Fixing regression with parentOrgRef and security (also see MID-3234 a…

…nd MID-3233)
Evolveum · Jun 22, 2016 · b2471f6 · b2471f6
1 parent d19f56e
commit b2471f6
Show file tree

Hide file tree

Showing 3 changed files with 75 additions and 10 deletions.
diff --git a/...in/java/com/evolveum/midpoint/web/page/admin/users/component/AbstractRoleMemberPanel.java b/...in/java/com/evolveum/midpoint/web/page/admin/users/component/AbstractRoleMemberPanel.java
@@ -264,6 +264,7 @@ protected void okPerformed(QName type, AjaxRequestTarget target) {
 
 	}
 
+	// TODO: merge this with TreeTablePanel.initObjectForAdd, also see MID-3233
 	private void initObjectForAdd(ObjectReferenceType parentOrgRef, QName type, QName relation,
 			AjaxRequestTarget target) throws SchemaException {
 		getPageBase().hideMainPopup(target);
@@ -278,11 +279,17 @@ private void initObjectForAdd(ObjectReferenceType parentOrgRef, QName type, QNam
 			AssignmentType assignment = new AssignmentType();
 			assignment.setTargetRef(parentOrgRef);
 			((FocusType) objType).getAssignment().add(assignment);
-		} else {
-			if (parentOrgRef == null) {
-				parentOrgRef = createReference(relation);
-			}
+		} 
+
+		// Set parentOrgRef in any case. This is not strictly correct.
+		// The parentOrgRef should be added by the projector. But
+		// this is needed to successfully pass through security
+		// TODO: fix MID-3234
+		if (parentOrgRef == null) {
+			parentOrgRef = createReference(relation);
 			objType.getParentOrgRef().add(parentOrgRef);
+		} else {
+			objType.getParentOrgRef().add(parentOrgRef.clone());
 		}
 
 		Class newObjectPageClass = objectDetailsMap.get(obj.getCompileTimeClass());

diff --git a/...ui/src/main/java/com/evolveum/midpoint/web/page/admin/users/component/TreeTablePanel.java b/...ui/src/main/java/com/evolveum/midpoint/web/page/admin/users/component/TreeTablePanel.java
@@ -253,6 +253,7 @@ public void onClick(AjaxRequestTarget target) {
 		objectDetailsMap.put(TaskType.class, PageTaskEdit.class);
 	}
 
+	// TODO: merge this with AbstractRoleMemeberPanel.initObjectForAdd, also see MID-3233
 	private void initObjectForAdd(ObjectReferenceType parentOrgRef, QName type, QName relation,
 			AjaxRequestTarget target) throws SchemaException {
 		TreeTablePanel.this.getPageBase().hideMainPopup(target);
@@ -265,17 +266,26 @@ private void initObjectForAdd(ObjectReferenceType parentOrgRef, QName type, QNam
 			AssignmentType assignment = new AssignmentType();
 			assignment.setTargetRef(parentOrgRef);
 			((FocusType) objType).getAssignment().add(assignment);
-		} else {
-			if (parentOrgRef == null) {
-				ObjectType org = getTreePanel().getSelected().getValue();
-				parentOrgRef = ObjectTypeUtil.createObjectRef(org);
-				parentOrgRef.setRelation(relation);
-			}
+		}
 
+		// Set parentOrgRef in any case. This is not strictly correct.
+		// The parentOrgRef should be added by the projector. But
+		// this is needed to successfully pass through security
+		// TODO: fix MID-3234
+		if (parentOrgRef == null) {
+			ObjectType org = getTreePanel().getSelected().getValue();
+			parentOrgRef = ObjectTypeUtil.createObjectRef(org);
+			parentOrgRef.setRelation(relation);
 			objType.getParentOrgRef().add(parentOrgRef);
+		} else {
+			objType.getParentOrgRef().add(parentOrgRef.clone());
 		}
 
 		Class newObjectPageClass = objectDetailsMap.get(obj.getCompileTimeClass());
+
+		if (LOGGER.isDebugEnabled()) {
+			LOGGER.debug("Adding child by using page {}:\n{}", newObjectPageClass.getSimpleName(), obj.debugDump(1));
+		}
 
 		Constructor constructor = null;
 		try {

diff --git a/samples/evolveum/roles.xml b/samples/evolveum/roles.xml
@@ -53,4 +53,52 @@
 		<roleType>application</roleType>
 	</role>
 
+	<role oid="b613c706-3889-11e6-b175-d78cc67d7066">
+		<name>Delegated Identity Administrator</name>
+		<description>Allows full identity administration for organizations where the user is a manager.</description>
+		<authorization>
+	    	<name>gui-access</name>
+	    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#usersAll</action>
+	        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#orgAll</action>
+	    </authorization>
+		<authorization>
+	    	<name>autz-read</name>
+	    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+	    	<object>
+	    		<orgRelation>
+	    			<subjectRelation>org:manager</subjectRelation>
+	    			<scope>allDescendants</scope>
+	    			<includeReferenceOrg>true</includeReferenceOrg>
+	    		</orgRelation>
+	    	</object>
+	    </authorization>
+	    <authorization>
+	    	<name>autz-write</name>
+	    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
+	    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
+	    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
+	    	<object>
+	    		<orgRelation>
+	    			<subjectRelation>org:manager</subjectRelation>
+	    		</orgRelation>
+	    	</object>
+	    </authorization>
+	    <authorization>
+	    	<name>autz-shadow</name>
+	    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+	    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
+	    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
+	    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
+	    	<object>
+	    		<type>ShadowType</type>
+	    		<owner>
+	    			<orgRelation>
+		    			<subjectRelation>org:manager</subjectRelation>
+		    		</orgRelation>
+	    		</owner>
+	    	</object>
+	    </authorization>
+		<roleType>application</roleType>
+	</role>
+
 </objects>