bug #9183
Updated by Andreas Kohlbecker over 3 years ago
Users can select references in the new registration view even if permissions to edit them are not sufficient. Clicking on the "Continue" button routes to the RegistrationWorkingsetView and an error is raised without notifying on the lack of permissions properly:

~~~
... 88 more
Caused by: eu.etaxonomy.cdm.database.PermissionDeniedException: Access to the workingset is denied for the current user.
    at eu.etaxonomy.cdm.api.service.registration.RegistrationWorkingSetService.checkPermissions(RegistrationWorkingSetService.java:298)
    at eu.etaxonomy.cdm.api.service.registration.RegistrationWorkingSetService.loadWorkingSetByReferenceUuid(RegistrationWorkingSetService.java:275)
    at sun.reflect.GeneratedMethodAccessor1710.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:302)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
    at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
    at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:281)
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:208)
    at com.sun.proxy.$Proxy233.loadWorkingSetByReferenceUuid(Unknown Source)
    at eu.etaxonomy.cdm.vaadin.view.registration.RegistrationWorkingsetPresenter.loadWorkingSet(RegistrationWorkingsetPresenter.java:271)
    at eu.etaxonomy.cdm.vaadin.view.registration.RegistrationWorkingsetPresenter.handleViewEntered(RegistrationWorkingsetPresenter.java:247)
    at eu.etaxonomy.cdm.vaadin.view.registration.RegistrationWorksetViewBean.enter(RegistrationWorksetViewBean.java:169)
~~~

Solutions:

A. Filter out all references for which the user does not have enough permissions
B. Block the "Continue" button from being clicked

Option B. is preferable since it still allows looking up references in the system even if the user does not have the permissions to modify them. Otherwise this could expose names mentioned in the reference title which should be undisclosed.

`StartRegistrationPresenter.handleViewEntered()` already implements a permission filter, but it seems not to be reliable in all cases:

~~~java
// restrict by allowed reference uuids
Set<UUID> allowedUuids = referencePermissions.stream()
        .filter(p -> p.getTargetUUID() != null)
        .map(CdmAuthority::getTargetUUID)
        .collect(Collectors.toSet());
~~~
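What option B amounts to, as an added Java sketch that is not code from the project: the view keeps the same allowed-uuid filter, disables "Continue" for references outside it, and still treats the service's `checkPermissions()` as the final decision, turning its `PermissionDeniedException` into a user notification instead of the stack trace above. `CdmAuthority` and `PermissionDeniedException` are minimal stand-ins here, and `ContinueGate`, `continueEnabled` and `tryContinue` are assumed names.

```java
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import java.util.function.Consumer;
import java.util.stream.Collectors;

// Stand-ins for the CDM types quoted in the issue (hypothetical, not the project's classes).
interface CdmAuthority { UUID getTargetUUID(); }

class PermissionDeniedException extends RuntimeException {
    PermissionDeniedException(String message) { super(message); }
}

/** Option B: decide in the view whether "Continue" may be clicked; the service check stays authoritative. */
public class ContinueGate {
    private final Set<UUID> allowedUuids;

    public ContinueGate(Set<CdmAuthority> referencePermissions) {
        // Same filter as StartRegistrationPresenter: keep only authorities bound to a concrete reference uuid.
        this.allowedUuids = referencePermissions.stream()
                .map(CdmAuthority::getTargetUUID)
                .filter(Objects::nonNull)
                .collect(Collectors.toSet());
    }

    /** "Continue" is enabled only when a reference is selected and the user may edit it. */
    public boolean continueEnabled(UUID selectedReference) {
        return selectedReference != null && allowedUuids.contains(selectedReference);
    }

    /**
     * Runs the supplied service call (e.g. loadWorkingSetByReferenceUuid). The service's own
     * checkPermissions() remains the final decision; a denial is returned as a message for the
     * user instead of surfacing as an unhandled exception. Empty result means success.
     */
    public Optional<String> tryContinue(UUID selectedReference, Consumer<UUID> loadWorkingSet) {
        if (!continueEnabled(selectedReference)) {
            return Optional.of("You do not have permission to edit the selected reference.");
        }
        try {
            loadWorkingSet.accept(selectedReference);
            return Optional.empty();
        } catch (PermissionDeniedException e) {
            // UI filter and service disagree (the unreliable case from the issue): notify, do not crash the view.
            return Optional.of(e.getMessage());
        }
    }
}
```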