Check that returned place belongs to this event

Also unbuying of place should be restricted to MANAGE_OTHERS

Check that returned place belongs to this event
Also unbuying of place should be restricted to MANAGE_OTHERS
Tuomas Riihimäki
Commit c3cb60cf authored Jan 29, 2015 by Tuomas Riihimäki
Showing with 19 additions and 4 deletions
code/moya-beans/ejbModule/fi/codecrew/moya/beans/PlaceBean.java
--- a/code/moya-beans/ejbModule/fi/codecrew/moya/beans/PlaceBean.java
+++ b/code/moya-beans/ejbModule/fi/codecrew/moya/beans/PlaceBean.java
@@ -584,11 +584,26 @@ public class PlaceBean implements PlaceBeanLocal {
 	@Override
 	@RolesAllowed(MapPermission.S_VIEW)
 	public Place find(int placeId) {
-		return placeFacade.find(placeId);
+		Place ret = placeFacade.find(placeId);
+		// Check that place belongs to this event before returning it.
+		if (ret.getProduct() != null) {
+			if (eventBean.getCurrentEvent().equals(ret.getProduct().getEvent())) {
+				return ret;
+			}
+			return null;
+		}
+		if (ret.getMap() != null) {
+			if (eventBean.getCurrentEvent().equals(ret.getMap().getEvent())) {
+				return ret;
+			}
+		}
+		return null;
 	}
 	@Override
-	@RolesAllowed(MapPermission.S_BUY_PLACES)
+	@RolesAllowed(MapPermission.S_MANAGE_OTHERS)
 	public Place unbuyPlace(Place place) {
 		place = placeFacade.reload(place);
 		if (place.getGroup() != null) {
@@ -806,7 +821,7 @@ public class PlaceBean implements PlaceBeanLocal {
 		row = placeSlotFacade.reload(row);
 		if (row.getPlace() == null && row.getUsed() == null) {
 			row.setUsed(new Date());
-		}else {
+		} else {
 			return false;
 		}
 		return true;
@@ -817,7 +832,7 @@ public class PlaceBean implements PlaceBeanLocal {
 		row = placeSlotFacade.reload(row);
 		if (row.getPlace() == null && row.getUsed() != null) {
 			row.setUsed(null);
-		}else {
+		} else {
 			return false;
 		}
 		return true;