Changeset 105:7417f5915181 in AnnotationManagerN4J


Timestamp:
Feb 10, 2017, 2:45:35 PM (7 years ago)
Author:
casties
Branch:
default
Tags:
tip
Message:

Check admin permission before changing permissions.
Enum for type-safe actions.

Location:
src/main/java/de/mpiwg/itgroup/annotations
Files:
6 edited

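--- a/src/main/java/de/mpiwg/itgroup/annotations/Annotation.java
+++ b/src/main/java/de/mpiwg/itgroup/annotations/Annotation.java
@@ -132,4 +132,11 @@
 
     /**
+     * Enum of actions (for permissions).
+     */
+    public static enum Action {
+        read, update, create, delete, admin
+    }
+
+    /**
      * Returns if the requested action is allowed for the given user on this annotation.
      *
@@ -139,6 +146,6 @@
      * @return
      */
-    public boolean isActionAllowed(String action, Person user, AnnotationStore store) {
-        if (action.equals("read")) {
+    public boolean isActionAllowed(Action action, Person user, AnnotationStore store) {
+        if (action == Action.read) {
             Actor reader = getReadPermission();
             if (reader == null) {
@@ -148,5 +155,5 @@
                 return reader.isEquivalentWith(user, store);
             }
-        } else if (action.equals("update")) {
+        } else if (action == Action.update) {
             // require at least an authenticated user
             if (user == null) return false;
@@ -158,5 +165,5 @@
                 return updater.isEquivalentWith(user, store);
             }
-        } else if (action.equals("delete")) {
+        } else if (action == Action.delete) {
             // require at least an authenticated user
             if (user == null) return false;
@@ -167,5 +174,5 @@
             }
             return deleter.isEquivalentWith(user, store);
-        } else if (action.equals("admin")) {
+        } else if (action == Action.admin) {
             // require at least an authenticated user
             if (user == null) return false;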
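Review bot: The `create` value added to the enum at the new L137 has no branch in `isActionAllowed`, so a call with `Action.create` (or a `null` action, which the new `==` comparisons no longer reject the way `action.equals` did) falls through every branch to whatever statement follows the `admin` branch, and that statement is outside the hunk. Unless that trailing statement is `return false`, the change silently widens what is permitted; a `switch (action)` with an explicit `default: return false;` would pin deny-by-default and let the compiler flag any enum value without a case. The method's tail and the body of the `admin` branch are not visible in this hunk, so this is a point to confirm rather than a verified hole.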
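--- a/src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorAnnotations.java
+++ b/src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorAnnotations.java
@@ -42,4 +42,5 @@
 
 import de.mpiwg.itgroup.annotations.Annotation;
+import de.mpiwg.itgroup.annotations.Annotation.Action;
 import de.mpiwg.itgroup.annotations.Person;
 import de.mpiwg.itgroup.annotations.neo4j.AnnotationStore;
@@ -95,5 +96,5 @@
         Annotation annot = store.getAnnotationById(id);
         if (annot != null) {
-            if (!annot.isActionAllowed("read", authUser, store)) {
+            if (!annot.isActionAllowed(Action.read, authUser, store)) {
                 setStatus(Status.CLIENT_ERROR_FORBIDDEN, "Not Authorized!");
                 return null;
@@ -116,5 +117,5 @@
         for (Annotation annotation : annotations) {
             // check permission
-            if (!annotation.isActionAllowed("read", authUser, store))
+            if (!annotation.isActionAllowed(Action.read, authUser, store))
                 continue;
             // add annotation to list
@@ -238,5 +239,5 @@
                 return null;
             }
-            if (!storedAnnot.isActionAllowed("update", authUser, store)) {
+            if (!storedAnnot.isActionAllowed(Action.update, authUser, store)) {
                 setStatus(Status.CLIENT_ERROR_FORBIDDEN);
                 return null;
@@ -287,5 +288,5 @@
         Annotation annot = store.getAnnotationById(id);
         if (annot != null) {
-            if (!annot.isActionAllowed("delete", authUser, store)) {
+            if (!annot.isActionAllowed(Action.delete, authUser, store)) {
                 setStatus(Status.CLIENT_ERROR_FORBIDDEN, "Not Authorized!");
                 return null;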
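Review bot: The single-annotation read at the new L98 answers 403 "Not Authorized!" for an annotation the caller may not read, while the list path at the new L119 silently skips such annotations, so a direct GET confirms that a hidden id exists where the listing would not reveal it. If ids are guessable or leak through other channels, that is an enumeration oracle; answering the forbidden read the same way the `annot == null` branch presumably does (`setStatus(Status.CLIENT_ERROR_NOT_FOUND); return null;`) removes the distinction without affecting delete, where the existence of the target is less sensitive. The update path at the new L241 sets FORBIDDEN without the message the read and delete paths carry; the three should use one form. The enclosing handler methods start and end outside these hunks.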
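--- a/src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorAnnotationsByResources.java
+++ b/src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorAnnotationsByResources.java
@@ -39,4 +39,5 @@
 
 import de.mpiwg.itgroup.annotations.Annotation;
+import de.mpiwg.itgroup.annotations.Annotation.Action;
 import de.mpiwg.itgroup.annotations.Person;
 import de.mpiwg.itgroup.annotations.neo4j.AnnotationStore;
@@ -90,5 +91,5 @@
         for (Annotation annot : annotations) {
             // check permission
-            if (!annot.isActionAllowed("read", authUser, store))
+            if (!annot.isActionAllowed(Action.read, authUser, store))
                 continue;
 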
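--- a/src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorAnnotationsByTags.java
+++ b/src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorAnnotationsByTags.java
@@ -38,4 +38,5 @@
 
 import de.mpiwg.itgroup.annotations.Annotation;
+import de.mpiwg.itgroup.annotations.Annotation.Action;
 import de.mpiwg.itgroup.annotations.Person;
 import de.mpiwg.itgroup.annotations.neo4j.AnnotationStore;
@@ -79,5 +80,5 @@
         for (Annotation annot : annotations) {
             // check permission
-            if (!annot.isActionAllowed("read", authUser, store))
+            if (!annot.isActionAllowed(Action.read, authUser, store))
                 continue;
 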
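--- a/src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorResourceImpl.java
+++ b/src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorResourceImpl.java
@@ -57,4 +57,5 @@
 import de.mpiwg.itgroup.annotations.Actor;
 import de.mpiwg.itgroup.annotations.Annotation;
+import de.mpiwg.itgroup.annotations.Annotation.Action;
 import de.mpiwg.itgroup.annotations.Annotation.FragmentTypes;
 import de.mpiwg.itgroup.annotations.Group;
@@ -680,27 +681,30 @@
          * permissions
          */
-        if (jo.has("permissions")) {
-            JSONObject permissions = jo.getJSONObject("permissions");
-            if (permissions.has("admin")) {
-                JSONArray perms = permissions.getJSONArray("admin");
-                Actor actor = getActorFromPermissions(perms);
-                annot.setAdminPermission(actor);
-            }
-            if (permissions.has("delete")) {
-                JSONArray perms = permissions.getJSONArray("delete");
-                Actor actor = getActorFromPermissions(perms);
-                annot.setDeletePermission(actor);
-            }
-            if (permissions.has("update")) {
-                JSONArray perms = permissions.getJSONArray("update");
-                Actor actor = getActorFromPermissions(perms);
-                annot.setUpdatePermission(actor);
-            }
-            if (permissions.has("read")) {
-                JSONArray perms = permissions.getJSONArray("read");
-                Actor actor = getActorFromPermissions(perms);
-                annot.setReadPermission(actor);
-            }
-        }
+                if (jo.has("permissions")) {
+                        // change permissions only if user has admin permission
+                        if (annot.isActionAllowed(Action.admin, authUser, getAnnotationStore())) {
+                                JSONObject permissions = jo.getJSONObject("permissions");
+                                if (permissions.has("admin")) {
+                                        JSONArray perms = permissions.getJSONArray("admin");
+                                        Actor actor = getActorFromPermissions(perms);
+                                        annot.setAdminPermission(actor);
+                                }
+                                if (permissions.has("delete")) {
+                                        JSONArray perms = permissions.getJSONArray("delete");
+                                        Actor actor = getActorFromPermissions(perms);
+                                        annot.setDeletePermission(actor);
+                                }
+                                if (permissions.has("update")) {
+                                        JSONArray perms = permissions.getJSONArray("update");
+                                        Actor actor = getActorFromPermissions(perms);
+                                        annot.setUpdatePermission(actor);
+                                }
+                                if (permissions.has("read")) {
+                                        JSONArray perms = permissions.getJSONArray("read");
+                                        Actor actor = getActorFromPermissions(perms);
+                                        annot.setReadPermission(actor);
+                                }
+                        }
+                }
 
         /*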
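Review bot: The admin check added at the new L685 silently discards the `permissions` block when `authUser` lacks admin rights on `annot`, so a non-admin update that carries permissions is applied without them and reported as a success, and nothing records the refused attempt. An `else` branch that rejects the request, or at minimum logs it, would make the outcome visible; the enclosing method's signature and return type are outside the hunk, so whether to surface it as an exception or a status is for the caller's contract to decide. The guard is evaluated against `annot` itself, so if this method is also used to populate a freshly created annotation, whether a creator may set initial permissions depends on how `isActionAllowed(Action.admin, …)` treats an unset admin permission, which is not shown here and is worth confirming. Separately, the new lines appear to be indented with tabs while the surrounding file uses four-space indentation.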
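--- a/src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorSearch.java
+++ b/src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorSearch.java
@@ -36,4 +36,5 @@
 
 import de.mpiwg.itgroup.annotations.Annotation;
+import de.mpiwg.itgroup.annotations.Annotation.Action;
 import de.mpiwg.itgroup.annotations.Person;
 import de.mpiwg.itgroup.annotations.neo4j.AnnotationStore;
@@ -77,5 +78,5 @@
         for (Annotation annot : annots) {
             // check permission
-            if (!annot.isActionAllowed("read", authUser, store)) continue;
+            if (!annot.isActionAllowed(Action.read, authUser, store)) continue;
             JSONObject jo = createAnnotatorJson(annot, (authUser == null));
             if (jo != null) {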