use of edu.harvard.iq.dataverse.authorization.users.GuestUser in project dataverse by IQSS.
the class RoleAssigneeServiceBean method setup.
@PostConstruct
protected void setup() {
GuestUser gu = GuestUser.get();
predefinedRoleAssignees.put(gu.getIdentifier(), gu);
predefinedRoleAssignees.put(AuthenticatedUsers.get().getIdentifier(), AuthenticatedUsers.get());
predefinedRoleAssignees.put(AllUsers.get().getIdentifier(), AllUsers.get());
}
use of edu.harvard.iq.dataverse.authorization.users.GuestUser in project dataverse by IQSS.
the class SearchServiceBean method getPermissionFilterQuery.
/**
* Moved this logic out of the "search" function
*
* @return
*/
private String getPermissionFilterQuery(DataverseRequest dataverseRequest, SolrQuery solrQuery, Dataverse dataverse, boolean onlyDatatRelatedToMe) {
User user = dataverseRequest.getUser();
if (user == null) {
throw new NullPointerException("user cannot be null");
}
if (solrQuery == null) {
throw new NullPointerException("solrQuery cannot be null");
}
/**
* @todo For people who are not logged in, should we show stuff indexed
* with "AllUsers" group or not? If so, uncomment the allUsersString
* stuff below.
*/
// String allUsersString = IndexServiceBean.getGroupPrefix() + AllUsers.get().getAlias();
// String publicOnly = "{!join from=" + SearchFields.DEFINITION_POINT + " to=id}" + SearchFields.DISCOVERABLE_BY + ":(" + IndexServiceBean.getPublicGroupString() + " OR " + allUsersString + ")";
String publicOnly = "{!join from=" + SearchFields.DEFINITION_POINT + " to=id}" + SearchFields.DISCOVERABLE_BY + ":(" + IndexServiceBean.getPublicGroupString() + ")";
// String publicOnly = "{!join from=" + SearchFields.GROUPS + " to=" + SearchFields.PERMS + "}id:" + IndexServiceBean.getPublicGroupString();
// initialize to public only to be safe
String dangerZoneNoSolrJoin = null;
if (user instanceof PrivateUrlUser) {
user = GuestUser.get();
}
// ----------------------------------------------------
if (user instanceof GuestUser) {
String groupsFromProviders = "";
Set<Group> groups = groupService.collectAncestors(groupService.groupsFor(dataverseRequest));
StringBuilder sb = new StringBuilder();
for (Group group : groups) {
logger.fine("found group " + group.getIdentifier() + " with alias " + group.getAlias());
String groupAlias = group.getAlias();
if (groupAlias != null && !groupAlias.isEmpty()) {
sb.append(" OR ");
// i.e. group_builtIn/all-users, ip/ipGroup3
sb.append(IndexServiceBean.getGroupPrefix()).append(groupAlias);
}
}
groupsFromProviders = sb.toString();
logger.fine("groupsFromProviders:" + groupsFromProviders);
String guestWithGroups = "{!join from=" + SearchFields.DEFINITION_POINT + " to=id}" + SearchFields.DISCOVERABLE_BY + ":(" + IndexServiceBean.getPublicGroupString() + groupsFromProviders + ")";
logger.fine(guestWithGroups);
return guestWithGroups;
}
// ----------------------------------------------------
if (!(user instanceof AuthenticatedUser)) {
logger.severe("Should never reach here. A User must be an AuthenticatedUser or a Guest");
throw new IllegalStateException("A User must be an AuthenticatedUser or a Guest");
}
AuthenticatedUser au = (AuthenticatedUser) user;
// Logged in user, has publication status facet
//
solrQuery.addFacetField(SearchFields.PUBLICATION_STATUS);
// ----------------------------------------------------
if (au.isSuperuser()) {
return dangerZoneNoSolrJoin;
}
// ----------------------------------------------------
if (onlyDatatRelatedToMe == true) {
if (systemConfig.myDataDoesNotUsePermissionDocs()) {
logger.fine("old 4.2 behavior: MyData is not using Solr permission docs");
return dangerZoneNoSolrJoin;
} else {
logger.fine("new post-4.2 behavior: MyData is using Solr permission docs");
}
}
// ----------------------------------------------------
// (5) Work with Authenticated User who is not a Superuser
// ----------------------------------------------------
/**
* @todo all this code needs cleanup and clarification.
