mirror of
https://github.com/sismics/docs.git
synced 2024-06-03 00:54:32 +02:00
#83: Permission check for tags
This commit is contained in:
jendib
parent
0f661e5a34
commit
ddf9e83a9b
|
|
@ -118,13 +118,18 @@ public class AclDao {
|
|||
* @return True if the document is accessible
|
||||
*/
|
||||
public boolean checkPermission(String sourceId, PermType perm, List<String> targetIdList) {
|
||||
// TODO Handle tags as source for ACL
|
||||
EntityManager em = ThreadLocalContext.get().getEntityManager();
|
||||
Query q = em.createQuery("select a from Acl a where a.sourceId = :sourceId and a.perm = :perm and a.targetId in (:targetIdList) and a.deleteDate is null");
|
||||
StringBuilder sb = new StringBuilder("select a.ACL_ID_C from T_ACL a ");
|
||||
sb.append(" where a.ACL_TARGETID_C in (:targetIdList) and a.ACL_SOURCEID_C = :sourceId and a.ACL_PERM_C = :perm and a.ACL_DELETEDATE_D is null ");
|
||||
sb.append(" union all ");
|
||||
sb.append(" select a.ACL_ID_C from T_ACL a, T_DOCUMENT_TAG dt ");
|
||||
sb.append(" where a.ACL_SOURCEID_C = dt.DOT_IDTAG_C and dt.DOT_IDDOCUMENT_C = :sourceId and dt.DOT_DELETEDATE_D is null ");
|
||||
sb.append(" and a.ACL_TARGETID_C in (:targetIdList) and a.ACL_PERM_C = :perm and a.ACL_DELETEDATE_D is null ");
|
||||
Query q = em.createNativeQuery(sb.toString());
|
||||
q.setParameter("sourceId", sourceId);
|
||||
q.setParameter("perm", perm);
|
||||
q.setParameter("perm", perm.name());
|
||||
q.setParameter("targetIdList", targetIdList);
|
||||
|
||||
|
||||
// We have a matching permission
|
||||
return q.getResultList().size() > 0;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -90,6 +90,11 @@ public class DocumentDao {
|
|||
* @return Document
|
||||
*/
|
||||
public DocumentDto getDocument(String id, PermType perm, List<String> targetIdList) {
|
||||
AclDao aclDao = new AclDao();
|
||||
if (!aclDao.checkPermission(id, perm, targetIdList)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
EntityManager em = ThreadLocalContext.get().getEntityManager();
|
||||
StringBuilder sb = new StringBuilder("select distinct d.DOC_ID_C, d.DOC_TITLE_C, d.DOC_DESCRIPTION_C, d.DOC_SUBJECT_C, d.DOC_IDENTIFIER_C, d.DOC_PUBLISHER_C, d.DOC_FORMAT_C, d.DOC_SOURCE_C, d.DOC_TYPE_C, d.DOC_COVERAGE_C, d.DOC_RIGHTS_C, d.DOC_CREATEDATE_D, d.DOC_LANGUAGE_C, ");
|
||||
sb.append(" (select count(s.SHA_ID_C) from T_SHARE s, T_ACL ac where ac.ACL_SOURCEID_C = d.DOC_ID_C and ac.ACL_TARGETID_C = s.SHA_ID_C and ac.ACL_DELETEDATE_D is null and s.SHA_DELETEDATE_D is null), ");
|
||||
|
|
@ -97,16 +102,11 @@ public class DocumentDao {
|
|||
sb.append(" u.USE_USERNAME_C ");
|
||||
sb.append(" from T_DOCUMENT d ");
|
||||
sb.append(" join T_USER u on d.DOC_IDUSER_C = u.USE_ID_C ");
|
||||
sb.append(" left join T_ACL a on a.ACL_TARGETID_C in (:targetIdList) and a.ACL_SOURCEID_C = d.DOC_ID_C and a.ACL_PERM_C = :perm and a.ACL_DELETEDATE_D is null ");
|
||||
sb.append(" left join T_DOCUMENT_TAG dta on dta.DOT_IDDOCUMENT_C = d.DOC_ID_C and dta.DOT_DELETEDATE_D is null ");
|
||||
sb.append(" left join T_ACL a2 on a2.ACL_TARGETID_C in (:targetIdList) and a2.ACL_SOURCEID_C = dta.DOT_IDTAG_C and a2.ACL_PERM_C = 'READ' and a2.ACL_DELETEDATE_D is null ");
|
