diff src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorAnnotations.java @ 14:629e15b345aa
Permissions mostly work; more server-side checking is needed.
author | casties |
date | Fri, 13 Jul 2012 20:41:02 +0200 |
parents | 3599b29c393f |
children | 58357a4b86de |
--- a/src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorAnnotations.java Fri Jul 13 17:22:05 2012 +0200 
+++ b/src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorAnnotations.java Fri Jul 13 20:41:02 2012 +0200 
@@ -50,33 +50,30 @@
 // TODO: what to return without id - list of all annotations? 
- // TODO: what to do with authentication? 
- boolean authenticated = isAuthenticated(entity); 
- logger.debug("request authenticated=" + authenticated); 
+ // do authentication 
+ String authUser = this.checkAuthToken(entity); 
+ logger.debug("request authenticated=" + authUser); 
- Annotation annots = getAnnotationStore().getAnnotationById(id); 
- if (annots != null) { 
- // there should be only one 
- JSONObject result = createAnnotatorJson(annots); 
+ Annotation annot = getAnnotationStore().getAnnotationById(id); 
+ if (annot != null) { 
+ if (! annot.isActionAllowed("read", authUser)) { 
+ setStatus(Status.CLIENT_ERROR_FORBIDDEN, "Not Authorized!"); 
+ return null; 
+ } 
+ JSONObject result = createAnnotatorJson(annot, (authUser == null));
 logger.debug("sending:");
 logger.debug(result);
 return new JsonRepresentation(result);
 } else { 
- JSONArray results = new JSONArray(); 
- // annotator read request returns a list of annotation objects 
- logger.debug("sending:"); 
- logger.debug(results); 
- return new JsonRepresentation(results); 
+ // not found 
+ setStatus(Status.CLIENT_ERROR_NOT_FOUND); 
+ return null;
 }
 }
 /**
 * POST with JSON content-type.
 * 
- * json hash: username: name des users xpointer: xpointer auf den Ausschnitt 
- * (incl. der URL des Dokumentes) text: text der annotation annoturl: url 
- * auf eine Annotation falls extern 
- *
 * @return
 */
 @Post("json") 
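Review bot: The new read guard answers 403 `Not Authorized!` for an annotation the caller may not read while a missing id answers 404, so an unauthenticated caller can tell from the status code alone whether a given id exists; if existence is itself sensitive, returning CLIENT_ERROR_NOT_FOUND in both branches removes that distinction. A null authUser is passed straight into isActionAllowed and createAnnotatorJson, so the code relies on those treating null as an anonymous caller, which the hunk cannot confirm. The bare boolean in `createAnnotatorJson(annot, (authUser == null))` is also hard to read at the call site; a named local such as `boolean anonymous = (authUser == null);` would document its meaning, and the same expression recurs in the POST and update hunks. The enclosing method starts before this hunk.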
@@ -84,6 +81,15 @@
 logger.debug("AnnotatorAnnotations doPostJSON!");
 // set headers
 setCorsHeaders(); 
+ 
+ // do authentication TODO: who's allowed to create? 
+ String authUser = this.checkAuthToken(entity); 
+ logger.debug("request authenticated=" + authUser); 
+ if (authUser == null) { 
+ setStatus(Status.CLIENT_ERROR_FORBIDDEN, "Not Authorized!"); 
+ return null; 
+ } 
+
 Annotation annot = null;
 try {
 JsonRepresentation jrep = new JsonRepresentation(entity); 
@@ -114,7 +120,7 @@
 * according to https://github.com/okfn/annotator/wiki/Storage we should
 * return 303: see other. For now we return the annotation.
 */ 
- JSONObject jo = createAnnotatorJson(storedAnnot); 
+ JSONObject jo = createAnnotatorJson(storedAnnot, (authUser == null));
 JsonRepresentation retRep = new JsonRepresentation(jo);
 return retRep;
 } 
@@ -134,13 +140,9 @@
 String id = decodeJsonId(jsonId);
 logger.debug("annotation-id=" + id); 
- // TODO: what to do with authentication? we should check the owner 
- boolean authenticated = isAuthenticated(entity); 
- logger.debug("request authenticated=" + authenticated); 
- if (!authenticated) { 
- setStatus(Status.CLIENT_ERROR_FORBIDDEN, "Not Authorized!"); 
- return null; 
- } 
+ // do authentication 
+ String authUser = this.checkAuthToken(entity); 
+ logger.debug("request authenticated=" + authUser);
 Annotation annot = null;
 AnnotationStore store = getAnnotationStore(); 
@@ -157,6 +159,10 @@
 setStatus(Status.CLIENT_ERROR_NOT_FOUND);
 return null;
 } 
+ if (! storedAnnot.isActionAllowed("update", authUser)) { 
+ setStatus(Status.CLIENT_ERROR_FORBIDDEN); 
+ return null; 
+ }
 // update from posted JSON
 annot = updateAnnotation(storedAnnot, jo, entity);
 // store Annotation 
@@ -169,7 +175,7 @@
 * this.getResponse().setLocationRef(thisUrl);
 */
 // return new annotation 
- jo = createAnnotatorJson(storedAnnot); 
+ jo = createAnnotatorJson(storedAnnot, (authUser == null));
 JsonRepresentation retRep = new JsonRepresentation(jo);
 return retRep;
 } catch (JSONException e) { 
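Review bot: The TODO `who's allowed to create?` leaves the create policy at "any caller for whom checkAuthToken returns a non-null user", and nothing in this hunk shows that the stored annotation's creator is bound to authUser rather than taken from the posted JSON; that binding belongs in the creation path, which lies outside the hunk. A comment at the TODO such as `// creator must be set from authUser server-side, not from the request body` would record the requirement until it is enforced. Since the guard returns on a null authUser, the later `createAnnotatorJson(storedAnnot, (authUser == null))` in this same method (the @@ -114 hunk) is always passed false; writing `createAnnotatorJson(storedAnnot, false)` or a named local would say so plainly. The enclosing doPostJSON method starts before this hunk.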
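Review bot: Dropping the `if (!authenticated)` early return means an anonymous request (authUser == null) now reaches the store lookup and the JSON parsing before any permission decision, so the only barrier left in the update handler is the isActionAllowed("update", authUser) check added further down, and that check must treat a null user as anonymous for this to be safe, which the hunk cannot show. Making the intent explicit at the auth step would help the next reader: `// authUser may be null (anonymous); access is decided per annotation below`. The enclosing method starts before this hunk.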
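Review bot: `setStatus(Status.CLIENT_ERROR_FORBIDDEN);` in the new update check omits the reason phrase that the read, create and delete guards send; `setStatus(Status.CLIENT_ERROR_FORBIDDEN, "Not Authorized!");` keeps the responses consistent. The check also gates the update as a whole but not what the update may change: updateAnnotation(storedAnnot, jo, entity) is handed the posted JSON, and if that JSON can carry the annotation's owner or permission fields, a caller allowed to update could also rewrite who may read, update or delete it. The hunk does not show whether updateAnnotation filters those fields, so that is worth verifying there before relying on this check.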
@@ -197,14 +203,17 @@
 String id = decodeJsonId(jsonId);
 logger.debug("annotation-id=" + id); 
- // TODO: what to do with authentication? we should check the owner 
- boolean authenticated = isAuthenticated(entity); 
- logger.debug("request authenticated=" + authenticated); 
- if (!authenticated) { 
- setStatus(Status.CLIENT_ERROR_FORBIDDEN, "Not Authorized!"); 
- return null; 
+ // do authentication 
+ String authUser = this.checkAuthToken(entity); 
+ logger.debug("request authenticated=" + authUser); 
+ Annotation annot = getAnnotationStore().getAnnotationById(id); 
+ if (annot != null) { 
+ if (! annot.isActionAllowed("delete", authUser)) { 
+ setStatus(Status.CLIENT_ERROR_FORBIDDEN, "Not Authorized!"); 
+ return null; 
+ }
 } 
- 
+
 // delete annotation
 getAnnotationStore().deleteById(id);
 setStatus(Status.SUCCESS_NO_CONTENT);
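Review bot: When getAnnotationById(id) returns null the new code skips the permission check entirely and still falls through to `getAnnotationStore().deleteById(id)` and SUCCESS_NO_CONTENT, so a request for an unknown id from any caller, authenticated or not, is reported as a successful delete, whereas the read and update handlers answer 404. Add an else branch to the null check: `} else { setStatus(Status.CLIENT_ERROR_NOT_FOUND); return null; }`. Whether deleteById tolerates a missing id is not visible here, so the 404 branch also removes that dependency. The enclosing method starts before this hunk.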