[DS-3097] Bitstreams of embargoed and/or withdrawn items can be accessed by anyone

dspace-api/src/main/java/org/dspace/authorize/AuthorizeServiceImpl.java

@@ -497,6 +497,15 @@ public class AuthorizeServiceImpl implements AuthorizeService
         }
         addPolicies(c, nonAdminPolicies, dest);
     }
+    
+    @Override
+    public void switchPoliciesAction(Context context, DSpaceObject dso, int fromAction, int toAction) throws SQLException, AuthorizeException {
+		List<ResourcePolicy> rps = getPoliciesActionFilter(context, dso, fromAction);
+        for (ResourcePolicy rp : rps) {
+        	rp.setAction(toAction);
+        }
+        resourcePolicyService.update(context, rps);
+	}
 
     @Override
     public void addPolicies(Context c, List<ResourcePolicy> policies, DSpaceObject dest)

dspace-api/src/main/java/org/dspace/authorize/service/AuthorizeService.java

@@ -428,4 +428,21 @@ public interface AuthorizeService {
 
     public ResourcePolicy createOrModifyPolicy(ResourcePolicy policy, Context context, String name, Group group, EPerson ePerson, Date embargoDate, int action, String reason, DSpaceObject dso) throws AuthorizeException, SQLException;
 
+	/**
+	 * Change all the policies related to the action (fromPolicy) of the
+	 * specified object to the new action (toPolicy)
+	 * 
+	 * @param context
+	 * @param dso
+	 *            the dspace object
+	 * @param fromAction
+	 *            the action to change
+	 * @param toAction
+	 *            the new action to set
+	 * @throws SQLException
+	 * @throws AuthorizeException
+	 */
+	void switchPoliciesAction(Context context, DSpaceObject dso, int fromAction, int toAction)
+			throws SQLException, AuthorizeException;
+
 }

dspace-api/src/main/java/org/dspace/content/ItemServiceImpl.java

@@ -531,8 +531,14 @@ public class ItemServiceImpl extends DSpaceObjectServiceImpl<Item> implements It
         context.addEvent(new Event(Event.MODIFY, Constants.ITEM, item.getID(),
                 "WITHDRAW", getIdentifiers(context, item)));
 
-        // remove all authorization policies, saving the custom ones
+        // switch all READ authorization policies to WITHDRAWN_READ
-        authorizeService.removeAllPoliciesByDSOAndTypeNotEqualsTo(context, item, ResourcePolicy.TYPE_CUSTOM);
+        authorizeService.switchPoliciesAction(context, item, Constants.READ, Constants.WITHDRAWN_READ);
+        for (Bundle bnd : item.getBundles()) {
+        	authorizeService.switchPoliciesAction(context, bnd, Constants.READ, Constants.WITHDRAWN_READ);
+        	for (Bitstream bs : bnd.getBitstreams()) {
+        		authorizeService.switchPoliciesAction(context, bs, Constants.READ, Constants.WITHDRAWN_READ);
+        	}
+        }
 
         // Write log
         log.info(LogManager.getHeader(context, "withdraw_item", "user="
@@ -580,16 +586,28 @@ public class ItemServiceImpl extends DSpaceObjectServiceImpl<Item> implements It
         context.addEvent(new Event(Event.MODIFY, Constants.ITEM, item.getID(),
                 "REINSTATE", getIdentifiers(context, item)));
 
-        // authorization policies
+		// restore all WITHDRAWN_READ authorization policies back to READ
-        if (colls.size() > 0)
+		for (Bundle bnd : item.getBundles()) {
-        {
+			authorizeService.switchPoliciesAction(context, bnd, Constants.WITHDRAWN_READ, Constants.READ);
-            // FIXME: not multiple inclusion friendly - just apply access
+			for (Bitstream bs : bnd.getBitstreams()) {
-            // policies from first collection
+				authorizeService.switchPoliciesAction(context, bs, Constants.WITHDRAWN_READ, Constants.READ);
-            // remove the item's policies and replace them with
+			}
-            // the defaults from the collection
+		}
-            inheritCollectionDefaultPolicies(context, item, colls.iterator().next());
-        }
 
+        // check if the item was withdrawn before the fix DS-3097
+        if (authorizeService.getPoliciesActionFilter(context, item, Constants.WITHDRAWN_READ).size() != 0) {
+        	authorizeService.switchPoliciesAction(context, item, Constants.WITHDRAWN_READ, Constants.READ);
+        }
+        else {
+	        // authorization policies
+	        if (colls.size() > 0)
+	        {
+	            // remove the item's policies and replace them with
+	            // the defaults from the collection
+	        	adjustItemPolicies(context, item, item.getOwningCollection());
+	        }
+        }
+        
         // Write log
         log.info(LogManager.getHeader(context, "reinstate_item", "user="
                 + e.getEmail() + ",item_id=" + item.getID()));

dspace-api/src/main/java/org/dspace/core/Constants.java

@@ -127,6 +127,8 @@ public class Constants
      */
     public static final int ADMIN = 11;
     
