Moving Lists and Resources under Boards in order to apply a consistent

security context / rights over these objects rather than having their own.

Moving Lists and Resources under Boards in order to apply a consistent
security context / rights over these objects rather than having their own.
92517ec6 · Peter Harrison · 04f7afd9 · 92517ec6 · 92517ec6 · 92517ec6
Commit 92517ec6 authored Oct 14, 2015 by Peter Harrison
38 changed files
--- a/src/main/java/nz/net/orcon/kanban/automation/plugin/FreemarkerPlugin.java
+++ b/src/main/java/nz/net/orcon/kanban/automation/plugin/FreemarkerPlugin.java
@@ -42,7 +42,7 @@ public class FreemarkerPlugin implements Plugin {

 	@Override
 	public Map<String,Object> process( Action action, Map<String,Object> context ) throws Exception{        
-        String resource = getResourceController().getResource(action.getResource());
+        String resource = getResourceController().getResource((String)context.get("boardid"),action.getResource());
        
        Configuration configuration = new Configuration();
        

--- a/src/main/java/nz/net/orcon/kanban/automation/plugin/ScriptPlugin.java
+++ b/src/main/java/nz/net/orcon/kanban/automation/plugin/ScriptPlugin.java
@@ -74,7 +74,7 @@ public class ScriptPlugin implements Plugin{
 		
 		String script = null;
 		if(StringUtils.isNotBlank(action.getResource()) ){
-			script = resourceController.getResource(action.getResource());
+			script = resourceController.getResource((String)context.get("boardid"),action.getResource());
 		} else {
 			script = action.getMethod();
 		}

--- a/src/main/java/nz/net/orcon/kanban/automation/plugin/TemplatePlugin.java
+++ b/src/main/java/nz/net/orcon/kanban/automation/plugin/TemplatePlugin.java
@@ -44,7 +44,7 @@ public class TemplatePlugin implements Plugin {
 	@Override
 	public Map<String,Object> process( Action action, Map<String,Object> context ) throws Exception{        

-		String resource = getResourceController().getResource(action.getResource());
+		String resource = getResourceController().getResource((String)context.get("boardid"),action.getResource());

 		StringBuilder builder = new StringBuilder(resource);
 		

--- a/src/main/java/nz/net/orcon/kanban/automation/plugin/VelocityPlugin.java
+++ b/src/main/java/nz/net/orcon/kanban/automation/plugin/VelocityPlugin.java
@@ -42,7 +42,7 @@ public class VelocityPlugin implements Plugin {
 	
 	@Override
 	public Map<String,Object> process( Action action, Map<String,Object> context ) throws Exception{        
-		String resource = getResourceController().getResource(action.getResource());
+		String resource = getResourceController().getResource((String)context.get("boardid"),action.getResource());
        VelocityContext velocityContext = new VelocityContext(context);
        StringWriter resultWriter = new StringWriter();
        getVelocityEngine().evaluate(velocityContext, resultWriter, action.getResource(), resource);

--- a/src/main/java/nz/net/orcon/kanban/controllers/BoardController.java
+++ b/src/main/java/nz/net/orcon/kanban/controllers/BoardController.java
@@ -105,6 +105,7 @@ public class BoardController {
 	@Autowired
 	SecurityTool securityTool;
 	
+	@PreAuthorize("hasPermission(#boardId, 'BOARD', 'READ,WRITE,ADMIN')")
 	@RequestMapping(value = "/{boardId}", method=RequestMethod.GET)
 	public @ResponseBody Board getBoard(@PathVariable String boardId) throws Exception {
 		Board board = boardsCache.getItem(boardId);

--- a/src/main/java/nz/net/orcon/kanban/controllers/BoardsCache.java
+++ b/src/main/java/nz/net/orcon/kanban/controllers/BoardsCache.java
@@ -94,11 +94,11 @@ public class BoardsCache extends CacheImpl<Board> implements MessageListener {
 	}