*/
/**
* Every AuthenticatedUser is part of a "User Private Group" (UGP), a
* concept we borrow from RHEL:
* https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-Managing_Users_and_Groups.html#s2-users-groups-private-groups
*/
/**
* @todo rename this from publicPlusUserPrivateGroup. Confusing
*/
// safe default: public only
String publicPlusUserPrivateGroup = publicOnly;
// + (onlyDatatRelatedToMe ? "" : (publicOnly + " OR "))
// + "{!join from=" + SearchFields.GROUPS + " to=" + SearchFields.PERMS + "}id:" + IndexServiceBean.getGroupPerUserPrefix() + au.getId() + ")";
// /**
// * @todo add onlyDatatRelatedToMe option into the experimental JOIN
// * before enabling it.
// */
/**
* From a search perspective, we don't care about if the group was
* created within one dataverse or another. We just want a list of *all*
* the groups the user is part of. We are greedy. We want all BuiltIn
* Groups, Shibboleth Groups, IP Groups, "system" groups, everything.
*
* A JOIN on "permission documents" will determine if the user can find
* a given "content document" (dataset version, etc) in Solr.
*/
String groupsFromProviders = "";
Set<Group> groups = groupService.collectAncestors(groupService.groupsFor(dataverseRequest));
StringBuilder sb = new StringBuilder();
for (Group group : groups) {
logger.fine("found group " + group.getIdentifier() + " with alias " + group.getAlias());
String groupAlias = group.getAlias();
if (groupAlias != null && !groupAlias.isEmpty()) {
sb.append(" OR ");
// i.e. group_builtIn/all-users, group_builtIn/authenticated-users, group_1-explictGroup1, group_shib/2
sb.append(IndexServiceBean.getGroupPrefix() + groupAlias);
}
}
groupsFromProviders = sb.toString();
logger.fine(groupsFromProviders);
if (true) {
/**
* @todo get rid of "experimental" in name
*/
String experimentalJoin = "{!join from=" + SearchFields.DEFINITION_POINT + " to=id}" + SearchFields.DISCOVERABLE_BY + ":(" + IndexServiceBean.getPublicGroupString() + " OR " + IndexServiceBean.getGroupPerUserPrefix() + au.getId() + groupsFromProviders + ")";
publicPlusUserPrivateGroup = experimentalJoin;
}
// permissionFilterQuery = publicPlusUserPrivateGroup;
logger.fine(publicPlusUserPrivateGroup);
return publicPlusUserPrivateGroup;
}
use of edu.harvard.iq.dataverse.authorization.users.GuestUser in project dataverse by IQSS.
the class WorldMapPermissionHelper method canUserSeeExploreWorldMapButton.
/**
* WARNING: Before calling this, make sure the user has download
* permission for the file!! (See DatasetPage.canDownloadFile())
*
* Should there be a Explore WorldMap Button for this file?
* See table in: https://github.com/IQSS/dataverse/issues/1618
*
* (1) Does the file have MapLayerMetadata?
* (2) Are the proper settings in place
*
* @param fm FileMetadata
* @return boolean
*/
private boolean canUserSeeExploreWorldMapButton(FileMetadata fm, boolean permissionsChecked) {
if (fm == null) {
return false;
}
// This is only here to make the public method users think...
if (!permissionsChecked) {
return false;
}
if (this.fileMetadataWorldMapExplore.containsKey(fm.getId())) {
// logger.info("using cached result for candownloadfile on filemetadata "+fid);
return this.fileMetadataWorldMapExplore.get(fm.getId());
}
/* -----------------------------------------------------
Does a Map Exist?
----------------------------------------------------- */
if (!(this.hasMapLayerMetadata(fm))) {
// See if it does
MapLayerMetadata layer_metadata = mapLayerMetadataService.findMetadataByDatafile(fm.getDataFile());
if (layer_metadata != null) {
if (mapLayerMetadataLookup == null) {
loadMapLayerMetadataLookup(fm.getDataFile().getOwner());
}
// yes: keep going...
mapLayerMetadataLookup.put(layer_metadata.getDataFile().getId(), layer_metadata);
} else {
// Nope: no button
this.fileMetadataWorldMapExplore.put(fm.getId(), false);
return false;
}
}
/*
Is setting for GeoconnectViewMaps true?
