Examples with USERS_EDIT org.graylog2.shared.security.RestPermissions.USERS_EDIT used on opensource projects

Example 1 with USERS_EDIT

use of org.graylog2.shared.security.RestPermissions.USERS_EDIT in project graylog2-server by Graylog2.

the class EntitySharesResource method get.

@GET
@ApiOperation(value = "Return shares for a user")
@Path("user/{userId}")
public PaginatedResponse<EntityDescriptor> get(@ApiParam(name = "pagination parameters") @BeanParam PaginationParameters paginationParameters, @ApiParam(name = "userId", required = true) @PathParam("userId") @NotBlank String userId, @ApiParam(name = "capability") @QueryParam("capability") @DefaultValue("") String capabilityFilter, @ApiParam(name = "entity_type") @QueryParam("entity_type") @DefaultValue("") String entityTypeFilter) {
    final User user = userService.loadById(userId);
    if (user == null) {
        throw new NotFoundException("Couldn't find user <" + userId + ">");
    }
    if (!isPermitted(USERS_EDIT, user.getName())) {
        throw new ForbiddenException("Couldn't access user <" + userId + ">");
    }
    final GranteeSharesService.SharesResponse response = granteeSharesService.getPaginatedSharesFor(grnRegistry.ofUser(user), paginationParameters, capabilityFilter, entityTypeFilter);
    return PaginatedResponse.create("entities", response.paginatedEntities(), Collections.singletonMap("grantee_capabilities", response.capabilities()));
}

Example 2 with USERS_EDIT

use of org.graylog2.shared.security.RestPermissions.USERS_EDIT in project graylog2-server by Graylog2.

the class UsersResource method changeUser.

@PUT
@Path("{userId}")
@ApiOperation("Modify user details.")
@ApiResponses({ @ApiResponse(code = 400, message = "Attempted to modify a read only user account (e.g. built-in or LDAP users)."), @ApiResponse(code = 400, message = "Missing or invalid user details.") })
@AuditEvent(type = AuditEventTypes.USER_UPDATE)
public void changeUser(@ApiParam(name = "userId", value = "The ID of the user to modify.", required = true) @PathParam("userId") String userId, @ApiParam(name = "JSON body", value = "Updated user information.", required = true) @Valid @NotNull ChangeUserRequest cr) throws ValidationException {
    final User user = loadUserById(userId);
    final String username = user.getName();
    checkPermission(USERS_EDIT, username);
    if (user.isReadOnly()) {
        throw new BadRequestException("Cannot modify readonly user " + username);
    }
    // We only allow setting a subset of the fields in ChangeUserRequest
    if (!user.isExternalUser()) {
        if (cr.email() != null) {
            user.setEmail(cr.email());
        }
        if (cr.firstName() != null && cr.lastName() != null) {
            user.setFirstLastFullNames(cr.firstName(), cr.lastName());
        }
    }
    final boolean permitted = isPermitted(USERS_PERMISSIONSEDIT, user.getName());
    if (permitted && cr.permissions() != null) {
        user.setPermissions(getEffectiveUserPermissions(user, cr.permissions()));
    }
    if (isPermitted(USERS_ROLESEDIT, user.getName())) {
        setUserRoles(cr.roles(), user);
    }
    final String timezone = cr.timezone();
    if (timezone == null) {
        user.setTimeZone((String) null);
    } else {
        try {
            if (timezone.isEmpty()) {
                user.setTimeZone((String) null);
            } else {
                final DateTimeZone tz = DateTimeZone.forID(timezone);
                user.setTimeZone(tz);
            }
        } catch (IllegalArgumentException e) {
            LOG.error("Invalid timezone '{}', ignoring it for user {}.", timezone, username);
        }
    }
    final Startpage startpage = cr.startpage();
    if (startpage != null) {
        user.setStartpage(startpage.type(), startpage.id());
    }
    if (isPermitted("*")) {
        final Long sessionTimeoutMs = cr.sessionTimeoutMs();
        if (sessionTimeoutMs != null && sessionTimeoutMs != 0) {
            user.setSessionTimeoutMs(sessionTimeoutMs);
        }
    }
    userManagementService.update(user, cr);
}

Example 3 with USERS_EDIT

use of org.graylog2.shared.security.RestPermissions.USERS_EDIT in project graylog2-server by Graylog2.

the class UsersResource method getbyId.

@GET
@Path("id/{userId}")
@ApiOperation(value = "Get user details by userId", notes = "The user's permissions are only included if a user asks for his " + "own account or for users with the necessary permissions to edit permissions.")
@ApiResponses({ @ApiResponse(code = 404, message = "The user could not be found.") })
public UserSummary getbyId(@ApiParam(name = "userId", value = "The userId to return information for.", required = true) @PathParam("userId") String userId, @Context UserContext userContext) {
    final User user = loadUserById(userId);
    final String username = user.getName();
    // Reader users always have permissions to edit their own profile.
    if (!isPermitted(USERS_EDIT, username)) {
        throw new ForbiddenException("Not allowed to view userId " + userId);
    }
    return returnSummary(userContext, user);
}