[DS-3097] Bitstreams of embargoed and/or withdrawn items can be accessed by anyone

2025-10-14 13:33:08 +00:00 · 2016-09-01 15:06:44 -04:00
parent ad4d1a8de3
commit 98ae2bd071
7 changed files with 132 additions and 13 deletions
--- a/dspace-api/src/main/java/org/dspace/authorize/AuthorizeServiceImpl.java
+++ b/dspace-api/src/main/java/org/dspace/authorize/AuthorizeServiceImpl.java
@@ -498,6 +498,15 @@ public class AuthorizeServiceImpl implements AuthorizeService
        addPolicies(c, nonAdminPolicies, dest);
    }
    
+    @Override
+    public void switchPoliciesAction(Context context, DSpaceObject dso, int fromAction, int toAction) throws SQLException, AuthorizeException {
+		List<ResourcePolicy> rps = getPoliciesActionFilter(context, dso, fromAction);
+        for (ResourcePolicy rp : rps) {
+        	rp.setAction(toAction);
+        }
+        resourcePolicyService.update(context, rps);
+	}
+
    @Override
    public void addPolicies(Context c, List<ResourcePolicy> policies, DSpaceObject dest)
            throws SQLException, AuthorizeException
--- a/dspace-api/src/main/java/org/dspace/authorize/service/AuthorizeService.java
+++ b/dspace-api/src/main/java/org/dspace/authorize/service/AuthorizeService.java
@@ -428,4 +428,21 @@ public interface AuthorizeService {

    public ResourcePolicy createOrModifyPolicy(ResourcePolicy policy, Context context, String name, Group group, EPerson ePerson, Date embargoDate, int action, String reason, DSpaceObject dso) throws AuthorizeException, SQLException;

+	/**
+	 * Change all the policies related to the action (fromPolicy) of the
+	 * specified object to the new action (toPolicy)
+	 * 
+	 * @param context
+	 * @param dso
+	 *            the dspace object
+	 * @param fromAction
+	 *            the action to change
+	 * @param toAction
+	 *            the new action to set
+	 * @throws SQLException
+	 * @throws AuthorizeException
+	 */
+	void switchPoliciesAction(Context context, DSpaceObject dso, int fromAction, int toAction)
+			throws SQLException, AuthorizeException;
+
 }
--- a/dspace-api/src/main/java/org/dspace/content/ItemServiceImpl.java
+++ b/dspace-api/src/main/java/org/dspace/content/ItemServiceImpl.java
@@ -531,8 +531,14 @@ public class ItemServiceImpl extends DSpaceObjectServiceImpl<Item> implements It
        context.addEvent(new Event(Event.MODIFY, Constants.ITEM, item.getID(),
                "WITHDRAW", getIdentifiers(context, item)));

-        // remove all authorization policies, saving the custom ones
-        authorizeService.removeAllPoliciesByDSOAndTypeNotEqualsTo(context, item, ResourcePolicy.TYPE_CUSTOM);
+        // switch all READ authorization policies to WITHDRAWN_READ
+        authorizeService.switchPoliciesAction(context, item, Constants.READ, Constants.WITHDRAWN_READ);
+        for (Bundle bnd : item.getBundles()) {
+        	authorizeService.switchPoliciesAction(context, bnd, Constants.READ, Constants.WITHDRAWN_READ);
+        	for (Bitstream bs : bnd.getBitstreams()) {
+        		authorizeService.switchPoliciesAction(context, bs, Constants.READ, Constants.WITHDRAWN_READ);
+        	}
+        }

        // Write log
        log.info(LogManager.getHeader(context, "withdraw_item", "user="
@@ -580,14 +586,26 @@ public class ItemServiceImpl extends DSpaceObjectServiceImpl<Item> implements It
        context.addEvent(new Event(Event.MODIFY, Constants.ITEM, item.getID(),
                "REINSTATE", getIdentifiers(context, item)));

+		// restore all WITHDRAWN_READ authorization policies back to READ
+		for (Bundle bnd : item.getBundles()) {
+			authorizeService.switchPoliciesAction(context, bnd, Constants.WITHDRAWN_READ, Constants.READ);
+			for (Bitstream bs : bnd.getBitstreams()) {
+				authorizeService.switchPoliciesAction(context, bs, Constants.WITHDRAWN_READ, Constants.READ);
+			}
+		}
+
+        // check if the item was withdrawn before the fix DS-3097
+        if (authorizeService.getPoliciesActionFilter(context, item, Constants.WITHDRAWN_READ).size() != 0) {
+        	authorizeService.switchPoliciesAction(context, item, Constants.WITHDRAWN_READ, Constants.READ);
+        }
+        else {
 	        // authorization policies
 	        if (colls.size() > 0)
 	        {
-            // FIXME: not multiple inclusion friendly - just apply access
-            // policies from first collection
 	            // remove the item's policies and replace them with
 	            // the defaults from the collection
-            inheritCollectionDefaultPolicies(context, item, colls.iterator().next());
+	        	adjustItemPolicies(context, item, item.getOwningCollection());
+	        }
        }
        
        // Write log
--- a/dspace-api/src/main/java/org/dspace/core/Constants.java
+++ b/dspace-api/src/main/java/org/dspace/core/Constants.java
@@ -127,6 +127,8 @@ public class Constants
     */
    public static final int ADMIN = 11;
    
+    public static final int WITHDRAWN_READ = 12;
+    
    /** Position of front page news item -- top box */
    public static final int NEWS_TOP = 0;

