NIHVIVO-3523 Create the DisplayByRolePermission, so we can use the PermissionsPolicy instead of DisplayRestrictedDataByRoleLevelPolicy, and these display restrictions can be assigned to arbitrary PermissionSets.

2012-01-06 21:58:16 +00:00 · 2012-01-06 21:58:16 +00:00 · ffafc5f3e0
commit ffafc5f3e0
parent 6bd7e4bb7b
8 changed files with 305 additions and 190 deletions
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/permissions/DisplayByRolePermission.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/permissions/DisplayByRolePermission.java
@ -0,0 +1,138 @@
 /* $This file is distributed under the terms of the license in /doc/license.txt$ */
 package edu.cornell.mannlib.vitro.webapp.auth.permissions;
 import javax.servlet.ServletContext;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionPolicyHelper;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayDataProperty;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayDataPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayObjectProperty;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayObjectPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
 import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
 import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.beans.ObjectPropertyStatement;
 /**
 * Is the user authorized to display properties that are marked as restricted to
 * a certain "Role Level"?
 */
 public class DisplayByRolePermission extends Permission {
 	private static final Log log = LogFactory
 			.getLog(DisplayByRolePermission.class);
 	public static final String NAMESPACE = "java:"
 			+ DisplayByRolePermission.class.getName() + "#";
 	private final String roleName;
 	private final RoleLevel roleLevel;
 	private final ServletContext ctx;
 	public DisplayByRolePermission(String roleName, RoleLevel roleLevel,
 			ServletContext ctx) {
 		super(NAMESPACE + roleName);
 		if (roleName == null) {
 			throw new NullPointerException("role may not be null.");
 		}
 		if (roleLevel == null) {
 			throw new NullPointerException("roleLevel may not be null.");
 		}
 		if (ctx == null) {
 			throw new NullPointerException("context may not be null.");
 		}
 		this.roleName = roleName;
 		this.roleLevel = roleLevel;
 		this.ctx = ctx;
 	}
 	@Override
 	public boolean isAuthorized(RequestedAction whatToAuth) {
 		boolean result;
 		if (whatToAuth instanceof DisplayDataProperty) {
 			result = isAuthorized((DisplayDataProperty) whatToAuth);
 		} else if (whatToAuth instanceof DisplayObjectProperty) {
 			result = isAuthorized((DisplayObjectProperty) whatToAuth);
 		} else if (whatToAuth instanceof DisplayDataPropertyStatement) {
 			result = isAuthorized((DisplayDataPropertyStatement) whatToAuth);
 		} else if (whatToAuth instanceof DisplayObjectPropertyStatement) {
 			result = isAuthorized((DisplayObjectPropertyStatement) whatToAuth);
 		} else {
 			result = false;
 		}
 		if (result) {
 			log.debug(this + " authorizes " + whatToAuth);
 		} else {
 			log.debug(this + " does not authorize " + whatToAuth);
 		}
 		return result;
 	}
 	/**
 	 * The user may see this data property if they are allowed to see its
 	 * predicate.
 	 */
 	private boolean isAuthorized(DisplayDataProperty action) {
 		String predicateUri = action.getDataProperty().getURI();
 		return canDisplayPredicate(predicateUri);
 	}
 	/**
 	 * The user may see this object property if they are allowed to see its
 	 * predicate.
 	 */
 	private boolean isAuthorized(DisplayObjectProperty action) {
 		String predicateUri = action.getObjectProperty().getURI();
 		return canDisplayPredicate(predicateUri);
 	}
 	/**
 	 * The user may see this data property if they are allowed to see its
 	 * subject and its predicate.
 	 */
 	private boolean isAuthorized(DisplayDataPropertyStatement action) {
 		DataPropertyStatement stmt = action.getDataPropertyStatement();
 		String subjectUri = stmt.getIndividualURI();
 		String predicateUri = stmt.getDatapropURI();
 		return canDisplayResource(subjectUri)
 				&& canDisplayPredicate(predicateUri);
 	}
 	/**
 	 * The user may see this data property if they are allowed to see its
 	 * subject, its predicate, and its object.
