Přidáno oprávnění pro úpravy neschválených požadavků.

refs #129
multitenant
Josef Rokos 10 years ago
parent b92c0ddd35
commit 840feae566

@ -86,13 +86,16 @@ public class Constants {
public final static String PERM_SHOW_WORKGROUP_REQ = "PERM_SHOW_WORKGROUP_REQ"; public final static String PERM_SHOW_WORKGROUP_REQ = "PERM_SHOW_WORKGROUP_REQ";
public final static String PERM_SHOW_CENTRE_REQ = "PERM_SHOW_CENTRE_REQ"; public final static String PERM_SHOW_CENTRE_REQ = "PERM_SHOW_CENTRE_REQ";
public final static String PERM_SHOW_ALL_REQ = "PERM_SHOW_ALL_REQ"; public final static String PERM_SHOW_ALL_REQ = "PERM_SHOW_ALL_REQ";
public final static String PERM_EDIT_NEW = "PERM_EDIT_NEW";
public final static Permission SPECIAL_PERMISSIONS[] = { public final static Permission SPECIAL_PERMISSIONS[] = {
new Permission(PERM_EDIT_NEW, "Upravit neschválené", MOD_REQUIREMENTS, PermissionType.GLOBAL),
new Permission(PERM_SHOW_WORKGROUP_REQ, "Zobrazení požadavků komise", MOD_REQUIREMENTS, PermissionType.WORKGROUP), new Permission(PERM_SHOW_WORKGROUP_REQ, "Zobrazení požadavků komise", MOD_REQUIREMENTS, PermissionType.WORKGROUP),
new Permission(PERM_SHOW_CENTRE_REQ, "Zobrazení požadavků střediska", MOD_REQUIREMENTS, PermissionType.CENTRE), new Permission(PERM_SHOW_CENTRE_REQ, "Zobrazení požadavků střediska", MOD_REQUIREMENTS, PermissionType.CENTRE),
new Permission(PERM_SHOW_ALL_REQ, "Zobrazení všech požadavků", MOD_REQUIREMENTS, PermissionType.GLOBAL), new Permission(PERM_SHOW_ALL_REQ, "Zobrazení všech požadavků", MOD_REQUIREMENTS, PermissionType.GLOBAL),
new Permission(PERM_APPROVE, "Schválení", MOD_REQUIREMENTS, PermissionType.WORKGROUP), new Permission(PERM_APPROVE, "Schválení", MOD_REQUIREMENTS, PermissionType.WORKGROUP),
new Permission(PERM_EDIT_NEW, "Upravit neschválené", MOD_TRIPREQUIREMENTS, PermissionType.GLOBAL),
new Permission(PERM_SHOW_WORKGROUP_REQ, "Zobrazení požadavků komise", MOD_TRIPREQUIREMENTS, PermissionType.WORKGROUP), new Permission(PERM_SHOW_WORKGROUP_REQ, "Zobrazení požadavků komise", MOD_TRIPREQUIREMENTS, PermissionType.WORKGROUP),
new Permission(PERM_SHOW_CENTRE_REQ, "Zobrazení požadavků střediska", MOD_TRIPREQUIREMENTS, PermissionType.CENTRE), new Permission(PERM_SHOW_CENTRE_REQ, "Zobrazení požadavků střediska", MOD_TRIPREQUIREMENTS, PermissionType.CENTRE),
new Permission(PERM_SHOW_ALL_REQ, "Zobrazení všech požadavků", MOD_TRIPREQUIREMENTS, PermissionType.GLOBAL), new Permission(PERM_SHOW_ALL_REQ, "Zobrazení všech požadavků", MOD_TRIPREQUIREMENTS, PermissionType.GLOBAL),

@ -0,0 +1,43 @@
package info.bukova.isspst.security;
import info.bukova.isspst.Constants;
import info.bukova.isspst.Module;
import info.bukova.isspst.data.Role;
import java.util.List;
import org.springframework.security.core.Authentication;
public abstract class AbstractModuleEvaluator implements Evaluator {
@SuppressWarnings("unchecked")
protected boolean hasModulePermission(Authentication authentication, Class<?> serviceClass, String permission) {
List<Role> roles = (List<Role>) authentication.getAuthorities();
String moduleId = "";
String perm = permission;
for (Module m : Constants.MODULES) {
if (m.getServiceClass() != null && m.getServiceClass().isAssignableFrom(serviceClass)) {
moduleId = m.getId();
break;
}
}
perm += "_" + moduleId;
for (int i = 0; i < roles.size(); i++) {
if (!(roles.get(i) instanceof Role)) {
return false;
}
if (roles.get(i).getAuthority().equals(perm)) {
return true;
}
if (roles.get(i).getAuthority().equals(Constants.ROLE_ADMIN)) {
return true;
}
}
return false;
}
}
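Review bot: When no entry in `Constants.MODULES` owns `serviceClass`, `moduleId` stays `""` and the role loop goes on to compare authorities against `permission + "_"` — a name such as `PERM_EDIT_NEW_` that should never exist — instead of treating the unresolved module as an explicit outcome. Consider `if (moduleId.isEmpty()) { return false; }` right after the module scan (with the `Constants.ROLE_ADMIN` grant moved ahead of it if admins must still pass), or at least a warning log naming the class so a misregistered service is noticed rather than silently denied. The cast `(List<Role>) authentication.getAuthorities()` also assumes the authorities are a `List`, while `Authentication.getAuthorities()` only promises a `Collection<? extends GrantedAuthority>`; iterating that collection and testing `instanceof Role` per element removes both the cast and the `@SuppressWarnings`. Note that the loop returns `false` on the first non-`Role` authority regardless of later entries, which is fail-closed but order-dependent — if intended, a one-line comment saying so would help.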

@ -0,0 +1,30 @@
package info.bukova.isspst.security;
import info.bukova.isspst.Constants;
import info.bukova.isspst.data.RequirementBase;
import info.bukova.isspst.data.RequirementState;
import org.springframework.security.core.Authentication;
public abstract class AbstractRequirementEvaluator extends AbstractModuleEvaluator implements Evaluator {
protected abstract Class<?> getServiceClass();
@Override
public boolean evaluate(Authentication authentication,
Object targetDomainObject, String permission) {
if (!hasModulePermission(authentication, getServiceClass(), permission)) {
return false;
}
RequirementBase req = (RequirementBase) targetDomainObject;
if (permission.equals(Constants.PERM_EDIT_NEW)) {
return req.getState() == RequirementState.NEW;
}
return true;
}
}
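Review bot: The `PERM_EDIT_NEW` decision at `req.getState() == RequirementState.NEW` reads the state from `targetDomainObject`, which in the new `hasPermission(#entity, this.getUpdateEntityPermission())` clauses is the entity handed to `update(T entity)` by the caller, not the persisted row. If that object can arrive from the UI with a client-chosen state, a principal holding only `PERM_EDIT_NEW` could submit an already-approved requirement flagged `NEW` and have the update accepted; the check should be made against the stored state (re-loading the requirement by id in the evaluator or in the service before authorizing) rather than the incoming copy. The unchecked `(RequirementBase) targetDomainObject` cast will also throw `ClassCastException` if this evaluator is ever registered for another type; `if (!(targetDomainObject instanceof RequirementBase)) { return false; }` keeps it fail-closed. The redundant `implements Evaluator` can be dropped since `AbstractModuleEvaluator` already implements it.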

@ -6,6 +6,8 @@ import info.bukova.isspst.data.PermissionType;
import java.io.Serializable; import java.io.Serializable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.PermissionEvaluator; import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
@ -15,6 +17,8 @@ public class IsPermissionEvaluator implements PermissionEvaluator {
@Autowired @Autowired
private EvaluatorsHolder evalHolder; private EvaluatorsHolder evalHolder;
private static final Logger logger = LoggerFactory.getLogger(IsPermissionEvaluator.class);
@Override @Override
public boolean hasPermission(Authentication authentication, public boolean hasPermission(Authentication authentication,
Object targetDomainObject, Object permission) { Object targetDomainObject, Object permission) {
@ -26,12 +30,18 @@ public class IsPermissionEvaluator implements PermissionEvaluator {
} }
} }
if (((String)permission).isEmpty()) {
return true;
}
Evaluator eval = evalHolder.getForObject(targetDomainObject, appPermission != null && appPermission.getType() != PermissionType.GLOBAL); Evaluator eval = evalHolder.getForObject(targetDomainObject, appPermission != null && appPermission.getType() != PermissionType.GLOBAL);
if (eval != null) { if (eval != null) {
return eval.evaluate(authentication, targetDomainObject, (String)permission); return eval.evaluate(authentication, targetDomainObject, (String)permission);
} }
logger.warn("Evaluator for " + targetDomainObject.getClass().getName() + "not registred.");
return false; return false;
} }
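Review bot: The new early return `if (((String)permission).isEmpty()) { return true; }` turns an undefined entity permission into a grant: `AbstractService.getUpdateEntityPermission()` returns `""` by default (the `@ -52,6 +52,10 @@` hunk), and `update()` in both `AbstractService` and `AbstractOwnedService` is now guarded by `hasPermission(this, 'PERM_EDIT') or hasPermission(#entity, this.getUpdateEntityPermission())`, so for every service that does not override the hook the second operand is always true and `PERM_EDIT` is no longer required to update. Unless code earlier in `hasPermission` (outside this hunk) already rejects an empty permission, this should be `return false;` — "no entity-level permission defined" has to be neutral inside an `or`, which is `false`, not `true`. Separately, the warning concatenates without a space and misspells the word (it prints `...Requirementnot registred.`); prefer the SLF4J form `logger.warn("Evaluator for {} not registered.", targetDomainObject.getClass().getName());`, and note that `getClass()` will NPE if `targetDomainObject` is null at this point. `hasPermission` begins before this hunk.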

@ -0,0 +1,13 @@
package info.bukova.isspst.security;
import info.bukova.isspst.services.requirement.RequirementService;
public class RequirementEvaluator extends AbstractRequirementEvaluator
implements Evaluator {
@Override
protected Class<?> getServiceClass() {
return RequirementService.class;
}
}

@ -1,46 +1,14 @@
package info.bukova.isspst.security; package info.bukova.isspst.security;
import info.bukova.isspst.Constants;
import info.bukova.isspst.Module;
import info.bukova.isspst.data.Role;
import java.util.List;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
public class ServiceEvaluator implements Evaluator { public class ServiceEvaluator extends AbstractModuleEvaluator implements Evaluator {
@SuppressWarnings("unchecked")
@Override @Override
public boolean evaluate(Authentication authentication, public boolean evaluate(Authentication authentication,
Object targetDomainObject, String permission) { Object targetDomainObject, String permission) {
List<Role> roles = (List<Role>) authentication.getAuthorities(); return hasModulePermission(authentication, targetDomainObject.getClass(), permission);
String moduleId = "";
String perm = permission;
for (Module m : Constants.MODULES) {
if (m.getServiceClass() != null && m.getServiceClass().isAssignableFrom(targetDomainObject.getClass())) {
moduleId = m.getId();
break;
}
}
perm += "_" + moduleId;
for (int i = 0; i < roles.size(); i++) {
if (!(roles.get(i) instanceof Role)) {
return false;
}
if (roles.get(i).getAuthority().equals(perm)) {
return true;
}
if (roles.get(i).getAuthority().equals(Constants.ROLE_ADMIN)) {
return true;
}
}
return false;
} }
} }

@ -0,0 +1,13 @@
package info.bukova.isspst.security;
import info.bukova.isspst.services.requirement.TripRequirementService;
public class TripRequirementEvaluator extends AbstractRequirementEvaluator
implements Evaluator {
@Override
protected Class<?> getServiceClass() {
return TripRequirementService.class;
}
}

@ -26,7 +26,7 @@ public class AbstractOwnedService<T extends OwnedDataModel> extends AbstractServ
@Override @Override
@Transactional @Transactional
@PreAuthorize("hasPermission(this, 'PERM_EDIT')") @PreAuthorize("hasPermission(this, 'PERM_EDIT') or hasPermission(#entity, this.getUpdateEntityPermission())")
public void update(T entity) { public void update(T entity) {
validate(entity); validate(entity);
entity.setModifiedBy(getLoggedInUser()); entity.setModifiedBy(getLoggedInUser());

@ -52,6 +52,10 @@ public abstract class AbstractService<T extends DataModel> implements Service<T>
this.dao = dao; this.dao = dao;
} }
public String getUpdateEntityPermission() {
return "";
}
@Override @Override
@PreAuthorize("hasPermission(this, 'PERM_ADD')") @PreAuthorize("hasPermission(this, 'PERM_ADD')")
public final T create() { public final T create() {
@ -69,7 +73,7 @@ public abstract class AbstractService<T extends DataModel> implements Service<T>
@Override @Override
@Transactional @Transactional
@PreAuthorize("hasPermission(this, 'PERM_EDIT')") @PreAuthorize("hasPermission(this, 'PERM_EDIT') or hasPermission(#entity, this.getUpdateEntityPermission())")
public void update(T entity) { public void update(T entity) {
validate(entity); validate(entity);
entity.setModified(new Date()); entity.setModified(new Date());
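Review bot: `getUpdateEntityPermission()` is a public hook whose only consumer is the SpEL expression in the `@PreAuthorize` annotations on `update`, which a reader of the method itself cannot see; it needs a Javadoc stating that contract, e.g. `/** Name of the per-entity permission that alternatively authorizes update(T); read via SpEL from @PreAuthorize, so it must stay public. Empty string means no such permission. */`. The `#entity` reference in the expression resolves only if parameter names survive compilation (debug info or `-parameters`) or the parameter is annotated with `@P("entity")`; a comment on `update` recording which of these the build relies on would prevent a silent binding failure after a build change. The `create()` and `update()` bodies continue outside these hunks.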

@ -1,5 +1,6 @@
package info.bukova.isspst.services.requirement; package info.bukova.isspst.services.requirement;
import info.bukova.isspst.Constants;
import info.bukova.isspst.data.AuthItem; import info.bukova.isspst.data.AuthItem;
import info.bukova.isspst.data.JobMapping; import info.bukova.isspst.data.JobMapping;
import info.bukova.isspst.data.RequirementBase; import info.bukova.isspst.data.RequirementBase;
@ -208,7 +209,7 @@ public abstract class RequirementBaseServiceImpl<T extends RequirementBase> exte
entity.setState(e.getState()); entity.setState(e.getState());
entity.getAuthorization().add(auth); entity.getAuthorization().add(auth);
this.update(e); super.update(e);
this.sendToApprovers(e); this.sendToApprovers(e);
@ -321,4 +322,10 @@ public abstract class RequirementBaseServiceImpl<T extends RequirementBase> exte
Query q = dao.getQuery("from " + dao.getEntityName() + " as tr join fetch tr.ownedBy order by tr.numser"); Query q = dao.getQuery("from " + dao.getEntityName() + " as tr join fetch tr.ownedBy order by tr.numser");
return q.list(); return q.list();
} }
@Override
public String getUpdateEntityPermission() {
return Constants.PERM_EDIT_NEW;
}
} }
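Review bot: The switch from `this.update(e)` to `super.update(e)` in what looks like the approval path is not explained; it skips whatever `update` override exists in `RequirementBaseServiceImpl` or its subclasses, and if the goal was to sidestep the `@PreAuthorize` on `update`, a self-invocation through `this` already bypasses a proxy-based Spring AOP interceptor, so the change only matters for overridden logic (or under AspectJ weaving). A short comment at the call site, e.g. `// call the base update() directly: <reason>`, would record the intent for the next reader. The enclosing method starts before this hunk.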

@ -89,10 +89,16 @@
<constructor-arg ref="workgroupServiceNoTx"/> <constructor-arg ref="workgroupServiceNoTx"/>
</bean> </bean>
<bean id="reqEditEval" class="info.bukova.isspst.security.RequirementEvaluator"/>
<bean id="tripReqEditEval" class="info.bukova.isspst.security.TripRequirementEvaluator"/>
<bean id="evalHolder" class="info.bukova.isspst.security.EvaluatorsHolder"> <bean id="evalHolder" class="info.bukova.isspst.security.EvaluatorsHolder">
<property name="globalEvaluators"> <property name="globalEvaluators">
<map> <map>
<entry key="#{T(info.bukova.isspst.services.Service)}" value-ref="serviceEval"/> <entry key="#{T(info.bukova.isspst.services.Service)}" value-ref="serviceEval"/>
<entry key="#{T(info.bukova.isspst.data.Requirement)}" value-ref="reqEditEval"/>
<entry key="#{T(info.bukova.isspst.data.TripRequirement)}" value-ref="tripReqEditEval"/>
</map> </map>
</property> </property>
<property name="specialEvaluators"> <property name="specialEvaluators">
