NIHVIVO-2254 Rewrite the role-based policies to use the PropertyRestrictionPolicyHelper.
This commit is contained in:
j2blake
parent
835ffa3481
commit
b0db5dd122
23 changed files with 1139 additions and 2364 deletions
|
|
@ -1,152 +0,0 @@
|
|||
/* $This file is distributed under the terms of the license in /doc/license.txt$ */
|
||||
|
||||
package edu.cornell.mannlib.vitro.webapp.auth.policy;
|
||||
|
||||
import java.util.Arrays;
|
||||
import java.util.Collection;
|
||||
import java.util.Collections;
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import com.hp.hpl.jena.rdf.model.impl.Util;
|
||||
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
|
||||
|
||||
/**
|
||||
* Used by several policies to disallow the modification of Vitro-reserved
|
||||
* resources and/or properties.
|
||||
*/
|
||||
public class AdministrativeUriRestrictor {
|
||||
private static final Log log = LogFactory
|
||||
.getLog(AdministrativeUriRestrictor.class);
|
||||
|
||||
private static final String[] DEFAULT_PROHIBITED_PROPERTIES = {};
|
||||
|
||||
private static final String[] DEFAULT_PROHIBITED_RESOURCES = {};
|
||||
|
||||
private static final String[] DEFAULT_PROHIBITED_NAMESPACES = {
|
||||
VitroVocabulary.vitroURI,
|
||||
VitroVocabulary.OWL,
|
||||
"" };
|
||||
|
||||
private static final String[] DEFAULT_EDITABLE_VITRO_URIS = {
|
||||
VitroVocabulary.MONIKER,
|
||||
VitroVocabulary.BLURB,
|
||||
VitroVocabulary.DESCRIPTION,
|
||||
VitroVocabulary.MODTIME,
|
||||
VitroVocabulary.TIMEKEY,
|
||||
|
||||
VitroVocabulary.CITATION,
|
||||
VitroVocabulary.IND_MAIN_IMAGE,
|
||||
|
||||
VitroVocabulary.LINK,
|
||||
VitroVocabulary.PRIMARY_LINK,
|
||||
VitroVocabulary.ADDITIONAL_LINK,
|
||||
VitroVocabulary.LINK_ANCHOR,
|
||||
VitroVocabulary.LINK_URL,
|
||||
|
||||
VitroVocabulary.KEYWORD_INDIVIDUALRELATION,
|
||||
VitroVocabulary.KEYWORD_INDIVIDUALRELATION_INVOLVESKEYWORD,
|
||||
VitroVocabulary.KEYWORD_INDIVIDUALRELATION_INVOLVESINDIVIDUAL,
|
||||
VitroVocabulary.KEYWORD_INDIVIDUALRELATION_MODE };
|
||||
|
||||
/**
|
||||
* Namespaces from which Self Editors should not be able to use resources.
|
||||
*/
|
||||
private final Set<String> prohibitedNamespaces;
|
||||
|
||||
/**
|
||||
* URIs of properties that SelfEditors should not be able to use in
|
||||
* statements
|
||||
*/
|
||||
protected final Set<String> prohibitedProperties;
|
||||
|
||||
/**
|
||||
* URIs of resources that SelfEditors should not be able to use in
|
||||
* statements
|
||||
*/
|
||||
protected final Set<String> prohibitedResources;
|
||||
|
||||
/**
|
||||
* URIs of properties from prohibited namespaces that Self Editors need to
|
||||
* be able to edit
|
||||
*/
|
||||
protected final Set<String> editableVitroUris;
|
||||
|
||||
public AdministrativeUriRestrictor(Set<String> prohibitedProperties,
|
||||
Set<String> prohibitedResources, Set<String> prohibitedNamespaces,
|
||||
Set<String> editableVitroUris) {
|
||||
this.prohibitedProperties = useDefaultIfNull(prohibitedProperties,
|
||||
DEFAULT_PROHIBITED_PROPERTIES);
|
||||
this.prohibitedResources = useDefaultIfNull(prohibitedResources,
|
||||
DEFAULT_PROHIBITED_RESOURCES);
|
||||
this.prohibitedNamespaces = useDefaultIfNull(prohibitedNamespaces,
|
||||
DEFAULT_PROHIBITED_NAMESPACES);
|
||||
this.editableVitroUris = useDefaultIfNull(editableVitroUris,
|
||||
DEFAULT_EDITABLE_VITRO_URIS);
|
||||
}
|
||||
|
||||
private Set<String> useDefaultIfNull(Set<String> valueSet,
|
||||
String[] defaultArray) {
|
||||
Collection<String> strings = (valueSet == null) ? Arrays
|
||||
.asList(defaultArray) : valueSet;
|
||||
return Collections.unmodifiableSet(new HashSet<String>(strings));
|
||||
}
|
||||
|
||||
public boolean canModifyResource(String uri) {
|
||||
if (uri == null || uri.length() == 0) {
|
||||
log.debug("Resource URI is empty: " + uri);
|
||||
return false;
|
||||
}
|
||||
|
||||
if (editableVitroUris.contains(uri)) {
|
||||
log.debug("Resource matches an editable URI: " + uri);
|
||||
return true;
|
||||
}
|
||||
|
||||
String namespace = uri.substring(0, Util.splitNamespace(uri));
|
||||
if (prohibitedNamespaces.contains(namespace)) {
|
||||
log.debug("Resource matches a prohibited namespace: " + uri);
|
||||
return false;
|
||||
}
|
||||
|
||||
log.debug("Resource is not prohibited: " + uri);
|
||||
return true;
|
||||
}
|
||||
|
||||
public boolean canModifyPredicate(String uri) {
|
||||
if (uri == null || uri.length() == 0) {
|
||||
log.debug("Predicate URI is empty: " + uri);
|
||||
return false;
|
||||
}
|
||||
|
||||
if (prohibitedProperties.contains(uri)) {
|
||||
log.debug("Predicate matches a prohibited predicate: " + uri);
|
||||
return false;
|
||||
}
|
||||
|
||||
if (editableVitroUris.contains(uri)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
String namespace = uri.substring(0, Util.splitNamespace(uri));
|
||||
if (prohibitedNamespaces.contains(namespace)) {
|
||||
log.debug("Predicate matches a prohibited namespace: " + uri);
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
return "AdministrativeUriRestrictor[prohibitedNamespaces="
|
||||
+ prohibitedNamespaces + ", prohibitedProperties="
|
||||
+ prohibitedProperties + ", prohibitedResources="
|
||||
+ prohibitedResources + ", editableVitroUris="
|
||||
+ editableVitroUris + "]";
|
||||
}
|
||||
|
||||
}
|
||||
|
|
@ -5,16 +5,37 @@ package edu.cornell.mannlib.vitro.webapp.auth.policy;
|
|||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
import javax.servlet.ServletContext;
|
||||
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.Identifier;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.SelfEditingIdentifierFactory.SelfEditing;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionPolicyHelper;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
|
||||
|
||||
/**
|
||||
* A base class with utility methods for policies involving self-editing.
|
||||
*/
|
||||
public abstract class BaseSelfEditingPolicy {
|
||||
protected final ServletContext ctx;
|
||||
protected final RoleLevel roleLevel;
|
||||
|
||||
public BaseSelfEditingPolicy(ServletContext ctx, RoleLevel roleLevel) {
|
||||
this.ctx = ctx;
|
||||
this.roleLevel = roleLevel;
|
||||
}
|
||||
|
||||
protected boolean canModifyResource(String uri) {
|
||||
return PropertyRestrictionPolicyHelper.getBean(ctx).canModifyResource(
|
||||
uri, roleLevel);
|
||||
}
|
||||
|
||||
protected boolean canModifyPredicate(String uri) {
|
||||
return PropertyRestrictionPolicyHelper.getBean(ctx).canModifyPredicate(
|
||||
uri, roleLevel);
|
||||
}
|
||||
|
||||
protected List<String> getUrisOfSelfEditor(IdentifierBundle ids) {
|
||||
List<String> uris = new ArrayList<String>();
|
||||
|
|
|
|||
|
|
@ -2,432 +2,172 @@
|
|||
|
||||
package edu.cornell.mannlib.vitro.webapp.auth.policy;
|
||||
|
||||
import java.util.Collections;
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
import javax.servlet.ServletContext;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import com.hp.hpl.jena.rdf.model.impl.Util;
|
||||
|
||||
import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.CuratorEditingIdentifierFactory;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.Identifier;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionPolicyHelper;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.VisitingPolicyIface;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.AddNewUser;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.LoadOntology;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.RebuildTextIndex;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.RemoveUser;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.ServerStatus;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.UpdateTextIndex;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.UploadFile;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.AdminRequestedAction;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.OntoRequestedAction;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.CreateOwlClass;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.DefineDataProperty;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.DefineObjectProperty;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.RemoveOwlClass;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractDataPropertyAction;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractObjectPropertyAction;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddDataPropStmt;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddObjectPropStmt;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropDataPropStmt;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropObjectPropStmt;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.EditDataPropStmt;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.EditObjPropStmt;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.AbstractResourceAction;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.AddResource;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.DropResource;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
|
||||
|
||||
/**
|
||||
* Policy to use for Vivo Curator-Editing for use at Cornell.
|
||||
* All methods in this class should be thread safe
|
||||
* and side effect free.
|
||||
* Policy to use for Vivo Curator-Editing for use at Cornell. All methods in
|
||||
* this class should be thread safe and side effect free.
|
||||
*/
|
||||
public class CuratorEditingPolicy implements VisitingPolicyIface {
|
||||
protected static Log log = LogFactory.getLog( CuratorEditingPolicy.class );
|
||||
|
||||
/** regex for extracting a namespace from a URI */
|
||||
// Do not use this; use Jena's splitNamespace() util instead.
|
||||
//private Pattern ns = Pattern.compile("([^#]*#)[^#]*");
|
||||
|
||||
/**
|
||||
* Namespaces from which Curator Editors should not be able to use resources.
|
||||
*/
|
||||
private Set<String> prohibitedNs;
|
||||
|
||||
/** URIs of properties that CuratorEditors should not be able to use in statements*/
|
||||
protected Set<String>prohibitedProperties;
|
||||
|
||||
/** URIs of resources that CuratorEditors should not be able to use in statements*/
|
||||
protected Set<String>prohibitedResources;
|
||||
|
||||
/** Indicates which Authorization to use when the user isn't explicitly authorized. */
|
||||
protected Authorization defaultFailure = Authorization.INCONCLUSIVE;
|
||||
|
||||
/** URIs of properties from prohibited namespaces that Curator Editors need to be
|
||||
* able to edit */
|
||||
protected Set<String> editableVitroUris;
|
||||
|
||||
public CuratorEditingPolicy(
|
||||
Set<String>prohibitedProperties,
|
||||
Set<String>prohibitedResources,
|
||||
Set<String>prohibitedNamespaces,
|
||||
Set<String>editableVitroUris ){
|
||||
|
||||
if( prohibitedProperties != null )
|
||||
this.prohibitedProperties = prohibitedProperties;
|
||||
else
|
||||
this.prohibitedProperties = Collections.EMPTY_SET;
|
||||
|
||||
if( prohibitedResources != null )
|
||||
this.prohibitedResources = prohibitedResources;
|
||||
else
|
||||
this.prohibitedResources = Collections.EMPTY_SET;
|
||||
|
||||
if( prohibitedNamespaces != null )
|
||||
this.prohibitedNs = prohibitedNamespaces;
|
||||
else{
|
||||
prohibitedNs = new HashSet<String>();
|
||||
prohibitedNs.add( VitroVocabulary.vitroURI);
|
||||
prohibitedNs.add( VitroVocabulary.OWL );
|
||||
prohibitedNs.add("");
|
||||
}
|
||||
|
||||
if( editableVitroUris != null )
|
||||
this.editableVitroUris = editableVitroUris;
|
||||
else{
|
||||
this.editableVitroUris = new HashSet<String>();
|
||||
this.editableVitroUris.add(VitroVocabulary.MONIKER);
|
||||
this.editableVitroUris.add(VitroVocabulary.BLURB);
|
||||
this.editableVitroUris.add(VitroVocabulary.DESCRIPTION);
|
||||
this.editableVitroUris.add(VitroVocabulary.MODTIME);
|
||||
this.editableVitroUris.add(VitroVocabulary.TIMEKEY);
|
||||
|
||||
this.editableVitroUris.add(VitroVocabulary.CITATION);
|
||||
this.editableVitroUris.add(VitroVocabulary.IND_MAIN_IMAGE);
|
||||
|
||||
this.editableVitroUris.add(VitroVocabulary.LINK);
|
||||
this.editableVitroUris.add(VitroVocabulary.PRIMARY_LINK);
|
||||
this.editableVitroUris.add(VitroVocabulary.ADDITIONAL_LINK);
|
||||
this.editableVitroUris.add(VitroVocabulary.LINK_ANCHOR);
|
||||
this.editableVitroUris.add(VitroVocabulary.LINK_URL);
|
||||
|
||||
this.editableVitroUris.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION);
|
||||
this.editableVitroUris.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION_INVOLVESKEYWORD);
|
||||
this.editableVitroUris.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION_INVOLVESINDIVIDUAL);
|
||||
this.editableVitroUris.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION_MODE);
|
||||
}
|
||||
}
|
||||
|
||||
public PolicyDecision isAuthorized(IdentifierBundle whomToAuth, RequestedAction whatToAuth) {
|
||||
BasicPolicyDecision pd = new BasicPolicyDecision(this.defaultFailure,"not yet set");
|
||||
if( whomToAuth == null )
|
||||
return pd.setMessage("whomToAuth was null");
|
||||
if(whatToAuth == null)
|
||||
return pd.setMessage("whatToAuth was null");
|
||||
|
||||
String roleStr = getRoleOf(whomToAuth);
|
||||
if (roleStr == null)
|
||||
return pd.setMessage("Unable to get a role for the curator from IdBundle");
|
||||
|
||||
try{
|
||||
if( Integer.parseInt( roleStr ) /*<*/ != LoginStatusBean.CURATOR)
|
||||
return pd.setMessage("CuratorEditingPolicy found role of "+roleStr+" but only authorizes for users logged in as CURATOR or higher");
|
||||
}catch(NumberFormatException nef){}
|
||||
|
||||
if (whatToAuth instanceof OntoRequestedAction)
|
||||
return pd.setMessage("CuratorEditingPolicy doesn't authorize OntoRequestedActions");
|
||||
if (whatToAuth instanceof AdminRequestedAction)
|
||||
return pd.setMessage("CuratorEditingPolicy doesn't authorize AdminRequestedActions");
|
||||
|
||||
//kick off the visitor pattern
|
||||
return whatToAuth.accept(this, whomToAuth);
|
||||
}
|
||||
|
||||
|
||||
protected String getRoleOf( IdentifierBundle whomToAuth) {
|
||||
if( whomToAuth == null ) return null;
|
||||
|
||||
for(Identifier id : whomToAuth){
|
||||
if (id instanceof CuratorEditingIdentifierFactory.CuratorEditingId) {
|
||||
return ((CuratorEditingIdentifierFactory.CuratorEditingId)id).getRole();
|
||||
}
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
protected boolean canModifyResource(String uri){
|
||||
if( uri == null || uri.length() == 0 )
|
||||
return false;
|
||||
|
||||
if( editableVitroUris.contains( uri ) )
|
||||
return true;
|
||||
|
||||
String namespace = uri.substring(0, Util.splitNamespace(uri));
|
||||
//Matcher match = ns.matcher(uri);
|
||||
//if( match.matches() && match.groupCount() > 0){
|
||||
// String namespace = match.group(1);
|
||||
if( prohibitedNs.contains( namespace ) ) {
|
||||
log.debug("The uri "+uri+" represents a resource that cannot be modified because it matches a prohibited namespace");
|
||||
return false;
|
||||
}
|
||||
//}
|
||||
return true;
|
||||
}
|
||||
|
||||
|
||||
protected boolean canModifyPredicate(String uri){
|
||||
if( uri == null || uri.length() == 0 )
|
||||
return false;
|
||||
|
||||
if( editableVitroUris.contains( uri ) )
|
||||
return true;
|
||||
|
||||
if( prohibitedProperties.contains(uri)) {
|
||||
log.debug("The uri "+uri+" represents a predicate that cannot be modified because it is on a list of properties prohibited from curator editing");
|
||||
return false;
|
||||
}
|
||||
|
||||
String namespace = uri.substring(0, Util.splitNamespace(uri));
|
||||
//Matcher match = ns.matcher(uri);
|
||||
//if( match.matches() && match.groupCount() > 0){
|
||||
// String namespace = match.group(1);
|
||||
if( prohibitedNs.contains( namespace ) ) {
|
||||
log.debug("The uri "+uri+" represents a predicate that cannot be modified because it matches a prohibited namespace");
|
||||
return false;
|
||||
}
|
||||
//}
|
||||
return true;
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, AddObjectPropStmt action) {
|
||||
if( ids == null || action == null )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy, null action or ids");
|
||||
|
||||
//cannot edit resources related to system
|
||||
if( !canModifyResource( action.uriOfObject ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin resources; " +
|
||||
"cannot modify " + action.uriOfObject);
|
||||
|
||||
if( !canModifyResource( action.uriOfSubject ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin resources; " +
|
||||
"cannot modify " + action.uriOfSubject);
|
||||
|
||||
if( !canModifyPredicate( action.uriOfPredicate ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin predicates; " +
|
||||
"cannot modify " + action.uriOfPredicate);
|
||||
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"CuratorEditingPolicy: user can edit allowed properties of anybody");
|
||||
|
||||
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
|
||||
}
|
||||
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, DropResource action) {
|
||||
if( ids == null || action == null )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy, null action or ids");
|
||||
|
||||
if( prohibitedNs.contains( action.getSubjectUri() ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not removal of admin resources");
|
||||
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"CuratorEditingPolicy: may remove resource");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, AddResource action) {
|
||||
if( ids == null || action == null )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy, null action or ids");
|
||||
|
||||
if( prohibitedNs.contains( action.getSubjectUri() ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not allow creation of admin resources");
|
||||
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"CuratorEditingPolicy: may add resource");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, DropDataPropStmt action) {
|
||||
if( ids == null || action == null ) {
|
||||
log.debug("CuratorEditingPolicy for DropDataPropStmt is inconclusive because the test has null action or ids");
|
||||
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy, null action or ids");
|
||||
}
|
||||
//cannot edit resources related to system
|
||||
