hazza/DSpace
1
0
Fork 0
mirror of https://github.com/DSpace/DSpace.git synced 2025-10-07 01:54:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

taskid 71855 The /authz/authorizations/search/object endpoint sometimes ignores the feature param

Browse Source
This commit is contained in:
Samuel
2020-07-17 14:59:40 +02:00
parent 109e75de40
commit 76d441b53f
7 changed files with 333 additions and 308 deletions
Download Patch File Download Diff File Expand all files Collapse all files

81
dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/AuthorizationRestRepository.java
View File

@@ -7,6 +7,10 @@
*/
package org.dspace.app.rest.repository;
import static java.util.Collections.emptyList;
import static java.util.Collections.singletonList;
import static org.apache.commons.lang3.StringUtils.isNotBlank;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
@@ -145,9 +149,11 @@ public class AuthorizationRestRepository extends DSpaceRestRepository<Authorizat
@PreAuthorize("#epersonUuid==null || hasPermission(#epersonUuid, 'EPERSON', 'READ')")
@SearchRestMethod(name = "object")
public Page<AuthorizationRest> findByObject(@Parameter(value = "uri", required = true) String uri,
@Parameter(value = "eperson") UUID epersonUuid,
@Parameter(value = "eperson") UUID epersonUuid, @Parameter(value = "feature") String featureName,
Pageable pageable) throws AuthorizeException, SQLException {
Context context = obtainContext();
BaseObjectRest obj = utils.getBaseObjectRestFromUri(context, uri);
if (obj == null) {
return null;
@@ -162,11 +168,16 @@ public class AuthorizationRestRepository extends DSpaceRestRepository<Authorizat
context.switchContextUser(user);
}
List<AuthorizationFeature> features = authorizationFeatureService.findByResourceType(obj.getUniqueType());
List<Authorization> authorizations = new ArrayList<Authorization>();
for (AuthorizationFeature f : features) {
if (authorizationFeatureService.isAuthorized(context, f, obj)) {
authorizations.add(new Authorization(user, f, obj));
List<Authorization> authorizations;
if (isNotBlank(featureName)) {
authorizations = findByObjectAndFeature(context, user, obj, featureName);
} else {
List<AuthorizationFeature> features = authorizationFeatureService.findByResourceType(obj.getUniqueType());
authorizations = new ArrayList<>();
for (AuthorizationFeature f : features) {
if (authorizationFeatureService.isAuthorized(context, f, obj)) {
authorizations.add(new Authorization(user, f, obj));
}
}
}
@@ -177,57 +188,17 @@ public class AuthorizationRestRepository extends DSpaceRestRepository<Authorizat
return converter.toRestPage(authorizations, pageable, utils.obtainProjection());
}
/**
* It returns the authorization related to the requested feature if granted to the specified eperson or to the
* anonymous user. Only administrators and the user identified by the epersonUuid parameter can access this method
*
* @param uri
* the uri of the object to check the authorization against
* @param epersonUuid
* the eperson uuid to use in the authorization evaluation
* @param featureName
* limit the authorization check to only the feature identified via its name
* @param pageable
* the pagination options
* @return the list of matching authorization available for the requested user and object, filtered by feature if
* provided
* @throws AuthorizeException
* @throws SQLException
*/
@PreAuthorize("#epersonUuid==null || hasPermission(#epersonUuid, 'EPERSON', 'READ')")
@SearchRestMethod(name = "objectAndFeature")
public AuthorizationRest findByObjectAndFeature(@Parameter(value = "uri", required = true) String uri,
@Parameter(value = "eperson") UUID epersonUuid,
@Parameter(value = "feature", required = true) String featureName,
Pageable pageable) throws AuthorizeException, SQLException {
Context context = obtainContext();
BaseObjectRest obj = utils.getBaseObjectRestFromUri(context, uri);
if (obj == null) {
return null;
private List<Authorization> findByObjectAndFeature(
Context context, EPerson user, BaseObjectRest obj, String featureName
) throws SQLException {
AuthorizationFeature feature = authorizationFeatureService.find(featureName);
if (!authorizationFeatureService.isAuthorized(context, feature, obj)) {
return emptyList();
}
EPerson currUser = context.getCurrentUser();
// get the user specified in the requested parameters, can be null for anonymous
EPerson user = getUserFromRequestParameter(context, epersonUuid);
if (currUser != user) {
// Temporarily change the Context's current user in order to retrieve
// authorizations based on that user
context.switchContextUser(user);
}
AuthorizationFeature feature = authorizationFeatureService.find(featureName);
AuthorizationRest authorizationRest = null;
if (authorizationFeatureService.isAuthorized(context, feature, obj)) {
Authorization authz = new Authorization();
authz.setEperson(user);
authz.setFeature(feature);
authz.setObject(obj);
authorizationRest = converter.toRest(authz, utils.obtainProjection());
}
if (currUser != user) {
// restore the real current user
context.restoreContextUser();
}
return authorizationRest;
return singletonList(new Authorization(user, feature, obj));
}
/**

339
dspace-server-webapp/src/test/java/org/dspace/app/rest/AuthorizationRestRepositoryIT.java
View File

