Merge remote-tracking branch 'origin/1.12'

Conflicts: opennms-webapp/src/main/java/org/opennms/web/rest/UserRestService.java
OpenNMS · Apr 16, 2014 · 05aeaee · 05aeaee
2 parents 8ec9a63 + 26c7d51
commit 05aeaee
Showing 1 changed file with 12 additions and 3 deletions.
diff --git a/opennms-webapp/src/main/java/org/opennms/web/rest/UserRestService.java b/opennms-webapp/src/main/java/org/opennms/web/rest/UserRestService.java
@@ -130,6 +130,9 @@ public OnmsUser getUser(@PathParam("username") final String username) {
     public Response addUser(final OnmsUser user) {
         writeLock();
         try {
+            if (!hasEditRights()) {
+                throw getException(Status.BAD_REQUEST, new RuntimeException(m_securityContext.getUserPrincipal().getName() + " does not have write access to users!"));
+            }
             LOG.debug("addUser: Adding user {}", user);
             m_userManager.save(user);
             return Response.seeOther(getRedirectUri(m_uriInfo, user.getUsername())).build();
@@ -147,6 +150,9 @@ public Response updateUser(@PathParam("userCriteria") final String userCriteria,
         OnmsUser user = null;
         writeLock();
         try {
+            if (!hasEditRights()) {
+                throw getException(Status.BAD_REQUEST, new RuntimeException(m_securityContext.getUserPrincipal().getName() + " does not have write access to users!"));
+            }
             try {
                 user = m_userManager.getOnmsUser(userCriteria);
             } catch (final Throwable t) {
@@ -180,6 +186,9 @@ public Response updateUser(@PathParam("userCriteria") final String userCriteria,
     public Response deleteUser(@PathParam("userCriteria") final String userCriteria) {
         writeLock();
         try {
+            if (!hasEditRights()) {
+                throw getException(Status.BAD_REQUEST, new RuntimeException(m_securityContext.getUserPrincipal().getName() + " does not have write access to users!"));
+            }
             OnmsUser user = null;
             try {
                 user = m_userManager.getOnmsUser(userCriteria);
@@ -199,8 +208,8 @@ public Response deleteUser(@PathParam("userCriteria") final String userCriteria)
         }
     }
 
-    public boolean isAdmin() {
-        if (m_securityContext.isUserInRole(Authentication.ROLE_ADMIN)) {
+    public boolean hasEditRights() {
+        if (m_securityContext.isUserInRole(Authentication.ROLE_ADMIN) || m_securityContext.isUserInRole(Authentication.ROLE_REST)) {
             return true;
         }
         return false;
@@ -215,7 +224,7 @@ private OnmsUserList filterUserPasswords(final OnmsUserList users) {
     }
 
     private OnmsUser filterUserPassword(final OnmsUser user) {
-        if (!isAdmin()) {
+        if (!hasEditRights()) {
             final Principal principal = m_securityContext.getUserPrincipal();
             // users may see their own password hash  :)
             if (!user.getUsername().equals(principal.getName())) {