diff --git a/src/main/java/info/bukova/isspst/Constants.java b/src/main/java/info/bukova/isspst/Constants.java
index ef86eeb2..fcd0793f 100644
--- a/src/main/java/info/bukova/isspst/Constants.java
+++ b/src/main/java/info/bukova/isspst/Constants.java
@@ -86,13 +86,16 @@ public class Constants {
     public final static String PERM_SHOW_WORKGROUP_REQ = "PERM_SHOW_WORKGROUP_REQ";
     public final static String PERM_SHOW_CENTRE_REQ = "PERM_SHOW_CENTRE_REQ";
     public final static String PERM_SHOW_ALL_REQ = "PERM_SHOW_ALL_REQ";
+    public final static String PERM_EDIT_NEW = "PERM_EDIT_NEW";
     public final static Permission SPECIAL_PERMISSIONS[] = {
+            new Permission(PERM_EDIT_NEW, "Upravit neschválené", MOD_REQUIREMENTS, PermissionType.GLOBAL),
             new Permission(PERM_SHOW_WORKGROUP_REQ, "Zobrazení požadavků komise", MOD_REQUIREMENTS, PermissionType.WORKGROUP),
             new Permission(PERM_SHOW_CENTRE_REQ, "Zobrazení požadavků střediska", MOD_REQUIREMENTS, PermissionType.CENTRE),
             new Permission(PERM_SHOW_ALL_REQ, "Zobrazení všech požadavků", MOD_REQUIREMENTS, PermissionType.GLOBAL),
             new Permission(PERM_APPROVE, "Schválení", MOD_REQUIREMENTS, PermissionType.WORKGROUP),
+            new Permission(PERM_EDIT_NEW, "Upravit neschválené", MOD_TRIPREQUIREMENTS, PermissionType.GLOBAL),
             new Permission(PERM_SHOW_WORKGROUP_REQ, "Zobrazení požadavků komise", MOD_TRIPREQUIREMENTS, PermissionType.WORKGROUP),
             new Permission(PERM_SHOW_CENTRE_REQ, "Zobrazení požadavků střediska", MOD_TRIPREQUIREMENTS, PermissionType.CENTRE),
             new Permission(PERM_SHOW_ALL_REQ, "Zobrazení všech požadavků", MOD_TRIPREQUIREMENTS, PermissionType.GLOBAL),
diff --git a/src/main/java/info/bukova/isspst/security/AbstractModuleEvaluator.java b/src/main/java/info/bukova/isspst/security/AbstractModuleEvaluator.java
new file mode 100644
index 00000000..d8a4faab
--- /dev/null
+++ b/src/main/java/info/bukova/isspst/security/AbstractModuleEvaluator.java
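Review bot: Both new `Permission` entries register PERM_EDIT_NEW with `PermissionType.GLOBAL`, so, if the evaluators honour the type the way they do for the neighbouring view permissions, a holder may edit any requirement still in state NEW in the whole module, irrespective of workgroup, centre or ownership; the sibling PERM_SHOW_* permissions exist in WORKGROUP and CENTRE variants precisely to allow that scoping. If module-wide scope is intended, a one-line comment on the constant would settle the question for the next reader: `// GLOBAL: holder may edit any requirement of the module while it is still NEW`. If it is not intended, a WORKGROUP/CENTRE variant along the lines of the PERM_SHOW_* set is the pattern already in this array. Reusing one permission id across MOD_REQUIREMENTS and MOD_TRIPREQUIREMENTS matches how the existing entries are declared.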
@@ -0,0 +1,43 @@
+package info.bukova.isspst.security;
+
+import info.bukova.isspst.Constants;
+import info.bukova.isspst.Module;
+import info.bukova.isspst.data.Role;
+
+import java.util.List;
+
+import org.springframework.security.core.Authentication;
+
+public abstract class AbstractModuleEvaluator implements Evaluator {
+
+    @SuppressWarnings("unchecked")
+    protected boolean hasModulePermission(Authentication authentication, Class serviceClass, String permission) {
+        List roles = (List) authentication.getAuthorities();
+        String moduleId = "";
+        String perm = permission;
+
+        for (Module m : Constants.MODULES) {
+            if (m.getServiceClass() != null && m.getServiceClass().isAssignableFrom(serviceClass)) {
+                moduleId = m.getId();
+                break;
+            }
+        }
+
+        perm += "_" + moduleId;
+
+        for (int i = 0; i < roles.size(); i++) {
+            if (!(roles.get(i) instanceof Role)) {
+                return false;
+            }
+            if (roles.get(i).getAuthority().equals(perm)) {
+                return true;
+            }
+            if (roles.get(i).getAuthority().equals(Constants.ROLE_ADMIN)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+}
diff --git a/src/main/java/info/bukova/isspst/security/AbstractRequirementEvaluator.java b/src/main/java/info/bukova/isspst/security/AbstractRequirementEvaluator.java
new file mode 100644
index 00000000..e5cb6daf
--- /dev/null
+++ b/src/main/java/info/bukova/isspst/security/AbstractRequirementEvaluator.java
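Review bot: `List roles = (List) authentication.getAuthorities();` casts a `Collection<? extends GrantedAuthority>` to a raw `List`; Spring Security only promises a Collection, so an Authentication whose authorities are a Set throws ClassCastException out of the access decision instead of denying, and the cast is what forces the `@SuppressWarnings("unchecked")`. Iterating the collection directly removes both while keeping the fail-closed behaviour (the loop still returns false at the first authority that is not a `Role`, which also means the result depends on authority ordering; worth a comment if that is deliberate). The code is lifted verbatim from ServiceEvaluator, so this is pre-existing, but the extraction is the right moment to tidy it. Note also that when no module matches `serviceClass`, `perm` degrades to `permission + "_"` and only ROLE_ADMIN can pass, which is fail-closed only by accident and deserves a comment at `perm += "_" + moduleId;`. The rewrite below needs `org.springframework.security.core.GrantedAuthority` imported.
```java
    protected boolean hasModulePermission(Authentication authentication, Class serviceClass, String permission) {
        String moduleId = "";
        // … unchanged: Constants.MODULES lookup of moduleId …
        // Unmapped service: perm ends in "_" and only ROLE_ADMIN can match below.
        String perm = permission + "_" + moduleId;

        for (GrantedAuthority granted : authentication.getAuthorities()) {
            if (!(granted instanceof Role)) {
                return false; // fail closed on foreign authority types, as before
            }
            String authority = granted.getAuthority();
            if (authority.equals(perm) || authority.equals(Constants.ROLE_ADMIN)) {
                return true;
            }
        }
        return false;
    }
```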
@@ -0,0 +1,30 @@
+package info.bukova.isspst.security;
+
+import info.bukova.isspst.Constants;
+import info.bukova.isspst.data.RequirementBase;
+import info.bukova.isspst.data.RequirementState;
+
+import org.springframework.security.core.Authentication;
+
+public abstract class AbstractRequirementEvaluator extends AbstractModuleEvaluator implements Evaluator {
+
+    protected abstract Class getServiceClass();
+
+    @Override
+    public boolean evaluate(Authentication authentication,
+            Object targetDomainObject, String permission) {
+
+        if (!hasModulePermission(authentication, getServiceClass(), permission)) {
+            return false;
+        }
+
+        RequirementBase req = (RequirementBase) targetDomainObject;
+
+        if (permission.equals(Constants.PERM_EDIT_NEW)) {
+            return req.getState() == RequirementState.NEW;
+        }
+
+        return true;
+    }
+
+}
diff --git a/src/main/java/info/bukova/isspst/security/IsPermissionEvaluator.java b/src/main/java/info/bukova/isspst/security/IsPermissionEvaluator.java
index 3454bf27..15c1ee80 100644
--- a/src/main/java/info/bukova/isspst/security/IsPermissionEvaluator.java
+++ b/src/main/java/info/bukova/isspst/security/IsPermissionEvaluator.java
@@ -6,6 +6,8 @@ import info.bukova.isspst.data.PermissionType;
 import java.io.Serializable;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.access.PermissionEvaluator;
 import org.springframework.security.core.Authentication;
@@ -14,6 +16,8 @@ public class IsPermissionEvaluator implements PermissionEvaluator {
     @Autowired
     private EvaluatorsHolder evalHolder;
+
+    private static final Logger logger = LoggerFactory.getLogger(IsPermissionEvaluator.class);
     @Override
     public boolean hasPermission(Authentication authentication,
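Review bot: The PERM_EDIT_NEW decision at `return req.getState() == RequirementState.NEW;` is made on the object the caller passed in, which in this commit is the `#entity` argument of `update(T entity)`. If that entity is a detached or UI-bound instance (likely given the service layer, but the binding is not visible here), its `state` field is under the caller's control, so an already-approved requirement can be submitted with state NEW, pass this check, and then have its persisted state overwritten by the update. The check should be made against the persisted row, e.g. reload by `req.getId()` through the DAO and compare that instance's state, rather than trusting the submitted copy. Independently, `RequirementBase req = (RequirementBase) targetDomainObject;` is an unchecked cast that throws ClassCastException out of the security interceptor; `if (!(targetDomainObject instanceof RequirementBase)) { return false; }` before it fails closed instead.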
@@ -26,12 +30,18 @@ public class IsPermissionEvaluator implements PermissionEvaluator {
             }
         }
+        if (((String)permission).isEmpty()) {
+            return true;
+        }
+
         Evaluator eval = evalHolder.getForObject(targetDomainObject, appPermission != null && appPermission.getType() != PermissionType.GLOBAL);
         if (eval != null) {
             return eval.evaluate(authentication, targetDomainObject, (String)permission);
         }
+
+        logger.warn("Evaluator for " + targetDomainObject.getClass().getName() + "not registred.");
+
         return false;
     }
diff --git a/src/main/java/info/bukova/isspst/security/RequirementEvaluator.java b/src/main/java/info/bukova/isspst/security/RequirementEvaluator.java
new file mode 100644
index 00000000..f7a9d703
--- /dev/null
+++ b/src/main/java/info/bukova/isspst/security/RequirementEvaluator.java
@@ -0,0 +1,13 @@
+package info.bukova.isspst.security;
+
+import info.bukova.isspst.services.requirement.RequirementService;
+
+public class RequirementEvaluator extends AbstractRequirementEvaluator
+        implements Evaluator {
+
+    @Override
+    protected Class getServiceClass() {
+        return RequirementService.class;
+    }
+
+}
diff --git a/src/main/java/info/bukova/isspst/security/ServiceEvaluator.java b/src/main/java/info/bukova/isspst/security/ServiceEvaluator.java
index 26545acf..bb673fcb 100644
--- a/src/main/java/info/bukova/isspst/security/ServiceEvaluator.java
+++ b/src/main/java/info/bukova/isspst/security/ServiceEvaluator.java
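Review bot: `if (((String)permission).isEmpty()) { return true; }` grants access whenever the permission name is empty, and this same commit makes the empty string the default of `AbstractService.getUpdateEntityPermission()` and puts it into `update()` as `hasPermission(this, 'PERM_EDIT') or hasPermission(#entity, this.getUpdateEntityPermission())`. Unless the lines above this hunk already reject an empty permission (they are not visible here), that `or` is true for every service that does not override the hook, so PERM_EDIT no longer guards `update()` on any of them. An empty name should mean "no entity-level permission defined" and fail closed: `if (((String) permission).isEmpty()) { return false; }`, which leaves the services that do override the hook working exactly as intended. While here, the warning concatenates a class name into the message, lacks a space before "not" and misspells "registered"; prefer `logger.warn("Evaluator for {} not registered.", targetDomainObject.getClass().getName());`.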
@@ -1,46 +1,14 @@
 package info.bukova.isspst.security;
-import info.bukova.isspst.Constants;
-import info.bukova.isspst.Module;
-import info.bukova.isspst.data.Role;
-
-import java.util.List;
-
 import org.springframework.security.core.Authentication;
-public class ServiceEvaluator implements Evaluator {
+public class ServiceEvaluator extends AbstractModuleEvaluator implements Evaluator {
-    @SuppressWarnings("unchecked")
     @Override
     public boolean evaluate(Authentication authentication, Object targetDomainObject, String permission) {
-        List roles = (List) authentication.getAuthorities();
-        String moduleId = "";
-        String perm = permission;
-
-        for (Module m : Constants.MODULES) {
-            if (m.getServiceClass() != null && m.getServiceClass().isAssignableFrom(targetDomainObject.getClass())) {
-                moduleId = m.getId();
-                break;
-            }
-        }
-
-        perm += "_" + moduleId;
-
-        for (int i = 0; i < roles.size(); i++) {
-            if (!(roles.get(i) instanceof Role)) {
-                return false;
-            }
-            if (roles.get(i).getAuthority().equals(perm)) {
-                return true;
-            }
-            if (roles.get(i).getAuthority().equals(Constants.ROLE_ADMIN)) {
-                return true;
-            }
-        }
-
-        return false;
+        return hasModulePermission(authentication, targetDomainObject.getClass(), permission);
     }
 }
diff --git a/src/main/java/info/bukova/isspst/security/TripRequirementEvaluator.java b/src/main/java/info/bukova/isspst/security/TripRequirementEvaluator.java
new file mode 100644
index 00000000..4601abc5
--- /dev/null
+++ b/src/main/java/info/bukova/isspst/security/TripRequirementEvaluator.java
@@ -0,0 +1,13 @@
+package info.bukova.isspst.security;
+
+import info.bukova.isspst.services.requirement.TripRequirementService;
+
+public class TripRequirementEvaluator extends AbstractRequirementEvaluator
+        implements Evaluator {
+
+    @Override
+    protected Class getServiceClass() {
+        return TripRequirementService.class;
+    }
+
+}
diff --git a/src/main/java/info/bukova/isspst/services/AbstractOwnedService.java b/src/main/java/info/bukova/isspst/services/AbstractOwnedService.java
index e1cbd3b0..12c8d592 100644
--- a/src/main/java/info/bukova/isspst/services/AbstractOwnedService.java
+++ b/src/main/java/info/bukova/isspst/services/AbstractOwnedService.java
@@ -26,7 +26,7 @@ public class AbstractOwnedService extends AbstractServ
     @Override
     @Transactional
-    @PreAuthorize("hasPermission(this, 'PERM_EDIT')")
+    @PreAuthorize("hasPermission(this, 'PERM_EDIT') or hasPermission(#entity, this.getUpdateEntityPermission())")
     public void update(T entity) {
         validate(entity);
         entity.setModifiedBy(getLoggedInUser());
diff --git a/src/main/java/info/bukova/isspst/services/AbstractService.java b/src/main/java/info/bukova/isspst/services/AbstractService.java
index 469cdc05..e01699e2 100644
--- a/src/main/java/info/bukova/isspst/services/AbstractService.java
+++ b/src/main/java/info/bukova/isspst/services/AbstractService.java
@@ -52,6 +52,10 @@ public abstract class AbstractService implements Service
         this.dao = dao;
     }
+    public String getUpdateEntityPermission() {
+        return "";
+    }
+
     @Override
     @PreAuthorize("hasPermission(this, 'PERM_ADD')")
     public final T create() {
@@ -69,7 +73,7 @@ public abstract class AbstractService implements Service
     @Override
     @Transactional
-    @PreAuthorize("hasPermission(this, 'PERM_EDIT')")
+    @PreAuthorize("hasPermission(this, 'PERM_EDIT') or hasPermission(#entity, this.getUpdateEntityPermission())")
     public void update(T entity) {
         validate(entity);
         entity.setModified(new Date());
diff --git a/src/main/java/info/bukova/isspst/services/requirement/RequirementBaseServiceImpl.java b/src/main/java/info/bukova/isspst/services/requirement/RequirementBaseServiceImpl.java
index aeaf4dc9..b0b22ad4 100644
--- a/src/main/java/info/bukova/isspst/services/requirement/RequirementBaseServiceImpl.java
+++ b/src/main/java/info/bukova/isspst/services/requirement/RequirementBaseServiceImpl.java
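Review bot: `getUpdateEntityPermission()` is a new public hook with no documentation, and its contract is security-relevant because it is evaluated inside a `@PreAuthorize` expression: whoever reads `return "";` must know that the empty string means "no entity-level alternative to PERM_EDIT", otherwise an evaluator that treats an empty name as a pass turns the `or` into unconditional access. I would add Javadoc stating that: "Name of the per-entity permission that may authorise update(entity) as an alternative to the module-level PERM_EDIT; the empty string means there is none and only PERM_EDIT applies. Overridden by services that allow edits of entities in a particular state." The expression itself can enforce that contract so the guard does not depend on how any evaluator handles an empty name: `@PreAuthorize("hasPermission(this, 'PERM_EDIT') or (this.getUpdateEntityPermission() != '' and hasPermission(#entity, this.getUpdateEntityPermission()))")`. The same string is pasted into both AbstractOwnedService and AbstractService; a shared constant would keep the two guards from drifting apart.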
@@ -1,5 +1,6 @@
 package info.bukova.isspst.services.requirement;
+import info.bukova.isspst.Constants;
 import info.bukova.isspst.data.AuthItem;
 import info.bukova.isspst.data.JobMapping;
 import info.bukova.isspst.data.RequirementBase;
@@ -208,7 +209,7 @@ public abstract class RequirementBaseServiceImpl exte
         entity.setState(e.getState());
         entity.getAuthorization().add(auth);
-        this.update(e);
+        super.update(e);
         this.sendToApprovers(e);
@@ -321,4 +322,10 @@ public abstract class RequirementBaseServiceImpl exte
         Query q = dao.getQuery("from " + dao.getEntityName() + " as tr join fetch tr.ownedBy order by tr.numser");
         return q.list();
     }
+
+    @Override
+    public String getUpdateEntityPermission() {
+        return Constants.PERM_EDIT_NEW;
+    }
+
 }
diff --git a/src/main/webapp/WEB-INF/spring/root-context.xml b/src/main/webapp/WEB-INF/spring/root-context.xml
index 66350175..3c375429 100644
--- a/src/main/webapp/WEB-INF/spring/root-context.xml
+++ b/src/main/webapp/WEB-INF/spring/root-context.xml
@@ -89,10 +89,16 @@
+ + + + + +
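Review bot: `super.update(e)` replaces `this.update(e)` in the approval path, and if these services are Spring AOP proxies (as the `@PreAuthorize`/`@Transactional` use elsewhere in this commit suggests) neither form goes through the proxy, so the `@PreAuthorize` on `update()` is not evaluated here in either version; the only observable difference is that a subclass override of `update()` is now bypassed. That deserves a comment at the call so it is not "fixed" back later: `// self-invocation: update()'s @PreAuthorize/@Transactional are not applied here; this method's own guard is the check`. The enclosing method starts before this hunk, so I cannot see its annotations; please confirm it carries its own authorization (PERM_APPROVE or similar), since this call writes the new state. The `getUpdateEntityPermission()` override returning PERM_EDIT_NEW makes the state check in the requirement evaluator the only barrier between a PERM_EDIT_NEW holder and an already-approved requirement, so that check must be made against persisted state.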