@@ -7,8 +7,12 @@
*/
package org.dspace.app.rest;
import static com.jayway.jsonpath.matchers.JsonPathMatchers.hasJsonPath;
import static org.hamcrest.Matchers.allOf;
import static org.hamcrest.Matchers.contains;
import static org.hamcrest.Matchers.greaterThanOrEqualTo;
import static org.hamcrest.Matchers.is;
import static org.hamcrest.Matchers.nullValue;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@@ -982,94 +986,153 @@ public class AuthorizationRestRepositoryIT extends AbstractControllerIntegration
String adminToken = getAuthToken(admin.getEmail(), password);
// verify that it works for administrators - with eperson parameter
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", comUri)
.param("projection", "level")
.param("projection", "full")
.param("embedLevelDepth", "1")
.param("feature", alwaysTrue.getName())
.param("eperson", admin.getID().toString()))
.andExpect(status().isOk())
.andExpect(jsonPath("$.type", is("authorization")))
.andExpect(jsonPath("$._embedded.feature.id", is(alwaysTrue.getName())))
.andExpect(jsonPath("$.id", Matchers.is(admin.getID().toString() + "_" + alwaysTrue.getName() + "_"
+ comRest.getUniqueType() + "_" + comRest.getId())));
.andExpect(jsonPath("$.page.totalElements", is(1)))
.andExpect(jsonPath("$._embedded.authorizations", contains(
allOf(
hasJsonPath("$.id", is(admin.getID().toString() + "_" + alwaysTrue.getName() + "_"
+ comRest.getUniqueType() + "_" + comRest.getId())),
hasJsonPath("$.type", is("authorization")),
hasJsonPath("$._embedded.feature.id", is(alwaysTrue.getName())),
hasJsonPath("$._embedded.eperson.id", is(admin.getID().toString()))
)
)));
// verify that it works for administrators - without eperson parameter
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", comUri)
.param("projection", "level")
.param("projection", "full")
.param("embedLevelDepth", "1")
.param("feature", alwaysTrue.getName()))
.andExpect(status().isOk())
.andExpect(jsonPath("$.type", is("authorization")))
.andExpect(jsonPath("$._embedded.feature.id", is(alwaysTrue.getName())))
.andExpect(jsonPath("$.id", Matchers.is(admin.getID().toString() + "_" + alwaysTrue.getName() + "_"
+ comRest.getUniqueType() + "_" + comRest.getId())));
.andExpect(jsonPath("$.page.totalElements", is(1)))
.andExpect(jsonPath("$._embedded.authorizations", contains(
allOf(
hasJsonPath("$.id", is(
admin.getID().toString() + "_"
+ alwaysTrue.getName() + "_"
+ comRest.getUniqueType() + "_" + comRest.getId()
)),
hasJsonPath("$.type", is("authorization")),
hasJsonPath("$._embedded.feature.id", is(alwaysTrue.getName())),
hasJsonPath("$._embedded.eperson.id", is(admin.getID().toString()))
)
)));
String epersonToken = getAuthToken(eperson.getEmail(), password);
// verify that it works for normal loggedin users - with eperson parameter
getClient(epersonToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(epersonToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", comUri)
.param("projection", "level")
.param("projection", "full")
.param("embedLevelDepth", "1")
.param("feature", alwaysTrue.getName())
.param("eperson", eperson.getID().toString()))
.andExpect(status().isOk())
.andExpect(jsonPath("$.type", is("authorization")))
.andExpect(jsonPath("$._embedded.feature.id", is(alwaysTrue.getName())))
.andExpect(jsonPath("$.id", Matchers.is(eperson.getID().toString() + "_" + alwaysTrue.getName() + "_"
+ comRest.getUniqueType() + "_" + comRest.getId())));
.andExpect(jsonPath("$.page.totalElements", is(1)))
.andExpect(jsonPath("$._embedded.authorizations", contains(
allOf(
hasJsonPath("$.id", is(
eperson.getID().toString() + "_"
+ alwaysTrue.getName() + "_"
+ comRest.getUniqueType() + "_" + comRest.getId()
)),
hasJsonPath("$.type", is("authorization")),
hasJsonPath("$._embedded.feature.id", is(alwaysTrue.getName())),
hasJsonPath("$._embedded.eperson.id", is(eperson.getID().toString()))
)
)));
// verify that it works for normal loggedin users - without eperson parameter
getClient(epersonToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(epersonToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", comUri)
.param("projection", "level")
.param("projection", "full")
.param("embedLevelDepth", "1")
.param("feature", alwaysTrue.getName()))
.andExpect(status().isOk())
.andExpect(jsonPath("$.type", is("authorization")))
.andExpect(jsonPath("$._embedded.feature.id", is(alwaysTrue.getName())))
.andExpect(jsonPath("$.id", Matchers.is(eperson.getID().toString() + "_" + alwaysTrue.getName() + "_"
+ comRest.getUniqueType() + "_" + comRest.getId())));
.andExpect(status().isOk())
.andExpect(jsonPath("$.page.totalElements", is(1)))
.andExpect(jsonPath("$._embedded.authorizations", contains(
allOf(
hasJsonPath("$.id", is(
eperson.getID().toString() + "_"
+ alwaysTrue.getName() + "_"
+ comRest.getUniqueType() + "_" + comRest.getId()
)),
hasJsonPath("$.type", is("authorization")),
hasJsonPath("$._embedded.feature.id", is(alwaysTrue.getName())),
hasJsonPath("$._embedded.eperson.id", is(eperson.getID().toString()))
)
)));
// verify that it works for administators inspecting other users - by using the eperson parameter
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", comUri)
.param("projection", "level")
.param("projection", "full")
.param("embedLevelDepth", "1")
.param("feature", alwaysTrue.getName())
.param("eperson", eperson.getID().toString()))
.andExpect(status().isOk())
.andExpect(jsonPath("$.type", is("authorization")))
.andExpect(jsonPath("$._embedded.feature.id", is(alwaysTrue.getName())))
.andExpect(jsonPath("$.id", Matchers.is(eperson.getID().toString() + "_" + alwaysTrue.getName() + "_"
+ comRest.getUniqueType() + "_" + comRest.getId())));
.andExpect(jsonPath("$.page.totalElements", is(1)))
.andExpect(jsonPath("$._embedded.authorizations", contains(
allOf(
hasJsonPath("$.id", is(
eperson.getID().toString() + "_"
+ alwaysTrue.getName() + "_"
+ comRest.getUniqueType() + "_" + comRest.getId()
)),
hasJsonPath("$.type", is("authorization")),
hasJsonPath("$._embedded.feature.id", is(alwaysTrue.getName())),
hasJsonPath("$._embedded.eperson.id", is(eperson.getID().toString()))
)
)));
// verify that it works for administators inspecting other users - by assuming login
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", comUri)
.param("projection", "level")
.param("projection", "full")
.param("embedLevelDepth", "1")
.param("feature", alwaysTrue.getName())
.header("X-On-Behalf-Of", eperson.getID()))
.andExpect(status().isOk())
.andExpect(jsonPath("$.type", is("authorization")))
.andExpect(jsonPath("$._embedded.feature.id", is(alwaysTrue.getName())))
.andExpect(jsonPath("$.id", Matchers.is(eperson.getID().toString() + "_" + alwaysTrue.getName() + "_"
+ comRest.getUniqueType() + "_" + comRest.getId())));
.andExpect(jsonPath("$.page.totalElements", is(1)))
.andExpect(jsonPath("$._embedded.authorizations", contains(
allOf(
hasJsonPath("$.id", is(
eperson.getID().toString() + "_"
+ alwaysTrue.getName() + "_"
+ comRest.getUniqueType() + "_" + comRest.getId()
)),
hasJsonPath("$.type", is("authorization")),
hasJsonPath("$._embedded.feature.id", is(alwaysTrue.getName())),
hasJsonPath("$._embedded.eperson.id", is(eperson.getID().toString()))
)
)));
// verify that it works for anonymous users
getClient().perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient().perform(get("/api/authz/authorizations/search/object")
.param("uri", comUri)
.param("projection", "level")
.param("projection", "full")
.param("embedLevelDepth", "1")
.param("feature", alwaysTrue.getName()))
.andExpect(status().isOk())
.andExpect(jsonPath("$.type", is("authorization")))
.andExpect(jsonPath("$._embedded.feature.id", is(alwaysTrue.getName())))
.andExpect(jsonPath("$.id",Matchers.is(alwaysTrue.getName() + "_"
+ comRest.getUniqueType() + "_" + comRest.getId())));
.andExpect(status().isOk())
.andExpect(jsonPath("$.page.totalElements", is(1)))
.andExpect(jsonPath("$._embedded.authorizations", contains(
allOf(
hasJsonPath("$.id", is(
alwaysTrue.getName() + "_"
+ comRest.getUniqueType() + "_" + comRest.getId()
)),
hasJsonPath("$.type", is("authorization")),
hasJsonPath("$._embedded.feature.id", is(alwaysTrue.getName())),
hasJsonPath("$._embedded.eperson", nullValue())
)
)));
}
@Test
@@ -1086,52 +1149,52 @@ public class AuthorizationRestRepositoryIT extends AbstractControllerIntegration
String adminToken = getAuthToken(admin.getEmail(), password);
// verify that it works for administrators - with eperson parameter
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", alwaysFalse.getName())
.param("eperson", admin.getID().toString()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
// verify that it works for administrators - without eperson parameter
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", alwaysFalse.getName()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
String epersonToken = getAuthToken(eperson.getEmail(), password);
// verify that it works for normal loggedin users - with eperson parameter
