Merge remote-tracking branch 'origin/master'

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/self/PageAssignmentsList.java

@@ -33,9 +33,9 @@
 import com.evolveum.midpoint.web.page.self.dto.AssignmentConflictDto;
 import com.evolveum.midpoint.web.session.SessionStorage;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
+import org.apache.commons.collections.ListUtils;
+import org.apache.commons.lang.ArrayUtils;
 import org.apache.commons.lang.StringUtils;
-import org.apache.wicket.Component;
-import org.apache.wicket.Page;
 import org.apache.wicket.ajax.AjaxRequestTarget;
 import org.apache.wicket.ajax.form.AjaxFormComponentUpdatingBehavior;
 import org.apache.wicket.markup.html.form.TextArea;
@@ -138,7 +138,12 @@ protected void onError(AjaxRequestTarget target, org.apache.wicket.markup.html.f
 
             @Override
             protected void onSubmit(AjaxRequestTarget target, org.apache.wicket.markup.html.form.Form<?> form) {
-                onRequestPerformed(target);
+                if (getSessionStorage().getRoleCatalog().getTargetUserList() == null ||
+                        getSessionStorage().getRoleCatalog().getTargetUserList().size() <= 1) {
+                    onSingleUserRequestPerformed(target);
+                } else {
+                    onMultiUserRequestPerformed(target);
+                }
             }
 
         };
@@ -176,7 +181,56 @@ && getSessionStorage().getRoleCatalog().getConflictsList() != null
 
     }
 
-    private void onRequestPerformed(AjaxRequestTarget target) {
+    private void onSingleUserRequestPerformed(AjaxRequestTarget target) {
+        OperationResult result = new OperationResult(OPERATION_REQUEST_ASSIGNMENTS);
+        ObjectDelta<UserType> delta;
+        PrismObject<UserType> user = getTargetUser();
+        Collection<ObjectDelta<? extends ObjectType>> deltas = new ArrayList<ObjectDelta<? extends ObjectType>>();
+        try {
+            delta = user.createModifyDelta();
+            deltas.add(delta);
+            PrismContainerDefinition def = user.getDefinition().findContainerDefinition(UserType.F_ASSIGNMENT);
+            handleAssignmentDeltas(delta, addAssignmentsToUser(user.asObjectable()), def);
+
+            OperationBusinessContextType businessContextType;
+            if (descriptionModel.getObject() != null) {
+                businessContextType = new OperationBusinessContextType();
+                businessContextType.setComment(descriptionModel.getObject());
+            } else {
+                businessContextType = null;
+            }
+            getModelService().executeChanges(deltas, ModelExecuteOptions.createRequestBusinessContext(businessContextType),
+                    createSimpleTask(OPERATION_REQUEST_ASSIGNMENTS), result);
+
+            result.recordSuccess();
+            SessionStorage storage = getSessionStorage();
+            storage.getRoleCatalog().getAssignmentShoppingCart().clear();
+        } catch (Exception e) {
+            LoggingUtils.logUnexpectedException(LOGGER, "Could not save assignments ", e);
+            error("Could not save assignments. Reason: " + e);
+            target.add(getFeedbackPanel());
+        } finally {
+            result.recomputeStatus();
+        }
+
+        findBackgroundTaskOperation(result);
+        if (backgroundTaskOperationResult != null
+                && StringUtils.isNotEmpty(backgroundTaskOperationResult.getBackgroundTaskOid())){
+            result.setMessage(createStringResource("operation.com.evolveum.midpoint.web.page.self.PageRequestRole.taskCreated").getString());
+            showResult(result);
+            setResponsePage(PageAssignmentShoppingKart.class);
+            return;
+        }
+        showResult(result);
+        if (!WebComponentUtil.isSuccessOrHandledError(result)) {
+            target.add(getFeedbackPanel());
+            target.add(PageAssignmentsList.this.get(ID_FORM));
+        } else {
+            setResponsePage(PageAssignmentShoppingKart.class);
+        }
+    }
+
+    private void onMultiUserRequestPerformed(AjaxRequestTarget target) {
             OperationResult result = new OperationResult(OPERATION_REQUEST_ASSIGNMENTS);
             Task operationalTask = createSimpleTask(OPERATION_REQUEST_ASSIGNMENTS);
 