Nope? no button
*/
if (!settingsWrapper.isTrueForKey(SettingsServiceBean.Key.GeoconnectViewMaps, false)) {
this.fileMetadataWorldMapExplore.put(fm.getId(), false);
return false;
}
if (fm.getDatasetVersion().isDeaccessioned()) {
if (this.doesSessionUserHavePermission(Permission.EditDataset, fm)) {
// Yes, save answer and return true
this.fileMetadataWorldMapExplore.put(fm.getId(), true);
return true;
} else {
this.fileMetadataWorldMapExplore.put(fm.getId(), false);
return false;
}
}
// Check for restrictions
boolean isRestrictedFile = fm.isRestricted();
// --------------------------------------------------------------------
if (!isRestrictedFile) {
// Yes, save answer and return true
this.fileMetadataWorldMapExplore.put(fm.getId(), true);
return true;
}
if (session.getUser() instanceof GuestUser) {
this.fileMetadataWorldMapExplore.put(fm.getId(), false);
return false;
}
if (!this.doesSessionUserHavePermission(Permission.DownloadFile, fm)) {
// Yes, save answer and return true
this.fileMetadataWorldMapExplore.put(fm.getId(), false);
return false;
}
/* -----------------------------------------------------
Yes: User can view button!
----------------------------------------------------- */
this.fileMetadataWorldMapExplore.put(fm.getId(), true);
return true;
}
use of edu.harvard.iq.dataverse.authorization.users.GuestUser in project dataverse by IQSS.
the class Access method isAccessAuthorized.
private boolean isAccessAuthorized(DataFile df, String apiToken) {
// First, check if the file belongs to a released Dataset version:
boolean published = false;
if (df.getOwner().getReleasedVersion() != null) {
// logger.fine("file belongs to a dataset with a released version.");
if (df.getOwner().getReleasedVersion().getFileMetadatas() != null) {
// logger.fine("going through the list of filemetadatas that belong to the released version.");
for (FileMetadata fm : df.getOwner().getReleasedVersion().getFileMetadatas()) {
if (df.equals(fm.getDataFile())) {
// logger.fine("found a match!");
published = true;
}
}
}
}
// TODO: (IMPORTANT!)
// Business logic like this should NOT be maintained in individual
// application fragments.
// At the moment it is duplicated here, and inside the Dataset page.
// There are also stubs for file-level permission lookups and caching
// inside Gustavo's view-scoped PermissionsWrapper.
// All this logic needs to be moved to the PermissionServiceBean where it will be
// centrally maintained; with the PermissionsWrapper providing
// efficient cached lookups to the pages (that often need to make
// repeated lookups on the same files). Care will need to be taken
// to preserve the slight differences in logic utilized by the page and
// this Access call (the page checks the restriction flag on the
// filemetadata, not the datafile - as it needs to reflect the permission
// status of the file in the version history).
// I will open a 4.[34] ticket.
//
// -- L.A. 4.2.1
// We don't need to check permissions on files that are
// from released Dataset versions and not restricted:
boolean restricted = false;
if (df.isRestricted()) {
restricted = true;
} else {
// !df.isReleased() really means just this: new file, only exists in a Draft version!
if (!df.isReleased()) {
if (df.getFileMetadata().isRestricted()) {
restricted = true;
}
}
}
if (!restricted) {
// be handled below)
if (published) {
return true;
}
}
User user = null;
if (session != null) {
if (session.getUser() != null) {
if (session.getUser().isAuthenticated()) {
user = session.getUser();
} else {
logger.fine("User associated with the session is not an authenticated user.");
if (session.getUser() instanceof PrivateUrlUser) {
logger.fine("User associated with the session is a PrivateUrlUser user.");
user = session.getUser();
}
if (session.getUser() instanceof GuestUser) {
logger.fine("User associated with the session is indeed a guest user.");
}
}
} else {
logger.fine("No user associated with the session.");
}
} else {
logger.fine("Session is null.");
}
User apiTokenUser = null;
if ((apiToken != null) && (apiToken.length() != 64)) {
try {
logger.fine("calling apiTokenUser = findUserOrDie()...");
apiTokenUser = findUserOrDie();
} catch (WrappedResponse wr) {
logger.log(Level.FINE, "Message from findUserOrDie(): {0}", wr.getMessage());
}
if (apiTokenUser == null) {
logger.warning("API token-based auth: Unable to find a user with the API token provided.");
}
}
if (!restricted) {
if (user != null) {
// used in JSF context
if (permissionService.requestOn(dvRequestService.getDataverseRequest(), df.getOwner()).has(Permission.ViewUnpublishedDataset)) {
// it's not unthinkable, that a null user (i.e., guest user) could be given
// the ViewUnpublished permission!
logger.log(Level.FINE, "Session-based auth: user {0} has access rights on the non-restricted, unpublished datafile.", user.getIdentifier());
return true;
}
}
if (apiTokenUser != null) {
// used in an API context
if (permissionService.requestOn(createDataverseRequest(apiTokenUser), df.getOwner()).has(Permission.ViewUnpublishedDataset)) {
logger.log(Level.FINE, "Session-based auth: user {0} has access rights on the non-restricted, unpublished datafile.", apiTokenUser.getIdentifier());
return true;
}
}
// Guset user is impled by the code above.
if (permissionService.requestOn(dvRequestService.getDataverseRequest(), df.getOwner()).has(Permission.ViewUnpublishedDataset)) {
return true;
}
// We don't want to return false just yet.