getClient(epersonToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(epersonToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", trueForAdmins.getName())
.param("eperson", eperson.getID().toString()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
// verify that it works for normal loggedin users - without eperson parameter
getClient(epersonToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(epersonToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", trueForAdmins.getName()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
// verify that it works for administators inspecting other users - by using the eperson parameter
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", trueForAdmins.getName())
.param("eperson", eperson.getID().toString()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
// verify that it works for administators inspecting other users - by assuming login
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", trueForAdmins.getName())
.header("X-On-Behalf-Of", eperson.getID()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
// verify that it works for anonymous users
getClient().perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient().perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", trueForLoggedUsers.getName()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
}
@Test
@@ -1153,98 +1216,99 @@ public class AuthorizationRestRepositoryIT extends AbstractControllerIntegration
String adminToken = getAuthToken(admin.getEmail(), password);
// verify that it works for administrators, no result - with eperson parameter
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", wrongSiteUri)
.param("feature", alwaysTrue.getName())
.param("eperson", admin.getID().toString()))
.andExpect(status().isNoContent());
.andExpect(status().isOk())
.andExpect(jsonPath("$.page.totalElements", is(0)));
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", "not-existing-feature")
.param("eperson", admin.getID().toString()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
// verify that it works for administrators, no result - without eperson parameter
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", wrongSiteUri)
.param("feature", alwaysTrue.getName()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", "not-existing-feature"))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
String epersonToken = getAuthToken(eperson.getEmail(), password);
// verify that it works for normal loggedin users - with eperson parameter
getClient(epersonToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(epersonToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", wrongSiteUri)
.param("feature", alwaysTrue.getName())
.param("eperson", eperson.getID().toString()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
getClient(epersonToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(epersonToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", "not-existing-feature")
.param("eperson", eperson.getID().toString()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
// verify that it works for normal loggedin users - without eperson parameter
getClient(epersonToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(epersonToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", wrongSiteUri)
.param("feature", alwaysTrue.getName()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
getClient(epersonToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(epersonToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", "not-existing-feature"))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
// verify that it works for administators inspecting other users - by using the eperson parameter
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", wrongSiteUri)
.param("feature", alwaysTrue.getName())
.param("eperson", eperson.getID().toString()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", "not-existing-feature")
.param("eperson", eperson.getID().toString()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
// verify that it works for administators inspecting other users - by assuming login
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", wrongSiteUri)
.param("feature", alwaysTrue.getName())
.header("X-On-Behalf-Of", eperson.getID()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", "not-existing-feature")
.header("X-On-Behalf-Of", eperson.getID()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
// verify that it works for anonymous users
getClient().perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient().perform(get("/api/authz/authorizations/search/object")
.param("uri", wrongSiteUri)
.param("feature", alwaysTrue.getName()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
getClient().perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient().perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", "not-existing-feature"))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
}
@Test
/**
* Verify that the findByObject return the 400 Bad Request response for invalid or missing URI or feature (required
* parameters)
*
*
* @throws Exception
*/
public void findByObjectAndFeatureBadRequestTest() throws Exception {
@@ -1266,34 +1330,34 @@ public class AuthorizationRestRepositoryIT extends AbstractControllerIntegration
log.debug("findByObjectAndFeatureBadRequestTest - Testing the URI: " + invalidUri);
// verify that it works for administrators with an invalid or missing uri - with eperson parameter
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", invalidUri)
.param("feature", alwaysTrue.getName())
.param("eperson", admin.getID().toString()))
.andExpect(status().isBadRequest());
// verify that it works for administrators with an invalid or missing uri - without eperson parameter
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", invalidUri)
.param("feature", alwaysTrue.getName()))
.andExpect(status().isBadRequest());
// verify that it works for normal loggedin users with an invalid or missing uri - with eperson parameter
getClient(epersonToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(epersonToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", invalidUri)
.param("feature", alwaysTrue.getName())
.param("eperson", eperson.getID().toString()))
.andExpect(status().isBadRequest());
// verify that it works for normal loggedin users with an invalid or missing uri - without eperson parameter
getClient(epersonToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(epersonToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", invalidUri)
.param("feature", alwaysTrue.getName()))
.andExpect(status().isBadRequest());
// verify that it works for administators inspecting other users with an invalid or missing uri - by
// using the eperson parameter
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", invalidUri)
.param("feature", alwaysTrue.getName())
.param("eperson", eperson.getID().toString()))
@@ -1301,51 +1365,18 @@ public class AuthorizationRestRepositoryIT extends AbstractControllerIntegration
// verify that it works for administators inspecting other users with an invalid or missing uri - by
// assuming login
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", invalidUri)
.param("feature", alwaysTrue.getName())
.header("X-On-Behalf-Of", eperson.getID()))
.andExpect(status().isBadRequest());
// verify that it works for anonymous users with an invalid or missing uri
getClient().perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient().perform(get("/api/authz/authorizations/search/object")
.param("uri", invalidUri)
.param("feature", alwaysTrue.getName()))
.andExpect(status().isBadRequest());
}
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
.param("eperson", admin.getID().toString()))
.andExpect(status().isBadRequest());
getClient(epersonToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
.param("eperson", eperson.getID().toString()))
.andExpect(status().isBadRequest());
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
.param("eperson", eperson.getID().toString()))
.andExpect(status().isBadRequest());
getClient().perform(get("/api/authz/authorizations/search/objectAndFeature"))
.andExpect(status().isBadRequest());
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature"))
.andExpect(status().isBadRequest());
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
.param("uri", siteUri)
.param("eperson", admin.getID().toString()))
.andExpect(status().isBadRequest());
getClient(epersonToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
.param("uri", siteUri)
.param("eperson", eperson.getID().toString()))
.andExpect(status().isBadRequest());
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
.param("uri", siteUri)
.param("eperson", eperson.getID().toString()))
.andExpect(status().isBadRequest());
getClient().perform(get("/api/authz/authorizations/search/objectAndFeature")
.param("uri", siteUri))
.andExpect(status().isBadRequest());
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
