diff --git a/libreplan-webapp/src/main/java/org/libreplan/web/orders/IOrderModel.java b/libreplan-webapp/src/main/java/org/libreplan/web/orders/IOrderModel.java
index b4261dbde..d8c3d7fbb 100644
--- a/libreplan-webapp/src/main/java/org/libreplan/web/orders/IOrderModel.java
+++ b/libreplan-webapp/src/main/java/org/libreplan/web/orders/IOrderModel.java
@@ -123,7 +123,7 @@ public interface IOrderModel extends IIntegrationEntityModel {
 boolean userCanRead(Order order, String loginName);
- boolean userCanWrite(Order order, String loginName);
+ boolean userCanWrite(Order order);
 boolean isAlreadyInUse(OrderElement orderElement);
diff --git a/libreplan-webapp/src/main/java/org/libreplan/web/orders/OrderCRUDController.java b/libreplan-webapp/src/main/java/org/libreplan/web/orders/OrderCRUDController.java
index b49bea2c6..ab9434b69 100644
--- a/libreplan-webapp/src/main/java/org/libreplan/web/orders/OrderCRUDController.java
+++ b/libreplan-webapp/src/main/java/org/libreplan/web/orders/OrderCRUDController.java
@@ -821,7 +821,7 @@ public class OrderCRUDController extends GenericForwardComposer {
 }
 public void confirmRemove(Order order) {
- if(orderModel.userCanWrite(order, SecurityUtils.getSessionUserLoginName())) {
+ if (orderModel.userCanWrite(order)) {
 try {
 int status = Messagebox.show(_("Confirm deleting {0}. Are you sure?", order.getName()), "Delete", Messagebox.OK | Messagebox.CANCEL, Messagebox.QUESTION);
@@ -1237,7 +1237,7 @@ public class OrderCRUDController extends GenericForwardComposer {
 }
 private void appendButtonDelete(final Hbox hbox, final Order order) {
- if(orderModel.userCanWrite(order, SecurityUtils.getSessionUserLoginName())) {
+ if (orderModel.userCanWrite(order)) {
 Button buttonDelete = new Button();
 buttonDelete.setSclass("icono");
 buttonDelete.setImage("/common/img/ico_borrar1.png");
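Review bot: The new `userCanWrite(Order order)` silently switches from an explicit `loginName` to the session user, while the neighbouring `userCanRead(Order order, String loginName)` keeps the explicit parameter, so the interface now mixes two conventions with nothing saying so. A one-line Javadoc on the new signature would make the contract visible: `/** Whether the currently logged-in user may modify {@code order}; delegates to SecurityUtils.loggedUserCanWrite. */`. If `userCanRead` is meant to follow the same model, aligning it in a follow-up would remove the asymmetry.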
@@ -1452,8 +1452,7 @@ public class OrderCRUDController extends GenericForwardComposer {
 private void updateDisabilitiesOnInterface() {
 Order order = orderModel.getOrder();
- boolean permissionForWriting = orderModel.userCanWrite(order,
- SecurityUtils.getSessionUserLoginName());
+ boolean permissionForWriting = orderModel.userCanWrite(order);
 boolean isInStoredState = order.getState() == OrderStatusEnum.STORED;
 boolean isInitiallyStored = orderModel.getPlanningState() .getSavedOrderState() == OrderStatusEnum.STORED;
diff --git a/libreplan-webapp/src/main/java/org/libreplan/web/orders/OrderModel.java b/libreplan-webapp/src/main/java/org/libreplan/web/orders/OrderModel.java
index 965695647..ea29d4eec 100644
--- a/libreplan-webapp/src/main/java/org/libreplan/web/orders/OrderModel.java
+++ b/libreplan-webapp/src/main/java/org/libreplan/web/orders/OrderModel.java
@@ -796,31 +796,8 @@ public class OrderModel extends IntegrationEntityModel implements IOrderModel {
 @Override
 @Transactional(readOnly = true)
- public boolean userCanWrite(Order order, String loginName) {
- if (SecurityUtils
- .isSuperuserOrUserInRoles(UserRole.ROLE_EDIT_ALL_PROJECTS)) {
- return true;
- }
- if (order.isNewObject()
- & SecurityUtils
- .isSuperuserOrUserInRoles(UserRole.ROLE_CREATE_PROJECTS)) {
- return true;
- }
- try {
- User user = userDAO.findByLoginName(loginName);
- for(OrderAuthorization authorization :
- orderAuthorizationDAO.listByOrderUserAndItsProfiles(order, user)) {
- if(authorization.getAuthorizationType() ==
- OrderAuthorizationType.WRITE_AUTHORIZATION) {
- return true;
- }
- }
- }
- catch(InstanceNotFoundException e) {
- //this case shouldn't happen, because it would mean that there isn't a logged user
- //anyway, if it happenned we don't allow the user to pass
- }
- return false;
+ public boolean userCanWrite(Order order) {
+ return SecurityUtils.loggedUserCanWrite(order);
 }
 @Override
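Review bot: `userCanWrite` keeps `@Transactional(readOnly = true)` but its body is now a single call to the static `SecurityUtils.loggedUserCanWrite`, which reaches the database through `Registry` instead of this model's injected DAOs; the two other call sites this commit introduces (`SaveCommandBuilder`, `MultipleTabsPlannerController`) invoke the static helper directly and so run the same queries outside any transaction the model would have opened. If `listByOrderUserAndItsProfiles` depends on an open session (I cannot tell from this hunk), those callers will behave differently from this one. Either route every caller through the model, or drop the annotation here and state on the helper that it opens no transaction of its own. The `userDAO`/`orderAuthorizationDAO` fields the old body used may now be unused in this class; that is outside the hunk.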
diff --git a/libreplan-webapp/src/main/java/org/libreplan/web/planner/order/SaveCommandBuilder.java b/libreplan-webapp/src/main/java/org/libreplan/web/planner/order/SaveCommandBuilder.java
index bb5032a14..36e80e68b 100644
--- a/libreplan-webapp/src/main/java/org/libreplan/web/planner/order/SaveCommandBuilder.java
+++ b/libreplan-webapp/src/main/java/org/libreplan/web/planner/order/SaveCommandBuilder.java
@@ -93,6 +93,7 @@ import org.libreplan.web.common.MessagesForUser;
 import org.libreplan.web.common.concurrentdetection.ConcurrentModificationHandling;
 import org.libreplan.web.planner.TaskElementAdapter;
 import org.libreplan.web.planner.order.PlanningStateCreator.PlanningState;
+import org.libreplan.web.security.SecurityUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.context.annotation.Scope;
@@ -367,10 +368,12 @@ public class SaveCommandBuilder {
 // Reset timer of warning on leaving page
 ConfirmCloseUtil.resetConfirmClose();
 if (Executions.getCurrent() != null) {
- ConfirmCloseUtil
- .setConfirmClose(
- Executions.getCurrent().getDesktop(),
- _("You are about to leave the planning edition, unsaved changes will be lost."));
+ if (SecurityUtils.loggedUserCanWrite(state.getOrder())) {
+ ConfirmCloseUtil
+ .setConfirmClose(
+ Executions.getCurrent().getDesktop(),
+ _("You are about to leave the planning edition, unsaved changes will be lost."));
+ }
 }
 }
diff --git a/libreplan-webapp/src/main/java/org/libreplan/web/planner/tabs/MultipleTabsPlannerController.java b/libreplan-webapp/src/main/java/org/libreplan/web/planner/tabs/MultipleTabsPlannerController.java
index 440b570a5..9cc20d977 100644
--- a/libreplan-webapp/src/main/java/org/libreplan/web/planner/tabs/MultipleTabsPlannerController.java
+++ b/libreplan-webapp/src/main/java/org/libreplan/web/planner/tabs/MultipleTabsPlannerController.java
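Review bot: The added `loggedUserCanWrite` check only decides whether the unsaved-changes prompt is installed; it must not be read as enforcing write access, which has to happen in the save path itself (outside this hunk, so I cannot confirm it there). The two nested `if`s can be folded into one guard, `if (Executions.getCurrent() != null && SecurityUtils.loggedUserCanWrite(state.getOrder())) {`, which keeps the `Executions.getCurrent()` null check in front of the desktop lookup and removes a level of nesting. `state.getOrder()` is handed to a helper that dereferences it immediately, so it is worth confirming that `state` always carries an order at this point. The enclosing method starts before this hunk.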
@@ -213,8 +213,7 @@ public class MultipleTabsPlannerController implements Composer,
 ConfirmCloseUtil.resetConfirmClose();
 break;
 case ORDER:
- if (SecurityUtils
- .isSuperuserOrUserInRoles(UserRole.ROLE_PLANNING)) {
+ if (SecurityUtils.loggedUserCanWrite(mode.getOrder())) {
 ConfirmCloseUtil .setConfirmClose( desktop,
diff --git a/libreplan-webapp/src/main/java/org/libreplan/web/security/SecurityUtils.java b/libreplan-webapp/src/main/java/org/libreplan/web/security/SecurityUtils.java
index 226eb8847..59dae51b4 100644
--- a/libreplan-webapp/src/main/java/org/libreplan/web/security/SecurityUtils.java
+++ b/libreplan-webapp/src/main/java/org/libreplan/web/security/SecurityUtils.java
@@ -22,13 +22,18 @@ package org.libreplan.web.security;
 import java.security.Principal;
+import java.util.List;
 import javax.servlet.http.HttpServletRequest;
+import org.jfree.util.Log;
 import org.libreplan.business.common.IOnTransaction;
 import org.libreplan.business.common.Registry;
 import org.libreplan.business.common.exceptions.InstanceNotFoundException;
+import org.libreplan.business.orders.entities.Order;
 import org.libreplan.business.users.entities.OrderAuthorization;
+import org.libreplan.business.users.entities.OrderAuthorizationType;
+import org.libreplan.business.users.entities.User;
 import org.libreplan.business.users.entities.UserRole;
 import org.libreplan.web.users.services.CustomUser;
 import org.springframework.security.Authentication;
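Review bot: Replacing the `ROLE_PLANNING` role check with an order-level write check means a planner without `ROLE_EDIT_ALL_PROJECTS` and without a `WRITE_AUTHORIZATION` on this order no longer gets the leave-page prompt; that matches the `SaveCommandBuilder` change in this commit, but it is a behaviour change that deserves a comment at the new line, e.g. `// Prompt only users who can actually change the order; read-only viewers have nothing to lose.` `mode.getOrder()` is passed without a null guard into a helper that calls `order.isNewObject()` first thing, so this is safe only if the `ORDER` case guarantees an order is present. The enclosing `switch` and its method start before this hunk.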
@@ -142,4 +147,38 @@ public final class SecurityUtils {
 });
 }
+ public final static boolean loggedUserCanWrite(Order order) {
+ if (isSuperuserOrUserInRoles(UserRole.ROLE_EDIT_ALL_PROJECTS)) {
+ return true;
+ }
+ if (order.isNewObject()
+ && isSuperuserOrUserInRoles(UserRole.ROLE_CREATE_PROJECTS)) {
+ return true;
+ }
+
+ User user;
+ try {
+ CustomUser loggedUser = getLoggedUser();
+ if (loggedUser == null) {
+ return false;
+ }
+ user = Registry.getUserDAO().findByLoginName(
+ loggedUser.getUsername());
+ } catch (InstanceNotFoundException e) {
+ Log.warn("Logged user not found in database", e);
+ return false;
+ }
+
+ List orderAuthorizations = Registry
+ .getOrderAuthorizationDAO().listByOrderUserAndItsProfiles(
+ order, user);
+ for (OrderAuthorization authorization : orderAuthorizations) {
+ if (authorization.getAuthorizationType().equals(
+ OrderAuthorizationType.WRITE_AUTHORIZATION)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
 }
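Review bot: `List orderAuthorizations` appears as a raw type here, and the enhanced `for` then assigns its `Object` elements to an `OrderAuthorization` variable, which javac rejects as an incompatible assignment; unless the `<OrderAuthorization>` parameter was merely lost in rendering this page, it should read `List<OrderAuthorization> orderAuthorizations = Registry.getOrderAuthorizationDAO().listByOrderUserAndItsProfiles(order, user);`. The method is public but has no Javadoc; it should state the three grant paths (`ROLE_EDIT_ALL_PROJECTS`, `ROLE_CREATE_PROJECTS` for a new object, a `WRITE_AUTHORIZATION` held by the user or one of its profiles), that it returns `false` when nobody is logged in or the user is missing from the database, and that `order` must be non-null. `public final static` should be `public static` (`final` has no effect on a static method), and the `.equals(...)` comparison on `getAuthorizationType()` will throw if that getter ever returns null, whereas the `==` the old `OrderModel` code used is null-safe. Logging through `org.jfree.util.Log` (added in the previous hunk) ties a security utility to JCommon's internal logging shim; the web app's regular logging facade, whichever it is, is the better home for this warning.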