Example 1 with Group
use of edu.harvard.iq.dataverse.authorization.groups.Group in project dataverse by IQSS.
the class MailServiceBean method getRoleStringFromUser.
/**
* Returns a '/'-separated string of roles that are effective for {@code au}
* over {@code dvObj}. Traverses the containment hierarchy of the {@code d}.
* Takes into consideration all groups that {@code au} is part of.
* @param au The authenticated user whose role assignments we look for.
* @param dvObj The Dataverse object over which the roles are assigned
* @return A set of all the role assignments for {@code ra} over {@code d}.
*/
private String getRoleStringFromUser(AuthenticatedUser au, DvObject dvObj) {
// Find user's role(s) for given dataverse/dataset
Set<RoleAssignment> roles = permissionService.assignmentsFor(au, dvObj);
List<String> roleNames = new ArrayList<>();
// Include roles derived from a user's groups
Set<Group> groupsUserBelongsTo = groupService.groupsFor(au, dvObj);
for (Group g : groupsUserBelongsTo) {
roles.addAll(permissionService.assignmentsFor(g, dvObj));
}
for (RoleAssignment ra : roles) {
roleNames.add(ra.getRole().getName());
}
return StringUtils.join(roleNames, "/");
}Example 2 with Group
use of edu.harvard.iq.dataverse.authorization.groups.Group in project dataverse by IQSS.
the class RoleAssigneeServiceBean method getUserRuntimeGroups.
private List<String> getUserRuntimeGroups(DataverseRequest dataverseRequest) {
List<String> retVal = new ArrayList<>();
// Set<Group> groups = groupSvc.groupsFor(dataverseRequest, null);
Set<Group> groups = groupSvc.collectAncestors(groupSvc.groupsFor(dataverseRequest));
for (Group group : groups) {
logger.fine("found group " + group.getIdentifier() + " with alias " + group.getAlias());
// if (group.getGroupProvider().getGroupProviderAlias().equals("shib") || group.getGroupProvider().getGroupProviderAlias().equals("ip")) {
String groupAlias = group.getAlias();
if (groupAlias != null && !groupAlias.isEmpty()) {
if (group instanceof ExplicitGroup) {
retVal.add("&explicit/" + groupAlias);
} else {
retVal.add('&' + groupAlias);
}
}
// }
}
logger.fine("retVal: " + retVal);
return retVal;
}
Also used :
ExplicitGroup(edu.harvard.iq.dataverse.authorization.groups.impl.explicit.ExplicitGroup)
Group(edu.harvard.iq.dataverse.authorization.groups.Group)
ArrayList(java.util.ArrayList)
ExplicitGroup(edu.harvard.iq.dataverse.authorization.groups.impl.explicit.ExplicitGroup)
Example 3 with Group
use of edu.harvard.iq.dataverse.authorization.groups.Group in project dataverse by IQSS.
the class PermissionServiceBean method permissionsFor.
/**
* Finds all the permissions the {@link User} in {@code req} has over
* {@code dvo}, in the context of {@code req}.
* @param req
* @param dvo
* @return Permissions of {@code req.getUser()} over {@code dvo}.
*/
public Set<Permission> permissionsFor(DataverseRequest req, DvObject dvo) {
Set<Permission> permissions = EnumSet.noneOf(Permission.class);
// Add permissions specifically given to the user
permissions.addAll(permissionsForSingleRoleAssignee(req.getUser(), dvo));
Set<Group> groups = groupService.groupsFor(req, dvo);
// Add permissions gained from groups
for (Group g : groups) {
final Set<Permission> groupPremissions = permissionsForSingleRoleAssignee(g, dvo);
permissions.addAll(groupPremissions);
}
if (!req.getUser().isAuthenticated()) {
permissions.removeAll(PERMISSIONS_FOR_AUTHENTICATED_USERS_ONLY);
}
return permissions;
}
Also used :
Group(edu.harvard.iq.dataverse.authorization.groups.Group)
Permission(edu.harvard.iq.dataverse.authorization.Permission)
Example 4 with Group
use of edu.harvard.iq.dataverse.authorization.groups.Group in project dataverse by IQSS.
the class SearchServiceBean method getPermissionFilterQuery.
