Project

General

Profile

« Previous | Next » 

Revision 441

Added by bojilova over 23 years ago

added check from "read" permission on "query" and "squery" actions
for connected user or for "public" connection

View differences:

src/edu/ucsb/nceas/metacat/DocumentImpl.java
468 468
                       SAXException, SAXParseException, Exception {
469 469

  
470 470
    if ( action.equals("UPDATE") ) {
471
      // Determine if the docid is OK for an UPDATE
471
      // Determine if the docid is OK for UPDATE
472 472
      AccessionNumber ac = new AccessionNumber();
473 473
      String newdocid = ac.generate(docid, "UPDATE");
474 474

  
475
      // b' of the command line invocation
476
      if ( (user != null) &&  (group != null) ) { 
477
        if ( !hasWritePermission(conn, docid, user, group) ) {
478
          throw new Exception("User " + user + 
479
                " does not have permission to update XML Document #" + docid);
480
        }        
475
      // check for 'write' permission for 'user' to update this document
476
      if ( !hasWritePermission(conn, docid, user, group) ) {
477
        throw new Exception("User " + user + 
478
              " does not have permission to update XML Document #" + docid);
481 479
      }          
482 480
    }
483 481

  
......
530 528
                throws IOException, SQLException, ClassNotFoundException, 
531 529
                       AccessionNumberException, Exception {
532 530

  
531
    // Determine if the docid is OK for DELETE
533 532
    AccessionNumber ac = new AccessionNumber();
534 533
    String newdocid = ac.generate(docid, "DELETE");
535 534

  
536
    if ( (user != null) &&  (group != null) ) {
537
      if ( !hasWritePermission(conn, docid, user, group) ) {
538
        throw new Exception("User " + user + 
539
                " does not have permission to delete XML Document #" + docid);
540
      }          
535
    // check for 'write' permission for 'user' to delete this document
536
    if ( !hasWritePermission(conn, docid, user, group) ) {
537
      throw new Exception("User " + user + 
538
              " does not have permission to delete XML Document #" + docid);
541 539
    }
542 540

  
543 541
    conn.setAutoCommit(false);
......
556 554
  private static boolean hasWritePermission(Connection conn, String docid, 
557 555
                                     String user, String group) 
558 556
                                     throws SQLException {
557
    // b' of the command line invocation
558
    if ( (user == null) && (group == null) ) {
559
      return true;
560
    }
561

  
559 562
    PreparedStatement pstmt;
560 563
    // checking if user is owner of docid
561 564
    try {
562 565
      pstmt = conn.prepareStatement(
563
                   "SELECT docid FROM xml_documents " +
566
                   "SELECT 'x' FROM xml_documents " +
564 567
                   "WHERE docid LIKE ? AND user_owner LIKE ?");
565 568
      // Bind the values to the query
566 569
      pstmt.setString(1, docid);
......
576 579
      
577 580
    } catch (SQLException e) {
578 581
      throw new 
579
        SQLException("Error getting document's owner: " + e.getMessage());
582
        SQLException("Error checking document's owner: " + e.getMessage());
580 583
    }
581 584

  
582 585
    // checking access type from xml_access table
......
587 590
                   "WHERE docid LIKE ? " + 
588 591
                   "AND principal_name LIKE ? " +
589 592
                   "AND principal_type = 'user' " +
590
                   "AND sysdate BETWEEN begin_time AND end_time " +
593
                   "AND sysdate BETWEEN nvl(begin_time,sysdate) " +
594
                                   "AND nvl(end_time,sysdate) " +
591 595
                   "UNION " +
592 596
                   "SELECT access_type FROM xml_access " +
593 597
                   "WHERE docid LIKE ? " + 
594 598
                   "AND principal_name LIKE ? " +
595 599
                   "AND principal_type = 'group' " +
596
                   "AND sysdate BETWEEN begin_time AND end_time");
600
                   "AND sysdate BETWEEN nvl(begin_time,sysdate) " +
601
                                   "AND nvl(end_time,sysdate)");
597 602
      // Bind the values to the query
598 603
      pstmt.setString(1, docid);
599 604
      pstmt.setString(2, user);
src/edu/ucsb/nceas/metacat/DBQuery.java
35 35
 */
36 36
public class DBQuery {
37 37

  
38
  static final int ALL = 1;
39
  static final int WRITE = 2;
40
  static final int READ = 4;
41

  
38 42
  private Connection	conn = null;
39 43
  private String	parserName = null;
40 44

  
......
65 69
          DBQuery queryobj = new DBQuery(dbconn, util.getOption("saxparser"));
66 70
          FileReader xml = new FileReader(new File(xmlfile));
67 71
          Hashtable nodelist = null;
68
          nodelist = queryobj.findDocuments(xml);
72
          nodelist = queryobj.findDocuments(xml, null, null);
69 73

