NIHVIVO-3523 Create the DisplayByRolePermission, so we can use the PermissionsPolicy instead of DisplayRestrictedDataByRoleLevelPolicy, and these display restrictions can be assigned to arbitrary PermissionSets.
This commit is contained in:
j2blake
parent
6bd7e4bb7b
commit
ffafc5f3e0
8 changed files with 305 additions and 190 deletions
|
|
@ -0,0 +1,138 @@
|
|||
/* $This file is distributed under the terms of the license in /doc/license.txt$ */
|
||||
|
||||
package edu.cornell.mannlib.vitro.webapp.auth.permissions;
|
||||
|
||||
import javax.servlet.ServletContext;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionPolicyHelper;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayDataProperty;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayDataPropertyStatement;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayObjectProperty;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayObjectPropertyStatement;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatement;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.ObjectPropertyStatement;
|
||||
|
||||
/**
|
||||
* Is the user authorized to display properties that are marked as restricted to
|
||||
* a certain "Role Level"?
|
||||
*/
|
||||
public class DisplayByRolePermission extends Permission {
|
||||
private static final Log log = LogFactory
|
||||
.getLog(DisplayByRolePermission.class);
|
||||
|
||||
public static final String NAMESPACE = "java:"
|
||||
+ DisplayByRolePermission.class.getName() + "#";
|
||||
|
||||
private final String roleName;
|
||||
private final RoleLevel roleLevel;
|
||||
private final ServletContext ctx;
|
||||
|
||||
public DisplayByRolePermission(String roleName, RoleLevel roleLevel,
|
||||
ServletContext ctx) {
|
||||
super(NAMESPACE + roleName);
|
||||
|
||||
if (roleName == null) {
|
||||
throw new NullPointerException("role may not be null.");
|
||||
}
|
||||
if (roleLevel == null) {
|
||||
throw new NullPointerException("roleLevel may not be null.");
|
||||
}
|
||||
if (ctx == null) {
|
||||
throw new NullPointerException("context may not be null.");
|
||||
}
|
||||
|
||||
this.roleName = roleName;
|
||||
this.roleLevel = roleLevel;
|
||||
this.ctx = ctx;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isAuthorized(RequestedAction whatToAuth) {
|
||||
boolean result;
|
||||
|
||||
if (whatToAuth instanceof DisplayDataProperty) {
|
||||
result = isAuthorized((DisplayDataProperty) whatToAuth);
|
||||
} else if (whatToAuth instanceof DisplayObjectProperty) {
|
||||
result = isAuthorized((DisplayObjectProperty) whatToAuth);
|
||||
} else if (whatToAuth instanceof DisplayDataPropertyStatement) {
|
||||
result = isAuthorized((DisplayDataPropertyStatement) whatToAuth);
|
||||
} else if (whatToAuth instanceof DisplayObjectPropertyStatement) {
|
||||
result = isAuthorized((DisplayObjectPropertyStatement) whatToAuth);
|
||||
} else {
|
||||
result = false;
|
||||
}
|
||||
|
||||
if (result) {
|
||||
log.debug(this + " authorizes " + whatToAuth);
|
||||
} else {
|
||||
log.debug(this + " does not authorize " + whatToAuth);
|
||||
}
|
||||
|
||||
return result;
|
||||
}
|
||||
|
||||
/**
|
||||
* The user may see this data property if they are allowed to see its
|
||||
* predicate.
|
||||
*/
|
||||
private boolean isAuthorized(DisplayDataProperty action) {
|
||||
String predicateUri = action.getDataProperty().getURI();
|
||||
return canDisplayPredicate(predicateUri);
|
||||
}
|
||||
|
||||
/**
|
||||
* The user may see this object property if they are allowed to see its
|
||||
* predicate.
