Revision 441
Added by bojilova over 23 years ago
DocumentImpl.java | ||
---|---|---|
468 | 468 |
SAXException, SAXParseException, Exception { |
469 | 469 |
|
470 | 470 |
if ( action.equals("UPDATE") ) { |
471 |
// Determine if the docid is OK for an UPDATE
|
|
471 |
// Determine if the docid is OK for UPDATE |
|
472 | 472 |
AccessionNumber ac = new AccessionNumber(); |
473 | 473 |
String newdocid = ac.generate(docid, "UPDATE"); |
474 | 474 |
|
475 |
// b' of the command line invocation |
|
476 |
if ( (user != null) && (group != null) ) { |
|
477 |
if ( !hasWritePermission(conn, docid, user, group) ) { |
|
478 |
throw new Exception("User " + user + |
|
479 |
" does not have permission to update XML Document #" + docid); |
|
480 |
} |
|
475 |
// check for 'write' permission for 'user' to update this document |
|
476 |
if ( !hasWritePermission(conn, docid, user, group) ) { |
|
477 |
throw new Exception("User " + user + |
|
478 |
" does not have permission to update XML Document #" + docid); |
|
481 | 479 |
} |
482 | 480 |
} |
483 | 481 |
|
... | ... | |
530 | 528 |
throws IOException, SQLException, ClassNotFoundException, |
531 | 529 |
AccessionNumberException, Exception { |
532 | 530 |
|
531 |
// Determine if the docid is OK for DELETE |
|
533 | 532 |
AccessionNumber ac = new AccessionNumber(); |
534 | 533 |
String newdocid = ac.generate(docid, "DELETE"); |
535 | 534 |
|
536 |
if ( (user != null) && (group != null) ) { |
|
537 |
if ( !hasWritePermission(conn, docid, user, group) ) { |
|
538 |
throw new Exception("User " + user + |
|
539 |
" does not have permission to delete XML Document #" + docid); |
|
540 |
} |
|
535 |
// check for 'write' permission for 'user' to delete this document |
|
536 |
if ( !hasWritePermission(conn, docid, user, group) ) { |
|
537 |
throw new Exception("User " + user + |
|
538 |
" does not have permission to delete XML Document #" + docid); |
|
541 | 539 |
} |
542 | 540 |
|
543 | 541 |
conn.setAutoCommit(false); |
... | ... | |
556 | 554 |
private static boolean hasWritePermission(Connection conn, String docid, |
557 | 555 |
String user, String group) |
558 | 556 |
throws SQLException { |
557 |
// b' of the command line invocation |
|
558 |
if ( (user == null) && (group == null) ) { |
|
559 |
return true; |
|
560 |
} |
|
561 |
|
|
559 | 562 |
PreparedStatement pstmt; |
560 | 563 |
// checking if user is owner of docid |
561 | 564 |
try { |
562 | 565 |
pstmt = conn.prepareStatement( |
563 |
"SELECT docid FROM xml_documents " +
|
|
566 |
"SELECT 'x' FROM xml_documents " +
|
|
564 | 567 |
"WHERE docid LIKE ? AND user_owner LIKE ?"); |
565 | 568 |
// Bind the values to the query |
566 | 569 |
pstmt.setString(1, docid); |
... | ... | |
576 | 579 |
|
577 | 580 |
} catch (SQLException e) { |
578 | 581 |
throw new |
579 |
SQLException("Error getting document's owner: " + e.getMessage());
|
|
582 |
SQLException("Error checking document's owner: " + e.getMessage());
|
|
580 | 583 |
} |
581 | 584 |
|
582 | 585 |
// checking access type from xml_access table |
... | ... | |
587 | 590 |
"WHERE docid LIKE ? " + |
588 | 591 |
"AND principal_name LIKE ? " + |
589 | 592 |
"AND principal_type = 'user' " + |
590 |
"AND sysdate BETWEEN begin_time AND end_time " + |
|
593 |
"AND sysdate BETWEEN nvl(begin_time,sysdate) " + |
|
594 |
"AND nvl(end_time,sysdate) " + |
|
591 | 595 |
"UNION " + |
592 | 596 |
"SELECT access_type FROM xml_access " + |
593 | 597 |
"WHERE docid LIKE ? " + |
594 | 598 |
"AND principal_name LIKE ? " + |
595 | 599 |
"AND principal_type = 'group' " + |
596 |
"AND sysdate BETWEEN begin_time AND end_time"); |
|
600 |
"AND sysdate BETWEEN nvl(begin_time,sysdate) " + |
|
601 |
"AND nvl(end_time,sysdate)"); |
|
597 | 602 |
// Bind the values to the query |
598 | 603 |
pstmt.setString(1, docid); |
599 | 604 |
pstmt.setString(2, user); |
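Review bot: The new early exit in hasWritePermission, `if ( (user == null) && (group == null) ) { return true; }`, makes the authorization check fail open, and the UPDATE and DELETE paths above now depend on it because their own `(user != null) && (group != null)` guards were removed. The comment ties the exit to command-line invocation, but nothing visible in these hunks stops another caller that has no principal from passing null for both arguments and being treated as having write permission; whether a request path can do that is not shown here and should be confirmed. I would deny by default inside the check, `if (user == null) { return false; }`, and let the command-line entry point skip the call explicitly or pass a dedicated trusted principal. Separately, the owner and access queries compare with `docid LIKE ?` and `user_owner LIKE ?`, so `%` and `_` in the bound values act as wildcards and the match is not exact; `=` would make it exact. The body of hasWritePermission continues outside the visible hunks.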
added check for "read" permission on "query" and "squery" actions
for connected user or for "public" connection