org.dspace.core.Constants
+ *
+ * @throws AuthorizeException
+ * if the user is denied
+ */
+ public static void authorizeAction(Context c, DSpaceObject o, int action, boolean useInheritance)
+ throws AuthorizeException, SQLException
{
if (o == null)
{
@@ -164,7 +188,7 @@ public class AuthorizeManager
+ actionText + " by user " + userid);
}
- if (!authorize(c, o, action, c.getCurrentUser()))
+ if (!authorize(c, o, action, c.getCurrentUser(), useInheritance))
{
// denied, assemble and throw exception
int otype = o.getType();
@@ -218,6 +242,30 @@ public class AuthorizeManager
*/
public static boolean authorizeActionBoolean(Context c, DSpaceObject o,
int a) throws SQLException
+ {
+ return authorizeActionBoolean(c, o, a, true);
+ }
+
+ /**
+ * same authorize, returns boolean for those who don't want to deal with
+ * catching exceptions.
+ *
+ * @param c
+ * DSpace context, containing current user
+ * @param o
+ * DSpaceObject
+ * @param a
+ * action being attempted, from
+ * org.dspace.core.Constants
+ * @param useInheritance
+ * flag to say if ADMIN action on the current object or parent
+ * object can be used
+ *
+ * @return true if the current user in the context is
+ * authorized to perform the given action on the given object
+ */
+ public static boolean authorizeActionBoolean(Context c, DSpaceObject o,
+ int a, boolean useInheritance) throws SQLException
{
boolean isAuthorized = true;
@@ -228,7 +276,7 @@ public class AuthorizeManager
try
{
- authorizeAction(c, o, a);
+ authorizeAction(c, o, a, useInheritance);
}
catch (AuthorizeException e)
{
@@ -253,12 +301,15 @@ public class AuthorizeManager
* org.dspace.core.Constants
* @param e
* user attempting action
+ * @param useInheritance
+ * flag to say if ADMIN action on the current object or parent
+ * object can be used
* @return true if user is authorized to perform the given
* action, false otherwise
* @throws SQLException
*/
private static boolean authorize(Context c, DSpaceObject o, int action,
- EPerson e) throws SQLException
+ EPerson e, boolean useInheritance) throws SQLException
{
int userid;
@@ -285,7 +336,9 @@ public class AuthorizeManager
// perform isAdmin check to see
// if user is an Admin on this object
- if (isAdmin(c,o))
+ DSpaceObject testObject = useInheritance?o.getAdminObject(action):null;
+
+ if (isAdmin(c, testObject))
{
return true;
}
@@ -319,25 +372,31 @@ public class AuthorizeManager
// admin check methods
///////////////////////////////////////////////
-
- /**
- * Check to see if the current user is an Administrator of a given
- * object within DSpace. Always return true if the
- * user is a System Admin
- *
+ /**
+ * Check to see if the current user is an Administrator of a given object
+ * within DSpace. Always return true if the user is a System
+ * Admin
+ *
* @param c
* current context
* @param o
- * current DSpace Object
- *
- * @return true if user has administrative privileges
- * on the given DSpace object
+ * current DSpace Object, if null the call will be
+ * equivalent to a call to the isAdmin(Context c)
+ * method
+ *
+ * @return true if user has administrative privileges on the
+ * given DSpace object
*/
public static boolean isAdmin(Context c, DSpaceObject o) throws SQLException {
if (isAdmin(c))
{
return true;
}
+
+ if (o == null)
+ {
+ return false;
+ }
//
// First, check all Resource Policies directly on this object
@@ -365,152 +424,15 @@ public class AuthorizeManager
}
}
- //
// If user doesn't have specific Admin permissions on this object,
// check the *parent* objects of this object. This allows Admin
// permissions to be inherited automatically (e.g. Admin on Community
// is also an Admin of all Collections/Items in that Community)
- switch (o.getType()) {
- case Constants.BITSTREAM:
- {
- Bitstream bitstream = (Bitstream) o;
- Bundle[] bundles = bitstream.getBundles();
- if (bundles != null && (bundles.length > 0 && bundles[0] != null))
- {
- return isAdmin(c,bundles[0]);
- }
- else
- {
- // is the bitstream a logo for a community or a collection?
- TableRow qResult = DatabaseManager.querySingle(c,
- "SELECT collection_id FROM collection " +
- "WHERE logo_bitstream_id = ?",o.getID());
- if (qResult != null)
- {
- Collection collection = Collection.find(c,qResult.getIntColumn("collection_id"));
- return isAdmin(c,collection);
- }
- else
- {
- // is the group releated to a community?
- qResult = DatabaseManager.querySingle(c,
- "SELECT community_id FROM community " +
- "WHERE logo_bitstream_id = ?",o.getID());
-
- if (qResult != null)
- {
- Community community = Community.find(c,qResult.getIntColumn("community_id"));
- return isAdmin(c,community);
- }
- else
- {
- return false;
- }
- }
- }
- }
-
- case Constants.BUNDLE:
- {
- Bundle bundle = (Bundle) o;
- Item[] items = bundle.getItems();
-
- if (items != null && (items.length > 0 && items[0] != null))
- {
- return isAdmin(c,items[0]);
- }
- else
- {
- return false;
- }
- }
-
- case Constants.ITEM:
- {
- Item item = (Item) o;
- Collection ownCollection = item.getOwningCollection();
- if (ownCollection != null)
- {
- return isAdmin(c,ownCollection);
- }
- else
- {
- // is a template item?
- TableRow qResult = DatabaseManager.querySingle(c,
- "SELECT collection_id FROM collection " +
- "WHERE template_item_id = ?",o.getID());
- if (qResult != null)
- {
- Collection collection = Collection.find(c,qResult.getIntColumn("collection_id"));
- return isAdmin(c,collection);
- }
- return false;
- }
- }
-
- case Constants.COLLECTION:
- {
- Collection collection = (Collection) o;
- Community[] communities = collection.getCommunities();
- if (communities != null && (communities.length > 0 && communities[0] != null))
- {
- return isAdmin(c,communities[0]);
- }
- else
- {
- return false;
- }
- }
-
- case Constants.COMMUNITY:
- {
- Community community = (Community) o;
- Community pCommunity = community.getParentCommunity();
- if (pCommunity != null)
- {
- return isAdmin(c,pCommunity);
- }
- else
- {
- return false;
- }
- }
-
- case Constants.GROUP:
- {
- // is the group releated to a collection?
