LMS-1204 Calculated Columns: do not evaluate private columns of different users

SVN: 12967

LMS-1204 Calculated Columns: do not evaluate private columns of different users
f4d18b0b · tpylak · b8ea5f6a · f4d18b0b · f4d18b0b
Commit f4d18b0b authored 15 years ago by tpylak
--- a/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/AbstractServer.java
+++ b/openbis/source/java/ch/systemsx/cisd/openbis/generic/server/AbstractServer.java
@@ -16,6 +16,7 @@

 package ch.systemsx.cisd.openbis.generic.server;

+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;

@@ -35,6 +36,7 @@ import ch.systemsx.cisd.openbis.generic.server.plugin.ISampleTypeSlaveServerPlug
 import ch.systemsx.cisd.openbis.generic.server.plugin.SampleServerPluginRegistry;
 import ch.systemsx.cisd.openbis.generic.server.util.HibernateTransformer;
 import ch.systemsx.cisd.openbis.generic.shared.IServer;
+import ch.systemsx.cisd.openbis.generic.shared.authorization.validator.CustomGridExpressionValidator;
 import ch.systemsx.cisd.openbis.generic.shared.basic.IDataStoreBaseURLProvider;
 import ch.systemsx.cisd.openbis.generic.shared.basic.TechId;
 import ch.systemsx.cisd.openbis.generic.shared.basic.dto.DisplaySettings;
@@ -310,9 +312,23 @@ public abstract class AbstractServer<T extends IServer> extends AbstractServiceW

    public List<GridCustomColumn> listGridCustomColumns(String sessionToken, String gridId)
    {
-        checkSession(sessionToken);
-        List<GridCustomColumnPE> columns =
+        Session session = getSession(sessionToken);
+
+        List<GridCustomColumnPE> columnPEs =
                getDAOFactory().getGridCustomColumnDAO().listColumns(gridId);
-        return GridCustomColumnTranslator.translate(columns);
+
+        List<GridCustomColumn> result = new ArrayList<GridCustomColumn>();
+        List<GridCustomColumn> columns = GridCustomColumnTranslator.translate(columnPEs);
+        // we have to remove private columns of different users to avoid calculating them
+        CustomGridExpressionValidator validator = new CustomGridExpressionValidator();
+        PersonPE currentPerson = session.tryGetPerson();
+        for (GridCustomColumn column : columns)
+        {
+            if (validator.isValid(currentPerson, column))
+            {
+                result.add(column);
+            }
+        }
+        return result;
    }
 }
--- a/openbis/source/java/ch/systemsx/cisd/openbis/generic/shared/authorization/validator/CustomGridExpressionValidator.java
+++ b/openbis/source/java/ch/systemsx/cisd/openbis/generic/shared/authorization/validator/CustomGridExpressionValidator.java
@@ -56,7 +56,7 @@ public final class CustomGridExpressionValidator extends
                        registrator.getDatabaseInstance().getCode());
    }

-    public boolean isInstanceAdmin(final PersonPE person, final DatabaseInstance databaseInstance)
+    private static boolean isInstanceAdmin(final PersonPE person, final DatabaseInstance databaseInstance)
    {
        final Set<RoleAssignmentPE> roleAssignments = person.getAllPersonRoles();
        for (final RoleAssignmentPE roleAssignment : roleAssignments)