[Lada-commits] [PATCH] Fix authorization for OrtszuordnungMp and friends

Wald Commits scm-commit at wald.intevation.org
Wed Feb 8 19:59:25 CET 2017 

# HG changeset patch
# User Tom Gottfried <tom at intevation.de>
# Date 1486580161 -3600
# Node ID 588f6deae24aeaf7414520b6d77a269d5ee961f9
# Parent  d48e1636fb0b4a28cf6c56cb3992eba9135d2908
Fix authorization for OrtszuordnungMp and friends.

Setting readonly equal to owner implied an owner cannot edit its own
objects. That was probably not intended. As many of the conditionals
actually evaluated to doing nothing, those were removed.

diff -r d48e1636fb0b -r 588f6deae24a src/main/java/de/intevation/lada/util/auth/MessprogrammIdAuthorizer.java
--- a/src/main/java/de/intevation/lada/util/auth/MessprogrammIdAuthorizer.java	Wed Feb 08 18:32:09 2017 +0100
+++ b/src/main/java/de/intevation/lada/util/auth/MessprogrammIdAuthorizer.java	Wed Feb 08 19:56:01 2017 +0100
@@ -13,7 +13,6 @@
 import java.util.List;
 
 import de.intevation.lada.model.land.Messprogramm;
-import de.intevation.lada.model.stammdaten.MessStelle;
 import de.intevation.lada.util.rest.RequestMethod;
 import de.intevation.lada.util.rest.Response;
 
@@ -91,26 +90,17 @@
             else {
                 return null;
             }
-            Messprogramm messprogramm =
-                (Messprogramm)repository.getById(Messprogramm.class, id, "land").getData();
+            Messprogramm messprogramm = repository.getByIdPlain(
+                Messprogramm.class, id, "land");
 
-            boolean readOnly = true;
             boolean owner = false;
-            MessStelle mst = repository.getByIdPlain(MessStelle.class, messprogramm.getMstId(), "stamm");
-            if (!userInfo.getNetzbetreiber().contains(
-                    mst.getNetzbetreiberId())) {
-                owner = false;
-                readOnly = true;
+            if (userInfo.belongsTo(
+                    messprogramm.getMstId(),
+                    messprogramm.getLaborMstId())
+            ) {
+                owner = true;
             }
-            else {
-                if (userInfo.belongsTo(messprogramm.getMstId(), messprogramm.getLaborMstId())) {
-                    owner = true;
-                }
-                else {
-                    owner = false;
-                }
-                readOnly = owner;
-            }
+            boolean readOnly = !owner;
 
             Method setOwner = clazz.getMethod("setOwner", boolean.class);
             Method setReadonly = clazz.getMethod("setReadonly", boolean.class);

More information about the Lada-commits mailing list