added permission check to StockModule.getChildLocations

Signed-off-by: Stephan Richter <s.richter@srsoftware.de>
Merge branch 'feature/stock-item-link'
2026-02-12 08:41:12 +01:00 · 2026-02-12 08:24:21 +01:00 · 2026-02-11 14:48:01 +01:00 · 2026-02-11 14:32:41 +01:00 · 2026-02-11 13:41:45 +01:00
5 changed files with 55 additions and 18 deletions
--- a/bus/src/main/java/de/srsoftware/umbrella/messagebus/events/ItemEvent.java
+++ b/bus/src/main/java/de/srsoftware/umbrella/messagebus/events/ItemEvent.java
@@ -1,16 +1,15 @@
+/* © SRSoftware 2025 */
 package de.srsoftware.umbrella.messagebus.events;

-import de.srsoftware.umbrella.core.ModuleRegistry;
-import de.srsoftware.umbrella.core.api.Owner;
-import de.srsoftware.umbrella.core.constants.Field;
-import de.srsoftware.umbrella.core.model.*;
-
-import java.util.Collection;
-import java.util.List;
-
 import static de.srsoftware.umbrella.core.constants.Field.*;
 import static de.srsoftware.umbrella.core.model.Translatable.t;

+import de.srsoftware.umbrella.core.ModuleRegistry;
+import de.srsoftware.umbrella.core.api.Owner;
+import de.srsoftware.umbrella.core.model.*;
+import java.util.Collection;
+import java.util.List;
+
 public class ItemEvent extends Event<Item>{
 	public ItemEvent(UmbrellaUser initiator, String module, Item item, EventType type) {
 		super(initiator, module, item, type);
--- a/frontend/src/App.svelte
+++ b/frontend/src/App.svelte
@@ -103,7 +103,8 @@
        <Route path="/search"                      component={Search} />
        <Route path="/stock"                       component={Stock} />
        <Route path="/stock/location/:location_id" component={Stock} />
-        <Route path="/stock/:owner/:owner_id/item/:item_id" component={Stock} />
+        <Route path="/stock/:item_id/view"         component={Stock} />
+        <Route path="/stock/:owner/:owner_id/item/:owner_number" component={Stock} />
        <Route path="/tags"                        component={TagList} />
        <Route path="/tags/use/:tag"               component={TagUses} />
        <Route path="/task"                        component={TaskList} />
--- a/frontend/src/routes/stock/Index.svelte
+++ b/frontend/src/routes/stock/Index.svelte
@@ -1,5 +1,6 @@
 <script>
    import { onMount }      from 'svelte';
+    import { useTinyRouter } from 'svelte-tiny-router';
    import { api, drop, get, patch } from '../../urls.svelte';
    import { error, yikes } from '../../warn.svelte';
    import { t }            from '../../translations.svelte';
@@ -17,8 +18,9 @@
    let location        = $state(null);
    let draggedItem     = $state(null)
    let draggedLocation = $state(null)
-    let { item_id, location_id, owner, owner_id } = $props();
+    let { item_id, location_id, owner, owner_id, owner_number } = $props();
    let skip_location = false; // disable effect on setting location within loadItem()
+    let router = useTinyRouter();

    $effect(() => {
        // This effect runs whenever `location` changes
@@ -98,8 +100,8 @@
    }

    async function loadItem(){
-        if (!item_id) return;
-        const url = api(`stock/${owner}/${owner_id}/item/${item_id}`);
+        if (!owner_number) return;
+        const url = api(`stock/${owner}/${owner_id}/item/${owner_number}`);
        const res = await get(url);
        if (res.ok){
            yikes();
@@ -116,7 +118,7 @@
                }
            }
            for (let i of json.items){
-                if (i.owner_number == +item_id) item = i;
+                if (i.owner_number == +owner_number) item = i;
            }
        } else {
            error(res);
@@ -170,12 +172,27 @@
    }

    async function load(){
+        await preload();
        await loadUserLocations();
        await loadPath();
        await loadProperties();
        await loadItem();
    }