 	 */
 	private boolean isAuthorized(DisplayObjectPropertyStatement action) {
 		ObjectPropertyStatement stmt = action.getObjectPropertyStatement();
 		String subjectUri = stmt.getSubjectURI();
 		String predicateUri = stmt.getPropertyURI();
 		String objectUri = stmt.getObjectURI();
 		return canDisplayResource(subjectUri)
 				&& canDisplayPredicate(predicateUri)
 				&& canDisplayResource(objectUri);
 	}
 	private boolean canDisplayResource(String resourceUri) {
 		return PropertyRestrictionPolicyHelper.getBean(ctx).canDisplayResource(
 				resourceUri, this.roleLevel);
 	}
 	private boolean canDisplayPredicate(String predicateUri) {
 		return PropertyRestrictionPolicyHelper.getBean(ctx)
 				.canDisplayPredicate(predicateUri, this.roleLevel);
 	}
 	@Override
 	public String toString() {
 		return "DisplayByRolePermission['" + roleName + "']";
 	}
 }
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/permissions/PermissionRegistry.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/permissions/PermissionRegistry.java
@ -16,6 +16,7 @@ import javax.servlet.ServletContextListener;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
 import edu.cornell.mannlib.vitro.webapp.startup.StartupStatus;
 /**
@ -59,7 +60,8 @@ public class PermissionRegistry {
 	}
 	/**
-	 * Get the registry from the context. If there isn't one, throw an exception.
+	 * Get the registry from the context. If there isn't one, throw an
 	 * exception.
 	 */
 	public static PermissionRegistry getRegistry(ServletContext ctx) {
 		if (ctx == null) {
@ -128,7 +130,9 @@ public class PermissionRegistry {
 			StartupStatus ss = StartupStatus.getBean(ctx);
 			try {
 				List<Permission> permissions = new ArrayList<Permission>();
 				permissions.addAll(SimplePermission.getAllInstances());
 				permissions.addAll(createDisplayByRolePermissions(ctx));
 				PermissionRegistry.createRegistry(ctx, permissions);
@ -140,6 +144,20 @@ public class PermissionRegistry {
 			}
 		}
 		private Collection<Permission> createDisplayByRolePermissions(
 				ServletContext ctx) {
 			List<Permission> list = new ArrayList<Permission>();
 			list.add(new DisplayByRolePermission("Admin", RoleLevel.DB_ADMIN,
 					ctx));
 			list.add(new DisplayByRolePermission("Curator", RoleLevel.CURATOR,
 					ctx));
 			list.add(new DisplayByRolePermission("Editor", RoleLevel.EDITOR,
 					ctx));
 			list.add(new DisplayByRolePermission("Public", RoleLevel.PUBLIC,
 					ctx));
 			return list;
 		}
 		@Override
 		public void contextDestroyed(ServletContextEvent sce) {
 			sce.getServletContext().removeAttribute(ATTRIBUTE_NAME);
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/DisplayRestrictedDataByRoleLevelPolicy.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/DisplayRestrictedDataByRoleLevelPolicy.java
@ -1,179 +0,0 @@
 /* $This file is distributed under the terms of the license in /doc/license.txt$ */
 package edu.cornell.mannlib.vitro.webapp.auth.policy;
 import javax.servlet.ServletContext;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.HasRoleLevel;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionPolicyHelper;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayDataProperty;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayDataPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayObjectProperty;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayObjectPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
 import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
 import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.beans.ObjectPropertyStatement;
 /**
 * Permit display of various data based on the user's Role level and the
 * restrictions in the onotology.
 */
 public class DisplayRestrictedDataByRoleLevelPolicy implements PolicyIface {
 	private static final Log log = LogFactory
 			.getLog(DisplayRestrictedDataByRoleLevelPolicy.class);
 	private final ServletContext ctx;
 	public DisplayRestrictedDataByRoleLevelPolicy(ServletContext ctx) {
 		this.ctx = ctx;
 	}
 	/**
 	 * If the requested action is to display a property or a property statement,
 	 * we might authorize it based on their role level.
