[cvs] expresso commit by lhamel: change implementation of group comparison,

JCorporate Ltd jcorp at jcorp2.servlets.net
Wed Nov 24 21:36:54 PST 2004


Log Message:
-----------
change implementation of group comparison, and add an error case.

Modified Files:
--------------
    expresso/expresso-web/WEB-INF/src/com/jcorporate/expresso/core/dbobj:
        RowSecuredDBObject.java

Revision Data
-------------
Index: RowSecuredDBObject.java
===================================================================
RCS file: /home/javacorp/.cvs/expresso/expresso/expresso-web/WEB-INF/src/com/jcorporate/expresso/core/dbobj/RowSecuredDBObject.java,v
retrieving revision 1.38
retrieving revision 1.39
diff -Lexpresso-web/WEB-INF/src/com/jcorporate/expresso/core/dbobj/RowSecuredDBObject.java -Lexpresso-web/WEB-INF/src/com/jcorporate/expresso/core/dbobj/RowSecuredDBObject.java -u -r1.38 -r1.39
--- expresso-web/WEB-INF/src/com/jcorporate/expresso/core/dbobj/RowSecuredDBObject.java
+++ expresso-web/WEB-INF/src/com/jcorporate/expresso/core/dbobj/RowSecuredDBObject.java
@@ -65,6 +65,7 @@
 
 import com.jcorporate.expresso.core.db.DBConnection;
 import com.jcorporate.expresso.core.db.DBException;
+import com.jcorporate.expresso.core.registry.MutableRequestRegistry;
 import com.jcorporate.expresso.core.registry.RequestRegistry;
 import com.jcorporate.expresso.core.security.User;
 import com.jcorporate.expresso.services.dbobj.RowGroupPerms;
@@ -132,7 +133,23 @@
      */
     public RowSecuredDBObject() throws DBException {
         try {
-            this.setRequestingUid(RequestRegistry.getUser().getUid());
+            User user = RequestRegistry.getUser();
+            try {
+                user.getUid();
+                this.setRequestingUid(user.getUid());
+            } catch (Throwable e) { // npe if user is null
+                getLogger().warn("Cannot get user from request registry for class: '"
+                        + getClass().getName()
+                        + "'. No user has been associated with this thread yet. (see "
+                        + MutableRequestRegistry.class.getName() + ")");
+
+                // by default, the superclass sets requesting user ID
+                // to 'system' == superuser,
+                // so reset the requesting user here
+                super.setRequestingUid(User.getIdFromLogin(User.UNKNOWN_USER,
+                        getDataContext()));
+            }
+
         } catch (Exception ex) {
 
             // by default, the superclass sets requesting user ID
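Review bot: `catch (Throwable e)` is used here to detect a null user, but it also swallows every other failure raised by `getUid()` or `setRequestingUid()`, including `Error`s. The warning then always claims that no user was associated with the thread, and `e` itself is never logged. An explicit test keeps the fallback to `User.UNKNOWN_USER` for the one case it is meant for: `if (user != null) { this.setRequestingUid(user.getUid()); } else { /* warn, then reset to UNKNOWN_USER */ }`. The bare `user.getUid();` statement before the setter is redundant once the null check is explicit. The outer catch block of the constructor continues beyond this hunk.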
@@ -145,10 +162,11 @@
             // @todo after expresso v.5.7, change impl to throw exception
             // if servlet filter is not found. Introducing this in v5.6,
             // so legacy does not want exceptions
-            getLogger().warn(ex.getMessage());
+            getLogger().warn("Problem automatically setting user ID: "
+                    + getClass().getName() + ", err: " + ex.getClass().getName()
+                    + ", msg: " + ex.getMessage());
         }
 
-
         // warn if key of this row may be too long
         checkKeyLength();
     }
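Review bot: The new warning concatenates the exception class and message but drops the stack trace, which is what an operator needs to find out why the requesting user could not be set on this access-control path. If the logger returned by `getLogger()` has an overload that takes a throwable (its type is not visible here), pass `ex` as the second argument: `getLogger().warn("Problem automatically setting user ID: " + getClass().getName(), ex);`. The catch block this line belongs to starts outside the hunk.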
@@ -627,8 +645,14 @@
             /**
              * @todo rewrite as a multidbobject join
              */
-            groups.retainAll(user.getGroups());
-            result = groups.size() > 0;
+            for (Iterator iterator = user.getGroups().iterator(); iterator.hasNext();) {
+                String userGrpname = (String) iterator.next();
+                for (Iterator iterator1 = groups.iterator(); iterator1.hasNext();) {
+                    String readGrpName = (String) iterator1.next();
+                    result = readGrpName.equals(userGrpname);
+                    if ( result ) break;
+                }
+            }
         }
 
         return result;
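Review bot: The `break` inside the inner loop leaves only the inner loop, so the outer loop moves on to the next user group and `result` is overwritten by later comparisons. A match on any user group other than the last one iterated can therefore end up as `false`, and this value decides row access. Stop the outer loop as well by adding `if (result) break;` right after the inner `for` closes, or assign only on a match with `if (readGrpName.equals(userGrpname)) { result = true; }`. A short comment stating that one shared group is sufficient would make the intent explicit. The enclosing method starts outside the hunk, so the initial value of `result` (which is what is returned when either collection is empty) is not visible here.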

