Beanien siivoilua ja oikeustarkastelujen lisäystä.

Tuomas Riihimäki
Commit 3509774c authored Aug 21, 2010 by Tuomas Riihimäki
Showing with 137 additions and 220 deletions
code/LanBortalBeans/as3/fi/insomnia/bortal/beans/RoleBeanBase.as
code/LanBortalBeans/as3/fi/insomnia/bortal/beans/UserBeanBase.as
code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/AccessRightBean.java
code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/BillBean.java
code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/PlaceMapBean.java
code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/RoleBean.java
code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/UserBean.java
code/LanBortalBeans/ejbModule/fi/insomnia/bortal/facade/AccessRightFacade.java
code/LanBortalBeansClient/ejbModule/fi/insomnia/bortal/beans/AccessRightBeanLocal.java
code/LanBortalBeansClient/ejbModule/fi/insomnia/bortal/beans/UserBeanLocal.java
code/LanBortalBeansClient/ejbModule/fi/insomnia/bortal/enums/Permission.java
code/LanBortalWeb/src/fi/insomnia/bortal/handler/SessionHandler.java
code/LanBortalWeb/src/fi/insomnia/bortal/view/BillView.java
code/LanBortalWeb/src/fi/insomnia/bortal/view/MapView.java
code/LanBortalWeb/src/fi/insomnia/bortal/view/ProductShopView.java
code/LanBortalWeb/src/fi/insomnia/bortal/view/ProductView.java
code/LanBortalWeb/src/fi/insomnia/bortal/view/RoleView.java
code/LanBortalWeb/src/fi/insomnia/bortal/view/TestDataView.java
code/LanBortalWeb/src/fi/insomnia/bortal/view/UserView.java
--- a/code/LanBortalBeans/as3/fi/insomnia/bortal/beans/RoleBeanBase.as
+++ b/code/LanBortalBeans/as3/fi/insomnia/bortal/beans/RoleBeanBase.as
@@ -7,6 +7,7 @@
 package fi.insomnia.bortal.beans {
+    import fi.insomnia.bortal.facade.AccessRightFacade;
    import fi.insomnia.bortal.facade.RoleFacade;
    import fi.insomnia.bortal.facade.RoleRightFacade;
    import flash.utils.IDataInput;
@@ -16,20 +17,20 @@ package fi.insomnia.bortal.beans {
    [Bindable]
    public class RoleBeanBase implements IExternalizable {
-        private var _accessRightBean:AccessRightBeanLocal;
+        private var _accessRightFacade:AccessRightFacade;
        private var _eventBean:EventBeanLocal;
        private var _roleFacade:RoleFacade;
        private var _rrfacade:RoleRightFacade;
        public function readExternal(input:IDataInput):void {
-            _accessRightBean = input.readObject() as AccessRightBeanLocal;
+            _accessRightFacade = input.readObject() as AccessRightFacade;
            _eventBean = input.readObject() as EventBeanLocal;
            _roleFacade = input.readObject() as RoleFacade;
            _rrfacade = input.readObject() as RoleRightFacade;
        }
        public function writeExternal(output:IDataOutput):void {
-            output.writeObject(_accessRightBean);
+            output.writeObject(_accessRightFacade);
            output.writeObject(_eventBean);
            output.writeObject(_roleFacade);
            output.writeObject(_rrfacade);

--- a/code/LanBortalBeans/as3/fi/insomnia/bortal/beans/UserBeanBase.as
+++ b/code/LanBortalBeans/as3/fi/insomnia/bortal/beans/UserBeanBase.as
@@ -7,6 +7,7 @@
 package fi.insomnia.bortal.beans {
+    import fi.insomnia.bortal.facade.AccessRightFacade;
    import fi.insomnia.bortal.facade.UserFacade;
    import flash.utils.IDataInput;
    import flash.utils.IDataOutput;
@@ -16,7 +17,7 @@ package fi.insomnia.bortal.beans {
    [Bindable]
    public class UserBeanBase implements IExternalizable {
-        private var _accessRightBeanLocal:AccessRightBeanLocal;
+        private var _accessRightFacade:AccessRightFacade;
        private var _context:SessionContext;
        private var _eventBean:EventBeanLocal;
        private var _rolebean:RoleBeanLocal;
@@ -24,7 +25,7 @@ package fi.insomnia.bortal.beans {
        private var _userFacade:UserFacade;
        public function readExternal(input:IDataInput):void {
-            _accessRightBeanLocal = input.readObject() as AccessRightBeanLocal;
+            _accessRightFacade = input.readObject() as AccessRightFacade;
            _context = input.readObject() as SessionContext;
            _eventBean = input.readObject() as EventBeanLocal;
            _rolebean = input.readObject() as RoleBeanLocal;
@@ -33,7 +34,7 @@ package fi.insomnia.bortal.beans {
        }
        public function writeExternal(output:IDataOutput):void {
-            output.writeObject(_accessRightBeanLocal);
+            output.writeObject(_accessRightFacade);
            output.writeObject(_context);
            output.writeObject(_eventBean);
            output.writeObject(_rolebean);

--- a/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/AccessRightBean.java
+++ b/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/AccessRightBean.java
-/*
- * To change this template, choose Tools | Templates
- * and open the template in the editor.
