Add check to avoid bound users to go directly (via URL) to expenses page

FEA: ItEr76S30PermissionsEnhancements
2012-06-19 18:23:06 +02:00 · 2012-06-19 18:23:06 +02:00 · bfd6e56ceb
commit bfd6e56ceb
parent 19ace553f2
1 changed files with 24 additions and 0 deletions
--- a/libreplan-webapp/src/main/java/org/libreplan/web/expensesheet/ExpenseSheetCRUDController.java
+++ b/libreplan-webapp/src/main/java/org/libreplan/web/expensesheet/ExpenseSheetCRUDController.java
@ -21,12 +21,17 @@ package org.libreplan.web.expensesheet;

 import static org.libreplan.web.I18nHelper._;

+import java.io.IOException;
 import java.math.BigDecimal;
 import java.util.ConcurrentModificationException;
 import java.util.Date;
 import java.util.List;
+import java.util.Map;
 import java.util.SortedSet;

+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
 import org.apache.commons.logging.LogFactory;
 import org.joda.time.LocalDate;
 import org.libreplan.business.common.exceptions.InstanceNotFoundException;
@ -36,11 +41,14 @@ import org.libreplan.business.expensesheet.entities.ExpenseSheetLine;
 import org.libreplan.business.orders.entities.Order;
 import org.libreplan.business.orders.entities.OrderElement;
 import org.libreplan.business.resources.entities.Resource;
+import org.libreplan.business.users.entities.UserRole;
 import org.libreplan.web.common.BaseCRUDController;
 import org.libreplan.web.common.Level;
 import org.libreplan.web.common.Util;
 import org.libreplan.web.common.components.bandboxsearch.BandboxSearch;
 import org.libreplan.web.common.entrypoints.IURLHandlerRegistry;
+import org.libreplan.web.common.entrypoints.MatrixParameters;
+import org.libreplan.web.security.SecurityUtils;
 import org.libreplan.web.users.services.CustomTargetUrlResolver;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.zkoss.zk.ui.Component;
@ -102,10 +110,26 @@ public class ExpenseSheetCRUDController extends
    @Override
    public void doAfterCompose(Component comp) throws Exception {
        super.doAfterCompose(comp);
+        checkUserHasProperRoleOrSendForbiddenCode();
        URLHandlerRegistry.getRedirectorFor(IExpenseSheetCRUDController.class)
                .register(this, page);
    }

+    private void checkUserHasProperRoleOrSendForbiddenCode() throws IOException {
+        HttpServletRequest request = (HttpServletRequest) Executions
+                .getCurrent().getNativeRequest();
+        Map<String, String> matrixParams = MatrixParameters.extract(request);
+
+        // If it doesn't come from a entry point
+        if (matrixParams.isEmpty()) {
+            if (!SecurityUtils.isSuperuserOrUserInRoles(UserRole.ROLE_EXPENSES)) {
+                HttpServletResponse response = (HttpServletResponse) Executions
+                        .getCurrent().getNativeResponse();
+                response.sendError(HttpServletResponse.SC_FORBIDDEN);
+            }
+        }
+    }
+
    @Override
    public void save() throws ValidationException {
        expenseSheetModel.confirmSave();