From 283cab8d238087caac070db9425229fbf7f20ada Mon Sep 17 00:00:00 2001
From: Manuel Rego Casasnovas <rego@igalia.com>
Date: Thu, 25 Oct 2012 12:52:56 +0200
Subject: [PATCH] Add filter by order authorizations in project status report

If you just filter by labels/criteria and you don't choose any specific project.
You were able to see tasks from projects that you are not allowed to read. Now
this is fixed.

FEA: ItEr77S09WBSReport
---
 .../web/reports/ProjectStatusReportModel.java | 23 +++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/libreplan-webapp/src/main/java/org/libreplan/web/reports/ProjectStatusReportModel.java b/libreplan-webapp/src/main/java/org/libreplan/web/reports/ProjectStatusReportModel.java
index 39f5c3e21..d38a5389a 100644
--- a/libreplan-webapp/src/main/java/org/libreplan/web/reports/ProjectStatusReportModel.java
+++ b/libreplan-webapp/src/main/java/org/libreplan/web/reports/ProjectStatusReportModel.java
@@ -38,6 +38,7 @@ import org.libreplan.business.requirements.entities.IndirectCriterionRequirement
 import org.libreplan.business.resources.daos.ICriterionDAO;
 import org.libreplan.business.resources.entities.Criterion;
 import org.libreplan.business.scenarios.IScenarioManager;
+import org.libreplan.business.users.daos.IOrderAuthorizationDAO;
 import org.libreplan.business.workingday.EffortDuration;
 import org.libreplan.web.security.SecurityUtils;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -68,6 +69,9 @@ public class ProjectStatusReportModel implements IProjectStatusReportModel {
     @Autowired
     private IOrderElementDAO orderElementDAO;
 
+    @Autowired
+    private IOrderAuthorizationDAO orderAuthorizationDAO;
+
     @Autowired
     private IScenarioManager scenarioManager;
 
@@ -112,11 +116,13 @@ public class ProjectStatusReportModel implements IProjectStatusReportModel {
                         each).getOrderVersionFor(
                         scenarioManager.getCurrent()));
             }
+
+            orderElements = filterByOrderAuthorizations(orderElements);
         }
 
         List<ProjectStatusReportDTO> dtos = new ArrayList<ProjectStatusReportDTO>();
-        for (OrderElement child : orderElements) {
-            dtos.add(calculateDTO(child, order == null));
+        for (OrderElement element : orderElements) {
+            dtos.add(calculateDTO(element, order == null));
         }
 
         calculateTotalDTO(order, dtos);
@@ -285,6 +291,19 @@ public class ProjectStatusReportModel implements IProjectStatusReportModel {
         return result;
     }
 
+    private List<OrderElement> filterByOrderAuthorizations(
+            List<OrderElement> orderElements) {
+        List<Order> orders = getOrders();
+
+        List<OrderElement> result = new ArrayList<OrderElement>();
+        for (OrderElement each : orderElements) {
+            if (orders.contains(orderDAO.loadOrderAvoidingProxyFor(each))) {
+                result.add(each);
+            }
+        }
+        return result;
+    }
+
     private EffortDuration addIfNotNull(EffortDuration total,
             EffortDuration other) {
         if (other == null) {