Account information editing permissions fixed

Fix for #1053, also impacts #1054 Signed-off-by: Claudio Mezzasalma <claudio.mezzasalma@eurotech.com>
eclipse-kapua · Nov 23, 2017 · 00dcb80 · 00dcb80
1 parent 850f6fb
commit 00dcb80
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 11 deletions.
diff --git a/.../main/java/org/eclipse/kapua/app/console/module/account/server/GwtAccountServiceImpl.java b/.../main/java/org/eclipse/kapua/app/console/module/account/server/GwtAccountServiceImpl.java
@@ -56,6 +56,7 @@
 import org.eclipse.kapua.commons.setting.system.SystemSettingKey;
 import org.eclipse.kapua.commons.security.KapuaSecurityUtils;
 import org.eclipse.kapua.commons.util.SystemUtils;
+import org.eclipse.kapua.commons.util.ThrowingRunnable;
 import org.eclipse.kapua.locator.KapuaLocator;
 import org.eclipse.kapua.model.config.metatype.KapuaTad;
 import org.eclipse.kapua.model.config.metatype.KapuaTicon;
@@ -132,26 +133,38 @@ public GwtAccount create(GwtXSRFToken xsrfToken, GwtAccountCreator gwtAccountCre
             gwtAccount = KapuaGwtAccountModelConverter.convertAccount(account);
 
             // Create roles
-            RoleService roleService = locator.getService(RoleService.class);
+            final RoleService roleService = locator.getService(RoleService.class);
             RoleFactory roleFactory = locator.getFactory(RoleFactory.class);
             PermissionFactory permissionFactory = locator.getFactory(PermissionFactory.class);
             Permission adminPermission = permissionFactory.newPermission(null, null, account.getId(), null, true);
-            RoleCreator adminRoleCreator = roleFactory.newCreator(account.getId());
+            final RoleCreator adminRoleCreator = roleFactory.newCreator(account.getId());
             Set<Permission> adminPermissions = new HashSet<Permission>();
             adminPermissions.add(adminPermission);
             adminRoleCreator.setName("admin");
             adminRoleCreator.setScopeId(account.getId());
             adminRoleCreator.setPermissions(adminPermissions);
-            roleService.create(adminRoleCreator);
+            KapuaSecurityUtils.doPrivileged(new ThrowingRunnable() {
 
-            RoleCreator thingRoleCreator = roleFactory.newCreator(account.getId());
+                @Override
+                public void run() throws Exception {
+                    roleService.create(adminRoleCreator);
+                }
+            });
+
+            final RoleCreator thingRoleCreator = roleFactory.newCreator(account.getId());
             Permission thingPermission = permissionFactory.newPermission(new BrokerDomain(), Actions.connect, account.getId(), null, false);
             Set<Permission> thingPermissions = new HashSet<Permission>();
             thingPermissions.add(thingPermission);
             thingRoleCreator.setName("thing");
             thingRoleCreator.setScopeId(account.getId());
             thingRoleCreator.setPermissions(thingPermissions);
-            roleService.create(thingRoleCreator);
+            KapuaSecurityUtils.doPrivileged(new ThrowingRunnable() {
+
+                @Override
+                public void run() throws Exception {
+                    roleService.create(thingRoleCreator);
+                }
+            });
         } catch (Throwable t) {
             KapuaExceptionHandler.handle(t);
         }
@@ -274,11 +287,12 @@ public GwtAccount update(GwtXSRFToken xsrfToken, GwtAccount gwtAccount)
         checkXSRFToken(xsrfToken);
 
         GwtAccount gwtAccountUpdated = null;
-        KapuaId scopeId = KapuaEid.parseCompactId(gwtAccount.getId());
+        KapuaId scopeId = gwtAccount.getScopeId() != null ? KapuaEid.parseCompactId(gwtAccount.getScopeId()) : null;
+        KapuaId accountId = KapuaEid.parseCompactId(gwtAccount.getId());
         try {
             KapuaLocator locator = KapuaLocator.getInstance();
             AccountService accountService = locator.getService(AccountService.class);
-            Account account = accountService.find(scopeId);
+            Account account = scopeId != null ? accountService.find(scopeId, accountId) : accountService.find(accountId);
 
             account.getOrganization().setName(gwtAccount.getGwtOrganization().getName());
             account.getOrganization().setPersonName(gwtAccount.getGwtOrganization().getPersonName());
@@ -309,11 +323,12 @@ public void delete(GwtXSRFToken xsrfToken, GwtAccount gwtAccount)
         // Checking validity of the given XSRF Token
         checkXSRFToken(xsrfToken);
 
-        KapuaId kapuaId = KapuaEid.parseCompactId(gwtAccount.getId());
+        KapuaId scopeId = gwtAccount.getScopeId() != null ? KapuaEid.parseCompactId(gwtAccount.getScopeId()) : null;
+        KapuaId accountId = KapuaEid.parseCompactId(gwtAccount.getId());
         try {
             KapuaLocator locator = KapuaLocator.getInstance();
             AccountService accountService = locator.getService(AccountService.class);
-            Account account = accountService.find(kapuaId);
+            Account account = accountService.find(scopeId, accountId);
 
             if (account != null) {
                 accountService.delete(account.getScopeId(), account.getId());

diff --git a/...internal/src/main/java/org/eclipse/kapua/service/account/internal/AccountServiceImpl.java b/...internal/src/main/java/org/eclipse/kapua/service/account/internal/AccountServiceImpl.java
@@ -23,6 +23,7 @@
 import org.eclipse.kapua.KapuaIllegalAccessException;
 import org.eclipse.kapua.KapuaIllegalArgumentException;
 import org.eclipse.kapua.commons.configuration.AbstractKapuaConfigurableResourceLimitedService;
+import org.eclipse.kapua.commons.security.KapuaSecurityUtils;
 import org.eclipse.kapua.commons.setting.system.SystemSetting;
 import org.eclipse.kapua.commons.setting.system.SystemSettingKey;
 import org.eclipse.kapua.commons.util.ArgumentValidator;
@@ -115,7 +116,7 @@ public Account create(AccountCreator accountCreator)
                 properties.put(ad.getId(), ad.getDefault());
             }
         }
-        setConfigValues(createdAccount.getId(), createdAccount.getScopeId(), toValues(configMetadata, properties));
+        KapuaSecurityUtils.doPrivileged(() -> setConfigValues(createdAccount.getId(), createdAccount.getScopeId(), toValues(configMetadata, properties)));
 
         return createdAccount;
     }
@@ -132,7 +133,13 @@ public Account update(Account account)
 
         //
         // Check Access
-        authorizationService.checkPermission(permissionFactory.newPermission(ACCOUNT_DOMAIN, Actions.write, account.getId()));
+        if (KapuaSecurityUtils.getSession().getScopeId().equals(account.getId())) {
+            // Editing self
+            authorizationService.checkPermission(permissionFactory.newPermission(ACCOUNT_DOMAIN, Actions.write, account.getId()));
+        } else {
+            // Editing child
+            authorizationService.checkPermission(permissionFactory.newPermission(ACCOUNT_DOMAIN, Actions.write, account.getScopeId()));
+        }
 
         //
         // Do update