if( prohibitedNs.contains( action.getSubjectUri() ) ) { // jc55 was getResourceURI()
|
||||
log.debug("CuratorEditingPolicy for DropDatapropStmt is inconclusive because it does not grant access to admin resources");
|
||||
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin resources");
|
||||
}
|
||||
|
||||
//many predicates are prohibited by namespace but there are many ones that curator editors need to work with
|
||||
if( prohibitedNs.contains(action.getPredicateUri() ) && ! editableVitroUris.contains( action.getPredicateUri() ) ) {
|
||||
log.debug("CuratorEditingPolicy for DropDatapropStmt is inconclusive because it does not grant access to admin controls");
|
||||
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin controls");
|
||||
}
|
||||
|
||||
//cannot edit resources related to system
|
||||
if( !canModifyResource( action.getSubjectUri() ) ) {
|
||||
log.debug("CuratorEditingPolicy for EditDatapropStmt action is inconclusive because it does not grant access to admin resources; cannot modify " + action.getSubjectUri());
|
||||
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin resources; " +
|
||||
"cannot modify " + action.getSubjectUri());
|
||||
}
|
||||
if( !canModifyPredicate( action.getPredicateUri() ) ) {
|
||||
log.debug("CuratorEditingPolicy for EditDatapropStmt is inconclusive because it does not grant access to admin predicates; cannot modify " + action.getPredicateUri());
|
||||
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin predicates; " +
|
||||
"cannot modify " + action.getPredicateUri());
|
||||
}
|
||||
log.debug("CuratorEditingPolicy for DropDatapropStmt returns authorization because the user is a curator");
|
||||
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"CuratorEditingPolicy: user is may drop data property statement");
|
||||
|
||||
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
|
||||
}
|
||||
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, DropObjectPropStmt action) {
|
||||
if( ids == null || action == null )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy, null action or ids");
|
||||
|
||||
//cannot edit resources related to system
|
||||
if( !canModifyResource( action.uriOfObject ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin resources; " +
|
||||
"cannot modify " + action.uriOfObject);
|
||||
|
||||
if( !canModifyResource( action.uriOfSubject ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin resources; " +
|
||||
"cannot modify " + action.uriOfSubject);
|
||||
|
||||
if( !canModifyPredicate( action.uriOfPredicate ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin predicates; " +
|
||||
"cannot modify " + action.uriOfPredicate);
|
||||
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"CuratorEditingPolicy: user can edit any individual");
|
||||
|
||||
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, AddDataPropStmt action) {
|
||||
if( ids == null || action == null )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy, null action or ids");
|
||||
|
||||
//cannot edit resources related to system
|
||||
if( prohibitedNs.contains( action.getSubjectUri() ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin resources");
|
||||
|
||||
//many predicates are prohibited by namespace but there are many ones that curator editors need to work with
|
||||
if( prohibitedNs.contains(action.getPredicateUri() ) && ! editableVitroUris.contains( action.getPredicateUri() ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin controls");
|
||||
|
||||
if( !canModifyPredicate( action.getPredicateUri() ) ) {
|
||||
log.debug("CuratorEditingPolicy for AddDataPropStmt does not grant access to prohibited predicates or certain namespaces: cannot modify " + action.getPredicateUri());
|
||||
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy for AddDataPropStmt does not grant access to prohibited predicates or certain namespaces: " +
|
||||
"cannot modify " + action.getPredicateUri());
|
||||
}
|
||||
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"CuratorEditingPolicy: user may add this data property statement");
|
||||
|
||||
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
|
||||
}
|
||||
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, EditDataPropStmt action) {
|
||||
|
||||
if( ids == null || action == null ) {
|
||||
log.debug("CuratorEditingPolicy for EditDataPropStmt is inconclusive because the test has null action or ids");
|
||||
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy, null action or ids");
|
||||
}
|
||||
|
||||
//cannot edit resources related to system
|
||||
if( !canModifyResource( action.getSubjectUri() ) ) {
|
||||
log.debug("CuratorEditingPolicy for EditDatapropStmt action is inconclusive because it does not grant access to admin resources; cannot modify " + action.getSubjectUri());
|
||||
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin resources; " +
|
||||
"cannot modify " + action.getSubjectUri());
|
||||
}
|
||||
if( !canModifyPredicate( action.getPredicateUri() ) ) {
|
||||
log.debug("CuratorEditingPolicy for EditDataPropStmt does not grant access to prohibited predicates or certain namespaces: cannot modify " + action.getPredicateUri());
|
||||
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy for EditDataPropStmt does not grant access to prohibited predicates or certain namespaces: " +
|
||||
"cannot modify " + action.getPredicateUri());
|
||||
}
|
||||
|
||||
log.debug("CuratorEditingPolicy for EditDatapropStmt returns authorization because the user is a curator");
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"CuratorEditingPolicy: user may edit data property statement");
|
||||
|
||||
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
|
||||
}
|
||||
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, EditObjPropStmt action) {
|
||||
if( ids == null || action == null )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy, null action or ids");
|
||||
|
||||
//cannot edit resources related to system
|
||||
if( !canModifyResource( action.uriOfObject ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin resources; " +
|
||||
"cannot modify " + action.uriOfObject);
|
||||
|
||||
if( !canModifyResource( action.uriOfSubject ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin resources; " +
|
||||
"cannot modify " + action.uriOfSubject);
|
||||
|
||||
if( !canModifyPredicate( action.uriOfPredicate ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin predicates; " +
|
||||
"cannot modify " + action.uriOfPredicate);
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"CuratorEditingPolicy: user may edit any individual");
|
||||
|
||||
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
|
||||
}
|
||||
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, UploadFile action) {
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"CuratorEditingPolicy: may upload files");
|
||||
}
|
||||
|
||||
|
||||
// *** the following actions are generally not part of curator editing *** //
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, AddNewUser action) {
|
||||
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"CuratorEditingPolicy does not authorize administrative modifications");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, RemoveUser action) {
|
||||
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"CuratorEditingPolicy does not authorize administrative modifications");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, LoadOntology action) {
|
||||
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"CuratorEditingPolicy does not authorize administrative modifications");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, RebuildTextIndex action) {
|
||||
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"CuratorEditingPolicy does not authorize administrative modifications");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, UpdateTextIndex action) {
|
||||
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"CuratorEditingPolicy does not authorize administrative modifications");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, ServerStatus action) {
|
||||
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"CuratorEditingPolicy does not authorize administrative modifications");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, CreateOwlClass action) {
|
||||
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"CuratorEditingPolicy does not authorize administrative modifications");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, RemoveOwlClass action) {
|
||||
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"CuratorEditingPolicy does not authorize administrative modifications");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, DefineDataProperty action) {
|
||||
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"CuratorEditingPolicy does not authorize administrative modifications");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, DefineObjectProperty action) {
|
||||
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"CuratorEditingPolicy does not authorize administrative modifications");
|
||||
}
|
||||
|
||||
public String toString(){
|
||||
return "CuratorEditingPolicy " + hashCode()
|
||||
+ " nspaces: " + prohibitedNs.size() + " prohibited Props: "
|
||||
+ prohibitedProperties.size() + " prohibited resources: "
|
||||
+ prohibitedResources.size();
|
||||
}
|
||||
public class CuratorEditingPolicy implements PolicyIface {
|
||||
private final ServletContext ctx;
|
||||
|
||||
public CuratorEditingPolicy(ServletContext ctx) {
|
||||
this.ctx = ctx;
|
||||
}
|
||||
|
||||
/**
|
||||
* Indicates which Authorization to use when the user isn't explicitly
|
||||
* authorized.
|
||||
*/
|
||||
private PolicyDecision defaultDecision(String message) {
|
||||
return new BasicPolicyDecision(Authorization.INCONCLUSIVE, message);
|
||||
}
|
||||
|
||||
@Override
|
||||
public PolicyDecision isAuthorized(IdentifierBundle whomToAuth,
|
||||
RequestedAction whatToAuth) {
|
||||
if (whomToAuth == null) {
|
||||
return defaultDecision("whomToAuth was null");
|
||||
}
|
||||
if (whatToAuth == null) {
|
||||
return defaultDecision("whatToAuth was null");
|
||||
}
|
||||
|
||||
if (!isCurator(whomToAuth)) {
|
||||
return defaultDecision("IdBundle does not include a Curator identifier");
|
||||
}
|
||||
|
||||
if (whatToAuth instanceof OntoRequestedAction) {
|
||||
return defaultDecision("CuratorEditingPolicy doesn't authorize OntoRequestedActions");
|
||||
} else if (whatToAuth instanceof AdminRequestedAction) {
|
||||
return defaultDecision("CuratorEditingPolicy doesn't authorize AdminRequestedActions");
|
||||
}
|
||||
|
||||
if (whatToAuth instanceof AddDataPropStmt) {
|
||||
return isAuthorized((AddDataPropStmt) whatToAuth);
|
||||
} else if (whatToAuth instanceof DropDataPropStmt) {
|
||||
return isAuthorized((DropDataPropStmt) whatToAuth);
|
||||
} else if (whatToAuth instanceof EditDataPropStmt) {
|
||||
return isAuthorized((EditDataPropStmt) whatToAuth);
|
||||
} else if (whatToAuth instanceof AddObjectPropStmt) {
|
||||
return isAuthorized((AddObjectPropStmt) whatToAuth);
|
||||
} else if (whatToAuth instanceof DropObjectPropStmt) {
|
||||
return isAuthorized((DropObjectPropStmt) whatToAuth);
|
||||
} else if (whatToAuth instanceof EditObjPropStmt) {
|
||||
return isAuthorized((EditObjPropStmt) whatToAuth);
|
||||
} else if (whatToAuth instanceof AddResource) {
|
||||
return isAuthorized((AddResource) whatToAuth);
|
||||
} else if (whatToAuth instanceof DropResource) {
|
||||
return isAuthorized((DropResource) whatToAuth);
|
||||
} else {
|
||||
return defaultDecision("unrecognized requested action: "
|
||||
+ whatToAuth);
|
||||
}
|
||||
}
|
||||
|
||||
private boolean isCurator(IdentifierBundle whomToAuth) {
|
||||
for (Identifier id : whomToAuth) {
|
||||
if (id instanceof CuratorEditingIdentifierFactory.CuratorEditingId) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
private boolean canModifyResource(String uri) {
|
||||
return PropertyRestrictionPolicyHelper.getBean(ctx).canModifyResource(
|
||||
uri, RoleLevel.CURATOR);
|
||||
}
|
||||
|
||||
private boolean canModifyPredicate(String uri) {
|
||||
return PropertyRestrictionPolicyHelper.getBean(ctx).canModifyPredicate(
|
||||
uri, RoleLevel.CURATOR);
|
||||
}
|
||||
|
||||
/**
|
||||
* Check authorization for Adding, Editing or Dropping a DataProperty.
|
||||
*/
|
||||
private PolicyDecision isAuthorized(AbstractDataPropertyAction action) {
|
||||
if (!canModifyResource(action.getSubjectUri())) {
|
||||
return defaultDecision("CuratorEditingPolicy does not grant access to admin resources; "
|
||||
+ "may not modify " + action.getSubjectUri());
|
||||
}
|
||||
|
||||
if (!canModifyPredicate(action.getPredicateUri())) {
|
||||
return defaultDecision("CuratorEditingPolicy does not grant access to admin predicates; "
|
||||
+ "may not modify " + action.getPredicateUri());
|
||||
}
|
||||
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,
|
||||
"CuratorEditingPolicy: user may modify '"
|
||||
+ action.getSubjectUri() + "' ==> '"
|
||||
+ action.getPredicateUri() + "'");
|
||||
}
|
||||
|
||||
/**
|
||||
* Check authorization for Adding, Editing or Dropping an ObjectProperty.
|
||||
*/
|
||||
private PolicyDecision isAuthorized(AbstractObjectPropertyAction action) {
|
||||
if (!canModifyResource(action.uriOfSubject)) {
|
||||
return defaultDecision("CuratorEditingPolicy does not grant access to admin resources; "
|
||||
+ "may not modify " + action.uriOfSubject);
|
||||
}
|
||||
|
||||
if (!canModifyPredicate(action.uriOfPredicate)) {
|
||||
return defaultDecision("CuratorEditingPolicy does not grant access to admin predicates; "
|
||||
+ "may not modify " + action.uriOfPredicate);
|
||||
}
|
||||
|
||||
if (!canModifyResource(action.uriOfObject)) {
|
||||
return defaultDecision("CuratorEditingPolicy does not grant access to admin resources; "
|
||||
+ "may not modify " + action.uriOfObject);
|
||||
}
|
||||
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,
|
||||
"CuratorEditingPolicy: user may modify '" + action.uriOfSubject
|
||||
+ "' ==> '" + action.uriOfPredicate + "' ==> '"
|
||||
+ action.uriOfObject + "'");
|
||||
}
|
||||
|
||||
/**
|
||||
* Check authorization for Adding or Dropping a Resource.
|
||||
*/
|
||||
private PolicyDecision isAuthorized(AbstractResourceAction action) {
|
||||
if (!canModifyResource(action.getSubjectUri())) {
|
||||
return defaultDecision("CuratorEditingPolicy does not grant access to admin resources; "
|
||||
+ "may not modify " + action.getSubjectUri());
|
||||
}
|
||||
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,
|
||||
"CuratorEditingPolicy: may add or remove resource: "
|
||||
+ action.getSubjectUri());
|
||||
}
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
return "CuratorEditingPolicy - " + hashCode();
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,445 +2,172 @@
|
|||
|
||||
package edu.cornell.mannlib.vitro.webapp.auth.policy;
|
||||
|
||||
import java.util.Collections;
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
import javax.servlet.ServletContext;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import com.hp.hpl.jena.rdf.model.impl.Util;
|
||||
|
||||
import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.DbAdminEditingIdentifierFactory;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.Identifier;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.SelfEditingIdentifierFactory;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.SelfEditingIdentifierFactory.SelfEditing;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionPolicyHelper;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.VisitingPolicyIface;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.AddNewUser;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.LoadOntology;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.RebuildTextIndex;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.RemoveUser;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.ServerStatus;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.UpdateTextIndex;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.UploadFile;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.AdminRequestedAction;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.OntoRequestedAction;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.CreateOwlClass;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.DefineDataProperty;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.DefineObjectProperty;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.RemoveOwlClass;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractDataPropertyAction;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractObjectPropertyAction;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddDataPropStmt;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddObjectPropStmt;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropDataPropStmt;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropObjectPropStmt;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.EditDataPropStmt;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.EditObjPropStmt;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.AbstractResourceAction;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.AddResource;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.DropResource;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
|
||||
|
||||
/**
|
||||
* Policy to use for Vivo non-privileged but user accouunt-based editing
|
||||
* All methods in this class should be thread safe
|
||||
* and side effect free.
|
||||
* Policy to use for Vivo non-privileged but user accouunt-based editing All
|
||||
* methods in this class should be thread safe and side effect free.
|
||||
*/
|
||||
public class DbAdminEditingPolicy implements VisitingPolicyIface {
|
||||
protected static Log log = LogFactory.getLog( DbAdminEditingPolicy.class );
|
||||
|
||||
/** regex for extracting a namespace from a URI */
|
||||
// Do not use this; use Jena's splitNamespace() util instead.
|
||||
//private Pattern ns = Pattern.compile("([^#]*#)[^#]*");
|
||||
|
||||
/**
|
||||
* Namespaces from which DbAdmins should not be able to use resources.
