Revision 441
Added by bojilova about 24 years ago
| src/edu/ucsb/nceas/metacat/DocumentImpl.java | ||
|---|---|---|
| 468 | 468 |
SAXException, SAXParseException, Exception {
|
| 469 | 469 |
|
| 470 | 470 |
if ( action.equals("UPDATE") ) {
|
| 471 |
// Determine if the docid is OK for an UPDATE
|
|
| 471 |
// Determine if the docid is OK for UPDATE |
|
| 472 | 472 |
AccessionNumber ac = new AccessionNumber(); |
| 473 | 473 |
String newdocid = ac.generate(docid, "UPDATE"); |
| 474 | 474 |
|
| 475 |
// b' of the command line invocation |
|
| 476 |
if ( (user != null) && (group != null) ) {
|
|
| 477 |
if ( !hasWritePermission(conn, docid, user, group) ) {
|
|
| 478 |
throw new Exception("User " + user +
|
|
| 479 |
" does not have permission to update XML Document #" + docid); |
|
| 480 |
} |
|
| 475 |
// check for 'write' permission for 'user' to update this document |
|
| 476 |
if ( !hasWritePermission(conn, docid, user, group) ) {
|
|
| 477 |
throw new Exception("User " + user +
|
|
| 478 |
" does not have permission to update XML Document #" + docid); |
|
| 481 | 479 |
} |
| 482 | 480 |
} |
| 483 | 481 |
|
| ... | ... | |
| 530 | 528 |
throws IOException, SQLException, ClassNotFoundException, |
| 531 | 529 |
AccessionNumberException, Exception {
|
| 532 | 530 |
|
| 531 |
// Determine if the docid is OK for DELETE |
|
| 533 | 532 |
AccessionNumber ac = new AccessionNumber(); |
| 534 | 533 |
String newdocid = ac.generate(docid, "DELETE"); |
| 535 | 534 |
|
| 536 |
if ( (user != null) && (group != null) ) {
|
|
| 537 |
if ( !hasWritePermission(conn, docid, user, group) ) {
|
|
| 538 |
throw new Exception("User " + user +
|
|
| 539 |
" does not have permission to delete XML Document #" + docid); |
|
| 540 |
} |
|
| 535 |
// check for 'write' permission for 'user' to delete this document |
|
| 536 |
if ( !hasWritePermission(conn, docid, user, group) ) {
|
|
| 537 |
throw new Exception("User " + user +
|
|
| 538 |
" does not have permission to delete XML Document #" + docid); |
|
| 541 | 539 |
} |
| 542 | 540 |
|
| 543 | 541 |
conn.setAutoCommit(false); |
| ... | ... | |
| 556 | 554 |
private static boolean hasWritePermission(Connection conn, String docid, |
| 557 | 555 |
String user, String group) |
| 558 | 556 |
throws SQLException {
|
| 557 |
// b' of the command line invocation |
|
| 558 |
if ( (user == null) && (group == null) ) {
|
|
| 559 |
return true; |
|
| 560 |
} |
|
| 561 |
|
|
| 559 | 562 |
PreparedStatement pstmt; |
| 560 | 563 |
// checking if user is owner of docid |
| 561 | 564 |
try {
|
| 562 | 565 |
pstmt = conn.prepareStatement( |
| 563 |
"SELECT docid FROM xml_documents " +
|
|
| 566 |
"SELECT 'x' FROM xml_documents " +
|
|
| 564 | 567 |
"WHERE docid LIKE ? AND user_owner LIKE ?"); |
| 565 | 568 |
// Bind the values to the query |
| 566 | 569 |
pstmt.setString(1, docid); |
| ... | ... | |
| 576 | 579 |
|
| 577 | 580 |
} catch (SQLException e) {
|
| 578 | 581 |
throw new |
| 579 |
