mirror of
https://github.com/sismics/docs.git
synced 2024-11-22 14:07:55 +01:00
#83: Permission check for tags
This commit is contained in:
parent
0f661e5a34
commit
ddf9e83a9b
@ -118,11 +118,16 @@ public class AclDao {
|
|||||||
* @return True if the document is accessible
|
* @return True if the document is accessible
|
||||||
*/
|
*/
|
||||||
public boolean checkPermission(String sourceId, PermType perm, List<String> targetIdList) {
|
public boolean checkPermission(String sourceId, PermType perm, List<String> targetIdList) {
|
||||||
// TODO Handle tags as source for ACL
|
|
||||||
EntityManager em = ThreadLocalContext.get().getEntityManager();
|
EntityManager em = ThreadLocalContext.get().getEntityManager();
|
||||||
Query q = em.createQuery("select a from Acl a where a.sourceId = :sourceId and a.perm = :perm and a.targetId in (:targetIdList) and a.deleteDate is null");
|
StringBuilder sb = new StringBuilder("select a.ACL_ID_C from T_ACL a ");
|
||||||
|
sb.append(" where a.ACL_TARGETID_C in (:targetIdList) and a.ACL_SOURCEID_C = :sourceId and a.ACL_PERM_C = :perm and a.ACL_DELETEDATE_D is null ");
|
||||||
|
sb.append(" union all ");
|
||||||
|
sb.append(" select a.ACL_ID_C from T_ACL a, T_DOCUMENT_TAG dt ");
|
||||||
|
sb.append(" where a.ACL_SOURCEID_C = dt.DOT_IDTAG_C and dt.DOT_IDDOCUMENT_C = :sourceId and dt.DOT_DELETEDATE_D is null ");
|
||||||
|
sb.append(" and a.ACL_TARGETID_C in (:targetIdList) and a.ACL_PERM_C = :perm and a.ACL_DELETEDATE_D is null ");
|
||||||
|
Query q = em.createNativeQuery(sb.toString());
|
||||||
q.setParameter("sourceId", sourceId);
|
q.setParameter("sourceId", sourceId);
|
||||||
q.setParameter("perm", perm);
|
q.setParameter("perm", perm.name());
|
||||||
q.setParameter("targetIdList", targetIdList);
|
q.setParameter("targetIdList", targetIdList);
|
||||||
|
|
||||||
// We have a matching permission
|
// We have a matching permission
|
||||||
|
@ -90,6 +90,11 @@ public class DocumentDao {
|
|||||||
* @return Document
|
* @return Document
|
||||||
*/
|
*/
|
||||||
public DocumentDto getDocument(String id, PermType perm, List<String> targetIdList) {
|
public DocumentDto getDocument(String id, PermType perm, List<String> targetIdList) {
|
||||||
|
AclDao aclDao = new AclDao();
|
||||||
|
if (!aclDao.checkPermission(id, perm, targetIdList)) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
EntityManager em = ThreadLocalContext.get().getEntityManager();
|
EntityManager em = ThreadLocalContext.get().getEntityManager();
|
||||||
StringBuilder sb = new StringBuilder("select distinct d.DOC_ID_C, d.DOC_TITLE_C, d.DOC_DESCRIPTION_C, d.DOC_SUBJECT_C, d.DOC_IDENTIFIER_C, d.DOC_PUBLISHER_C, d.DOC_FORMAT_C, d.DOC_SOURCE_C, d.DOC_TYPE_C, d.DOC_COVERAGE_C, d.DOC_RIGHTS_C, d.DOC_CREATEDATE_D, d.DOC_LANGUAGE_C, ");
|
StringBuilder sb = new StringBuilder("select distinct d.DOC_ID_C, d.DOC_TITLE_C, d.DOC_DESCRIPTION_C, d.DOC_SUBJECT_C, d.DOC_IDENTIFIER_C, d.DOC_PUBLISHER_C, d.DOC_FORMAT_C, d.DOC_SOURCE_C, d.DOC_TYPE_C, d.DOC_COVERAGE_C, d.DOC_RIGHTS_C, d.DOC_CREATEDATE_D, d.DOC_LANGUAGE_C, ");
|
||||||
sb.append(" (select count(s.SHA_ID_C) from T_SHARE s, T_ACL ac where ac.ACL_SOURCEID_C = d.DOC_ID_C and ac.ACL_TARGETID_C = s.SHA_ID_C and ac.ACL_DELETEDATE_D is null and s.SHA_DELETEDATE_D is null), ");
|
sb.append(" (select count(s.SHA_ID_C) from T_SHARE s, T_ACL ac where ac.ACL_SOURCEID_C = d.DOC_ID_C and ac.ACL_TARGETID_C = s.SHA_ID_C and ac.ACL_DELETEDATE_D is null and s.SHA_DELETEDATE_D is null), ");
|
||||||
@ -97,15 +102,10 @@ public class DocumentDao {
|
|||||||
sb.append(" u.USE_USERNAME_C ");
|
sb.append(" u.USE_USERNAME_C ");
|
||||||
sb.append(" from T_DOCUMENT d ");
|
sb.append(" from T_DOCUMENT d ");
|
||||||
sb.append(" join T_USER u on d.DOC_IDUSER_C = u.USE_ID_C ");
|
sb.append(" join T_USER u on d.DOC_IDUSER_C = u.USE_ID_C ");
|
||||||
sb.append(" left join T_ACL a on a.ACL_TARGETID_C in (:targetIdList) and a.ACL_SOURCEID_C = d.DOC_ID_C and a.ACL_PERM_C = :perm and a.ACL_DELETEDATE_D is null ");
|
sb.append(" where d.DOC_ID_C = :id and d.DOC_DELETEDATE_D is null ");
|
||||||
sb.append(" left join T_DOCUMENT_TAG dta on dta.DOT_IDDOCUMENT_C = d.DOC_ID_C and dta.DOT_DELETEDATE_D is null ");
|
|
||||||
sb.append(" left join T_ACL a2 on a2.ACL_TARGETID_C in (:targetIdList) and a2.ACL_SOURCEID_C = dta.DOT_IDTAG_C and a2.ACL_PERM_C = 'READ' and a2.ACL_DELETEDATE_D is null ");
|
|
||||||
sb.append(" where d.DOC_ID_C = :id and (a.ACL_ID_C is not null or a2.ACL_ID_C is not null) and d.DOC_DELETEDATE_D is null ");
|
|
||||||
|
|
||||||
Query q = em.createNativeQuery(sb.toString());
|
Query q = em.createNativeQuery(sb.toString());
|
||||||
q.setParameter("id", id);
|
q.setParameter("id", id);
|
||||||
q.setParameter("perm", perm.name());
|
|
||||||
q.setParameter("targetIdList", targetIdList);
|
|
||||||
|
|
||||||
Object[] o;
|
Object[] o;
|
||||||
try {
|
try {
|
||||||
|
@ -71,7 +71,6 @@ public class GroupDao {
|
|||||||
* @param group Group
|
* @param group Group
|
||||||
* @param userId User ID
|
* @param userId User ID
|
||||||
* @return New ID
|
* @return New ID
|
||||||
* @throws Exception
|
|
||||||
*/
|
*/
|
||||||
public String create(Group group, String userId) {
|
public String create(Group group, String userId) {
|
||||||
// Create the UUID
|
// Create the UUID
|
||||||
@ -127,9 +126,8 @@ public class GroupDao {
|
|||||||
/**
|
/**
|
||||||
* Add an user to a group.
|
* Add an user to a group.
|
||||||
*
|
*
|
||||||
* @param group Group
|
* @param userGroup User group
|
||||||
* @return New ID
|
* @return New ID
|
||||||
* @throws Exception
|
|
||||||
*/
|
*/
|
||||||
public String addMember(UserGroup userGroup) {
|
public String addMember(UserGroup userGroup) {
|
||||||
// Create the UUID
|
// Create the UUID
|
||||||
@ -170,8 +168,8 @@ public class GroupDao {
|
|||||||
* @return List of groups
|
* @return List of groups
|
||||||
*/
|
*/
|
||||||
public List<GroupDto> findByCriteria(GroupCriteria criteria, SortCriteria sortCriteria) {
|
public List<GroupDto> findByCriteria(GroupCriteria criteria, SortCriteria sortCriteria) {
|
||||||
Map<String, Object> parameterMap = new HashMap<String, Object>();
|
Map<String, Object> parameterMap = new HashMap<>();
|
||||||
List<String> criteriaList = new ArrayList<String>();
|
List<String> criteriaList = new ArrayList<>();
|
||||||
|
|
||||||
StringBuilder sb = new StringBuilder("select g.GRP_ID_C as c0, g.GRP_NAME_C as c1, g.GRP_IDPARENT_C as c2, gp.GRP_NAME_C as c3, g.GRP_IDROLE_C ");
|
StringBuilder sb = new StringBuilder("select g.GRP_ID_C as c0, g.GRP_NAME_C as c1, g.GRP_IDPARENT_C as c2, gp.GRP_NAME_C as c3, g.GRP_IDROLE_C ");
|
||||||
if (criteria.getUserId() != null) {
|
if (criteria.getUserId() != null) {
|
||||||
@ -187,8 +185,8 @@ public class GroupDao {
|
|||||||
}
|
}
|
||||||
if (criteria.getUserId() != null) {
|
if (criteria.getUserId() != null) {
|
||||||
// Left join and post-filtering for recursive groups
|
// Left join and post-filtering for recursive groups
|
||||||
sb.append((criteria.isRecursive() ? " left " : "")
|
sb.append(criteria.isRecursive() ? " left " : "");
|
||||||
+ " join T_USER_GROUP ug on ug.UGP_IDGROUP_C = g.GRP_ID_C and ug.UGP_IDUSER_C = :userId and ug.UGP_DELETEDATE_D is null ");
|
sb.append(" join T_USER_GROUP ug on ug.UGP_IDGROUP_C = g.GRP_ID_C and ug.UGP_IDUSER_C = :userId and ug.UGP_DELETEDATE_D is null ");
|
||||||
parameterMap.put("userId", criteria.getUserId());
|
parameterMap.put("userId", criteria.getUserId());
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -216,7 +214,7 @@ public class GroupDao {
|
|||||||
.setParentName((String) o[i++])
|
.setParentName((String) o[i++])
|
||||||
.setRoleId((String) o[i++]);
|
.setRoleId((String) o[i++]);
|
||||||
groupDtoList.add(groupDto);
|
groupDtoList.add(groupDto);
|
||||||
if (criteria.getUserId() != null && o[i++] != null) {
|
if (criteria.getUserId() != null && o[i] != null) {
|
||||||
userGroupDtoList.add(groupDto);
|
userGroupDtoList.add(groupDto);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -46,6 +46,7 @@ public class TagDao {
|
|||||||
*/
|
*/
|
||||||
@SuppressWarnings("unchecked")
|
@SuppressWarnings("unchecked")
|
||||||
public List<Tag> getByUserId(String userId) {
|
public List<Tag> getByUserId(String userId) {
|
||||||
|
// TODO Use ACLs
|
||||||
EntityManager em = ThreadLocalContext.get().getEntityManager();
|
EntityManager em = ThreadLocalContext.get().getEntityManager();
|
||||||
Query q = em.createQuery("select t from Tag t where t.userId = :userId and t.deleteDate is null order by t.name");
|
Query q = em.createQuery("select t from Tag t where t.userId = :userId and t.deleteDate is null order by t.name");
|
||||||
q.setParameter("userId", userId);
|
q.setParameter("userId", userId);
|
||||||
@ -102,6 +103,7 @@ public class TagDao {
|
|||||||
*/
|
*/
|
||||||
@SuppressWarnings("unchecked")
|
@SuppressWarnings("unchecked")
|
||||||
public List<TagDto> getByDocumentId(String documentId, String userId) {
|
public List<TagDto> getByDocumentId(String documentId, String userId) {
|
||||||
|
// TODO Use ACLs
|
||||||
EntityManager em = ThreadLocalContext.get().getEntityManager();
|
EntityManager em = ThreadLocalContext.get().getEntityManager();
|
||||||
StringBuilder sb = new StringBuilder("select t.TAG_ID_C, t.TAG_NAME_C, t.TAG_COLOR_C, t.TAG_IDPARENT_C from T_DOCUMENT_TAG dt ");
|
StringBuilder sb = new StringBuilder("select t.TAG_ID_C, t.TAG_NAME_C, t.TAG_COLOR_C, t.TAG_IDPARENT_C from T_DOCUMENT_TAG dt ");
|
||||||
sb.append(" join T_TAG t on t.TAG_ID_C = dt.DOT_IDTAG_C ");
|
sb.append(" join T_TAG t on t.TAG_ID_C = dt.DOT_IDTAG_C ");
|
||||||
@ -196,6 +198,7 @@ public class TagDao {
|
|||||||
* @return Tag
|
* @return Tag
|
||||||
*/
|
*/
|
||||||
public Tag getByName(String userId, String name) {
|
public Tag getByName(String userId, String name) {
|
||||||
|
// TODO Use ACLs
|
||||||
EntityManager em = ThreadLocalContext.get().getEntityManager();
|
EntityManager em = ThreadLocalContext.get().getEntityManager();
|
||||||
Query q = em.createQuery("select t from Tag t where t.name = :name and t.userId = :userId and t.deleteDate is null");
|
Query q = em.createQuery("select t from Tag t where t.name = :name and t.userId = :userId and t.deleteDate is null");
|
||||||
q.setParameter("userId", userId);
|
q.setParameter("userId", userId);
|
||||||
@ -215,6 +218,7 @@ public class TagDao {
|
|||||||
* @return Tag
|
* @return Tag
|
||||||
*/
|
*/
|
||||||
public Tag getByTagId(String userId, String tagId) {
|
public Tag getByTagId(String userId, String tagId) {
|
||||||
|
// TODO Use ACLs
|
||||||
EntityManager em = ThreadLocalContext.get().getEntityManager();
|
EntityManager em = ThreadLocalContext.get().getEntityManager();
|
||||||
Query q = em.createQuery("select t from Tag t where t.id = :tagId and t.userId = :userId and t.deleteDate is null");
|
Query q = em.createQuery("select t from Tag t where t.id = :tagId and t.userId = :userId and t.deleteDate is null");
|
||||||
q.setParameter("userId", userId);
|
q.setParameter("userId", userId);
|
||||||
@ -250,6 +254,11 @@ public class TagDao {
|
|||||||
q.setParameter("tagId", tagId);
|
q.setParameter("tagId", tagId);
|
||||||
q.executeUpdate();
|
q.executeUpdate();
|
||||||
|
|
||||||
|
q = em.createQuery("update Acl a set a.deleteDate = :dateNow where a.sourceId = :tagId and a.deleteDate is null");
|
||||||
|
q.setParameter("tagId", tagId);
|
||||||
|
q.setParameter("dateNow", dateNow);
|
||||||
|
q.executeUpdate();
|
||||||
|
|
||||||
// Create audit log
|
// Create audit log
|
||||||
AuditLogUtil.create(tagDb, AuditLogType.DELETE, userId);
|
AuditLogUtil.create(tagDb, AuditLogType.DELETE, userId);
|
||||||
}
|
}
|
||||||
@ -262,6 +271,7 @@ public class TagDao {
|
|||||||
*/
|
*/
|
||||||
@SuppressWarnings("unchecked")
|
@SuppressWarnings("unchecked")
|
||||||
public List<Tag> findByName(String userId, String name) {
|
public List<Tag> findByName(String userId, String name) {
|
||||||
|
// TODO Use ACLs
|
||||||
EntityManager em = ThreadLocalContext.get().getEntityManager();
|
EntityManager em = ThreadLocalContext.get().getEntityManager();
|
||||||
Query q = em.createQuery("select t from Tag t where t.name like :name and t.userId = :userId and t.deleteDate is null");
|
Query q = em.createQuery("select t from Tag t where t.name like :name and t.userId = :userId and t.deleteDate is null");
|
||||||
q.setParameter("userId", userId);
|
q.setParameter("userId", userId);
|
||||||
|
@ -188,23 +188,6 @@ public class UserDao {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Gets an active user by its password recovery token.
|
|
||||||
*
|
|
||||||
* @param passwordResetKey Password recovery token
|
|
||||||
* @return User
|
|
||||||
*/
|
|
||||||
public User getActiveByPasswordResetKey(String passwordResetKey) {
|
|
||||||
EntityManager em = ThreadLocalContext.get().getEntityManager();
|
|
||||||
try {
|
|
||||||
Query q = em.createQuery("select u from User u where u.passwordResetKey = :passwordResetKey and u.deleteDate is null");
|
|
||||||
q.setParameter("passwordResetKey", passwordResetKey);
|
|
||||||
return (User) q.getSingleResult();
|
|
||||||
} catch (NoResultException e) {
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Deletes a user.
|
* Deletes a user.
|
||||||
*
|
*
|
||||||
@ -258,7 +241,7 @@ public class UserDao {
|
|||||||
* @param password Clear password
|
* @param password Clear password
|
||||||
* @return Hashed password
|
* @return Hashed password
|
||||||
*/
|
*/
|
||||||
protected String hashPassword(String password) {
|
private String hashPassword(String password) {
|
||||||
return BCrypt.hashpw(password, BCrypt.gensalt());
|
return BCrypt.hashpw(password, BCrypt.gensalt());
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -270,8 +253,8 @@ public class UserDao {
|
|||||||
* @return List of users
|
* @return List of users
|
||||||
*/
|
*/
|
||||||
public List<UserDto> findByCriteria(UserCriteria criteria, SortCriteria sortCriteria) {
|
public List<UserDto> findByCriteria(UserCriteria criteria, SortCriteria sortCriteria) {
|
||||||
Map<String, Object> parameterMap = new HashMap<String, Object>();
|
Map<String, Object> parameterMap = new HashMap<>();
|
||||||
List<String> criteriaList = new ArrayList<String>();
|
List<String> criteriaList = new ArrayList<>();
|
||||||
|
|
||||||
StringBuilder sb = new StringBuilder("select u.USE_ID_C as c0, u.USE_USERNAME_C as c1, u.USE_EMAIL_C as c2, u.USE_CREATEDATE_D as c3, u.USE_STORAGECURRENT_N as c4, u.USE_STORAGEQUOTA_N as c5");
|
StringBuilder sb = new StringBuilder("select u.USE_ID_C as c0, u.USE_USERNAME_C as c1, u.USE_EMAIL_C as c2, u.USE_CREATEDATE_D as c3, u.USE_STORAGECURRENT_N as c4, u.USE_STORAGEQUOTA_N as c5");
|
||||||
sb.append(" from T_USER u ");
|
sb.append(" from T_USER u ");
|
||||||
@ -300,7 +283,7 @@ public class UserDao {
|
|||||||
List<Object[]> l = QueryUtil.getNativeQuery(queryParam).getResultList();
|
List<Object[]> l = QueryUtil.getNativeQuery(queryParam).getResultList();
|
||||||
|
|
||||||
// Assemble results
|
// Assemble results
|
||||||
List<UserDto> userDtoList = new ArrayList<UserDto>();
|
List<UserDto> userDtoList = new ArrayList<>();
|
||||||
for (Object[] o : l) {
|
for (Object[] o : l) {
|
||||||
int i = 0;
|
int i = 0;
|
||||||
UserDto userDto = new UserDto();
|
UserDto userDto = new UserDto();
|
||||||
@ -309,7 +292,7 @@ public class UserDao {
|
|||||||
userDto.setEmail((String) o[i++]);
|
userDto.setEmail((String) o[i++]);
|
||||||
userDto.setCreateTimestamp(((Timestamp) o[i++]).getTime());
|
userDto.setCreateTimestamp(((Timestamp) o[i++]).getTime());
|
||||||
userDto.setStorageCurrent(((Number) o[i++]).longValue());
|
userDto.setStorageCurrent(((Number) o[i++]).longValue());
|
||||||
userDto.setStorageQuota(((Number) o[i++]).longValue());
|
userDto.setStorageQuota(((Number) o[i]).longValue());
|
||||||
userDtoList.add(userDto);
|
userDtoList.add(userDto);
|
||||||
}
|
}
|
||||||
return userDtoList;
|
return userDtoList;
|
||||||
|
@ -106,7 +106,7 @@ public class TestGroupResource extends BaseJerseyTest {
|
|||||||
Assert.assertEquals(1, users.size());
|
Assert.assertEquals(1, users.size());
|
||||||
|
|
||||||
// Add group1 to g112 (again)
|
// Add group1 to g112 (again)
|
||||||
json = target().path("/group/g112").request()
|
target().path("/group/g112").request()
|
||||||
.cookie(TokenBasedSecurityFilter.COOKIE_NAME, adminToken)
|
.cookie(TokenBasedSecurityFilter.COOKIE_NAME, adminToken)
|
||||||
.put(Entity.form(new Form()
|
.put(Entity.form(new Form()
|
||||||
.param("username", "group1")), JsonObject.class);
|
.param("username", "group1")), JsonObject.class);
|
||||||
@ -145,7 +145,7 @@ public class TestGroupResource extends BaseJerseyTest {
|
|||||||
Assert.assertEquals("group1", members.getString(0));
|
Assert.assertEquals("group1", members.getString(0));
|
||||||
|
|
||||||
// Remove group1 from g12new
|
// Remove group1 from g12new
|
||||||
json = target().path("/group/g12new/group1").request()
|
target().path("/group/g12new/group1").request()
|
||||||
.cookie(TokenBasedSecurityFilter.COOKIE_NAME, adminToken)
|
.cookie(TokenBasedSecurityFilter.COOKIE_NAME, adminToken)
|
||||||
.delete(JsonObject.class);
|
.delete(JsonObject.class);
|
||||||
|
|
||||||
@ -164,7 +164,7 @@ public class TestGroupResource extends BaseJerseyTest {
|
|||||||
Assert.assertTrue(groupList.contains("g112"));
|
Assert.assertTrue(groupList.contains("g112"));
|
||||||
|
|
||||||
// Delete group g1
|
// Delete group g1
|
||||||
json = target().path("/group/g1").request()
|
target().path("/group/g1").request()
|
||||||
.cookie(TokenBasedSecurityFilter.COOKIE_NAME, adminToken)
|
.cookie(TokenBasedSecurityFilter.COOKIE_NAME, adminToken)
|
||||||
.delete(JsonObject.class);
|
.delete(JsonObject.class);
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user