.param("uri", siteUri.toString()))
.andExpect(status().isBadRequest());
}
@Test
@@ -1363,28 +1394,28 @@ public class AuthorizationRestRepositoryIT extends AbstractControllerIntegration
configurationService.setProperty("org.dspace.app.rest.authorization.AlwaysThrowExceptionFeature.turnoff", true);
// verify that it works for an anonymous user inspecting an admin user - by using the eperson parameter
getClient().perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient().perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", alwaysTrue.getName())
.param("eperson", admin.getID().toString()))
.andExpect(status().isUnauthorized());
// verify that it works for an anonymous user inspecting an admin user - by assuming login
getClient().perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient().perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", alwaysTrue.getName())
.header("X-On-Behalf-Of", admin.getID()))
.andExpect(status().isUnauthorized());
// verify that it works for an anonymous user inspecting a normal user - by using the eperson parameter
getClient().perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient().perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", alwaysTrue.getName())
.param("eperson", eperson.getID().toString()))
.andExpect(status().isUnauthorized());
// verify that it works for an anonymous user inspecting a normal user - by assuming login
getClient().perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient().perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", alwaysTrue.getName())
.header("X-On-Behalf-Of", eperson.getID()))
@@ -1411,28 +1442,28 @@ public class AuthorizationRestRepositoryIT extends AbstractControllerIntegration
String anotherToken = getAuthToken(anotherEperson.getEmail(), password);
// verify that he cannot search the admin authorizations - by using the eperson parameter
getClient(anotherToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(anotherToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", alwaysTrue.getName())
.param("eperson", admin.getID().toString()))
.andExpect(status().isForbidden());
// verify that he cannot search the admin authorizations - by assuming login
getClient(anotherToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(anotherToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", alwaysTrue.getName())
.header("X-On-Behalf-Of", admin.getID()))
.andExpect(status().isForbidden());
// verify that he cannot search the authorizations of another "normal" eperson - by using the eperson parameter
getClient(anotherToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(anotherToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", alwaysTrue.getName())
.param("eperson", eperson.getID().toString()))
.andExpect(status().isForbidden());
// verify that he cannot search the authorizations of another "normal" eperson - by assuming login
getClient(anotherToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(anotherToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", alwaysTrue.getName())
.header("X-On-Behalf-Of", eperson.getID()))
@@ -1452,14 +1483,14 @@ public class AuthorizationRestRepositoryIT extends AbstractControllerIntegration
String adminToken = getAuthToken(admin.getEmail(), password);
// verify that it works for administrators - with eperson parameter
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", alwaysException.getName())
.param("eperson", admin.getID().toString()))
.andExpect(status().isInternalServerError());
// verify that it works for administrators - without eperson parameter
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", alwaysException.getName()))
.andExpect(status().isInternalServerError());
@@ -1467,20 +1498,20 @@ public class AuthorizationRestRepositoryIT extends AbstractControllerIntegration
String epersonToken = getAuthToken(eperson.getEmail(), password);
// verify that it works for normal loggedin users - with eperson parameter
getClient(epersonToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(epersonToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", alwaysException.getName())
.param("eperson", eperson.getID().toString()))
.andExpect(status().isInternalServerError());
// verify that it works for normal loggedin users - without eperson parameter
getClient(epersonToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(epersonToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", alwaysException.getName()))
.andExpect(status().isInternalServerError());
// verify that it works for anonymous users
getClient().perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient().perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", alwaysException.getName()))
.andExpect(status().isInternalServerError());
@@ -1520,31 +1551,31 @@ public class AuthorizationRestRepositoryIT extends AbstractControllerIntegration
// check both via direct access than via a search method
getClient(adminToken).perform(get("/api/authz/authorizations/" + authAdminSite.getID()))
.andExpect(status().isNotFound());
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", trueForUsersInGroupTest.getName())
.param("eperson", admin.getID().toString()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
// nor the normal user both directly than if checked by the admin
getClient(adminToken).perform(get("/api/authz/authorizations/" + authNormalUserSite.getID()))
.andExpect(status().isNotFound());
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", trueForUsersInGroupTest.getName())
.param("eperson", normalUser.getID().toString()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
getClient(normalUserToken).perform(get("/api/authz/authorizations/" + authNormalUserSite.getID()))
.andExpect(status().isNotFound());
getClient(normalUserToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(normalUserToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", trueForUsersInGroupTest.getName())
.param("eperson", normalUser.getID().toString()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
// instead the member user has
getClient(adminToken).perform(get("/api/authz/authorizations/" + authMemberSite.getID()))
.andExpect(status().isOk());
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", trueForUsersInGroupTest.getName())
.param("eperson", memberOfTestGroup.getID().toString()))
@@ -1552,7 +1583,7 @@ public class AuthorizationRestRepositoryIT extends AbstractControllerIntegration
// so it can also check itself the permission
getClient(memberToken).perform(get("/api/authz/authorizations/" + authMemberSite.getID()))
.andExpect(status().isOk());
getClient(memberToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(memberToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", trueForUsersInGroupTest.getName())
.param("eperson", memberOfTestGroup.getID().toString()))
@@ -1568,7 +1599,7 @@ public class AuthorizationRestRepositoryIT extends AbstractControllerIntegration
// our admin now should have the authorization
getClient(adminToken).perform(get("/api/authz/authorizations/" + authAdminSite.getID()))
.andExpect(status().isOk());
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", trueForUsersInGroupTest.getName())
.param("eperson", admin.getID().toString()))
@@ -1576,15 +1607,15 @@ public class AuthorizationRestRepositoryIT extends AbstractControllerIntegration
// our normal user when checked via the admin should still not have the authorization
getClient(adminToken).perform(get("/api/authz/authorizations/" + authNormalUserSite.getID()))
.andExpect(status().isNotFound());
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", trueForUsersInGroupTest.getName())
.param("eperson", normalUser.getID().toString()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
// but he should have the authorization if loggedin directly
getClient(normalUserToken).perform(get("/api/authz/authorizations/" + authNormalUserSite.getID()))
.andExpect(status().isOk());
getClient(normalUserToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(normalUserToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", trueForUsersInGroupTest.getName())
.param("eperson", normalUser.getID().toString()))
@@ -1592,14 +1623,14 @@ public class AuthorizationRestRepositoryIT extends AbstractControllerIntegration
// for our direct member user we don't expect differences
getClient(adminToken).perform(get("/api/authz/authorizations/" + authMemberSite.getID()))
.andExpect(status().isOk());
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", trueForUsersInGroupTest.getName())
.param("eperson", memberOfTestGroup.getID().toString()))
.andExpect(status().isOk());
getClient(memberToken).perform(get("/api/authz/authorizations/" + authMemberSite.getID()))
.andExpect(status().isOk());
getClient(memberToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(memberToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", trueForUsersInGroupTest.getName())
.param("eperson", memberOfTestGroup.getID().toString()))

