use of edu.harvard.iq.dataverse.authorization.groups.Group in project dataverse by IQSS.
the class PermissionServiceBean method permissionsFor.
/**
 * Computes the permissions a role assignee (user or group) holds on a
 * dataverse object, combining direct assignments with those inherited
 * through group membership.
 *
 * <p>Request-level groups are not consulted here, so the result reflects only
 * the groups returned by {@code groupService.groupsFor(ra, dvo)}. Callers
 * making an access decision for a live request should confirm whether
 * request-level groups need to be handled separately.
 *
 * @param ra The role assignee.
 * @param dvo The {@link DvObject} on which the user wants to operate
 * @return the set of permissions {@code ra} has over {@code dvo}.
 */
public Set<Permission> permissionsFor(RoleAssignee ra, DvObject dvo) {
    // Start with what was granted to the assignee directly.
    Set<Permission> granted = EnumSet.noneOf(Permission.class);
    granted.addAll(permissionsForSingleRoleAssignee(ra, dvo));

    // Union in the permissions of every group the assignee belongs to.
    for (Group membership : groupService.groupsFor(ra, dvo)) {
        granted.addAll(permissionsForSingleRoleAssignee(membership, dvo));
    }

    // This filter runs after the union on purpose: an unauthenticated user must
    // not keep an authenticated-only permission, whether it came from a direct
    // assignment or from one of the groups above.
    boolean unauthenticatedUser = (ra instanceof User) && !((User) ra).isAuthenticated();
    if (unauthenticatedUser) {
        granted.removeAll(PERMISSIONS_FOR_AUTHENTICATED_USERS_ONLY);
    }
    return granted;
}
use of edu.harvard.iq.dataverse.authorization.groups.Group in project dataverse by IQSS.
the class SearchPermissionsServiceBean method getIndexableStringForUserOrGroup.
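/**
 * Builds the string indexed in Solr to identify a user or group.
 *
 * <p>From a Solr perspective we can't just index any string when we go to do
 * the JOIN to enforce security. (Maybe putting quotes around the string at
 * search time would allow this.) For users, we index the primary key from
 * the AuthenticatedUsers table. For groups we index the "alias", which
 * should be globally unique because non-builtin groups have a sort of
 * name space with "shib/2" and "ip/ipGroup3", for example.
 *
 * <p>Because the JOIN on this value is what enforces permissions, the value
 * must identify exactly one assignee. A missing primary key or alias
 * therefore yields {@code null} rather than a string ending in the literal
 * text "null", which every assignee lacking that value would share.
 *
 * @param userOrGroup the role assignee to build the string for
 * @return the prefixed primary key for an {@link AuthenticatedUser}, the
 *         prefixed alias for a {@link Group}, or {@code null} when the
 *         assignee is of another type or has no key/alias
 */
private String getIndexableStringForUserOrGroup(RoleAssignee userOrGroup) {
    if (userOrGroup instanceof AuthenticatedUser) {
        logger.fine(userOrGroup.getIdentifier() + " must be a user: " + userOrGroup.getClass().getName());
        AuthenticatedUser au = (AuthenticatedUser) userOrGroup;
        // Strong preference to index based on system generated value (e.g. primary key) whenever possible: https://github.com/IQSS/dataverse/issues/1151
        Long primaryKey = au.getId();
        if (primaryKey == null) {
            // Concatenating a null Long would produce "<prefix>null"; mirror the
            // null-alias handling of the group branch instead.
            logger.fine("Could not find primary key for " + au.getIdentifier());
            return null;
        }
        return IndexServiceBean.getGroupPerUserPrefix() + primaryKey;
    }

    if (userOrGroup instanceof Group) {
        logger.fine(userOrGroup.getIdentifier() + " must be a group: " + userOrGroup.getClass().getName());
        Group group = (Group) userOrGroup;
        String groupAlias = group.getAlias();
        logger.fine("group: " + groupAlias);
        if (groupAlias == null) {
            logger.fine("Could not find group alias for " + group.getIdentifier());
            return null;
        }
        return IndexServiceBean.getGroupPrefix() + groupAlias;
    }

    // Neither an authenticated user nor a group: nothing to index.
    return null;
}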
use of edu.harvard.iq.dataverse.authorization.groups.Group in project dataverse by IQSS.
the class DataverseUserPage method getRoleStringFromUser.
/**
 * Builds a display string of the role names a user holds on a dataverse
 * object, covering both direct assignments and assignments made to the
 * groups the user belongs to.
 *
 * @param au the authenticated user whose roles are listed
 * @param dvObj the dataverse/dataset the roles apply to
 * @return the role names joined with "/", or "[Unknown]" when no role
 *         assignment was found
 */
private String getRoleStringFromUser(AuthenticatedUser au, DvObject dvObj) {
    // Roles assigned directly to the user on this dataverse/dataset.
    // NOTE(review): the set returned by assignmentsFor is extended in place
    // below; confirm the service hands out a private, mutable copy.
    Set<RoleAssignment> assignments = permissionService.assignmentsFor(au, dvObj);

    // Merge in the assignments held by each of the user's groups.
    for (Group membership : groupService.groupsFor(au, dvObj)) {
        assignments.addAll(permissionService.assignmentsFor(membership, dvObj));
    }

    // One name per assignment; the same role reached directly and through a
    // group is listed once per assignment.
    List<String> names = new ArrayList<>();
    for (RoleAssignment assignment : assignments) {
        names.add(assignment.getRole().getName());
    }

    return names.isEmpty() ? "[Unknown]" : StringUtils.join(names, "/");
}