// If all else fails, we'll want to use the special WorldMapAuth
// token authentication before we give up.
// return false;
} else {
// OK, this is a restricted file.
boolean hasAccessToRestrictedBySession = false;
boolean hasAccessToRestrictedByToken = false;
if (permissionService.on(df).has(Permission.DownloadFile)) {
// Note: PermissionServiceBean.on(Datafile df) will obtain the
// User from the Session object, just like in the code fragment
// above. That's why it's not passed along as an argument.
hasAccessToRestrictedBySession = true;
} else if (apiTokenUser != null && permissionService.requestOn(createDataverseRequest(apiTokenUser), df).has(Permission.DownloadFile)) {
hasAccessToRestrictedByToken = true;
}
if (hasAccessToRestrictedBySession || hasAccessToRestrictedByToken) {
if (published) {
if (hasAccessToRestrictedBySession) {
if (user != null) {
logger.log(Level.FINE, "Session-based auth: user {0} is granted access to the restricted, published datafile.", user.getIdentifier());
} else {
logger.fine("Session-based auth: guest user is granted access to the restricted, published datafile.");
}
} else {
logger.log(Level.FINE, "Token-based auth: user {0} is granted access to the restricted, published datafile.", apiTokenUser.getIdentifier());
}
return true;
} else {
// user with the ViewUnpublished permission, or vice versa!
if (hasAccessToRestrictedBySession) {
if (permissionService.on(df.getOwner()).has(Permission.ViewUnpublishedDataset)) {
if (user != null) {
logger.log(Level.FINE, "Session-based auth: user {0} is granted access to the restricted, unpublished datafile.", user.getIdentifier());
} else {
logger.fine("Session-based auth: guest user is granted access to the restricted, unpublished datafile.");
}
return true;
}
} else {
if (apiTokenUser != null && permissionService.requestOn(createDataverseRequest(apiTokenUser), df.getOwner()).has(Permission.ViewUnpublishedDataset)) {
logger.log(Level.FINE, "Token-based auth: user {0} is granted access to the restricted, unpublished datafile.", apiTokenUser.getIdentifier());
return true;
}
}
}
}
}
if ((apiToken != null) && (apiToken.length() == 64)) {
/*
WorldMap token check
- WorldMap tokens are 64 chars in length
- Use the worldMapTokenServiceBean to verify token
and check permissions against the requested DataFile
*/
if (!(this.worldMapTokenServiceBean.isWorldMapTokenAuthorizedForDataFileDownload(apiToken, df))) {
return false;
}
// Yes! User may access file
//
logger.fine("WorldMap token-based auth: Token is valid for the requested datafile");
return true;
} else if ((apiToken != null) && (apiToken.length() != 64)) {
try {
logger.fine("calling user = findUserOrDie()...");
user = findUserOrDie();
} catch (WrappedResponse wr) {
logger.log(Level.FINE, "Message from findUserOrDie(): {0}", wr.getMessage());
}
if (user == null) {
logger.warning("API token-based auth: Unable to find a user with the API token provided.");
return false;
}
if (permissionService.requestOn(createDataverseRequest(user), df).has(Permission.DownloadFile)) {
if (published) {
logger.log(Level.FINE, "API token-based auth: User {0} has rights to access the datafile.", user.getIdentifier());
return true;
} else {
// unpublished versions:
if (permissionService.requestOn(createDataverseRequest(user), df.getOwner()).has(Permission.ViewUnpublishedDataset)) {
logger.log(Level.FINE, "API token-based auth: User {0} has rights to access the (unpublished) datafile.", user.getIdentifier());
return true;
} else {
logger.log(Level.FINE, "API token-based auth: User {0} is not authorized to access the (unpublished) datafile.", user.getIdentifier());
}
}
} else {
logger.log(Level.FINE, "API token-based auth: User {0} is not authorized to access the datafile.", user.getIdentifier());
}
return false;
}
if (user != null) {
logger.log(Level.FINE, "Session-based auth: user {0} has NO access rights on the requested datafile.", user.getIdentifier());
}
if (apiTokenUser != null) {
logger.log(Level.FINE, "Token-based auth: user {0} has NO access rights on the requested datafile.", apiTokenUser.getIdentifier());
}
if (user == null && apiTokenUser == null) {
logger.fine("Unauthenticated access: No guest access to the datafile.");
}
return false;
}
Aggregations