/**
* Moved this logic out of the "search" function
*
* @return
*/
private String getPermissionFilterQuery(DataverseRequest dataverseRequest, SolrQuery solrQuery, Dataverse dataverse, boolean onlyDatatRelatedToMe) {
User user = dataverseRequest.getUser();
if (user == null) {
throw new NullPointerException("user cannot be null");
}
if (solrQuery == null) {
throw new NullPointerException("solrQuery cannot be null");
}
/**
* @todo For people who are not logged in, should we show stuff indexed
* with "AllUsers" group or not? If so, uncomment the allUsersString
* stuff below.
*/
// String allUsersString = IndexServiceBean.getGroupPrefix() + AllUsers.get().getAlias();
// String publicOnly = "{!join from=" + SearchFields.DEFINITION_POINT + " to=id}" + SearchFields.DISCOVERABLE_BY + ":(" + IndexServiceBean.getPublicGroupString() + " OR " + allUsersString + ")";
String publicOnly = "{!join from=" + SearchFields.DEFINITION_POINT + " to=id}" + SearchFields.DISCOVERABLE_BY + ":(" + IndexServiceBean.getPublicGroupString() + ")";
// String publicOnly = "{!join from=" + SearchFields.GROUPS + " to=" + SearchFields.PERMS + "}id:" + IndexServiceBean.getPublicGroupString();
// initialize to public only to be safe
String dangerZoneNoSolrJoin = null;
if (user instanceof PrivateUrlUser) {
user = GuestUser.get();
}
// ----------------------------------------------------
if (user instanceof GuestUser) {
String groupsFromProviders = "";
Set<Group> groups = groupService.collectAncestors(groupService.groupsFor(dataverseRequest));
StringBuilder sb = new StringBuilder();
for (Group group : groups) {
logger.fine("found group " + group.getIdentifier() + " with alias " + group.getAlias());
String groupAlias = group.getAlias();
if (groupAlias != null && !groupAlias.isEmpty()) {
sb.append(" OR ");
// i.e. group_builtIn/all-users, ip/ipGroup3
sb.append(IndexServiceBean.getGroupPrefix()).append(groupAlias);
}
}
groupsFromProviders = sb.toString();
logger.fine("groupsFromProviders:" + groupsFromProviders);
String guestWithGroups = "{!join from=" + SearchFields.DEFINITION_POINT + " to=id}" + SearchFields.DISCOVERABLE_BY + ":(" + IndexServiceBean.getPublicGroupString() + groupsFromProviders + ")";
logger.fine(guestWithGroups);
return guestWithGroups;
}
// ----------------------------------------------------
if (!(user instanceof AuthenticatedUser)) {
logger.severe("Should never reach here. A User must be an AuthenticatedUser or a Guest");
throw new IllegalStateException("A User must be an AuthenticatedUser or a Guest");
}
AuthenticatedUser au = (AuthenticatedUser) user;
// Logged in user, has publication status facet
//
solrQuery.addFacetField(SearchFields.PUBLICATION_STATUS);
// ----------------------------------------------------
if (au.isSuperuser()) {
return dangerZoneNoSolrJoin;
}
// ----------------------------------------------------
if (onlyDatatRelatedToMe == true) {
if (systemConfig.myDataDoesNotUsePermissionDocs()) {
logger.fine("old 4.2 behavior: MyData is not using Solr permission docs");
return dangerZoneNoSolrJoin;
} else {
logger.fine("new post-4.2 behavior: MyData is using Solr permission docs");
}
}
// ----------------------------------------------------
// (5) Work with Authenticated User who is not a Superuser
// ----------------------------------------------------
/**
* @todo all this code needs cleanup and clarification.
*/
/**
* Every AuthenticatedUser is part of a "User Private Group" (UGP), a
* concept we borrow from RHEL:
* https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-Managing_Users_and_Groups.html#s2-users-groups-private-groups
*/
/**
* @todo rename this from publicPlusUserPrivateGroup. Confusing
*/
// safe default: public only
String publicPlusUserPrivateGroup = publicOnly;
// + (onlyDatatRelatedToMe ? "" : (publicOnly + " OR "))
// + "{!join from=" + SearchFields.GROUPS + " to=" + SearchFields.PERMS + "}id:" + IndexServiceBean.getGroupPerUserPrefix() + au.getId() + ")";
// /**
// * @todo add onlyDatatRelatedToMe option into the experimental JOIN
// * before enabling it.
// */
/**
* From a search perspective, we don't care about if the group was
* created within one dataverse or another. We just want a list of *all*
* the groups the user is part of. We are greedy. We want all BuiltIn
* Groups, Shibboleth Groups, IP Groups, "system" groups, everything.
*
* A JOIN on "permission documents" will determine if the user can find
* a given "content document" (dataset version, etc) in Solr.
