From 41d8ffbeb287642cb4304e7e165bc72b1601a2b3 Mon Sep 17 00:00:00 2001
From: Tor-Einar Skog <tor-einar.skog@nibio.no>
Date: Tue, 20 Aug 2019 14:37:32 +0200
Subject: [PATCH] Bugfix: Hiding private forecasts from anyone but the owner and superusers/orgadmins

---
 .../controller/session/ForecastBean.java | 28 +++++++++++++++++--
 .../vips/logic/service/LogicService.java | 17 +++++++++--
 2 files changed, 39 insertions(+), 6 deletions(-)

diff --git a/src/main/java/no/nibio/vips/logic/controller/session/ForecastBean.java b/src/main/java/no/nibio/vips/logic/controller/session/ForecastBean.java
index e04a3067..d8054832 100755
--- a/src/main/java/no/nibio/vips/logic/controller/session/ForecastBean.java
+++ b/src/main/java/no/nibio/vips/logic/controller/session/ForecastBean.java
@@ -109,6 +109,24 @@ public class ForecastBean {
 return q.getResultList();
 }
+ /**
+ *
+ * @param forecastConfiguration
+ * @param user
+ * @return
+ */
+ public boolean isUserAuthorizedForForecastConfiguration(ForecastConfiguration forecastConfiguration, VipsLogicUser user)
+ {
+ // Public forecasts are always OK for everyone to view
+ if(!forecastConfiguration.getIsPrivate())
+ {
+ return true;
+ }
+ // Private forecasts are only viewable by owner or super users / orgadmins
+ return user != null && (user.isSuperUser() || user.isOrganizationAdmin() || user.getUserId().equals( forecastConfiguration.getVipsLogicUserId().getUserId()));
+ }
+
 public boolean isUserAuthorizedForForecastConfiguration(Long forecastConfigurationId, String userUUID)
 {
 // Authentication
@@ -125,7 +143,7 @@ public class ForecastBean {
 }
 UUID uUUID = UUID.fromString(userUUID);
 VipsLogicUser user = SessionControllerGetter.getUserBean().findVipsLogicUser(uUUID);
- if(user == null || user.getUserId().equals( fc.getVipsLogicUserId()))
+ if(user == null || ! user.getUserId().equals( fc.getVipsLogicUserId().getUserId()))
 {
 return false;
 }
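Review bot: The `user.isOrganizationAdmin()` branch in the new isUserAuthorizedForForecastConfiguration(ForecastConfiguration, VipsLogicUser) grants every organization admin access to every private forecast, because nothing in the expression ties the admin's organization to the forecast's; if ForecastConfiguration exposes its owning organization, compare it with the user's before accepting that branch (the entity API is not visible here, so please confirm). The Javadoc added above the method has empty `@param` and `@return` tags; document the contract the code implements: a forecast whose `getIsPrivate()` is false passes for everyone, and a null user is treated as anonymous and only passes for those. The owner comparison dereferences `forecastConfiguration.getVipsLogicUserId()` without a null check, so a configuration with no owner would throw from inside an authorization decision instead of being denied; if that column is nullable, guard it with `forecastConfiguration.getVipsLogicUserId() != null &&`.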
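Review bot: The corrected owner check in the UUID-based overload still encodes a narrower policy than the sibling overload this commit adds: superusers and organization admins are denied here but accepted there, and because the enclosing method starts before this hunk I cannot see whether the public-forecast case is handled earlier. Delegating would keep the two in step, `if(!this.isUserAuthorizedForForecastConfiguration(fc, user))` in front of the existing `return false;`, but note the helper admits an anonymous user for a public forecast where the current line denies, so confirm that is wanted for this caller. If the divergence is deliberate, a one-line comment stating why would stop the next reader from "fixing" it.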
@@ -956,11 +974,11 @@ public class ForecastBean {
 }
 /**
- * Finds the forecast configuration summaries for a given organization
+ * Finds the forecast configuration summaries for a given organization and that this user has access to
 * @param organizationId
 * @return
 */
- public List<ForecastConfiguration> getForecastConfigurationSummaries(Integer organizationId)
+ public List<ForecastConfiguration> getForecastConfigurationSummaries(Integer organizationId, VipsLogicUser user)
 {
 List<ForecastSummary> summaries = em.createNamedQuery("ForecastSummary.findByOrganizationId")
 .setParameter("organizationId", em.find(Organization.class, organizationId))
@@ -976,7 +994,11 @@ public class ForecastBean {
 if(mappedSummaries.size() > 0)
 {
 List<ForecastConfiguration> configurations = em.createNamedQuery("ForecastConfiguration.findByForecastConfigurationIds").setParameter("forecastConfigurationIds", mappedSummaries.keySet()).getResultList();
+ // Do some authorization.
+ configurations = configurations.stream().filter(fc -> this.isUserAuthorizedForForecastConfiguration(fc, user)).collect(Collectors.toList());
+ configurations.forEach((conf) -> {
+ conf.setForecastSummaries(mappedSummaries.get(conf.getForecastConfigurationId()));
 });
 return configurations;
diff --git a/src/main/java/no/nibio/vips/logic/service/LogicService.java b/src/main/java/no/nibio/vips/logic/service/LogicService.java
index 8b96c8ff..becb9264 100755
--- a/src/main/java/no/nibio/vips/logic/service/LogicService.java
+++ b/src/main/java/no/nibio/vips/logic/service/LogicService.java
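Review bot: The Javadoc above getForecastConfigurationSummaries was reworded for the new behaviour but the new `VipsLogicUser user` parameter has no tag; add `@param user the requesting user, or null for an anonymous caller who then only sees public forecasts`, which is what the filter later in the method does with a null user. The summary sentence "for a given organization and that this user has access to" is hard to parse; "that the given user is authorized to view" says the same thing. The method body continues past this hunk.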
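Review bot: The filtered list is collected with `Collectors.toList()`, which the JDK documents as giving no guarantee about the type or mutability of the returned List, yet getForecastSummaries in LogicService (the `@@ -250` hunk) calls `summaries.addAll(...)` on exactly this return value; collecting with `.collect(Collectors.toCollection(ArrayList::new))` (import java.util.ArrayList if it is not already) makes the mutability the caller depends on explicit instead of an implementation accident. The authorization filter runs only inside the `mappedSummaries.size() > 0` branch, and the other branch lies outside this hunk, so confirm it cannot return anything unfiltered. The comment `// Do some authorization.` would help more if it named the rule, e.g. `// Drop private forecasts the caller is not allowed to view (owner, superuser or orgadmin only)`.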
@@ -234,10 +234,21 @@ public class LogicService {
 public Response getForecastSummaries(
 @PathParam("organizationId") Integer organizationId,
 @QueryParam("cropOrganismId") List<Integer> cropOrganismIds,
- @QueryParam("includeOrganizationIds") String includeOrganizationIds
+ @QueryParam("includeOrganizationIds") String includeOrganizationIds,
+ @QueryParam("userUUID") String userUUID
 )
 {
- List<ForecastConfiguration> summaries = SessionControllerGetter.getForecastBean().getForecastConfigurationSummaries(organizationId);
+
+ VipsLogicUser user = null;
+ try
+ {
+ UUID uUUID = UUID.fromString(userUUID);
+ user = SessionControllerGetter.getUserBean().findVipsLogicUser(uUUID);
+ }
+ catch(NullPointerException | IllegalArgumentException ex) {}
+
+ List<ForecastConfiguration> summaries = SessionControllerGetter.getForecastBean().getForecastConfigurationSummaries(organizationId, user);
+
 if(includeOrganizationIds != null)
 {
 String[] includeOrgIdStrs = includeOrganizationIds.split(",");
@@ -250,7 +261,7 @@ public class LogicService {
 {
 continue;
 }
- summaries.addAll(SessionControllerGetter.getForecastBean().getForecastConfigurationSummaries(includeOrgId));
+ summaries.addAll(SessionControllerGetter.getForecastBean().getForecastConfigurationSummaries(includeOrgId, user));
 }
 catch(NumberFormatException ex){}
 }
--
GitLab
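Review bot: The new user lookup in getForecastSummaries catches `NullPointerException` purely to cover a missing `userUUID` query parameter and then swallows both exceptions in an empty block, so a caller cannot tell from the code that "no or malformed UUID means anonymous" is intentional; test for null explicitly, catch only `IllegalArgumentException` from `UUID.fromString`, and name the variable `ignored` with a comment stating the fallback. Since this endpoint now returns private forecasts on the strength of the `userUUID` query parameter alone, that value is effectively a credential and should be handled like one in request logging and URL sharing; the same pattern already exists in ForecastBean's UUID-based overload, so this is consistent with the codebase rather than new exposure. The `includeOrganizationIds` loop continues in the `@@ -250` hunk, which only threads `user` through.

```java
// … unchanged: parameter list …
VipsLogicUser user = null;
if(userUUID != null)
{
    try
    {
        user = SessionControllerGetter.getUserBean().findVipsLogicUser(UUID.fromString(userUUID));
    }
    catch(IllegalArgumentException ignored)
    {
        // Malformed userUUID: treat the caller as anonymous, i.e. public forecasts only
    }
}
List<ForecastConfiguration> summaries = SessionControllerGetter.getForecastBean().getForecastConfigurationSummaries(organizationId, user);
// … unchanged: includeOrganizationIds handling …
```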