- TableRow qResult = DatabaseManager.querySingle(c,
- "SELECT collection_id FROM collection " +
- "WHERE workflow_step_1 = ? OR " +
- " workflow_step_2 = ? OR " +
- " workflow_step_3 = ? OR " +
- " submitter = ? OR " +
- " admin = ?",o.getID(),o.getID(),o.getID(),o.getID(),o.getID());
- if (qResult != null)
- {
- Collection collection = Collection.find(c,qResult.getIntColumn("collection_id"));
- return isAdmin(c,collection);
- }
- else
- { // is the group releated to a community?
- qResult = DatabaseManager.querySingle(c,
- "SELECT community_id FROM community " +
- "WHERE admin = ?",o.getID());
-
- if (qResult != null)
- {
- Community community = Community.find(c,qResult.getIntColumn("community_id"));
- return isAdmin(c,community);
- }
- else
- {
- return false;
- }
- }
-
- }
- }
-
+ DSpaceObject parent = o.getParentObject();
+ if (parent != null)
+ {
+ return isAdmin(c, parent);
+ }
return false;
}
diff --git a/dspace-api/src/main/java/org/dspace/content/Bitstream.java b/dspace-api/src/main/java/org/dspace/content/Bitstream.java
index f9a2e9960a..84f45ceacc 100644
--- a/dspace-api/src/main/java/org/dspace/content/Bitstream.java
+++ b/dspace-api/src/main/java/org/dspace/content/Bitstream.java
@@ -640,4 +640,51 @@ public class Bitstream extends DSpaceObject
public int getStoreNumber() {
return bRow.getIntColumn("store_number");
}
+
+ public DSpaceObject getParentObject() throws SQLException
+ {
+ Bundle[] bundles = getBundles();
+ if (bundles != null && (bundles.length > 0 && bundles[0] != null))
+ {
+ // the ADMIN action is not allowed on Bundle object so skip to the item
+ Item[] items = bundles[0].getItems();
+ if (items != null && items.length > 0)
+ {
+ return items[0];
+ }
+ else
+ {
+ return null;
+ }
+ }
+ else
+ {
+ // is the bitstream a logo for a community or a collection?
+ TableRow qResult = DatabaseManager.querySingle(bContext,
+ "SELECT collection_id FROM collection " +
+ "WHERE logo_bitstream_id = ?",getID());
+ if (qResult != null)
+ {
+ Collection collection = Collection.find(bContext,qResult.getIntColumn("collection_id"));
+ return collection;
+ }
+ else
+ {
+ // is the bitstream related to a community?
+ qResult = DatabaseManager.querySingle(bContext,
+ "SELECT community_id FROM community " +
+ "WHERE logo_bitstream_id = ?",getID());
+
+ if (qResult != null)
+ {
+ Community community = Community.find(bContext,qResult.getIntColumn("community_id"));
+ return community;
+ }
+ else
+ {
+ return null;
+ }
+ }
+ }
+ }
}
diff --git a/dspace-api/src/main/java/org/dspace/content/Bundle.java b/dspace-api/src/main/java/org/dspace/content/Bundle.java
index 5153975dda..590a194a2d 100644
--- a/dspace-api/src/main/java/org/dspace/content/Bundle.java
+++ b/dspace-api/src/main/java/org/dspace/content/Bundle.java
@@ -46,6 +46,7 @@ import java.util.List;
import java.util.ListIterator;
import org.apache.log4j.Logger;
+import org.dspace.authorize.AuthorizeConfiguration;
import org.dspace.authorize.AuthorizeException;
import org.dspace.authorize.AuthorizeManager;
import org.dspace.authorize.ResourcePolicy;
@@ -657,4 +658,79 @@ public class Bundle extends DSpaceObject
AuthorizeManager.removeAllPolicies(ourContext, this);
AuthorizeManager.addPolicies(ourContext, newpolicies, this);
}
+
+ public DSpaceObject getAdminObject(int action) throws SQLException
+ {
+ DSpaceObject adminObject = null;
+ Item[] items = getItems();
+ Item item = null;
+ Collection collection = null;
+ Community community = null;
+ if (items != null && items.length > 0)
+ {
+ item = items[0];
+ collection = item.getOwningCollection();
+ if (collection != null)
+ {
+ Community[] communities = collection.getCommunities();
+ if (communities != null && communities.length > 0)
+ {
+ community = communities[0];
+ }
+ }
+ }
+ switch (action)
+ {
+ case Constants.REMOVE:
+ if (AuthorizeConfiguration.canItemAdminPerformBitstreamDeletion())
+ {
+ adminObject = item;
+ }
+ else if (AuthorizeConfiguration.canCollectionAdminPerformBitstreamDeletion())
+ {
+ adminObject = collection;
+ }
+ else if (AuthorizeConfiguration
+ .canCommunityAdminPerformBitstreamDeletion())
+ {
+ adminObject = community;
+ }
+ break;
+ case Constants.ADD:
+ if (AuthorizeConfiguration.canItemAdminPerformBitstreamCreation())
+ {
+ adminObject = item;
+ }
+ else if (AuthorizeConfiguration
+ .canCollectionAdminPerformBitstreamCreation())
+ {
+ adminObject = collection;
+ }
+ else if (AuthorizeConfiguration
+ .canCommunityAdminPerformBitstreamCreation())
+ {
+ adminObject = community;
+ }
+ break;
+
+ default:
+ adminObject = this;
+ break;
+ }
+ return adminObject;
+ }
+
+ public DSpaceObject getParentObject() throws SQLException
+ {
+ Item[] items = getItems();
+
+ if (items != null && (items.length > 0 && items[0] != null))
+ {
+ return items[0];
+ }
+ else
+ {
+ return null;
+ }
+ }
}
diff --git a/dspace-api/src/main/java/org/dspace/content/Collection.java b/dspace-api/src/main/java/org/dspace/content/Collection.java
index 25845a5dad..28d56ef551 100644
--- a/dspace-api/src/main/java/org/dspace/content/Collection.java
+++ b/dspace-api/src/main/java/org/dspace/content/Collection.java
@@ -47,6 +47,8 @@ import java.util.List;
import java.util.MissingResourceException;
import org.apache.log4j.Logger;
+import org.dspace.app.util.AuthorizeUtil;
+import org.dspace.authorize.AuthorizeConfiguration;
import org.dspace.authorize.AuthorizeException;
import org.dspace.authorize.AuthorizeManager;
import org.dspace.authorize.ResourcePolicy;
@@ -486,7 +488,7 @@ public class Collection extends DSpaceObject
if (!((is == null) && AuthorizeManager.authorizeActionBoolean(
ourContext, this, Constants.DELETE)))
{
- canEdit();
+ canEdit(true);
}
// First, delete any existing logo
@@ -541,8 +543,8 @@ public class Collection extends DSpaceObject
public Group createWorkflowGroup(int step) throws SQLException,
AuthorizeException
{
- // Check authorisation - Must be an Admin to create Submitters Group
- AuthorizeManager.authorizeAction(ourContext, this, Constants.ADMIN);
+ // Check authorisation - Must be an Admin to create Workflow Group
+ AuthorizeUtil.authorizeManageWorkflowsGroup(ourContext, this);
if (workflowGroup[step - 1] == null)
{
@@ -614,7 +616,7 @@ public class Collection extends DSpaceObject
public Group createSubmitters() throws SQLException, AuthorizeException
{
// Check authorisation - Must be an Admin to create Submitters Group
- AuthorizeManager.authorizeAction(ourContext, this, Constants.ADMIN);
+ AuthorizeUtil.authorizeManageSubmittersGroup(ourContext, this);
if (submitters == null)
{
@@ -645,7 +647,7 @@ public class Collection extends DSpaceObject
public void removeSubmitters() throws SQLException, AuthorizeException
{
// Check authorisation - Must be an Admin to delete Submitters Group
- AuthorizeManager.authorizeAction(ourContext, this, Constants.ADMIN);
+ AuthorizeUtil.authorizeManageSubmittersGroup(ourContext, this);
// just return if there is no administrative group.
