Use of org.mycore.access.mcrimpl.MCRAccessControlSystem in project mycore by MyCoRe-Org:
class MCRRestAPIUtil, method checkRestAPIAccess.
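/**
 * Checks whether the given REST API operation is allowed for the caller and
 * throws if it is not.
 *
 * The decision is made in two stages against the MyCoRe ACL system:
 * <ol>
 *   <li>the caller must have {@code permission} on the root ACL {@code restapi:/};</li>
 *   <li>if a rule exists for {@code restapi:<path>}, it must grant {@code permission}
 *       as well; if no path-specific rule is defined, the root decision stands.</li>
 * </ol>
 * The caller is identified by the username carried in the request's JSON web token.
 * Because the ACL system evaluates the user stored in the current session, that user
 * is temporarily swapped in and restored in a {@code finally} block, so the session
 * is left unchanged whether or not access is granted.
 *
 * This method fails closed: every path that does not explicitly grant access ends in
 * a {@code FORBIDDEN} {@link MCRRestAPIException}, including an unresolvable remote
 * address and a token naming a user unknown to {@link MCRUserManager}.
 *
 * @param request    the HTTP request; source of the authentication token and the remote address
 * @param permission the permission to check ("read" or "write")
 * @param path       the REST API path, e.g. {@code /v1/messages}; a missing leading slash is added
 *
 * @throws MCRRestAPIException with status {@code FORBIDDEN} if access is restricted
 */
public static void checkRestAPIAccess(HttpServletRequest request, MCRRestAPIACLPermission permission, String path) throws MCRRestAPIException {
    // The ACL system can only validate the user in the current session, so the REST API
    // user is swapped in for the duration of the check and restored afterwards (finally).
    MCRUserInformation oldUser = MCRSessionMgr.getCurrentSession().getUserInformation();
    try {
        String userID = MCRJSONWebTokenUtil.retrieveUsernameFromAuthenticationToken(request);
        if (userID != null) {
            if (MCRSystemUserInformation.getGuestInstance().getUserID().equals(userID)) {
                MCRSessionMgr.getCurrentSession().setUserInformation(MCRSystemUserInformation.getGuestInstance());
            } else {
                MCRUserInformation tokenUser = MCRUserManager.getUser(userID);
                if (tokenUser == null) {
                    // A token that names a user the user manager does not know must not
                    // lead to an ACL check against a null session user: deny explicitly.
                    // (Assumes getUser() returns null for unknown users — confirm.)
                    throw new MCRRestAPIException(Status.FORBIDDEN,
                        new MCRRestAPIError(MCRRestAPIError.CODE_ACCESS_DENIED, "REST-API action is not allowed.",
                            "The user '" + userID + "' named by the authentication token is unknown."));
                }
                MCRSessionMgr.getCurrentSession().setUserInformation(tokenUser);
            }
        }
        // NOTE(review): without a token the session user is left as-is while a null userID is
        // handed to the ACL system; confirm this is the intended anonymous/guest path.
        // NOTE(review): IP-bound rules are only as trustworthy as getRemoteAddr()'s handling of
        // proxy headers (e.g. X-Forwarded-For) — verify against the deployment's proxy setup.
        MCRIPAddress theIP = new MCRIPAddress(MCRFrontendUtil.getRemoteAddr(request));
        String thePath = path.startsWith("/") ? path : "/" + path;
        // Stage 1: the root ACL gates all REST API access.
        boolean hasAPIAccess = ((MCRAccessControlSystem) MCRAccessControlSystem.instance()).checkAccess("restapi:/", permission.toString(), userID, theIP);
        if (hasAPIAccess) {
            // Stage 2: a path-specific rule, if one is defined, must grant access as well.
            // With no such rule the root decision is final.
            MCRAccessRule rule = (MCRAccessRule) MCRAccessControlSystem.instance().getAccessRule("restapi:" + thePath, permission.toString());
            if (rule == null || rule.checkAccess(userID, new Date(), theIP)) {
                return;
            }
        }
    } catch (UnknownHostException ignored) {
        // The remote address could not be resolved, so IP-bound rules cannot be evaluated;
        // fall through to the deny below (fail closed).
    } finally {
        MCRSessionMgr.getCurrentSession().setUserInformation(oldUser);
    }
    throw new MCRRestAPIException(Status.FORBIDDEN, new MCRRestAPIError(MCRRestAPIError.CODE_ACCESS_DENIED, "REST-API action is not allowed.", "Check access right '" + permission + "' on ACLs 'restapi:/' and 'restapi:" + path + "'!"));
}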