||||
sb.append(" where d.DOC_ID_C = :id and (a.ACL_ID_C is not null or a2.ACL_ID_C is not null) and d.DOC_DELETEDATE_D is null ");
|
||||
sb.append(" where d.DOC_ID_C = :id and d.DOC_DELETEDATE_D is null ");
|
||||
|
||||
Query q = em.createNativeQuery(sb.toString());
|
||||
q.setParameter("id", id);
|
||||
q.setParameter("perm", perm.name());
|
||||
q.setParameter("targetIdList", targetIdList);
|
||||
|
||||
|
||||
Object[] o;
|
||||
try {
|
||||
o = (Object[]) q.getSingleResult();
|
||||
|
|
|
|||
|
|
@ -71,7 +71,6 @@ public class GroupDao {
|
|||
* @param group Group
|
||||
* @param userId User ID
|
||||
* @return New ID
|
||||
* @throws Exception
|
||||
*/
|
||||
public String create(Group group, String userId) {
|
||||
// Create the UUID
|
||||
|
|
@ -127,9 +126,8 @@ public class GroupDao {
|
|||
/**
|
||||
* Add an user to a group.
|
||||
*
|
||||
* @param group Group
|
||||
* @param userGroup User group
|
||||
* @return New ID
|
||||
* @throws Exception
|
||||
*/
|
||||
public String addMember(UserGroup userGroup) {
|
||||
// Create the UUID
|
||||
|
|
@ -170,8 +168,8 @@ public class GroupDao {
|
|||
* @return List of groups
|
||||
*/
|
||||
public List<GroupDto> findByCriteria(GroupCriteria criteria, SortCriteria sortCriteria) {
|
||||
Map<String, Object> parameterMap = new HashMap<String, Object>();
|
||||
List<String> criteriaList = new ArrayList<String>();
|
||||
Map<String, Object> parameterMap = new HashMap<>();
|
||||
List<String> criteriaList = new ArrayList<>();
|
||||
|
||||
StringBuilder sb = new StringBuilder("select g.GRP_ID_C as c0, g.GRP_NAME_C as c1, g.GRP_IDPARENT_C as c2, gp.GRP_NAME_C as c3, g.GRP_IDROLE_C ");
|
||||
if (criteria.getUserId() != null) {
|
||||
|
|
@ -187,8 +185,8 @@ public class GroupDao {
|
|||
}
|
||||
if (criteria.getUserId() != null) {
|
||||
// Left join and post-filtering for recursive groups
|
||||
sb.append((criteria.isRecursive() ? " left " : "")
|
||||
+ " join T_USER_GROUP ug on ug.UGP_IDGROUP_C = g.GRP_ID_C and ug.UGP_IDUSER_C = :userId and ug.UGP_DELETEDATE_D is null ");
|
||||
sb.append(criteria.isRecursive() ? " left " : "");
|
||||
sb.append(" join T_USER_GROUP ug on ug.UGP_IDGROUP_C = g.GRP_ID_C and ug.UGP_IDUSER_C = :userId and ug.UGP_DELETEDATE_D is null ");
|
||||
parameterMap.put("userId", criteria.getUserId());
|
||||
}
|
||||
|
||||
|
|
@ -216,7 +214,7 @@ public class GroupDao {
|
|||
.setParentName((String) o[i++])
|
||||
.setRoleId((String) o[i++]);
|
||||
groupDtoList.add(groupDto);
|
||||
if (criteria.getUserId() != null && o[i++] != null) {
|
||||
if (criteria.getUserId() != null && o[i] != null) {
|
||||
userGroupDtoList.add(groupDto);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -46,6 +46,7 @@ public class TagDao {
|
|||
*/
|
||||
@SuppressWarnings("unchecked")
|
||||
public List<Tag> getByUserId(String userId) {
|
||||
// TODO Use ACLs
|
||||
EntityManager em = ThreadLocalContext.get().getEntityManager();
|
||||
Query q = em.createQuery("select t from Tag t where t.userId = :userId and t.deleteDate is null order by t.name");
|
||||
q.setParameter("userId", userId);
|
||||
|
|
@ -96,12 +97,13 @@ public class TagDao {
|
|||
|
||||
/**
|
||||
* Returns tag list on a document.
