Drop rawOperation need for reports (MID-4958)
We still need this authorization for shadow-related queries.
However, this is worked around by checking whether the user has this
authorization, and falling back to the noFetch option if they do not.
mederly committed Nov 5, 2018
1 parent 9bc0a8f commit f6798ba
Showing 1 changed file with 10 additions and 1 deletion.
@@ -26,8 +26,12 @@
import javax.xml.namespace.QName;

import com.evolveum.midpoint.common.LocalizationService;
import com.evolveum.midpoint.model.api.ModelAuthorizationAction;
import com.evolveum.midpoint.prism.Containerable;
import com.evolveum.midpoint.prism.PrismContainerValue;
import com.evolveum.midpoint.security.enforcer.api.AuthorizationParameters;
import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
import org.apache.commons.lang.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
@@ -85,6 +89,7 @@ public class ReportServiceImpl implements ReportService {
@Autowired private FunctionLibrary basicFunctionLibrary;
@Autowired private FunctionLibrary midpointFunctionLibrary;
@Autowired private LocalizationService localizationService;
@Autowired private SecurityEnforcer securityEnforcer;

@Override
public ObjectQuery parseQuery(String query, Map<QName, Object> parameters) throws SchemaException,
@@ -156,7 +161,11 @@ public Collection<PrismObject<? extends ObjectType>> searchObjects(ObjectQuery q
// options.add(new
// SelectorOptions(GetOperationOptions.createResolveNames()));
GetOperationOptions getOptions = GetOperationOptions.createResolveNames();
getOptions.setRaw(Boolean.TRUE);
if (ShadowType.class.isAssignableFrom(clazz) && securityEnforcer.isAuthorized(ModelAuthorizationAction.RAW_OPERATION.getUrl(), null, AuthorizationParameters.EMPTY, null, task, parentResult)) {
getOptions.setRaw(Boolean.TRUE); // shadows in non-raw mode require specifying resource OID and kind (at least) - todo research this further
} else {
getOptions.setNoFetch(Boolean.TRUE);
}
options = SelectorOptions.createCollection(getOptions);
List<PrismObject<? extends ObjectType>> results;
try {
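Review bot: The new `if`/`else` in `searchObjects` makes the search mode depend on the caller's authorizations without leaving any trace: a shadow query by a user who lacks `RAW_OPERATION` quietly falls through to `getOptions.setNoFetch(Boolean.TRUE)`, and so does every non-shadow query, which apparently ran raw before this change. Because the same report can now return different shadow data for different users, the `else` branch deserves a comment such as `// not a shadow query, or caller lacks rawOperation: non-raw search with noFetch`, plus a debug log recording which mode was chosen so a later audit of a report can tell. The `isAuthorized` call is made with `AuthorizationParameters.EMPTY` and no phase, so it presumably only answers whether the action is granted in general; it is worth confirming that the non-raw path still applies the caller's read authorizations to the returned objects. The body of `searchObjects` starts and ends outside the visible hunk.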