Protect entry points methods in expenses sheet window
Entry points can only be used by ROLE_BOUND_USER. Moreover, an extra check has been added to the edit entry point to verify that the expense sheet is personal and belongs to the worker bound to the current user. FEA: ItEr76S30PermissionsEnhancements
This commit is contained in:
parent
bfd6e56ceb
commit
ffe537ca7b
3 changed files with 43 additions and 4 deletions
@ -115,7 +115,7 @@ public class ExpenseSheetCRUDController extends
|
|||
.register(this, page);
|
||||
}
|
||||
|
||||
private void checkUserHasProperRoleOrSendForbiddenCode() throws IOException {
|
||||
private void checkUserHasProperRoleOrSendForbiddenCode() {
|
||||
HttpServletRequest request = (HttpServletRequest) Executions
|
||||
.getCurrent().getNativeRequest();
|
||||
Map<String, String> matrixParams = MatrixParameters.extract(request);
|
||||
|
|
@ -123,13 +123,21 @@ public class ExpenseSheetCRUDController extends
|
|||
// If it doesn't come from a entry point
|
||||
if (matrixParams.isEmpty()) {
|
||||
if (!SecurityUtils.isSuperuserOrUserInRoles(UserRole.ROLE_EXPENSES)) {
|
||||
HttpServletResponse response = (HttpServletResponse) Executions
|
||||
.getCurrent().getNativeResponse();
|
||||
response.sendError(HttpServletResponse.SC_FORBIDDEN);
|
||||
sendForbiddenStatusCodeInHttpServletResponse();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private void sendForbiddenStatusCodeInHttpServletResponse() {
|
||||
try {
|
||||
HttpServletResponse response = (HttpServletResponse) Executions
|
||||
.getCurrent().getNativeResponse();
|
||||
response.sendError(HttpServletResponse.SC_FORBIDDEN);
|
||||
} catch (IOException e) {
|
||||
throw new RuntimeException(e);
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public void save() throws ValidationException {
|
||||
expenseSheetModel.confirmSave();
|
||||
|
|
@ -609,6 +617,10 @@ public class ExpenseSheetCRUDController extends
|
|||
|
||||
@Override
|
||||
public void goToCreatePersonalExpenseSheet() {
|
||||
if (!SecurityUtils.isUserInRole(UserRole.ROLE_BOUND_USER)) {
|
||||
sendForbiddenStatusCodeInHttpServletResponse();
|
||||
}
|
||||
|
||||
state = CRUDControllerState.CREATE;
|
||||
initCreate(true);
|
||||
showEditWindow();
|
||||
|
|
@ -627,6 +639,11 @@ public class ExpenseSheetCRUDController extends
|
|||
|
||||
@Override
|
||||
public void goToEditPersonalExpenseSheet(ExpenseSheet expenseSheet) {
|
||||
if (!SecurityUtils.isUserInRole(UserRole.ROLE_BOUND_USER)
|
||||
|| !expenseSheetModel
|
||||
.isPersonalAndBelognsToCurrentUser(expenseSheet)) {
|
||||
sendForbiddenStatusCodeInHttpServletResponse();
|
||||
}
|
||||
goToEditForm(expenseSheet);
|
||||
fromUserDashboard = true;
|
||||
}
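Review bot: In goToCreatePersonalExpenseSheet and goToEditPersonalExpenseSheet (the hunks at -609 and -627 of the controller) the forbidden status is sent but the method keeps running: `state = CRUDControllerState.CREATE; initCreate(true); showEditWindow();` and `goToEditForm(expenseSheet); fromUserDashboard = true;` still execute for a user who failed the role or ownership check, so the server-side state and the edit window are set up regardless of the 403. Add `return;` right after each `sendForbiddenStatusCodeInHttpServletResponse();` call inside the two new `if` blocks. The same fall-through exists in checkUserHasProperRoleOrSendForbiddenCode, whose body this commit also edits, so it may be worth handling there in the same way; whether sendError on the native response alone stops the ZK event from completing is not visible here, so returning explicitly is the safer shape.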
|
||||
|
@ -359,4 +359,19 @@ public class ExpenseSheetModel extends IntegrationEntityModel implements IExpens
|
|||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
@Transactional(readOnly = true)
|
||||
public boolean isPersonalAndBelognsToCurrentUser(ExpenseSheet expenseSheet) {
|
||||
if (!expenseSheet.isPersonal()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
SortedSet<ExpenseSheetLine> expenseSheetLines = getFromDB(expenseSheet)
|
||||
.getExpenseSheetLines();
|
||||
Resource resource = expenseSheetLines.iterator().next().getResource();
|
||||
|
||||
User user = UserUtil.getUserFromSession();
|
||||
return user.getWorker().getId().equals(resource.getId());
|
||||
}
|
||||
|
||||
}
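Review bot: isPersonalAndBelognsToCurrentUser calls `expenseSheetLines.iterator().next()` without checking that the set has any lines, so a personal sheet with no lines makes the authorization check throw NoSuchElementException instead of answering; add `if (expenseSheetLines.isEmpty()) { return false; }` before the resource lookup so the decision fails closed explicitly. The `isPersonal()` test is taken from the argument while the lines come from `getFromDB(expenseSheet)`; if the passed instance can be stale or edited on the caller's side, reading `isPersonal()` from the persisted copy as well keeps both halves of the decision on stored state. Only the first line's resource is compared, which presumably relies on every line of a personal sheet sharing one resource, and whether `user.getWorker()` can be null for a session user is not visible here, so a null guard returning false would be prudent.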
@ -86,4 +86,11 @@ public interface IExpenseSheetModel extends IIntegrationEntityModel {
|
|||
|
||||
void keepSortedExpenseSheetLines(ExpenseSheetLine expenseSheetLine, LocalDate newDate);
|
||||
|
||||
/**
|
||||
* Returns <code>true</code> if the {@link ExpenseSheet} is
|
||||
* <strong>personal</strong> and belongs to the worker associated to current
|
||||
* user.
|
||||
*/
|
||||
boolean isPersonalAndBelognsToCurrentUser(ExpenseSheet expenseSheet);
|
||||
|
||||
}
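Review bot: The new method name contains a typo, `isPersonalAndBelognsToCurrentUser`; since this commit introduces the name in the interface, the model and the controller at once, renaming it to `isPersonalAndBelongsToCurrentUser` now avoids carrying the misspelling into every later caller. The Javadoc could also state the outcome of the negative case and where the data comes from, e.g. `* Returns {@code false} for non-personal sheets; the ownership decision is made on the persisted sheet lines.`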