|
||||
*/
|
||||
private boolean isAuthorized(DisplayObjectProperty action) {
|
||||
String predicateUri = action.getObjectProperty().getURI();
|
||||
return canDisplayPredicate(predicateUri);
|
||||
}
|
||||
|
||||
/**
|
||||
* The user may see this data property if they are allowed to see its
|
||||
* subject and its predicate.
|
||||
*/
|
||||
private boolean isAuthorized(DisplayDataPropertyStatement action) {
|
||||
DataPropertyStatement stmt = action.getDataPropertyStatement();
|
||||
String subjectUri = stmt.getIndividualURI();
|
||||
String predicateUri = stmt.getDatapropURI();
|
||||
return canDisplayResource(subjectUri)
|
||||
&& canDisplayPredicate(predicateUri);
|
||||
}
|
||||
|
||||
/**
|
||||
* The user may see this data property if they are allowed to see its
|
||||
* subject, its predicate, and its object.
|
||||
*/
|
||||
private boolean isAuthorized(DisplayObjectPropertyStatement action) {
|
||||
ObjectPropertyStatement stmt = action.getObjectPropertyStatement();
|
||||
String subjectUri = stmt.getSubjectURI();
|
||||
String predicateUri = stmt.getPropertyURI();
|
||||
String objectUri = stmt.getObjectURI();
|
||||
return canDisplayResource(subjectUri)
|
||||
&& canDisplayPredicate(predicateUri)
|
||||
&& canDisplayResource(objectUri);
|
||||
}
|
||||
|
||||
private boolean canDisplayResource(String resourceUri) {
|
||||
return PropertyRestrictionPolicyHelper.getBean(ctx).canDisplayResource(
|
||||
resourceUri, this.roleLevel);
|
||||
}
|
||||
|
||||
private boolean canDisplayPredicate(String predicateUri) {
|
||||
return PropertyRestrictionPolicyHelper.getBean(ctx)
|
||||
.canDisplayPredicate(predicateUri, this.roleLevel);
|
||||
}
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
return "DisplayByRolePermission['" + roleName + "']";
|
||||
}
|
||||
|
||||
}
|
||||
|
|
@ -16,6 +16,7 @@ import javax.servlet.ServletContextListener;
|
|||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
|
||||
import edu.cornell.mannlib.vitro.webapp.startup.StartupStatus;
|
||||
|
||||
/**
|
||||
|
|
@ -31,7 +32,7 @@ public class PermissionRegistry {
|
|||
private static final String ATTRIBUTE_NAME = PermissionRegistry.class
|
||||
.getName();
|
||||
|
||||
/**
|
||||
/**
|
||||
* Has the registry been created yet?
|
||||
*/
|
||||
public static boolean isRegistryCreated(ServletContext ctx) {
|
||||
|
|
@ -59,7 +60,8 @@ public class PermissionRegistry {
|
|||
}
|
||||
|
||||
/**
|
||||
* Get the registry from the context. If there isn't one, throw an exception.
|
||||
* Get the registry from the context. If there isn't one, throw an
|
||||
* exception.