SQLException("Error getting document's owner: " + e.getMessage());
|
|
| 582 |
SQLException("Error checking document's owner: " + e.getMessage());
|
|
| 580 | 583 |
} |
| 581 | 584 |
|
| 582 | 585 |
// checking access type from xml_access table |
| ... | ... | |
| 587 | 590 |
"WHERE docid LIKE ? " + |
| 588 | 591 |
"AND principal_name LIKE ? " + |
| 589 | 592 |
"AND principal_type = 'user' " + |
| 590 |
"AND sysdate BETWEEN begin_time AND end_time " + |
|
| 593 |
"AND sysdate BETWEEN nvl(begin_time,sysdate) " + |
|
| 594 |
"AND nvl(end_time,sysdate) " + |
|
| 591 | 595 |
"UNION " + |
| 592 | 596 |
"SELECT access_type FROM xml_access " + |
| 593 | 597 |
"WHERE docid LIKE ? " + |
| 594 | 598 |
"AND principal_name LIKE ? " + |
| 595 | 599 |
"AND principal_type = 'group' " + |
| 596 |
"AND sysdate BETWEEN begin_time AND end_time"); |
|
| 600 |
"AND sysdate BETWEEN nvl(begin_time,sysdate) " + |
|
| 601 |
"AND nvl(end_time,sysdate)"); |
|
| 597 | 602 |
// Bind the values to the query |
| 598 | 603 |
pstmt.setString(1, docid); |
| 599 | 604 |
pstmt.setString(2, user); |
| src/edu/ucsb/nceas/metacat/DBQuery.java | ||
|---|---|---|
| 35 | 35 |
*/ |
| 36 | 36 |
public class DBQuery {
|
| 37 | 37 |
|
| 38 |
static final int ALL = 1; |
|
| 39 |
static final int WRITE = 2; |
|
| 40 |
static final int READ = 4; |
|
| 41 |
|
|
| 38 | 42 |
private Connection conn = null; |
| 39 | 43 |
private String parserName = null; |
| 40 | 44 |
|
| ... | ... | |
| 65 | 69 |
DBQuery queryobj = new DBQuery(dbconn, util.getOption("saxparser"));
|
| 66 | 70 |
FileReader xml = new FileReader(new File(xmlfile)); |
| 67 | 71 |
Hashtable nodelist = null; |
| 68 |
nodelist = queryobj.findDocuments(xml); |
|
| 72 |
nodelist = queryobj.findDocuments(xml, null, null);
|
|
| 69 | 73 |
|
| 70 | 74 |
// Print the reulting document listing |
| 71 | 75 |
StringBuffer result = new StringBuffer(); |
| ... | ... | |
| 117 | 121 |
* |
| 118 | 122 |
* @param xmlquery the xml serialization of the query (@see pathquery.dtd) |
| 119 | 123 |
*/ |
| 120 |
public Hashtable findDocuments(Reader xmlquery) {
|
|
| 124 |
public Hashtable findDocuments(Reader xmlquery, String user, String group) {
|
|
| 121 | 125 |
Hashtable docListResult = new Hashtable(); |
| 122 | 126 |
PreparedStatement pstmt; |
| 123 | 127 |
String docid = null; |
| ... | ... | |
| 143 | 147 |
boolean tableHasRows = rs.next(); |
| 144 | 148 |
while (tableHasRows) {
|
| 145 | 149 |
docid = rs.getString(1); |
| 150 |
if ( !hasReadPermission(conn, docid, user, group) ) {continue;}
|
|
| 146 | 151 |
docname = rs.getString(2); |
| 147 | 152 |
doctype = rs.getString(3); |
| 148 | 153 |
doctitle = rs.getString(4); |
| ... | ... | |
| 186 | 191 |
while(tableHasRows) |
| 187 | 192 |
{
|
| 188 | 193 |
docid = rs.getString(1); |
| 194 |
if ( !hasReadPermission(conn, docid, user, group) ) {continue;}
|
|
| 189 | 195 |
fieldname = rs.getString(2); |
| 190 | 196 |
fielddata = rs.getString(3); |
| 191 | 197 |
|
