Posted to commits@rave.apache.org by ca...@apache.org on 2011/10/28 17:03:39 UTC

svn commit: r1190386 - /incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/WidgetService.java

Author: carlucci
Date: Fri Oct 28 15:03:39 2011
New Revision: 1190386

URL: http://svn.apache.org/viewvc?rev=1190386&view=rev
Log:
RAVE-310: fixed incorrect security annotation on updateWidget (admins can now update non-owned widgets)

Modified:
    incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/WidgetService.java

Modified: incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/WidgetService.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/WidgetService.java?rev=1190386&r1=1190385&r2=1190386&view=diff
==============================================================================
--- incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/WidgetService.java (original)
+++ incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/WidgetService.java Fri Oct 28 15:03:39 2011
@@ -119,7 +119,11 @@ public interface WidgetService {
      *
      * @param widget new Widget to store
      * @return Widget if it is new and can be stored, otherwise {@literal null}
-     */
+     * 
+     * TODO: change the security annotation to:
+     * @PostAuthorize("hasPermission(returnObject, 'create')") 
+     * once RAVE-319 has been resolved
+     */        
     @PreAuthorize("hasPermission(new org.apache.rave.portal.security.impl.RaveSecurityContext(#widget.owner.entityId, 'org.apache.rave.portal.model.User'), 'org.apache.rave.portal.model.Widget', 'create')")    
     Widget registerNewWidget(Widget widget);
     
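Review bot: The TODO added to the Javadoc of registerNewWidget puts `@PostAuthorize(...)` at the start of a comment line, where the Javadoc tool will read it as an unknown block tag. Wrap it as `{@code @PostAuthorize("hasPermission(returnObject, 'create')")}` or move the TODO into a `//` comment directly above the annotation. The TODO should also record that a post-authorization check is evaluated after the method body has run, so on a method that stores the widget the write has already happened when access is denied; the planned switch is only safe if that denial rolls the transaction back. The same comment documents a `null` return, so the future expression needs a defined outcome for a null `returnObject`. The Javadoc block starts outside the hunk.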
@@ -145,6 +149,6 @@ public interface WidgetService {
      *
      * @param widget to save
      */
-    @PreAuthorize("hasPermission(new org.apache.rave.portal.security.impl.RaveSecurityContext(#widget.owner.entityId, 'org.apache.rave.portal.model.User'), 'org.apache.rave.portal.model.Widget', 'update')")        
+    @PreAuthorize("hasPermission(#widget.entityId, 'org.apache.rave.portal.model.Widget', 'update')")        
     void updateWidget(Widget widget);
 }
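Review bot: The Javadoc of updateWidget does not state who may call it, and with the new expression the rule can no longer be read from the annotation. The decision is now made on `#widget.entityId` alone, so it depends on what the permission evaluator looks up for that id (presumably the stored widget's owner and the caller's role; the evaluator is not part of this diff). I would add a line such as `Requires 'update' permission on the persisted widget identified by widget.entityId; other fields of the passed object, including owner, are not part of the check.` It is also worth documenting what happens when `entityId` is null (a widget that was never stored), since the expression then passes a null target id to the evaluator. The Javadoc block starts outside the hunk.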