SRSoftware/Umbrella
1
0
Fork 0
Code Issues Pull Requests Actions Projects Releases Wiki Activity

added permission check to StockModule.getChildLocations

Browse Source 
Signed-off-by: Stephan Richter <s.richter@srsoftware.de>
This commit is contained in:
Stephan Richter
2026-02-12 08:41:12 +01:00
parent 6e7bb08738
commit a72d556a36
2 changed files with 11 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
stock/src/main/java/de/srsoftware/umbrella/stock/StockModule.java
View File

@@ -33,12 +33,10 @@ import de.srsoftware.umbrella.core.constants.Text;
import de.srsoftware.umbrella.core.exceptions.UmbrellaException;
import de.srsoftware.umbrella.core.model.*;
import de.srsoftware.umbrella.core.model.Location;
import java.io.IOException;
import java.util.*;
import de.srsoftware.umbrella.messagebus.events.Event;
import de.srsoftware.umbrella.messagebus.events.ItemEvent;
import java.io.IOException;
import java.util.*;
import org.json.JSONObject;
public class StockModule extends BaseHandler implements StockService {
@@ -228,7 +226,8 @@ public class StockModule extends BaseHandler implements StockService {
}
private boolean getChildLocations(UmbrellaUser user, long parentId, HttpExchange ex) throws IOException {
LOG.log(WARNING,"No security check implemented for {0}.getChildLocations(user, parentId, ex)!",getClass().getSimpleName()); // TODO check, that user is allowed to request that location
var owner = stockDb.loadLocation(parentId).owner();
if (!assigned(owner,user)) throw forbidden("You are not allowed to access items of {owner}", OWNER,owner);
return sendContent(ex, stockDb.listChildLocations(parentId).stream().sorted(comparing(l -> l.name().toLowerCase())).map(DbLocation::toMap));
}