| ... | ... | |
| 478 | 484 |
public static String createQuery(String value) {
|
| 479 | 485 |
return createQuery(value, "any"); |
| 480 | 486 |
} |
| 487 |
|
|
| 488 |
/** Check for "read" permissions from DB connection */ |
|
| 489 |
private boolean hasReadPermission(Connection conn, String docid, |
|
| 490 |
String user, String group) |
|
| 491 |
throws SQLException {
|
|
| 492 |
// b' of the command line invocation |
|
| 493 |
if ( (user == null) && (group == null) ) {
|
|
| 494 |
return true; |
|
| 495 |
} |
|
| 496 |
|
|
| 497 |
PreparedStatement pstmt; |
|
| 498 |
// checking if user is owner of docid or if docid has public access |
|
| 499 |
try {
|
|
| 500 |
pstmt = conn.prepareStatement( |
|
| 501 |
"SELECT 'x' FROM xml_documents " + |
|
| 502 |
"WHERE docid LIKE ? AND user_owner LIKE ? " + |
|
| 503 |
"UNION " + |
|
| 504 |
"SELECT 'x' FROM xml_documents " + |
|
| 505 |
"WHERE docid LIKE ? AND public_access = 1"); |
|
| 506 |
// Bind the values to the query |
|
| 507 |
pstmt.setString(1, docid); |
|
| 508 |
pstmt.setString(2, user); |
|
| 509 |
pstmt.setString(3, docid); |
|
| 510 |
|
|
| 511 |
pstmt.execute(); |
|
| 512 |
ResultSet rs = pstmt.getResultSet(); |
|
| 513 |
boolean hasRow = rs.next(); |
|
| 514 |
pstmt.close(); |
|
| 515 |
if (hasRow) {
|
|
| 516 |
return true; |
|
| 517 |
} |
|
| 518 |
|
|
| 519 |
} catch (SQLException e) {
|
|
| 520 |
throw new |
|
| 521 |
SQLException("Error checking document's owner or public access: "
|
|
| 522 |
+ e.getMessage()); |
|
| 523 |
} |
|
| 524 |
|
|
| 525 |
// checking if docid has public access at this time |
|
| 526 |
try {
|
|
| 527 |
pstmt = conn.prepareStatement( |
|
| 528 |
"SELECT 'x' FROM xml_access " + |
|
| 529 |
"WHERE docid LIKE ? " + |
|
| 530 |
"AND principal_name = 'public' " + |
|
| 531 |
"AND principal_type = 'user' " + |
|
| 532 |
"AND sysdate BETWEEN nvl(begin_time,sysdate) " + |
|
| 533 |
"AND nvl(end_time,sysdate)"); |
|
| 534 |
// Bind the values to the query |
|
| 535 |
pstmt.setString(1, docid); |
|
| 536 |
|
|
| 537 |
pstmt.execute(); |
|
| 538 |
ResultSet rs = pstmt.getResultSet(); |
|
| 539 |
boolean hasRow = rs.next(); |
|
| 540 |
pstmt.close(); |
|
| 541 |
if (hasRow) {
|
|
| 542 |
return true; |
|
| 543 |
} |
|
| 544 |
|
|
| 545 |
} catch (SQLException e) {
|
|
| 546 |
throw new |
|
| 547 |
SQLException("Error checking doc's public access: " + e.getMessage());
|
|
| 548 |
} |
|
| 549 |
|
|
| 550 |
// checking access type from xml_access table |
|
| 551 |
int accesstype = 0; |
|
| 552 |
try {
|
|
| 553 |
pstmt = conn.prepareStatement( |
|
| 554 |
"SELECT access_type FROM xml_access " + |
|
| 555 |
"WHERE docid LIKE ? " + |
|
| 556 |
"AND principal_name LIKE ? " + |
|
| 557 |
"AND principal_type = 'user' " + |
|
| 558 |
"AND sysdate BETWEEN nvl(begin_time,sysdate) " + |
|
| 559 |
"AND nvl(end_time,sysdate) " + |
|
| 560 |
"UNION " + |
|
| 561 |
"SELECT access_type FROM xml_access " + |
|
| 562 |
"WHERE docid LIKE ? " + |
