[Lada-commits] [PATCH 3 of 3] Authorize status change only for matching user
Wald Commits
scm-commit at wald.intevation.org
Wed Jun 1 15:29:05 CEST 2016
# HG changeset patch
# User Tom Gottfried <tom at intevation.de>
# Date 1464787508 -7200
# Node ID ad69878b7280499e9ffd378af43d16d83d6222a4
# Parent 3c1b1631e4741365de3e6e58d90bf292fb5b45a8
Authorize status change only for matching user.
Matching means belonging to the MessStelle or the Netzbetreiber,
respectively, of the probe.
diff -r 3c1b1631e474 -r ad69878b7280 db_schema/stammdaten_schema.sql
--- a/db_schema/stammdaten_schema.sql Mon May 30 16:11:24 2016 +0200
+++ b/db_schema/stammdaten_schema.sql Wed Jun 01 15:25:08 2016 +0200
@@ -140,7 +140,7 @@
CREATE TABLE mess_stelle (
id character varying(5) PRIMARY KEY,
- netzbetreiber_id character varying(2),
+ netzbetreiber_id character varying(2) NOT NULL,
beschreibung character varying(300),
mess_stelle character varying(60),
mst_typ character varying(1),
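Review bot: Adding NOT NULL to `netzbetreiber_id` in the CREATE TABLE statement only affects freshly created databases; no migration for existing installations is visible in this patch. If deployed databases exist, they need a check for rows with a NULL `netzbetreiber_id` followed by something like `ALTER TABLE mess_stelle ALTER COLUMN netzbetreiber_id SET NOT NULL;` (schema-qualified as the deployment requires). Otherwise the new Netzbetreiber comparison in StatusService runs against data that does not carry the guarantee this hunk declares. The table definition continues outside the hunk.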
diff -r 3c1b1631e474 -r ad69878b7280 src/main/java/de/intevation/lada/rest/StatusService.java
--- a/src/main/java/de/intevation/lada/rest/StatusService.java Mon May 30 16:11:24 2016 +0200
+++ b/src/main/java/de/intevation/lada/rest/StatusService.java Wed Jun 01 15:25:08 2016 +0200
@@ -35,6 +35,7 @@
import de.intevation.lada.model.land.LMessung;
import de.intevation.lada.model.land.LProbe;
import de.intevation.lada.model.land.LStatusProtokoll;
+import de.intevation.lada.model.stamm.MessStelle;
import de.intevation.lada.util.annotation.AuthorizationConfig;
import de.intevation.lada.util.annotation.RepositoryConfig;
import de.intevation.lada.util.auth.Authorization;
@@ -237,6 +238,7 @@
return new Response(false, 697, null);
}
+ // Is user authorized to edit status at all?
Response r = authorization.filter(
request,
new Response(true, 200, messung),
@@ -245,8 +247,7 @@
if (filteredMessung.getStatusEdit() == false) {
return new Response(false, 699, null);
}
- boolean next = false;
- boolean change = false;
+
if (messung.getStatus() == null) {
status.setStatusStufe(1);
}
@@ -254,11 +255,12 @@
LStatusProtokoll currentStatus = defaultRepo.getByIdPlain(
LStatusProtokoll.class, messung.getStatus(), "land");
+ String probeMstId = defaultRepo.getByIdPlain(
+ LProbe.class,
+ messung.getProbeId(),
+ "land").getMstId();
+
if (currentStatus.getStatusWert() == 4) {
- LProbe probe = defaultRepo.getByIdPlain(
- LProbe.class,
- messung.getProbeId(),
- "land");
if (status.getStatusWert() == 4
&& userInfo.getMessstellen().contains(
currentStatus.getErzeuger())
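Review bot: The new `probeMstId` assignment calls `.getMstId()` directly on the result of `defaultRepo.getByIdPlain(LProbe.class, ...)`, so a Messung whose probe cannot be loaded would end in a NullPointerException instead of a controlled `Response(false, 699, null)`; this assumes getByIdPlain can return null, which is not visible here. The same pattern recurs in the last StatusService hunk for `.getNetzbetreiberId()` on the LProbe and MessStelle lookups, and there `pNetzbetreiber.equals(sNetzbetreiber)` uses the probe's value as receiver although this commit only makes `mess_stelle.netzbetreiber_id` NOT NULL. Loading the probe once into a local, checking it for null, and comparing with `!sNetzbetreiber.equals(pNetzbetreiber)` would keep the denial path explicit and also avoid the second probe query. The enclosing method starts and ends outside the hunk.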
@@ -269,9 +271,9 @@
status.setStatusStufe(currentStatus.getStatusStufe());
}
else if (
- userInfo.getFunktionenForMst(probe.getMstId())
+ userInfo.getFunktionenForMst(probeMstId)
.contains(1)
- && probe.getMstId().equals(status.getErzeuger())
+ && probeMstId.equals(status.getErzeuger())
) {
status.setStatusStufe(1);
}
@@ -280,23 +282,52 @@
}
}
else {
- for (int i = 0;
- i < userInfo.getFunktionenForMst(status.getErzeuger()).size();
- i++
+ boolean next = false; // Do we advance to next 'stufe'?
+ boolean change = false; // Do we change status on same 'stufe'?
+
+ // XXX: It's assumed here, that MessStelle:function is a
+ // 1:1-relationship, which is not enforced by the model
+ // (there is no such constraint in stammdaten.auth).
+ // Thus, next and change will be set based
+ // on whichever function is the first match, which is
+ // not necessary the users intention, if he has more than
+ // one function for the matching Messstelle.
+
+ // XXX: It's assumed here, that an 'Erzeuger' is an instance
+ // of 'Messstelle', but the model does not enforce it!
+ for (Integer function :
+ userInfo.getFunktionenForMst(status.getErzeuger())
) {
- if (userInfo.getFunktionenForMst(status.getErzeuger())
- .get(i).equals(currentStatus.getStatusStufe() + 1)
- && currentStatus.getStatusWert() != 0
- ) {
+ if (function.equals(currentStatus.getStatusStufe() + 1)
+ && currentStatus.getStatusWert() != 0) {
next = true;
}
- else if (userInfo.getFunktionenForMst(
- status.getErzeuger()).get(i) ==
- currentStatus.getStatusStufe()
- ) {
+ else if (function == currentStatus.getStatusStufe()) {
+ if (currentStatus.getStatusStufe() == 1
+ && !status.getErzeuger().equals(probeMstId)) {
+ logger.debug(
+ "Messstelle does not match for change");
+ return new Response(false, 699, null);
+ }
+
+ String pNetzbetreiber = defaultRepo.getByIdPlain(
+ LProbe.class,
+ messung.getProbeId(),
+ "land").getNetzbetreiberId();
+ String sNetzbetreiber = defaultRepo.getByIdPlain(
+ MessStelle.class,
+ status.getErzeuger(),
+ "stamm").getNetzbetreiberId();
+ if (currentStatus.getStatusStufe() == 2
+ && !pNetzbetreiber.equals(sNetzbetreiber)){
+ logger.debug(
+ "Netzbetreiber does not match for change");
+ return new Response(false, 699, null);
+ }
change = true;
}
}
+
if (change &&
status.getStatusWert() == 4 &&
status.getStatusStufe() > 1
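Review bot: The Messstelle and Netzbetreiber comparisons are enforced only in the `else if (function == currentStatus.getStatusStufe())` branch; the branch that sets `next = true` still accepts any function equal to Stufe + 1 held for `status.getErzeuger()` without relating that Erzeuger to `probeMstId` or the probe's Netzbetreiber. `status` appears to be taken from the request, so if advancing to the next Stufe should also be limited to the matching Messstelle/Netzbetreiber, the same comparison has to run before `next = true`; if it is deliberately unrestricted, a comment such as `// advancing to the next Stufe is intentionally not bound to the probe's Messstelle` would record that. The two `return new Response(false, 699, null);` statements also leave the loop on the first same-Stufe function, so a user holding a further function that would have set `next` is rejected depending on list order, which extends the ordering caveat in the XXX comment. The `if (change && ...` statement continues outside the hunk.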
diff -r 3c1b1631e474 -r ad69878b7280 src/main/java/de/intevation/lada/util/auth/MessungAuthorizer.java
--- a/src/main/java/de/intevation/lada/util/auth/MessungAuthorizer.java Mon May 30 16:11:24 2016 +0200
+++ b/src/main/java/de/intevation/lada/util/auth/MessungAuthorizer.java Wed Jun 01 15:25:08 2016 +0200
@@ -88,12 +88,14 @@
messung.setStatusEdit(false);
return messung;
}
+
if (userInfo.belongsTo(probe.getMstId(), probe.getLaborMstId())) {
messung.setOwner(true);
}
else {
messung.setOwner(false);
}
+
if (messung.getStatus() == null) {
messung.setReadonly(false);
messung.setStatusEdit(false);