Přidána metoda pro select položek schválených požadavků, které má
přihlášený uživatel právo zobrazit. Přidány komentáře do tříd pro vyhodnocování přístupových práv. refs #136
This commit is contained in:
@@ -0,0 +1,16 @@
|
|||||||
|
package info.bukova.isspst.data;
|
||||||
|
|
||||||
|
import info.bukova.isspst.security.RequirementFilterEvaluator;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Pomocné rozhraní pro filtrování záznamů pře vyhodnocovač prav {@link RequirementFilterEvaluator}.
|
||||||
|
*
|
||||||
|
* @author pepa
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
public interface FilterableRequirement {
|
||||||
|
|
||||||
|
Workgroup getCentre();
|
||||||
|
Workgroup getWorkgroup();
|
||||||
|
|
||||||
|
}
|
||||||
@@ -0,0 +1,56 @@
|
|||||||
|
package info.bukova.isspst.data;
|
||||||
|
|
||||||
|
public class JoinedItem implements FilterableRequirement {
|
||||||
|
|
||||||
|
private RequirementItem item;
|
||||||
|
private Workgroup workgroup;
|
||||||
|
private Workgroup centre;
|
||||||
|
private User ownedBy;
|
||||||
|
|
||||||
|
public JoinedItem(RequirementItem item, Workgroup workgroup,
|
||||||
|
Workgroup centre, User owner) {
|
||||||
|
super();
|
||||||
|
this.item = item;
|
||||||
|
this.workgroup = workgroup;
|
||||||
|
this.centre = centre;
|
||||||
|
this.ownedBy = owner;
|
||||||
|
}
|
||||||
|
|
||||||
|
public JoinedItem(RequirementItem item) {
|
||||||
|
super();
|
||||||
|
this.item = item;
|
||||||
|
}
|
||||||
|
|
||||||
|
public RequirementItem getItem() {
|
||||||
|
return item;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setItem(RequirementItem item) {
|
||||||
|
this.item = item;
|
||||||
|
}
|
||||||
|
|
||||||
|
public Workgroup getWorkgroup() {
|
||||||
|
return workgroup;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setWorkgroup(Workgroup workgroup) {
|
||||||
|
this.workgroup = workgroup;
|
||||||
|
}
|
||||||
|
|
||||||
|
public Workgroup getCentre() {
|
||||||
|
return centre;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setCentre(Workgroup centre) {
|
||||||
|
this.centre = centre;
|
||||||
|
}
|
||||||
|
|
||||||
|
public User getOwnedBy() {
|
||||||
|
return ownedBy;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setOwnedBy(User owner) {
|
||||||
|
this.ownedBy = owner;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
@@ -9,7 +9,6 @@ import javax.persistence.CascadeType;
|
|||||||
import javax.persistence.Column;
|
import javax.persistence.Column;
|
||||||
import javax.persistence.Entity;
|
import javax.persistence.Entity;
|
||||||
import javax.persistence.FetchType;
|
import javax.persistence.FetchType;
|
||||||
import javax.persistence.JoinColumn;
|
|
||||||
import javax.persistence.OneToMany;
|
import javax.persistence.OneToMany;
|
||||||
import javax.persistence.Table;
|
import javax.persistence.Table;
|
||||||
|
|
||||||
@@ -17,8 +16,7 @@ import javax.persistence.Table;
|
|||||||
@Table(name = "REQUIREMENT")
|
@Table(name = "REQUIREMENT")
|
||||||
public class Requirement extends RequirementBase
|
public class Requirement extends RequirementBase
|
||||||
{
|
{
|
||||||
@OneToMany(fetch = FetchType.EAGER, cascade = CascadeType.ALL)
|
@OneToMany(fetch = FetchType.EAGER, mappedBy = "requirement", cascade = CascadeType.ALL)
|
||||||
