ItEr45S20RFControlesRelacionadosPermismos: Forbid access to edition and scheduling pages for users without permissions over an order.
Those pages could not be reached before either, because they were not listed, but this patch makes the restriction explicit and so improves security.
This commit is contained in:
parent
2960a3adbd
commit
ad5376aebc
3 changed files with 58 additions and 9 deletions
@ -117,4 +117,6 @@ public interface IOrderModel {
|
|||
|
||||
List<Order> getFilterOrders(OrderPredicate predicate);
|
||||
|
||||
boolean userCanRead(Order order, String loginName);
|
||||
|
||||
}
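Review bot: The new interface method `userCanRead` at L21 has no Javadoc, and its contract is not obvious from the signature: whether `loginName` may be any user or must be the current session user, and what counts as read permission. The OrderModel implementation in this commit grants it through a global read/edit role or an explicit order authorization, so a comment such as `/** Returns true if the user identified by loginName may read the order, either via a global read/edit role or an explicit order authorization; denies by default. */` would tell implementers and callers what they can rely on. Since this is the gate the controllers use for access decisions, stating deny-by-default on the interface is worth the one line.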
|
||||
|
|
|
|||
|
|
@ -491,14 +491,22 @@ public class OrderCRUDController extends GenericForwardComposer {
|
|||
}
|
||||
|
||||
public void schedule(Order order) {
|
||||
if (order.isScheduled()) {
|
||||
planningControllerEntryPoints.goToScheduleOf(order);
|
||||
}else{
|
||||
if(orderModel.userCanRead(order, SecurityUtils.getSessionUserLoginName())) {
|
||||
if (order.isScheduled()) {
|
||||
planningControllerEntryPoints.goToScheduleOf(order);
|
||||
}else{
|
||||
try {
|
||||
Messagebox.show(_("The order has no scheduled elements"),
|
||||
_("Information"), Messagebox.OK, Messagebox.INFORMATION);
|
||||
} catch (InterruptedException e) {
|
||||
throw new RuntimeException(e);
|
||||
}
|
||||
}
|
||||
}
|
||||
else {
|
||||
try {
|
||||
Messagebox
|
||||
.show(_("The order has no scheduled elements"),
|
||||
_("Information"), Messagebox.OK,
|
||||
Messagebox.INFORMATION);
|
||||
Messagebox.show(_("You don't have read access to this order"),
|
||||
_("Information"), Messagebox.OK, Messagebox.INFORMATION);
|
||||
} catch (InterruptedException e) {
|
||||
throw new RuntimeException(e);
|
||||
}
|
||||
|
|
@ -512,8 +520,18 @@ public class OrderCRUDController extends GenericForwardComposer {
|
|||
private Runnable onUp;
|
||||
|
||||
public void goToEditForm(Order order) {
|
||||
showOrderElementFilter();
|
||||
planningControllerEntryPoints.goToOrderDetails(order);
|
||||
if(orderModel.userCanRead(order, SecurityUtils.getSessionUserLoginName())) {
|
||||
showOrderElementFilter();
|
||||
planningControllerEntryPoints.goToOrderDetails(order);
|
||||
}
|
||||
else {
|
||||
try {
|
||||
Messagebox.show(_("You don't have read access to this order"),
|
||||
_("Information"), Messagebox.OK, Messagebox.INFORMATION);
|
||||
} catch (InterruptedException e) {
|
||||
throw new RuntimeException(e);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public void initEdit(Order order) {
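Review bot: `goToEditForm` (L134–L179) gates entry to the edition page on `userCanRead`, so a user holding only `READ_AUTHORIZATION` (which `userCanRead` accepts, per the OrderModel change in this commit) reaches the edit form; unless that page separately enforces write permission, read-only users would land on an editable view. A `userCanWrite` counterpart for this entry point, or a confirmation that the downstream page enforces it, would close that gap; the same applies to `schedule` (L43–L121) if scheduling is considered an edit. The check also lives only in the controller, so any other route into `planningControllerEntryPoints.goToOrderDetails` stays unguarded — the description suggests there is none today, but an equivalent check in the model layer would make the restriction durable. `initEdit` starts at L184 and its body is outside the hunk.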
|
||||
|
|
|
|||
|
|
@ -146,6 +146,9 @@ public class OrderModel implements IOrderModel {
|
|||
@Autowired
|
||||
private IUserDAO userDAO;
|
||||
|
||||
@Autowired
|
||||
private IOrderAuthorizationDAO orderAuthorizationDAO;
|
||||
|
||||
private List<Order> orderList = new ArrayList<Order>();
|
||||
|
||||
|
||||
|
|
@ -691,4 +694,30 @@ public class OrderModel implements IOrderModel {
|
|||
return filterOrderList;
|
||||
}
|
||||
|
||||
@Override
|
||||
@Transactional(readOnly = true)
|
||||
public boolean userCanRead(Order order, String loginName) {
|
||||
if (SecurityUtils.isUserInRole(UserRole.ROLE_READ_ALL_ORDERS) ||
|
||||
SecurityUtils.isUserInRole(UserRole.ROLE_EDIT_ALL_ORDERS)) {
|
||||
return true;
|
||||
}
|
||||
try {
|
||||
User user = userDAO.findByLoginName(loginName);
|
||||
for(OrderAuthorization authorization :
|
||||
orderAuthorizationDAO.listByOrderUserAndItsProfiles(order, user)) {
|
||||
if(authorization.getAuthorizationType() ==
|
||||
OrderAuthorizationType.READ_AUTHORIZATION ||
|
||||
authorization.getAuthorizationType() ==
|
||||
OrderAuthorizationType.WRITE_AUTHORIZATION) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
catch(InstanceNotFoundException e) {
|
||||
//this case shouldn't happen, because it would mean that there isn't a logged user
|
||||
//anyway, if it happenned we don't allow the user to pass
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
}
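Review bot: `userCanRead` (L238–L304) takes the role short-circuit from the session user via `SecurityUtils.isUserInRole` (L241–L244) but the authorization lookup from the `loginName` parameter (L256), so a caller that passes a login name other than the session user's gets a mixed answer. Either document that constraint, e.g. `// loginName must be the session user's login: the global-role check above is made against the session, not against loginName`, or resolve the user from the session inside the method and drop the parameter. The swallowed `InstanceNotFoundException` at L289 falls through to `return false`, which is the safe default, but a log line in that catch would make an unexpected missing user visible rather than silently denying.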
|
||||
|
|
|
|||