*/
String groupsFromProviders = "";
Set<Group> groups = groupService.collectAncestors(groupService.groupsFor(dataverseRequest));
StringBuilder sb = new StringBuilder();
for (Group group : groups) {
logger.fine("found group " + group.getIdentifier() + " with alias " + group.getAlias());
String groupAlias = group.getAlias();
if (groupAlias != null && !groupAlias.isEmpty()) {
sb.append(" OR ");
// i.e. group_builtIn/all-users, group_builtIn/authenticated-users, group_1-explictGroup1, group_shib/2
sb.append(IndexServiceBean.getGroupPrefix() + groupAlias);
}
}
groupsFromProviders = sb.toString();
logger.fine(groupsFromProviders);
if (true) {
/**
* @todo get rid of "experimental" in name
*/
String experimentalJoin = "{!join from=" + SearchFields.DEFINITION_POINT + " to=id}" + SearchFields.DISCOVERABLE_BY + ":(" + IndexServiceBean.getPublicGroupString() + " OR " + IndexServiceBean.getGroupPerUserPrefix() + au.getId() + groupsFromProviders + ")";
publicPlusUserPrivateGroup = experimentalJoin;
}
// permissionFilterQuery = publicPlusUserPrivateGroup;
logger.fine(publicPlusUserPrivateGroup);
return publicPlusUserPrivateGroup;
}
Also used :
GuestUser(edu.harvard.iq.dataverse.authorization.users.GuestUser)
Group(edu.harvard.iq.dataverse.authorization.groups.Group)
AuthenticatedUser(edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser)
User(edu.harvard.iq.dataverse.authorization.users.User)
PrivateUrlUser(edu.harvard.iq.dataverse.authorization.users.PrivateUrlUser)
GuestUser(edu.harvard.iq.dataverse.authorization.users.GuestUser)
PrivateUrlUser(edu.harvard.iq.dataverse.authorization.users.PrivateUrlUser)
AuthenticatedUser(edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser)
Example 5 with Group
use of edu.harvard.iq.dataverse.authorization.groups.Group in project dataverse by IQSS.
the class PermissionServiceBean method getDataversesUserHasPermissionOn.
/**
* Go from (User, Permission) to a list of Dataverse objects that the user
* has the permission on.
*
* @param user
* @param permission
* @return The list of dataverses {@code user} has permission {@code permission} on.
*/
public List<Dataverse> getDataversesUserHasPermissionOn(AuthenticatedUser user, Permission permission) {
Set<Group> groups = groupService.groupsFor(user);
String identifiers = GroupUtil.getAllIdentifiersForUser(user, groups);
/**
* @todo Are there any strings in identifiers that would break this SQL
* query?
*/
String query = "SELECT id FROM dvobject WHERE dtype = 'Dataverse' and id in (select definitionpoint_id from roleassignment where assigneeidentifier in (" + identifiers + "));";
logger.log(Level.FINE, "query: {0}", query);
Query nativeQuery = em.createNativeQuery(query);
List<Integer> dataverseIdsToCheck = nativeQuery.getResultList();
List<Dataverse> dataversesUserHasPermissionOn = new LinkedList<>();
for (int dvIdAsInt : dataverseIdsToCheck) {
Dataverse dataverse = dataverseService.find(Long.valueOf(dvIdAsInt));
if (userOn(user, dataverse).has(permission)) {
dataversesUserHasPermissionOn.add(dataverse);
}
}
return dataversesUserHasPermissionOn;
}
Also used :
Group(edu.harvard.iq.dataverse.authorization.groups.Group)
Query(javax.persistence.Query)
LinkedList(java.util.LinkedList)
Aggregations
Group (edu.harvard.iq.dataverse.authorization.groups.Group)8
AuthenticatedUser (edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser)3
ArrayList (java.util.ArrayList)3
Permission (edu.harvard.iq.dataverse.authorization.Permission)2
GuestUser (edu.harvard.iq.dataverse.authorization.users.GuestUser)2
User (edu.harvard.iq.dataverse.authorization.users.User)2
RoleAssignment (edu.harvard.iq.dataverse.RoleAssignment)1
ExplicitGroup (edu.harvard.iq.dataverse.authorization.groups.impl.explicit.ExplicitGroup)1
PrivateUrlUser (edu.harvard.iq.dataverse.authorization.users.PrivateUrlUser)1
LinkedList (java.util.LinkedList)1
Query (javax.persistence.Query)1
