added implementations for support for Collection/Community role-based groups for Community/Collection Admins

dspace-api/src/main/java/org/dspace/app/util/AuthorizeUtil.java

@@ -601,4 +601,38 @@ public class AuthorizeUtil {
 
         throw new AuthorizeException("not authorized to manage this group");
     }
+
+    /**
+     * This method checks if the community Admin can manage accounts
+     * 
+     * @return true if is able
+     */
+    public static boolean canCommunityAdminManageAccounts() {
+        boolean isAble = false;
+        if (AuthorizeConfiguration.canCommunityAdminManagePolicies()
+            || AuthorizeConfiguration.canCommunityAdminManageAdminGroup()
+            || AuthorizeConfiguration.canCommunityAdminManageCollectionPolicies()
+            || AuthorizeConfiguration.canCommunityAdminManageCollectionSubmitters()
+            || AuthorizeConfiguration.canCommunityAdminManageCollectionWorkflows()
+            || AuthorizeConfiguration.canCommunityAdminManageCollectionAdminGroup()) {
+            isAble = true;
+        }
+        return isAble;
+    }
+
+    /**
+     * This method checks if the Collection Admin can manage accounts
+     * 
+     * @return true if is able
+     */
+    public static boolean canCollectionAdminManageAccounts() {
+        boolean isAble = false;
+        if (AuthorizeConfiguration.canCollectionAdminManagePolicies()
+            || AuthorizeConfiguration.canCollectionAdminManageSubmitters()
+            || AuthorizeConfiguration.canCollectionAdminManageWorkflows()
+            || AuthorizeConfiguration.canCollectionAdminManageAdminGroup()) {
+            isAble = true;
+        }
+        return isAble;
+    }
 }

dspace-api/src/main/java/org/dspace/authorize/AuthorizeServiceImpl.java

@@ -430,7 +430,10 @@ public class AuthorizeServiceImpl implements AuthorizeService {
 
     public boolean isCommunityAdmin(Context c) throws SQLException {
         EPerson e = c.getCurrentUser();
+        return isCommunityAdmin(c, e);
+    }
 
+    public boolean isCommunityAdmin(Context c, EPerson e) throws SQLException {
         if (e != null) {
             List<ResourcePolicy> policies = resourcePolicyService.find(c, e,
                                                                        groupService.allMemberGroups(c, e),
@@ -446,7 +449,10 @@ public class AuthorizeServiceImpl implements AuthorizeService {
 
     public boolean isCollectionAdmin(Context c) throws SQLException {
         EPerson e = c.getCurrentUser();
+        return isCollectionAdmin(c, e);
+    }
 
+    public boolean isCollectionAdmin(Context c, EPerson e) throws SQLException {
         if (e != null) {
             List<ResourcePolicy> policies = resourcePolicyService.find(c, e,
                                                                        groupService.allMemberGroups(c, e),

dspace-api/src/main/java/org/dspace/authorize/service/AuthorizeService.java

@@ -213,6 +213,26 @@ public interface AuthorizeService {
 
     public boolean isCollectionAdmin(Context c) throws SQLException;
 
+    /**
+     * Check to see if a specific user is Community admin
+     * 
+     * @param c current context
+     * @param e the user to check
+     * @return true if user is an admin of some community
+     * @throws SQLException
+     */
+    public boolean isCommunityAdmin(Context c, EPerson e) throws SQLException;
+
+    /**
+     * Check to see if a specific user is Collection admin
+     * 
+     * @param c current context
+     * @param e the user to check
+     * @return true if user is an admin of some collection
+     * @throws SQLException if database error
+     */
+    public boolean isCollectionAdmin(Context c, EPerson e) throws SQLException;
+
     ///////////////////////////////////////////////
     // policy manipulation methods
     ///////////////////////////////////////////////

dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/EPersonRestRepository.java

@@ -147,7 +147,7 @@ public class EPersonRestRepository extends DSpaceObjectRestRepository<EPerson, E
      *            contains the pagination information
      * @return a Page of EPersonRest instances matching the user query
      */
-    @PreAuthorize("hasAuthority('ADMIN')")
+    @PreAuthorize("hasAuthority('ADMIN') || hasAuthority('ACCOUNT_ADMIN')")
     @SearchRestMethod(name = "byMetadata")
     public Page<EPersonRest> findByMetadata(@Parameter(value = "query", required = true) String query,
             Pageable pageable) {

dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/GroupRestRepository.java

@@ -131,7 +131,7 @@ public class GroupRestRepository extends DSpaceObjectRestRepository<Group, Group
      * @param pageable contains the pagination information
      * @return a Page of GroupRest instances matching the user query
      */
-    @PreAuthorize("hasAuthority('ADMIN')")
+    @PreAuthorize("hasAuthority('ADMIN') || hasAuthority('ACCOUNT_ADMIN')")
     @SearchRestMethod(name = "byMetadata")
     public Page<GroupRest> findByMetadata(@Parameter(value = "query", required = true) String query,
                                           Pageable pageable) {

dspace-server-webapp/src/main/java/org/dspace/app/rest/security/EPersonRestAuthenticationProvider.java

