From c2d1a05c2a6b4831172b5e49c61e379e3e18df6f Mon Sep 17 00:00:00 2001
From: j2blake
Date: Wed, 6 Jul 2011 19:28:05 +0000
Subject: [PATCH] NIHVIVO-2749 restrict the Menu Management.
---
 .../UseRestrictedPagesByRoleLevelPolicy.java | 4 +++
 .../usepages/AccessSpecialDataModels.java | 10 +++++++
 .../webapp/controller/VitroHttpServlet.java | 26 +++++++++-------
 .../webapp/filters/VitroRequestPrep.java | 30 +++++++++++++++----
 4 files changed, 54 insertions(+), 16 deletions(-)
 create mode 100644 webapp/src/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/usepages/AccessSpecialDataModels.java
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/UseRestrictedPagesByRoleLevelPolicy.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/UseRestrictedPagesByRoleLevelPolicy.java
index bb2995f3e..3161fa587 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/UseRestrictedPagesByRoleLevelPolicy.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/UseRestrictedPagesByRoleLevelPolicy.java
@@ -11,6 +11,7 @@ import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.AccessSpecialDataModels;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.EditIndividuals;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.EditOntology;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.EditOwnAccount;
@@ -64,6 +65,9 @@ public class UseRestrictedPagesByRoleLevelPolicy implements PolicyIface {
 } else if (whatToAuth instanceof UseMiscellaneousAdminPages) {
 result = isAuthorized(whatToAuth, RoleLevel.DB_ADMIN, userRole);
+ } else if (whatToAuth instanceof AccessSpecialDataModels) {
+ result = isAuthorized(whatToAuth, RoleLevel.DB_ADMIN, userRole);
+
 } else if (whatToAuth instanceof EditOntology) {
 result = isAuthorized(whatToAuth, RoleLevel.CURATOR, userRole);
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/usepages/AccessSpecialDataModels.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/usepages/AccessSpecialDataModels.java
new file mode 100644
index 000000000..5a9040684
--- /dev/null
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/usepages/AccessSpecialDataModels.java
@@ -0,0 +1,10 @@
+/* $This file is distributed under the terms of the license in /doc/license.txt$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages;
+
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
+
+/** Should we allow the user to read any write different data models on request? */
+public class AccessSpecialDataModels extends RequestedAction {
+ // no fields
+}
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/VitroHttpServlet.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/VitroHttpServlet.java
index 583242564..ea51b42fc 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/VitroHttpServlet.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/VitroHttpServlet.java
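Review bot: The new `AccessSpecialDataModels` branch fixes the required level at DB_ADMIN without saying why, and nothing in this file connects the action to the request parameters it actually guards; in this same commit the only requester is VitroRequestPrep.authorizedForSpecialModel, which asks for it when a request carries one of the USE_*_MODEL_PARAM switches. A one-line comment on the branch such as `// Reading or writing a non-default model named in the request is DB_ADMIN-only; requested from VitroRequestPrep.authorizedForSpecialModel.` would let a later reader judge whether the level is still right when that caller changes. The enclosing decision method starts and ends outside the hunk.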
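Review bot: The class Javadoc on the new AccessSpecialDataModels reads "read any write different data models", which looks like a typo for "read and write", and since this sentence is the only description of what the action authorises it is worth being exact: `/** Should we allow the user to read or write a non-default data model named in the request? */`. The class body is otherwise empty, so there is nothing else to document here.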
@@ -29,6 +29,7 @@ import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.Actions;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
 import edu.cornell.mannlib.vitro.webapp.beans.DisplayMessage;
 import edu.cornell.mannlib.vitro.webapp.controller.authenticate.LogoutRedirector;
+import edu.cornell.mannlib.vitro.webapp.controller.freemarker.UrlBuilder;
 public class VitroHttpServlet extends HttpServlet {
 private static final long serialVersionUID = 1L;
@@ -128,23 +129,25 @@ public class VitroHttpServlet extends HttpServlet {
 log.debug("Servlet '" + this.getClass().getSimpleName() + "' is not authorized for actions: " + actions);
-
- LoginStatusBean statusBean = LoginStatusBean.getBean(request);
- if (statusBean.isLoggedIn()) {
- redirectToInsufficientAuthorizationPage(request, response);
- return false;
- } else {
- redirectToLoginPage(request, response);
- return false;
- }
+ redirectUnauthorizedRequest(request, response);
+ return false;
 }
 // ----------------------------------------------------------------------
 // static utility methods for all Vitro servlets
 // ----------------------------------------------------------------------
+ public static void redirectUnauthorizedRequest(HttpServletRequest request,
+ HttpServletResponse response) {
+ if (LoginStatusBean.getBean(request).isLoggedIn()) {
+ redirectToInsufficientAuthorizationPage(request, response);
+ } else {
+ redirectToLoginPage(request, response);
+ }
+ }
+
 /**
- * Logged in, but with insufficent authorization. Send them to the home page
+ * Logged in, but with insufficient authorization. Send them to the home page
 * with a message. They won't be coming back.
 */
 public static void redirectToInsufficientAuthorizationPage(
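Review bot: `redirectUnauthorizedRequest` becomes public static API that a filter now calls from outside the servlet hierarchy, yet it has no Javadoc, while the sibling `redirectToInsufficientAuthorizationPage` right below documents its contract; add something like `/** Redirect an unauthorized request: to the insufficient-authorization page if the user is logged in, otherwise to the login page. */`. The extraction itself preserves the two branches the removed code had, and both call sites still return false after it, so behaviour is unchanged. The caller method that logs and returns false starts outside the hunk.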
@@ -180,7 +183,8 @@ public class VitroHttpServlet extends HttpServlet {
 if ((queryString == null) || queryString.isEmpty()) {
 return request.getRequestURI();
 } else {
- return request.getRequestURI() + "?" + queryString;
+ return request.getRequestURI() + "?"
+ + UrlBuilder.urlEncode(queryString);
 }
 }
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/filters/VitroRequestPrep.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/filters/VitroRequestPrep.java
index c73f26bfc..45fea6574 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/filters/VitroRequestPrep.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/filters/VitroRequestPrep.java
@@ -34,9 +34,13 @@ import com.hp.hpl.jena.rdf.model.Model;
 import com.hp.hpl.jena.rdf.model.ModelFactory;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.RequestIdentifiers;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.ServletPolicyList;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.AccessSpecialDataModels;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.ManageMenus;
 import edu.cornell.mannlib.vitro.webapp.beans.ApplicationBean;
 import edu.cornell.mannlib.vitro.webapp.config.ConfigurationProperties;
+import edu.cornell.mannlib.vitro.webapp.controller.VitroHttpServlet;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory;
 import edu.cornell.mannlib.vitro.webapp.dao.filtering.WebappDaoFactoryFiltering;
@@ -116,8 +120,14 @@ public class VitroRequestPrep implements Filter {
 }
 }
+ // If we're not authorized for this request, skip the chain and redirect.
+ if (!authorizedForSpecialModel(req)) {
+ VitroHttpServlet.redirectUnauthorizedRequest(req, resp);
+ return;
+ }
+
 VitroRequest vreq = new VitroRequest(req);
-
+
 //-- setup appBean --//
 vreq.setAppBean(_appbean);
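Review bot: Encoding the query string as a whole while leaving the request URI and the `?` unencoded yields a value that is consistent for neither use: `a=1&b=2` becomes `a%3D1%26b%3D2`, so if the returned string is used directly as a redirect target the parameter separators are lost, and if it is embedded as a parameter of the login URL the caller still has to encode the URI and `?` itself, double-encoding the query part in the process. Unless UrlBuilder.urlEncode is known to leave `=` and `&` untouched (its behaviour is not visible here), it seems safer to keep `return request.getRequestURI() + "?" + queryString;` and encode the whole value once at the point where it is placed inside another URL. The enclosing method and its callers are outside the hunk, so which use applies cannot be confirmed from this page.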
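Review bot: The new authorization check in the filter method depends on whatever PolicyHelper.isAuthorizedForActions reads from `req` (presumably the identifiers that RequestIdentifiers attaches, given the import) already being in place at this point; the lines above the hunk are not visible, so confirm the check sits after that setup, otherwise every request with a model-switch parameter would be redirected regardless of role. The fail-closed shape of the new block (redirect, then `return` without continuing the chain) is the right one, and the comment could say so directly: `// Not authorized for the requested model switch: redirect and do not continue the chain.`. The filter method starts and ends outside the hunk.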
@@ -174,6 +184,16 @@ public class VitroRequestPrep implements Filter {
 }
 }
+ private boolean authorizedForSpecialModel(HttpServletRequest req) {
+ if (isParameterPresent(req, SWITCH_TO_DISPLAY_MODEL)) {
+ return PolicyHelper.isAuthorizedForActions(req, new ManageMenus());
+ } else if (anyOtherSpecialProperties(req)){
+ return PolicyHelper.isAuthorizedForActions(req, new AccessSpecialDataModels());
+ } else {
+ return true;
+ }
+ }
+
 @Override
 public void destroy() {
 // Nothing to do.
@@ -222,10 +242,10 @@ public class VitroRequestPrep implements Filter {
 }
- private boolean anyOtherSpecialProperties(VitroRequest vreq) {
- return isParameterPresent(vreq, USE_MODEL_PARAM)
- || isParameterPresent(vreq, USE_TBOX_MODEL_PARAM)
- || isParameterPresent(vreq, USE_DISPLAY_MODEL_PARAM);
+ private boolean anyOtherSpecialProperties(HttpServletRequest req) {
+ return isParameterPresent(req, USE_MODEL_PARAM)
+ || isParameterPresent(req, USE_TBOX_MODEL_PARAM)
+ || isParameterPresent(req, USE_DISPLAY_MODEL_PARAM);
 }
 /**
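Review bot: `authorizedForSpecialModel` consults only one action per request: when SWITCH_TO_DISPLAY_MODEL is present the `else if` is never reached, so a request that also carries USE_MODEL_PARAM, USE_TBOX_MODEL_PARAM or USE_DISPLAY_MODEL_PARAM is gated by ManageMenus alone and AccessSpecialDataModels (DB_ADMIN in this commit) is never checked for it. Whether ManageMenus requires at least that level is not visible on this page; checking the two actions independently removes the dependence on that ordering and keeps each parameter tied to its own action. There is also a missing space in `(req)){`.
```java
private boolean authorizedForSpecialModel(HttpServletRequest req) {
    if (isParameterPresent(req, SWITCH_TO_DISPLAY_MODEL)
            && !PolicyHelper.isAuthorizedForActions(req, new ManageMenus())) {
        return false;
    }
    if (anyOtherSpecialProperties(req)
            && !PolicyHelper.isAuthorizedForActions(req, new AccessSpecialDataModels())) {
        return false;
    }
    return true;
}
```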