NIHVIVO-2492 restrict assorted pages by UseMiscellaneousAdminPages and UseMiscellaneousCuratorPages

webapp/web/admin/conceptRepair.jsp

@@ -6,7 +6,7 @@
 
 <%@ taglib prefix="vitro" uri="/WEB-INF/tlds/VitroUtils.tld" %>
 
-<vitro:confirmLoginStatus level="CURATOR" />
+<vitro:requiresAuthorizationFor classNames="edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseMiscellaneousCuratorPages" />
 
 <%
     String conceptIdStr = request.getParameter("conceptId");

webapp/web/admin/fakeselfedit.jsp

@@ -2,6 +2,8 @@
 
 <%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %>
 
+<%-- doesn't use <vitro:requiresAuthorizationFor> becuase the controller does complex authorization. -->
+
 <div id="content">
 
 <h2>Configure Self-Edit Testing</h2>

webapp/web/admin/gotoIndividual.jsp

@@ -6,7 +6,7 @@
 <%@ taglib uri="http://java.sun.com/jstl/core" prefix="c"%>
 <%@ taglib prefix="vitro" uri="/WEB-INF/tlds/VitroUtils.tld" %>
 
-<vitro:confirmLoginStatus level="DBA" />
+<vitro:requiresAuthorizationFor classNames="edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseMiscellaneousAdminPages" />
 
 <%
 if( request.getParameter("uri") != null ){

webapp/web/admin/log4j.jsp

@@ -3,7 +3,6 @@
 <%@ page import="edu.cornell.mannlib.vitro.webapp.controller.Controllers" %>
 <%@ page import="org.apache.log4j.*" %>
 <%@ page import="java.util.*" %>
-<%@ taglib prefix="vitro" uri="/WEB-INF/tlds/VitroUtils.tld" %>
 
  <%--
   This JSP will display all the log4j Logger objects, their
@@ -13,7 +12,9 @@
   Brian Cauros bdc34@cornell.edu
   based on work by Volker Mentzner. --%>
 
-<vitro:confirmLoginStatus level="DBA" bean="loginBean" />
+<%@ taglib prefix="vitro" uri="/WEB-INF/tlds/VitroUtils.tld" %>
+
+<vitro:requiresAuthorizationFor classNames="edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseMiscellaneousAdminPages" />
 
 <%
 try {

webapp/web/admin/removeBadRestrictions.jsp

@@ -3,7 +3,7 @@
 <%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %>
 <%@ taglib prefix="vitro" uri="/WEB-INF/tlds/VitroUtils.tld" %>
 
-<vitro:confirmLoginStatus level="CURATOR" />
+<vitro:requiresAuthorizationFor classNames="edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseMiscellaneousCuratorPages" />
 
 <%
     if (request.getParameter("execute") != null) {

webapp/web/admin/removeResourceDescription.jsp

@@ -5,7 +5,7 @@
 <%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %>
 <%@ taglib prefix="vitro" uri="/WEB-INF/tlds/VitroUtils.tld" %>
 
-<vitro:confirmLoginStatus level="CURATOR" />
+<vitro:requiresAuthorizationFor classNames="edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseMiscellaneousCuratorPages" />
 
 <%
     String resourceURIStr = request.getParameter("resourceURI");

webapp/web/admin/showids.jsp

@@ -5,6 +5,8 @@
 <%@page
    import="java.util.List"%>
 
+<%-- doesn't use vitro:requiresAuthorizationFor becuase the we want to be able to see IDs for any user. --%>
+<%-- uses "security through obscurity", and doesn't give away much information. --%>
 
 <%
       List idb = RequestIdentifiers.getIdBundleForRequest(request);

webapp/web/admin/syncSesame.jsp

@@ -14,8 +14,7 @@
 <%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %>
 <%@ taglib prefix="vitro" uri="/WEB-INF/tlds/VitroUtils.tld" %>
 
-<vitro:confirmLoginStatus level="DBA" />
-
+<vitro:requiresAuthorizationFor classNames="edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseMiscellaneousAdminPages" />
 
 <%!
 

webapp/web/admin/temporaryLogin.jsp

@@ -10,8 +10,7 @@
 <%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %>
 <%@ taglib prefix="vitro" uri="/WEB-INF/tlds/VitroUtils.tld" %>
 
-<vitro:confirmLoginStatus level="CURATOR" />
-
+<vitro:requiresAuthorizationFor classNames="edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseMiscellaneousCuratorPages" />
 
 <%
     if(  request.getParameter("force") != null ){