 	 */
 	@Override
 	public PolicyDecision isAuthorized(IdentifierBundle whoToAuth,
 			RequestedAction whatToAuth) {
 		if (whoToAuth == null) {
 			return defaultDecision("whomToAuth was null");
 		}
 		if (whatToAuth == null) {
 			return defaultDecision("whatToAuth was null");
 		}
 		RoleLevel userRole = HasRoleLevel.getUsersRoleLevel(whoToAuth);
 		/*
 		 * This policy treats a self-editor as no better than public. If you
 		 * want self-editors to see their own properties, some other policy must
 		 * grant that.
 		 */
 		if (userRole == RoleLevel.SELF) {
 			userRole = RoleLevel.PUBLIC;
 		}
 		PolicyDecision result;
 		if (whatToAuth instanceof DisplayDataProperty) {
 			result = isAuthorized((DisplayDataProperty) whatToAuth, userRole);
 		} else if (whatToAuth instanceof DisplayObjectProperty) {
 			result = isAuthorized((DisplayObjectProperty) whatToAuth, userRole);
 		} else if (whatToAuth instanceof DisplayDataPropertyStatement) {
 			result = isAuthorized((DisplayDataPropertyStatement) whatToAuth,
 					userRole);
 		} else if (whatToAuth instanceof DisplayObjectPropertyStatement) {
 			result = isAuthorized((DisplayObjectPropertyStatement) whatToAuth,
 					userRole);
 		} else {
 			result = defaultDecision("Unrecognized action");
 		}
 		log.debug("decision for '" + whatToAuth + "' is " + result);
 		return result;
 	}
 	/**
 	 * The user may see this data property if they are allowed to see its
 	 * predicate.
 	 */
 	private PolicyDecision isAuthorized(DisplayDataProperty action,
 			RoleLevel userRole) {
 		String predicateUri = action.getDataProperty().getURI();
 		if (canDisplayPredicate(predicateUri, userRole)) {
 			return authorized("user may view DataProperty " + predicateUri);
 		} else {
 			return defaultDecision("user may not view DataProperty "
 					+ predicateUri);
 		}
 	}
 	/**
 	 * The user may see this object property if they are allowed to see its
 	 * predicate.
 	 */
 	private PolicyDecision isAuthorized(DisplayObjectProperty action,
 			RoleLevel userRole) {
 		String predicateUri = action.getObjectProperty().getURI();
 		if (canDisplayPredicate(predicateUri, userRole)) {
 			return authorized("user may view ObjectProperty " + predicateUri);
 		} else {
 			return defaultDecision("user may not view ObjectProperty "
 					+ predicateUri);
 		}
 	}
 	/**
 	 * The user may see this data property if they are allowed to see its
 	 * subject and its predicate.
 	 */
 	private PolicyDecision isAuthorized(DisplayDataPropertyStatement action,
 			RoleLevel userRole) {
 		DataPropertyStatement stmt = action.getDataPropertyStatement();
 		String subjectUri = stmt.getIndividualURI();
 		String predicateUri = stmt.getDatapropURI();
 		if (canDisplayResource(subjectUri, userRole)
 				&& canDisplayPredicate(predicateUri, userRole)) {
 			return authorized("user may view DataPropertyStatement "
 					+ subjectUri + " ==> " + predicateUri);
 		} else {
 			return defaultDecision("user may not view DataPropertyStatement "
 					+ subjectUri + " ==> " + predicateUri);
 		}
 	}
 	/**
 	 * The user may see this data property if they are allowed to see its
 	 * subject, its predicate, and its object.
