Commit @bd17dce299900ab0ba1f2d01846c706de18d9987

Changsung Kim 2015-01-06

fixes a bug that site admin does not have group admin authorization.

* Issue
    - Logics for site admin authroization are omitted in organization codes.
    - Some validations does not check authroizations and have bugs.

* Solution
    - Bugs are fixed and site admin authroization logics are added.

Private-issue: 1855

@bd17dce299900ab0ba1f2d01846c706de18d9987

9751305

bd17dce

app/controllers/OrganizationApp.java

--- app/controllers/OrganizationApp.java

+++ app/controllers/OrganizationApp.java


 package controllers;
 
 import controllers.annotation.AnonymousCheck;
-import controllers.annotation.IsAllowed;
 import models.*;
 import models.enumeration.Operation;
 import models.enumeration.RequestState;

 import javax.validation.ConstraintViolation;
 import java.io.IOException;
 import java.security.NoSuchAlgorithmException;
-import java.util.Date;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Set;
+import java.util.*;
 
 import static play.data.Form.form;
 import static utils.LogoUtil.*;

         }
 
         User currentUser = UserApp.currentUser();
-        if (!OrganizationUser.isAdmin(organization.id, currentUser.id)) {
+        if (!AccessControl.isAllowed(currentUser, organization.asResource(), Operation.UPDATE)) {
             flash(Constants.WARNING, "organization.member.needManagerRole");
             return redirect(routes.OrganizationApp.members(organizationName));
         }

             flash(Constants.WARNING, "organization.member.needManagerRole");
             return okWithLocation(routes.OrganizationApp.members(organizationName).url());
         }
-        if (OrganizationUser.isAdmin(organization.id, userId) && organization.getAdmins().size() == 1) {
-            flash(Constants.WARNING, "organization.member.atLeastOneAdmin");
-            return okWithLocation(routes.OrganizationApp.members(organizationName).url());
+
+        if (OrganizationUser.isAdmin(organization.id, userId) && organization.getAdmins().size() == 1
+                && roleForm.get().id.equals(RoleType.ORG_MEMBER.roleType())) {
+                    flash(Constants.WARNING, "organization.member.atLeastOneAdmin");
+                    return okWithLocation(routes.OrganizationApp.members(organizationName).url());
         }
 
         return null;

             return new ValidationResult(notFound(getJsonErrorMsg("organization.member.unknownOrganization")), true);
         }
 
-        if (OrganizationUser.isAdmin(organization.id, UserApp.currentUser().id)) {
+        if (!AccessControl.isAllowed(UserApp.currentUser(), organization.asResource(), Operation.LEAVE)) {
             if (OrganizationUser.findAdminsOf(organization).size() == 1) {
                 return new ValidationResult(forbidden(getJsonErrorMsg("organization.member.atLeastOneAdmin")), true);
             }

         }
 
         User currentUser = UserApp.currentUser();
-        if (!OrganizationUser.isAdmin(organization.id, currentUser.id)) {
+        if (!AccessControl.isAllowed(currentUser, organization.asResource(), Operation.UPDATE)) {
             return forbidden(ErrorViews.Forbidden.render("error.forbidden", organization));
         }
 

         Organization organization = Organization.find.byId(modifiedOrganization.id);
         if (organization == null) {
             return notFound(ErrorViews.NotFound.render("organization.member.unknownOrganization"));
+        }
+
+        if (!AccessControl.isAllowed(UserApp.currentUser(), organization.asResource(), Operation.UPDATE)) {
+            flash(Constants.WARNING, "organization.member.needManagerRole");
+            return forbidden(ErrorViews.Forbidden.render("error.forbidden", organization));
         }
 
         if (isDuplicateName(organization, modifiedOrganization)) {

         if (organization == null) {
             return new ValidationResult(notFound(getJsonErrorMsg("organization.member.unknownOrganization")), true);
         }
+        if (!AccessControl.isAllowed(UserApp.currentUser(), organization.asResource(), Operation.DELETE)) {
+            return new ValidationResult(notFound(getJsonErrorMsg("organization.member.needManagerRole")), true);
+        }
         if (organization.projects != null && organization.projects.size() > 0) {
             return new ValidationResult(notFound(getJsonErrorMsg("organization.delete.impossible.project.exist")), true);
         }