|
| 563 |
"AND principal_name LIKE ? " + |
|
| 564 |
"AND principal_type = 'group' " + |
|
| 565 |
"AND sysdate BETWEEN nvl(begin_time,sysdate) " + |
|
| 566 |
"AND nvl(end_time,sysdate)"); |
|
| 567 |
// Bind the values to the query |
|
| 568 |
pstmt.setString(1, docid); |
|
| 569 |
pstmt.setString(2, user); |
|
| 570 |
pstmt.setString(3, docid); |
|
| 571 |
pstmt.setString(2, group); |
|
| 572 |
|
|
| 573 |
pstmt.execute(); |
|
| 574 |
ResultSet rs = pstmt.getResultSet(); |
|
| 575 |
boolean hasRows = rs.next(); |
|
| 576 |
while ( hasRows ) {
|
|
| 577 |
accesstype = rs.getInt(1); |
|
| 578 |
if ( (accesstype & READ) == READ ) {
|
|
| 579 |
pstmt.close(); |
|
| 580 |
return true; |
|
| 581 |
} |
|
| 582 |
hasRows = rs.next(); |
|
| 583 |
} |
|
| 584 |
|
|
| 585 |
pstmt.close(); |
|
| 586 |
return false; |
|
| 587 |
|
|
| 588 |
} catch (SQLException e) {
|
|
| 589 |
throw new |
|
| 590 |
SQLException("Error getting document's permissions: " + e.getMessage());
|
|
| 591 |
} |
|
| 592 |
} |
|
| 593 |
|
|
| 481 | 594 |
} |
| 482 | 595 |
|
| 483 | 596 |
/** |
| 484 | 597 |
* '$Log$ |
| 598 |
* 'Revision 1.18 2000/09/05 20:50:56 berkley |
|
| 599 |
* 'Added a method called getNodeContent which retrieves the content of a node in a document. If there are more than one nodes with the same name returned, it returns an array with all of the data. |
|
| 600 |
* ' |
|
| 485 | 601 |
* 'Revision 1.17 2000/08/31 21:20:39 berkley |
| 486 | 602 |
* 'changed xslf for new returnfield scheme. the returnfields are now returned as <param name="<returnfield>"> tags. |
| 487 | 603 |
* 'hThe sql for the returnfield query was redone to fix a previous problem with slow queries |
| src/edu/ucsb/nceas/metacat/MetaCatServlet.java | ||
|---|---|---|
| 241 | 241 |
if (sess.isNew()) {
|
| 242 | 242 |
// session expired or has not been stored b/w user requests |
| 243 | 243 |
// redirect to default page for query only access |
| 244 |
|
|
| 245 |
// response.sendRedirect(htmlpath + "/sexpire.html");
|
|
| 244 |
// response.sendRedirect(htmlpath + "/sexpire.html"); |
|
| 245 |
username = "public";
|
|
| 246 | 246 |
} else {
|
| 247 | 247 |
username = (String)sess.getAttribute("username");
|
| 248 | 248 |
groupname = (String)sess.getAttribute("groupname");
|
| ... | ... | |
| 253 | 253 |
// to a particular action handler |
| 254 | 254 |
if(action.equals("query"))
|
| 255 | 255 |
{
|
| 256 |
handleQuery(out, params, response); |
|
| 256 |
handleQuery(out, params, response, username, groupname);
|
|
| 257 | 257 |
} |
| 258 | 258 |
else if(action.equals("squery"))
|
| 259 | 259 |
{
|
| 260 | 260 |
if(params.containsKey("query"))
|
| 261 | 261 |
{
|
| 262 |
handleSQuery(out, params, response); |
|
| 262 |
handleSQuery(out, params, response, username, groupname);
|
|
| 263 | 263 |
} |
| 264 | 264 |
else |
| 265 | 265 |
{
|
| ... | ... | |
| 381 | 381 |
* @param conn the database connection |
| 382 | 382 |
*/ |
| 383 | 383 |
