From ffe537ca7bad373c9f28a244978d4867217cf65f Mon Sep 17 00:00:00 2001
From: Manuel Rego Casasnovas
Date: Wed, 20 Jun 2012 08:39:14 +0200
Subject: [PATCH] Protect entry points methods in expenses sheet window
Entry points can only be used by ROLE_BOUND_USER. Moreover an extra checking has been added in the edit entry point to check that the expense sheet is personal and it belongs to the worker bound to current user.
FEA: ItEr76S30PermissionsEnhancements
---
 .../ExpenseSheetCRUDController.java | 25 ++++++++++++++++---
 .../web/expensesheet/ExpenseSheetModel.java | 15 +++++++++++
 .../web/expensesheet/IExpenseSheetModel.java | 7 ++++++
 3 files changed, 43 insertions(+), 4 deletions(-)
diff --git a/libreplan-webapp/src/main/java/org/libreplan/web/expensesheet/ExpenseSheetCRUDController.java b/libreplan-webapp/src/main/java/org/libreplan/web/expensesheet/ExpenseSheetCRUDController.java
index 79dd9c512..e246bc0c5 100644
--- a/libreplan-webapp/src/main/java/org/libreplan/web/expensesheet/ExpenseSheetCRUDController.java
+++ b/libreplan-webapp/src/main/java/org/libreplan/web/expensesheet/ExpenseSheetCRUDController.java
@@ -115,7 +115,7 @@ public class ExpenseSheetCRUDController extends
 .register(this, page);
 }
- private void checkUserHasProperRoleOrSendForbiddenCode() throws IOException {
+ private void checkUserHasProperRoleOrSendForbiddenCode() {
 HttpServletRequest request = (HttpServletRequest) Executions
 .getCurrent().getNativeRequest();
 Map matrixParams = MatrixParameters.extract(request);
@@ -123,13 +123,21 @@ public class ExpenseSheetCRUDController extends
 // If it doesn't come from a entry point
 if (matrixParams.isEmpty()) {
 if (!SecurityUtils.isSuperuserOrUserInRoles(UserRole.ROLE_EXPENSES)) {
- HttpServletResponse response = (HttpServletResponse) Executions
- .getCurrent().getNativeResponse();
- response.sendError(HttpServletResponse.SC_FORBIDDEN);
+ sendForbiddenStatusCodeInHttpServletResponse();
 }
 }
 }
+ private void sendForbiddenStatusCodeInHttpServletResponse() {
+ try {
+ HttpServletResponse response = (HttpServletResponse) Executions
+ .getCurrent().getNativeResponse();
+ response.sendError(HttpServletResponse.SC_FORBIDDEN);
+ } catch (IOException e) {
+ throw new RuntimeException(e);
+ }
+ }
+
 @Override
 public void save() throws ValidationException {
 expenseSheetModel.confirmSave();
@@ -609,6 +617,10 @@ public class ExpenseSheetCRUDController extends
 @Override
 public void goToCreatePersonalExpenseSheet() {
+ if (!SecurityUtils.isUserInRole(UserRole.ROLE_BOUND_USER)) {
+ sendForbiddenStatusCodeInHttpServletResponse();
+ }
+
 state = CRUDControllerState.CREATE;
 initCreate(true);
 showEditWindow();
@@ -627,6 +639,11 @@ public class ExpenseSheetCRUDController extends
 @Override
 public void goToEditPersonalExpenseSheet(ExpenseSheet expenseSheet) {
+ if (!SecurityUtils.isUserInRole(UserRole.ROLE_BOUND_USER)
+ || !expenseSheetModel
+ .isPersonalAndBelognsToCurrentUser(expenseSheet)) {
+ sendForbiddenStatusCodeInHttpServletResponse();
+ }
 goToEditForm(expenseSheet);
 fromUserDashboard = true;
 }
diff --git a/libreplan-webapp/src/main/java/org/libreplan/web/expensesheet/ExpenseSheetModel.java b/libreplan-webapp/src/main/java/org/libreplan/web/expensesheet/ExpenseSheetModel.java
index d8a5da6d3..fbc395581 100644
--- a/libreplan-webapp/src/main/java/org/libreplan/web/expensesheet/ExpenseSheetModel.java
+++ b/libreplan-webapp/src/main/java/org/libreplan/web/expensesheet/ExpenseSheetModel.java
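Review bot: In goToCreatePersonalExpenseSheet and goToEditPersonalExpenseSheet the forbidden branch falls through: after `sendForbiddenStatusCodeInHttpServletResponse();` the method still runs `state = CRUDControllerState.CREATE;` through `showEditWindow();`, and in the edit case `goToEditForm(expenseSheet);`, so the 403 is written but the protected form is still built for the user who failed the role or ownership check. A `return;` directly after each call (or having the helper throw instead of returning) closes the gap; the pre-existing checkUserHasProperRoleOrSendForbiddenCode caller of the helper has the same fall-through. The new helper only writes the status and gives the caller no signal, which its Javadoc should say, e.g. `/** Writes 403 to the native response; the caller must stop processing afterwards. */`. Whether the 403 actually reaches the client once ZK has started the event response is not visible here and worth confirming. The name `isPersonalAndBelognsToCurrentUser` carries a typo (Belogns) that this patch repeats in ExpenseSheetModel and IExpenseSheetModel.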
@@ -359,4 +359,19 @@ public class ExpenseSheetModel extends IntegrationEntityModel implements IExpens
 }
 }
+ @Override
+ @Transactional(readOnly = true)
+ public boolean isPersonalAndBelognsToCurrentUser(ExpenseSheet expenseSheet) {
+ if (!expenseSheet.isPersonal()) {
+ return false;
+ }
+
+ SortedSet expenseSheetLines = getFromDB(expenseSheet)
+ .getExpenseSheetLines();
+ Resource resource = expenseSheetLines.iterator().next().getResource();
+
+ User user = UserUtil.getUserFromSession();
+ return user.getWorker().getId().equals(resource.getId());
+ }
+
 }
\ No newline at end of file
diff --git a/libreplan-webapp/src/main/java/org/libreplan/web/expensesheet/IExpenseSheetModel.java b/libreplan-webapp/src/main/java/org/libreplan/web/expensesheet/IExpenseSheetModel.java
index c5fd8bbeb..498214204 100644
--- a/libreplan-webapp/src/main/java/org/libreplan/web/expensesheet/IExpenseSheetModel.java
+++ b/libreplan-webapp/src/main/java/org/libreplan/web/expensesheet/IExpenseSheetModel.java
@@ -86,4 +86,11 @@ public interface IExpenseSheetModel extends IIntegrationEntityModel {
 void keepSortedExpenseSheetLines(ExpenseSheetLine expenseSheetLine,
 LocalDate newDate);
+ /**
+ * Returns true if the {@link ExpenseSheet} is
+ * personal and belongs to the worker associated to current
+ * user.
+ */
+ boolean isPersonalAndBelognsToCurrentUser(ExpenseSheet expenseSheet);
+
 }
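Review bot: `expenseSheetLines.iterator().next()` throws NoSuchElementException when a personal expense sheet has no lines, and `user.getWorker().getId()` dereferences a worker that may be null for a session user not bound to one, so this authorization check can fail with an exception instead of returning false; both should be guarded before dereferencing. The `isPersonal()` test is also made on the caller-supplied object while the lines come from `getFromDB(expenseSheet)`, so the decision mixes request state with persisted state — checking the flag on the loaded entity keeps it entirely on what is stored. Ownership is decided from the first line's resource only, which is presumably sound if every line of a personal sheet carries the same resource; worth confirming. The surrounding class continues outside the hunk.
```java
    public boolean isPersonalAndBelognsToCurrentUser(ExpenseSheet expenseSheet) {
        ExpenseSheet persisted = getFromDB(expenseSheet);
        if (!persisted.isPersonal()) {
            return false;
        }

        User user = UserUtil.getUserFromSession();
        if (user == null || user.getWorker() == null) {
            return false;
        }

        // … unchanged: expenseSheetLines = persisted.getExpenseSheetLines() …
        if (expenseSheetLines.isEmpty()) {
            return false;
        }
        Resource resource = expenseSheetLines.iterator().next().getResource();
        return user.getWorker().getId().equals(resource.getId());
    }
```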