Permissions for editable tables should use property path #PL-4074

2024-12-05 04:38:10 +08:00 · 2014-07-29 10:01:12 +00:00 · 2014-07-29 10:01:12 +00:00 · 6e3b5a8a30
commit 6e3b5a8a30
parent c56a2ba97a
2 changed files with 12 additions and 8 deletions
--- a/modules/desktop/src/com/haulmont/cuba/desktop/gui/components/DesktopAbstractTable.java
+++ b/modules/desktop/src/com/haulmont/cuba/desktop/gui/components/DesktopAbstractTable.java
@ -33,7 +33,6 @@ import com.haulmont.cuba.gui.data.impl.CollectionDsListenerAdapter;
 import com.haulmont.cuba.gui.data.impl.DatasourceImplementation;
 import com.haulmont.cuba.gui.presentations.Presentations;
 import com.haulmont.cuba.security.entity.EntityAttrAccess;
-import com.haulmont.cuba.security.entity.EntityOp;
 import com.haulmont.cuba.security.global.UserSession;
 import net.miginfocom.layout.CC;
 import net.miginfocom.swing.MigLayout;
@ -602,11 +601,9 @@ public abstract class DesktopAbstractTable<C extends JXTable>
        List<Object> columnsOrder = new ArrayList<>();
        for (Table.Column column : this.columnsOrder) {
            if (column.getId() instanceof MetaPropertyPath) {
-                MetaProperty colMetaProperty = ((MetaPropertyPath) column.getId()).getMetaProperty();
-                MetaClass colMetaClass = colMetaProperty.getDomain();
-                if (userSession.isEntityOpPermitted(colMetaClass, EntityOp.READ)
-                        && userSession.isEntityAttrPermitted(
-                        colMetaClass, colMetaProperty.getName(), EntityAttrAccess.VIEW)) {
+                MetaPropertyPath propertyPath = (MetaPropertyPath) column.getId();
+
+                if (security.isEntityPropertyPathPermitted(metaClass, propertyPath.toString(), EntityAttrAccess.VIEW)) {
                    columnsOrder.add(column.getId());
                }
            } else {
--- a/modules/global/src/com/haulmont/cuba/core/sys/SecurityImpl.java
+++ b/modules/global/src/com/haulmont/cuba/core/sys/SecurityImpl.java
@ -79,8 +79,15 @@ public class SecurityImpl implements Security {
        MetaProperty chainProperty = propertyChain[chainIndex];

        if (chainIndex == propertyChain.length - 1) {
-            return isEntityOpPermitted(metaClass, EntityOp.READ)
-                    && isEntityAttrPermitted(metaClass, chainProperty.getName(), access);
+            if (access == EntityAttrAccess.VIEW) {
+                return isEntityOpPermitted(metaClass, EntityOp.READ)
+                        && isEntityAttrPermitted(metaClass, chainProperty.getName(), access);
+            } else if (access == EntityAttrAccess.MODIFY) {
+                return isEntityOpPermitted(metaClass, EntityOp.UPDATE)
+                        && isEntityAttrPermitted(metaClass, chainProperty.getName(), access);
+            } else {
+                return false;
+            }
        } else {
            MetaClass chainMetaClass = chainProperty.getRange().asClass();