 	 */
 	private PolicyDecision isAuthorized(DisplayObjectPropertyStatement action,
 			RoleLevel userRole) {
 		ObjectPropertyStatement stmt = action.getObjectPropertyStatement();
 		String subjectUri = stmt.getSubjectURI();
 		String predicateUri = stmt.getPropertyURI();
 		String objectUri = stmt.getObjectURI();
 		if (canDisplayResource(subjectUri, userRole)
 				&& canDisplayPredicate(predicateUri, userRole)
 				&& canDisplayResource(objectUri, userRole)) {
 			return authorized("user may view ObjectPropertyStatement "
 					+ subjectUri + " ==> " + predicateUri + " ==> " + objectUri);
 		} else {
 			return defaultDecision("user may not view ObjectPropertyStatement "
 					+ subjectUri + " ==> " + predicateUri + " ==> " + objectUri);
 		}
 	}
 	/** If the user is explicitly authorized, return this. */
 	private PolicyDecision authorized(String message) {
 		String className = this.getClass().getSimpleName();
 		return new BasicPolicyDecision(Authorization.AUTHORIZED, className
 				+ ": " + message);
 	}
 	/** If the user isn't explicitly authorized, return this. */
 	private PolicyDecision defaultDecision(String message) {
 		return new BasicPolicyDecision(Authorization.INCONCLUSIVE, message);
 	}
 	private boolean canDisplayResource(String uri, RoleLevel userRole) {
 		return PropertyRestrictionPolicyHelper.getBean(ctx).canDisplayResource(
 				uri, userRole);
 	}
 	private boolean canDisplayPredicate(String uri, RoleLevel userRole) {
 		return PropertyRestrictionPolicyHelper.getBean(ctx)
 				.canDisplayPredicate(uri, userRole);
 	}
 	@Override
 	public String toString() {
 		return this.getClass().getSimpleName() + " - " + hashCode();
 	}
 }
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/setup/CommonPolicyFamilySetup.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/setup/CommonPolicyFamilySetup.java
@ -14,7 +14,6 @@ import edu.cornell.mannlib.vitro.webapp.auth.identifier.factory.HasProxyEditingR
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.factory.HasRoleLevelFactory;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.factory.IsRootUserFactory;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.factory.IsUserFactory;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.DisplayRestrictedDataByRoleLevelPolicy;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.DisplayRestrictedDataToSelfPolicy;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.EditRestrictedDataByRoleLevelPolicy;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.PermissionsPolicy;
@ -35,7 +34,6 @@ public class CommonPolicyFamilySetup implements ServletContextListener {
 		try {
 			policy(ctx, new PermissionsPolicy());
 			policy(ctx, new DisplayRestrictedDataByRoleLevelPolicy(ctx));
 			policy(ctx, new DisplayRestrictedDataToSelfPolicy(ctx));
 			policy(ctx, new EditRestrictedDataByRoleLevelPolicy(ctx));
 			policy(ctx, new SelfEditingPolicy(ctx));
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/FilterByRoleLevelPermission.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/FilterByRoleLevelPermission.java
@ -0,0 +1,124 @@
 /* $This file is distributed under the terms of the license in /doc/license.txt$ */
 package edu.cornell.mannlib.vitro.webapp.dao.filtering.filters;
 import javax.servlet.ServletContext;
 import javax.servlet.http.HttpServletRequest;
 import net.sf.jga.fn.UnaryFunctor;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.RequestIdentifiers;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.HasPermission;
 import edu.cornell.mannlib.vitro.webapp.auth.permissions.DisplayByRolePermission;
 import edu.cornell.mannlib.vitro.webapp.auth.permissions.Permission;
 import edu.cornell.mannlib.vitro.webapp.auth.permissions.PermissionRegistry;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayDataProperty;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayDataPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayObjectProperty;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayObjectPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
 import edu.cornell.mannlib.vitro.webapp.beans.DataProperty;
 import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty;
 import edu.cornell.mannlib.vitro.webapp.beans.ObjectPropertyStatement;
 /**
 * Filter the properties depending on what DisplayByRolePermission is on the
 * request. If no request, or no permission, use the Public permission.
