-     */
-    private <T> Object authorizeSingleWithMessungsId(
-        UserInfo userInfo,
-        Object data,
-        Class<T> clazz
-    ) {
-        try {
-            Method getMessungsId = clazz.getMethod("getMessungsId");
-            Integer id = (Integer)getMessungsId.invoke(data);
-            LMessung messung =
-                (LMessung)repository.getById(
-                    LMessung.class, id, "land").getData();
-            LProbe probe =
-                (LProbe)repository.getById(
-                    LProbe.class, messung.getProbeId(), "land").getData();
-
-            boolean readOnly = true;
-            boolean owner = false;
-            if (!userInfo.getNetzbetreiber().contains(
-                    probe.getNetzbetreiberId())) {
-                owner = false;
-                readOnly = true;
-            }
-            else {
-                if (userInfo.getMessstellen().contains(probe.getMstId())) {
-                    owner = true;
-                }
-                else {
-                    owner = false;
-                }
-                readOnly = this.isMessungReadOnly(messung);
-            }
-
-            Method setOwner = clazz.getMethod("setOwner", boolean.class);
-            Method setReadonly = clazz.getMethod("setReadonly", boolean.class);
-            setOwner.invoke(data, owner);
-            setReadonly.invoke(data, readOnly);
-        } catch (NoSuchMethodException | SecurityException
-            | IllegalAccessException | IllegalArgumentException
-            | InvocationTargetException e) {
-            return null;
-        }
-        return data;
-    }
-
-    /**
-     * Authorize a single data object that has a probeId Attribute.
-     *
-     * @param userInfo  The user information.
-     * @param data      The Response object containing the data.
-     * @param clazz     The data object class.
-     * @return A Response object containing the data.
-     */
-    private <T> Object authorizeSingleWithProbeId(
-        UserInfo userInfo,
-        Object data,
-        Class<T> clazz
-    ) {
-        try {
-            Method getProbeId = clazz.getMethod("getProbeId");
-            Integer id = null;
-            if (getProbeId != null) {
-                id = (Integer) getProbeId.invoke(data);
-            }
-            else {
-                return null;
-            }
-            LProbe probe =
-                (LProbe)repository.getById(LProbe.class, id, "land").getData();
-
-            boolean readOnly = true;
-            boolean owner = false;
-            if (!userInfo.getNetzbetreiber().contains(
-                    probe.getNetzbetreiberId())) {
-                owner = false;
-                readOnly = true;
-            }
-            else {
-                if (userInfo.getMessstellen().contains(probe.getMstId())) {
-                    owner = true;
-                }
-                else {
-                    owner = false;
-                }
-                readOnly = this.isReadOnly(id);
-            }
-
-            Method setOwner = clazz.getMethod("setOwner", boolean.class);
-            Method setReadonly = clazz.getMethod("setReadonly", boolean.class);
-            setOwner.invoke(data, owner);
-            setReadonly.invoke(data, readOnly);
-        } catch (NoSuchMethodException | SecurityException
-            | IllegalAccessException | IllegalArgumentException
-            | InvocationTargetException e) {
-            return null;
-        }
-        return data;
-    }
-
-    /**
-     * Authorize probe objects.
-     *
-     * @param userInfo  The user information.
-     * @param data      The Response object containing the probe objects.
-     * @return A Response object containing the data.
-     */
-    @SuppressWarnings("unchecked")
-    private Response authorizeProbe(UserInfo userInfo, Response data) {
-        if (data.getData() instanceof List<?>) {
-            List<LProbe> proben = new ArrayList<LProbe>();
-            for (LProbe probe :(List<LProbe>)data.getData()) {
-                proben.add(authorizeSingleProbe(userInfo, probe));
-            }
-            data.setData(proben);
-        }
-        else if (data.getData() instanceof LProbe) {
-            LProbe probe = (LProbe)data.getData();
-            data.setData(authorizeSingleProbe(userInfo, probe));
-        }
-        return data;
-    }
-
-    /**
-     * Authorize a sinle probe object.
-     *
-     * @param userInfo  The user information.
-     * @param probe     The probe object.
-     * @return The probe.
-     */
-    private LProbe authorizeSingleProbe(UserInfo userInfo, LProbe probe) {
-        if (!userInfo.getNetzbetreiber().contains(probe.getNetzbetreiberId())) {
-            probe.setOwner(false);
-            probe.setReadonly(true);
-            return probe;
-        }
-        if (userInfo.getMessstellen().contains(probe.getMstId())) {
-            probe.setOwner(true);
-        }
-        else {
-            probe.setOwner(false);
-        }
-        probe.setReadonly(this.isReadOnly(probe.getId()));
-        return probe;
-    }
-
-    /**
-     * Authorize messung objects.
-     *
-     * @param userInfo  The user information.
-     * @param data      The Response object containing the messung objects.
-     * @return A Response object containing the data.
-     */
-    @SuppressWarnings("unchecked")
-    private Response authorizeMessung(UserInfo userInfo, Response data) {
-        if (data.getData() instanceof List<?>) {
-            List<LMessung> messungen = new ArrayList<LMessung>();
-            for (LMessung messung :(List<LMessung>)data.getData()) {
-                messungen.add(authorizeSingleMessung(userInfo, messung));
-            }
-            data.setData(messungen);
-        }
-        else if (data.getData() instanceof LMessung) {
-            LMessung messung = (LMessung)data.getData();
-            data.setData(authorizeSingleMessung(userInfo, messung));
-        }
-        return data;
-    }
-
-    /**
-     * Authorize a sinle messung object.
-     *
-     * @param userInfo  The user information.
-     * @param messung     The messung object.
-     * @return The messung.
-     */
-    private LMessung authorizeSingleMessung(
-        UserInfo userInfo,
-        LMessung messung
-    ) {
-        LProbe probe =
-            (LProbe)repository.getById(
-                LProbe.class, messung.getProbeId(), "land").getData();
-        if (!userInfo.getNetzbetreiber().contains(probe.getNetzbetreiberId())) {
-            messung.setOwner(false);
-            messung.setReadonly(true);
-            return messung;
-        }
-        if (userInfo.getMessstellen().contains(probe.getMstId())) {
-            messung.setOwner(true);
-        }
-        else {
-            messung.setOwner(false);
-        }
-        if (messung.getStatus() == null) {
-            messung.setReadonly(false);
-        }
-        else {
-            LStatusProtokoll status = repository.getByIdPlain(
-                LStatusProtokoll.class,
-                messung.getStatus(),
-                "land");
-            messung.setReadonly(
-                status.getStatusWert() != 0 && status.getStatusWert() != 4);
-        }
-
-        boolean statusEdit = false;
-        if (userInfo.getFunktionen().contains(3)) {
-            QueryBuilder<AuthLstUmw> lstFilter = new QueryBuilder<AuthLstUmw>(
-                repository.entityManager("stamm"),
-                AuthLstUmw.class);
-            lstFilter.or("lstId", userInfo.getMessstellen());
-            List<AuthLstUmw> lsts =
-                repository.filterPlain(lstFilter.getQuery(), "stamm");
-            for (int i = 0; i < lsts.size(); i++) {
-                if (lsts.get(i).getUmwId().equals(probe.getUmwId())) {
-                    statusEdit = true;
-                }
-            }
-        }
-        else if (userInfo.getFunktionen().contains(2) &&
-            userInfo.getNetzbetreiber().contains(probe.getNetzbetreiberId())) {
-            statusEdit = true;
-        }
-        else if (userInfo.getFunktionen().contains(1) &&
-            userInfo.getMessstellen().contains(probe.getMstId())) {
-            statusEdit = true;
-        }
-        messung.setStatusEdit(statusEdit);
-
-        return messung;
-    }
-
-    /**
      * Test whether a probe is readonly.
      *
      * @param probeId   The probe Id.
@@ -620,25 +232,16 @@
      * @return True if the user is authorized else returns false.
      */
     @Override
-    public boolean isAuthorized(UserInfo userInfo, Object data) {
-        if (data instanceof LProbe) {
-            return getAuthorization(userInfo, (LProbe)data);
-        }
-        else if (data instanceof LMessung) {
-            LProbe probe = repository.getByIdPlain(LProbe.class, ((LMessung)data).getProbeId(), "land");
-            return getAuthorization(userInfo, probe);
+    public <T> boolean isAuthorized(
+        UserInfo userInfo,
+        Object data,
+        Class<T> clazz
+    ) {
+        Authorizer authorizer = authorizers.get(clazz);
+        //This is a hack... Allows wildcard for unknown classes.
+        if (authorizer == null) {
+            return true;
         }
-        return false;
-    }
-
-    private boolean isMessungReadOnly(LMessung messung) {
-        if (messung.getStatus() == null) {
-            return false;
-        }
-        LStatusProtokoll status = repository.getByIdPlain(
-            LStatusProtokoll.class,
-            messung.getStatus(),
-            "land");
-        return (status.getStatusWert() != 0 && status.getStatusWert() != 4);
+        return authorizer.isAuthorized(data, RequestMethod.GET, userInfo, clazz);
     }
 }
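Review bot: The fallback `if (authorizer == null) { return true; }` in `isAuthorized` makes the check fail open: any entity class with no registered authorizer is granted access, and the comment itself calls it a hack. A missing registration is a configuration error and should deny, e.g. `if (authorizer == null) { return false; }`, ideally with a log line naming `clazz` so the gap is noticed during development rather than in production. Note also that this overload always passes `RequestMethod.GET` to the authorizer, so authorizers that only permit POST/PUT/DELETE (NetzbetreiberAuthorizer, ProbeAuthorizer below) reject every caller of it; if the overload is meant for read checks only, that should be stated. The Javadoc directly above (its start is in the previous hunk) still describes a `probeId` read-only test and should be rewritten for the new three-argument signature.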
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/main/java/de/intevation/lada/util/auth/MessungAuthorizer.java	Fri Jan 08 12:05:26 2016 +0100
@@ -0,0 +1,120 @@
+package de.intevation.lada.util.auth;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import de.intevation.lada.model.land.LMessung;
+import de.intevation.lada.model.land.LProbe;
+import de.intevation.lada.model.land.LStatusProtokoll;
+import de.intevation.lada.model.stamm.AuthLstUmw;
+import de.intevation.lada.util.data.QueryBuilder;
+import de.intevation.lada.util.rest.RequestMethod;
+import de.intevation.lada.util.rest.Response;
+
+public class MessungAuthorizer extends BaseAuthorizer {
+
+    @Override
+    public <T> boolean isAuthorized(
+        Object data,
+        RequestMethod method,
+        UserInfo userInfo,
+        Class<T> clazz
+    ) {
+        LMessung messung = (LMessung)data;
+        Response response =
+            repository.getById(LProbe.class, messung.getProbeId(), "land");
+        LProbe probe = (LProbe)response.getData();
+        if (method == RequestMethod.PUT ||
+                 method == RequestMethod.DELETE) {
+            return !this.isMessungReadOnly(messung.getId()) &&
+                getAuthorization(userInfo, probe);
+        }
+        return getAuthorization(userInfo, probe);
+    }
+
+    @SuppressWarnings("unchecked")
+    @Override
+    public <T> Response filter(
+        Response data,
+        UserInfo userInfo,
+        Class<T> clazz
+    ) {
+        if (data.getData() instanceof List<?>) {
+            List<LMessung> messungen = new ArrayList<LMessung>();
+            for (LMessung messung :(List<LMessung>)data.getData()) {
+                messungen.add(setAuthData(userInfo, messung));
+            }
+            data.setData(messungen);
+        }
+        else if (data.getData() instanceof LMessung) {
+            LMessung messung = (LMessung)data.getData();
+            data.setData(setAuthData(userInfo, messung));
+        }
+        return data;
+    }
+
+    /**
+     * Authorize a sinle messung object.
+     *
+     * @param userInfo  The user information.
+     * @param messung     The messung object.
+     * @return The messung.
+     */
+    private LMessung setAuthData(
+        UserInfo userInfo,
+        LMessung messung
+    ) {
+        LProbe probe =
+            (LProbe)repository.getById(
+                LProbe.class, messung.getProbeId(), "land").getData();
+        if (!userInfo.getNetzbetreiber().contains(probe.getNetzbetreiberId())) {
+            messung.setOwner(false);
+            messung.setReadonly(true);
+            return messung;
+        }
+        if (userInfo.getMessstellen().contains(probe.getMstId())) {
+            messung.setOwner(true);
+        }
+        else {
+            messung.setOwner(false);
+        }
+        if (messung.getStatus() == null) {
+            messung.setReadonly(false);
+        }
+        else {
+            LStatusProtokoll status = repository.getByIdPlain(
+                LStatusProtokoll.class,
+                messung.getStatus(),
+                "land");
+            messung.setReadonly(
+                status.getStatusWert() != 0 && status.getStatusWert() != 4);
+        }
+
+        boolean statusEdit = false;
+        if (userInfo.getFunktionen().contains(3)) {
+            QueryBuilder<AuthLstUmw> lstFilter = new QueryBuilder<AuthLstUmw>(
+                repository.entityManager("stamm"),
+                AuthLstUmw.class);
+            lstFilter.or("lstId", userInfo.getMessstellen());
+            List<AuthLstUmw> lsts =
+                repository.filterPlain(lstFilter.getQuery(), "stamm");
+            for (int i = 0; i < lsts.size(); i++) {
+                if (lsts.get(i).getUmwId().equals(probe.getUmwId())) {
+                    statusEdit = true;
+                }
+            }
+        }
+        else if (userInfo.getFunktionen().contains(2) &&
+            userInfo.getNetzbetreiber().contains(probe.getNetzbetreiberId())) {
+            statusEdit = true;
+        }
+        else if (userInfo.getFunktionen().contains(1) &&
+            userInfo.getMessstellen().contains(probe.getMstId())) {
+            statusEdit = true;
+        }
+        messung.setStatusEdit(statusEdit);
+
+        return messung;
+    }
+
+}
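Review bot: `setAuthData` re-implements the status test (`status.getStatusWert() != 0 && status.getStatusWert() != 4`) that `isAuthorized` in the same class already gets from `this.isMessungReadOnly(messung.getId())`; the whole `if (messung.getStatus() == null) … else { … }` block can collapse to `messung.setReadonly(this.isMessungReadOnly(messung.getId()));` so the two paths cannot drift apart. Both `isAuthorized` and `setAuthData` dereference the `LProbe` taken from `repository.getById(...).getData()` without a null check, so an unknown `probeId` presumably surfaces as a NullPointerException (a server error) rather than a denial. The loop over `lsts` keeps iterating after `statusEdit` has been set; a `break` there is free. The Javadoc on `setAuthData` has a typo, `sinle` → `single`.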
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/main/java/de/intevation/lada/util/auth/MessungIdAuthorizer.java	Fri Jan 08 12:05:26 2016 +0100
@@ -0,0 +1,131 @@
+package de.intevation.lada.util.auth;
+
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.util.ArrayList;
+import java.util.List;
+
+import de.intevation.lada.model.land.LMessung;
+import de.intevation.lada.model.land.LProbe;
+import de.intevation.lada.model.land.LStatusProtokoll;
+import de.intevation.lada.util.rest.RequestMethod;
+import de.intevation.lada.util.rest.Response;
+
+public class MessungIdAuthorizer extends BaseAuthorizer {
+
+    @Override
+    public <T> boolean isAuthorized(
+        Object data,
+        RequestMethod method,
+        UserInfo userInfo,
+        Class<T> clazz
+    ) {
+        Method m;
+        try {
+            m = clazz.getMethod("getMessungsId");
+        } catch (NoSuchMethodException | SecurityException e1) {
+            return false;
+        }
+        Integer id;
+        try {
+            id = (Integer) m.invoke(data);
+        } catch (IllegalAccessException |
+            IllegalArgumentException |
+            InvocationTargetException e
+        ) {
+            return false;
+        }
+        LMessung messung = repository.getByIdPlain(LMessung.class, id, "land");
+        LProbe probe = repository.getByIdPlain(
+            LProbe.class,
+            messung.getProbeId(),
+            "land");
+        if (messung.getStatus() == null) {
+            return false;
+        }
+        LStatusProtokoll status = repository.getByIdPlain(
+            LStatusProtokoll.class,
+            messung.getStatus(),
+            "land");
+        return (method == RequestMethod.POST ||
+                method == RequestMethod.PUT ||
+                method == RequestMethod.DELETE ||
+                status.getStatusWert() != 0) &&
+            getAuthorization(userInfo, probe);
+    }
+
+    @SuppressWarnings("unchecked")
+    @Override
+    public <T> Response filter(
+        Response data,
+        UserInfo userInfo,
+        Class<T> clazz
+    ) {
+        if (data.getData() instanceof List<?>) {
+            List<Object> objects = new ArrayList<Object>();
+            for (Object object :(List<Object>)data.getData()) {
+                objects.add(setAuthData(userInfo, object, clazz));
+            }
+            data.setData(objects);
+        }
+        else {
+            Object object = data.getData();
+            data.setData(setAuthData(userInfo, object, clazz));
+        }
+        return data;
+    }
+
+    /**
+     * Authorize a single data object that has a messungsId Attribute.
+     *
+     * @param userInfo  The user information.
+     * @param data      The Response object containing the data.
+     * @param clazz     The data object class.
+     * @return A Response object containing the data.
+     */
+    private <T> Object setAuthData(
+        UserInfo userInfo,
+        Object data,
+        Class<T> clazz
+    ) {
+        try {
+            Method getMessungsId = clazz.getMethod("getMessungsId");
+            Integer id = (Integer)getMessungsId.invoke(data);
+            LMessung messung = repository.getByIdPlain(
+                LMessung.class,
+                id,
+                "land");
+            LProbe probe = repository.getByIdPlain(
+                LProbe.class,
+                messung.getProbeId(),
+                "land");
+
+            boolean readOnly = true;
+            boolean owner = false;
+            if (!userInfo.getNetzbetreiber().contains(
+                    probe.getNetzbetreiberId())) {
+                owner = false;
+                readOnly = true;
+            }
+            else {
+                if (userInfo.getMessstellen().contains(probe.getMstId())) {
+                    owner = true;
+                }
+                else {
+                    owner = false;
+                }
+                readOnly = this.isMessungReadOnly(messung.getId());
+            }
+
+            Method setOwner = clazz.getMethod("setOwner", boolean.class);
+            Method setReadonly = clazz.getMethod("setReadonly", boolean.class);
+            setOwner.invoke(data, owner);
+            setReadonly.invoke(data, readOnly);
+        } catch (NoSuchMethodException | SecurityException
+            | IllegalAccessException | IllegalArgumentException
+            | InvocationTargetException e) {
+            return null;
+        }
+        return data;
+    }
+}
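Review bot: `isAuthorized` denies every request when `messung.getStatus() == null` (the `return false;` after the probe lookup), which inverts the convention of the removed `isMessungReadOnly` and of `setAuthData` in this class, where a messung without a status protocol is treated as writable; if that is unintended, the null case should skip the status test and fall through to `getAuthorization(userInfo, probe)`. `setAuthData` returns `null` whenever reflection fails and `filter` then stores that `null` in the response list in place of the object, so a class lacking `getMessungsId`/`setOwner`/`setReadonly` silently loses records instead of surfacing the error; ProbeIdAuthorizer.setAuthData has the same pattern. Both `catch` blocks drop the exception without logging, which makes a misconfigured entity class hard to diagnose. The result of `repository.getByIdPlain(LMessung.class, id, "land")` is dereferenced without a null check, so an unknown id yields a NullPointerException rather than a denial.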
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/main/java/de/intevation/lada/util/auth/NetzbetreiberAuthorizer.java	Fri Jan 08 12:05:26 2016 +0100
@@ -0,0 +1,49 @@
+package de.intevation.lada.util.auth;
+
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+
+import de.intevation.lada.util.rest.RequestMethod;
+import de.intevation.lada.util.rest.Response;
+
+public class NetzbetreiberAuthorizer extends BaseAuthorizer {
+
+    @Override
+    public <T> boolean isAuthorized(
+        Object data,
+        RequestMethod method,
+        UserInfo userInfo,
+        Class<T> clazz
+    ) {
+        Method m;
+        try {
+            m = clazz.getMethod("getNetzbetreiberId");
+        } catch (NoSuchMethodException | SecurityException e1) {
+            return false;
+        }
+        String id;
+        try {
+            id = (String) m.invoke(data);
+        } catch (IllegalAccessException |
+            IllegalArgumentException |
+            InvocationTargetException e
+        ) {
+            return false;
+        }
+        return (method == RequestMethod.POST ||
+            method == RequestMethod.PUT ||
+            method == RequestMethod.DELETE) &&
+            userInfo.getNetzbetreiber().contains(id) &&
+            userInfo.getFunktionen().contains(4);
+    }
+
+    @Override
+    public <T> Response filter(
+        Response data,
+        UserInfo userInfo,
+        Class<T> clazz
+    ) {
+        return data;
+    }
+
+}
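Review bot: `isAuthorized` returns `false` for every method other than POST, PUT and DELETE, so GET is never authorized by this class; because the three-argument `isAuthorized` in HeaderAuthorization hard-codes `RequestMethod.GET`, any read check routed through it for a Netzbetreiber-authorized class will be rejected. If reads are intentionally unrestricted here (consistent with `filter` passing the data through unchanged), make that explicit with a comment such as `// read access is not restricted by this authorizer` and an explicit GET branch rather than relying on the fall-through. `userInfo.getFunktionen().contains(4)` is a magic number, as are `1`, `2` and `3` in MessungAuthorizer; a named constant per function would document which role each value grants. Both `catch` blocks swallow the reflection failure without logging.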
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/main/java/de/intevation/lada/util/auth/ProbeAuthorizer.java	Fri Jan 08 12:05:26 2016 +0100
@@ -0,0 +1,73 @@
+package de.intevation.lada.util.auth;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import de.intevation.lada.model.land.LProbe;
+import de.intevation.lada.util.rest.RequestMethod;
+import de.intevation.lada.util.rest.Response;
+
+public class ProbeAuthorizer extends BaseAuthorizer {
+
+    @Override
+    public <T> boolean isAuthorized(
+        Object data,
+        RequestMethod method,
+        UserInfo userInfo,
+        Class<T> clazz
+    ) {
+        LProbe probe = (LProbe)data;
+        if (method == RequestMethod.POST) {
+            return getAuthorization(userInfo, probe);
+        }
+        else if (method == RequestMethod.PUT ||
+                 method == RequestMethod.DELETE) {
+            return !isProbeReadOnly(probe.getId());
+        }
+        return false;
+    }
+
+    @SuppressWarnings("unchecked")
+    @Override
+    public <T> Response filter(
+        Response data,
+        UserInfo userInfo,
+        Class<T> clazz
+    ) {
+        if (data.getData() instanceof List<?>) {
+            List<LProbe> proben = new ArrayList<LProbe>();
+            for (LProbe probe :(List<LProbe>)data.getData()) {
+                proben.add(setAuthData(userInfo, probe));
+            }
+            data.setData(proben);
+        }
+        else if (data.getData() instanceof LProbe) {
+            LProbe probe = (LProbe)data.getData();
+            data.setData(setAuthData(userInfo, probe));
+        }
+        return data;
+    }
+
+    /**
+     * Set authorization data for the current probe object.
+     *
+     * @param userInfo  The user information.
+     * @param probe     The probe object.
+     * @return The probe.
+     */
+    private LProbe setAuthData(UserInfo userInfo, LProbe probe) {
+        if (!userInfo.getNetzbetreiber().contains(probe.getNetzbetreiberId())) {
+            probe.setOwner(false);
+            probe.setReadonly(true);
+            return probe;
+        }
+        if (userInfo.getMessstellen().contains(probe.getMstId())) {
+            probe.setOwner(true);
+        }
+        else {
+            probe.setOwner(false);
+        }
+        probe.setReadonly(this.isProbeReadOnly(probe.getId()));
+        return probe;
+    }
+}
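Review bot: For PUT and DELETE, `isAuthorized` returns `!isProbeReadOnly(probe.getId())` alone, so the user's Netzbetreiber/Messstelle relationship to the probe is never checked on modification — any authenticated user may update or delete a probe that is not in a read-only status. MessungAuthorizer combines both conditions, and the same shape belongs here: `return !isProbeReadOnly(probe.getId()) && getAuthorization(userInfo, probe);`. The unguarded cast `(LProbe)data` throws ClassCastException if the registered class and the payload disagree; an `instanceof` guard returning `false` would turn that into a denial. GET falls through to `return false`, which, given the GET-only overload in HeaderAuthorization, means this authorizer rejects every read routed through it.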
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/main/java/de/intevation/lada/util/auth/ProbeIdAuthorizer.java	Fri Jan 08 12:05:26 2016 +0100
@@ -0,0 +1,114 @@
+package de.intevation.lada.util.auth;
+
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.util.ArrayList;
+import java.util.List;
+
+import de.intevation.lada.model.land.LProbe;
+import de.intevation.lada.util.rest.RequestMethod;
+import de.intevation.lada.util.rest.Response;
+
+public class ProbeIdAuthorizer extends BaseAuthorizer {
+
+    @Override
+    public <T> boolean isAuthorized(
+        Object data,
+        RequestMethod method,
+        UserInfo userInfo,
+        Class<T> clazz
+    ) {
+        Method m;
+        try {
+            m = clazz.getMethod("getProbeId");
+        } catch (NoSuchMethodException | SecurityException e1) {
+            return false;
+        }
+        Integer id;
+        try {
+            id = (Integer) m.invoke(data);
+        } catch (IllegalAccessException |
+            IllegalArgumentException |
+            InvocationTargetException e
+        ) {
+            return false;
+        }
+        LProbe probe =
+            repository.getByIdPlain(LProbe.class, id, "land");
+        return !isProbeReadOnly(id) && getAuthorization(userInfo, probe);
+    }
+
+    @SuppressWarnings("unchecked")
+    @Override
+    public <T> Response filter(
+        Response data,
+        UserInfo userInfo,
+        Class<T> clazz
+    ) {
+        if (data.getData() instanceof List<?>) {
+            List<Object> objects = new ArrayList<Object>();
+            for (Object object :(List<Object>)data.getData()) {
+                objects.add(setAuthData(userInfo, object, clazz));
+            }
+            data.setData(objects);
+        }
+        else {
+            Object object = data.getData();
+            data.setData(setAuthData(userInfo, object, clazz));
+        }
+        return data;
+    }
+    /**
+     * Authorize a single data object that has a probeId Attribute.
+     *
+     * @param userInfo  The user information.
+     * @param data      The Response object containing the data.
+     * @param clazz     The data object class.
+     * @return A Response object containing the data.
+     */
+    private <T> Object setAuthData(
+        UserInfo userInfo,
+        Object data,
+        Class<T> clazz
+    ) {
+        try {
+            Method getProbeId = clazz.getMethod("getProbeId");
+            Integer id = null;
+            if (getProbeId != null) {
+                id = (Integer) getProbeId.invoke(data);
+            }
+            else {
+                return null;
+            }
+            LProbe probe =
+                (LProbe)repository.getById(LProbe.class, id, "land").getData();
+
+            boolean readOnly = true;
+            boolean owner = false;
+            if (!userInfo.getNetzbetreiber().contains(
+                    probe.getNetzbetreiberId())) {
+                owner = false;
+                readOnly = true;
+            }
+            else {
+                if (userInfo.getMessstellen().contains(probe.getMstId())) {
+                    owner = true;
+                }
+                else {
+                    owner = false;
+                }
+                readOnly = this.isProbeReadOnly(id);
+            }
+
+            Method setOwner = clazz.getMethod("setOwner", boolean.class);
+            Method setReadonly = clazz.getMethod("setReadonly", boolean.class);
+            setOwner.invoke(data, owner);
+            setReadonly.invoke(data, readOnly);
+        } catch (NoSuchMethodException | SecurityException
+            | IllegalAccessException | IllegalArgumentException
+            | InvocationTargetException e) {
+            return null;
+        }
+        return data;
+    }
+}
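Review bot: The `if (getProbeId != null)` test in `setAuthData` is dead code: `Class.getMethod` throws `NoSuchMethodException` instead of returning `null`, so the `else { return null; }` branch can never run and the block reduces to `Integer id = (Integer) getProbeId.invoke(data);`. `isAuthorized` applies `!isProbeReadOnly(id)` to every method including GET, unlike MessungIdAuthorizer, which gates reads only on status; if reading data attached to a read-only probe is meant to be allowed, the read-only test should be limited to POST, PUT and DELETE. The probe obtained from `repository.getById(...).getData()` and from `getByIdPlain` is used without a null check, so an unknown `probeId` in the payload produces a NullPointerException rather than a denial.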
--- a/src/main/java/de/intevation/lada/util/auth/TestAuthorization.java	Fri Dec 18 18:01:00 2015 +0100
+++ b/src/main/java/de/intevation/lada/util/auth/TestAuthorization.java	Fri Jan 08 12:05:26 2016 +0100
@@ -49,7 +49,7 @@
     }
 
     @Override
-    public boolean isAuthorized(UserInfo userInfo, Object data) {
+    public <T> boolean isAuthorized(UserInfo userInfo, Object data, Class<T> clazz) {
         return true;
     }
 
@@ -57,10 +57,4 @@
     public boolean isReadOnly(Integer probeId) {
         return false;
     }
-
-    @Override
-    public <T> boolean isAuthorized(int id, Class<T> clazz) {
-        return true;
-    }
-
 }