NIHVIVO-2749 restrict the Menu Management.

2011-07-06 19:28:05 +00:00 · 2011-07-06 19:28:05 +00:00 · c2d1a05c2a
commit c2d1a05c2a
parent c0dbfafab8
4 changed files with 54 additions and 16 deletions
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/UseRestrictedPagesByRoleLevelPolicy.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/UseRestrictedPagesByRoleLevelPolicy.java
@ -11,6 +11,7 @@ import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.AccessSpecialDataModels;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.EditIndividuals;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.EditOntology;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.EditOwnAccount;
@ -64,6 +65,9 @@ public class UseRestrictedPagesByRoleLevelPolicy implements PolicyIface {
 		} else if (whatToAuth instanceof UseMiscellaneousAdminPages) {
 			result = isAuthorized(whatToAuth, RoleLevel.DB_ADMIN, userRole);

+		} else if (whatToAuth instanceof AccessSpecialDataModels) {
+			result = isAuthorized(whatToAuth, RoleLevel.DB_ADMIN, userRole);
+			
 		} else if (whatToAuth instanceof EditOntology) {
 			result = isAuthorized(whatToAuth, RoleLevel.CURATOR, userRole);

--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/usepages/AccessSpecialDataModels.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/usepages/AccessSpecialDataModels.java
@ -0,0 +1,10 @@
+/* $This file is distributed under the terms of the license in /doc/license.txt$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages;
+
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
+
+/** Should we allow the user to read any write different data models on request? */
+public class AccessSpecialDataModels extends RequestedAction {
+	// no fields
+}
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/VitroHttpServlet.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/VitroHttpServlet.java
@ -29,6 +29,7 @@ import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.Actions;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
 import edu.cornell.mannlib.vitro.webapp.beans.DisplayMessage;
 import edu.cornell.mannlib.vitro.webapp.controller.authenticate.LogoutRedirector;
+import edu.cornell.mannlib.vitro.webapp.controller.freemarker.UrlBuilder;

 public class VitroHttpServlet extends HttpServlet {
 	private static final long serialVersionUID = 1L;
@ -128,23 +129,25 @@ public class VitroHttpServlet extends HttpServlet {

 		log.debug("Servlet '" + this.getClass().getSimpleName()
 				+ "' is not authorized for actions: " + actions);
-
-		LoginStatusBean statusBean = LoginStatusBean.getBean(request);
-		if (statusBean.isLoggedIn()) {
-			redirectToInsufficientAuthorizationPage(request, response);
-			return false;
-		} else {
-			redirectToLoginPage(request, response);
-			return false;
-		}
+		redirectUnauthorizedRequest(request, response);
+		return false;
 	}

 	// ----------------------------------------------------------------------
 	// static utility methods for all Vitro servlets
 	// ----------------------------------------------------------------------

+	public static void redirectUnauthorizedRequest(HttpServletRequest request,
+			HttpServletResponse response) {
+		if (LoginStatusBean.getBean(request).isLoggedIn()) {
+			redirectToInsufficientAuthorizationPage(request, response);
+		} else {
+			redirectToLoginPage(request, response);
+		}
+	}
+	
 	/**
-	 * Logged in, but with insufficent authorization. Send them to the home page
+	 * Logged in, but with insufficient authorization. Send them to the home page
 	 * with a message. They won't be coming back.
 	 */
 	public static void redirectToInsufficientAuthorizationPage(
@ -180,7 +183,8 @@ public class VitroHttpServlet extends HttpServlet {
 		if ((queryString == null) || queryString.isEmpty()) {
 			return request.getRequestURI();
 		} else {
-			return request.getRequestURI() + "?" + queryString;
+			return request.getRequestURI() + "?"
+					+ UrlBuilder.urlEncode(queryString);
 		}
 	}

--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/filters/VitroRequestPrep.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/filters/VitroRequestPrep.java
@ -34,9 +34,13 @@ import com.hp.hpl.jena.rdf.model.Model;
 import com.hp.hpl.jena.rdf.model.ModelFactory;

 import edu.cornell.mannlib.vitro.webapp.auth.identifier.RequestIdentifiers;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.ServletPolicyList;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.AccessSpecialDataModels;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.ManageMenus;
 import edu.cornell.mannlib.vitro.webapp.beans.ApplicationBean;
 import edu.cornell.mannlib.vitro.webapp.config.ConfigurationProperties;
+import edu.cornell.mannlib.vitro.webapp.controller.VitroHttpServlet;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory;
 import edu.cornell.mannlib.vitro.webapp.dao.filtering.WebappDaoFactoryFiltering;
@ -116,6 +120,12 @@ public class VitroRequestPrep implements Filter {
            }
        }

+        // If we're not authorized for this request, skip the chain and redirect.
+        if (!authorizedForSpecialModel(req)) {
+        	VitroHttpServlet.redirectUnauthorizedRequest(req, resp);
+        	return;
+        }
+        
        VitroRequest vreq = new VitroRequest(req);
        
        //-- setup appBean --//
@ -174,6 +184,16 @@ public class VitroRequestPrep implements Filter {
        }
    }
    
+	private boolean authorizedForSpecialModel(HttpServletRequest req) {
+		if (isParameterPresent(req, SWITCH_TO_DISPLAY_MODEL)) {
+			return PolicyHelper.isAuthorizedForActions(req, new ManageMenus());
+		} else if (anyOtherSpecialProperties(req)){
+			return PolicyHelper.isAuthorizedForActions(req, new AccessSpecialDataModels());
+		} else {
+			return true;
+		}
+	}
+
    @Override
 	public void destroy() {
    	// Nothing to do.
@ -222,10 +242,10 @@ public class VitroRequestPrep implements Filter {

    }

-	private boolean anyOtherSpecialProperties(VitroRequest vreq) {
-		return isParameterPresent(vreq, USE_MODEL_PARAM)
-				|| isParameterPresent(vreq, USE_TBOX_MODEL_PARAM)
-				|| isParameterPresent(vreq, USE_DISPLAY_MODEL_PARAM);
+	private boolean anyOtherSpecialProperties(HttpServletRequest req) {
+		return isParameterPresent(req, USE_MODEL_PARAM)
+				|| isParameterPresent(req, USE_TBOX_MODEL_PARAM)
+				|| isParameterPresent(req, USE_DISPLAY_MODEL_PARAM);
 	}

 	/**