|
||||
*/
|
||||
private Set<String> prohibitedNs;
|
||||
|
||||
/** URIs of properties that DbAdmins should not be able to use in statements*/
|
||||
protected Set<String>prohibitedProperties;
|
||||
|
||||
/** URIs of resources that DbAdmins should not be able to use in statements*/
|
||||
protected Set<String>prohibitedResources;
|
||||
|
||||
/** Indicates which Authorization to use when the user isn't explicitly authorized. */
|
||||
protected Authorization defaultFailure = Authorization.INCONCLUSIVE;
|
||||
|
||||
/** URIs of properties from prohibited namespaces that DbAdmins need to be
|
||||
* able to edit */
|
||||
protected Set<String> editableVitroUris;
|
||||
|
||||
public DbAdminEditingPolicy(
|
||||
Set<String>prohibitedProperties,
|
||||
Set<String>prohibitedResources,
|
||||
Set<String>prohibitedNamespaces,
|
||||
Set<String>editableVitroUris ){
|
||||
|
||||
if( prohibitedProperties != null )
|
||||
this.prohibitedProperties = prohibitedProperties;
|
||||
else
|
||||
this.prohibitedProperties = Collections.EMPTY_SET;
|
||||
|
||||
if( prohibitedResources != null )
|
||||
this.prohibitedResources = prohibitedResources;
|
||||
else
|
||||
this.prohibitedResources = Collections.EMPTY_SET;
|
||||
|
||||
if( prohibitedNamespaces != null )
|
||||
this.prohibitedNs = prohibitedNamespaces;
|
||||
else{
|
||||
prohibitedNs = new HashSet<String>();
|
||||
prohibitedNs.add( VitroVocabulary.vitroURI);
|
||||
prohibitedNs.add( VitroVocabulary.OWL );
|
||||
prohibitedNs.add("");
|
||||
}
|
||||
|
||||
if( editableVitroUris != null )
|
||||
this.editableVitroUris = editableVitroUris;
|
||||
else{
|
||||
this.editableVitroUris = new HashSet<String>();
|
||||
this.editableVitroUris.add(VitroVocabulary.MONIKER);
|
||||
this.editableVitroUris.add(VitroVocabulary.BLURB);
|
||||
this.editableVitroUris.add(VitroVocabulary.DESCRIPTION);
|
||||
this.editableVitroUris.add(VitroVocabulary.MODTIME);
|
||||
this.editableVitroUris.add(VitroVocabulary.TIMEKEY);
|
||||
|
||||
this.editableVitroUris.add(VitroVocabulary.CITATION);
|
||||
this.editableVitroUris.add(VitroVocabulary.IND_MAIN_IMAGE);
|
||||
|
||||
this.editableVitroUris.add(VitroVocabulary.LINK);
|
||||
this.editableVitroUris.add(VitroVocabulary.PRIMARY_LINK);
|
||||
this.editableVitroUris.add(VitroVocabulary.ADDITIONAL_LINK);
|
||||
this.editableVitroUris.add(VitroVocabulary.LINK_ANCHOR);
|
||||
this.editableVitroUris.add(VitroVocabulary.LINK_URL);
|
||||
|
||||
this.editableVitroUris.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION);
|
||||
this.editableVitroUris.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION_INVOLVESKEYWORD);
|
||||
this.editableVitroUris.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION_INVOLVESINDIVIDUAL);
|
||||
this.editableVitroUris.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION_MODE);
|
||||
}
|
||||
}
|
||||
|
||||
public PolicyDecision isAuthorized(IdentifierBundle whoToAuth, RequestedAction whatToAuth) {
|
||||
BasicPolicyDecision pd = new BasicPolicyDecision(this.defaultFailure,"not yet set");
|
||||
if( whoToAuth == null )
|
||||
return pd.setMessage("whomToAuth was null");
|
||||
if(whatToAuth == null)
|
||||
return pd.setMessage("whatToAuth was null");
|
||||
|
||||
String roleStr = getRoleOf(whoToAuth);
|
||||
if (roleStr == null)
|
||||
return pd.setMessage("Unable to get a role for the dbAdmin from IdBundle");
|
||||
|
||||
try{
|
||||
if( Integer.parseInt( roleStr ) /*<*/ != LoginStatusBean.DBA) {
|
||||
return pd.setMessage("DbAdminEditingPolicy found role of "+roleStr+" and only authorizes for users logged in as DB_ADMIN");
|
||||
}
|
||||
} catch(NumberFormatException nef){
|
||||
log.debug(nef,nef);
|
||||
}
|
||||
|
||||
try{
|
||||
SelfEditing sei = SelfEditingIdentifierFactory.getSelfEditingIdentifier(whoToAuth);
|
||||
if( sei != null && sei.isFake() ){
|
||||
return pd.setMessage("DbAdminEditingPolicy will not authorize actions for a fake self editor");
|
||||
}
|
||||
}catch( Exception e ){
|
||||
log.debug(e,e);
|
||||
}
|
||||
|
||||
if (whatToAuth instanceof OntoRequestedAction)
|
||||
return pd.setMessage("DbAdminEditingPolicy doesn't authorize OntoRequestedActions");
|
||||
if (whatToAuth instanceof AdminRequestedAction)
|
||||
return pd.setMessage("DbAdminEditingPolicy doesn't authorize AdminRequestedActions");
|
||||
|
||||
//kick off the visitor pattern
|
||||
return whatToAuth.accept(this, whoToAuth);
|
||||
}
|
||||
|
||||
|
||||
protected String getRoleOf( IdentifierBundle whomToAuth) {
|
||||
if( whomToAuth == null ) return null;
|
||||
|
||||
for(Identifier id : whomToAuth){
|
||||
if (id instanceof DbAdminEditingIdentifierFactory.DbAdminEditingId) {
|
||||
return ((DbAdminEditingIdentifierFactory.DbAdminEditingId)id).getRole();
|
||||
}
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
protected boolean canModifyResource(String uri){
|
||||
if( uri == null || uri.length() == 0 )
|
||||
return false;
|
||||
|
||||
if( editableVitroUris.contains( uri ) )
|
||||
return true;
|
||||
|
||||
String namespace = uri.substring(0, Util.splitNamespace(uri));
|
||||
//Matcher match = ns.matcher(uri);
|
||||
//if( match.matches() && match.groupCount() > 0){
|
||||
// String namespace = match.group(1);
|
||||
if( prohibitedNs.contains( namespace ) ) {
|
||||
log.debug("The uri "+uri+" represents a resource that cannot be modified because it matches a prohibited namespace");
|
||||
return false;
|
||||
}
|
||||
//}
|
||||
return true;
|
||||
}
|
||||
|
||||
|
||||
protected boolean canModifyPredicate(String uri){
|
||||
if( uri == null || uri.length() == 0 )
|
||||
return false;
|
||||
|
||||
if( editableVitroUris.contains( uri ) ) // properties like moniker that are never (currently) set non-editable
|
||||
return true;
|
||||
|
||||
if( prohibitedProperties.contains(uri)) {
|
||||
log.debug("The uri "+uri+" represents a predicate that cannot be modified because it is on a list of properties prohibited from dbAdmin editing");
|
||||
return false;
|
||||
}
|
||||
|
||||
String namespace = uri.substring(0, Util.splitNamespace(uri));
|
||||
//Matcher match = ns.matcher(uri);
|
||||
//if( match.matches() && match.groupCount() > 0){
|
||||
// String namespace = match.group(1);
|
||||
if( prohibitedNs.contains( namespace ) ) {
|
||||
log.debug("The uri "+uri+" represents a predicate that cannot be modified because it matches a prohibited namespace");
|
||||
return false;
|
||||
}
|
||||
//}
|
||||
return true;
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, AddObjectPropStmt action) {
|
||||
if( ids == null || action == null )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy, null action or ids");
|
||||
|
||||
//cannot edit resources related to system
|
||||
if( !canModifyResource( action.uriOfObject ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not grant access to admin resources; " +
|
||||
"cannot modify " + action.uriOfObject);
|
||||
|
||||
if( !canModifyResource( action.uriOfSubject ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not grant access to admin resources; " +
|
||||
"cannot modify " + action.uriOfSubject);
|
||||
|
||||
if( !canModifyPredicate( action.uriOfPredicate ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not grant access to prohibited predicates or certain namespaces: " +
|
||||
"cannot modify " + action.uriOfPredicate);
|
||||
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy: user can edit allowed properties of anybody");
|
||||
|
||||
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
|
||||
}
|
||||
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, DropResource action) {
|
||||
if( ids == null || action == null )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy, null action or ids");
|
||||
|
||||
if( prohibitedNs.contains( action.getSubjectUri() ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not removal of admin resources");
|
||||
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy: may remove resource");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, AddResource action) {
|
||||
if( ids == null || action == null )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy, null action or ids");
|
||||
|
||||
if( prohibitedNs.contains( action.getSubjectUri() ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not allow creation of admin resources");
|
||||
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy: may add resource");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, DropDataPropStmt action) {
|
||||
if( ids == null || action == null ) {
|
||||
log.debug("DbAdminEditingPolicy for DropDataPropStmt is inconclusive because the test has null action or ids");
|
||||
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy, null action or ids");
|
||||
}
|
||||
//cannot edit resources related to system
|
||||
if( prohibitedNs.contains( action.getSubjectUri() ) ) { // jc55 was getResourceURI()
|
||||
log.debug("DbAdminEditingPolicy for DropDatapropStmt is inconclusive because it does not grant access to admin resources");
|
||||
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not grant access to admin resources");
|
||||
}
|
||||
|
||||
//many predicates are prohibited by namespace but there are many ones that dbAdmin editors need to work with
|
||||
if( prohibitedNs.contains(action.getPredicateUri() ) && ! editableVitroUris.contains( action.getPredicateUri() ) ) {
|
||||
log.debug("DbAdminEditingPolicy for DropDatapropStmt is inconclusive because it does not grant access to admin controls");
|
||||
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not grant access to admin controls");
|
||||
}
|
||||
|
||||
//cannot edit resources related to system
|
||||
if( !canModifyResource( action.getSubjectUri() ) ) {
|
||||
log.debug("DbAdminEditingPolicy for EditDatapropStmt action is inconclusive because it does not grant access to admin resources; cannot modify " + action.getSubjectUri());
|
||||
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not grant access to admin resources; " +
|
||||
"cannot modify " + action.getSubjectUri());
|
||||
}
|
||||
if( !canModifyPredicate( action.getPredicateUri() ) ) {
|
||||
log.debug("DbAdminEditingPolicy does not grant access to prohibited predicates or certain namespaces: cannot modify " + action.getPredicateUri());
|
||||
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not grant access to prohibited predicates or certain namespaces: " +
|
||||
"cannot modify " + action.getPredicateUri());
|
||||
}
|
||||
log.debug("DbAdminEditingPolicy for DropDatapropStmt returns authorization because the user is a dbAdmin");
|
||||
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy: user is may drop data property statement");
|
||||
|
||||
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
|
||||
}
|
||||
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, DropObjectPropStmt action) {
|
||||
if( ids == null || action == null )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy, null action or ids");
|
||||
|
||||
//cannot edit resources related to system
|
||||
if( !canModifyResource( action.uriOfObject ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not grant access to admin resources; " +
|
||||
"cannot modify " + action.uriOfObject);
|
||||
|
||||
if( !canModifyResource( action.uriOfSubject ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not grant access to admin resources; " +
|
||||
"cannot modify " + action.uriOfSubject);
|
||||
|
||||
if( !canModifyPredicate( action.uriOfPredicate ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not grant access to prohibited predicates or certain namespaces: " +
|
||||
"cannot modify " + action.uriOfPredicate);
|
||||
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy: user can edit any individual");
|
||||
|
||||
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, AddDataPropStmt action) {
|
||||
if( ids == null || action == null )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy has null action or ids");
|
||||
|
||||
//cannot edit resources related to system
|
||||
if( prohibitedNs.contains( action.getSubjectUri() ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not grant access to admin resources from prohibited namespaces");
|
||||
|
||||
//many predicates are prohibited by namespace but there are many ones that dbAdmin editors need to work with
|
||||
if( prohibitedNs.contains(action.getPredicateUri() ) && ! editableVitroUris.contains( action.getPredicateUri() ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not grant access to admin controls");
|
||||
|
||||
if( !canModifyPredicate( action.getPredicateUri() ) ) {
|
||||
log.debug("DbAdminEditingPolicy for AddDataPropStmt does not grant access to prohibited predicates or certain namespaces: cannot modify " + action.getPredicateUri());
|
||||
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy for AddDataPropStmt does not grant access to prohibited predicates or certain namespaces: " +
|
||||
"cannot modify " + action.getPredicateUri());
|
||||
}
|
||||
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy: user may add this data property statement");
|
||||
|
||||
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
|
||||
}
|
||||
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, EditDataPropStmt action) {
|
||||
|
||||
if( ids == null || action == null ) {
|
||||
log.debug("DbAdminEditingPolicy for EditDataPropStmt is inconclusive because the test has null action or ids");
|
||||
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy, null action or ids");
|
||||
}
|
||||
|
||||
//cannot edit resources related to system
|
||||
if( !canModifyResource( action.getSubjectUri() ) ) {
|
||||
log.debug("DbAdminEditingPolicy for EditDatapropStmt action is inconclusive because it does not grant access to admin resources; cannot modify " + action.getSubjectUri());
|
||||
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not grant access to admin resources; " +
|
||||
"cannot modify " + action.getSubjectUri());
|
||||
}
|
||||
if( !canModifyPredicate( action.getPredicateUri() ) ) {
|
||||
log.debug("DbAdminEditingPolicy for EditDataPropStmt does not grant access to prohibited predicates or certain namespaces: cannot modify " + action.getPredicateUri());
|
||||
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy for EditDataPropStmt does not grant access to prohibited predicates or certain namespaces: " +
|
||||
"cannot modify " + action.getPredicateUri());
|
||||
}
|
||||
|
||||
log.debug("DbAdminEditingPolicy for EditDatapropStmt returns authorization because the user is a dbAdmin");
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy: user may edit data property statement");
|
||||
|
||||
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, EditObjPropStmt action) {
|
||||
if( ids == null || action == null )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy, null action or ids");
|
||||
|
||||
//cannot edit resources related to system
|
||||
if( !canModifyResource( action.uriOfObject ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not grant access to admin resources; " +
|
||||
"cannot modify " + action.uriOfObject);
|
||||
|
||||
if( !canModifyResource( action.uriOfSubject ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not grant access to admin resources; " +
|
||||
"cannot modify " + action.uriOfSubject);
|
||||
|
||||
if( !canModifyPredicate( action.uriOfPredicate ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy for EditObjPropStmt does not grant access to prohibited predicates or certain namespaces: " +
|
||||
"cannot modify " + action.uriOfPredicate);
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy: user may edit any individual");
|
||||
|
||||
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
|
||||
}
|
||||
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, UploadFile action) {
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy: may upload files");
|
||||
}
|
||||
|
||||
|
||||
// *** the following actions are generally not part of dbAdmin editing *** //
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, AddNewUser action) {
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy does authorize administrative modifications");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, RemoveUser action) {
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy does authorize administrative modifications");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, LoadOntology action) {
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy does authorize administrative modifications");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, RebuildTextIndex action) {
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy does authorize administrative modifications");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, UpdateTextIndex action) {
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy does authorize administrative modifications");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, ServerStatus action) {
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy does authorize administrative modifications");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, CreateOwlClass action) {
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy does not authorize administrative modifications");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, RemoveOwlClass action) {
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy does authorize administrative modifications");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, DefineDataProperty action) {
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy does authorize administrative modifications");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, DefineObjectProperty action) {
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy does authorize administrative modifications");
|
||||
}
|
||||
|
||||
public String toString(){
|
||||
return "DbAdminEditingPolicy " + hashCode()
|
||||
+ " nspaces: " + prohibitedNs.size() + " prohibited Props: "
|
||||
+ prohibitedProperties.size() + " prohibited resources: "
|
||||
+ prohibitedResources.size();
|
||||
}
|
||||
public class DbAdminEditingPolicy implements PolicyIface {
|
||||
private final ServletContext ctx;
|
||||
|
||||
public DbAdminEditingPolicy(ServletContext ctx) {
|
||||
this.ctx = ctx;
|
||||
}
|
||||
|
||||
/**
|
||||
* Indicates which Authorization to use when the user isn't explicitly
|
||||
* authorized.
|
||||
*/
|
||||
private PolicyDecision defaultDecision(String message) {
|
||||
return new BasicPolicyDecision(Authorization.INCONCLUSIVE, message);
|
||||
}
|
||||
|
||||
@Override
|
||||
public PolicyDecision isAuthorized(IdentifierBundle whoToAuth,
|
||||
RequestedAction whatToAuth) {
|
||||
if (whoToAuth == null) {
|
||||
return defaultDecision("whomToAuth was null");
|
||||
}
|
||||
if (whatToAuth == null) {
|
||||
return defaultDecision("whatToAuth was null");
|
||||
}
|
||||
|
||||
if (!isDba(whoToAuth)) {
|
||||
return defaultDecision("IdBundle does not include a DbAdmin identifier");
|
||||
}
|
||||
|
||||
if (whatToAuth instanceof OntoRequestedAction) {
|
||||
return defaultDecision("DbAdminEditingPolicy doesn't authorize OntoRequestedActions");
|
||||
} else if (whatToAuth instanceof AdminRequestedAction) {
|
||||
return defaultDecision("DbAdminEditingPolicy doesn't authorize AdminRequestedActions");
|
||||
}
|
||||
|
||||
if (whatToAuth instanceof AddDataPropStmt) {
|
||||
return isAuthorized((AddDataPropStmt) whatToAuth);
|
||||
} else if (whatToAuth instanceof DropDataPropStmt) {
|
||||
return isAuthorized((DropDataPropStmt) whatToAuth);
|
||||
} else if (whatToAuth instanceof EditDataPropStmt) {
|
||||
return isAuthorized((EditDataPropStmt) whatToAuth);
|
||||
} else if (whatToAuth instanceof AddObjectPropStmt) {
|
||||
return isAuthorized((AddObjectPropStmt) whatToAuth);
|
||||
} else if (whatToAuth instanceof DropObjectPropStmt) {
|
||||
return isAuthorized((DropObjectPropStmt) whatToAuth);
|
||||
} else if (whatToAuth instanceof EditObjPropStmt) {
|
||||
return isAuthorized((EditObjPropStmt) whatToAuth);
|
||||
} else if (whatToAuth instanceof AddResource) {
|
||||
return isAuthorized((AddResource) whatToAuth);
|
||||
} else if (whatToAuth instanceof DropResource) {
|
||||
return isAuthorized((DropResource) whatToAuth);
|
||||
} else {
|
||||
return defaultDecision("unrecognized requested action: "
|
||||
+ whatToAuth);
|
||||
}
|
||||
}
|
||||
|
||||
private boolean isDba(IdentifierBundle whomToAuth) {
|
||||
for (Identifier id : whomToAuth) {
|
||||
if (id instanceof DbAdminEditingIdentifierFactory.DbAdminEditingId) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
private boolean canModifyResource(String uri) {
|
||||
return PropertyRestrictionPolicyHelper.getBean(ctx).canModifyResource(
|
||||
uri, RoleLevel.DB_ADMIN);
|
||||
}
|
||||
|
||||
private boolean canModifyPredicate(String uri) {
|
||||
return PropertyRestrictionPolicyHelper.getBean(ctx).canModifyPredicate(
|
||||
uri, RoleLevel.DB_ADMIN);
|
||||
}
|
||||
|
||||
/**
|
||||
* Check authorization for Adding, Editing or Dropping a DataProperty.
|
||||
*/
|
||||
private PolicyDecision isAuthorized(AbstractDataPropertyAction action) {
|
||||
if (!canModifyResource(action.getSubjectUri())) {
|
||||
return defaultDecision("DbAdminEditingPolicy does not grant access to admin resources; "
|
||||
+ "may not modify " + action.getSubjectUri());
|
||||
}
|
||||
|
||||
if (!canModifyPredicate(action.getPredicateUri())) {
|
||||
return defaultDecision("DbAdminEditingPolicy does not grant access to admin predicates; "
|
||||
+ "may not modify " + action.getPredicateUri());
|
||||
}
|
||||
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,
|
||||
"DbAdminEditingPolicy: user may modify '"
|
||||
+ action.getSubjectUri() + "' ==> '"
|
||||
+ action.getPredicateUri() + "'");
|
||||
}
|
||||
|
||||
/**
|
||||
* Check authorization for Adding, Editing or Dropping an ObjectProperty.
|
||||
*/
|
||||
private PolicyDecision isAuthorized(AbstractObjectPropertyAction action) {
|
||||
if (!canModifyResource(action.uriOfSubject)) {
|
||||
return defaultDecision("DbAdminEditingPolicy does not grant access to admin resources; "
|
||||
+ "may not modify " + action.uriOfSubject);
|
||||
}
|
||||
|
||||
if (!canModifyPredicate(action.uriOfPredicate)) {
|
||||
return defaultDecision("DbAdminEditingPolicy does not grant access to admin predicates; "
|
||||
+ "may not modify " + action.uriOfPredicate);
|
||||
}
|
||||
|
||||
if (!canModifyResource(action.uriOfObject)) {
|
||||
return defaultDecision("DbAdminEditingPolicy does not grant access to admin resources; "
|
||||
+ "may not modify " + action.uriOfObject);
|
||||
}
|
||||
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,
|
||||
"DbAdminEditingPolicy: user may modify '" + action.uriOfSubject
|
||||
+ "' ==> '" + action.uriOfPredicate + "' ==> '"
|
||||
+ action.uriOfObject + "'");
|
||||
}
|
||||
|
||||
/**
|
||||
* Check authorization for Adding or Dropping a Resource.