@@ -18,6 +18,7 @@ import javax.servlet.http.HttpServletRequest;
 
 import org.apache.commons.lang3.StringUtils;
 import org.dspace.app.rest.utils.ContextUtil;
+import org.dspace.app.util.AuthorizeUtil;
 import org.dspace.authenticate.AuthenticationMethod;
 import org.dspace.authenticate.service.AuthenticationService;
 import org.dspace.authorize.service.AuthorizeService;
@@ -47,6 +48,8 @@ public class EPersonRestAuthenticationProvider implements AuthenticationProvider
 
     private static final Logger log = LoggerFactory.getLogger(EPersonRestAuthenticationProvider.class);
 
+    public static final String ACCOUNT_ADMIN_GRANT = "ACCOUNT_ADMIN";
+
     @Autowired
     private AuthenticationService authenticationService;
 
@@ -140,14 +143,21 @@ public class EPersonRestAuthenticationProvider implements AuthenticationProvider
 
         if (eperson != null) {
             boolean isAdmin = false;
+            boolean isCommunityAdmin = false;
+            boolean isColectionAdmin = false;
             try {
                 isAdmin = authorizeService.isAdmin(context, eperson);
+                isCommunityAdmin = authorizeService.isCommunityAdmin(context, eperson);
+                isColectionAdmin = authorizeService.isCollectionAdmin(context, eperson);
             } catch (SQLException e) {
                 log.error("SQL error while checking for admin rights", e);
             }
 
             if (isAdmin) {
                 authorities.add(new SimpleGrantedAuthority(ADMIN_GRANT));
+            } else if ((isCommunityAdmin && AuthorizeUtil.canCommunityAdminManageAccounts())
+                       || (isColectionAdmin && AuthorizeUtil.canCollectionAdminManageAccounts())) {
+                authorities.add(new SimpleGrantedAuthority(ACCOUNT_ADMIN_GRANT));
             }
 
             authorities.add(new SimpleGrantedAuthority(AUTHENTICATED_GRANT));

dspace-server-webapp/src/main/java/org/dspace/app/rest/security/EPersonRestPermissionEvaluatorPlugin.java

@@ -17,6 +17,7 @@ import org.dspace.app.rest.model.patch.Patch;
 import org.dspace.app.rest.repository.patch.operation.DSpaceObjectMetadataPatchUtils;
 import org.dspace.app.rest.repository.patch.operation.EPersonPasswordReplaceOperation;
 import org.dspace.app.rest.utils.ContextUtil;
+import org.dspace.app.util.AuthorizeUtil;
 import org.dspace.authorize.service.AuthorizeService;
 import org.dspace.core.Constants;
 import org.dspace.core.Context;
@@ -74,9 +75,13 @@ public class EPersonRestPermissionEvaluatorPlugin extends RestObjectPermissionEv
             // anonymous user
             if (ePerson == null) {
                 return false;
-            }
-
-            if (dsoId.equals(ePerson.getID())) {
+            } else if (dsoId.equals(ePerson.getID())) {
+                return true;
+            } else if (authorizeService.isCommunityAdmin(context, ePerson)
+                       && AuthorizeUtil.canCommunityAdminManageAccounts()) {
+                return true;
+            } else if (authorizeService.isCollectionAdmin(context, ePerson)
+                       && AuthorizeUtil.canCollectionAdminManageAccounts()) {
                 return true;
             }
 

dspace-server-webapp/src/main/java/org/dspace/app/rest/security/GroupRestPermissionEvaluatorPlugin.java

@@ -12,6 +12,8 @@ import java.sql.SQLException;
 import java.util.UUID;
 
 import org.dspace.app.rest.utils.ContextUtil;
+import org.dspace.app.util.AuthorizeUtil;
+import org.dspace.authorize.service.AuthorizeService;
 import org.dspace.core.Constants;
 import org.dspace.core.Context;
 import org.dspace.eperson.EPerson;
@@ -44,6 +46,9 @@ public class GroupRestPermissionEvaluatorPlugin extends RestObjectPermissionEval
     @Autowired
     private EPersonService ePersonService;
 
+    @Autowired
+    AuthorizeService authorizeService;
+
     @Override
     public boolean hasDSpacePermission(Authentication authentication, Serializable targetId,
                                  String targetType, DSpaceRestPermission permission) {
@@ -64,7 +69,16 @@ public class GroupRestPermissionEvaluatorPlugin extends RestObjectPermissionEval
 
             Group group = groupService.find(context, dsoId);
 
-            if (groupService.isMember(context, ePerson, group)) {
+            // anonymous user
+            if (ePerson == null) {
+                return false;
+            } else if (groupService.isMember(context, ePerson, group)) {
+                return true;
+            } else if (authorizeService.isCommunityAdmin(context, ePerson)
+                       && AuthorizeUtil.canCommunityAdminManageAccounts()) {
+                return true;
+            } else if (authorizeService.isCollectionAdmin(context, ePerson)
+                    && AuthorizeUtil.canCollectionAdminManageAccounts()) {
                 return true;
             }