  
70 74
          // Print the reulting document listing
71 75
          StringBuffer result = new StringBuffer();
......
117 121
   *
118 122
   * @param xmlquery the xml serialization of the query (@see pathquery.dtd)
119 123
   */
120
  public Hashtable findDocuments(Reader xmlquery) {
124
  public Hashtable findDocuments(Reader xmlquery, String user, String group) {
121 125
      Hashtable	 docListResult = new Hashtable();
122 126
      PreparedStatement pstmt;
123 127
      String docid = null;
......
143 147
        boolean tableHasRows = rs.next();
144 148
        while (tableHasRows) {
145 149
          docid = rs.getString(1);
150
          if ( !hasReadPermission(conn, docid, user, group) ) {continue;}
146 151
          docname = rs.getString(2);
147 152
          doctype = rs.getString(3);
148 153
          doctitle = rs.getString(4);
......
186 191
          while(tableHasRows) 
187 192
          {
188 193
            docid = rs.getString(1);
194
            if ( !hasReadPermission(conn, docid, user, group) ) {continue;}
189 195
            fieldname = rs.getString(2);
190 196
            fielddata = rs.getString(3);
191 197
            
......
478 484
   public static String createQuery(String value) {
479 485
     return createQuery(value, "any");
480 486
   }
487
   
488
  /** Check for "read" permissions from DB connection */
489
  private boolean hasReadPermission(Connection conn, String docid, 
490
                                     String user, String group) 
491
                                     throws SQLException {
492
    // b' of the command line invocation
493
    if ( (user == null) && (group == null) ) {
494
      return true;
495
    }
496
    
497
    PreparedStatement pstmt;
498
    // checking if user is owner of docid or if docid has public access
499
    try {
500
      pstmt = conn.prepareStatement(
501
                   "SELECT 'x' FROM xml_documents " +
502
                   "WHERE docid LIKE ? AND user_owner LIKE ? " + 
503
                   "UNION " +
504
                   "SELECT 'x' FROM xml_documents " +
505
                   "WHERE docid LIKE ? AND public_access = 1");
506
      // Bind the values to the query
507
      pstmt.setString(1, docid);
508
      pstmt.setString(2, user);
509
      pstmt.setString(3, docid);
510

  
511
      pstmt.execute();
512
      ResultSet rs = pstmt.getResultSet();
513
      boolean hasRow = rs.next();
514
      pstmt.close();
515
      if (hasRow) {
516
        return true;
517
      }
518
      
519
    } catch (SQLException e) {
520
      throw new 
521
        SQLException("Error checking document's owner or public access: "
522
                      + e.getMessage());
523
    }
524

  
525
    // checking if docid has public access at this time
526
    try {
527
      pstmt = conn.prepareStatement(
528
                   "SELECT 'x' FROM xml_access " +
529
                   "WHERE docid LIKE ? " +
530
                   "AND principal_name = 'public' " +
531
                   "AND principal_type = 'user' " +
532
                   "AND sysdate BETWEEN nvl(begin_time,sysdate) " +
533
                                   "AND nvl(end_time,sysdate)");
534
      // Bind the values to the query
535
      pstmt.setString(1, docid);
536

  
537
      pstmt.execute();
538
      ResultSet rs = pstmt.getResultSet();
539
      boolean hasRow = rs.next();
540
      pstmt.close();
541
      if (hasRow) {
542
        return true;
543
      }
544
      
545
    } catch (SQLException e) {
546
      throw new 
547
        SQLException("Error checking doc's public access: " + e.getMessage());
548
    }
549

  
550
    // checking access type from xml_access table
551
    int accesstype = 0;
552
    try {
553
      pstmt = conn.prepareStatement(
554
                   "SELECT access_type FROM xml_access " +
555
                   "WHERE docid LIKE ? " + 
556
                   "AND principal_name LIKE ? " +
557
                   "AND principal_type = 'user' " +
558
                   "AND sysdate BETWEEN nvl(begin_time,sysdate) " +
559
                                   "AND nvl(end_time,sysdate) " +
560
                   "UNION " +
561
                   "SELECT access_type FROM xml_access " +
562
                   "WHERE docid LIKE ? " + 
563
                   "AND principal_name LIKE ? " +
564
                   "AND principal_type = 'group' " +
565
                   "AND sysdate BETWEEN nvl(begin_time,sysdate) " +
566
                                   "AND nvl(end_time,sysdate)");
567
      // Bind the values to the query
568
      pstmt.setString(1, docid);
569
      pstmt.setString(2, user);
570
      pstmt.setString(3, docid);
571
      pstmt.setString(2, group);
572

  
573
      pstmt.execute();
574
      ResultSet rs = pstmt.getResultSet();
575
      boolean hasRows = rs.next();
576
      while ( hasRows ) {
577
        accesstype = rs.getInt(1);
578
        if ( (accesstype & READ) == READ ) {
579
          pstmt.close();
580
          return true;
581
        }
582
        hasRows = rs.next();
583
      }
584

