Commit 41d8ffbe authored by Tor-Einar Skog's avatar Tor-Einar Skog

Bugfix: Hiding private forecasts from anyone but the owner and superusers/orgadmins

parent 2ac258db
...@@ -109,6 +109,24 @@ public class ForecastBean { ...@@ -109,6 +109,24 @@ public class ForecastBean {
return q.getResultList(); return q.getResultList();
} }
/**
*
* @param forecastConfiguration
* @param user
* @return
*/
public boolean isUserAuthorizedForForecastConfiguration(ForecastConfiguration forecastConfiguration, VipsLogicUser user)
{
// Public forecasts are always OK for everyone to view
if(!forecastConfiguration.getIsPrivate())
{
return true;
}
// Private forecasts are only viewable by owner or super users / orgadmins
return user != null && (user.isSuperUser() || user.isOrganizationAdmin() || user.getUserId().equals( forecastConfiguration.getVipsLogicUserId().getUserId()));
}
public boolean isUserAuthorizedForForecastConfiguration(Long forecastConfigurationId, String userUUID) public boolean isUserAuthorizedForForecastConfiguration(Long forecastConfigurationId, String userUUID)
{ {
// Authentication // Authentication
...@@ -125,7 +143,7 @@ public class ForecastBean { ...@@ -125,7 +143,7 @@ public class ForecastBean {
} }
UUID uUUID = UUID.fromString(userUUID); UUID uUUID = UUID.fromString(userUUID);
VipsLogicUser user = SessionControllerGetter.getUserBean().findVipsLogicUser(uUUID); VipsLogicUser user = SessionControllerGetter.getUserBean().findVipsLogicUser(uUUID);
if(user == null || user.getUserId().equals( fc.getVipsLogicUserId())) if(user == null || ! user.getUserId().equals( fc.getVipsLogicUserId().getUserId()))
{ {
return false; return false;
} }
...@@ -956,11 +974,11 @@ public class ForecastBean { ...@@ -956,11 +974,11 @@ public class ForecastBean {
} }
/** /**
* Finds the forecast configuration summaries for a given organization * Finds the forecast configuration summaries for a given organization and that this user has access to
* @param organizationId * @param organizationId
* @return * @return
*/ */
public List<ForecastConfiguration> getForecastConfigurationSummaries(Integer organizationId) public List<ForecastConfiguration> getForecastConfigurationSummaries(Integer organizationId, VipsLogicUser user)
{ {
List<ForecastSummary> summaries = em.createNamedQuery("ForecastSummary.findByOrganizationId") List<ForecastSummary> summaries = em.createNamedQuery("ForecastSummary.findByOrganizationId")
.setParameter("organizationId", em.find(Organization.class, organizationId)) .setParameter("organizationId", em.find(Organization.class, organizationId))
...@@ -976,7 +994,11 @@ public class ForecastBean { ...@@ -976,7 +994,11 @@ public class ForecastBean {
if(mappedSummaries.size() > 0) if(mappedSummaries.size() > 0)
{ {
List<ForecastConfiguration> configurations = em.createNamedQuery("ForecastConfiguration.findByForecastConfigurationIds").setParameter("forecastConfigurationIds", mappedSummaries.keySet()).getResultList(); List<ForecastConfiguration> configurations = em.createNamedQuery("ForecastConfiguration.findByForecastConfigurationIds").setParameter("forecastConfigurationIds", mappedSummaries.keySet()).getResultList();
// Do some authorization.
configurations = configurations.stream().filter(fc -> this.isUserAuthorizedForForecastConfiguration(fc, user)).collect(Collectors.toList());
configurations.forEach((conf) -> { configurations.forEach((conf) -> {
conf.setForecastSummaries(mappedSummaries.get(conf.getForecastConfigurationId())); conf.setForecastSummaries(mappedSummaries.get(conf.getForecastConfigurationId()));
}); });
return configurations; return configurations;
......
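Review bot: The new `isUserAuthorizedForForecastConfiguration(ForecastConfiguration, VipsLogicUser)` lets any user for whom `isOrganizationAdmin()` is true read every private forecast, with no comparison between the admin's organization and the owner's, so unless `isOrganizationAdmin()` is itself scoped to the owner's organization this is wider than the commit title states and the check should also compare the two organizations before falling through to the owner test. The same return line dereferences `forecastConfiguration.getVipsLogicUserId().getUserId()` with no null guard, and the second hunk's `fc.getVipsLogicUserId().getUserId()` has the same exposure, so a configuration without an owner throws instead of being denied. The second hunk also still rejects super users and organization admins, which is inconsistent with the new overload; if `fc` is the loaded `ForecastConfiguration` it could simply delegate with `return this.isUserAuthorizedForForecastConfiguration(fc, user);` (that method starts and ends outside the hunk). The empty Javadoc could read `Checks whether {@code user} may view {@code forecastConfiguration}: public configurations are visible to everyone, private ones only to the owner, super users and organization admins; a {@code null} user is treated as anonymous.`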
...@@ -234,10 +234,21 @@ public class LogicService { ...@@ -234,10 +234,21 @@ public class LogicService {
public Response getForecastSummaries( public Response getForecastSummaries(
@PathParam("organizationId") Integer organizationId, @PathParam("organizationId") Integer organizationId,
@QueryParam("cropOrganismId") List<Integer> cropOrganismIds, @QueryParam("cropOrganismId") List<Integer> cropOrganismIds,
@QueryParam("includeOrganizationIds") String includeOrganizationIds @QueryParam("includeOrganizationIds") String includeOrganizationIds,
@QueryParam("userUUID") String userUUID
) )
{ {
List<ForecastConfiguration> summaries = SessionControllerGetter.getForecastBean().getForecastConfigurationSummaries(organizationId);
VipsLogicUser user = null;
try
{
UUID uUUID = UUID.fromString(userUUID);
user = SessionControllerGetter.getUserBean().findVipsLogicUser(uUUID);
}
catch(NullPointerException | IllegalArgumentException ex) {}
List<ForecastConfiguration> summaries = SessionControllerGetter.getForecastBean().getForecastConfigurationSummaries(organizationId, user);
if(includeOrganizationIds != null) if(includeOrganizationIds != null)
{ {
String[] includeOrgIdStrs = includeOrganizationIds.split(","); String[] includeOrgIdStrs = includeOrganizationIds.split(",");
...@@ -250,7 +261,7 @@ public class LogicService { ...@@ -250,7 +261,7 @@ public class LogicService {
{ {
continue; continue;
} }
summaries.addAll(SessionControllerGetter.getForecastBean().getForecastConfigurationSummaries(includeOrgId)); summaries.addAll(SessionControllerGetter.getForecastBean().getForecastConfigurationSummaries(includeOrgId, user));
} }
catch(NumberFormatException ex){} catch(NumberFormatException ex){}
} }
......
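Review bot: The `catch(NullPointerException | IllegalArgumentException ex) {}` in `getForecastSummaries` uses an exception to handle a missing `userUUID`, and in doing so also silently turns any NullPointerException raised inside `findVipsLogicUser` (or the bean lookup) into an anonymous request, which hides failures in the very lookup that decides who may see private forecasts. An explicit null check plus a narrow catch for a malformed UUID, with a comment stating that a missing or malformed value means anonymous access, keeps the intended best-effort behaviour without masking bugs. Note also that the `userUUID` query parameter is the only credential this endpoint uses to unlock private data, so it lands in access logs and browser history like any query string; that is pre-existing design (the other overload already takes it), but worth a comment on the parameter. The method body continues past the second hunk.
```java
VipsLogicUser user = null;
// A missing or malformed userUUID means an anonymous caller: only public forecasts are returned
if (userUUID != null) {
    try {
        user = SessionControllerGetter.getUserBean().findVipsLogicUser(UUID.fromString(userUUID));
    } catch (IllegalArgumentException ignored) {
        // not a valid UUID; treat as anonymous
    }
}
List<ForecastConfiguration> summaries = SessionControllerGetter.getForecastBean().getForecastConfigurationSummaries(organizationId, user);
// … unchanged: includeOrganizationIds handling …
```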