diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/permissions/DisplayByRolePermission.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/permissions/DisplayByRolePermission.java new file mode 100644 index 000000000..c98120dec --- /dev/null +++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/permissions/DisplayByRolePermission.java @@ -0,0 +1,138 @@ +/* $This file is distributed under the terms of the license in /doc/license.txt$ */ + +package edu.cornell.mannlib.vitro.webapp.auth.permissions; + +import javax.servlet.ServletContext; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; + +import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionPolicyHelper; +import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayDataProperty; +import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayDataPropertyStatement; +import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayObjectProperty; +import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayObjectPropertyStatement; +import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction; +import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel; +import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatement; +import edu.cornell.mannlib.vitro.webapp.beans.ObjectPropertyStatement; + +/** + * Is the user authorized to display properties that are marked as restricted to + * a certain "Role Level"? + */ +public class DisplayByRolePermission extends Permission { + private static final Log log = LogFactory + .getLog(DisplayByRolePermission.class); + + public static final String NAMESPACE = "java:" + + DisplayByRolePermission.class.getName() + "#"; + + private final String roleName; + private final RoleLevel roleLevel; + private final ServletContext ctx; + + public DisplayByRolePermission(String roleName, RoleLevel roleLevel, + ServletContext ctx) { + super(NAMESPACE + roleName); + + if (roleName == null) { + throw new NullPointerException("role may not be null."); + } + if (roleLevel == null) { + throw new NullPointerException("roleLevel may not be null."); + } + if (ctx == null) { + throw new NullPointerException("context may not be null."); + } + + this.roleName = roleName; + this.roleLevel = roleLevel; + this.ctx = ctx; + } + + @Override + public boolean isAuthorized(RequestedAction whatToAuth) { + boolean result; + + if (whatToAuth instanceof DisplayDataProperty) { + result = isAuthorized((DisplayDataProperty) whatToAuth); + } else if (whatToAuth instanceof DisplayObjectProperty) { + result = isAuthorized((DisplayObjectProperty) whatToAuth); + } else if (whatToAuth instanceof DisplayDataPropertyStatement) { + result = isAuthorized((DisplayDataPropertyStatement) whatToAuth); + } else if (whatToAuth instanceof DisplayObjectPropertyStatement) { + result = isAuthorized((DisplayObjectPropertyStatement) whatToAuth); + } else { + result = false; + } + + if (result) { + log.debug(this + " authorizes " + whatToAuth); + } else { + log.debug(this + " does not authorize " + whatToAuth); + } + + return result; + } + + /** + * The user may see this data property if they are allowed to see its + * predicate. + */ + private boolean isAuthorized(DisplayDataProperty action) { + String predicateUri = action.getDataProperty().getURI(); + return canDisplayPredicate(predicateUri); + } + + /** + * The user may see this object property if they are allowed to see its + * predicate. + */ + private boolean isAuthorized(DisplayObjectProperty action) { + String predicateUri = action.getObjectProperty().getURI(); + return canDisplayPredicate(predicateUri); + } + + /** + * The user may see this data property if they are allowed to see its + * subject and its predicate. + */ + private boolean isAuthorized(DisplayDataPropertyStatement action) { + DataPropertyStatement stmt = action.getDataPropertyStatement(); + String subjectUri = stmt.getIndividualURI(); + String predicateUri = stmt.getDatapropURI(); + return canDisplayResource(subjectUri) + && canDisplayPredicate(predicateUri); + } + + /** + * The user may see this data property if they are allowed to see its + * subject, its