
[Branch ~dhis2-devs-core/dhis2/trunk] Rev 13613: secure create, update, delete parts of apps web-api with ALL or M_dhis-web-maintenance-appmanager

 

------------------------------------------------------------
revno: 13613
committer: Morten Olav Hansen <mortenoh@xxxxxxxxx>
branch nick: dhis2
timestamp: Tue 2014-01-07 14:11:40 +0100
message:
  secure create, update, delete parts of apps web-api with ALL or M_dhis-web-maintenance-appmanager
modified:
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/AppController.java


--
lp:dhis2
https://code.launchpad.net/~dhis2-devs-core/dhis2/trunk

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/AppController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/AppController.java	2014-01-07 12:49:31 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/AppController.java	2014-01-07 13:11:40 +0000
@@ -40,6 +40,7 @@
 import org.springframework.core.io.Resource;
 import org.springframework.core.io.ResourceLoader;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.util.StreamUtils;
@@ -83,6 +84,7 @@
 
     @RequestMapping( value = RESOURCE_PATH, method = RequestMethod.POST )
     @ResponseStatus( HttpStatus.NO_CONTENT )
+    @PreAuthorize( "hasRole('ALL') or hasRole('M_dhis-web-maintenance-appmanager')" )
     public void installApp( @RequestParam( "file" ) MultipartFile file, HttpServletRequest request ) throws IOException
     {
         File tempFile = File.createTempFile( "IMPORT_", "_ZIP" );
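Review bot: Nothing in this commit shows that pre/post method security is enabled for the Spring context that hosts `AppController`, and where it is not enabled the `@PreAuthorize` on `installApp` is silently ignored rather than failing. Controllers often live in the dispatcher servlet's child context, so it is worth confirming with a test that sends the POST as a user holding neither authority and expects an access-denied response. The same applies to the annotations added on `reloadApps`, `renderApp` and `deleteApp` in the later hunks. Separately, the expression is repeated verbatim four times; a single constant such as `private static final String APP_MANAGER_AUTH = "hasRole('ALL') or hasRole('M_dhis-web-maintenance-appmanager')";` referenced from each annotation would keep the checks from drifting apart. The body of `installApp` continues outside the hunk.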
@@ -97,12 +99,14 @@
 
     @RequestMapping( value = RESOURCE_PATH, method = RequestMethod.PUT )
     @ResponseStatus( HttpStatus.NO_CONTENT )
+    @PreAuthorize( "hasRole('ALL') or hasRole('M_dhis-web-maintenance-appmanager')" )
     public void reloadApps()
     {
         appManager.reloadApps();
     }
 
     @RequestMapping( value = "/apps/{app}/**", method = RequestMethod.GET )
+    @PreAuthorize( "hasRole('ALL') or hasRole('M_dhis-web-maintenance-appmanager')" )
     public void renderApp( @PathVariable( "app" ) String app, HttpServletRequest request, HttpServletResponse response ) throws IOException, NotFoundException
     {
         Iterable<Resource> locations = Lists.newArrayList(
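Review bot: The `@PreAuthorize` added on `renderApp` guards the GET mapping for `/apps/{app}/**`, which is a read path, while the commit message names only the create, update and delete parts. If this handler is what serves an installed app's resources to ordinary users, they would now be denied unless they hold `ALL` or `M_dhis-web-maintenance-appmanager`, which looks broader than intended. Either drop the annotation from `renderApp` or, if the restriction is deliberate, state it in the commit message and add a comment such as `// app content is restricted to app managers on purpose`. The body of `renderApp` continues outside the hunk, so how the `app` path variable is resolved to a resource cannot be judged from here.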
@@ -143,6 +147,7 @@
     }
 
     @RequestMapping( value = "/apps/{app}", method = RequestMethod.DELETE )
+    @PreAuthorize( "hasRole('ALL') or hasRole('M_dhis-web-maintenance-appmanager')" )
     public void deleteApp( @PathVariable( "app" ) String app, HttpServletRequest request, HttpServletResponse response ) throws NotFoundException
     {
         if ( !appManager.exists( app ) )