57
dspace-server-webapp/src/test/java/org/dspace/app/rest/authorization/CCLicenseFeatureRestIT.java
View File

@@ -7,6 +7,8 @@
*/
package org.dspace.app.rest.authorization;
import static org.hamcrest.Matchers.contains;
import static org.hamcrest.Matchers.is;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@@ -81,13 +83,14 @@ public class CCLicenseFeatureRestIT extends AbstractControllerIntegrationTest {
.andExpect(jsonPath("$",
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminCCLicense))));
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", itemUri)
.param("eperson", admin.getID().toString())
.param("feature", ccLicenseFeature.getName()))
.andExpect(status().isOk())
.andExpect(jsonPath("$",
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminCCLicense))));
.andExpect(jsonPath("$._embedded.authorizations", contains(
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminCCLicense))))
);
}
@Test
@@ -110,13 +113,14 @@ public class CCLicenseFeatureRestIT extends AbstractControllerIntegrationTest {
.andExpect(jsonPath("$",
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminCCLicense))));
getClient(comAdminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(comAdminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", itemUri)
.param("eperson", eperson.getID().toString())
.param("feature", ccLicenseFeature.getName()))
.andExpect(status().isOk())
.andExpect(jsonPath("$",
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminCCLicense))));
.andExpect(jsonPath("$._embedded.authorizations", contains(
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminCCLicense))))
);
// verify that the property core.authorization.collection-admin.item-admin.cc-license = false is respected
// the community admins should be still authorized
@@ -127,13 +131,14 @@ public class CCLicenseFeatureRestIT extends AbstractControllerIntegrationTest {
.andExpect(jsonPath("$",
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminCCLicense))));
getClient(comAdminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(comAdminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", itemUri)
.param("eperson", eperson.getID().toString())
.param("feature", ccLicenseFeature.getName()))
.andExpect(status().isOk())
.andExpect(jsonPath("$",
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminCCLicense))));
.andExpect(jsonPath("$._embedded.authorizations", contains(
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminCCLicense))))
);
// now verify that the property core.authorization.community-admin.item-admin.cc-license = false is respected
// and also community admins are blocked
@@ -143,11 +148,11 @@ public class CCLicenseFeatureRestIT extends AbstractControllerIntegrationTest {
getClient(comAdminToken).perform(get("/api/authz/authorizations/" + authAdminCCLicense.getID()))
.andExpect(status().isNotFound());
getClient(comAdminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(comAdminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", itemUri)
.param("eperson", eperson.getID().toString())
.param("feature", ccLicenseFeature.getName()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
}
@Test
@@ -170,24 +175,25 @@ public class CCLicenseFeatureRestIT extends AbstractControllerIntegrationTest {
.andExpect(jsonPath("$",
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminCCLicense))));
getClient(colAdminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(colAdminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", itemUri)
.param("eperson", eperson.getID().toString())
.param("feature", ccLicenseFeature.getName()))
.andExpect(status().isOk())
.andExpect(jsonPath("$",
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminCCLicense))));
.andExpect(jsonPath("$._embedded.authorizations", contains(
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminCCLicense))))
);
// verify that the property core.authorization.collection-admin.item-admin.cc-license = false is respected
configurationService.setProperty("core.authorization.item-admin.cc-license", false);
configurationService.setProperty("core.authorization.collection-admin.item-admin.cc-license", false);
getClient(colAdminToken).perform(get("/api/authz/authorizations/" + authAdminCCLicense.getID()))
.andExpect(status().isNotFound());
getClient(colAdminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(colAdminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", itemUri)
.param("eperson", eperson.getID().toString())
.param("feature", ccLicenseFeature.getName()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
}
@Test
@@ -211,23 +217,24 @@ public class CCLicenseFeatureRestIT extends AbstractControllerIntegrationTest {
.andExpect(jsonPath("$",
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminCCLicense))));
getClient(itemAdminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(itemAdminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", itemUri)
.param("eperson", eperson.getID().toString())
.param("feature", ccLicenseFeature.getName()))
.andExpect(status().isOk())
.andExpect(jsonPath("$",
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminCCLicense))));
.andExpect(jsonPath("$._embedded.authorizations", contains(
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminCCLicense))))
);
// verify that the property core.authorization.item-admin.cc-license = false is respected
configurationService.setProperty("core.authorization.item-admin.cc-license", false);
getClient(itemAdminToken).perform(get("/api/authz/authorizations/" + authAdminCCLicense.getID()))
.andExpect(status().isNotFound());
getClient(itemAdminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(itemAdminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", itemUri)
.param("eperson", eperson.getID().toString())
.param("feature", ccLicenseFeature.getName()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
}
@Test
@@ -248,19 +255,19 @@ public class CCLicenseFeatureRestIT extends AbstractControllerIntegrationTest {
getClient(epersonToken).perform(get("/api/authz/authorizations/" + authEpersonCCLicense.getID()))
.andExpect(status().isNotFound());
getClient(epersonToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(epersonToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", itemUri)
.param("eperson", eperson.getID().toString())
.param("feature", ccLicenseFeature.getName()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
// check the authorization for the anonymous user
getClient().perform(get("/api/authz/authorizations/" + authAnonymousCCLicense.getID()))
.andExpect(status().isNotFound());
getClient().perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient().perform(get("/api/authz/authorizations/search/object")
.param("uri", itemUri)
.param("feature", ccLicenseFeature.getName()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
}
}