predicate, and its object. + */ + private boolean isAuthorized(DisplayObjectPropertyStatement action) { + ObjectPropertyStatement stmt = action.getObjectPropertyStatement(); + String subjectUri = stmt.getSubjectURI(); + String predicateUri = stmt.getPropertyURI(); + String objectUri = stmt.getObjectURI(); + return canDisplayResource(subjectUri) + && canDisplayPredicate(predicateUri) + && canDisplayResource(objectUri); + } + + private boolean canDisplayResource(String resourceUri) { + return PropertyRestrictionPolicyHelper.getBean(ctx).canDisplayResource( + resourceUri, this.roleLevel); + } + + private boolean canDisplayPredicate(String predicateUri) { + return PropertyRestrictionPolicyHelper.getBean(ctx) + .canDisplayPredicate(predicateUri, this.roleLevel); + } + + @Override + public String toString() { + return "DisplayByRolePermission['" + roleName + "']"; + } + +} diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/permissions/PermissionRegistry.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/permissions/PermissionRegistry.java index dd169f190..d539fcfbe 100644 --- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/permissions/PermissionRegistry.java +++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/permissions/PermissionRegistry.java @@ -16,6 +16,7 @@ import javax.servlet.ServletContextListener; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel; import edu.cornell.mannlib.vitro.webapp.startup.StartupStatus; /** @@ -31,7 +32,7 @@ public class PermissionRegistry { private static final String ATTRIBUTE_NAME = PermissionRegistry.class .getName(); - /** + /** * Has the registry been created yet? */ public static boolean isRegistryCreated(ServletContext ctx) { @@ -59,7 +60,8 @@ public class PermissionRegistry { } /** - * Get the registry from the context. If there isn't one, throw an exception. + * Get the registry from the context. If there isn't one, throw an + * exception. */ public static PermissionRegistry getRegistry(ServletContext ctx) { if (ctx == null) { @@ -128,7 +130,9 @@ public class PermissionRegistry { StartupStatus ss = StartupStatus.getBean(ctx); try { List permissions = new ArrayList(); + permissions.addAll(SimplePermission.getAllInstances()); + permissions.addAll(createDisplayByRolePermissions(ctx)); PermissionRegistry.createRegistry(ctx, permissions); @@ -140,6 +144,20 @@ public class PermissionRegistry { } } + private Collection createDisplayByRolePermissions( + ServletContext ctx) { + List list = new ArrayList(); + list.add(new DisplayByRolePermission("Admin", RoleLevel.DB_ADMIN, + ctx)); + list.add(new DisplayByRolePermission("Curator", RoleLevel.CURATOR, + ctx)); + list.add(new DisplayByRolePermission("Editor", RoleLevel.EDITOR, + ctx)); + list.add(new DisplayByRolePermission("Public", RoleLevel.PUBLIC, + ctx)); + return list; + } + @Override public void contextDestroyed(ServletContextEvent sce) { sce.getServletContext().removeAttribute(ATTRIBUTE_NAME); diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/DisplayRestrictedDataByRoleLevelPolicy.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/DisplayRestrictedDataByRoleLevelPolicy.java deleted file mode 100644 index eaea0a599..000000000 --- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/DisplayRestrictedDataByRoleLevelPolicy.java +++ /dev/null @@ -1,179 +0,0 @@ -/* $This file is distributed under the terms of the license in /doc/license.txt$ */ - -package edu.cornell.mannlib.vitro.webapp.auth.policy; - -import javax.servlet.ServletContext; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; - -import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle; -import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.HasRoleLevel; -import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionPolicyHelper; -import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization; -import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision; -import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface; -import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayDataProperty; -import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayDataPropertyStatement; -import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayObjectProperty; -import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayObjectPropertyStatement; -import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction; -import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel; -import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatement; -import