|
||||
*/
|
||||
public static PermissionRegistry getRegistry(ServletContext ctx) {
|
||||
if (ctx == null) {
|
||||
|
|
@ -128,7 +130,9 @@ public class PermissionRegistry {
|
|||
StartupStatus ss = StartupStatus.getBean(ctx);
|
||||
try {
|
||||
List<Permission> permissions = new ArrayList<Permission>();
|
||||
|
||||
permissions.addAll(SimplePermission.getAllInstances());
|
||||
permissions.addAll(createDisplayByRolePermissions(ctx));
|
||||
|
||||
PermissionRegistry.createRegistry(ctx, permissions);
|
||||
|
||||
|
|
@ -140,6 +144,20 @@ public class PermissionRegistry {
|
|||
}
|
||||
}
|
||||
|
||||
private Collection<Permission> createDisplayByRolePermissions(
|
||||
ServletContext ctx) {
|
||||
List<Permission> list = new ArrayList<Permission>();
|
||||
list.add(new DisplayByRolePermission("Admin", RoleLevel.DB_ADMIN,
|
||||
ctx));
|
||||
list.add(new DisplayByRolePermission("Curator", RoleLevel.CURATOR,
|
||||
ctx));
|
||||
list.add(new DisplayByRolePermission("Editor", RoleLevel.EDITOR,
|
||||
ctx));
|
||||
list.add(new DisplayByRolePermission("Public", RoleLevel.PUBLIC,
|
||||
ctx));
|
||||
return list;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void contextDestroyed(ServletContextEvent sce) {
|
||||
sce.getServletContext().removeAttribute(ATTRIBUTE_NAME);
|
||||
|
|
|
|||
|
|
@ -1,179 +0,0 @@
|
|||
/* $This file is distributed under the terms of the license in /doc/license.txt$ */
|
||||
|
||||
package edu.cornell.mannlib.vitro.webapp.auth.policy;
|
||||
|
||||
import javax.servlet.ServletContext;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.HasRoleLevel;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionPolicyHelper;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayDataProperty;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayDataPropertyStatement;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayObjectProperty;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayObjectPropertyStatement;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatement;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.ObjectPropertyStatement;
|
||||
|
||||
/**
|
||||
* Permit display of various data based on the user's Role level and the
|
||||
* restrictions in the onotology.
|
||||
*/
|
||||
public class DisplayRestrictedDataByRoleLevelPolicy implements PolicyIface {
|
||||
private static final Log log = LogFactory
|
||||
.getLog(DisplayRestrictedDataByRoleLevelPolicy.class);
|
||||
|
||||
private final ServletContext ctx;
|
||||
|
||||
public DisplayRestrictedDataByRoleLevelPolicy(ServletContext ctx) {
|
||||
this.ctx = ctx;
|
||||
}
|
||||
|
||||
/**
|
||||
* If the requested action is to display a property or a property statement,
|
||||
* we might authorize it based on their role level.
|
||||
*/
|
||||
@Override
|
||||
public PolicyDecision isAuthorized(IdentifierBundle whoToAuth,
|
||||
RequestedAction whatToAuth) {
|
||||
if (whoToAuth == null) {
|
||||
return defaultDecision("whomToAuth was null");
|
||||
}
|
||||
if (whatToAuth == null) {
|
||||
return defaultDecision("whatToAuth was null");
|
||||
}
|
||||
|
||||
RoleLevel userRole = HasRoleLevel.getUsersRoleLevel(whoToAuth);
|
||||
/*
|
||||
* This policy treats a self-editor as no better than public. If you
|
||||
* want self-editors to see their own properties, some other policy must
|
||||
* grant that.
|
||||
*/
|
||||
if (userRole == RoleLevel.SELF) {
|
||||
userRole = RoleLevel.PUBLIC;
|
||||
}
|
||||
|
||||
PolicyDecision result;
|
||||
if (whatToAuth instanceof DisplayDataProperty) {
|
||||
result = isAuthorized((DisplayDataProperty) whatToAuth, userRole);
|
||||
} else if (whatToAuth instanceof DisplayObjectProperty) {
|
||||
result = isAuthorized((DisplayObjectProperty) whatToAuth, userRole);
|
||||
} else if (whatToAuth instanceof DisplayDataPropertyStatement) {
|
||||
result = isAuthorized((DisplayDataPropertyStatement) whatToAuth,
|
||||
userRole);
|
||||
} else if (whatToAuth instanceof DisplayObjectPropertyStatement) {
|
||||
result = isAuthorized((DisplayObjectPropertyStatement) whatToAuth,
|
||||
userRole);
|
||||
} else {
|
||||
result = defaultDecision("Unrecognized action");
|
||||
}
|
||||
|
||||
log.debug("decision for '" + whatToAuth + "' is " + result);
|
||||
return result;
|
||||
}
|
||||
|
||||
/**
|
||||
* The user may see this data property if they are allowed to see its
|
||||
* predicate.
