Cleanup ACL checks
This commit is contained in:
parent
1ed7422171
commit
642b9a63d3
@ -1,8 +1,8 @@
|
|||||||
package com.sismics.docs.rest.resource;
|
package com.sismics.docs.rest.resource;
|
||||||
|
|
||||||
import com.sismics.docs.core.constant.PermType;
|
import com.sismics.docs.core.constant.PermType;
|
||||||
|
import com.sismics.docs.core.dao.jpa.AclDao;
|
||||||
import com.sismics.docs.core.dao.jpa.CommentDao;
|
import com.sismics.docs.core.dao.jpa.CommentDao;
|
||||||
import com.sismics.docs.core.dao.jpa.DocumentDao;
|
|
||||||
import com.sismics.docs.core.dao.jpa.dto.CommentDto;
|
import com.sismics.docs.core.dao.jpa.dto.CommentDto;
|
||||||
import com.sismics.docs.core.model.jpa.Comment;
|
import com.sismics.docs.core.model.jpa.Comment;
|
||||||
import com.sismics.rest.exception.ForbiddenClientException;
|
import com.sismics.rest.exception.ForbiddenClientException;
|
||||||
@ -42,8 +42,8 @@ public class CommentResource extends BaseResource {
|
|||||||
content = ValidationUtil.validateLength(content, "content", 1, 4000, false);
|
content = ValidationUtil.validateLength(content, "content", 1, 4000, false);
|
||||||
|
|
||||||
// Read access on doc gives access to write comments
|
// Read access on doc gives access to write comments
|
||||||
DocumentDao documentDao = new DocumentDao();
|
AclDao aclDao = new AclDao();
|
||||||
if (documentDao.getDocument(documentId, PermType.READ, getTargetIdList(null)) == null) {
|
if (!aclDao.checkPermission(documentId, PermType.READ, getTargetIdList(null))) {
|
||||||
throw new NotFoundException();
|
throw new NotFoundException();
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -88,8 +88,8 @@ public class CommentResource extends BaseResource {
|
|||||||
// If the current user owns the comment, skip ACL check
|
// If the current user owns the comment, skip ACL check
|
||||||
if (!comment.getUserId().equals(principal.getId())) {
|
if (!comment.getUserId().equals(principal.getId())) {
|
||||||
// Get the associated document
|
// Get the associated document
|
||||||
DocumentDao documentDao = new DocumentDao();
|
AclDao aclDao = new AclDao();
|
||||||
if (documentDao.getDocument(comment.getDocumentId(), PermType.WRITE, getTargetIdList(null)) == null) {
|
if (!aclDao.checkPermission(comment.getDocumentId(), PermType.WRITE, getTargetIdList(null))) {
|
||||||
throw new NotFoundException();
|
throw new NotFoundException();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -116,8 +116,8 @@ public class CommentResource extends BaseResource {
|
|||||||
authenticate();
|
authenticate();
|
||||||
|
|
||||||
// Read access on doc gives access to read comments
|
// Read access on doc gives access to read comments
|
||||||
DocumentDao documentDao = new DocumentDao();
|
AclDao aclDao = new AclDao();
|
||||||
if (documentDao.getDocument(documentId, PermType.READ, getTargetIdList(shareId)) == null) {
|
if (!aclDao.checkPermission(documentId, PermType.READ, getTargetIdList(shareId))) {
|
||||||
throw new NotFoundException();
|
throw new NotFoundException();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
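Review bot: The three rewritten guards in CommentResource now decide on `aclDao.checkPermission(...)` alone, whereas the replaced `documentDao.getDocument(...) == null` test also proved that the document exists and is visible; whether the new check still implies existence depends on the AclDao query, which is outside this commit. If it only consults ACL rows, a stale ACL left on a deleted document would let a comment be created (hunk at -42) or read (hunk at -116) against it instead of raising the `NotFoundException` the old code produced. Worth a one-line note on each guard, e.g. `// Relies on checkPermission rejecting deleted/unknown documents`, or an explicit existence check ahead of it if AclDao does not guarantee that. The same substitution appears in the DocumentResource, FileResource and ShareResource sections below; the enclosing methods begin outside the hunks.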
@ -668,14 +668,14 @@ public class DocumentResource extends BaseResource {
|
|||||||
// Get the document
|
// Get the document
|
||||||
DocumentDao documentDao = new DocumentDao();
|
DocumentDao documentDao = new DocumentDao();
|
||||||
FileDao fileDao = new FileDao();
|
FileDao fileDao = new FileDao();
|
||||||
DocumentDto documentDto = documentDao.getDocument(id, PermType.WRITE, getTargetIdList(null));
|
AclDao aclDao = new AclDao();
|
||||||
if (documentDto == null) {
|
if (!aclDao.checkPermission(id, PermType.WRITE, getTargetIdList(null))) {
|
||||||
throw new NotFoundException();
|
throw new NotFoundException();
|
||||||
}
|
}
|
||||||
List<File> fileList = fileDao.getByDocumentId(principal.getId(), id);
|
List<File> fileList = fileDao.getByDocumentId(principal.getId(), id);
|
||||||
|
|
||||||
// Delete the document
|
// Delete the document
|
||||||
documentDao.delete(documentDto.getId(), principal.getId());
|
documentDao.delete(id, principal.getId());
|
||||||
|
|
||||||
// Raise file deleted events (don't bother sending document updated event)
|
// Raise file deleted events (don't bother sending document updated event)
|
||||||
for (File file : fileList) {
|
for (File file : fileList) {
|
||||||
@ -688,7 +688,7 @@ public class DocumentResource extends BaseResource {
|
|||||||
// Raise a document deleted event
|
// Raise a document deleted event
|
||||||
DocumentDeletedAsyncEvent documentDeletedAsyncEvent = new DocumentDeletedAsyncEvent();
|
DocumentDeletedAsyncEvent documentDeletedAsyncEvent = new DocumentDeletedAsyncEvent();
|
||||||
documentDeletedAsyncEvent.setUserId(principal.getId());
|
documentDeletedAsyncEvent.setUserId(principal.getId());
|
||||||
documentDeletedAsyncEvent.setDocumentId(documentDto.getId());
|
documentDeletedAsyncEvent.setDocumentId(id);
|
||||||
AppContext.getInstance().getAsyncEventBus().post(documentDeletedAsyncEvent);
|
AppContext.getInstance().getAsyncEventBus().post(documentDeletedAsyncEvent);
|
||||||
|
|
||||||
// Always return OK
|
// Always return OK
|
||||||
|
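Review bot: `documentDao.delete(id, principal.getId())`, `fileDao.getByDocumentId(principal.getId(), id)` and the `DocumentDeletedAsyncEvent` now take the request-supplied `id` rather than `documentDto.getId()` from a fetched row, so the delete path no longer confirms the document is live before acting; it depends entirely on `checkPermission` returning false for unknown or already-deleted ids. If AclDao does not filter those out, the delete and the event fire for an id the caller never proved exists, which the previous `documentDto == null` guard prevented. Consider looking the document up by id after the ACL check and throwing `NotFoundException` when it is absent, or at least documenting the assumption next to the guard. The enclosing method's signature and return are outside the hunks.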
@ -265,8 +265,8 @@ public class FileResource extends BaseResource {
|
|||||||
ValidationUtil.validateRequired(idList, "order");
|
ValidationUtil.validateRequired(idList, "order");
|
||||||
|
|
||||||
// Get the document
|
// Get the document
|
||||||
DocumentDao documentDao = new DocumentDao();
|
AclDao aclDao = new AclDao();
|
||||||
if (documentDao.getDocument(documentId, PermType.WRITE, getTargetIdList(null)) == null) {
|
if (!aclDao.checkPermission(documentId, PermType.WRITE, getTargetIdList(null))) {
|
||||||
throw new NotFoundException();
|
throw new NotFoundException();
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -347,20 +347,19 @@ public class FileResource extends BaseResource {
|
|||||||
|
|
||||||
// Get the file
|
// Get the file
|
||||||
FileDao fileDao = new FileDao();
|
FileDao fileDao = new FileDao();
|
||||||
DocumentDao documentDao = new DocumentDao();
|
AclDao aclDao = new AclDao();
|
||||||
File file = fileDao.getFile(id);
|
File file = fileDao.getFile(id);
|
||||||
if (file == null) {
|
if (file == null) {
|
||||||
throw new NotFoundException();
|
throw new NotFoundException();
|
||||||
}
|
}
|
||||||
|
|
||||||
DocumentDto documentDto = null;
|
|
||||||
if (file.getDocumentId() == null) {
|
if (file.getDocumentId() == null) {
|
||||||
// It's an orphan file
|
// It's an orphan file
|
||||||
if (!file.getUserId().equals(principal.getId())) {
|
if (!file.getUserId().equals(principal.getId())) {
|
||||||
// But not ours
|
// But not ours
|
||||||
throw new ForbiddenClientException();
|
throw new ForbiddenClientException();
|
||||||
}
|
}
|
||||||
} else if ((documentDto = documentDao.getDocument(file.getDocumentId(), PermType.WRITE, getTargetIdList(null))) == null) {
|
} else if (!aclDao.checkPermission(file.getDocumentId(), PermType.WRITE, getTargetIdList(null))) {
|
||||||
throw new NotFoundException();
|
throw new NotFoundException();
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -384,11 +383,11 @@ public class FileResource extends BaseResource {
|
|||||||
fileDeletedAsyncEvent.setFile(file);
|
fileDeletedAsyncEvent.setFile(file);
|
||||||
AppContext.getInstance().getAsyncEventBus().post(fileDeletedAsyncEvent);
|
AppContext.getInstance().getAsyncEventBus().post(fileDeletedAsyncEvent);
|
||||||
|
|
||||||
if (documentDto != null) {
|
if (file.getDocumentId() != null) {
|
||||||
// Raise a new document updated
|
// Raise a new document updated
|
||||||
DocumentUpdatedAsyncEvent documentUpdatedAsyncEvent = new DocumentUpdatedAsyncEvent();
|
DocumentUpdatedAsyncEvent documentUpdatedAsyncEvent = new DocumentUpdatedAsyncEvent();
|
||||||
documentUpdatedAsyncEvent.setUserId(principal.getId());
|
documentUpdatedAsyncEvent.setUserId(principal.getId());
|
||||||
documentUpdatedAsyncEvent.setDocumentId(documentDto.getId());
|
documentUpdatedAsyncEvent.setDocumentId(file.getDocumentId());
|
||||||
AppContext.getInstance().getAsyncEventBus().post(documentUpdatedAsyncEvent);
|
AppContext.getInstance().getAsyncEventBus().post(documentUpdatedAsyncEvent);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
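Review bot: In the file-delete hunk at -347 the two rejection branches still disclose different things: an orphan file owned by another user throws `ForbiddenClientException`, confirming the file exists, while a file attached to a document without WRITE permission throws `NotFoundException`; the commit rewrote the second condition but kept the asymmetry. If the intent of the `NotFoundException` branches elsewhere in this commit is to hide existence from unauthorised callers, the orphan branch should throw `NotFoundException` as well. As in the other sections, the new `aclDao.checkPermission(file.getDocumentId(), ...)` no longer verifies that the referenced document itself exists, so a comment stating that AclDao is relied on for that would help the next reader. The enclosing methods start outside the hunks.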
@ -4,7 +4,6 @@ package com.sismics.docs.rest.resource;
|
|||||||
import com.sismics.docs.core.constant.AclTargetType;
|
import com.sismics.docs.core.constant.AclTargetType;
|
||||||
import com.sismics.docs.core.constant.PermType;
|
import com.sismics.docs.core.constant.PermType;
|
||||||
import com.sismics.docs.core.dao.jpa.AclDao;
|
import com.sismics.docs.core.dao.jpa.AclDao;
|
||||||
import com.sismics.docs.core.dao.jpa.DocumentDao;
|
|
||||||
import com.sismics.docs.core.dao.jpa.ShareDao;
|
import com.sismics.docs.core.dao.jpa.ShareDao;
|
||||||
import com.sismics.docs.core.model.jpa.Acl;
|
import com.sismics.docs.core.model.jpa.Acl;
|
||||||
import com.sismics.docs.core.model.jpa.Share;
|
import com.sismics.docs.core.model.jpa.Share;
|
||||||
@ -46,9 +45,9 @@ public class ShareResource extends BaseResource {
|
|||||||
ValidationUtil.validateRequired(documentId, "id");
|
ValidationUtil.validateRequired(documentId, "id");
|
||||||
name = ValidationUtil.validateLength(name, "name", 1, 36, true);
|
name = ValidationUtil.validateLength(name, "name", 1, 36, true);
|
||||||
|
|
||||||
// Get the document
|
// Check write permission on the document
|
||||||
DocumentDao documentDao = new DocumentDao();
|
AclDao aclDao = new AclDao();
|
||||||
if (documentDao.getDocument(documentId, PermType.WRITE, getTargetIdList(null)) == null) {
|
if (!aclDao.checkPermission(documentId, PermType.WRITE, getTargetIdList(null))) {
|
||||||
throw new NotFoundException();
|
throw new NotFoundException();
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -59,7 +58,6 @@ public class ShareResource extends BaseResource {
|
|||||||
shareDao.create(share);
|
shareDao.create(share);
|
||||||
|
|
||||||
// Create the ACL
|
// Create the ACL
|
||||||
AclDao aclDao = new AclDao();
|
|
||||||
Acl acl = new Acl();
|
Acl acl = new Acl();
|
||||||
acl.setSourceId(documentId);
|
acl.setSourceId(documentId);
|
||||||
acl.setPerm(PermType.READ);
|
acl.setPerm(PermType.READ);
|
||||||
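Review bot: With the document lookup removed, `shareDao.create(share)` and the new `Acl` row with `acl.setSourceId(documentId)` are written after only `aclDao.checkPermission(documentId, PermType.WRITE, ...)`; if that check does not itself reject deleted or nonexistent document ids, a share and a READ ACL can be created for a document that no longer exists, leaving a dangling share. The updated comment `// Check write permission on the document` describes the guard accurately but no longer says anything about existence; suggest extending it to `// Check write permission on the document; AclDao is expected to reject deleted documents` if that holds, or adding an explicit existence check before creating the share otherwise. The enclosing method begins before the -46 hunk and continues after the -59 hunk.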