added security on item version link end point
@@ -49,7 +49,7 @@ public class ItemVersionLinkRepository extends AbstractDSpaceRestRepository
|
||||
* itemUuid param as UUID
|
||||
* @throws SQLException If something goes wrong
|
||||
*/
|
||||
@PreAuthorize("hasPermission(#itemUuid, 'ITEM', 'READ')")
|
||||
@PreAuthorize("hasPermission(@extractorOf.getVersionIdByItemUUID(#request, #itemUuid), 'VERSION', 'READ')")
|
||||
public VersionRest getItemVersion(@Nullable HttpServletRequest request,
|
||||
UUID itemUuid,
|
||||
@Nullable Pageable optionalPageable,
|
||||
|
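Review bot: The `@PreAuthorize` that resolves the target through `@extractorOf.getVersionIdByItemUUID(#request, #itemUuid)` makes the endpoint's outcome depend on that call returning a non-null id, and the extractor returns null both when the item does not exist and when it has no version; since `VersionRestPermissionEvaluatorPlugin` now denies a null target id, both cases reach the caller as 403 instead of a 404 or an empty result, which is acceptable for enumeration resistance but should be stated in the Javadoc, e.g. `* Requires READ on the item's current version; the version id is resolved by the extractorOf bean, and a missing item or version is denied.` The extractor also wraps `SQLException` in a `RuntimeException`, so a database failure during the permission check surfaces as a 500 before `getItemVersion` runs; worth a `@throws` note if that is the intended behaviour. The body of `getItemVersion` continues outside the hunk.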
@@ -8,19 +8,25 @@
|
||||
package org.dspace.app.rest.security;
|
||||
import java.sql.SQLException;
|
||||
import java.util.Objects;
|
||||
import java.util.UUID;
|
||||
import javax.annotation.Nullable;
|
||||
import javax.servlet.ServletRequest;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
import org.apache.commons.lang.StringUtils;
|
||||
import org.dspace.app.rest.model.WorkflowItemRest;
|
||||
import org.dspace.app.rest.model.WorkspaceItemRest;
|
||||
import org.dspace.app.rest.utils.ContextUtil;
|
||||
import org.dspace.content.Item;
|
||||
import org.dspace.content.WorkspaceItem;
|
||||
import org.dspace.content.service.ItemService;
|
||||
import org.dspace.content.service.WorkspaceItemService;
|
||||
import org.dspace.core.Context;
|
||||
import org.dspace.services.RequestService;
|
||||
import org.dspace.versioning.Version;
|
||||
import org.dspace.versioning.VersionHistory;
|
||||
import org.dspace.versioning.service.VersionHistoryService;
|
||||
import org.dspace.versioning.service.VersioningService;
|
||||
import org.dspace.workflow.WorkflowItem;
|
||||
import org.dspace.workflow.WorkflowItemService;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
@@ -42,6 +48,15 @@ public class ExtractorOfAInprogressSubmissionInformations {
|
||||
@Autowired
|
||||
private VersionHistoryService versionHistoryService;
|
||||
|
||||
@Autowired
|
||||
private VersioningService versionService;
|
||||
|
||||
@Autowired
|
||||
private ItemService itemService;
|
||||
|
||||
@Autowired
|
||||
private RequestService requestService;
|
||||
|
||||
public Integer getAInprogressSubmissionID(@Nullable HttpServletRequest request, Integer versionHistoryId) {
|
||||
Context context = getContext(request);
|
||||
if (Objects.nonNull(versionHistoryId)) {
|
||||
@@ -88,8 +103,26 @@ public class ExtractorOfAInprogressSubmissionInformations {
|
||||
return StringUtils.EMPTY;
|
||||
}
|
||||
|
||||
public Integer getVersionIdByItemUUID(@Nullable HttpServletRequest request, UUID uuid) {
|
||||
Context context = getContext(request);
|
||||
if (Objects.nonNull(uuid)) {
|
||||
try {
|
||||
Item item = itemService.find(context, uuid);
|
||||
if (Objects.nonNull(item)) {
|
||||
Version version = versionService.getVersion(context, item);
|
||||
return Objects.nonNull(version) ? version.getID() : null;
|
||||
}
|
||||
} catch (SQLException e) {
|
||||
throw new RuntimeException(e.getMessage(), e);
|
||||
}
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
private Context getContext(HttpServletRequest request) {
|
||||
return Objects.nonNull(request) ? ContextUtil.obtainContext(request) : null;
|
||||
ServletRequest currentRequest = requestService.getCurrentRequest().getServletRequest();
|
||||
return Objects.nonNull(request) ? ContextUtil.obtainContext(request)
|
||||
: ContextUtil.obtainContext(currentRequest);
|
||||
}
|
||||
|
||||
}
|
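Review bot: `getContext` fetches `requestService.getCurrentRequest().getServletRequest()` before checking whether the caller already supplied a request, so the fallback lookup runs on every call and, if `getCurrentRequest()` can be null outside a request scope, the method now throws a NullPointerException where it previously returned null. Moving the lookup into the fallback branch keeps the common path cheap and confines the new failure mode to the case that needs it; the parameter could also carry `@Nullable` like its callers. In the field hunk above, `private VersioningService versionService;` sits next to `versionHistoryService` and reads as a VersionService; `versioningService` would match the type. `getVersionIdByItemUUID` returns null both when the item is missing and when it has no version, and a one-line comment saying so (`// null when the item or its version is absent; the permission evaluator then denies`) would explain the 403 a caller sees.
```java
private Context getContext(@Nullable HttpServletRequest request) {
    if (Objects.nonNull(request)) {
        return ContextUtil.obtainContext(request);
    }
    // fall back to the thread's current request only when the caller passed none
    ServletRequest currentRequest = requestService.getCurrentRequest().getServletRequest();
    return ContextUtil.obtainContext(currentRequest);
}
```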
@@ -9,6 +9,7 @@ package org.dspace.app.rest.security;
|
||||
|
||||
import java.io.Serializable;
|
||||
import java.sql.SQLException;
|
||||
import java.util.Objects;
|
||||
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.dspace.app.rest.model.VersionRest;
|
||||
@@ -53,7 +54,7 @@ public class VersionRestPermissionEvaluatorPlugin extends RestObjectPermissionEv
|
||||
DSpaceRestPermission restPermission) {
|
||||
|
||||
|
||||
if (!StringUtils.equalsIgnoreCase(targetType, VersionRest.NAME)) {
|
||||
if (!StringUtils.equalsIgnoreCase(targetType, VersionRest.NAME) || Objects.isNull(targetId)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
|
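Review bot: The added `Objects.isNull(targetId)` guard denies without saying where a null can come from; in this commit it arrives from `@extractorOf.getVersionIdByItemUUID` returning null for an unknown item or an item without a version, and a reader of this evaluator alone cannot see that. A why-comment on the condition, `// a null id means the caller could not resolve a version (missing item or no version): deny rather than look it up`, keeps the default-deny visibly intentional. The enclosing method starts before the hunk and continues after it.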
@@ -78,6 +78,7 @@ import org.dspace.content.service.CollectionService;
|
||||
import org.dspace.core.Constants;
|
||||
import org.dspace.eperson.EPerson;
|
||||
import org.dspace.eperson.Group;
|
||||
import org.dspace.services.ConfigurationService;
|
||||
import org.dspace.versioning.Version;
|
||||
import org.dspace.workflow.WorkflowItem;
|
||||
import org.hamcrest.Matcher;
|
||||
@@ -91,6 +92,9 @@ public class ItemRestRepositoryIT extends AbstractControllerIntegrationTest {
|
||||
@Autowired
|
||||
private CollectionService collectionService;
|
||||
|
||||
@Autowired
|
||||
private ConfigurationService configurationService;
|
||||
|
||||
private Item publication1;
|
||||
private Item author1;
|
||||
private Item author2;
|
||||
@@ -4147,6 +4151,8 @@ public class ItemRestRepositoryIT extends AbstractControllerIntegrationTest {
|
||||
|
||||
@Test
|
||||
public void findVersionItemUnauthorizedTest() throws Exception {
|
||||
configurationService.setProperty("versioning.item.history.view.admin", true);
|
||||
|
||||
context.turnOffAuthorisationSystem();
|
||||
|
||||
parentCommunity = CommunityBuilder.createCommunity(context)
|
||||
@@ -4169,10 +4175,14 @@ public class ItemRestRepositoryIT extends AbstractControllerIntegrationTest {
|
||||
|
||||
getClient().perform(get("/api/core/items/" + item.getID() + "/version"))
|
||||
.andExpect(status().isUnauthorized());
|
||||
|
||||
configurationService.setProperty("versioning.item.history.view.admin", true);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void findVersionForItemForbiddenTest() throws Exception {
|
||||
configurationService.setProperty("versioning.item.history.view.admin", true);
|
||||
|
||||
context.turnOffAuthorisationSystem();
|
||||
|
||||
parentCommunity = CommunityBuilder.createCommunity(context)
|
||||
@@ -4197,5 +4207,39 @@ public class ItemRestRepositoryIT extends AbstractControllerIntegrationTest {
|
||||
String epersonToken = getAuthToken(eperson.getEmail(), password);
|
||||
getClient(epersonToken).perform(get("/api/core/items/" + item.getID() + "/version"))
|
||||
.andExpect(status().isForbidden());
|
||||
|
||||
configurationService.setProperty("versioning.item.history.view.admin", true);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void findVersionForItemBadRequestTest() throws Exception {
|
||||
context.turnOffAuthorisationSystem();
|
||||
|
||||
parentCommunity = CommunityBuilder.createCommunity(context)
|
||||
.withName("Parent Community")
|
||||
.build();
|
||||
|
||||
Collection col = CollectionBuilder.createCollection(context, parentCommunity)
|
||||
.withName("Collection test")
|
||||
.build();
|
||||
|
||||
Item item = ItemBuilder.createItem(context, col)
|
||||
.withTitle("Public test item")
|
||||
.withIssueDate("2021-04-27")
|
||||
.withAuthor("Doe, John")
|
||||
.withSubject("ExtraEntry")
|
||||
.build();
|
||||
|
||||
VersionBuilder.createVersion(context, item, "test").build();
|
||||
|
||||
context.restoreAuthSystemState();
|
||||
|
||||
String epersonToken = getAuthToken(eperson.getEmail(), password);
|
||||
getClient(epersonToken).perform(get("/api/core/items/wrongID/version"))
|
||||
.andExpect(status().isBadRequest());
|
||||
|
||||
getClient(epersonToken).perform(get("/api/core/items/1/version"))
|
||||
.andExpect(status().isBadRequest());
|
||||
}
|
||||
|
||||
}
|
||||
|
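Review bot: `findVersionForItemBadRequestTest` only sends ids that fail UUID parsing (`wrongID`, `1`), so the request is rejected before `@PreAuthorize` runs and the new authorization path where the extractor returns null (a well-formed UUID of a non-existent item, or an item with no version) is not covered; a case using `UUID.randomUUID()` that asserts the expected status (403 under the new evaluator, if I read it right) would pin that behaviour. In `findVersionItemUnauthorizedTest` and `findVersionForItemForbiddenTest` the trailing `configurationService.setProperty("versioning.item.history.view.admin", true)` sets the same value as the setup line, so it neither restores a prior value nor isolates later tests; if `true` is not the default, read the original value first and restore it at the end.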