// check from the backlogId if the associated product is accessible for the current user
 private boolean checkAccess(int backlogId) {
   Product product = (backlogBusiness.getParentProduct(backlogBusiness.retrieve(backlogId)));
   User user = SecurityUtil.getLoggedUser();
   Collection<Team> teams = user.getTeams();
   for (Iterator<Team> iter = teams.iterator(); iter.hasNext(); ) {
     Team team = (Team) iter.next();
     if (team.getProducts().contains(product)) {
       return false;
     }
   }
   return true;
 }
Пример #2
0
  @Override
  public String intercept(ActionInvocation invocation) throws Exception {
    // System.out.println("URL: " + ServletActionContext.getRequest().getRequestURL().toString());
    HttpServletRequest req = ServletActionContext.getRequest();
    String actionName = ServletActionContext.getActionMapping().getName();

    User loggedUser =
        SecurityUtil
            .getLoggedUser(); // SecurityUtil.getLoggedUser() can't get all needed information of
                              // user -> should retrieve by making new user.
    User user = userBusiness.retrieve(loggedUser.getId());

    boolean admin = user.isAdmin();
    boolean readOnly = user.getName().equals("readonly");
    boolean access = false;

    if (admin) {
      // if admin, everything is fine
      access = true;
    } else if (readOnly) {
      // check read only operations
      if (actionName.equals("ROIterationHistoryByToken")
          || actionName.equals("ROIterationMetricsByToken")
          || actionName.equals(("ROIterationData"))) {
        access = true;
      }
    } else {
      if (actionName.equals("createTeam")
          || actionName.equals("deleteTeam")
          || actionName.equals("deleteTeamForm")
          || actionName.equals("storeTeam")
          || actionName.equals("storeNewTeam")) {

        // these are admin-only operations
        access = false;

      } else if (actionName.equals("storeUserAndRedirect")) {
        Map params = req.getParameterMap();
        boolean attemptAdmin = params.containsKey("user.admin");
        int id = Integer.parseInt(((String[]) params.get("userId"))[0]);
        if (id == user.getId() && !attemptAdmin) {
          access = true;
        }
      } else if (actionName.equals("storeUser")) {

        // check if ID is of current user, and what is being stored
        // can't set user.admin or team
        Map params = req.getParameterMap();
        boolean attemptAdmin = params.containsKey("user.admin");
        boolean attemptTeam = params.containsKey("teamsChanged") || params.containsKey("teamIds");
        int id = Integer.parseInt(((String[]) params.get("userId"))[0]);

        if (id == user.getId() && !attemptAdmin && !attemptTeam) {
          // check not setting user.admin
          access = true;
        }
      } else if (actionName.equals("storeNewUser")) {
        Map params = req.getParameterMap();
        boolean attemptToCreateNonAdmin =
            params.containsKey("user.admin")
                && ((String[]) params.get("user.admin"))[0].equals("false");
        // Non admins can create only other non admin users
        if (attemptToCreateNonAdmin) {
          // Non admins can only add new users to their teams
          if (params.containsKey("teamIds")) {
            Set<String> myTeamIds = new HashSet<String>();
            for (Team team : user.getTeams()) {
              myTeamIds.add("" + team.getId());
            }
            String[] teamIds = (String[]) params.get("teamIds");
            Set<String> newUserTeamIds = new HashSet<String>();
            for (String teamId : teamIds) {
              newUserTeamIds.add(teamId);
            }
            if (myTeamIds.containsAll(newUserTeamIds)) {
              access = true;
            }
          } else {
            access = true;
          }
        }
      } else if (actionName.equals("retrieveAllProducts")
          || actionName.equals("retrieveAllSAIterations")) {
        // access matrix operations
        access = false;
      } else if (actionName.equals("storeNewIteration") || actionName.equals("storeNewProduct")) {
        // these are operations available to everyone
        access = true;
      } else if ((actionName.equals("retrieveBranchMetrics")
              || actionName.equals("getStoryHierarchy"))
          && req.getParameterMap().containsKey("storyId")) {
        Map params = req.getParameterMap();
        int storyId = Integer.parseInt(((String[]) params.get("storyId"))[0]);
        Story story = storyBusiness.retrieve(storyId);
        if (story.getIteration() != null) {
          access =
              this.authorizationBusiness.isBacklogAccessible(story.getIteration().getId(), user);
        }
        if (!access && story.getBacklog() != null) {
          access = this.authorizationBusiness.isBacklogAccessible(story.getBacklog().getId(), user);
        }
      } else {
        // Default case: Try to find a backlog id of some kind to check.

        Map params = req.getParameterMap();
        int id = -1;
        if (params.containsKey("iterationId"))
          id = Integer.parseInt(((String[]) params.get("iterationId"))[0]);
        else if (params.containsKey("backlogId"))
          id = Integer.parseInt(((String[]) params.get("backlogId"))[0]);
        else if (params.containsKey("productId"))
          id = Integer.parseInt(((String[]) params.get("productId"))[0]);
        else if (params.containsKey("projectId"))
          id = Integer.parseInt(((String[]) params.get("projectId"))[0]);
        else if (params.containsKey("taskId")) {
          int taskId = Integer.parseInt(((String[]) params.get("taskId"))[0]);
          Task task = taskBusiness.retrieve(taskId);
          if (task.getIteration() != null) id = task.getIteration().getId();
          else if (task.getStory().getIteration() != null)
            id = task.getStory().getIteration().getId();
          else id = task.getStory().getBacklog().getId(); // story in project/product w/a iteration
        } else if (params.containsKey("storyId")) {
          int storyId = Integer.parseInt(((String[]) params.get("storyId"))[0]);
          Story story = storyBusiness.retrieve(storyId);
          if (story.getIteration() != null) {
            id = story.getIteration().getId();
          } else {
            id = story.getBacklog().getId();
          }
        }

        boolean attemptTeam = params.containsKey("teamsChanged");
        if (!attemptTeam) {
          if (id != -1
              && !(id == 0 && actionName.equals("retrieveSubBacklogs") && params.size() == 1))
            access = this.authorizationBusiness.isBacklogAccessible(id, user);
          else
            // Operations without ids must be allowed
            access = true;
        }
      }
    }

    if (access) return invocation.invoke();
    else return "noauth";
  }