diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/UseRestrictedPagesByRoleLevelPolicy.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/UseRestrictedPagesByRoleLevelPolicy.java
index 01af0ecb5..70b2e3b19 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/UseRestrictedPagesByRoleLevelPolicy.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/UseRestrictedPagesByRoleLevelPolicy.java
@@ -13,6 +13,7 @@ import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseAdvancedDataToolsPages;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseEditUserAccountsPages;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseOntologyEditorPages;
 import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
@@ -41,6 +42,8 @@ public class UseRestrictedPagesByRoleLevelPolicy implements PolicyIface {
 result = isAuthorized(whatToAuth, RoleLevel.DB_ADMIN, userRole);
 } else if (whatToAuth instanceof UseOntologyEditorPages) {
 result = isAuthorized(whatToAuth, RoleLevel.CURATOR, userRole);
+ } else if (whatToAuth instanceof UseEditUserAccountsPages) {
+ result = isAuthorized(whatToAuth, RoleLevel.DB_ADMIN, userRole);
 } else {
 result = defaultDecision("Unrecognized action");
 }
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/usepages/UseEditUserAccountsPages.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/usepages/UseEditUserAccountsPages.java
new file mode 100644
index 000000000..fd131acc9
--- /dev/null
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/usepages/UseEditUserAccountsPages.java
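Review bot: The new `UseEditUserAccountsPages` branch maps to `RoleLevel.DB_ADMIN` with no hint of why, even though it is what now stands in for the `checkLoginStatus(request,response, LoginStatusBean.DBA)` guard this commit deletes from `UserEditController`; a future role-level tweak here would silently loosen every user-account page. I would put `// User-account pages: DB_ADMIN, replacing the former per-controller LoginStatusBean.DBA check` above the added `else if`. As a smaller style point, the branch whose body opens the hunk already resolves to `DB_ADMIN`, so the two `instanceof` tests could share one arm. The `isAuthorized` chain and its enclosing method start before the hunk.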
@@ -0,0 +1,11 @@
+/* $This file is distributed under the terms of the license in /doc/license.txt$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages;
+
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
+
+/** Should we allow the user to edit user accounts? */
+public class UseEditUserAccountsPages extends RequestedAction implements
+ UsePagesRequestedAction {
+ // no fields
+}
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/UserEditController.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/UserEditController.java
index 294465b4c..bec79d310 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/UserEditController.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/UserEditController.java
@@ -15,6 +15,8 @@ import org.apache.commons.logging.LogFactory;
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
 import edu.cornell.mannlib.vedit.controller.BaseEditController;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper.RequiresAuthorizationFor;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseEditUserAccountsPages;
 import edu.cornell.mannlib.vitro.webapp.beans.Individual;
 import edu.cornell.mannlib.vitro.webapp.beans.IndividualImpl;
 import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty;
@@ -27,6 +29,7 @@ import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.dao.UserDao;
 import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
+@RequiresAuthorizationFor(UseEditUserAccountsPages.class)
 public class UserEditController extends BaseEditController {
 private String[] roleNameStr = new String[51];
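Review bot: The Javadoc `/** Should we allow the user to edit user accounts? */` undersells what this action gates: the same commit puts it on `UsersListingController` as well, so it also guards listing and viewing accounts, and `UseRestrictedPagesByRoleLevelPolicy` resolves it to `DB_ADMIN`. I would write `/** May the user list, view or edit user accounts? Resolved to RoleLevel.DB_ADMIN by UseRestrictedPagesByRoleLevelPolicy. */` so readers of the marker class know both its scope and its effective level. The class carrying no state is consistent with the other `Use…Pages` actions the policy imports.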
@@ -39,17 +42,8 @@ public class UserEditController extends BaseEditController {
 roleNameStr[50] = "system administrator";
 }
- public void doPost (HttpServletRequest request, HttpServletResponse response) throws ServletException {
-
- if (!checkLoginStatus(request,response, LoginStatusBean.DBA))
- return;
-
- try {
- super.doGet(request,response);
- } catch (Exception e) {
- log.error(this.getClass().getName()+" caught exception calling doGet()");
- }
-
+ @Override
+ public void doPost (HttpServletRequest request, HttpServletResponse response) throws ServletException {
 VitroRequest vreq = new VitroRequest(request);
 Portal portal = vreq.getPortal();
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/UserRetryController.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/UserRetryController.java
index f0aff2849..4f5217d20 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/UserRetryController.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/UserRetryController.java
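Review bot: After this hunk `doPost` contains no authorization check at all: the `checkLoginStatus(request,response, LoginStatusBean.DBA)` guard is deleted and protection rests on the class-level `@RequiresAuthorizationFor(UseEditUserAccountsPages.class)`, whose enforcement point is not in this diff — presumably `BaseEditController` or a parent servlet's `service()`, and it must run before `doPost` or the account editor becomes reachable without DB_ADMIN. The `LoginStatusBean` import kept as context in the previous hunk looks unused once this guard is gone; drop it if nothing else in the file references it. The removed `super.doGet(...)` call swallowed every exception, so its removal reads as a cleanup, but check that `BaseEditController.doGet` did no setup this controller relied on. I would open the body with `// Authorization (DB_ADMIN via UseEditUserAccountsPages) is enforced by the class-level annotation before this runs`. `doPost` continues past the hunk.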
@@ -27,13 +27,16 @@ import edu.cornell.mannlib.vedit.listener.ChangeListener;
 import edu.cornell.mannlib.vedit.util.FormUtils;
 import edu.cornell.mannlib.vedit.validator.ValidationObject;
 import edu.cornell.mannlib.vedit.validator.Validator;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper.RequiresAuthorizationFor;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.setup.SelfEditingPolicySetup;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseEditUserAccountsPages;
 import edu.cornell.mannlib.vitro.webapp.beans.Portal;
 import edu.cornell.mannlib.vitro.webapp.beans.User;
 import edu.cornell.mannlib.vitro.webapp.controller.Controllers;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.dao.UserDao;
+@RequiresAuthorizationFor(UseEditUserAccountsPages.class)
 public class UserRetryController extends BaseEditController {
 private static final String ROLE_PROTOCOL = "role:/"; // this is weird; need to revisit
@@ -43,21 +46,10 @@ public class UserRetryController extends BaseEditController {
 public void doPost (HttpServletRequest req, HttpServletResponse response) {
 VitroRequest request = new VitroRequest(req);
-
- if (!checkLoginStatus(request,response))
- return;
-
- try {
- super.doGet(request,response);
- } catch (Exception e) {
- log.error(this.getClass().getName()+" encountered exception calling super.doGet()");
- }
-
- VitroRequest vreq = new VitroRequest(request);
 //create an EditProcessObject for this and put it in the session
 EditProcessObject epo = super.createEpo(request);
- epo.setDataAccessObject(vreq.getFullWebappDaoFactory().getVClassDao());
+ epo.setDataAccessObject(request.getFullWebappDaoFactory().getVClassDao());
 String action = null;
 if (epo.getAction() == null) {
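Review bot: This tightens access: the removed `checkLoginStatus(request,response)` named no role level, while the class-level `@RequiresAuthorizationFor(UseEditUserAccountsPages.class)` from the previous hunk now resolves to `DB_ADMIN` via `UseRestrictedPagesByRoleLevelPolicy`. That is the right level for a form that edits accounts and roles, but the file imports `SelfEditingPolicySetup`, so confirm no lower-privilege flow (a user editing their own account, say) depended on the looser check. Dropping the second `VitroRequest vreq` wrapper around an already-wrapped request and using `request` throughout is a welcome cleanup. I would record the tightening with `// Requires DB_ADMIN (UseEditUserAccountsPages); the old checkLoginStatus call set no explicit level` at the top of `doPost`. `doPost` continues beyond the hunk.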
@@ -67,7 +59,7 @@ public class UserRetryController extends BaseEditController {
 action = epo.getAction();
 }
- UserDao uDao = vreq.getFullWebappDaoFactory().getUserDao();
+ UserDao uDao = request.getFullWebappDaoFactory().getUserDao();
 epo.setDataAccessObject(uDao);
 User userForEditing = null;
@@ -90,7 +82,7 @@ public class UserRetryController extends BaseEditController {
 userForEditing = (User) epo.getNewBean();
 }
- populateBeanFromParams(userForEditing, vreq);
+ populateBeanFromParams(userForEditing, request);
 //validators
 Validator v = new PairedPasswordValidator();
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/listing/UsersListingController.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/listing/UsersListingController.java
index 95658b884..07b9d883b 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/listing/UsersListingController.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/listing/UsersListingController.java
@@ -13,12 +13,15 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import edu.cornell.mannlib.vedit.controller.BaseEditController;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper.RequiresAuthorizationFor;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseEditUserAccountsPages;
 import edu.cornell.mannlib.vitro.webapp.beans.Portal;
 import edu.cornell.mannlib.vitro.webapp.beans.User;
 import edu.cornell.mannlib.vitro.webapp.controller.Controllers;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.dao.UserDao;
+@RequiresAuthorizationFor(UseEditUserAccountsPages.class)
 public class UsersListingController extends BaseEditController {
 private String[] roleNameStr = new String[51];
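Review bot: Once the later hunk removes `checkLoginStatus` from `doGet`, this class-level `@RequiresAuthorizationFor(UseEditUserAccountsPages.class)` is the only access control on the user listing, and since `doPost` merely delegates to `doGet` both verbs depend on the annotation being evaluated by the base servlet before dispatch — that enforcement is not visible in this diff and should be confirmed. The page appears to render every account from `dao.getAllUsers()` together with role names, so a missed enforcement would disclose the user roster to anonymous callers. I would add `// Listing user accounts requires DB_ADMIN; enforced through the class annotation, not per-method checks` on the class.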
@@ -30,19 +33,11 @@ public class UsersListingController extends BaseEditController {
 roleNameStr[50] = "system administrator";
 }
- public void doGet(HttpServletRequest request, HttpServletResponse response) {
+ @Override
+ public void doGet(HttpServletRequest request, HttpServletResponse response) {
 VitroRequest vrequest = new VitroRequest(request);
 Portal portal = vrequest.getPortal();
- if(!checkLoginStatus(request,response))
- return;
-
- try {
- super.doGet(request, response);
- } catch (Throwable t) {
- t.printStackTrace();
- }
-
 UserDao dao = vrequest.getFullWebappDaoFactory().getUserDao();
 List users = dao.getAllUsers();
@@ -119,7 +114,8 @@ public class UsersListingController extends BaseEditController {
 }
- public void doPost(HttpServletRequest request, HttpServletResponse response) {
+ @Override
+ public void doPost(HttpServletRequest request, HttpServletResponse response) {
 doGet(request,response);
 }
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/SiteAdminController.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/SiteAdminController.java
index 0b1603b3a..ec8d64c6f 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/SiteAdminController.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/SiteAdminController.java
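Review bot: `List users = dao.getAllUsers();` just below the rewritten header stays a raw type although `User` is imported; `List<User> users = dao.getAllUsers();` would let the compiler check the later casts, provided `UserDao.getAllUsers()` is declared generic (not visible here). Removing the `catch (Throwable t) { t.printStackTrace(); }` wrapper is a clear improvement — it swallowed every `Throwable` and wrote to stdout rather than `log`. The `super.doGet(request, response)` call disappears with it, so confirm `BaseEditController.doGet` did no setup the listing needed. `doGet` continues past the hunk.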
@@ -20,6 +20,7 @@ import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseAdvance
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseOntologyEditorPages;
 import edu.cornell.mannlib.vitro.webapp.beans.VClassGroup;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
+import edu.cornell.mannlib.vitro.webapp.controller.edit.listing.UsersListingController;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.UrlBuilder.ParamMap;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.responsevalues.ResponseValues;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.responsevalues.TemplateResponseValues;
@@ -68,8 +69,6 @@ public class SiteAdminController extends FreemarkerHttpServlet {
 // of step with the levels required by the pages themselves. We should implement a
 // mechanism similar to what's used on the front end to display links to Site Admin
 // and Revision Info iff the user has access to those pages.
- // jeb228 This could be done with
- // PolicyHelper.areRequiredAuthorizationsSatisfied(req, SomeServlet.class);
 if (loginBean.isLoggedInAtLeast(LoginStatusBean.CURATOR)) {
 body.put("siteConfig", getSiteConfigurationData(vreq, urlBuilder));
 }
@@ -129,7 +128,7 @@ public class SiteAdminController extends FreemarkerHttpServlet {
 urls.put("tabs", urlBuilder.getPortalUrl("/listTabs"));
- if (LoginStatusBean.getBean(vreq).isLoggedInAtLeast(LoginStatusBean.DBA)) {
+ if (PolicyHelper.areRequiredAuthorizationsSatisfied(vreq, UsersListingController.class)) {
 urls.put("users", urlBuilder.getPortalUrl("/listUsers"));
 }
diff --git a/webapp/web/templates/edit/specific/user_edit.jsp b/webapp/web/templates/edit/specific/user_edit.jsp
index 16de14ab5..a41ec2049 100644
--- a/webapp/web/templates/edit/specific/user_edit.jsp
+++ b/webapp/web/templates/edit/specific/user_edit.jsp
@@ -6,6 +6,9 @@
+<%@ taglib prefix="vitro" uri="/WEB-INF/tlds/VitroUtils.tld" %>
+
+
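Review bot: The `users` link now asks `PolicyHelper.areRequiredAuthorizationsSatisfied(vreq, UsersListingController.class)`, which keeps the link in step with the target page's real requirement, but the `siteConfig` block in the earlier hunk still hard-codes `loginBean.isLoggedInAtLeast(LoginStatusBean.CURATOR)` while the comment above it asks for exactly this mechanism — the comment now half-describes a problem that is partly fixed. Either convert that check the same way (against whichever controller serves site configuration) or reword the comment to say only the `siteConfig` gate remains hard-coded. Neither hunk adds an import for `PolicyHelper`; if it is not already imported higher in the file the build will fail. Both hunks sit inside methods that begin outside the diff.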