From cbeb7eeab671ca744c09381fb647d577028bfee8 Mon Sep 17 00:00:00 2001
From: brinn <brinn>
Date: Tue, 24 Jul 2012 09:35:28 +0000
Subject: [PATCH] Tighten authorization check.

SVN: 26172
---
 .../ScreeningPlateListReadOnlyPredicate.java  | 28 +++++++++++--------
 1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/screening/source/java/ch/systemsx/cisd/openbis/plugin/screening/shared/api/internal/authorization/ScreeningPlateListReadOnlyPredicate.java b/screening/source/java/ch/systemsx/cisd/openbis/plugin/screening/shared/api/internal/authorization/ScreeningPlateListReadOnlyPredicate.java
index bd25d5432b5..0d8c7ec0a11 100644
--- a/screening/source/java/ch/systemsx/cisd/openbis/plugin/screening/shared/api/internal/authorization/ScreeningPlateListReadOnlyPredicate.java
+++ b/screening/source/java/ch/systemsx/cisd/openbis/plugin/screening/shared/api/internal/authorization/ScreeningPlateListReadOnlyPredicate.java
@@ -32,6 +32,7 @@ import ch.systemsx.cisd.openbis.generic.shared.authorization.RoleWithIdentifier;
 import ch.systemsx.cisd.openbis.generic.shared.authorization.annotation.ShouldFlattenCollections;
 import ch.systemsx.cisd.openbis.generic.shared.authorization.predicate.AbstractSpacePredicate;
 import ch.systemsx.cisd.openbis.generic.shared.dto.PersonPE;
+import ch.systemsx.cisd.openbis.generic.shared.dto.exception.UndefinedSpaceException;
 import ch.systemsx.cisd.openbis.generic.shared.util.SpaceCodeHelper;
 import ch.systemsx.cisd.openbis.plugin.screening.shared.api.v1.dto.PlateIdentifier;
 
@@ -62,22 +63,27 @@ public class ScreeningPlateListReadOnlyPredicate extends
         final List<String> permIds = new ArrayList<String>(plates.size());
         for (PlateIdentifier plate : plates)
         {
+            boolean hasPermId = false;
             if (plate.getPermId() != null)
             {
                 permIds.add(plate.getPermId());
-            } else
+                hasPermId = true;
+            }
+            
+            final String spaceCodeOrNull =
+                    SpaceCodeHelper.getSpaceCode(person, plate.tryGetSpaceCode());
+            if (spaceCodeOrNull == null && hasPermId == false)
+            {
+                throw new UndefinedSpaceException();
+            }
+            if (spaceCodeOrNull != null && plate.isSharedPlate() == false)
             {
-                final String spaceCode =
-                        SpaceCodeHelper.getSpaceCode(person, plate.tryGetSpaceCode());
-                if (plate.isSharedPlate() == false)
+                final Status status =
+                        evaluate(person, allowedRoles, authorizationDataProvider
+                                .getHomeDatabaseInstance(), spaceCodeOrNull);
+                if (Status.OK.equals(status) == false)
                 {
-                    final Status status =
-                            evaluate(person, allowedRoles, authorizationDataProvider
-                                    .getHomeDatabaseInstance(), spaceCode);
-                    if (Status.OK.equals(status) == false)
-                    {
-                        return status;
-                    }
+                    return status;
                 }
             }
         }
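Review bot: For a plate that carries a permId, the check at `if (spaceCodeOrNull != null && plate.isSharedPlate() == false)` runs against the space code from the caller-supplied identifier (or whatever `SpaceCodeHelper.getSpaceCode` substitutes when it is absent), which need not be the space the permId actually belongs to. Passing it therefore says nothing about the plate behind the permId; that decision has to come from whatever is done with `permIds` after the loop, which is outside this hunk, as are the start and end of the method. I would say so next to the check, e.g. `// Space code comes from the caller's identifier; plates with a permId are authorized via permIds below, not by this check.` Separately, the `spaceCodeOrNull == null` branch only works if `getSpaceCode` returns null for a user without a home space rather than throwing. That is worth confirming, because the helper is now called for every plate, and a throw there would reject permId-only plates that the old `else` branch never passed to it.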
-- 
GitLab