
Revision 9263

Added by Jing Tao over 9 years ago

For mn.update and mn.updateSystemMetadata, the following clients are allowed:
1. CNs.
2. Clients with appropriate permission calling the method on the authoritative nodes.


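--- a/src/edu/ucsb/nceas/metacat/dataone/MNodeService.java
+++ b/src/edu/ucsb/nceas/metacat/dataone/MNodeService.java
@@ -371,8 +371,9 @@
         }
 
         // does the subject have WRITE ( == update) priveleges on the pid?
-        allowed = isAuthorized(session, pid, Permission.WRITE);
-
+        //allowed = isAuthorized(session, pid, Permission.WRITE);
+        //CN having the permission is allowed; user with the write permission and calling on the authoritative node is allowed.
+        allowed = allowUpdating(session, pid, Permission.WRITE);
         if (allowed) {
         	
         	// check quality of SM
@@ -2207,10 +2208,6 @@
          throw new InvalidRequest("4863", "Please specify the id in the updateSystemMetadata request ") ;
      }
 
-	 if(!isAuthoritativeNode(pid)) {
-	     throw  new InvalidRequest("4863", "Client can only call updateSystemMetadata request on the authoritative memember node.");
-	 }
-
      if (session == null) {
          //TODO: many of the thrown exceptions do not use the correct error codes
          //check these against the docs and correct them
@@ -2219,12 +2216,18 @@
      } else {
          try {
              //Following session can do the change:
-           //- Authoritative Member Node (we can use isNodeAdmin since we checked isAuthoritativeNode in line 2159)
+           //- Authoritative Member Node (we can use isNodeAdmin since we checked isAuthoritativeNode )
              //- Owner of object (coved by the userHasPermission method)
              //- user subjects with the change permission
              //Note: Coordinating Node can not because MN is authoritative
+             /*if(!isAuthoritativeNode(pid)) {
+                throw  new InvalidRequest("4863", "Client can only call updateSystemMetadata request on the authoritative memember node.");
+             }
              if(!isNodeAdmin(session) && !userHasPermission(session, pid, Permission.CHANGE_PERMISSION)) {
                  throw new NotAuthorized("4861", "The client -"+ session.getSubject().getValue()+ "is not authorized for updating the system metadata of the object "+pid.getValue());
+             }*/
+             if(!allowUpdating(session, pid, Permission.CHANGE_PERMISSION)) {
+                 throw new NotAuthorized("4861", "The client -"+ session.getSubject().getValue()+ "is not authorized for updating the system metadata of the object "+pid.getValue());
              }
          } catch (NotFound e) {
              throw new InvalidRequest("4863", "Can't determine if the client has the permission to update the system metacat of the object with id "+pid.getValue()+" since "+e.getDescription());
@@ -2290,4 +2293,28 @@
         return isAuthoritativeNode;
     }
     
+    /*
+     * Rules are:
+     * 1. If the session has an cn object, it is allowed.
+     * 2. If it is not a cn object, the client should have approperate permission and it should also happen on the authorative node.
+     */
+    private boolean allowUpdating(Session session, Identifier pid, Permission permission) throws NotAuthorized, NotFound{
+        boolean allow = false;
+        if(isCNAdmin (session)) {
+            allow = true;
+        } else {
+            if(isAuthoritativeNode(pid)) {
+                if(userHasPermission(session, pid, permission)) {
+                    allow = true;
+                } else {
+                    allow = false;
+                }
+            } else {
+                throw new NotAuthorized("4861", "Client can only call the request on the authoritative memember node.");
+            }
+        }
+        return allow;
+        
+    }
+    
 }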
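Review bot: In updateSystemMetadata the new `allowUpdating(session, pid, Permission.CHANGE_PERMISSION)` check no longer consults `isNodeAdmin(session)`, which the now commented-out condition accepted. The member node's own admin subject is therefore authorized only if `userHasPermission` covers it; that helper is outside these hunks, so this needs confirming. The comment lines above the call still describe the old rule (authoritative MN via isNodeAdmin, "Coordinating Node can not"), which contradicts the new behaviour that a CN session is always allowed. I would replace them with `// Allowed: CN subjects; otherwise subjects with CHANGE_PERMISSION, and only on the authoritative MN` and delete the commented-out block instead of keeping it. `allowUpdating` also hard-codes detail code "4861" for its non-authoritative NotAuthorized, so the update() call site at new line 376 now raises that code too, and a non-authoritative updateSystemMetadata call changes from InvalidRequest 4863 to NotAuthorized 4861; both are worth checking against the documented codes. Because a CN session skips both the authoritative-node and the permission checks, logging the subject and pid on that branch would give an audit trail for those updates.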