if (submitters == null)
@@ -687,7 +689,7 @@ public class Collection extends DSpaceObject
public Group createAdministrators() throws SQLException, AuthorizeException
{
// Check authorisation - Must be an Admin to create more Admins
- AuthorizeManager.authorizeAction(ourContext, this, Constants.ADMIN);
+ AuthorizeUtil.authorizeManageAdminGroup(ourContext, this);
if (admins == null)
{
@@ -706,13 +708,6 @@ public class Collection extends DSpaceObject
// register this as the admin group
collectionRow.setColumn("admin", admins.getID());
- // administrators also get ADD on the submitter group
- if (submitters != null)
- {
- AuthorizeManager.addPolicy(ourContext, submitters, Constants.ADD,
- admins);
- }
-
modified = true;
return admins;
}
@@ -726,19 +721,7 @@ public class Collection extends DSpaceObject
public void removeAdministrators() throws SQLException, AuthorizeException
{
// Check authorisation - Must be an Admin of the parent community to delete Admin Group
- Community[] parentCommunities = getCommunities();
- if (parentCommunities != null && parentCommunities.length > 0)
- {
- AuthorizeManager.authorizeAction(ourContext, this.getCommunities()[0], Constants.ADMIN);
- }
- else if (!AuthorizeManager.isAdmin(ourContext))
- {
- // this should never happen, a collection should always have at least one parent community!
- // anyway...
- throw new AuthorizeException(
- "Only system admin can remove the admin group of a collection outside any community",
- this, Constants.ADMIN);
- }
+ AuthorizeUtil.authorizeRemoveAdminGroup(ourContext, this);
// just return if there is no administrative group.
if (admins == null)
@@ -847,7 +830,7 @@ public class Collection extends DSpaceObject
public void createTemplateItem() throws SQLException, AuthorizeException
{
// Check authorisation
- canEdit();
+ AuthorizeUtil.authorizeManageTemplateItem(ourContext, this);
if (template == null)
{
@@ -876,7 +859,7 @@ public class Collection extends DSpaceObject
IOException
{
// Check authorisation
- canEdit();
+ AuthorizeUtil.authorizeManageTemplateItem(ourContext, this);
collectionRow.setColumnNull("template_item_id");
DatabaseManager.update(ourContext, collectionRow);
@@ -938,46 +921,27 @@ public class Collection extends DSpaceObject
// Check authorisation
AuthorizeManager.authorizeAction(ourContext, this, Constants.REMOVE);
+ // will be the item an orphan?
+ TableRow row = DatabaseManager.querySingle(ourContext,
+ "SELECT COUNT(DISTINCT collection_id) AS num FROM collection2item WHERE item_id= ? ",
+ item.getID());
+
+ DatabaseManager.setConstraintDeferred(ourContext, "coll2item_item_fk");
+ if (row.getLongColumn("num") == 1)
+ {
+ // Orphan; delete it
+ item.delete();
+ }
log.info(LogManager.getHeader(ourContext, "remove_item",
"collection_id=" + getID() + ",item_id=" + item.getID()));
-
+
DatabaseManager.updateQuery(ourContext,
"DELETE FROM collection2item WHERE collection_id= ? "+
"AND item_id= ? ",
getID(), item.getID());
-
+ DatabaseManager.setConstraintImmediate(ourContext, "coll2item_item_fk");
+
ourContext.addEvent(new Event(Event.REMOVE, Constants.COLLECTION, getID(), Constants.ITEM, item.getID(), item.getHandle()));
-
- // Is the item an orphan?
- TableRowIterator tri = DatabaseManager.query(ourContext,
- "SELECT * FROM collection2item WHERE item_id= ? ",
- item.getID());
-
- try
- {
- if (!tri.hasNext())
- {
- //make the right to remove the item explicit because the implicit
- // relation
- //has been removed. This only has to concern the currentUser
- // because
- //he started the removal process and he will end it too.
- //also add right to remove from the item to remove it's bundles.