- */
-package fi.insomnia.bortal.beans;
-import java.util.List;
-import fi.insomnia.bortal.enums.Permission;
-import fi.insomnia.bortal.facade.AccessRightFacade;
-import fi.insomnia.bortal.model.AccessRight;
-import javax.ejb.EJB;
-import javax.ejb.Stateless;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-/**
- * 
- * @author tuukka
- */
-@Stateless
-public class AccessRightBean implements AccessRightBeanLocal {
-    @EJB
-    private AccessRightFacade accessRightFacade;
-    private static final Logger logger = LoggerFactory.getLogger(AccessRightBean.class);
-    public AccessRight findOrCreate(Permission permission) {
-        AccessRight right = accessRightFacade.findByPermission(permission);
-        if (right == null) {
-            right = new AccessRight();
-            right.setName(permission.name());
-            right.setDescription(permission.getDescription());
-            accessRightFacade.create(right);
-            logger.info("Access right permission {} not found. created {}", permission, right);
-        }
-        return right;
-    }
-    public List<AccessRight> findAll() {
-        return accessRightFacade.findAll();
-    }
-}
--- a/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/BillBean.java
+++ b/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/BillBean.java
@@ -62,15 +62,9 @@ public class BillBean implements BillBeanLocal {
        Bill bill = billFacade.find(event.getId(), id);
        User currentuser = userBean.getCurrentUser();
-        if (!currentuser.equals(bill.getUser()))
+        if (!currentuser.equals(bill.getUser())) {
-            if (!authbean.isAuthorised(currentuser, Right.ADMIN, RightType.READ)) {
+            userBean.fatalPermission(Permission.USER_MANAGEMENT, RolePermission.READ, "User tried to print the bill with insufficient rights. Bill id: ", bill);
-                {
+        }
-                    secubean.logPermissionDenied(currentuser,
-                            "User tried to print the bill with insufficient rights. Bill id: " + bill);
-                    return null;
-                }
-            }
        return bill;
    }
@@ -129,5 +123,4 @@ public class BillBean implements BillBeanLocal {
        return line;
    }
 }
--- a/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/PlaceMapBean.java
+++ b/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/PlaceMapBean.java
@@ -54,7 +54,7 @@ public class PlaceMapBean implements PlaceMapBeanLocal {
    public void printPlaceMapToStream(OutputStream outputStream, String filetype, Integer mapId, List<Integer> placeIds) throws IOException {
        User user = userbean.getCurrentUser();
-        if (!userbean.hasPermission(Permission.TICKET_SALES, user, RolePermission.READ)) {
+        if (!userbean.hasPermission(Permission.TICKET_SALES,  RolePermission.READ)) {
            throw new PermissionDeniedException(secubean, user, "User has no right to view placemap ( TICKET_SALES, READ )");
        }

--- a/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/RoleBean.java
+++ b/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/RoleBean.java
@@ -17,6 +17,8 @@ import org.slf4j.LoggerFactory;
 import fi.insomnia.bortal.enums.BeanRole;
 import fi.insomnia.bortal.enums.Permission;
+import fi.insomnia.bortal.facade.AccessRightFacade;
+import fi.insomnia.bortal.facade.EventChildGenericFacade;
 import fi.insomnia.bortal.facade.RoleFacade;