35
dspace-server-webapp/src/test/java/org/dspace/app/rest/authorization/EPersonRegistrationFeatureIT.java
View File

@@ -7,7 +7,10 @@
*/
package org.dspace.app.rest.authorization;
import static org.hamcrest.Matchers.greaterThan;
import static org.hamcrest.Matchers.is;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import org.dspace.app.rest.authorization.impl.EPersonRegistrationFeature;
@@ -63,10 +66,11 @@ public class EPersonRegistrationFeatureIT extends AbstractControllerIntegrationT
String siteUri = utils.linkToSingleResource(SiteRest, "self").getHref();
getClient().perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient().perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", epersonRegistrationFeature.getName()))
.andExpect(status().isOk());
.andExpect(status().isOk())
.andExpect(jsonPath("$.page.totalElements", greaterThan(0)));
}
@Test
@@ -78,10 +82,11 @@ public class EPersonRegistrationFeatureIT extends AbstractControllerIntegrationT
configurationService.setProperty("user.registration", false);
getClient().perform(get("/api/authz/authorizations/search/objectAndFeature")
.param("uri", siteUri)
.param("feature", epersonRegistrationFeature.getName()))
.andExpect(status().isNoContent());
getClient().perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", epersonRegistrationFeature.getName()))
.andExpect(status().isOk())
.andExpect(jsonPath("$.page.totalElements", is(0)));
}
@@ -94,18 +99,20 @@ public class EPersonRegistrationFeatureIT extends AbstractControllerIntegrationT
String siteUri = utils.linkToSingleResource(SiteRest, "self").getHref();
getClient().perform(get("/api/authz/authorizations/search/objectAndFeature")
.param("uri", siteUri)
.param("feature", epersonRegistrationFeature.getName()))
.andExpect(status().isOk());
getClient().perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", epersonRegistrationFeature.getName()))
.andExpect(status().isOk())
.andExpect(jsonPath("$.page.totalElements", greaterThan(0)));
//Enable Shibboleth and password login
configurationService.setProperty("plugin.sequence.org.dspace.authenticate.AuthenticationMethod", SHIB_ONLY);
getClient().perform(get("/api/authz/authorizations/search/objectAndFeature")
.param("uri", siteUri)
.param("feature", epersonRegistrationFeature.getName()))
.andExpect(status().isNoContent());
getClient().perform(get("/api/authz/authorizations/search/object")
.param("uri", siteUri)
.param("feature", epersonRegistrationFeature.getName()))
.andExpect(status().isOk())
.andExpect(jsonPath("$.page.totalElements", is(0)));
}
}

13
dspace-server-webapp/src/test/java/org/dspace/app/rest/authorization/LoginOnBehalfOfFeatureRestIT.java
View File