- AuthorizeManager.addPolicy(ourContext, item, Constants.DELETE,
- ourContext.getCurrentUser());
- AuthorizeManager.addPolicy(ourContext, item, Constants.REMOVE,
- ourContext.getCurrentUser());
-
- // Orphan; delete it
- item.delete();
- }
- }
- finally
- {
- // close the TableRowIterator to free up resources
- if (tri != null)
- tri.close();
- }
}
/**
@@ -991,7 +955,7 @@ public class Collection extends DSpaceObject
public void update() throws SQLException, IOException, AuthorizeException
{
// Check authorisation
- canEdit();
+ canEdit(true);
log.info(LogManager.getHeader(ourContext, "update_collection",
"collection_id=" + getID()));
@@ -1010,12 +974,17 @@ public class Collection extends DSpaceObject
clearDetails();
}
}
-
+
public boolean canEditBoolean() throws java.sql.SQLException
+ {
+ return canEditBoolean(true);
+ }
+
+ public boolean canEditBoolean(boolean useInheritance) throws java.sql.SQLException
{
try
{
- canEdit();
+ canEdit(useInheritance);
return true;
}
@@ -1025,27 +994,31 @@ public class Collection extends DSpaceObject
}
}
- public void canEdit() throws AuthorizeException, SQLException
+ public void canEdit() throws AuthorizeException, SQLException
+ {
+ canEdit(true);
+ }
+
+ public void canEdit(boolean useInheritance) throws AuthorizeException, SQLException
{
Community[] parents = getCommunities();
for (int i = 0; i < parents.length; i++)
{
if (AuthorizeManager.authorizeActionBoolean(ourContext, parents[i],
- Constants.WRITE))
+ Constants.WRITE, useInheritance))
{
return;
}
if (AuthorizeManager.authorizeActionBoolean(ourContext, parents[i],
- Constants.ADD))
+ Constants.ADD, useInheritance))
{
return;
}
}
- AuthorizeManager.authorizeAnyOf(ourContext, this, new int[] {
- Constants.WRITE, Constants.ADMIN });
+ AuthorizeManager.authorizeAction(ourContext, this, Constants.WRITE, useInheritance);
}
/**
@@ -1400,4 +1373,54 @@ public class Collection extends DSpaceObject
return itemcount;
}
+
+ public DSpaceObject getAdminObject(int action) throws SQLException
+ {
+ DSpaceObject adminObject = null;
+ Community community = null;
+ Community[] communities = getCommunities();
+ if (communities != null && communities.length > 0)
+ {
+ community = communities[0];
+ }
+
+ switch (action)
+ {
+ case Constants.REMOVE:
+ if (AuthorizeConfiguration.canCollectionAdminPerformItemDeletion())
+ {
+ adminObject = this;
+ }
+ else if (AuthorizeConfiguration.canCommunityAdminPerformItemDeletion())
+ {
+ adminObject = community;
+ }
+ break;
+
+ case Constants.DELETE:
+ if (AuthorizeConfiguration.canCommunityAdminPerformSubelementDeletion())
+ {
+ adminObject = community;
+ }
+ break;
+ default:
+ adminObject = this;
+ break;
+ }
+ return adminObject;
+ }
+
+ @Override
+ public DSpaceObject getParentObject() throws SQLException
+ {
+ Community[] communities = this.getCommunities();
+ if (communities != null && (communities.length > 0 && communities[0] != null))
+ {
+ return communities[0];
+ }
+ else
+ {
+ return null;
+ }
+ }
}
diff --git a/dspace-api/src/main/java/org/dspace/content/Community.java b/dspace-api/src/main/java/org/dspace/content/Community.java
index cfef6fbad8..7469f70337 100644
--- a/dspace-api/src/main/java/org/dspace/content/Community.java
+++ b/dspace-api/src/main/java/org/dspace/content/Community.java
@@ -45,6 +45,8 @@ import java.util.List;
import java.util.MissingResourceException;
import org.apache.log4j.Logger;
+import org.dspace.app.util.AuthorizeUtil;
+import org.dspace.authorize.AuthorizeConfiguration;
import org.dspace.authorize.AuthorizeException;
import org.dspace.authorize.AuthorizeManager;
import org.dspace.authorize.ResourcePolicy;
@@ -525,7 +527,7 @@ public class Community extends DSpaceObject
public Group createAdministrators() throws SQLException, AuthorizeException
{
// Check authorisation - Must be an Admin to create more Admins
- AuthorizeManager.authorizeAction(ourContext, this, Constants.ADMIN);
+ AuthorizeUtil.authorizeManageAdminGroup(ourContext, this);
if (admins == null)
{
@@ -556,17 +558,7 @@ public class Community extends DSpaceObject
public void removeAdministrators() throws SQLException, AuthorizeException
{
// Check authorisation - Must be an Admin of the parent community (or system admin) to delete Admin group
- Community parentCommunity = getParentCommunity();
- if (parentCommunity != null)
- {
- AuthorizeManager.authorizeAction(ourContext, parentCommunity, Constants.ADMIN);
- }
- else if (!AuthorizeManager.isAdmin(ourContext))
- {
- throw new AuthorizeException(
- "Only system admin can remove the admin group of a top community",
- this, Constants.ADMIN);
- }
+ AuthorizeUtil.authorizeRemoveAdminGroup(ourContext, this);
// just return if there is no administrative group.
if (admins == null)
@@ -913,45 +905,29 @@ public class Community extends DSpaceObject
// Check authorisation
AuthorizeManager.authorizeAction(ourContext, this, Constants.REMOVE);
+ // will be the collection an orphan?
+ TableRow trow = DatabaseManager.querySingle(ourContext,
+ "SELECT COUNT(DISTINCT community_id) AS num FROM community2collection WHERE collection_id= ? ",
+ c.getID());
+ DatabaseManager.setConstraintDeferred(ourContext, "comm2coll_collection_fk");
+
+ if (trow.getLongColumn("num") == 1)
+ {
+ // Orphan; delete it
+ c.delete();
+ }
+
log.info(LogManager.getHeader(ourContext, "remove_collection",
"community_id=" + getID() + ",collection_id=" + c.getID()));
-
+
// Remove any mappings
DatabaseManager.updateQuery(ourContext,
"DELETE FROM community2collection WHERE community_id= ? "+
"AND collection_id= ? ", getID(), c.getID());
+ DatabaseManager.setConstraintImmediate(ourContext, "comm2coll_collection_fk");
+
ourContext.addEvent(new Event(Event.REMOVE, Constants.COMMUNITY, getID(), Constants.COLLECTION, c.getID(), c.getHandle()));
-
- // Is the community an orphan?
- TableRowIterator tri = DatabaseManager.query(ourContext,
- "SELECT * FROM community2collection WHERE collection_id= ? ",
- c.getID());
-
- try
- {
- if (!tri.hasNext())
- {
- //make the right to remove the collection explicit because the
- // implicit relation
- //has been removed. This only has to concern the currentUser
- // because
- //he started the removal process and he will end it too.
- //also add right to remove from the collection to remove it's
- // items.
- AuthorizeManager.addPolicy(ourContext, c, Constants.ADMIN,
- ourContext.getCurrentUser());
-
- // Orphan; delete it
- c.delete();
- }
- }
- finally
- {
- // close the TableRowIterator to free up resources
- if (tri != null)
- tri.close();
- }
}
/**
@@ -966,47 +942,29 @@ public class Community extends DSpaceObject
// Check authorisation
AuthorizeManager.authorizeAction(ourContext, this, Constants.REMOVE);
+ // will be the subcommunity an orphan?