 import fi.insomnia.bortal.facade.RoleRightFacade;
 import fi.insomnia.bortal.model.AccessRight;
@@ -38,8 +40,8 @@ public class RoleBean implements RoleBeanLocal {
    private RoleFacade roleFacade;
    @EJB
    private RoleRightFacade rrfacade;
-    @EJB
-    private AccessRightBeanLocal accessRightBean;
+    private AccessRightFacade accessRightFacade;
    private static final Logger logger = LoggerFactory.getLogger(RoleBean.class);
@@ -93,7 +95,7 @@ public class RoleBean implements RoleBeanLocal {
    public List<RoleRight> getRoleRights(Role r) {
-        List<AccessRight> rights = accessRightBean.findAll();
+        List<AccessRight> rights = accessRightFacade.findAll();
        List<RoleRight> ret = new ArrayList<RoleRight>();
        for (AccessRight ar : rights) {
            ret.add(findRoleRight(r, ar));
@@ -121,7 +123,7 @@ public class RoleBean implements RoleBeanLocal {
    }
    public RoleRight findRoleRight(Role role, Permission perm) {
-        AccessRight acr = accessRightBean.findOrCreate(perm);
+        AccessRight acr = accessRightFacade.findByPermission(perm);
        return findRoleRight(role, acr);
    }

--- a/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/UserBean.java
+++ b/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/beans/UserBean.java
@@ -18,6 +18,7 @@ import org.slf4j.LoggerFactory;
 import fi.insomnia.bortal.enums.Permission;
 import fi.insomnia.bortal.enums.RolePermission;
 import fi.insomnia.bortal.exceptions.PermissionDeniedException;
+import fi.insomnia.bortal.facade.AccessRightFacade;
 import fi.insomnia.bortal.facade.UserFacade;
 import fi.insomnia.bortal.model.AccessRight;
 import fi.insomnia.bortal.model.Role;
@@ -46,7 +47,7 @@ public class UserBean implements UserBeanLocal {
    @EJB
    private RoleBeanLocal rolebean;
    @EJB
-    private AccessRightBeanLocal accessRightBeanLocal;
+    private AccessRightFacade accessRightFacade;
    @EJB
    private SecurityBeanLocal secubean;
@@ -72,10 +73,7 @@ public class UserBean implements UserBeanLocal {
    }
    public List<User> getUsers() {
-        User curruser = getCurrentUser();
+        fatalPermission(Permission.USER_MANAGEMENT, RolePermission.READ);
-        if (curruser == null || !hasPermission(Permission.USER_MANAGEMENT, curruser, RolePermission.READ)) {
-            throw new PermissionDeniedException(secubean, curruser, "User tried to execute getUsers function with insufficient permissions");
-        }
        List<User> ret = userFacade.findAll();
        logger.info("Found {} users from database ", ret.size());
@@ -84,10 +82,8 @@ public class UserBean implements UserBeanLocal {
    @Override
    public User mergeChanges(User user) {
-        User curruser = getCurrentUser();
+        fatalPermission(Permission.USER_MANAGEMENT, RolePermission.WRITE);
-        if (curruser == null || !hasPermission(Permission.USER_MANAGEMENT, curruser, RolePermission.WRITE) || !user.equals(curruser)) {
-            throw new PermissionDeniedException(secubean, curruser, "User tried to merge someone others data with insufficient permissions");
-        }
        return userFacade.merge(user);
    }
@@ -133,13 +129,12 @@ public class UserBean implements UserBeanLocal {
        return defaultUser;
    }
-    public boolean hasPermission(Permission target, User user, RolePermission permission) {
+    // TODO: Voisi olla hyvä idea cachettaa... Tätä kutsutaan aika paljon..
