This is an automated email from the git hooks/post-receive script. New commit to branch feature/permissionPollRestricted in repository pollen. See http://git.chorem.org/pollen.git commit 3838769200c66c5f4aac0384ae4cf8ed6c47874c Author: Adrien Garandel <a.garandel@dralagen.fr> Date: Tue Aug 5 15:52:17 2014 +0200 add security for vote visibility, review comment visibility --- .../pollen/services/service/VoteService.java | 9 ++- .../services/service/security/SecurityService.java | 88 +++++++++++++++------- .../src/main/webapp/js/controllers/pollCtrl.js | 24 +++--- 3 files changed, 78 insertions(+), 43 deletions(-) diff --git a/pollen-services/src/main/java/org/chorem/pollen/services/service/VoteService.java b/pollen-services/src/main/java/org/chorem/pollen/services/service/VoteService.java index b1bf6ad..4096c22 100644 --- a/pollen-services/src/main/java/org/chorem/pollen/services/service/VoteService.java +++ b/pollen-services/src/main/java/org/chorem/pollen/services/service/VoteService.java @@ -81,7 +81,14 @@ public class VoteService extends PollenServiceSupport { checkNotNull(pollId); Poll poll = getPollService().getPoll0(pollId); - List<Vote> votes = getVotes0(poll); + List<Vote> allVotes = getVotes0(poll); + List<Vote> votes = new ArrayList<>(); + + for (Vote vote : allVotes) { + if (isPermitted(PermissionVerb.readVote, vote.getTopiaId())) { + votes.add(vote); + } + } List<VoteBean> voteBeans = toBeanList(VoteBean.class, votes, voteBeanFunction); return voteBeans; diff --git a/pollen-services/src/main/java/org/chorem/pollen/services/service/security/SecurityService.java b/pollen-services/src/main/java/org/chorem/pollen/services/service/security/SecurityService.java index 9266e17..09c9d23 100644 --- a/pollen-services/src/main/java/org/chorem/pollen/services/service/security/SecurityService.java +++ b/pollen-services/src/main/java/org/chorem/pollen/services/service/security/SecurityService.java 
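Review bot: The new loop silently narrows the result to the votes for which the caller holds a per-vote `readVote` permission, so the list returned (and its size) now depends on who is asking; that contract is not stated anywhere and belongs above the loop, e.g. `// keep only the votes the current principal may read; a poll whose votes are hidden from this principal yields an empty list`. Because one `isPermitted` lookup runs per vote, the cost of this method grows with the poll's vote count, which is presumably acceptable but worth a comment if polls can be large. The hunk also introduces `new ArrayList<>()`, so `java.util.ArrayList` must already be imported in this file, which the hunk does not show. The enclosing method starts before the hunk.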
@@ -400,19 +400,7 @@ public class SecurityService extends PollenServiceSupport { } for (Poll poll : invitedPoll) { - generatePollPublicPermission(permissions, poll); - - if (poll.getCommentVisibility() == CommentVisibility.VOTER) { - permissions.add(createSubjectPermission(PermissionVerb.readComment, poll)); - } - - if (poll.getVoteVisibility() == VoteVisibility.VOTER) { - permissions.add(createSubjectPermission(PermissionVerb.readVote, poll)); - } - - if (poll.getResultVisibility() == ResultVisibility.VOTER && (poll.isClosed() || poll.isContinuousResults())) { - permissions.add(createSubjectPermission(PermissionVerb.readPollResult, poll)); - } + generatePollVoterPermission(permissions, poll); } PrincipalByType principalByType = resolvePrincipals(principals); @@ -438,6 +426,10 @@ public class SecurityService extends PollenServiceSupport { if (vote.getPoll().getPollType() != PollType.FREE) { permissions.remove(createSubjectPermission(PermissionVerb.addVote, vote.getPoll())); } + + if (vote.getPoll().getVoteVisibility() == VoteVisibility.VOTER) { + generatePollVoterPermission(permissions, vote.getPoll()); + } } for (Poll poll : principalByType.polls) { @@ -456,11 +448,13 @@ public class SecurityService extends PollenServiceSupport { } // add vote permissions - List<Vote> votes = getVoteDao().forPollEquals(poll).findAll(); - if (CollectionUtils.isNotEmpty(votes)) { - for (Vote vote : votes) { - permissions.add(createSubjectPermission(PermissionVerb.readVote, vote)); + + if (poll.getVoteVisibility() != VoteVisibility.ANONYMOUS) { + if ( CollectionUtils.isNotEmpty(votes) ) { + for ( Vote vote : votes ) { + permissions.add(createSubjectPermission(PermissionVerb.readVote, vote)); + } } } 
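Review bot: In the hunk at `@@ -438,6 +426,10 @@`, gating the call on `vote.getPoll().getVoteVisibility() == VoteVisibility.VOTER` is narrower than what `generatePollVoterPermission` grants: that helper (hunk `@@ -515`) adds readComment when comment visibility is VOTER and readPollResult when result visibility is VOTER, each behind its own check, so a principal who voted on a poll whose vote visibility is EVERYBODY or ANONYMOUS but whose comment or result visibility is VOTER receives neither grant here. The only other caller visible, the `invitedPoll` loop in the first hunk, calls it unconditionally and covers invited polls only, so unless voters are handled on another path this loop should do the same: `generatePollVoterPermission(permissions, vote.getPoll());` with the outer `if` removed. The enclosing loop starts before the hunk.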
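Review bot: In the hunk at `@@ -456,11 +448,13 @@`, the added branch still reads `votes`, but the only declaration in view, `List<Vote> votes = getVoteDao().forPollEquals(poll).findAll();`, is removed in the same hunk; unless `votes` is declared earlier in the loop body outside the hunk, this no longer compiles and the declaration should be restored inside the new `if`. The spacing in `if ( CollectionUtils.isNotEmpty(votes) )` and `for ( Vote vote : votes )` also departs from the `if (...)` / `for (...)` form used everywhere else in these hunks. The enclosing loop over `principalByType.polls` starts before the hunk.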
@@ -487,15 +481,36 @@ public class SecurityService extends PollenServiceSupport { protected void generatePollPublicPermission(Set<String> permissions, Poll poll) { permissions.add(createSubjectPermission(PermissionVerb.readPoll, poll)); - permissions.add(createSubjectPermission(PermissionVerb.addVote, poll)); permissions.add(createSubjectPermission(PermissionVerb.addComment, poll)); + if (!poll.isClosed()) { + permissions.add(createSubjectPermission(PermissionVerb.addVote, poll)); + } + if (poll.getCommentVisibility() == CommentVisibility.EVERYBODY) { permissions.add(createSubjectPermission(PermissionVerb.readComment, poll)); + + // add comment permissions + + List<Comment> comments = getCommentDao().forPollEquals(poll).findAll(); + if (CollectionUtils.isNotEmpty(comments)) { + for (Comment comment : comments) { + permissions.add(createSubjectPermission(PermissionVerb.readComment, comment)); + } + } } if (poll.getVoteVisibility() == VoteVisibility.EVERYBODY) { permissions.add(createSubjectPermission(PermissionVerb.readVote, poll)); + + // add vote permissions + + List<Vote> votes = getVoteDao().forPollEquals(poll).findAll(); + if (CollectionUtils.isNotEmpty(votes)) { + for (Vote vote : votes) { + permissions.add(createSubjectPermission(PermissionVerb.readVote, vote)); + } + } } if (poll.getResultVisibility() == ResultVisibility.EVERYBODY && (poll.isClosed() || poll.isContinuousResults())) { 
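Review bot: The two DAO-backed loops that grant readComment on every comment and readVote on every vote are pasted here and again, verbatim, in `generatePollVoterPermission` (hunk `@@ -515,23 +530,40 @@`), which makes four copies of security-relevant code that must stay in sync. Extracting them into two small helpers keeps each visibility check in one place and makes the grant per subject easy to audit; the EVERYBODY and VOTER branches then differ only in the visibility they test. Note also that these helpers load every vote and comment of the poll on each call, and `generatePollPublicPermission` is reached from the invited-poll loop, from `generatePollVoterPermission` and (per the `@@ -438` hunk) once per vote of the principal, so the same poll may be loaded several times while one permission set is built. The result-visibility block and the rest of `generatePollPublicPermission` continue past the hunk.
```java
    if (poll.getCommentVisibility() == CommentVisibility.EVERYBODY) {
        permissions.add(createSubjectPermission(PermissionVerb.readComment, poll));
        addCommentPermissions(permissions, poll);
    }

    if (poll.getVoteVisibility() == VoteVisibility.EVERYBODY) {
        permissions.add(createSubjectPermission(PermissionVerb.readVote, poll));
        addVotePermissions(permissions, poll);
    }
    // … unchanged: result visibility block and remainder of generatePollPublicPermission …

/** Grants readComment on each comment of {@code poll}; the caller has already checked the poll's comment visibility. */
protected void addCommentPermissions(Set<String> permissions, Poll poll) {
    List<Comment> comments = getCommentDao().forPollEquals(poll).findAll();
    if (CollectionUtils.isNotEmpty(comments)) {
        for (Comment comment : comments) {
            permissions.add(createSubjectPermission(PermissionVerb.readComment, comment));
        }
    }
}

/** Grants readVote on each vote of {@code poll}; the caller has already checked the poll's vote visibility. */
protected void addVotePermissions(Set<String> permissions, Poll poll) {
    List<Vote> votes = getVoteDao().forPollEquals(poll).findAll();
    if (CollectionUtils.isNotEmpty(votes)) {
        for (Vote vote : votes) {
            permissions.add(createSubjectPermission(PermissionVerb.readVote, vote));
        }
    }
}
```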
@@ -515,23 +530,40 @@ public class SecurityService extends PollenServiceSupport { } } - // add comment permissions + } + + protected void generatePollVoterPermission(Set<String> permissions, Poll poll) { + generatePollPublicPermission(permissions, poll); + + if (poll.getCommentVisibility() == CommentVisibility.VOTER) { + permissions.add(createSubjectPermission(PermissionVerb.readComment, poll)); - List<Comment> comments = getCommentDao().forPollEquals(poll).findAll(); - if (CollectionUtils.isNotEmpty(comments)) { - for (Comment comment : comments) { - permissions.add(createSubjectPermission(PermissionVerb.readComment, comment)); + // add comment permissions + + List<Comment> comments = getCommentDao().forPollEquals(poll).findAll(); + if (CollectionUtils.isNotEmpty(comments)) { + for (Comment comment : comments) { + permissions.add(createSubjectPermission(PermissionVerb.readComment, comment)); + } } } - // add vote permissions + if (poll.getVoteVisibility() == VoteVisibility.VOTER) { + permissions.add(createSubjectPermission(PermissionVerb.readVote, poll)); - List<Vote> votes = getVoteDao().forPollEquals(poll).findAll(); - if (CollectionUtils.isNotEmpty(votes)) { - for (Vote vote : votes) { - permissions.add(createSubjectPermission(PermissionVerb.readVote, vote)); + // add vote permissions + + List<Vote> votes = getVoteDao().forPollEquals(poll).findAll(); + if (CollectionUtils.isNotEmpty(votes)) { + for (Vote vote : votes) { + permissions.add(createSubjectPermission(PermissionVerb.readVote, vote)); + } } } + + if (poll.getResultVisibility() == ResultVisibility.VOTER && (poll.isClosed() || poll.isContinuousResults())) { + permissions.add(createSubjectPermission(PermissionVerb.readPollResult, poll)); + } } protected PrincipalByType resolvePrincipals(Set<PollenPrincipal> principals) { diff --git a/pollen-ui-angular/src/main/webapp/js/controllers/pollCtrl.js b/pollen-ui-angular/src/main/webapp/js/controllers/pollCtrl.js index 093bc6e..1405d47 100644 
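Review bot: The new `generatePollVoterPermission` has no Javadoc, and since it is the method that decides what a voter (or, per the first hunk, an invitee) may read, its contract should be written down next to it. A short Javadoc stating that it first grants the public permission set via `generatePollPublicPermission`, then adds the poll-level and per-subject readComment and readVote grants when the corresponding visibility is VOTER, and readPollResult only when result visibility is VOTER and the poll is closed or publishes continuous results, would let a reviewer check each grant against the visibility it depends on. It is also worth noting in that Javadoc that the caller is responsible for establishing that the principal actually is a voter or invitee, as the method itself does not check that.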
--- a/pollen-ui-angular/src/main/webapp/js/controllers/pollCtrl.js +++ b/pollen-ui-angular/src/main/webapp/js/controllers/pollCtrl.js @@ -1089,23 +1089,19 @@ angular.module('pollControllers', ['ngRoute', 'pollenServices', 'pascalprecht.tr $scope.data.choices = choices; }).$promise; - if ($scope.data.poll.voteIsVisible) { - pollChoicePromise.then(function () { - PollVote.query({pollId:$routeParams.pollId, permission:$routeParams.voteToken}, function (votes) { - $scope.data.votants = votes; - angular.forEach($scope.data.votants, function (voter) { - angular.forEach(voter.choice, function (choice) { - choice.voteValue = $scope.getVoteValue(choice.voteValue); - }); - for (var i = voter.choice.length; i < $scope.data.choices.length; ++i) { - voter.choice.push({choiceId: $scope.data.choices[i].id, voteValue : $scope.getVoteValue(null)}); - } + pollChoicePromise.then(function () { + PollVote.query({pollId:$routeParams.pollId, permission:$routeParams.voteToken}, function (votes) { + $scope.data.votants = votes; + angular.forEach($scope.data.votants, function (voter) { + angular.forEach(voter.choice, function (choice) { + choice.voteValue = $scope.getVoteValue(choice.voteValue); }); + for (var i = voter.choice.length; i < $scope.data.choices.length; ++i) { + voter.choice.push({choiceId: $scope.data.choices[i].id, voteValue : $scope.getVoteValue(null)}); + } }); }); - } else { - $scope.data.votants = []; - } + }); $q.all([$scope.pollDeferred.promise, pollChoicePromise]).then(function() { initVote(); -- To stop receiving notification emails like this one, please contact chorem.org SCM administrator <admin+scm@chorem.org>.
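Review bot: With the `voteIsVisible` branch gone, `$scope.data.votants` is now assigned only inside the success callback of `PollVote.query`, whereas the removed `else` branch used to leave it as `[]`; if the query fails (for instance when the server rejects the request for a poll whose votes are hidden), `votants` is never set and any template iterating over it sees `undefined`. Initialising it before the call, `$scope.data.votants = [];`, or passing an error callback that sets it, restores the old guarantee. Moving the visibility decision to the server is the right direction, but it is worth a one-line comment here that the list comes back already filtered by the caller's permissions, so nothing on the client should treat its length as the real vote count. The enclosing function starts before the hunk.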