@JoinColumn(name = "REQUIREMENT_ID")
|
|
||||||
private List<RequirementItem> items;
|
private List<RequirementItem> items;
|
||||||
|
|
||||||
@Column(name = "DELIVERYDATE")
|
@Column(name = "DELIVERYDATE")
|
||||||
|
|||||||
@@ -19,7 +19,7 @@ import org.hibernate.annotations.LazyCollection;
|
|||||||
import org.hibernate.annotations.LazyCollectionOption;
|
import org.hibernate.annotations.LazyCollectionOption;
|
||||||
|
|
||||||
@MappedSuperclass
|
@MappedSuperclass
|
||||||
public class RequirementBase extends BaseData {
|
public class RequirementBase extends BaseData implements FilterableRequirement {
|
||||||
|
|
||||||
@ManyToOne(fetch = FetchType.LAZY)
|
@ManyToOne(fetch = FetchType.LAZY)
|
||||||
@JoinColumn(name = "TYPE_ID")
|
@JoinColumn(name = "TYPE_ID")
|
||||||
|
|||||||
@@ -24,6 +24,10 @@ public class RequirementItem
|
|||||||
@ManyToOne(fetch = FetchType.LAZY)
|
@ManyToOne(fetch = FetchType.LAZY)
|
||||||
@JoinColumn(name = "REQSUBJECT_ID")
|
@JoinColumn(name = "REQSUBJECT_ID")
|
||||||
private RequirementSubject reqSubject;
|
private RequirementSubject reqSubject;
|
||||||
|
|
||||||
|
@ManyToOne
|
||||||
|
@JoinColumn(name = "REQUIREMENT_ID")
|
||||||
|
private Requirement requirement;
|
||||||
|
|
||||||
@Column(name = "CODE")
|
@Column(name = "CODE")
|
||||||
private String code;
|
private String code;
|
||||||
@@ -162,4 +166,14 @@ public class RequirementItem
|
|||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public Requirement getRequirement()
|
||||||
|
{
|
||||||
|
return requirement;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setRequirement(Requirement requirement)
|
||||||
|
{
|
||||||
|
this.requirement = requirement;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -6,6 +6,12 @@ import info.bukova.isspst.data.RequirementState;
|
|||||||
|
|
||||||
import org.springframework.security.core.Authentication;
|
import org.springframework.security.core.Authentication;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Abstraktní třída pro vyhodnocení práv editace nových požadavků.
|
||||||
|
*
|
||||||
|
* @author pepa
|
||||||
|
*
|
||||||
|
*/
|
||||||
public abstract class AbstractRequirementEvaluator extends AbstractModuleEvaluator implements Evaluator {
|
public abstract class AbstractRequirementEvaluator extends AbstractModuleEvaluator implements Evaluator {
|
||||||
|
|
||||||
protected abstract Class<?> getServiceClass();
|
protected abstract Class<?> getServiceClass();
|
||||||
|
|||||||
@@ -1,9 +1,26 @@
|
|||||||
package info.bukova.isspst.security;
|
package info.bukova.isspst.security;
|
||||||
|
|
||||||
|
import org.springframework.security.access.prepost.PostFilter;
|
||||||
|
import org.springframework.security.access.prepost.PreAuthorize;
|
||||||
import org.springframework.security.core.Authentication;
|
import org.springframework.security.core.Authentication;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Rozhraní vyhodnocovačů práv.
|
||||||
|
*
|
||||||
|
* @author pepa
|
||||||
|
*
|
||||||
|
*/
|
||||||
public interface Evaluator {
|
public interface Evaluator {
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Metoda se zavolá pro vyhodnocení práv k danému objektu. Volá ji Spring security
|
||||||
|
* na základě anotace {@link PreAuthorize}, případně {@link PostFilter}.
