Changeset 14:629e15b345aa in AnnotationManagerN4J for src/main/java/de/mpiwg/itgroup/annotations/restlet

Timestamp:

Jul 13, 2012, 6:41:02 PM (12 years ago)

Author:

casties

Branch:

default

Message:

permissions mostly work. need more server-side checking.

Location:

src/main/java/de/mpiwg/itgroup/annotations/restlet

Files:

• AnnotatorAnnotations.java (modified) (8 diffs)
• AnnotatorResourceImpl.java (modified) (5 diffs)
• AnnotatorSearch.java (modified) (4 diffs)

src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorAnnotations.java

@@ -51 +51 @@
         // TODO: what to return without id - list of all annotations?
 
-        // TODO: what to do with authentication?
-        boolean authenticated = isAuthenticated(entity);
-        logger.debug("request authenticated=" + authenticated);
-
-        Annotation annots = getAnnotationStore().getAnnotationById(id);
-        if (annots != null) {
-            // there should be only one
-            JSONObject result = createAnnotatorJson(annots);
+        // do authentication
+        String authUser = this.checkAuthToken(entity);
+        logger.debug("request authenticated=" + authUser);
+
+        Annotation annot = getAnnotationStore().getAnnotationById(id);
+        if (annot != null) {
+            if (! annot.isActionAllowed("read", authUser)) {
+                setStatus(Status.CLIENT_ERROR_FORBIDDEN, "Not Authorized!");
+                return null;
+            }
+            JSONObject result = createAnnotatorJson(annot, (authUser == null));
             logger.debug("sending:");
             logger.debug(result);
             return new JsonRepresentation(result);
         } else {
-            JSONArray results = new JSONArray();
-            // annotator read request returns a list of annotation objects
-            logger.debug("sending:");
-            logger.debug(results);
-            return new JsonRepresentation(results);
+            // not found
+            setStatus(Status.CLIENT_ERROR_NOT_FOUND);
+            return null;
         }
     }
@@ -73 +74 @@
     /**
      * POST with JSON content-type.
-     * 
-     * json hash: username: name des users xpointer: xpointer auf den Ausschnitt
-     * (incl. der URL des Dokumentes) text: text der annotation annoturl: url
-     * auf eine Annotation falls extern
      * 
      * @return
@@ -85 +82 @@
         // set headers
         setCorsHeaders();
+        
+        // do authentication TODO: who's allowed to create? 
+        String authUser = this.checkAuthToken(entity);
+        logger.debug("request authenticated=" + authUser);
+        if (authUser == null) {
+            setStatus(Status.CLIENT_ERROR_FORBIDDEN, "Not Authorized!");
+            return null;
+        }
+
         Annotation annot = null;
         try {
@@ -115 +121 @@
          * return 303: see other. For now we return the annotation.
          */
-        JSONObject jo = createAnnotatorJson(storedAnnot);
+        JSONObject jo = createAnnotatorJson(storedAnnot, (authUser == null));
         JsonRepresentation retRep = new JsonRepresentation(jo);
         return retRep;
@@ -135 +141 @@
         logger.debug("annotation-id=" + id);
 
-        // TODO: what to do with authentication? we should check the owner
-        boolean authenticated = isAuthenticated(entity);
-        logger.debug("request authenticated=" + authenticated);
-        if (!authenticated) {
-            setStatus(Status.CLIENT_ERROR_FORBIDDEN, "Not Authorized!");
-            return null;
-        }
+        // do authentication
+        String authUser = this.checkAuthToken(entity);
+        logger.debug("request authenticated=" + authUser);
 
         Annotation annot = null;
@@ -156 +158 @@
             if (storedAnnot == null) {
                 setStatus(Status.CLIENT_ERROR_NOT_FOUND);
+                return null;
+            }
+            if (! storedAnnot.isActionAllowed("update", authUser)) {
+                setStatus(Status.CLIENT_ERROR_FORBIDDEN);
                 return null;
             }
@@ -170 +176 @@
              */
             // return new annotation
-            jo = createAnnotatorJson(storedAnnot);
+            jo = createAnnotatorJson(storedAnnot, (authUser == null));
             JsonRepresentation retRep = new JsonRepresentation(jo);
             return retRep;
@@ -198 +204 @@
         logger.debug("annotation-id=" + id);
 