 	@Override
-	protected Board getFromStore(String itemId) throws Exception {
+	protected Board getFromStore(String... itemIds) throws Exception {
 		ObjectContentManager ocm = ocmFactory.getOcm();
 		Board board;
 		try{
-			board = (Board) ocm.getObject(Board.class,String.format(URI.BOARD_URI, itemId));
+			board = (Board) ocm.getObject(Board.class,String.format(URI.BOARD_URI, itemIds));
 		} finally {
 			ocm.logout();
 		}
@@ -106,7 +106,7 @@ public class BoardsCache extends CacheImpl<Board> implements MessageListener {
 	}

 	@Override
-	protected Map<String, String> getListFromStore() throws Exception {
+	protected Map<String, String> getListFromStore(String... prefixes) throws Exception {
 		
 		logger.info("Getting Board List");
 		

--- a/src/main/java/nz/net/orcon/kanban/controllers/Cache.java
+++ b/src/main/java/nz/net/orcon/kanban/controllers/Cache.java
@@ -27,10 +27,10 @@ public interface Cache<T> {

 	public void invalidate( String itemId );
 	
-	public T getItem(String itemId) throws Exception;
+	public T getItem(String... itemIds) throws Exception;
 	
-	public Map<String,String> list() throws Exception;
+	public Map<String,String> list(String... prefixs) throws Exception;
 	
-	public void storeItem( String itemId, T item) throws Exception;
+	public void storeItem(T item, String... itemIds ) throws Exception;

 }
--- a/src/main/java/nz/net/orcon/kanban/controllers/CacheImpl.java
+++ b/src/main/java/nz/net/orcon/kanban/controllers/CacheImpl.java
@@ -40,13 +40,15 @@ abstract public class CacheImpl<T> implements Cache<T> {
 	}

 	@Override
-	public T getItem(String itemId) throws Exception {
+	public T getItem(String... itemIds) throws Exception {
+		String itemId = getCacheId( itemIds);
+		
 		T item = cacheMap.get(itemId);
 		if( item!=null){
 			return item;
 		}
 		
-		item = getFromStore(itemId);
+		item = getFromStore(itemIds);

 		if(item==null){
 			throw new ResourceNotFoundException();
@@ -56,15 +58,20 @@ abstract public class CacheImpl<T> implements Cache<T> {
 		return item;
 	}
 	
-	public Map<String,String> list() throws Exception{
+	public Map<String,String> list(String... prefixs) throws Exception{
 		if( this.cacheList == null){
-			this.cacheList = this.getListFromStore();
+			if( prefixs.length>0){
+				this.cacheList = this.getListFromStore(prefixs);
+			} else {
+				this.cacheList = this.getListFromStore("");
+			}
 		}
 		return new HashMap<String,String>(this.cacheList);
 	}

 	@Override
-	public void storeItem(String itemId, T item) throws Exception {
+	public void storeItem(T item, String... itemIds ) throws Exception {
+		String itemId = getCacheId(itemIds);
 		this.cacheMap.put(itemId, item);
 	}
 	
@@ -74,7 +81,17 @@ abstract public class CacheImpl<T> implements Cache<T> {
 		this.cacheList = null;
 	}
 	
-	abstract protected T getFromStore( String itemId ) throws Exception;
+	public String getCacheId( String... ids ){
+		StringBuilder id = new StringBuilder();
+		for (int i = 0; i < ids.length; ++i) {
+			id.append(ids[i]);
+			id.append("-");
+		}
+		String returnValue = id.toString();
+		return returnValue.substring(0, returnValue.length()-1);
+	}
+	
+	abstract protected T getFromStore(String... itemIds) throws Exception;
 	
-	abstract protected Map<String,String> getListFromStore() throws Exception;
+	abstract protected Map<String,String> getListFromStore(String... prefixs) throws Exception;
 }
--- a/src/main/java/nz/net/orcon/kanban/controllers/CardController.java
+++ b/src/main/java/nz/net/orcon/kanban/controllers/CardController.java
@@ -1025,6 +1025,7 @@ public class CardController {
 		}
 		return cardNotifications;
 	}
+	
 	@PreAuthorize("hasPermission(#boardId, 'BOARD', 'WRITE,ADMIN')")
 	@RequestMapping(value = "/{cardId}/tasks/{taskId}", method=RequestMethod.DELETE)
 	public void deleteTask(@PathVariable String boardId, 
@@ -1077,8 +1078,6 @@ public class CardController {
 			ocm.logout();
 		}
 	}
-
-	
 	