+    public static final int WITHDRAWN_READ = 12;
+    
     /** Position of front page news item -- top box */
     public static final int NEWS_TOP = 0;
 
@@ -139,7 +141,7 @@ public class Constants
     public static final String[] actionText = { "READ", "WRITE",
             "OBSOLETE (DELETE)", "ADD", "REMOVE", "WORKFLOW_STEP_1",
             "WORKFLOW_STEP_2", "WORKFLOW_STEP_3", "WORKFLOW_ABORT",
-            "DEFAULT_BITSTREAM_READ", "DEFAULT_ITEM_READ", "ADMIN" };
+            "DEFAULT_BITSTREAM_READ", "DEFAULT_ITEM_READ", "ADMIN", "WITHDRAWN_READ" };
 
     /**
      * generating constants for the relevance array dynamically is simple: just
@@ -175,7 +177,8 @@ public class Constants
             0, // 8 - WORKFLOW_ABORT
             RCOLLECTION, // 9 - DEFAULT_BITSTREAM_READ
             RCOLLECTION, // 10 - DEFAULT_ITEM_READ
-            RITEM | RCOLLECTION | RCOMMUNITY // 11 - ADMIN
+            RITEM | RCOLLECTION | RCOMMUNITY, // 11 - ADMIN
+            RBITSTREAM | RBUNDLE | RITEM // 12 - WITHDRAWN_READ
     };
 
     public static final String DEFAULT_ENCODING = "UTF-8";

dspace-api/src/main/resources/org/dspace/storage/rdbms/sqlmigration/h2/V6.0_2016.08.23__DS-3097.sql

@@ -0,0 +1,24 @@
+--
+-- The contents of this file are subject to the license and copyright
+-- detailed in the LICENSE and NOTICE files at the root of the source
+-- tree and available online at
+--
+-- http://www.dspace.org/license/
+--
+
+------------------------------------------------------
+-- DS-3097 introduced new action id for WITHDRAWN_READ 
+------------------------------------------------------
+
+UPDATE resourcepolicy SET action_id = 12 where action_id = 0 and dspace_object in (
+	SELECT bundle2bitstream.bitstream_id FROM bundle2bitstream
+		LEFT JOIN item2bundle ON bundle2bitstream.bundle_id = item2bundle.bundle_id
+		LEFT JOIN item ON item2bundle.item_id = item.uuid
+		WHERE item.withdrawn = 1
+);
+
+UPDATE resourcepolicy SET action_id = 12 where action_id = 0 and dspace_object in (
+	SELECT item2bundle.bundle_id FROM item2bundle
+		LEFT JOIN item ON item2bundle.item_id = item.uuid
+		WHERE item.withdrawn = 1
+);

dspace-api/src/main/resources/org/dspace/storage/rdbms/sqlmigration/oracle/V6.0_2016.08.23__DS-3097.sql

@@ -0,0 +1,24 @@
+--
+-- The contents of this file are subject to the license and copyright
+-- detailed in the LICENSE and NOTICE files at the root of the source
+-- tree and available online at
+--
+-- http://www.dspace.org/license/
+--
+
+------------------------------------------------------
+-- DS-3097 introduced new action id for WITHDRAWN_READ 
+------------------------------------------------------
+
+UPDATE resourcepolicy SET action_id = 12 where action_id = 0 and dspace_object in (
+	SELECT bundle2bitstream.bitstream_id FROM bundle2bitstream
+		LEFT JOIN item2bundle ON bundle2bitstream.bundle_id = item2bundle.bundle_id
+		LEFT JOIN item ON item2bundle.item_id = item.uuid
+		WHERE item.withdrawn = 1
+);
+
+UPDATE resourcepolicy SET action_id = 12 where action_id = 0 and dspace_object in (
+	SELECT item2bundle.bundle_id FROM item2bundle
+		LEFT JOIN item ON item2bundle.item_id = item.uuid
+		WHERE item.withdrawn = 1
+);

dspace-api/src/main/resources/org/dspace/storage/rdbms/sqlmigration/postgres/V6.0_2016.08.23__DS-3097.sql

@@ -0,0 +1,24 @@
+--
+-- The contents of this file are subject to the license and copyright
+-- detailed in the LICENSE and NOTICE files at the root of the source
+-- tree and available online at
+--
+-- http://www.dspace.org/license/
+--
+
+------------------------------------------------------
+-- DS-3097 introduced new action id for WITHDRAWN_READ 
+------------------------------------------------------
+
+UPDATE resourcepolicy SET action_id = 12 where action_id = 0 and dspace_object in (
+	SELECT bundle2bitstream.bitstream_id FROM bundle2bitstream
+		LEFT JOIN item2bundle ON bundle2bitstream.bundle_id = item2bundle.bundle_id
+		LEFT JOIN item ON item2bundle.item_id = item.uuid
+		WHERE item.withdrawn = true
+);
+
+UPDATE resourcepolicy SET action_id = 12 where action_id = 0 and dspace_object in (
+	SELECT item2bundle.bundle_id FROM item2bundle
+		LEFT JOIN item ON item2bundle.item_id = item.uuid
+		WHERE item.withdrawn = true
+);