[cvs] expresso commit by lhamel: protect against retrieved fields
not
JCorporate Ltd
jcorp at jcorporate.com
Tue Jun 27 07:06:47 UTC 2006
Log Message:
-----------
protect against retrieved fields not including key(s)
Modified Files:
--------------
expresso/expresso-web/WEB-INF/src/com/jcorporate/expresso/core/dbobj:
RowSecuredDBObject.java
Revision Data
-------------
Index: RowSecuredDBObject.java
===================================================================
RCS file: /home/javacorp/.cvs/expresso/expresso/expresso-web/WEB-INF/src/com/jcorporate/expresso/core/dbobj/RowSecuredDBObject.java,v
retrieving revision 1.55
retrieving revision 1.56
diff -Lexpresso-web/WEB-INF/src/com/jcorporate/expresso/core/dbobj/RowSecuredDBObject.java -Lexpresso-web/WEB-INF/src/com/jcorporate/expresso/core/dbobj/RowSecuredDBObject.java -u -r1.55 -r1.56
--- expresso-web/WEB-INF/src/com/jcorporate/expresso/core/dbobj/RowSecuredDBObject.java
+++ expresso-web/WEB-INF/src/com/jcorporate/expresso/core/dbobj/RowSecuredDBObject.java
@@ -76,10 +76,7 @@
import com.jcorporate.expresso.services.dbobj.Setup;
import com.jcorporate.expresso.services.dbobj.UserGroup;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Iterator;
-import java.util.List;
+import java.util.*;
/**
@@ -1017,13 +1014,33 @@
*/
public synchronized int count() throws DBException {
// todo after redesign of security system, rewrite to be a join that uses SQL count
+ RowSecuredDBObject search = null;
+ if (retrieveFields == null) {
+ // signal for all fields is no fields chosen--just fine to search with this obj
+ search = this;
+ } else {
+ // do we have key fields chosen?
+ boolean willRetrieveKeys = true;
+ Set retrieved = retrieveFields.keySet();
+ for (Iterator i = getMetaData().getKeyFieldListArray().iterator(); i.hasNext();) {
+ if ( !retrieved.contains((String) i.next()) ) {
+ willRetrieveKeys = false;
+ break;
+ }
+ }
- // set just one field to be retrieved. whatever is the first field in the list
- DBField field = (DBField) getDef().getAllFieldsIterator().next();
-
- RowSecuredDBObject search = (RowSecuredDBObject) getThisDBObj();
- search.setFieldsToRetrieve(field.getName());
- search.copyAllFields(this);
+ // keys are necessary to check permissions; must retrieve them
+ if (!willRetrieveKeys) {
+ // use a clone that retrieves all
+ try {
+ search = (RowSecuredDBObject) clone();
+ search.retrieveFields = null;
+ search.setFieldsToRetrieve(null);
+ } catch (CloneNotSupportedException e) {
+ throw new DBException(e);
+ }
+ }
+ }
return search.searchAndRetrieveList().size();
}
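Review bot: `search` is still null at the final `search.searchAndRetrieveList()` when `retrieveFields` is non-null and already contains every key field, because the `else` branch assigns it only inside `if (!willRetrieveKeys)`. That path throws a NullPointerException instead of returning a count. Initialising with `RowSecuredDBObject search = this;` (or adding `else { search = this; }` after the `if (!willRetrieveKeys)` block) covers it. The clone branch replaces the old `copyAllFields(this)` call, and whether `clone()` carries over the search criteria of `this` is not visible in this hunk, so it is worth confirming and recording in a comment there, since the count depends on per-row permission checks over the same rows. The method's Javadoc begins above the hunk.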