use of org.hisp.dhis.hibernate.exception.UpdateAccessDeniedException in project dhis2-core by dhis2.
the class MessageConversationController method unmarkMessageConversationFollowup.
//--------------------------------------------------------------------------
// Clear follow up
//--------------------------------------------------------------------------
/**
 * Clears the follow-up flag on the listed conversations of one user.
 *
 * <p>The target is the user named by the optional {@code user} request parameter, or the
 * current user when that parameter is absent. Conversations are fetched with
 * {@code messageService.getMessageConversations(target, uids)}. Only conversations whose
 * follow-up flag is set are toggled and saved, but every conversation returned by the
 * service is listed in the response.
 *
 * <p>NOTE(review): the target user is looked up before the authorization check, so a caller
 * who may not act for another user still gets a different outcome for an unknown uid (404)
 * than for a known one (access denied). Confirm this difference is acceptable.
 *
 * @param userUid  uid of the user whose conversations are changed; may be {@code null}
 * @param uids     uids of the conversations to clear
 * @param response servlet response whose status code is set here
 * @return a {@code response} node holding either a message or the list of handled uids
 * @throws UpdateAccessDeniedException when {@code canModifyUserConversation} rejects the
 *         current user for the target user
 */
@RequestMapping(
    value = "unfollowup",
    method = RequestMethod.POST,
    produces = { MediaType.APPLICATION_JSON_VALUE, MediaType.APPLICATION_XML_VALUE })
@ResponseBody
public RootNode unmarkMessageConversationFollowup(
    @RequestParam(value = "user", required = false) String userUid,
    @RequestBody List<String> uids,
    HttpServletResponse response) {
    RootNode root = new RootNode("response");
    User caller = currentUserService.getCurrentUser();

    // Fall back to the caller only when no explicit user was requested.
    User target;
    if (userUid == null) {
        target = caller;
    } else {
        target = userService.getUser(userUid);
    }

    if (target == null) {
        response.setStatus(HttpServletResponse.SC_NOT_FOUND);
        root.addChild(new SimpleNode("message", "No user with uid: " + userUid));
        return root;
    }

    // Authorization gate: nothing below may run for a target the caller cannot modify.
    boolean allowed = canModifyUserConversation(caller, target);
    if (!allowed) {
        throw new UpdateAccessDeniedException("Not authorized to modify this object.");
    }

    Collection<org.hisp.dhis.message.MessageConversation> conversations =
        messageService.getMessageConversations(target, uids);
    if (conversations.isEmpty()) {
        response.setStatus(HttpServletResponse.SC_NOT_FOUND);
        root.addChild(new SimpleNode("message", "No MessageConversations found for the given UIDs"));
        return root;
    }

    CollectionNode cleared = root.addChild(new CollectionNode("unmarkedFollowup"));
    cleared.setWrapping(false);
    for (org.hisp.dhis.message.MessageConversation each : conversations) {
        boolean flagged = each.isFollowUp();
        if (flagged) {
            // toggleFollowUp flips the flag, so it is only called when the flag is set.
            each.toggleFollowUp(target);
            messageService.updateMessageConversation(each);
        }
        // Reported whether or not the flag had to be changed.
        cleared.addChild(new SimpleNode("uid", each.getUid()));
    }

    response.setStatus(HttpServletResponse.SC_OK);
    return root;
}
use of org.hisp.dhis.hibernate.exception.UpdateAccessDeniedException in project dhis2-core by dhis2.
the class MessageConversationController method removeUserAssigned.
//--------------------------------------------------------------------------
// Remove assigned user
//--------------------------------------------------------------------------
/**
 * Removes the assignee from the conversation identified by {@code uid}.
 *
 * <p>NOTE(review): the access guard throws only when BOTH
 * {@code canModifyUserConversation(caller, caller)} is false AND the caller has access to
 * manage feedback messages. A caller without feedback-management access is therefore never
 * rejected here, and the helper is asked about the caller against itself. If the helper
 * accepts a user acting on their own conversations, this guard cannot fire. The second
 * operand was possibly meant to be negated; confirm the intended rule against the helper.
 *
 * @param uid      uid of the conversation, taken from the request path
 * @param response servlet response whose status code is set here
 * @return a {@code response} node carrying a status message
 * @throws UpdateAccessDeniedException when the guard described above rejects the caller
 */
@RequestMapping(
    value = "/{uid}/assign",
    method = RequestMethod.DELETE,
    produces = { MediaType.APPLICATION_JSON_VALUE, MediaType.APPLICATION_XML_VALUE })
@ResponseBody
public RootNode removeUserAssigned(@PathVariable String uid, HttpServletResponse response) {
    RootNode root = new RootNode("response");
    User caller = currentUserService.getCurrentUser();

