This is an automated email from the git hooks/post-receive script.
New commit to branch develop in repository coselmar.
See http://git.codelutin.com/coselmar.git
commit 6f71fb0f750f4a9357279924d7e469c2da9edece
Author: Yannick Martel <martel@©odelutin.com>
Date: Fri Jan 15 17:38:46 2016 +0100
fixes #7915 be able to see every user information
---
 .../persistence/entity/QuestionTopiaDao.java | 2 +-
 .../coselmar/services/v1/UsersWebService.java | 30 +++++++++++-----------
 coselmar-ui/src/main/webapp/views/users/user.html | 7 ++++-
 3 files changed, 22 insertions(+), 17 deletions(-)
diff --git a/coselmar-persistence/src/main/java/fr/ifremer/coselmar/persistence/entity/QuestionTopiaDao.java b/coselmar-persistence/src/main/java/fr/ifremer/coselmar/persistence/entity/QuestionTopiaDao.java
index b854077..5ce33ab 100644
--- a/coselmar-persistence/src/main/java/fr/ifremer/coselmar/persistence/entity/QuestionTopiaDao.java
+++ b/coselmar-persistence/src/main/java/fr/ifremer/coselmar/persistence/entity/QuestionTopiaDao.java
@@ -143,7 +143,7 @@ public class QuestionTopiaDao extends AbstractQuestionTopiaDao<Question> {
 String clientCondition = DaoUtils.andAttributeContains("Q", Question.PROPERTY_CLIENTS, args, client);
- hqlBuilder.append(" WHERE 1=1 AND (" + clientCondition + " ) ");
+ hqlBuilder.append(" WHERE 1=1 " + clientCondition + " ");
 if (searchExample != null) {
 String finerHql = refineSearch(searchExample, "Q", args);
diff --git a/coselmar-rest/src/main/java/fr/ifremer/coselmar/services/v1/UsersWebService.java b/coselmar-rest/src/main/java/fr/ifremer/coselmar/services/v1/UsersWebService.java
index 6d5ffd6..e4c72e6 100644
--- a/coselmar-rest/src/main/java/fr/ifremer/coselmar/services/v1/UsersWebService.java
+++ b/coselmar-rest/src/main/java/fr/ifremer/coselmar/services/v1/UsersWebService.java
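Review bot: In the QuestionTopiaDao hunk, dropping the `AND (` … `)` wrapper around `clientCondition` only works if `DaoUtils.andAttributeContains` returns a fragment that already begins with its own ` AND ` (or an empty string when no client is given); neither contract is visible here, and a reader of `" WHERE 1=1 " + clientCondition` cannot tell. A one-line comment above the append would pin that down: `// clientCondition is either empty or already prefixed with " AND " (see DaoUtils.andAttributeContains)`. Since this is string-built HQL, it is also worth confirming that the client value is bound through `args` as a named parameter rather than inlined into the fragment; the `args` argument suggests it is, but the helper is not shown. The enclosing method starts and ends outside the hunk.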
@@ -87,27 +87,27 @@ public class UsersWebService extends CoselmarWebServiceSupport {
 boolean isAdmin = StringUtils.equals(userWebToken.getRole(), CoselmarUserRole.ADMIN.name());
 boolean isSupervisor = StringUtils.equals(userWebToken.getRole(), CoselmarUserRole.SUPERVISOR.name());
 boolean isHimself = StringUtils.equals(userWebToken.getUserId(), userId);
-
- if (!isAdmin && !isSupervisor && !isHimself) {
- if (log.isDebugEnabled()) {
- String message = String.format("A non admin user try to see account details with shortId '%s'", userId);
- log.debug(message);
- }
- throw new UnauthorizedException("Not allowed to see user details");
- }
+//
+// if (!isAdmin && !isSupervisor && !isHimself) {
+// if (log.isDebugEnabled()) {
+// String message = String.format("A non admin user try to see account details with shortId '%s'", userId);
+// log.debug(message);
+// }
+// throw new UnauthorizedException("Not allowed to see user details");
+// }
 // reconstitute full id
 String fullId = CoselmarUser.class.getCanonicalName() + getPersistenceContext().getTopiaIdFactory().getSeparator() + userId;
 CoselmarUser user = getCoselmarUserDao().forTopiaIdEquals(fullId).findUnique();
- if (isSupervisor && user.getRole() != CoselmarUserRole.CLIENT && !isHimself) {
- if (log.isDebugEnabled()) {
- String message = String.format("A supervisor user try to see non client account details with shortId '%s'", userId);
- log.debug(message);
- }
- throw new UnauthorizedException("Not allowed to see user details");
- }
+// if (isSupervisor && user.getRole() != CoselmarUserRole.CLIENT && !isHimself) {
+// if (log.isDebugEnabled()) {
+// String message = String.format("A supervisor user try to see non client account details with shortId '%s'", userId);
+// log.debug(message);
+// }
+// throw new UnauthorizedException("Not allowed to see user details");
+// }
 UserBean userBean = BeanEntityConverter.toBean(userId, user);
 return userBean;
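Review bot: Commenting out both authorization checks leaves every authenticated caller able to fetch any user's `UserBean` from this endpoint, while the only gate that remains is the client-side `ng-if` added in user.html in the same commit; a template condition is presentation, not enforcement, so the server endpoints (this read, and whatever `modifyUser()` calls) must decide access themselves. If opening the read to all authenticated users is the intended fix for #7915, delete the two commented-out blocks rather than keeping them, drop the now-unused `isAdmin`/`isSupervisor`/`isHimself` locals, and record the decision in a comment such as `// Any authenticated user may read user details (#7915); role-based restrictions apply to modification only.` It is also worth checking that `BeanEntityConverter.toBean` does not copy sensitive fields (credentials, tokens) into the bean now that non-admin callers receive it; that converter is not visible here. The enclosing method starts and ends outside the hunk.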
diff --git a/coselmar-ui/src/main/webapp/views/users/user.html b/coselmar-ui/src/main/webapp/views/users/user.html
index c30de13..b0e926c 100644
--- a/coselmar-ui/src/main/webapp/views/users/user.html
+++ b/coselmar-ui/src/main/webapp/views/users/user.html
@@ -56,7 +56,12 @@
 </tr>
 </table>
 <div class="actions">
- <a class="btn btn-action btn-edit" ng-click="modifyUser()" ng-if="user.active">{{ 'common.button.edit' | translate }}</a>
+ <a class="btn btn-action btn-edit" ng-click="modifyUser()"
+ ng-if="user.active
+ && (context.currentUser.role == 'ADMIN'
+ || (context.currentUser.role == 'SUPERVISOR' && user.role == 'CLIENT')
+ || (context.currentUser.userId == user.id)
+ )">{{ 'common.button.edit' | translate }}</a>
 <a class="btn btn-action btn-edit" ng-confirm-message="user.message.disable"
 ng-confirm-click="disableUser()"
--
To stop receiving notification emails like this one, please contact codelutin.com SCM administrator <admin+scm@codelutin.com>.
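Review bot: The four-line role expression inside `ng-if` is hard to read in the template and cannot be unit-tested there; a controller function such as `$scope.canEditUser = function () { ... }` holding the same rule, with the markup reduced to `ng-if="user.active && canEditUser()"`, keeps the view declarative and gives the rule a single testable home. The `context.currentUser.userId == user.id` comparison presumes both ids use the same short form; on the Java side the bean is built with `BeanEntityConverter.toBean(userId, user)` from the short id and the token's `getUserId()` is compared to that same `userId`, so this likely holds, but it is worth confirming. Whether such a controller function already exists is not visible in this hunk.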