 */
 public class FilterByRoleLevelPermission extends VitroFiltersImpl {
 	private static final Log log = LogFactory
 			.getLog(FilterByRoleLevelPermission.class);
 	private final Permission permission;
 	private static Permission getDefaultPermission(ServletContext ctx) {
 		if (ctx == null) {
 			throw new NullPointerException("context may not be null.");
 		}
 		return PermissionRegistry.getRegistry(ctx).getPermission(
 				DisplayByRolePermission.NAMESPACE + "Public");
 	}
 	private static Permission getPermissionFromRequest(HttpServletRequest req) {
 		if (req == null) {
 			throw new NullPointerException("request may not be null.");
 		}
 		IdentifierBundle ids = RequestIdentifiers.getIdBundleForRequest(req);
 		for (Permission p : HasPermission.getPermissions(ids)) {
 			if (p instanceof DisplayByRolePermission) {
 				return p;
 			}
 		}
 		return getDefaultPermission(req.getSession().getServletContext());
 	}
 	/** Get the DisplayByRolePermission from the request, or use Public. */
 	public FilterByRoleLevelPermission(HttpServletRequest req) {
 		this(getPermissionFromRequest(req));
 	}
 	/** Use the Public permission. */
 	public FilterByRoleLevelPermission(ServletContext ctx) {
 		this(getDefaultPermission(ctx));
 	}
 	/** Use the specified permission. */
 	public FilterByRoleLevelPermission(Permission permission) {
 		if (permission == null) {
 			throw new NullPointerException("permission may not be null.");
 		}
 		this.permission = permission;
 		setDataPropertyFilter(new DataPropertyFilterByPolicy());
 		setObjectPropertyFilter(new ObjectPropertyFilterByPolicy());
 		setDataPropertyStatementFilter(new DataPropertyStatementFilterByPolicy());
 		setObjectPropertyStatementFilter(new ObjectPropertyStatementFilterByPolicy());
 	}
 	boolean checkAuthorization(RequestedAction whatToAuth) {
 		boolean decision = permission.isAuthorized(whatToAuth);
 		log.debug("decision is " + decision);
 		return decision;
 	}
 	private class DataPropertyFilterByPolicy extends
 			UnaryFunctor<DataProperty, Boolean> {
 		@Override
 		public Boolean fn(DataProperty dp) {
 			return checkAuthorization(new DisplayDataProperty(dp));
 		}
 	}
 	private class ObjectPropertyFilterByPolicy extends
 			UnaryFunctor<ObjectProperty, Boolean> {
 		@Override
 		public Boolean fn(ObjectProperty op) {
 			return checkAuthorization(new DisplayObjectProperty(op));
 		}
 	}
 	private class DataPropertyStatementFilterByPolicy extends
 			UnaryFunctor<DataPropertyStatement, Boolean> {
 		@Override
 		public Boolean fn(DataPropertyStatement dps) {
 			return checkAuthorization(new DisplayDataPropertyStatement(dps));
 		}
 	}
 	private class ObjectPropertyStatementFilterByPolicy extends
 			UnaryFunctor<ObjectPropertyStatement, Boolean> {
 		@Override
 		public Boolean fn(ObjectPropertyStatement ops) {
 			return checkAuthorization(new DisplayObjectPropertyStatement(ops));
 		}
 	}
 }
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/VitroFilterUtils.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/dao/filtering/filters/VitroFilterUtils.java
@ -5,7 +5,6 @@ package edu.cornell.mannlib.vitro.webapp.dao.filtering.filters;
 import java.text.Collator;
 import java.util.Collections;
 import java.util.Comparator;
 import java.util.Date;
 import java.util.List;
 import javax.servlet.ServletContext;
@ -14,8 +13,6 @@ import net.sf.jga.fn.UnaryFunctor;
 import net.sf.jga.fn.adaptor.ChainUnary;
 import net.sf.jga.fn.property.GetProperty;
 import net.sf.jga.fn.string.Match;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.ArrayIdentifierBundle;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.DisplayRestrictedDataByRoleLevelPolicy;
 import edu.cornell.mannlib.vitro.webapp.beans.Individual;
 /**
 * Static methods to help create commonly used filters.