|
||||
*/
|
||||
private PolicyDecision isAuthorized(AbstractResourceAction action) {
|
||||
if (!canModifyResource(action.getSubjectUri())) {
|
||||
return defaultDecision("DbAdminEditingPolicy does not grant access to admin resources; "
|
||||
+ "may not modify " + action.getSubjectUri());
|
||||
}
|
||||
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,
|
||||
"DbAdminEditingPolicy: may add or remove resource: "
|
||||
+ action.getSubjectUri());
|
||||
}
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
return "DbAdminEditingPolicy - " + hashCode();
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,432 +2,172 @@
|
|||
|
||||
package edu.cornell.mannlib.vitro.webapp.auth.policy;
|
||||
|
||||
import java.util.Collections;
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
import javax.servlet.ServletContext;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import com.hp.hpl.jena.rdf.model.impl.Util;
|
||||
|
||||
import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.EditorEditingIdentifierFactory;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.Identifier;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionPolicyHelper;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.VisitingPolicyIface;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.AddNewUser;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.LoadOntology;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.RebuildTextIndex;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.RemoveUser;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.ServerStatus;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.UpdateTextIndex;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.UploadFile;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.AdminRequestedAction;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.OntoRequestedAction;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.CreateOwlClass;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.DefineDataProperty;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.DefineObjectProperty;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.RemoveOwlClass;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractDataPropertyAction;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractObjectPropertyAction;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddDataPropStmt;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddObjectPropStmt;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropDataPropStmt;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropObjectPropStmt;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.EditDataPropStmt;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.EditObjPropStmt;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.AbstractResourceAction;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.AddResource;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.DropResource;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
|
||||
|
||||
/**
|
||||
* Policy to use for Vivo non-privileged but user accouunt-based editing
|
||||
* All methods in this class should be thread safe
|
||||
* and side effect free.
|
||||
* Policy to use for Vivo non-privileged but user accouunt-based editing All
|
||||
* methods in this class should be thread safe and side effect free.
|
||||
*/
|
||||
public class EditorEditingPolicy implements VisitingPolicyIface{
|
||||
protected static Log log = LogFactory.getLog( EditorEditingPolicy.class );
|
||||
|
||||
/** regex for extracting a namespace from a URI */
|
||||
// Do not use this; use Jena's splitNamespace() util instead.
|
||||
//private Pattern ns = Pattern.compile("([^#]*#)[^#]*");
|
||||
|
||||
/**
|
||||
* Namespaces from which Editors should not be able to use resources.
|
||||
*/
|
||||
private Set<String> prohibitedNs;
|
||||
|
||||
/** URIs of properties that Editors should not be able to use in statements*/
|
||||
protected Set<String>prohibitedProperties;
|
||||
|
||||
/** URIs of resources that Editors should not be able to use in statements*/
|
||||
protected Set<String>prohibitedResources;
|
||||
|
||||
/** Indicates which Authorization to use when the user isn't explicitly authorized. */
|
||||
protected Authorization defaultFailure = Authorization.INCONCLUSIVE;
|
||||
|
||||
/** URIs of properties from prohibited namespaces that Editors need to be
|
||||
* able to edit */
|
||||
protected Set<String> editableVitroUris;
|
||||
|
||||
public EditorEditingPolicy(
|
||||
Set<String>prohibitedProperties,
|
||||
Set<String>prohibitedResources,
|
||||
Set<String>prohibitedNamespaces,
|
||||
Set<String>editableVitroUris ){
|
||||
|
||||
if( prohibitedProperties != null )
|
||||
this.prohibitedProperties = prohibitedProperties;
|
||||
else
|
||||
this.prohibitedProperties = Collections.EMPTY_SET;
|
||||
|
||||
if( prohibitedResources != null )
|
||||
this.prohibitedResources = prohibitedResources;
|
||||
else
|
||||
this.prohibitedResources = Collections.EMPTY_SET;
|
||||
|
||||
if( prohibitedNamespaces != null )
|
||||
this.prohibitedNs = prohibitedNamespaces;
|
||||
else{
|
||||
prohibitedNs = new HashSet<String>();
|
||||
prohibitedNs.add( VitroVocabulary.vitroURI);
|
||||
prohibitedNs.add( VitroVocabulary.OWL );
|
||||
prohibitedNs.add("");
|
||||
}
|
||||
|
||||
if( editableVitroUris != null )
|
||||
this.editableVitroUris = editableVitroUris;
|
||||
else{
|
||||
this.editableVitroUris = new HashSet<String>();
|
||||
this.editableVitroUris.add(VitroVocabulary.MONIKER);
|
||||
this.editableVitroUris.add(VitroVocabulary.BLURB);
|
||||
this.editableVitroUris.add(VitroVocabulary.DESCRIPTION);
|
||||
this.editableVitroUris.add(VitroVocabulary.MODTIME);
|
||||
this.editableVitroUris.add(VitroVocabulary.TIMEKEY);
|
||||
|
||||
this.editableVitroUris.add(VitroVocabulary.CITATION);
|
||||
this.editableVitroUris.add(VitroVocabulary.IND_MAIN_IMAGE);
|
||||
|
||||
this.editableVitroUris.add(VitroVocabulary.LINK);
|
||||
this.editableVitroUris.add(VitroVocabulary.PRIMARY_LINK);
|
||||
this.editableVitroUris.add(VitroVocabulary.ADDITIONAL_LINK);
|
||||
this.editableVitroUris.add(VitroVocabulary.LINK_ANCHOR);
|
||||
this.editableVitroUris.add(VitroVocabulary.LINK_URL);
|
||||
|
||||
this.editableVitroUris.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION);
|
||||
this.editableVitroUris.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION_INVOLVESKEYWORD);
|
||||
this.editableVitroUris.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION_INVOLVESINDIVIDUAL);
|
||||
this.editableVitroUris.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION_MODE);
|
||||
}
|
||||
}
|
||||
|
||||
public PolicyDecision isAuthorized(IdentifierBundle whomToAuth, RequestedAction whatToAuth) {
|
||||
BasicPolicyDecision pd = new BasicPolicyDecision(this.defaultFailure,"not yet set");
|
||||
if( whomToAuth == null )
|
||||
return pd.setMessage("whomToAuth was null");
|
||||
if(whatToAuth == null)
|
||||
return pd.setMessage("whatToAuth was null");
|
||||
|
||||
String roleStr = getRoleOf(whomToAuth);
|
||||
if (roleStr == null)
|
||||
return pd.setMessage("Unable to get a role for the editor from IdBundle");
|
||||
|
||||
try{
|
||||
if( Integer.parseInt( roleStr ) /*<*/ != LoginStatusBean.EDITOR)
|
||||
return pd.setMessage("EditorEditingPolicy found role of "+roleStr+" but only authorizes for users logged in as EDITOR or higher");
|
||||
}catch(NumberFormatException nef){}
|
||||
|
||||
if (whatToAuth instanceof OntoRequestedAction)
|
||||
return pd.setMessage("EditorEditingPolicy doesn't authorize OntoRequestedActions");
|
||||
if (whatToAuth instanceof AdminRequestedAction)
|
||||
return pd.setMessage("EditorEditingPolicy doesn't authorize AdminRequestedActions");
|
||||
|
||||
//kick off the visitor pattern
|
||||
return whatToAuth.accept(this, whomToAuth);
|
||||
}
|
||||
|
||||
|
||||
protected String getRoleOf( IdentifierBundle whomToAuth) {
|
||||
if( whomToAuth == null ) return null;
|
||||
|
||||
for(Identifier id : whomToAuth){
|
||||
if (id instanceof EditorEditingIdentifierFactory.EditorEditingId) {
|
||||
return ((EditorEditingIdentifierFactory.EditorEditingId)id).getRole();
|
||||
}
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
protected boolean canModifyResource(String uri){
|
||||
if( uri == null || uri.length() == 0 )
|
||||
return false;
|
||||
|
||||
if( editableVitroUris.contains( uri ) )
|
||||
return true;
|
||||
|
||||
String namespace = uri.substring(0, Util.splitNamespace(uri));
|
||||
//Matcher match = ns.matcher(uri);
|
||||
//if( match.matches() && match.groupCount() > 0){
|
||||
// String namespace = match.group(1);
|
||||
if( prohibitedNs.contains( namespace ) ) {
|
||||
log.debug("The uri "+uri+" represents a resource that cannot be modified because it matches a prohibited namespace");
|
||||
return false;
|
||||
}
|
||||
//}
|
||||
return true;
|
||||
}
|
||||
|
||||
|
||||
protected boolean canModifyPredicate(String uri){
|
||||
if( uri == null || uri.length() == 0 )
|
||||
return false;
|
||||
|
||||
if( editableVitroUris.contains( uri ) )
|
||||
return true;
|
||||
|
||||
if( prohibitedProperties.contains(uri)) {
|
||||
log.debug("The uri "+uri+" represents a predicate that cannot be modified because it is on a list of properties prohibited from editor editing");
|
||||
return false;
|
||||
}
|
||||
|
||||
String namespace = uri.substring(0, Util.splitNamespace(uri));
|
||||
//Matcher match = ns.matcher(uri);
|
||||
//if( match.matches() && match.groupCount() > 0){
|
||||
// String namespace = match.group(1);
|
||||
if( prohibitedNs.contains( namespace ) ) {
|
||||
log.debug("The uri "+uri+" represents a predicate that cannot be modified because it matches a prohibited namespace");
|
||||
return false;
|
||||
}
|
||||
//}
|
||||
return true;
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, AddObjectPropStmt action) {
|
||||
if( ids == null || action == null )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy, null action or ids");
|
||||
|
||||
//cannot edit resources related to system
|
||||
if( !canModifyResource( action.uriOfObject ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin resources; " +
|
||||
"cannot modify " + action.uriOfObject);
|
||||
|
||||
if( !canModifyResource( action.uriOfSubject ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin resources; " +
|
||||
"cannot modify " + action.uriOfSubject);
|
||||
|
||||
if( !canModifyPredicate( action.uriOfPredicate ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin predicates; " +
|
||||
"cannot modify " + action.uriOfPredicate);
|
||||
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"EditorEditingPolicy: user can edit allowed properties of anybody");
|
||||
|
||||
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
|
||||
}
|
||||
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, DropResource action) {
|
||||
if( ids == null || action == null )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy, null action or ids");
|
||||
|
||||
if( prohibitedNs.contains( action.getSubjectUri() ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not removal of admin resources");
|
||||
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"EditorEditingPolicy: may remove resource");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, AddResource action) {
|
||||
if( ids == null || action == null )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy, null action or ids");
|
||||
|
||||
if( prohibitedNs.contains( action.getSubjectUri() ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not allow creation of admin resources");
|
||||
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"EditorEditingPolicy: may add resource");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, DropDataPropStmt action) {
|
||||
if( ids == null || action == null ) {
|
||||
log.debug("EditorEditingPolicy for DropDataPropStmt is inconclusive because the test has null action or ids");
|
||||
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy, null action or ids");
|
||||
}
|
||||
//cannot edit resources related to system
|
||||
if( prohibitedNs.contains( action.getSubjectUri() ) ) { // jc55 was getResourceURI()
|
||||
log.debug("EditorEditingPolicy for DropDatapropStmt is inconclusive because it does not grant access to admin resources");
|
||||
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin resources");
|
||||
}
|
||||
|
||||
//many predicates are prohibited by namespace but there are many ones that editor editors need to work with
|
||||
if( prohibitedNs.contains(action.getPredicateUri() ) && ! editableVitroUris.contains( action.getPredicateUri() ) ) {
|
||||
log.debug("EditorEditingPolicy for DropDatapropStmt is inconclusive because it does not grant access to admin controls");
|
||||
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin controls");
|
||||
}
|
||||
|
||||
//cannot edit resources related to system
|
||||
if( !canModifyResource( action.getSubjectUri() ) ) {
|
||||
log.debug("EditorEditingPolicy for EditDatapropStmt action is inconclusive because it does not grant access to admin resources; cannot modify " + action.getSubjectUri());
|
||||
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin resources; " +
|
||||
"cannot modify " + action.getSubjectUri());
|
||||
}
|
||||
if( !canModifyPredicate( action.getPredicateUri() ) ) {
|
||||
log.debug("EditorEditingPolicy for EditDatapropStmt is inconclusive because it does not grant access to admin predicates; cannot modify " + action.getPredicateUri());
|
||||
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin predicates; " +
|
||||
"cannot modify " + action.getPredicateUri());
|
||||
}
|
||||
log.debug("EditorEditingPolicy for DropDatapropStmt returns authorization because the user is a editor");
|
||||
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"EditorEditingPolicy: user is may drop data property statement");
|
||||
|
||||
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
|
||||
}
|
||||
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, DropObjectPropStmt action) {
|
||||
if( ids == null || action == null )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy, null action or ids");
|
||||
|
||||
//cannot edit resources related to system
|
||||
if( !canModifyResource( action.uriOfObject ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin resources; " +
|
||||
"cannot modify " + action.uriOfObject);
|
||||
|
||||
if( !canModifyResource( action.uriOfSubject ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin resources; " +
|
||||
"cannot modify " + action.uriOfSubject);
|
||||
|
||||
if( !canModifyPredicate( action.uriOfPredicate ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin predicates; " +
|
||||
"cannot modify " + action.uriOfPredicate);
|
||||
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"EditorEditingPolicy: user can edit any individual");
|
||||
|
||||
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, AddDataPropStmt action) {
|
||||
if( ids == null || action == null )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy, null action or ids");
|
||||
|
||||
//cannot edit resources related to system
|
||||
if( prohibitedNs.contains( action.getSubjectUri() ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin resources");
|
||||
|
||||
//many predicates are prohibited by namespace but there are many ones that editor editors need to work with
|
||||
if( prohibitedNs.contains(action.getPredicateUri() ) && ! editableVitroUris.contains( action.getPredicateUri() ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin controls");
|
||||
|
||||
if( !canModifyPredicate( action.getPredicateUri() ) ) {
|
||||
log.debug("EditorEditingPolicy for AddDataPropStmt does not grant access to prohibited predicates or certain namespaces: cannot modify " + action.getPredicateUri());
|
||||
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy for AddDataPropStmt does not grant access to prohibited predicates or certain namespaces: " +
|
||||
"cannot modify " + action.getPredicateUri());
|
||||
}
|
||||
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"EditorEditingPolicy: user may add this data property statement");
|
||||
|
||||
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
|
||||
}
|
||||
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, EditDataPropStmt action) {
|
||||
|
||||
if( ids == null || action == null ) {
|
||||
log.debug("EditorEditingPolicy for EditDataPropStmt is inconclusive because the test has null action or ids");
|
||||
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy, null action or ids");
|
||||
}
|
||||
|
||||
//cannot edit resources related to system
|
||||
if( !canModifyResource( action.getSubjectUri() ) ) {
|
||||
log.debug("EditorEditingPolicy for EditDatapropStmt action is inconclusive because it does not grant access to admin resources; cannot modify " + action.getSubjectUri());
|
||||
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin resources; " +
|
||||
"cannot modify " + action.getSubjectUri());
|
||||
}
|
||||
if( !canModifyPredicate( action.getPredicateUri() ) ) {
|
||||
log.debug("EditorEditingPolicy for EditDataPropStmt does not grant access to prohibited predicates or certain namespaces: cannot modify " + action.getPredicateUri());
|
||||
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy for EditDataPropStmt does not grant access to prohibited predicates or certain namespaces: " +
|
||||
"cannot modify " + action.getPredicateUri());
|
||||
}
|
||||
|
||||
log.debug("EditorEditingPolicy for EditDatapropStmt returns authorization because the user is a editor");
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"EditorEditingPolicy: user may edit data property statement");
|
||||
|
||||
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
|
||||
}
|
||||
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, EditObjPropStmt action) {
|
||||
if( ids == null || action == null )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy, null action or ids");
|
||||
|
||||
//cannot edit resources related to system
|
||||
if( !canModifyResource( action.uriOfObject ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin resources; " +
|
||||
"cannot modify " + action.uriOfObject);
|
||||
|
||||
if( !canModifyResource( action.uriOfSubject ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin resources; " +
|
||||
"cannot modify " + action.uriOfSubject);
|
||||
|
||||
if( !canModifyPredicate( action.uriOfPredicate ) )
|
||||
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin predicates; " +
|
||||
"cannot modify " + action.uriOfPredicate);
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"EditorEditingPolicy: user may edit any individual");
|
||||
|
||||
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
|
||||
}
|
||||
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, UploadFile action) {
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"EditorEditingPolicy: may upload files");
|
||||
}
|
||||
|
||||
|
||||
// *** the following actions are generally not part of editor editing *** //
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, AddNewUser action) {
|
||||
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"EditorEditingPolicy does not authorize administrative modifications");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, RemoveUser action) {
|
||||
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"EditorEditingPolicy does not authorize administrative modifications");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, LoadOntology action) {
|
||||
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"EditorEditingPolicy does not authorize administrative modifications");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, RebuildTextIndex action) {
|
||||
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"EditorEditingPolicy does not authorize administrative modifications");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, UpdateTextIndex action) {
|
||||
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"EditorEditingPolicy does not authorize administrative modifications");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, ServerStatus action) {
|
||||
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"EditorEditingPolicy does not authorize administrative modifications");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, CreateOwlClass action) {
|
||||
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"EditorEditingPolicy does not authorize administrative modifications");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, RemoveOwlClass action) {
|
||||
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"EditorEditingPolicy does not authorize administrative modifications");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, DefineDataProperty action) {
|
||||
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"EditorEditingPolicy does not authorize administrative modifications");
|
||||
}
|
||||
|
||||
public PolicyDecision visit(IdentifierBundle ids, DefineObjectProperty action) {
|
||||
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"EditorEditingPolicy does not authorize administrative modifications");
|
||||
}
|
||||
|
||||
public String toString(){
|
||||
return "EditorEditingPolicy " + hashCode()
|
||||
+ " nspaces: " + prohibitedNs.size() + " prohibited Props: "
|
||||
+ prohibitedProperties.size() + " prohibited resources: "
|
||||
+ prohibitedResources.size();
|
||||
}
|
||||
public class EditorEditingPolicy implements PolicyIface {
|
||||
|
||||
private final ServletContext ctx;
|
||||
|
||||
public EditorEditingPolicy(ServletContext ctx) {
|
||||
this.ctx = ctx;
|
||||
}
|
||||
|
||||
/**
|
||||
* Indicates which Authorization to use when the user isn't explicitly
|
||||
* authorized.
