From 1168d1961ac7f38220f03c2f40689cb0c275fcbd Mon Sep 17 00:00:00 2001
From: Georgy Litvinov
Date: Tue, 12 Jul 2022 09:52:18 +0200
Subject: [PATCH] fix: allow self editors to create individuals in faux property forms (#317)
---
 .../EditRequestDispatchController.java | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/edit/n3editing/controller/EditRequestDispatchController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/edit/n3editing/controller/EditRequestDispatchController.java
index c33b70279..4b22cf6aa 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/edit/n3editing/controller/EditRequestDispatchController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/edit/n3editing/controller/EditRequestDispatchController.java
@@ -72,12 +72,7 @@ public class EditRequestDispatchController extends FreemarkerHttpServlet {
 @Override
 protected AuthorizationRequest requiredActions(VitroRequest vreq) {
- // If request is for new individual, return simple do back end editing action permission
- if (StringUtils.isNotEmpty(EditConfigurationUtils.getTypeOfNew(vreq))) {
- return SimplePermission.DO_BACK_END_EDITING.ACTION;
- } else if(MANAGE_MENUS_FORM.equals(vreq.getParameter("editForm"))) {
- return SimplePermission.MANAGE_MENUS.ACTION;
- }
+
 if (isIndividualDeletion(vreq)) {
 return SimplePermission.DO_BACK_END_EDITING.ACTION;
 }
@@ -93,7 +88,7 @@ public class EditRequestDispatchController extends FreemarkerHttpServlet {
 predicateProp.setRangeVClassURI(rangeUri);
 OntModel ontModel = ModelAccess.on(vreq).getOntModel();
 AbstractObjectPropertyStatementAction objectPropertyAction;
- if (objectUri == null) {
+ if (StringUtils.isBlank(objectUri)) {
 objectPropertyAction = new AddObjectPropertyStatement(ontModel, subjectUri, predicateProp, RequestedAction.SOME_URI);
 } else {
 if (isDeleteForm(vreq)) {
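Review bot: The `StringUtils.isBlank(objectUri)` test in the `@@ -93,7 +88,7 @@` hunk changes which action is authorised, and nothing in the code says why. An empty or whitespace-only `objectUri` parameter is now checked as an `AddObjectPropertyStatement` against `RequestedAction.SOME_URI` instead of as an operation on a concrete object, while the `EditDataPropertyStatement` built further down in the same method still receives the raw value. I would add a comment such as `// a blank objectUri means there is no existing object: authorize as an add` and confirm that the code which later builds the edit configuration (outside this hunk) also treats a blank value as absent, so the authorisation decision and the executed operation agree. The enclosing method starts and ends outside the hunk.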
@@ -105,7 +100,14 @@ public class EditRequestDispatchController extends FreemarkerHttpServlet {
 boolean isAuthorized = PolicyHelper.isAuthorizedForActions(vreq, new EditDataPropertyStatement(ontModel, subjectUri, predicateUri, objectUri). or(objectPropertyAction));
-
+ if (!isAuthorized) {
+ // If request is for new individual, return simple do back end editing action permission
+ if (StringUtils.isNotEmpty(EditConfigurationUtils.getTypeOfNew(vreq))) {
+ return SimplePermission.DO_BACK_END_EDITING.ACTION;
+ } else if (MANAGE_MENUS_FORM.equals(vreq.getParameter("editForm"))) {
+ return SimplePermission.MANAGE_MENUS.ACTION;
+ }
+ }
 return isAuthorized? SimplePermission.DO_FRONT_END_EDITING.ACTION: AuthorizationRequest.UNAUTHORIZED;
 }
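Review bot: The `MANAGE_MENUS` and `DO_BACK_END_EDITING` requirements inside the new `if (!isAuthorized)` block are applied only when the statement-level policy check fails, so a request that passes that check is held to `DO_FRONT_END_EDITING` even when it carries `editForm` equal to `MANAGE_MENUS_FORM` or a `typeOfNew` value. Those parameters come from the request, as do the subject and predicate fed to `isAuthorizedForActions`. If the form is later selected from `editForm` or `typeOfNew` independently of that predicate (not visible here), the stricter permission no longer gates it. I would keep the menu check unconditional ahead of the policy call, `if (MANAGE_MENUS_FORM.equals(vreq.getParameter("editForm"))) { return SimplePermission.MANAGE_MENUS.ACTION; }`, and relax only the `typeOfNew` branch, preferably after confirming the requested type is permitted by the property's range. The method begins outside this hunk, and the matching removal is in the `@@ -72,12 +72,7 @@` hunk.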