+    public boolean hasPermission(Permission target, RolePermission permission) {
-        if (user == null) {
+        User user = getCurrentUser();
-            return false;
-        }
-        AccessRight expectedRight = accessRightBeanLocal.findOrCreate(target);
+        AccessRight expectedRight = accessRightFacade.findByPermission(target);
        User dbusr = userFacade.find(user.getId());
        if (dbusr != null) {
@@ -199,17 +194,12 @@ public class UserBean implements UserBeanLocal {
    @Override
    public boolean hasCurrentUserPermission(Permission permission, RolePermission rolePermission) {
-        return this.hasPermission(permission, getCurrentUser(), rolePermission);
+        return this.hasPermission(permission, rolePermission);
    }
    @Override
    public void fatalPermission(Permission target, RolePermission permission, Object... failmessage) {
-        fatalPermission(getCurrentUser(), target, permission, failmessage);
+        boolean ret = hasPermission(target, permission);
-    }
-    @Override
-    public void fatalPermission(User user, Permission target, RolePermission permission, Object... failmessage) {
-        boolean ret = hasPermission(target, user, permission);
        if (!ret) {
            String message = null;
            if (failmessage == null || failmessage.length == 0) {
@@ -229,5 +219,11 @@ public class UserBean implements UserBeanLocal {
        }
    }
+    @Override
+    public void fatalNotLoggedIn() {
+        if (!isLoggedIn()) {
+            throw new PermissionDeniedException(secubean, getCurrentUser(), "User is not logged in!");
+        }
+    }
 }
--- a/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/facade/AccessRightFacade.java
+++ b/code/LanBortalBeans/ejbModule/fi/insomnia/bortal/facade/AccessRightFacade.java
@@ -27,25 +27,20 @@ public class AccessRightFacade extends IntegerPkGenericFacade<AccessRight> {
    protected EntityManager getEm() {
        return em;
    }
-/*
-    public AccessRight findOrCreateByName(String target) {
-        // Fetch access right by name
+    /*
-        TypedQuery<AccessRight> q = em.createQuery("SELECT a FROM AccessRight a WHERE a.name = :name", AccessRight.class);
+     * public AccessRight findOrCreateByName(String target) {
-        q.setParameter("name", target);
+     * 
-        AccessRight right = null;
+     * // Fetch access right by name TypedQuery<AccessRight> q =
-        right = this.getSingleNullableResult(q);
+     * em.createQuery("SELECT a FROM AccessRight a WHERE a.name = :name",
+     * AccessRight.class); q.setParameter("name", target); AccessRight right =
-        // Might not exist yet -> create
+     * null; right = this.getSingleNullableResult(q);
-        if (right == null) {
+     * 
-            right = new AccessRight();
+     * // Might not exist yet -> create if (right == null) { right = new
-            right.setName(target);
+     * AccessRight(); right.setName(target); em.persist(right); }
-            em.persist(right);
+     * 
-        }
+     * return right; }
+     */
-        return right;
-    }
-    */
    public AccessRight findByPermission(Permission target) {
@@ -54,11 +49,15 @@ public class AccessRightFacade extends IntegerPkGenericFacade<AccessRight> {
        q.setParameter("name", target.name());
        AccessRight right = null;
        right = this.getSingleNullableResult(q);
+        if (right == null) {
+            right = new AccessRight(target.name());
+            create(right);
+        }
        return right;
    }
    public void find(LanEvent e, Role r) {
-       throw new NotImplementedException();
+        throw new NotImplementedException();
    }
 }
--- a/code/LanBortalBeansClient/ejbModule/fi/insomnia/bortal/beans/AccessRightBeanLocal.java
+++ b/code/LanBortalBeansClient/ejbModule/fi/insomnia/bortal/beans/AccessRightBeanLocal.java
-/*
- * To change this template, choose Tools | Templates
- * and open the template in the editor.
