[cvs] expresso commit by lhamel: admin has all privileges

JCorporate Ltd jcorp at jcorp2.servlets.net
Fri Nov 12 23:20:27 PST 2004


Log Message:
-----------
admin has all privileges

Modified Files:
--------------
    expresso/expresso-web/WEB-INF/src/com/jcorporate/expresso/services/controller/dbmaint:
        Update.java

Revision Data
-------------
Index: Update.java
===================================================================
RCS file: /home/javacorp/.cvs/expresso/expresso/expresso-web/WEB-INF/src/com/jcorporate/expresso/services/controller/dbmaint/Update.java,v
retrieving revision 1.23
retrieving revision 1.24
diff -Lexpresso-web/WEB-INF/src/com/jcorporate/expresso/services/controller/dbmaint/Update.java -Lexpresso-web/WEB-INF/src/com/jcorporate/expresso/services/controller/dbmaint/Update.java -u -r1.23 -r1.24
--- expresso-web/WEB-INF/src/com/jcorporate/expresso/services/controller/dbmaint/Update.java
+++ expresso-web/WEB-INF/src/com/jcorporate/expresso/services/controller/dbmaint/Update.java
@@ -65,21 +65,23 @@
 package com.jcorporate.expresso.services.controller.dbmaint;
 
 import com.jcorporate.expresso.core.controller.Block;
+import com.jcorporate.expresso.core.controller.Controller;
 import com.jcorporate.expresso.core.controller.ControllerException;
 import com.jcorporate.expresso.core.controller.ControllerRequest;
 import com.jcorporate.expresso.core.controller.ControllerResponse;
 import com.jcorporate.expresso.core.controller.Input;
 import com.jcorporate.expresso.core.controller.NonHandleableException;
 import com.jcorporate.expresso.core.controller.Transition;
-import com.jcorporate.expresso.core.controller.Controller;
 import com.jcorporate.expresso.core.controller.session.PersistentSession;
 import com.jcorporate.expresso.core.dataobjects.DataObject;
 import com.jcorporate.expresso.core.dataobjects.DataObjectMetaData;
 import com.jcorporate.expresso.core.dataobjects.Defineable;
 import com.jcorporate.expresso.core.dataobjects.Securable;
 import com.jcorporate.expresso.core.db.DBException;
+import com.jcorporate.expresso.core.dbobj.SecuredDBObject;
 import com.jcorporate.expresso.core.misc.StringUtil;
 import com.jcorporate.expresso.core.misc.URLUTF8Encoder;
+import com.jcorporate.expresso.core.security.User;
 import com.jcorporate.expresso.services.controller.ui.DefaultAutoElement;
 import com.jcorporate.expresso.services.dbobj.Setup;
 
@@ -92,7 +94,6 @@
  * (except primary key). Extend this class if only updating
  * one or several but not all fields.
  *
- * @version        $Revision$  $Date$
  * @author        Michael Nash, contributions by Kevin King
  */
 public class Update
@@ -252,11 +253,16 @@
             if (myDBObj instanceof Securable) {
                 ((Securable) myDBObj).isAllowed("U");
             } else {
-                String allowInsecure = Setup.getValue(req.getDataContext(),
+                if (getUid() == SecuredDBObject.SYSTEM_ACCOUNT
+                        || User.getUserFromId(getUid(), this.getControllerRequest().getDataContext()).isAdmin()) {
+                    // all access ok
+                } else {
+                    String allowInsecure = Setup.getValue(req.getDataContext(),
                         com.jcorporate.expresso.core.ExpressoSchema.class.getName(),
                         "insecureDBMaint");
-                if (!("y".equalsIgnoreCase(allowInsecure))) {
-                    throw new SecurityException("Access to unsecured Objects not allowed");
+                    if (!(StringUtil.toBoolean(allowInsecure))) {
+                        throw new SecurityException("Access to unsecured Objects not allowed");
+                    }
                 }
             }
             showForm();
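Review bot: The admin bypass added in the `else` branch resolves the user against `this.getControllerRequest().getDataContext()`, while the `insecureDBMaint` setting just below it is read from `req.getDataContext()`; if those two can ever differ, admin status in one context would unlock unsecured objects in another, so pass `req.getDataContext()` to both lookups. The result of `User.getUserFromId(...)` is dereferenced immediately, and whether it can return null for an unknown or unauthenticated uid is not visible in this hunk, so confirm it throws rather than returning null. The empty `if` body holding only `// all access ok` would read more safely inverted, e.g. `boolean privileged = getUid() == SecuredDBObject.SYSTEM_ACCOUNT || User.getUserFromId(getUid(), req.getDataContext()).isAdmin();` followed by `if (!privileged) { ... }` around the Setup check. Because this path now lets admin and system accounts through regardless of `insecureDBMaint`, a log entry when the bypass is taken would keep the access auditable. The enclosing method starts and ends outside the hunk.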
@@ -378,5 +384,4 @@
     } /* run(ControllerRequest, ControllerResponse) */
 
 }
-
 /* Update */