|
||||
*/
|
||||
private PolicyDecision isAuthorized(DisplayDataProperty action,
|
||||
RoleLevel userRole) {
|
||||
String predicateUri = action.getDataProperty().getURI();
|
||||
if (canDisplayPredicate(predicateUri, userRole)) {
|
||||
return authorized("user may view DataProperty " + predicateUri);
|
||||
} else {
|
||||
return defaultDecision("user may not view DataProperty "
|
||||
+ predicateUri);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* The user may see this object property if they are allowed to see its
|
||||
* predicate.
|
||||
*/
|
||||
private PolicyDecision isAuthorized(DisplayObjectProperty action,
|
||||
RoleLevel userRole) {
|
||||
String predicateUri = action.getObjectProperty().getURI();
|
||||
if (canDisplayPredicate(predicateUri, userRole)) {
|
||||
return authorized("user may view ObjectProperty " + predicateUri);
|
||||
} else {
|
||||
return defaultDecision("user may not view ObjectProperty "
|
||||
+ predicateUri);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* The user may see this data property if they are allowed to see its
|
||||
* subject and its predicate.
|
||||
*/
|
||||
private PolicyDecision isAuthorized(DisplayDataPropertyStatement action,
|
||||
RoleLevel userRole) {
|
||||
DataPropertyStatement stmt = action.getDataPropertyStatement();
|
||||
String subjectUri = stmt.getIndividualURI();
|
||||
String predicateUri = stmt.getDatapropURI();
|
||||
if (canDisplayResource(subjectUri, userRole)
|
||||
&& canDisplayPredicate(predicateUri, userRole)) {
|
||||
return authorized("user may view DataPropertyStatement "
|
||||
+ subjectUri + " ==> " + predicateUri);
|
||||
} else {
|
||||
return defaultDecision("user may not view DataPropertyStatement "
|
||||
+ subjectUri + " ==> " + predicateUri);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* The user may see this data property if they are allowed to see its
|
||||
* subject, its predicate, and its object.
|
||||
*/
|
||||
private PolicyDecision isAuthorized(DisplayObjectPropertyStatement action,
|
||||
RoleLevel userRole) {
|
||||
ObjectPropertyStatement stmt = action.getObjectPropertyStatement();
|
||||
String subjectUri = stmt.getSubjectURI();
|
||||
String predicateUri = stmt.getPropertyURI();
|
||||
String objectUri = stmt.getObjectURI();
|
||||
if (canDisplayResource(subjectUri, userRole)
|
||||
&& canDisplayPredicate(predicateUri, userRole)
|
||||
&& canDisplayResource(objectUri, userRole)) {
|
||||
return authorized("user may view ObjectPropertyStatement "
|
||||
+ subjectUri + " ==> " + predicateUri + " ==> " + objectUri);
|
||||
} else {
|
||||
return defaultDecision("user may not view ObjectPropertyStatement "
|
||||
+ subjectUri + " ==> " + predicateUri + " ==> " + objectUri);
|
||||
}
|
||||
}
|
||||
|
||||
/** If the user is explicitly authorized, return this. */
|
||||
private PolicyDecision authorized(String message) {
|
||||
String className = this.getClass().getSimpleName();
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED, className
|
||||
+ ": " + message);
|
||||
}
|
||||
|
||||
/** If the user isn't explicitly authorized, return this. */
|
||||
private PolicyDecision defaultDecision(String message) {
|
||||
return new BasicPolicyDecision(Authorization.INCONCLUSIVE, message);
|
||||
}
|
||||
|
||||
private boolean canDisplayResource(String uri, RoleLevel userRole) {
|
||||
return PropertyRestrictionPolicyHelper.getBean(ctx).canDisplayResource(
|
||||
uri, userRole);
|
||||
}
|
||||
|
||||
private boolean canDisplayPredicate(String uri, RoleLevel userRole) {
|
||||
return PropertyRestrictionPolicyHelper.getBean(ctx)
|
||||
.canDisplayPredicate(uri, userRole);
|
||||
}
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
return this.getClass().getSimpleName() + " - " + hashCode();
