diff --git a/navalplanner-webapp/src/main/java/org/navalplanner/web/orders/IOrderModel.java b/navalplanner-webapp/src/main/java/org/navalplanner/web/orders/IOrderModel.java
index 648d73801..708766031 100644
--- a/navalplanner-webapp/src/main/java/org/navalplanner/web/orders/IOrderModel.java
+++ b/navalplanner-webapp/src/main/java/org/navalplanner/web/orders/IOrderModel.java
@@ -117,4 +117,6 @@ public interface IOrderModel {
     List getFilterOrders(OrderPredicate predicate);
+    boolean userCanRead(Order order, String loginName);
+
 }
diff --git a/navalplanner-webapp/src/main/java/org/navalplanner/web/orders/OrderCRUDController.java b/navalplanner-webapp/src/main/java/org/navalplanner/web/orders/OrderCRUDController.java
index abe13f8c9..b7b9561ce 100644
--- a/navalplanner-webapp/src/main/java/org/navalplanner/web/orders/OrderCRUDController.java
+++ b/navalplanner-webapp/src/main/java/org/navalplanner/web/orders/OrderCRUDController.java
@@ -491,14 +491,22 @@ public class OrderCRUDController extends GenericForwardComposer {
     }
     public void schedule(Order order) {
-        if (order.isScheduled()) {
-            planningControllerEntryPoints.goToScheduleOf(order);
-        }else{
+        if(orderModel.userCanRead(order, SecurityUtils.getSessionUserLoginName())) {
+            if (order.isScheduled()) {
+                planningControllerEntryPoints.goToScheduleOf(order);
+            }else{
+                try {
+                    Messagebox.show(_("The order has no scheduled elements"),
+                            _("Information"), Messagebox.OK, Messagebox.INFORMATION);
+                } catch (InterruptedException e) {
+                    throw new RuntimeException(e);
+                }
+            }
+        }
+        else {
             try {
-                Messagebox
-                        .show(_("The order has no scheduled elements"),
-                        _("Information"), Messagebox.OK,
-                        Messagebox.INFORMATION);
+                Messagebox.show(_("You don't have read access to this order"),
+                        _("Information"), Messagebox.OK, Messagebox.INFORMATION);
             } catch (InterruptedException e) {
                 throw new RuntimeException(e);
             }
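Review bot: The new `userCanRead(Order order, String loginName)` declaration carries no Javadoc, and its contract is not obvious from the signature: judging by the OrderModel hunk in this same commit, the answer depends on the roles of the current session user as well as on the loginName argument, which a caller passing any other login name would not expect. A comment such as `/** Returns whether the user with {@code loginName} may read {@code order}: true for a session holding a global read/edit role, otherwise only with an explicit read or write authorization on the order for that user or one of its profiles. */` would make that visible to implementors and callers. It would also be worth stating what a null loginName yields, since the controller passes the session login name straight through.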
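Review bot: The read check added at the top of schedule() is enforced only in this controller, so it protects the two UI actions touched by this commit but not `planningControllerEntryPoints.goToScheduleOf(order)` itself; any other caller of that entry point (none is visible from here) would bypass it, so the durable place for the check is the model or the entry point, with the controller test kept as a user-experience shortcut. Within the hunk the try/Messagebox/catch sequence now appears twice in schedule() and a third time in goToEditForm (next hunk) with the denial text copied verbatim; one private helper keeps the three paths identical and removes the `if(` / `}else{` spacing inconsistency the new lines repeat. The body of schedule() continues past the end of the hunk.
```java
    public void schedule(Order order) {
        if (!orderModel.userCanRead(order, SecurityUtils.getSessionUserLoginName())) {
            showInformation(_("You don't have read access to this order"));
            return;
        }
        if (order.isScheduled()) {
            planningControllerEntryPoints.goToScheduleOf(order);
        } else {
            showInformation(_("The order has no scheduled elements"));
        }
    }

    // Shared by schedule() and goToEditForm(): one place for the modal information box,
    // so the access-denied wording cannot drift between the guarded actions.
    private void showInformation(String message) {
        try {
            Messagebox.show(message, _("Information"), Messagebox.OK, Messagebox.INFORMATION);
        } catch (InterruptedException e) {
            throw new RuntimeException(e);
        }
    }
```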
@@ -512,8 +520,18 @@ public class OrderCRUDController extends GenericForwardComposer { private Runnable onUp; public void goToEditForm(Order order) { - showOrderElementFilter(); - planningControllerEntryPoints.goToOrderDetails(order); + if(orderModel.userCanRead(order, SecurityUtils.getSessionUserLoginName())) { + showOrderElementFilter(); + planningControllerEntryPoints.goToOrderDetails(order); + } + else { + try { + Messagebox.show(_("You don't have read access to this order"), + _("Information"), Messagebox.OK, Messagebox.INFORMATION); + } catch (InterruptedException e) { + throw new RuntimeException(e); + } + } } public void initEdit(Order order) { diff --git a/navalplanner-webapp/src/main/java/org/navalplanner/web/orders/OrderModel.java b/navalplanner-webapp/src/main/java/org/navalplanner/web/orders/OrderModel.java index b8a70c654..f29e0da3c 100644 --- a/navalplanner-webapp/src/main/java/org/navalplanner/web/orders/OrderModel.java +++ b/navalplanner-webapp/src/main/java/org/navalplanner/web/orders/OrderModel.java @@ -146,6 +146,9 @@ public class OrderModel implements IOrderModel { @Autowired private IUserDAO userDAO; + @Autowired + private IOrderAuthorizationDAO orderAuthorizationDAO; + private List orderList = new ArrayList(); 
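Review bot: `public void initEdit(Order order) {`, shown as trailing context below goToEditForm, is left untouched by this commit; only its signature is visible, so I cannot tell whether it is another way into the edit form, but if it is reachable with an order the user may not read it needs the same userCanRead check or the guard in goToEditForm can be stepped around. The denied branch added here repeats the Messagebox block that schedule() now contains twice, which makes it a candidate for one shared helper rather than a third copy. As in schedule(), the check lives in the controller only, so `planningControllerEntryPoints.goToOrderDetails(order)` remains callable without it from anywhere else.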
@@ -691,4 +694,30 @@ public class OrderModel implements IOrderModel {
         return filterOrderList;
     }
+    @Override
+    @Transactional(readOnly = true)
+    public boolean userCanRead(Order order, String loginName) {
+        if (SecurityUtils.isUserInRole(UserRole.ROLE_READ_ALL_ORDERS) ||
+            SecurityUtils.isUserInRole(UserRole.ROLE_EDIT_ALL_ORDERS)) {
+            return true;
+        }
+        try {
+            User user = userDAO.findByLoginName(loginName);
+            for(OrderAuthorization authorization :
+                orderAuthorizationDAO.listByOrderUserAndItsProfiles(order, user)) {
+                if(authorization.getAuthorizationType() ==
+                    OrderAuthorizationType.READ_AUTHORIZATION ||
+                    authorization.getAuthorizationType() ==
+                    OrderAuthorizationType.WRITE_AUTHORIZATION) {
+                    return true;
+                }
+            }
+        }
+        catch(InstanceNotFoundException e) {
+            //this case shouldn't happen, because it would mean that there isn't a logged user
+            //anyway, if it happenned we don't allow the user to pass
+        }
+        return false;
+    }
+
 }
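Review bot: The role short-circuit on the first lines of the body consults the session user through `SecurityUtils.isUserInRole(...)`, while the authorization loop below consults whichever `loginName` was passed in, so for a login name other than the session user's the two halves answer different questions; either derive the user from the session inside this method or resolve the roles for the looked-up `User`, and state in the Javadoc which of the two is intended. The `InstanceNotFoundException` branch is swallowed silently: denying access is the right outcome, but because this sits on an authorization decision a failed lookup of loginName should at least be logged (the login name and the order id, nothing more) so a stale or misconfigured session surfaces in the logs instead of as an unexplained refusal, and the comment's `happenned` should read `happened`. If `userDAO.findByLoginName(null)` does not throw (the DAO is not visible here), a null loginName from an unauthenticated session would reach `listByOrderUserAndItsProfiles(order, null)`; an explicit `if (loginName == null) { return false; }` before the try makes the fail-closed intent visible rather than relying on the DAO's behaviour.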