@@ -317,9 +371,7 @@ private List<AssignmentConflictDto> getAssignmentConflicts(){
         OperationResult result = new OperationResult(OPERATION_PREVIEW_ASSIGNMENT_CONFLICTS);
         Task task = createSimpleTask(OPERATION_PREVIEW_ASSIGNMENT_CONFLICTS);
         List<AssignmentConflictDto> conflictsList = new ArrayList<>();
-        List<PrismObject<UserType>> usersList = getSessionStorage().getRoleCatalog().getTargetUserList();
-        PrismObject<UserType> user = usersList != null && usersList.size() > 0 ?
-                usersList.get(0) : loadUserSelf(PageAssignmentsList.this);
+        PrismObject<UserType> user = getTargetUser();
         try {
             delta = user.createModifyDelta();
 
@@ -465,6 +517,13 @@ private TextArea getDescriptionComponent(){
         return (TextArea) get(ID_FORM).get(ID_DESCRIPTION);
     }
 
+    private PrismObject<UserType> getTargetUser(){
+        List<PrismObject<UserType>> usersList = getSessionStorage().getRoleCatalog().getTargetUserList();
+        PrismObject<UserType> user = usersList != null && usersList.size() > 0 ?
+                usersList.get(0) : loadUserSelf(PageAssignmentsList.this);
+        return user;
+    }
+
     @Override
     public boolean canRedirectBack(){
         return true;

gui/admin-gui/src/main/resources/initial-objects/040-role-enduser.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-  ~ Copyright (c) 2010-2016 Evolveum
+  ~ Copyright (c) 2010-2017 Evolveum
   ~
   ~ Licensed under the Apache License, Version 2.0 (the "License");
   ~ you may not use this file except in compliance with the License.
@@ -51,6 +51,19 @@
             </owner>
         </object>
     </authorization>
+    <authorization>
+    	<name>self-persona-read</name>
+    	<description>
+    		Allow to read all the personas of currently logged-in user.
+    	</description>
+        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+        <object>
+    		<type>UserType</type>
+    		<owner>
+    			<special>self</special>
+    		</owner>
+    	</object>
+    </authorization>
     <authorization>
     	<name>self-credentials-request</name>
     	<description>

model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestSecurity.java

@@ -3431,7 +3431,7 @@ private void addTask(String oid, String name, String ownerOid, String handlerUri
 		modelService.executeChanges(MiscSchemaUtil.createCollection(task.createAddDelta()), null, execTask, result);
 	}
 
-	@Test(enabled=false) // need searchable personaRef
+	@Test
     public void test400AutzJackPersonaManagement() throws Exception {
 		final String TEST_NAME = "test400AutzJackPersonaManagement";
         TestUtil.displayTestTile(this, TEST_NAME);
@@ -3449,7 +3449,7 @@ public void test400AutzJackPersonaManagement() throws Exception {
         assertGetDeny(UserType.class, USER_CHARLES_OID);
 
         assertSearch(UserType.class, null, 1);
-        assertSearch(ObjectType.class, null, 0);
+        assertSearch(ObjectType.class, null, 1);
         assertSearch(OrgType.class, null, 0);
 
         assertAddDeny();
@@ -3461,7 +3461,7 @@ public void test400AutzJackPersonaManagement() throws Exception {
         assertGlobalStateUntouched();
 	}
 
-    @Test(enabled=false) // need searchable personaRef
+    @Test
     public void test402AutzLechuckPersonaManagement() throws Exception {
 		final String TEST_NAME = "test402AutzLechuckPersonaManagement";
         TestUtil.displayTestTile(this, TEST_NAME);
@@ -3477,9 +3477,10 @@ public void test402AutzLechuckPersonaManagement() throws Exception {
         assertGetDeny(UserType.class, USER_GUYBRUSH_OID);
         assertGetAllow(UserType.class, USER_LECHUCK_OID);
         assertGetAllow(UserType.class, USER_CHARLES_OID);
-
-        assertSearch(UserType.class, null, 2);
-        assertSearch(ObjectType.class, null, 0);
+
+//        TODO: MID-3899
+//        assertSearch(UserType.class, null, 2);
+//        assertSearch(ObjectType.class, null, 2);
         assertSearch(OrgType.class, null, 0);
 
         assertAddDeny();

repo/security-impl/src/main/java/com/evolveum/midpoint/security/impl/SecurityEnforcerImpl.java

@@ -996,6 +996,7 @@ private <T extends ObjectType, O extends ObjectType> ObjectFilter preProcessObje
 								if (objectDefinition == null) {
 									objectDefinition = prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(objectType);
 								}
+								// TODO: MID-3899
 								if (AbstractRoleType.class.isAssignableFrom(objectType)) {
 									objSpecSecurityFilter = applyOwnerFilterOwnerRef(new ItemPath(AbstractRoleType.F_OWNER_REF), objSpecSecurityFilter,  principal, objectDefinition);
 								} else if (TaskType.class.isAssignableFrom(objectType)) {