|
||||||
|
*
|
||||||
|
* @param authentication objekt přihlášeného uživatele
|
||||||
|
* @param targetDomainObject objekt ke kterému se vyhodnocují práva
|
||||||
|
* @param permission práva potřebná k vykonání anotované metody
|
||||||
|
* @return true, pokud je dovoleno metodu vykonat
|
||||||
|
*/
|
||||||
public boolean evaluate(Authentication authentication,
|
public boolean evaluate(Authentication authentication,
|
||||||
Object targetDomainObject, String permission);
|
Object targetDomainObject, String permission);
|
||||||
|
|
||||||
|
|||||||
@@ -2,6 +2,31 @@ package info.bukova.isspst.security;
|
|||||||
|
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
|
||||||
|
import org.springframework.security.access.prepost.PostFilter;
|
||||||
|
import org.springframework.security.access.prepost.PreAuthorize;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Kontainer vyhodnocovačů práv. Nastavuje se přes Spring kontext:
|
||||||
|
* <pre>
|
||||||
|
* {@code
|
||||||
|
* <bean id="evalHolder" class="info.bukova.isspst.security.EvaluatorsHolder">
|
||||||
|
* <property name="globalEvaluators">
|
||||||
|
* <map>
|
||||||
|
* <entry key="#{T(info.bukova.isspst.services.Service)}" value-ref="serviceEval"/>
|
||||||
|
* <entry key="#{T(info.bukova.isspst.data.Requirement)}" value-ref="reqEditEval"/>
|
||||||
|
* <entry key="#{T(info.bukova.isspst.data.TripRequirement)}" value-ref="tripReqEditEval"/>
|
||||||
|
* <entry key="#{T(info.bukova.isspst.data.User)}" value-ref="userEvaluator"/>
|
||||||
|
* </map>
|
||||||
|
* </property>
|
||||||
|
* .......
|
||||||
|
* }
|
||||||
|
* </pre>
|
||||||
|
* Vyhodnocovače jsou registrovány pro třídy jejichž některé metody podléhají kontrole práv - mají
|
||||||
|
* anotace {@link PreAuthorize} nebo {@link PostFilter}
|
||||||
|
*
|
||||||
|
* @author pepa
|
||||||
|
*
|
||||||
|
*/
|
||||||
public class EvaluatorsHolder {
|
public class EvaluatorsHolder {
|
||||||
|
|
||||||
private Map<Class<?>, Evaluator> globalEvaluators;
|
private Map<Class<?>, Evaluator> globalEvaluators;
|
||||||
@@ -15,6 +40,13 @@ public class EvaluatorsHolder {
|
|||||||
this.specialEvaluators = specialEvaluators;
|
this.specialEvaluators = specialEvaluators;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Podle třídy/rozhraní předaného objektu vrátí instanci vyhodnocovače.
|
||||||
|
*
|
||||||
|
* @param object objekt, ve kterém se provádí kontrola práv
|
||||||
|
* @param special true, pokud se má kontrolovat speciální oprávnění vstažené ke středisku/komisi
|
||||||
|
* @return instanci vyhodnocovače {@link Evaluator}. Pokud třída objektu nemá zaregistrovaný vyhodnocovač, vrací null.
|
||||||
|
*/
|
||||||
public Evaluator getForObject(Object object, boolean special) {
|
public Evaluator getForObject(Object object, boolean special) {
|
||||||
Map<Class<?>, Evaluator> evals;
|
Map<Class<?>, Evaluator> evals;
|
||||||
|
|
||||||
|
|||||||
@@ -1,9 +1,9 @@
|
|||||||
package info.bukova.isspst.security;
|
package info.bukova.isspst.security;
|
||||||
|
|
||||||
import info.bukova.isspst.Constants;
|
import info.bukova.isspst.Constants;
|
||||||
|
import info.bukova.isspst.data.FilterableRequirement;
|
||||||
import info.bukova.isspst.data.Permission;
|
import info.bukova.isspst.data.Permission;
|
||||||
import info.bukova.isspst.data.PermissionType;
|
import info.bukova.isspst.data.PermissionType;
|
||||||
import info.bukova.isspst.data.RequirementBase;
|
|
||||||
import info.bukova.isspst.data.Role;
|
import info.bukova.isspst.data.Role;
|
||||||
import info.bukova.isspst.data.User;
|
import info.bukova.isspst.data.User;
|
||||||
import info.bukova.isspst.data.Workgroup;
|
import info.bukova.isspst.data.Workgroup;
|
||||||
@@ -11,8 +11,17 @@ import info.bukova.isspst.services.workgroups.WorkgroupService;
|
|||||||
|
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
|
import org.springframework.security.access.prepost.PostFilter;
|
||||||
import org.springframework.security.core.Authentication;
|
import org.springframework.security.core.Authentication;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Filtr kolekce objektů {@link FilterableRequirement}. Podle role, kterou má uživatel
|
||||||
|
* na středisku/komisi ve které je požadavek, se vyhodnotí, zda má uživatel právo ho
|
||||||
|
* zobrazit. Požití s anotací {@link PostFilter}.
