Merge remote-tracking branch 'origin/master'

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/page/PageBase.java

@@ -2158,7 +2158,7 @@ private boolean isMenuItemAuthorized(Class<? extends PageAdmin> newPageClass) {
         return false;
     }
 
-    private void createFocusPageViewMenu(List<MenuItem> submenu, String viewKey,
+    private void  createFocusPageViewMenu(List<MenuItem> submenu, String viewKey,
                                          final Class<? extends PageBase> newPageType) {
         MenuItem view = new MenuItem(createStringResource(viewKey), newPageType, null, new VisibleEnableBehaviour() {
             private static final long serialVersionUID = 1L;

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/cases/PageCaseWorkItem.java

@@ -30,6 +30,7 @@
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.web.application.AuthorizationAction;
 import com.evolveum.midpoint.web.application.PageDescriptor;
+import com.evolveum.midpoint.web.application.Url;
 import com.evolveum.midpoint.web.component.AjaxButton;
 import com.evolveum.midpoint.web.component.util.VisibleBehaviour;
 import com.evolveum.midpoint.web.page.admin.workflow.CaseWorkItemSummaryPanel;
@@ -56,7 +57,12 @@
 /**
  * @author mederly
  */
-@PageDescriptor(url = "/admin/caseWorkItem", encoder = OnePageParameterEncoder.class, action = {
+@PageDescriptor(
+		urls = {
+				@Url(mountUrl = "/admin/caseWorkItem", matchUrlForSecurity = "/admin/caseWorkItem")
+		},
+		encoder = OnePageParameterEncoder.class,
+		action = {
 		@AuthorizationAction(actionUri = PageAdminCaseWorkItems.AUTH_CASE_WORK_ITEMS_ALL,
 				label = PageAdminCaseWorkItems.AUTH_CASE_WORK_ITEMS_ALL_LABEL,
 				description = PageAdminCaseWorkItems.AUTH_CASE_WORK_ITEMS_ALL_DESCRIPTION),

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/cases/PageCases.java

@@ -47,7 +47,7 @@
         urls = {
                 @Url(mountUrl = "/admin/casesAll", matchUrlForSecurity = "/admin/casesAll")
         }, action = {
-        @AuthorizationAction(actionUri = PageAdminCases.AUTH_CASES_ALL_LABEL,
+        @AuthorizationAction(actionUri = PageAdminCases.AUTH_CASES_ALL,
                 label = PageAdminCases.AUTH_CASES_ALL_LABEL,
                 description = PageAdminCases.AUTH_CASES_ALL_DESCRIPTION),
         @AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_UI_CASES_ALL_URL,

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/cases/PageCasesAll.java

@@ -12,7 +12,7 @@
         urls = {
                 @Url(mountUrl = "/admin/casesAll", matchUrlForSecurity = "/admin/casesAll")
         }, action = {
-        @AuthorizationAction(actionUri = PageAdminCases.AUTH_CASES_ALL_LABEL,
+        @AuthorizationAction(actionUri = PageAdminCases.AUTH_CASES_ALL,
                 label = PageAdminCases.AUTH_CASES_ALL_LABEL,
                 description = PageAdminCases.AUTH_CASES_ALL_DESCRIPTION),
         @AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_UI_CASES_ALL_URL,

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/cases/PageCasesAllocatedToMe.java

@@ -12,7 +12,7 @@
         urls = {
                 @Url(mountUrl = "/admin/casesAllocatedToMe", matchUrlForSecurity = "/admin/casesAllocatedToMe")
         }, action = {
-        @AuthorizationAction(actionUri = PageAdminCases.AUTH_CASES_ALLOCATED_TO_ME_LABEL,
+        @AuthorizationAction(actionUri = PageAdminCases.AUTH_CASES_ALLOCATED_TO_ME,
                 label = PageAdminCases.AUTH_CASES_ALLOCATED_TO_ME_LABEL,
                 description = PageAdminCases.AUTH_CASES_ALLOCATED_TO_ME_DESCRIPTION),
         @AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_UI_CASES_ALLOCATED_TO_ME_URL,

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/PageUrlMapping.java

@@ -65,6 +65,16 @@ public enum PageUrlMapping {
                     "PageAdminRoles.authUri.rolesAll.label", "PageAdminRoles.authUri.guiAll.description"),
             new AuthorizationActionValue(AUTZ_GUI_ALL_DEPRECATED_URL,
                     "PageAdminRoles.authUri.rolesAll.label", "PageAdminRoles.authUri.guiAll.description")
+    }),
+    CASE_DETAILS("/admin/caseWorkItem/**", new DisplayableValue[]{
+            new AuthorizationActionValue(AUTZ_UI_CASE_WORK_ITEM_URL,
+                    "PageCaseWorkItems.authUri.resourceDetails.label", "PageAdminResources.authUri.resourceDetails.description"),
+            new AuthorizationActionValue(AUTZ_UI_CASE_WORK_ITEMS_ALL_URL,
+                    "PageCaseWorkItems.authUri.resourcesAll.label", "PageAdminResources.authUri.resourcesAll.description"),
+            new AuthorizationActionValue(AUTZ_GUI_ALL_URL,
+                    "PageCaseWorkItems.authUri.rolesAll.label", "PageAdminRoles.authUri.guiAll.description"),
+            new AuthorizationActionValue(AUTZ_GUI_ALL_DEPRECATED_URL,
+                    "PageCaseWorkItems.authUri.rolesAll.label", "PageAdminRoles.authUri.guiAll.description")
     });
 
     private String url;