|
||||
*/
|
||||
private PolicyDecision defaultDecision(String message) {
|
||||
return new BasicPolicyDecision(Authorization.INCONCLUSIVE, message);
|
||||
}
|
||||
|
||||
@Override
|
||||
public PolicyDecision isAuthorized(IdentifierBundle whomToAuth,
|
||||
RequestedAction whatToAuth) {
|
||||
if (whomToAuth == null) {
|
||||
return defaultDecision("whomToAuth was null");
|
||||
}
|
||||
if (whatToAuth == null) {
|
||||
return defaultDecision("whatToAuth was null");
|
||||
}
|
||||
if (!isEditor(whomToAuth)) {
|
||||
return defaultDecision("IdBundle does not include an Editor identifier");
|
||||
}
|
||||
|
||||
if (whatToAuth instanceof OntoRequestedAction) {
|
||||
return defaultDecision("EditorEditingPolicy doesn't authorize OntoRequestedActions");
|
||||
} else if (whatToAuth instanceof AdminRequestedAction) {
|
||||
return defaultDecision("EditorEditingPolicy doesn't authorize AdminRequestedActions");
|
||||
}
|
||||
|
||||
if (whatToAuth instanceof AddDataPropStmt) {
|
||||
return isAuthorized((AddDataPropStmt) whatToAuth);
|
||||
} else if (whatToAuth instanceof DropDataPropStmt) {
|
||||
return isAuthorized((DropDataPropStmt) whatToAuth);
|
||||
} else if (whatToAuth instanceof EditDataPropStmt) {
|
||||
return isAuthorized((EditDataPropStmt) whatToAuth);
|
||||
} else if (whatToAuth instanceof AddObjectPropStmt) {
|
||||
return isAuthorized((AddObjectPropStmt) whatToAuth);
|
||||
} else if (whatToAuth instanceof DropObjectPropStmt) {
|
||||
return isAuthorized((DropObjectPropStmt) whatToAuth);
|
||||
} else if (whatToAuth instanceof EditObjPropStmt) {
|
||||
return isAuthorized((EditObjPropStmt) whatToAuth);
|
||||
} else if (whatToAuth instanceof AddResource) {
|
||||
return isAuthorized((AddResource) whatToAuth);
|
||||
} else if (whatToAuth instanceof DropResource) {
|
||||
return isAuthorized((DropResource) whatToAuth);
|
||||
} else {
|
||||
return defaultDecision("unrecognized requested action: "
|
||||
+ whatToAuth);
|
||||
}
|
||||
}
|
||||
|
||||
private boolean isEditor(IdentifierBundle whomToAuth) {
|
||||
for (Identifier id : whomToAuth) {
|
||||
if (id instanceof EditorEditingIdentifierFactory.EditorEditingId) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
private boolean canModifyResource(String uri) {
|
||||
return PropertyRestrictionPolicyHelper.getBean(ctx).canModifyResource(
|
||||
uri, RoleLevel.EDITOR);
|
||||
}
|
||||
|
||||
private boolean canModifyPredicate(String uri) {
|
||||
return PropertyRestrictionPolicyHelper.getBean(ctx).canModifyPredicate(
|
||||
uri, RoleLevel.EDITOR);
|
||||
}
|
||||
|
||||
/**
|
||||
* Check authorization for Adding, Editing or Dropping a DataProperty.
|
||||
*/
|
||||
private PolicyDecision isAuthorized(AbstractDataPropertyAction action) {
|
||||
if (!canModifyResource(action.getSubjectUri())) {
|
||||
return defaultDecision("EditorEditingPolicy does not grant access to admin resources; "
|
||||
+ "may not modify " + action.getSubjectUri());
|
||||
}
|
||||
|
||||
if (!canModifyPredicate(action.getPredicateUri())) {
|
||||
return defaultDecision("EditorEditingPolicy does not grant access to admin predicates; "
|
||||
+ "may not modify " + action.getPredicateUri());
|
||||
}
|
||||
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,
|
||||
"EditorEditingPolicy: user may modify '"
|
||||
+ action.getSubjectUri() + "' ==> '"
|
||||
+ action.getPredicateUri() + "'");
|
||||
}
|
||||
|
||||
/**
|
||||
* Check authorization for Adding, Editing or Dropping an ObjectProperty.
|
||||
*/
|
||||
private PolicyDecision isAuthorized(AbstractObjectPropertyAction action) {
|
||||
if (!canModifyResource(action.uriOfSubject)) {
|
||||
return defaultDecision("EditorEditingPolicy does not grant access to admin resources; "
|
||||
+ "may not modify " + action.uriOfSubject);
|
||||
}
|
||||
|
||||
if (!canModifyPredicate(action.uriOfPredicate)) {
|
||||
return defaultDecision("EditorEditingPolicy does not grant access to admin predicates; "
|
||||
+ "may not modify " + action.uriOfPredicate);
|
||||
}
|
||||
|
||||
if (!canModifyResource(action.uriOfObject)) {
|
||||
return defaultDecision("EditorEditingPolicy does not grant access to admin resources; "
|
||||
+ "may not modify " + action.uriOfObject);
|
||||
}
|
||||
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,
|
||||
"EditorEditingPolicy: user may modify '" + action.uriOfSubject
|
||||
+ "' ==> '" + action.uriOfPredicate + "' ==> '"
|
||||
+ action.uriOfObject + "'");
|
||||
}
|
||||
|
||||
/**
|
||||
* Check authorization for Adding or Dropping a Resource.
|
||||
*/
|
||||
private PolicyDecision isAuthorized(AbstractResourceAction action) {
|
||||
if (!canModifyResource(action.getSubjectUri())) {
|
||||
return defaultDecision("EditorEditingPolicy does not grant access to admin resources; "
|
||||
+ "may not modify " + action.getSubjectUri());
|
||||
}
|
||||
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,
|
||||
"EditorEditingPolicy: may add or remove resource: "
|
||||
+ action.getSubjectUri());
|
||||
}
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
return "EditorEditingPolicy - " + hashCode();
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -5,6 +5,8 @@ package edu.cornell.mannlib.vitro.webapp.auth.policy;
|
|||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
import javax.servlet.ServletContext;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
|
|
@ -23,6 +25,7 @@ import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
|
|||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractDataPropertyAction;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractObjectPropertyAction;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
|
||||
|
||||
/**
|
||||
|
|
@ -44,12 +47,10 @@ public class InformationResourceEditingPolicy extends BaseSelfEditingPolicy
|
|||
+ "linkedAuthor";
|
||||
|
||||
private final OntModel model;
|
||||
private final AdministrativeUriRestrictor restrictor;
|
||||
|
||||
public InformationResourceEditingPolicy(OntModel model,
|
||||
AdministrativeUriRestrictor restrictor) {
|
||||
public InformationResourceEditingPolicy(ServletContext ctx, OntModel model) {
|
||||
super(ctx, RoleLevel.SELF);
|
||||
this.model = model;
|
||||
this.restrictor = restrictor;
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
@ -91,10 +92,10 @@ public class InformationResourceEditingPolicy extends BaseSelfEditingPolicy
|
|||
String subject = action.getSubjectUri();
|
||||
String predicate = action.getPredicateUri();
|
||||
|
||||
if (!restrictor.canModifyResource(subject)) {
|
||||
if (!canModifyResource(subject)) {
|
||||
return cantModifyResource(subject);
|
||||
}
|
||||
if (!restrictor.canModifyPredicate(predicate)) {
|
||||
if (!canModifyPredicate(predicate)) {
|
||||
return cantModifyPredicate(predicate);
|
||||
}
|
||||
|
||||
|
|
@ -120,13 +121,13 @@ public class InformationResourceEditingPolicy extends BaseSelfEditingPolicy
|
|||
String predicate = action.getUriOfPredicate();
|
||||
String object = action.getUriOfObject();
|
||||
|
||||
if (!restrictor.canModifyResource(subject)) {
|
||||
if (!canModifyResource(subject)) {
|
||||
return cantModifyResource(subject);
|
||||
}
|
||||
if (!restrictor.canModifyPredicate(predicate)) {
|
||||
if (!canModifyPredicate(predicate)) {
|
||||
return cantModifyPredicate(predicate);
|
||||
}
|
||||
if (!restrictor.canModifyResource(object)) {
|
||||
if (!canModifyResource(object)) {
|
||||
return cantModifyResource(object);
|
||||
}
|
||||
|
||||
|
|
@ -286,34 +287,4 @@ public class InformationResourceEditingPolicy extends BaseSelfEditingPolicy
|
|||
private PolicyDecision authorizedObjectAuthor() {
|
||||
return authorizedDecision("User is author of the object of the statement");
|
||||
}
|
||||
|
||||
/**
|
||||
* TODO
|
||||
*
|
||||
* <pre>
|
||||
* We don't need to do resource operations.
|
||||
*
|
||||
* We can do data or object property operations
|
||||
* if not restricted
|
||||
* if the subject or object is an information resource
|
||||
* if that information resource has an author or editor who is an active self-editor.
|
||||
* </pre>
|
||||
*/
|
||||
|
||||
/**
|
||||
* TODO
|
||||
*
|
||||
* <pre>
|
||||
* If the request is an object property operation
|
||||
*
|
||||
* Check restrictions. If restricted, we are done.
|
||||
* Get the URIs of self-editors identifiers. If none, we are done.
|
||||
* Get the list of editors and authors for this document. Is
|
||||
* Get the list of information resources that these self-editors author or edit.
|
||||
* If subject or object is in that set, approve.
|
||||
*
|
||||
* If the request is a data property operations, same except there is no object.
|
||||
* </pre>
|
||||
*/
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -3,12 +3,8 @@
|
|||
package edu.cornell.mannlib.vitro.webapp.auth.policy;
|
||||
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import com.hp.hpl.jena.ontology.OntModel;
|
||||
import javax.servlet.ServletContext;
|
||||
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
|
||||
|
|
@ -17,6 +13,7 @@ import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAct
|
|||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractDataPropertyAction;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractObjectPropertyAction;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.AbstractResourceAction;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
|
||||
|
||||
/**
|
||||
* Policy to use for Vivo Self-Editing based on NetId for use at Cornell. All
|
||||
|
|
@ -24,19 +21,11 @@ import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.AbstractRe
|
|||
*/
|
||||
public class SelfEditingPolicy extends BaseSelfEditingPolicy implements
|
||||
PolicyIface {
|
||||
protected static Log log = LogFactory.getLog(SelfEditingPolicy.class);
|
||||
|
||||
protected final OntModel model;
|
||||
private final AdministrativeUriRestrictor restrictor;
|
||||
|
||||
public SelfEditingPolicy(Set<String> prohibitedProperties,
|
||||
Set<String> prohibitedResources, Set<String> prohibitedNamespaces,
|
||||
Set<String> editableVitroUris, OntModel model) {
|
||||
this.model = model;
|
||||
this.restrictor = new AdministrativeUriRestrictor(prohibitedProperties,
|
||||
prohibitedResources, prohibitedNamespaces, editableVitroUris);
|
||||
public SelfEditingPolicy(ServletContext ctx) {
|
||||
super(ctx, RoleLevel.SELF);
|
||||
}
|
||||
|
||||
@Override
|
||||
public PolicyDecision isAuthorized(IdentifierBundle whoToAuth,
|
||||
RequestedAction whatToAuth) {
|
||||
if (whoToAuth == null) {
|
||||
|
|
@ -80,13 +69,13 @@ public class SelfEditingPolicy extends BaseSelfEditingPolicy implements
|
|||
String predicate = action.getUriOfPredicate();
|
||||
String object = action.getUriOfObject();
|
||||
|
||||
if (!restrictor.canModifyResource(subject)) {
|
||||
if (!canModifyResource(subject)) {
|
||||
return cantModifyResource(subject);
|
||||
}
|
||||
if (!restrictor.canModifyPredicate(predicate)) {
|
||||
if (!canModifyPredicate(predicate)) {
|
||||
return cantModifyPredicate(predicate);
|
||||
}
|
||||
if (!restrictor.canModifyResource(object)) {
|
||||
if (!canModifyResource(object)) {
|
||||
return cantModifyResource(object);
|
||||
}
|
||||
|
||||
|
|
@ -106,10 +95,10 @@ public class SelfEditingPolicy extends BaseSelfEditingPolicy implements
|
|||
String subject = action.getSubjectUri();
|
||||
String predicate = action.getPredicateUri();
|
||||
|
||||
if (!restrictor.canModifyResource(subject)) {
|
||||
if (!canModifyResource(subject)) {
|
||||
return cantModifyResource(subject);
|
||||
}
|
||||
if (!restrictor.canModifyPredicate(predicate)) {
|
||||
if (!canModifyPredicate(predicate)) {
|
||||
return cantModifyPredicate(predicate);
|
||||
}
|
||||
|
||||
|
|
@ -126,7 +115,7 @@ public class SelfEditingPolicy extends BaseSelfEditingPolicy implements
|
|||
private PolicyDecision isAuthorizedForResourceAction(
|
||||
AbstractResourceAction action) {
|
||||
String uri = action.getSubjectUri();
|
||||
if (!restrictor.canModifyResource(uri)) {
|
||||
if (!canModifyResource(uri)) {
|
||||
return cantModifyResource(uri);
|
||||
} else {
|
||||
return authorizedDecision("May add/remove resource.");
|
||||
|
|
@ -162,7 +151,7 @@ public class SelfEditingPolicy extends BaseSelfEditingPolicy implements
|
|||
|
||||
@Override
|
||||
public String toString() {
|
||||
return "SelfEditingPolicy " + hashCode() + "[" + restrictor + "]";
|
||||
return "SelfEditingPolicy - " + hashCode();
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -11,8 +11,8 @@ import com.hp.hpl.jena.ontology.OntModel;
|
|||
|
||||
import edu.cornell.mannlib.vedit.beans.EditProcessObject;
|
||||
import edu.cornell.mannlib.vedit.listener.ChangeListener;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.Property;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.Property;
|
||||
|
||||
/**
|
||||
* Add this ChangeListener to your EditProcessObject when modifying the
|
||||
|
|
@ -37,7 +37,7 @@ public class PropertyRestrictionListener implements ChangeListener {
|
|||
Property p = (Property) oldObj;
|
||||
if (eitherRoleChanged(p.getHiddenFromDisplayBelowRoleLevel(),
|
||||
p.getProhibitedFromUpdateBelowRoleLevel(), null, null)) {
|
||||
log.debug("replacing all prohibition policies after deletion");
|
||||
log.debug("rebuilding the PropertyRestrictionPolicyHelper after deletion");
|
||||
createAndSetBean();
|
||||
}
|
||||
}
|
||||
|
|
@ -51,7 +51,7 @@ public class PropertyRestrictionListener implements ChangeListener {
|
|||
if (eitherRoleChanged(null, null,
|
||||
p.getHiddenFromDisplayBelowRoleLevel(),
|
||||
p.getProhibitedFromUpdateBelowRoleLevel())) {
|
||||
log.debug("replacing all prohibition policies after insertion");
|
||||
log.debug("rebuilding the PropertyRestrictionPolicyHelper after insertion");
|
||||
createAndSetBean();
|
||||
}
|
||||
}
|
||||
|
|
@ -67,7 +67,7 @@ public class PropertyRestrictionListener implements ChangeListener {
|
|||
oldP.getProhibitedFromUpdateBelowRoleLevel(),
|
||||
newP.getHiddenFromDisplayBelowRoleLevel(),
|
||||
newP.getProhibitedFromUpdateBelowRoleLevel())) {
|
||||
log.debug("replacing all prohibition policies after update");
|
||||
log.debug("rebuilding the PropertyRestrictionPolicyHelper after update");
|
||||
createAndSetBean();
|
||||
}
|
||||
}
|
||||
|
|
@ -91,6 +91,8 @@ public class PropertyRestrictionListener implements ChangeListener {
|
|||
|
||||
private void createAndSetBean() {
|
||||
OntModel model = (OntModel) ctx.getAttribute("jenaOntModel");
|
||||
PropertyRestrictionPolicyHelper.createAndSetBean(ctx, model);
|
||||
PropertyRestrictionPolicyHelper bean = PropertyRestrictionPolicyHelper
|
||||
.createBean(model);
|
||||
PropertyRestrictionPolicyHelper.setBean(ctx, bean);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,12 +2,12 @@
|
|||
|
||||
package edu.cornell.mannlib.vitro.webapp.auth.policy.bean;
|
||||
|
||||
import java.util.Arrays;
|
||||
import java.util.Collection;
|
||||
import java.util.Collections;
|
||||
import java.util.HashMap;
|
||||
import java.util.HashSet;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
|
||||
import javax.servlet.ServletContext;
|
||||
import javax.servlet.ServletContextEvent;
|
||||
|
|
@ -27,57 +27,49 @@ import com.hp.hpl.jena.shared.Lock;
|
|||
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
|
||||
import edu.cornell.mannlib.vitro.webapp.servlet.setup.AbortStartup;
|
||||
|
||||
/**
|
||||
* Assists the role-based policies in determining whether a property or resource
|
||||
* may be displayed or modified.
|
||||
*
|
||||
* There is a bean in the context that holds the current threshold role levels
|
||||
* for displaying and modifying restricted properties.
|
||||
*
|
||||
* Create this bean after the Jena model is in place in the context.
|
||||
*
|
||||
* Add PropertyRestrictionListener to your EditProcessObject if you are editing
|
||||
* a property, to ensure that the bean stays current.
