Changsung Kim 2015-01-06
fixes a bug that site admin does not have group admin authorization.
* Issue
    - Logic for site admin authorization is omitted from the organization code.
    - Some validations do not check authorization and have bugs.

* Solution
    - The bugs are fixed and site admin authorization logic is added.

Private-issue: 1855
@bd17dce299900ab0ba1f2d01846c706de18d9987
app/controllers/OrganizationApp.java
--- app/controllers/OrganizationApp.java
+++ app/controllers/OrganizationApp.java
@@ -21,7 +21,6 @@
 package controllers;
 
 import controllers.annotation.AnonymousCheck;
-import controllers.annotation.IsAllowed;
 import models.*;
 import models.enumeration.Operation;
 import models.enumeration.RequestState;
@@ -46,10 +45,7 @@
 import javax.validation.ConstraintViolation;
 import java.io.IOException;
 import java.security.NoSuchAlgorithmException;
-import java.util.Date;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Set;
+import java.util.*;
 
 import static play.data.Form.form;
 import static utils.LogoUtil.*;
@@ -152,7 +148,7 @@
         }
 
         User currentUser = UserApp.currentUser();
-        if (!OrganizationUser.isAdmin(organization.id, currentUser.id)) {
+        if (!AccessControl.isAllowed(currentUser, organization.asResource(), Operation.UPDATE)) {
             flash(Constants.WARNING, "organization.member.needManagerRole");
             return redirect(routes.OrganizationApp.members(organizationName));
         }
@@ -243,9 +239,11 @@
             flash(Constants.WARNING, "organization.member.needManagerRole");
             return okWithLocation(routes.OrganizationApp.members(organizationName).url());
         }
-        if (OrganizationUser.isAdmin(organization.id, userId) && organization.getAdmins().size() == 1) {
-            flash(Constants.WARNING, "organization.member.atLeastOneAdmin");
-            return okWithLocation(routes.OrganizationApp.members(organizationName).url());
+
+        if (OrganizationUser.isAdmin(organization.id, userId) && organization.getAdmins().size() == 1
+                && roleForm.get().id.equals(RoleType.ORG_MEMBER.roleType())) {
+                    flash(Constants.WARNING, "organization.member.atLeastOneAdmin");
+                    return okWithLocation(routes.OrganizationApp.members(organizationName).url());
         }
 
         return null;
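Review bot: The last-admin guard in the new condition only blocks the change when the requested role is exactly ORG_MEMBER, so if RoleType carries any value other than the admin and member roles, the sole admin could still be moved off the admin role; rejecting every non-admin target is safer, e.g. `&& !RoleType.<admin role constant>.roleType().equals(roleForm.get().id)) {` with the constant on the left so a missing form id does not throw a NullPointerException. The two body lines inside that if are indented a further four levels and should sit at the same depth as the flash call earlier in the hunk. The enclosing method starts before this hunk.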
@@ -270,7 +268,7 @@
             return new ValidationResult(notFound(getJsonErrorMsg("organization.member.unknownOrganization")), true);
         }
 
-        if (OrganizationUser.isAdmin(organization.id, UserApp.currentUser().id)) {
+        if (!AccessControl.isAllowed(UserApp.currentUser(), organization.asResource(), Operation.LEAVE)) {
             if (OrganizationUser.findAdminsOf(organization).size() == 1) {
                 return new ValidationResult(forbidden(getJsonErrorMsg("organization.member.atLeastOneAdmin")), true);
             }
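Review bot: When `AccessControl.isAllowed(..., Operation.LEAVE)` returns false but the organization has more than one admin, this hunk produces no ValidationResult, so the denial is dropped unless the code after the hunk handles it (the method continues outside the hunk). The old condition asked whether the caller is an admin, whereas the new one asks whether leaving is denied, and the admin-count test is the only consequence wired to that answer. Returning forbidden in the remaining case keeps the permission check authoritative: add an else branch after the inner if with `return new ValidationResult(forbidden(getJsonErrorMsg("error.forbidden")), true);`.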
@@ -303,7 +301,7 @@
         }
 
         User currentUser = UserApp.currentUser();
-        if (!OrganizationUser.isAdmin(organization.id, currentUser.id)) {
+        if (!AccessControl.isAllowed(currentUser, organization.asResource(), Operation.UPDATE)) {
             return forbidden(ErrorViews.Forbidden.render("error.forbidden", organization));
         }
 
@@ -361,6 +359,11 @@
         Organization organization = Organization.find.byId(modifiedOrganization.id);
         if (organization == null) {
             return notFound(ErrorViews.NotFound.render("organization.member.unknownOrganization"));
+        }
+
+        if (!AccessControl.isAllowed(UserApp.currentUser(), organization.asResource(), Operation.UPDATE)) {
+            flash(Constants.WARNING, "organization.member.needManagerRole");
+            return forbidden(ErrorViews.Forbidden.render("error.forbidden", organization));
         }
 
         if (isDuplicateName(organization, modifiedOrganization)) {
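Review bot: The `flash(Constants.WARNING, "organization.member.needManagerRole");` line in the new check is paired with a directly rendered forbidden page rather than a redirect, so the warning is not shown with this response but on whatever page the user requests next. The equivalent check in the hunk at `@@ -303,7` returns the forbidden view without a flash; either drop the flash line here or redirect as the members check does. The enclosing method continues outside the hunk.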
@@ -435,6 +438,9 @@
         if (organization == null) {
             return new ValidationResult(notFound(getJsonErrorMsg("organization.member.unknownOrganization")), true);
         }
+        if (!AccessControl.isAllowed(UserApp.currentUser(), organization.asResource(), Operation.DELETE)) {
+            return new ValidationResult(notFound(getJsonErrorMsg("organization.member.needManagerRole")), true);
+        }
         if (organization.projects != null && organization.projects.size() > 0) {
             return new ValidationResult(notFound(getJsonErrorMsg("organization.delete.impossible.project.exist")), true);
         }
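Review bot: The new DELETE authorization failure is returned as `notFound(...)`, so a caller without permission receives a 404 carrying the `needManagerRole` message, which misreports the condition and differs from the `forbidden(...)` used for the same kind of failure in the hunk at `@@ -270,7`. Use `return new ValidationResult(forbidden(getJsonErrorMsg("organization.member.needManagerRole")), true);`. A 404 would only be defensible if the organization's existence were meant to be hidden, and the message text already gives that away. The enclosing method continues outside the hunk.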
app/views/error/forbidden_organization.scala.html
--- app/views/error/forbidden_organization.scala.html
+++ app/views/error/forbidden_organization.scala.html
@@ -18,11 +18,14 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 **@
-@(messageKey:String = "error.forbidden", organization: Organization)
+@(messageKey:String = "error.forbidden", org: Organization)
 
-@siteLayout(organization.name, utils.MenuType.NONE) {
-    <div class="site-breadcrumb-outer">
-        <div class="site-breadcrumb-inner">
+@organizationLayout(org.name, utils.MenuType.NONE, org) {
+    @organization.header(org)
+    @organization.menu(org)
+
+    <div class="page-wrap-outer">
+        <div class="project-page-wrap">
             <div class="error-wrap">
                 <i class="ico ico-err2"></i>
                 <p>@Messages(messageKey)</p>
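Review bot: The rename of the template parameter from `organization` to `org` carries no comment explaining it; it appears to be required because the body now calls `@organization.header(org)`, where `organization` must resolve to the template package and would otherwise be shadowed by the parameter. A short template comment such as `@* the parameter is named org so it does not shadow the organization template package used below *@` would save the next reader from re-deriving this. Any caller that passes this argument by name would also need updating, which the diff does not show.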
app/views/organization/menu.scala.html
--- app/views/organization/menu.scala.html
+++ app/views/organization/menu.scala.html
@@ -31,12 +31,11 @@
         </ul>
         <div class="project-setting">
             <ul class="project-menu-nav">
-                @if(OrganizationUser.isAdmin(org, UserApp.currentUser)) {
+                @if(OrganizationUser.isAdmin(org, UserApp.currentUser) || UserApp.currentUser().isSiteManager) {
                     <li class="">
                         <a href="@routes.OrganizationApp.settingForm(org.name)">
                             <i class="yobicon-cog"></i>
                             <span class="blind">@Messages("menu.admin")</span>
-
                         </a>
                     <li>
                 }
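Review bot: The settings link is now gated by `OrganizationUser.isAdmin(org, UserApp.currentUser) || UserApp.currentUser().isSiteManager`, a second copy of the rule that the controller hunks express as `AccessControl.isAllowed(currentUser, organization.asResource(), Operation.UPDATE)`; if the two diverge, the menu will show a link the controller rejects or hide one it accepts. Assuming the class is reachable from the template, `@if(AccessControl.isAllowed(UserApp.currentUser(), org.asResource(), Operation.UPDATE)) {` keeps link visibility and enforcement in one place. On the context line after the `</a>`, the closing `<li>` looks like it should be `</li>`, though that predates this change.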