[Branch ~dhis2-devs-core/dhis2/trunk] Rev 19670: Add acl check for dashboards/dashboardItems
------------------------------------------------------------
revno: 19670
committer: Morten Olav Hansen <mortenoh@xxxxxxxxx>
branch nick: dhis2
timestamp: Thu 2015-07-16 14:53:57 +0700
message:
Add acl check for dashboards/dashboardItems
modified:
dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/DashboardController.java
=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/DashboardController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/DashboardController.java 2015-07-16 07:26:29 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/DashboardController.java 2015-07-16 07:53:57 +0000
@@ -37,6 +37,7 @@
import org.hisp.dhis.dxf2.common.JacksonUtils;
import org.hisp.dhis.dxf2.webmessage.WebMessageException;
import org.hisp.dhis.hibernate.exception.DeleteAccessDeniedException;
+import org.hisp.dhis.hibernate.exception.UpdateAccessDeniedException;
import org.hisp.dhis.schema.descriptors.DashboardItemSchemaDescriptor;
import org.hisp.dhis.schema.descriptors.DashboardSchemaDescriptor;
import org.hisp.dhis.webapi.utils.WebMessageUtils;
@@ -107,6 +108,11 @@
throw new WebMessageException( WebMessageUtils.notFound( "Dashboard does not exist: " + uid ) );
}
+ if ( !aclService.canUpdate( currentUserService.getCurrentUser(), dashboard ) )
+ {
+ throw new UpdateAccessDeniedException( "You don't have the proper permissions to update this dashboard." );
+ }
+
Dashboard newDashboard = JacksonUtils.fromJson( request.getInputStream(), Dashboard.class );
dashboard.setName( newDashboard.getName() ); // TODO Name only for now
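Review bot: The same four-line ACL guard is pasted verbatim into six handlers (here and in the hunks ending at L53, L71, L82, L92 and L102), which makes it easy for a future handler to be added without it or for one copy to drift; a small private helper called right after the not-found check keeps the authorization rule in one place. The guard throws `UpdateAccessDeniedException` directly rather than a `WebMessageException`, presumably relying on the same exception mapping as the already-imported `DeleteAccessDeniedException`; a short comment on the helper saying that this is mapped to a 403 by the global handler would make that intent visible. The enclosing method starts before this hunk.
```java
    /**
     * Rejects the request unless the current user is allowed to update the given dashboard.
     * Call only after the dashboard has been resolved (non-null).
     */
    private void checkCanUpdate( Dashboard dashboard )
    {
        if ( !aclService.canUpdate( currentUserService.getCurrentUser(), dashboard ) )
        {
            throw new UpdateAccessDeniedException( "You don't have the proper permissions to update this dashboard." );
        }
    }

    // … at each call site, replacing the inline guard …
    checkCanUpdate( dashboard );
```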
@@ -148,6 +154,11 @@
throw new WebMessageException( WebMessageUtils.notFound( "Dashboard does not exist: " + uid ) );
}
+ if ( !aclService.canUpdate( currentUserService.getCurrentUser(), dashboard ) )
+ {
+ throw new UpdateAccessDeniedException( "You don't have the proper permissions to update this dashboard." );
+ }
+
DashboardItem item = JacksonUtils.fromJson( request.getInputStream(), DashboardItem.class );
dashboardService.mergeDashboardItem( item );
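Review bot: The ACL check covers the dashboard resolved from the path `uid`, but the item passed to `mergeDashboardItem` is deserialized from the request body and nothing in the hunk ties that item to this dashboard. Unless `mergeDashboardItem` itself verifies the item's owning dashboard (its implementation is outside this hunk), an update on an item that belongs to a dashboard the caller cannot update would still pass the new guard. A membership check against the already-resolved dashboard before the merge would close that gap, e.g. `if ( item.getUid() == null || dashboard.getItemByUid( item.getUid() ) == null ) { throw new WebMessageException( WebMessageUtils.notFound( "Dashboard item does not exist: " + item.getUid() ) ); }`, using the same `getItemByUid` lookup the hunk at L93–L102 uses. The enclosing method starts before this hunk.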
@@ -164,6 +175,18 @@
public void postJsonItemContent( HttpServletResponse response, HttpServletRequest request,
@PathVariable String dashboardUid, @RequestParam String type, @RequestParam( "id" ) String contentUid ) throws Exception
{
+ Dashboard dashboard = dashboardService.getDashboard( dashboardUid );
+
+ if ( dashboard == null )
+ {
+ throw new WebMessageException( WebMessageUtils.notFound( "Dashboard does not exist: " + dashboardUid) );
+ }
+
+ if ( !aclService.canUpdate( currentUserService.getCurrentUser(), dashboard ) )
+ {
+ throw new UpdateAccessDeniedException( "You don't have the proper permissions to update this dashboard." );
+ }
+
DashboardItem item = dashboardService.addItemContent( dashboardUid, type, contentUid );
if ( item == null )
@@ -188,6 +211,11 @@
throw new WebMessageException( WebMessageUtils.notFound( "Dashboard does not exist: " + dashboardUid ) );
}
+ if ( !aclService.canUpdate( currentUserService.getCurrentUser(), dashboard ) )
+ {
+ throw new UpdateAccessDeniedException( "You don't have the proper permissions to update this dashboard." );
+ }
+
if ( dashboard.moveItem( itemUid, position ) )
{
dashboardService.updateDashboard( dashboard );
@@ -207,6 +235,11 @@
throw new WebMessageException( WebMessageUtils.notFound( "Dashboard does not exist: " + dashboardUid ) );
}
+ if ( !aclService.canUpdate( currentUserService.getCurrentUser(), dashboard ) )
+ {
+ throw new UpdateAccessDeniedException( "You don't have the proper permissions to update this dashboard." );
+ }
+
DashboardItem item = dashboardService.getDashboardItem( itemUid );
if ( item == null )
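Review bot: The item is fetched with the unscoped `dashboardService.getDashboardItem( itemUid )` rather than through the dashboard that was just authorized, so the `canUpdate` check on `dashboard` does not by itself establish that `itemUid` belongs to it; the hunk at L93–L102 uses `dashboard.getItemByUid( itemUid )`, which does. If the code after the hunk does not verify membership, resolving the item with `DashboardItem item = dashboard.getItemByUid( itemUid );` here would make the two handlers consistent and keep the authorization decision tied to the item actually modified. The enclosing method continues outside the hunk.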
@@ -234,6 +267,11 @@
throw new WebMessageException( WebMessageUtils.notFound( "Dashboard does not exist: " + dashboardUid ) );
}
+ if ( !aclService.canUpdate( currentUserService.getCurrentUser(), dashboard ) )
+ {
+ throw new UpdateAccessDeniedException( "You don't have the proper permissions to update this dashboard." );
+ }
+
DashboardItem item = dashboard.getItemByUid( itemUid );
if ( item == null )