|
||||
*/
|
||||
public class PropertyRestrictionPolicyHelper {
|
||||
private static final Log log = LogFactory
|
||||
.getLog(PropertyRestrictionPolicyHelper.class);
|
||||
|
||||
private static final Collection<String> PROHIBITED_NAMESPACES = setProhibitedNamespaces();
|
||||
private static final Collection<String> PERMITTED_EXCEPTIONS = setPermittedExceptions();
|
||||
private static final Collection<String> PROHIBITED_NAMESPACES = Arrays
|
||||
.asList(new String[] { VitroVocabulary.vitroURI,
|
||||
VitroVocabulary.OWL, "" });
|
||||
|
||||
private static Collection<String> setProhibitedNamespaces() {
|
||||
Set<String> prohibitedNs = new HashSet<String>();
|
||||
prohibitedNs.add(VitroVocabulary.vitroURI);
|
||||
prohibitedNs.add(VitroVocabulary.OWL);
|
||||
prohibitedNs.add("");
|
||||
return Collections.unmodifiableSet(prohibitedNs);
|
||||
}
|
||||
private static final Collection<String> PERMITTED_EXCEPTIONS = Arrays
|
||||
.asList(new String[] {
|
||||
VitroVocabulary.MONIKER,
|
||||
VitroVocabulary.BLURB,
|
||||
VitroVocabulary.DESCRIPTION,
|
||||
VitroVocabulary.MODTIME,
|
||||
VitroVocabulary.TIMEKEY,
|
||||
|
||||
private static Collection<String> setPermittedExceptions() {
|
||||
Set<String> editableVitroUris = new HashSet<String>();
|
||||
VitroVocabulary.CITATION,
|
||||
VitroVocabulary.IND_MAIN_IMAGE,
|
||||
|
||||
editableVitroUris.add(VitroVocabulary.MONIKER);
|
||||
editableVitroUris.add(VitroVocabulary.BLURB);
|
||||
editableVitroUris.add(VitroVocabulary.DESCRIPTION);
|
||||
editableVitroUris.add(VitroVocabulary.MODTIME);
|
||||
editableVitroUris.add(VitroVocabulary.TIMEKEY);
|
||||
VitroVocabulary.LINK,
|
||||
VitroVocabulary.PRIMARY_LINK,
|
||||
VitroVocabulary.ADDITIONAL_LINK,
|
||||
VitroVocabulary.LINK_ANCHOR,
|
||||
VitroVocabulary.LINK_URL,
|
||||
|
||||
editableVitroUris.add(VitroVocabulary.CITATION);
|
||||
editableVitroUris.add(VitroVocabulary.IND_MAIN_IMAGE);
|
||||
|
||||
editableVitroUris.add(VitroVocabulary.LINK);
|
||||
editableVitroUris.add(VitroVocabulary.PRIMARY_LINK);
|
||||
editableVitroUris.add(VitroVocabulary.ADDITIONAL_LINK);
|
||||
editableVitroUris.add(VitroVocabulary.LINK_ANCHOR);
|
||||
editableVitroUris.add(VitroVocabulary.LINK_URL);
|
||||
|
||||
editableVitroUris.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION);
|
||||
editableVitroUris
|
||||
.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION_INVOLVESKEYWORD);
|
||||
editableVitroUris
|
||||
.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION_INVOLVESINDIVIDUAL);
|
||||
editableVitroUris.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION_MODE);
|
||||
|
||||
return Collections.unmodifiableSet(editableVitroUris);
|
||||
}
|
||||
|
||||
// ----------------------------------------------------------------------
|
||||
// static methods
|
||||
// ----------------------------------------------------------------------
|
||||
VitroVocabulary.KEYWORD_INDIVIDUALRELATION,
|
||||
VitroVocabulary.KEYWORD_INDIVIDUALRELATION_INVOLVESKEYWORD,
|
||||
VitroVocabulary.KEYWORD_INDIVIDUALRELATION_INVOLVESINDIVIDUAL,
|
||||
VitroVocabulary.KEYWORD_INDIVIDUALRELATION_MODE });
|
||||
|
||||
/**
|
||||
* The bean is attached to the ServletContext using this attribute name.
|
||||
|
|
@ -85,6 +77,10 @@ public class PropertyRestrictionPolicyHelper {
|
|||
private static final String ATTRIBUTE_NAME = PropertyRestrictionPolicyHelper.class
|
||||
.getName();
|
||||
|
||||
// ----------------------------------------------------------------------
|
||||
// static methods
|
||||
// ----------------------------------------------------------------------
|
||||
|
||||
public static PropertyRestrictionPolicyHelper getBean(ServletContext ctx) {
|
||||
Object attribute = ctx.getAttribute(ATTRIBUTE_NAME);
|
||||
if (!(attribute instanceof PropertyRestrictionPolicyHelper)) {
|
||||
|
|
@ -98,11 +94,19 @@ public class PropertyRestrictionPolicyHelper {
|
|||
ctx.removeAttribute(ATTRIBUTE_NAME);
|
||||
}
|
||||
|
||||
public static void setBean(ServletContext ctx,
|
||||
PropertyRestrictionPolicyHelper bean) {
|
||||
if (bean == null) {
|
||||
throw new NullPointerException("bean may not be null.");
|
||||
}
|
||||
ctx.setAttribute(ATTRIBUTE_NAME, bean);
|
||||
}
|
||||
|
||||
/**
|
||||
* Initialize the bean with the standard prohibitions and exceptions, and
|
||||
* with the thresholds obtained from the model.
|
||||
*/
|
||||
public static void createAndSetBean(ServletContext ctx, OntModel model) {
|
||||
public static PropertyRestrictionPolicyHelper createBean(OntModel model) {
|
||||
Map<String, RoleLevel> displayThresholdMap = new HashMap<String, RoleLevel>();
|
||||
Map<String, RoleLevel> modifyThresholdMap = new HashMap<String, RoleLevel>();
|
||||
|
||||
|
|
@ -119,12 +123,12 @@ public class PropertyRestrictionPolicyHelper {
|
|||
PROHIBITED_NAMESPACES, PERMITTED_EXCEPTIONS,
|
||||
displayThresholdMap, modifyThresholdMap);
|
||||
|
||||
ctx.setAttribute(ATTRIBUTE_NAME, bean);
|
||||
return bean;
|
||||
}
|
||||
|
||||
/**
|
||||
* Find all the resources that possess this property, and map the resource
|
||||
* URI to the require RoleLevel.
|
||||
* URI to the required RoleLevel.
|
||||
*/
|
||||
private static void populateThresholdMap(OntModel model,
|
||||
Map<String, RoleLevel> map, String propertyUri) {
|
||||
|
|
@ -167,22 +171,22 @@ public class PropertyRestrictionPolicyHelper {
|
|||
private final Collection<String> modifyExceptionsAllowedUris;
|
||||
|
||||
/**
|
||||
* URIs in here can be displayed only if the user's role is at least as high
|
||||
* These URIs can be displayed only if the user's role is at least as high
|
||||
* as the threshold role.
|
||||
*/
|
||||
private final Map<String, RoleLevel> displayThresholdMap;
|
||||
|
||||
/**
|
||||
* URIs in here can be modified only if the user's role is at least as high
|
||||
* as the threshold role.
|
||||
* These URIs can be modified only if the user's role is at least as high as
|
||||
* the threshold role.
|
||||
*/
|
||||
private final Map<String, RoleLevel> modifyThresholdMap;
|
||||
|
||||
/**
|
||||
* Store unmodifiable versions of the inputs.
|
||||
*
|
||||
* Protected access: should only be created by the static methods, or by
|
||||
* unit tests.
|
||||
* Protected access: the bean should only be created by the static methods,
|
||||
* or by unit tests.
|
||||
*/
|
||||
protected PropertyRestrictionPolicyHelper(
|
||||
Collection<String> modifyProhibitedNamespaces,
|
||||
|
|
@ -193,9 +197,9 @@ public class PropertyRestrictionPolicyHelper {
|
|||
this.modifyExceptionsAllowedUris = unmodifiable(modifyExceptionsAllowedUris);
|
||||
this.displayThresholdMap = unmodifiable(displayThresholdMap);
|
||||
this.modifyThresholdMap = unmodifiable(modifyThresholdMap);
|
||||
|
||||
|
||||
if (log.isDebugEnabled()) {
|
||||
log.debug("prohibited namespaces: " + this.modifyProhibitedNamespaces);
|
||||
log.debug("prohibited: " + this.modifyProhibitedNamespaces);
|
||||
log.debug("exceptions: " + this.modifyExceptionsAllowedUris);
|
||||
log.debug("display thresholds: " + this.displayThresholdMap);
|
||||
log.debug("modify thresholds: " + this.modifyThresholdMap);
|
||||
|
|
@ -347,8 +351,27 @@ public class PropertyRestrictionPolicyHelper {
|
|||
@Override
|
||||
public void contextInitialized(ServletContextEvent sce) {
|
||||
ServletContext ctx = sce.getServletContext();
|
||||
OntModel model = (OntModel) ctx.getAttribute("jenaOntModel");
|
||||
createAndSetBean(ctx, model);
|
||||
|
||||
if (AbortStartup.isStartupAborted(ctx)) {
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
OntModel model = (OntModel) ctx.getAttribute("jenaOntModel");
|
||||
if (model == null) {
|
||||
throw new NullPointerException(
|
||||
"jenaOntModel has not been initialized.");
|
||||
}
|
||||
|
||||
PropertyRestrictionPolicyHelper bean = PropertyRestrictionPolicyHelper
|
||||
.createBean(model);
|
||||
PropertyRestrictionPolicyHelper.setBean(ctx, bean);
|
||||
} catch (Exception e) {
|
||||
log.error("could not run PropertyRestrictionPolicyHelper$Setup: "
|
||||
+ e);
|
||||
AbortStartup.abortStartup(ctx);
|
||||
throw new RuntimeException(e);
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
|
|||
|
|
@ -2,10 +2,6 @@
|
|||
|
||||
package edu.cornell.mannlib.vitro.webapp.auth.policy.setup;
|
||||
|
||||
import java.util.EnumSet;
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
|
||||
import javax.servlet.ServletContext;
|
||||
import javax.servlet.ServletContextEvent;
|
||||
import javax.servlet.ServletContextListener;
|
||||
|
|
@ -13,82 +9,54 @@ import javax.servlet.ServletContextListener;
|
|||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import com.hp.hpl.jena.ontology.OntModel;
|
||||
import com.hp.hpl.jena.rdf.model.Model;
|
||||
import com.hp.hpl.jena.rdf.model.ResIterator;
|
||||
import com.hp.hpl.jena.rdf.model.Resource;
|
||||
import com.hp.hpl.jena.rdf.model.ResourceFactory;
|
||||
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.ActiveIdentifierBundleFactories;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.CuratorEditingIdentifierFactory;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.CuratorEditingPolicy;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.ServletPolicyList;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
|
||||
import edu.cornell.mannlib.vitro.webapp.servlet.setup.AbortStartup;
|
||||
|
||||
/**
|
||||
* Sets up RoleBasedPolicy and IdentifierBundleFactory.
|
||||
* This will cause the vitro native login to add Identifiers that can
|
||||
* be used by the Auth system and the in-line editing.
|
||||
* Sets up RoleBasedPolicy and IdentifierBundleFactory. This will cause the
|
||||
* vitro native login to add Identifiers that can be used by the Auth system and
|
||||
* the in-line editing.
|
||||
*
|
||||
* To use this add it as a listener to the web.xml.
|
||||
* To use this add it as a listener to the web.xml.
|
||||
*
|
||||
* See RoleBasedPolicy.java
|
||||
*
|
||||
* @author bdc34
|
||||
*
|
||||
*/
|
||||
public class CuratorEditingPolicySetup implements ServletContextListener {
|
||||
private static final Log log = LogFactory.getLog(CuratorEditingPolicySetup.class.getName());
|
||||
|
||||
@Override
|
||||
public class CuratorEditingPolicySetup implements ServletContextListener {
|
||||
private static final Log log = LogFactory
|
||||
.getLog(CuratorEditingPolicySetup.class.getName());
|
||||
|
||||
@Override
|
||||
public void contextInitialized(ServletContextEvent sce) {
|
||||
try{
|
||||
log.debug("Setting up CuratorEditingPolicy");
|
||||
|
||||
//need to make a policy and add it to the ServeltContext
|
||||
OntModel model = (OntModel)sce.getServletContext().getAttribute("jenaOntModel");
|
||||
CuratorEditingPolicy cep = makeCuratorEditPolicyFromModel(model);
|
||||
ServletPolicyList.addPolicy(sce.getServletContext(), cep);
|
||||
|
||||
//need to put an IdentifierFactory for CuratorEditingIds into the ServletContext
|
||||
ActiveIdentifierBundleFactories.addFactory(sce, new CuratorEditingIdentifierFactory());
|
||||
|
||||
log.debug( "Finished setting up CuratorEditingPolicy: " + cep );
|
||||
}catch(Exception e){
|
||||
log.error("could not run CuratorEditingPolicySetup: " + e);
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public void contextDestroyed(ServletContextEvent sce) { /*nothing*/ }
|
||||
|
||||
public static CuratorEditingPolicy makeCuratorEditPolicyFromModel( Model model ){
|
||||
CuratorEditingPolicy pol = null;
|
||||
if( model == null )
|
||||
pol = new CuratorEditingPolicy(null,null,null,null);
|
||||
else{
|
||||
Set<String> prohibitedProps = new HashSet<String>();
|
||||
//ResIterator it = model.listSubjectsWithProperty( model.createProperty( VitroVocabulary.PROPERTY_CURATOREDITPROHIBITEDANNOT ) );
|
||||
// need to iterate through one level higher than CURATOR (the higher of current 2 targeted levels) plus all higher levels
|
||||
for (BaseResourceBean.RoleLevel e : EnumSet.range(BaseResourceBean.RoleLevel.DB_ADMIN,BaseResourceBean.RoleLevel.NOBODY)) {
|
||||
ResIterator it = model.listSubjectsWithProperty( model.createProperty( VitroVocabulary.PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT),ResourceFactory.createResource(e.getURI()));
|
||||
while( it.hasNext() ){
|
||||
Resource resource = it.nextResource();
|
||||
if( resource != null && resource.getURI() != null ) {
|
||||
log.debug("adding \""+resource.getURI()+"\" to properties prohibited from inline curator editing ("+e.getLabel()+")");
|
||||
prohibitedProps.add( resource.getURI() );
|
||||
}
|
||||
}
|
||||
}
|
||||
pol = new CuratorEditingPolicy(prohibitedProps,null,null,null);
|
||||
}
|
||||
return pol;
|
||||
}
|
||||
|
||||
|
||||
public static void replaceCuratorEditing( ServletContext sc, Model model ){
|
||||
ServletPolicyList.replacePolicy(sc, makeCuratorEditPolicyFromModel(model));
|
||||
}
|
||||
}
|
||||
ServletContext ctx = sce.getServletContext();
|
||||
|
||||
if (AbortStartup.isStartupAborted(ctx)) {
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
log.debug("Setting up CuratorEditingPolicy");
|
||||
|
||||
// need to make a policy and add it to the ServletContext
|
||||
CuratorEditingPolicy cep = new CuratorEditingPolicy(ctx);
|
||||
ServletPolicyList.addPolicy(ctx, cep);
|
||||
|
||||
// need to put an IdentifierFactory for CuratorEditingIds into the
|
||||
// ServletContext
|
||||
ActiveIdentifierBundleFactories.addFactory(sce,
|
||||
new CuratorEditingIdentifierFactory());
|
||||
|
||||
log.debug("Finished setting up CuratorEditingPolicy: " + cep);
|
||||
} catch (Exception e) {
|
||||
log.error("could not run CuratorEditingPolicySetup: " + e);
|
||||
AbortStartup.abortStartup(ctx);
|
||||
throw new RuntimeException(e);
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public void contextDestroyed(ServletContextEvent sce) { /* nothing */
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,9 +2,6 @@
|
|||
|
||||
package edu.cornell.mannlib.vitro.webapp.auth.policy.setup;
|
||||
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
|
||||
import javax.servlet.ServletContext;
|
||||
import javax.servlet.ServletContextEvent;
|
||||
import javax.servlet.ServletContextListener;
|
||||
|
|
@ -12,81 +9,54 @@ import javax.servlet.ServletContextListener;
|
|||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import com.hp.hpl.jena.ontology.OntModel;
|
||||
import com.hp.hpl.jena.rdf.model.Model;
|
||||
import com.hp.hpl.jena.rdf.model.ResIterator;
|
||||
import com.hp.hpl.jena.rdf.model.Resource;
|
||||
import com.hp.hpl.jena.rdf.model.ResourceFactory;
|
||||
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.ActiveIdentifierBundleFactories;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.DbAdminEditingIdentifierFactory;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.DbAdminEditingPolicy;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.ServletPolicyList;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
|
||||
import edu.cornell.mannlib.vitro.webapp.servlet.setup.AbortStartup;
|
||||
|
||||
/**
|
||||
* Sets up RoleBasedPolicy and IdentifierBundleFactory.
|
||||
* This will cause the vitro native login to add Identifiers that can
|
||||
* be used by the Auth system and the in-line editing.
|
||||
* Sets up RoleBasedPolicy and IdentifierBundleFactory. This will cause the
|
||||
* vitro native login to add Identifiers that can be used by the Auth system and
|
||||
* the in-line editing.
|
||||
*
|
||||
* To use this add it as a listener to the web.xml.
|
||||
* To use this add it as a listener to the web.xml.