+    async function preload(){
+        if (item_id) {
+            let url = api(`stock/item/${item_id}`);
+            const res = await get(url);
+            if (res.ok){
+                const json   = await res.json();
+                owner        = json.owner.type;
+                owner_id     = json.owner.id;
+                owner_number = json.owner_number;
+                location_id  = json.location.id;
+            }
+        }
+    }
+
    function moveToTop(loc){
        if (patchLocation(location,'parent_location_id',0)){
            loc.parent_location_id = 0;
--- a/frontend/src/routes/stock/ItemProps.svelte
+++ b/frontend/src/routes/stock/ItemProps.svelte
@@ -75,6 +75,10 @@
 </div>
 <table>
    <tbody>
+        <tr>
+            <td>{t('ID')}</td>
+            <td>{item.id}</td>
+        </tr>
        <tr>
            <td>{t('Code')}:</td>
            <td>
--- a/stock/src/main/java/de/srsoftware/umbrella/stock/StockModule.java
+++ b/stock/src/main/java/de/srsoftware/umbrella/stock/StockModule.java
@@ -33,12 +33,10 @@ import de.srsoftware.umbrella.core.constants.Text;
 import de.srsoftware.umbrella.core.exceptions.UmbrellaException;
 import de.srsoftware.umbrella.core.model.*;
 import de.srsoftware.umbrella.core.model.Location;
-
-import java.io.IOException;
-import java.util.*;
-
 import de.srsoftware.umbrella.messagebus.events.Event;
 import de.srsoftware.umbrella.messagebus.events.ItemEvent;
+import java.io.IOException;
+import java.util.*;
 import org.json.JSONObject;

 public class StockModule extends BaseHandler implements StockService {
@@ -120,6 +118,7 @@ public class StockModule extends BaseHandler implements StockService {
 						yield super.doGet(path,ex);
 					}
 				}
+				case Path.ITEM -> getItemById(user.get(),path,ex);
 				case Path.LOCATION -> {
 					try {
 						var location = Location.of(Long.parseLong(path.pop()));
@@ -162,6 +161,22 @@ public class StockModule extends BaseHandler implements StockService {
 		}
 	}

+	private boolean getItemById(UmbrellaUser user, de.srsoftware.tools.Path path, HttpExchange ex) throws IOException {
+		var head = path.pop();
+		if (head == null) throw missingField(Field.ID);
+		try {
+			var itemId = Long.parseLong(head);
+			var item = stockDb.loadItem(itemId);
+			var owner = item.location().resolve().owner().resolve();
+			boolean allowed = owner instanceof UmbrellaUser u && user.equals(u);
+			allowed = allowed || owner instanceof Company c && companyService().membership(c.id(),user.id());
+			if (!allowed) throw forbidden("You are not allowed to access item {id}",ID,itemId);
+			return sendContent(ex,item);
+		} catch (NumberFormatException e) {
+			throw invalidField(Field.ID, Text.NUMBER);
+		}
+	}
+
 	@Override
 	public boolean doPatch(de.srsoftware.tools.Path path, HttpExchange ex) throws IOException {
 		addCors(ex);
@@ -211,7 +226,8 @@ public class StockModule extends BaseHandler implements StockService {
 	}

 	private boolean getChildLocations(UmbrellaUser user, long parentId, HttpExchange ex) throws IOException {
-		LOG.log(WARNING,"No security check implemented for {0}.getChildLocations(user, parentId, ex)!",getClass().getSimpleName()); // TODO check, that user is allowed to request that location
+		var owner = stockDb.loadLocation(parentId).owner();
+		if (!assigned(owner,user)) throw forbidden("You are not allowed to access items of {owner}", OWNER,owner);
 		return sendContent(ex, stockDb.listChildLocations(parentId).stream().sorted(comparing(l -> l.name().toLowerCase())).map(DbLocation::toMap));
 	}
Author	SHA1	Message	Date
Stephan Richter	a72d556a36	added permission check to StockModule.getChildLocations Signed-off-by: Stephan Richter <s.richter@srsoftware.de>	2026-02-12 08:41:12 +01:00
Stephan Richter	6e7bb08738	Merge branch 'feature/stock-item-link' All checks were successful Build Docker Image / Docker-Build (push) Successful in 2m34s Details Build Docker Image / Clean-Registry (push) Successful in 2s Details	2026-02-12 08:24:21 +01:00
Stephan Richter	1e29aa8583	fixed frontend path Signed-off-by: Stephan Richter <s.richter@srsoftware.de>	2026-02-11 14:48:01 +01:00
Stephan Richter	214a4c00f5	finished loading item by db id Signed-off-by: Stephan Richter <s.richter@srsoftware.de>	2026-02-11 14:32:41 +01:00
Stephan Richter	12ed6d47ec	working on loading item by id	2026-02-11 13:41:45 +01:00