Posted to commits@rave.apache.org by ca...@apache.org on 2011/10/28 17:03:39 UTC
svn commit: r1190386 -
/incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/WidgetService.java
Author: carlucci
Date: Fri Oct 28 15:03:39 2011
New Revision: 1190386
URL: http://svn.apache.org/viewvc?rev=1190386&view=rev
Log:
RAVE-310: fixed incorrect security annotation on updateWidget (admins can now update non-owned widgets)
Modified:
incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/WidgetService.java
Modified: incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/WidgetService.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/WidgetService.java?rev=1190386&r1=1190385&r2=1190386&view=diff
==============================================================================
--- incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/WidgetService.java (original)
+++ incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/WidgetService.java Fri Oct 28 15:03:39 2011
@@ -119,7 +119,11 @@ public interface WidgetService {
*
* @param widget new Widget to store
* @return Widget if it is new and can be stored, otherwise {@literal null}
- */
+ *
+ * TODO: change the security annotation to:
+ * @PostAuthorize("hasPermission(returnObject, 'create')")
+ * once RAVE-319 has been resolved
+ */
@PreAuthorize("hasPermission(new org.apache.rave.portal.security.impl.RaveSecurityContext(#widget.owner.entityId, 'org.apache.rave.portal.model.User'), 'org.apache.rave.portal.model.Widget', 'create')")
Widget registerNewWidget(Widget widget);
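Review bot: The TODO added to the registerNewWidget Javadoc plans a move to `@PostAuthorize("hasPermission(returnObject, 'create')")`, but a post-authorization expression is evaluated only after the method has run, so the widget would already be stored when access is denied unless the call sits in a transaction that rolls back on the access-denied exception. The same Javadoc says the method returns null when the widget is not new, so the planned expression also has to cope with a null `returnObject`. I would record both conditions in the TODO, e.g. `* NOTE: a post-check runs after the store; requires rollback on denial and null returnObject handling`. As written, the line that begins with `@PostAuthorize` will be parsed by javadoc as an unknown block tag; wrapping it as `{@code @PostAuthorize(...)}` avoids that.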
@@ -145,6 +149,6 @@ public interface WidgetService {
*
* @param widget to save
*/
- @PreAuthorize("hasPermission(new org.apache.rave.portal.security.impl.RaveSecurityContext(#widget.owner.entityId, 'org.apache.rave.portal.model.User'), 'org.apache.rave.portal.model.Widget', 'update')")
+ @PreAuthorize("hasPermission(#widget.entityId, 'org.apache.rave.portal.model.Widget', 'update')")
void updateWidget(Widget widget);
}
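Review bot: The new expression on updateWidget authorizes on `#widget.entityId` alone, so the `owner` carried by the submitted object is no longer part of the check. If the permission evaluator decides from the stored widget's owner (its implementation is not visible here), a non-admin owner could pass the check while submitting a Widget whose owner field names a different user, so owner changes should be validated in the implementation. It is also worth confirming how the evaluator treats a null entityId, since updating an unsaved Widget could otherwise bypass the 'create' rule on registerNewWidget. The Javadoc should state the contract, e.g. `* Requires 'update' permission on the persisted widget with this id; the widget must already exist.` The interface body starts outside this hunk.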