[cvs] expresso commit by lhamel: set UID to anon before filter setting

JCorporate Ltd jcorp at jcorp2.servlets.net
Sat Oct 30 14:01:04 PDT 2004


Log Message:
-----------
set UID to anon before filter setting

Modified Files:
--------------
    expresso/expresso-web/WEB-INF/src/com/jcorporate/expresso/core/dbobj:
        RowSecuredDBObject.java

Revision Data
-------------
Index: RowSecuredDBObject.java
===================================================================
RCS file: /home/javacorp/.cvs/expresso/expresso/expresso-web/WEB-INF/src/com/jcorporate/expresso/core/dbobj/RowSecuredDBObject.java,v
retrieving revision 1.30
retrieving revision 1.31
diff -Lexpresso-web/WEB-INF/src/com/jcorporate/expresso/core/dbobj/RowSecuredDBObject.java -Lexpresso-web/WEB-INF/src/com/jcorporate/expresso/core/dbobj/RowSecuredDBObject.java -u -r1.30 -r1.31
--- expresso-web/WEB-INF/src/com/jcorporate/expresso/core/dbobj/RowSecuredDBObject.java
+++ expresso-web/WEB-INF/src/com/jcorporate/expresso/core/dbobj/RowSecuredDBObject.java
@@ -123,12 +123,18 @@
      * to set data context and user ID from expresso v.5.6.  However, if you
      * have not set up this filter in web.xml, be sure to set dbname and user id
      * after constructing.
-     * @todo after expresso v.5.7, change impl to throw exception if servlet filter is not found. Introducing this in v5.6, so legacy does not want exceptions
      *
      * @throws DBException upon database communication error
+     * @todo after expresso v.5.7, change impl to throw exception if servlet filter is not found. Introducing this in v5.6, so legacy does not want exceptions
      */
     public RowSecuredDBObject() throws DBException {
-        try {
+
+        // by default, the superclass sets requesting user ID to 'system' == superuser,
+        // so reset the requesting user here
+        setRequestingUid(User.getIdFromLogin(User.UNKNOWN_USER, getDataContext()));
+
+        // override if filter is found
+       try {
             setDataContext(RequestRegistry.getDataContext());
             setRequestingUid(RequestRegistry.getUser().getUid());
         } catch (IllegalStateException e) {
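Review bot: In the no-arg constructor, the anonymous UID is resolved with getDataContext() before setDataContext(RequestRegistry.getDataContext()) runs, so User.UNKNOWN_USER is looked up in whatever context the superclass left in place. When the filter is missing, or if setDataContext succeeds and RequestRegistry.getUser() were then to raise the IllegalStateException, the object keeps a UID resolved against one context while the caller may go on to set another, as the Javadoc above tells them to. Consider resolving the anonymous UID once the context is final (for example again in the catch path), and state in the Javadoc that the default requester is now the anonymous user rather than 'system'. The new setRequestingUid call also sits outside the try, so any DBException from User.getIdFromLogin now propagates straight out of the constructor; that deserves a mention next to the existing @throws. Minor: the re-added "try {" is indented one space less than the lines around it.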
@@ -161,14 +167,14 @@
 
     /**
      * Creates a new RowSecuredDBObject object.
-     *  This constructor will attempt to use servlet filter
+     * This constructor will attempt to use servlet filter
      * to set data context--from expresso v.5.6.  However, if you
      * have not set up this filter in web.xml, be sure to set dbname and user id
      * after constructing.
-     * @todo after expresso v.5.7, change impl to throw exception if servlet filter is not found. Introducing this in v5.6, so legacy does not want exceptions     *
      *
      * @param theUser requesting user
      * @throws DBException upon database communication error
+     * @todo after expresso v.5.7, change impl to throw exception if servlet filter is not found. Introducing this in v5.6, so legacy does not want exceptions     *
      */
     public RowSecuredDBObject(int theUser) throws DBException {
         super(theUser);
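Review bot: The @todo line moved below @throws in the RowSecuredDBObject(int theUser) Javadoc still ends with the stray "     *" carried over from the removed line; drop it while the line is being touched so it matches the cleaned-up copy on the no-arg constructor.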
@@ -341,7 +347,7 @@
      * @param requestedFunction code for function -- Add, Update, Delete, Search (read)
      * @return true if this function is allowed for this requesting user
      * @throws SecurityException (unchecked) if not allowed
-     * @throws DBException for other data-related errors.
+     * @throws DBException       for other data-related errors.
      */
     public boolean isRowAllowed(String requestedFunction)
             throws DBException {
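Review bot: The only change to the isRowAllowed Javadoc is alignment padding on the @throws DBException line, which is unrelated to the commit message. Since this commit changes the default requesting user for row-level access checks, keeping formatting-only edits in a separate commit would make the security-relevant change easier to audit.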

