This is an automated email from the git hooks/post-receive script. New commit to branch develop in repository coselmar. See http://git.codelutin.com/coselmar.git commit 78b17b9621323d355d56c65f8564b56c09144f32 Author: Yannick Martel <martel@©odelutin.com> Date: Tue Jan 20 15:11:55 2015 +0100 supervisor is able to edit client profile --- .../coselmar/services/v1/UsersWebService.java | 27 ++++++++++++++++------ .../main/webapp/views/users/supervisorUsers.html | 16 ++++++++++--- 2 files changed, 33 insertions(+), 10 deletions(-)
diff --git a/coselmar-rest/src/main/java/fr/ifremer/coselmar/services/v1/UsersWebService.java b/coselmar-rest/src/main/java/fr/ifremer/coselmar/services/v1/UsersWebService.java
index 4f31179..77c55b1 100644
--- a/coselmar-rest/src/main/java/fr/ifremer/coselmar/services/v1/UsersWebService.java
+++ b/coselmar-rest/src/main/java/fr/ifremer/coselmar/services/v1/UsersWebService.java
@@ -75,9 +75,12 @@ public class UsersWebService extends CoselmarWebServiceSupport {
 String authorization = getContext().getHeader("Authorization");
 UserWebToken userWebToken = checkAuthentication(authorization);
- // Who is allowed here ? Admin and user himself
- if (!StringUtils.equals(userWebToken.getRole(), CoselmarUserRole.ADMIN.name())
- && !StringUtils.equals(userWebToken.getUserId(), userId)) {
+ // Who is allowed here ? Admin and user himself and Supervisor if user wanted is client
+ boolean isAdmin = StringUtils.equals(userWebToken.getRole(), CoselmarUserRole.ADMIN.name());
+ boolean isSupervisor = StringUtils.equals(userWebToken.getRole(), CoselmarUserRole.SUPERVISOR.name());
+ boolean isHimself = StringUtils.equals(userWebToken.getUserId(), userId);
+
+ if (!isAdmin && !isSupervisor && !isHimself) {
 if (log.isDebugEnabled()) {
 String message = String.format("A non admin user try to see account details with shortId '%s'", userId);
 log.debug(message);
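Review bot: The debug message inside the new `if (!isAdmin && !isSupervisor && !isHimself)` branch still reads `A non admin user try to see account details`, although a SUPERVISOR token now passes this gate and the "if user wanted is client" condition named in the new comment is not checked at this point at all. Suggest making the comment say where that condition is enforced, e.g. `// Supervisor is let through here; the target account's role is verified once the entity is loaded below`, and rewording the message to `"A user without admin/supervisor/self rights tried to see account details with shortId '%s'"`. The method containing this hunk starts before it and continues past its last line.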
@@ -89,6 +92,15 @@ public class UsersWebService extends CoselmarWebServiceSupport {
 String fullId = CoselmarUser.class.getCanonicalName() + getPersistenceContext().getTopiaIdFactory().getSeparator() + userId;
 CoselmarUser user = getCoselmarUserDao().forTopiaIdEquals(fullId).findUnique();
+
+ if (isSupervisor && user.getRole() != CoselmarUserRole.CLIENT) {
+ if (log.isDebugEnabled()) {
+ String message = String.format("A supervisor user try to see non client account details with shortId '%s'", userId);
+ log.debug(message);
+ }
+ throw new UnauthorizedException("Not allowed to see user details");
+ }
+
 UserBean userBean = BeanEntityConverter.toBean(userId, user);
 return userBean;
 }
@@ -203,6 +215,7 @@ public class UsersWebService extends CoselmarWebServiceSupport {
 UserWebToken userWebToken = checkAuthentication(authorization);
 boolean isAdmin = StringUtils.equals(userWebToken.getRole(), CoselmarUserRole.ADMIN.name());
+ boolean isSupervisor4Client = StringUtils.equals(userWebToken.getRole(), CoselmarUserRole.SUPERVISOR.name()) && StringUtils.equals(user.getRole(), CoselmarUserRole.CLIENT.name());
 String userId = user.getId();
 if (StringUtils.isBlank(userId)) {
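Review bot: In the `@@ -203` hunk, `isSupervisor4Client` is derived from `user.getRole()`, i.e. the role field of the submitted UserBean rather than the stored account, so the supervisor's authorization depends on a value the caller provides; the `@@ -210` and `@@ -229` hunks then rely on that flag to skip both the mandatory-password rule and `checkPassword`. The stored `CoselmarUser` is only loaded later (`findAny()` in the `@@ -229` hunk), so the client-role test should be made after that lookup and use `coselmarUser.getRole() == CoselmarUserRole.CLIENT`, exactly as the read path does in the `@@ -89` hunk. That means moving the `fullId`/`findAny()` lookup ahead of the password and "who is allowed" checks, which mirrors the ordering already used by the read path. The enclosing method starts before this hunk and continues beyond it, and whether the update later copies `user.getRole()` onto the entity is not visible here.
```java
boolean isAdmin = StringUtils.equals(userWebToken.getRole(), CoselmarUserRole.ADMIN.name());
boolean isSupervisor = StringUtils.equals(userWebToken.getRole(), CoselmarUserRole.SUPERVISOR.name());
// … unchanged: userId blank check, fullId computation …
CoselmarUser coselmarUser = getCoselmarUserDao().forTopiaIdEquals(fullId).findAny();
// Decide on the stored role, never on the role sent in the request body
boolean isSupervisor4Client = isSupervisor && coselmarUser.getRole() == CoselmarUserRole.CLIENT;
// Admin does not need to give password, he should not know it anyway !
if (StringUtils.isBlank(user.getPassword()) && !isAdmin && !isSupervisor4Client) {
    throw new InvalidParameterException("User.password is mandatory");
}
// Who is allowed here ? Admin, user himself, and Supervisor for a CLIENT account
if (!isAdmin && !StringUtils.equals(userWebToken.getUserId(), userId) && !isSupervisor4Client) {
    // … unchanged: debug log and UnauthorizedException …
}
// Last check : the password
if (!isAdmin && !isSupervisor4Client) {
    checkPassword(coselmarUser.getPassword(), coselmarUser.getSalt(), user.getPassword());
}
```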
@@ -210,12 +223,12 @@ public class UsersWebService extends CoselmarWebServiceSupport {
 }
 // Admin does not need to give password, he should not know it anyway !
- if (StringUtils.isBlank(user.getPassword()) && !isAdmin) {
+ if (StringUtils.isBlank(user.getPassword()) && !isAdmin && !isSupervisor4Client) {
 throw new InvalidParameterException("User.password is mandatory");
 }
- // Who is allowed here ? Admin and user himself only
- if (!isAdmin && !StringUtils.equals(userWebToken.getUserId(), userId)) {
+ // Who is allowed here ? Admin and user himself only and Supervisor if it is a "client" type user
+ if (!isAdmin && !StringUtils.equals(userWebToken.getUserId(), userId) && !isSupervisor4Client) {
 if (log.isDebugEnabled()) {
 String message = String.format("A non admin user try to modify account details with shortId '%s'", userId);
 log.debug(message);
@@ -229,7 +242,7 @@ public class UsersWebService extends CoselmarWebServiceSupport {
 CoselmarUser coselmarUser = getCoselmarUserDao().forTopiaIdEquals(fullId).findAny();
 // Last check : the password
- if (!isAdmin) {
+ if (!isAdmin && !isSupervisor4Client) {
 checkPassword(coselmarUser.getPassword(), coselmarUser.getSalt(), user.getPassword());
 }
diff --git a/coselmar-ui/src/main/webapp/views/users/supervisorUsers.html b/coselmar-ui/src/main/webapp/views/users/supervisorUsers.html
index e28eb42..cfc613b 100644
--- a/coselmar-ui/src/main/webapp/views/users/supervisorUsers.html
+++ b/coselmar-ui/src/main/webapp/views/users/supervisorUsers.html
@@ -80,11 +80,21 @@
 <td>{{user.role}}</td>
 <td ng-if="user.active">Active</td>
 <td ng-if="!user.active">Disable</td>
- <td>
- <a class="btn btn-action btn-edit" href="#/users/{{user.id}}?edit" ng-if="user.role == 'CLIENT'">
- <span class="glyphicon glyphicon-edit" aria-hidden="true"></span>Modify
+ <td ng-if="user.role == 'CLIENT'">
+ <a class="btn btn-action btn-edit" href="#/users/{{user.id}}?edit">
+ <span class="fa fa-edit" aria-hidden="true"></span>Modify
+ </a>
+ <a class="btn btn-action btn-disable" ng-if="user.active"
+ ng-confirm-message="Do you really want to disable this user ?"
+ ng-confirm-click="disableUser(user)">
+ <span class="fa fa-remove" aria-hidden="true"></span>Disable
+ </a>
+ <a class="btn btn-action" ng-if="!user.active"
+ ng-click="enableUser(user)">
+ <span class="fa fa-remove" aria-hidden="true"></span>Enable
 </a>
 </td>
+ <td ng-if="user.role != 'CLIENT'"></td>
 </tr>
 </table>
 </div>
\ No newline at end of file
-- To stop receiving notification emails like this one, please contact codelutin.com SCM administrator <admin+scm@codelutin.com>.
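Review bot: The new Enable link reuses `fa fa-remove`, the same icon as the Disable link directly above it, so the two opposite actions look identical; this is presumably a copy-paste leftover and should use a distinct icon, for example `<span class="fa fa-check" aria-hidden="true"></span>Enable`. Disable asks for confirmation through ng-confirm-message while Enable fires on a plain ng-click; if that asymmetry is intended, a short comment in the template would save the next reader from "fixing" it. The `disableUser`/`enableUser` handlers are referenced but not defined in this commit, and since `ng-if` only hides the buttons, the role checks in UsersWebService remain the actual access control.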