|
||||
*
|
||||
*
|
||||
* @param documentId Document ID
|
||||
* @return List of tags
|
||||
*/
|
||||
@SuppressWarnings("unchecked")
|
||||
public List<TagDto> getByDocumentId(String documentId, String userId) {
|
||||
// TODO Use ACLs
|
||||
EntityManager em = ThreadLocalContext.get().getEntityManager();
|
||||
StringBuilder sb = new StringBuilder("select t.TAG_ID_C, t.TAG_NAME_C, t.TAG_COLOR_C, t.TAG_IDPARENT_C from T_DOCUMENT_TAG dt ");
|
||||
sb.append(" join T_TAG t on t.TAG_ID_C = dt.DOT_IDTAG_C ");
|
||||
|
|
@ -196,6 +198,7 @@ public class TagDao {
|
|||
* @return Tag
|
||||
*/
|
||||
public Tag getByName(String userId, String name) {
|
||||
// TODO Use ACLs
|
||||
EntityManager em = ThreadLocalContext.get().getEntityManager();
|
||||
Query q = em.createQuery("select t from Tag t where t.name = :name and t.userId = :userId and t.deleteDate is null");
|
||||
q.setParameter("userId", userId);
|
||||
|
|
@ -215,6 +218,7 @@ public class TagDao {
|
|||
* @return Tag
|
||||
*/
|
||||
public Tag getByTagId(String userId, String tagId) {
|
||||
// TODO Use ACLs
|
||||
EntityManager em = ThreadLocalContext.get().getEntityManager();
|
||||
Query q = em.createQuery("select t from Tag t where t.id = :tagId and t.userId = :userId and t.deleteDate is null");
|
||||
q.setParameter("userId", userId);
|
||||
|
|
@ -249,6 +253,11 @@ public class TagDao {
|
|||
q.setParameter("dateNow", dateNow);
|
||||
q.setParameter("tagId", tagId);
|
||||
q.executeUpdate();
|
||||
|
||||
q = em.createQuery("update Acl a set a.deleteDate = :dateNow where a.sourceId = :tagId and a.deleteDate is null");
|
||||
q.setParameter("tagId", tagId);
|
||||
q.setParameter("dateNow", dateNow);
|
||||
q.executeUpdate();
|
||||
|
||||
// Create audit log
|
||||
AuditLogUtil.create(tagDb, AuditLogType.DELETE, userId);
|
||||
|
|
@ -262,6 +271,7 @@ public class TagDao {
|
|||
*/
|
||||
@SuppressWarnings("unchecked")
|
||||
public List<Tag> findByName(String userId, String name) {
|
||||
// TODO Use ACLs
|
||||
EntityManager em = ThreadLocalContext.get().getEntityManager();
|
||||
Query q = em.createQuery("select t from Tag t where t.name like :name and t.userId = :userId and t.deleteDate is null");
|
||||
q.setParameter("userId", userId);
|
||||
|
|
|
|||
|
|
@ -188,23 +188,6 @@ public class UserDao {
|
|||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets an active user by its password recovery token.
|
||||
*
|
||||
* @param passwordResetKey Password recovery token
|
||||
* @return User
|
||||
*/
|
||||
public User getActiveByPasswordResetKey(String passwordResetKey) {
|
||||
EntityManager em = ThreadLocalContext.get().getEntityManager();
|
||||
try {
|
||||
Query q = em.createQuery("select u from User u where u.passwordResetKey = :passwordResetKey and u.deleteDate is null");
|
||||
q.setParameter("passwordResetKey", passwordResetKey);
|
||||
return (User) q.getSingleResult();
|
||||
} catch (NoResultException e) {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Deletes a user.
