[Branch ~dhis2-devs-core/dhis2/trunk] Rev 14463: update sharingService to block delete/update if the user doesn't have the required authorities, t...
------------------------------------------------------------
revno: 14463
committer: Morten Olav Hansen <mortenoh@xxxxxxxxx>
branch nick: dhis2
timestamp: Thu 2014-03-27 05:04:56 +0100
message:
Update sharingService to block delete/update if the user doesn't have the required authorities; this also applies to objects the user owns.
modified:
dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/sharing/DefaultSharingService.java
--
lp:dhis2
https://code.launchpad.net/~dhis2-devs-core/dhis2/trunk
=== modified file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/sharing/DefaultSharingService.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/sharing/DefaultSharingService.java 2014-03-27 01:16:51 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/sharing/DefaultSharingService.java 2014-03-27 04:04:56 +0000
@@ -38,6 +38,7 @@
import org.hisp.dhis.user.UserGroupAccess;
import org.springframework.beans.factory.annotation.Autowired;
+import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
@@ -132,13 +133,47 @@
@Override
public boolean canUpdate( User user, IdentifiableObject object )
{
- return canWrite( user, object );
+ Schema schema = schemaService.getSchema( object.getClass() );
+
+ if ( schema == null || !schema.isShareable() )
+ {
+ return false;
+ }
+
+ if ( schema.getAuthorityByType( AuthorityType.UPDATE ).isEmpty() )
+ {
+ return canWrite( user, object );
+ }
+
+ Set<String> authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
+
+ return canAccess( authorities, schema.getAuthorityByType( AuthorityType.UPDATE ) ) && canWrite( user, object );
}
@Override
public boolean canDelete( User user, IdentifiableObject object )
{
- return canWrite( user, object );
+ Schema schema = schemaService.getSchema( object.getClass() );
+
+ if ( schema == null || !schema.isShareable() )
+ {
+ return false;
+ }
+
+ if ( schema.getAuthorityByType( AuthorityType.DELETE ).isEmpty() )
+ {
+ return canWrite( user, object );
+ }
+
+ Set<String> authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
+
+ return canAccess( authorities, schema.getAuthorityByType( AuthorityType.DELETE ) ) && canWrite( user, object );
+ }
+
+ private boolean canAccess( Collection<String> userAuthorities, Collection<String> requiredAuthorities )
+ {
+ return containsAny( userAuthorities, SHARING_OVERRIDE_AUTHORITIES ) ||
+ containsAny( userAuthorities, requiredAuthorities );
}
@Override
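Review bot: canUpdate and canDelete now carry the same authorization sequence twice, differing only in AuthorityType.UPDATE versus AuthorityType.DELETE, so a later fix applied to one copy can silently leave the other with a weaker check. Moving the sequence into one private helper keeps the two decisions identical. It also gives a single place to document that a missing or non-shareable schema denies, and that an empty authority list falls back to canWrite alone. If getUserCredentials() can return null for a user (not visible in this hunk), the ternary would throw inside the access check, so the helper sketched below guards that case too; canAccess stays as committed.

```java
@Override
public boolean canUpdate( User user, IdentifiableObject object )
{
    return hasAuthorityAndWriteAccess( user, object, AuthorityType.UPDATE );
}

@Override
public boolean canDelete( User user, IdentifiableObject object )
{
    return hasAuthorityAndWriteAccess( user, object, AuthorityType.DELETE );
}

/**
 * Shared decision for update and delete: the user needs one of the schema's
 * authorities for the given type (or a sharing override authority) AND write
 * access to the object, so ownership alone is not sufficient.
 */
private boolean hasAuthorityAndWriteAccess( User user, IdentifiableObject object, AuthorityType type )
{
    Schema schema = schemaService.getSchema( object.getClass() );

    // Deny when the type has no schema or is not shareable.
    if ( schema == null || !schema.isShareable() )
    {
        return false;
    }

    Collection<String> required = schema.getAuthorityByType( type );

    // No authority declared for this operation: sharing write access alone decides.
    if ( required.isEmpty() )
    {
        return canWrite( user, object );
    }

    // A missing user or missing credentials is treated as holding no authorities.
    Set<String> authorities = user != null && user.getUserCredentials() != null
        ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();

    return canAccess( authorities, required ) && canWrite( user, object );
}

// … unchanged: canAccess …
```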