diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/identifier/common/CommonIdentifierBundleFactory.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/identifier/common/CommonIdentifierBundleFactory.java
index 44da8b360..e19567403 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/identifier/common/CommonIdentifierBundleFactory.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/identifier/common/CommonIdentifierBundleFactory.java
@@ -170,13 +170,16 @@ public class CommonIdentifierBundleFactory implements IdentifierBundleFactory {
  */
  private Collection createPermissionIdentifiers(
  HttpServletRequest req) {
- Collection ids = new ArrayList();
-
  UserAccount user = LoginStatusBean.getCurrentUser(req);
  if (user == null) {
- log.debug("No Permissions: not logged in.");
- return ids;
+ return createPublicPermissions();
+ } else {
+ return createUserPermissions(user);
  }
+ }
+
+ private Collection createPublicPermissions() {
+ Collection ids = new ArrayList();
 
  WebappDaoFactory wdf = (WebappDaoFactory) context
  .getAttribute("webappDaoFactory");
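Review bot: A logged-in user never receives the permissions of the public set: `createPermissionIdentifiers` now returns either `createPublicPermissions()` or `createUserPermissions(user)`, so a permission granted only to `auth:PUBLIC` would presumably be available to anonymous visitors but denied to anyone who signs in. This commit copes by also listing `QueryFullModel` in every logged-in permission set in permission_config.n3, but that invariant lives only in the config file and nothing in this method enforces it. I would make the logged-in branch a union, `Collection ids = new ArrayList(createPublicPermissions()); ids.addAll(createUserPermissions(user)); return ids;`, or at least put a comment on the `else` branch stating that every permission in a public set must also be granted to each logged-in set. `createPublicPermissions` continues past the end of this hunk.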
@@ -184,22 +187,51 @@ public class CommonIdentifierBundleFactory implements IdentifierBundleFactory {
  log.error("Could not get a WebappDaoFactory from the ServletContext");
  return ids;
  }
-
- Set permissionUris = new HashSet();
+
  UserAccountsDao uaDao = wdf.getUserAccountsDao();
- for (String psUri: user.getPermissionSetUris()) {
+
+ Set permissionUris = new HashSet();
+ for (PermissionSet ps : uaDao.getAllPermissionSets()) {
+ if (ps.isForPublic()) {
+ permissionUris.addAll(ps.getPermissionUris());
+ }
+ }
+
+ PermissionRegistry registry = PermissionRegistry.getRegistry(context);
+ for (String permissionUri : permissionUris) {
+ Permission permission = registry.getPermission(permissionUri);
+ ids.add(new HasPermission(permission));
+ }
+
+ return ids;
+ }
+
+ private Collection createUserPermissions(UserAccount user) {
+ Collection ids = new ArrayList();
+
+ WebappDaoFactory wdf = (WebappDaoFactory) context
+ .getAttribute("webappDaoFactory");
+ if (wdf == null) {
+ log.error("Could not get a WebappDaoFactory from the ServletContext");
+ return ids;
+ }
+
+ UserAccountsDao uaDao = wdf.getUserAccountsDao();
+
+ Set permissionUris = new HashSet();
+ for (String psUri : user.getPermissionSetUris()) {
  PermissionSet ps = uaDao.getPermissionSetByUri(psUri);
  if (ps != null) {
  permissionUris.addAll(ps.getPermissionUris());
  }
  }
-
+
  PermissionRegistry registry = PermissionRegistry.getRegistry(context);
- for (String permissionUri: permissionUris) {
+ for (String permissionUri : permissionUris) {
  Permission permission = registry.getPermission(permissionUri);
  ids.add(new HasPermission(permission));
  }
-
+
  return ids;
  }
 
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/permissions/SimplePermission.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/permissions/SimplePermission.java
index 10e9e5e8b..b8b1195a3 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/permissions/SimplePermission.java
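Review bot: Neither loop checks the result of `registry.getPermission(permissionUri)` before wrapping it in `new HasPermission(permission)`, so a permission URI that appears in a PermissionSet but is unknown to the registry (a typo in permission_config.n3, or a permission removed from the code later) would, if `getPermission` returns null rather than throwing, put a `HasPermission(null)` identifier into every request's bundle; what downstream policies make of that is not visible here. I would guard both loops with `if (permission == null) { log.warn("Unknown permission URI: " + permissionUri); continue; }`. The WebappDaoFactory and UserAccountsDao lookup is now duplicated verbatim in both methods and could live in one small private helper. `createPublicPermissions` begins before this hunk.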
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/permissions/SimplePermission.java
@@ -52,6 +52,8 @@ public class SimplePermission implements Permission {
  "ManageTabs");
  public static final SimplePermission MANAGE_USER_ACCOUNTS = new SimplePermission(
  "ManageUserAccounts");
+ public static final SimplePermission QUERY_FULL_MODEL = new SimplePermission(
+ "QueryFullModel");
  public static final SimplePermission QUERY_USER_ACCOUNTS_MODEL = new SimplePermission(
  "QueryUserAccountsModel");
  public static final SimplePermission REBUILD_VCLASS_GROUP_CACHE = new SimplePermission(
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/UseRestrictedPagesByRoleLevelPolicy.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/UseRestrictedPagesByRoleLevelPolicy.java
deleted file mode 100644
index 3ee7efb12..000000000
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/UseRestrictedPagesByRoleLevelPolicy.java
+++ /dev/null
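Review bot: `QUERY_FULL_MODEL` replaces a policy that was hard-wired to authorize the action at `RoleLevel.PUBLIC`, and whether it is still public now depends on which permission sets list it, which a reader of this class cannot see. A one-line Javadoc on the constant would keep that visible, e.g. `/** Query the full data model (SPARQL AJAX). Granted to the auth:PUBLIC set in permission_config.n3, i.e. to users who are not logged in. */`.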
@@ -1,83 +0,0 @@
-/* $This file is distributed under the terms of the license in /doc/license.txt$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.policy;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.HasRoleLevel;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.querymodel.QueryFullModel;
-import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
-
-/**
- * Check the users role level to determine whether they are allowed to use
- * restricted pages.
- */
-public class UseRestrictedPagesByRoleLevelPolicy implements PolicyIface {
- private static final Log log = LogFactory
- .getLog(UseRestrictedPagesByRoleLevelPolicy.class);
-
- @Override
- public PolicyDecision isAuthorized(IdentifierBundle whoToAuth,
- RequestedAction whatToAuth) {
- if (whoToAuth == null) {
- return defaultDecision("whomToAuth was null");
- }
- if (whatToAuth == null) {
- return defaultDecision("whatToAuth was null");
- }
-
- RoleLevel userRole = HasRoleLevel.getUsersRoleLevel(whoToAuth);
-
- PolicyDecision result;
- if (whatToAuth instanceof QueryFullModel) {
- result = isAuthorized(whatToAuth, RoleLevel.PUBLIC, userRole);
-
- } else {
- result = defaultDecision("Unrecognized action");
- }
-
- log.debug("decision for '" + whatToAuth + "' is " + result);
- return result;
- }
-
- /** Authorize if user's role is at least as high as the required role. */
- private PolicyDecision isAuthorized(RequestedAction whatToAuth,
- RoleLevel requiredRole, RoleLevel currentRole) {
- if (isRoleAtLeast(requiredRole, currentRole)) {
- return authorized("User may view page: " + whatToAuth
- + ", requiredRole=" + requiredRole + ", currentRole="
- + currentRole);
- } else {
- return defaultDecision("User may not view page: " + whatToAuth
- + ", requiredRole=" + requiredRole + ", currentRole="
- + currentRole);
- }
- }
-
- private boolean isRoleAtLeast(RoleLevel required, RoleLevel current) {
- return (current.compareTo(required) >= 0);
- }
-
- /** If the user is explicitly authorized, return this. */
- private PolicyDecision authorized(String message) {
- String className = this.getClass().getSimpleName();
- return new BasicPolicyDecision(Authorization.AUTHORIZED, className
- + ": " + message);
- }
-
- /** If the user isn't explicitly authorized, return this. */
- private PolicyDecision defaultDecision(String message) {
- return new BasicPolicyDecision(Authorization.INCONCLUSIVE, message);
- }
-
- @Override
- public String toString() {
- return this.getClass().getSimpleName() + " - " + hashCode();
- }
-}
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/setup/CommonPolicyFamilySetup.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/setup/CommonPolicyFamilySetup.java
index 2a9d02a27..343e31a5d 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/setup/CommonPolicyFamilySetup.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/setup/CommonPolicyFamilySetup.java
@@ -14,7 +14,6 @@ import edu.cornell.mannlib.vitro.webapp.auth.policy.EditRestrictedDataByRoleLeve
 import edu.cornell.mannlib.vitro.webapp.auth.policy.PermissionsPolicy;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.SelfEditingPolicy;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.ServletPolicyList;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.UseRestrictedPagesByRoleLevelPolicy;
 import edu.cornell.mannlib.vitro.webapp.startup.StartupStatus;
 
 /**
@@ -36,8 +35,6 @@ public class CommonPolicyFamilySetup implements ServletContextListener {
  new DisplayRestrictedDataToSelfPolicy(ctx));
  ServletPolicyList.addPolicy(ctx,
  new EditRestrictedDataByRoleLevelPolicy(ctx));
- ServletPolicyList.addPolicy(ctx,
- new UseRestrictedPagesByRoleLevelPolicy());
  ServletPolicyList.addPolicy(ctx,
  new SelfEditingPolicy(ctx));
 
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/querymodel/QueryFullModel.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/querymodel/QueryFullModel.java
deleted file mode 100644
index db3473b98..000000000
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/querymodel/QueryFullModel.java
+++ /dev/null
@@ -1,10 +0,0 @@
-/* $This file is distributed under the terms of the license in /doc/license.txt$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.querymodel;
-
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
-
-/** Should we allow the user to query the full data model? */
-public class QueryFullModel extends RequestedAction {
- // no fields
-}
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/ajax/SparqlQueryAjaxController.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/ajax/SparqlQueryAjaxController.java
index de461c8cb..7a326c18e 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/ajax/SparqlQueryAjaxController.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/ajax/SparqlQueryAjaxController.java
@@ -28,7 +28,6 @@ import com.hp.hpl.jena.rdf.model.Model;
 
 import edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.Actions;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.querymodel.QueryFullModel;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.dao.jena.OntModelSelector;
 
@@ -55,7 +54,7 @@ public class SparqlQueryAjaxController extends VitroAjaxController {
  if (OPTION_MODEL_USER_ACCOUNTS.equals(modelParam)) {
  return SimplePermission.QUERY_USER_ACCOUNTS_MODEL.ACTIONS;
  } else {
- return new Actions(new QueryFullModel());
+ return SimplePermission.QUERY_FULL_MODEL.ACTIONS;
  }
  }
 
diff --git a/webapp/web/WEB-INF/resources/permission_config.n3 b/webapp/web/WEB-INF/resources/permission_config.n3
index eca3dde66..67ecf59c7 100644
--- a/webapp/web/WEB-INF/resources/permission_config.n3
+++ b/webapp/web/WEB-INF/resources/permission_config.n3
@@ -42,6 +42,9 @@ auth:ADMIN
  auth:hasPermission simplePermission:QueryUserAccountsModel ;
  auth:hasPermission simplePermission:UseBasicAjaxControllers ;
  auth:hasPermission simplePermission:UseMiscellaneousPages ;
+
+ # permissions for ANY user, even if they are not logged in.
+ auth:hasPermission simplePermission:QueryFullModel ;
  .
 
 auth:CURATOR
@@ -70,6 +73,9 @@ auth:CURATOR
  auth:hasPermission simplePermission:QueryUserAccountsModel ;
  auth:hasPermission simplePermission:UseBasicAjaxControllers ;
  auth:hasPermission simplePermission:UseMiscellaneousPages ;
+
+ # permissions for ANY user, even if they are not logged in.
+ auth:hasPermission simplePermission:QueryFullModel ;
  .
 
 auth:EDITOR
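Review bot: The `else` branch maps every `modelParam` other than `OPTION_MODEL_USER_ACCOUNTS` — including a missing or unrecognized value — to `QUERY_FULL_MODEL`, which permission_config.n3 in this same commit grants to the `auth:PUBLIC` set, so an unexpected parameter is authorized at the most permissive level rather than rejected. That is only safe if the model-selection code (not in this hunk) also treats every such value as the full model; if it ever selects something else for an unknown option the authorization check and the data served would diverge. I would either reject unknown values explicitly or pin the intent with a comment on the branch, `// Anything other than the user-accounts model is the full model, which is publicly queryable; keep in step with model selection.`. The enclosing method begins before this hunk.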
@@ -90,11 +96,14 @@ auth:EDITOR
  auth:hasPermission simplePermission:QueryUserAccountsModel ;
  auth:hasPermission simplePermission:UseBasicAjaxControllers ;
  auth:hasPermission simplePermission:UseMiscellaneousPages ;
+
+ # permissions for ANY user, even if they are not logged in.
+ auth:hasPermission simplePermission:QueryFullModel ;
  .
 
 auth:SELF_EDITOR
  a auth:PermissionSet ;
- a auth:DefaultPermissionSetForNewUsers ;
+ a auth:PermissionSetForNewUsers ;
  rdfs:label "Self Editor" ;
 
  # permissions for ANY logged-in user.
@@ -104,4 +113,16 @@ auth:SELF_EDITOR
  auth:hasPermission simplePermission:QueryUserAccountsModel ;
  auth:hasPermission simplePermission:UseBasicAjaxControllers ;
  auth:hasPermission simplePermission:UseMiscellaneousPages ;
+
+ # permissions for ANY user, even if they are not logged in.
+ auth:hasPermission simplePermission:QueryFullModel ;
+ .
+
+auth:PUBLIC
+ a auth:PermissionSet ;
+ a auth:PermissionSetForPublic ;
+ rdfs:label "Public" ;
+
+ # permissions for ANY user, even if they are not logged in.
+ auth:hasPermission simplePermission:QueryFullModel ;
  .
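Review bot: The type of the self-editor set is renamed from `auth:DefaultPermissionSetForNewUsers` to `auth:PermissionSetForNewUsers`, and nothing in this hunk says what happens to a deployment whose user-accounts model already carries the old type; how this file is loaded into that model is not visible here, but if the old triples survive, the SELF_EDITOR set would presumably no longer be recognised as the set for new accounts. I would add a comment next to the new type line recording the rename and the version it happened in, and a migration note wherever this file is documented. The comment `# permissions for ANY user, even if they are not logged in.` under a logged-in set also reads oddly; `# also granted to the PUBLIC set below; logged-in users do not inherit it automatically, so keep the two in step.` states the actual reason for the duplication.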
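Review bot: The new `auth:PUBLIC` set carries no comment saying that its contents reach every unauthenticated request; `createPublicPermissions` in this commit collects every PermissionSet for which `isForPublic()` is true (how that flag is derived from `auth:PermissionSetForPublic` is not shown here), so anyone able to add that type to another set, or a permission to this one, widens anonymous access. I would add above the set: `# Permissions in this set are granted to EVERY request, logged in or not. Add to it with care.`.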