Cleanup ACL checks

This commit is contained in:
jendib 2016-05-08 12:14:06 +02:00
parent 1ed7422171
commit 642b9a63d3
No known key found for this signature in database
GPG Key ID: 06EE7F699579166F
4 changed files with 20 additions and 23 deletions

View File

@ -1,8 +1,8 @@
package com.sismics.docs.rest.resource; package com.sismics.docs.rest.resource;
import com.sismics.docs.core.constant.PermType; import com.sismics.docs.core.constant.PermType;
import com.sismics.docs.core.dao.jpa.AclDao;
import com.sismics.docs.core.dao.jpa.CommentDao; import com.sismics.docs.core.dao.jpa.CommentDao;
import com.sismics.docs.core.dao.jpa.DocumentDao;
import com.sismics.docs.core.dao.jpa.dto.CommentDto; import com.sismics.docs.core.dao.jpa.dto.CommentDto;
import com.sismics.docs.core.model.jpa.Comment; import com.sismics.docs.core.model.jpa.Comment;
import com.sismics.rest.exception.ForbiddenClientException; import com.sismics.rest.exception.ForbiddenClientException;
@ -42,8 +42,8 @@ public class CommentResource extends BaseResource {
content = ValidationUtil.validateLength(content, "content", 1, 4000, false); content = ValidationUtil.validateLength(content, "content", 1, 4000, false);
// Read access on doc gives access to write comments // Read access on doc gives access to write comments
DocumentDao documentDao = new DocumentDao(); AclDao aclDao = new AclDao();
if (documentDao.getDocument(documentId, PermType.READ, getTargetIdList(null)) == null) { if (!aclDao.checkPermission(documentId, PermType.READ, getTargetIdList(null))) {
throw new NotFoundException(); throw new NotFoundException();
} }
@ -88,8 +88,8 @@ public class CommentResource extends BaseResource {
// If the current user owns the comment, skip ACL check // If the current user owns the comment, skip ACL check
if (!comment.getUserId().equals(principal.getId())) { if (!comment.getUserId().equals(principal.getId())) {
// Get the associated document // Get the associated document
DocumentDao documentDao = new DocumentDao(); AclDao aclDao = new AclDao();
if (documentDao.getDocument(comment.getDocumentId(), PermType.WRITE, getTargetIdList(null)) == null) { if (!aclDao.checkPermission(comment.getDocumentId(), PermType.WRITE, getTargetIdList(null))) {
throw new NotFoundException(); throw new NotFoundException();
} }
} }
@ -116,8 +116,8 @@ public class CommentResource extends BaseResource {
authenticate(); authenticate();
// Read access on doc gives access to read comments // Read access on doc gives access to read comments
DocumentDao documentDao = new DocumentDao(); AclDao aclDao = new AclDao();
if (documentDao.getDocument(documentId, PermType.READ, getTargetIdList(shareId)) == null) { if (!aclDao.checkPermission(documentId, PermType.READ, getTargetIdList(shareId))) {
throw new NotFoundException(); throw new NotFoundException();
} }

View File

@ -668,14 +668,14 @@ public class DocumentResource extends BaseResource {
// Get the document // Get the document
DocumentDao documentDao = new DocumentDao(); DocumentDao documentDao = new DocumentDao();
FileDao fileDao = new FileDao(); FileDao fileDao = new FileDao();
DocumentDto documentDto = documentDao.getDocument(id, PermType.WRITE, getTargetIdList(null)); AclDao aclDao = new AclDao();
if (documentDto == null) { if (!aclDao.checkPermission(id, PermType.WRITE, getTargetIdList(null))) {
throw new NotFoundException(); throw new NotFoundException();
} }
List<File> fileList = fileDao.getByDocumentId(principal.getId(), id); List<File> fileList = fileDao.getByDocumentId(principal.getId(), id);
// Delete the document // Delete the document
documentDao.delete(documentDto.getId(), principal.getId()); documentDao.delete(id, principal.getId());
// Raise file deleted events (don't bother sending document updated event) // Raise file deleted events (don't bother sending document updated event)
for (File file : fileList) { for (File file : fileList) {
@ -688,7 +688,7 @@ public class DocumentResource extends BaseResource {
// Raise a document deleted event // Raise a document deleted event
DocumentDeletedAsyncEvent documentDeletedAsyncEvent = new DocumentDeletedAsyncEvent(); DocumentDeletedAsyncEvent documentDeletedAsyncEvent = new DocumentDeletedAsyncEvent();
documentDeletedAsyncEvent.setUserId(principal.getId()); documentDeletedAsyncEvent.setUserId(principal.getId());
documentDeletedAsyncEvent.setDocumentId(documentDto.getId()); documentDeletedAsyncEvent.setDocumentId(id);
AppContext.getInstance().getAsyncEventBus().post(documentDeletedAsyncEvent); AppContext.getInstance().getAsyncEventBus().post(documentDeletedAsyncEvent);
// Always return OK // Always return OK

