From ddf9e83a9b9873ccf45950dc5ae13cf00160287e Mon Sep 17 00:00:00 2001 From: jendib Date: Sun, 1 May 2016 22:03:39 +0200 Subject: [PATCH] #83: Permission check for tags --- .../com/sismics/docs/core/dao/jpa/AclDao.java | 13 ++++++--- .../docs/core/dao/jpa/DocumentDao.java | 14 +++++----- .../sismics/docs/core/dao/jpa/GroupDao.java | 14 +++++----- .../com/sismics/docs/core/dao/jpa/TagDao.java | 12 ++++++++- .../sismics/docs/core/dao/jpa/UserDao.java | 27 ++++--------------- .../sismics/docs/rest/TestGroupResource.java | 6 ++--- 6 files changed, 41 insertions(+), 45 deletions(-) diff --git a/docs-core/src/main/java/com/sismics/docs/core/dao/jpa/AclDao.java b/docs-core/src/main/java/com/sismics/docs/core/dao/jpa/AclDao.java index 1338770c..7ecbf61c 100644 --- a/docs-core/src/main/java/com/sismics/docs/core/dao/jpa/AclDao.java +++ b/docs-core/src/main/java/com/sismics/docs/core/dao/jpa/AclDao.java @@ -118,13 +118,18 @@ public class AclDao { * @return True if the document is accessible */ public boolean checkPermission(String sourceId, PermType perm, List targetIdList) { - // TODO Handle tags as source for ACL EntityManager em = ThreadLocalContext.get().getEntityManager(); - Query q = em.createQuery("select a from Acl a where a.sourceId = :sourceId and a.perm = :perm and a.targetId in (:targetIdList) and a.deleteDate is null"); + StringBuilder sb = new StringBuilder("select a.ACL_ID_C from T_ACL a "); + sb.append(" where a.ACL_TARGETID_C in (:targetIdList) and a.ACL_SOURCEID_C = :sourceId and a.ACL_PERM_C = :perm and a.ACL_DELETEDATE_D is null "); + sb.append(" union all "); + sb.append(" select a.ACL_ID_C from T_ACL a, T_DOCUMENT_TAG dt "); + sb.append(" where a.ACL_SOURCEID_C = dt.DOT_IDTAG_C and dt.DOT_IDDOCUMENT_C = :sourceId and dt.DOT_DELETEDATE_D is null "); + sb.append(" and a.ACL_TARGETID_C in (:targetIdList) and a.ACL_PERM_C = :perm and a.ACL_DELETEDATE_D is null "); + Query q = em.createNativeQuery(sb.toString()); q.setParameter("sourceId", sourceId); - q.setParameter("perm", perm); + q.setParameter("perm", perm.name()); q.setParameter("targetIdList", targetIdList); - + // We have a matching permission return q.getResultList().size() > 0; } diff --git a/docs-core/src/main/java/com/sismics/docs/core/dao/jpa/DocumentDao.java b/docs-core/src/main/java/com/sismics/docs/core/dao/jpa/DocumentDao.java index 3b908076..7a28b2ab 100644 --- a/docs-core/src/main/java/com/sismics/docs/core/dao/jpa/DocumentDao.java +++ b/docs-core/src/main/java/com/sismics/docs/core/dao/jpa/DocumentDao.java @@ -90,6 +90,11 @@ public class DocumentDao { * @return Document */ public DocumentDto getDocument(String id, PermType perm, List targetIdList) { + AclDao aclDao = new AclDao(); + if (!aclDao.checkPermission(id, perm, targetIdList)) { + return null; + } + EntityManager em = ThreadLocalContext.get().getEntityManager(); StringBuilder sb = new StringBuilder("select distinct d.DOC_ID_C, d.DOC_TITLE_C, d.DOC_DESCRIPTION_C, d.DOC_SUBJECT_C, d.DOC_IDENTIFIER_C, d.DOC_PUBLISHER_C, d.DOC_FORMAT_C, d.DOC_SOURCE_C, d.DOC_TYPE_C, d.DOC_COVERAGE_C, d.DOC_RIGHTS_C, d.DOC_CREATEDATE_D, d.DOC_LANGUAGE_C, "); sb.append(" (select count(s.SHA_ID_C) from T_SHARE s, T_ACL ac where ac.ACL_SOURCEID_C = d.DOC_ID_C and ac.ACL_TARGETID_C = s.SHA_ID_C and ac.ACL_DELETEDATE_D is null and s.SHA_DELETEDATE_D is null), "); @@ -97,16 +102,11 @@ public class DocumentDao { sb.append(" u.USE_USERNAME_C "); sb.append(" from T_DOCUMENT d "); sb.append(" join T_USER u on d.DOC_IDUSER_C = u.USE_ID_C "); - sb.append(" left join T_ACL a on a.ACL_TARGETID_C in (:targetIdList) and a.ACL_SOURCEID_C = d.DOC_ID_C and a.ACL_PERM_C = :perm and a.ACL_DELETEDATE_D is null "); - sb.append(" left join T_DOCUMENT_TAG dta on dta.DOT_IDDOCUMENT_C = d.DOC_ID_C and dta.DOT_DELETEDATE_D is null "); - sb.append(" left join T_ACL a2 on a2.ACL_TARGETID_C in (:targetIdList) and a2.ACL_SOURCEID_C = dta.DOT_IDTAG_C and a2.ACL_PERM_C = 'READ' and a2.ACL_DELETEDATE_D is null "); - sb.append(" where d.DOC_ID_C = :id and (a.ACL_ID_C is not null or a2.ACL_ID_C is not null) and d.DOC_DELETEDATE_D is null "); + sb.append(" where d.DOC_ID_C = :id and d.DOC_DELETEDATE_D is null "); Query q = em.createNativeQuery(sb.toString()); q.setParameter("id", id); - q.setParameter("perm", perm.name()); - q.setParameter("targetIdList", targetIdList); - + Object[] o; try { o = (Object[]) q.getSingleResult(); diff --git a/docs-core/src/main/java/com/sismics/docs/core/dao/jpa/GroupDao.java b/docs-core/src/main/java/com/sismics/docs/core/dao/jpa/GroupDao.java index a4f6735b..b15e8934 100644 --- a/docs-core/src/main/java/com/sismics/docs/core/dao/jpa/GroupDao.java +++ b/docs-core/src/main/java/com/sismics/docs/core/dao/jpa/GroupDao.java @@ -71,7 +71,6 @@ public class GroupDao { * @param group Group * @param userId User ID * @return New ID - * @throws Exception */ public String create(Group group, String userId) { // Create the UUID @@ -127,9 +126,8 @@ public class GroupDao { /** * Add an user to a group. * - * @param group Group + * @param userGroup User group * @return New ID - * @throws Exception */ public String addMember(UserGroup userGroup) { // Create the UUID @@ -170,8 +168,8 @@ public class GroupDao { * @return List of groups */ public List findByCriteria(GroupCriteria criteria, SortCriteria sortCriteria) { - Map parameterMap = new HashMap(); - List criteriaList = new ArrayList(); + Map parameterMap = new HashMap<>(); + List criteriaList = new ArrayList<>(); StringBuilder sb = new StringBuilder("select g.GRP_ID_C as c0, g.GRP_NAME_C as c1, g.GRP_IDPARENT_C as c2, gp.GRP_NAME_C as c3, g.GRP_IDROLE_C "); if (criteria.getUserId() != null) { @@ -187,8 +185,8 @@ public class GroupDao { } if (criteria.getUserId() != null) { // Left join and post-filtering for recursive groups - sb.append((criteria.isRecursive() ? " left " : "") - + " join T_USER_GROUP ug on ug.UGP_IDGROUP_C = g.GRP_ID_C and ug.UGP_IDUSER_C = :userId and ug.UGP_DELETEDATE_D is null "); + sb.append(criteria.isRecursive() ? " left " : ""); + sb.append(" join T_USER_GROUP ug on ug.UGP_IDGROUP_C = g.GRP_ID_C and ug.UGP_IDUSER_C = :userId and ug.UGP_DELETEDATE_D is null "); parameterMap.put("userId", criteria.getUserId()); } @@ -216,7 +214,7 @@ public class GroupDao { .setParentName((String) o[i++]) .setRoleId((String) o[i++]); groupDtoList.add(groupDto); - if (criteria.getUserId() != null && o[i++] != null) { + if (criteria.getUserId() != null && o[i] != null) { userGroupDtoList.add(groupDto); } } diff --git a/docs-core/src/main/java/com/sismics/docs/core/dao/jpa/TagDao.java b/docs-core/src/main/java/com/sismics/docs/core/dao/jpa/TagDao.java index 66f3e20d..ac5a9b59 100644 --- a/docs-core/src/main/java/com/sismics/docs/core/dao/jpa/TagDao.java +++ b/docs-core/src/main/java/com/sismics/docs/core/dao/jpa/TagDao.java @@ -46,6 +46,7 @@ public class TagDao { */ @SuppressWarnings("unchecked") public List getByUserId(String userId) { + // TODO Use ACLs EntityManager em = ThreadLocalContext.get().getEntityManager(); Query q = em.createQuery("select t from Tag t where t.userId = :userId and t.deleteDate is null order by t.name"); q.setParameter("userId", userId); @@ -96,12 +97,13 @@ public class TagDao { /** * Returns tag list on a document. - * + * * @param documentId Document ID * @return List of tags */ @SuppressWarnings("unchecked") public List getByDocumentId(String documentId, String userId) { + // TODO Use ACLs EntityManager em = ThreadLocalContext.get().getEntityManager(); StringBuilder sb = new StringBuilder("select t.TAG_ID_C, t.TAG_NAME_C, t.TAG_COLOR_C, t.TAG_IDPARENT_C from T_DOCUMENT_TAG dt "); sb.append(" join T_TAG t on t.TAG_ID_C = dt.DOT_IDTAG_C "); @@ -196,6 +198,7 @@ public class TagDao { * @return Tag */ public Tag getByName(String userId, String name) { + // TODO Use ACLs EntityManager em = ThreadLocalContext.get().getEntityManager(); Query q = em.createQuery("select t from Tag t where t.name = :name and t.userId = :userId and t.deleteDate is null"); q.setParameter("userId", userId); @@ -215,6 +218,7 @@ public class TagDao { * @return Tag */ public Tag getByTagId(String userId, String tagId) { + // TODO Use ACLs EntityManager em = ThreadLocalContext.get().getEntityManager(); Query q = em.createQuery("select t from Tag t where t.id = :tagId and t.userId = :userId and t.deleteDate is null"); q.setParameter("userId", userId); @@ -249,6 +253,11 @@ public class TagDao { q.setParameter("dateNow", dateNow); q.setParameter("tagId", tagId); q.executeUpdate(); + + q = em.createQuery("update Acl a set a.deleteDate = :dateNow where a.sourceId = :tagId and a.deleteDate is null"); + q.setParameter("tagId", tagId); + q.setParameter("dateNow", dateNow); + q.executeUpdate(); // Create audit log AuditLogUtil.create(tagDb, AuditLogType.DELETE, userId); @@ -262,6 +271,7 @@ public class TagDao { */ @SuppressWarnings("unchecked") public List findByName(String userId, String name) { + // TODO Use ACLs EntityManager em = ThreadLocalContext.get().getEntityManager(); Query q = em.createQuery("select t from Tag t where t.name like :name and t.userId = :userId and t.deleteDate is null"); q.setParameter("userId", userId); diff --git a/docs-core/src/main/java/com/sismics/docs/core/dao/jpa/UserDao.java b/docs-core/src/main/java/com/sismics/docs/core/dao/jpa/UserDao.java index bc392947..216177cd 100644 --- a/docs-core/src/main/java/com/sismics/docs/core/dao/jpa/UserDao.java +++ b/docs-core/src/main/java/com/sismics/docs/core/dao/jpa/UserDao.java @@ -188,23 +188,6 @@ public class UserDao { } } - /** - * Gets an active user by its password recovery token. - * - * @param passwordResetKey Password recovery token - * @return User - */ - public User getActiveByPasswordResetKey(String passwordResetKey) { - EntityManager em = ThreadLocalContext.get().getEntityManager(); - try { - Query q = em.createQuery("select u from User u where u.passwordResetKey = :passwordResetKey and u.deleteDate is null"); - q.setParameter("passwordResetKey", passwordResetKey); - return (User) q.getSingleResult(); - } catch (NoResultException e) { - return null; - } - } - /** * Deletes a user. * @@ -258,7 +241,7 @@ public class UserDao { * @param password Clear password * @return Hashed password */ - protected String hashPassword(String password) { + private String hashPassword(String password) { return BCrypt.hashpw(password, BCrypt.gensalt()); } @@ -270,8 +253,8 @@ public class UserDao { * @return List of users */ public List findByCriteria(UserCriteria criteria, SortCriteria sortCriteria) { - Map parameterMap = new HashMap(); - List criteriaList = new ArrayList(); + Map parameterMap = new HashMap<>(); + List criteriaList = new ArrayList<>(); StringBuilder sb = new StringBuilder("select u.USE_ID_C as c0, u.USE_USERNAME_C as c1, u.USE_EMAIL_C as c2, u.USE_CREATEDATE_D as c3, u.USE_STORAGECURRENT_N as c4, u.USE_STORAGEQUOTA_N as c5"); sb.append(" from T_USER u "); @@ -300,7 +283,7 @@ public class UserDao { List l = QueryUtil.getNativeQuery(queryParam).getResultList(); // Assemble results - List userDtoList = new ArrayList(); + List userDtoList = new ArrayList<>(); for (Object[] o : l) { int i = 0; UserDto userDto = new UserDto(); @@ -309,7 +292,7 @@ public class UserDao { userDto.setEmail((String) o[i++]); userDto.setCreateTimestamp(((Timestamp) o[i++]).getTime()); userDto.setStorageCurrent(((Number) o[i++]).longValue()); - userDto.setStorageQuota(((Number) o[i++]).longValue()); + userDto.setStorageQuota(((Number) o[i]).longValue()); userDtoList.add(userDto); } return userDtoList; diff --git a/docs-web/src/test/java/com/sismics/docs/rest/TestGroupResource.java b/docs-web/src/test/java/com/sismics/docs/rest/TestGroupResource.java index c37ad04c..1d5d37a9 100644 --- a/docs-web/src/test/java/com/sismics/docs/rest/TestGroupResource.java +++ b/docs-web/src/test/java/com/sismics/docs/rest/TestGroupResource.java @@ -106,7 +106,7 @@ public class TestGroupResource extends BaseJerseyTest { Assert.assertEquals(1, users.size()); // Add group1 to g112 (again) - json = target().path("/group/g112").request() + target().path("/group/g112").request() .cookie(TokenBasedSecurityFilter.COOKIE_NAME, adminToken) .put(Entity.form(new Form() .param("username", "group1")), JsonObject.class); @@ -145,7 +145,7 @@ public class TestGroupResource extends BaseJerseyTest { Assert.assertEquals("group1", members.getString(0)); // Remove group1 from g12new - json = target().path("/group/g12new/group1").request() + target().path("/group/g12new/group1").request() .cookie(TokenBasedSecurityFilter.COOKIE_NAME, adminToken) .delete(JsonObject.class); @@ -164,7 +164,7 @@ public class TestGroupResource extends BaseJerseyTest { Assert.assertTrue(groupList.contains("g112")); // Delete group g1 - json = target().path("/group/g1").request() + target().path("/group/g1").request() .cookie(TokenBasedSecurityFilter.COOKIE_NAME, adminToken) .delete(JsonObject.class);