|
||||
*
|
||||
* See RoleBasedPolicy.java
|
||||
*
|
||||
* @author bdc34
|
||||
*
|
||||
*/
|
||||
public class DbAdminEditingPolicySetup implements ServletContextListener {
|
||||
private static final Log log = LogFactory.getLog(DbAdminEditingPolicySetup.class.getName());
|
||||
|
||||
@Override
|
||||
public class DbAdminEditingPolicySetup implements ServletContextListener {
|
||||
private static final Log log = LogFactory
|
||||
.getLog(DbAdminEditingPolicySetup.class.getName());
|
||||
|
||||
@Override
|
||||
public void contextInitialized(ServletContextEvent sce) {
|
||||
try{
|
||||
log.debug("Setting up DbAdminEditingPolicy");
|
||||
|
||||
//need to make a policy and add it to the ServeltContext
|
||||
OntModel model = (OntModel)sce.getServletContext().getAttribute("jenaOntModel");
|
||||
DbAdminEditingPolicy cep = makeDbAdminEditPolicyFromModel(model);
|
||||
ServletPolicyList.addPolicy(sce.getServletContext(), cep);
|
||||
|
||||
//need to put an IdentifierFactory for DbAdminEditingIds into the ServletContext
|
||||
ActiveIdentifierBundleFactories.addFactory(sce, new DbAdminEditingIdentifierFactory());
|
||||
|
||||
log.debug( "Finished setting up DbAdminEditingPolicy: " + cep );
|
||||
}catch(Exception e){
|
||||
log.error("could not run DbAdminEditingPolicySetup: " + e);
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public void contextDestroyed(ServletContextEvent sce) { /*nothing*/ }
|
||||
|
||||
public static DbAdminEditingPolicy makeDbAdminEditPolicyFromModel( Model model ){
|
||||
DbAdminEditingPolicy pol = null;
|
||||
if( model == null )
|
||||
pol = new DbAdminEditingPolicy(null,null,null,null);
|
||||
else{
|
||||
Set<String> prohibitedProps = new HashSet<String>();
|
||||
// no need to iterate through any level higher than DB_ADMIN
|
||||
//for (BaseResourceBean.RoleLevel e : EnumSet.range(BaseResourceBean.RoleLevel.NOBODY,BaseResourceBean.RoleLevel.NOBODY)) {
|
||||
BaseResourceBean.RoleLevel e = BaseResourceBean.RoleLevel.NOBODY;
|
||||
ResIterator it = model.listSubjectsWithProperty( model.createProperty( VitroVocabulary.PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT),ResourceFactory.createResource(e.getURI()));
|
||||
while( it.hasNext() ){
|
||||
Resource resource = it.nextResource();
|
||||
if( resource != null && resource.getURI() != null ) {
|
||||
log.debug("adding \""+resource.getURI()+"\" to properties prohibited from dbAdmin editing ("+e.getLabel()+")");
|
||||
prohibitedProps.add( resource.getURI() );
|
||||
}
|
||||
}
|
||||
//}
|
||||
pol = new DbAdminEditingPolicy(prohibitedProps,null,null,null);
|
||||
}
|
||||
return pol;
|
||||
}
|
||||
|
||||
public static void replaceDbAdminEditing( ServletContext sc, Model model ){
|
||||
ServletPolicyList.replacePolicy(sc, makeDbAdminEditPolicyFromModel(model));
|
||||
}
|
||||
}
|
||||
ServletContext ctx = sce.getServletContext();
|
||||
|
||||
if (AbortStartup.isStartupAborted(ctx)) {
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
log.debug("Setting up DbAdminEditingPolicy");
|
||||
|
||||
// need to make a policy and add it to the ServletContext
|
||||
DbAdminEditingPolicy dep = new DbAdminEditingPolicy(ctx);
|
||||
ServletPolicyList.addPolicy(ctx, dep);
|
||||
|
||||
// need to put an IdentifierFactory for DbAdminEditingIds into the
|
||||
// ServletContext
|
||||
ActiveIdentifierBundleFactories.addFactory(sce,
|
||||
new DbAdminEditingIdentifierFactory());
|
||||
|
||||
log.debug("Finished setting up DbAdminEditingPolicy: " + dep);
|
||||
} catch (Exception e) {
|
||||
log.error("could not run DbAdminEditingPolicySetup: " + e);
|
||||
AbortStartup.abortStartup(ctx);
|
||||
throw new RuntimeException(e);
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public void contextDestroyed(ServletContextEvent sce) { /* nothing */
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,10 +2,6 @@
|
|||
|
||||
package edu.cornell.mannlib.vitro.webapp.auth.policy.setup;
|
||||
|
||||
import java.util.EnumSet;
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
|
||||
import javax.servlet.ServletContext;
|
||||
import javax.servlet.ServletContextEvent;
|
||||
import javax.servlet.ServletContextListener;
|
||||
|
|
@ -13,80 +9,54 @@ import javax.servlet.ServletContextListener;
|
|||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import com.hp.hpl.jena.ontology.OntModel;
|
||||
import com.hp.hpl.jena.rdf.model.Model;
|
||||
import com.hp.hpl.jena.rdf.model.ResIterator;
|
||||
import com.hp.hpl.jena.rdf.model.Resource;
|
||||
import com.hp.hpl.jena.rdf.model.ResourceFactory;
|
||||
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.ActiveIdentifierBundleFactories;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.EditorEditingIdentifierFactory;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.EditorEditingPolicy;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.ServletPolicyList;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
|
||||
import edu.cornell.mannlib.vitro.webapp.servlet.setup.AbortStartup;
|
||||
|
||||
/**
|
||||
* Sets up RoleBasedPolicy and IdentifierBundleFactory.
|
||||
* This will cause the vitro native login to add Identifiers that can
|
||||
* be used by the Auth system and the in-line editing.
|
||||
* Sets up RoleBasedPolicy and IdentifierBundleFactory. This will cause the
|
||||
* vitro native login to add Identifiers that can be used by the Auth system and
|
||||
* the in-line editing.
|
||||
*
|
||||
* To use this add it as a listener to the web.xml.
|
||||
* To use this add it as a listener to the web.xml.
|
||||
*
|
||||
* See RoleBasedPolicy.java
|
||||
*
|
||||
* @author bdc34
|
||||
*
|
||||
*/
|
||||
public class EditorEditingPolicySetup implements ServletContextListener {
|
||||
private static final Log log = LogFactory.getLog(EditorEditingPolicySetup.class.getName());
|
||||
|
||||
@Override
|
||||
public class EditorEditingPolicySetup implements ServletContextListener {
|
||||
private static final Log log = LogFactory
|
||||
.getLog(EditorEditingPolicySetup.class.getName());
|
||||
|
||||
@Override
|
||||
public void contextInitialized(ServletContextEvent sce) {
|
||||
try{
|
||||
log.debug("Setting up EditorEditingPolicy");
|
||||
|
||||
//need to make a policy and add it to the ServeltContext
|
||||
OntModel model = (OntModel)sce.getServletContext().getAttribute("jenaOntModel");
|
||||
EditorEditingPolicy cep = makeEditorEditPolicyFromModel(model);
|
||||
ServletPolicyList.addPolicy(sce.getServletContext(), cep);
|
||||
|
||||
//need to put an IdentifierFactory for EditorEditingIds into the ServletContext
|
||||
ActiveIdentifierBundleFactories.addFactory(sce, new EditorEditingIdentifierFactory());
|
||||
|
||||
log.debug( "Finished setting up EditorEditingPolicy: " + cep );
|
||||
}catch(Exception e){
|
||||
log.error("could not run EditorEditingPolicySetup: " + e);
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public void contextDestroyed(ServletContextEvent sce) { /*nothing*/ }
|
||||
|
||||
public static EditorEditingPolicy makeEditorEditPolicyFromModel( Model model ){
|
||||
EditorEditingPolicy pol = null;
|
||||
if( model == null )
|
||||
pol = new EditorEditingPolicy(null,null,null,null);
|
||||
else{
|
||||
Set<String> prohibitedProps = new HashSet<String>();
|
||||
// need to iterate through one level higher than EDITOR (the higher of current 2 targeted levels) plus all higher levels
|
||||
for (BaseResourceBean.RoleLevel e : EnumSet.range(BaseResourceBean.RoleLevel.CURATOR,BaseResourceBean.RoleLevel.NOBODY)) {
|
||||
ResIterator it = model.listSubjectsWithProperty( model.createProperty( VitroVocabulary.PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT),ResourceFactory.createResource(e.getURI()));
|
||||
while( it.hasNext() ){
|
||||
Resource resource = it.nextResource();
|
||||
if( resource != null && resource.getURI() != null ) {
|
||||
log.debug("adding \""+resource.getURI()+"\" to properties prohibited from inline editor editing ("+e.getLabel()+")");
|
||||
prohibitedProps.add( resource.getURI() );
|
||||
}
|
||||
}
|
||||
}
|
||||
pol = new EditorEditingPolicy(prohibitedProps,null,null,null);
|
||||
}
|
||||
return pol;
|
||||
}
|
||||
|
||||
public static void replaceEditorEditing( ServletContext sc, Model model ){
|
||||
ServletPolicyList.replacePolicy(sc, makeEditorEditPolicyFromModel(model));
|
||||
}
|
||||
}
|
||||
ServletContext ctx = sce.getServletContext();
|
||||
|
||||
if (AbortStartup.isStartupAborted(ctx)) {
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
log.debug("Setting up EditorEditingPolicy");
|
||||
|
||||
// need to make a policy and add it to the ServletContext
|
||||
EditorEditingPolicy cep = new EditorEditingPolicy(ctx);
|
||||
ServletPolicyList.addPolicy(ctx, cep);
|
||||
|
||||
// need to put an IdentifierFactory for EditorEditingIds into the
|
||||
// ServletContext
|
||||
ActiveIdentifierBundleFactories.addFactory(sce,
|
||||
new EditorEditingIdentifierFactory());
|
||||
|
||||
log.debug("Finished setting up EditorEditingPolicy: " + cep);
|
||||
} catch (Exception e) {
|
||||
log.error("could not run EditorEditingPolicySetup: " + e);
|
||||
AbortStartup.abortStartup(ctx);
|
||||
throw new RuntimeException(e);
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public void contextDestroyed(ServletContextEvent sce) { /* nothing */
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,10 +2,6 @@
|
|||
|
||||
package edu.cornell.mannlib.vitro.webapp.auth.policy.setup;
|
||||
|
||||
import java.util.EnumSet;
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
|
||||
import javax.servlet.ServletContext;
|
||||
import javax.servlet.ServletContextEvent;
|
||||
import javax.servlet.ServletContextListener;
|
||||
|
|
@ -14,15 +10,10 @@ import org.apache.commons.logging.Log;
|
|||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import com.hp.hpl.jena.ontology.OntModel;
|
||||
import com.hp.hpl.jena.rdf.model.ResIterator;
|
||||
import com.hp.hpl.jena.rdf.model.Resource;
|
||||
import com.hp.hpl.jena.rdf.model.ResourceFactory;
|
||||
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.AdministrativeUriRestrictor;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.InformationResourceEditingPolicy;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.ServletPolicyList;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
|
||||
import edu.cornell.mannlib.vitro.webapp.servlet.setup.AbortStartup;
|
||||
|
||||
/**
|
||||
* Set up the InformationResourceEditingPolicy. This is tied to the SelfEditor
|
||||
|
|
@ -35,62 +26,37 @@ public class InformationResourceEditingPolicySetup implements
|
|||
|
||||
@Override
|
||||
public void contextInitialized(ServletContextEvent sce) {
|
||||
ServletContext ctx = sce.getServletContext();
|
||||
|
||||
if (AbortStartup.isStartupAborted(ctx)) {
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
log.debug("Setting up InformationResourceEditingPolicy");
|
||||
|
||||
// need to make a policy and add it to the ServletContext
|
||||
OntModel model = (OntModel) sce.getServletContext().getAttribute(
|
||||
"jenaOntModel");
|
||||
replacePolicy(sce.getServletContext(), model);
|
||||
InformationResourceEditingPolicy irep = new InformationResourceEditingPolicy(
|
||||
ctx, model);
|
||||
ServletPolicyList.addPolicy(ctx, irep);
|
||||
|
||||
log.debug("InformationResourceEditingPolicy has been setup. ");
|
||||
// don't need an IdentifierFactory if the SelfEditingPolicy is
|
||||
// providing it.
|
||||
|
||||
log.debug("Finished setting up InformationResourceEditingPolicy: "
|
||||
+ irep);
|
||||
} catch (Exception e) {
|
||||
log.error("could not run SelfEditingPolicySetup: " + e);
|
||||
e.printStackTrace();
|
||||
log.error("could not run InformationResourceEditingPolicySetup: "
|
||||
+ e);
|
||||
AbortStartup.abortStartup(ctx);
|
||||
throw new RuntimeException(e);
|
||||
}
|
||||
}
|
||||
|
||||
public static InformationResourceEditingPolicy makePolicyFromModel(
|
||||
OntModel model) {
|
||||
InformationResourceEditingPolicy policy = null;
|
||||
if (model == null)
|
||||
policy = new InformationResourceEditingPolicy(null,
|
||||
new AdministrativeUriRestrictor(null, null, null, null));
|
||||
else {
|
||||
Set<String> prohibitedProps = new HashSet<String>();
|
||||
|
||||
// need to iterate through one level higher than SELF (the lowest
|
||||
// level where restrictions make sense) plus all higher levels
|
||||
for (BaseResourceBean.RoleLevel e : EnumSet.range(
|
||||
BaseResourceBean.RoleLevel.EDITOR,
|
||||
BaseResourceBean.RoleLevel.NOBODY)) {
|
||||
ResIterator it = model
|
||||
.listSubjectsWithProperty(
|
||||
model.createProperty(VitroVocabulary.PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT),
|
||||
ResourceFactory.createResource(e.getURI()));
|
||||
while (it.hasNext()) {
|
||||
Resource resource = it.nextResource();
|
||||
if (resource != null && resource.getURI() != null) {
|
||||
log.debug("adding '"
|
||||
+ resource.getURI()
|
||||
+ "' to properties prohibited from information resource editing ("
|
||||
+ e.getLabel() + ")");
|
||||
prohibitedProps.add(resource.getURI());
|
||||
}
|
||||
}
|
||||
}
|
||||
policy = new InformationResourceEditingPolicy(model,
|
||||
new AdministrativeUriRestrictor(prohibitedProps, null, null, null));
|
||||
}
|
||||
return policy;
|
||||
}
|
||||
|
||||
public static void replacePolicy(ServletContext sc, OntModel model) {
|
||||
ServletPolicyList.replacePolicy(sc, makePolicyFromModel(model));
|
||||
}
|
||||
|
||||
@Override
|
||||
public void contextDestroyed(ServletContextEvent sce) {
|
||||
// Nothing to do.
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,10 +2,6 @@
|
|||
|
||||
package edu.cornell.mannlib.vitro.webapp.auth.policy.setup;
|
||||
|
||||
import java.util.EnumSet;
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
|
||||
import javax.servlet.ServletContext;
|
||||
import javax.servlet.ServletContextEvent;
|
||||
import javax.servlet.ServletContextListener;
|
||||
|
|
@ -13,88 +9,57 @@ import javax.servlet.ServletContextListener;
|
|||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import com.hp.hpl.jena.ontology.OntModel;
|
||||
import com.hp.hpl.jena.rdf.model.ResIterator;
|
||||
import com.hp.hpl.jena.rdf.model.Resource;
|
||||
import com.hp.hpl.jena.rdf.model.ResourceFactory;
|
||||
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.ActiveIdentifierBundleFactories;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.SelfEditingIdentifierFactory;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.SelfEditingPolicy;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.ServletPolicyList;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
|
||||
import edu.cornell.mannlib.vitro.webapp.servlet.setup.AbortStartup;
|
||||
|
||||
/**
|
||||
* Policy for SelfEditors. This will set up the self-editing policy which
|
||||
* will will look for SelfEditing identifier in the IdentifierBundle. If
|
||||
* the user is associated with a URI in the system then they will be allowed
|
||||
* to edit resources related to that URI.
|
||||
*
|
||||
* To use this add it as a listener to the web.xml.
|
||||
*
|
||||
* The SelfEditing policy may return
|
||||
* Authorization.UNAUTHORIZED so it should be at the start of the
|
||||
* ServletPolicyList if you want it to override other Policies.
|
||||
* For example, this Listener should be before the curator listener so
|
||||
* that if a curator is faking selfEditing the capabilities they have
|
||||
* as curator will not override the results of the SelfEditing policy.
|
||||
* Policy for SelfEditors. This will set up the self-editing policy which will
|
||||
* will look for SelfEditing identifier in the IdentifierBundle. If the user is
|
||||
* associated with a URI in the system then they will be allowed to edit
|
||||
* resources related to that URI.
|
||||
*
|
||||
* @author bdc34
|
||||
*
|
||||
* To use this add it as a listener to the web.xml.