- */
-package fi.insomnia.bortal.beans;
-import java.util.List;
-import fi.insomnia.bortal.enums.Permission;
-import fi.insomnia.bortal.model.AccessRight;
-import javax.ejb.Local;
-/**
- *
- * @author tuukka
- */
-@Local
-public interface AccessRightBeanLocal {
-    public AccessRight findOrCreate(Permission permission);
-    public List<AccessRight> findAll();
-}
--- a/code/LanBortalBeansClient/ejbModule/fi/insomnia/bortal/beans/UserBeanLocal.java
+++ b/code/LanBortalBeansClient/ejbModule/fi/insomnia/bortal/beans/UserBeanLocal.java
@@ -24,7 +24,7 @@ public interface UserBeanLocal {
    User getAnonUser();
-    boolean hasPermission(Permission target, User user, RolePermission permission);
+    boolean hasPermission(Permission target, RolePermission permission);
    boolean isCurrentUser(User thisuser);
@@ -32,10 +32,11 @@ public interface UserBeanLocal {
    boolean isLoggedIn();
-    void fatalPermission(User user, Permission target, RolePermission permission, Object ... failmessage);
    void fatalPermission(Permission target, RolePermission permission, Object ... failmessage);
+    void fatalNotLoggedIn();

--- a/code/LanBortalBeansClient/ejbModule/fi/insomnia/bortal/enums/Permission.java
+++ b/code/LanBortalBeansClient/ejbModule/fi/insomnia/bortal/enums/Permission.java
@@ -10,10 +10,10 @@ package fi.insomnia.bortal.enums;
 */
 public enum Permission {
-    PERMISSION("Description"),
+    // PERMISSION("Description"),
-    LOGIN("User can see loginbutton. (only defaultuser should have permission to that one)"),
+    LOGIN("User can see loginbutton(r). (only defaultuser should have permission to that one), LoggedIn user has (x)"),
    USER_MANAGEMENT("User has right to view all users(r), modify users(w), execute actions for user(x), Eg shop! "),
-    TICKET_SALES("User has right to view, and/or buy tickets"),
+    TICKET_SALES("User has right to view(r), administer(w) and buy(x)"),
    ROLE_MANAGEMENT("User has right to view(r), modify(w) and assign(x) roles"),
    PRODUCT("View(r), modify(w), and shop(x) products"),

--- a/code/LanBortalWeb/src/fi/insomnia/bortal/handler/SessionHandler.java
+++ b/code/LanBortalWeb/src/fi/insomnia/bortal/handler/SessionHandler.java
@@ -77,7 +77,7 @@ public class SessionHandler {
        if (target == null || permission == null) {
            throw new RuntimeException("Empty target or permission!");
        }
-        boolean ret = userbean.hasPermission(target, getUser(), permission);
+        boolean ret = userbean.hasPermission(target, permission);
        return ret;
    }
@@ -101,29 +101,29 @@ public class SessionHandler {
    private boolean impersonating = false;
-    public void impersonateUser(User user) {
+//    public void impersonateUser(User user) {
-        if (user == null) {
+//        if (user == null) {
-            this.thisuser = getUser();
+//            this.thisuser = getUser();
-            impersonating = false;
+//            impersonating = false;
-        } else if (canExecute("user")) {
+//        } else if (canExecute("user")) {
-            secubean.logMessage(userbean.getCurrentUser(), "Successfully impersonating user id: " + user.getId() + " and login: " + user.getLogin());
+//            secubean.logMessage(userbean.getCurrentUser(), "Successfully impersonating user id: " + user.getId() + " and login: " + user.getLogin());
-            this.thisuser = user;
+//            this.thisuser = user;
-            impersonating = true;
+//            impersonating = true;
-        } else {
+//        } else {
-            secubean.logMessage(userbean.getCurrentUser(), "User tried to impersonate as id: " + user.getId() + " login: " + user.getLogin() + " but did not have enough rights");
+//            secubean.logMessage(userbean.getCurrentUser(), "User tried to impersonate as id: " + user.getId() + " login: " + user.getLogin() + " but did not have enough rights");
-        }
+//        }
-    }
+//    }
+//
-    public User getUser() {
+//    public User getUser() {
+//
-        boolean iscurruser = userbean.isCurrentUser(thisuser);
+//        boolean iscurruser = userbean.isCurrentUser(thisuser);
-        logger.debug("Current user {}", (thisuser == null) ? "null" : thisuser.getNick());