edu.cornell.mannlib.vitro.webapp.beans.ObjectPropertyStatement; - -/** - * Permit display of various data based on the user's Role level and the - * restrictions in the onotology. - */ -public class DisplayRestrictedDataByRoleLevelPolicy implements PolicyIface { - private static final Log log = LogFactory - .getLog(DisplayRestrictedDataByRoleLevelPolicy.class); - - private final ServletContext ctx; - - public DisplayRestrictedDataByRoleLevelPolicy(ServletContext ctx) { - this.ctx = ctx; - } - - /** - * If the requested action is to display a property or a property statement, - * we might authorize it based on their role level. - */ - @Override - public PolicyDecision isAuthorized(IdentifierBundle whoToAuth, - RequestedAction whatToAuth) { - if (whoToAuth == null) { - return defaultDecision("whomToAuth was null"); - } - if (whatToAuth == null) { - return defaultDecision("whatToAuth was null"); - } - - RoleLevel userRole = HasRoleLevel.getUsersRoleLevel(whoToAuth); - /* - * This policy treats a self-editor as no better than public. If you - * want self-editors to see their own properties, some other policy must - * grant that. - */ - if (userRole == RoleLevel.SELF) { - userRole = RoleLevel.PUBLIC; - } - - PolicyDecision result; - if (whatToAuth instanceof DisplayDataProperty) { - result = isAuthorized((DisplayDataProperty) whatToAuth, userRole); - } else if (whatToAuth instanceof DisplayObjectProperty) { - result = isAuthorized((DisplayObjectProperty) whatToAuth, userRole); - } else if (whatToAuth instanceof DisplayDataPropertyStatement) { - result = isAuthorized((DisplayDataPropertyStatement) whatToAuth, - userRole); - } else if (whatToAuth instanceof DisplayObjectPropertyStatement) { - result = isAuthorized((DisplayObjectPropertyStatement) whatToAuth, - userRole); - } else { - result = defaultDecision("Unrecognized action"); - } - - log.debug("decision for '" + whatToAuth + "' is " + result); - return result; - } - - /** - * The user may see this data property if they are allowed to see its - * predicate. - */ - private PolicyDecision isAuthorized(DisplayDataProperty action, - RoleLevel userRole) { - String predicateUri = action.getDataProperty().getURI(); - if (canDisplayPredicate(predicateUri, userRole)) { - return authorized("user may view DataProperty " + predicateUri); - } else { - return defaultDecision("user may not view DataProperty " - + predicateUri); - } - } - - /** - * The user may see this object property if they are allowed to see its - * predicate. - */ - private PolicyDecision isAuthorized(DisplayObjectProperty action, - RoleLevel userRole) { - String predicateUri = action.getObjectProperty().getURI(); - if (canDisplayPredicate(predicateUri, userRole)) { - return authorized("user may view ObjectProperty " + predicateUri); - } else { - return defaultDecision("user may not view ObjectProperty " - + predicateUri); - } - } - - /** - * The user may see this data property if they are allowed to see its - * subject and its predicate. - */ - private PolicyDecision isAuthorized(DisplayDataPropertyStatement action, - RoleLevel userRole) { - DataPropertyStatement stmt = action.getDataPropertyStatement(); - String subjectUri = stmt.getIndividualURI(); - String predicateUri = stmt.getDatapropURI(); - if (canDisplayResource(subjectUri, userRole) - && canDisplayPredicate(predicateUri, userRole)) { - return authorized("user may view DataPropertyStatement " - + subjectUri + " ==> " + predicateUri); - } else { - return defaultDecision("user may not view DataPropertyStatement " - + subjectUri + " ==> " + predicateUri); - } - } - - /** - * The user may see this data property if they are allowed to see its - * subject, its predicate, and