fix #216 - check-in operators shouldn't access the admin GUI

(cherry picked from commit 90f3034)
alfio-event · Sep 21, 2016 · 2c44977 · 2c44977
1 parent 4bba560
commit 2c44977
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 9 deletions.
diff --git a/src/main/java/alfio/config/WebSecurityConfig.java b/src/main/java/alfio/config/WebSecurityConfig.java
@@ -46,6 +46,7 @@ public class WebSecurityConfig {
     public static final String CSRF_SESSION_ATTRIBUTE = "CSRF_SESSION_ATTRIBUTE";
     public static final String CSRF_PARAM_NAME = "_csrf";
     public static final String OPERATOR = "OPERATOR";
+    private static final String SUPERVISOR = "SUPERVISOR";
     public static final String SPONSOR = "SPONSOR";
     private static final String ADMIN = "ADMIN";
     private static final String OWNER = "OWNER";
@@ -82,9 +83,9 @@ protected void configure(HttpSecurity http) throws Exception {
             http.requestMatcher((request) -> request.getHeader("Authorization") != null).sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
             .and().csrf().disable()
             .authorizeRequests()
-            .antMatchers(ADMIN_API + "/check-in/**").hasRole(OPERATOR)
-            .antMatchers(HttpMethod.GET, ADMIN_API + "/events").hasAnyRole(OPERATOR, SPONSOR)
-            .antMatchers(ADMIN_API + "/user-type").hasAnyRole(OPERATOR, SPONSOR)
+            .antMatchers(ADMIN_API + "/check-in/**").hasAnyRole(OPERATOR, SUPERVISOR)
+            .antMatchers(HttpMethod.GET, ADMIN_API + "/events").hasAnyRole(OPERATOR, SUPERVISOR, SPONSOR)
+            .antMatchers(ADMIN_API + "/user-type").hasAnyRole(OPERATOR, SUPERVISOR, SPONSOR)
             .antMatchers(ADMIN_API + "/**").denyAll()
             .antMatchers(HttpMethod.POST, "/api/attendees/sponsor-scan").hasRole(SPONSOR)
             .antMatchers("/**").authenticated()
@@ -134,11 +135,11 @@ protected void configure(HttpSecurity http) throws Exception {
                 .authorizeRequests()
                 .antMatchers(ADMIN_API + "/configuration/**", ADMIN_API + "/users/**").hasAnyRole(ADMIN, OWNER)
                 .antMatchers(ADMIN_API + "/organizations/new").hasRole(ADMIN)
-                .antMatchers(ADMIN_API + "/check-in/**").hasAnyRole(ADMIN, OWNER, OPERATOR)
-                .antMatchers(HttpMethod.GET, ADMIN_API + "/**").hasAnyRole(ADMIN, OWNER, OPERATOR)
+                .antMatchers(ADMIN_API + "/check-in/**").hasAnyRole(ADMIN, OWNER, SUPERVISOR)
+                .antMatchers(HttpMethod.GET, ADMIN_API + "/**").hasAnyRole(ADMIN, OWNER, SUPERVISOR)
                 .antMatchers(ADMIN_API + "/**").hasAnyRole(ADMIN, OWNER)
                 .antMatchers("/admin/**/export/**").hasAnyRole(ADMIN, OWNER)
-                .antMatchers("/admin/**").hasAnyRole(ADMIN, OWNER, OPERATOR)
+                .antMatchers("/admin/**").hasAnyRole(ADMIN, OWNER, SUPERVISOR)
                 .antMatchers("/api/attendees/**").denyAll()
                 .antMatchers("/**").permitAll()
                 .and()

diff --git a/src/main/java/alfio/manager/user/UserManager.java b/src/main/java/alfio/manager/user/UserManager.java
@@ -87,7 +87,7 @@ public User findUser(int id) {
 
     public Collection<Role> getAvailableRoles(String username) {
         User user = findUserByUsername(username);
-        return isAdmin(user) || isOwner(user) ? EnumSet.of(Role.OWNER, Role.OPERATOR, Role.SPONSOR) : Collections.emptySet();
+        return isAdmin(user) || isOwner(user) ? EnumSet.of(Role.OWNER, Role.OPERATOR, Role.SUPERVISOR, Role.SPONSOR) : Collections.emptySet();
     }
 
     /**

diff --git a/src/main/java/alfio/model/user/Role.java b/src/main/java/alfio/model/user/Role.java
@@ -22,7 +22,7 @@
 
 @Getter
 public enum Role {
-    ADMIN("ROLE_ADMIN", "Administrator"), OWNER("ROLE_OWNER", "Organization owner"), OPERATOR("ROLE_OPERATOR", "Check-in operator"), SPONSOR("ROLE_SPONSOR", "Sponsor");
+    ADMIN("ROLE_ADMIN", "Administrator"), OWNER("ROLE_OWNER", "Organization owner"), SUPERVISOR("ROLE_SUPERVISOR", "Check-in supervisor"), OPERATOR("ROLE_OPERATOR", "Check-in operator"), SPONSOR("ROLE_SPONSOR", "Sponsor");
 
     private final String roleName;
     private final String description;

diff --git a/src/main/webapp/resources/angular-templates/admin/partials/main/edit-user.html b/src/main/webapp/resources/angular-templates/admin/partials/main/edit-user.html
@@ -5,9 +5,38 @@
         <field-error data-form-obj="editUser" data-field-obj="editUserCtrl.editUser.organizationId"></field-error>
     </div>
     <div class="form-group" bs-form-error="editUserCtrl.editUser.role">
-        <label for="role">Role</label>
+        <label for="role">Role</label> <a class="btn btn-xs btn-default" uib-popover-template="'helpUserRole.html'" popover-placement="left"><i class="fa fa-info-circle"></i> help</a>
         <select data-ng-model="editUserCtrl.user.role" name="role" class="form-control" id="role" data-required data-ng-options="r.role as r.description for r in editUserCtrl.roles"></select>
         <field-error data-form-obj="editUser" data-field-obj="editUserCtrl.editUser.role"></field-error>
+        <script type="text/ng-template" id="helpUserRole.html">
+            <h4>User Role:</h4>
+            <ul class="list-group">
+                <li class="list-group-item">
+                    <div class="list-group-item-heading"><strong>Organization owner</strong></div>
+                    <div class="list-group-item-text">
+                        Can view and update all the events, he/she can also create other users and access the configuration at organization and event level.
+                    </div>
+                </li>
+                <li class="list-group-item">
+                    <div class="list-group-item-heading"><strong>Check-in supervisor</strong></div>
+                    <div class="list-group-item-text">
+                        Can view all the events, he/she can also perform the check-in using either the web interface or the app.
+                    </div>
+                </li>
+                <li class="list-group-item">
+                    <div class="list-group-item-heading"><strong>Check-in operator</strong></div>
+                    <div class="list-group-item-text">
+                        Can only perform the check-in using the app. Access on the web GUI is denied.
+                    </div>
+                </li>
+                <li class="list-group-item">
+                    <div class="list-group-item-heading"><strong>Sponsor</strong></div>
+                    <div class="list-group-item-text">
+                        Can only scan checked-in badges using the app and collect attendees' data. Access on the web GUI is denied.
+                    </div>
+                </li>
+            </ul>
+        </script>
     </div>
     <div class="form-group" bs-form-error="editUserCtrl.editUser.username">
         <label for="username">Username</label>