|
||||
}
|
||||
|
||||
}
|
||||
|
|
@ -14,7 +14,6 @@ import edu.cornell.mannlib.vitro.webapp.auth.identifier.factory.HasProxyEditingR
|
|||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.factory.HasRoleLevelFactory;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.factory.IsRootUserFactory;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.factory.IsUserFactory;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.DisplayRestrictedDataByRoleLevelPolicy;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.DisplayRestrictedDataToSelfPolicy;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.EditRestrictedDataByRoleLevelPolicy;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.PermissionsPolicy;
|
||||
|
|
@ -35,7 +34,6 @@ public class CommonPolicyFamilySetup implements ServletContextListener {
|
|||
|
||||
try {
|
||||
policy(ctx, new PermissionsPolicy());
|
||||
policy(ctx, new DisplayRestrictedDataByRoleLevelPolicy(ctx));
|
||||
policy(ctx, new DisplayRestrictedDataToSelfPolicy(ctx));
|
||||
policy(ctx, new EditRestrictedDataByRoleLevelPolicy(ctx));
|
||||
policy(ctx, new SelfEditingPolicy(ctx));
|
||||
|
|
|
|||
|
|
@ -0,0 +1,124 @@
|
|||
/* $This file is distributed under the terms of the license in /doc/license.txt$ */
|
||||
|
||||
package edu.cornell.mannlib.vitro.webapp.dao.filtering.filters;
|
||||
|
||||
import javax.servlet.ServletContext;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
import net.sf.jga.fn.UnaryFunctor;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.RequestIdentifiers;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.common.HasPermission;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.permissions.DisplayByRolePermission;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.permissions.Permission;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.permissions.PermissionRegistry;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayDataProperty;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayDataPropertyStatement;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayObjectProperty;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.display.DisplayObjectPropertyStatement;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.DataProperty;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatement;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.ObjectPropertyStatement;
|
||||
|
||||
/**
|
||||
* Filter the properties depending on what DisplayByRolePermission is on the
|
||||
* request. If no request, or no permission, use the Public permission.
|
||||
*/
|
||||
public class FilterByRoleLevelPermission extends VitroFiltersImpl {
|
||||
private static final Log log = LogFactory
|
||||
.getLog(FilterByRoleLevelPermission.class);
|
||||
|
||||
private final Permission permission;
|
||||
|
||||
private static Permission getDefaultPermission(ServletContext ctx) {
|
||||
if (ctx == null) {
|
||||
throw new NullPointerException("context may not be null.");
|
||||
}
|
||||
|
||||
return PermissionRegistry.getRegistry(ctx).getPermission(
|
||||
DisplayByRolePermission.NAMESPACE + "Public");
|
||||
}
|
||||
|
||||
private static Permission getPermissionFromRequest(HttpServletRequest req) {
|
||||
if (req == null) {
|
||||
throw new NullPointerException("request may not be null.");
|
||||
}
|
||||
|
||||
IdentifierBundle ids = RequestIdentifiers.getIdBundleForRequest(req);
|
||||
for (Permission p : HasPermission.getPermissions(ids)) {
|
||||
if (p instanceof DisplayByRolePermission) {
|
||||
return p;
|
||||
}
|
||||
}
|
||||
return getDefaultPermission(req.getSession().getServletContext());
|
||||
}
|
||||
|
||||
/** Get the DisplayByRolePermission from the request, or use Public. */