  
585
      pstmt.close();
586
      return false;
587
      
588
    } catch (SQLException e) {
589
      throw new 
590
      SQLException("Error getting document's permissions: " + e.getMessage());
591
    }
592
  }
593
   
481 594
}
482 595

  
483 596
/**
484 597
 * '$Log$
598
 * 'Revision 1.18  2000/09/05 20:50:56  berkley
599
 * 'Added a method called getNodeContent which retrieves the content of a node in a document.  If there are more than one nodes with the same name returned, it returns an array with all of the data.
600
 * '
485 601
 * 'Revision 1.17  2000/08/31 21:20:39  berkley
486 602
 * 'changed xslf for new returnfield scheme.  the returnfields are now returned as <param name="<returnfield>"> tags.
487 603
 * 'hThe sql for the returnfield query was redone to fix a previous problem with slow queries
src/edu/ucsb/nceas/metacat/MetaCatServlet.java
241 241
      if (sess.isNew()) { 
242 242
        // session expired or has not been stored b/w user requests
243 243
        // redirect to default page for query only access
244

  
245
      //  response.sendRedirect(htmlpath + "/sexpire.html");
244
        //  response.sendRedirect(htmlpath + "/sexpire.html");
245
        username = "public";
246 246
      } else {
247 247
        username = (String)sess.getAttribute("username");
248 248
        groupname = (String)sess.getAttribute("groupname");
......
253 253
    // to a particular action handler
254 254
    if(action.equals("query"))
255 255
    {
256
      handleQuery(out, params, response); 
256
      handleQuery(out, params, response, username, groupname); 
257 257
    } 
258 258
    else if(action.equals("squery"))
259 259
    {
260 260
      if(params.containsKey("query"))
261 261
      {
262
        handleSQuery(out, params, response); 
262
        handleSQuery(out, params, response, username, groupname); 
263 263
      }
264 264
      else
265 265
      {
......
381 381
   * @param conn the database connection 
382 382
   */
383 383
  protected void handleSQuery(PrintWriter out, Hashtable params, 
384
                              HttpServletResponse response)
384
                 HttpServletResponse response, String user, String group)
385 385
  { 
386 386
    String xmlquery = ((String[])params.get("query"))[0];
387 387
    String qformat = ((String[])params.get("qformat"))[0];
388
    Hashtable doclist = runQuery(xmlquery);
388
    Hashtable doclist = runQuery(xmlquery, user, group);
389 389
    String resultdoc = createResultDocument(doclist, xmlquery);
390 390

  
391 391
    //format and transform the results                                        
......
408 408
    * @param response the response object linked to the client
409 409
    */ 
410 410
  protected void handleQuery(PrintWriter out, Hashtable params, 
411
                           HttpServletResponse response)
411
                 HttpServletResponse response, String user, String group)
412 412
  {
413 413
    //create the query and run it
414 414
    String xmlquery = DBQuery.createSQuery(params);
415
    Hashtable doclist = runQuery(xmlquery);
415
    Hashtable doclist = runQuery(xmlquery, user, group);
416 416
    String qformat = ((String[])params.get("qformat"))[0]; 
417 417
    String resultdoc = createResultDocument(doclist, transformQuery(params));
418 418

  
......
452 452
   *
453 453
   * @param xmlquery the query to run
454 454
   */
455
  private Hashtable runQuery(String xmlquery)
455
  private Hashtable runQuery(String xmlquery, String user, String group)
456 456
  {
457 457
    Hashtable doclist=null;
458 458
    Connection conn = null;
459 459
    try
460 460
    {
461
        conn = util.getConnection();
462
        DBQuery queryobj = new DBQuery(conn, saxparser);
463
        doclist = queryobj.findDocuments(new StringReader(xmlquery));
464
        util.returnConnection(conn);
465
        return doclist;
461
      conn = util.getConnection();
462
      DBQuery queryobj = new DBQuery(conn, saxparser);
463
      doclist = queryobj.findDocuments(new StringReader(xmlquery),user,group);
464
      util.returnConnection(conn);
465
      return doclist;
466 466
    } 
467 467
    catch (Exception e) 
468 468
    {
469
      if (conn != null) 
470
      {
471
        util.returnConnection(conn); 
472
      }
469
      util.returnConnection(conn); 
473 470
      util.debugMessage("Error in runQuery: " + e.getMessage());
474 471
      doclist = null;
475 472
      return doclist;
......
499 496
    }
500 497
    catch(Exception e)
501 498
    {
502
      //if (conn != null) 
503
      {
504
        util.returnConnection(conn); 
505
      }
499
      util.returnConnection(conn); 
506 500
    } 
507 501
  }
508 502
  

Also available in: Unified diff