Mercurial > hg > AnnotationManagerN4J

diff src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorAnnotations.java @ 14:629e15b345aa

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
permissions mostly work. need more server-side checking.
author casties
date Fri, 13 Jul 2012 20:41:02 +0200
parents 3599b29c393f
children 58357a4b86de
line wrap: on
line diff
--- a/src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorAnnotations.java	Fri Jul 13 17:22:05 2012 +0200
+++ b/src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorAnnotations.java	Fri Jul 13 20:41:02 2012 +0200
@@ -50,33 +50,30 @@
 
         // TODO: what to return without id - list of all annotations?
 
-        // TODO: what to do with authentication?
-        boolean authenticated = isAuthenticated(entity);
-        logger.debug("request authenticated=" + authenticated);
+        // do authentication
+        String authUser = this.checkAuthToken(entity);
+        logger.debug("request authenticated=" + authUser);
 
-        Annotation annots = getAnnotationStore().getAnnotationById(id);
-        if (annots != null) {
-            // there should be only one
-            JSONObject result = createAnnotatorJson(annots);
+        Annotation annot = getAnnotationStore().getAnnotationById(id);
+        if (annot != null) {
+            if (! annot.isActionAllowed("read", authUser)) {
+                setStatus(Status.CLIENT_ERROR_FORBIDDEN, "Not Authorized!");
+                return null;
+            }
+            JSONObject result = createAnnotatorJson(annot, (authUser == null));
             logger.debug("sending:");
             logger.debug(result);
             return new JsonRepresentation(result);
         } else {
-            JSONArray results = new JSONArray();
-            // annotator read request returns a list of annotation objects
-            logger.debug("sending:");
-            logger.debug(results);
-            return new JsonRepresentation(results);
+            // not found
+            setStatus(Status.CLIENT_ERROR_NOT_FOUND);
+            return null;
         }
     }
 
     /**
      * POST with JSON content-type.
      * 
-     * json hash: username: name des users xpointer: xpointer auf den Ausschnitt
-     * (incl. der URL des Dokumentes) text: text der annotation annoturl: url
-     * auf eine Annotation falls extern
-     * 
      * @return
      */
     @Post("json")
@@ -84,6 +81,15 @@
         logger.debug("AnnotatorAnnotations doPostJSON!");
         // set headers
         setCorsHeaders();
+        
+        // do authentication TODO: who's allowed to create? 
+        String authUser = this.checkAuthToken(entity);
+        logger.debug("request authenticated=" + authUser);
+        if (authUser == null) {
+            setStatus(Status.CLIENT_ERROR_FORBIDDEN, "Not Authorized!");
+            return null;
+        }
+
         Annotation annot = null;
         try {
             JsonRepresentation jrep = new JsonRepresentation(entity);
@@ -114,7 +120,7 @@
          * according to https://github.com/okfn/annotator/wiki/Storage we should
          * return 303: see other. For now we return the annotation.
          */
-        JSONObject jo = createAnnotatorJson(storedAnnot);
+        JSONObject jo = createAnnotatorJson(storedAnnot, (authUser == null));
         JsonRepresentation retRep = new JsonRepresentation(jo);
         return retRep;
     }
@@ -134,13 +140,9 @@
         String id = decodeJsonId(jsonId);
         logger.debug("annotation-id=" + id);
 
-        // TODO: what to do with authentication? we should check the owner
-        boolean authenticated = isAuthenticated(entity);
-        logger.debug("request authenticated=" + authenticated);
-        if (!authenticated) {
-            setStatus(Status.CLIENT_ERROR_FORBIDDEN, "Not Authorized!");
-            return null;
-        }
+        // do authentication
+        String authUser = this.checkAuthToken(entity);
+        logger.debug("request authenticated=" + authUser);
 
         Annotation annot = null;
         AnnotationStore store = getAnnotationStore();
@@ -157,6 +159,10 @@
                 setStatus(Status.CLIENT_ERROR_NOT_FOUND);
                 return null;
             }
+            if (! storedAnnot.isActionAllowed("update", authUser)) {
+                setStatus(Status.CLIENT_ERROR_FORBIDDEN);
+                return null;
+            }
             // update from posted JSON
             annot = updateAnnotation(storedAnnot, jo, entity);
             // store Annotation
@@ -169,7 +175,7 @@
              * this.getResponse().setLocationRef(thisUrl);
              */
             // return new annotation
-            jo = createAnnotatorJson(storedAnnot);
+            jo = createAnnotatorJson(storedAnnot, (authUser == null));
             JsonRepresentation retRep = new JsonRepresentation(jo);
             return retRep;
         } catch (JSONException e) {
@@ -197,14 +203,17 @@
         String id = decodeJsonId(jsonId);
         logger.debug("annotation-id=" + id);
 
-        // TODO: what to do with authentication? we should check the owner
-        boolean authenticated = isAuthenticated(entity);
-        logger.debug("request authenticated=" + authenticated);
-        if (!authenticated) {
-            setStatus(Status.CLIENT_ERROR_FORBIDDEN, "Not Authorized!");
-            return null;
+        // do authentication
+        String authUser = this.checkAuthToken(entity);
+        logger.debug("request authenticated=" + authUser);
+        Annotation annot = getAnnotationStore().getAnnotationById(id);
+        if (annot != null) {
+            if (! annot.isActionAllowed("delete", authUser)) {
+                setStatus(Status.CLIENT_ERROR_FORBIDDEN, "Not Authorized!");
+                return null;
+            }
         }
-
+        
         // delete annotation
         getAnnotationStore().deleteById(id);
         setStatus(Status.SUCCESS_NO_CONTENT);