|
||||
public FilterByRoleLevelPermission(HttpServletRequest req) {
|
||||
this(getPermissionFromRequest(req));
|
||||
}
|
||||
|
||||
/** Use the Public permission. */
|
||||
public FilterByRoleLevelPermission(ServletContext ctx) {
|
||||
this(getDefaultPermission(ctx));
|
||||
}
|
||||
|
||||
/** Use the specified permission. */
|
||||
public FilterByRoleLevelPermission(Permission permission) {
|
||||
if (permission == null) {
|
||||
throw new NullPointerException("permission may not be null.");
|
||||
}
|
||||
|
||||
this.permission = permission;
|
||||
|
||||
setDataPropertyFilter(new DataPropertyFilterByPolicy());
|
||||
setObjectPropertyFilter(new ObjectPropertyFilterByPolicy());
|
||||
setDataPropertyStatementFilter(new DataPropertyStatementFilterByPolicy());
|
||||
setObjectPropertyStatementFilter(new ObjectPropertyStatementFilterByPolicy());
|
||||
}
|
||||
|
||||
boolean checkAuthorization(RequestedAction whatToAuth) {
|
||||
boolean decision = permission.isAuthorized(whatToAuth);
|
||||
log.debug("decision is " + decision);
|
||||
return decision;
|
||||
}
|
||||
|
||||
private class DataPropertyFilterByPolicy extends
|
||||
UnaryFunctor<DataProperty, Boolean> {
|
||||
@Override
|
||||
public Boolean fn(DataProperty dp) {
|
||||
return checkAuthorization(new DisplayDataProperty(dp));
|
||||
}
|
||||
}
|
||||
|
||||
private class ObjectPropertyFilterByPolicy extends
|
||||
UnaryFunctor<ObjectProperty, Boolean> {
|
||||
@Override
|
||||
public Boolean fn(ObjectProperty op) {
|
||||
return checkAuthorization(new DisplayObjectProperty(op));
|
||||
}
|
||||
}
|
||||
|
||||
private class DataPropertyStatementFilterByPolicy extends
|
||||
UnaryFunctor<DataPropertyStatement, Boolean> {
|
||||
@Override
|
||||
public Boolean fn(DataPropertyStatement dps) {
|
||||
return checkAuthorization(new DisplayDataPropertyStatement(dps));
|
||||
}
|
||||
}
|
||||
|
||||
private class ObjectPropertyStatementFilterByPolicy extends
|
||||
UnaryFunctor<ObjectPropertyStatement, Boolean> {
|
||||
@Override
|
||||
public Boolean fn(ObjectPropertyStatement ops) {
|
||||
return checkAuthorization(new DisplayObjectPropertyStatement(ops));
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
|
@ -5,7 +5,6 @@ package edu.cornell.mannlib.vitro.webapp.dao.filtering.filters;
|
|||
import java.text.Collator;
|
||||
import java.util.Collections;
|
||||
import java.util.Comparator;
|
||||
import java.util.Date;
|
||||
import java.util.List;
|
||||
|
||||
import javax.servlet.ServletContext;
|
||||
|
|
@ -14,8 +13,6 @@ import net.sf.jga.fn.UnaryFunctor;
|
|||
import net.sf.jga.fn.adaptor.ChainUnary;
|
||||
import net.sf.jga.fn.property.GetProperty;
|
||||
import net.sf.jga.fn.string.Match;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.ArrayIdentifierBundle;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.DisplayRestrictedDataByRoleLevelPolicy;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.Individual;
|
||||
/**
|
||||
* Static methods to help create commonly used filters.
|
||||
|
|
@ -26,9 +23,7 @@ public class VitroFilterUtils {
|
|||
* public view.
|
||||
*/
|
||||
public static VitroFilters getPublicFilter(ServletContext ctx) {
|
||||
return new HideFromDisplayByPolicyFilter(
|
||||
new ArrayIdentifierBundle(),
|
||||
new DisplayRestrictedDataByRoleLevelPolicy(ctx));
|
||||
return new FilterByRoleLevelPermission(ctx);
|
||||
}
|
||||
|
||||
/** Gets a VitroFilters that permits all objects */
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@
|
|||
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
|
||||
@prefix auth: <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#> .
|
||||
@prefix simplePermission: <java:edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission#> .
