Example 11 with ForbiddenUserException

use of org.asqatasun.webapp.exception.ForbiddenUserException in project Asqatasun by Asqatasun.

the class AbstractAuditDataHandlerController method isUserAllowedToDisplayResult.

/**
 * This method checks whether the current user is allowed to display the
 * audit result of a given audit. To do so, we verify that the act
 * associated with the audit belongs to the current user and
 * that the current contract is not expired.
 *
 * @param audit
 * @return
 *      true if the user is allowed to display the result, false otherwise.
 */
protected boolean isUserAllowedToDisplayResult(Audit audit) {
    // No audit to check against: treated as a request for a page that does not exist
    if (audit == null) {
        throw new ForbiddenPageException();
    }
    User user = getCurrentUser();
    // The act links the audit to the contract, and the contract to its owning user
    Contract contract = getActDataService().getActFromAudit(audit).getContract();
    // Admins may display any result; other users only results of their own,
    // non-expired contracts
    if (isAdminUser() || (!isContractExpired(contract) && user.getId().compareTo(contract.getUser().getId()) == 0)) {
        return true;
    }
    // Every other case is signalled as an authorization failure rather than a false return
    throw new ForbiddenUserException();
}
Also used : User(org.asqatasun.webapp.entity.user.User) Contract(org.asqatasun.webapp.entity.contract.Contract) ForbiddenUserException(org.asqatasun.webapp.exception.ForbiddenUserException) ForbiddenPageException(org.asqatasun.webapp.exception.ForbiddenPageException)

Example 12 with ForbiddenUserException

use of org.asqatasun.webapp.exception.ForbiddenUserException in project Asqatasun by Asqatasun.

the class ContractManagementController method submitManageContractsAdminPage.

/**
 * @param contractDisplayCommand
 * @param userId
 * @param request
 * @param response
 * @param model
 * @return The pages audit set-up form page
 */
@RequestMapping(value = TgolKeyStore.MANAGE_CONTRACTS_URL, method = RequestMethod.POST)
@Secured(TgolKeyStore.ROLE_ADMIN_KEY)
public String submitManageContractsAdminPage(
        @ModelAttribute(TgolKeyStore.CONTRACT_SORT_COMMAND_KEY) ContractSortCommand contractDisplayCommand,
        @RequestParam(TgolKeyStore.USER_ID_KEY) String userId,
        HttpServletRequest request,
        HttpServletResponse response,
        Model model) {
    Long lUserId;
    // A user id that is not a number is rejected as a forbidden request
    // instead of being handed to the data layer
    try {
        lUserId = Long.valueOf(userId);
    } catch (NumberFormatException nfe) {
        throw new ForbiddenUserException();
    }
    User userToManage = getUserDataService().read(lUserId);
    model.addAttribute(TgolKeyStore.CONTRACT_LIST_KEY,
            ContractSortCommandHelper.prepareContract(userToManage, contractDisplayCommand, displayOptionFieldsBuilderList, model));
    model.addAttribute(TgolKeyStore.USER_NAME_KEY, userToManage.getEmail1());
    return TgolKeyStore.MANAGE_CONTRACTS_VIEW_NAME;
}
Also used : User(org.asqatasun.webapp.entity.user.User) ForbiddenUserException(org.asqatasun.webapp.exception.ForbiddenUserException) Secured(org.springframework.security.access.annotation.Secured) RequestMapping(org.springframework.web.bind.annotation.RequestMapping)

Example 13 with ForbiddenUserException

use of org.asqatasun.webapp.exception.ForbiddenUserException in project Asqatasun by Asqatasun.

the class ContractManagementController method submitEditContractAdminPage.

/**
 * @param createContractCommand
 * @param result
 * @param request
 * @param response
 * @param model
 * @return The pages audit set-up form page
 */
@RequestMapping(value = TgolKeyStore.EDIT_CONTRACT_URL, method = RequestMethod.POST)
@Secured(TgolKeyStore.ROLE_ADMIN_KEY)
public String submitEditContractAdminPage(
        @ModelAttribute(TgolKeyStore.CREATE_CONTRACT_COMMAND_KEY) CreateContractCommand createContractCommand,
        BindingResult result,
        HttpServletRequest request,
        HttpServletResponse response,
        Model model) {
    // The contract being edited is identified by a server-side session attribute,
    // not by a request parameter; this code assumes the attribute has been set
    Object contractId = request.getSession().getAttribute(TgolKeyStore.CONTRACT_ID_KEY);
    Long lContractId;
    if (contractId instanceof Long) {
        lContractId = (Long) contractId;
    } else {
        // Anything that does not parse as a contract id is treated as a forbidden request
        try {
            lContractId = Long.valueOf(contractId.toString());
        } catch (NumberFormatException nfe) {
            throw new ForbiddenUserException();
        }
    }
    Contract contract = getContractDataService().read(lContractId);
    Map<String, List<ContractOptionFormField>> optionFormFieldMap =
            ContractOptionFormFieldHelper.getFreshContractOptionFormFieldMap(getContractOptionFormFieldBuilderMap());
    getCreateContractFormValidator().setContractOptionFormFieldMap(optionFormFieldMap);
    // We check whether the form is valid
    getCreateContractFormValidator().validate(createContractCommand, result);
    // If the form has some errors, we display it again with the errors' details
    if (result.hasErrors()) {
        return displayFormWithErrors(model, createContractCommand, contract.getUser().getEmail1(),
                contract.getUser().getId(), optionFormFieldMap, TgolKeyStore.EDIT_CONTRACT_VIEW_NAME);
    }
    contract = CreateContractCommandFactory.getInstance().updateContractFromCommand(createContractCommand, contract);
    saveOrUpdateContract(contract);
    request.getSession().setAttribute(TgolKeyStore.UPDATED_CONTRACT_NAME_KEY, contract.getLabel());
    model.addAttribute(TgolKeyStore.USER_ID_KEY, contract.getUser().getId());
    // The session attribute is single-use: it is cleared once the edit has been applied
    request.getSession().removeAttribute(TgolKeyStore.CONTRACT_ID_KEY);
    return TgolKeyStore.MANAGE_CONTRACTS_VIEW_REDIRECT_NAME;
}
Also used : List(java.util.List) ForbiddenUserException(org.asqatasun.webapp.exception.ForbiddenUserException) Contract(org.asqatasun.webapp.entity.contract.Contract) Secured(org.springframework.security.access.annotation.Secured) RequestMapping(org.springframework.web.bind.annotation.RequestMapping)

