package general;
import java.util.List;
import org.hibernate.Session;
import domain.Event;
import domain.PermissionType;
import domain.Role;
import domain.User;
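/**
 * Redacts event attributes that the current user is not entitled to see.
 *
 * <p>Policy, as implemented by {@link #enforce}:
 * <ul>
 *   <li>the owner's password is cleared on every event, for every viewer;</li>
 *   <li>a private event keeps its description, type and owner only for its owner;</li>
 *   <li>a protected event keeps them only for its owner and for users holding the admin role.</li>
 * </ul>
 */
public class EventAttributesAccessPolicy {

    // Primary keys of the policy rows read from the database. They are hard-coded,
    // so they must match the rows that actually exist in the target schema.
    private static final long PRIVATE_PERMISSION_ID = 3L;
    private static final long PROTECTED_PERMISSION_ID = 2L;
    private static final long ADMIN_ROLE_ID = 2L;

    /**
     * Applies the redaction policy in place to every event in {@code events}.
     *
     * <p>NOTE(review): the setters below mutate the {@code Event} objects and their owner that
     * were passed in. If those objects are still attached to {@code databaseSession}, a later
     * flush could presumably write the nulled description/owner/password back to the database.
     * Confirm that callers pass detached objects or use a read-only session.
     *
     * @param databaseSession session used to load the permission types and the admin role
     * @param currentUser the viewer; {@code null} is treated as neither owner nor admin
     * @param events events to redact in place
     * @throws IllegalStateException if a permission type row cannot be loaded, because the
     *     policy could not be evaluated and nothing would be redacted
     */
    public static void enforce(Session databaseSession, User currentUser, List<Event> events) {
        PermissionType privatePermission = (PermissionType) databaseSession.get(
                PermissionType.class, Long.valueOf(PRIVATE_PERMISSION_ID));
        PermissionType protectedPermission = (PermissionType) databaseSession.get(
                PermissionType.class, Long.valueOf(PROTECTED_PERMISSION_ID));
        Role adminRole = (Role) databaseSession.get(Role.class, Long.valueOf(ADMIN_ROLE_ID));

        // Session.get returns null when no row has the requested id. Comparing against a
        // null permission type would never match, so restricted events would pass through
        // unredacted. Fail closed instead of exposing them.
        if (privatePermission == null || protectedPermission == null) {
            throw new IllegalStateException(
                    "Event access policy cannot be evaluated: permission type rows are missing");
        }
        // A missing admin role needs no special case: isAdmin() is then false for everyone,
        // which only ever redacts more.

        for (Event event : events) {
            // The password never leaves this layer, whoever is looking. The owner may already
            // be null if this event was redacted by an earlier pass or appears twice in the list.
            if (event.getId().getOwner() != null) {
                event.getId().getOwner().setPassword(null);
            }

            // NOTE(review): an event whose getPermission() is null still fails here with a
            // NullPointerException, as before; decide whether such events should be redacted.
            boolean hiddenAsPrivate = event.getPermission().equals(privatePermission)
                    && !isOwner(currentUser, event.getId().getOwner());
            boolean hiddenAsProtected = !hiddenAsPrivate
                    && event.getPermission().equals(protectedPermission)
                    && !isAdmin(currentUser, adminRole)
                    && !isOwner(currentUser, event.getId().getOwner());

            if (hiddenAsPrivate || hiddenAsProtected) {
                event.setDescription(null);
                event.getId().setType(null);
                event.getId().setOwner(null);
            }
        }
    }

    /** Returns true only when a viewer is present and equals the event owner. */
    private static boolean isOwner(User currentUser, Object owner) {
        return currentUser != null && currentUser.equals(owner);
    }

    /** Returns true only when a viewer is present and its role equals the loaded admin role. */
    private static boolean isAdmin(User currentUser, Role adminRole) {
        return currentUser != null
                && currentUser.getRole() != null
                && currentUser.getRole().equals(adminRole);
    }
}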