+//        logger.debug("Current user {}", (thisuser == null) ? "null" : thisuser.getNick());
-        if (thisuser == null || (!impersonating && !iscurruser)) {
+//        if (thisuser == null || (!impersonating && !iscurruser)) {
-            thisuser = userbean.getCurrentUser();
+//            thisuser = userbean.getCurrentUser();
-        }
+//        }
+//
-        return thisuser;
+//        return thisuser;
-    }
+//    }
    public String logout() {

--- a/code/LanBortalWeb/src/fi/insomnia/bortal/view/BillView.java
+++ b/code/LanBortalWeb/src/fi/insomnia/bortal/view/BillView.java
@@ -12,6 +12,8 @@ import org.slf4j.LoggerFactory;
 import fi.insomnia.bortal.beans.BillBeanLocal;
 import fi.insomnia.bortal.beans.UserBeanLocal;
+import fi.insomnia.bortal.enums.Permission;
+import fi.insomnia.bortal.enums.RolePermission;
 import fi.insomnia.bortal.model.Bill;
 @ManagedBean(name = "billView")
@@ -22,12 +24,12 @@ public class BillView {
    @EJB
    private UserBeanLocal userbean;
-    @EJB 
-    private BillBeanLocal billbean;
    private ListDataModel<Bill> billList;
    public ListDataModel<Bill> getUsersBills()
    {
+        userbean.fatalNotLoggedIn();
        List<Bill> bills = userbean.getCurrentUser().getBills();
        logger.debug("found {} bills for user {}", bills.size(), userbean.getCurrentUser().getLogin());
        billList = new ListDataModel<Bill>(bills);

--- a/code/LanBortalWeb/src/fi/insomnia/bortal/view/MapView.java
+++ b/code/LanBortalWeb/src/fi/insomnia/bortal/view/MapView.java
@@ -7,6 +7,9 @@ package fi.insomnia.bortal.view;
 import fi.insomnia.bortal.beans.EventBeanLocal;
 import fi.insomnia.bortal.beans.PlaceBeanLocal;
 import fi.insomnia.bortal.beans.PlaceMapBeanLocal;
+import fi.insomnia.bortal.beans.UserBeanLocal;
+import fi.insomnia.bortal.enums.Permission;
+import fi.insomnia.bortal.enums.RolePermission;
 import fi.insomnia.bortal.handler.SessionHandler;
 import fi.insomnia.bortal.model.LanEvent;
 import fi.insomnia.bortal.model.EventMap;
@@ -39,9 +42,9 @@ public class MapView {
    @EJB
    private PlaceBeanLocal placeBean;
+    @EJB
+    private UserBeanLocal userBean;
-    @ManagedProperty("#{sessionHandler}")
-    private SessionHandler sessionHandler;
    private EventMap activeMap = null;
    private List<Place> selectedPlaces = new ArrayList<Place>();
    @EJB
@@ -54,6 +57,8 @@ public class MapView {
    }
    public void placeSelectActionListener(ActionEvent e) {
+        userBean.fatalPermission(Permission.TICKET_SALES, RolePermission.EXECUTE);
        FacesContext context = FacesContext.getCurrentInstance();
        String clientId = e.getComponent().getClientId(context);
        Map requestParams = context.getExternalContext().getRequestParameterMap();
@@ -76,7 +81,8 @@ public class MapView {
    }
    public String getSelectPlaceMapUrl() {
-        User user = sessionHandler.getUser();
+        User user = userBean.getCurrentUser();
        logger.debug("Select map got user: {}", user);
        EventMap map = getActiveMap();
        logger.debug("Select map got active map: {}", map);
@@ -95,6 +101,7 @@ public class MapView {
     *         this event does not have map, return null.
     */
    public EventMap getActiveMap() {
+        userBean.fatalPermission(Permission.TICKET_SALES, RolePermission.READ);
        if (activeMap == null) {
            LanEvent event = eventBean.getCurrentEvent();
@@ -114,23 +121,10 @@ public class MapView {
        this.activeMap = activeMap;
    }
-    /**
-     * @return the sessionHandler
-     */
-    public SessionHandler getSessionHandler() {
-        return sessionHandler;
-    }
-    /**
-     * @param sessionHandler
-     *            the sessionHandler to set
-     */
-    public void setSessionHandler(SessionHandler sessionHandler) {
-        this.sessionHandler = sessionHandler;
-    }
    public String placeLeftToSelect() {
-        long totalPlaces = placeMapBean.selectablePlaceCount(sessionHandler.getUser());
+        long totalPlaces = placeMapBean.selectablePlaceCount(userBean.getCurrentUser());
        return (totalPlaces - selectedPlaces.size()) + "";
    }