 	@PreAuthorize("hasPermission(#boardId, 'BOARD', 'WRITE,ADMIN')")
 	@RequestMapping(value = "/{cardId}/notifications/{type}/reprocess/{notificationId}", method=RequestMethod.GET)

--- a/src/main/java/nz/net/orcon/kanban/controllers/FilterController.java
+++ b/src/main/java/nz/net/orcon/kanban/controllers/FilterController.java
@@ -41,6 +41,7 @@ import org.apache.jackrabbit.ocm.manager.ObjectContentManager;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -66,6 +67,7 @@ public class FilterController {
 	@Autowired 
 	private ListTools listTools;
 		
+	@PreAuthorize("hasPermission(#boardId, 'BOARD', 'ADMIN')")
 	@RequestMapping(value = "", method=RequestMethod.POST)
 	public @ResponseBody Filter createFilter(@PathVariable String boardId,
 										  @RequestBody Filter filter) throws Exception {
@@ -85,6 +87,7 @@ public class FilterController {
 		return filter;
 	}

+	@PreAuthorize("hasPermission(#boardId, 'BOARD', 'ADMIN')")	
 	@RequestMapping(value = "/{filterId}", method=RequestMethod.PUT)
 	public @ResponseBody Filter updateFilter(@PathVariable String boardId,
 										  @PathVariable String filterId,
@@ -102,6 +105,7 @@ public class FilterController {
 		return filter;
 	}

+	@PreAuthorize("hasPermission(#boardId, 'BOARD', 'READ,WRITE,ADMIN')")	
 	@RequestMapping(value = "/{filterId}", method=RequestMethod.GET)
 	public @ResponseBody Filter getFilter(@PathVariable String boardId, 
 			@PathVariable String filterId) throws Exception {
@@ -115,6 +119,7 @@ public class FilterController {
 		return filter;		
 	}
 	
+	@PreAuthorize("hasPermission(#boardId, 'BOARD', 'ADMIN')")
 	@RequestMapping(value = "/{filterId}/conditions", method=RequestMethod.POST)
 	public @ResponseBody Condition saveFilterField(@PathVariable String boardId, 
 			@PathVariable String filterId,
@@ -130,6 +135,7 @@ public class FilterController {
 		return filterField;
 	}
 	
+	@PreAuthorize("hasPermission(#boardId, 'BOARD', 'ADMIN')")
 	@RequestMapping(value = "/{filterId}/conditions/{fieldId}", method=RequestMethod.DELETE)
 	public @ResponseBody void deleteFilterField(@PathVariable String boardId, 
 			@PathVariable String filterId,
@@ -143,6 +149,7 @@ public class FilterController {
 		this.cacheInvalidationManager.invalidate(BoardController.BOARD, boardId);
 	}
 	
+	@PreAuthorize("hasPermission(#boardId, 'BOARD', 'READ,WRITE,ADMIN')")	
 	@RequestMapping(value = "", method=RequestMethod.GET)
 	public @ResponseBody Map<String,String> listFilters(@PathVariable String boardId) throws Exception {
 		
@@ -152,6 +159,7 @@ public class FilterController {
 		return result;			
 	}
 	
+	@PreAuthorize("hasPermission(#boardId, 'BOARD', 'READ,WRITE,ADMIN')")	
 	@RequestMapping(value = "/{filterId}/execute", method=RequestMethod.GET)
 	public @ResponseBody Collection<Card> executeFilter(@PathVariable String boardId, 
 														@PathVariable String filterId) 
@@ -164,6 +172,7 @@ public class FilterController {
 		return cards;		
 	}	
 	
+	@PreAuthorize("hasPermission(#boardId, 'BOARD', 'ADMIN')")
 	@RequestMapping(value = "/{filterId}", method=RequestMethod.DELETE)
 	public @ResponseBody void deleteFilter(@PathVariable String boardId, 
 			@PathVariable String filterId) throws Exception {
@@ -185,5 +194,4 @@ public class FilterController {
 		ocm.logout();
 		this.cacheInvalidationManager.invalidate(BoardController.BOARD, boardId);
 	}
-
 }
--- a/src/main/java/nz/net/orcon/kanban/controllers/FormCache.java
+++ b/src/main/java/nz/net/orcon/kanban/controllers/FormCache.java
@@ -43,11 +43,11 @@ public class FormCache extends CacheImpl<Form> {
 	ListTools listTools;
 	