+ TableRow trow = DatabaseManager.querySingle(ourContext,
+ "SELECT COUNT(DISTINCT parent_comm_id) AS num FROM community2community WHERE child_comm_id= ? ",
+ c.getID());
+
+ DatabaseManager.setConstraintDeferred(ourContext, "com2com_child_fk");
+ if (trow.getLongColumn("num") == 1)
+ {
+ // Orphan; delete it
+ c.rawDelete();
+ }
+
log.info(LogManager.getHeader(ourContext, "remove_subcommunity",
"parent_comm_id=" + getID() + ",child_comm_id=" + c.getID()));
-
+
// Remove any mappings
DatabaseManager.updateQuery(ourContext,
"DELETE FROM community2community WHERE parent_comm_id= ? " +
" AND child_comm_id= ? ", getID(),c.getID());
ourContext.addEvent(new Event(Event.REMOVE, Constants.COMMUNITY, getID(), Constants.COMMUNITY, c.getID(), c.getHandle()));
-
- // Is the subcommunity an orphan?
- TableRowIterator tri = DatabaseManager.query(ourContext,
- "SELECT * FROM community2community WHERE child_comm_id= ? ",
- c.getID());
-
- try
- {
- if (!tri.hasNext())
- {
- //make the right to remove the sub explicit because the implicit
- // relation
- //has been removed. This only has to concern the currentUser
- // because
- //he started the removal process and he will end it too.
- //also add right to remove from the subcommunity to remove it's
- // children.
- AuthorizeManager.addPolicy(ourContext, c, Constants.DELETE,
- ourContext.getCurrentUser());
- AuthorizeManager.addPolicy(ourContext, c, Constants.REMOVE,
- ourContext.getCurrentUser());
-
- // Orphan; delete it
- c.delete();
- }
- }
- finally
- {
- // close the TableRowIterator to free up resources
- if (tri != null)
- tri.close();
- }
+
+ DatabaseManager.setConstraintImmediate(ourContext, "com2com_child_fk");
}
/**
@@ -1030,7 +988,7 @@ public class Community extends DSpaceObject
}
// If not a top-level community, have parent remove me; this
- // will call delete() after removing the linkage
+ // will call rawDelete() before removing the linkage
Community parent = getParentCommunity();
if (parent != null)
@@ -1040,6 +998,14 @@ public class Community extends DSpaceObject
return;
}
+ rawDelete();
+ }
+
+ /**
+ * Internal method to remove the community and all its childs from the database without aware of eventually parent
+ */
+ private void rawDelete() throws SQLException, AuthorizeException, IOException
+ {
log.info(LogManager.getHeader(ourContext, "delete_community",
"community_id=" + getID()));
@@ -1073,14 +1039,14 @@ public class Community extends DSpaceObject
// get rid of the content count cache if it exists
try
{
- ItemCounter ic = new ItemCounter(ourContext);
- ic.remove(this);
+ ItemCounter ic = new ItemCounter(ourContext);
+ ic.remove(this);
}
catch (ItemCountException e)
{
- // FIXME: upside down exception handling due to lack of good
- // exception framework
- throw new RuntimeException(e.getMessage(),e);
+ // FIXME: upside down exception handling due to lack of good
+ // exception framework
+ throw new RuntimeException(e.getMessage(),e);
}
// Delete community row
@@ -1205,4 +1171,48 @@ public class Community extends DSpaceObject
}
return total;
}
+
+ public DSpaceObject getAdminObject(int action) throws SQLException
+ {
+ DSpaceObject adminObject = null;
+ switch (action)
+ {
+ case Constants.REMOVE:
+ if (AuthorizeConfiguration.canCommunityAdminPerformSubelementDeletion())
+ {
+ adminObject = this;
+ }
+ break;
+
+ case Constants.DELETE:
+ if (AuthorizeConfiguration.canCommunityAdminPerformSubelementDeletion())
+ {
+ adminObject = getParentCommunity();
+ }
+ break;
+ case Constants.ADD:
+ if (AuthorizeConfiguration.canCommunityAdminPerformSubelementCreation())
+ {
+ adminObject = this;
+ }
+ break;
+ default:
+ adminObject = this;
+ break;
+ }
+ return adminObject;
+ }
+
+ public DSpaceObject getParentObject() throws SQLException
+ {
+ Community pCommunity = getParentCommunity();
+ if (pCommunity != null)
+ {
+ return pCommunity;
+ }
+ else
+ {
+ return null;
+ }
+ }
}
diff --git a/dspace-api/src/main/java/org/dspace/content/DSpaceObject.java b/dspace-api/src/main/java/org/dspace/content/DSpaceObject.java
index 726dd08c0e..4746a4079d 100644
--- a/dspace-api/src/main/java/org/dspace/content/DSpaceObject.java
+++ b/dspace-api/src/main/java/org/dspace/content/DSpaceObject.java
@@ -141,4 +141,50 @@ public abstract class DSpaceObject
}
return null;
}
+
+ /**
+ * Return the dspace object where an ADMIN action right is sufficient to
+ * grant the initial authorize check.
+ *
+ * Default behaviour is ADMIN right on the object grant right on all other
+ * action on the object itself. Subclass should override this method as
+ * need.
+ *
+ * @param action
+ * ID of action being attempted, from
+ * org.dspace.core.Constants. The ADMIN action is
+ * not a valid parameter for this method, an
+ * IllegalArgumentException should be thrown
+ * @return the dspace object, if any, where an ADMIN action is sufficient to
+ * grant the original action
+ * @throws SQLException
+ * @throws IllegalArgumentException
+ * if the ADMIN action is supplied as parameter of the method
+ * call
+ */
+ public DSpaceObject getAdminObject(int action) throws SQLException
+ {
+ if (action == Constants.ADMIN)
+ {
+ throw new IllegalArgumentException("Illegal call to the DSpaceObject.getAdminObject method");
+ }
+ return this;
+ }
+
+ /**
+ * Return the dspace object that "own" the current object in the hierarchy.
+ * Note that this method has a meaning slightly different from the
+ * getAdminObject because it is independent of the action but it is in a way
+ * related to it. It defines the "first" dspace object OTHER then the
+ * current one, where allowed ADMIN actions imply allowed ADMIN actions on
+ * the object self.
