HAWKULAR-180 - Disabled sub organizations.

hawkular · May 20, 2015 · e801949 · e801949
1 parent c007321
commit e801949
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 0 deletions.
diff --git a/README.adoc b/README.adoc
@@ -54,6 +54,10 @@ Hawkular Accounts is based on the following concepts:
 * *Owner* - owns a Resource, and can be (currently) either a Hawkular User or an Organization.
 * *Member* - a User or Organization that can be part of an Organization.
 
+Note that the main Accounts API allows an Organization to be the Owner of another Organization. As some Hawkular
+components might not be able to deal with this scenario, however, this is currently blocked from the REST endpoint.
+This effectively means that organizations cannot create sub organizations.
+
 To retrieve the current Persona:
 [source,java]
 ----

diff --git a/accounts/src/main/java/org/hawkular/accounts/backend/boundary/OrganizationEndpoint.java b/accounts/src/main/java/org/hawkular/accounts/backend/boundary/OrganizationEndpoint.java
@@ -111,13 +111,26 @@ public Response getOrganizationsForPersona() {
      * Creates a new {@link org.hawkular.accounts.api.model.Organization} based on the parameters of the incoming
      * {@link org.hawkular.accounts.backend.entity.rest.OrganizationRequest}.
      *
+     * <p>
+     * Note that an organization cannot, currently, create an organization. The main Accounts API allows that, but we
+     * block it on this endpoint as other components might not be able to deal with this situation.
+     * </p>
+     *
      * @param request the incoming request as {@link org.hawkular.accounts.backend.entity.rest.OrganizationRequest}
      * @return a {@link javax.ws.rs.core.Response} whose entity is an
      * {@link org.hawkular.accounts.api.model.Organization}
      */
     @POST
     @Path("/")
     public Response createOrganization(@NotNull OrganizationRequest request) {
+        if (!persona.equals(user)) {
+            // HAWKULAR-180 - organizations cannot create other organizations
+            // so, we check if the current persona is the same as the current user, as users can only
+            // impersonate organizations, and organizations exist only when impersonated.
+            String message = "Organizations cannot create sub-organizations.";
+            return Response.status(Response.Status.FORBIDDEN).entity(message).build();
+        }
+
         Organization organization = organizationService.createOrganization(
                 request.getName(),
                 request.getDescription(),

diff --git a/api/src/main/java/org/hawkular/accounts/api/OrganizationService.java b/api/src/main/java/org/hawkular/accounts/api/OrganizationService.java
@@ -31,6 +31,10 @@
  *     </pre>
  * </p>
  * Concrete implementations do not hold any state, but it's advised to get an instance through CDI or as an EJB.
+ * <p>
+ *     NOTE: At this moment, it is possible to add organizations to other organizations, but this behavior is currently
+ *     blocked on the main REST endpoint (see the 'accounts' module).
+ * </p>
  *
  * @author Juraci Paixão Kröhling
  */