[Lada-commits] [PATCH 2 of 2] Allow a user only to manipulate Ort with own Netzbetreiber
Wald Commits
scm-commit at wald.intevation.org
Wed May 25 19:29:18 CEST 2016
# HG changeset patch
# User Tom Gottfried <tom at intevation.de>
# Date 1464193314 -7200
# Node ID 4657811fd133483f3a0590554a8d17471009282f
# Parent 539eb174bf23d9deda07ce24c5a4a00963443011
Allow a user only to manipulate Ort with own Netzbetreiber.
diff -r 539eb174bf23 -r 4657811fd133 src/main/java/de/intevation/lada/util/auth/NetzbetreiberAuthorizer.java
--- a/src/main/java/de/intevation/lada/util/auth/NetzbetreiberAuthorizer.java Wed May 25 18:10:14 2016 +0200
+++ b/src/main/java/de/intevation/lada/util/auth/NetzbetreiberAuthorizer.java Wed May 25 18:21:54 2016 +0200
@@ -12,6 +12,7 @@
import de.intevation.lada.util.rest.RequestMethod;
import de.intevation.lada.util.rest.Response;
+import de.intevation.lada.model.stamm.Ort;
public class NetzbetreiberAuthorizer extends BaseAuthorizer {
@@ -41,7 +42,11 @@
method == RequestMethod.PUT ||
method == RequestMethod.DELETE) &&
(userInfo.getFunktionenForNetzbetreiber(id).contains(4) ||
- clazz.getName().equals("de.intevation.lada.model.stamm.Ort"));
+ // XXX: this currently allows any user, regardless of function,
+ // to manipulate and delete any ort of his own netzbetreiber!
+ clazz.getName().equals("de.intevation.lada.model.stamm.Ort") &&
+ userInfo.getNetzbetreiber().contains(
+ ((Ort)data).getNetzbetreiberId()));
}
@Override
More information about the Lada-commits
mailing list