@@ -139,7 +141,7 @@ public class Constants
    public static final String[] actionText = { "READ", "WRITE",
            "OBSOLETE (DELETE)", "ADD", "REMOVE", "WORKFLOW_STEP_1",
            "WORKFLOW_STEP_2", "WORKFLOW_STEP_3", "WORKFLOW_ABORT",
-            "DEFAULT_BITSTREAM_READ", "DEFAULT_ITEM_READ", "ADMIN" };
+            "DEFAULT_BITSTREAM_READ", "DEFAULT_ITEM_READ", "ADMIN", "WITHDRAWN_READ" };

    /**
     * generating constants for the relevance array dynamically is simple: just
@@ -175,7 +177,8 @@ public class Constants
            0, // 8 - WORKFLOW_ABORT
            RCOLLECTION, // 9 - DEFAULT_BITSTREAM_READ
            RCOLLECTION, // 10 - DEFAULT_ITEM_READ
-            RITEM | RCOLLECTION | RCOMMUNITY // 11 - ADMIN
+            RITEM | RCOLLECTION | RCOMMUNITY, // 11 - ADMIN
+            RBITSTREAM | RBUNDLE | RITEM // 12 - WITHDRAWN_READ
    };

    public static final String DEFAULT_ENCODING = "UTF-8";
--- a/dspace-api/src/main/resources/org/dspace/storage/rdbms/sqlmigration/h2/V6.0_2016.08.23__DS-3097.sql
+++ b/dspace-api/src/main/resources/org/dspace/storage/rdbms/sqlmigration/h2/V6.0_2016.08.23__DS-3097.sql
@@ -0,0 +1,24 @@
+--
+-- The contents of this file are subject to the license and copyright
+-- detailed in the LICENSE and NOTICE files at the root of the source
+-- tree and available online at
+--
+-- http://www.dspace.org/license/
+--
+
+------------------------------------------------------
+-- DS-3097 introduced new action id for WITHDRAWN_READ 
+------------------------------------------------------
+
+UPDATE resourcepolicy SET action_id = 12 where action_id = 0 and dspace_object in (
+	SELECT bundle2bitstream.bitstream_id FROM bundle2bitstream
+		LEFT JOIN item2bundle ON bundle2bitstream.bundle_id = item2bundle.bundle_id
+		LEFT JOIN item ON item2bundle.item_id = item.uuid
+		WHERE item.withdrawn = 1
+);
+
+UPDATE resourcepolicy SET action_id = 12 where action_id = 0 and dspace_object in (
+	SELECT item2bundle.bundle_id FROM item2bundle
+		LEFT JOIN item ON item2bundle.item_id = item.uuid
+		WHERE item.withdrawn = 1
+);
--- a/dspace-api/src/main/resources/org/dspace/storage/rdbms/sqlmigration/oracle/V6.0_2016.08.23__DS-3097.sql
+++ b/dspace-api/src/main/resources/org/dspace/storage/rdbms/sqlmigration/oracle/V6.0_2016.08.23__DS-3097.sql
@@ -0,0 +1,24 @@
+--
+-- The contents of this file are subject to the license and copyright
+-- detailed in the LICENSE and NOTICE files at the root of the source
+-- tree and available online at
+--
+-- http://www.dspace.org/license/
+--
+
+------------------------------------------------------
+-- DS-3097 introduced new action id for WITHDRAWN_READ 
+------------------------------------------------------
+
+UPDATE resourcepolicy SET action_id = 12 where action_id = 0 and dspace_object in (
+	SELECT bundle2bitstream.bitstream_id FROM bundle2bitstream
+		LEFT JOIN item2bundle ON bundle2bitstream.bundle_id = item2bundle.bundle_id
+		LEFT JOIN item ON item2bundle.item_id = item.uuid
+		WHERE item.withdrawn = 1
+);
+
+UPDATE resourcepolicy SET action_id = 12 where action_id = 0 and dspace_object in (
+	SELECT item2bundle.bundle_id FROM item2bundle
+		LEFT JOIN item ON item2bundle.item_id = item.uuid
+		WHERE item.withdrawn = 1
+);
--- a/dspace-api/src/main/resources/org/dspace/storage/rdbms/sqlmigration/postgres/V6.0_2016.08.23__DS-3097.sql
+++ b/dspace-api/src/main/resources/org/dspace/storage/rdbms/sqlmigration/postgres/V6.0_2016.08.23__DS-3097.sql
@@ -0,0 +1,24 @@
+--
+-- The contents of this file are subject to the license and copyright
+-- detailed in the LICENSE and NOTICE files at the root of the source
+-- tree and available online at
+--
+-- http://www.dspace.org/license/
+--
+
+------------------------------------------------------
+-- DS-3097 introduced new action id for WITHDRAWN_READ 
+------------------------------------------------------
+
+UPDATE resourcepolicy SET action_id = 12 where action_id = 0 and dspace_object in (
+	SELECT bundle2bitstream.bitstream_id FROM bundle2bitstream
+		LEFT JOIN item2bundle ON bundle2bitstream.bundle_id = item2bundle.bundle_id
+		LEFT JOIN item ON item2bundle.item_id = item.uuid
+		WHERE item.withdrawn = true
+);
+
+UPDATE resourcepolicy SET action_id = 12 where action_id = 0 and dspace_object in (
+	SELECT item2bundle.bundle_id FROM item2bundle
+		LEFT JOIN item ON item2bundle.item_id = item.uuid
+		WHERE item.withdrawn = true
+);