use of org.candlepin.common.exceptions.ForbiddenException in project candlepin by candlepin.
the class ConsumerResource method getHost.
@ApiOperation(notes = "Retrieves a Host Consumer of a Consumer", value = "getHost")
@ApiResponses({ @ApiResponse(code = 404, message = "") })
@GET
@Produces(MediaType.APPLICATION_JSON)
@Path("/{consumer_uuid}/host")
public ConsumerDTO getHost(@PathParam("consumer_uuid") @Verify(Consumer.class) String consumerUuid, @Context Principal principal) {
Consumer consumer = consumerCurator.verifyAndLookupConsumer(consumerUuid);
if (consumer.getFact("virt.uuid") == null || consumer.getFact("virt.uuid").trim().equals("")) {
throw new BadRequestException(i18n.tr("The system with UUID {0} is not a virtual guest.", consumer.getUuid()));
}
Consumer host = consumerCurator.getHost(consumer);
Owner hostOwner = ownerCurator.findOwnerById(host.getOwnerId());
// current organization.
if (host == null || principal.canAccess(hostOwner, SubResource.CONSUMERS, Access.READ_ONLY)) {
return translator.translate(host, ConsumerDTO.class);
}
throw new ForbiddenException(i18n.tr("This host is under a different organization that you do not have access to"));
}
use of org.candlepin.common.exceptions.ForbiddenException in project candlepin by candlepin.
the class OwnerProductResource method removeBatchContent.
@ApiOperation(notes = "Adds one or more Content entities to a Product", value = "addBatchContent")
@DELETE
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@Path("/{product_id}/batch_content")
@Transactional
public ProductDTO removeBatchContent(@PathParam("owner_key") String ownerKey, @PathParam("product_id") String productId, @ApiParam(name = "content", required = true) List<String> contentIds) {
Owner owner = this.getOwnerByKey(ownerKey);
Product product = this.fetchProduct(owner, productId);
if (product.isLocked()) {
throw new ForbiddenException(i18n.tr("product \"{0}\" is locked", product.getId()));
}
this.productCurator.lock(product);
ProductDTO pdto = this.translator.translate(product, ProductDTO.class);
// Impl note:
// This is a wholely inefficient way of doing this. When we return to using ID-based linking
// and we're not linking the universe with our model, we can just attach the IDs directly
// without needing all this DTO conversion back and forth.
// Alternatively, we can shut off Hibernate's auto-commit junk and get in the habit of
// calling commit methods as necessary so we don't have to work with DTOs internally.
boolean changed = false;
for (String contentId : contentIds) {
changed |= pdto.removeContent(contentId);
}
if (changed) {
product = this.productManager.updateProduct(pdto, owner, true);
}
return this.translator.translate(product, ProductDTO.class);
}
use of org.candlepin.common.exceptions.ForbiddenException in project candlepin by candlepin.
the class OwnerProductResource method updateProduct.
@ApiOperation(notes = "Updates a Product", value = "updateProduct")
@ApiResponses({ @ApiResponse(code = 400, message = "") })
@PUT
@Path("/{product_id}")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
@Transactional
public ProductDTO updateProduct(@PathParam("owner_key") String ownerKey, @PathParam("product_id") String productId, @ApiParam(name = "update", required = true) ProductDTO update) {
if (StringUtils.isEmpty(update.getId())) {
update.setId(productId);
} else if (!StringUtils.equals(update.getId(), productId)) {
throw new BadRequestException(i18n.tr("Contradictory ids in update request: {0}, {1}", productId, update.getId()));
}
Owner owner = this.getOwnerByKey(ownerKey);
Product existing = this.fetchProduct(owner, productId);
if (existing.isLocked()) {
throw new ForbiddenException(i18n.tr("product \"{0}\" is locked", existing.getId()));
}
this.productCurator.lock(existing);
Product updated = this.productManager.updateProduct(update, owner, true);
return this.translator.translate(updated, ProductDTO.class);
}
use of org.candlepin.common.exceptions.ForbiddenException in project candlepin by candlepin.
the class PoolResource method list.