 	@Override
-	protected Form getFromStore(String itemId) throws Exception {
+	protected Form getFromStore(String... itemIds) throws Exception {
 		ObjectContentManager ocm = ocmFactory.getOcm();
 		Form form;
 		try{
-			form = (Form) ocm.getObject(Form.class,String.format(URI.FORM_URI, itemId));
+			form = (Form) ocm.getObject(Form.class,String.format(URI.FORM_URI, (Object[])itemIds));
 		} finally {
 			ocm.logout();
 		}
@@ -55,11 +55,11 @@ public class FormCache extends CacheImpl<Form> {
 	}

 	@Override
-	protected Map<String, String> getListFromStore() throws Exception {
+	protected Map<String, String> getListFromStore(String... prefixes) throws Exception {
 		ObjectContentManager ocm = ocmFactory.getOcm();
 		Map<String,String> result = null;
 		try{
-			result = listTools.list(String.format(URI.FORM_URI, ""), "name", ocm.getSession());
+			result = listTools.list(String.format(URI.FORM_URI, (Object[])prefixes), "name", ocm.getSession());
 		} finally {
 			ocm.logout();
 		}

--- a/src/main/java/nz/net/orcon/kanban/controllers/FormController.java
+++ b/src/main/java/nz/net/orcon/kanban/controllers/FormController.java
@@ -104,6 +104,7 @@ public class FormController {
 		return formCache.getItem(formId);		
 	}

+	@PreAuthorize("hasPermission(#formId, 'FORM', 'READ,WRITE,ADMIN')")
 	@RequestMapping(value = "/{formId}/roles", method=RequestMethod.GET)
 	public @ResponseBody Map<String,String> getFormRoles(@PathVariable String formId) throws Exception {
 		return formCache.getItem(formId).getRoles();		
@@ -152,6 +153,7 @@ public class FormController {
 		}
 	}
 	
+	@PreAuthorize("hasPermission(#formId, 'FORM', 'ADMIN')")
 	@RequestMapping(value = "/{formId}/roles", method=RequestMethod.POST)
 	public  @ResponseBody void addRoles(@PathVariable String formId, @RequestBody Map<String,String> roles) throws Exception {

@@ -174,5 +176,4 @@ public class FormController {
 			ocm.logout();
 		}
 	}
-
 }
--- a/src/main/java/nz/net/orcon/kanban/controllers/ListCache.java
+++ b/src/main/java/nz/net/orcon/kanban/controllers/ListCache.java
@@ -50,19 +50,20 @@ public class ListCache extends CacheImpl<ListResource>{
 	ListTools listTools;
 			
 	@Override
-	protected ListResource getFromStore(String itemId) throws Exception {
-		ObjectContentManager ocm = ocmFactory.getOcm();	
-		ListResource list = (ListResource) ocm.getObject(ListResource.class,"/list/" + itemId);		
+	protected ListResource getFromStore(String... itemIds) throws Exception {
+		ObjectContentManager ocm = ocmFactory.getOcm();
+		ListResource list = (ListResource) ocm.getObject(ListResource.class,String.format(URI.LIST_URI, (Object[])itemIds));
 		ocm.logout();
 		return list;
 	}

 	@Override
-	protected Map<String, String> getListFromStore() throws Exception {
+	protected Map<String, String> getListFromStore(String... prefixes) throws Exception {
 		ObjectContentManager ocm = ocmFactory.getOcm();
 		Map<String,String> result = null;
 		try{
-			result = listTools.list(String.format(URI.LIST_URI,""), "name", ocm.getSession());
+			String path = String.format(URI.LIST_URI, (Object[])prefixes);
+			result = listTools.list(path, "name", ocm.getSession());
 		} finally {
 			ocm.logout();
 		}

