NIHVIVO-3523 Convert all simple PUBLIC-or-above requested actions to SimplePermissions.

j2blake 2011-12-22 15:33:48 +00:00
parent e5894ee80a
commit 45e8d0c654
7 changed files with 67 additions and 109 deletions


@ -170,13 +170,16 @@ public class CommonIdentifierBundleFactory implements IdentifierBundleFactory {
*/ */
private Collection<? extends Identifier> createPermissionIdentifiers( private Collection<? extends Identifier> createPermissionIdentifiers(
HttpServletRequest req) { HttpServletRequest req) {
Collection<Identifier> ids = new ArrayList<Identifier>();
UserAccount user = LoginStatusBean.getCurrentUser(req); UserAccount user = LoginStatusBean.getCurrentUser(req);
if (user == null) { if (user == null) {
log.debug("No Permissions: not logged in."); return createPublicPermissions();
return ids; } else {
return createUserPermissions(user);
} }
}
private Collection<? extends Identifier> createPublicPermissions() {
Collection<Identifier> ids = new ArrayList<Identifier>();
WebappDaoFactory wdf = (WebappDaoFactory) context WebappDaoFactory wdf = (WebappDaoFactory) context
.getAttribute("webappDaoFactory"); .getAttribute("webappDaoFactory");
@ -185,9 +188,38 @@ public class CommonIdentifierBundleFactory implements IdentifierBundleFactory {
return ids; return ids;
} }
Set<String> permissionUris = new HashSet<String>();
UserAccountsDao uaDao = wdf.getUserAccountsDao(); UserAccountsDao uaDao = wdf.getUserAccountsDao();
for (String psUri: user.getPermissionSetUris()) {
Set<String> permissionUris = new HashSet<String>();
for (PermissionSet ps : uaDao.getAllPermissionSets()) {
if (ps.isForPublic()) {
permissionUris.addAll(ps.getPermissionUris());
}
}
PermissionRegistry registry = PermissionRegistry.getRegistry(context);
for (String permissionUri : permissionUris) {
Permission permission = registry.getPermission(permissionUri);
ids.add(new HasPermission(permission));
}
return ids;
}
private Collection<? extends Identifier> createUserPermissions(UserAccount user) {
Collection<Identifier> ids = new ArrayList<Identifier>();
WebappDaoFactory wdf = (WebappDaoFactory) context
.getAttribute("webappDaoFactory");
if (wdf == null) {
log.error("Could not get a WebappDaoFactory from the ServletContext");
return ids;
}
UserAccountsDao uaDao = wdf.getUserAccountsDao();
Set<String> permissionUris = new HashSet<String>();
for (String psUri : user.getPermissionSetUris()) {
PermissionSet ps = uaDao.getPermissionSetByUri(psUri); PermissionSet ps = uaDao.getPermissionSetByUri(psUri);
if (ps != null) { if (ps != null) {
permissionUris.addAll(ps.getPermissionUris()); permissionUris.addAll(ps.getPermissionUris());
@ -195,7 +227,7 @@ public class CommonIdentifierBundleFactory implements IdentifierBundleFactory {
} }
PermissionRegistry registry = PermissionRegistry.getRegistry(context); PermissionRegistry registry = PermissionRegistry.getRegistry(context);
for (String permissionUri: permissionUris) { for (String permissionUri : permissionUris) {
Permission permission = registry.getPermission(permissionUri); Permission permission = registry.getPermission(permissionUri);
ids.add(new HasPermission(permission)); ids.add(new HasPermission(permission));
} }
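Review bot: In `createPermissionIdentifiers` the logged-in branch returns only `createUserPermissions(user)`, so a signed-in account holds a public permission only if one of its own permission sets repeats it. The permission-set data in this commit compensates by listing `QueryFullModel` in every set, but an account whose sets lack that entry (a custom set, or no sets at all) would end up with fewer rights than an anonymous visitor. Consider building the result as a union instead: `ids.addAll(createPublicPermissions());` followed by `if (user != null) { ids.addAll(createUserPermissions(user)); }`. Both helpers also pass the result of `registry.getPermission(permissionUri)` straight to `new HasPermission(...)`; if the registry can return null for an unregistered URI (not visible here), a guard with a log line would be worth adding. `createUserPermissions` continues into the next hunk.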


@ -52,6 +52,8 @@ public class SimplePermission implements Permission {
"ManageTabs"); "ManageTabs");
public static final SimplePermission MANAGE_USER_ACCOUNTS = new SimplePermission( public static final SimplePermission MANAGE_USER_ACCOUNTS = new SimplePermission(
"ManageUserAccounts"); "ManageUserAccounts");
public static final SimplePermission QUERY_FULL_MODEL = new SimplePermission(
"QueryFullModel");
public static final SimplePermission QUERY_USER_ACCOUNTS_MODEL = new SimplePermission( public static final SimplePermission QUERY_USER_ACCOUNTS_MODEL = new SimplePermission(
"QueryUserAccountsModel"); "QueryUserAccountsModel");
public static final SimplePermission REBUILD_VCLASS_GROUP_CACHE = new SimplePermission( public static final SimplePermission REBUILD_VCLASS_GROUP_CACHE = new SimplePermission(


@ -1,83 +0,0 @@
/* $This file is distributed under the terms of the license in /doc/license.txt$ */
package edu.cornell.mannlib.vitro.webapp.auth.policy;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.HasRoleLevel;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.querymodel.QueryFullModel;
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
/**
* Check the users role level to determine whether they are allowed to use
* restricted pages.
*/
public class UseRestrictedPagesByRoleLevelPolicy implements PolicyIface {
private static final Log log = LogFactory
.getLog(UseRestrictedPagesByRoleLevelPolicy.class);
@Override
public PolicyDecision isAuthorized(IdentifierBundle whoToAuth,
RequestedAction whatToAuth) {
if (whoToAuth == null) {
return defaultDecision("whomToAuth was null");
}
if (whatToAuth == null) {
return defaultDecision("whatToAuth was null");
}
RoleLevel userRole = HasRoleLevel.getUsersRoleLevel(whoToAuth);
PolicyDecision result;
if (whatToAuth instanceof QueryFullModel) {
result = isAuthorized(whatToAuth, RoleLevel.PUBLIC, userRole);
} else {
result = defaultDecision("Unrecognized action");
}
log.debug("decision for '" + whatToAuth + "' is " + result);
return result;
}
/** Authorize if user's role is at least as high as the required role. */
private PolicyDecision isAuthorized(RequestedAction whatToAuth,
RoleLevel requiredRole, RoleLevel currentRole) {
if (isRoleAtLeast(requiredRole, currentRole)) {
return authorized("User may view page: " + whatToAuth
+ ", requiredRole=" + requiredRole + ", currentRole="
+ currentRole);
} else {
return defaultDecision("User may not view page: " + whatToAuth
+ ", requiredRole=" + requiredRole + ", currentRole="
+ currentRole);
}
}
private boolean isRoleAtLeast(RoleLevel required, RoleLevel current) {
return (current.compareTo(required) >= 0);
}
/** If the user is explicitly authorized, return this. */
private PolicyDecision authorized(String message) {
String className = this.getClass().getSimpleName();
return new BasicPolicyDecision(Authorization.AUTHORIZED, className
+ ": " + message);
}
/** If the user isn't explicitly authorized, return this. */
private PolicyDecision defaultDecision(String message) {
return new BasicPolicyDecision(Authorization.INCONCLUSIVE, message);
}
@Override
public String toString() {
return this.getClass().getSimpleName() + " - " + hashCode();
}
}


@ -14,7 +14,6 @@ import edu.cornell.mannlib.vitro.webapp.auth.policy.EditRestrictedDataByRoleLeve
import edu.cornell.mannlib.vitro.webapp.auth.policy.PermissionsPolicy; import edu.cornell.mannlib.vitro.webapp.auth.policy.PermissionsPolicy;
import edu.cornell.mannlib.vitro.webapp.auth.policy.SelfEditingPolicy; import edu.cornell.mannlib.vitro.webapp.auth.policy.SelfEditingPolicy;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ServletPolicyList; import edu.cornell.mannlib.vitro.webapp.auth.policy.ServletPolicyList;
import edu.cornell.mannlib.vitro.webapp.auth.policy.UseRestrictedPagesByRoleLevelPolicy;
import edu.cornell.mannlib.vitro.webapp.startup.StartupStatus; import edu.cornell.mannlib.vitro.webapp.startup.StartupStatus;
/** /**
@ -36,8 +35,6 @@ public class CommonPolicyFamilySetup implements ServletContextListener {
new DisplayRestrictedDataToSelfPolicy(ctx)); new DisplayRestrictedDataToSelfPolicy(ctx));
ServletPolicyList.addPolicy(ctx, ServletPolicyList.addPolicy(ctx,
new EditRestrictedDataByRoleLevelPolicy(ctx)); new EditRestrictedDataByRoleLevelPolicy(ctx));
ServletPolicyList.addPolicy(ctx,
new UseRestrictedPagesByRoleLevelPolicy());
ServletPolicyList.addPolicy(ctx, new SelfEditingPolicy(ctx)); ServletPolicyList.addPolicy(ctx, new SelfEditingPolicy(ctx));


@ -1,10 +0,0 @@
/* $This file is distributed under the terms of the license in /doc/license.txt$ */
package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.querymodel;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
/** Should we allow the user to query the full data model? */
public class QueryFullModel extends RequestedAction {
// no fields
}


@ -28,7 +28,6 @@ import com.hp.hpl.jena.rdf.model.Model;
import edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission; import edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.Actions; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.Actions;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.querymodel.QueryFullModel;
import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest; import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
import edu.cornell.mannlib.vitro.webapp.dao.jena.OntModelSelector; import edu.cornell.mannlib.vitro.webapp.dao.jena.OntModelSelector;
@ -55,7 +54,7 @@ public class SparqlQueryAjaxController extends VitroAjaxController {
if (OPTION_MODEL_USER_ACCOUNTS.equals(modelParam)) { if (OPTION_MODEL_USER_ACCOUNTS.equals(modelParam)) {
return SimplePermission.QUERY_USER_ACCOUNTS_MODEL.ACTIONS; return SimplePermission.QUERY_USER_ACCOUNTS_MODEL.ACTIONS;
} else { } else {
return new Actions(new QueryFullModel()); return SimplePermission.QUERY_FULL_MODEL.ACTIONS;
} }
} }
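Review bot: The `else` branch is the default for every `modelParam` value other than `OPTION_MODEL_USER_ACCOUNTS`, and it now requires `SimplePermission.QUERY_FULL_MODEL`, which the permission-set data in this commit grants to the public set. A short comment would make that explicit, for example `// QUERY_FULL_MODEL is granted to the public permission set: this branch is reachable without login`. Whether the full model can expose restricted data is not visible in this hunk and is worth confirming, since access is now controlled by configuration data rather than by a policy class. The enclosing method starts above the hunk.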


@ -42,6 +42,9 @@ auth:ADMIN
auth:hasPermission simplePermission:QueryUserAccountsModel ; auth:hasPermission simplePermission:QueryUserAccountsModel ;
auth:hasPermission simplePermission:UseBasicAjaxControllers ; auth:hasPermission simplePermission:UseBasicAjaxControllers ;
auth:hasPermission simplePermission:UseMiscellaneousPages ; auth:hasPermission simplePermission:UseMiscellaneousPages ;
# permissions for ANY user, even if they are not logged in.
auth:hasPermission simplePermission:QueryFullModel ;
. .
auth:CURATOR auth:CURATOR
@ -70,6 +73,9 @@ auth:CURATOR
auth:hasPermission simplePermission:QueryUserAccountsModel ; auth:hasPermission simplePermission:QueryUserAccountsModel ;
auth:hasPermission simplePermission:UseBasicAjaxControllers ; auth:hasPermission simplePermission:UseBasicAjaxControllers ;
auth:hasPermission simplePermission:UseMiscellaneousPages ; auth:hasPermission simplePermission:UseMiscellaneousPages ;
# permissions for ANY user, even if they are not logged in.
auth:hasPermission simplePermission:QueryFullModel ;
. .
auth:EDITOR auth:EDITOR
@ -90,11 +96,14 @@ auth:EDITOR
auth:hasPermission simplePermission:QueryUserAccountsModel ; auth:hasPermission simplePermission:QueryUserAccountsModel ;
auth:hasPermission simplePermission:UseBasicAjaxControllers ; auth:hasPermission simplePermission:UseBasicAjaxControllers ;
auth:hasPermission simplePermission:UseMiscellaneousPages ; auth:hasPermission simplePermission:UseMiscellaneousPages ;
# permissions for ANY user, even if they are not logged in.
auth:hasPermission simplePermission:QueryFullModel ;
. .
auth:SELF_EDITOR auth:SELF_EDITOR
a auth:PermissionSet ; a auth:PermissionSet ;
a auth:DefaultPermissionSetForNewUsers ; a auth:PermissionSetForNewUsers ;
rdfs:label "Self Editor" ; rdfs:label "Self Editor" ;
# permissions for ANY logged-in user. # permissions for ANY logged-in user.
@ -104,4 +113,16 @@ auth:SELF_EDITOR
auth:hasPermission simplePermission:QueryUserAccountsModel ; auth:hasPermission simplePermission:QueryUserAccountsModel ;
auth:hasPermission simplePermission:UseBasicAjaxControllers ; auth:hasPermission simplePermission:UseBasicAjaxControllers ;
auth:hasPermission simplePermission:UseMiscellaneousPages ; auth:hasPermission simplePermission:UseMiscellaneousPages ;
# permissions for ANY user, even if they are not logged in.
auth:hasPermission simplePermission:QueryFullModel ;
.
auth:PUBLIC
a auth:PermissionSet ;
a auth:PermissionSetForPublic ;
rdfs:label "Public" ;
# permissions for ANY user, even if they are not logged in.
auth:hasPermission simplePermission:QueryFullModel ;
. .
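Review bot: The `auth:SELF_EDITOR` block appears to change its type from `auth:DefaultPermissionSetForNewUsers` to `auth:PermissionSetForNewUsers`, which the commit message does not mention. If the loader that reads these types is not changed in step (none of the sections shown here touches it), new accounts could stop receiving a default permission set; the same applies to the new `auth:PermissionSetForPublic` type that `isForPublic()` presumably depends on. A header comment on `auth:PUBLIC` stating that everything listed there is granted to unauthenticated requests would help, e.g. `# Granted to every request, including anonymous ones; add entries here with care.`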