
Deserializer: improved test code coverage for IGNORE field access

Michael Hoennig
2019-05-16 20:25:02 +02:00
parent f9b68df901
commit e7cb3622f3
4 changed files with 106 additions and 46 deletions


@ -82,13 +82,16 @@ abstract class JSonAccessFilter<T extends AccessMappings> {
final Class<?> parentDtoClass = ReflectionUtil.<T> determineGenericInterfaceParameter(parentDtoLoader, rawType, 0);
final Long parentId = ReflectionUtil.getValue(dto, parentIdField);
if (parentId == null) {
return emptySet();
}
final Set<Role> rolesOnParent = getLoginUserDirectRolesFor(parentDtoClass, parentId);
final Object parentEntity = loadDto(parentDtoLoader, parentId);
return union(rolesOnParent, getLoginUserRoleOnAncestorIfHigher(parentEntity));
}
private Set<Role> getLoginUserDirectRolesFor(final Class<?> dtoClass, final Long id) {
private Set<Role> getLoginUserDirectRolesFor(final Class<?> dtoClass, final long id) {
if (!SecurityUtils.isAuthenticated()) {
return emptySet();
}
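Review bot: The `parentId == null` guard returns `emptySet()` with no comment, although that return value is an authorization decision: a DTO without a parent reference contributes no inherited roles. It also appears to be what keeps a null `Long` from being unboxed into the `final long id` parameter of `getLoginUserDirectRolesFor`, assuming the `long` signature is the new side. A comment such as `// no parent reference: nothing is inherited (fail closed), and null must not reach the long id below` would stop a later edit from swapping in a permissive default. The enclosing method starts above this hunk and `getLoginUserDirectRolesFor` continues below it.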


@ -199,38 +199,47 @@ public abstract class JsonDeserializerWithAccessFilter<T extends AccessMappings>
private void checkAccessToWrittenFields(final T currentDto) {
updatingFields.forEach(
field -> {
// TODO this ugly code needs cleanup
if (!field.equals(selfIdField)) {
final Set<Role> roles = getLoginUserRoles();
if (isInitAccess()) {
if (!isAllowedToInit(roles, field)) {
if (!field.equals(parentIdField)) {
throw new BadRequestAlertException(
"Initialization of field " + toDisplay(field)
+ " prohibited for current user role(s): "
+ Joiner.on("+").join(roles),
toDisplay(field),
"initializationProhibited");
} else {
throw new BadRequestAlertException(
"Referencing field " + toDisplay(field)
+ " prohibited for current user role(s): "
+ Joiner.on("+").join(roles),
toDisplay(field),
"referencingProhibited");
}
}
} else if (!Role.toBeIgnoredForUpdates(field) && !isAllowedToUpdate(getLoginUserRoles(), field)) {
throw new BadRequestAlertException(
"Update of field " + toDisplay(field) + " prohibited for current user role(s): "
+ Joiner.on("+").join(roles),
toDisplay(field),
"updateProhibited");
validateInitAccess(field, roles);
} else {
validateUpdateAccess(field, roles);
}
}
});
}
private void validateInitAccess(Field field, Set<Role> roles) {
if (!Role.toBeIgnoredForUpdates(field) && !isAllowedToInit(roles, field)) {
if (!field.equals(parentIdField)) {
throw new BadRequestAlertException(
"Initialization of field " + toDisplay(field)
+ " prohibited for current user role(s): "
+ Joiner.on("+").join(roles),
toDisplay(field),
"initializationProhibited");
} else {
throw new BadRequestAlertException(
"Referencing field " + toDisplay(field)
+ " prohibited for current user role(s): "
+ Joiner.on("+").join(roles),
toDisplay(field),
"referencingProhibited");
}
}
}
private void validateUpdateAccess(Field field, Set<Role> roles) {
if (!Role.toBeIgnoredForUpdates(field) && !isAllowedToUpdate(getLoginUserRoles(), field)) {
throw new BadRequestAlertException(
"Update of field " + toDisplay(field) + " prohibited for current user role(s): "
+ Joiner.on("+").join(roles),
toDisplay(field),
"updateProhibited");
}
}
private boolean isAllowedToInit(final Set<Role> roles, final Field field) {
for (Role role : roles) {
if (role.isAllowedToInit(field)) {
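Review bot: `validateInitAccess` now skips the init check whenever `Role.toBeIgnoredForUpdates(field)` is true, a condition the removed `isInitAccess()` branch did not have, so this is an authorization change inside a commit titled as test coverage. If it is intended, say so on the method, e.g. `// IGNORE fields are exempt from the init check too; confirm their values are never persisted`, because a helper named for updates now also gates the create path; `Role.toBeIgnoredForUpdates` is not visible here, so what it exempts should be confirmed. Separately, `validateUpdateAccess` takes `roles` but checks against a fresh `getLoginUserRoles()` call, so the decision and the roles printed in the error can come from two different lookups; use `if (!Role.toBeIgnoredForUpdates(field) && !isAllowedToUpdate(roles, field)) {`. Any further hunks in this file are outside the visible part of the page.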