NIHVIVO-3523 Convert all simple PUBLIC-or-above requested actions to SimplePermissions.

2011-12-22 15:33:48 +00:00 · 2011-12-22 15:33:48 +00:00 · 45e8d0c654
commit 45e8d0c654
parent e5894ee80a
7 changed files with 67 additions and 109 deletions
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/identifier/common/CommonIdentifierBundleFactory.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/identifier/common/CommonIdentifierBundleFactory.java
@ -170,13 +170,16 @@ public class CommonIdentifierBundleFactory implements IdentifierBundleFactory {
 	 */
 	private Collection<? extends Identifier> createPermissionIdentifiers(
 			HttpServletRequest req) {
-		Collection<Identifier> ids = new ArrayList<Identifier>();
-
 		UserAccount user = LoginStatusBean.getCurrentUser(req);
 		if (user == null) {
-			log.debug("No Permissions: not logged in.");
-			return ids;
+			return createPublicPermissions();
+		} else {
+			return createUserPermissions(user);
 		}
+	}
+
+	private Collection<? extends Identifier> createPublicPermissions() {
+		Collection<Identifier> ids = new ArrayList<Identifier>();

 		WebappDaoFactory wdf = (WebappDaoFactory) context
 				.getAttribute("webappDaoFactory");
@ -185,9 +188,38 @@ public class CommonIdentifierBundleFactory implements IdentifierBundleFactory {
 			return ids;
 		}

-		Set<String> permissionUris = new HashSet<String>();
 		UserAccountsDao uaDao = wdf.getUserAccountsDao();
-		for (String psUri: user.getPermissionSetUris()) {
+
+		Set<String> permissionUris = new HashSet<String>();
+		for (PermissionSet ps : uaDao.getAllPermissionSets()) {
+			if (ps.isForPublic()) {
+				permissionUris.addAll(ps.getPermissionUris());
+			}
+		}
+
+		PermissionRegistry registry = PermissionRegistry.getRegistry(context);
+		for (String permissionUri : permissionUris) {
+			Permission permission = registry.getPermission(permissionUri);
+			ids.add(new HasPermission(permission));
+		}
+
+		return ids;
+	}
+
+	private Collection<? extends Identifier> createUserPermissions(UserAccount user) {
+		Collection<Identifier> ids = new ArrayList<Identifier>();
+
+		WebappDaoFactory wdf = (WebappDaoFactory) context
+				.getAttribute("webappDaoFactory");
+		if (wdf == null) {
+			log.error("Could not get a WebappDaoFactory from the ServletContext");
+			return ids;
+		}
+
+		UserAccountsDao uaDao = wdf.getUserAccountsDao();
+
+		Set<String> permissionUris = new HashSet<String>();
+		for (String psUri : user.getPermissionSetUris()) {
 			PermissionSet ps = uaDao.getPermissionSetByUri(psUri);
 			if (ps != null) {
 				permissionUris.addAll(ps.getPermissionUris());
@ -195,7 +227,7 @@ public class CommonIdentifierBundleFactory implements IdentifierBundleFactory {
 		}

 		PermissionRegistry registry = PermissionRegistry.getRegistry(context);
-		for (String permissionUri: permissionUris) {
+		for (String permissionUri : permissionUris) {
 			Permission permission = registry.getPermission(permissionUri);
 			ids.add(new HasPermission(permission));
 		}
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/permissions/SimplePermission.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/permissions/SimplePermission.java
@ -52,6 +52,8 @@ public class SimplePermission implements Permission {
 			"ManageTabs");
 	public static final SimplePermission MANAGE_USER_ACCOUNTS = new SimplePermission(
 			"ManageUserAccounts");
+	public static final SimplePermission QUERY_FULL_MODEL = new SimplePermission(
+			"QueryFullModel");
 	public static final SimplePermission QUERY_USER_ACCOUNTS_MODEL = new SimplePermission(
 			"QueryUserAccountsModel");
 	public static final SimplePermission REBUILD_VCLASS_GROUP_CACHE = new SimplePermission(
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/UseRestrictedPagesByRoleLevelPolicy.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/UseRestrictedPagesByRoleLevelPolicy.java
@ -1,83 +0,0 @@
-/* $This file is distributed under the terms of the license in /doc/license.txt$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.policy;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.HasRoleLevel;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.querymodel.QueryFullModel;
-import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
-
-/**
- * Check the users role level to determine whether they are allowed to use
- * restricted pages.
- */
-public class UseRestrictedPagesByRoleLevelPolicy implements PolicyIface {
-	private static final Log log = LogFactory
-			.getLog(UseRestrictedPagesByRoleLevelPolicy.class);
-
-	@Override
-	public PolicyDecision isAuthorized(IdentifierBundle whoToAuth,
-			RequestedAction whatToAuth) {
-		if (whoToAuth == null) {
-			return defaultDecision("whomToAuth was null");
-		}
-		if (whatToAuth == null) {
-			return defaultDecision("whatToAuth was null");
-		}
-
-		RoleLevel userRole = HasRoleLevel.getUsersRoleLevel(whoToAuth);
-
-		PolicyDecision result;
-		if (whatToAuth instanceof QueryFullModel) {
-			result = isAuthorized(whatToAuth, RoleLevel.PUBLIC, userRole);
-
-		} else {
-			result = defaultDecision("Unrecognized action");
-		}
-
-		log.debug("decision for '" + whatToAuth + "' is " + result);
-		return result;
-	}
-
-	/** Authorize if user's role is at least as high as the required role. */
-	private PolicyDecision isAuthorized(RequestedAction whatToAuth,
-			RoleLevel requiredRole, RoleLevel currentRole) {
-		if (isRoleAtLeast(requiredRole, currentRole)) {
-			return authorized("User may view page: " + whatToAuth
-					+ ", requiredRole=" + requiredRole + ", currentRole="
-					+ currentRole);
-		} else {
-			return defaultDecision("User may not view page: " + whatToAuth
-					+ ", requiredRole=" + requiredRole + ", currentRole="
-					+ currentRole);
-		}
-	}
-
-	private boolean isRoleAtLeast(RoleLevel required, RoleLevel current) {
-		return (current.compareTo(required) >= 0);
-	}
-
-	/** If the user is explicitly authorized, return this. */
-	private PolicyDecision authorized(String message) {
-		String className = this.getClass().getSimpleName();
-		return new BasicPolicyDecision(Authorization.AUTHORIZED, className
-				+ ": " + message);
-	}
-
-	/** If the user isn't explicitly authorized, return this. */
-	private PolicyDecision defaultDecision(String message) {
-		return new BasicPolicyDecision(Authorization.INCONCLUSIVE, message);
-	}
-
-	@Override
-	public String toString() {
-		return this.getClass().getSimpleName() + " - " + hashCode();
-	}
-}
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/setup/CommonPolicyFamilySetup.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/setup/CommonPolicyFamilySetup.java
@ -14,7 +14,6 @@ import edu.cornell.mannlib.vitro.webapp.auth.policy.EditRestrictedDataByRoleLeve
 import edu.cornell.mannlib.vitro.webapp.auth.policy.PermissionsPolicy;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.SelfEditingPolicy;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.ServletPolicyList;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.UseRestrictedPagesByRoleLevelPolicy;
 import edu.cornell.mannlib.vitro.webapp.startup.StartupStatus;

