diff src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorResourceImpl.java @ 105:7417f5915181 default tip
check admin permission before changing permissions.
Enum for type-safe actions.
author | casties |
date | Fri, 10 Feb 2017 15:45:35 +0100 |
parents | 9140017e8962 |
children |
--- a/src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorResourceImpl.java Fri Feb 10 15:02:32 2017 +0100
+++ b/src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorResourceImpl.java Fri Feb 10 15:45:35 2017 +0100
@@ -56,6 +56,7 @@
 import de.mpiwg.itgroup.annotations.Actor;
 import de.mpiwg.itgroup.annotations.Annotation;
+import de.mpiwg.itgroup.annotations.Annotation.Action;
 import de.mpiwg.itgroup.annotations.Annotation.FragmentTypes;
 import de.mpiwg.itgroup.annotations.Group;
 import de.mpiwg.itgroup.annotations.Person;
@@ -679,29 +680,32 @@
 /*
 * permissions
 */
- if (jo.has("permissions")) {
- JSONObject permissions = jo.getJSONObject("permissions");
- if (permissions.has("admin")) {
- JSONArray perms = permissions.getJSONArray("admin");
- Actor actor = getActorFromPermissions(perms);
- annot.setAdminPermission(actor);
- }
- if (permissions.has("delete")) {
- JSONArray perms = permissions.getJSONArray("delete");
- Actor actor = getActorFromPermissions(perms);
- annot.setDeletePermission(actor);
- }
- if (permissions.has("update")) {
- JSONArray perms = permissions.getJSONArray("update");
- Actor actor = getActorFromPermissions(perms);
- annot.setUpdatePermission(actor);
- }
- if (permissions.has("read")) {
- JSONArray perms = permissions.getJSONArray("read");
- Actor actor = getActorFromPermissions(perms);
- annot.setReadPermission(actor);
- }
- }
+ if (jo.has("permissions")) {
+ // change permissions only if user has admin permission
+ if (annot.isActionAllowed(Action.admin, authUser, getAnnotationStore())) {
+ JSONObject permissions = jo.getJSONObject("permissions");
+ if (permissions.has("admin")) {
+ JSONArray perms = permissions.getJSONArray("admin");
+ Actor actor = getActorFromPermissions(perms);
+ annot.setAdminPermission(actor);
+ }
+ if (permissions.has("delete")) {
+ JSONArray perms = permissions.getJSONArray("delete");
+ Actor actor = getActorFromPermissions(perms);
+ annot.setDeletePermission(actor);
+ }
+ if (permissions.has("update")) {
+ JSONArray perms = permissions.getJSONArray("update");
+ Actor actor = getActorFromPermissions(perms);
+ annot.setUpdatePermission(actor);
+ }
+ if (permissions.has("read")) {
+ JSONArray perms = permissions.getJSONArray("read");
+ Actor actor = getActorFromPermissions(perms);
+ annot.setReadPermission(actor);
+ }
+ }
+ }
 /*
 * tags