fixes a bug that site admin does not have group admin authorization.

* Issue - Logics for site admin authroization are omitted in organization codes. - Some validations does not check authroizations and have bugs. * Solution - Bugs are fixed and site admin authroization logics are added. Private-issue: 1855
naver · Jan 22, 2015 · bd17dce · bd17dce
1 parent 9751305
commit bd17dce
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 17 deletions.
diff --git a/app/controllers/OrganizationApp.java b/app/controllers/OrganizationApp.java
@@ -21,7 +21,6 @@
 package controllers;
 
 import controllers.annotation.AnonymousCheck;
-import controllers.annotation.IsAllowed;
 import models.*;
 import models.enumeration.Operation;
 import models.enumeration.RequestState;
@@ -46,10 +45,7 @@
 import javax.validation.ConstraintViolation;
 import java.io.IOException;
 import java.security.NoSuchAlgorithmException;
-import java.util.Date;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Set;
+import java.util.*;
 
 import static play.data.Form.form;
 import static utils.LogoUtil.*;
@@ -152,7 +148,7 @@ private static Result validateForAddMember(Form<User> addMemberForm, String orga
         }
 
         User currentUser = UserApp.currentUser();
-        if (!OrganizationUser.isAdmin(organization.id, currentUser.id)) {
+        if (!AccessControl.isAllowed(currentUser, organization.asResource(), Operation.UPDATE)) {
             flash(Constants.WARNING, "organization.member.needManagerRole");
             return redirect(routes.OrganizationApp.members(organizationName));
         }
@@ -243,9 +239,11 @@ private static Result validateForEditMember(Form<Role> roleForm, String organiza
             flash(Constants.WARNING, "organization.member.needManagerRole");
             return okWithLocation(routes.OrganizationApp.members(organizationName).url());
         }
-        if (OrganizationUser.isAdmin(organization.id, userId) && organization.getAdmins().size() == 1) {
-            flash(Constants.WARNING, "organization.member.atLeastOneAdmin");
-            return okWithLocation(routes.OrganizationApp.members(organizationName).url());
+
+        if (OrganizationUser.isAdmin(organization.id, userId) && organization.getAdmins().size() == 1
+                && roleForm.get().id.equals(RoleType.ORG_MEMBER.roleType())) {
+                    flash(Constants.WARNING, "organization.member.atLeastOneAdmin");
+                    return okWithLocation(routes.OrganizationApp.members(organizationName).url());
         }
 
         return null;
@@ -270,7 +268,7 @@ public static ValidationResult validateForLeave(String organizationName) {
             return new ValidationResult(notFound(getJsonErrorMsg("organization.member.unknownOrganization")), true);
         }
 
-        if (OrganizationUser.isAdmin(organization.id, UserApp.currentUser().id)) {
+        if (!AccessControl.isAllowed(UserApp.currentUser(), organization.asResource(), Operation.LEAVE)) {
             if (OrganizationUser.findAdminsOf(organization).size() == 1) {
                 return new ValidationResult(forbidden(getJsonErrorMsg("organization.member.atLeastOneAdmin")), true);
             }
@@ -303,7 +301,7 @@ private static Result validateForSetting(String organizationName) {
         }
 
         User currentUser = UserApp.currentUser();
-        if (!OrganizationUser.isAdmin(organization.id, currentUser.id)) {
+        if (!AccessControl.isAllowed(currentUser, organization.asResource(), Operation.UPDATE)) {
             return forbidden(ErrorViews.Forbidden.render("error.forbidden", organization));
         }
 
@@ -363,6 +361,11 @@ private static Result validateForUpdate(Form<Organization> organizationForm, Org
             return notFound(ErrorViews.NotFound.render("organization.member.unknownOrganization"));
         }
 
+        if (!AccessControl.isAllowed(UserApp.currentUser(), organization.asResource(), Operation.UPDATE)) {
+            flash(Constants.WARNING, "organization.member.needManagerRole");
+            return forbidden(ErrorViews.Forbidden.render("error.forbidden", organization));
+        }
+
         if (isDuplicateName(organization, modifiedOrganization)) {
             organizationForm.reject("name", "organization.name.duplicate");
             return badRequest(setting.render(organization, organizationForm));
@@ -435,6 +438,9 @@ private static ValidationResult validateForDelete(Organization organization) {
         if (organization == null) {
             return new ValidationResult(notFound(getJsonErrorMsg("organization.member.unknownOrganization")), true);
         }
+        if (!AccessControl.isAllowed(UserApp.currentUser(), organization.asResource(), Operation.DELETE)) {
+            return new ValidationResult(notFound(getJsonErrorMsg("organization.member.needManagerRole")), true);
+        }
         if (organization.projects != null && organization.projects.size() > 0) {
             return new ValidationResult(notFound(getJsonErrorMsg("organization.delete.impossible.project.exist")), true);
         }

diff --git a/app/views/error/forbidden_organization.scala.html b/app/views/error/forbidden_organization.scala.html
@@ -18,11 +18,14 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 **@
-@(messageKey:String = "error.forbidden", organization: Organization)
+@(messageKey:String = "error.forbidden", org: Organization)
 
-@siteLayout(organization.name, utils.MenuType.NONE) {
-    <div class="site-breadcrumb-outer">
-        <div class="site-breadcrumb-inner">
+@organizationLayout(org.name, utils.MenuType.NONE, org) {
+    @organization.header(org)
+    @organization.menu(org)
+
+    <div class="page-wrap-outer">
+        <div class="project-page-wrap">
             <div class="error-wrap">
                 <i class="ico ico-err2"></i>
                 <p>@Messages(messageKey)</p>

diff --git a/app/views/organization/menu.scala.html b/app/views/organization/menu.scala.html
@@ -31,12 +31,11 @@
         </ul>
         <div class="project-setting">
             <ul class="project-menu-nav">
-                @if(OrganizationUser.isAdmin(org, UserApp.currentUser)) {
+                @if(OrganizationUser.isAdmin(org, UserApp.currentUser) || UserApp.currentUser().isSiteManager) {
                     <li class="">
                         <a href="@routes.OrganizationApp.settingForm(org.name)">
                             <i class="yobicon-cog"></i>
                             <span class="blind">@Messages("menu.admin")</span>
-
                         </a>
                     <li>
                 }