--- a/code/LanBortalWeb/src/fi/insomnia/bortal/view/ProductShopView.java
+++ b/code/LanBortalWeb/src/fi/insomnia/bortal/view/ProductShopView.java
@@ -23,6 +23,8 @@ import fi.insomnia.bortal.beans.BillBeanLocal;
 import fi.insomnia.bortal.beans.EventBeanLocal;
 import fi.insomnia.bortal.beans.ProductBeanLocal;
 import fi.insomnia.bortal.beans.UserBeanLocal;
+import fi.insomnia.bortal.enums.Permission;
+import fi.insomnia.bortal.enums.RolePermission;
 import fi.insomnia.bortal.exceptions.PermissionDeniedException;
 import fi.insomnia.bortal.model.Bill;
 import fi.insomnia.bortal.model.Product;
@@ -48,22 +50,15 @@ public class ProductShopView {
    private User shoppingUser;
    public DataModel<Product> getUserShoppableProducts() {
+        userBean.fatalNotLoggedIn();
        ListDataModel<Product> items = new ListDataModel<Product>(productBean.listUserShoppableProducts());
        logger.info("Fetching products. Found {}", items.getRowCount());
        return items;
    }
-    public ActionListener getBillCommitAL() {
-        logger.info("Fetching billCommitAl()");
-        return new ActionListener() {
-            @Override
-            public void processAction(ActionEvent event) throws AbortProcessingException {
-                logger.info("Executing BillCommit AL");
-            }
-        };
-    }
    public void commitBillCart() {
+        userBean.fatalPermission(Permission.PRODUCT, RolePermission.EXECUTE);
        logger.debug("Committing billCart");
        Iterator<ProductShopItem> cartIter = billCart.iterator();
        Bill bill = null;
@@ -80,6 +75,8 @@ public class ProductShopView {
    }
    public DataModel<ProductShopItem> getBillCart() {
+        userBean.fatalPermission(Permission.TICKET_SALES, RolePermission.EXECUTE);
        billCart = new ListDataModel<ProductShopItem>(ProductShopItem.productList(productBean.listUserShoppableProducts()));
        return billCart;
    }

--- a/code/LanBortalWeb/src/fi/insomnia/bortal/view/ProductView.java
+++ b/code/LanBortalWeb/src/fi/insomnia/bortal/view/ProductView.java
@@ -18,6 +18,9 @@ import org.slf4j.LoggerFactory;
 import fi.insomnia.bortal.beans.BillBeanLocal;
 import fi.insomnia.bortal.beans.ProductBeanLocal;
+import fi.insomnia.bortal.beans.UserBeanLocal;
+import fi.insomnia.bortal.enums.Permission;
+import fi.insomnia.bortal.enums.RolePermission;
 import fi.insomnia.bortal.model.Bill;
 import fi.insomnia.bortal.model.BillLine;
 import fi.insomnia.bortal.model.EventMap;
@@ -38,6 +41,9 @@ public class ProductView {
    @EJB
    private BillBeanLocal billBean;
+    @EJB
+    private UserBeanLocal userBean;
    private String productname = "";
    private BigDecimal productprice = BigDecimal.ZERO;
    private EventMap activeMap = null;
@@ -48,12 +54,15 @@ public class ProductView {
    public DataModel<Product> getProducts() {
+        userBean.fatalPermission(Permission.PRODUCT, RolePermission.READ,"User has no right to view products");
        products = new ListDataModel<Product>(productBean.getProducts());
        return products;
    }
    public String createProduct() {
+        userBean.fatalPermission(Permission.PRODUCT, RolePermission.WRITE);
        setProduct(productBean.createProduct(productname, productprice));
        productprice = BigDecimal.ZERO;
        productname = "";
@@ -62,11 +71,13 @@ public class ProductView {
    }
    public String edit() {
+        userBean.fatalPermission(Permission.PRODUCT, RolePermission.WRITE);
        product = products.getRowData();
        return "edit";
    }
    public String saveProduct() {
+        userBean.fatalPermission(Permission.PRODUCT, RolePermission.WRITE);
        productBean.mergeChanges(product);
        return "list";
    }
@@ -75,6 +86,7 @@ public class ProductView {
     * @return the activeMap
     */
    public EventMap getActiveMap() {
+        userBean.fatalPermission(Permission.TICKET_SALES, RolePermission.READ);
        return activeMap;
    }

--- a/code/LanBortalWeb/src/fi/insomnia/bortal/view/RoleView.java
+++ b/code/LanBortalWeb/src/fi/insomnia/bortal/view/RoleView.java
@@ -34,9 +34,6 @@ import fi.insomnia.bortal.model.RoleRight;
 @SessionScoped
 public class RoleView {