|
||||||
|
*
|
||||||
|
* @author pepa
|
||||||
|
*
|
||||||
|
*/
|
||||||
public class RequirementFilterEvaluator implements Evaluator {
|
public class RequirementFilterEvaluator implements Evaluator {
|
||||||
|
|
||||||
private WorkgroupService wgService;
|
private WorkgroupService wgService;
|
||||||
@@ -21,11 +30,19 @@ public class RequirementFilterEvaluator implements Evaluator {
|
|||||||
this.wgService = wgService;
|
this.wgService = wgService;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
*
|
||||||
|
* @see info.bukova.isspst.security.Evaluator#evaluate(org.springframework.security.core.Authentication, java.lang.Object, java.lang.String)
|
||||||
|
* @param authentication objekt přihlášeného uživatele
|
||||||
|
* @param targetDomainObject objekt požadavku
|
||||||
|
* @param permission oprávnění nutné k zobrazení
|
||||||
|
*
|
||||||
|
*/
|
||||||
@Override
|
@Override
|
||||||
public boolean evaluate(Authentication authentication,
|
public boolean evaluate(Authentication authentication,
|
||||||
Object targetDomainObject, String permission) {
|
Object targetDomainObject, String permission) {
|
||||||
|
|
||||||
RequirementBase req = (RequirementBase) targetDomainObject;
|
FilterableRequirement req = (FilterableRequirement) targetDomainObject;
|
||||||
Workgroup reqWg;
|
Workgroup reqWg;
|
||||||
|
|
||||||
if (!(authentication.getPrincipal() instanceof User)) {
|
if (!(authentication.getPrincipal() instanceof User)) {
|
||||||
|
|||||||
@@ -2,6 +2,12 @@ package info.bukova.isspst.security;
|
|||||||
|
|
||||||
import org.springframework.security.core.Authentication;
|
import org.springframework.security.core.Authentication;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Vyhodnocuje základní práva modulů - číst, upravit, přidat, mazat.
|
||||||
|
*
|
||||||
|
* @author pepa
|
||||||
|
*
|
||||||
|
*/
|
||||||
public class ServiceEvaluator extends AbstractModuleEvaluator implements Evaluator {
|
public class ServiceEvaluator extends AbstractModuleEvaluator implements Evaluator {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
|||||||
@@ -5,6 +5,12 @@ import info.bukova.isspst.data.User;
|
|||||||
|
|
||||||
import org.springframework.security.core.Authentication;
|
import org.springframework.security.core.Authentication;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Vyhodnocuje právo k editaci vlastního záznamu uživatele
|
||||||
|
*
|
||||||
|
* @author pepa
|
||||||
|
*
|
||||||
|
*/
|
||||||
public class UserEvaluator implements Evaluator {
|
public class UserEvaluator implements Evaluator {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
|||||||
@@ -12,6 +12,14 @@ import java.util.List;
|
|||||||
|
|
||||||
import org.springframework.security.core.Authentication;
|
import org.springframework.security.core.Authentication;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Vyhodnocovač práv vstahujících se ke členství ve středisku nebo komisi.
|
||||||
|
* Pokud má uživatel v některém ze středisek/komisí jichž je členem zadané
|
||||||
|
* oprávnění, je vyhodnoceno jako true a anotovaná metoda se provede.
