Message #41404
[Branch ~dhis2-devs-core/dhis2/trunk] Rev 21092: EventController: check if user has access to program and orgunit (including search in all authori...
------------------------------------------------------------
revno: 21092
committer: Abyot Asalefew Gizaw <abyota@xxxxxxxxx>
branch nick: dhis2
timestamp: Tue 2015-11-17 16:43:39 +0100
message:
EventController: check if user has access to program and orgunit (including search in all authority) before exposing events.
modified:
dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserCredentials.java
dhis-2/dhis-services/dhis-service-dxf2/src/main/java/org/hisp/dhis/dxf2/events/event/AbstractEventService.java
dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/event/EventController.java
--
lp:dhis2
https://code.launchpad.net/~dhis2-devs-core/dhis2/trunk
=== modified file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserCredentials.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserCredentials.java 2015-11-17 03:38:58 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserCredentials.java 2015-11-17 15:43:39 +0000
@@ -47,6 +47,7 @@
import org.hisp.dhis.dataelement.CategoryOptionGroupSet;
import org.hisp.dhis.dataelement.DataElementCategory;
import org.hisp.dhis.dataset.DataSet;
+import org.hisp.dhis.program.Program;
import org.hisp.dhis.schema.PropertyType;
import org.hisp.dhis.schema.annotation.Property;
import org.hisp.dhis.schema.annotation.PropertyRange;
@@ -273,6 +274,23 @@
return dataSets;
}
+
+ /**
+ * Returns a set of the programs for all user authority groups
+ * of this user credentials.
+ */
+ public Set<Program> getAllPrograms()
+ {
+ Set<Program> programs = new HashSet<>();
+
+ for ( UserAuthorityGroup group : userAuthorityGroups )
+ {
+ programs.addAll( group.getPrograms() );
+ }
+
+ return programs;
+ }
+
/**
* Indicates whether this user credentials can issue the given user authority
* group. First the given authority group must not be null. Second this
=== modified file 'dhis-2/dhis-services/dhis-service-dxf2/src/main/java/org/hisp/dhis/dxf2/events/event/AbstractEventService.java'
--- dhis-2/dhis-services/dhis-service-dxf2/src/main/java/org/hisp/dhis/dxf2/events/event/AbstractEventService.java 2015-11-02 01:57:54 +0000
+++ dhis-2/dhis-services/dhis-service-dxf2/src/main/java/org/hisp/dhis/dxf2/events/event/AbstractEventService.java 2015-11-17 15:43:39 +0000
@@ -85,6 +85,7 @@
import org.hisp.dhis.trackedentitydatavalue.TrackedEntityDataValueService;
import org.hisp.dhis.user.CurrentUserService;
import org.hisp.dhis.user.User;
+import org.hisp.dhis.user.UserCredentials;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.util.Assert;
@@ -504,6 +505,8 @@
OrganisationUnitSelectionMode orgUnitSelectionMode, String trackedEntityInstance, Date startDate, Date endDate,
EventStatus status, Date lastUpdated, DataElementCategoryOptionCombo attributeCoc, IdSchemes idSchemes, Integer page, Integer pageSize, boolean totalPages, boolean skipPaging, boolean includeAttributes )
{
+ UserCredentials userCredentials = currentUserService.getCurrentUser().getUserCredentials();
+
EventSearchParams params = new EventSearchParams();
Program pr = programService.getProgram( program );
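Review bot: The added line dereferences `currentUserService.getCurrentUser()` without a null check, so if this method is ever reached without an authenticated user (a background or system call, for instance) it fails with a NullPointerException instead of a clear denial. A guard such as `User user = currentUserService.getCurrentUser(); if ( user == null ) { throw new IllegalQueryException( "No current user" ); }` before reading the credentials would make the failure explicit. The same unguarded chain is added in the hunk at `@@ -864,12 +885,31 @@`. The method body continues outside this hunk.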
@@ -526,6 +529,24 @@
{
throw new IllegalQueryException( "Org unit is specified but does not exist: " + orgUnit );
}
+
+ if( ou != null && !organisationUnitService.isInUserHierarchy( ou ) )
+ {
+ if( !userCredentials.isAuthorized( "F_TRACKED_ENTITY_INSTANCE_SEARCH_IN_ALL_ORGUNITS" ) )
+ {
+ throw new IllegalQueryException( "User has no access to organisation unit: " + ou.getUid() );
+ }
+ }
+
+ if( pr == null && userCredentials.getAllPrograms().size() == 0 )
+ {
+ throw new IllegalQueryException( "User has no access to programs");
+ }
+
+ if( pr != null && userCredentials.getAllPrograms().contains( pr ) )
+ {
+ throw new IllegalQueryException( "User has no access to program: " + pr.getUid() );
+ }
TrackedEntityInstance tei = entityInstanceService.getTrackedEntityInstance( trackedEntityInstance );
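Review bot: The second program check is inverted: `if( pr != null && userCredentials.getAllPrograms().contains( pr ) )` throws "User has no access to program" exactly when the program is among the user's programs, and lets the query through when it is not. It should read `if( pr != null && !userCredentials.getAllPrograms().contains( pr ) )`, matching the negated test this commit uses in the per-event hunk further down. Separately, when no program is given and the user has at least one program, nothing visible here restricts the search to `getAllPrograms()`, so enforcement appears to rest on the per-event check alone. The enclosing method starts and ends outside this hunk.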
@@ -864,12 +885,31 @@
event.setDueDate( DateUtils.getLongDateString( programStageInstance.getDueDate() ) );
event.setStoredBy( programStageInstance.getCompletedUser() );
- if ( programStageInstance.getOrganisationUnit() != null )
+ UserCredentials userCredentials = currentUserService.getCurrentUser().getUserCredentials();
+
+ OrganisationUnit ou = programStageInstance.getOrganisationUnit();
+
+ if ( ou != null )
+ {
+ if( !organisationUnitService.isInUserHierarchy( ou ) )
+ {
+ if( !userCredentials.isAuthorized( "F_TRACKED_ENTITY_INSTANCE_SEARCH_IN_ALL_ORGUNITS" ) )
+ {
+ throw new IllegalQueryException( "User has no access to organisation unit: " + ou.getUid() );
+ }
+ }
+
+ event.setOrgUnit( ou.getUid() );
+ }
+
+ Program program = programStageInstance.getProgramInstance().getProgram();
+
+ if( !userCredentials.getAllPrograms().contains( program ) )
{
- event.setOrgUnit( programStageInstance.getOrganisationUnit().getUid() );
+ throw new IllegalQueryException( "User has no access to program: " + program.getUid() );
}
-
- event.setProgram( programStageInstance.getProgramInstance().getProgram().getUid() );
+
+ event.setProgram( program.getUid() );
event.setEnrollment( programStageInstance.getProgramInstance().getUid() );
event.setProgramStage( programStageInstance.getProgramStage().getUid() );
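Review bot: The access checks here run inside the event conversion, whose signature is outside the hunk. If that method is also called once per event when building a list, a single event outside the user's org units or programs aborts the whole request with IllegalQueryException instead of being filtered out, and the current-user lookup and `getAllPrograms()` are repeated for every event. Consider resolving the credentials and program set once in the caller. The org-unit test is also a copy of the one added to the query-building method, including the string literal `"F_TRACKED_ENTITY_INSTANCE_SEARCH_IN_ALL_ORGUNITS"`; a shared private helper, sketched below, would keep the two sites from drifting apart.

```java
// proposed helper, shared by the query-building check and the per-event check
private void checkOrgUnitAccess( OrganisationUnit ou, UserCredentials userCredentials )
{
    if ( ou != null && !organisationUnitService.isInUserHierarchy( ou )
        && !userCredentials.isAuthorized( "F_TRACKED_ENTITY_INSTANCE_SEARCH_IN_ALL_ORGUNITS" ) )
    {
        throw new IllegalQueryException( "User has no access to organisation unit: " + ou.getUid() );
    }
}

// … unchanged: event.setDueDate / event.setStoredBy …
OrganisationUnit ou = programStageInstance.getOrganisationUnit();

checkOrgUnitAccess( ou, userCredentials );

if ( ou != null )
{
    event.setOrgUnit( ou.getUid() );
}
// … unchanged: program membership check and remaining setters …
```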
@@ -1278,5 +1318,5 @@
private DataElement getDataElement( String dataElementId )
{
return dataElementCache.get( dataElementId, new IdentifiableObjectCallable<>( manager, DataElement.class, dataElementId ) );
- }
+ }
}
=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/event/EventController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/event/EventController.java 2015-11-16 20:38:13 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/event/EventController.java 2015-11-17 15:43:39 +0000
@@ -389,8 +389,7 @@
if( uid == null)
{
throw new WebMessageException( WebMessageUtils.conflict( "DataElement must be of type file" ) );
- }
-
+ }
FileResource fileResource = fileResourceService.getFileResource( uid );