 /**
@ -36,8 +35,6 @@ public class CommonPolicyFamilySetup implements ServletContextListener {
 					new DisplayRestrictedDataToSelfPolicy(ctx));
 			ServletPolicyList.addPolicy(ctx,
 					new EditRestrictedDataByRoleLevelPolicy(ctx));
-			ServletPolicyList.addPolicy(ctx,
-					new UseRestrictedPagesByRoleLevelPolicy());

 			ServletPolicyList.addPolicy(ctx, new SelfEditingPolicy(ctx));

--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/querymodel/QueryFullModel.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/querymodel/QueryFullModel.java
@ -1,10 +0,0 @@
-/* $This file is distributed under the terms of the license in /doc/license.txt$ */
-
-package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.querymodel;
-
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
-
-/** Should we allow the user to query the full data model? */
-public class QueryFullModel extends RequestedAction {
-	// no fields
-}
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/ajax/SparqlQueryAjaxController.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/ajax/SparqlQueryAjaxController.java
@ -28,7 +28,6 @@ import com.hp.hpl.jena.rdf.model.Model;

 import edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.Actions;
-import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.querymodel.QueryFullModel;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.dao.jena.OntModelSelector;

@ -55,7 +54,7 @@ public class SparqlQueryAjaxController extends VitroAjaxController {
 		if (OPTION_MODEL_USER_ACCOUNTS.equals(modelParam)) {
 			return SimplePermission.QUERY_USER_ACCOUNTS_MODEL.ACTIONS;
 		} else {
-			return new Actions(new QueryFullModel());
+			return SimplePermission.QUERY_FULL_MODEL.ACTIONS;
 		}
 	}

--- a/webapp/web/WEB-INF/resources/permission_config.n3
+++ b/webapp/web/WEB-INF/resources/permission_config.n3
@ -42,6 +42,9 @@ auth:ADMIN
    auth:hasPermission simplePermission:QueryUserAccountsModel ;
    auth:hasPermission simplePermission:UseBasicAjaxControllers ;
    auth:hasPermission simplePermission:UseMiscellaneousPages ;
+    
+    # permissions for ANY user, even if they are not logged in.
+    auth:hasPermission simplePermission:QueryFullModel ;
    .

 auth:CURATOR 
@ -70,6 +73,9 @@ auth:CURATOR
    auth:hasPermission simplePermission:QueryUserAccountsModel ;
    auth:hasPermission simplePermission:UseBasicAjaxControllers ;
    auth:hasPermission simplePermission:UseMiscellaneousPages ;
+    
+    # permissions for ANY user, even if they are not logged in.
+    auth:hasPermission simplePermission:QueryFullModel ;
    .

 auth:EDITOR 
@ -90,11 +96,14 @@ auth:EDITOR
    auth:hasPermission simplePermission:QueryUserAccountsModel ;
    auth:hasPermission simplePermission:UseBasicAjaxControllers ;
    auth:hasPermission simplePermission:UseMiscellaneousPages ;
+    
+    # permissions for ANY user, even if they are not logged in.
+    auth:hasPermission simplePermission:QueryFullModel ;
    .

 auth:SELF_EDITOR
    a auth:PermissionSet ;
-    a auth:DefaultPermissionSetForNewUsers ;
+    a auth:PermissionSetForNewUsers ;
    rdfs:label "Self Editor" ;

    # permissions for ANY logged-in user.
@ -104,4 +113,16 @@ auth:SELF_EDITOR
    auth:hasPermission simplePermission:QueryUserAccountsModel ;
    auth:hasPermission simplePermission:UseBasicAjaxControllers ;
    auth:hasPermission simplePermission:UseMiscellaneousPages ;
+    
+    # permissions for ANY user, even if they are not logged in.
+    auth:hasPermission simplePermission:QueryFullModel ;
+    .
+
+auth:PUBLIC
+    a auth:PermissionSet ;
+    a auth:PermissionSetForPublic ;
+    rdfs:label "Public" ;
+    
+    # permissions for ANY user, even if they are not logged in.
+    auth:hasPermission simplePermission:QueryFullModel ;
    .