litvinovg/vitro
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

NIHVIVO-2492 restrict assorted pages by UseMiscellaneousAdminPages and UseMiscellaneousCuratorPages

Browse source
This commit is contained in:
j2blake 2011-04-20 17:13:26 +00:00
parent 0669f3758a
commit da7f10cd0a
13 changed files with 65 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

21
webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/UseRestrictedPagesByRoleLevelPolicy.java
View file

@ -17,9 +17,12 @@ import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseAdvance
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseEditUserAccountsPages;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseIndividualEditorPages;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseMenuEditorPages;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseMiscellaneousAdminPages;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseMiscellaneousCuratorPages;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseOntologyEditorPages;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UsePortalEditorPages;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseSiteAdminPage;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseSiteInfoEditingPage;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseTabEditorPages;
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
@ -46,22 +49,40 @@ public class UseRestrictedPagesByRoleLevelPolicy implements PolicyIface {
PolicyDecision result;
if (whatToAuth instanceof UseAdvancedDataToolsPages) {
result = isAuthorized(whatToAuth, RoleLevel.DB_ADMIN, userRole);
} else if (whatToAuth instanceof UseEditUserAccountsPages) {
result = isAuthorized(whatToAuth, RoleLevel.DB_ADMIN, userRole);
} else if (whatToAuth instanceof UseMenuEditorPages) {
result = isAuthorized(whatToAuth, RoleLevel.DB_ADMIN, userRole);
} else if (whatToAuth instanceof UseMiscellaneousAdminPages) {
result = isAuthorized(whatToAuth, RoleLevel.DB_ADMIN, userRole);
} else if (whatToAuth instanceof UseOntologyEditorPages) {
result = isAuthorized(whatToAuth, RoleLevel.CURATOR, userRole);
} else if (whatToAuth instanceof UsePortalEditorPages) {
result = isAuthorized(whatToAuth, RoleLevel.CURATOR, userRole);
} else if (whatToAuth instanceof UseTabEditorPages) {
result = isAuthorized(whatToAuth, RoleLevel.CURATOR, userRole);
} else if (whatToAuth instanceof UseSiteInfoEditingPage) {
result = isAuthorized(whatToAuth, RoleLevel.CURATOR, userRole);
} else if (whatToAuth instanceof UseMiscellaneousCuratorPages) {
result = isAuthorized(whatToAuth, RoleLevel.CURATOR, userRole);
} else if (whatToAuth instanceof UseIndividualEditorPages) {
result = isAuthorized(whatToAuth, RoleLevel.EDITOR, userRole);
} else if (whatToAuth instanceof UseSiteAdminPage) {
result = isAuthorized(whatToAuth, RoleLevel.EDITOR, userRole);
} else if (whatToAuth instanceof SeeRevisionInfo) {
result = isAuthorized(whatToAuth, RoleLevel.EDITOR, userRole);
} else {
result = defaultDecision("Unrecognized action");
}

11
webapp/src/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/usepages/UseMiscellaneousAdminPages.java Normal file
View file

@ -0,0 +1,11 @@
/* $This file is distributed under the terms of the license in /doc/license.txt$ */
package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
/** Should we allow the user to use the odd-lots pages that were designed for DBAs? */
public class UseMiscellaneousAdminPages extends RequestedAction implements
UsePagesRequestedAction {
// no fields
}

11
webapp/src/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/usepages/UseMiscellaneousCuratorPages.java Normal file
View file

@ -0,0 +1,11 @@
/* $This file is distributed under the terms of the license in /doc/license.txt$ */
package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
/** Should we allow the user to use the odd-lots pages that were designed for Curators or DBAs? */
public class UseMiscellaneousCuratorPages extends RequestedAction implements
UsePagesRequestedAction {
// no fields
}

13
webapp/src/edu/cornell/mannlib/vitro/webapp/controller/FakeSelfEditController.java
View file

@ -13,9 +13,12 @@ import javax.servlet.http.HttpSession;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.FakeSelfEditingIdentifierFactory;
import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper.RequiresAuthorizationFor;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseMiscellaneousAdminPages;
@RequiresAuthorizationFor(/* restricted page, but checking is done internally. */)
/**
* TODO This is caught in the middle of the transition from LoginFormBean to LoginStatusBean.
*/
@ -30,6 +33,7 @@ public class FakeSelfEditController extends VitroHttpServlet {
private static final Log log = LogFactory
.getLog(FakeSelfEditController.class.getName());
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws IOException, ServletException {
@ -39,7 +43,7 @@ public class FakeSelfEditController extends VitroHttpServlet {
VitroRequest vreq = new VitroRequest(request);
HttpSession session = request.getSession();
if (!isAuthorized(session)) {
if (!isAuthorized(vreq, session)) {
redirectToLoginPage(request, response);
} else if (vreq.getParameter("force") != null) {
startFaking(vreq, response);
@ -54,9 +58,9 @@ public class FakeSelfEditController extends VitroHttpServlet {
}
}
private boolean isAuthorized(HttpSession session) {
private boolean isAuthorized(VitroRequest vreq, HttpSession session) {
boolean isFakingAlready = (session.getAttribute(ATTRIBUTE_LOGIN_STATUS_SAVE) != null);
boolean isAdmin = LoginStatusBean.getBean(session).isLoggedInAtLeast(LoginStatusBean.CURATOR);
boolean isAdmin = PolicyHelper.isAuthorizedForAction(vreq, UseMiscellaneousAdminPages.class);
log.debug("isFakingAlready: " + isFakingAlready + ", isAdmin: " + isAdmin);
return isAdmin || isFakingAlready;
}
@ -134,6 +138,7 @@ public class FakeSelfEditController extends VitroHttpServlet {
}
}
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
doGet(request, response);