diff --git a/app/controllers/OrganizationApp.java b/app/controllers/OrganizationApp.java
index 64d10c0b2..94612bca4 100644
--- a/app/controllers/OrganizationApp.java
+++ b/app/controllers/OrganizationApp.java
@@ -21,7 +21,6 @@ package controllers;
 import controllers.annotation.AnonymousCheck;
-import controllers.annotation.IsAllowed;
 import models.*;
 import models.enumeration.Operation;
 import models.enumeration.RequestState;
@@ -46,10 +45,7 @@ import javax.validation.ConstraintViolation;
 import java.io.IOException;
 import java.security.NoSuchAlgorithmException;
-import java.util.Date;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Set;
+import java.util.*;
 import static play.data.Form.form;
 import static utils.LogoUtil.*;
@@ -152,7 +148,7 @@ private static Result validateForAddMember(Form addMemberForm, String orga
 }
 User currentUser = UserApp.currentUser();
- if (!OrganizationUser.isAdmin(organization.id, currentUser.id)) {
+ if (!AccessControl.isAllowed(currentUser, organization.asResource(), Operation.UPDATE)) {
 flash(Constants.WARNING, "organization.member.needManagerRole");
 return redirect(routes.OrganizationApp.members(organizationName));
 }
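Review bot: The replacement `import java.util.*;` now sits beside the existing `import models.*;`, so the moment any class in `models` shares a simple name with a `java.util` type (a model called `Date` or `Map`, for instance) every unqualified use of that name becomes ambiguous at compile time, and the wildcard also hides which new `java.util` type, if any, motivated the change. Keeping single-type imports avoids both problems: `import java.util.Date; import java.util.HashMap; import java.util.Map; import java.util.Set;` plus one explicit line for whatever additional type the rest of the file now uses.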
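Review bot: The new condition in validateForAddMember gates adding a member on `Operation.UPDATE` for the organization resource, yet nothing at the call site says why a membership change maps to UPDATE, while the flash key `organization.member.needManagerRole` still speaks of a manager role; whether AccessControl grants UPDATE to exactly that role is decided elsewhere and is not visible here. A one-line comment above the condition keeps the two in step for the next reader: `// Adding a member counts as updating the organization; AccessControl decides who holds UPDATE on it (the manager role, per the message key below).` The same substitution, with the same missing comment, appears in validateForSetting in the `@@ -303,7 +301,7 @@` hunk. validateForAddMember's signature and the rest of its body lie outside this hunk.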
@@ -243,9 +239,11 @@ private static Result validateForEditMember(Form roleForm, String organiza
 flash(Constants.WARNING, "organization.member.needManagerRole");
 return okWithLocation(routes.OrganizationApp.members(organizationName).url());
 }
- if (OrganizationUser.isAdmin(organization.id, userId) && organization.getAdmins().size() == 1) {
- flash(Constants.WARNING, "organization.member.atLeastOneAdmin");
- return okWithLocation(routes.OrganizationApp.members(organizationName).url());
+
+ if (OrganizationUser.isAdmin(organization.id, userId) && organization.getAdmins().size() == 1
+ && roleForm.get().id.equals(RoleType.ORG_MEMBER.roleType())) {
+ flash(Constants.WARNING, "organization.member.atLeastOneAdmin");
+ return okWithLocation(routes.OrganizationApp.members(organizationName).url());
 }
 return null;
@@ -270,7 +268,7 @@ public static ValidationResult validateForLeave(String organizationName) {
 return new ValidationResult(notFound(getJsonErrorMsg("organization.member.unknownOrganization")), true);
 }
- if (OrganizationUser.isAdmin(organization.id, UserApp.currentUser().id)) {
+ if (!AccessControl.isAllowed(UserApp.currentUser(), organization.asResource(), Operation.LEAVE)) {
 if (OrganizationUser.findAdminsOf(organization).size() == 1) {
 return new ValidationResult(forbidden(getJsonErrorMsg("organization.member.atLeastOneAdmin")), true);
 }
@@ -303,7 +301,7 @@ private static Result validateForSetting(String organizationName) {
 }
 User currentUser = UserApp.currentUser();
- if (!OrganizationUser.isAdmin(organization.id, currentUser.id)) {
+ if (!AccessControl.isAllowed(currentUser, organization.asResource(), Operation.UPDATE)) {
 return forbidden(ErrorViews.Forbidden.render("error.forbidden", organization));
 }
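Review bot: The added clause `roleForm.get().id.equals(RoleType.ORG_MEMBER.roleType())` dereferences the bound form's `id` before anything in this hunk has checked it is present, so if `id` is a nullable reference type and a request omits it, the edit fails with a NullPointerException instead of a validation message; flipping the comparison to `RoleType.ORG_MEMBER.roleType().equals(roleForm.get().id)` is null-safe with no other change in behaviour. Note also that the guard now only protects against demoting the last admin to ORG_MEMBER: if RoleType defines other organization roles (the enum is not visible here), assigning one of them to the sole admin still passes. Evaluating that cheap form comparison before `organization.getAdmins()` would additionally spare the admin lookup whenever the submitted role is not ORG_MEMBER. validateForEditMember begins before this hunk.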
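Review bot: In validateForLeave the sole-admin guard now runs only when `AccessControl.isAllowed(..., Operation.LEAVE)` returns false, whereas before it ran for every admin; unless AccessControl denies LEAVE to every organization admin (not visible from this hunk), an admin who is allowed to leave skips the `findAdminsOf(organization).size() == 1` check and can leave the organization with no admin at all, which is the state the old code existed to prevent. Conversely, a non-admin denied LEAVE for some other reason is answered with the unrelated `organization.member.atLeastOneAdmin` message whenever the admin count happens to be one. Keeping the permission check and the last-admin invariant as two independent guards removes the coupling; the remainder of validateForLeave, including what follows the inner check, is outside the hunk, so the rewrite below stops at the two guards.
```java
if (!AccessControl.isAllowed(UserApp.currentUser(), organization.asResource(), Operation.LEAVE)) {
    return new ValidationResult(forbidden(getJsonErrorMsg("error.forbidden")), true);
}
// The last admin must not leave, independently of what AccessControl says about LEAVE.
if (OrganizationUser.isAdmin(organization.id, UserApp.currentUser().id)
        && OrganizationUser.findAdminsOf(organization).size() == 1) {
    return new ValidationResult(forbidden(getJsonErrorMsg("organization.member.atLeastOneAdmin")), true);
}
// … unchanged: remainder of validateForLeave …
```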
@@ -363,6 +361,11 @@ private static Result validateForUpdate(Form organizationForm, Org
 return notFound(ErrorViews.NotFound.render("organization.member.unknownOrganization"));
 }
+ if (!AccessControl.isAllowed(UserApp.currentUser(), organization.asResource(), Operation.UPDATE)) {
+ flash(Constants.WARNING, "organization.member.needManagerRole");
+ return forbidden(ErrorViews.Forbidden.render("error.forbidden", organization));
+ }
+
 if (isDuplicateName(organization, modifiedOrganization)) {
 organizationForm.reject("name", "organization.name.duplicate");
 return badRequest(setting.render(organization, organizationForm));
@@ -435,6 +438,9 @@ private static ValidationResult validateForDelete(Organization organization) {
 if (organization == null) {
 return new ValidationResult(notFound(getJsonErrorMsg("organization.member.unknownOrganization")), true);
 }
+ if (!AccessControl.isAllowed(UserApp.currentUser(), organization.asResource(), Operation.DELETE)) {
+ return new ValidationResult(notFound(getJsonErrorMsg("organization.member.needManagerRole")), true);
+ }
 if (organization.projects != null && organization.projects.size() > 0) {
 return new ValidationResult(notFound(getJsonErrorMsg("organization.delete.impossible.project.exist")), true);
 }
diff --git a/app/views/error/forbidden_organization.scala.html b/app/views/error/forbidden_organization.scala.html
index 4fdba9bc9..c85dbc7ce 100644
--- a/app/views/error/forbidden_organization.scala.html
+++ b/app/views/error/forbidden_organization.scala.html
@@ -18,11 +18,14 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 **@
-@(messageKey:String = "error.forbidden", organization: Organization)
+@(messageKey:String = "error.forbidden", org: Organization)
-@siteLayout(organization.name, utils.MenuType.NONE) {
-
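Review bot: The new authorization branch in validateForUpdate calls `flash(Constants.WARNING, "organization.member.needManagerRole")` and then renders the forbidden page directly; Play's flash scope is delivered with the next request, so this warning is not shown on the forbidden page it precedes but on whatever page the user opens afterwards. The sibling check in validateForSetting (the `@@ -303,7 +301,7 @@` hunk) returns the same `forbidden(ErrorViews.Forbidden.render("error.forbidden", organization))` without flashing, and validateForAddMember flashes only because it redirects; dropping the `flash(...)` line here makes the three agree. validateForUpdate's signature and its tail lie outside this hunk.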
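Review bot: The new permission check in validateForDelete answers a denied `Operation.DELETE` with `notFound(...)`, while every other authorization failure in this change (validateForLeave, validateForSetting, validateForUpdate) returns `forbidden(...)`; a 404 for an organization that exists but may not be deleted by the caller is inconsistent for API clients and at odds with the `needManagerRole` message it carries. `return new ValidationResult(forbidden(getJsonErrorMsg("organization.member.needManagerRole")), true);` keeps the JSON body and aligns the status with its siblings. If the 404 is deliberate, so that non-members cannot tell a protected organization from a missing one, that intent deserves a comment on the line, because the null check just above already returns 404 with a different message and the distinction is otherwise invisible. validateForDelete's signature precedes the hunk.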