diff --git a/libreplan-webapp/src/main/java/org/libreplan/web/expensesheet/ExpenseSheetCRUDController.java b/libreplan-webapp/src/main/java/org/libreplan/web/expensesheet/ExpenseSheetCRUDController.java
index 79dd9c512..e246bc0c5 100644
--- a/libreplan-webapp/src/main/java/org/libreplan/web/expensesheet/ExpenseSheetCRUDController.java
+++ b/libreplan-webapp/src/main/java/org/libreplan/web/expensesheet/ExpenseSheetCRUDController.java
@@ -115,7 +115,7 @@ public class ExpenseSheetCRUDController extends
 .register(this, page);
 }
 
- private void checkUserHasProperRoleOrSendForbiddenCode() throws IOException {
+ private void checkUserHasProperRoleOrSendForbiddenCode() {
 HttpServletRequest request = (HttpServletRequest) Executions
 .getCurrent().getNativeRequest();
 Map matrixParams = MatrixParameters.extract(request);
@@ -123,13 +123,21 @@ public class ExpenseSheetCRUDController extends
 // If it doesn't come from a entry point
 if (matrixParams.isEmpty()) {
 if (!SecurityUtils.isSuperuserOrUserInRoles(UserRole.ROLE_EXPENSES)) {
- HttpServletResponse response = (HttpServletResponse) Executions
- .getCurrent().getNativeResponse();
- response.sendError(HttpServletResponse.SC_FORBIDDEN);
+ sendForbiddenStatusCodeInHttpServletResponse();
 }
 }
 }
 
+ private void sendForbiddenStatusCodeInHttpServletResponse() {
+ try {
+ HttpServletResponse response = (HttpServletResponse) Executions
+ .getCurrent().getNativeResponse();
+ response.sendError(HttpServletResponse.SC_FORBIDDEN);
+ } catch (IOException e) {
+ throw new RuntimeException(e);
+ }
+ }
+
 @Override
 public void save() throws ValidationException {
 expenseSheetModel.confirmSave();
@@ -609,6 +617,10 @@ public class ExpenseSheetCRUDController extends
 
 @Override
 public void goToCreatePersonalExpenseSheet() {
+ if (!SecurityUtils.isUserInRole(UserRole.ROLE_BOUND_USER)) {
+ sendForbiddenStatusCodeInHttpServletResponse();
+ }
+
 state = CRUDControllerState.CREATE;
 initCreate(true);
 showEditWindow();
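Review bot: sendForbiddenStatusCodeInHttpServletResponse only sets the 403 status on the native response and then returns normally, so a caller that does not return on its own keeps executing after the forbidden status has been sent. Because every forbidden response in the controller now goes through it, the helper should carry a Javadoc stating that contract, e.g. `/** Sends HTTP 403 on the native response. Does not abort the caller: callers must return immediately after calling this. */`. The catch block wraps the IOException in a bare `RuntimeException`; if the project targets Java 8 or later, `throw new UncheckedIOException(e);` keeps the cause with a more precise type.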
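Review bot: The new ROLE_BOUND_USER check in goToCreatePersonalExpenseSheet sends the 403 but then falls through to `state = CRUDControllerState.CREATE;`, `initCreate(true);` and `showEditWindow();`, so the controller still moves into create mode and opens the edit window for a user the check just rejected. goToEditPersonalExpenseSheet in the next hunk has the same gap: `goToEditForm(expenseSheet);` still runs after the forbidden status. Add `return;` directly after `sendForbiddenStatusCodeInHttpServletResponse();` in both methods, or make the helper throw so that callers cannot continue. Whether the container discards the ZK response once sendError has been called I cannot tell from here, but the state change and window creation happen regardless. The method body continues outside the hunk.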
@@ -627,6 +639,11 @@ public class ExpenseSheetCRUDController extends
 
 @Override
 public void goToEditPersonalExpenseSheet(ExpenseSheet expenseSheet) {
+ if (!SecurityUtils.isUserInRole(UserRole.ROLE_BOUND_USER)
+ || !expenseSheetModel
+ .isPersonalAndBelognsToCurrentUser(expenseSheet)) {
+ sendForbiddenStatusCodeInHttpServletResponse();
+ }
 goToEditForm(expenseSheet);
 fromUserDashboard = true;
 }
diff --git a/libreplan-webapp/src/main/java/org/libreplan/web/expensesheet/ExpenseSheetModel.java b/libreplan-webapp/src/main/java/org/libreplan/web/expensesheet/ExpenseSheetModel.java
index d8a5da6d3..fbc395581 100644
--- a/libreplan-webapp/src/main/java/org/libreplan/web/expensesheet/ExpenseSheetModel.java
+++ b/libreplan-webapp/src/main/java/org/libreplan/web/expensesheet/ExpenseSheetModel.java
@@ -359,4 +359,19 @@ public class ExpenseSheetModel extends IntegrationEntityModel implements IExpens
 }
 }
 
+ @Override
+ @Transactional(readOnly = true)
+ public boolean isPersonalAndBelognsToCurrentUser(ExpenseSheet expenseSheet) {
+ if (!expenseSheet.isPersonal()) {
+ return false;
+ }
+
+ SortedSet expenseSheetLines = getFromDB(expenseSheet)
+ .getExpenseSheetLines();
+ Resource resource = expenseSheetLines.iterator().next().getResource();
+
+ User user = UserUtil.getUserFromSession();
+ return user.getWorker().getId().equals(resource.getId());
+ }
+
 }
\ No newline at end of file
diff --git a/libreplan-webapp/src/main/java/org/libreplan/web/expensesheet/IExpenseSheetModel.java b/libreplan-webapp/src/main/java/org/libreplan/web/expensesheet/IExpenseSheetModel.java
index c5fd8bbeb..498214204 100644
--- a/libreplan-webapp/src/main/java/org/libreplan/web/expensesheet/IExpenseSheetModel.java
+++ b/libreplan-webapp/src/main/java/org/libreplan/web/expensesheet/IExpenseSheetModel.java
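Review bot: isPersonalAndBelognsToCurrentUser calls `expenseSheetLines.iterator().next()` and `user.getWorker().getId()` without checks, so a personal sheet with no lines throws NoSuchElementException and a session user with no bound worker throws NullPointerException; as this method is now used as the access check in goToEditPersonalExpenseSheet, both cases should deny access rather than fail. Insert `if (expenseSheetLines.isEmpty()) { return false; }` after the lines are fetched and end with `return user.getWorker() != null && user.getWorker().getId().equals(resource.getId());`. Only the resource of the first line is compared; if a personal sheet can only ever hold lines for one resource that is sufficient but worth a comment saying so, otherwise every line should be checked. `SortedSet expenseSheetLines` is also a raw type; presumably `SortedSet<ExpenseSheetLine>`, which would let the compiler check the `getResource()` call.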
@@ -86,4 +86,11 @@ public interface IExpenseSheetModel extends IIntegrationEntityModel {
 void keepSortedExpenseSheetLines(ExpenseSheetLine expenseSheetLine,
 LocalDate newDate);
 
+ /**
+ * Returns true if the {@link ExpenseSheet} is
+ * personal and belongs to the worker associated to current
+ * user.
+ */
+ boolean isPersonalAndBelognsToCurrentUser(ExpenseSheet expenseSheet);
+
 }
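Review bot: The Javadoc added for isPersonalAndBelognsToCurrentUser does not say what the method does for a user without a bound worker or for a sheet without lines, which is exactly what a caller using it as an access check needs to know (the implementation in ExpenseSheetModel currently throws in both cases rather than returning false). Extend it with a sentence naming those two cases and whether they yield false or an exception, and add an `@param expenseSheet` / `@return` pair while at it. The method name misspells 'Belongs'; since the method is introduced by this commit, renaming it to isPersonalAndBelongsToCurrentUser now, here and in ExpenseSheetModel and ExpenseSheetCRUDController, is cheap.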