+ *
+ * @return the dspace object that "own" the current object in
+ * the hierarchy
+ * @throws SQLException
+ */
+ public DSpaceObject getParentObject() throws SQLException
+ {
+ return null;
+ }
}
diff --git a/dspace-api/src/main/java/org/dspace/content/Item.java b/dspace-api/src/main/java/org/dspace/content/Item.java
index d5f7599e6c..68a87708ea 100644
--- a/dspace-api/src/main/java/org/dspace/content/Item.java
+++ b/dspace-api/src/main/java/org/dspace/content/Item.java
@@ -50,6 +50,8 @@ import java.util.Map;
import java.util.StringTokenizer;
import org.apache.log4j.Logger;
+import org.dspace.app.util.AuthorizeUtil;
+import org.dspace.authorize.AuthorizeConfiguration;
import org.dspace.authorize.AuthorizeException;
import org.dspace.authorize.AuthorizeManager;
import org.dspace.authorize.ResourcePolicy;
@@ -1696,6 +1698,10 @@ public class Item extends DSpaceObject
{
String timestamp = DCDate.getCurrent().toString();
+ // Check permission. User either has to have REMOVE on owning collection
+ // or be COLLECTION_EDITOR of owning collection
+ AuthorizeUtil.authorizeWithdrawItem(ourContext, this);
+
// Build some provenance data while we're at it.
String collectionProv = "";
Collection[] colls = getCollections();
@@ -1706,21 +1712,6 @@ public class Item extends DSpaceObject
+ " (ID: " + colls[i].getID() + ")\n";
}
- // Check permission. User either has to have REMOVE on owning collection
- // or be COLLECTION_EDITOR of owning collection
- if (AuthorizeManager.authorizeActionBoolean(ourContext,
- getOwningCollection(), Constants.ADMIN)
- || AuthorizeManager.authorizeActionBoolean(ourContext,
- getOwningCollection(), Constants.REMOVE))
- {
- // authorized
- }
- else
- {
- throw new AuthorizeException(
- "To withdraw item must be COLLECTION_ADMIN or have REMOVE authorization on owning Collection");
- }
-
// Set withdrawn flag. timestamp will be set; last_modified in update()
itemRow.setColumn("withdrawn", true);
@@ -1768,14 +1759,15 @@ public class Item extends DSpaceObject
String collectionProv = "";
Collection[] colls = getCollections();
+ // check authorization
+ AuthorizeUtil.authorizeReinstateItem(ourContext, this);
+
for (int i = 0; i < colls.length; i++)
{
collectionProv = collectionProv + colls[i].getMetadata("name")
+ " (ID: " + colls[i].getID() + ")\n";
- AuthorizeManager.authorizeAction(ourContext, colls[i],
- Constants.ADD);
}
-
+
// Clear withdrawn flag
itemRow.setColumn("withdrawn", false);
@@ -2250,26 +2242,20 @@ public class Item extends DSpaceObject
}
// is this person an COLLECTION_EDITOR for the owning collection?
- if (getOwningCollection().canEditBoolean())
- {
- return true;
- }
-
- // is this person an COLLECTION_EDITOR for the owning collection?
- if (AuthorizeManager.authorizeActionBoolean(ourContext,
- getOwningCollection(), Constants.ADMIN))
+ if (getOwningCollection().canEditBoolean(false))
{
return true;
}
return false;
}
+
public String getName()
{
DCValue t[] = getMetadata("dc", "title", null, Item.ANY);
return (t.length >= 1) ? t[0].value : null;
}
-
+
/**
* Returns an iterator of Items possessing the passed metadata field, or only
* those matching the passed value, if value is not Item.ANY
@@ -2309,5 +2295,140 @@ public class Item extends DSpaceObject
}
return new ItemIterator(context, rows);
}
-
+
+ public DSpaceObject getAdminObject(int action) throws SQLException
+ {
+ DSpaceObject adminObject = null;
+ Collection collection = getOwningCollection();
+ Community community = null;
+ if (collection != null)
+ {
+ Community[] communities = collection.getCommunities();
+ if (communities != null && communities.length > 0)
+ {
+ community = communities[0];
+ }
+ }
+ else
+ {
+ // is a template item?
+ TableRow qResult = DatabaseManager.querySingle(ourContext,
+ "SELECT collection_id FROM collection " +
+ "WHERE template_item_id = ?",getID());
+ if (qResult != null)
+ {
+ collection = Collection.find(ourContext, qResult.getIntColumn("collection_id"));
+ Community[] communities = collection.getCommunities();
+ if (communities != null && communities.length > 0)
+ {
+ community = communities[0];
+ }
+ }
+ }
+
+ switch (action)
+ {
+ case Constants.ADD:
+ // ADD a cc license is less general then add a bitstream but we can't/wan't
+ // add complex logic here to know if the ADD action on the item is required by a cc or
+ // a generic bitstream so simply we ignore it.. UI need to enforce the requirements.
+ if (AuthorizeConfiguration.canItemAdminPerformBitstreamCreation())
+ {
+ adminObject = this;
+ }
+ else if (AuthorizeConfiguration.canCollectionAdminPerformBitstreamCreation())
+ {
+ adminObject = collection;
+ }
+ else if (AuthorizeConfiguration.canCommunityAdminPerformBitstreamCreation())
+ {
+ adminObject = community;
+ }
+ break;
+ case Constants.REMOVE:
+ // see comments on ADD action, same things...
+ if (AuthorizeConfiguration.canItemAdminPerformBitstreamDeletion())
+ {
+ adminObject = this;
+ }
+ else if (AuthorizeConfiguration.canCollectionAdminPerformBitstreamDeletion())
+ {
+ adminObject = collection;
+ }
+ else if (AuthorizeConfiguration.canCommunityAdminPerformBitstreamDeletion())
+ {
+ adminObject = community;
+ }
+ break;
+ case Constants.DELETE:
+ if (getOwningCollection() != null)
+ {
+ if (AuthorizeConfiguration.canCollectionAdminPerformItemDeletion())
+ {
+ adminObject = collection;
+ }
+ else if (AuthorizeConfiguration.canCommunityAdminPerformItemDeletion())
+ {
+ adminObject = community;
+ }
+ }
+ else
+ {
+ if (AuthorizeConfiguration.canCollectionAdminManageTemplateItem())
+ {
+ adminObject = collection;
+ }
+ else if (AuthorizeConfiguration.canCommunityAdminManageCollectionTemplateItem())
+ {
+ adminObject = community;
+ }
+ }
+ break;
+ case Constants.WRITE:
+ // if it is a template item we need to check the
+ // collection/community admin configuration
+ if (getOwningCollection() == null)
+ {
+ if (AuthorizeConfiguration.canCollectionAdminManageTemplateItem())
+ {
+ adminObject = collection;
+ }
+ else if (AuthorizeConfiguration.canCommunityAdminManageCollectionTemplateItem())
+ {
+ adminObject = community;
+ }
+ }
+ else
+ {
+ adminObject = this;
+ }
+ break;
+ default:
+ adminObject = this;
+ break;
+ }
+ return adminObject;
+ }
+
+ public DSpaceObject getParentObject() throws SQLException
+ {
+ Collection ownCollection = getOwningCollection();
+ if (ownCollection != null)
+ {
+ return ownCollection;
+ }
+ else
+ {
+ // is a template item?