its object. - */ - private PolicyDecision isAuthorized(DisplayObjectPropertyStatement action, - RoleLevel userRole) { - ObjectPropertyStatement stmt = action.getObjectPropertyStatement(); - String subjectUri = stmt.getSubjectURI(); - String predicateUri = stmt.getPropertyURI(); - String objectUri = stmt.getObjectURI(); - if (canDisplayResource(subjectUri, userRole) - && canDisplayPredicate(predicateUri, userRole) - && canDisplayResource(objectUri, userRole)) { - return authorized("user may view ObjectPropertyStatement " - + subjectUri + " ==> " + predicateUri + " ==> " + objectUri); - } else { - return defaultDecision("user may not view ObjectPropertyStatement " - + subjectUri + " ==> " + predicateUri + " ==> " + objectUri); - } - } - - /** If the user is explicitly authorized, return this. */ - private PolicyDecision authorized(String message) { - String className = this.getClass().getSimpleName(); - return new BasicPolicyDecision(Authorization.AUTHORIZED, className - + ": " + message); - } - - /** If the user isn't explicitly authorized, return this. */ - private PolicyDecision defaultDecision(String message) { - return new BasicPolicyDecision(Authorization.INCONCLUSIVE, message); - } - - private boolean canDisplayResource(String uri, RoleLevel userRole) { - return PropertyRestrictionPolicyHelper.getBean(ctx).canDisplayResource( - uri, userRole); - } - - private boolean canDisplayPredicate(String uri, RoleLevel userRole) { - return PropertyRestrictionPolicyHelper.getBean(ctx) - .canDisplayPredicate(uri, userRole); - } - - @Override - public String toString() { - return this.getClass().getSimpleName() + " - " + hashCode(); - } - -} diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/setup/CommonPolicyFamilySetup.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/setup/CommonPolicyFamilySetup.java index 850f6e586..5662e7ab6 100644 --- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/setup/CommonPolicyFamilySetup.java +++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/setup/CommonPolicyFamilySetup.java @@ -14,7 +14,6 @@ import edu.cornell.mannlib.vitro.webapp.auth.identifier.factory.HasProxyEditingR import edu.cornell.mannlib.vitro.webapp.auth.identifier.factory.HasRoleLevelFactory; import edu.cornell.mannlib.vitro.webapp.auth.identifier.factory.IsRootUserFactory; import edu.cornell.mannlib.vitro.webapp.auth.identifier.factory.IsUserFactory; -import edu.cornell.mannlib.vitro.webapp.auth.policy.DisplayRestrictedDataByRoleLevelPolicy; import edu.cornell.mannlib.vitro.webapp.auth.policy.DisplayRestrictedDataToSelfPolicy; import edu.cornell.mannlib.vitro.webapp.auth.policy.EditRestrictedDataByRoleLevelPolicy; import edu.cornell.mannlib.vitro.webapp.auth.policy.PermissionsPolicy; @@ -35,7 +34,6 @@ public class CommonPolicyFamilySetup implements ServletContextListener { try { policy(ctx, new PermissionsPolicy()); - policy(ctx, new DisplayRestrictedDataByRoleLevelPolicy(ctx)); policy(ctx, new DisplayRestrictedDataToSelfPolicy(ctx)); policy(ctx, new EditRestrictedDataByRoleLevelPolicy(ctx)); policy(ctx, new SelfEditingPolicy(ctx)); diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/FilterByRoleLevelPermission.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/FilterByRoleLevelPermission.java new file mode 100644 index 000000000..f5ad90293 --- /dev/null +++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/FilterByRoleLevelPermission.java @@ -0,0 +1,124 @@ +/* $This file is distributed under the terms of the license in /doc/license.txt$ */ + +package edu.cornell.mannlib.vitro.webapp.dao.filtering.filters; + +import javax.servlet.ServletContext; +import javax.servlet.http.HttpServletRequest; + +import net.sf.jga.fn.UnaryFunctor; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; + +import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle; +import edu.cornell.mannlib.vitro.webapp.auth.identifier.RequestIdentifiers; +import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.HasPermission; +import edu.cornell.mannlib.vitro.webapp.auth.permissions.DisplayByRolePermission; +import