View File

@ -265,8 +265,8 @@ public class FileResource extends BaseResource {
ValidationUtil.validateRequired(idList, "order"); ValidationUtil.validateRequired(idList, "order");
// Get the document // Get the document
DocumentDao documentDao = new DocumentDao(); AclDao aclDao = new AclDao();
if (documentDao.getDocument(documentId, PermType.WRITE, getTargetIdList(null)) == null) { if (!aclDao.checkPermission(documentId, PermType.WRITE, getTargetIdList(null))) {
throw new NotFoundException(); throw new NotFoundException();
} }
@ -347,20 +347,19 @@ public class FileResource extends BaseResource {
// Get the file // Get the file
FileDao fileDao = new FileDao(); FileDao fileDao = new FileDao();
DocumentDao documentDao = new DocumentDao(); AclDao aclDao = new AclDao();
File file = fileDao.getFile(id); File file = fileDao.getFile(id);
if (file == null) { if (file == null) {
throw new NotFoundException(); throw new NotFoundException();
} }
DocumentDto documentDto = null;
if (file.getDocumentId() == null) { if (file.getDocumentId() == null) {
// It's an orphan file // It's an orphan file
if (!file.getUserId().equals(principal.getId())) { if (!file.getUserId().equals(principal.getId())) {
// But not ours // But not ours
throw new ForbiddenClientException(); throw new ForbiddenClientException();
} }
} else if ((documentDto = documentDao.getDocument(file.getDocumentId(), PermType.WRITE, getTargetIdList(null))) == null) { } else if (!aclDao.checkPermission(file.getDocumentId(), PermType.WRITE, getTargetIdList(null))) {
throw new NotFoundException(); throw new NotFoundException();
} }
@ -384,11 +383,11 @@ public class FileResource extends BaseResource {
fileDeletedAsyncEvent.setFile(file); fileDeletedAsyncEvent.setFile(file);
AppContext.getInstance().getAsyncEventBus().post(fileDeletedAsyncEvent); AppContext.getInstance().getAsyncEventBus().post(fileDeletedAsyncEvent);
if (documentDto != null) { if (file.getDocumentId() != null) {
// Raise a new document updated // Raise a new document updated
DocumentUpdatedAsyncEvent documentUpdatedAsyncEvent = new DocumentUpdatedAsyncEvent(); DocumentUpdatedAsyncEvent documentUpdatedAsyncEvent = new DocumentUpdatedAsyncEvent();
documentUpdatedAsyncEvent.setUserId(principal.getId()); documentUpdatedAsyncEvent.setUserId(principal.getId());
documentUpdatedAsyncEvent.setDocumentId(documentDto.getId()); documentUpdatedAsyncEvent.setDocumentId(file.getDocumentId());
AppContext.getInstance().getAsyncEventBus().post(documentUpdatedAsyncEvent); AppContext.getInstance().getAsyncEventBus().post(documentUpdatedAsyncEvent);
} }

View File

@ -4,7 +4,6 @@ package com.sismics.docs.rest.resource;
import com.sismics.docs.core.constant.AclTargetType; import com.sismics.docs.core.constant.AclTargetType;
import com.sismics.docs.core.constant.PermType; import com.sismics.docs.core.constant.PermType;
import com.sismics.docs.core.dao.jpa.AclDao; import com.sismics.docs.core.dao.jpa.AclDao;
import com.sismics.docs.core.dao.jpa.DocumentDao;
import com.sismics.docs.core.dao.jpa.ShareDao; import com.sismics.docs.core.dao.jpa.ShareDao;
import com.sismics.docs.core.model.jpa.Acl; import com.sismics.docs.core.model.jpa.Acl;
import com.sismics.docs.core.model.jpa.Share; import com.sismics.docs.core.model.jpa.Share;
@ -46,9 +45,9 @@ public class ShareResource extends BaseResource {
ValidationUtil.validateRequired(documentId, "id"); ValidationUtil.validateRequired(documentId, "id");
name = ValidationUtil.validateLength(name, "name", 1, 36, true); name = ValidationUtil.validateLength(name, "name", 1, 36, true);
// Get the document // Check write permission on the document
DocumentDao documentDao = new DocumentDao(); AclDao aclDao = new AclDao();
if (documentDao.getDocument(documentId, PermType.WRITE, getTargetIdList(null)) == null) { if (!aclDao.checkPermission(documentId, PermType.WRITE, getTargetIdList(null))) {
throw new NotFoundException(); throw new NotFoundException();
} }
@ -59,7 +58,6 @@ public class ShareResource extends BaseResource {
shareDao.create(share); shareDao.create(share);
// Create the ACL // Create the ACL
AclDao aclDao = new AclDao();
Acl acl = new Acl(); Acl acl = new Acl();
acl.setSourceId(documentId); acl.setSourceId(documentId);
acl.setPerm(PermType.READ); acl.setPerm(PermType.READ);