--- a/src/main/java/nz/net/orcon/kanban/controllers/ListController.java
+++ b/src/main/java/nz/net/orcon/kanban/controllers/ListController.java
@@ -32,6 +32,7 @@ import nz.net.orcon.kanban.automation.CacheInvalidationInterface;
 import nz.net.orcon.kanban.model.ListResource;
 import nz.net.orcon.kanban.model.Option;
 import nz.net.orcon.kanban.tools.IdentifierTools;
+import nz.net.orcon.kanban.tools.ListTools;
 import nz.net.orcon.kanban.tools.OcmMapperFactory;

 import org.apache.commons.lang.StringUtils;
@@ -39,6 +40,7 @@ import org.apache.jackrabbit.ocm.manager.ObjectContentManager;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -47,7 +49,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;

 @Controller
-@RequestMapping("/list")
+@RequestMapping("/board/{boardId}/lists")
 public class ListController {
 	
 	private static final Logger logger = LoggerFactory.getLogger(ListController.class);
@@ -62,37 +64,58 @@ public class ListController {
 	
 	@Autowired
 	CacheInvalidationInterface cacheInvalidationManager;
+	
+	@Autowired 
+	ListTools listTools;
 		
+	@PreAuthorize("hasPermission(#boardId, 'BOARD', 'ADMIN')")	
 	@RequestMapping(value = "", method=RequestMethod.POST)
-	public @ResponseBody ListResource createList(@RequestBody ListResource list ) throws Exception {
+	public @ResponseBody ListResource createList(
+			@PathVariable String boardId,
+			@RequestBody ListResource list ) throws Exception {
 					
 		ObjectContentManager ocm = ocmFactory.getOcm();
+		
+		listTools.ensurePresence(String.format( URI.BOARD_URI, boardId), "lists", ocm.getSession());
 		 
 		String newId = IdentifierTools.getIdFromNamedModelClass(list);
-		list.setPath(String.format(URI.LIST_URI, newId.toString()));
+		list.setPath(String.format(URI.LIST_URI, boardId, newId.toString()));
 		ocm.insert(list);			
 		ocm.save();
 		ocm.logout();
 		return list;
 	}

+	@PreAuthorize("hasPermission(#boardId, 'BOARD', 'READ,WRITE,ADMIN')")
 	@RequestMapping(value = "/{listId}", method=RequestMethod.GET)
-	public @ResponseBody ListResource getList(@PathVariable String listId) throws Exception {
-		return listCache.getItem(IdentifierTools.getIdFromName(listId));
+	public @ResponseBody ListResource getList(
+			@PathVariable String boardId,
+			@PathVariable String listId) throws Exception {
+		
+		return listCache.getItem(boardId, IdentifierTools.getIdFromName(listId));
 	}
 	
-	public String getValue(String listId, String id) throws Exception{
-		ListResource resource = listCache.getItem(IdentifierTools.getIdFromName(listId));
+	public String getValue(
+			String boardId, 
+			String listId, 
+			String id) throws Exception{
+		
+		ListResource resource = listCache.getItem(boardId, IdentifierTools.getIdFromName(listId));
 		Option option = resource.getItems().get(id);
 		return option.getValue();
 	}
 	
-	public String getIdFromName( String name){
+	public String getIdFromName(String name){
 		return IdentifierTools.getIdFromName(name);
 	}
 	
-	public String getAttribute(String listId, String id, String attribute) throws Exception{
-		ListResource resource = listCache.getItem(IdentifierTools.getIdFromName(listId));
+	public String getAttribute(
+			String boardId, 
+			String listId, 
+			String id, 
+			String attribute) throws Exception{
+		
+		ListResource resource = listCache.getItem(boardId, IdentifierTools.getIdFromName(listId));
 		Option option = resource.getItems().get(id);
 		if(option==null){
 			option = resource.getItems().get(IdentifierTools.getIdFromName(id));
@@ -107,30 +130,40 @@ public class ListController {
 		return null;	
 	}

+	@PreAuthorize("hasPermission(#boardId, 'BOARD', 'READ,WRITE,ADMIN')")
 	@RequestMapping(value = "/{listId}/basic", method=RequestMethod.GET)
-	public @ResponseBody Map<String,String> getBasicList(@PathVariable String listId) throws Exception {
+	public @ResponseBody Map<String,String> getBasicList(
+			@PathVariable String boardId, 
+			@PathVariable String listId) throws Exception {
+		
 		Map<String,String> returnList = new HashMap<String,String>();
-		ListResource resource = listCache.getItem(listId);
+		ListResource resource = listCache.getItem(boardId,listId);
 		for( Entry<String, Option> entry : resource.getItems().entrySet()){
 			returnList.put(entry.getKey(), entry.getValue().getName());
 		}
 		return returnList;
 	}
 	