|
||||
*
|
||||
|
|
@ -258,7 +241,7 @@ public class UserDao {
|
|||
* @param password Clear password
|
||||
* @return Hashed password
|
||||
*/
|
||||
protected String hashPassword(String password) {
|
||||
private String hashPassword(String password) {
|
||||
return BCrypt.hashpw(password, BCrypt.gensalt());
|
||||
}
|
||||
|
||||
|
|
@ -270,8 +253,8 @@ public class UserDao {
|
|||
* @return List of users
|
||||
*/
|
||||
public List<UserDto> findByCriteria(UserCriteria criteria, SortCriteria sortCriteria) {
|
||||
Map<String, Object> parameterMap = new HashMap<String, Object>();
|
||||
List<String> criteriaList = new ArrayList<String>();
|
||||
Map<String, Object> parameterMap = new HashMap<>();
|
||||
List<String> criteriaList = new ArrayList<>();
|
||||
|
||||
StringBuilder sb = new StringBuilder("select u.USE_ID_C as c0, u.USE_USERNAME_C as c1, u.USE_EMAIL_C as c2, u.USE_CREATEDATE_D as c3, u.USE_STORAGECURRENT_N as c4, u.USE_STORAGEQUOTA_N as c5");
|
||||
sb.append(" from T_USER u ");
|
||||
|
|
@ -300,7 +283,7 @@ public class UserDao {
|
|||
List<Object[]> l = QueryUtil.getNativeQuery(queryParam).getResultList();
|
||||
|
||||
// Assemble results
|
||||
List<UserDto> userDtoList = new ArrayList<UserDto>();
|
||||
List<UserDto> userDtoList = new ArrayList<>();
|
||||
for (Object[] o : l) {
|
||||
int i = 0;
|
||||
UserDto userDto = new UserDto();
|
||||
|
|
@ -309,7 +292,7 @@ public class UserDao {
|
|||
userDto.setEmail((String) o[i++]);
|
||||
userDto.setCreateTimestamp(((Timestamp) o[i++]).getTime());
|
||||
userDto.setStorageCurrent(((Number) o[i++]).longValue());
|
||||
userDto.setStorageQuota(((Number) o[i++]).longValue());
|
||||
userDto.setStorageQuota(((Number) o[i]).longValue());
|
||||
userDtoList.add(userDto);
|
||||
}
|
||||
return userDtoList;
|
||||
|
|
|
|||
|
|
@ -106,7 +106,7 @@ public class TestGroupResource extends BaseJerseyTest {
|
|||
Assert.assertEquals(1, users.size());
|
||||
|
||||
// Add group1 to g112 (again)
|
||||
json = target().path("/group/g112").request()
|
||||
target().path("/group/g112").request()
|
||||
.cookie(TokenBasedSecurityFilter.COOKIE_NAME, adminToken)
|
||||
.put(Entity.form(new Form()
|
||||
.param("username", "group1")), JsonObject.class);
|
||||
|
|
@ -145,7 +145,7 @@ public class TestGroupResource extends BaseJerseyTest {
|
|||
Assert.assertEquals("group1", members.getString(0));
|
||||
|
||||
// Remove group1 from g12new
|
||||
json = target().path("/group/g12new/group1").request()
|
||||
target().path("/group/g12new/group1").request()
|
||||
.cookie(TokenBasedSecurityFilter.COOKIE_NAME, adminToken)
|
||||
.delete(JsonObject.class);
|
||||
|
||||
|
|
@ -164,7 +164,7 @@ public class TestGroupResource extends BaseJerseyTest {
|
|||
Assert.assertTrue(groupList.contains("g112"));
|
||||
|
||||
// Delete group g1
|
||||
json = target().path("/group/g1").request()
|
||||
target().path("/group/g1").request()
|
||||
.cookie(TokenBasedSecurityFilter.COOKIE_NAME, adminToken)
|
||||
.delete(JsonObject.class);
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user