created:

class: - resourcePolicyRestPermissionEvaluatorPlugin method: - boolean hasDSpasePermission(Authentication authentication, Serializable targetId, String targetType, DSpaceRestPermission permission) - boolean isMyResoursePolicy(Context context, EPerson eperson, Integer id) - this one checks if the resourcePolicy, that I'm searching, is of the authenticated person - ResourcePolicy findOneById (DAO)
2025-10-07 01:54:22 +00:00 · 2019-12-02 16:15:32 +01:00
parent 5eff3c6295
commit 27735d7126
6 changed files with 112 additions and 1 deletions
--- a/dspace-api/src/main/java/org/dspace/authorize/ResourcePolicyServiceImpl.java
+++ b/dspace-api/src/main/java/org/dspace/authorize/ResourcePolicyServiceImpl.java
@@ -26,6 +26,7 @@ import org.dspace.core.Constants;
 import org.dspace.core.Context;
 import org.dspace.eperson.EPerson;
 import org.dspace.eperson.Group;
+import org.dspace.eperson.service.GroupService;
 import org.springframework.beans.factory.annotation.Autowired;

 /**
@@ -47,6 +48,9 @@ public class ResourcePolicyServiceImpl implements ResourcePolicyService {
    @Autowired(required = true)
    protected ResourcePolicyDAO resourcePolicyDAO;

+    @Autowired
+    private GroupService groupService;
+
    protected ResourcePolicyServiceImpl() {
    }

@@ -379,4 +383,19 @@ public class ResourcePolicyServiceImpl implements ResourcePolicyService {
    public int searchCountByGroupAndResourceUuid(Context context, Group group, UUID resourceUuid) throws SQLException {
        return resourcePolicyDAO.searchCountByGroupAndResourceUuid(context, group, resourceUuid);
    }
+
+    @Override
+    public boolean isMyResourcePolicy(Context context, EPerson eperson, Integer id) throws SQLException {
+        boolean isMy = false;
+
+        ResourcePolicy resourcePolicy = resourcePolicyDAO.findOneById(context, id);
+        Group group = resourcePolicy.getGroup();
+
+        if (resourcePolicy.getEPerson() != null && resourcePolicy.getEPerson().getID() == eperson.getID()) {
+            isMy = true;
+        } else if (group != null && groupService.isMember(context, eperson, group)) {
+            isMy = true;
+        }
+        return isMy;
+    }
 }
--- a/dspace-api/src/main/java/org/dspace/authorize/dao/ResourcePolicyDAO.java
+++ b/dspace-api/src/main/java/org/dspace/authorize/dao/ResourcePolicyDAO.java
@@ -109,4 +109,7 @@ public interface ResourcePolicyDAO extends GenericDAO<ResourcePolicy> {

    public int searchCountByGroupAndResourceUuid(Context context, Group group, UUID resourceUuid) throws SQLException;

+    public ResourcePolicy findOneById(Context context, Integer id) throws SQLException;
+
+
 }
--- a/dspace-api/src/main/java/org/dspace/authorize/dao/impl/ResourcePolicyDAOImpl.java
+++ b/dspace-api/src/main/java/org/dspace/authorize/dao/impl/ResourcePolicyDAOImpl.java
@@ -345,4 +345,14 @@ public class ResourcePolicyDAOImpl extends AbstractHibernateDAO<ResourcePolicy>
        query.setParameter("groupUuid", group.getID());
        return count(query);
    }
+
+    @Override
+    public ResourcePolicy findOneById(Context context, Integer id) throws SQLException {
+        CriteriaBuilder criteriaBuilder = getCriteriaBuilder(context);
+        CriteriaQuery criteriaQuery = getCriteriaQuery(criteriaBuilder, ResourcePolicy.class);
+        Root<ResourcePolicy> resourcePolicyRoot = criteriaQuery.from(ResourcePolicy.class);
+        criteriaQuery.select(resourcePolicyRoot);
+        criteriaQuery.where(criteriaBuilder.equal(resourcePolicyRoot.get(ResourcePolicy_.id), id));
+        return singleResult(context, criteriaQuery);
+    }
 }
--- a/dspace-api/src/main/java/org/dspace/authorize/service/ResourcePolicyService.java
+++ b/dspace-api/src/main/java/org/dspace/authorize/service/ResourcePolicyService.java
@@ -123,4 +123,6 @@ public interface ResourcePolicyService extends DSpaceCRUDService<ResourcePolicy>

    public int searchCountByGroupAndResourceUuid(Context context, Group group, UUID resourceUuid) throws SQLException;