/**
* @deprecated Use the method on /owners
* @return List of pools
*/
@ApiOperation(notes = "Retrieves a list of Pools @deprecated Use the method on /owners", value = "")
@ApiResponses({ @ApiResponse(code = 400, message = "if both consumer(unit) and owner are given, or if a" + " product id is specified without a consumer(unit) or owner"), @ApiResponse(code = 404, message = "if a specified consumer(unit) or owner is not found"), @ApiResponse(code = 403, message = "") })
@GET
@Produces(MediaType.APPLICATION_JSON)
@Wrapped(element = "pools")
@Deprecated
@SecurityHole
public List<PoolDTO> list(@QueryParam("owner") String ownerId, @QueryParam("consumer") String consumerUuid, @QueryParam("product") String productId, @ApiParam("Use with consumerUuid to list all pools available to the consumer. " + "This will include pools which would otherwise be omitted due to a rules" + " warning. (i.e. not recommended) Pools that trigger an error however will" + " still be omitted. (no entitlements available, consumer type mismatch, etc)") @QueryParam("listall") @DefaultValue("false") boolean listAll, @ApiParam("Uses ISO 8601 format") @QueryParam("activeon") String activeOn, @Context Principal principal, @Context PageRequest pageRequest) {
// Make sure we were given sane query parameters:
if (consumerUuid != null && ownerId != null) {
throw new BadRequestException(i18n.tr("Cannot filter on both owner and unit"));
}
if (consumerUuid == null && ownerId == null && productId != null) {
throw new BadRequestException(i18n.tr("A unit or owner is needed to filter on product"));
}
Date activeOnDate = activeOn != null ? ResourceDateParser.parseDateString(activeOn) : new Date();
Consumer c = null;
String oId = null;
if (consumerUuid != null) {
c = consumerCurator.findByUuid(consumerUuid);
if (c == null) {
throw new NotFoundException(i18n.tr("Unit: {0} not found", consumerUuid));
}
// Now that we have a consumer, check that this principal can access it:
if (!principal.canAccess(c, SubResource.NONE, Access.READ_ONLY)) {
throw new ForbiddenException(i18n.tr("User {0} cannot access unit {1}", principal.getPrincipalName(), consumerUuid));
}
if (listAll) {
oId = c.getOwnerId();
}
}
if (ownerId != null) {
Owner o = ownerCurator.secureFind(ownerId);
if (o == null) {
throw new NotFoundException(i18n.tr("owner: {0}", ownerId));
}
oId = o.getId();
// Now that we have an owner, check that this principal can access it:
if (!principal.canAccess(o, SubResource.POOLS, Access.READ_ONLY)) {
throw new ForbiddenException(i18n.tr("User {0} cannot access owner {1}", principal.getPrincipalName(), o.getKey()));
}
}
// the system).
if (consumerUuid == null && ownerId == null && !principal.hasFullAccess()) {
throw new ForbiddenException(i18n.tr("User {0} cannot access all pools.", principal.getPrincipalName()));
}
Page<List<Pool>> page = poolManager.listAvailableEntitlementPools(c, null, oId, productId, null, activeOnDate, listAll, new PoolFilterBuilder(), pageRequest, false, false, null);
List<Pool> poolList = page.getPageData();
calculatedAttributesUtil.setCalculatedAttributes(poolList, activeOnDate);
calculatedAttributesUtil.setQuantityAttributes(poolList, c, activeOnDate);
// Store the page for the LinkHeaderResponseFilter
ResteasyProviderFactory.pushContext(Page.class, page);
List<PoolDTO> poolDTOs = new ArrayList<>();
for (Pool pool : poolList) {
poolDTOs.add(translator.translate(pool, PoolDTO.class));
}
return poolDTOs;
}
use of org.candlepin.common.exceptions.ForbiddenException in project candlepin by candlepin.
the class PoolResource method getPool.
@ApiOperation(notes = "Retrieves a single Pool", value = "getPool")
@ApiResponses({ @ApiResponse(code = 404, message = "if the pool with the specified id is not found"), @ApiResponse(code = 404, message = "") })
@GET
@Path("/{pool_id}")
@Produces(MediaType.APPLICATION_JSON)
public PoolDTO getPool(@PathParam("pool_id") @Verify(Pool.class) String id, @QueryParam("consumer") String consumerUuid, @ApiParam("Uses ISO 8601 format") @QueryParam("activeon") String activeOn, @Context Principal principal) {
Pool toReturn = poolManager.find(id);
Consumer c = null;
if (consumerUuid != null) {
c = consumerCurator.findByUuid(consumerUuid);
if (c == null) {
throw new NotFoundException(i18n.tr("consumer: {0} not found", consumerUuid));
}
if (!principal.canAccess(c, SubResource.NONE, Access.READ_ONLY)) {
throw new ForbiddenException(i18n.tr("User {0} cannot access consumer {1}", principal.getPrincipalName(), c.getUuid()));
}
}
if (toReturn != null) {
Date activeOnDate = new Date();
if (activeOn != null) {
activeOnDate = ResourceDateParser.parseDateString(activeOn);
}
toReturn.setCalculatedAttributes(calculatedAttributesUtil.buildCalculatedAttributes(toReturn, activeOnDate));
calculatedAttributesUtil.setQuantityAttributes(toReturn, c, activeOnDate);
return translator.translate(toReturn, PoolDTO.class);
}
throw new NotFoundException(i18n.tr("Subscription Pool with ID \"{0}\" could not be found.", id));
}
Aggregations