fixing authorization in GUI

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/util/ObjectWrapperUtil.java

@@ -11,6 +11,7 @@
 import com.evolveum.midpoint.web.component.prism.ContainerStatus;
 import com.evolveum.midpoint.web.component.prism.ObjectWrapper;
 import com.evolveum.midpoint.web.page.PageBase;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
@@ -24,7 +25,10 @@ public static <O extends ObjectType> ObjectWrapper createObjectWrapper(String di
 
 	public static <O extends ObjectType> ObjectWrapper createObjectWrapper(String displayName, String description, PrismObject<O> object, ContainerStatus status, boolean delayContainerCreation, PageBase pageBase) {
 		try {
-			PrismContainerDefinition objectDefinitionForEditing = pageBase.getModelInteractionService().getEditObjectDefinition(object);
+
+			AuthorizationPhaseType phase = getAuthorizationPhase(status);
+
+			PrismContainerDefinition objectDefinitionForEditing = pageBase.getModelInteractionService().getEditObjectDefinition(object, phase);
 			RefinedObjectClassDefinition objectClassDefinitionForEditing = null;
 			if (isShadow(object)) {
 				PrismReference resourceRef = object.findReference(ShadowType.F_RESOURCE_REF);
@@ -39,6 +43,21 @@ public static <O extends ObjectType> ObjectWrapper createObjectWrapper(String di
 		}
 	}
 
+	private static AuthorizationPhaseType getAuthorizationPhase(ContainerStatus status) {
+		if (status == null){
+			return null;
+		}
+		switch (status) {
+			case ADDING:
+				return AuthorizationPhaseType.REQUEST;
+			case MODIFYING:
+				return AuthorizationPhaseType.EXECUTION;
+
+			default:
+				return null;
+		}
+	}
+
 	private static boolean isShadow(PrismObject object){
 		return (object.getCompileTimeClass() != null && ShadowType.class.isAssignableFrom(object
 				.getCompileTimeClass()))

model/model-api/src/main/java/com/evolveum/midpoint/model/api/ModelInteractionService.java

@@ -32,6 +32,7 @@
 import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
 import com.evolveum.midpoint.util.exception.SchemaException;
 import com.evolveum.midpoint.util.exception.SecurityViolationException;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType;
@@ -99,7 +100,7 @@ <F extends ObjectType> ModelContext<F> previewChanges(
      * @return schema with correctly set constraint parts or null
      * @throws SchemaException 
      */
-    <O extends ObjectType> PrismObjectDefinition<O> getEditObjectDefinition(PrismObject<O> object) throws SchemaException;
+    <O extends ObjectType> PrismObjectDefinition<O> getEditObjectDefinition(PrismObject<O> object, AuthorizationPhaseType phase) throws SchemaException;
 
     RefinedObjectClassDefinition getEditObjectClassDefinition(PrismObject<ShadowType> shadow, PrismObject<ResourceType> resource) throws SchemaException;
 

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelController.java

@@ -133,6 +133,7 @@
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.xml.ns._public.common.api_types_3.ImportOptionsType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationDecisionType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ConnectorHostType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ConnectorType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
@@ -705,7 +706,7 @@ public <F extends ObjectType> ModelContext<F> previewChanges(
 	}
 
 	@Override
-	public <O extends ObjectType> PrismObjectDefinition<O> getEditObjectDefinition(PrismObject<O> object) throws SchemaException {
+	public <O extends ObjectType> PrismObjectDefinition<O> getEditObjectDefinition(PrismObject<O> object, AuthorizationPhaseType phase) throws SchemaException {
 		PrismObjectDefinition<O> origDefinition = object.getDefinition();
 		// TODO: maybe we need to expose owner resolver in the interface?
 		ObjectSecurityConstraints securityConstraints = securityEnforcer.compileSecurityConstraints(object, null);
@@ -716,9 +717,9 @@ public <O extends ObjectType> PrismObjectDefinition<O> getEditObjectDefinition(P
 			return null;
 		}
 		PrismObjectDefinition<O> finalDefinition = applySecurityContraints(origDefinition, new ItemPath(), securityConstraints,
-				securityConstraints.getActionDecision(ModelAuthorizationAction.READ.getUrl(), null),
-				securityConstraints.getActionDecision(ModelAuthorizationAction.ADD.getUrl(), null),
-				securityConstraints.getActionDecision(ModelAuthorizationAction.MODIFY.getUrl(), null));
+				securityConstraints.getActionDecision(ModelAuthorizationAction.READ.getUrl(), phase),
+				securityConstraints.getActionDecision(ModelAuthorizationAction.ADD.getUrl(), phase),
+				securityConstraints.getActionDecision(ModelAuthorizationAction.MODIFY.getUrl(), phase));
 		return finalDefinition;
 	}
 

model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestSecurity.java

@@ -721,7 +721,7 @@ public void testAutzJackPropReadSomeModifySome(final String TEST_NAME, String ro
         PrismAsserts.assertNoItem(userJack, new ItemPath(UserType.F_ACTIVATION, ActivationType.F_EFFECTIVE_STATUS));
         assertAssignmentsWithTargets(userJack, 1);
 
-        PrismObjectDefinition<UserType> userJackEditSchema = modelInteractionService.getEditObjectDefinition(userJack);
+        PrismObjectDefinition<UserType> userJackEditSchema = modelInteractionService.getEditObjectDefinition(userJack, null);
         display("Jack's edit schema", userJackEditSchema);
         assertItemFlags(userJackEditSchema, UserType.F_NAME, true, false, false);
         assertItemFlags(userJackEditSchema, UserType.F_FULL_NAME, true, false, true);