+ TableRow qResult = DatabaseManager.querySingle(ourContext,
+ "SELECT collection_id FROM collection " +
+ "WHERE template_item_id = ?",getID());
+ if (qResult != null)
+ {
+ Collection collection = Collection.find(ourContext,qResult.getIntColumn("collection_id"));
+ return collection;
+ }
+ return null;
+ }
+ }
}
diff --git a/dspace-api/src/main/java/org/dspace/core/Constants.java b/dspace-api/src/main/java/org/dspace/core/Constants.java
index f5eea117cb..fb1bb02c6e 100644
--- a/dspace-api/src/main/java/org/dspace/core/Constants.java
+++ b/dspace-api/src/main/java/org/dspace/core/Constants.java
@@ -205,7 +205,7 @@ public class Constants
0, // 8 - WORKFLOW_ABORT
RCOLLECTION, // 9 - DEFAULT_BITSTREAM_READ
RCOLLECTION, // 10 - DEFAULT_ITEM_READ
- RBUNDLE | RITEM | RCOLLECTION | RCOMMUNITY // 11 - ADMIN
+ RITEM | RCOLLECTION | RCOMMUNITY // 11 - ADMIN
};
public static final String DEFAULT_ENCODING = "UTF-8";
diff --git a/dspace-api/src/main/java/org/dspace/eperson/Group.java b/dspace-api/src/main/java/org/dspace/eperson/Group.java
index caae51ada9..f5becdf289 100644
--- a/dspace-api/src/main/java/org/dspace/eperson/Group.java
+++ b/dspace-api/src/main/java/org/dspace/eperson/Group.java
@@ -48,8 +48,12 @@ import java.util.Set;
import java.io.IOException;
import org.apache.log4j.Logger;
+import org.dspace.app.util.AuthorizeUtil;
+import org.dspace.authorize.AuthorizeConfiguration;
import org.dspace.authorize.AuthorizeException;
import org.dspace.authorize.AuthorizeManager;
+import org.dspace.content.Collection;
+import org.dspace.content.Community;
import org.dspace.content.DSpaceObject;
import org.dspace.core.ConfigurationManager;
import org.dspace.core.Constants;
@@ -1325,4 +1329,91 @@ public class Group extends DSpaceObject
return myChildren;
}
+
+ public DSpaceObject getParentObject() throws SQLException
+ {
+ // could a collection/community admin manage related groups?
+ // check before the configuration options could give a performance gain
+ // if all group management are disallowed
+ if (AuthorizeConfiguration.canCollectionAdminManageAdminGroup()
+ || AuthorizeConfiguration.canCollectionAdminManageSubmitters()
+ || AuthorizeConfiguration.canCollectionAdminManageWorkflows()
+ || AuthorizeConfiguration.canCommunityAdminManageAdminGroup()
+ || AuthorizeConfiguration
+ .canCommunityAdminManageCollectionAdminGroup()
+ || AuthorizeConfiguration
+ .canCommunityAdminManageCollectionSubmitters()
+ || AuthorizeConfiguration
+ .canCommunityAdminManageCollectionWorkflows())
+ {
+ // is this a collection related group?
+ TableRow qResult = DatabaseManager
+ .querySingle(
+ myContext,
+ "SELECT collection_id, workflow_step_1, workflow_step_2, " +
+ " workflow_step_3, submitter, admin FROM collection "
+ + " WHERE workflow_step_1 = ? OR "
+ + " workflow_step_2 = ? OR "
+ + " workflow_step_3 = ? OR "
+ + " submitter = ? OR " + " admin = ?",
+ getID(), getID(), getID(), getID(), getID());
+ if (qResult != null)
+ {
+ Collection collection = Collection.find(myContext, qResult
+ .getIntColumn("collection_id"));
+
+ if ((qResult.getIntColumn("workflow_step_1") == getID() ||
+ qResult.getIntColumn("workflow_step_2") == getID() ||
+ qResult.getIntColumn("workflow_step_3") == getID()))
+ {
+ if (AuthorizeConfiguration.canCollectionAdminManageWorkflows())
+ {
+ return collection;
+ }
+ else if (AuthorizeConfiguration.canCommunityAdminManageCollectionWorkflows())
+ {
+ return collection.getParentObject();
+ }
+ }
+ if (qResult.getIntColumn("submitter") == getID())
+ {
+ if (AuthorizeConfiguration.canCollectionAdminManageSubmitters())
+ {
+ return collection;
+ }
+ else if (AuthorizeConfiguration.canCommunityAdminManageCollectionSubmitters())
+ {
+ return collection.getParentObject();
+ }
+ }
+ if (qResult.getIntColumn("admin") == getID())
+ {
+ if (AuthorizeConfiguration.canCollectionAdminManageAdminGroup())
+ {
+ return collection;
+ }
+ else if (AuthorizeConfiguration.canCommunityAdminManageCollectionAdminGroup())
+ {
+ return collection.getParentObject();
+ }
+ }
+ }
+ // is the group releated to a community and community admin allowed
+ // to manage it?
