# HG changeset patch # User casties # Date 1486737935 -3600 # Node ID 7417f59151812552b28fa92b423a2841c660338d # Parent e953327d66bb25a67466f3e4776408e92e271640 check admin permission before changing permissions. Enum for typesafe actions. diff -r e953327d66bb -r 7417f5915181 src/main/java/de/mpiwg/itgroup/annotations/Annotation.java --- a/src/main/java/de/mpiwg/itgroup/annotations/Annotation.java Fri Feb 10 15:02:32 2017 +0100 +++ b/src/main/java/de/mpiwg/itgroup/annotations/Annotation.java Fri Feb 10 15:45:35 2017 +0100 @@ -131,6 +131,13 @@ protected Set tags; /** + * Enum of actions (for permissions). + */ + public static enum Action { + read, update, create, delete, admin + } + + /** * Returns if the requested action is allowed for the given user on this annotation. * * @param action @@ -138,8 +145,8 @@ * @param store AnnotationStore to check group membership * @return */ - public boolean isActionAllowed(String action, Person user, AnnotationStore store) { - if (action.equals("read")) { + public boolean isActionAllowed(Action action, Person user, AnnotationStore store) { + if (action == Action.read) { Actor reader = getReadPermission(); if (reader == null) { // if not specified then everybody is allowed @@ -147,7 +154,7 @@ } else { return reader.isEquivalentWith(user, store); } - } else if (action.equals("update")) { + } else if (action == Action.update) { // require at least an authenticated user if (user == null) return false; Actor updater = getUpdatePermission(); @@ -157,7 +164,7 @@ } else { return updater.isEquivalentWith(user, store); } - } else if (action.equals("delete")) { + } else if (action == Action.delete) { // require at least an authenticated user if (user == null) return false; Actor deleter = getDeletePermission(); 
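Review bot: The Javadoc on the new `Action` enum does not say what `create` is checked against, and none of the `isActionAllowed` branches visible in this patch handles that constant. Document each constant, for example `/** May change the annotation's permission settings. */` above `admin`. If the lowercase names are deliberate because they mirror the `read`/`update`/`delete`/`admin` keys of the JSON `permissions` object, say so in the comment. `static` is redundant on a nested enum, so `public enum Action` is enough.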
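Review bot: With the change from `action.equals("read")` to `action == Action.read`, a null `action` no longer fails at the first comparison but falls through every branch, and so does `Action.create`, which has no branch in the hunks at -138, -147, -157 and -166. What the method returns in that case is decided by its tail, which lies outside these hunks, so confirm that it denies. For a permission check the safe shape is an explicit guard at the top, `if (action == null) return false;`, plus a final `return false;` after the last `else if` (or a `switch (action)` with `default: return false;`). The `@return` tag in the Javadoc is empty and should state that unknown or unhandled actions are denied.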
@@ -166,7 +173,7 @@ deleter = creator; } return deleter.isEquivalentWith(user, store); - } else if (action.equals("admin")) { + } else if (action == Action.admin) { // require at least an authenticated user if (user == null) return false; Actor admin = getAdminPermission(); diff -r e953327d66bb -r 7417f5915181 src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorAnnotations.java --- a/src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorAnnotations.java Fri Feb 10 15:02:32 2017 +0100 +++ b/src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorAnnotations.java Fri Feb 10 15:45:35 2017 +0100 @@ -41,6 +41,7 @@ import org.restlet.resource.Put; import de.mpiwg.itgroup.annotations.Annotation; +import de.mpiwg.itgroup.annotations.Annotation.Action; import de.mpiwg.itgroup.annotations.Person; import de.mpiwg.itgroup.annotations.neo4j.AnnotationStore; import de.mpiwg.itgroup.annotations.restlet.utils.JSONObjectComparator; @@ -94,7 +95,7 @@ AnnotationStore store = getAnnotationStore(); Annotation annot = store.getAnnotationById(id); if (annot != null) { - if (!annot.isActionAllowed("read", authUser, store)) { + if (!annot.isActionAllowed(Action.read, authUser, store)) { setStatus(Status.CLIENT_ERROR_FORBIDDEN, "Not Authorized!"); return null; } @@ -115,7 +116,7 @@ List annotations = store.getAnnotations(null, null, 0, 0); for (Annotation annotation : annotations) { // check permission - if (!annotation.isActionAllowed("read", authUser, store)) + if (!annotation.isActionAllowed(Action.read, authUser, store)) continue; // add annotation to list JSONObject jo = createAnnotatorJson(annotation, false); @@ -237,7 +238,7 @@ setStatus(Status.CLIENT_ERROR_NOT_FOUND); return null; } - if (!storedAnnot.isActionAllowed("update", authUser, store)) { + if (!storedAnnot.isActionAllowed(Action.update, authUser, store)) { setStatus(Status.CLIENT_ERROR_FORBIDDEN); return null; } 
@@ -286,7 +287,7 @@ AnnotationStore store = getAnnotationStore(); Annotation annot = store.getAnnotationById(id); if (annot != null) { - if (!annot.isActionAllowed("delete", authUser, store)) { + if (!annot.isActionAllowed(Action.delete, authUser, store)) { setStatus(Status.CLIENT_ERROR_FORBIDDEN, "Not Authorized!"); return null; } diff -r e953327d66bb -r 7417f5915181 src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorAnnotationsByResources.java --- a/src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorAnnotationsByResources.java Fri Feb 10 15:02:32 2017 +0100 +++ b/src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorAnnotationsByResources.java Fri Feb 10 15:45:35 2017 +0100 @@ -38,6 +38,7 @@ import org.restlet.resource.Get; import de.mpiwg.itgroup.annotations.Annotation; +import de.mpiwg.itgroup.annotations.Annotation.Action; import de.mpiwg.itgroup.annotations.Person; import de.mpiwg.itgroup.annotations.neo4j.AnnotationStore; import de.mpiwg.itgroup.annotations.restlet.utils.JSONObjectComparator; @@ -89,7 +90,7 @@ for (Annotation annot : annotations) { // check permission - if (!annot.isActionAllowed("read", authUser, store)) + if (!annot.isActionAllowed(Action.read, authUser, store)) continue; JSONObject jo = createAnnotatorJson(annot, false); diff -r e953327d66bb -r 7417f5915181 src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorAnnotationsByTags.java --- a/src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorAnnotationsByTags.java Fri Feb 10 15:02:32 2017 +0100 +++ b/src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorAnnotationsByTags.java Fri Feb 10 15:45:35 2017 +0100 @@ -37,6 +37,7 @@ import org.restlet.resource.Get; import de.mpiwg.itgroup.annotations.Annotation; +import de.mpiwg.itgroup.annotations.Annotation.Action; import de.mpiwg.itgroup.annotations.Person; import de.mpiwg.itgroup.annotations.neo4j.AnnotationStore; import de.mpiwg.itgroup.annotations.restlet.utils.JSONObjectComparator; 
@@ -78,7 +79,7 @@ for (Annotation annot : annotations) { // check permission - if (!annot.isActionAllowed("read", authUser, store)) + if (!annot.isActionAllowed(Action.read, authUser, store)) continue; JSONObject jo = createAnnotatorJson(annot, false); diff -r e953327d66bb -r 7417f5915181 src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorResourceImpl.java --- a/src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorResourceImpl.java Fri Feb 10 15:02:32 2017 +0100 +++ b/src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorResourceImpl.java Fri Feb 10 15:45:35 2017 +0100 @@ -56,6 +56,7 @@ import de.mpiwg.itgroup.annotations.Actor; import de.mpiwg.itgroup.annotations.Annotation; +import de.mpiwg.itgroup.annotations.Annotation.Action; import de.mpiwg.itgroup.annotations.Annotation.FragmentTypes; import de.mpiwg.itgroup.annotations.Group; import de.mpiwg.itgroup.annotations.Person; 
@@ -679,29 +680,32 @@ /* * permissions */ - if (jo.has("permissions")) { - JSONObject permissions = jo.getJSONObject("permissions"); - if (permissions.has("admin")) { - JSONArray perms = permissions.getJSONArray("admin"); - Actor actor = getActorFromPermissions(perms); - annot.setAdminPermission(actor); - } - if (permissions.has("delete")) { - JSONArray perms = permissions.getJSONArray("delete"); - Actor actor = getActorFromPermissions(perms); - annot.setDeletePermission(actor); - } - if (permissions.has("update")) { - JSONArray perms = permissions.getJSONArray("update"); - Actor actor = getActorFromPermissions(perms); - annot.setUpdatePermission(actor); - } - if (permissions.has("read")) { - JSONArray perms = permissions.getJSONArray("read"); - Actor actor = getActorFromPermissions(perms); - annot.setReadPermission(actor); - } - } + if (jo.has("permissions")) { + // change permissions only if user has admin permission + if (annot.isActionAllowed(Action.admin, authUser, getAnnotationStore())) { + JSONObject permissions = jo.getJSONObject("permissions"); + if (permissions.has("admin")) { + JSONArray perms = permissions.getJSONArray("admin"); + Actor actor = getActorFromPermissions(perms); + annot.setAdminPermission(actor); + } + if (permissions.has("delete")) { + JSONArray perms = permissions.getJSONArray("delete"); + Actor actor = getActorFromPermissions(perms); + annot.setDeletePermission(actor); + } + if (permissions.has("update")) { + JSONArray perms = permissions.getJSONArray("update"); + Actor actor = getActorFromPermissions(perms); + annot.setUpdatePermission(actor); + } + if (permissions.has("read")) { + JSONArray perms = permissions.getJSONArray("read"); + Actor actor = getActorFromPermissions(perms); + annot.setReadPermission(actor); + } + } + } /* * tags diff -r e953327d66bb -r 7417f5915181 src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorSearch.java 
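Review bot: A request that carries `permissions` from a caller without admin rights is now dropped silently, because the new `if (annot.isActionAllowed(Action.admin, authUser, getAnnotationStore()))` has no else branch. The rest of the update is still applied, and the client gets the same success response as if the permission change had been accepted. Add an else branch that logs the refused attempt with the annotation id and the user, and either rejects the request, for example `throw new ResourceException(Status.CLIENT_ERROR_FORBIDDEN);` if that fits how this class reports errors, or documents the behaviour with a comment such as `// permissions in the request are ignored unless authUser has admin permission`. The enclosing method starts outside the hunk, so it is an assumption that it also runs when a new annotation is built from JSON. If it does, confirm that the creator is set on `annot` before this block, so that the admin check can resolve for the creator and initial permissions are not discarded.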
--- a/src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorSearch.java Fri Feb 10 15:02:32 2017 +0100 +++ b/src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorSearch.java Fri Feb 10 15:45:35 2017 +0100 @@ -35,6 +35,7 @@ import org.restlet.resource.Get; import de.mpiwg.itgroup.annotations.Annotation; +import de.mpiwg.itgroup.annotations.Annotation.Action; import de.mpiwg.itgroup.annotations.Person; import de.mpiwg.itgroup.annotations.neo4j.AnnotationStore; import de.mpiwg.itgroup.annotations.restlet.utils.JSONObjectComparator; @@ -76,7 +77,7 @@ List annots = store.searchAnnotationByUriUser(uri, user); for (Annotation annot : annots) { // check permission - if (!annot.isActionAllowed("read", authUser, store)) continue; + if (!annot.isActionAllowed(Action.read, authUser, store)) continue; JSONObject jo = createAnnotatorJson(annot, (authUser == null)); if (jo != null) { results.add(jo);