Fixed permissions in order to set confirm close dialogue properly

FEA: ItEr77S03Community

libreplan-webapp/src/main/java/org/libreplan/web/orders/IOrderModel.java

@@ -123,7 +123,7 @@ public interface IOrderModel extends IIntegrationEntityModel {
 
     boolean userCanRead(Order order, String loginName);
 
-    boolean userCanWrite(Order order, String loginName);
+    boolean userCanWrite(Order order);
 
     boolean isAlreadyInUse(OrderElement orderElement);
 

libreplan-webapp/src/main/java/org/libreplan/web/orders/OrderCRUDController.java

@@ -821,7 +821,7 @@ public class OrderCRUDController extends GenericForwardComposer {
     }
 
     public void confirmRemove(Order order) {
-        if(orderModel.userCanWrite(order, SecurityUtils.getSessionUserLoginName())) {
+        if (orderModel.userCanWrite(order)) {
             try {
                 int status = Messagebox.show(_("Confirm deleting {0}. Are you sure?", order.getName()),
                         "Delete", Messagebox.OK | Messagebox.CANCEL, Messagebox.QUESTION);
@@ -1237,7 +1237,7 @@ public class OrderCRUDController extends GenericForwardComposer {
     }
 
     private void appendButtonDelete(final Hbox hbox, final Order order) {
-        if(orderModel.userCanWrite(order, SecurityUtils.getSessionUserLoginName())) {
+        if (orderModel.userCanWrite(order)) {
             Button buttonDelete = new Button();
             buttonDelete.setSclass("icono");
             buttonDelete.setImage("/common/img/ico_borrar1.png");
@@ -1452,8 +1452,7 @@ public class OrderCRUDController extends GenericForwardComposer {
     private void updateDisabilitiesOnInterface() {
         Order order = orderModel.getOrder();
 
-        boolean permissionForWriting = orderModel.userCanWrite(order,
-                SecurityUtils.getSessionUserLoginName());
+        boolean permissionForWriting = orderModel.userCanWrite(order);
         boolean isInStoredState = order.getState() == OrderStatusEnum.STORED;
         boolean isInitiallyStored = orderModel.getPlanningState()
                 .getSavedOrderState() == OrderStatusEnum.STORED;

libreplan-webapp/src/main/java/org/libreplan/web/orders/OrderModel.java

@@ -796,31 +796,8 @@ public class OrderModel extends IntegrationEntityModel implements IOrderModel {
 
     @Override
     @Transactional(readOnly = true)
-    public boolean userCanWrite(Order order, String loginName) {
-        if (SecurityUtils
-                .isSuperuserOrUserInRoles(UserRole.ROLE_EDIT_ALL_PROJECTS)) {
-            return true;
-        }
-        if (order.isNewObject()
-                & SecurityUtils
-                        .isSuperuserOrUserInRoles(UserRole.ROLE_CREATE_PROJECTS)) {
-            return true;
-        }
-        try {
-            User user = userDAO.findByLoginName(loginName);
-            for(OrderAuthorization authorization :
-                    orderAuthorizationDAO.listByOrderUserAndItsProfiles(order, user)) {
-                if(authorization.getAuthorizationType() ==
-                        OrderAuthorizationType.WRITE_AUTHORIZATION) {
-                    return true;
-                }
-            }
-        }
-        catch(InstanceNotFoundException e) {
-            //this case shouldn't happen, because it would mean that there isn't a logged user
-            //anyway, if it happenned we don't allow the user to pass
-        }
-        return false;
+    public boolean userCanWrite(Order order) {
+        return SecurityUtils.loggedUserCanWrite(order);
     }
 
     @Override

libreplan-webapp/src/main/java/org/libreplan/web/planner/order/SaveCommandBuilder.java

@@ -93,6 +93,7 @@ import org.libreplan.web.common.MessagesForUser;
 import org.libreplan.web.common.concurrentdetection.ConcurrentModificationHandling;
 import org.libreplan.web.planner.TaskElementAdapter;
 import org.libreplan.web.planner.order.PlanningStateCreator.PlanningState;
+import org.libreplan.web.security.SecurityUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.context.annotation.Scope;
@@ -367,10 +368,12 @@ public class SaveCommandBuilder {
             // Reset timer of warning on leaving page
             ConfirmCloseUtil.resetConfirmClose();
             if (Executions.getCurrent() != null) {
-                ConfirmCloseUtil
-                        .setConfirmClose(
-                                Executions.getCurrent().getDesktop(),
-                                _("You are about to leave the planning edition, unsaved changes will be lost."));
+                if (SecurityUtils.loggedUserCanWrite(state.getOrder())) {
+                    ConfirmCloseUtil
+                            .setConfirmClose(
+                                    Executions.getCurrent().getDesktop(),
+                                    _("You are about to leave the planning edition, unsaved changes will be lost."));
+                }
             }
 
         }

libreplan-webapp/src/main/java/org/libreplan/web/planner/tabs/MultipleTabsPlannerController.java

@@ -213,8 +213,7 @@ public class MultipleTabsPlannerController implements Composer,
                     ConfirmCloseUtil.resetConfirmClose();
                     break;
                 case ORDER:
-                    if (SecurityUtils
-                            .isSuperuserOrUserInRoles(UserRole.ROLE_PLANNING)) {
+                    if (SecurityUtils.loggedUserCanWrite(mode.getOrder())) {
                         ConfirmCloseUtil
                                 .setConfirmClose(
                                         desktop,

libreplan-webapp/src/main/java/org/libreplan/web/security/SecurityUtils.java

@@ -22,13 +22,18 @@
 package org.libreplan.web.security;
 
 import java.security.Principal;
+import java.util.List;
 
 import javax.servlet.http.HttpServletRequest;
 
+import org.jfree.util.Log;
 import org.libreplan.business.common.IOnTransaction;
 import org.libreplan.business.common.Registry;
 import org.libreplan.business.common.exceptions.InstanceNotFoundException;
+import org.libreplan.business.orders.entities.Order;
 import org.libreplan.business.users.entities.OrderAuthorization;
+import org.libreplan.business.users.entities.OrderAuthorizationType;
+import org.libreplan.business.users.entities.User;
 import org.libreplan.business.users.entities.UserRole;
 import org.libreplan.web.users.services.CustomUser;
 import org.springframework.security.Authentication;
@@ -142,4 +147,38 @@ public final class SecurityUtils {
                 });
     }
 
+    public final static boolean loggedUserCanWrite(Order order) {
+        if (isSuperuserOrUserInRoles(UserRole.ROLE_EDIT_ALL_PROJECTS)) {
+            return true;
+        }
+        if (order.isNewObject()
+                && isSuperuserOrUserInRoles(UserRole.ROLE_CREATE_PROJECTS)) {
+            return true;
+        }
+
+        User user;
+        try {
+            CustomUser loggedUser = getLoggedUser();
+            if (loggedUser == null) {
+                return false;
+            }
+            user = Registry.getUserDAO().findByLoginName(
+                    loggedUser.getUsername());
+        } catch (InstanceNotFoundException e) {
+            Log.warn("Logged user not found in database", e);
+            return false;
+        }
+
+        List<OrderAuthorization> orderAuthorizations = Registry
+                .getOrderAuthorizationDAO().listByOrderUserAndItsProfiles(
+                        order, user);
+        for (OrderAuthorization authorization : orderAuthorizations) {
+            if (authorization.getAuthorizationType().equals(
+                    OrderAuthorizationType.WRITE_AUTHORIZATION)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
 }