Commit 20d8adb8 authored by Maxym Borodenko's avatar Maxym Borodenko Committed by Matija Obreza

Respect Institute files permissions

- Fixed incorrect parameters from the edit page. Changed redirect path after updating file metadata.
parent ce6e1879
......@@ -36,6 +36,7 @@ public interface InstituteService {
FaoInstitute getInstitute(String wiewsCode);
FaoInstitute findInstitute(String wiewsCode);
FaoInstitute getInstituteForEdit(String wiewsCode);
List<FaoInstitute> getInstitutes(Collection<String> wiewsCodes);
......
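Review bot: The new `getInstituteForEdit` declaration carries no Javadoc, and the interface is where callers read the contract, so the authorization behaviour the implementation attaches to it is invisible here. I'd add a comment above it such as `/** Loads the institute for modification. Access control is applied to the result, so a caller lacking permission on that institute does not receive it; the controllers call this purely as a permission gate and discard the return value. */`. It should also state what an unknown code yields (presumably null from the repository lookup — confirm against the implementation), since several callers do not check the result.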
......@@ -46,6 +46,7 @@ import org.springframework.data.domain.PageRequest;
import org.springframework.data.domain.Pageable;
import org.springframework.data.domain.Sort;
import org.springframework.data.domain.Sort.Direction;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.core.userdetails.UserDetails;
......@@ -111,7 +112,19 @@ public class InstituteServiceImpl implements InstituteService {
return inst;
}
@Override
/**
* Returns institute if user has required permissions
*
* @param wiewsCode code
* @return institute
*/
@Override
@PostAuthorize("hasRole('ADMINISTRATOR') or hasPermission(returnObject, 'ADMINISTRATION')")
public FaoInstitute getInstituteForEdit(final String wiewsCode) {
return instituteRepository.findByCode(wiewsCode);
}
@Override
public List<FaoInstitute> listByCountry(Country country) {
return instituteRepository.listByCountry(country, new Sort("code"));
}
......
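Review bot: As rendered, the Javadoc for `getInstituteForEdit` sits between an `@Override` at L25 and a second `@Override` at L32; a doc comment that follows an annotation is not attached to the method by the javadoc tool, and if the new file really carries `@Override` twice on this method it will not compile, so the comment should come first and the annotation appear once. Separately, `instituteRepository.findByCode` presumably returns null for an unknown code, and with `@PostAuthorize` an ADMINISTRATOR caller then gets null back while every controller caller discards the return value, so a bad `wiewsCode` only surfaces later (for other users `hasPermission(null, …)` should deny, but that depends on the configured PermissionEvaluator — worth confirming). Raising a not-found error for a null lookup, or documenting that the result may be null, would make the gate robust; I'd also extend the Javadoc with `@throws org.springframework.security.access.AccessDeniedException when the caller is neither ADMINISTRATOR nor holds ADMINISTRATION on the institute`.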
......@@ -464,8 +464,7 @@ public class WiewsController extends BaseController {
/* File management */
@PreAuthorize("hasRole('ADMINISTRATOR')")
@RequestMapping(value = "/{wiewsCode}/files/**", method = RequestMethod.GET)
@GetMapping(value = "/{wiewsCode}/files/**")
public String listAllFiles(HttpServletRequest request, ModelMap model) throws UnsupportedEncodingException, InvalidRepositoryPathException {
String fullpath = (String) request.getAttribute(HandlerMapping.PATH_WITHIN_HANDLER_MAPPING_ATTRIBUTE);
// The /** mapping does not decode the URL
......@@ -474,17 +473,19 @@ public class WiewsController extends BaseController {
return listAllFiles(model, fullpath);
}
@PreAuthorize("hasRole('ADMINISTRATOR')")
@RequestMapping(value = "/{path}/files", method = RequestMethod.GET)
@GetMapping(value = "/{path}/files")
public String listAllFiles(ModelMap model, @PathVariable(value = "path") String path) throws InvalidRepositoryPathException {
final String repositoryPath = path.contains("/wiews/") ? path.replace("/files/", "/") : "/wiews/" + path;
String wiewsCode = path.replace("/wiews/", "");
wiewsCode = wiewsCode.contains("/") ? wiewsCode.substring(0, wiewsCode.indexOf("/")) : wiewsCode;
//check user permissions
instituteService.getInstituteForEdit(wiewsCode);
if (LOG.isDebugEnabled()) {
LOG.debug("Listing files for path={}", repositoryPath);
}
String wiewsCode = path.replace("/wiews/", "");
wiewsCode = wiewsCode.contains("/") ? wiewsCode.substring(0, wiewsCode.indexOf("/")) : wiewsCode;
List<String> subPaths = new ArrayList<>();
for (String subPath: repositoryService.listPaths(repositoryPath, new PageRequest(0, 10))) {
if (!subPath.equals(repositoryPath) && subPath.contains(repositoryPath)) {
......@@ -501,11 +502,12 @@ public class WiewsController extends BaseController {
return MANAGE_FILES_JSP_PATH + "/index";
}
@PreAuthorize("hasRole('ADMINISTRATOR')")
@RequestMapping(value = "/upload-file", method = RequestMethod.POST)
public String uploadFile(@RequestParam MultipartFile file, @RequestParam String wiewsCode, @RequestParam String repositoryPath,
@PostMapping(value = "/{wiewsCode}/upload-file")
public String uploadFile(@RequestParam MultipartFile file, @PathVariable String wiewsCode, @RequestParam String repositoryPath,
RedirectAttributes redirectAttributes) throws IOException {
//check user permissions
instituteService.getInstituteForEdit(wiewsCode);
final String mimeType = file.getContentType();
try {
......@@ -529,9 +531,11 @@ public class WiewsController extends BaseController {
}
}
@PreAuthorize("hasRole('ADMINISTRATOR')")
@RequestMapping(value = "/delete-file", method = RequestMethod.POST)
public String deleteFile(@RequestParam String uuid, @RequestParam String wiewsCode) throws NoSuchRepositoryFileException, IOException {
@PostMapping(value = "/{wiewsCode}/delete-file")
public String deleteFile(@RequestParam String uuid, @PathVariable String wiewsCode) throws NoSuchRepositoryFileException, IOException {
//check user permissions
instituteService.getInstituteForEdit(wiewsCode);
RepositoryFile repositoryFile = repositoryService.getFile(UUID.fromString(uuid));
repositoryService.removeFile(repositoryFile);
......@@ -542,33 +546,48 @@ public class WiewsController extends BaseController {
}
}
@PreAuthorize("hasRole('ADMINISTRATOR')")
@RequestMapping(value = "/{wiewsCode}/edit-file", method = RequestMethod.GET)
@GetMapping(value = "/{wiewsCode}/edit-file")
public String getEditPage(@RequestParam String uuid, @PathVariable(value = "wiewsCode") String wiewsCode, ModelMap model) throws NoSuchRepositoryFileException {
//check user permissions
instituteService.getInstituteForEdit(wiewsCode);
RepositoryFile file = repositoryService.getFile(UUID.fromString(uuid));
String fileSubPath = file.getPath().replace("/wiews/" + wiewsCode, "");
model.addAttribute("file", file);
model.addAttribute("wiewsCode", wiewsCode);
model.addAttribute("fileSubPath", fileSubPath);
return MANAGE_FILES_JSP_PATH + "/edit";
}
@PreAuthorize("hasRole('ADMINISTRATOR')")
@RequestMapping(value = "/{wiewsCode}/update-file", method = RequestMethod.POST)
public String updateMetadata(@ModelAttribute RepositoryFile fileData, @RequestParam String uuid, @PathVariable(value = "wiewsCode") String wiewsCode) throws NoSuchRepositoryFileException {
RepositoryFile updatedFile = repositoryService.getFile(UUID.fromString(uuid));
@PostMapping(value = "/{wiewsCode}/update-file")
public String updateMetadata(@ModelAttribute RepositoryFile fileData, @PathVariable(value = "wiewsCode") String wiewsCode) throws NoSuchRepositoryFileException {
//check user permissions
instituteService.getInstituteForEdit(wiewsCode);
RepositoryFile updatedFile = repositoryService.getFile(UUID.fromString(fileData.getUuid().toString()));
repositoryService.updateMetadata(updatedFile.getUuid(), fileData);
String fileSubPath = updatedFile.getPath().replace("/wiews/" + wiewsCode, "");
return "redirect:/wiews/" + wiewsCode + "/files";
return "redirect:/wiews/" + wiewsCode + "/files" + fileSubPath;
}
/* Image gallery management */
@GetMapping(value = "/{wiewsCode}/files/gallery")
public String listAllFiles(ModelMap model, @PathVariable("wiewsCode") String wiewsCode, HttpServletRequest request) {
return "redirect:/wiews/" + wiewsCode + "/files" + "/gallery" + "/1";
//check user permissions
instituteService.getInstituteForEdit(wiewsCode);
return "redirect:/wiews/" + wiewsCode + "/files" + "/gallery" + "/1";
}
@GetMapping(value = "/{wiewsCode}/files/gallery/{page:\\d+}")
public String listAllFiles(ModelMap model, @PathVariable("page") int page, @PathVariable("wiewsCode") String wiewsCode) {
Page<ImageGallery> pagedData = imageGalleryService.listImageGalleries(new PageRequest(page - 1, 50, new Sort("path")));
//check user permissions
instituteService.getInstituteForEdit(wiewsCode);
Page<ImageGallery> pagedData = imageGalleryService.listImageGalleries("/wiews/" + wiewsCode, new PageRequest(page - 1, 50, new Sort("path")));
model.addAttribute("pagedData", pagedData);
model.addAttribute("wiewsCode", wiewsCode);
......@@ -576,9 +595,12 @@ public class WiewsController extends BaseController {
}
@GetMapping(value = "/{wiewsCode}/files/gallery/details")
public String listAllFiles(ModelMap model, HttpServletRequest request, @PathVariable("wiewsCode") String wiewsCode) {
public String listAllFiles(ModelMap model, HttpServletRequest request, @PathVariable("wiewsCode") String wiewsCode, @RequestParam String galleryPath) {
//check user permissions
instituteService.getInstituteForEdit(wiewsCode);
ImageGallery imageGallery = imageGalleryService.loadImageGallery("/wiews/" + wiewsCode);
ImageGallery imageGallery = imageGalleryService.loadImageGallery(galleryPath);
String gallerySubPath = galleryPath.replace("/wiews/" + wiewsCode, "");
if (imageGallery == null) {
throw new ResourceNotFoundException("No image gallery here!");
......@@ -588,31 +610,37 @@ public class WiewsController extends BaseController {
model.addAttribute("thumbnailFormat", "200x200");
model.addAttribute("imageGallery", imageGallery);
model.addAttribute("wiewsCode", wiewsCode);
model.addAttribute("gallerySubPath", gallerySubPath);
return MANAGE_FILES_JSP_PATH + "/gallery/details";
}
@GetMapping(value = "/{path}/files/gallery/edit")
public String getEditPage(@RequestParam String galleryPath, ModelMap model) throws NoSuchRepositoryFileException {
ImageGallery imageGallery = imageGalleryService.loadImageGallery(galleryPath);
@GetMapping(value = "/{wiewsCode}/files/gallery/edit")
public String getEditGalleryPage(@RequestParam String galleryPath, @PathVariable("wiewsCode") String wiewsCode, ModelMap model) throws NoSuchRepositoryFileException {
//check user permissions
instituteService.getInstituteForEdit(wiewsCode);
ImageGallery imageGallery = imageGalleryService.loadImageGallery(galleryPath);
if (imageGallery == null) {
imageGallery = new ImageGallery();
imageGallery.setPath(galleryPath);
}
model.addAttribute("imageGallery", imageGallery);
model.addAttribute("wiewsCode", galleryPath);
model.addAttribute("wiewsCode", wiewsCode);
return MANAGE_FILES_JSP_PATH + "/gallery/edit";
}
@PostMapping(value = "{wiewsCode}/files/gallery/update")
public String updateMetadata(@PathVariable("wiewsCode") String wiewsCode, @ModelAttribute ImageGallery imageGallery, RedirectAttributes redirectAttributes) throws NoSuchRepositoryFileException {
//check user permissions
instituteService.getInstituteForEdit(wiewsCode);
ImageGallery updatedGallery = imageGalleryService.loadImageGallery(imageGallery.getPath());
ImageGallery updatedGallery = imageGalleryService.loadImageGallery(imageGallery.getPath());
if (updatedGallery == null) {
updatedGallery = imageGalleryService.createImageGallery(imageGallery.getPath(), imageGallery.getTitle(), imageGallery.getDescription());
imageGalleryService.createImageGallery(imageGallery.getPath(), imageGallery.getTitle(), imageGallery.getDescription());
} else {
updatedGallery = imageGalleryService.updateImageGalery(updatedGallery, imageGallery.getTitle(), imageGallery.getDescription());
imageGalleryService.updateImageGalery(updatedGallery, imageGallery.getTitle(), imageGallery.getDescription());
}
redirectAttributes.addFlashAttribute("successMessage", "repository.gallery.successfully-updated");
......@@ -621,8 +649,10 @@ public class WiewsController extends BaseController {
@PostMapping(value = "{wiewsCode}/files/gallery/delete")
public String deleteFile(@RequestParam String galleryPath, RedirectAttributes redirectAttributes, @PathVariable("wiewsCode") String wiewsCode) throws InvalidRepositoryPathException {
//check user permissions
instituteService.getInstituteForEdit(wiewsCode);
ImageGallery imageGallery = imageGalleryService.loadImageGallery(galleryPath);
ImageGallery imageGallery = imageGalleryService.loadImageGallery(galleryPath);
imageGalleryService.removeGallery(imageGallery);
redirectAttributes.addFlashAttribute("successMessage", "repository.gallery.removed");
......
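Review bot: The new `instituteService.getInstituteForEdit(wiewsCode)` gate authorises the institute named in the URL, but the object each handler then operates on is identified by a separate client-supplied value that is never tied to that institute: `uuid` in `deleteFile` (L90) and `getEditPage` (L101), `fileData.getUuid()` in `updateMetadata` (L119), `repositoryPath` in `uploadFile` (L77), and `galleryPath`/`imageGallery.getPath()` in the gallery details, edit, update and delete handlers (L149, L167, L181, L197). A user holding ADMINISTRATION on one institute can therefore submit a uuid or path that belongs to a different institute and still pass the check. After loading the target, verify it lives under the authorised institute, e.g. in `deleteFile`: `if (!repositoryFile.getPath().startsWith("/wiews/" + wiewsCode + "/")) throw new ResourceNotFoundException("No such file");` (adjust the trailing separator to what `getPath()` actually stores — L105 shows paths begin with `/wiews/<code>`), and apply the same prefix test to `repositoryPath` and `galleryPath` before they reach the repository or gallery services. `listAllFiles(ModelMap, String)` (L57–L61) and the paged gallery listing (L138) already derive the path from `wiewsCode` and need no change.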
......@@ -8,7 +8,7 @@
</head>
<body>
<h4>Updating metadata for file <strong><c:out value="${file.originalFilename}"/></strong></h4>
<a href="<c:url value="/wiews/${wiewsCode}/files" />" class="btn btn-default margin-top-10">
<a href="<c:url value="/wiews/${wiewsCode}/files${fileSubPath}" />" class="btn btn-default margin-top-10">
<spring:message code="cancel"/>
</a>
......@@ -19,6 +19,7 @@
<input type="hidden" name="md5Sum" value="${file.md5Sum}"/>
<input type="hidden" name="sha1Sum" value="${file.sha1Sum}"/>
<input type="hidden" name="path" value="${file.path}"/>
<input type="hidden" name="id" value="${file.id}"/>
<div class="row">
<div class="col-md-6 margin-top-20">
......@@ -35,8 +36,7 @@
<div class="col-md-12 margin-top-20">
<label for="description"><spring:message code="repository.file.description"/></label>
<textarea id="description" name="description" class="form-control"><c:out escapeXml="false"
value="${file.description}"/></textarea>
<textarea id="description" name="description" class="form-control"><c:out escapeXml="false" value="${file.description}"/></textarea>
</div>
<div class="col-md-6 margin-top-20">
......@@ -47,7 +47,7 @@
<div class="col-md-6 margin-top-20">
<label for="created"><spring:message code="repository.file.created"/></label>
<input type="text" id="created" name="created" class="form-control" value="${file.created}"
<input type="text" id="created" name="created" class="form-control" value="${file.createdDate}"
placeholder="<spring:message code="repository.file.created" />">
</div>
......@@ -108,7 +108,7 @@
</div>
</div>
<button type="submit" class="btn btn-primary margin-top-20">Save</button>
<button type="submit" class="btn btn-primary margin-top-20"><spring:message code="save" /></button>
</form>
</body>
</html>
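Review bot: The reflowed textarea at L221 still renders the description with `escapeXml="false"`, whereas the gallery edit page in this same commit switches to `escapeXml="true"` (L302); a stored description containing `</textarea>` would break out of the field and be interpreted as markup, so this should read `<textarea id="description" name="description" class="form-control"><c:out value="${file.description}"/></textarea>` (escaping is the default). The new hidden `id` input at L213 also joins `md5Sum`, `sha1Sum` and `path` as client-supplied fields bound straight into the `RepositoryFile` model attribute; whether that matters depends on what `repositoryService.updateMetadata` copies from `fileData` (outside this page), but limiting binding with an `@InitBinder` that calls `setAllowedFields("uuid", "title", "description")` or a small form DTO would make the intent explicit.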
......@@ -13,9 +13,10 @@
<div class="free-text">
<c:out value="${imageGallery.description}"/>
</div>
<a href="<c:url value="/wiews/${wiewsCode}/files/gallery" />" class="btn btn-default"><spring:message code="cancel"/></a>
<a href="<c:url value="/wiews/${wiewsCode}/files" />" class="btn btn-default"><spring:message code="navigate.back"/></a>
<div class="margin-top-20">
<a href="<c:url value="/wiews/${wiewsCode}/files/gallery" />" class="btn btn-default"><spring:message code="cancel"/></a>
<a href="<c:url value="/wiews/${wiewsCode}/files${gallerySubPath}" />" class="btn btn-default"><spring:message code="navigate.back"/></a>
</div>
<div class="row" id="imagegallery-thumbs">
<c:forEach items="${imageGallery.images}" var="image">
<div x-src="<c:out value="${image.storageFullPath}" />" class="col-xs-6 col-sm-3 col-md-2 col-lg-2">
......
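Review bot: `${gallerySubPath}` at L247 is computed in the controller from the `galleryPath` request parameter and is emitted through `<c:url>`, which URL-encodes only `<c:param>` values, not the path text it is handed, and does not HTML-escape its output inside the `href` attribute. Because the details handler returns 404 when `loadImageGallery(galleryPath)` finds nothing, the value is limited to stored gallery paths, so the exposure depends on which characters a gallery path may contain — worth confirming at the point galleries are created. The safer form is `<c:url value="/wiews/${wiewsCode}/files${gallerySubPath}" var="backUrl"/>` followed by `href="<c:out value='${backUrl}'/>"`.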
......@@ -9,40 +9,39 @@
<body>
<div class="row">
<div class="col-md-12">
<a href="<c:url value="${wiewsCode}/files/gallery" />" class="btn btn-default"><spring:message
code="cancel" /></a>
<div class="margin-top-20">
<a href="<c:url value="/wiews/${wiewsCode}/files/gallery" />" class="btn btn-default"><spring:message code="cancel" /></a>
</div>
<h4>
Updating metadata for image gallery
<c:out value="${imageGallery.path}" />
<strong><c:out value="${imageGallery.path}" /></strong>
</h4>
<form action="<c:url value="${wiewsCode}/files/gallery/update" />" method="post">
<form action="<c:url value="/wiews/${wiewsCode}/files/gallery/update" />" method="post">
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
<input type="hidden" name="path" value="<c:out value="${imageGallery.path}" />">
<div class="form-group">
<label for="title"><spring:message
code="repository.gallery.title" /></label> <input type="text" id="title"
name="title" value="<c:out value="${imageGallery.title}" />"
class="form-control">
</div>
<div class="form-group">
<label for="title"><spring:message
code="repository.gallery.path" /></label> <span class=""><c:out
value="${imageGallery.path}" /></span>
</div>
<div class="form-group">
<label for="subject"><spring:message
code="repository.gallery.description" /></label>
<textarea id="description" name="description" class="form-control"><c:out
escapeXml="false" value="${imageGallery.description}" /></textarea>
</div>
<button type="submit" class="btn btn-default">
<spring:message code="save" />
</button>
<div class="row">
<div class="col-md-6 margin-top-20">
<label for="title"><spring:message code="repository.gallery.title" /></label>
<input type="text" class="form-control" id="title" name="title" value="<c:out value="${imageGallery.title}" />">
</div>
<div class="col-md-6 margin-top-20">
<label><spring:message code="repository.gallery.path" /></label>
<input type="text" disabled class="form-control" value="<c:out value="${imageGallery.path}" />">
</div>
<div class="col-md-12 margin-top-20">
<label for="description"><spring:message code="repository.gallery.description" /></label>
<textarea id="description" name="description" class="form-control"><c:out escapeXml="true" value="${imageGallery.description}" /></textarea>
</div>
</div>
<div class="margin-top-20">
<button type="submit" class="btn btn-primary"><spring:message code="save" /></button>
</div>
</form>
</div>
</div>
......
......@@ -15,28 +15,28 @@
<c:out value="${successMessage}" />
</gui:alert>
<table class="table table-striped">
<table class="table table-striped margin-top-20">
<thead>
<tr>
<th class="col-xs-5"><spring:message
code="repository.gallery" /></th>
<th class="col-xs-3"><spring:message
code="repository.gallery.path" /></th>
<th class="col-xs-5"><spring:message code="repository.gallery" /></th>
<th class="col-xs-3"><spring:message code="repository.gallery.path" /></th>
<th class="col-xs-4"></th>
</tr>
</thead>
<tbody>
<c:forEach var="gallery" items="${pagedData.content}" varStatus="i">
<tr>
<td class="col-md-5"><a href="<c:url value="/wiews/${wiewsCode}/files/gallery/details" />"><c:out value="${gallery.title}" /></a></td>
<td class="col-md-5">
<a href="<c:url value="/wiews/${wiewsCode}/files/gallery/details"><c:param name="galleryPath" value="${gallery.path}" /></c:url>">
<c:out value="${gallery.title}" />
</a>
</td>
<td class="col-md-3"><c:out value="${gallery.path}" /></td>
<td class="col-md-4 text-right">
<form action="<c:url value="/wiews/${wiewsCode}/files/gallery/delete" />"
method="post">
<a
href="<c:url value="/wiews/${wiewsCode}/files/gallery/edit"><c:param name="galleryPath" value="${gallery.path}" /></c:url>"
class="btn btn-default"><spring:message code="edit" /></a>
<form action="<c:url value="/wiews/${wiewsCode}/files/gallery/delete" />" method="post">
<a href="<c:url value="/wiews/${wiewsCode}/files/gallery/edit"><c:param name="galleryPath" value="${gallery.path}" /></c:url>"
class="btn btn-default"><spring:message code="edit" />
</a>
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
<input type="hidden" name="galleryPath" value="${gallery.path}" />
<button type="submit" name="action" value="delete-file" class="btn btn-default confirm-delete"><spring:message code="delete" /></button>
......@@ -47,33 +47,17 @@
</tbody>
</table>
<content tag="javascript"> <script type="text/javascript">
$(document).ready(function() {
$('.confirm-delete').click(function(ev) {
if (! window.confirm('<spring:message code="prompt.confirm-delete" />')) {
ev.stopPropagation();
return false;
}
});
$('#repository-menu-item').addClass('active');
$('#repository-menu-item').find("a").first().addClass('active');
$('.humburger-btn').on('click', function () {
setTimeout(function() {
expandGroup ($(document).width());
}, 100);
<content tag="javascript">
<script type="text/javascript">
$(document).ready(function() {
$('.confirm-delete').click(function (ev) {
if (!window.confirm('<spring:message code="prompt.confirm-delete" />')) {
ev.stopPropagation();
return false;
}
});
});
});
$(window).resize(function() {
expandGroup ($(document).width());
});
function expandGroup (width) {
if (width < 1920) {
$('#repository-menu-item').addClass('open');
} else {
$('#repository-menu-item').removeClass('open');
}
}
</script> </content>
</script>
</content>
</body>
</html>
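Review bot: The rewritten page script drops the `$('#repository-menu-item')` active-class handling, the `.humburger-btn` click handler and the `expandGroup`/`$(window).resize` logic from the old block (L362–L388), and neither the commit title nor the description mentions removing that navigation behaviour. If it was moved into a shared script, a line in the description would help; otherwise it looks like an accidental loss. The `.confirm-delete` handler itself is preserved unchanged.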
......@@ -27,7 +27,7 @@
<div class="col-xs-4">
<c:choose>
<c:when test="${imageGallery ne null}">
<a class="btn btn-default form-control" href="<c:url value="/wiews/${wiewsCode}/files/gallery" />">
<a class="btn btn-default form-control" href="<c:url value="/wiews/${wiewsCode}/files/gallery/details"><c:param name="galleryPath" value="${currentPath}" /></c:url>">
<spring:message code="repository.gallery.navigate" />
</a>
</c:when>
......@@ -57,16 +57,14 @@
<c:forEach var="file" items="${fileList}" varStatus="i">
<tr>
<td class="col-md-5 col-xs-7">
<a href="<c:url value="/repository/d${file.path}${file.uuid}${file.extension}" />">
<c:out value="${file.title}" />
<small><c:out value="${file.originalFilename}" /></small>
</a>
<c:out value="${file.title}" />
<small><c:out value="${file.originalFilename}" /></small>
</td>
<td class="col-md-3 hidden-sm hidden-xs">
<c:out value="${file.path}" />
</td>
<td class="col-md-4 col-xs-5 text-right">
<form action="<c:url value="/wiews/delete-file" />" method="post">
<form action="<c:url value="/wiews/${wiewsCode}/delete-file" />" method="post">
<a href="<c:url value="/wiews/${wiewsCode}/edit-file"><c:param name="uuid" value="${file.uuid}" /></c:url>"
class="btn btn-default"><spring:message code="edit" />
</a>
......@@ -84,7 +82,7 @@
</tbody>
</table>
<form action="<c:url value="/wiews/upload-file"><c:param name="${_csrf.parameterName}" value="${_csrf.token}" /></c:url>"
<form action="<c:url value="/wiews/${wiewsCode}/upload-file"><c:param name="${_csrf.parameterName}" value="${_csrf.token}" /></c:url>"
method="post" enctype="multipart/form-data" class="">
<input type="hidden" name="wiewsCode" value="${wiewsCode}" />
......
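Review bot: The rebuilt upload form at L427 keeps passing the CSRF token as a query parameter on the form action, which places the token in access logs and Referer headers, while the gallery list page in this commit sends it as a hidden input (L348). For a multipart form this is presumably deliberate, since the CSRF filter cannot read the token from the request body unless the multipart filter runs ahead of the security filter chain; if so, a JSP comment such as `<%-- CSRF token on the URL: multipart body is not parsed before the CSRF filter --%>` would stop the next reviewer flagging it, and if the filter order does allow it, move the token to `<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />` with a plain `action="<c:url value="/wiews/${wiewsCode}/upload-file" />"`. The hidden `wiewsCode` input at L429 is now redundant because `uploadFile` reads `wiewsCode` from the path variable. The download link that wrapped the file title (L407–L410) is also removed without mention in the description — confirm that is intended.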