Commit 414e2418 authored by Matija Obreza's avatar Matija Obreza

Catalog services with better permission checks

- Fixed queries **ForCurrentUser (when blank the filter is ignored)
- Descriptors, DescriptorLists and Datasets must be published to be accessible or user needs read permission
parent 25af49a3
......@@ -33,6 +33,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.data.domain.Page;
import org.springframework.data.domain.Pageable;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.multipart.MultipartFile;
......@@ -108,6 +109,7 @@ public interface DatasetService {
* @param input query by example
* @return dataset loaded from the database
*/
@PostAuthorize("returnObject==null || returnObject.published || hasPermission(returnObject, 'read')")
Dataset loadDataset(Dataset input);
/**
......@@ -117,6 +119,7 @@ public interface DatasetService {
* @param version the version
* @return the dataset
*/
@PostAuthorize("returnObject==null || returnObject.published || hasPermission(returnObject, 'read')")
Dataset loadDataset(UUID uuid, int version);
/**
......@@ -152,6 +155,7 @@ public interface DatasetService {
* @return loaded dataset
* @throws NotFoundElement when dataset not found by uuid
*/
@PostAuthorize("returnObject==null || returnObject.published || hasPermission(returnObject, 'read')")
Dataset loadDataset(UUID uuid) throws NotFoundElement;
/**
......@@ -188,6 +192,7 @@ public interface DatasetService {
* @return loaded list of RepositoryFile
* @throws NotFoundElement the not found element
*/
@PostAuthorize("#dataset.published || hasPermission(#dataset, 'read')")
List<RepositoryFile> listDatasetFiles(Dataset dataset) throws NotFoundElement;
/**
......
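Review bot: The rule added on `listDatasetFiles` is a `@PostAuthorize` that only inspects the `#dataset` argument, so the file listing has already run by the time the check is evaluated. Nothing in the expression depends on the return value, so it can be `@PreAuthorize("#dataset.published || hasPermission(#dataset, 'read')")`. The expression also reads `published` from the object the caller passed in; unless the implementation (not visible here) reloads the dataset by id first, the flag should come from the stored record rather than from the argument. A null `dataset` makes `#dataset.published` fail during expression evaluation rather than produce a clean denial, which the Javadoc should state.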
......@@ -140,7 +140,7 @@ public interface DescriptorListService {
* @param descriptorList descriptorList that be deleted
* @return deleted descriptorList
*/
@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#descriptor, 'DELETE')")
@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#descriptorList, 'DELETE')")
DescriptorList deleteDescriptorList(DescriptorList descriptorList);
/**
......@@ -150,7 +150,7 @@ public interface DescriptorListService {
* @param descriptorList an unpublished descriptor list
* @return published descriptor list
*/
@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#descriptor, 'WRITE')")
@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#descriptorList, 'WRITE')")
DescriptorList publishDescriptorList(DescriptorList descriptorList);
/**
......@@ -169,7 +169,7 @@ public interface DescriptorListService {
* @param descriptors the descriptors
* @return the descriptor list
*/
@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#descriptor, 'WRITE')")
@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#descriptorList, 'WRITE')")
DescriptorList setDescriptors(DescriptorList descriptorList, Descriptor[] descriptors);
}
......@@ -63,7 +63,7 @@ public interface DescriptorService {
* @param uuid uuid of descriptor
* @return loaded descriptor
*/
@PostAuthorize("returnObject==null || returnObject.published || hasPermission(returnObject, 'write')")
@PostAuthorize("returnObject==null || returnObject.published || hasPermission(returnObject, 'read')")
Descriptor getDescriptor(UUID uuid);
/**
......@@ -73,7 +73,7 @@ public interface DescriptorService {
* @param version the version
* @return the descriptor
*/
@PostAuthorize("returnObject==null || returnObject.published || hasPermission(returnObject, 'write')")
@PostAuthorize("returnObject==null || returnObject.published || hasPermission(returnObject, 'read')")
Descriptor getDescriptor(UUID uuid, int version);
/**
......@@ -109,6 +109,7 @@ public interface DescriptorService {
* @param source the source
* @return list of updated descriptors
*/
@PreAuthorize("hasRole('ADMINISTRATOR'")
List<Descriptor> upsertDescriptors(List<Descriptor> source);
/**
......
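Review bot: The expression added on `upsertDescriptors` is missing its closing parenthesis, `hasRole('ADMINISTRATOR'`, so it is not valid SpEL and the method-security layer will most likely fail to parse it instead of checking the role. It should read `@PreAuthorize("hasRole('ADMINISTRATOR')")`. Annotation strings are not checked at compile time, so a test that calls `upsertDescriptors` once as an administrator and once as a regular user would catch this kind of typo.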
......@@ -15,6 +15,8 @@
*/
package org.genesys.catalog.service.impl;
import static org.genesys.catalog.model.dataset.QDataset.dataset;
import java.io.IOException;
import java.nio.file.Paths;
import java.util.ArrayList;
......@@ -240,8 +242,8 @@ public class DatasetServiceImpl implements DatasetService {
*/
@Override
public Page<Dataset> listDatasetsForCurrentUser(final DatasetFilter filter, final Pageable page) {
filter.id = new HashSet<>(utils.listObjectIdentityIdsForCurrentUser(Dataset.class, BasePermission.WRITE));
return datasetRepository.findAll(filter.buildQuery(), page);
HashSet<Long> ids = new HashSet<>(utils.listObjectIdentityIdsForCurrentUser(Dataset.class, BasePermission.WRITE));
return datasetRepository.findAll(dataset.id.in(ids).and(filter.buildQuery()), page);
}
/**
......
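Review bot: When the current user holds no WRITE entries, `ids` is empty and `dataset.id.in(ids)` becomes an `IN` over an empty collection, which some JPA provider and database combinations reject or handle inconsistently. An early return such as `if (ids.isEmpty()) return new PageImpl<>(Collections.emptyList(), page, 0);` keeps the "nothing visible" case explicit and avoids the query altogether. The same pattern appears in `listDescriptorListsForCurrentUser`, `listDescriptorsForCurrentUser` and `listPartnersForCurrentUser`. For users with many ACL entries the id list is also passed as one large `IN` parameter, so it may be worth confirming that this stays within the database's limits. The enclosing class continues outside the hunk.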
......@@ -15,6 +15,8 @@
*/
package org.genesys.catalog.service.impl;
import static org.genesys.catalog.model.traits.QDescriptorList.descriptorList;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
......@@ -267,8 +269,8 @@ public class DescriptorListServiceImpl implements DescriptorListService {
@Override
public Page<DescriptorList> listDescriptorListsForCurrentUser(DescriptorListFilter filter, Pageable page) {
filter.id = new HashSet<>(utils.listObjectIdentityIdsForCurrentUser(DescriptorList.class, BasePermission.WRITE));
return descriptorListRepository.findAll(filter.buildQuery(), page);
HashSet<Long> ids = new HashSet<>(utils.listObjectIdentityIdsForCurrentUser(DescriptorList.class, BasePermission.WRITE));
return descriptorListRepository.findAll(descriptorList.id.in(ids).and(filter.buildQuery()), page);
}
// TODO implement logic
......
......@@ -15,6 +15,8 @@
*/
package org.genesys.catalog.service.impl;
import static org.genesys.catalog.model.traits.QDescriptor.descriptor;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
......@@ -180,8 +182,8 @@ public class DescriptorServiceImpl implements DescriptorService {
*/
@Override
public Page<Descriptor> listDescriptorsForCurrentUser(final DescriptorFilter filter, final Pageable page) {
filter.id = new HashSet<>(utils.listObjectIdentityIdsForCurrentUser(Descriptor.class, BasePermission.WRITE));
return descriptorRepository.findAll(filter.buildQuery(), page);
HashSet<Long> ids = new HashSet<>(utils.listObjectIdentityIdsForCurrentUser(Descriptor.class, BasePermission.WRITE));
return descriptorRepository.findAll(descriptor.id.in(ids).and(filter.buildQuery()), page);
}
/**
......
......@@ -15,6 +15,8 @@
*/
package org.genesys.catalog.service.impl;
import static org.genesys.common.model.QPartner.partner;
import java.util.HashSet;
import java.util.UUID;
......@@ -144,8 +146,8 @@ public class PartnerServiceImpl implements PartnerService, InitializingBean {
*/
@Override
public Page<Partner> listPartnersForCurrentUser(final PartnerFilter filter, final Pageable page) {
filter.id = new HashSet<>(utils.listObjectIdentityIdsForCurrentUser(Partner.class, BasePermission.WRITE));
return partnerRepository.findAll(filter.buildQuery(), page);
HashSet<Long> ids = new HashSet<>(utils.listObjectIdentityIdsForCurrentUser(Partner.class, BasePermission.WRITE));
return partnerRepository.findAll(partner.id.in(ids).and(filter.buildQuery()), page);
}
/**
......
......@@ -45,6 +45,8 @@ public class Utils {
*/
public List<Long> listObjectIdentityIdsForCurrentUser(final Class<? extends AclAwareModel> clazz, final Permission permission) {
final AclSid userSid = SecurityContextUtil.getCurrentUser();
// System.err.println("Current user " + userSid + " for " + permission + " for "
// + clazz.toString());
return aclService.listObjectIdentityIdsForSid(clazz, userSid, permission);
}
}
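Review bot: The two lines added to `listObjectIdentityIdsForCurrentUser` are a commented-out `System.err.println` that would print the current user's SID and the requested permission; commented-out debug code should not be committed. If this trace is useful, use the class's logger at a low level, for example `LOG.trace("Listing ids for sid={} permission={} class={}", userSid, permission, clazz);` (assuming an SLF4J logger exists in `Utils`, which is not visible here). Otherwise delete the two lines.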