@ -26,9 +23,7 @@ public class VitroFilterUtils {
 	 * public view.
 	 */
 	public static VitroFilters getPublicFilter(ServletContext ctx) {
-		return new HideFromDisplayByPolicyFilter(
+		return new FilterByRoleLevelPermission(ctx);
 				new ArrayIdentifierBundle(),
 				new DisplayRestrictedDataByRoleLevelPolicy(ctx));
 	}
    /** Gets a VitroFilters that permits all objects */
--- a/webapp/web/WEB-INF/resources/permission_config.n3
+++ b/webapp/web/WEB-INF/resources/permission_config.n3
@ -3,6 +3,7 @@
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#> .
@prefix simplePermission: <java:edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission#> .
@prefix displayByRole: <java:edu.cornell.mannlib.vitro.webapp.auth.permissions.DisplayByRolePermission#> .
 auth:ADMIN 
    a auth:PermissionSet ;
@ -45,6 +46,9 @@ auth:ADMIN
    # permissions for ANY user, even if they are not logged in.
    auth:hasPermission simplePermission:QueryFullModel ;
    # role-based permissions for ADMIN
    auth:hasPermission displayByRole:Admin ;
    .
 auth:CURATOR 
@ -76,6 +80,9 @@ auth:CURATOR
    # permissions for ANY user, even if they are not logged in.
    auth:hasPermission simplePermission:QueryFullModel ;
    # role-based permissions for CURATOR
    auth:hasPermission displayByRole:Curator ;
    .
 auth:EDITOR 
@ -99,6 +106,9 @@ auth:EDITOR
    # permissions for ANY user, even if they are not logged in.
    auth:hasPermission simplePermission:QueryFullModel ;
    # role-based permissions for EDITOR
    auth:hasPermission displayByRole:Editor ;
    .
 auth:SELF_EDITOR
@ -116,6 +126,11 @@ auth:SELF_EDITOR
    # permissions for ANY user, even if they are not logged in.
    auth:hasPermission simplePermission:QueryFullModel ;
    # role-based permissions for SELF_EDITOR
    #     For role-based display, SelfEditor is like Public. 
    #     SelfEditor uses its special permissions to edit/display its own values.
    auth:hasPermission displayByRole:Public ; 
    .
 auth:PUBLIC
@ -125,4 +140,7 @@ auth:PUBLIC
    # permissions for ANY user, even if they are not logged in.
    auth:hasPermission simplePermission:QueryFullModel ;
    # role-based permissions for PUBLIC
    auth:hasPermission displayByRole:Public ;
    .
--- a/webapp/web/WEB-INF/resources/startup_listeners.txt
+++ b/webapp/web/WEB-INF/resources/startup_listeners.txt
@ -46,7 +46,8 @@ edu.cornell.mannlib.vitro.webapp.auth.policy.RootUserPolicy$Setup
 edu.cornell.mannlib.vitro.webapp.auth.policy.RestrictHomeMenuItemEditingPolicy$Setup
-# The Solr index uses a "public" filter, so the PropertyRestrictionPolicyHelper must already be set up.
+# The Solr index uses a "public" permission, so the PropertyRestrictionPolicyHelper 
 #   and the PermissionRegistry must already be set up.
 edu.cornell.mannlib.vitro.webapp.search.solr.SolrSetup
 edu.cornell.mannlib.vitro.webapp.controller.freemarker.FreemarkerSetup
@ -54,6 +55,8 @@ edu.cornell.mannlib.vitro.webapp.controller.freemarker.FreemarkerSetup
 # On shutdown, this will kill the background thread started by Apache Commons File Upload
 org.apache.commons.fileupload.servlet.FileCleanerCleanup
 # The VClassGroupCache index uses a "public" permission, so the PropertyRestrictionPolicyHelper 
 #   and the PermissionRegistry must already be set up.
 edu.cornell.mannlib.vitro.webapp.dao.jena.VClassGroupCache$Setup
 # This should be near the end, because it will issue a warning if the connection to Solr times out.