|
||||
*/
|
||||
public class SelfEditingPolicySetup implements ServletContextListener {
|
||||
private static final Log log = LogFactory.getLog(SelfEditingPolicySetup.class.getName());
|
||||
public static final String SELF_EDITING_POLICY_WAS_SETUP= "selfEditingPolicyWasSetup";
|
||||
|
||||
@Override
|
||||
public void contextInitialized(ServletContextEvent sce) {
|
||||
try{
|
||||
log.debug("Setting up SelfEditingPolicy");
|
||||
|
||||
OntModel model = (OntModel)sce.getServletContext().getAttribute("jenaOntModel");
|
||||
replaceSelfEditing(sce.getServletContext(), model);
|
||||
public class SelfEditingPolicySetup implements ServletContextListener {
|
||||
private static final Log log = LogFactory
|
||||
.getLog(SelfEditingPolicySetup.class.getName());
|
||||
public static final String SELF_EDITING_POLICY_WAS_SETUP = "selfEditingPolicyWasSetup";
|
||||
|
||||
ActiveIdentifierBundleFactories.addFactory(sce, new SelfEditingIdentifierFactory());
|
||||
|
||||
sce.getServletContext().setAttribute(SELF_EDITING_POLICY_WAS_SETUP, Boolean.TRUE);
|
||||
|
||||
log.debug( "SelfEditingPolicy has been setup. " );
|
||||
}catch(Exception e){
|
||||
log.error("could not run SelfEditingPolicySetup: " + e);
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public void contextDestroyed(ServletContextEvent sce) { /*nothing*/ }
|
||||
|
||||
public static SelfEditingPolicy makeSelfEditPolicyFromModel( OntModel model ){
|
||||
SelfEditingPolicy pol = null;
|
||||
if( model == null )
|
||||
pol = new SelfEditingPolicy(null,null,null,null, null);
|
||||
else{
|
||||
Set<String> prohibitedProps = new HashSet<String>();
|
||||
//ResIterator it = model.listSubjectsWithProperty( model.createProperty( VitroVocabulary.PROPERTY_SELFEDITPROHIBITEDANNOT ) );
|
||||
|
||||
// need to iterate through one level higher than SELF (the lowest level where restrictions make sense) plus all higher levels
|
||||
for (BaseResourceBean.RoleLevel e : EnumSet.range(BaseResourceBean.RoleLevel.EDITOR,BaseResourceBean.RoleLevel.NOBODY)) {
|
||||
ResIterator it = model.listSubjectsWithProperty( model.createProperty( VitroVocabulary.PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT),ResourceFactory.createResource(e.getURI()));
|
||||
while( it.hasNext() ){
|
||||
Resource resource = it.nextResource();
|
||||
if( resource != null && resource.getURI() != null ) {
|
||||
log.debug("adding \""+resource.getURI()+"\" to properties prohibited from self-editing ("+e.getLabel()+")");
|
||||
prohibitedProps.add( resource.getURI() );
|
||||
}
|
||||
}
|
||||
}
|
||||
pol = new SelfEditingPolicy(prohibitedProps,null,null,null,model);
|
||||
}
|
||||
return pol;
|
||||
}
|
||||
|
||||
|
||||
public static void replaceSelfEditing( ServletContext sc, OntModel model ){
|
||||
ServletPolicyList.replacePolicy(sc, makeSelfEditPolicyFromModel(model));
|
||||
}
|
||||
@Override
|
||||
public void contextInitialized(ServletContextEvent sce) {
|
||||
ServletContext ctx = sce.getServletContext();
|
||||
|
||||
if (AbortStartup.isStartupAborted(ctx)) {
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
log.debug("Setting up SelfEditingPolicy");
|
||||
|
||||
// need to make a policy and add it to the ServletContext
|
||||
SelfEditingPolicy cep = new SelfEditingPolicy(ctx);
|
||||
ServletPolicyList.addPolicy(ctx, cep);
|
||||
|
||||
// need to put an IdentifierFactory for CuratorEditingIds into the
|
||||
// ServletContext
|
||||
ActiveIdentifierBundleFactories.addFactory(sce,
|
||||
new SelfEditingIdentifierFactory());
|
||||
|
||||
sce.getServletContext().setAttribute(SELF_EDITING_POLICY_WAS_SETUP,
|
||||
Boolean.TRUE);
|
||||
|
||||
log.debug("Finished setting up SelfEditingPolicy: " + cep);
|
||||
} catch (Exception e) {
|
||||
log.error("could not run SelfEditingPolicySetup: " + e);
|
||||
AbortStartup.abortStartup(ctx);
|
||||
throw new RuntimeException(e);
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public void contextDestroyed(ServletContextEvent sce) { /* nothing */
|
||||
}
|
||||
}
|
||||
|
|
@ -2,49 +2,47 @@
|
|||
|
||||
package edu.cornell.mannlib.vitro.webapp.controller.edit;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.net.URLEncoder;
|
||||
import java.util.ArrayList;
|
||||
import java.util.HashMap;
|
||||
import java.util.LinkedList;
|
||||
import java.util.List;
|
||||
|
||||
import javax.servlet.RequestDispatcher;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import edu.cornell.mannlib.vedit.beans.EditProcessObject;
|
||||
import edu.cornell.mannlib.vedit.beans.FormObject;
|
||||
import edu.cornell.mannlib.vedit.beans.Option;
|
||||
import edu.cornell.mannlib.vedit.controller.BaseEditController;
|
||||
import edu.cornell.mannlib.vedit.forwarder.PageForwarder;
|
||||
import edu.cornell.mannlib.vedit.forwarder.impl.UrlForwarder;
|
||||
import edu.cornell.mannlib.vedit.util.FormUtils;
|
||||
import edu.cornell.mannlib.vedit.validator.impl.EnumValuesValidator;
|
||||
import edu.cornell.mannlib.vedit.validator.impl.IntValidator;
|
||||
import edu.cornell.mannlib.vedit.validator.impl.XMLNameValidator;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.DataProperty;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.Ontology;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.Portal;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.VClass;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.Controllers;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.edit.utils.RoleLevelOptionsSetup;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.DataPropertyDao;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.DatatypeDao;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.OntologyDao;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.VClassDao;
|
||||
import edu.cornell.mannlib.vitro.webapp.edit.listener.impl.EditProhibitionListener;
|
||||
import java.io.IOException;
|
||||
import java.net.URLEncoder;
|
||||
import java.util.ArrayList;
|
||||
import java.util.HashMap;
|
||||
import java.util.LinkedList;
|
||||
import java.util.List;
|
||||
|
||||
import javax.servlet.RequestDispatcher;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import edu.cornell.mannlib.vedit.beans.EditProcessObject;
|
||||
import edu.cornell.mannlib.vedit.beans.FormObject;
|
||||
import edu.cornell.mannlib.vedit.beans.Option;
|
||||
import edu.cornell.mannlib.vedit.controller.BaseEditController;
|
||||
import edu.cornell.mannlib.vedit.forwarder.PageForwarder;
|
||||
import edu.cornell.mannlib.vedit.forwarder.impl.UrlForwarder;
|
||||
import edu.cornell.mannlib.vedit.util.FormUtils;
|
||||
import edu.cornell.mannlib.vedit.validator.impl.IntValidator;
|
||||
import edu.cornell.mannlib.vedit.validator.impl.XMLNameValidator;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionListener;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.DataProperty;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.Portal;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.Controllers;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.edit.utils.RoleLevelOptionsSetup;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.DataPropertyDao;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.DatatypeDao;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.OntologyDao;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.VClassDao;
|
||||
|
||||
|
||||
public class DatapropRetryController extends BaseEditController {
|
||||
|
||||
private static final Log log = LogFactory.getLog(DatapropRetryController.class.getName());
|
||||
|
||||
public void doPost (HttpServletRequest request, HttpServletResponse response) {
|
||||
@Override
|
||||
public void doPost (HttpServletRequest request, HttpServletResponse response) {
|
||||
|
||||
if (!checkLoginStatus(request,response))
|
||||
return;
|
||||
|
|
@ -134,7 +132,7 @@ public class DatapropRetryController extends BaseEditController {
|
|||
|
||||
//set up any listeners
|
||||
List changeListenerList = new ArrayList();
|
||||
changeListenerList.add(new EditProhibitionListener(getServletContext()));
|
||||
changeListenerList.add(new PropertyRestrictionListener(getServletContext()));
|
||||
epo.setChangeListenerList(changeListenerList);
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -2,54 +2,51 @@
|
|||
|
||||
package edu.cornell.mannlib.vitro.webapp.controller.edit;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.net.URLEncoder;
|
||||
import java.io.IOException;
|
||||
import java.net.URLEncoder;
|
||||
import java.text.Collator;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collections;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collections;
|
||||
import java.util.Comparator;
|
||||
import java.util.HashMap;
|
||||
import java.util.HashMap;
|
||||
import java.util.Iterator;
|
||||
import java.util.LinkedList;
|
||||
import java.util.List;
|
||||
import java.util.List;
|
||||
import java.util.ListIterator;
|
||||
|
||||
import javax.servlet.RequestDispatcher;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import edu.cornell.mannlib.vedit.beans.EditProcessObject;
|
||||
import edu.cornell.mannlib.vedit.beans.FormObject;
|
||||
import edu.cornell.mannlib.vedit.beans.Option;
|
||||
import edu.cornell.mannlib.vedit.controller.BaseEditController;
|
||||
import edu.cornell.mannlib.vedit.forwarder.PageForwarder;
|
||||
import edu.cornell.mannlib.vedit.forwarder.impl.UrlForwarder;
|
||||
import edu.cornell.mannlib.vedit.util.FormUtils;
|
||||
import edu.cornell.mannlib.vedit.validator.ValidationObject;
|
||||
import edu.cornell.mannlib.vedit.validator.Validator;
|
||||
import edu.cornell.mannlib.vedit.validator.impl.EnumValuesValidator;
|
||||
import edu.cornell.mannlib.vedit.validator.impl.XMLNameValidator;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.DataProperty;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.Portal;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.VClass;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.Controllers;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.edit.utils.RoleLevelOptionsSetup;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.DataPropertyDao;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.ObjectPropertyDao;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.OntologyDao;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.VClassDao;
|
||||
import edu.cornell.mannlib.vitro.webapp.edit.listener.impl.EditProhibitionListener;
|
||||
|
||||
import javax.servlet.RequestDispatcher;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import edu.cornell.mannlib.vedit.beans.EditProcessObject;
|
||||
import edu.cornell.mannlib.vedit.beans.FormObject;
|
||||
import edu.cornell.mannlib.vedit.beans.Option;
|
||||
import edu.cornell.mannlib.vedit.controller.BaseEditController;
|
||||
import edu.cornell.mannlib.vedit.forwarder.PageForwarder;
|
||||
import edu.cornell.mannlib.vedit.forwarder.impl.UrlForwarder;
|
||||
import edu.cornell.mannlib.vedit.util.FormUtils;
|
||||
import edu.cornell.mannlib.vedit.validator.impl.XMLNameValidator;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionListener;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.DataProperty;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.Portal;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.VClass;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.Controllers;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.edit.utils.RoleLevelOptionsSetup;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.DataPropertyDao;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.ObjectPropertyDao;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.OntologyDao;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.VClassDao;
|
||||
|
||||
public class PropertyRetryController extends BaseEditController {
|
||||
|
||||
private static final Log log = LogFactory.getLog(PropertyRetryController.class.getName());
|
||||
|
||||
public void doPost (HttpServletRequest req, HttpServletResponse response) {
|
||||
@Override
|
||||
public void doPost (HttpServletRequest req, HttpServletResponse response) {
|
||||
VitroRequest request = new VitroRequest(req);
|
||||
if (!checkLoginStatus(request,response))
|
||||
return;
|
||||
|
|
@ -87,7 +84,7 @@ public class PropertyRetryController extends BaseEditController {
|
|||
String uri = request.getParameter("uri");
|
||||
if (uri != null) {
|
||||
try {
|
||||
propertyForEditing = (ObjectProperty)propDao.getObjectPropertyByURI(uri);
|
||||
propertyForEditing = propDao.getObjectPropertyByURI(uri);
|
||||
action = "update";
|
||||
epo.setAction("update");
|
||||
} catch (NullPointerException e) {
|
||||
|
|
@ -125,7 +122,7 @@ public class PropertyRetryController extends BaseEditController {
|
|||
//set up any listeners
|
||||
List changeListenerList = new ArrayList();
|
||||
//changeListenerList.add(new HiddenFromDisplayListener(getServletContext()));
|
||||
changeListenerList.add(new EditProhibitionListener(getServletContext()));
|
||||
changeListenerList.add(new PropertyRestrictionListener(getServletContext()));
|
||||
epo.setChangeListenerList(changeListenerList);
|
||||
|
||||
//set portal flag to current portal
|
||||
|
|
|
|||
|
|
@ -1,133 +0,0 @@
|
|||
/* $This file is distributed under the terms of the license in /doc/license.txt$ */
|
||||
|
||||
package edu.cornell.mannlib.vitro.webapp.edit.listener.impl;
|
||||
|
||||
import javax.servlet.ServletContext;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import com.hp.hpl.jena.ontology.OntModel;
|
||||
|
||||
import edu.cornell.mannlib.vedit.beans.EditProcessObject;
|
||||
import edu.cornell.mannlib.vedit.listener.ChangeListener;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.setup.CuratorEditingPolicySetup;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.setup.DbAdminEditingPolicySetup;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.setup.EditorEditingPolicySetup;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.setup.InformationResourceEditingPolicySetup;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.setup.SelfEditingPolicySetup;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.Property;
|
||||
|
||||
public class EditProhibitionListener implements ChangeListener {
|
||||
private static final Log log = LogFactory.getLog(EditProhibitionListener.class.getName());
|
||||
private ServletContext context = null;
|
||||
|
||||
public EditProhibitionListener(ServletContext context) {
|
||||
this.context = context;
|
||||
}
|
||||
|
||||
public void doDeleted(Object oldObj, EditProcessObject epo) {
|
||||
Property p = (Property) oldObj;
|
||||
OntModel model = (OntModel) context.getAttribute("jenaOntModel");
|
||||
BaseResourceBean.RoleLevel oldRoleLevel = p.getProhibitedFromUpdateBelowRoleLevel();
|
||||
if (oldRoleLevel != null) {
|
||||
log.debug("replacing all edit prohibition policies after deletion");
|
||||
// do you want to do something more selective, such as seeing whether only certain policies are affected?
|
||||
// But, some (lower) will be affected if higher levels change (or will they if the object has been deleted?)
|
||||
SelfEditingPolicySetup.replaceSelfEditing(context,model);
|
||||
InformationResourceEditingPolicySetup.replacePolicy(context,model);
|
||||
EditorEditingPolicySetup.replaceEditorEditing(context,model);
|
||||
CuratorEditingPolicySetup.replaceCuratorEditing(context,model);
|
||||
DbAdminEditingPolicySetup.replaceDbAdminEditing(context,model);
|
||||
/*
|
||||
if (oldRoleLevel.compareTo(BaseResourceBean.RoleLevel.PUBLIC)==0) {
|
||||
SelfEditingPolicySetup.replaceSelfEditing(context,model);
|
||||
} else if (oldRoleLevel.compareTo(BaseResourceBean.RoleLevel.SELF)==0) {
|
||||
SelfEditingPolicySetup.replaceSelfEditing(context,model);
|
||||
} else if (oldRoleLevel.compareTo(BaseResourceBean.RoleLevel.EDITOR)==0) {
|
||||
CuratorEditingPolicySetup.replaceCuratorEditing(context,model);
|
||||
} else if (oldRoleLevel.compareTo(BaseResourceBean.RoleLevel.CURATOR)==0) {
|
||||
CuratorEditingPolicySetup.replaceCuratorEditing(context,model);
|
||||
} else if (oldRoleLevel.compareTo(BaseResourceBean.RoleLevel.DB_ADMIN)==0) {
|
||||
CuratorEditingPolicySetup.replaceCuratorEditing(context,model);
|
||||
} else if (oldRoleLevel.compareTo(BaseResourceBean.RoleLevel.NOBODY)==0) {
|
||||
CuratorEditingPolicySetup.replaceCuratorEditing(context,model);
|
||||
} */
|
||||
}
|
||||
}
|
||||
|
||||
public void doInserted(Object newObj, EditProcessObject epo) {
|
||||
Property p = (Property) newObj;
|
||||
OntModel model = (OntModel) context.getAttribute("jenaOntModel");
|
||||
BaseResourceBean.RoleLevel newRoleLevel = p.getProhibitedFromUpdateBelowRoleLevel();
|
||||
if (newRoleLevel != null) { // note have to replace even at same level since may have been unspecified
|
||||
if (newRoleLevel.compareTo(BaseResourceBean.RoleLevel.SELF)==0) {
|
||||
log.debug("replacing self editing editing policies after insertion of \"self\" update level");
|
||||
SelfEditingPolicySetup.replaceSelfEditing(context,model);
|
||||
InformationResourceEditingPolicySetup.replacePolicy(context,model);
|
||||
} else if (newRoleLevel.compareTo(BaseResourceBean.RoleLevel.EDITOR)==0) {
|
||||
log.debug("replacing editor and lower editing policies after insertion of new \"editor\" update level");
|
||||
SelfEditingPolicySetup.replaceSelfEditing(context,model);
|
||||
InformationResourceEditingPolicySetup.replacePolicy(context,model);
|
||||
EditorEditingPolicySetup.replaceEditorEditing(context,model);
|
||||
} else if (newRoleLevel.compareTo(BaseResourceBean.RoleLevel.CURATOR)==0) {
|
||||
log.debug("replacing curator and lower editing policies after insertion of new \"curator\" update level");
|
||||
SelfEditingPolicySetup.replaceSelfEditing(context,model);
|
||||
InformationResourceEditingPolicySetup.replacePolicy(context,model);
|
||||
EditorEditingPolicySetup.replaceEditorEditing(context,model);
|
||||
CuratorEditingPolicySetup.replaceCuratorEditing(context,model);
|
||||
} else if (newRoleLevel.compareTo(BaseResourceBean.RoleLevel.DB_ADMIN)==0) {
|
||||
log.debug("replacing db_admin and lower editing policies after insertion of new \"db_admin\" update level");
|
||||
SelfEditingPolicySetup.replaceSelfEditing(context,model);
|
||||
InformationResourceEditingPolicySetup.replacePolicy(context,model);
|
||||
EditorEditingPolicySetup.replaceEditorEditing(context,model);
|
||||
CuratorEditingPolicySetup.replaceCuratorEditing(context,model);
|
||||
DbAdminEditingPolicySetup.replaceDbAdminEditing(context,model);
|
||||
} else if (newRoleLevel.compareTo(BaseResourceBean.RoleLevel.NOBODY)==0) {
|
||||
log.debug("replacing db_admin and lower editing policies after insertion of new \"nobody\" update level");
|
||||
SelfEditingPolicySetup.replaceSelfEditing(context,model);
|
||||
InformationResourceEditingPolicySetup.replacePolicy(context,model);
|
||||
EditorEditingPolicySetup.replaceEditorEditing(context,model);
|
||||
CuratorEditingPolicySetup.replaceCuratorEditing(context,model);
|
||||
DbAdminEditingPolicySetup.replaceDbAdminEditing(context,model);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public void doUpdated(Object oldObj, Object newObj, EditProcessObject epo) {
|
||||
Property oldP = (Property) oldObj;
|
||||
Property newP = (Property) newObj;
|
||||
OntModel model = (OntModel) context.getAttribute("jenaOntModel");
|
||||
BaseResourceBean.RoleLevel oldRoleLevel = oldP.getProhibitedFromUpdateBelowRoleLevel();
|
||||
BaseResourceBean.RoleLevel newRoleLevel = newP.getProhibitedFromUpdateBelowRoleLevel();
|
||||
if (newRoleLevel != null) { // will always be true since select box has no non-empty choices
|
||||
if (oldRoleLevel != null) {
|
||||
if (newRoleLevel.compareTo(oldRoleLevel)!=0) {
|
||||
log.debug("replacing all editing policies after update when new level different from old");
|
||||
SelfEditingPolicySetup.replaceSelfEditing(context,model);
|
||||
InformationResourceEditingPolicySetup.replacePolicy(context,model);
|
||||
EditorEditingPolicySetup.replaceEditorEditing(context,model);
|
||||
CuratorEditingPolicySetup.replaceCuratorEditing(context,model);
|
||||
DbAdminEditingPolicySetup.replaceDbAdminEditing(context,model);
|
||||
} else {
|
||||
log.debug("update did not change role level");
|
||||
}
|
||||
} else {
|
||||
log.debug("replacing all editing policies after update when a role level introduced");
|
||||
SelfEditingPolicySetup.replaceSelfEditing(context,model);
|
||||
InformationResourceEditingPolicySetup.replacePolicy(context,model);
|
||||
EditorEditingPolicySetup.replaceEditorEditing(context,model);
|
||||
CuratorEditingPolicySetup.replaceCuratorEditing(context,model);
|
||||
DbAdminEditingPolicySetup.replaceDbAdminEditing(context,model);
|
||||
}
|
||||
} else if (oldRoleLevel != null) { // with fixed selections, not likely to happen
|
||||
log.debug("replacing all editing policies after update when old role level removed");
|
||||
SelfEditingPolicySetup.replaceSelfEditing(context,model);
|
||||
InformationResourceEditingPolicySetup.replacePolicy(context,model);
|
||||
EditorEditingPolicySetup.replaceEditorEditing(context,model);
|
||||
CuratorEditingPolicySetup.replaceCuratorEditing(context,model);
|
||||
DbAdminEditingPolicySetup.replaceDbAdminEditing(context,model);
|
||||
}
|
||||
}
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue