use of edu.harvard.iq.dataverse.authorization.Permission in project dataverse by IQSS.
the class ReturnDatasetToAuthorCommandTest method setUp.
@Before
public void setUp() {
dataset = new Dataset();
HttpServletRequest aHttpServletRequest = null;
dataverseRequest = new DataverseRequest(MocksFactory.makeAuthenticatedUser("First", "Last"), aHttpServletRequest);
testEngine = new TestDataverseEngine(new TestCommandContext() {
@Override
public AuthenticationServiceBean authentication() {
return new AuthenticationServiceBean() {
@Override
public AuthenticatedUser getAuthenticatedUser(String id) {
return MocksFactory.makeAuthenticatedUser("First", "Last");
}
};
}
@Override
public IndexServiceBean index() {
return new IndexServiceBean() {
@Override
public Future<String> indexDataset(Dataset dataset, boolean doNormalSolrDocCleanUp) {
return null;
}
};
}
@Override
public EntityManager em() {
return new NoOpTestEntityManager();
}
@Override
public DatasetServiceBean datasets() {
return new DatasetServiceBean() {
{
em = new NoOpTestEntityManager();
}
@Override
public DatasetVersionUser getDatasetVersionUser(DatasetVersion version, User user) {
return null;
}
@Override
public WorkflowComment addWorkflowComment(WorkflowComment comment) {
return comment;
}
@Override
public void removeDatasetLocks(Long datasetId, DatasetLock.Reason aReason) {
}
};
}
@Override
public DataverseRoleServiceBean roles() {
return new DataverseRoleServiceBean() {
@Override
public DataverseRole findBuiltinRoleByAlias(String alias) {
return new DataverseRole();
}
@Override
public RoleAssignment save(RoleAssignment assignment) {
// no-op
return assignment;
}
};
}
@Override
public PermissionServiceBean permissions() {
return new PermissionServiceBean() {
@Override
public List<AuthenticatedUser> getUsersWithPermissionOn(Permission permission, DvObject dvo) {
// We only need permissions for notifications, which we are testing in InReviewWorkflowIT.
return Collections.emptyList();
}
};
}
});
}
use of edu.harvard.iq.dataverse.authorization.Permission in project dataverse by IQSS.
the class EjbDataverseEngine method submit.
public <R> R submit(Command<R> aCommand) throws CommandException {
final ActionLogRecord logRec = new ActionLogRecord(ActionLogRecord.ActionType.Command, aCommand.getClass().getCanonicalName());
try {
logRec.setUserIdentifier(aCommand.getRequest().getUser().getIdentifier());
// Check permissions - or throw an exception
Map<String, ? extends Set<Permission>> requiredMap = aCommand.getRequiredPermissions();
if (requiredMap == null) {
throw new RuntimeException("Command " + aCommand + " does not define required permissions.");
}
DataverseRequest dvReq = aCommand.getRequest();
Map<String, DvObject> affectedDvObjects = aCommand.getAffectedDvObjects();
logRec.setInfo(aCommand.describe());
for (Map.Entry<String, ? extends Set<Permission>> pair : requiredMap.entrySet()) {
String dvName = pair.getKey();
if (!affectedDvObjects.containsKey(dvName)) {
throw new RuntimeException("Command instance " + aCommand + " does not have a DvObject named '" + dvName + "'");
}
DvObject dvo = affectedDvObjects.get(dvName);
Set<Permission> granted = (dvo != null) ? permissionService.permissionsFor(dvReq, dvo) : EnumSet.allOf(Permission.class);
Set<Permission> required = requiredMap.get(dvName);
if (!granted.containsAll(required)) {
required.removeAll(granted);
logRec.setActionResult(ActionLogRecord.Result.PermissionError);
/**
* @todo Is there any harm in showing the "granted" set
* since we already show "required"? It would help people
* reason about the mismatch.
*/
throw new PermissionException("Can't execute command " + aCommand + ", because request " + aCommand.getRequest() + " is missing permissions " + required + " on Object " + dvo.accept(DvObject.NamePrinter), aCommand, required, dvo);
}
}
try {
return aCommand.execute(getContext());
} catch (EJBException ejbe) {
logRec.setActionResult(ActionLogRecord.Result.InternalError);
throw new CommandException("Command " + aCommand.toString() + " failed: " + ejbe.getMessage(), ejbe.getCausedByException(), aCommand);
}
} catch (RuntimeException re) {
logRec.setActionResult(ActionLogRecord.Result.InternalError);
logRec.setInfo(re.getMessage());
Throwable cause = re;
while (cause != null) {
if (cause instanceof ConstraintViolationException) {
StringBuilder sb = new StringBuilder();
sb.append("Unexpected bean validation constraint exception:");
ConstraintViolationException constraintViolationException = (ConstraintViolationException) cause;
for (ConstraintViolation<?> violation : constraintViolationException.getConstraintViolations()) {
sb.append(" Invalid value: <<<").append(violation.getInvalidValue()).append(">>> for ").append(violation.getPropertyPath()).append(" at ").append(violation.getLeafBean()).append(" - ").append(violation.getMessage());
}
logger.log(Level.SEVERE, sb.toString());
// set this more detailed info in action log
logRec.setInfo(sb.toString());
}
cause = cause.getCause();
}
throw re;
} finally {
if (logRec.getActionResult() == null) {
logRec.setActionResult(ActionLogRecord.Result.OK);
}
logRec.setEndTime(new java.util.Date());
logSvc.log(logRec);
}
}
use of edu.harvard.iq.dataverse.authorization.Permission in project dataverse by IQSS.
the class ManagePermissionsPage method setRole.
public void setRole(DataverseRole role) {
this.role = role;
selectedPermissions = new LinkedList<>();
if (role != null) {
for (Permission p : role.permissions()) {
selectedPermissions.add(p.name());
}
}
}
use of edu.harvard.iq.dataverse.authorization.Permission in project dataverse by IQSS.
the class PermissionServiceBean method permissionsFor.
/**
* Finds all the permissions the {@link User} in {@code req} has over
* {@code dvo}, in the context of {@code req}.
* @param req
* @param dvo
* @return Permissions of {@code req.getUser()} over {@code dvo}.
*/
public Set<Permission> permissionsFor(DataverseRequest req, DvObject dvo) {
Set<Permission> permissions = EnumSet.noneOf(Permission.class);
// Add permissions specifically given to the user
permissions.addAll(permissionsForSingleRoleAssignee(req.getUser(), dvo));
Set<Group> groups = groupService.groupsFor(req, dvo);
// Add permissions gained from groups
for (Group g : groups) {
final Set<Permission> groupPremissions = permissionsForSingleRoleAssignee(g, dvo);
permissions.addAll(groupPremissions);
}
if (!req.getUser().isAuthenticated()) {
permissions.removeAll(PERMISSIONS_FOR_AUTHENTICATED_USERS_ONLY);
}
return permissions;
}
use of edu.harvard.iq.dataverse.authorization.Permission in project dataverse by IQSS.
the class PermissionServiceBean method permissionsFor.
/**
* Returns the set of permission a user/group has over a dataverse object.
* This method takes into consideration group memberships as well, but does
* not look into request-level groups.
* @param ra The role assignee.
* @param dvo The {@link DvObject} on which the user wants to operate
* @return the set of permissions {@code ra} has over {@code dvo}.
*/
public Set<Permission> permissionsFor(RoleAssignee ra, DvObject dvo) {
Set<Permission> permissions = EnumSet.noneOf(Permission.class);
// Add permissions specifically given to the user
permissions.addAll(permissionsForSingleRoleAssignee(ra, dvo));
// Add permissions gained from groups
Set<Group> groupsRaBelongsTo = groupService.groupsFor(ra, dvo);
for (Group g : groupsRaBelongsTo) {
permissions.addAll(permissionsForSingleRoleAssignee(g, dvo));
}
if ((ra instanceof User) && (!((User) ra).isAuthenticated())) {
permissions.removeAll(PERMISSIONS_FOR_AUTHENTICATED_USERS_ONLY);
}
return permissions;
}
Aggregations