+    public boolean isMyResourcePolicy(Context context, EPerson eperson, Integer id) throws SQLException;
+
 }
--- a/dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/ResourcePolicyRestRepository.java
+++ b/dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/ResourcePolicyRestRepository.java
@@ -51,8 +51,9 @@ public class ResourcePolicyRestRepository extends DSpaceRestRepository<ResourceP
    @Autowired
    private GroupService groupService;

-    @PreAuthorize("hasAuthority('AUTHENTICATED')")
+
    @Override
+    @PreAuthorize("hasPermission(#id, 'resourcepolicy', 'READ')")
    public ResourcePolicyRest findOne(Context context, Integer id) {
        ResourcePolicy source = null;
        try {
--- a/dspace-server-webapp/src/main/java/org/dspace/app/rest/security/ResourcePolicyRestPermissionEvaluatorPlugin.java
+++ b/dspace-server-webapp/src/main/java/org/dspace/app/rest/security/ResourcePolicyRestPermissionEvaluatorPlugin.java
@@ -0,0 +1,76 @@
+package org.dspace.app.rest.security;
+
+import java.io.Serializable;
+import java.sql.SQLException;
+
+import org.apache.commons.lang3.StringUtils;
+import org.dspace.app.rest.model.ResourcePolicyRest;
+import org.dspace.app.rest.utils.ContextUtil;
+import org.dspace.authorize.service.AuthorizeService;
+import org.dspace.authorize.service.ResourcePolicyService;
+import org.dspace.core.Context;
+import org.dspace.eperson.EPerson;
+import org.dspace.eperson.service.EPersonService;
+import org.dspace.services.RequestService;
+import org.dspace.services.model.Request;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.Authentication;
+import org.springframework.stereotype.Component;
+
+
+@Component
+public class ResourcePolicyRestPermissionEvaluatorPlugin extends RestObjectPermissionEvaluatorPlugin {
+
+    private static final Logger log = LoggerFactory.getLogger(ResourcePolicyRestPermissionEvaluatorPlugin.class);
+
+    @Autowired
+    AuthorizeService authorizeService;
+
+    @Autowired
+    private RequestService requestService;
+
+    @Autowired
+    private EPersonService ePersonService;
+
+    @Autowired
+    private ResourcePolicyService resourcePolicyService;
+
+    @Override
+    public boolean hasDSpacePermission(Authentication authentication, Serializable targetId, String targetType,
+            DSpaceRestPermission permission) {
+
+        DSpaceRestPermission restPermission = DSpaceRestPermission.convert(permission);
+
+        if (!DSpaceRestPermission.READ.equals(restPermission)
+                && !DSpaceRestPermission.WRITE.equals(restPermission)
+                && !DSpaceRestPermission.DELETE.equals(restPermission)
+                || !StringUtils.equalsIgnoreCase(targetType, ResourcePolicyRest.NAME)) {
+            return false;
+        }
+
+        Request request = requestService.getCurrentRequest();
+        Context context = ContextUtil.obtainContext(request.getServletRequest());
+        EPerson ePerson = null;
+
+        try {
+            ePerson = ePersonService.findByEmail(context, (String) authentication.getPrincipal());
+            Integer dsoId = Integer.parseInt(targetId.toString());
+
+            // anonymous user
+            if (ePerson == null) {
+                return false;
+            }
+
+            if (resourcePolicyService.isMyResourcePolicy(context, ePerson, dsoId)) {
+                return true;
+            }
+        } catch (SQLException e) {
+            log.error(e.getMessage(), e);
+        }
+
+        return false;
+    }
+
+}