diff src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorResourceImpl.java @ 105:7417f5915181 default tip

Check admin permission before changing permissions; use an enum for type-safe actions.
author casties
date Fri, 10 Feb 2017 15:45:35 +0100
parents 9140017e8962
children
--- a/src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorResourceImpl.java	Fri Feb 10 15:02:32 2017 +0100
+++ b/src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorResourceImpl.java	Fri Feb 10 15:45:35 2017 +0100
@@ -56,6 +56,7 @@
 
 import de.mpiwg.itgroup.annotations.Actor;
 import de.mpiwg.itgroup.annotations.Annotation;
+import de.mpiwg.itgroup.annotations.Annotation.Action;
 import de.mpiwg.itgroup.annotations.Annotation.FragmentTypes;
 import de.mpiwg.itgroup.annotations.Group;
 import de.mpiwg.itgroup.annotations.Person;
@@ -679,29 +680,32 @@
         /*
          * permissions
          */
-        if (jo.has("permissions")) {
-            JSONObject permissions = jo.getJSONObject("permissions");
-            if (permissions.has("admin")) {
-                JSONArray perms = permissions.getJSONArray("admin");
-                Actor actor = getActorFromPermissions(perms);
-                annot.setAdminPermission(actor);
-            }
-            if (permissions.has("delete")) {
-                JSONArray perms = permissions.getJSONArray("delete");
-                Actor actor = getActorFromPermissions(perms);
-                annot.setDeletePermission(actor);
-            }
-            if (permissions.has("update")) {
-                JSONArray perms = permissions.getJSONArray("update");
-                Actor actor = getActorFromPermissions(perms);
-                annot.setUpdatePermission(actor);
-            }
-            if (permissions.has("read")) {
-                JSONArray perms = permissions.getJSONArray("read");
-                Actor actor = getActorFromPermissions(perms);
-                annot.setReadPermission(actor);
-            }
-        }
+		if (jo.has("permissions")) {
+			// change permissions only if user has admin permission
+			if (annot.isActionAllowed(Action.admin, authUser, getAnnotationStore())) {
+				JSONObject permissions = jo.getJSONObject("permissions");
+				if (permissions.has("admin")) {
+					JSONArray perms = permissions.getJSONArray("admin");
+					Actor actor = getActorFromPermissions(perms);
+					annot.setAdminPermission(actor);
+				}
+				if (permissions.has("delete")) {
+					JSONArray perms = permissions.getJSONArray("delete");
+					Actor actor = getActorFromPermissions(perms);
+					annot.setDeletePermission(actor);
+				}
+				if (permissions.has("update")) {
+					JSONArray perms = permissions.getJSONArray("update");
+					Actor actor = getActorFromPermissions(perms);
+					annot.setUpdatePermission(actor);
+				}
+				if (permissions.has("read")) {
+					JSONArray perms = permissions.getJSONArray("read");
+					Actor actor = getActorFromPermissions(perms);
+					annot.setReadPermission(actor);
+				}
+			}
+		}
 
         /*
          * tags
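Review bot: A request from a user without admin permission that carries a `permissions` object is silently dropped at the new `if (annot.isActionAllowed(Action.admin, authUser, getAnnotationStore()))` check — the remainder of the update still proceeds and nothing in the hunk signals to the caller or to a log that the permission change was refused. Consider rejecting the request explicitly (throwing here, or having the caller translate a refusal into a 403-style response) or at least adding an `else` branch that logs the denied attempt with the acting user and the affected annotation, using whatever logger this class already has, so the rejection is auditable rather than invisible. If this method is also reached when an annotation is first created, confirm that `isActionAllowed` returns true while no admin permission has been stored yet; otherwise a newly created annotation could never be given permissions through this path. On style, the new block is indented with tabs while the surrounding code (the removed lines and the `tags` section that follows) uses four spaces, so the file now mixes both. The enclosing method starts and ends outside the hunk, and `authUser` is defined outside it as well.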