NIHVIVO-2492 restrict assorted pages by UseMiscellaneousAdminPages and UseMiscellaneousCuratorPages

2011-04-20 17:13:26 +00:00 · 2011-04-20 17:13:26 +00:00 · da7f10cd0a
commit da7f10cd0a
parent 0669f3758a
13 changed files with 65 additions and 14 deletions
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/UseRestrictedPagesByRoleLevelPolicy.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/UseRestrictedPagesByRoleLevelPolicy.java
@ -17,9 +17,12 @@ import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseAdvance
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseEditUserAccountsPages;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseIndividualEditorPages;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseMenuEditorPages;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseMiscellaneousAdminPages;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseMiscellaneousCuratorPages;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseOntologyEditorPages;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UsePortalEditorPages;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseSiteAdminPage;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseSiteInfoEditingPage;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseTabEditorPages;
 import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;

@ -46,22 +49,40 @@ public class UseRestrictedPagesByRoleLevelPolicy implements PolicyIface {
 		PolicyDecision result;
 		if (whatToAuth instanceof UseAdvancedDataToolsPages) {
 			result = isAuthorized(whatToAuth, RoleLevel.DB_ADMIN, userRole);
+
 		} else if (whatToAuth instanceof UseEditUserAccountsPages) {
 			result = isAuthorized(whatToAuth, RoleLevel.DB_ADMIN, userRole);
+
 		} else if (whatToAuth instanceof UseMenuEditorPages) {
 			result = isAuthorized(whatToAuth, RoleLevel.DB_ADMIN, userRole);
+
+		} else if (whatToAuth instanceof UseMiscellaneousAdminPages) {
+			result = isAuthorized(whatToAuth, RoleLevel.DB_ADMIN, userRole);
+
 		} else if (whatToAuth instanceof UseOntologyEditorPages) {
 			result = isAuthorized(whatToAuth, RoleLevel.CURATOR, userRole);
+
 		} else if (whatToAuth instanceof UsePortalEditorPages) {
 			result = isAuthorized(whatToAuth, RoleLevel.CURATOR, userRole);
+
 		} else if (whatToAuth instanceof UseTabEditorPages) {
 			result = isAuthorized(whatToAuth, RoleLevel.CURATOR, userRole);
+
+		} else if (whatToAuth instanceof UseSiteInfoEditingPage) {
+			result = isAuthorized(whatToAuth, RoleLevel.CURATOR, userRole);
+			
+		} else if (whatToAuth instanceof UseMiscellaneousCuratorPages) {
+			result = isAuthorized(whatToAuth, RoleLevel.CURATOR, userRole);
+
 		} else if (whatToAuth instanceof UseIndividualEditorPages) {
 			result = isAuthorized(whatToAuth, RoleLevel.EDITOR, userRole);
+
 		} else if (whatToAuth instanceof UseSiteAdminPage) {
 			result = isAuthorized(whatToAuth, RoleLevel.EDITOR, userRole);
+
 		} else if (whatToAuth instanceof SeeRevisionInfo) {
 			result = isAuthorized(whatToAuth, RoleLevel.EDITOR, userRole);
+
 		} else {
 			result = defaultDecision("Unrecognized action");
 		}
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/usepages/UseMiscellaneousAdminPages.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/usepages/UseMiscellaneousAdminPages.java
@ -0,0 +1,11 @@
+/* $This file is distributed under the terms of the license in /doc/license.txt$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages;
+
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
+
+/** Should we allow the user to use the odd-lots pages that were designed for DBAs? */
+public class UseMiscellaneousAdminPages extends RequestedAction implements
+		UsePagesRequestedAction {
+	// no fields
+}
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/usepages/UseMiscellaneousCuratorPages.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/usepages/UseMiscellaneousCuratorPages.java
@ -0,0 +1,11 @@
+/* $This file is distributed under the terms of the license in /doc/license.txt$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages;
+
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
+
+/** Should we allow the user to use the odd-lots pages that were designed for Curators or DBAs? */
+public class UseMiscellaneousCuratorPages extends RequestedAction implements
+		UsePagesRequestedAction {
+	// no fields
+}
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/FakeSelfEditController.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/FakeSelfEditController.java
@ -13,9 +13,12 @@ import javax.servlet.http.HttpSession;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;

-import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.FakeSelfEditingIdentifierFactory;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper.RequiresAuthorizationFor;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseMiscellaneousAdminPages;

+@RequiresAuthorizationFor(/* restricted page, but checking is done internally. */)
 /**
 * TODO This is caught in the middle of the transition from LoginFormBean to LoginStatusBean.
 */
@ -30,6 +33,7 @@ public class FakeSelfEditController extends VitroHttpServlet {
 	private static final Log log = LogFactory
 			.getLog(FakeSelfEditController.class.getName());

+	@Override
 	public void doGet(HttpServletRequest request, HttpServletResponse response)
 			throws IOException, ServletException {
 		
@ -39,7 +43,7 @@ public class FakeSelfEditController extends VitroHttpServlet {
 			VitroRequest vreq = new VitroRequest(request);
 			HttpSession session = request.getSession();

-			if (!isAuthorized(session)) {
+			if (!isAuthorized(vreq, session)) {
 				redirectToLoginPage(request, response);
 			} else if (vreq.getParameter("force") != null) {
 				startFaking(vreq, response);
@ -54,9 +58,9 @@ public class FakeSelfEditController extends VitroHttpServlet {
 		}
 	}

