
Restricted users should be able to query public assets

christianbauer committed Dec 5, 2017
1 parent fe0119e commit 5d53f7ddee90601b09c5ec4741063ab119a5b894
@@ -46,6 +46,7 @@
import static javax.ws.rs.core.Response.Status.*;
import static org.openremote.container.Container.JSON;
import static org.openremote.model.asset.AbstractAssetQuery.Access.PRIVATE_READ;
import static org.openremote.model.asset.AbstractAssetQuery.Access.PUBLIC_READ;
import static org.openremote.model.asset.AbstractAssetQuery.Access.RESTRICTED_READ;
import static org.openremote.model.attribute.AttributeEvent.Source.CLIENT;
@@ -431,10 +432,14 @@ public void delete(RequestParams requestParams, String assetId) {
}
if (isRestrictedUser()) {
// A restricted user can only query linked assets
query = query.userId(getUserId());
// A restricted user may not query private asset data, only restricted or public
if (query.select == null)
query.select = new Select();
query.select.filterAccess(RESTRICTED_READ);
if (query.select.access == null || query.select.access == PRIVATE_READ)
query.select.filterAccess(RESTRICTED_READ);
}
Tenant tenant = query.tenantPredicate != null
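Review bot: The new guard `if (query.select.access == null || query.select.access == PRIVATE_READ)` is a denylist, so any access value other than those two that a restricted user sends is accepted as is. With the three `Access` constants imported in this commit that is correct today, but a level added later would pass through for restricted users without anyone touching this check. An allowlist fails closed and behaves the same now: `if (query.select.access != PUBLIC_READ) query.select.filterAccess(RESTRICTED_READ);`. The page has lost its +/- markers, so I am assuming the unconditional `query.select.filterAccess(RESTRICTED_READ);` just above the guard is the removed line; if it is still present, a `PUBLIC_READ` request would presumably be overridden before the guard runs. The enclosing method starts and ends outside this hunk, so how `query.select.access` is populated from the request is not visible here.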
@@ -94,6 +94,7 @@
"createdOn": 1489042784142,
"name": "Smart Home",
"type": "urn:openremote:asset:building",
"accessPublicRead": false,
"realmId": "c38a3fdf-9d74-4dac-940c-50d3dce1d248",
"tenantRealm": "customerA",
"tenantDisplayName": "Customer A",
@@ -113,6 +114,7 @@
"createdOn": 1489042784148,
"name": "Apartment 1",
"type": "urn:openremote:asset:residence",
"accessPublicRead": false,
"parentId": "0oI7Gf_kTh6WyRJFUTr8Lg",
"parentName": "Smart Home",
"parentType": "urn:openremote:asset:building",
@@ -136,6 +138,7 @@
"createdOn": 1489042784157,
"name": "Living Room",
"type": "urn:openremote:asset:room",
"accessPublicRead": false,
"parentId": "B0x8ZOqZQHGjq_l0RxAJBA",
"parentName": "Apartment 1",
"parentType": "urn:openremote:asset:residence",
@@ -160,6 +163,7 @@
"createdOn": 1489042784164,
"name": "Living Room Thermostat",
"type": "urn:openremote:asset:thing",
"accessPublicRead": false,
"parentId": "bzlRiJmSSMCl8HIUt9-lMg",
"parentName": "Living Room",
"parentType": "urn:openremote:asset:room",
@@ -36,7 +36,8 @@
* <li>
* When a restricted client reads assets, only dynamic attributes with
* {@link AssetMeta#ACCESS_RESTRICTED_READ} and attribute meta items with {@link MetaItemDescriptor.Access#restrictedRead}
* are included.
* are included. A restricted client may submit a query for public assets and dynamic attributes with
* {@link AssetMeta#ACCESS_PUBLIC_READ} and meta items with {@link MetaItemDescriptor.Access#publicRead}.
* </li>
* <li>
* When a restricted client updates existing assets, new dynamic attributes can be added, but