Example 14 with ForbiddenUserException

use of org.asqatasun.webapp.exception.ForbiddenUserException in project Asqatasun by Asqatasun.

the class ContractManagementController method deleteContractAuditsConfirmationPage.

/**
 * @param request
 * @param response
 * @param model
 * @return
 */
@RequestMapping(value = TgolKeyStore.DELETE_CONTRACT_AUDITS_URL, method = RequestMethod.POST)
@Secured(TgolKeyStore.ROLE_ADMIN_KEY)
public String deleteContractAuditsConfirmationPage(HttpServletRequest request, HttpServletResponse response, Model model) {
    // The contract whose audits are deleted comes from a session attribute set by the
    // confirmation step, not from the request; this code assumes the attribute is present
    Object contractId = request.getSession().getAttribute(TgolKeyStore.CONTRACT_ID_TO_DELETE_KEY);
    Long lContractId;
    if (contractId instanceof Long) {
        lContractId = (Long) contractId;
    } else {
        // Anything that does not parse as a contract id is treated as a forbidden request
        try {
            lContractId = Long.valueOf(contractId.toString());
        } catch (NumberFormatException nfe) {
            throw new ForbiddenUserException();
        }
    }
    Contract contractToDelete = getContractDataService().read(lContractId);
    deleteAllAuditsFromContract(contractToDelete);
    // The session attribute is single-use: it is cleared once the deletion has been performed
    request.getSession().removeAttribute(TgolKeyStore.CONTRACT_ID_TO_DELETE_KEY);
    request.getSession().setAttribute(TgolKeyStore.DELETED_CONTRACT_AUDITS_NAME_KEY, contractToDelete.getLabel());
    model.addAttribute(TgolKeyStore.USER_ID_KEY, contractToDelete.getUser().getId());
    return TgolKeyStore.MANAGE_CONTRACTS_VIEW_REDIRECT_NAME;
}
Also used : ForbiddenUserException(org.asqatasun.webapp.exception.ForbiddenUserException) Contract(org.asqatasun.webapp.entity.contract.Contract) Secured(org.springframework.security.access.annotation.Secured) RequestMapping(org.springframework.web.bind.annotation.RequestMapping)

Example 15 with ForbiddenUserException

use of org.asqatasun.webapp.exception.ForbiddenUserException in project Asqatasun by Asqatasun.

the class HomeController method submitForm.

@RequestMapping(value = TgolKeyStore.HOME_URL, method = RequestMethod.POST)
@Secured({ TgolKeyStore.ROLE_USER_KEY, TgolKeyStore.ROLE_ADMIN_KEY })
protected String submitForm(
        @ModelAttribute(TgolKeyStore.CONTRACT_SORT_COMMAND_KEY) ContractSortCommand contractDisplayCommand,
        BindingResult result,
        Model model,
        HttpServletRequest request) {
    User user = getCurrentUser();
    // The user id carried by the submitted form must match the authenticated user;
    // a mismatch is refused so that a user cannot list another user's contracts
    if (!user.getId().equals(contractDisplayCommand.getUserId())) {
        throw new ForbiddenUserException();
    }
    // The page is displayed with sort options. The form needs to be set up
    model.addAttribute(TgolKeyStore.CONTRACT_LIST_KEY,
            ContractSortCommandHelper.prepareContractInfo(user, contractDisplayCommand, displayOptionFieldsBuilderList, model));
    return TgolKeyStore.HOME_VIEW_NAME;
}
Also used : User(org.asqatasun.webapp.entity.user.User) ForbiddenUserException(org.asqatasun.webapp.exception.ForbiddenUserException) Secured(org.springframework.security.access.annotation.Secured) RequestMapping(org.springframework.web.bind.annotation.RequestMapping)

Aggregations

ForbiddenUserException (org.asqatasun.webapp.exception.ForbiddenUserException)29 Secured (org.springframework.security.access.annotation.Secured)20 RequestMapping (org.springframework.web.bind.annotation.RequestMapping)16 Contract (org.asqatasun.webapp.entity.contract.Contract)15 User (org.asqatasun.webapp.entity.user.User)12 ForbiddenPageException (org.asqatasun.webapp.exception.ForbiddenPageException)8 Audit (org.asqatasun.entity.audit.Audit)6 WebResource (org.asqatasun.entity.subject.WebResource)4 HttpServletResponse (javax.servlet.http.HttpServletResponse)3 Site (org.asqatasun.entity.subject.Site)3 MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest)3 MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse)3 ExtendedModelMap (org.springframework.ui.ExtendedModelMap)3 Model (org.springframework.ui.Model)3 List (java.util.List)2 SSP (org.asqatasun.entity.audit.SSP)1 Criterion (org.asqatasun.entity.reference.Criterion)1 Test (org.asqatasun.entity.reference.Test)1 Page (org.asqatasun.entity.subject.Page)1 ChangePasswordCommand (org.asqatasun.webapp.command.ChangePasswordCommand)1