From ecba31619c56a1b76e266cffb1f0124a4ba3dba4 Mon Sep 17 00:00:00 2001
From: Manuel Rego Casasnovas
Date: Wed, 20 Jun 2012 08:58:23 +0200
Subject: [PATCH] Protect monthly timesheet page depending on user roles
The page cannot be used without entry points and depending on the entry point used one role or other will be required.
FEA: ItEr76S30PermissionsEnhancements
---
 .../dashboard/MonthlyTimesheetController.java | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/libreplan-webapp/src/main/java/org/libreplan/web/users/dashboard/MonthlyTimesheetController.java b/libreplan-webapp/src/main/java/org/libreplan/web/users/dashboard/MonthlyTimesheetController.java
index 58c747b84..eb4095781 100644
--- a/libreplan-webapp/src/main/java/org/libreplan/web/users/dashboard/MonthlyTimesheetController.java
+++ b/libreplan-webapp/src/main/java/org/libreplan/web/users/dashboard/MonthlyTimesheetController.java
@@ -24,12 +24,15 @@ import static org.libreplan.web.planner.tabs.MultipleTabsPlannerController.BREAD
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Map;
 import javax.annotation.Resource;
+import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.lang.StringUtils;
 import org.joda.time.LocalDate;
 import org.libreplan.business.orders.entities.OrderElement;
+import org.libreplan.business.users.entities.UserRole;
 import org.libreplan.business.workingday.EffortDuration;
 import org.libreplan.web.common.IMessagesForUser;
 import org.libreplan.web.common.Level;
@@ -39,6 +42,8 @@ import org.libreplan.web.common.components.bandboxsearch.BandboxSearch;
 import org.libreplan.web.common.entrypoints.EntryPointsHandler;
 import org.libreplan.web.common.entrypoints.EntryPointsHandler.ICapture;
 import org.libreplan.web.common.entrypoints.IURLHandlerRegistry;
+import org.libreplan.web.common.entrypoints.MatrixParameters;
+import org.libreplan.web.security.SecurityUtils;
 import org.libreplan.web.users.services.CustomTargetUrlResolver;
 import org.springframework.util.Assert;
 import org.zkoss.zk.ui.Component;
@@ -464,10 +469,23 @@ public class MonthlyTimesheetController extends GenericForwardComposer
         setBreadcrumbs(comp);
         messagesForUser = new MessagesForUser(messagesContainer);
+        checkUserComesFromEntryPointsOrSendForbiddenCode();
+
         URLHandlerRegistry.getRedirectorFor(IMonthlyTimesheetController.class)
                 .register(this, page);
     }
+    private void checkUserComesFromEntryPointsOrSendForbiddenCode() {
+        HttpServletRequest request = (HttpServletRequest) Executions
+                .getCurrent().getNativeRequest();
+        Map matrixParams = MatrixParameters.extract(request);
+
+        // If it doesn't come from a entry point
+        if (matrixParams.isEmpty()) {
+            Util.sendForbiddenStatusCodeInHttpServletResponse();
+        }
+    }
+
     private void setBreadcrumbs(Component comp) {
         Component breadcrumbs = comp.getPage().getFellow("breadcrumbs");
         if (breadcrumbs.getChildren() != null) {
@@ -483,6 +501,10 @@ public class MonthlyTimesheetController extends GenericForwardComposer
     @Override
     public void goToCreateOrEditForm(LocalDate date) {
+        if (!SecurityUtils.isUserInRole(UserRole.ROLE_BOUND_USER)) {
+            Util.sendForbiddenStatusCodeInHttpServletResponse();
+        }
+
         monthlyTimesheetModel.initCreateOrEdit(date);
         initTimesheet(date);
     }
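Review bot: After `Util.sendForbiddenStatusCodeInHttpServletResponse()` in `checkUserComesFromEntryPointsOrSendForbiddenCode()` control returns to `doAfterCompose`, which goes on to register the redirector, and the same fall-through is in `goToCreateOrEditForm` (next hunk) and `goToCreateOrEditFormForResource` (last hunk), where `monthlyTimesheetModel.initCreateOrEdit(...)` and `initTimesheet(date)` still run for the rejected user. Unless that `Util` helper aborts the request (its body is not in this patch), the 403 status is set but the timesheet is still initialised and rendered; in both `goTo...` methods put `return;` directly after the `Util` call, and make the private check return a boolean so `doAfterCompose` can return early as well. The enclosing `doAfterCompose` starts before this hunk. `matrixParams.isEmpty()` only establishes that some matrix parameter was present on the request, not that a registered entry point was used, so the role checks in the `goTo...` methods remain the effective authorization gate — worth saying in the comment above the `if`, e.g. `// No matrix parameters: the page was opened directly rather than through an entry point; the per-entry-point role checks live in the goTo... methods`. Minor: `Map matrixParams` is a raw type; parameterize it to match the return type of `MatrixParameters.extract`.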
@@ -490,6 +512,10 @@ public class MonthlyTimesheetController extends GenericForwardComposer
     @Override
     public void goToCreateOrEditFormForResource(LocalDate date,
             org.libreplan.business.resources.entities.Resource resource) {
+        if (!SecurityUtils.isSuperuserOrUserInRoles(UserRole.ROLE_TIMESHEETS)) {
+            Util.sendForbiddenStatusCodeInHttpServletResponse();
+        }
+
         monthlyTimesheetModel.initCreateOrEdit(date, resource);
         initTimesheet(date);
     }
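Review bot: `goToCreateOrEditFormForResource` admits a superuser through `isSuperuserOrUserInRoles(UserRole.ROLE_TIMESHEETS)`, whereas the sibling `goToCreateOrEditForm` in the previous hunk uses `isUserInRole(UserRole.ROLE_BOUND_USER)` and therefore rejects a superuser who is not a bound user. The commit message says the required role depends on the entry point, so the asymmetry looks intentional, but nothing in the code records that. A comment above the check, e.g. `// Resource entry point: superuser or ROLE_TIMESHEETS; the bound-user entry point is gated separately in goToCreateOrEditForm`, would keep a later reader from "harmonising" the two checks.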