dhis2-devs team mailing list archive

Thread
Date

[Branch ~dhis2-devs-core/dhis2/trunk] Rev 14463: update sharingService to block delete/update if the user doesn't have the required authorities, t...

To: DHIS 2 developers <dhis2-devs@xxxxxxxxxxxxxxxxxxx>
From: noreply@xxxxxxxxxxxxx
Date: Thu, 27 Mar 2014 04:05:36 -0000
Reply-to: noreply@xxxxxxxxxxxxx
Sender: bounces@xxxxxxxxxxxxx

------------------------------------------------------------
revno: 14463
committer: Morten Olav Hansen <mortenoh@xxxxxxxxx>
branch nick: dhis2
timestamp: Thu 2014-03-27 05:04:56 +0100
message:
  update sharingService to block delete/update if the user doesn't have the required authorities, this also applies to object the user owns
modified:
  dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/sharing/DefaultSharingService.java


--
lp:dhis2
https://code.launchpad.net/~dhis2-devs-core/dhis2/trunk

Your team DHIS 2 developers is subscribed to branch lp:dhis2.
To unsubscribe from this branch go to https://code.launchpad.net/~dhis2-devs-core/dhis2/trunk/+edit-subscription

=== modified file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/sharing/DefaultSharingService.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/sharing/DefaultSharingService.java	2014-03-27 01:16:51 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/sharing/DefaultSharingService.java	2014-03-27 04:04:56 +0000
@@ -38,6 +38,7 @@
 import org.hisp.dhis.user.UserGroupAccess;
 import org.springframework.beans.factory.annotation.Autowired;
 
+import java.util.Collection;
 import java.util.HashSet;
 import java.util.Set;
 
@@ -132,13 +133,47 @@
     @Override
     public boolean canUpdate( User user, IdentifiableObject object )
     {
-        return canWrite( user, object );
+        Schema schema = schemaService.getSchema( object.getClass() );
+
+        if ( schema == null || !schema.isShareable() )
+        {
+            return false;
+        }
+
+        if ( schema.getAuthorityByType( AuthorityType.UPDATE ).isEmpty() )
+        {
+            return canWrite( user, object );
+        }
+
+        Set<String> authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
+
+        return canAccess( authorities, schema.getAuthorityByType( AuthorityType.UPDATE ) ) && canWrite( user, object );
     }
 
     @Override
     public boolean canDelete( User user, IdentifiableObject object )
     {
-        return canWrite( user, object );
+        Schema schema = schemaService.getSchema( object.getClass() );
+
+        if ( schema == null || !schema.isShareable() )
+        {
+            return false;
+        }
+
+        if ( schema.getAuthorityByType( AuthorityType.DELETE ).isEmpty() )
+        {
+            return canWrite( user, object );
+        }
+
+        Set<String> authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
+
+        return canAccess( authorities, schema.getAuthorityByType( AuthorityType.DELETE ) ) && canWrite( user, object );
+    }
+
+    private boolean canAccess( Collection<String> userAuthorities, Collection<String> requiredAuthorities )
+    {
+        return containsAny( userAuthorities, SHARING_OVERRIDE_AUTHORITIES ) ||
+            containsAny( userAuthorities, requiredAuthorities );
     }
 
     @Override