IDEMPIERE-3935 Validate access level vs user level
parent
b52490c10e
commit
08699f61e9
|
@ -45,6 +45,7 @@ import org.compiere.util.KeyNamePair;
|
|||
import org.compiere.util.Msg;
|
||||
import org.compiere.util.Trace;
|
||||
import org.compiere.util.Util;
|
||||
import org.compiere.wf.MWorkflow;
|
||||
|
||||
/**
|
||||
* Role Model.
|
||||
|
@ -1650,6 +1651,14 @@ public final class MRole extends X_AD_Role
|
|||
setAccessMap("m_processAccess", mergeAccess(getAccessMap("m_processAccess"), directAccess, true));
|
||||
} // reload
|
||||
Boolean retValue = m_processAccess.get(AD_Process_ID);
|
||||
if (retValue != null && retValue.booleanValue()) {
|
||||
MProcess process = MProcess.get(getCtx(), AD_Process_ID);
|
||||
if (! isAccessLevelCompatible(process.getAccessLevel())) {
|
||||
log.warning("Role " + getName() + " has assigned access incompatible process " + process.getName());
|
||||
m_processAccess.remove(AD_Process_ID);
|
||||
retValue = null;
|
||||
}
|
||||
}
|
||||
return retValue;
|
||||
} // getProcessAccess
|
||||
|
||||
|
@ -1730,6 +1739,14 @@ public final class MRole extends X_AD_Role
|
|||
setAccessMap("m_taskAccess", mergeAccess(getAccessMap("m_taskAccess"), directAccess, true));
|
||||
} // reload
|
||||
Boolean retValue = m_taskAccess.get(AD_Task_ID);
|
||||
if (retValue != null && retValue.booleanValue()) {
|
||||
MTask task = new MTask(getCtx(), AD_Task_ID, get_TrxName());
|
||||
if (! isAccessLevelCompatible(task.getAccessLevel())) {
|
||||
log.warning("Role " + getName() + " has assigned access incompatible task " + task.getName());
|
||||
m_taskAccess.remove(AD_Task_ID);
|
||||
retValue = null;
|
||||
}
|
||||
}
|
||||
return retValue;
|
||||
} // getTaskAccess
|
||||
|
||||
|
@ -1810,6 +1827,14 @@ public final class MRole extends X_AD_Role
|
|||
setAccessMap("m_formAccess", mergeAccess(getAccessMap("m_formAccess"), directAccess, true));
|
||||
} // reload
|
||||
Boolean retValue = m_formAccess.get(AD_Form_ID);
|
||||
if (retValue != null && retValue.booleanValue()) {
|
||||
MForm form = new MForm(getCtx(), AD_Form_ID, get_TrxName());
|
||||
if (! isAccessLevelCompatible(form.getAccessLevel())) {
|
||||
log.warning("Role " + getName() + " has assigned access incompatible form " + form.getName());
|
||||
m_formAccess.remove(AD_Form_ID);
|
||||
retValue = null;
|
||||
}
|
||||
}
|
||||
return retValue;
|
||||
} // getFormAccess
|
||||
|
||||
|
@ -1890,8 +1915,16 @@ public final class MRole extends X_AD_Role
|
|||
setAccessMap("m_workflowAccess", mergeAccess(getAccessMap("m_workflowAccess"), directAccess, true));
|
||||
} // reload
|
||||
Boolean retValue = m_workflowAccess.get(AD_Workflow_ID);
|
||||
if (retValue != null && retValue.booleanValue()) {
|
||||
MWorkflow workflow = MWorkflow.get(getCtx(), AD_Workflow_ID);
|
||||
if (! isAccessLevelCompatible(workflow.getAccessLevel())) {
|
||||
log.warning("Role " + getName() + " has assigned access incompatible workflow " + workflow.getName());
|
||||
m_workflowAccess.remove(AD_Workflow_ID);
|
||||
retValue = null;
|
||||
}
|
||||
}
|
||||
return retValue;
|
||||
} // getTaskAccess
|
||||
} // getWorkflowAccess
|
||||
|
||||
|
||||
/*************************************************************************
|
||||
|
@ -3160,6 +3193,16 @@ public final class MRole extends X_AD_Role
|
|||
setAccessMap("m_infoAccess", mergeAccess(getAccessMap("m_infoAccess"), directAccess, true));
|
||||
} // reload
|
||||
Boolean retValue = m_infoAccess.get(AD_InfoWindow_ID);
|
||||
/* Info Window doesn't have AccessLevel
|
||||
if (retValue != null && retValue.booleanValue()) {
|
||||
MInfoWindow infoWindow = new MInfoWindow(getCtx(), AD_InfoWindow_ID, get_TrxName());
|
||||
if (! isAccessLevelCompatible(infoWindow.getAccessLevel())) {
|
||||
log.warning("Role " + getName() + " has assigned access incompatible info window " + infoWindow.getName());
|
||||
m_infoAccess.remove(AD_InfoWindow_ID);
|
||||
retValue = null;
|
||||
}
|
||||
}
|
||||
*/
|
||||
return retValue;
|
||||
}
|
||||
|
||||
|
@ -3245,4 +3288,47 @@ public final class MRole extends X_AD_Role
|
|||
return whereClause.toString();
|
||||
}
|
||||
|
||||
/*
|
||||
* Verify compatibility of AD_Role.UserLevel vs Access Level
|
||||
* @param accessLevel the access level of the dictionary object
|
||||
* @return true if access and user level are compatible
|
||||
*/
|
||||
private boolean isAccessLevelCompatible(String accessLevel) {
|
||||
boolean access = false;
|
||||
switch (getUserLevel()) {
|
||||
case USERLEVEL_System:
|
||||
switch (accessLevel) {
|
||||
case MProcess.ACCESSLEVEL_SystemOnly:
|
||||
case MProcess.ACCESSLEVEL_SystemPlusClient:
|
||||
case MProcess.ACCESSLEVEL_All:
|
||||
access = true;
|
||||
}
|
||||
case USERLEVEL_Client:
|
||||
switch (accessLevel) {
|
||||
case MProcess.ACCESSLEVEL_ClientOnly:
|
||||
case MProcess.ACCESSLEVEL_ClientPlusOrganization:
|
||||
case MProcess.ACCESSLEVEL_SystemPlusClient:
|
||||
case MProcess.ACCESSLEVEL_All:
|
||||
access = true;
|
||||
}
|
||||
case USERLEVEL_Organization:
|
||||
switch (accessLevel) {
|
||||
case MProcess.ACCESSLEVEL_Organization:
|
||||
case MProcess.ACCESSLEVEL_ClientPlusOrganization:
|
||||
case MProcess.ACCESSLEVEL_All:
|
||||
access = true;
|
||||
}
|
||||
case USERLEVEL_ClientPlusOrganization:
|
||||
switch (accessLevel) {
|
||||
case MProcess.ACCESSLEVEL_Organization:
|
||||
case MProcess.ACCESSLEVEL_ClientOnly:
|
||||
case MProcess.ACCESSLEVEL_ClientPlusOrganization:
|
||||
case MProcess.ACCESSLEVEL_SystemPlusClient:
|
||||
case MProcess.ACCESSLEVEL_All:
|
||||
access = true;
|
||||
}
|
||||
}
|
||||
return access;
|
||||
}
|
||||
|
||||
} // MRole
|
||||
|
|
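Review bot: The outer `switch (getUserLevel())` in `isAccessLevelCompatible` has no `break` after any of its inner `switch` blocks, so every case falls through to the ones below it and the check is much weaker than the per-level lists suggest. As written, a `USERLEVEL_Organization` role asked about `MProcess.ACCESSLEVEL_ClientOnly` misses its own list, falls into the `USERLEVEL_ClientPlusOrganization` case and returns true; a `USERLEVEL_System` role likewise passes client-only and organization-only objects, so in effect the only combination refused is `ACCESSLEVEL_SystemOnly` for a non-System role. Add `break;` after the closing brace of each inner switch, and cover every user level and access level pair with a test, since this method now gates `getProcessAccess`, `getTaskAccess`, `getFormAccess` and `getWorkflowAccess`. The header comment also opens with `/*` rather than `/**`, so its `@param` and `@return` tags are not picked up as Javadoc.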