DS-3542: Spring permission evaluator for REST API

frederic
2017-12-14 09:42:47 +01:00
committed by Tom Desair
parent 238ede5f9d
commit 295d6d6ba1
44 changed files with 910 additions and 182 deletions


@@ -212,6 +212,11 @@
<artifactId>spring-boot-starter-data-rest</artifactId>
<version>${spring-boot.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-aop</artifactId>
<version>${spring-boot.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>


@@ -54,6 +54,7 @@ public class AuthorityEntryLinkRepository extends AbstractDSpaceRestRepository
return new AuthorityEntryResource(model);
}
//TODO @PreAuthorize("hasAuthority('EPERSON')")
public Page<AuthorityEntryRest> query(HttpServletRequest request, String name,
Pageable pageable, String projection) {
Context context = obtainContext();
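Review bot: The `//TODO @PreAuthorize("hasAuthority('EPERSON')")` above `query` is only a comment, so the method still runs with no method-level authorization. The same commented-out form appears on AuthorityEntryValueLinkRepository.getResource, AuthorityRestRepository, GroupRestRepository.findAll, LicenseRestLinkRepository, ResourcePolicyRestRepository, the SubmissionForm/Panel/Upload repositories and WorkspaceItemRestRepository's findOne, findAll, findBySubmitter, upload, patch and delete. Either enable the annotation or make the TODO state what blocks it, e.g. `// TODO(DS-3542): enable once <blocking condition>: @PreAuthorize("hasAuthority('EPERSON')")`. Whether another layer already restricts these endpoints is not visible on this page, and the body of `query` continues outside the hunk.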


@@ -42,6 +42,7 @@ public class AuthorityEntryValueLinkRepository extends AbstractDSpaceRestReposit
return new AuthorityEntryResource(model);
}
//TODO @PreAuthorize("hasAuthority('EPERSON')")
public AuthorityEntryRest getResource(HttpServletRequest request, String name, String relId,
Pageable pageable, String projection) {
Context context = obtainContext();


@@ -16,7 +16,6 @@ import org.dspace.app.rest.model.hateoas.AuthorityResource;
import org.dspace.app.rest.utils.AuthorityUtils;
import org.dspace.content.authority.ChoiceAuthority;
import org.dspace.content.authority.service.ChoiceAuthorityService;
import org.dspace.core.Context;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.domain.Page;
import org.springframework.data.domain.PageImpl;
@@ -37,15 +36,17 @@ public class AuthorityRestRepository extends DSpaceRestRepository<AuthorityRest,
@Autowired
private AuthorityUtils authorityUtils;
//TODO @PreAuthorize("hasAuthority('EPERSON')")
@Override
public AuthorityRest findOne(Context context, String name) {
public AuthorityRest findOne(String name) {
ChoiceAuthority source = cas.getChoiceAuthorityByAuthorityName(name);
AuthorityRest result = authorityUtils.convertAuthority(source, name);
return result;
}
//TODO @PreAuthorize("hasAuthority('EPERSON')")
@Override
public Page<AuthorityRest> findAll(Context context, Pageable pageable) {
public Page<AuthorityRest> findAll(Pageable pageable) {
Set<String> authoritiesName = cas.getChoiceAuthoritiesNames();
List<AuthorityRest> results = new ArrayList<AuthorityRest>();
for (String authorityName : authoritiesName) {


@@ -15,7 +15,6 @@ import org.dspace.app.rest.model.BitstreamFormatRest;
import org.dspace.app.rest.model.hateoas.BitstreamFormatResource;
import org.dspace.content.BitstreamFormat;
import org.dspace.content.service.BitstreamFormatService;
import org.dspace.core.Context;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.domain.Page;
import org.springframework.data.domain.Pageable;
@@ -41,10 +40,10 @@ public class BitstreamFormatRestRepository extends DSpaceRestRepository<Bitstrea
}
@Override
public BitstreamFormatRest findOne(Context context, Integer id) {
public BitstreamFormatRest findOne(Integer id) {
BitstreamFormat bit = null;
try {
bit = bfs.find(context, id);
bit = bfs.find(obtainContext(), id);
} catch (SQLException e) {
throw new RuntimeException(e.getMessage(), e);
}
@@ -55,10 +54,10 @@ public class BitstreamFormatRestRepository extends DSpaceRestRepository<Bitstrea
}
@Override
public Page<BitstreamFormatRest> findAll(Context context, Pageable pageable) {
public Page<BitstreamFormatRest> findAll(Pageable pageable) {
List<BitstreamFormat> bit = null;
try {
bit = bfs.findAll(context);
bit = bfs.findAll(obtainContext());
} catch (SQLException e) {
throw new RuntimeException(e.getMessage(), e);
}


@@ -28,6 +28,7 @@ import org.springframework.data.domain.Page;
import org.springframework.data.domain.PageImpl;
import org.springframework.data.domain.Pageable;
import org.springframework.data.rest.webmvc.ResourceNotFoundException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Component;
@@ -51,10 +52,11 @@ public class BitstreamRestRepository extends DSpaceRestRepository<BitstreamRest,
}
@Override
public BitstreamRest findOne(Context context, UUID id) {
@PreAuthorize("hasPermission(#id, 'BITSTREAM', 'READ')")
public BitstreamRest findOne(UUID id) {
Bitstream bit = null;
try {
bit = bs.find(context, id);
bit = bs.find(obtainContext(), id);
} catch (SQLException e) {
throw new RuntimeException(e.getMessage(), e);
}
@@ -72,7 +74,9 @@ public class BitstreamRestRepository extends DSpaceRestRepository<BitstreamRest,
}
@Override
public Page<BitstreamRest> findAll(Context context, Pageable pageable) {
@PreAuthorize("hasAuthority('ADMIN')")
public Page<BitstreamRest> findAll(Pageable pageable) {
Context context = obtainContext();
List<Bitstream> bit = new ArrayList<Bitstream>();
Iterator<Bitstream> it = null;
int total = 0;
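Review bot: `hasPermission(#id, 'BITSTREAM', 'READ')` on findOne is evaluated before the method body, so the not-found handling inside the method is reached only by callers the evaluator has already accepted. For an id that does not exist, the response is whatever the evaluator plugins decide, which is probably an access-denied answer rather than a 404. The same holds for the Collection, Community, EPerson, Group and Item findOne methods, including the three where this commit adds `throw new ResourceNotFoundException();`. A comment next to the annotation would record the intended result, for example `// a missing id is decided by the permission evaluator, not by the null check below`. Both method bodies continue outside the hunks.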


@@ -15,7 +15,6 @@ import org.dspace.app.rest.model.BrowseIndexRest;
import org.dspace.app.rest.model.hateoas.BrowseIndexResource;
import org.dspace.browse.BrowseException;
import org.dspace.browse.BrowseIndex;
import org.dspace.core.Context;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.domain.Page;
import org.springframework.data.domain.PageImpl;
@@ -33,7 +32,7 @@ public class BrowseIndexRestRepository extends DSpaceRestRepository<BrowseIndexR
BrowseIndexConverter converter;
@Override
public BrowseIndexRest findOne(Context context, String name) {
public BrowseIndexRest findOne(String name) {
BrowseIndexRest bi = null;
BrowseIndex bix;
try {
@@ -48,7 +47,7 @@ public class BrowseIndexRestRepository extends DSpaceRestRepository<BrowseIndexR
}
@Override
public Page<BrowseIndexRest> findAll(Context context, Pageable pageable) {
public Page<BrowseIndexRest> findAll(Pageable pageable) {
List<BrowseIndexRest> it = null;
List<BrowseIndex> indexesList = new ArrayList<BrowseIndex>();
int total = 0;


@@ -29,6 +29,7 @@ import org.springframework.data.domain.Page;
import org.springframework.data.domain.PageImpl;
import org.springframework.data.domain.Pageable;
import org.springframework.data.rest.webmvc.ResourceNotFoundException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Component;
/**
@@ -55,21 +56,23 @@ public class CollectionRestRepository extends DSpaceRestRepository<CollectionRes
}
@Override
public CollectionRest findOne(Context context, UUID id) {
Collection collection = null;
try {
collection = cs.find(context, id);
} catch (SQLException e) {
throw new RuntimeException(e.getMessage(), e);
}
if (collection == null) {
return null;
}
return converter.fromModel(collection);
@PreAuthorize("hasPermission(#id, 'COLLECTION', 'READ')")
public CollectionRest findOne(UUID id) {
Collection collection = null;
try {
collection = cs.find(obtainContext(), id);
} catch (SQLException e) {
throw new RuntimeException(e.getMessage(), e);
}
if (collection == null) {
return null;
}
return converter.fromModel(collection);
}
@Override
public Page<CollectionRest> findAll(Context context, Pageable pageable) {
public Page<CollectionRest> findAll(Pageable pageable) {
Context context = obtainContext();
List<Collection> it = null;
List<Collection> collections = new ArrayList<Collection>();
int total = 0;
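Review bot: findOne still ends in `return null;` when the collection is not found, while the Community, EPerson and Item repositories in this commit switch to `throw new ResourceNotFoundException();`. ResourceNotFoundException is already imported in this file, so the same line fits here. findAll also carries neither a `@PreAuthorize` nor a TODO, unlike the Bitstream, EPerson and Item repositories; if an unrestricted listing is intended, a short comment saying so would make that explicit. findAll's body continues outside the hunk.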


@@ -25,6 +25,7 @@ import org.springframework.data.domain.Page;
import org.springframework.data.domain.PageImpl;
import org.springframework.data.domain.Pageable;
import org.springframework.data.rest.webmvc.ResourceNotFoundException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Component;
/**
@@ -47,21 +48,23 @@ public class CommunityRestRepository extends DSpaceRestRepository<CommunityRest,
}
@Override
public CommunityRest findOne(Context context, UUID id) {
@PreAuthorize("hasPermission(#id, 'COMMUNITY', 'READ')")
public CommunityRest findOne(UUID id) {
Community community = null;
try {
community = cs.find(context, id);
community = cs.find(obtainContext(), id);
} catch (SQLException e) {
throw new RuntimeException(e.getMessage(), e);
}
if (community == null) {
return null;
throw new ResourceNotFoundException();
}
return converter.fromModel(community);
}
@Override
public Page<CommunityRest> findAll(Context context, Pageable pageable) {
public Page<CommunityRest> findAll(Pageable pageable) {
Context context = obtainContext();
List<Community> it = null;
List<Community> communities = new ArrayList<Community>();
int total = 0;


@@ -69,13 +69,6 @@ public abstract class DSpaceRestRepository<T extends RestAddressableModel, ID ex
return null;
}
@Override
public T findOne(ID id) {
Context context = obtainContext();
return findOne(context, id);
}
public abstract T findOne(Context context, ID id);
@Override
public boolean exists(ID id) {
@@ -133,19 +126,15 @@ public abstract class DSpaceRestRepository<T extends RestAddressableModel, ID ex
}
public abstract T findOne(ID id);
public abstract Page<T> findAll(Pageable pageable);
@Override
public Iterable<T> findAll(Sort sort) {
throw new RuntimeException("findAll MUST be paginated");
}
@Override
public Page<T> findAll(Pageable pageable) {
Context context = obtainContext();
return findAll(context, pageable);
}
public abstract Page<T> findAll(Context context, Pageable pageable);
public abstract Class<T> getDomainClass();
public abstract DSpaceResource<T> wrapResource(T model, String... rels);
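Review bot: The new abstract `findOne(ID id)` and `findAll(Pageable pageable)` have no Javadoc, and with the context-taking overloads removed the base class no longer sits between the REST layer and the subclass. Each override now has to obtain its own context and carry its own authorization annotation. I would document that on the declarations, e.g. `/** Implementations obtain the Context via obtainContext() and declare their own @PreAuthorize; nothing is enforced here. */`. As far as this page shows, an override that omits the annotation is open by default. The class body starts and ends outside the hunks.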


@@ -34,6 +34,8 @@ import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.domain.Page;
import org.springframework.data.domain.PageImpl;
import org.springframework.data.domain.Pageable;
import org.springframework.data.rest.webmvc.ResourceNotFoundException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Component;
@@ -94,22 +96,25 @@ public class EPersonRestRepository extends DSpaceRestRepository<EPersonRest, UUI
}
@Override
public EPersonRest findOne(Context context, UUID id) {
@PreAuthorize("hasPermission(#id, 'EPERSON', 'READ')")
public EPersonRest findOne(UUID id) {
EPerson eperson = null;
try {
eperson = es.find(context, id);
eperson = es.find(obtainContext(), id);
} catch (SQLException e) {
throw new RuntimeException(e.getMessage(), e);
}
if (eperson == null) {
return null;
throw new ResourceNotFoundException();
}
return converter.fromModel(eperson);
}
@Override
public Page<EPersonRest> findAll(Context context, Pageable pageable) {
@PreAuthorize("hasAuthority('ADMIN')")
public Page<EPersonRest> findAll(Pageable pageable) {
List<EPerson> epersons = null;
Context context = obtainContext();
int total = 0;
try {
if (!authorizeService.isAdmin(context)) {
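Review bot: findAll is now guarded by `@PreAuthorize("hasAuthority('ADMIN')")` while the body still tests `authorizeService.isAdmin(context)`, so admin status is decided in two places that can disagree (a granted authority on the Authentication versus the DSpace context). If the inner check is kept as defence in depth, say so in a comment such as `// second check against the DSpace context; the annotation only tests the granted authority`; otherwise drop one of them. The rest of the try block is outside the hunk, so what the non-admin branch does is not visible here.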


@@ -22,6 +22,7 @@ import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.domain.Page;
import org.springframework.data.domain.PageImpl;
import org.springframework.data.domain.Pageable;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Component;
/**
@@ -38,10 +39,11 @@ public class GroupRestRepository extends DSpaceRestRepository<GroupRest, UUID> {
GroupConverter converter;
@Override
public GroupRest findOne(Context context, UUID id) {
@PreAuthorize("hasPermission(#id, 'GROUP', 'READ')")
public GroupRest findOne(UUID id) {
Group group = null;
try {
group = gs.find(context, id);
group = gs.find(obtainContext(), id);
} catch (SQLException e) {
throw new RuntimeException(e.getMessage(), e);
}
@@ -51,8 +53,10 @@ public class GroupRestRepository extends DSpaceRestRepository<GroupRest, UUID> {
return converter.fromModel(group);
}
//TODO @PreAuthorize("hasAuthority('ADMIN')")
@Override
public Page<GroupRest> findAll(Context context, Pageable pageable) {
public Page<GroupRest> findAll(Pageable pageable) {
Context context = obtainContext();
List<Group> groups = null;
int total = 0;
try {


@@ -32,6 +32,7 @@ import org.springframework.data.domain.Page;
import org.springframework.data.domain.PageImpl;
import org.springframework.data.domain.Pageable;
import org.springframework.data.rest.webmvc.ResourceNotFoundException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Component;
/**
@@ -63,21 +64,24 @@ public class ItemRestRepository extends DSpaceRestRepository<ItemRest, UUID> {
}
@Override
public ItemRest findOne(Context context, UUID id) {
@PreAuthorize("hasPermission(#id, 'ITEM', 'READ')")
public ItemRest findOne(UUID id) {
Item item = null;
try {
item = is.find(context, id);
item = is.find(obtainContext(), id);
} catch (SQLException e) {
throw new RuntimeException(e.getMessage(), e);
}
if (item == null) {
return null;
throw new ResourceNotFoundException();
}
return converter.fromModel(item);
}
@Override
public Page<ItemRest> findAll(Context context, Pageable pageable) {
@PreAuthorize("hasAuthority('ADMIN')")
public Page<ItemRest> findAll(Pageable pageable) {
Context context = obtainContext();
Iterator<Item> it = null;
List<Item> items = new ArrayList<Item>();
int total = 0;


@@ -43,6 +43,7 @@ public class LicenseRestLinkRepository extends AbstractDSpaceRestRepository
return new LicenseResource(model);
}
//TODO @PreAuthorize("hasAuthority('EPERSON')")
public LicenseRest getLicenseCollection(HttpServletRequest request, UUID uuid, Pageable pageable, String projection)
throws Exception {
Context context = obtainContext();


@@ -46,10 +46,10 @@ public class MetadataFieldRestRepository extends DSpaceRestRepository<MetadataFi
}
@Override
public MetadataFieldRest findOne(Context context, Integer id) {
public MetadataFieldRest findOne(Integer id) {
MetadataField metadataField = null;
try {
metadataField = metaFieldService.find(context, id);
metadataField = metaFieldService.find(obtainContext(), id);
} catch (SQLException e) {
throw new RuntimeException(e.getMessage(), e);
}
@@ -60,10 +60,10 @@ public class MetadataFieldRestRepository extends DSpaceRestRepository<MetadataFi
}
@Override
public Page<MetadataFieldRest> findAll(Context context, Pageable pageable) {
public Page<MetadataFieldRest> findAll(Pageable pageable) {
List<MetadataField> metadataField = null;
try {
metadataField = metaFieldService.findAll(context);
metadataField = metaFieldService.findAll(obtainContext());
} catch (SQLException e) {
throw new RuntimeException(e.getMessage(), e);
}


@@ -15,7 +15,6 @@ import org.dspace.app.rest.model.MetadataSchemaRest;
import org.dspace.app.rest.model.hateoas.MetadataSchemaResource;
import org.dspace.content.MetadataSchema;
import org.dspace.content.service.MetadataSchemaService;
import org.dspace.core.Context;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.domain.Page;
import org.springframework.data.domain.Pageable;
@@ -39,10 +38,10 @@ public class MetadataSchemaRestRepository extends DSpaceRestRepository<MetadataS
}
@Override
public MetadataSchemaRest findOne(Context context, Integer id) {
public MetadataSchemaRest findOne(Integer id) {
MetadataSchema metadataSchema = null;
try {
metadataSchema = metaScemaService.find(context, id);
metadataSchema = metaScemaService.find(obtainContext(), id);
} catch (SQLException e) {
throw new RuntimeException(e.getMessage(), e);
}
@@ -53,10 +52,10 @@ public class MetadataSchemaRestRepository extends DSpaceRestRepository<MetadataS
}
@Override
public Page<MetadataSchemaRest> findAll(Context context, Pageable pageable) {
public Page<MetadataSchemaRest> findAll(Pageable pageable) {
List<MetadataSchema> metadataSchema = null;
try {
metadataSchema = metaScemaService.findAll(context);
metadataSchema = metaScemaService.findAll(obtainContext());
} catch (SQLException e) {
throw new RuntimeException(e.getMessage(), e);
}


@@ -16,7 +16,6 @@ import org.dspace.app.rest.model.hateoas.ResourcePolicyResource;
import org.dspace.app.rest.utils.Utils;
import org.dspace.authorize.ResourcePolicy;
import org.dspace.authorize.service.ResourcePolicyService;
import org.dspace.core.Context;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.domain.Page;
import org.springframework.data.domain.Pageable;
@@ -39,11 +38,12 @@ public class ResourcePolicyRestRepository extends DSpaceRestRepository<ResourceP
@Autowired
Utils utils;
//TODO @PreAuthorize("hasAuthority('EPERSON')")
@Override
public ResourcePolicyRest findOne(Context context, Integer id) {
public ResourcePolicyRest findOne(Integer id) {
ResourcePolicy source = null;
try {
source = resourcePolicyService.find(context, id);
source = resourcePolicyService.find(obtainContext(), id);
} catch (SQLException e) {
throw new RuntimeException(e.getMessage(), e);
}
@@ -53,8 +53,9 @@ public class ResourcePolicyRestRepository extends DSpaceRestRepository<ResourceP
return resourcePolicyConverter.convert(source);
}
//TODO @PreAuthorize("hasAuthority('EPERSON')")
@Override
public Page<ResourcePolicyRest> findAll(Context context, Pageable pageable) {
public Page<ResourcePolicyRest> findAll(Pageable pageable) {
throw new RepositoryMethodNotImplementedException(ResourcePolicyRest.NAME, "findAll");
}


@@ -17,7 +17,6 @@ import org.dspace.app.rest.model.SiteRest;
import org.dspace.app.rest.model.hateoas.SiteResource;
import org.dspace.content.Site;
import org.dspace.content.service.SiteService;
import org.dspace.core.Context;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.domain.Page;
import org.springframework.data.domain.PageImpl;
@@ -44,10 +43,10 @@ public class SiteRestRepository extends DSpaceRestRepository<SiteRest, UUID> {
}
@Override
public SiteRest findOne(Context context, UUID id) {
public SiteRest findOne(UUID id) {
Site site = null;
try {
site = sitesv.find(context, id);
site = sitesv.find(obtainContext(), id);
} catch (SQLException e) {
throw new RuntimeException(e.getMessage(), e);
}
@@ -58,11 +57,11 @@ public class SiteRestRepository extends DSpaceRestRepository<SiteRest, UUID> {
}
@Override
public Page<SiteRest> findAll(Context context, Pageable pageable) {
public Page<SiteRest> findAll(Pageable pageable) {
List<Site> sites = new ArrayList<Site>();
int total = 1;
try {
sites.add(sitesv.findSite(context));
sites.add(sitesv.findSite(obtainContext()));
} catch (SQLException e) {
throw new RuntimeException(e.getMessage(), e);
}


@@ -23,11 +23,11 @@ import org.dspace.app.util.SubmissionConfigReaderException;
import org.dspace.content.Collection;
import org.dspace.content.factory.ContentServiceFactory;
import org.dspace.content.service.CollectionService;
import org.dspace.core.Context;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.domain.Page;
import org.springframework.data.domain.PageImpl;
import org.springframework.data.domain.Pageable;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Component;
/**
@@ -48,8 +48,9 @@ public class SubmissionDefinitionRestRepository extends DSpaceRestRepository<Sub
submissionConfigReader = new SubmissionConfigReader();
}
@PreAuthorize("hasAuthority('EPERSON')")
@Override
public SubmissionDefinitionRest findOne(Context context, String submitName) {
public SubmissionDefinitionRest findOne(String submitName) {
SubmissionConfig subConfig = submissionConfigReader.getSubmissionConfigByName(submitName);
if (subConfig == null) {
return null;
@@ -57,8 +58,9 @@ public class SubmissionDefinitionRestRepository extends DSpaceRestRepository<Sub
return converter.convert(subConfig);
}
@PreAuthorize("hasAuthority('EPERSON')")
@Override
public Page<SubmissionDefinitionRest> findAll(Context context, Pageable pageable) {
public Page<SubmissionDefinitionRest> findAll(Pageable pageable) {
List<SubmissionConfig> subConfs = new ArrayList<SubmissionConfig>();
int total = submissionConfigReader.countSubmissionConfigs();
subConfs = submissionConfigReader.getAllSubmissionConfigs(pageable.getPageSize(), pageable.getOffset());
@@ -66,6 +68,7 @@ public class SubmissionDefinitionRestRepository extends DSpaceRestRepository<Sub
return page;
}
@PreAuthorize("hasAuthority('EPERSON')")
@SearchRestMethod(name = "findByCollection")
public SubmissionDefinitionRest findByCollection(@Parameter(value = "uuid", required = true) UUID collectionUuid)
throws SQLException {


@@ -16,7 +16,6 @@ import org.dspace.app.rest.model.hateoas.SubmissionFormResource;
import org.dspace.app.util.DCInputSet;
import org.dspace.app.util.DCInputsReader;
import org.dspace.app.util.DCInputsReaderException;
import org.dspace.core.Context;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.domain.Page;
import org.springframework.data.domain.PageImpl;
@@ -41,8 +40,9 @@ public class SubmissionFormRestRepository extends DSpaceRestRepository<Submissio
inputReader = new DCInputsReader();
}
//TODO @PreAuthorize("hasAuthority('EPERSON')")
@Override
public SubmissionFormRest findOne(Context context, String submitName) {
public SubmissionFormRest findOne(String submitName) {
DCInputSet inputConfig;
try {
inputConfig = inputReader.getInputsByFormName(submitName);
@@ -55,8 +55,9 @@ public class SubmissionFormRestRepository extends DSpaceRestRepository<Submissio
return converter.convert(inputConfig);
}
//TODO @PreAuthorize("hasAuthority('EPERSON')")
@Override
public Page<SubmissionFormRest> findAll(Context context, Pageable pageable) {
public Page<SubmissionFormRest> findAll(Pageable pageable) {
List<DCInputSet> subConfs = new ArrayList<DCInputSet>();
int total = inputReader.countInputs();
try {


@@ -18,7 +18,6 @@ import org.dspace.app.util.SubmissionConfig;
import org.dspace.app.util.SubmissionConfigReader;
import org.dspace.app.util.SubmissionConfigReaderException;
import org.dspace.app.util.SubmissionStepConfig;
import org.dspace.core.Context;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.domain.Page;
import org.springframework.data.domain.PageImpl;
@@ -42,8 +41,9 @@ public class SubmissionPanelRestRepository extends DSpaceRestRepository<Submissi
submissionConfigReader = new SubmissionConfigReader();
}
//TODO @PreAuthorize("hasAuthority('EPERSON')")
@Override
public SubmissionSectionRest findOne(Context context, String id) {
public SubmissionSectionRest findOne(String id) {
try {
SubmissionStepConfig step = submissionConfigReader.getStepConfig(id);
return converter.convert(step);
@@ -53,8 +53,9 @@ public class SubmissionPanelRestRepository extends DSpaceRestRepository<Submissi
}
}
//TODO @PreAuthorize("hasAuthority('EPERSON')")
@Override
public Page<SubmissionSectionRest> findAll(Context context, Pageable pageable) {
public Page<SubmissionSectionRest> findAll(Pageable pageable) {
List<SubmissionConfig> subConfs = new ArrayList<SubmissionConfig>();
subConfs = submissionConfigReader.getAllSubmissionConfigs(pageable.getPageSize(), pageable.getOffset());
int total = 0;


@@ -61,19 +61,21 @@ public class SubmissionUploadRestRepository extends DSpaceRestRepository<Submiss
submissionConfigReader = new SubmissionConfigReader();
}
//TODO @PreAuthorize("hasAuthority('EPERSON')")
@Override
public SubmissionUploadRest findOne(Context context, String submitName) {
public SubmissionUploadRest findOne(String submitName) {
UploadConfiguration config = uploadConfigurationService.getMap().get(submitName);
try {
return convert(context, config);
return convert(obtainContext(), config);
} catch (Exception e) {
log.error(e.getMessage(), e);
}
return null;
}
//TODO @PreAuthorize("hasAuthority('EPERSON')")
@Override
public Page<SubmissionUploadRest> findAll(Context context, Pageable pageable) {
public Page<SubmissionUploadRest> findAll(Pageable pageable) {
List<SubmissionConfig> subConfs = new ArrayList<SubmissionConfig>();
subConfs = submissionConfigReader.getAllSubmissionConfigs(pageable.getPageSize(), pageable.getOffset());
List<SubmissionUploadRest> results = new ArrayList<>();
@@ -84,7 +86,7 @@ public class SubmissionUploadRestRepository extends DSpaceRestRepository<Submiss
UploadConfiguration uploadConfig = uploadConfigurationService.getMap().get(step.getId());
if (uploadConfig != null) {
try {
results.add(convert(context, uploadConfig));
results.add(convert(obtainContext(), uploadConfig));
} catch (Exception e) {
log.error(e.getMessage(), e);
}
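Review bot: findOne passes the result of `uploadConfigurationService.getMap().get(submitName)` straight to `convert`, while findAll in the same file guards the same lookup with `if (uploadConfig != null)`. For an unknown name the outcome depends on how convert treats null (not visible here), and any exception is only logged before `return null`. A guard before the try, `if (config == null) { return null; }`, would make the unknown-name case explicit. In findAll, `obtainContext()` is now called on every loop iteration; a single `Context context = obtainContext();` before the loop would match the other findAll methods in this commit. findAll's body continues outside the hunks.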


@@ -13,7 +13,6 @@ import java.io.InputStream;
import java.sql.SQLException;
import java.util.List;
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import org.apache.log4j.Logger;
@@ -93,11 +92,12 @@ public class WorkspaceItemRestRepository extends DSpaceRestRepository<WorkspaceI
submissionConfigReader = new SubmissionConfigReader();
}
//TODO @PreAuthorize("hasPermission(#id, 'WORKSPACEITEM', 'READ')")
@Override
public WorkspaceItemRest findOne(Context context, Integer id) {
public WorkspaceItemRest findOne(Integer id) {
WorkspaceItem witem = null;
try {
witem = wis.find(context, id);
witem = wis.find(obtainContext(), id);
} catch (SQLException e) {
throw new RuntimeException(e.getMessage(), e);
}
@@ -107,8 +107,10 @@ public class WorkspaceItemRestRepository extends DSpaceRestRepository<WorkspaceI
return converter.fromModel(witem);
}
//TODO @PreAuthorize("hasAuthority('ADMIN')")
@Override
public Page<WorkspaceItemRest> findAll(Context context, Pageable pageable) {
public Page<WorkspaceItemRest> findAll(Pageable pageable) {
Context context = obtainContext();
List<WorkspaceItem> witems = null;
int total = 0;
try {
@@ -121,6 +123,7 @@ public class WorkspaceItemRestRepository extends DSpaceRestRepository<WorkspaceI
return page;
}
//TODO @PreAuthorize("hasPermission(#submitterID, 'EPERSON', 'READ')")
@SearchRestMethod(name = "findBySubmitter")
public Page<WorkspaceItemRest> findBySubmitter(@Parameter(value = "uuid", required = true) UUID submitterID,
Pageable pageable) {
@@ -146,8 +149,7 @@ public class WorkspaceItemRestRepository extends DSpaceRestRepository<WorkspaceI
@Override
protected WorkspaceItemRest save(Context context, WorkspaceItemRest wsi) {
SubmissionConfig submissionConfig = submissionConfigReader
.getSubmissionConfigByName(submissionConfigReader.getDefaultSubmissionConfigName());
SubmissionConfig submissionConfig = submissionConfigReader.getSubmissionConfigByName(submissionConfigReader.getDefaultSubmissionConfigName());
WorkspaceItem source = converter.toModel(wsi);
for (int stepNum = 0; stepNum < submissionConfig.getNumberOfSteps(); stepNum++) {
@@ -166,14 +168,13 @@ public class WorkspaceItemRestRepository extends DSpaceRestRepository<WorkspaceI
if (stepInstance instanceof AbstractProcessingStep) {
// load the JSPStep interface for this step
AbstractProcessingStep stepProcessing = (AbstractProcessingStep) stepClass
.newInstance();
.newInstance();
stepProcessing.doProcessing(context, getRequestService().getCurrentRequest(), source);
} else {
throw new Exception("The submission step class specified by '"
+ stepConfig.getProcessingClassName()
+ "' does not extend the class org.dspace.submit.AbstractProcessingStep!"
+ " Therefore it cannot be used by the Configurable Submission as the " +
"<processing-class>!");
+ stepConfig.getProcessingClassName()
+ "' does not extend the class org.dspace.submit.AbstractProcessingStep!"
+ " Therefore it cannot be used by the Configurable Submission as the <processing-class>!");
}
} catch (Exception e) {
@@ -194,9 +195,10 @@ public class WorkspaceItemRestRepository extends DSpaceRestRepository<WorkspaceI
return new WorkspaceItemResource(witem, utils, rels);
}
//TODO @PreAuthorize("hasPermission(#id, 'WORKSPACEITEM', 'WRITE')")
@Override
public UploadBitstreamRest upload(HttpServletRequest request, String apiCategory, String model, Integer id,
String extraField, MultipartFile file) throws Exception {
String extraField, MultipartFile file) throws Exception {
UploadBitstreamRest result;
Bitstream source = null;
@@ -243,30 +245,28 @@ public class WorkspaceItemRestRepository extends DSpaceRestRepository<WorkspaceI
return result;
}
//TODO @PreAuthorize("hasPermission(#id, 'WORKSPACEITEM', 'WRITE')")
@Override
public void patch(Context context, HttpServletRequest request, String apiCategory, String model, Integer id,
Patch patch) throws SQLException, AuthorizeException {
public void patch(Context context, HttpServletRequest request, String apiCategory, String model, Integer id, Patch patch) throws SQLException, AuthorizeException {
List<Operation> operations = patch.getOperations();
WorkspaceItemRest wsi = findOne(id);
WorkspaceItem source = wis.find(context, id);
for (Operation op : operations) {
//the value in the position 0 is a null value
String[] path = op.getPath().substring(1).split("/", 3);
String[] path = op.getPath().substring(1).split("/",3);
if (OPERATION_PATH_SECTIONS.equals(path[0])) {
String section = path[1];
evaluatePatch(context, request, source, wsi, section, op);
} else {
throw new PatchBadRequestException(
"Patch path operation need to starts with '" + OPERATION_PATH_SECTIONS + "'");
}
else {
throw new PatchBadRequestException("Patch path operation need to starts with '" + OPERATION_PATH_SECTIONS + "'");
}
}
wis.update(context, source);
}
private void evaluatePatch(Context context, HttpServletRequest request, WorkspaceItem source, WorkspaceItemRest wsi,
String section, Operation op) {
SubmissionConfig submissionConfig = submissionConfigReader
.getSubmissionConfigByName(wsi.getSubmissionDefinition().getName());
private void evaluatePatch(Context context, HttpServletRequest request, WorkspaceItem source, WorkspaceItemRest wsi, String section, Operation op) {
SubmissionConfig submissionConfig = submissionConfigReader.getSubmissionConfigByName(wsi.getSubmissionDefinition().getName());
for (int stepNum = 0; stepNum < submissionConfig.getNumberOfSteps(); stepNum++) {
SubmissionStepConfig stepConfig = submissionConfig.getStep(stepNum);
@@ -286,15 +286,13 @@ public class WorkspaceItemRestRepository extends DSpaceRestRepository<WorkspaceI
if (stepInstance instanceof AbstractRestProcessingStep) {
// load the JSPStep interface for this step
AbstractRestProcessingStep stepProcessing = (AbstractRestProcessingStep) stepClass
.newInstance();
.newInstance();
stepProcessing.doPatchProcessing(context, getRequestService().getCurrentRequest(), source, op);
} else {
throw new PatchBadRequestException("The submission step class specified by '"
+ stepConfig.getProcessingClassName()
+ "' does not extend the class org.dspace.submit" +
".AbstractProcessingStep!"
+ " Therefore it cannot be used by the Configurable " +
"Submission as the <processing-class>!");
+ stepConfig.getProcessingClassName()
+ "' does not extend the class org.dspace.submit.AbstractProcessingStep!"
+ " Therefore it cannot be used by the Configurable Submission as the <processing-class>!");
}
} catch (Exception e) {
@@ -304,6 +302,7 @@ public class WorkspaceItemRestRepository extends DSpaceRestRepository<WorkspaceI
}
}
//TODO @PreAuthorize("hasPermission(#id, 'WORKSPACEITEM', 'DELETE')")
@Override
protected void delete(Context context, Integer id) throws AuthorizeException {
WorkspaceItem witem = null;
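Review bot: patch calls `findOne(id)` on `this`, and if method security here is proxy-based (the configuration is not on this page) a self-call does not pass through the proxy, so the READ check planned in the TODO on findOne would not apply on this path once it is enabled. patch therefore has to rely on its own WRITE check, and a comment at the call would record that: `// self-call: the @PreAuthorize on findOne is not applied here`. In the same method `path[1]` is read after `split("/",3)` without a length check, so a path consisting only of the sections prefix would raise ArrayIndexOutOfBoundsException instead of PatchBadRequestException; `if (path.length < 2) { throw new PatchBadRequestException("Patch path must name a section"); }` before that read covers it. The bodies of upload and delete continue outside the hunks.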


@@ -0,0 +1,69 @@
/**
* The contents of this file are subject to the license and copyright
* detailed in the LICENSE and NOTICE files at the root of the source
* tree and available online at
*
* http://www.dspace.org/license/
*/
package org.dspace.app.rest.security;
import java.io.Serializable;
import java.sql.SQLException;
import java.util.UUID;
import org.dspace.app.rest.utils.ContextUtil;
import org.dspace.authorize.service.AuthorizeService;
import org.dspace.content.DSpaceObject;
import org.dspace.content.factory.ContentServiceFactory;
import org.dspace.content.service.DSpaceObjectService;
import org.dspace.core.Constants;
import org.dspace.core.Context;
import org.dspace.eperson.EPerson;
import org.dspace.eperson.service.EPersonService;
import org.dspace.services.RequestService;
import org.dspace.services.model.Request;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
@Component
public class AdminRestPermissionEvaluatorPlugin extends DSpaceObjectPermissionEvaluatorPlugin {
private static final Logger log = LoggerFactory.getLogger(DSpaceObjectPermissionEvaluatorPlugin.class);
@Autowired
private AuthorizeService authorizeService;
@Autowired
private RequestService requestService;
@Autowired
private EPersonService ePersonService;
public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType,
Object permission) {
Request request = requestService.getCurrentRequest();
Context context = ContextUtil.obtainContext(request.getServletRequest());
EPerson ePerson = null;
try {
ePerson = ePersonService.findByEmail(context, (String) authentication.getPrincipal());
UUID dsoId = UUID.fromString(targetId.toString());
DSpaceObjectService<DSpaceObject> dSpaceObjectService =
ContentServiceFactory.getInstance()
.getDSpaceObjectService(
Constants.getTypeID(
targetType
.toString()));
DSpaceObject dSpaceObject = dSpaceObjectService.find(context, dsoId);
return authorizeService.isAdmin(context, ePerson, dSpaceObject);
} catch (SQLException e) {
log.error(e.getMessage(),e);
}
return false;
}
}
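Review bot: `UUID.fromString(targetId.toString())` in `hasPermission` throws `IllegalArgumentException` for any id that is not a UUID, and only `SQLException` is caught, so such a check ends in an unhandled exception instead of a clean "not granted". The `//TODO @PreAuthorize("hasPermission(#id, 'WORKSPACEITEM', 'DELETE')")` that this commit adds above `WorkspaceItemRestRepository.delete` passes an `Integer` id, so this path is reached as soon as that annotation is enabled; the same pattern is in `AuthorizeServicePermissionEvaluatorPlugin`, `EPersonRestPermissionEvaluatorPlugin` and `GroupRestPermissionEvaluatorPlugin`. Each plugin should return `false` for an id or type it does not handle, for instance by widening the handler to `catch (SQLException | IllegalArgumentException e)`. Separately, `log` is created with `DSpaceObjectPermissionEvaluatorPlugin.class`; it should name `AdminRestPermissionEvaluatorPlugin.class` so log lines point at the right class.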


@@ -0,0 +1,71 @@
/**
* The contents of this file are subject to the license and copyright
* detailed in the LICENSE and NOTICE files at the root of the source
* tree and available online at
*
* http://www.dspace.org/license/
*/
package org.dspace.app.rest.security;
import java.io.Serializable;
import java.sql.SQLException;
import java.util.UUID;
import org.dspace.app.rest.utils.ContextUtil;
import org.dspace.authorize.service.AuthorizeService;
import org.dspace.content.DSpaceObject;
import org.dspace.content.factory.ContentServiceFactory;
import org.dspace.content.service.DSpaceObjectService;
import org.dspace.core.Constants;
import org.dspace.core.Context;
import org.dspace.eperson.EPerson;
import org.dspace.eperson.service.EPersonService;
import org.dspace.services.RequestService;
import org.dspace.services.model.Request;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
@Component
public class AuthorizeServicePermissionEvaluatorPlugin extends DSpaceObjectPermissionEvaluatorPlugin {
private static final Logger log = LoggerFactory.getLogger(AuthorizeServicePermissionEvaluatorPlugin.class);
@Autowired
private AuthorizeService authorizeService;
@Autowired
private RequestService requestService;
@Autowired
private EPersonService ePersonService;
public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType,
Object permission) {
Request request = requestService.getCurrentRequest();
Context context = ContextUtil.obtainContext(request.getServletRequest());
EPerson ePerson = null;
try {
ePerson = ePersonService.findByEmail(context, (String) authentication.getPrincipal());
UUID dsoId = UUID.fromString(targetId.toString());
DSpaceObjectService<DSpaceObject> dSpaceObjectService =
ContentServiceFactory.getInstance()
.getDSpaceObjectService(Constants.getTypeID(targetType.toString()));
DSpaceObject dSpaceObject = dSpaceObjectService.find(context, dsoId);
//If the dso is null then we give permission so we can throw another status code instead
if (dSpaceObject == null) {
return true;
}
int action = Constants.getActionID((String) permission);
return authorizeService.authorizeActionBoolean(context, ePerson, dSpaceObject, action, false);
} catch (SQLException e) {
log.error(e.getMessage(),e);
}
return false;
}
}
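Review bot: Returning `true` when `dSpaceObject == null` makes this plugin fail open: a `hasPermission(#id, type, action)` check whose id does not resolve is granted to every caller, anonymous included, and since `DSpacePermissionEvaluator` grants as soon as one plugin returns `true`, no other plugin can veto it. That is only safe while every guarded method does nothing but answer "not found" for a missing object, which the evaluator cannot guarantee for write or delete actions. I would resolve `action` before the null check and limit the pass-through to reads, `if (dSpaceObject == null) { return action == Constants.READ; }`, and extend the comment to say that the repository method is responsible for the 404. Note that 403 versus 404 then tells a caller whether an id exists; confirm that is acceptable.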


@@ -0,0 +1,23 @@
/**
* The contents of this file are subject to the license and copyright
* detailed in the LICENSE and NOTICE files at the root of the source
* tree and available online at
*
* http://www.dspace.org/license/
*/
package org.dspace.app.rest.security;
import org.dspace.app.rest.model.DSpaceObjectRest;
import org.springframework.security.core.Authentication;
public abstract class DSpaceObjectPermissionEvaluatorPlugin implements RestPermissionEvaluatorPlugin {
public boolean hasPermission(Authentication authentication, Object targetDomainObject,
Object permission) {
DSpaceObjectRest dSpaceObject = (DSpaceObjectRest) targetDomainObject;
return hasPermission(authentication, dSpaceObject.getId(), dSpaceObject.getType(), permission);
}
}
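Review bot: The cast `(DSpaceObjectRest) targetDomainObject` is unchecked, so a `hasPermission(object, permission)` expression evaluated on a `null` value or on any other REST model throws `NullPointerException` or `ClassCastException` from inside the permission check. Because `DSpacePermissionEvaluator` reads `false` as "this plugin does not grant", the base class should abstain instead: put `if (!(targetDomainObject instanceof DSpaceObjectRest)) { return false; }` before the cast. The method also implements `RestPermissionEvaluatorPlugin.hasPermission` and should carry `@Override`.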


@@ -0,0 +1,44 @@
/**
* The contents of this file are subject to the license and copyright
* detailed in the LICENSE and NOTICE files at the root of the source
* tree and available online at
*
* http://www.dspace.org/license/
*/
package org.dspace.app.rest.security;
import java.io.Serializable;
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
@Component
public class DSpacePermissionEvaluator implements PermissionEvaluator {
@Autowired
private List<RestPermissionEvaluatorPlugin> permissionEvaluatorPluginList;
public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
for (RestPermissionEvaluatorPlugin permissionEvaluatorPlugin : permissionEvaluatorPluginList) {
if (permissionEvaluatorPlugin.hasPermission(authentication, targetDomainObject, permission)) {
return true;
}
}
return false;
}
public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType,
Object permission) {
for (RestPermissionEvaluatorPlugin permissionEvaluatorPlugin : permissionEvaluatorPluginList) {
if (permissionEvaluatorPlugin.hasPermission(authentication, targetId, targetType, permission)) {
return true;
}
}
return false;
}
}
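Review bot: The class has no Javadoc, and its combining rule is the security-relevant part: both `hasPermission` overloads grant as soon as any entry of `permissionEvaluatorPluginList` returns `true`, and no plugin can deny. I would state that on the class, for example `/** Grants access if at least one RestPermissionEvaluatorPlugin grants it; a plugin returns false to abstain and must never return true for an object it does not handle. */`. An exception thrown by one plugin also ends the loop before the remaining plugins are asked, which should either be documented or handled here.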


@@ -0,0 +1,58 @@
/**
* The contents of this file are subject to the license and copyright
* detailed in the LICENSE and NOTICE files at the root of the source
* tree and available online at
*
* http://www.dspace.org/license/
*/
package org.dspace.app.rest.security;
import java.io.Serializable;
import java.sql.SQLException;
import java.util.UUID;
import org.dspace.app.rest.utils.ContextUtil;
import org.dspace.core.Constants;
import org.dspace.core.Context;
import org.dspace.eperson.EPerson;
import org.dspace.eperson.service.EPersonService;
import org.dspace.services.RequestService;
import org.dspace.services.model.Request;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
@Component
public class EPersonRestPermissionEvaluatorPlugin extends DSpaceObjectPermissionEvaluatorPlugin {
private static final Logger log = LoggerFactory.getLogger(EPersonRestPermissionEvaluatorPlugin.class);
@Autowired
private RequestService requestService;
@Autowired
private EPersonService ePersonService;
public boolean hasPermission(Authentication authentication, Serializable targetId,
String targetType, Object permission) {
Request request = requestService.getCurrentRequest();
Context context = ContextUtil.obtainContext(request.getServletRequest());
EPerson ePerson = null;
try {
ePerson = ePersonService.findByEmail(context, (String) authentication.getPrincipal());
UUID dsoId = UUID.fromString(targetId.toString());
if (Constants.getTypeID(targetType.toString()) == Constants.EPERSON) {
if (dsoId.equals(ePerson.getID())) {
return true;
}
}
} catch (SQLException e) {
log.error(e.getMessage(),e);
}
return false;
}
}
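Review bot: `ePersonService.findByEmail(...)` can presumably return `null` (an anonymous or unknown principal), and `dsoId.equals(ePerson.getID())` then throws `NullPointerException` on every `EPERSON` check made without a matching account. Guard it with `if (ePerson != null && dsoId.equals(ePerson.getID()))`. The `permission` argument is never read, so a user is granted whatever action the expression asks for on their own record; if only some actions are meant to be self-service, check `Constants.getActionID((String) permission)` against them, otherwise say so in a comment.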


@@ -0,0 +1,65 @@
/**
* The contents of this file are subject to the license and copyright
* detailed in the LICENSE and NOTICE files at the root of the source
* tree and available online at
*
* http://www.dspace.org/license/
*/
package org.dspace.app.rest.security;
import java.io.Serializable;
import java.sql.SQLException;
import java.util.UUID;
import org.dspace.app.rest.utils.ContextUtil;
import org.dspace.core.Constants;
import org.dspace.core.Context;
import org.dspace.eperson.EPerson;
import org.dspace.eperson.Group;
import org.dspace.eperson.service.EPersonService;
import org.dspace.eperson.service.GroupService;
import org.dspace.services.RequestService;
import org.dspace.services.model.Request;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
@Component
public class GroupRestPermissionEvaluatorPlugin extends DSpaceObjectPermissionEvaluatorPlugin {
private static final Logger log = LoggerFactory.getLogger(GroupRestPermissionEvaluatorPlugin.class);
@Autowired
private RequestService requestService;
@Autowired
private GroupService groupService;
@Autowired
private EPersonService ePersonService;
public boolean hasPermission(Authentication authentication, Serializable targetId,
String targetType, Object permission) {
Request request = requestService.getCurrentRequest();
Context context = ContextUtil.obtainContext(request.getServletRequest());
EPerson ePerson = null;
try {
ePerson = ePersonService.findByEmail(context, (String) authentication.getPrincipal());
UUID dsoId = UUID.fromString(targetId.toString());
if (Constants.getTypeID(targetType.toString()) == Constants.GROUP) {
Group group = groupService.find(context, dsoId);
if (group.getMembers().contains(ePerson)) {
return true;
}
}
} catch (SQLException e) {
log.error(e.getMessage(), e);
}
return false;
}
}
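Review bot: The result of `groupService.find(context, dsoId)` is dereferenced on the next line without a null check, so a check against a group id that does not exist throws `NullPointerException` instead of abstaining; `AuthorizeServicePermissionEvaluatorPlugin` in this commit already treats a `null` result from `find` as possible. Use `if (group != null && group.getMembers().contains(ePerson))`. `getMembers()` looks like direct membership only, so confirm whether members of sub-groups are meant to pass as well. As in `EPersonRestPermissionEvaluatorPlugin`, `permission` is ignored, so membership grants every action requested on the group.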


@@ -0,0 +1,32 @@
/**
* The contents of this file are subject to the license and copyright
* detailed in the LICENSE and NOTICE files at the root of the source
* tree and available online at
*
* http://www.dspace.org/license/
*/
package org.dspace.app.rest.security;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
@Autowired
private PermissionEvaluator dSpacePermissionEvaluator;
@Override
protected MethodSecurityExpressionHandler createExpressionHandler() {
DefaultMethodSecurityExpressionHandler expressionHandler =
new DefaultMethodSecurityExpressionHandler();
expressionHandler.setPermissionEvaluator(dSpacePermissionEvaluator);
return expressionHandler;
}
}
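Review bot: `@EnableGlobalMethodSecurity(prePostEnabled = true)` is declared here and is also added to `WebSecurityConfiguration` in this commit, while only this class installs the `DSpacePermissionEvaluator` through `createExpressionHandler()`. Two enabling annotations presumably register a second, default method-security configuration next to this one, and it is then not obvious which expression handler evaluates `hasPermission(...)`. I would keep the annotation on `MethodSecurityConfig` only and drop it, with its import, from `WebSecurityConfiguration`. Typing the injected field as `DSpacePermissionEvaluator` rather than `PermissionEvaluator` would also keep the wiring unambiguous if another evaluator bean is ever added.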


@@ -0,0 +1,22 @@
/**
* The contents of this file are subject to the license and copyright
* detailed in the LICENSE and NOTICE files at the root of the source
* tree and available online at
*
* http://www.dspace.org/license/
*/
package org.dspace.app.rest.security;
import java.io.Serializable;
import org.springframework.security.core.Authentication;
public interface RestPermissionEvaluatorPlugin {
public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission);
public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType,
Object permission);
}


@@ -15,12 +15,12 @@ import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
@@ -34,6 +34,7 @@ import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
@EnableWebSecurity
@Configuration
@EnableConfigurationProperties(SecurityProperties.class)
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
public static final String ADMIN_GRANT = "ADMIN";
@@ -69,9 +70,6 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
http
//Tell Spring to not create Sessions
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
//Return the login URL when having an access denied error
.exceptionHandling().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/api/authn/login"))
.and()
//Anonymous requests should have the "ANONYMOUS" security grant
.anonymous().authorities(ANONYMOUS_GRANT).and()
//Wire up the HttpServletRequest with the current SecurityContext values
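Review bot: Unauthenticated requests now presumably receive 403 rather than a 401, because the `http` chain no longer sets an `authenticationEntryPoint(...)` and nothing in the visible lines replaces it; the integration tests in this commit do expect `isForbidden()` for calls without a token. A REST client then cannot tell "authenticate first" from "authenticated but not allowed". If that is not intended, answer unauthenticated requests with 401, e.g. `.exceptionHandling().authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)).and()`. The `configure` method starts and ends outside the hunk.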


@@ -21,6 +21,7 @@ import org.dspace.app.rest.repository.LinkRestRepository;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.core.MethodParameter;
import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.core.convert.ConversionException;
import org.springframework.core.convert.ConversionService;
import org.springframework.core.convert.TypeDescriptor;
@@ -96,8 +97,9 @@ public class RestRepositoryUtils {
*/
public Method getSearchMethod(String searchMethodName, DSpaceRestRepository repository) {
Method searchMethod = null;
for (Method method : repository.getClass().getMethods()) {
SearchRestMethod ann = method.getAnnotation(SearchRestMethod.class);
Method[] methods = org.springframework.util.ClassUtils.getUserClass(repository.getClass()).getMethods();
for (Method method : methods) {
SearchRestMethod ann = AnnotationUtils.findAnnotation(method, SearchRestMethod.class);
if (ann != null) {
String name = ann.name();
if (name.isEmpty()) {
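Review bot: The new lookup line spells out `org.springframework.util.ClassUtils` inline although `AnnotationUtils` gets an import in the same commit; unless another `ClassUtils` is already imported in this file, add `import org.springframework.util.ClassUtils;` and write `ClassUtils.getUserClass(repository.getClass())`. The reason for the change is not recorded either, and a comment such as `// repository beans may be proxied once method security is on; inspect the user class so @SearchRestMethod is still found` would keep someone from reverting it to `getClass().getMethods()`. `getSearchMethod` starts and ends outside the hunk.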


@@ -88,15 +88,15 @@ public class BitstreamRestRepositoryIT extends AbstractControllerIntegrationTest
.build();
}
getClient().perform(get("/api/core/bitstreams/"))
String token = getAuthToken(admin.getEmail(), password);
getClient(token).perform(get("/api/core/bitstreams/"))
.andExpect(status().isOk())
.andExpect(content().contentType(contentType))
.andExpect(jsonPath("$._embedded.bitstreams", Matchers.containsInAnyOrder(
BitstreamMatcher.matchBitstreamEntry(bitstream),
BitstreamMatcher.matchBitstreamEntry(bitstream1)
)))
;
)));
}
@Test
@@ -145,7 +145,9 @@ public class BitstreamRestRepositoryIT extends AbstractControllerIntegrationTest
.build();
}
getClient().perform(get("/api/core/bitstreams/")
String token = getAuthToken(admin.getEmail(), password);
getClient(token).perform(get("/api/core/bitstreams/")
.param("size", "1"))
.andExpect(status().isOk())
.andExpect(content().contentType(contentType))
@@ -160,7 +162,7 @@ public class BitstreamRestRepositoryIT extends AbstractControllerIntegrationTest
;
getClient().perform(get("/api/core/bitstreams/")
getClient(token).perform(get("/api/core/bitstreams/")
.param("size", "1")
.param("page", "1"))
.andExpect(status().isOk())
@@ -172,9 +174,10 @@ public class BitstreamRestRepositoryIT extends AbstractControllerIntegrationTest
Matchers.contains(
BitstreamMatcher.matchBitstreamEntry(bitstream)
)
)))
)));
;
getClient().perform(get("/api/core/bitstreams/"))
.andExpect(status().isForbidden());
}
//TODO Re-enable test after https://jira.duraspace.org/browse/DS-3774 is fixed
@@ -413,7 +416,9 @@ public class BitstreamRestRepositoryIT extends AbstractControllerIntegrationTest
.build();
Collection col1 = CollectionBuilder.createCollection(context, child1).withName("Collection 1").build();
getClient().perform(get("/api/core/bitstreams/" + UUID.randomUUID()))
String token = getAuthToken(admin.getEmail(), password);
getClient(token).perform(get("/api/core/bitstreams/" + UUID.randomUUID()))
.andExpect(status().isNotFound())
;


@@ -322,7 +322,7 @@ public class BrowsesResourceControllerIT extends AbstractControllerIntegrationTe
.withIssueDate("2015-03-12")
.withAuthor("Duck, Donald")
.withSubject("Cartoons").withSubject("Ducks")
.makePrivate()
.makeUnDiscoverable()
.build();
//4. An item with an item-level embargo


@@ -1735,7 +1735,7 @@ public class DiscoveryRestControllerIT extends AbstractControllerIntegrationTest
.withIssueDate("1990-02-13")
.withAuthor("Smith, Maria").withAuthor("Doe, Jane").withAuthor("Testing, Works")
.withSubject("TestingForMore").withSubject("ExtraEntry")
.makePrivate()
.makeUnDiscoverable()
.build();
Item publicItem3 = ItemBuilder.createItem(context, col2)
@@ -1987,7 +1987,7 @@ public class DiscoveryRestControllerIT extends AbstractControllerIntegrationTest
.withAuthor("test2, test2").withAuthor("Maybe, Maybe")
.withSubject("AnotherTest").withSubject("TestingForMore")
.withSubject("ExtraEntry")
.makePrivate()
.makeUnDiscoverable()
.build();
UUID scope = col2.getID();
@@ -2142,7 +2142,7 @@ public class DiscoveryRestControllerIT extends AbstractControllerIntegrationTest
.withIssueDate("2010-02-13")
.withAuthor("Smith, Maria").withAuthor("Doe, Jane")
.withSubject("AnotherTest").withSubject("ExtraEntry")
.makePrivate()
.makeUnDiscoverable()
.build();


@@ -22,6 +22,7 @@ import java.util.Arrays;
import java.util.UUID;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.xmlbeans.impl.regex.Match;
import org.dspace.app.rest.builder.CollectionBuilder;
import org.dspace.app.rest.builder.CommunityBuilder;
import org.dspace.app.rest.builder.EPersonBuilder;
@@ -34,14 +35,19 @@ import org.dspace.app.rest.test.AbstractControllerIntegrationTest;
import org.dspace.content.Collection;
import org.dspace.content.Item;
import org.dspace.eperson.EPerson;
import org.dspace.eperson.factory.EPersonServiceFactory;
import org.dspace.eperson.service.EPersonService;
import org.hamcrest.Matchers;
import org.junit.Ignore;
import org.junit.Test;
import org.springframework.beans.factory.annotation.Autowired;
public class EPersonRestRepositoryIT extends AbstractControllerIntegrationTest {
@Autowired
EPersonService ePersonService;
@Test
public void createTest() throws Exception {
context.turnOffAuthorisationSystem();
@@ -95,12 +101,16 @@ public class EPersonRestRepositoryIT extends AbstractControllerIntegrationTest {
.andExpect(content().contentType(contentType))
.andExpect(jsonPath("$._embedded.epersons", Matchers.containsInAnyOrder(
EPersonMatcher.matchEPersonEntry(newUser),
EPersonMatcher.matchDefaultTestEPerson(),
EPersonMatcher.matchDefaultTestEPerson()
EPersonMatcher.matchEPersonOnEmail(admin.getEmail()),
EPersonMatcher.matchEPersonOnEmail(eperson.getEmail())
)))
.andExpect(jsonPath("$.page.size", is(20)))
.andExpect(jsonPath("$.page.totalElements", is(3)))
;
getClient().perform(get("/api/eperson/eperson"))
.andExpect(status().isForbidden())
;
}
@Test
@@ -151,7 +161,7 @@ public class EPersonRestRepositoryIT extends AbstractControllerIntegrationTest {
)))
.andExpect(jsonPath("$._embedded.epersons", Matchers.not(
Matchers.contains(
EPersonMatcher.matchEPersonEntry(ePerson)
EPersonMatcher.matchEPersonEntry(admin)
)
)))
.andExpect(jsonPath("$.page.size", is(2)))
@@ -165,11 +175,15 @@ public class EPersonRestRepositoryIT extends AbstractControllerIntegrationTest {
.andExpect(status().isOk())
.andExpect(content().contentType(contentType))
.andExpect(jsonPath("$._embedded.epersons", Matchers.contains(
EPersonMatcher.matchEPersonEntry(ePerson)
EPersonMatcher.matchEPersonEntry(admin)
)))
.andExpect(jsonPath("$.page.size", is(2)))
.andExpect(jsonPath("$.page.totalElements", is(3)))
;
getClient().perform(get("/api/eperson/epersons"))
.andExpect(status().isForbidden())
;
}
@@ -203,7 +217,7 @@ public class EPersonRestRepositoryIT extends AbstractControllerIntegrationTest {
}
@Test
public void findOneRelsTest() throws Exception {
public void readEpersonAuthorizationTest() throws Exception {
context.turnOffAuthorisationSystem();
EPerson ePerson = EPersonBuilder.createEPerson(context)
@@ -225,11 +239,28 @@ public class EPersonRestRepositoryIT extends AbstractControllerIntegrationTest {
)))
.andExpect(jsonPath("$", Matchers.not(
is(
EPersonMatcher.matchEPersonEntry(ePerson)
EPersonMatcher.matchEPersonEntry(eperson)
)
)))
.andExpect(jsonPath("$._links.self.href",
Matchers.containsString("/api/eperson/epersons/" + ePerson2.getID())));
//EPerson can only access himself
String epersonToken = getAuthToken(eperson.getEmail(), password);
getClient(epersonToken).perform(get("/api/eperson/epersons/" + ePerson2.getID()))
.andExpect(status().isForbidden());
getClient(epersonToken).perform(get("/api/eperson/epersons/" + eperson.getID()))
.andExpect(status().isOk())
.andExpect(content().contentType(contentType))
.andExpect(jsonPath("$", is(
EPersonMatcher.matchEPersonOnEmail(eperson.getEmail())
)))
.andExpect(jsonPath("$._links.self.href", Matchers.containsString("/api/eperson/epersons/" + eperson.getID())));
}
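Review bot: The anonymous check added at the end of the first listing test requests `/api/eperson/eperson`, while the other calls visible in this file use `/api/eperson/epersons`; if the singular path is a typo, the `isForbidden()` assertion does not exercise the endpoint the test is about. Change it to `get("/api/eperson/epersons")`. The added imports `org.apache.xmlbeans.impl.regex.Match`, `EPersonServiceFactory` and `Ignore` are not used in any visible hunk and look like IDE leftovers; remove them if nothing outside the hunks needs them.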


@@ -40,8 +40,8 @@ public class GroupRestRepositoryIT extends AbstractControllerIntegrationTest {
.andExpect(jsonPath("$._embedded.groups", hasSize(2)))
// The default groups should consist of "Anonymous" and "Anonymous"
.andExpect(jsonPath("$._embedded.groups", Matchers.containsInAnyOrder(
GroupMatcher.matchGroupWithName("Administrator"),
GroupMatcher.matchGroupWithName("Anonymous")
GroupMatcher.matchGroupWithName("Administrator"),
GroupMatcher.matchGroupWithName("Anonymous")
)))
;
}
@@ -69,27 +69,29 @@ public class GroupRestRepositoryIT extends AbstractControllerIntegrationTest {
.withName(testGroupName)
.build();
String token = getAuthToken(admin.getEmail(), password);
String generatedGroupId = group.getID().toString();
String groupIdCall = "/api/eperson/groups/" + generatedGroupId;
getClient().perform(get(groupIdCall))
//The status has to be 200 OK
.andExpect(status().isOk())
.andExpect(content().contentType(contentType))
.andExpect(jsonPath("$", Matchers.is(
GroupMatcher.matchGroupEntry(group.getID(), group.getName())
)))
getClient(token).perform(get(groupIdCall))
//The status has to be 200 OK
.andExpect(status().isOk())
.andExpect(content().contentType(contentType))
.andExpect(jsonPath("$", Matchers.is(
GroupMatcher.matchGroupEntry(group.getID(), group.getName())
)))
;
getClient().perform(get("/api/eperson/groups"))
//The status has to be 200 OK
.andExpect(status().isOk())
.andExpect(content().contentType(contentType))
getClient(token).perform(get("/api/eperson/groups"))
//The status has to be 200 OK
.andExpect(status().isOk())
.andExpect(content().contentType(contentType))
.andExpect(jsonPath("$.page.totalElements", is(3)));
.andExpect(jsonPath("$.page.totalElements", is(3)));
}
@Test
public void findOneRelsTest() throws Exception {
public void readGroupAuthorizationTest() throws Exception {
context.turnOffAuthorisationSystem();
Group group = GroupBuilder.createGroup(context)
@@ -98,21 +100,42 @@ public class GroupRestRepositoryIT extends AbstractControllerIntegrationTest {
Group group2 = GroupBuilder.createGroup(context)
.withName("Group2")
.addMember(eperson)
.build();
getClient().perform(get("/api/eperson/groups/" + group2.getID()))
.andExpect(status().isOk())
.andExpect(content().contentType(contentType))
.andExpect(jsonPath("$", Matchers.is(
GroupMatcher.matchGroupEntry(group2.getID(), group2.getName())
)))
.andExpect(jsonPath("$", Matchers.not(
Matchers.is(
GroupMatcher.matchGroupEntry(group.getID(), group.getName())
)
)))
.andExpect(jsonPath("$._links.self.href",
Matchers.containsString("/api/eperson/groups/" + group2.getID())));
//Admin can access
String token = getAuthToken(admin.getEmail(), password);
getClient(token).perform(get("/api/eperson/groups/" + group2.getID()))
.andExpect(status().isOk())
.andExpect(content().contentType(contentType))
.andExpect(jsonPath("$", Matchers.is(
GroupMatcher.matchGroupEntry(group2.getID(), group2.getName())
)))
.andExpect(jsonPath("$", Matchers.not(
Matchers.is(
GroupMatcher.matchGroupEntry(group.getID(), group.getName())
)
)))
.andExpect(jsonPath("$._links.self.href",
Matchers.containsString("/api/eperson/groups/" + group2.getID())));
//People in group should be able to access token
token = getAuthToken(eperson.getEmail(), password);
getClient(token).perform(get("/api/eperson/groups/" + group2.getID()))
.andExpect(status().isOk())
.andExpect(content().contentType(contentType))
.andExpect(jsonPath("$", Matchers.is(
GroupMatcher.matchGroupEntry(group2.getID(), group2.getName())
)))
.andExpect(jsonPath("$", Matchers.not(
Matchers.is(
GroupMatcher.matchGroupEntry(group.getID(), group.getName())
)
)))
.andExpect(jsonPath("$._links.self.href",
Matchers.containsString("/api/eperson/groups/" + group2.getID())));
}
@Test
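Review bot: `readGroupAuthorizationTest` only asserts the allowed cases (the admin, and `eperson` as a member of `group2`); nothing pins what happens for a caller who is not a member or who sends no token. An authorization test needs the negative side too, so I would add requests for `"/api/eperson/groups/" + group2.getID()` made with `getClient()` and with a token of a non-member, each asserting the status that is intended for them. The comment `//People in group should be able to access token` presumably means "access the group".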


@@ -80,7 +80,9 @@ public class ItemRestRepositoryIT extends AbstractControllerIntegrationTest {
.withSubject("ExtraEntry")
.build();
getClient().perform(get("/api/core/items"))
String token = getAuthToken(admin.getEmail(), password);
getClient(token).perform(get("/api/core/items"))
.andExpect(status().isOk())
.andExpect(jsonPath("$._embedded.items", Matchers.containsInAnyOrder(
ItemMatcher.matchItemWithTitleAndDateIssued(publicItem1, "Public item 1", "2017-10-17"),
@@ -131,7 +133,9 @@ public class ItemRestRepositoryIT extends AbstractControllerIntegrationTest {
.withSubject("ExtraEntry")
.build();
getClient().perform(get("/api/core/items")
String token = getAuthToken(admin.getEmail(), password);
getClient(token).perform(get("/api/core/items")
.param("size", "2"))
.andExpect(status().isOk())
.andExpect(jsonPath("$._embedded.items", Matchers.containsInAnyOrder(
@@ -146,7 +150,7 @@ public class ItemRestRepositoryIT extends AbstractControllerIntegrationTest {
.andExpect(jsonPath("$._links.self.href", Matchers.containsString("/api/core/items")))
;
getClient().perform(get("/api/core/items")
getClient(token).perform(get("/api/core/items")
.param("size", "2")
.param("page", "1"))
.andExpect(status().isOk())
@@ -312,7 +316,9 @@ public class ItemRestRepositoryIT extends AbstractControllerIntegrationTest {
Collection col1 = CollectionBuilder.createCollection(context, child1).withName("Collection 1").build();
Collection col2 = CollectionBuilder.createCollection(context, child1).withName("Collection 2").build();
getClient().perform(get("/api/core/items/" + UUID.randomUUID()))
String token = getAuthToken(admin.getEmail(), password);
getClient(token).perform(get("/api/core/items/" + UUID.randomUUID()))
.andExpect(status().isNotFound())
;
@@ -1089,6 +1095,7 @@ public class ItemRestRepositoryIT extends AbstractControllerIntegrationTest {
.andExpect(status().is(404));
}
@Test
public void deleteOneTemplateTest() throws Exception {
context.turnOffAuthorisationSystem();
@@ -1117,6 +1124,7 @@ public class ItemRestRepositoryIT extends AbstractControllerIntegrationTest {
.andExpect(status().isOk());
}
@Test
public void deleteOneWorkspaceTest() throws Exception {
context.turnOffAuthorisationSystem();
@@ -1142,4 +1150,214 @@ public class ItemRestRepositoryIT extends AbstractControllerIntegrationTest {
getClient().perform(get("/api/core/items/" + workspaceItem.getID()))
.andExpect(status().isOk());
}
@Test
public void embargoAnonymousAccessTest() throws Exception{
context.turnOffAuthorisationSystem();
//** GIVEN **
//1. A community-collection structure with one parent community with sub-community and two collections.
parentCommunity = CommunityBuilder.createCommunity(context)
.withName("Parent Community")
.build();
Community child1 = CommunityBuilder.createSubCommunity(context, parentCommunity)
.withName("Sub Community")
.build();
Collection col1 = CollectionBuilder.createCollection(context, child1).withName("Collection 1").build();
//2. Three public items that are readable by Anonymous with different subjects
Item embargoedItem1 = ItemBuilder.createItem(context, col1)
.withTitle("embargoed item 1")
.withIssueDate("2017-10-17")
.withAuthor("Smith, Donald").withAuthor("Doe, John")
.withSubject("ExtraEntry")
.withEmbargoPeriod("6 months")
.build();
//2. Three public items that are readable by Anonymous with different subjects
Item publicItem1 = ItemBuilder.createItem(context, col1)
.withTitle("Public item 1")
.withIssueDate("2017-10-17")
.withAuthor("Smith, Donald").withAuthor("Doe, John")
.withSubject("ExtraEntry")
.build();
context.restoreAuthSystemState();
getClient().perform(get("/api/core/items/" + embargoedItem1.getID()))
.andExpect(status().isForbidden());
}
@Test
public void undiscoverableAnonymousAccessTest() throws Exception{
context.turnOffAuthorisationSystem();
//** GIVEN **
//1. A community-collection structure with one parent community with sub-community and two collections.
parentCommunity = CommunityBuilder.createCommunity(context)
.withName("Parent Community")
.build();
Community child1 = CommunityBuilder.createSubCommunity(context, parentCommunity)
.withName("Sub Community")
.build();
Collection col1 = CollectionBuilder.createCollection(context, child1).withName("Collection 1").build();
//2. Three public items that are readable by Anonymous with different subjects
Item unDiscoverableYetAccessibleItem1 = ItemBuilder.createItem(context, col1)
.withTitle("Undiscoverable item 1")
.withIssueDate("2017-10-17")
.withAuthor("Smith, Donald").withAuthor("Doe, John")
.withSubject("ExtraEntry")
.makeUnDiscoverable()
.build();
context.restoreAuthSystemState();
getClient().perform(get("/api/core/items/" + unDiscoverableYetAccessibleItem1.getID()))
.andExpect(status().isOk())
.andExpect(jsonPath("$", Matchers.is(
ItemMatcher.matchItemWithTitleAndDateIssued(unDiscoverableYetAccessibleItem1,
"Undiscoverable item 1", "2017-10-17")
)));
}
@Test
public void publicAnonymousAccessTest() throws Exception {
context.turnOffAuthorisationSystem();
parentCommunity = CommunityBuilder.createCommunity(context)
.withName("Parent Community")
.build();
Community child1 = CommunityBuilder.createSubCommunity(context, parentCommunity)
.withName("Sub Community")
.build();
Collection col1 = CollectionBuilder.createCollection(context, child1).withName("Collection 1").build();
Item publicItem1 = ItemBuilder.createItem(context, col1)
.withTitle("private item 1")
.withIssueDate("2017-10-17")
.withAuthor("Smith, Donald").withAuthor("Doe, John")
.withSubject("ExtraEntry")
.build();
context.restoreAuthSystemState();
getClient().perform(get("/api/core/items/" + publicItem1.getID()))
.andExpect(status().isOk());
}
@Test
public void embargoAdminAccessTest() throws Exception{
context.turnOffAuthorisationSystem();
//** GIVEN **
//1. A community-collection structure with one parent community with sub-community and two collections.
parentCommunity = CommunityBuilder.createCommunity(context)
.withName("Parent Community")
.build();
Community child1 = CommunityBuilder.createSubCommunity(context, parentCommunity)
.withName("Sub Community")
.build();
Collection col1 = CollectionBuilder.createCollection(context, child1).withName("Collection 1").build();
//2. Three public items that are readable by Anonymous with different subjects
Item embargoedItem1 = ItemBuilder.createItem(context, col1)
.withTitle("embargoed item 1")
.withIssueDate("2017-10-17")
.withAuthor("Smith, Donald").withAuthor("Doe, John")
.withSubject("ExtraEntry")
.withEmbargoPeriod("6 months")
.build();
//2. Three public items that are readable by Anonymous with different subjects
Item publicItem1 = ItemBuilder.createItem(context, col1)
.withTitle("Public item 1")
.withIssueDate("2017-10-17")
.withAuthor("Smith, Donald").withAuthor("Doe, John")
.withSubject("ExtraEntry")
.build();
context.restoreAuthSystemState();
String token1 = getAuthToken(admin.getEmail(), password);
getClient(token1).perform(get("/api/core/items/" + embargoedItem1.getID()))
.andExpect(status().isOk());
}
@Test
public void privateAdminAccessTest() throws Exception{
context.turnOffAuthorisationSystem();
//** GIVEN **
//1. A community-collection structure with one parent community with sub-community and two collections.
parentCommunity = CommunityBuilder.createCommunity(context)
.withName("Parent Community")
.build();
Community child1 = CommunityBuilder.createSubCommunity(context, parentCommunity)
.withName("Sub Community")
.build();
Collection col1 = CollectionBuilder.createCollection(context, child1).withName("Collection 1").build();
//2. Three public items that are readable by Anonymous with different subjects
Item privateItem1 = ItemBuilder.createItem(context, col1)
.withTitle("private item 1")
.withIssueDate("2017-10-17")
.withAuthor("Smith, Donald").withAuthor("Doe, John")
.withSubject("ExtraEntry")
.makeUnDiscoverable()
.build();
context.restoreAuthSystemState();
String token1 = getAuthToken(admin.getEmail(), password);
getClient(token1).perform(get("/api/core/items/" + privateItem1.getID()))
.andExpect(status().isOk());
}
@Test
public void publicAdminAccessTest() throws Exception {
context.turnOffAuthorisationSystem();
parentCommunity = CommunityBuilder.createCommunity(context)
.withName("Parent Community")
.build();
Community child1 = CommunityBuilder.createSubCommunity(context, parentCommunity)
.withName("Sub Community")
.build();
Collection col1 = CollectionBuilder.createCollection(context, child1).withName("Collection 1").build();
Item publicItem1 = ItemBuilder.createItem(context, col1)
.withTitle("private item 1")
.withIssueDate("2017-10-17")
.withAuthor("Smith, Donald").withAuthor("Doe, John")
.withSubject("ExtraEntry")
.build();
context.restoreAuthSystemState();
getClient().perform(get("/api/core/items/" + publicItem1.getID()))
.andExpect(status().isOk());
}
}


@@ -34,8 +34,16 @@ public class SubmissionDefinitionsControllerIT extends AbstractControllerIntegra
@Test
public void findAll() throws Exception {
//When we call the root endpoint
//When we call the root endpoint as anonymous user
getClient().perform(get("/api/config/submissiondefinitions"))
//The status has to be 403 Not Authorized
.andExpect(status().isForbidden());
String token = getAuthToken(admin.getEmail(), password);
getClient(token).perform(get("/api/config/submissiondefinitions"))
//The status has to be 200 OK
.andExpect(status().isOk())
//We expect the content type to be "application/hal+json;charset=UTF-8"
@@ -56,7 +64,14 @@ public class SubmissionDefinitionsControllerIT extends AbstractControllerIntegra
@Test
public void findDefault() throws Exception {
getClient().perform(get("/api/config/submissiondefinitions/traditional"))
//The status has to be 403 Not Authorized
.andExpect(status().isForbidden());
String token = getAuthToken(admin.getEmail(), password);
getClient(token).perform(get("/api/config/submissiondefinitions/traditional"))
//The status has to be 200 OK
.andExpect(status().isOk())
//We expect the content type to be "application/hal+json;charset=UTF-8"
@@ -80,6 +95,16 @@ public class SubmissionDefinitionsControllerIT extends AbstractControllerIntegra
Collection col1 = CollectionBuilder.createCollection(context, parentCommunity).withName("Collection 1").build();
getClient().perform(get("/api/config/submissiondefinitions/search/findByCollection")
.param("uuid", col1.getID().toString()))
//** THEN **
//The status has to be 200
.andExpect(status().isForbidden());
String token = getAuthToken(admin.getEmail(), password);
getClient(token).perform(get("/api/config/submissiondefinitions/search/findByCollection")
.param("uuid", col1.getID().toString()))
//** THEN **
//The status has to be 200
@@ -93,8 +118,17 @@ public class SubmissionDefinitionsControllerIT extends AbstractControllerIntegra
@Test
public void findCollections() throws Exception {
//Match only that a section exists with a submission configuration behind
getClient().perform(get("/api/config/submissiondefinitions/traditional/collections"))
//The status has to be 403 Not Authorized
.andExpect(status().isForbidden());
String token = getAuthToken(admin.getEmail(), password);
//Match only that a section exists with a submission configuration behind
getClient(token).perform(get("/api/config/submissiondefinitions/traditional/collections"))
//TODO - this method should return an empty page
.andExpect(status().isNoContent());
//this is the expected result
@@ -104,7 +138,14 @@ public class SubmissionDefinitionsControllerIT extends AbstractControllerIntegra
@Test
public void findSections() throws Exception {
getClient().perform(get("/api/config/submissiondefinitions/traditional/sections"))
//The status has to be 403 Not Authorized
.andExpect(status().isForbidden());
String token = getAuthToken(admin.getEmail(), password);
getClient(token).perform(get("/api/config/submissiondefinitions/traditional/sections"))
// The status has to be 200 OK
.andExpect(status().isOk())
// We expect the content type to be "application/hal+json;charset=UTF-8"
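Review bot: These tests pin only the two ends of the access rule, anonymous (403) and administrator (200/204), so they would pass unchanged whether the endpoints require any logged-in user or an administrator; an authenticated non-admin case is missing in all five hunks. Adding one request per test with a token for the ordinary test account, e.g. `String epersonToken = getAuthToken(eperson.getEmail(), password);` followed by the status the rule is meant to give, would fix that boundary (this assumes the `eperson` fixture and its password are reachable from this class, which the page does not show). Separately, the anonymous assertion in the findByCollection hunk still sits under `//The status has to be 200`, and the other comments label 403 as "Not Authorized"; `//The status has to be 403 Forbidden` would match the assertion. Several of the test methods start or end outside these hunks.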


@@ -67,7 +67,7 @@ public class ItemBuilder extends AbstractDSpaceObjectBuilder<Item> {
return addMetadataValue(item, MetadataSchema.DC_SCHEMA, "subject", null, subject);
}
public ItemBuilder makePrivate() {
public ItemBuilder makeUnDiscoverable() {
item.setDiscoverable(false);
return this;
}


@@ -37,9 +37,10 @@ public class EPersonMatcher {
}
public static Matcher<? super Object> matchDefaultTestEPerson() {
public static Matcher<? super Object> matchEPersonOnEmail(String email) {
return allOf(
hasJsonPath("$.type", is("eperson"))
);
hasJsonPath("$.type", is("eperson")),
hasJsonPath("$.email", is(email))
);
}
}


@@ -22,6 +22,7 @@ import org.apache.commons.io.Charsets;
import org.apache.commons.lang.StringUtils;
import org.dspace.app.rest.Application;
import org.dspace.app.rest.model.patch.Operation;
import org.dspace.app.rest.security.MethodSecurityConfig;
import org.dspace.app.rest.security.WebSecurityConfiguration;
import org.dspace.app.rest.utils.ApplicationConfig;
import org.junit.Assert;
@@ -54,7 +55,7 @@ import org.springframework.web.context.WebApplicationContext;
* @author Tom Desair (tom dot desair at atmire dot com)
*/
@RunWith(SpringJUnit4ClassRunner.class)
@SpringBootTest(classes = {Application.class, ApplicationConfig.class, WebSecurityConfiguration.class})
@SpringBootTest(classes = {Application.class, ApplicationConfig.class, WebSecurityConfiguration.class, MethodSecurityConfig.class})
@TestExecutionListeners( {DependencyInjectionTestExecutionListener.class, DirtiesContextTestExecutionListener.class,
TransactionalTestExecutionListener.class})
@DirtiesContext


@@ -122,9 +122,6 @@ public class AbstractIntegrationTestWithDatabase extends AbstractDSpaceIntegrati
ePersonService.update(context, eperson);
}
// Set our global test EPerson as the current user in DSpace
context.setCurrentUser(eperson);
// If our Anonymous/Administrator groups aren't initialized, initialize them as well
EPersonServiceFactory.getInstance().getGroupService().initDefaultGroupNames(context);
@@ -146,6 +143,9 @@ public class AbstractIntegrationTestWithDatabase extends AbstractDSpaceIntegrati
groupService.addMember(context, adminGroup, admin);
}
// Set our global test EPerson as the current user in DSpace
context.setCurrentUser(admin);
context.restoreAuthSystemState();
} catch (AuthorizeException ex) {
log.error("Error creating initial eperson or default groups", ex);
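Review bot: The second hunk leaves `admin` as the context's current user once setup finishes, so any test code that reaches services through `context` without authenticating first runs with administrator rights, and a missing permission check can go unnoticed there. The moved comment still reads "Set our global test EPerson as the current user", which no longer describes `context.setCurrentUser(admin);`; I would reword it to `// Set the test administrator as the current user; tests that check permissions must authenticate explicitly`. If only some tests need the admin default, setting it in those tests would keep the shared default least-privileged, though whether that is practical cannot be judged from these hunks. The enclosing setup method starts before the first hunk and continues past the last visible line.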