edu.cornell.mannlib.vitro.webapp.auth.permissions.Permission; +import edu.cornell.mannlib.vitro.webapp.auth.permissions.PermissionRegistry; +import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayDataProperty; +import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayDataPropertyStatement; +import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayObjectProperty; +import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayObjectPropertyStatement; +import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction; +import edu.cornell.mannlib.vitro.webapp.beans.DataProperty; +import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatement; +import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty; +import edu.cornell.mannlib.vitro.webapp.beans.ObjectPropertyStatement; + +/** + * Filter the properties depending on what DisplayByRolePermission is on the + * request. If no request, or no permission, use the Public permission. + */ +public class FilterByRoleLevelPermission extends VitroFiltersImpl { + private static final Log log = LogFactory + .getLog(FilterByRoleLevelPermission.class); + + private final Permission permission; + + private static Permission getDefaultPermission(ServletContext ctx) { + if (ctx == null) { + throw new NullPointerException("context may not be null."); + } + + return PermissionRegistry.getRegistry(ctx).getPermission( + DisplayByRolePermission.NAMESPACE + "Public"); + } + + private static Permission getPermissionFromRequest(HttpServletRequest req) { + if (req == null) { + throw new NullPointerException("request may not be null."); + } + + IdentifierBundle ids = RequestIdentifiers.getIdBundleForRequest(req); + for (Permission p : HasPermission.getPermissions(ids)) { + if (p instanceof DisplayByRolePermission) { + return p; + } + } + return getDefaultPermission(req.getSession().getServletContext()); + } + + /** Get the DisplayByRolePermission from the request, or use Public. */ + public FilterByRoleLevelPermission(HttpServletRequest req) { + this(getPermissionFromRequest(req)); + } + + /** Use the Public permission. */ + public FilterByRoleLevelPermission(ServletContext ctx) { + this(getDefaultPermission(ctx)); + } + + /** Use the specified permission. */ + public FilterByRoleLevelPermission(Permission permission) { + if (permission == null) { + throw new NullPointerException("permission may not be null."); + } + + this.permission = permission; + + setDataPropertyFilter(new DataPropertyFilterByPolicy()); + setObjectPropertyFilter(new ObjectPropertyFilterByPolicy()); + setDataPropertyStatementFilter(new DataPropertyStatementFilterByPolicy()); + setObjectPropertyStatementFilter(new ObjectPropertyStatementFilterByPolicy()); + } + + boolean checkAuthorization(RequestedAction whatToAuth) { + boolean decision = permission.isAuthorized(whatToAuth); + log.debug("decision is " + decision); + return decision; + } + + private class DataPropertyFilterByPolicy extends + UnaryFunctor { + @Override + public Boolean fn(DataProperty dp) { + return checkAuthorization(new DisplayDataProperty(dp)); + } + } + + private class ObjectPropertyFilterByPolicy extends + UnaryFunctor { + @Override + public Boolean fn(ObjectProperty op) { + return checkAuthorization(new DisplayObjectProperty(op)); + } + } + + private class DataPropertyStatementFilterByPolicy extends + UnaryFunctor { + @Override + public Boolean fn(DataPropertyStatement dps) { + return checkAuthorization(new DisplayDataPropertyStatement(dps)); + } + } + + private class ObjectPropertyStatementFilterByPolicy extends + UnaryFunctor { + @Override + public Boolean fn(ObjectPropertyStatement ops) { + return checkAuthorization(new DisplayObjectPropertyStatement(ops)); + } + } + +} diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/VitroFilterUtils.