Readonly User für den BIM-Viewer http://bitnami/issues/5184

WeltWeitBau · Sep 15, 2021 · e668050 · e668050
1 parent 11e7e30
commit e668050
Showing 1 changed file with 38 additions and 0 deletions.
diff --git a/BimServer/src/org/bimserver/webservices/impl/ServiceImpl.java b/BimServer/src/org/bimserver/webservices/impl/ServiceImpl.java
@@ -1709,6 +1709,11 @@ public List<SProject> getAllNonAuthorizedProjectsOfUser(Long uoid) throws Server
 	@Override
 	public SUser getUserByUserName(String username) throws ServerException, UserException {
 		requireRealUserAuthentication();
+
+		if(isUserAccessable(username) == false) {
+			throw new UserException("Admin rights required to list users");
+		}
+
 		DatabaseSession session = getBimServer().getDatabase().createSession(OperationType.READ_ONLY);
 		try {
 			BimDatabaseAction<User> action = new GetUserByUserNameDatabaseAction(session, getInternalAccessMethod(), username);
@@ -1896,6 +1901,11 @@ public void updateGeoTag(SGeoTag sGeoTag) throws ServerException, UserException
 	@Override
 	public SUser getUserByUoid(Long uoid) throws ServerException, UserException {
 		requireAuthentication();
+
+		if(isUserAccessable(uoid) == false) {
+			throw new UserException("Admin rights required to see user");
+		}
+
 		DatabaseSession session = getBimServer().getDatabase().createSession(OperationType.READ_ONLY);
 		try {
 			GetUserByUoidDatabaseAction action = new GetUserByUoidDatabaseAction(session, getInternalAccessMethod(), uoid);
@@ -1906,6 +1916,34 @@ public SUser getUserByUoid(Long uoid) throws ServerException, UserException {
 			session.close();
 		}
 	}
+
+	private boolean isUserAccessable(String strUsername) throws ServerException, UserException {
+		return isUserAccessable(-1, strUsername);
+	}
+
+	private boolean isUserAccessable(long uoid) throws ServerException, UserException {
+		return isUserAccessable(uoid, null);
+	}
+
+	private boolean isUserAccessable(long uoid, String strUsername) throws ServerException, UserException {
+		if (getBimServer().getServerSettingsCache().getServerSettings().getHideUserListForNonAdmin() == false) {
+			return true;
+		}
+
+		if (getCurrentUser() != null & getCurrentUser().getUserType() == SUserType.ADMIN) {
+			return true;
+		}
+
+		if(uoid > -1 && getCurrentUser().getOid() == uoid) {
+			return true;
+		}
+
+		if(strUsername != null && strUsername.equals(getCurrentUser().getUsername())) {
+			return true;
+		}
+
+		return false;
+	}
 
 	public List<SUser> getAllNonAuthorizedUsersOfProject(Long poid) throws ServerException, UserException {
 		requireRealUserAuthentication();