Permission checks for upsertAccession

src/main/java/org/genesys2/server/service/impl/BatchRESTServiceImpl.java

@@ -37,6 +37,7 @@ import org.genesys2.server.service.InstituteService;
 import org.genesys2.server.service.OrganizationService;
 import org.genesys2.server.service.TaxonomyService;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
@@ -66,6 +67,7 @@ public class BatchRESTServiceImpl implements BatchRESTService {
 
 	@Override
 	@Transactional
+	@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#institute, 'WRITE') or hasPermission(#institute, 'CREATE')")
 	public boolean upsertAccessionData(FaoInstitute institute, Map<BatchRESTService.DataJson, ObjectNode> batch) {
 		LOG.info("Batch processing " + batch.size() + " entries for " + institute);
 		List<Accession> toSave = new ArrayList<Accession>();

src/main/java/org/genesys2/server/servlet/controller/rest/AccessionController.java

@@ -17,9 +17,7 @@
 package org.genesys2.server.servlet.controller.rest;
 
 import java.io.IOException;
-import java.util.ArrayList;
 import java.util.HashMap;
-import java.util.List;
 import java.util.Map;
 
 import org.genesys2.server.model.genesys.Accession;
@@ -56,7 +54,7 @@ public class AccessionController extends RestController {
 
 	@Autowired
 	GenesysService genesysService;
-	
+
 	@Autowired
 	BatchRESTService batchRESTService;
 
@@ -133,7 +131,13 @@ public class AccessionController extends RestController {
 
 			Accession accession = genesysService.getAccession(dataJson.instCode, dataJson.genus, dataJson.acceNumb);
 
-			ret.put("id", accession != null ? accession.getId() : null);
+			if (accession != null) {
+				ret.put("id", accession.getId());
+				// Give them back the UUID
+				if (accession.getUuid() != null) {
+					ret.put("uuid", accession.getUuid());
+				}
+			}
 
 			rets.add(ret);
 		}
@@ -141,94 +145,6 @@ public class AccessionController extends RestController {
 		return rets;
 	}
 
-	/**
-	 * Update accessions in the system
-	 * 
-	 * @return
-	 * @throws IOException
-	 * @throws JsonProcessingException
-	 */
-	@RequestMapping(value = "/{instCode}/update", method = { RequestMethod.POST, RequestMethod.PUT }, produces = { MediaType.APPLICATION_JSON_VALUE })
-	public @ResponseBody
-	boolean updateInstituteAccession(@PathVariable("instCode") String instCode, @RequestBody String content) throws JsonProcessingException, IOException {
-		// TODO Check user's permissions to update this WIEWS institute.
-		FaoInstitute institute = instituteService.getInstitute(instCode);
-		if (institute == null) {
-			throw new ResourceNotFoundException();
-		}
-
-		JsonNode json = mapper.readTree(content);
-		Map<BatchRESTService.DataJson, ObjectNode> batch = new HashMap<BatchRESTService.DataJson, ObjectNode>();
-
-		if (json.isArray()) {
-			for (JsonNode j : json) {
-				BatchRESTService.DataJson dataJson = readAid3(j);
-				if (!instCode.equals(dataJson.instCode)) {
-					throw new RuntimeException("Accession does not belong to instCode=" + instCode + " acn=" + dataJson);
-				}
-				batch.put(dataJson, (ObjectNode) j);
-			}
-		} else {
-			BatchRESTService.DataJson dataJson = readAid3(json);
-			if (!instCode.equals(dataJson.instCode)) {
-				throw new RuntimeException("Accession does not belong to instCode=" + instCode + " acn=" + dataJson);
-			}
-			batch.put(dataJson, (ObjectNode) json);
-		}
-
-		LOG.info("Batch processing " + batch.size() + " entries for " + institute);
-		List<Accession> toSave = new ArrayList<Accession>();
-
-		for (BatchRESTService.DataJson dataJson : batch.keySet()) {
-			if (LOG.isDebugEnabled())
-				LOG.debug("Loading accession " + dataJson);
-
-			Accession accession = genesysService.getAccession(dataJson.instCode, dataJson.genus, dataJson.acceNumb);
-
-			if (accession == null) {
-				// LOG.warn("No accession " + dataJson);
-				continue;
-			}
-
-			ObjectNode accnJson = batch.get(dataJson);
-			boolean updated = false;
-
-			JsonNode value = accnJson.get("mlsStat");
-			if (value != null) {
-				Boolean inMls = value.isNull() ? null : value.asBoolean();
-
-				if (inMls != accession.getMlsStatus()) {
-					if (LOG.isDebugEnabled())
-						LOG.debug("Setting MLSSTAT to " + inMls);
-					accession.setMlsStatus(inMls);
-					updated = true;
-				}
-			}
-
-			value = accnJson.get("availability");
-			if (value != null) {
-				Boolean availability = value.isNull() ? null : value.asBoolean();
-
-				if (availability != accession.getAvailability()) {
-					if (LOG.isDebugEnabled())
-						LOG.debug("Setting Availability to " + availability);
-					accession.setAvailability(availability);
-					updated = true;
-				}
-			}
-
-			if (updated) {
-				toSave.add(accession);
-			}
-		}
-
-		if (toSave.size() > 0) {
-			LOG.info("Storing " + toSave.size() + " accessions.");
-			genesysService.saveAccessions(toSave);
-		}
-
-		return toSave.size() > 0;
-	}
 
 	/**
 	 * Update accessions in the system
@@ -240,7 +156,7 @@ public class AccessionController extends RestController {
 	@RequestMapping(value = "/{instCode}/upsert", method = { RequestMethod.POST, RequestMethod.PUT }, produces = { MediaType.APPLICATION_JSON_VALUE })
 	public @ResponseBody
 	boolean upsertInstituteAccession(@PathVariable("instCode") String instCode, @RequestBody String content) throws JsonProcessingException, IOException {
-		// TODO Check user's permissions to update this WIEWS institute.
+		// User's permission to WRITE to this WIEWS institute are checked in BatchRESTService.
 		FaoInstitute institute = instituteService.getInstitute(instCode);
 		if (institute == null) {
 			throw new ResourceNotFoundException();