protected void handleSQuery(PrintWriter out, Hashtable params, |
| 384 |
HttpServletResponse response)
|
|
| 384 |
HttpServletResponse response, String user, String group)
|
|
| 385 | 385 |
{
|
| 386 | 386 |
String xmlquery = ((String[])params.get("query"))[0];
|
| 387 | 387 |
String qformat = ((String[])params.get("qformat"))[0];
|
| 388 |
Hashtable doclist = runQuery(xmlquery); |
|
| 388 |
Hashtable doclist = runQuery(xmlquery, user, group);
|
|
| 389 | 389 |
String resultdoc = createResultDocument(doclist, xmlquery); |
| 390 | 390 |
|
| 391 | 391 |
//format and transform the results |
| ... | ... | |
| 408 | 408 |
* @param response the response object linked to the client |
| 409 | 409 |
*/ |
| 410 | 410 |
protected void handleQuery(PrintWriter out, Hashtable params, |
| 411 |
HttpServletResponse response)
|
|
| 411 |
HttpServletResponse response, String user, String group)
|
|
| 412 | 412 |
{
|
| 413 | 413 |
//create the query and run it |
| 414 | 414 |
String xmlquery = DBQuery.createSQuery(params); |
| 415 |
Hashtable doclist = runQuery(xmlquery); |
|
| 415 |
Hashtable doclist = runQuery(xmlquery, user, group);
|
|
| 416 | 416 |
String qformat = ((String[])params.get("qformat"))[0];
|
| 417 | 417 |
String resultdoc = createResultDocument(doclist, transformQuery(params)); |
| 418 | 418 |
|
| ... | ... | |
| 452 | 452 |
* |
| 453 | 453 |
* @param xmlquery the query to run |
| 454 | 454 |
*/ |
| 455 |
private Hashtable runQuery(String xmlquery) |
|
| 455 |
private Hashtable runQuery(String xmlquery, String user, String group)
|
|
| 456 | 456 |
{
|
| 457 | 457 |
Hashtable doclist=null; |
| 458 | 458 |
Connection conn = null; |
| 459 | 459 |
try |
| 460 | 460 |
{
|
| 461 |
conn = util.getConnection();
|
|
| 462 |
DBQuery queryobj = new DBQuery(conn, saxparser);
|
|
| 463 |
doclist = queryobj.findDocuments(new StringReader(xmlquery));
|
|
| 464 |
util.returnConnection(conn);
|
|
| 465 |
return doclist;
|
|
| 461 |
conn = util.getConnection(); |
|
| 462 |
DBQuery queryobj = new DBQuery(conn, saxparser); |
|
| 463 |
doclist = queryobj.findDocuments(new StringReader(xmlquery),user,group);
|
|
| 464 |
util.returnConnection(conn); |
|
| 465 |
return doclist; |
|
| 466 | 466 |
} |
| 467 | 467 |
catch (Exception e) |
| 468 | 468 |
{
|
| 469 |
if (conn != null) |
|
| 470 |
{
|
|
| 471 |
util.returnConnection(conn); |
|
| 472 |
} |
|
| 469 |
util.returnConnection(conn); |
|
| 473 | 470 |
util.debugMessage("Error in runQuery: " + e.getMessage());
|
| 474 | 471 |
doclist = null; |
| 475 | 472 |
return doclist; |
| ... | ... | |
| 499 | 496 |
} |
| 500 | 497 |
catch(Exception e) |
| 501 | 498 |
{
|
| 502 |
//if (conn != null) |
|
| 503 |
{
|
|
| 504 |
util.returnConnection(conn); |
|
| 505 |
} |
|
| 499 |
util.returnConnection(conn); |
|
| 506 | 500 |
} |
| 507 | 501 |
} |
| 508 | 502 |
|
Also available in: Unified diff
added check from "read" permission on "query" and "squery" actions
for connected user or for "public" connection