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/VitroFilterUtils.java index f4f628e03..7a8a15301 100644 --- a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/VitroFilterUtils.java +++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/VitroFilterUtils.java @@ -5,7 +5,6 @@ package edu.cornell.mannlib.vitro.webapp.dao.filtering.filters; import java.text.Collator; import java.util.Collections; import java.util.Comparator; -import java.util.Date; import java.util.List; import javax.servlet.ServletContext; @@ -14,8 +13,6 @@ import net.sf.jga.fn.UnaryFunctor; import net.sf.jga.fn.adaptor.ChainUnary; import net.sf.jga.fn.property.GetProperty; import net.sf.jga.fn.string.Match; -import edu.cornell.mannlib.vitro.webapp.auth.identifier.ArrayIdentifierBundle; -import edu.cornell.mannlib.vitro.webapp.auth.policy.DisplayRestrictedDataByRoleLevelPolicy; import edu.cornell.mannlib.vitro.webapp.beans.Individual; /** * Static methods to help create commonly used filters. @@ -26,9 +23,7 @@ public class VitroFilterUtils { * public view. */ public static VitroFilters getPublicFilter(ServletContext ctx) { - return new HideFromDisplayByPolicyFilter( - new ArrayIdentifierBundle(), - new DisplayRestrictedDataByRoleLevelPolicy(ctx)); + return new FilterByRoleLevelPermission(ctx); } /** Gets a VitroFilters that permits all objects */ diff --git a/webapp/web/WEB-INF/resources/permission_config.n3 b/webapp/web/WEB-INF/resources/permission_config.n3 index 67ecf59c7..bb18ec92f 100644 --- a/webapp/web/WEB-INF/resources/permission_config.n3 +++ b/webapp/web/WEB-INF/resources/permission_config.n3 @@ -3,6 +3,7 @@ @prefix rdfs: . @prefix auth: . @prefix simplePermission: . +@prefix displayByRole: . auth:ADMIN a auth:PermissionSet ; @@ -45,6 +46,9 @@ auth:ADMIN # permissions for ANY user, even if they are not logged in. auth:hasPermission simplePermission:QueryFullModel ; + + # role-based permissions for ADMIN + auth:hasPermission displayByRole:Admin ; . auth:CURATOR @@ -76,6 +80,9 @@ auth:CURATOR # permissions for ANY user, even if they are not logged in. auth:hasPermission simplePermission:QueryFullModel ; + + # role-based permissions for CURATOR + auth:hasPermission displayByRole:Curator ; . auth:EDITOR @@ -99,6 +106,9 @@ auth:EDITOR # permissions for ANY user, even if they are not logged in. auth:hasPermission simplePermission:QueryFullModel ; + + # role-based permissions for EDITOR + auth:hasPermission displayByRole:Editor ; . auth:SELF_EDITOR @@ -116,6 +126,11 @@ auth:SELF_EDITOR # permissions for ANY user, even if they are not logged in. auth:hasPermission simplePermission:QueryFullModel ; + + # role-based permissions for SELF_EDITOR + # For role-based display, SelfEditor is like Public. + # SelfEditor uses its special permissions to edit/display its own values. + auth:hasPermission displayByRole:Public ; . auth:PUBLIC @@ -125,4 +140,7 @@ auth:PUBLIC # permissions for ANY user, even if they are not logged in. auth:hasPermission simplePermission:QueryFullModel ; + + # role-based permissions for PUBLIC + auth:hasPermission displayByRole:Public ; . diff --git a/webapp/web/WEB-INF/resources/startup_listeners.txt b/webapp/web/WEB-INF/resources/startup_listeners.txt index 5a62388c4..034242f09 100644 --- a/webapp/web/WEB-INF/resources/startup_listeners.txt +++ b/webapp/web/WEB-INF/resources/startup_listeners.txt @@ -46,7 +46,8 @@ edu.cornell.mannlib.vitro.webapp.auth.policy.RootUserPolicy$Setup edu.cornell.mannlib.vitro.webapp.auth.policy.RestrictHomeMenuItemEditingPolicy$Setup -# The Solr index uses a "public" filter, so the PropertyRestrictionPolicyHelper must already be set up. +# The Solr index uses a "public" permission, so the PropertyRestrictionPolicyHelper +# and the PermissionRegistry must already be set up. edu.cornell.mannlib.vitro.webapp.search.solr.SolrSetup edu.cornell.mannlib.vitro.webapp.controller.freemarker.FreemarkerSetup @@ -54,6 +55,8 @@ edu.cornell.mannlib.vitro.webapp.controller.freemarker.FreemarkerSetup # On shutdown, this will kill the background thread started by Apache Commons File Upload org.apache.commons.fileupload.servlet.FileCleanerCleanup +# The VClassGroupCache index uses a "public" permission, so the PropertyRestrictionPolicyHelper +# and the PermissionRegistry must already be set up. edu.cornell.mannlib.vitro.webapp.dao.jena.VClassGroupCache$Setup # This should be near the end, because it will issue a warning if the connection to Solr times out.