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensElementContext.java

@@ -844,6 +844,12 @@ public void forEachObject(Consumer<PrismObject<O>> consumer) {
 		}
 	}
 
+	public void forEachDelta(Consumer<ObjectDelta<O>> consumer) {
+		if (primaryDelta != null) {
+			consumer.accept(primaryDelta);
+		}
+	}
+
 	public void finishBuild() {
 		if (primaryDelta != null) {
 			primaryDelta.normalize();

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensFocusContext.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@
 package com.evolveum.midpoint.model.impl.lens;
 
 import java.util.*;
+import java.util.function.Consumer;
 
 import com.evolveum.midpoint.prism.delta.ObjectDeltaCollectionsUtil;
 import com.evolveum.midpoint.prism.equivalence.EquivalenceStrategy;
@@ -587,4 +588,14 @@ public void setItemDefinitionsMap(@NotNull Map<UniformItemPath, ObjectTemplateIt
 	public Map<UniformItemPath, ObjectTemplateItemDefinitionType> getItemDefinitionsMap() {
 		return itemDefinitionsMap;
 	}
+
+	@Override
+	public void forEachDelta(Consumer<ObjectDelta<O>> consumer) {
+		super.forEachDelta(consumer);
+		for (ObjectDelta<O> secondaryDelta : secondaryDeltas) {
+			consumer.accept(secondaryDelta);
+		}
+	}
+
+
 }

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensProjectionContext.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,6 +23,7 @@
 import java.util.Map;
 import java.util.Map.Entry;
 import java.util.Objects;
+import java.util.function.Consumer;
 
 import javax.xml.namespace.QName;
 
@@ -1520,4 +1521,11 @@ public boolean hasPendingOperations() {
 		return !current.asObjectable().getPendingOperation().isEmpty();
 	}
 
+	@Override
+	public void forEachDelta(Consumer<ObjectDelta<ShadowType>> consumer) {
+		super.forEachDelta(consumer);
+		if (secondaryDelta != null) {
+			consumer.accept(secondaryDelta);
+		}
+	}
 }

model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityBasic.java

@@ -37,8 +37,10 @@
 import com.evolveum.midpoint.common.refinery.RefinedObjectClassDefinition;
 import com.evolveum.midpoint.model.api.ModelExecuteOptions;
 import com.evolveum.midpoint.model.api.RoleSelectionSpecification;
+import com.evolveum.midpoint.model.api.context.ModelContext;
 import com.evolveum.midpoint.prism.Item;
 import com.evolveum.midpoint.prism.ItemDefinition;
+import com.evolveum.midpoint.prism.Objectable;
 import com.evolveum.midpoint.prism.PrismContainerValue;
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.prism.PrismObjectDefinition;
@@ -47,6 +49,7 @@
 import com.evolveum.midpoint.prism.delta.ItemDelta;
 import com.evolveum.midpoint.prism.delta.ObjectDelta;
 import com.evolveum.midpoint.prism.delta.ReferenceDelta;
+import com.evolveum.midpoint.prism.delta.builder.S_ItemEntry;
 import com.evolveum.midpoint.prism.query.NoneFilter;
 import com.evolveum.midpoint.prism.query.ObjectFilter;
 import com.evolveum.midpoint.prism.query.ObjectQuery;
@@ -1038,7 +1041,8 @@ public void test218AutzJackPropReadSomeModifySomeExecAll() throws Exception {
 
     /**
      * FullName is computed in user template. It is not readable, therefore it should not be present in the preview deltas.
-     *	But it is modifiable (execution). Therefore the real modify operation should pass.
+     * But it is modifiable (execution). Therefore the real modify operation should pass.
+     * MID-5595
      */
     @Test
     public void test219AutzJackPropReadSomeModifySomeFullName() throws Exception {
@@ -1047,6 +1051,7 @@ public void test219AutzJackPropReadSomeModifySomeFullName() throws Exception {
         // GIVEN
         cleanupAutzTest(USER_JACK_OID);
         assignRole(USER_JACK_OID, ROLE_PROP_READ_SOME_MODIFY_SOME_FULLNAME_OID);
+        assignAccountToUser(USER_JACK_OID, RESOURCE_DUMMY_OID, null);
         login(USER_JACK_USERNAME);
 