    // The feedback-access lookup is only reached when the self-check fails (short-circuit).
    boolean selfCheckFailed = !canModifyUserConversation(caller, caller);
    if (selfCheckFailed && messageService.hasAccessToManageFeedbackMessages(caller)) {
        throw new UpdateAccessDeniedException("Not authorized to modify this object.");
    }

    org.hisp.dhis.message.MessageConversation target = messageService.getMessageConversation(uid);
    if (target != null) {
        target.setAssignee(null);
        messageService.updateMessageConversation(target);
        root.addChild(new SimpleNode("message", "Message is no longer assigned to user"));
        response.setStatus(HttpServletResponse.SC_OK);
        return root;
    }

    response.setStatus(HttpServletResponse.SC_NOT_FOUND);
    root.addChild(new SimpleNode("message", "No MessageConversation found for the given ID."));
    return root;
}
use of org.hisp.dhis.hibernate.exception.UpdateAccessDeniedException in project dhis2-core by dhis2.
the class DefaultCollectionService method delCollectionItems.
/**
 * Removes the given objects from the collection property {@code propertyName} of
 * {@code object}.
 *
 * <p>When the property is owned by {@code object}, the items are removed from its own
 * collection. Otherwise {@code object} is removed from the matching collection on each item
 * and that item is updated. Afterwards {@code object} is updated and the session and cache
 * are cleared.
 *
 * <p>NOTE(review): only {@code object} is checked with {@code aclService.canUpdate}. The
 * items changed in the non-owner branch are not checked in this method; presumably
 * {@code manager.update} enforces access itself. Confirm.
 *
 * @param object       the object whose collection property is edited
 * @param propertyName name of the collection property on {@code object}
 * @param objects      objects to remove; only their uids are used to load the real items
 * @throws UpdateAccessDeniedException when the current user may not update {@code object}
 * @throws WebMessageException when the property does not exist or is not a collection of
 *         identifiable objects
 * @throws Exception when the reflective getter call in the owner branch fails
 */
@Override
@SuppressWarnings("unchecked")
public void delCollectionItems(IdentifiableObject object, String propertyName, List<IdentifiableObject> objects) throws Exception {
    Schema objectSchema = schemaService.getDynamicSchema(object.getClass());

    boolean mayUpdate = aclService.canUpdate(currentUserService.getCurrentUser(), object);
    if (!mayUpdate) {
        throw new UpdateAccessDeniedException("You don't have the proper permissions to update this object.");
    }

    if (!objectSchema.haveProperty(propertyName)) {
        throw new WebMessageException(WebMessageUtils.notFound("Property " + propertyName + " does not exist on " + object.getClass().getName()));
    }

    Property property = objectSchema.getProperty(propertyName);
    if (!(property.isCollection() && property.isIdentifiableObject())) {
        throw new WebMessageException(WebMessageUtils.conflict("Only identifiable object collections can be removed from."));
    }

    Collection<String> uids = objects.stream()
        .map(IdentifiableObject::getUid)
        .collect(Collectors.toList());
    if (uids.isEmpty()) {
        return;
    }

    // Load the items by uid instead of using the caller-supplied instances.
    Class<? extends IdentifiableObject> itemType = (Class<? extends IdentifiableObject>) property.getItemKlass();
    List<? extends IdentifiableObject> loaded = manager.get(itemType, uids);
    manager.refresh(object);

    if (property.isOwner()) {
        Collection<IdentifiableObject> owned = (Collection<IdentifiableObject>) property.getGetterMethod().invoke(object);
        for (IdentifiableObject candidate : loaded) {
            if (owned.contains(candidate)) {
                owned.remove(candidate);
            }
        }
    } else {
        Schema itemSchema = schemaService.getDynamicSchema(property.getItemKlass());
        Property inverse = itemSchema.propertyByRole(property.getOwningRole());
        for (IdentifiableObject candidate : loaded) {
            try {
                Collection<IdentifiableObject> members = (Collection<IdentifiableObject>) inverse.getGetterMethod().invoke(candidate);
                if (members.contains(object)) {
                    members.remove(object);
                    manager.update(candidate);
                }
            } catch (Exception ignored) {
                // NOTE(review): every failure for this item is dropped without a trace.
                // That covers reflection errors and, if manager.update enforces access
                // control, an access denial too. The in-memory removal above has already
                // happened by then, and the caller still sees success. Consider logging
                // here or catching a narrower type.
            }
        }
    }

    manager.update(object);
    dbmsManager.clearSession();
    cacheManager.clearCache();
}
use of org.hisp.dhis.hibernate.exception.UpdateAccessDeniedException in project dhis2-core by dhis2.
the class HibernateGenericStore method update.
/**
 * Updates {@code object} in the current session on behalf of {@code user}.
 *
 * <p>Both the allowed and the denied outcome are written to the audit log. The name logged
 * is {@code "system-process"} when {@code user} is {@code null}.
 *
 * <p>NOTE(review): for identifiable objects the auto fields, {@code lastUpdatedBy} and (when
 * unset) the owning user are written BEFORE {@code isUpdateAllowed} runs. A denied update
 * therefore still leaves the in-memory object modified, and an object without an owner is
 * given the caller as owner ahead of the access decision. Confirm neither effect can
 * influence the check or be flushed later.
 *
 * <p>NOTE(review): the {@code null} test on {@code object} comes after it has already been
 * passed to {@code isUpdateAllowed} and the audit logger, and the denied branch calls
 * {@code object.toString()} for the exception message. Confirm that message is not returned
 * to clients verbatim.
 *
 * @param object the object to update
 * @param user   the acting user; may be {@code null}
 * @throws UpdateAccessDeniedException when {@code isUpdateAllowed(object, user)} is false
 */
@Override
public void update(T object, User user) {
    String actor;
    if (user == null) {
        actor = "system-process";
    } else {
        actor = user.getUsername();
    }

    if (IdentifiableObject.class.isInstance(object)) {
        BaseIdentifiableObject identifiable = (BaseIdentifiableObject) object;
        identifiable.setAutoFields();
        identifiable.setLastUpdatedBy(user);