|
||||
@prefix displayByRole: <java:edu.cornell.mannlib.vitro.webapp.auth.permissions.DisplayByRolePermission#> .
|
||||
|
||||
auth:ADMIN
|
||||
a auth:PermissionSet ;
|
||||
|
|
@ -45,6 +46,9 @@ auth:ADMIN
|
|||
|
||||
# permissions for ANY user, even if they are not logged in.
|
||||
auth:hasPermission simplePermission:QueryFullModel ;
|
||||
|
||||
# role-based permissions for ADMIN
|
||||
auth:hasPermission displayByRole:Admin ;
|
||||
.
|
||||
|
||||
auth:CURATOR
|
||||
|
|
@ -76,6 +80,9 @@ auth:CURATOR
|
|||
|
||||
# permissions for ANY user, even if they are not logged in.
|
||||
auth:hasPermission simplePermission:QueryFullModel ;
|
||||
|
||||
# role-based permissions for CURATOR
|
||||
auth:hasPermission displayByRole:Curator ;
|
||||
.
|
||||
|
||||
auth:EDITOR
|
||||
|
|
@ -99,6 +106,9 @@ auth:EDITOR
|
|||
|
||||
# permissions for ANY user, even if they are not logged in.
|
||||
auth:hasPermission simplePermission:QueryFullModel ;
|
||||
|
||||
# role-based permissions for EDITOR
|
||||
auth:hasPermission displayByRole:Editor ;
|
||||
.
|
||||
|
||||
auth:SELF_EDITOR
|
||||
|
|
@ -116,6 +126,11 @@ auth:SELF_EDITOR
|
|||
|
||||
# permissions for ANY user, even if they are not logged in.
|
||||
auth:hasPermission simplePermission:QueryFullModel ;
|
||||
|
||||
# role-based permissions for SELF_EDITOR
|
||||
# For role-based display, SelfEditor is like Public.
|
||||
# SelfEditor uses its special permissions to edit/display its own values.
|
||||
auth:hasPermission displayByRole:Public ;
|
||||
.
|
||||
|
||||
auth:PUBLIC
|
||||
|
|
@ -125,4 +140,7 @@ auth:PUBLIC
|
|||
|
||||
# permissions for ANY user, even if they are not logged in.
|
||||
auth:hasPermission simplePermission:QueryFullModel ;
|
||||
|
||||
# role-based permissions for PUBLIC
|
||||
auth:hasPermission displayByRole:Public ;
|
||||
.
|
||||
|
|
|
|||
|
|
@ -46,7 +46,8 @@ edu.cornell.mannlib.vitro.webapp.auth.policy.RootUserPolicy$Setup
|
|||
|
||||
edu.cornell.mannlib.vitro.webapp.auth.policy.RestrictHomeMenuItemEditingPolicy$Setup
|
||||
|
||||
# The Solr index uses a "public" filter, so the PropertyRestrictionPolicyHelper must already be set up.
|
||||
# The Solr index uses a "public" permission, so the PropertyRestrictionPolicyHelper
|
||||
# and the PermissionRegistry must already be set up.
|
||||
edu.cornell.mannlib.vitro.webapp.search.solr.SolrSetup
|
||||
|
||||
edu.cornell.mannlib.vitro.webapp.controller.freemarker.FreemarkerSetup
|
||||
|
|
@ -54,6 +55,8 @@ edu.cornell.mannlib.vitro.webapp.controller.freemarker.FreemarkerSetup
|
|||
# On shutdown, this will kill the background thread started by Apache Commons File Upload
|
||||
org.apache.commons.fileupload.servlet.FileCleanerCleanup
|
||||
|
||||
# The VClassGroupCache index uses a "public" permission, so the PropertyRestrictionPolicyHelper
|
||||
# and the PermissionRegistry must already be set up.
|
||||
edu.cornell.mannlib.vitro.webapp.dao.jena.VClassGroupCache$Setup
|
||||
|
||||
# This should be near the end, because it will issue a warning if the connection to Solr times out.
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue