
Revision 7071

In setReplicationStatus(), first check for a replica target MN subject match with the session subject. If this fails, look to see if CN admin access is allowed. Otherwise throw NotAuthorized. Addresses https://redmine.dataone.org/issues/2494


src/edu/ucsb/nceas/metacat/dataone/CNodeService.java
501 501
                  
502 502
                  // allow target MN certs and CN certs
503 503
                  if (targetNode.getValue().equals(nodeReference.getValue()) ||
504
                      node.getType() == NodeType.CN) {
504
                      node.getType() == NodeType.MN) {
505 505
                      List<Subject> nodeSubjects = node.getSubjectList();
506 506
                      
507 507
                      // check if the session subject is in the node subject list
508 508
                      for (Subject nodeSubject : nodeSubjects) {
509
                          logMetacat.debug("In setReplicationStatus(), comparing subjects: " +
510
                                  nodeSubject.getValue() + " and " + subject.getValue());
509 511
                          if ( nodeSubject.equals(subject) ) {
510 512
                              allowed = true; // subject of session == target node subject
511 513
                              break;
......
515 517
                  }
516 518
              }
517 519

  
518
              if ( !isAuthorized(session, pid, Permission.WRITE) ) {
519
                  if (!allowed) {
520
                    String msg = "The subject identified by "
521
                            + subject.getValue()
522
                            + " does not have permission to set the replication status for "
523
                            + "the replica identified by "
524
                            + targetNode.getValue() + ".";
525
                    logMetacat.info(msg);
526
                    throw new NotAuthorized("4720", msg);
527
                }
520
              if ( !allowed ) {
521
                  //check for CN admin access
522
                  allowed = isAuthorized(session, pid, Permission.WRITE);
528 523
                  
524
              }              
525
              
526
              if ( !allowed ) {
527
                  String msg = "The subject identified by "
528
                          + subject.getValue()
529
                          + " does not have permission to set the replication status for "
530
                          + "the replica identified by "
531
                          + targetNode.getValue() + ".";
532
                  logMetacat.info(msg);
533
                  throw new NotAuthorized("4720", msg);
534
                  
529 535
              }
530
              
531 536

  
532 537
          } catch (RuntimeException e) { // Catch is generic since HZ throws RuntimeException
533 538
            throw new NotFound("4740", "No record found for: " + pid.getValue() +
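Review bot: The node test at lines 503–504 joins the target-node match and the node-type test with `||`, so if `node.getType() == NodeType.MN) {` is the new side (the gutter does not show which of the two 504 lines is new, but the commit description suggests it), a session subject found in any member node's subject list sets `allowed`, not only one belonging to the replica's target MN. That is wider than the inline comment `subject of session == target node subject` and the description's "replica target MN subject match". If target-only is the intent, the condition should read `if (targetNode.getValue().equals(nodeReference.getValue()) && node.getType() == NodeType.MN) {`. The comment `// allow target MN certs and CN certs` should then say that CN access is handled by the later `isAuthorized(session, pid, Permission.WRITE)` fallback. The enclosing loop and the definition of `nodeReference` lie outside the visible lines, so confirm this against the full method.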
