ItEr44S14CUAsignarUsuarioAProxectoPlanificacionItEr43S19: Implemented restriction on edition of orders.

Now only authorized users or those with the role EDIT_ALL_ORDERS will
be able to edit an order. The remaining users will be able to open the
edition interface but they will find the save buttons disabled.
TODO: disable all the fields in the edition interface so they can't be
modified.

navalplanner-webapp/src/main/java/org/navalplanner/web/users/IOrderAuthorizationModel.java

@@ -51,4 +51,6 @@ public interface IOrderAuthorizationModel {
 
     void removeOrderAuthorization(OrderAuthorization orderAuthorization);
 
+    boolean userCanWrite(String loginName);
+
 }

navalplanner-webapp/src/main/java/org/navalplanner/web/users/OrderAuthorizationController.java

@@ -36,9 +36,11 @@ import org.navalplanner.business.users.entities.UserRole;
 import org.navalplanner.web.common.IMessagesForUser;
 import org.navalplanner.web.common.Level;
 import org.navalplanner.web.common.Util;
+import org.navalplanner.web.security.SecurityUtils;
 import org.zkoss.zk.ui.Component;
 import org.zkoss.zk.ui.util.GenericForwardComposer;
 import org.zkoss.zul.Comboitem;
+import org.zkoss.zul.api.Button;
 
 /**
  * Controller for CRUD actions over an {@link OrderAuthorization}
@@ -69,6 +71,7 @@ public class OrderAuthorizationController extends GenericForwardComposer{
 
     public void initEdit(Order order) {
         orderAuthorizationModel.initEdit(order);
+        checkWritePermissions();
         Util.reloadBindings(window);
     }
 
@@ -149,4 +152,19 @@ public class OrderAuthorizationController extends GenericForwardComposer{
             ((Button)window.getFellowIfAny("save_and_continue")).setDisabled(true);
         }
     }
+
+    /**
+     * Checks the write permissions of the current user on this Order and enables/disables
+     * the save buttons accordingly.
+     */
+    private void checkWritePermissions() {
+        if(orderAuthorizationModel.userCanWrite(SecurityUtils.getSessionUserLoginName())) {
+            ((Button)window.getFellowIfAny("save")).setDisabled(false);
+            ((Button)window.getFellowIfAny("save_and_continue")).setDisabled(false);
+        }
+        else {
+            ((Button)window.getFellowIfAny("save")).setDisabled(true);
+            ((Button)window.getFellowIfAny("save_and_continue")).setDisabled(true);
+        }
+    }
 }

navalplanner-webapp/src/main/java/org/navalplanner/web/users/OrderAuthorizationModel.java

@@ -18,6 +18,7 @@ import org.navalplanner.business.users.entities.Profile;
 import org.navalplanner.business.users.entities.ProfileOrderAuthorization;
 import org.navalplanner.business.users.entities.User;
 import org.navalplanner.business.users.entities.UserOrderAuthorization;
+import org.navalplanner.business.users.entities.UserRole;
 import org.navalplanner.web.security.SecurityUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.config.BeanDefinition;
@@ -202,6 +203,31 @@ public class OrderAuthorizationModel implements IOrderAuthorizationModel {
         }
     }
 
+    @Override
+    @Transactional(readOnly = true)
+    public boolean userCanWrite(String loginName) {
+        if (SecurityUtils.isUserInRole(UserRole.ROLE_EDIT_ALL_ORDERS)) {
+            return true;
+        }
+        else {
+            User user;
+            try {
+                user = userDAO.findByLoginName(loginName);
+            }
+            catch(InstanceNotFoundException e) {
+                return false;
+            }
+            List<OrderAuthorization> authorizations = dao.listByUserAndItsProfiles(user);
+            for(OrderAuthorization authorization : authorizations) {
+                if (authorization.getOrder().getId().equals(order.getId()) &&
+                    authorization.getAuthorizationType() == OrderAuthorizationType.WRITE_AUTHORIZATION) {
+                        return true;
+                }
+            }
+            return false;
+        }
+    }
+
     private ProfileOrderAuthorization createProfileOrderAuthorization(
             Order order, Profile profile) {
         ProfileOrderAuthorization orderAuthorization =

navalplanner-webapp/src/main/webapp/orders/_edition.zul

@@ -172,9 +172,9 @@
     </tabbox>
     <hbox>
         <button label="${i18n:_('Save')}" onClick="controller.saveAndExit()"
-            sclass="save-button global-action" />
+            sclass="save-button global-action" disabled="true" id="save" />
         <button label="${i18n:_('Save &amp; Continue')}" onClick="controller.saveAndContinue()"
-            sclass="saveandcontinue-button global-action" />
+            sclass="saveandcontinue-button global-action" disabled="true" id="save_and_continue" />
         <button label="${i18n:_('Cancel')}" onClick="controller.cancel()"
             sclass="cancel-button global-action" />
     </hbox>