Revision 7142
Added by ben leinfelder over 12 years ago
src/edu/ucsb/nceas/metacat/restservice/MNResourceHandler.java | ||
---|---|---|
631 | 631 |
* @throws NotImplemented |
632 | 632 |
* @throws IllegalAccessException |
633 | 633 |
* @throws InstantiationException |
634 |
* @throws InvalidToken |
|
634 | 635 |
*/ |
635 | 636 |
private void replicate() |
636 | 637 |
throws ServiceFailure, InvalidRequest, IOException, FileUploadException, |
637 | 638 |
JiBXException, NotImplemented, NotAuthorized, InsufficientResources, |
638 |
UnsupportedType, InstantiationException, IllegalAccessException { |
|
639 |
UnsupportedType, InstantiationException, IllegalAccessException, InvalidToken {
|
|
639 | 640 |
|
640 | 641 |
logMetacat.debug("in POST replicate()"); |
641 | 642 |
|
642 | 643 |
// somewhat unorthodox, but the call is asynchronous and we'd like to return this info sooner |
644 |
boolean allowed = false; |
|
643 | 645 |
if (session == null) { |
644 | 646 |
String msg = "No session was provided."; |
645 | 647 |
NotAuthorized failure = new NotAuthorized("2152", msg); |
646 | 648 |
throw failure; |
649 |
} else { |
|
650 |
allowed = MNodeService.getInstance(request).isAdminAuthorized(session); |
|
651 |
if (!allowed) { |
|
652 |
String msg = "User is not an admin user"; |
|
653 |
NotAuthorized failure = new NotAuthorized("2152", msg); |
|
654 |
throw failure; |
|
655 |
} |
|
647 | 656 |
} |
648 | 657 |
|
649 | 658 |
//parse the systemMetadata |
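Review bot: The `else` block around the admin check is unnecessary because the null-session branch throws, and `allowed` is initialised to false only to be overwritten on the next line; the gate reads more directly as `if (!MNodeService.getInstance(request).isAdminAuthorized(session)) { throw new NotAuthorized("2152", "User is not an admin user"); }`. The explicit null check is still worth keeping here, since isAdminAuthorized() returns false for a null session rather than throwing, and this path gives the caller a distinct message. The comment at new line 643 explains why the check is unorthodox but not what it protects; given the commit message, it could read `// authorize synchronously here, before the asynchronous replicate work starts, so the caller gets the NotAuthorized immediately`, though the asynchronous part of replicate() is below the hunk and I cannot see it. The body of replicate() continues past the end of the hunk.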
src/edu/ucsb/nceas/metacat/dataone/MNodeService.java | ||
---|---|---|
913 | 913 |
|
914 | 914 |
//are we allowed? only CNs |
915 | 915 |
try { |
916 |
allowed = isAdminAuthorized(session, pid, Permission.READ);
|
|
916 |
allowed = isAdminAuthorized(session); |
|
917 | 917 |
if ( !allowed ){ |
918 | 918 |
throw new NotAuthorized("2162", |
919 | 919 |
"Not allowed to call synchronizationFailed() on this node."); |
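Review bot: Dropping `pid` and `Permission.READ` from the isAdminAuthorized() call also drops them from the only place they were logged (the debug line in D1NodeService that this commit rewrites), so a denied synchronizationFailed() call no longer records which pid it concerned anywhere visible in this hunk. If that context is wanted for diagnostics, log it at the call site before throwing, e.g. `logMetacat.debug("synchronizationFailed() denied for pid " + pid.getValue());`, assuming `pid` is still in scope as it was on the removed line. The same applies to the two CNodeService call sites at new lines 340 and 1240. The enclosing try block ends outside the hunk.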
src/edu/ucsb/nceas/metacat/dataone/CNodeService.java | ||
---|---|---|
337 | 337 |
throws InvalidToken, ServiceFailure, NotAuthorized, NotFound, NotImplemented { |
338 | 338 |
|
339 | 339 |
// check that it is CN/admin |
340 |
boolean allowed = isAdminAuthorized(session, pid, Permission.CHANGE_PERMISSION);
|
|
340 |
boolean allowed = isAdminAuthorized(session); |
|
341 | 341 |
|
342 | 342 |
if (!allowed) { |
343 | 343 |
String msg = "The subject is not allowed to call delete() on a Coordinating Node."; |
... | ... | |
1237 | 1237 |
lock = HazelcastService.getInstance().getLock(pid.getValue()); |
1238 | 1238 |
// are we allowed? |
1239 | 1239 |
boolean isAllowed = false; |
1240 |
isAllowed = isAdminAuthorized(session, pid, Permission.WRITE);
|
|
1240 |
isAllowed = isAdminAuthorized(session); |
|
1241 | 1241 |
|
1242 | 1242 |
// proceed if we're called by a CN |
1243 | 1243 |
if ( isAllowed ) { |
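Review bot: At new lines 1239-1240 `isAllowed` is declared as false and then immediately reassigned; with the parameters gone the two lines collapse to `boolean isAllowed = isAdminAuthorized(session);`, which also removes the window in which the variable holds a misleading value. The delete() hunk at new line 340 already uses that single-line form, so the two sites would then match. Both enclosing methods start and end outside the hunks shown.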
src/edu/ucsb/nceas/metacat/dataone/D1NodeService.java | ||
---|---|---|
800 | 800 |
|
801 | 801 |
/** |
802 | 802 |
* Test if the user identified by the provided token has administrative authorization |
803 |
* for the operation on the specified object. |
|
804 | 803 |
* |
805 | 804 |
* @param session - the Session object containing the credentials for the Subject |
806 |
* @param pid - The identifer of the resource for which access is being checked |
|
807 |
* @param operation - The type of operation which is being requested for the given pid |
|
808 | 805 |
* |
809 |
* @return true if the operation is allowed
|
|
806 |
* @return true if the user is admin
|
|
810 | 807 |
* |
811 | 808 |
* @throws ServiceFailure |
812 | 809 |
* @throws InvalidToken |
... | ... | |
814 | 811 |
* @throws NotAuthorized |
815 | 812 |
* @throws NotImplemented |
816 | 813 |
*/ |
817 |
protected boolean isAdminAuthorized(Session session, Identifier pid, |
|
818 |
Permission permission) |
|
814 |
public boolean isAdminAuthorized(Session session) |
|
819 | 815 |
throws ServiceFailure, InvalidToken, NotAuthorized, |
820 | 816 |
NotImplemented { |
821 | 817 |
|
... | ... | |
823 | 819 |
|
824 | 820 |
// must have a session in order to check admin |
825 | 821 |
if (session == null) { |
826 |
logMetacat.debug("In isAdminAuthorized(), session is null for " + |
|
827 |
"identifier " + pid.getValue() + " and permission " + |
|
828 |
permission.toString()); |
|
829 |
return false; |
|
822 |
logMetacat.debug("In isAdminAuthorized(), session is null "); |
|
823 |
return false; |
|
830 | 824 |
} |
831 | 825 |
|
832 | 826 |
logMetacat.debug("In isAdminAuthorized(), checking CN or MN authorization for " + |
833 |
session.getSubject().getValue() + " on identifier " + pid.getValue());
|
|
827 |
session.getSubject().getValue()); |
|
834 | 828 |
|
835 | 829 |
// are we allowed to do this? only CNs are allowed |
836 | 830 |
CNode cn = D1Client.getCN(); |
... | ... | |
900 | 894 |
List<Permission> expandedPermissions = null; |
901 | 895 |
|
902 | 896 |
// always allow CN access |
903 |
if ( isAdminAuthorized(session, pid, permission) ) {
|
|
897 |
if ( isAdminAuthorized(session) ) { |
|
904 | 898 |
allowed = true; |
905 | 899 |
return allowed; |
906 | 900 |
|
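Review bot: Now that isAdminAuthorized() is public, its Javadoc should state the contract the body shows: a null session yields `false` rather than an InvalidToken (new lines 821-823), and per the comment at new line 829 the check is whether the subject is a CN, though the comparison itself is below the hunk. A return tag such as `* @return true if the subject is recognized as an administrator (a CN); false when session is null or the subject is not one` would tell new callers they must act on the boolean, as replicate() does, instead of expecting an exception. The summary sentence still says "for the operation on the specified object" in spirit by keeping "has administrative authorization" with no object; reword it to `* Test if the subject in the provided session has administrative (CN) authorization.` The debug string at new line 822 has a trailing space before the closing quote. In the second hunk, `allowed = true; return allowed;` at new lines 898-899 could simply be `return true;`; that method starts outside the hunk.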
remove extraneous pid and permission parameters from isAdminAuthorized() method and make public so that it can be called in other locations - namely before our asynchronous replicate() implementation on the MN.