|
||||||
|
*
|
||||||
|
* @author pepa
|
||||||
|
*
|
||||||
|
*/
|
||||||
public class WorkgroupAwareServiceEvaluator implements Evaluator {
|
public class WorkgroupAwareServiceEvaluator implements Evaluator {
|
||||||
|
|
||||||
private WorkgroupService wgService;
|
private WorkgroupService wgService;
|
||||||
|
|||||||
@@ -1,8 +1,11 @@
|
|||||||
package info.bukova.isspst.services.requirement;
|
package info.bukova.isspst.services.requirement;
|
||||||
|
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
|
import info.bukova.isspst.data.JoinedItem;
|
||||||
import info.bukova.isspst.data.Requirement;
|
import info.bukova.isspst.data.Requirement;
|
||||||
|
|
||||||
public interface RequirementService extends RequirementBaseService<Requirement>
|
public interface RequirementService extends RequirementBaseService<Requirement>
|
||||||
{
|
{
|
||||||
|
public List<JoinedItem> getItemsForOrder();
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,15 +1,23 @@
|
|||||||
package info.bukova.isspst.services.requirement;
|
package info.bukova.isspst.services.requirement;
|
||||||
|
|
||||||
import info.bukova.isspst.Constants;
|
import info.bukova.isspst.Constants;
|
||||||
|
import info.bukova.isspst.data.JoinedItem;
|
||||||
import info.bukova.isspst.data.Requirement;
|
import info.bukova.isspst.data.Requirement;
|
||||||
|
import info.bukova.isspst.data.RequirementItem;
|
||||||
import info.bukova.isspst.data.RequirementState;
|
import info.bukova.isspst.data.RequirementState;
|
||||||
import info.bukova.isspst.data.User;
|
import info.bukova.isspst.data.User;
|
||||||
import info.bukova.isspst.data.Workflow;
|
import info.bukova.isspst.data.Workflow;
|
||||||
|
import info.bukova.isspst.data.Workgroup;
|
||||||
|
|
||||||
|
import java.util.ArrayList;
|
||||||
import java.util.Date;
|
import java.util.Date;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
|
import org.hibernate.Query;
|
||||||
import org.springframework.beans.factory.annotation.Autowired;
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
|
import org.springframework.security.access.prepost.PostFilter;
|
||||||
|
import org.springframework.security.access.prepost.PreAuthorize;
|
||||||
|
import org.springframework.transaction.annotation.Transactional;
|
||||||
|
|
||||||
public class RequirementServiceImpl extends
|
public class RequirementServiceImpl extends
|
||||||
RequirementBaseServiceImpl<Requirement> implements RequirementService,
|
RequirementBaseServiceImpl<Requirement> implements RequirementService,
|
||||||
@@ -46,4 +54,23 @@ public class RequirementServiceImpl extends
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@SuppressWarnings("unchecked")
|
||||||
|
@Override
|
||||||
|
@Transactional
|
||||||
|
@PreAuthorize("hasPermission(this, 'PERM_SHOW_CENTRE_REQ')")
|
||||||
|
@PostFilter("hasPermission(filterObject, 'PERM_SHOW_CENTRE_REQ')")
|
||||||
|
public List<JoinedItem> getItemsForOrder() {
|
||||||
|
List<Workgroup> wgList = workgroupService.getUserCentres(getLoggedInUser());
|
||||||
|
Query q = dao.getQuery("select item from RequirementItem item left join item.requirement rq join rq.centre c where rq.kind is not null and rq.state = :state and c in (:wgList)");
|
||||||
|
q.setParameterList("wgList", wgList);
|
||||||
|
q.setParameter("state", RequirementState.APPROVED);
|
||||||
|
List<JoinedItem> items = new ArrayList<JoinedItem>();
|
||||||
|
|
||||||
|
for (RequirementItem it : (List<RequirementItem>)q.list()) {
|
||||||
|
items.add(new JoinedItem(it, it.getRequirement().getWorkgroup(), it.getRequirement().getCentre(), it.getRequirement().getOwnedBy()));
|
||||||
|
}
|
||||||
|
|
||||||
|
return items;
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -108,6 +108,7 @@
|
|||||||
<map>
|
<map>
|
||||||
<entry key="#{T(info.bukova.isspst.services.Service)}" value-ref="wgServiceEval"/>
|
<entry key="#{T(info.bukova.isspst.services.Service)}" value-ref="wgServiceEval"/>
|
||||||
<entry key="#{T(info.bukova.isspst.data.RequirementBase)}" value-ref="requirementEval"/>
|
<entry key="#{T(info.bukova.isspst.data.RequirementBase)}" value-ref="requirementEval"/>
|
||||||
|
<entry key="#{T(info.bukova.isspst.data.JoinedItem)}" value-ref="requirementEval"/>
|
||||||
</map>
|
</map>
|
||||||
</property>
|
</property>
|
||||||
</bean>
|
</bean>
|
||||||
|
|||||||
Reference in New Issue
Block a user