[cvs] expresso commit by lhamel: admin has all privileges

Fri Nov 12 23:13:25 PST 2004

Log Message:
-----------
admin has all privileges

Modified Files:
--------------
    expresso/expresso-web/WEB-INF/src/com/jcorporate/expresso/services/controller/dbmaint:
        Add.java

Revision Data
-------------
Index: Add.java
===================================================================
RCS file: /home/javacorp/.cvs/expresso/expresso/expresso-web/WEB-INF/src/com/jcorporate/expresso/services/controller/dbmaint/Add.java,v
retrieving revision 1.21
retrieving revision 1.22
diff -Lexpresso-web/WEB-INF/src/com/jcorporate/expresso/services/controller/dbmaint/Add.java -Lexpresso-web/WEB-INF/src/com/jcorporate/expresso/services/controller/dbmaint/Add.java -u -r1.21 -r1.22

--- expresso-web/WEB-INF/src/com/jcorporate/expresso/services/controller/dbmaint/Add.java
+++ expresso-web/WEB-INF/src/com/jcorporate/expresso/services/controller/dbmaint/Add.java
@@ -65,19 +65,21 @@
 package com.jcorporate.expresso.services.controller.dbmaint;
 
 
+import com.jcorporate.expresso.core.controller.Controller;
 import com.jcorporate.expresso.core.controller.ControllerException;
 import com.jcorporate.expresso.core.controller.ControllerRequest;
 import com.jcorporate.expresso.core.controller.ControllerResponse;
 import com.jcorporate.expresso.core.controller.Input;
 import com.jcorporate.expresso.core.controller.NonHandleableException;
 import com.jcorporate.expresso.core.controller.Transition;
-import com.jcorporate.expresso.core.controller.Controller;
 import com.jcorporate.expresso.core.dataobjects.DataFieldMetaData;
 import com.jcorporate.expresso.core.dataobjects.DataObject;
 import com.jcorporate.expresso.core.dataobjects.DataObjectMetaData;
 import com.jcorporate.expresso.core.dataobjects.Securable;
 import com.jcorporate.expresso.core.db.DBException;
+import com.jcorporate.expresso.core.dbobj.SecuredDBObject;
 import com.jcorporate.expresso.core.misc.StringUtil;
+import com.jcorporate.expresso.core.security.User;
 import com.jcorporate.expresso.services.controller.ui.DefaultAutoElement;
 import com.jcorporate.expresso.services.dbobj.Setup;
 
@@ -218,11 +220,16 @@
             if (myDBObj instanceof Securable) {
                 ((Securable) myDBObj).isAllowed("A");
             } else {
-                String allowInsecure = Setup.getValue(req.getDataContext(),
-                        com.jcorporate.expresso.core.ExpressoSchema.class.getName(),
-                        "insecureDBMaint");
-                if (!("y".equalsIgnoreCase(allowInsecure))) {
-                    throw new SecurityException("Access to unsecured Objects not allowed");
+                if (getUid() == SecuredDBObject.SYSTEM_ACCOUNT
+                        || User.getUserFromId(getUid(), this.getControllerRequest().getDataContext()).isAdmin()) {
+                    // all access ok
+                } else {
+                   String allowInsecure = Setup.getValue(req.getDataContext(),
+                                        com.jcorporate.expresso.core.ExpressoSchema.class.getName(),
+                                        "insecureDBMaint");
+                    if (!(StringUtil.toBoolean(allowInsecure))) {
+                        throw new SecurityException("Access to unsecured Objects not allowed");
+                    }
                 }
             }
 