-    @ManagedProperty("#{sessionHandler}")
-    private SessionHandler sessionhandler;
    @EJB
    private EventBeanLocal eventbean;
    @EJB
@@ -54,6 +51,8 @@ public class RoleView {
    private ListDataModel<RoleRight> rolerights;
    public DataModel<Role> getRoles() {
+        userbean.fatalPermission(Permission.ROLE_MANAGEMENT, RolePermission.READ);
        items = new ListDataModel<Role>(roleBean.listRoles());
        logger.info("Fetching roles. Found {}", items.getRowCount());
@@ -61,6 +60,8 @@ public class RoleView {
    }
    public DataModel<RoleRight> getRoleRights() {
+        userbean.fatalPermission(Permission.ROLE_MANAGEMENT, RolePermission.READ);
        if (rolerights == null) {
            logger.info("Fetching new rolerights from database");
            rolerights = new ListDataModel<RoleRight>(roleBean.getRoleRights(role));
@@ -78,6 +79,8 @@ public class RoleView {
    }
    public String editRoleRight() {
+        userbean.fatalPermission(Permission.ROLE_MANAGEMENT, RolePermission.WRITE);
        logger.info("Roleright array: {}", rolerights);
        RoleRight row = rolerights.getRowData();
        roleBean.mergeChanges(row);
@@ -97,6 +100,8 @@ public class RoleView {
    }
    public String edit() {
+        userbean.fatalPermission(Permission.ROLE_MANAGEMENT, RolePermission.READ);
        setRole(items.getRowData());
        rolerights = null;
        items = null;
@@ -112,6 +117,8 @@ public class RoleView {
     * @return the role
     */
    public Role getRole() {
+        userbean.fatalPermission(Permission.ROLE_MANAGEMENT, RolePermission.READ);
        if (role == null) {
            role = new Role(eventbean.getCurrentEvent());
        }
@@ -126,20 +133,7 @@ public class RoleView {
        this.role = role;
    }
-    /**
-     * @return the sessionhandler
-     */
-    public SessionHandler getSessionhandler() {
-        return sessionhandler;
-    }
-    /**
-     * @param sessionhandler
-     *            the sessionhandler to set
-     */
-    public void setSessionhandler(SessionHandler sessionhandler) {
-        this.sessionhandler = sessionhandler;
-    }
    /**
     * @return the possibleParents

--- a/code/LanBortalWeb/src/fi/insomnia/bortal/view/TestDataView.java
+++ b/code/LanBortalWeb/src/fi/insomnia/bortal/view/TestDataView.java
@@ -32,11 +32,7 @@ public class TestDataView {
    private TestDataBeanLocal testdatabean;
    @EJB
    private UserBeanLocal userbean;
+ public void generateData() {
-    @ManagedProperty("#{sessionHandler}")
-    private SessionHandler sessionhandler;
-    public void generateData() {
        User user = testdatabean.createUser();
        User admin = testdatabean.createAdmin();
@@ -75,13 +71,6 @@ public class TestDataView {
    public TestDataView() {
    }
-    public void setSessionhandler(SessionHandler sessionhandler) {
-        this.sessionhandler = sessionhandler;
-    }
-    public SessionHandler getSessionhandler() {
-        return sessionhandler;
-    }
    public String printPlacesInfo() {
        testdatabean.printPlacesInfo();

--- a/code/LanBortalWeb/src/fi/insomnia/bortal/view/UserView.java
+++ b/code/LanBortalWeb/src/fi/insomnia/bortal/view/UserView.java
@@ -44,6 +44,8 @@ public class UserView {
    private SecurityBeanLocal securitybean;
    public String edit() {
+        userBean.fatalPermission(Permission.USER_MANAGEMENT, RolePermission.READ);
        setUser(items.getRowData());
        logger.info("Editing: Firstname: {} ", getUser().getFirstnames());
@@ -51,6 +53,7 @@ public class UserView {
    }
    public void initSelfedit() {
+        userBean.fatalNotLoggedIn();
        user = userBean.getCurrentUser();
    }
@@ -78,6 +81,8 @@ public class UserView {
    }
    public String saveUser() {
+        userBean.fatalPermission(Permission.USER_MANAGEMENT, RolePermission.WRITE);
        setUser(userBean.mergeChanges(getUser()));
        logger.info("Firstname: {} ", getUser().getFirstnames());
@@ -85,6 +90,8 @@ public class UserView {
    }
    public ListDataModel<User> getUsers() {
+        userBean.fatalPermission(Permission.USER_MANAGEMENT, RolePermission.READ);
        List<User> users;
        users = userBean.getUsers();