9751305

bd17dce

app/views/error/forbidden_organization.scala.html

--- app/views/error/forbidden_organization.scala.html

+++ app/views/error/forbidden_organization.scala.html


 * See the License for the specific language governing permissions and
 * limitations under the License.
 **@
-@(messageKey:String = "error.forbidden", organization: Organization)
+@(messageKey:String = "error.forbidden", org: Organization)
 
-@siteLayout(organization.name, utils.MenuType.NONE) {
-    <div class="site-breadcrumb-outer">
-        <div class="site-breadcrumb-inner">
+@organizationLayout(org.name, utils.MenuType.NONE, org) {
+    @organization.header(org)
+    @organization.menu(org)
+
+    <div class="page-wrap-outer">
+        <div class="project-page-wrap">
             <div class="error-wrap">
                 <i class="ico ico-err2"></i>
                 <p>@Messages(messageKey)</p>

9751305

bd17dce

app/views/organization/menu.scala.html

--- app/views/organization/menu.scala.html

+++ app/views/organization/menu.scala.html


         </ul>
         <div class="project-setting">
             <ul class="project-menu-nav">
-                @if(OrganizationUser.isAdmin(org, UserApp.currentUser)) {
+                @if(OrganizationUser.isAdmin(org, UserApp.currentUser) || UserApp.currentUser().isSiteManager) {
                     <li class="">
                         <a href="@routes.OrganizationApp.settingForm(org.name)">
                             <i class="yobicon-cog"></i>
                             <span class="blind">@Messages("menu.admin")</span>
-
                         </a>
                     <li>
                 }

