Revision 1250b949
Added by Andreas Kohlbecker about 6 years ago
| cdmlib-persistence/src/main/java/eu/etaxonomy/cdm/persistence/hibernate/permission/voter/CdmPermissionVoter.java | ||
|---|---|---|
| 20 | 20 |
import eu.etaxonomy.cdm.model.common.CdmBase; |
| 21 | 21 |
import eu.etaxonomy.cdm.persistence.hibernate.permission.CRUD; |
| 22 | 22 |
import eu.etaxonomy.cdm.persistence.hibernate.permission.CdmAuthority; |
| 23 |
import eu.etaxonomy.cdm.persistence.hibernate.permission.CdmPermissionClass; |
|
| 24 | 23 |
import eu.etaxonomy.cdm.persistence.hibernate.permission.CdmAuthorityParsingException; |
| 24 |
import eu.etaxonomy.cdm.persistence.hibernate.permission.CdmPermissionClass; |
|
| 25 | 25 |
|
| 26 | 26 |
/** |
| 27 | 27 |
* The <code>CdmPermissionVoter</code> provides access control votes for {@link CdmBase} objects.
|
| ... | ... | |
| 120 | 120 |
vr.isClassMatch = isALL || auth.getPermissionClass().equals(evalPermission.getPermissionClass()); |
| 121 | 121 |
vr.isPermissionMatch = auth.getOperation().containsAll(evalPermission.getOperation()); |
| 122 | 122 |
vr.isUuidMatch = auth.hasTargetUuid() && auth.getTargetUUID().equals(cdmBase.getUuid()); |
| 123 |
vr.isIgnoreUuidMatch = !auth.hasTargetUuid(); |
|
| 123 | 124 |
|
| 124 | 125 |
// first of all, always allow deleting orphan entities |
| 125 | 126 |
if(vr.isClassMatch && evalPermission.getOperation().equals(DELETE) && isOrpahn(cdmBase)) {
|
| ... | ... | |
| 127 | 128 |
} |
| 128 | 129 |
|
| 129 | 130 |
if(!auth.hasProperty()){
|
| 130 |
if ( !auth.hasTargetUuid() && vr.isClassMatch && vr.isPermissionMatch){
|
|
| 131 |
if ( vr.isIgnoreUuidMatch && vr.isClassMatch && vr.isPermissionMatch){
|
|
| 131 | 132 |
logger.debug("no targetUuid, class & permission match => ACCESS_GRANTED");
|
| 132 | 133 |
return ACCESS_GRANTED; |
| 133 | 134 |
} |
| ... | ... | |
| 215 | 216 |
* to {@link CdmPermissionVoter#furtherVotingDescisions(CdmAuthority, Object, Collection, ValidationResult)}
|
| 216 | 217 |
* |
| 217 | 218 |
* @author andreas kohlbecker |
| 218 |
* @date Sep 5, 2012
|
|
| 219 |
* @since Sep 5, 2012
|
|
| 219 | 220 |
* |
| 220 | 221 |
*/ |
| 221 | 222 |
protected class ValidationResult {
|
| 223 |
|
|
| 224 |
/** |
|
| 225 |
* ignore the result of the uuid match test completely |
|
| 226 |
* this flag becomes true when the authority given to |
|
| 227 |
* an authentication has no uuid part |
|
| 228 |
*/ |
|
| 229 |
public boolean isIgnoreUuidMatch; |
|
| 222 | 230 |
boolean isPermissionMatch = false; |
| 223 | 231 |
boolean isPropertyMatch = false; |
| 224 | 232 |
boolean isUuidMatch = false; |
| cdmlib-persistence/src/main/java/eu/etaxonomy/cdm/persistence/hibernate/permission/voter/RegistrationVoter.java | ||
|---|---|---|
| 44 | 44 |
* {@inheritDoc}
|
| 45 | 45 |
*/ |
| 46 | 46 |
@Override |
| 47 |
protected Integer furtherVotingDescisions(CdmAuthority cdmAuthority, Object object, Collection<ConfigAttribute> attributes, ValidationResult validationResult) {
|
|
| 47 |
protected Integer furtherVotingDescisions(CdmAuthority cdmAuthority, Object object, Collection<ConfigAttribute> attributes, ValidationResult vr) {