@@ -7,6 +7,7 @@
*/
package org.dspace.app.rest.authorization;
import static org.hamcrest.Matchers.is;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@@ -101,8 +102,7 @@ public class LoginOnBehalfOfFeatureRestIT extends AbstractControllerIntegrationT
.param("eperson", String.valueOf(admin.getID()))
.param("feature", loginOnBehalfOf.getName()))
.andExpect(status().isOk())
.andExpect(jsonPath("$._embedded.authorizations", Matchers.not(Matchers.hasItem(
AuthorizationMatcher.matchAuthorization(loginOnBehalfOfAuthorization)))));
.andExpect(jsonPath("$.page.totalElements", is(0)));
}
@Test
@@ -122,8 +122,7 @@ public class LoginOnBehalfOfFeatureRestIT extends AbstractControllerIntegrationT
.param("eperson", String.valueOf(eperson.getID()))
.param("feature", loginOnBehalfOf.getName()))
.andExpect(status().isOk())
.andExpect(jsonPath("$._embedded.authorizations", Matchers.not(
Matchers.hasItem(AuthorizationMatcher.matchAuthorization(loginOnBehalfOfAuthorization)))));
.andExpect(jsonPath("$.page.totalElements", is(0)));
}
@Test
@@ -143,8 +142,7 @@ public class LoginOnBehalfOfFeatureRestIT extends AbstractControllerIntegrationT
.param("eperson", String.valueOf(eperson.getID()))
.param("feature", loginOnBehalfOf.getName()))
.andExpect(status().isOk())
.andExpect(jsonPath("$._embedded.authorizations", Matchers.not(
Matchers.hasItem(AuthorizationMatcher.matchAuthorization(loginOnBehalfOfAuthorization)))));
.andExpect(jsonPath("$.page.totalElements", is(0)));
}
@Test
@@ -164,7 +162,6 @@ public class LoginOnBehalfOfFeatureRestIT extends AbstractControllerIntegrationT
.param("eperson", String.valueOf(admin.getID()))
.param("feature", loginOnBehalfOf.getName()))
.andExpect(status().isOk())
.andExpect(jsonPath("$._embedded.authorizations", Matchers.not(
Matchers.hasItem(AuthorizationMatcher.matchAuthorization(loginOnBehalfOfAuthorization)))));
.andExpect(jsonPath("$.page.totalElements", is(0)));
}
}

58
dspace-server-webapp/src/test/java/org/dspace/app/rest/authorization/ReinstateFeatureRestIT.java
View File

@@ -7,6 +7,8 @@
*/
package org.dspace.app.rest.authorization;
import static org.hamcrest.Matchers.contains;
import static org.hamcrest.Matchers.is;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@@ -82,13 +84,14 @@ public class ReinstateFeatureRestIT extends AbstractControllerIntegrationTest {
.andExpect(jsonPath("$",
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminWithdraw))));
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", itemUri)
.param("eperson", admin.getID().toString())
.param("feature", reinstateFeature.getName()))
.andExpect(status().isOk())
.andExpect(jsonPath("$",
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminWithdraw))));
.andExpect(jsonPath("$._embedded.authorizations", contains(
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminWithdraw))))
);
}
@Test
@@ -111,13 +114,14 @@ public class ReinstateFeatureRestIT extends AbstractControllerIntegrationTest {
.andExpect(jsonPath("$",
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminWithdraw))));
getClient(comAdminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(comAdminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", itemUri)
.param("eperson", eperson.getID().toString())
.param("feature", reinstateFeature.getName()))
.andExpect(status().isOk())
.andExpect(jsonPath("$",
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminWithdraw))));
.andExpect(jsonPath("$._embedded.authorizations", contains(
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminWithdraw))))
);
// verify that the property core.authorization.collection-admin.item.reinstatiate = false is respected
// the community admins should be still authorized
@@ -127,13 +131,14 @@ public class ReinstateFeatureRestIT extends AbstractControllerIntegrationTest {
.andExpect(jsonPath("$",
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminWithdraw))));
getClient(comAdminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(comAdminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", itemUri)
.param("eperson", eperson.getID().toString())
.param("feature", reinstateFeature.getName()))
.andExpect(status().isOk())
.andExpect(jsonPath("$",
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminWithdraw))));
.andExpect(jsonPath("$._embedded.authorizations", contains(
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminWithdraw))))
);
// now verify that the property core.authorization.community-admin.item.reinstatiate = false is respected
// and also community admins are blocked
@@ -143,11 +148,11 @@ public class ReinstateFeatureRestIT extends AbstractControllerIntegrationTest {
getClient(comAdminToken).perform(get("/api/authz/authorizations/" + authAdminWithdraw.getID()))
.andExpect(status().isNotFound());
getClient(comAdminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(comAdminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", itemUri)
.param("eperson", eperson.getID().toString())
.param("feature", reinstateFeature.getName()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
}
@Test
@@ -170,23 +175,24 @@ public class ReinstateFeatureRestIT extends AbstractControllerIntegrationTest {
.andExpect(jsonPath("$",
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminWithdraw))));
getClient(colAdminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(colAdminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", itemUri)
.param("eperson", eperson.getID().toString())
.param("feature", reinstateFeature.getName()))
.andExpect(status().isOk())
.andExpect(jsonPath("$",
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminWithdraw))));
.andExpect(jsonPath("$._embedded.authorizations", contains(
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminWithdraw))))
);
// verify that the property core.authorization.collection-admin.item.reinstatiate = false is respected
configurationService.setProperty("core.authorization.collection-admin.item.reinstatiate", false);
getClient(colAdminToken).perform(get("/api/authz/authorizations/" + authAdminWithdraw.getID()))
.andExpect(status().isNotFound());
getClient(colAdminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(colAdminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", itemUri)
.param("eperson", eperson.getID().toString())
.param("feature", reinstateFeature.getName()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
}
@Test
@@ -207,20 +213,20 @@ public class ReinstateFeatureRestIT extends AbstractControllerIntegrationTest {
getClient(epersonToken).perform(get("/api/authz/authorizations/" + authEpersonWithdraw.getID()))
.andExpect(status().isNotFound());
getClient(epersonToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(epersonToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", itemUri)
.param("eperson", eperson.getID().toString())
.param("feature", reinstateFeature.getName()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
// check the authorization for the anonymous user
getClient().perform(get("/api/authz/authorizations/" + authAnonymousWithdraw.getID()))
.andExpect(status().isNotFound());
getClient().perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient().perform(get("/api/authz/authorizations/search/object")
.param("uri", itemUri)
.param("feature", reinstateFeature.getName()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
}
@Test
@@ -251,28 +257,28 @@ public class ReinstateFeatureRestIT extends AbstractControllerIntegrationTest {
getClient(adminToken).perform(get("/api/authz/authorizations/" + authWithdrawnItem.getID()))
.andExpect(status().isNotFound());
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", archivedItemUri)
.param("eperson", eperson.getID().toString())
.param("feature", reinstateFeature.getName()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
getClient(adminToken).perform(get("/api/authz/authorizations/" + authWsItem.getID()))
.andExpect(status().isNotFound());
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", wsItemUri)
.param("eperson", eperson.getID().toString())
.param("feature", reinstateFeature.getName()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
getClient(adminToken).perform(get("/api/authz/authorizations/" + authWFItem.getID()))
.andExpect(status().isNotFound());
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", wfItemUri)
.param("eperson", eperson.getID().toString())
.param("feature", reinstateFeature.getName()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
}
}