+	@PreAuthorize("hasPermission(#boardId, 'BOARD', 'READ,WRITE,ADMIN')")
 	@RequestMapping(value = "", method=RequestMethod.GET)
-	public @ResponseBody Map<String,String> listLists() throws Exception {
-		return this.listCache.list();		
+	public @ResponseBody Map<String,String> listLists(
+			@PathVariable String boardId) throws Exception {
+		
+		return this.listCache.list(boardId,"");		
 	}
 		
+	@PreAuthorize("hasPermission(#boardId, 'BOARD', 'ADMIN')")
 	@RequestMapping(value = "/{listId}", method=RequestMethod.DELETE)
-	public @ResponseBody void deleteList( @PathVariable String listId) throws Exception {
+	public @ResponseBody void deleteList( 
+			@PathVariable String boardId,
+			@PathVariable String listId) throws Exception {
 		
 		if( StringUtils.isBlank(listId)){
 			return;
 		}
 		
 		ObjectContentManager ocm = ocmFactory.getOcm();
-		Node node = ocm.getSession().getNode(String.format(URI.LIST_URI,listId));
+		Node node = ocm.getSession().getNode(String.format(URI.LIST_URI, boardId, listId));
 		
 		if(node==null){
 			ocm.logout();

--- a/src/main/java/nz/net/orcon/kanban/controllers/PhaseController.java
+++ b/src/main/java/nz/net/orcon/kanban/controllers/PhaseController.java
@@ -87,6 +87,7 @@ public class PhaseController {
 	@Autowired
 	CardLockInterface cardsLockCache;
 	
+	@PreAuthorize("hasPermission(#boardId, 'BOARD', 'READ,WRITE,ADMIN')")
 	@RequestMapping(value = "/{phaseId}", method=RequestMethod.GET)
 	public @ResponseBody Phase getPhase(
 			@PathVariable String boardId, @PathVariable String phaseId) throws Exception {
@@ -102,6 +103,7 @@ public class PhaseController {
 		return phase;		
 	}
 	
+	@PreAuthorize("hasPermission(#boardId, 'BOARD', 'ADMIN')")
 	@RequestMapping(value = "", method=RequestMethod.POST)
 	public @ResponseBody Phase createPhase(@PathVariable String boardId, @RequestBody Phase phase) throws Exception {
 		
@@ -124,6 +126,7 @@ public class PhaseController {
 		return phase;
 	}

+	@PreAuthorize("hasPermission(#boardId, 'BOARD', 'ADMIN')")
 	@RequestMapping(value = "/{phaseId}", method=RequestMethod.PUT)
 	public @ResponseBody Phase updatePhase(@PathVariable String boardId,
 										   @PathVariable String phaseId,
@@ -140,6 +143,7 @@ public class PhaseController {
 		return phase;
 	}

+	@PreAuthorize("hasPermission(#boardId, 'BOARD', 'READ,WRITE,ADMIN')")
 	@RequestMapping(value = "", method=RequestMethod.GET)
 	public @ResponseBody Collection<Phase> getPhaseList(@PathVariable String boardId) throws Exception {
 		ObjectContentManager ocm = ocmFactory.getOcm();
@@ -148,6 +152,7 @@ public class PhaseController {
 		return objects;
 	}
 	
+	@PreAuthorize("hasPermission(#boardId, 'BOARD', 'ADMIN')")
 	@RequestMapping(value = "/{phaseId}", method=RequestMethod.DELETE)
 	public @ResponseBody void deletePhase(
 			@PathVariable String boardId, @PathVariable String phaseId) throws Exception {
@@ -170,6 +175,7 @@ public class PhaseController {
 		*/
 	}
 	