         // WHEN
@@ -1066,8 +1071,89 @@ public void test219AutzJackPropReadSomeModifySomeFullName() throws Exception {
         		.assertAdministrativeStatus(ActivationStatusType.ENABLED)
         		.assertNoEffectiveStatus();
 
-        // TODO: preview
-
+        ObjectDelta<UserType> jackGivenNameDelta = deltaFor(UserType.class)
+        	.item(UserType.F_GIVEN_NAME).replace(createPolyString("Jackie"))
+        	.asObjectDelta(USER_JACK_OID);
+
+        Task task = createTask(TEST_NAME);
+        OperationResult result = task.getResult();
+
+        // WHEN: preview changes
+        ModelContext<UserType> previewContext = previewChanges(jackGivenNameDelta, null, task, result);
+
+        assertSuccess(result);
+        assertPreviewContext(previewContext)
+        	.focusContext()
+        		.objectOld()
+        			.assertName(USER_JACK_USERNAME)
+        			.asUser()
+	        			.assertNoFullName()
+	                	.assertGivenName(USER_JACK_GIVEN_NAME)
+	                	.assertNoFamilyName()
+	                	.end()
+        			.end()
+    			.objectCurrent()
+        			.assertName(USER_JACK_USERNAME)
+        			.asUser()
+	        			.assertNoFullName()
+	                	.assertGivenName(USER_JACK_GIVEN_NAME)
+	                	.assertNoFamilyName()
+	                	.end()
+        			.end()
+    			.objectNew()
+        			.assertName(USER_JACK_USERNAME)
+        			.asUser()
+	        			.assertNoFullName()
+	                	.assertGivenName("Jackie")
+	                	.assertNoFamilyName()
+	                	.end()
+        			.end()
+        		.primaryDelta()
+        			.assertModify()
+    				.assertModifications(1)
+    				.property(UserType.F_GIVEN_NAME)
+    					.valuesToReplace()
+    						.single()
+    							.assertPolyStringValue("Jackie")
+    							.end()
+    						.end()
+    					.end()
+    				.end()
+    			.secondaryDelta()
+    				// Secondary delta should be there. Because we are changing something.
+    				// But the user does not have authorization to read fullname.
+    				// Therefore the delta should be empty.
+    				.assertModify()
+    				.assertModifications(0)
+    				.end()
+    			.end()
+    		.projectionContexts()
+    			.single()
+    				.objectOld()
+    					.assertKind(ShadowKindType.ACCOUNT)
+    					.assertObjectClass()
+    					.assertNoAttributes()
+    					.end()
+					.objectCurrent()
+    					.assertKind(ShadowKindType.ACCOUNT)
+    					.assertObjectClass()
+    					.assertNoAttributes()
+    					.assertAdministrativeStatus(ActivationStatusType.ENABLED)
+    					.end()
+					.objectNew()
+    					.assertKind(ShadowKindType.ACCOUNT)
+    					.assertObjectClass()
+    					.assertNoAttributes()
+    					.assertAdministrativeStatus(ActivationStatusType.ENABLED)
+    					.end()
+    				.assertNoPrimaryDelta()
+    				.secondaryDelta()
+    					.assertModify()
+    					// Read of shadow attributes not allowed
+    					.assertModifications(0);
+
+
+        // WHEN: real modification
         assertModifyAllow(UserType.class, USER_JACK_OID, UserType.F_GIVEN_NAME, createPolyString("Jackie"));
 
         userJack = getUser(USER_JACK_OID);
@@ -1102,8 +1188,6 @@ public void test219AutzJackPropReadSomeModifySomeFullName() throws Exception {
 
         assertDeleteDeny();
 
-        // TODO: preview add object
-
         loginAdministrator();
 
         userJack = getUser(USER_JACK_OID);

model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityMultitenant.java

@@ -148,7 +148,7 @@ public class TestSecurityMultitenant extends AbstractSecurityTest {
 
 	protected static final String USER_LETO_ATREIDES_OID = "00000000-8888-6666-a200-200000000000";
 	protected static final String USER_LETO_ATREIDES_NAME = "leto";
-	protected static final String USER_LETO_ATREIDES_FULL_NAME = "Duke Leto Atreides";
+	protected static final String USER_LETO_ATREIDES_FULL_NAME = "Leto Atreides";
 
 	protected static final String USER_PAUL_ATREIDES_OID = "00000000-8888-6666-a200-200000000001";
 	protected static final String USER_PAUL_ATREIDES_NAME = "paul";

model/model-intest/src/test/resources/security/multitenant/org-multitenant.xml

@@ -577,7 +577,7 @@
 		<name>leto</name>
 		<givenName>Leto</givenName>
 		<familyName>Atreides</familyName>
-		<fullName>Duke Leto Atreides</fullName>
+		<fullName>Leto Atreides</fullName>
 		<honorificPrefix>Duke</honorificPrefix>
 		<assignment id="1">
 			<targetRef oid="00000000-8888-6666-a200-000000000000" type="OrgType"/> <!-- House Atreides -->