Add a comment

Open 0
Closed 0

List

...	...	@@ -21,7 +21,6 @@
21	21	package controllers;
22	22
23	23	import controllers.annotation.AnonymousCheck;
24		-import controllers.annotation.IsAllowed;
25	24	import models.*;
26	25	import models.enumeration.Operation;
27	26	import models.enumeration.RequestState;
...	...	@@ -46,10 +45,7 @@
46	45	import javax.validation.ConstraintViolation;
47	46	import java.io.IOException;
48	47	import java.security.NoSuchAlgorithmException;
49		-import java.util.Date;
50		-import java.util.HashMap;
51		-import java.util.Map;
52		-import java.util.Set;
	48	+import java.util.*;
53	49
54	50	import static play.data.Form.form;
55	51	import static utils.LogoUtil.*;
...	...	@@ -152,7 +148,7 @@
152	148	}
153	149
154	150	User currentUser = UserApp.currentUser();
155		- if (!OrganizationUser.isAdmin(organization.id, currentUser.id)) {
	151	+ if (!AccessControl.isAllowed(currentUser, organization.asResource(), Operation.UPDATE)) {
156	152	flash(Constants.WARNING, "organization.member.needManagerRole");
157	153	return redirect(routes.OrganizationApp.members(organizationName));
158	154	}
...	...	@@ -243,9 +239,11 @@
243	239	flash(Constants.WARNING, "organization.member.needManagerRole");
244	240	return okWithLocation(routes.OrganizationApp.members(organizationName).url());
245	241	}
246		- if (OrganizationUser.isAdmin(organization.id, userId) && organization.getAdmins().size() == 1) {
247		- flash(Constants.WARNING, "organization.member.atLeastOneAdmin");
248		- return okWithLocation(routes.OrganizationApp.members(organizationName).url());
	242	+
	243	+ if (OrganizationUser.isAdmin(organization.id, userId) && organization.getAdmins().size() == 1
	244	+ && roleForm.get().id.equals(RoleType.ORG_MEMBER.roleType())) {
	245	+ flash(Constants.WARNING, "organization.member.atLeastOneAdmin");
	246	+ return okWithLocation(routes.OrganizationApp.members(organizationName).url());
249	247	}
250	248
251	249	return null;
...	...	@@ -270,7 +268,7 @@
270	268	return new ValidationResult(notFound(getJsonErrorMsg("organization.member.unknownOrganization")), true);
271	269	}
272	270
273		- if (OrganizationUser.isAdmin(organization.id, UserApp.currentUser().id)) {
	271	+ if (!AccessControl.isAllowed(UserApp.currentUser(), organization.asResource(), Operation.LEAVE)) {
274	272	if (OrganizationUser.findAdminsOf(organization).size() == 1) {
275	273	return new ValidationResult(forbidden(getJsonErrorMsg("organization.member.atLeastOneAdmin")), true);
276	274	}
...	...	@@ -303,7 +301,7 @@
303	301	}
304	302
305	303	User currentUser = UserApp.currentUser();
306		- if (!OrganizationUser.isAdmin(organization.id, currentUser.id)) {
	304	+ if (!AccessControl.isAllowed(currentUser, organization.asResource(), Operation.UPDATE)) {
307	305	return forbidden(ErrorViews.Forbidden.render("error.forbidden", organization));
308	306	}
309	307
...	...	@@ -361,6 +359,11 @@
361	359	Organization organization = Organization.find.byId(modifiedOrganization.id);
362	360	if (organization == null) {
363	361	return notFound(ErrorViews.NotFound.render("organization.member.unknownOrganization"));
	362	+ }
	363	+
	364	+ if (!AccessControl.isAllowed(UserApp.currentUser(), organization.asResource(), Operation.UPDATE)) {
	365	+ flash(Constants.WARNING, "organization.member.needManagerRole");
	366	+ return forbidden(ErrorViews.Forbidden.render("error.forbidden", organization));
364	367	}
365	368
366	369	if (isDuplicateName(organization, modifiedOrganization)) {
...	...	@@ -435,6 +438,9 @@
435	438	if (organization == null) {
436	439	return new ValidationResult(notFound(getJsonErrorMsg("organization.member.unknownOrganization")), true);
437	440	}
	441	+ if (!AccessControl.isAllowed(UserApp.currentUser(), organization.asResource(), Operation.DELETE)) {
	442	+ return new ValidationResult(notFound(getJsonErrorMsg("organization.member.needManagerRole")), true);
	443	+ }
438	444	if (organization.projects != null && organization.projects.size() > 0) {
439	445	return new ValidationResult(notFound(getJsonErrorMsg("organization.delete.impossible.project.exist")), true);
440	446	}

...	...	@@ -31,12 +31,11 @@
31	31	</ul>
32	32	<div class="project-setting">
33	33	<ul class="project-menu-nav">
34		- @if(OrganizationUser.isAdmin(org, UserApp.currentUser)) {
	34	+ @if(OrganizationUser.isAdmin(org, UserApp.currentUser) \|\| UserApp.currentUser().isSiteManager) {
35	35	<li class="">
36	36	<a href="@routes.OrganizationApp.settingForm(org.name)">
37	37	<i class="yobicon-cog"></i>
38	38	<span class="blind">@Messages("menu.admin")</span>
39		-
40	39	</a>
41	40	<li>
42	41	}

...	...	@@ -18,11 +18,14 @@
18	18	* See the License for the specific language governing permissions and
19	19	* limitations under the License.
20	20	**@
21		-@(messageKey:String = "error.forbidden", organization: Organization)
	21	+@(messageKey:String = "error.forbidden", org: Organization)
22	22
23		-@siteLayout(organization.name, utils.MenuType.NONE) {
24		- <div class="site-breadcrumb-outer">
25		- <div class="site-breadcrumb-inner">
	23	+@organizationLayout(org.name, utils.MenuType.NONE, org) {
	24	+ @organization.header(org)
	25	+ @organization.menu(org)
	26	+
	27	+ <div class="page-wrap-outer">
	28	+ <div class="project-page-wrap">
26	29	<div class="error-wrap">
27	30	<i class="ico ico-err2"></i>
28	31	<p>@Messages(messageKey)</p>

Delete comment