58
dspace-server-webapp/src/test/java/org/dspace/app/rest/authorization/WithdrawFeatureRestIT.java
View File

@@ -7,6 +7,8 @@
*/
package org.dspace.app.rest.authorization;
import static org.hamcrest.Matchers.contains;
import static org.hamcrest.Matchers.is;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@@ -82,13 +84,14 @@ public class WithdrawFeatureRestIT extends AbstractControllerIntegrationTest {
.andExpect(jsonPath("$",
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminWithdraw))));
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", itemUri)
.param("eperson", admin.getID().toString())
.param("feature", withdrawFeature.getName()))
.andExpect(status().isOk())
.andExpect(jsonPath("$",
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminWithdraw))));
.andExpect(jsonPath("$._embedded.authorizations", contains(
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminWithdraw))))
);
}
@Test
@@ -111,13 +114,14 @@ public class WithdrawFeatureRestIT extends AbstractControllerIntegrationTest {
.andExpect(jsonPath("$",
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminWithdraw))));
getClient(comAdminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(comAdminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", itemUri)
.param("eperson", eperson.getID().toString())
.param("feature", withdrawFeature.getName()))
.andExpect(status().isOk())
.andExpect(jsonPath("$",
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminWithdraw))));
.andExpect(jsonPath("$._embedded.authorizations", contains(
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminWithdraw))))
);
// verify that the property core.authorization.collection-admin.item.withdraw = false is respected
// the community admins should be still authorized
@@ -127,13 +131,14 @@ public class WithdrawFeatureRestIT extends AbstractControllerIntegrationTest {
.andExpect(jsonPath("$",
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminWithdraw))));
getClient(comAdminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(comAdminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", itemUri)
.param("eperson", eperson.getID().toString())
.param("feature", withdrawFeature.getName()))
.andExpect(status().isOk())
.andExpect(jsonPath("$",
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminWithdraw))));
.andExpect(jsonPath("$._embedded.authorizations", contains(
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminWithdraw))))
);
// now verify that the property core.authorization.community-admin.item.withdraw = false is respected
// and also community admins are blocked
@@ -143,11 +148,11 @@ public class WithdrawFeatureRestIT extends AbstractControllerIntegrationTest {
getClient(comAdminToken).perform(get("/api/authz/authorizations/" + authAdminWithdraw.getID()))
.andExpect(status().isNotFound());
getClient(comAdminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(comAdminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", itemUri)
.param("eperson", eperson.getID().toString())
.param("feature", withdrawFeature.getName()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
}
@Test
@@ -170,23 +175,24 @@ public class WithdrawFeatureRestIT extends AbstractControllerIntegrationTest {
.andExpect(jsonPath("$",
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminWithdraw))));
getClient(colAdminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(colAdminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", itemUri)
.param("eperson", eperson.getID().toString())
.param("feature", withdrawFeature.getName()))
.andExpect(status().isOk())
.andExpect(jsonPath("$",
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminWithdraw))));
.andExpect(jsonPath("$._embedded.authorizations", contains(
Matchers.is(AuthorizationMatcher.matchAuthorization(authAdminWithdraw))))
);
// verify that the property core.authorization.collection-admin.item.withdraw = false is respected
configurationService.setProperty("core.authorization.collection-admin.item.withdraw", false);
getClient(colAdminToken).perform(get("/api/authz/authorizations/" + authAdminWithdraw.getID()))
.andExpect(status().isNotFound());
getClient(colAdminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(colAdminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", itemUri)
.param("eperson", eperson.getID().toString())
.param("feature", withdrawFeature.getName()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
}
@Test
@@ -207,20 +213,20 @@ public class WithdrawFeatureRestIT extends AbstractControllerIntegrationTest {
getClient(epersonToken).perform(get("/api/authz/authorizations/" + authEpersonWithdraw.getID()))
.andExpect(status().isNotFound());
getClient(epersonToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(epersonToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", itemUri)
.param("eperson", eperson.getID().toString())
.param("feature", withdrawFeature.getName()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
// check the authorization for the anonymous user
getClient().perform(get("/api/authz/authorizations/" + authAnonymousWithdraw.getID()))
.andExpect(status().isNotFound());
getClient().perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient().perform(get("/api/authz/authorizations/search/object")
.param("uri", itemUri)
.param("feature", withdrawFeature.getName()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
}
@Test
@@ -252,28 +258,28 @@ public class WithdrawFeatureRestIT extends AbstractControllerIntegrationTest {
getClient(adminToken).perform(get("/api/authz/authorizations/" + authWithdrawnItem.getID()))
.andExpect(status().isNotFound());
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", withdrawnItemUri)
.param("eperson", eperson.getID().toString())
.param("feature", withdrawFeature.getName()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
getClient(adminToken).perform(get("/api/authz/authorizations/" + authWsItem.getID()))
.andExpect(status().isNotFound());
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", wsItemUri)
.param("eperson", eperson.getID().toString())
.param("feature", withdrawFeature.getName()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
getClient(adminToken).perform(get("/api/authz/authorizations/" + authWFItem.getID()))
.andExpect(status().isNotFound());
getClient(adminToken).perform(get("/api/authz/authorizations/search/objectAndFeature")
getClient(adminToken).perform(get("/api/authz/authorizations/search/object")
.param("uri", wfItemUri)
.param("eperson", eperson.getID().toString())
.param("feature", withdrawFeature.getName()))
.andExpect(status().isNoContent());
.andExpect(jsonPath("$.page.totalElements", is(0)));
}
}