+	@PreAuthorize("hasPermission(#boardId, 'BOARD', 'WRITE,ADMIN')")
 	@RequestMapping(value = "/{phaseId}/examine", method=RequestMethod.GET)
 	public @ResponseBody Boolean examinePhase(@PathVariable String boardId, 
 										  		@PathVariable String phaseId) throws Exception {
@@ -196,6 +202,7 @@ public class PhaseController {
 	 * @return
 	 * @throws Exception
 	 */
+	@PreAuthorize("hasPermission(#boardId, 'BOARD', 'ADMIN')")
 	@RequestMapping(value = "/{phaseId}/cure", method=RequestMethod.GET)
 	public @ResponseBody Boolean curePhase(@PathVariable String boardId, 
 										  		@PathVariable String phaseId) throws Exception {

--- a/src/main/java/nz/net/orcon/kanban/controllers/ResourceCache.java
+++ b/src/main/java/nz/net/orcon/kanban/controllers/ResourceCache.java
@@ -51,9 +51,9 @@ public class ResourceCache extends CacheImpl<String> {
 	ListTools listTools;
 				
 	@Override
-	protected String getFromStore(String itemId) throws Exception {
+	protected String getFromStore(String... itemIds) throws Exception {
 		ObjectContentManager ocm = this.ocmFactory.getOcm();
-		Node node = ocm.getSession().getNode(String.format(URI.RESOURCE_URI, itemId));
+		Node node = ocm.getSession().getNode(String.format(URI.RESOURCE_URI, (Object[])itemIds));
 		Property property = node.getProperty("resource");
 		String resource = property.getString();
 		ocm.logout();
@@ -61,11 +61,11 @@ public class ResourceCache extends CacheImpl<String> {
 	}

 	@Override
-	protected Map<String, String> getListFromStore() throws Exception {
+	protected Map<String, String> getListFromStore(String... prefixs) throws Exception {
 		ObjectContentManager ocm = ocmFactory.getOcm();
 		Map<String,String> result = null;
 		try{
-			result = listTools.list(String.format(URI.RESOURCE_URI,""), "name", ocm.getSession());
+			result = listTools.list(String.format(URI.RESOURCE_URI, (Object[])prefixs), "name", ocm.getSession());
 		} finally {
 			ocm.logout();
 		}

--- a/src/main/java/nz/net/orcon/kanban/controllers/ResourceController.java
+++ b/src/main/java/nz/net/orcon/kanban/controllers/ResourceController.java
@@ -21,12 +21,15 @@

 package nz.net.orcon.kanban.controllers;

+import java.io.BufferedReader;
+import java.io.Reader;
 import java.util.Map;

 import javax.annotation.Resource;
 import javax.jcr.Node;
 import javax.jcr.Property;
 import javax.jcr.Session;
+import javax.servlet.http.HttpServletRequest;

 import nz.net.orcon.kanban.automation.CacheInvalidationInterface;
 import nz.net.orcon.kanban.tools.ListTools;
@@ -36,6 +39,7 @@ import org.apache.jackrabbit.ocm.manager.ObjectContentManager;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -43,8 +47,10 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;

+import com.ibm.wsdl.util.IOUtils;
+
 @Controller
-@RequestMapping("/resource")
+@RequestMapping("/board/{boardId}/resources")
 public class ResourceController {
 		
 	private static final Logger logger = LoggerFactory.getLogger(ResourceController.class);
@@ -60,14 +66,16 @@ public class ResourceController {
 	@Autowired
 	CacheInvalidationInterface cacheInvalidationManager;
 	
+	@PreAuthorize("hasPermission(#boardId, 'BOARD', 'READ,WRITE,ADMIN')")
 	@RequestMapping(value = "/{resourceId}", method=RequestMethod.GET)
-	public @ResponseBody String getResource(@PathVariable String resourceId) throws Exception {
+	public @ResponseBody String getResource(@PathVariable String boardId, 
+			@PathVariable String resourceId) throws Exception {
 		
 		//TODO USE CACHE
 		
 		ObjectContentManager ocm = ocmFactory.getOcm();
 		
-		Node node = ocm.getSession().getNode(String.format(URI.RESOURCE_URI, resourceId));
+		Node node = ocm.getSession().getNode(String.format(URI.RESOURCE_URI, boardId, resourceId));
 		Property property = node.getProperty("resource");
 		String value = property.getString();
 		ocm.logout();
@@ -78,15 +86,37 @@ public class ResourceController {
 		return value;		
 	}