-	private boolean isAuthorized(HttpSession session) {
+	private boolean isAuthorized(VitroRequest vreq, HttpSession session) {
 		boolean isFakingAlready = (session.getAttribute(ATTRIBUTE_LOGIN_STATUS_SAVE) != null);
-		boolean isAdmin = LoginStatusBean.getBean(session).isLoggedInAtLeast(LoginStatusBean.CURATOR);
+		boolean isAdmin = PolicyHelper.isAuthorizedForAction(vreq, UseMiscellaneousAdminPages.class);
 		log.debug("isFakingAlready: " + isFakingAlready + ", isAdmin: "	+ isAdmin);
 		return isAdmin || isFakingAlready;
 	}
@ -134,6 +138,7 @@ public class FakeSelfEditController extends VitroHttpServlet {
 		}
 	}
 	
+	@Override
 	public void doPost(HttpServletRequest request, HttpServletResponse response)
 			throws ServletException, IOException {
 		doGet(request, response);
--- a/webapp/web/admin/conceptRepair.jsp
+++ b/webapp/web/admin/conceptRepair.jsp
@ -6,7 +6,7 @@

 <%@ taglib prefix="vitro" uri="/WEB-INF/tlds/VitroUtils.tld" %>

-<vitro:confirmLoginStatus level="CURATOR" />
+<vitro:requiresAuthorizationFor classNames="edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseMiscellaneousCuratorPages" />

 <%
    String conceptIdStr = request.getParameter("conceptId");
--- a/webapp/web/admin/fakeselfedit.jsp
+++ b/webapp/web/admin/fakeselfedit.jsp
@ -2,6 +2,8 @@

 <%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %>

+<%-- doesn't use <vitro:requiresAuthorizationFor> becuase the controller does complex authorization. -->
+
 <div id="content">

 <h2>Configure Self-Edit Testing</h2>
--- a/webapp/web/admin/gotoIndividual.jsp
+++ b/webapp/web/admin/gotoIndividual.jsp
@ -6,7 +6,7 @@
 <%@ taglib uri="http://java.sun.com/jstl/core" prefix="c"%>
 <%@ taglib prefix="vitro" uri="/WEB-INF/tlds/VitroUtils.tld" %>

-<vitro:confirmLoginStatus level="DBA" />
+<vitro:requiresAuthorizationFor classNames="edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseMiscellaneousAdminPages" />

 <%
 if( request.getParameter("uri") != null ){
--- a/webapp/web/admin/log4j.jsp
+++ b/webapp/web/admin/log4j.jsp
@ -3,7 +3,6 @@
 <%@ page import="edu.cornell.mannlib.vitro.webapp.controller.Controllers" %>
 <%@ page import="org.apache.log4j.*" %>
 <%@ page import="java.util.*" %>
-<%@ taglib prefix="vitro" uri="/WEB-INF/tlds/VitroUtils.tld" %>

 <%--
  This JSP will display all the log4j Logger objects, their
@ -13,7 +12,9 @@
  Brian Cauros bdc34@cornell.edu
  based on work by Volker Mentzner. --%>

-<vitro:confirmLoginStatus level="DBA" bean="loginBean" />
+<%@ taglib prefix="vitro" uri="/WEB-INF/tlds/VitroUtils.tld" %>
+
+<vitro:requiresAuthorizationFor classNames="edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseMiscellaneousAdminPages" />

 <%
 try {
--- a/webapp/web/admin/removeBadRestrictions.jsp
+++ b/webapp/web/admin/removeBadRestrictions.jsp
@ -3,7 +3,7 @@
 <%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %>
 <%@ taglib prefix="vitro" uri="/WEB-INF/tlds/VitroUtils.tld" %>

-<vitro:confirmLoginStatus level="CURATOR" />
+<vitro:requiresAuthorizationFor classNames="edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseMiscellaneousCuratorPages" />

 <%
    if (request.getParameter("execute") != null) {
--- a/webapp/web/admin/removeResourceDescription.jsp
+++ b/webapp/web/admin/removeResourceDescription.jsp
@ -5,7 +5,7 @@
 <%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %>
 <%@ taglib prefix="vitro" uri="/WEB-INF/tlds/VitroUtils.tld" %>

-<vitro:confirmLoginStatus level="CURATOR" />
+<vitro:requiresAuthorizationFor classNames="edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseMiscellaneousCuratorPages" />

 <%
    String resourceURIStr = request.getParameter("resourceURI");
--- a/webapp/web/admin/showids.jsp
+++ b/webapp/web/admin/showids.jsp
@ -5,6 +5,8 @@
 <%@page
   import="java.util.List"%>

+<%-- doesn't use vitro:requiresAuthorizationFor becuase the we want to be able to see IDs for any user. --%>
+<%-- uses "security through obscurity", and doesn't give away much information. --%>

 <%
      List idb = RequestIdentifiers.getIdBundleForRequest(request);
--- a/webapp/web/admin/syncSesame.jsp
+++ b/webapp/web/admin/syncSesame.jsp
@ -14,8 +14,7 @@
 <%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %>
 <%@ taglib prefix="vitro" uri="/WEB-INF/tlds/VitroUtils.tld" %>

-<vitro:confirmLoginStatus level="DBA" />
-
+<vitro:requiresAuthorizationFor classNames="edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseMiscellaneousAdminPages" />

 <%!

--- a/webapp/web/admin/temporaryLogin.jsp
+++ b/webapp/web/admin/temporaryLogin.jsp
@ -10,8 +10,7 @@
 <%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %>
 <%@ taglib prefix="vitro" uri="/WEB-INF/tlds/VitroUtils.tld" %>

-<vitro:confirmLoginStatus level="CURATOR" />
-
+<vitro:requiresAuthorizationFor classNames="edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseMiscellaneousCuratorPages" />

 <%
    if(  request.getParameter("force") != null ){