-        // TODO: what to do with authentication? we should check the owner
-        boolean authenticated = isAuthenticated(entity);
-        logger.debug("request authenticated=" + authenticated);
-        if (!authenticated) {
-            setStatus(Status.CLIENT_ERROR_FORBIDDEN, "Not Authorized!");
-            return null;
-        }
-
+        // do authentication
+        String authUser = this.checkAuthToken(entity);
+        logger.debug("request authenticated=" + authUser);
+        Annotation annot = getAnnotationStore().getAnnotationById(id);
+        if (annot != null) {
+            if (! annot.isActionAllowed("delete", authUser)) {
+                setStatus(Status.CLIENT_ERROR_FORBIDDEN, "Not Authorized!");
+                return null;
+            }
+        }
+        
         // delete annotation
         getAnnotationStore().deleteById(id);

src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorResourceImpl.java

@@ -141 +141 @@
         Form requestHeaders = (Form) getRequest().getAttributes().get("org.restlet.http.headers");
         String authToken = requestHeaders.getFirstValue("x-annotator-auth-token", true);
+        if (authToken == null) return null;
         // decode token first to get consumer key
         JsonToken token = new JsonTokenParser(null, null).deserialize(authToken);
@@ -178 +179 @@
      * 
      * @param annot
+     * @param forAnonymous TODO
      * @return
      */
-    public JSONObject createAnnotatorJson(Annotation annot) {
+    public JSONObject createAnnotatorJson(Annotation annot, boolean forAnonymous) {
         // return user as a JSON object (otherwise just as string)
         boolean makeUserObject = true;
@@ -233 +235 @@
             if (adminPerm != null) {
                 adminPerms.put(adminPerm.getIdString());
+            } else if (forAnonymous) {
+                // set something because its not allowed for anonymous
+                adminPerms.put("not-you");
             }
             // delete
@@ -240 +245 @@
             if (deletePerm != null) {
                 deletePerms.put(deletePerm.getIdString());
+            } else if (forAnonymous) {
+                // set something because its not allowed for anonymous
+                deletePerms.put("not-you");
             }
             // update
@@ -247 +255 @@
             if (updatePerm != null) {
                 updatePerms.put(updatePerm.getIdString());
+            } else if (forAnonymous) {
+                // set something because its not allowed for anonymous
+                updatePerms.put("not-you");
             }
             // read

src/main/java/de/mpiwg/itgroup/annotations/restlet/AnnotatorSearch.java

@@ -16 +16 @@
 
 import de.mpiwg.itgroup.annotations.Annotation;
-import de.mpiwg.itgroup.annotations.neo4j.AnnotationStore;
 
 /**
@@ -32 +31 @@
 
     /**
-     * result for JSON content-type. optional search parameters: uri user limit
-     * offset
+     * result for JSON content-type. optional search parameters: uri, user, limit,
+     * offset.
      * 
      * @param entity
@@ -42 +41 @@
         logger.debug("AnnotatorSearch doGetJSON!");
         setCorsHeaders();
-        // TODO: what to do with authentication?
-        boolean authenticated = isAuthenticated(entity);
-        logger.debug("request authenticated=" + authenticated);
+        // do authentication
+        String authUser = this.checkAuthToken(entity);
+        logger.debug("request authenticated=" + authUser);
 
         Form form = getRequest().getResourceRef().getQueryAsForm();
         String uri = form.getFirstValue("uri");
         String user = form.getFirstValue("user");
-
         String limit = form.getFirstValue("limit");
         String offset = form.getFirstValue("offset");
 
-        AnnotationStore searcher = getAnnotationStore();
-
-        JSONArray ja;
-
-        List<Annotation> annots = searcher.searchByUriUser(uri, user, limit, offset);
-
-        ja = new JSONArray();
+        JSONArray results = new JSONArray();
+        // do search
+        logger.debug(String.format("searching for uri=%s user=%s", uri, user));
+        List<Annotation> annots = getAnnotationStore().searchByUriUser(uri, user, limit, offset);
         for (Annotation annot : annots) {
-            JSONObject jo = createAnnotatorJson(annot);
+            // check permission
+            if (!annot.isActionAllowed("read", authUser)) continue;
+            JSONObject jo = createAnnotatorJson(annot, (authUser == null));
             if (jo != null) {
-                ja.put(createAnnotatorJson(annot));
+                results.put(jo);
             } else {
                 setStatus(Status.SERVER_ERROR_INTERNAL, "JSON Error");
@@ -69 +66 @@
             }
         }
-
+        // assemble result object
         JSONObject result = new JSONObject();
         try {
-            result.put("rows", ja);
-            result.put("total", ja.length());
+            result.put("rows", results);
+            result.put("total", results.length());
         } catch (JSONException e) {
-            e.printStackTrace();
             setStatus(Status.SERVER_ERROR_INTERNAL, "JSON Error");
             return null;