From 07b1bee3da0252b7d58a785e4c47a78c4e94d254 Mon Sep 17 00:00:00 2001
From: j2blake
Date: Mon, 18 Apr 2011 15:23:14 +0000
Subject: [PATCH] NIHVIVO-2492 JenaExportController must be accessible if either of two RequestedActions is authorized. Right now, the annotation can't handle that, so we use this method call instead. Not the best solution.
---
 .../webapp/controller/VitroHttpServlet.java | 32 +++++++++++++++++++
 .../controller/jena/JenaExportController.java | 10 +++---
 2 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/VitroHttpServlet.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/VitroHttpServlet.java
index a94b19d5c..76a3ba9a4 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/VitroHttpServlet.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/VitroHttpServlet.java
@@ -24,6 +24,7 @@ import org.apache.commons.logging.LogFactory;
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
 import edu.cornell.mannlib.vitro.webapp.beans.DisplayMessage;
 import edu.cornell.mannlib.vitro.webapp.controller.authenticate.LogoutRedirector;
@@ -163,6 +164,37 @@ public class VitroHttpServlet extends HttpServlet {
 }
 }
+ /**
+ * If none of these actions are authorized by the current policy, redirect
+ * them to the appropriate page.
+ *
+ * Currently the RequiresAuthorizationFor annotation can't handle "or"
+ * situations, so we need to do an explicit call to this method. You should
+ * still use the annotation with no actions, so we know this is a restricted
+ * page when we logout.
+ */
+ public static boolean checkIfAnyActionsAreAuthorized(
+ HttpServletRequest request, HttpServletResponse response,
+ Class... actionClasses) {
+ for (Class actionClass : actionClasses) {
+ if (PolicyHelper.isAuthorized(request, actionClass)) {
+ log.trace("Authorized for '" + actionClass.getSimpleName()
+ + "'");
+ return true;
+ }
+ }
+ LoginStatusBean statusBean = LoginStatusBean.getBean(request);
+ if (statusBean.isLoggedIn()) {
+ log.trace("Authorization is insufficient for requested actions");
+ redirectToInsufficientAuthorizationPage(request, response);
+ return false;
+ } else {
+ log.trace("Not logged in; not sufficient for requested actions");
+ redirectToLoginPage(request, response);
+ return false;
+ }
+ }
 /**
 * Logged in, but with insufficent authorization. Send them to the home page
 * with a message. They won't be coming back.
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/jena/JenaExportController.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/jena/JenaExportController.java
index e6c51a3e6..3476b63a8 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/jena/JenaExportController.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/jena/JenaExportController.java
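Review bot: `checkIfAnyActionsAreAuthorized` takes raw `Class... actionClasses`, so any class at all can be handed to `PolicyHelper.isAuthorized`, and the `RequestedAction` import this commit adds is never used; tightening the parameter to `Class<? extends RequestedAction>... actionClasses` (and the loop variable to `Class<? extends RequestedAction> actionClass`) lets the compiler reject non-action classes instead of leaving it to the policy at runtime. The Javadoc should also spell out the caller's obligation, since the method has already written a redirect by the time it returns false: `@return true if at least one action is authorized; false if a redirect has already been sent, in which case the caller must return without touching the response`. Calling it with no classes skips the loop and falls through to the redirect, which is the safe default and worth stating in that same comment.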
@@ -21,21 +21,23 @@ import com.hp.hpl.jena.shared.Lock;
 import edu.cornell.mannlib.vedit.controller.BaseEditController;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper.RequiresAuthorizationFor;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseAdvancedDataToolsPages;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseOntologyEditorPages;
 import edu.cornell.mannlib.vitro.webapp.controller.Controllers;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.dao.jena.JenaModelUtils;
 import edu.cornell.mannlib.vitro.webapp.dao.jena.ModelContext;
 import edu.cornell.mannlib.vitro.webapp.servlet.setup.JenaDataSourceSetupBase;
-@RequiresAuthorizationFor(UseAdvancedDataToolsPages.class)
+@RequiresAuthorizationFor(/* either-or; see call to checkIfAnyActionsAreAuthorized */)
 public class JenaExportController extends BaseEditController {
 public void doGet( HttpServletRequest request, HttpServletResponse response ) {
- VitroRequest vreq = new VitroRequest(request);
- if (!checkLoginStatus(vreq,response))
- return;
+ if (!checkIfAnyActionsAreAuthorized(vreq, response,
+ UseAdvancedDataToolsPages.class, UseOntologyEditorPages.class)) {
+ return;
+ }
 if ( vreq.getRequestURL().indexOf("/download/") > -1 ) {
 outputRDF( vreq, response );
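Review bot: With the class annotation reduced to `@RequiresAuthorizationFor()`, the only action check left on this servlet is the explicit call at the top of `doGet`, so any other entry point the class may have (a `doPost`, for instance — none is visible in this hunk) is no longer gated by `UseAdvancedDataToolsPages` unless it makes the same call or delegates to `doGet`; please confirm that before merging. The empty annotation deserves a proper comment above it rather than a remark inside the argument list, e.g. `// No actions listed: access is UseAdvancedDataToolsPages OR UseOntologyEditorPages, enforced by checkIfAnyActionsAreAuthorized() in doGet(); the empty annotation only marks this page as restricted for logout handling.` Note also that the hunk reads as removing `VitroRequest vreq = new VitroRequest(request);` while the new call still passes `vreq`; if that is a real deletion rather than a collapsed whitespace-only line, `doGet` will not compile, so check that the declaration survives. `doGet`'s body continues past the end of the hunk.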