Merge branch 'issue-1855' of dlab/hive

from pull-request 1413 * refs/heads/issue-1855: refactors codes fixes a bug that site admin does not have group admin authorization. Reviewed-by: 채수원 <sw.chae@navercorp.com> Reviewed-by: 백기선 <keesun.baik@navercorp.com> Reviewed-by: 이응준 <eungjun.yi@navercorp.com>
naver · Jan 27, 2015 · fb98846 · fb98846
2 parents 9086c94 + 8caf892
commit fb98846
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 15 deletions.
diff --git a/app/controllers/OrganizationApp.java b/app/controllers/OrganizationApp.java
@@ -21,7 +21,6 @@
 package controllers;
 
 import controllers.annotation.AnonymousCheck;
-import controllers.annotation.IsAllowed;
 import models.*;
 import models.enumeration.Operation;
 import models.enumeration.RequestState;
@@ -46,10 +45,7 @@
 import javax.validation.ConstraintViolation;
 import java.io.IOException;
 import java.security.NoSuchAlgorithmException;
-import java.util.Date;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Set;
+import java.util.*;
 
 import static play.data.Form.form;
 import static utils.LogoUtil.*;
@@ -152,7 +148,7 @@ private static Result validateForAddMember(Form<User> addMemberForm, String orga
         }
 
         User currentUser = UserApp.currentUser();
-        if (!OrganizationUser.isAdmin(organization.id, currentUser.id)) {
+        if (!AccessControl.isAllowed(currentUser, organization.asResource(), Operation.UPDATE)) {
             flash(Constants.WARNING, "organization.member.needManagerRole");
             return redirect(routes.OrganizationApp.members(organizationName));
         }
@@ -243,7 +239,8 @@ private static Result validateForEditMember(Form<Role> roleForm, String organiza
             flash(Constants.WARNING, "organization.member.needManagerRole");
             return okWithLocation(routes.OrganizationApp.members(organizationName).url());
         }
-        if (OrganizationUser.isAdmin(organization.id, userId) && organization.getAdmins().size() == 1) {
+
+        if (organization.isLastAdmin(currentUser) && roleForm.get().id.equals(RoleType.ORG_MEMBER.roleType())) {
             flash(Constants.WARNING, "organization.member.atLeastOneAdmin");
             return okWithLocation(routes.OrganizationApp.members(organizationName).url());
         }
@@ -270,7 +267,7 @@ public static ValidationResult validateForLeave(String organizationName) {
             return new ValidationResult(notFound(getJsonErrorMsg("organization.member.unknownOrganization")), true);
         }
 
-        if (OrganizationUser.isAdmin(organization.id, UserApp.currentUser().id)) {
+        if (!AccessControl.isAllowed(UserApp.currentUser(), organization.asResource(), Operation.LEAVE)) {
             if (OrganizationUser.findAdminsOf(organization).size() == 1) {
                 return new ValidationResult(forbidden(getJsonErrorMsg("organization.member.atLeastOneAdmin")), true);
             }
@@ -303,7 +300,7 @@ private static Result validateForSetting(String organizationName) {
         }
 
         User currentUser = UserApp.currentUser();
-        if (!OrganizationUser.isAdmin(organization.id, currentUser.id)) {
+        if (!AccessControl.isAllowed(currentUser, organization.asResource(), Operation.UPDATE)) {
             return forbidden(ErrorViews.Forbidden.render("error.forbidden", organization));
         }
 
@@ -363,6 +360,11 @@ private static Result validateForUpdate(Form<Organization> organizationForm, Org
             return notFound(ErrorViews.NotFound.render("organization.member.unknownOrganization"));
         }
 
+        if (!AccessControl.isAllowed(UserApp.currentUser(), organization.asResource(), Operation.UPDATE)) {
+            flash(Constants.WARNING, "organization.member.needManagerRole");
+            return forbidden(ErrorViews.Forbidden.render("error.forbidden", organization));
+        }
+
         if (isDuplicateName(organization, modifiedOrganization)) {
             organizationForm.reject("name", "organization.name.duplicate");
             return badRequest(setting.render(organization, organizationForm));
@@ -435,6 +437,9 @@ private static ValidationResult validateForDelete(Organization organization) {
         if (organization == null) {
             return new ValidationResult(notFound(getJsonErrorMsg("organization.member.unknownOrganization")), true);
         }
+        if (!AccessControl.isAllowed(UserApp.currentUser(), organization.asResource(), Operation.DELETE)) {
+            return new ValidationResult(notFound(getJsonErrorMsg("organization.member.needManagerRole")), true);
+        }
         if (organization.projects != null && organization.projects.size() > 0) {
             return new ValidationResult(notFound(getJsonErrorMsg("organization.delete.impossible.project.exist")), true);
         }

diff --git a/app/models/Organization.java b/app/models/Organization.java
@@ -80,6 +80,10 @@ public static boolean isNameExist(String name) {
         return (findRowCount != 0);
     }
 
+    public boolean isLastAdmin(User currentUser) {
+        return OrganizationUser.isAdmin(this, currentUser) && getAdmins().size() == 1;
+    }
+
     @Transactional
     public void cleanEnrolledUsers() {
         List<User> enrolledUsers = this.enrolledUsers;
@@ -180,5 +184,6 @@ private void updateProjects(String newOwner) throws IOException, ServletExceptio
             project.update();
         }
     }
+
 }
 
diff --git a/app/views/error/forbidden_organization.scala.html b/app/views/error/forbidden_organization.scala.html
@@ -18,11 +18,14 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 **@
-@(messageKey:String = "error.forbidden", organization: Organization)
+@(messageKey:String = "error.forbidden", org: Organization)
 
-@siteLayout(organization.name, utils.MenuType.NONE) {
-    <div class="site-breadcrumb-outer">
-        <div class="site-breadcrumb-inner">
+@organizationLayout(org.name, utils.MenuType.NONE, org) {
+    @organization.header(org)
+    @organization.menu(org)
+
+    <div class="page-wrap-outer">
+        <div class="project-page-wrap">
             <div class="error-wrap">
                 <i class="ico ico-err2"></i>
                 <p>@Messages(messageKey)</p>

diff --git a/app/views/organization/menu.scala.html b/app/views/organization/menu.scala.html
@@ -31,12 +31,11 @@
         </ul>
         <div class="project-setting">
             <ul class="project-menu-nav">
-                @if(OrganizationUser.isAdmin(org, UserApp.currentUser)) {
+                @if(OrganizationUser.isAdmin(org, UserApp.currentUser) || UserApp.currentUser().isSiteManager) {
                     <li class="">
                         <a href="@routes.OrganizationApp.settingForm(org.name)">
                             <i class="yobicon-cog"></i>
                             <span class="blind">@Messages("menu.admin")</span>
-
                         </a>
                     <li>
                 }