Attept to do more work on security - needs to be postponed until the …

…parser branch is merged.

model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java

@@ -267,11 +267,24 @@ protected void importObjectFromFile(File file, OperationResult result) throws Fi
 		subResult.computeStatus();
 		if (subResult.isError()) {
 			LOGGER.error("Import of file "+file+" failed:\n{}", subResult.debugDump());
-			Throwable cause = subResult.getCause();
+			Throwable cause = findCause(subResult);
 			throw new SystemException("Import of file "+file+" failed: "+subResult.getMessage(), cause);
 		}
 	}
 
+	protected Throwable findCause(OperationResult result) {
+		if (result.getCause() != null) {
+			return result.getCause();
+		}
+		for (OperationResult sub: result.getSubresults()) {
+			Throwable cause = findCause(sub);
+			if (cause != null) {
+				return cause;
+			}
+		}
+		return null;
+	}
+
 	protected <T extends ObjectType> PrismObject<T> importAndGetObjectFromFile(Class<T> type, String filename, String oid, Task task, OperationResult result) throws FileNotFoundException, ObjectNotFoundException, SchemaException, SecurityViolationException, CommunicationException, ConfigurationException {
 		return importAndGetObjectFromFile(type, new File(filename), oid, task, result);
 	}

repo/security-impl/src/main/java/com/evolveum/midpoint/security/impl/SecurityEnforcerImpl.java

@@ -36,12 +36,17 @@
 import org.springframework.stereotype.Component;
 import org.w3c.dom.Element;
 
+import com.evolveum.midpoint.prism.Item;
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.prism.PrismObjectDefinition;
+import com.evolveum.midpoint.prism.PrismValue;
+import com.evolveum.midpoint.prism.delta.ItemDelta;
 import com.evolveum.midpoint.prism.delta.ObjectDelta;
 import com.evolveum.midpoint.prism.match.MatchingRuleRegistry;
+import com.evolveum.midpoint.prism.path.ItemPath;
 import com.evolveum.midpoint.prism.query.ObjectQuery;
 import com.evolveum.midpoint.schema.QueryConvertor;
+import com.evolveum.midpoint.schema.holder.XPathHolder;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.SchemaDebugUtil;
 import com.evolveum.midpoint.security.api.Authorization;
@@ -156,6 +161,14 @@ public <O extends ObjectType, T extends ObjectType> boolean isAuthorized(String
 								continue;
 							}
 
+							// item
+							if (isApplicableItem(autz, object, delta)) {
+								LOGGER.trace("  Authorization applicable for items (continuing evaluation)");
+							} else {
+								LOGGER.trace("  Authorization not applicable for items (breaking evaluation)");
+								continue;
+							}
+
 							// authority is applicable to this situation. now we can process the decision.
 							AuthorizationDecisionType decision = autz.getDecision();
 							if (decision == null || decision == AuthorizationDecisionType.ALLOW) {
@@ -284,6 +297,35 @@ private <O extends ObjectType> boolean isApplicable(ObjectSpecificationType obje
 		return false;
 	}
 
+	private <O extends ObjectType, T extends ObjectType> boolean isApplicableItem(Authorization autz,
+			PrismObject<O> object, ObjectDelta<O> delta) {
+		List<Element> itemPaths = autz.getItem();
+		if (itemPaths == null || itemPaths.isEmpty()) {
+			// No item constraints. Applicable for all items.
+			LOGGER.trace("  items empty");
+			return true;
+		}
+		return true;
+//		TODO: this has to wait for merge of "parser" branch
+//		for (Element itemPathElement: itemPaths) {
+//			XPathHolder xholder = new XPathHolder(itemPathElement);
+//			ItemPath itemPath = xholder.toItemPath();
+//			if (object != null) {
+//				Item<?> item = object.findItem(itemPath);
+//				if (item != null && ! item.isEmpty()) {
+//					return true;
+//				}
+//			}
+//			if (delta != null) {
+//				ItemDelta<PrismValue> itemDelta = delta.findItemDelta(itemPath);
+//				if (itemDelta != null && !itemDelta.isEmpty()) {
+//					return true;
+//				}
+//			}
+//		}
+//		return false;
+	}
+
 	/**
 	 * Spring security method. It is practically applicable only for simple cases.
 	 */