|
|
| 48 | 48 |
|
| 49 | 49 |
// we only need to implement the case where a property is contained in the authority |
| 50 | 50 |
// the other case is covered by the CdmPermissionVoter |
| 51 | 51 |
if(cdmAuthority.hasProperty() && object instanceof Registration){
|
| 52 | 52 |
|
| 53 | 53 |
RegistrationStatus status = ((Registration)object).getStatus(); |
| 54 |
if(cdmAuthority.getProperty().contains(status.name())){
|
|
| 55 |
return ACCESS_GRANTED; |
|
| 54 |
vr.isPropertyMatch = cdmAuthority.getProperty().contains(status.name()); |
|
| 55 |
logger.debug("property is matching");
|
|
| 56 |
|
|
| 57 |
if(vr.isPropertyMatch){
|
|
| 58 |
if(vr.isIgnoreUuidMatch){
|
|
| 59 |
logger.debug("ignoring the uuid match result");
|
|
| 60 |
return ACCESS_GRANTED; |
|
| 61 |
} |
|
| 62 |
if(vr.isUuidMatch){
|
|
| 63 |
return ACCESS_GRANTED; |
|
| 64 |
} else {
|
|
| 65 |
return ACCESS_DENIED; |
|
| 66 |
} |
|
| 56 | 67 |
} else {
|
| 57 | 68 |
return ACCESS_DENIED; |
| 58 | 69 |
} |
| cdmlib-persistence/src/test/java/eu/etaxonomy/cdm/persistence/hibenate/permission/RegistrationVoterTest.java | ||
|---|---|---|
| 39 | 39 |
Registration regREJECTED; |
| 40 | 40 |
|
| 41 | 41 |
String prep_ready = EnumSet.of(RegistrationStatus.PREPARATION,RegistrationStatus.READY).toString().replaceAll("[\\s\\]\\[]", "");
|
| 42 |
String prep = EnumSet.of(RegistrationStatus.PREPARATION,RegistrationStatus.READY).toString().replaceAll("[\\s\\]\\[]", "");
|
|
| 42 | 43 |
|
| 43 | 44 |
Authentication auth; |
| 44 | 45 |
|
| ... | ... | |
| 90 | 91 |
assertEquals(AccessDecisionVoter.ACCESS_DENIED, vote); |
| 91 | 92 |
} |
| 92 | 93 |
|
| 94 |
/** |
|
| 95 |
* see https://dev.e-taxonomy.eu/redmine/issues/7323 |
|
| 96 |
*/ |
|
| 97 |
@Test |
|
| 98 |
public void issue7323() {
|
|
| 99 |
|
|
| 100 |
Registration regGranted = Registration.NewInstance(); |
|
| 101 |
regGranted.setStatus(RegistrationStatus.PREPARATION); |
|
| 102 |
|
|
| 103 |
Registration regRequired = Registration.NewInstance(); |
|
| 104 |
regRequired.setStatus(RegistrationStatus.PREPARATION); |
|
| 105 |
|
|
| 106 |
|
|
| 107 |
Authentication auth = authentication( |
|
| 108 |
new CdmAuthority(regGranted, prep, EnumSet.of(CRUD.UPDATE)) |
|
| 109 |
); |
|
| 110 |
int vote = voter.vote(auth, |
|
| 111 |
regRequired, |
|
| 112 |
// the attributes to test for |
|
| 113 |
Arrays.asList(new CdmAuthority(CdmPermissionClass.REGISTRATION, null, EnumSet.of(CRUD.UPDATE), regRequired.getUuid()))); |
|
| 114 |
assertEquals(AccessDecisionVoter.ACCESS_DENIED, vote); |
|
| 115 |
|
|
| 116 |
vote = voter.vote(auth, |
|
| 117 |
regGranted, |
|
| 118 |
// the attributes to test for |
|
| 119 |
Arrays.asList(new CdmAuthority(CdmPermissionClass.REGISTRATION, null, EnumSet.of(CRUD.UPDATE), regGranted.getUuid()))); |
|
| 120 |
assertEquals(AccessDecisionVoter.ACCESS_GRANTED, vote); |
|
| 121 |
} |
|
| 122 |
|
|
| 93 | 123 |
} |
Also available in: Unified diff
fix #7323 adding missing uuid match check in furtherVotingDescissions()