
dhis2-devs team mailing list archive

[Branch ~dhis2-devs-core/dhis2/trunk] Rev 21814: Don't allow resizing of dashboards if it is only shared to you with read-only permissions

 

------------------------------------------------------------
revno: 21814
committer: Morten Olav Hansen <mortenoh@xxxxxxxxx>
branch nick: dhis2
timestamp: Tue 2016-01-26 15:55:27 +0700
message:
  Don't allow resizing of dashboards if it is only shared to you with read-only permissions
modified:
  dhis-2/dhis-api/src/main/java/org/hisp/dhis/dashboard/DashboardItemStore.java
  dhis-2/dhis-api/src/main/java/org/hisp/dhis/dashboard/DashboardService.java
  dhis-2/dhis-services/dhis-service-reporting/src/main/java/org/hisp/dhis/dashboard/hibernate/HibernateDashboardItemStore.java
  dhis-2/dhis-services/dhis-service-reporting/src/main/java/org/hisp/dhis/dashboard/impl/DefaultDashboardService.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/DashboardItemController.java


--
lp:dhis2
https://code.launchpad.net/~dhis2-devs-core/dhis2/trunk

=== modified file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/dashboard/DashboardItemStore.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/dashboard/DashboardItemStore.java	2016-01-04 02:27:49 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/dashboard/DashboardItemStore.java	2016-01-26 08:55:27 +0000
@@ -50,4 +50,6 @@
     int countReportDashboardItems( Report report );
 
     int countDocumentDashboardItems( Document document );
+
+    Dashboard getDashboardFromDashboardItem( DashboardItem dashboardItem );
 }
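Review bot: The new `getDashboardFromDashboardItem` declaration has no Javadoc, and the same bare declaration is added to `DashboardService` in the next file. The controller hunk in this commit uses the returned dashboard for an update-permission check, so the contract belongs on the interface, e.g. `/** Returns the dashboard that contains the given item, or null if the item is not part of any dashboard. */`. The null case follows from `uniqueResult()` in the Hibernate implementation; confirm that a null return, rather than an exception, is the intended behaviour.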

=== modified file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/dashboard/DashboardService.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/dashboard/DashboardService.java	2016-01-04 02:27:49 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/dashboard/DashboardService.java	2016-01-26 08:55:27 +0000
@@ -74,7 +74,9 @@
     void updateDashboardItem( DashboardItem item );
     
     DashboardItem getDashboardItem( String uid );
-    
+
+    Dashboard getDashboardFromDashboardItem( DashboardItem dashboardItem );
+
     void deleteDashboardItem( DashboardItem item );
     
     int countMapDashboardItems( Map map );

=== modified file 'dhis-2/dhis-services/dhis-service-reporting/src/main/java/org/hisp/dhis/dashboard/hibernate/HibernateDashboardItemStore.java'
--- dhis-2/dhis-services/dhis-service-reporting/src/main/java/org/hisp/dhis/dashboard/hibernate/HibernateDashboardItemStore.java	2016-01-04 02:27:49 +0000
+++ dhis-2/dhis-services/dhis-service-reporting/src/main/java/org/hisp/dhis/dashboard/hibernate/HibernateDashboardItemStore.java	2016-01-26 08:55:27 +0000
@@ -31,6 +31,7 @@
 import org.hibernate.Query;
 import org.hisp.dhis.chart.Chart;
 import org.hisp.dhis.common.hibernate.HibernateIdentifiableObjectStore;
+import org.hisp.dhis.dashboard.Dashboard;
 import org.hisp.dhis.dashboard.DashboardItem;
 import org.hisp.dhis.dashboard.DashboardItemStore;
 import org.hisp.dhis.document.Document;
@@ -88,4 +89,13 @@
 
         return ((Long) query.uniqueResult()).intValue();
     }
+
+    @Override
+    public Dashboard getDashboardFromDashboardItem( DashboardItem dashboardItem )
+    {
+        Query query = getQuery( "from Dashboard d where :item in elements(d.items)" );
+        query.setEntity( "item", dashboardItem );
+
+        return (Dashboard) query.uniqueResult();
+    }
 }
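Review bot: `query.uniqueResult()` returns null when no dashboard contains the item and throws `NonUniqueResultException` when more than one does, and neither outcome is handled or documented in this method. If the mapping guarantees that an item belongs to at most one dashboard (not visible in this hunk), state that above the query, e.g. `// an item belongs to at most one dashboard, so at most one row is expected`. Capping the query to a single row would not be a good substitute, because the caller bases an access decision on which dashboard comes back.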

=== modified file 'dhis-2/dhis-services/dhis-service-reporting/src/main/java/org/hisp/dhis/dashboard/impl/DefaultDashboardService.java'
--- dhis-2/dhis-services/dhis-service-reporting/src/main/java/org/hisp/dhis/dashboard/impl/DefaultDashboardService.java	2016-01-04 02:27:49 +0000
+++ dhis-2/dhis-services/dhis-service-reporting/src/main/java/org/hisp/dhis/dashboard/impl/DefaultDashboardService.java	2016-01-26 08:55:27 +0000
@@ -28,11 +28,7 @@
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-import static org.hisp.dhis.common.IdentifiableObjectUtils.getUids;
-
-import java.util.HashSet;
-import java.util.Set;
-
+import com.google.common.collect.Sets;
 import org.hisp.dhis.chart.Chart;
 import org.hisp.dhis.common.IdentifiableObjectManager;
 import org.hisp.dhis.common.hibernate.HibernateIdentifiableObjectStore;
@@ -54,7 +50,10 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.transaction.annotation.Transactional;
 
-import com.google.common.collect.Sets;
+import java.util.HashSet;
+import java.util.Set;
+
+import static org.hisp.dhis.common.IdentifiableObjectUtils.getUids;
 
 /**
  * Note: The remove associations methods must be altered if caching is introduced.
@@ -306,6 +305,12 @@
     }
 
     @Override
+    public Dashboard getDashboardFromDashboardItem( DashboardItem dashboardItem )
+    {
+        return dashboardItemStore.getDashboardFromDashboardItem( dashboardItem );
+    }
+
+    @Override
     public void deleteDashboardItem( DashboardItem item )
     {
         dashboardItemStore.delete( item );

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/DashboardItemController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/DashboardItemController.java	2016-01-04 02:27:49 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/DashboardItemController.java	2016-01-26 08:55:27 +0000
@@ -29,12 +29,13 @@
  */
 
 import com.google.common.collect.Lists;
-
 import org.hisp.dhis.common.Pager;
+import org.hisp.dhis.dashboard.Dashboard;
 import org.hisp.dhis.dashboard.DashboardItem;
 import org.hisp.dhis.dashboard.DashboardItemShape;
 import org.hisp.dhis.dashboard.DashboardService;
 import org.hisp.dhis.dxf2.webmessage.WebMessageException;
+import org.hisp.dhis.hibernate.exception.UpdateAccessDeniedException;
 import org.hisp.dhis.query.Order;
 import org.hisp.dhis.schema.descriptors.DashboardItemSchemaDescriptor;
 import org.hisp.dhis.webapi.utils.WebMessageUtils;
@@ -48,7 +49,6 @@
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-
 import java.util.List;
 
 /**
@@ -95,6 +95,13 @@
             throw new WebMessageException( WebMessageUtils.notFound( "Dashboard item does not exist: " + uid ) );
         }
 
+        Dashboard dashboard = dashboardService.getDashboardFromDashboardItem( item );
+
+        if ( !aclService.canUpdate( currentUserService.getCurrentUser(), dashboard ) )
+        {
+            throw new UpdateAccessDeniedException( "You don't have the proper permissions to update this dashboard." );
+        }
+
         item.setShape( shape );
 
         dashboardService.updateDashboardItem( item );
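Review bot: `dashboard` can be null here when the item is not attached to any dashboard, and it is passed straight to `aclService.canUpdate(...)`. How `canUpdate` treats a null object is not visible in this hunk, so the check might throw or might pass; failing closed is safer: `if ( dashboard == null || !aclService.canUpdate( currentUserService.getCurrentUser(), dashboard ) )`. The enclosing method starts and ends outside the hunk. The guard covers only this shape update, so other handlers that modify a dashboard item are worth checking for the same permission test.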