/ - Diff - Metacat - Ecoinformatics Redmine

« Previous | Next »

Revision 6225

Added by ben leinfelder over 13 years ago

-use every Subject in the session (alt Ids and Group membership)
-consolidate to single isAuthorized method

     		String guid = pid.getValue();
     		// are we allowed to do this?
     		if (!hasPermission(session, pid, Permission.CHANGE_PERMISSION)) {
     		if (!isAuthorized(session, pid, Permission.CHANGE_PERMISSION)) {
     			throw new NotAuthorized("4881", Permission.CHANGE_PERMISSION + " not allowed by " + subject.getValue() + " on " + guid);
+    		}
-...
     		String guid = pid.getValue();
     		// are we allowed to do this?
     		if (!hasPermission(session, pid, Permission.WRITE)) {
     		if (!isAuthorized(session, pid, Permission.WRITE)) {
     			throw new NotAuthorized("4720", Permission.WRITE + " not allowed by " + subject.getValue() + " on " + guid);
+    		}
-...
     		// get the system metadata
     		String guid1 = pidOfSubject.getValue();
     		// are we allowed to do this?
     		if (!hasPermission(session, pidOfSubject, Permission.READ)) {
     		if (!isAuthorized(session, pidOfSubject, Permission.READ)) {
     			throw new NotAuthorized("4881", Permission.READ + " not allowed on " + guid1);
+    		}
-...
     		String guid = pid.getValue();
     		// are we allowed to do this?
     		if (!hasPermission(session, pid, Permission.READ)) {
     		if (!isAuthorized(session, pid, Permission.READ)) {
     			throw new NotAuthorized("4720", Permission.READ + " not allowed on " + guid);
+    		}
-...
     		String guid = pid.getValue();
     		// are we allowed to do this?
     		if (!hasPermission(session, pid, Permission.CHANGE_PERMISSION)) {
     		if (!isAuthorized(session, pid, Permission.CHANGE_PERMISSION)) {
     			throw new NotAuthorized("4440", "not allowed by " + subject.getValue() + " on " + guid);
+    		}

     package edu.ucsb.nceas.metacat.dataone;
     import java.io.InputStream;
     import java.util.ArrayList;
     import java.util.Calendar;
     import java.util.Date;
     import java.util.List;
-...
     import org.dataone.service.types.AccessRule;
     import org.dataone.service.types.Event;
     import org.dataone.service.types.Identifier;
     import org.dataone.service.types.Group;
     import org.dataone.service.types.Log;
     import org.dataone.service.types.LogEntry;
     import org.dataone.service.types.NodeReference;
     import org.dataone.service.types.Permission;
     import org.dataone.service.types.Person;
     import org.dataone.service.types.Session;
     import org.dataone.service.types.Subject;
     import org.dataone.service.types.SystemMetadata;
-...
     		String guid = pid.getValue();
     		// are we allowed to do this?
     		if (!hasPermission(session, pid, Permission.CHANGE_PERMISSION)) {
     		if (!isAuthorized(session, pid, Permission.CHANGE_PERMISSION)) {
     			throw new NotAuthorized("4420", "not allowed by " + subject.getValue() + " on " + guid);
+    		}
-...
     		boolean allowed = false;
     		// get the subject
     		Subject subject = session.getSubject();
     		// get the subjects from the session
     		List<Subject> subjects = new ArrayList<Subject>();
     		subjects.add(session.getSubject());
     		for (Person p: session.getSubjectList().getPersonList()) {
     			subjects.add(p.getSubject());
+    		}
     		for (Group g: session.getSubjectList().getGroupList()) {
     			subjects.add(g.getSubject());
+    		}
     		// get the system metadata
     		String guid = pid.getValue();
-...
+    		}
     		List<AccessRule> allows = systemMetadata.getAccessPolicy().getAllowList();
     		for (AccessRule accessRule: allows) {
     			if (accessRule.getSubjectList().contains(subject)) {
     				allowed = accessRule.getPermissionList().contains(permission);
     				if (allowed) {
     					break;
     			for (Subject subject: subjects) {
     				if (accessRule.getSubjectList().contains(subject)) {
     					allowed = accessRule.getPermissionList().contains(permission);
     					if (allowed) {
     						break;
+    					}
+    				}
+    			}
+    		}
     		// TODO: throw or return?
     		if (!allowed) {
     			throw new NotAuthorized("1820", permission + "not allowed by " + subject.getValue() + " on " + guid);
     			throw new NotAuthorized("1820", permission + "not allowed on " + guid);
+    		}
     		return allowed;
+    	}
     	protected boolean hasPermission(Session session, Identifier pid, Permission permission)
     	  throws ServiceFailure, InvalidToken, NotFound, NotAuthorized,
     	  NotImplemented, InvalidRequest {
     		boolean allowed = false;
     		// get the subject
     		Subject subject = session.getSubject();
     		// get the system metadata
     		String guid = pid.getValue();
     		SystemMetadata systemMetadata = null;
     		try {
     			systemMetadata = IdentifierManager.getInstance().getSystemMetadata(guid);
     		} catch (McdbDocNotFoundException e) {
     			throw new NotFound("1800", "No record found for: " + guid);
+    		}
     		List<AccessRule> allows = systemMetadata.getAccessPolicy().getAllowList();
     		for (AccessRule accessRule: allows) {
     			if (accessRule.getSubjectList().contains(subject)) {
     				allowed = accessRule.getPermissionList().contains(permission);
     				if (allowed) {
     					break;
+    				}
+    			}
+    		}
     		return allowed;
+    	}
     	/* End methods common to CNAuthorization and MNAuthorization APIs */
     	/**

Also available in: Unified diff

Project

General

Profile

Metacat

Revision 6225

Added by ben leinfelder over 13 years ago