169 |
169 |
throws InvalidToken, ServiceFailure, NotAuthorized, NotFound, NotImplemented {
|
170 |
170 |
|
171 |
171 |
String localId = null;
|
172 |
|
boolean allowed = false;
|
173 |
172 |
if (session == null) {
|
174 |
173 |
throw new InvalidToken("1330", "No session has been provided");
|
175 |
174 |
}
|
... | ... | |
187 |
186 |
} catch (McdbDocNotFoundException e) {
|
188 |
187 |
throw new NotFound("1340", "The object with the provided " + "identifier was not found.");
|
189 |
188 |
}
|
190 |
|
|
191 |
|
// only admin is allowed a full delete
|
192 |
|
allowed = isAdminAuthorized(session);
|
193 |
|
if (!allowed) {
|
194 |
|
throw new NotAuthorized("1320", "The provided identity does not have " + "permission to DELETE objects on the Member Node.");
|
195 |
|
}
|
196 |
189 |
|
197 |
190 |
try {
|
198 |
191 |
// delete the document, as admin
|
... | ... | |
640 |
633 |
try {
|
641 |
634 |
inputStream = handler.read(localId);
|
642 |
635 |
} catch (Exception e) {
|
643 |
|
throw new ServiceFailure("1020", "The object specified by " +
|
|
636 |
throw new NotFound("1020", "The object specified by " +
|
644 |
637 |
pid.getValue() +
|
645 |
638 |
"could not be returned due to error: " +
|
646 |
639 |
e.getMessage());
|
... | ... | |
848 |
841 |
}
|
849 |
842 |
|
850 |
843 |
/**
|
|
844 |
* Test if the user identified by the provided token has administrative authorization
|
|
845 |
* on this node because they are calling themselves
|
|
846 |
*
|
|
847 |
* @param session - the Session object containing the credentials for the Subject
|
|
848 |
*
|
|
849 |
* @return true if the user is this node
|
|
850 |
* @throws ServiceFailure
|
|
851 |
* @throws NotImplemented
|
|
852 |
*/
|
|
853 |
public boolean isNodeAdmin(Session session) throws NotImplemented, ServiceFailure {
|
|
854 |
|
|
855 |
boolean allowed = false;
|
|
856 |
|
|
857 |
// must have a session in order to check admin
|
|
858 |
if (session == null) {
|
|
859 |
logMetacat.debug("In isNodeAdmin(), session is null ");
|
|
860 |
return false;
|
|
861 |
}
|
|
862 |
|
|
863 |
logMetacat.debug("In isNodeAdmin(), MN authorization for " +
|
|
864 |
session.getSubject().getValue());
|
|
865 |
|
|
866 |
Node node = MNodeService.getInstance(request).getCapabilities();
|
|
867 |
NodeReference nodeReference = node.getIdentifier();
|
|
868 |
logMetacat.debug("In isNodeAdmin(), Node reference is: " + nodeReference.getValue());
|
|
869 |
|
|
870 |
Subject subject = session.getSubject();
|
|
871 |
|
|
872 |
if (node.getType() == NodeType.MN) {
|
|
873 |
List<Subject> nodeSubjects = node.getSubjectList();
|
|
874 |
|
|
875 |
// check if the session subject is in the node subject list
|
|
876 |
for (Subject nodeSubject : nodeSubjects) {
|
|
877 |
logMetacat.debug("In isNodeAdmin(), comparing subjects: " +
|
|
878 |
nodeSubject.getValue() + " and " + subject.getValue());
|
|
879 |
if ( nodeSubject.equals(subject) ) {
|
|
880 |
allowed = true; // subject of session == this node's subect
|
|
881 |
break;
|
|
882 |
}
|
|
883 |
}
|
|
884 |
}
|
|
885 |
|
|
886 |
return allowed;
|
|
887 |
}
|
|
888 |
|
|
889 |
/**
|
851 |
890 |
* Test if the user identified by the provided token has authorization
|
852 |
891 |
* for the operation on the specified object.
|
853 |
892 |
*
|
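Review bot: With the `isAdminAuthorized(session)` gate removed in the first hunk, the visible lines of this `delete()` go from the identifier lookup straight to `// delete the document, as admin` with only a null-session check in front, so authorization now depends entirely on the caller. The description says the CN and MN decide this differently, presumably in callers or subclasses that are not shown here. If that is the intent, record the contract where the check used to sit, for example `// No authorization is performed here: the CN/MN delete() must authorize the session before delegating`, so a later caller does not reach the admin-level delete unchecked. The new `isNodeAdmin()` in the last hunk looks like the intended MN-side check, but it calls `session.getSubject().getValue()` in a debug log before any null check on the subject; a guard such as `if (session == null || session.getSubject() == null) return false;` would keep it failing closed. The body of `delete()` starts before the hunk and continues after it.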
Handle authorization for delete() differently on the CN and the MN.
On the CN, only the CN (or an admin user, still to be determined) can call it.
On the MN, both the CN (or an admin user) and the MN itself can call it.