Revision 6245
Added by ben leinfelder almost 13 years ago
| src/edu/ucsb/nceas/metacat/dataone/D1NodeService.java | ||
|---|---|---|
| 69 | 69 |
import org.dataone.service.types.Person; |
| 70 | 70 |
import org.dataone.service.types.Session; |
| 71 | 71 |
import org.dataone.service.types.Subject; |
| 72 |
import org.dataone.service.types.SubjectList; |
|
| 72 | 73 |
import org.dataone.service.types.SystemMetadata; |
| 73 | 74 |
|
| 74 | 75 |
import edu.ucsb.nceas.metacat.AccessionNumberException; |
| ... | ... | |
| 613 | 614 |
|
| 614 | 615 |
// get the subjects from the session |
| 615 | 616 |
List<Subject> subjects = new ArrayList<Subject>(); |
| 616 |
subjects.add(session.getSubject());
|
|
| 617 |
for (Person p: session.getSubjectList().getPersonList()) {
|
|
| 618 |
subjects.add(p.getSubject());
|
|
| 617 |
Subject subject = session.getSubject();
|
|
| 618 |
if (subject != null) {
|
|
| 619 |
subjects.add(subject);
|
|
| 619 | 620 |
} |
| 620 |
for (Group g: session.getSubjectList().getGroupList()) {
|
|
| 621 |
subjects.add(g.getSubject()); |
|
| 621 |
SubjectList subjectList = session.getSubjectList(); |
|
| 622 |
if (subjectList != null) {
|
|
| 623 |
List<Person> personList = subjectList.getPersonList(); |
|
| 624 |
if (personList != null) {
|
|
| 625 |
for (Person p: personList) {
|
|
| 626 |
subjects.add(p.getSubject()); |
|
| 627 |
} |
|
| 628 |
} |
|
| 629 |
List<Group> groupList = subjectList.getGroupList(); |
|
| 630 |
if (groupList != null) {
|
|
| 631 |
for (Group g: groupList) {
|
|
| 632 |
subjects.add(g.getSubject()); |
|
| 633 |
} |
|
| 634 |
} |
|
| 622 | 635 |
} |
| 623 | 636 |
|
| 624 | 637 |
// get the system metadata |
| ... | ... | |
| 627 | 640 |
try {
|
| 628 | 641 |
systemMetadata = IdentifierManager.getInstance().getSystemMetadata(pidStr); |
| 629 | 642 |
} catch (McdbDocNotFoundException e) {
|
| 630 |
throw new NotFound("1800", "No record found for: " + pid);
|
|
| 643 |
throw new NotFound("1800", "No record found for " + pidStr);
|
|
| 631 | 644 |
} |
| 632 |
List<AccessRule> allows = systemMetadata.getAccessPolicy().getAllowList(); |
|
| 633 |
for (AccessRule accessRule: allows) {
|
|
| 634 |
for (Subject subject: subjects) {
|
|
| 635 |
if (accessRule.getSubjectList().contains(subject)) {
|
|
| 636 |
allowed = accessRule.getPermissionList().contains(permission); |
|
| 637 |
if (allowed) {
|
|
| 638 |
break; |
|
| 639 |
} |
|
| 640 |
} |
|
| 641 |
} |
|
| 642 |
} |
|
| 645 |
|
|
| 646 |
try {
|
|
| 647 |
List<AccessRule> allows = systemMetadata.getAccessPolicy().getAllowList(); |
|
| 648 |
for (AccessRule accessRule: allows) {
|
|
| 649 |
for (Subject s: subjects) {
|
|
| 650 |
if (accessRule.getSubjectList().contains(s)) {
|
|
| 651 |
allowed = accessRule.getPermissionList().contains(permission); |
|
| 652 |
if (allowed) {
|
|
| 653 |
break; |
|
| 654 |
} |
|
| 655 |
} |
|
| 656 |
} |
|
| 657 |
} |
|
| 658 |
} catch (Exception e) {
|
|
| 659 |
// catch all for errors - safe side should be to deny the access |
|
| 660 |
logMetacat.error("Problem checking authorization - defaulting to deny", e);
|
|
| 661 |
allowed = false; |
|
| 662 |
} |
|
| 643 | 663 |
|
| 644 |
// TODO: throw or return?
|
|
| 664 |
// throw or return? |
|
| 645 | 665 |
if (!allowed) {
|
| 646 |
throw new NotAuthorized("1820", permission + "not allowed on " + pid);
|
|
| 666 |
throw new NotAuthorized("1820", permission + " not allowed on " + pidStr);
|
|
| 647 | 667 |
} |
| 668 |
|
|
| 648 | 669 |
return allowed; |
| 649 | 670 |
|
| 650 | 671 |
} |
Also available in: Unified diff
isAuthorized: check for nulls in Session subjects, catch any unexpected errors and deny access when in doubt