[cvs] expresso commit by lhamel: admin gets full permissions

JCorporate Ltd jcorp at jcorp2.servlets.net
Fri Nov 12 23:31:47 PST 2004


Log Message:
-----------
admin gets full permissions

Modified Files:
--------------
    expresso/expresso-web/WEB-INF/src/com/jcorporate/expresso/services/controller/dbmaint:
        ViewBlob.java

Revision Data
-------------
Index: ViewBlob.java
===================================================================
RCS file: /home/javacorp/.cvs/expresso/expresso/expresso-web/WEB-INF/src/com/jcorporate/expresso/services/controller/dbmaint/ViewBlob.java,v
retrieving revision 1.9
retrieving revision 1.10
diff -Lexpresso-web/WEB-INF/src/com/jcorporate/expresso/services/controller/dbmaint/ViewBlob.java -Lexpresso-web/WEB-INF/src/com/jcorporate/expresso/services/controller/dbmaint/ViewBlob.java -u -r1.9 -r1.10
--- expresso-web/WEB-INF/src/com/jcorporate/expresso/services/controller/dbmaint/ViewBlob.java
+++ expresso-web/WEB-INF/src/com/jcorporate/expresso/services/controller/dbmaint/ViewBlob.java
@@ -76,6 +76,8 @@
 import com.jcorporate.expresso.core.dataobjects.jdbc.LobField;
 import com.jcorporate.expresso.core.db.DBException;
 import com.jcorporate.expresso.core.dbobj.SecuredDBObject;
+import com.jcorporate.expresso.core.misc.StringUtil;
+import com.jcorporate.expresso.core.security.User;
 import com.jcorporate.expresso.services.dbobj.MediaDBObject;
 import com.jcorporate.expresso.services.dbobj.MimeTypes;
 import com.jcorporate.expresso.services.dbobj.Setup;
@@ -167,11 +169,16 @@
             if (curDBObj instanceof Securable) {
                 ((Securable) curDBObj).isAllowed("S");
             } else {
-                String allowInsecure = Setup.getValue(newRequest.getDataContext(),
-                        com.jcorporate.expresso.core.ExpressoSchema.class.getName(),
-                        "insecureDBMaint");
-                if (!("y".equalsIgnoreCase(allowInsecure))) {
-                    throw new SecurityException("Access to unsecured Objects not allowed");
+                if (getUid() == SecuredDBObject.SYSTEM_ACCOUNT
+                        || User.getUserFromId(getUid(), this.getControllerRequest().getDataContext()).isAdmin()) {
+                    // all access ok
+                } else {
+                    String allowInsecure = Setup.getValue(newRequest.getDataContext(),
+                            com.jcorporate.expresso.core.ExpressoSchema.class.getName(),
+                            "insecureDBMaint");
+                    if (!(StringUtil.toBoolean(allowInsecure))) {
+                        throw new SecurityException("Access to unsecured Objects not allowed");
+                    }
                 }
             }
         } catch (DBException ex) {
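Review bot: The new admin bypass resolves the user against `this.getControllerRequest().getDataContext()`, while the `insecureDBMaint` lookup just below it reads `newRequest.getDataContext()`; if those two requests can ever carry different data contexts, admin status in one context would unlock unsecured objects in another. Using the same source for both, e.g. `User.getUserFromId(getUid(), newRequest.getDataContext()).isAdmin()`, keeps the privilege check tied to the context whose setup value is being consulted. The switch from `"y".equalsIgnoreCase(allowInsecure)` to `StringUtil.toBoolean(allowInsecure)` probably also widens which setup values turn insecure access on (StringUtil is not shown here), so it is worth confirming that an unset or empty value still evaluates to false. The empty `// all access ok` branch would read more clearly as one negated condition guarding the setup check, and the enclosing method starts and ends outside this hunk.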