        // Only objects without an owner get the acting user as owner.
        boolean ownerMissing = identifiable.getUser() == null;
        if (ownerMissing) {
            identifiable.setUser(user);
        }
    }

    boolean permitted = isUpdateAllowed(object, user);
    if (!permitted) {
        // Record the denial before raising it.
        AuditLogUtil.infoWrapper(log, actor, object, AuditLogUtil.ACTION_UPDATE_DENIED);
        throw new UpdateAccessDeniedException(object.toString());
    }

    AuditLogUtil.infoWrapper(log, actor, object, AuditLogUtil.ACTION_UPDATE);

    if (object != null) {
        getSession().update(object);
    }

    if (MetadataObject.class.isInstance(object)) {
        DeletedObjectQuery staleMarkers = new DeletedObjectQuery((IdentifiableObject) object);
        deletedObjectService.deleteDeletedObjects(staleMarkers);
    }
}
use of org.hisp.dhis.hibernate.exception.UpdateAccessDeniedException in project dhis2-core by dhis2.
the class MessageConversationController method setUserAssigned.
//--------------------------------------------------------------------------
// Assign user
//--------------------------------------------------------------------------
/**
 * Assigns a user to the conversation identified by {@code uid}.
 *
 * <p>The user to assign must exist and must pass
 * {@code configurationService.isUserInFeedbackRecipientUserGroup}; otherwise the response is
 * 404 or 409 respectively.
 *
 * <p>NOTE(review): the access guard throws only when BOTH
 * {@code canModifyUserConversation(caller, caller)} is false AND the caller has access to
 * manage feedback messages. A caller without feedback-management access is therefore never
 * rejected here, and the helper is asked about the caller against itself. If the helper
 * accepts a user acting on their own conversations, this guard cannot fire. The second
 * operand was possibly meant to be negated; confirm the intended rule against the helper.
 *
 * <p>NOTE(review): {@code userId} is optional, so {@code userService.getUser} may receive
 * {@code null}. Presumably it returns {@code null} in that case, giving a 404. Verify.
 *
 * @param uid      uid of the conversation, taken from the request path
 * @param userId   id of the user to assign; may be {@code null}
 * @param response servlet response whose status code is set here
 * @return a {@code response} node carrying a status message
 * @throws UpdateAccessDeniedException when the guard described above rejects the caller
 */
@RequestMapping(
    value = "/{uid}/assign",
    method = RequestMethod.POST,
    produces = { MediaType.APPLICATION_JSON_VALUE, MediaType.APPLICATION_XML_VALUE })
@ResponseBody
public RootNode setUserAssigned(
    @PathVariable String uid,
    @RequestParam(required = false) String userId,
    HttpServletResponse response) {
    RootNode root = new RootNode("response");
    User caller = currentUserService.getCurrentUser();

    // The feedback-access lookup is only reached when the self-check fails (short-circuit).
    boolean selfCheckFailed = !canModifyUserConversation(caller, caller);
    if (selfCheckFailed && messageService.hasAccessToManageFeedbackMessages(caller)) {
        throw new UpdateAccessDeniedException("Not authorized to modify this object.");
    }

    org.hisp.dhis.message.MessageConversation target = messageService.getMessageConversation(uid);
    if (target == null) {
        response.setStatus(HttpServletResponse.SC_NOT_FOUND);
        root.addChild(new SimpleNode("message", "No MessageConversation found for the given ID."));
        return root;
    }

    User assignee = userService.getUser(userId);
    if (assignee == null) {
        response.setStatus(HttpServletResponse.SC_NOT_FOUND);
        root.addChild(new SimpleNode("message", "Could not find user to assign"));
        return root;
    }

    // Only members of the feedback recipient group may be assigned.
    boolean inRecipientGroup = configurationService.isUserInFeedbackRecipientUserGroup(assignee);
    if (!inRecipientGroup) {
        response.setStatus(HttpServletResponse.SC_CONFLICT);
        root.addChild(new SimpleNode("message", "User provided is not a member of the system's feedback recipient group"));
        return root;
    }

    target.setAssignee(assignee);
    messageService.updateMessageConversation(target);
    root.addChild(new SimpleNode("message", "User " + assignee.getName() + " was assigned to ticket"));
    response.setStatus(HttpServletResponse.SC_OK);
    return root;
}