+ else if (AuthorizeConfiguration.canCommunityAdminManageAdminGroup())
+ {
+ qResult = DatabaseManager.querySingle(myContext,
+ "SELECT community_id FROM community "
+ + "WHERE admin = ?", getID());
+
+ if (qResult != null)
+ {
+ Community community = Community.find(myContext, qResult
+ .getIntColumn("community_id"));
+ return community;
+ }
+ }
+ }
+ return null;
+ }
}
diff --git a/dspace-api/src/main/java/org/dspace/storage/rdbms/DatabaseManager.java b/dspace-api/src/main/java/org/dspace/storage/rdbms/DatabaseManager.java
index 20342ca7f8..22b6a4c29b 100644
--- a/dspace-api/src/main/java/org/dspace/storage/rdbms/DatabaseManager.java
+++ b/dspace-api/src/main/java/org/dspace/storage/rdbms/DatabaseManager.java
@@ -125,6 +125,76 @@ public class DatabaseManager
{
}
+ /**
+ * Set the constraint check to deferred (commit time)
+ *
+ * @param context
+ * The context object
+ * @param constraintName
+ * the constraint name to deferred
+ * @throws SQLException
+ */
+ public static void setConstraintDeferred(Context context,
+ String constraintName) throws SQLException
+ {
+ Statement statement = null;
+ try
+ {
+ statement = context.getDBConnection().createStatement();
+ statement
+ .execute("SET CONSTRAINTS " + constraintName + " DEFERRED");
+ statement.close();
+ }
+ finally
+ {
+ if (statement != null)
+ {
+ try
+ {
+ statement.close();
+ }
+ catch (SQLException sqle)
+ {
+ }
+ }
+ }
+ }
+
+ /**
+ * Set the constraint check to immediate (every query)
+ *
+ * @param context
+ * The context object
+ * @param constraintName
+ * the constraint name to check immediately after every query
+ * @throws SQLException
+ */
+ public static void setConstraintImmediate(Context context,
+ String constraintName) throws SQLException
+ {
+ Statement statement = null;
+ try
+ {
+ statement = context.getDBConnection().createStatement();
+ statement.execute("SET CONSTRAINTS " + constraintName
+ + " IMMEDIATE");
+ statement.close();
+ }
+ finally
+ {
+ if (statement != null)
+ {
+ try
+ {
+ statement.close();
+ }
+ catch (SQLException sqle)
+ {
+ }
+ }
+ }
+ }
+
/**
* Return an iterator with the results of the query. The table parameter
* indicates the type of result. If table is null, the column names are read
diff --git a/dspace-api/src/main/resources/Messages.properties b/dspace-api/src/main/resources/Messages.properties
index 30c22a85f1..1a184cb479 100644
--- a/dspace-api/src/main/resources/Messages.properties
+++ b/dspace-api/src/main/resources/Messages.properties
@@ -1077,6 +1077,7 @@ jsp.tools.edit-community.button.delete = Delete this Co
jsp.tools.edit-community.form.button.add-logo = Upload new logo...
jsp.tools.edit-community.form.button.cancel = Cancel
jsp.tools.edit-community.form.button.create = Create
+jsp.tools.edit-community.form.button.remove = Remove
jsp.tools.edit-community.form.button.delete-logo = Delete (no logo)
jsp.tools.edit-community.form.button.edit = Edit...
jsp.tools.edit-community.form.button.set-logo = Upload a logo...
diff --git a/dspace-jspui/dspace-jspui-api/src/main/java/org/dspace/app/webui/servlet/HandleServlet.java b/dspace-jspui/dspace-jspui-api/src/main/java/org/dspace/app/webui/servlet/HandleServlet.java
index 931d23d37f..d32a4f459d 100644
--- a/dspace-jspui/dspace-jspui-api/src/main/java/org/dspace/app/webui/servlet/HandleServlet.java
+++ b/dspace-jspui/dspace-jspui-api/src/main/java/org/dspace/app/webui/servlet/HandleServlet.java
@@ -546,7 +546,7 @@ public class HandleServlet extends DSpaceServlet
subscribed = Subscribe.isSubscribed(context, e, collection);
// is the user a COLLECTION_EDITOR?
- if (collection.canEditBoolean())
+ if (collection.canEditBoolean(true))
{
// set a variable to create an edit button
request.setAttribute("editor_button", new Boolean(true));
diff --git a/dspace-jspui/dspace-jspui-api/src/main/java/org/dspace/app/webui/servlet/admin/AuthorizeAdminServlet.java b/dspace-jspui/dspace-jspui-api/src/main/java/org/dspace/app/webui/servlet/admin/AuthorizeAdminServlet.java
index de7db4a76e..1fbef00eee 100644
--- a/dspace-jspui/dspace-jspui-api/src/main/java/org/dspace/app/webui/servlet/admin/AuthorizeAdminServlet.java
+++ b/dspace-jspui/dspace-jspui-api/src/main/java/org/dspace/app/webui/servlet/admin/AuthorizeAdminServlet.java
@@ -44,11 +44,14 @@ import java.sql.SQLException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.dspace.app.util.AuthorizeUtil;
import org.dspace.app.webui.servlet.DSpaceServlet;
import org.dspace.app.webui.util.JSPManager;
import org.dspace.app.webui.util.UIUtil;
@@ -93,6 +96,10 @@ public class AuthorizeAdminServlet extends DSpaceServlet
{
String button = UIUtil.getSubmitButton(request, "submit");
+ // check authorization!! the authorize servlet is available to all registred users
+ // it is need because also item/collection/community admin could be
+ // allowed to manage policies
+
if (button.equals("submit_collection"))
{
// select a collection to work on
@@ -176,6 +183,7 @@ public class AuthorizeAdminServlet extends DSpaceServlet
Item item = Item
.find(c, UIUtil.getIntParameter(request, "item_id"));
+ AuthorizeUtil.authorizeManageItemPolicy(c, item);
ResourcePolicy policy = ResourcePolicy.create(c);
policy.setResource(item);
policy.update();
@@ -201,6 +209,7 @@ public class AuthorizeAdminServlet extends DSpaceServlet
Item item = Item
.find(c, UIUtil.getIntParameter(request, "item_id"));
+ AuthorizeUtil.authorizeManageItemPolicy(c, item);
int policy_id = UIUtil.getIntParameter(request, "policy_id");
ResourcePolicy policy = null;
@@ -227,6 +236,7 @@ public class AuthorizeAdminServlet extends DSpaceServlet
Bundle bundle = Bundle.find(c, UIUtil.getIntParameter(request,
"bundle_id"));
+ AuthorizeUtil.authorizeManageBundlePolicy(c, bundle);
ResourcePolicy policy = ResourcePolicy.create(c);
policy.setResource(bundle);
policy.update();
@@ -255,6 +265,7 @@ public class AuthorizeAdminServlet extends DSpaceServlet
Bitstream bitstream = Bitstream.find(c, UIUtil.getIntParameter(
request, "bitstream_id"));
+ AuthorizeUtil.authorizeManageBitstreamPolicy(c, bitstream);
ResourcePolicy policy = ResourcePolicy.create(c);
policy.setResource(bitstream);
policy.update();
@@ -280,6 +291,8 @@ public class AuthorizeAdminServlet extends DSpaceServlet
// delete a permission from an item
Item item = Item
.find(c, UIUtil.getIntParameter(request, "item_id"));
+
+ AuthorizeUtil.authorizeManageItemPolicy(c, item);
ResourcePolicy policy = ResourcePolicy.find(c, UIUtil
.getIntParameter(request, "policy_id"));
@@ -299,6 +312,7 @@ public class AuthorizeAdminServlet extends DSpaceServlet
Collection collection = Collection.find(c, UIUtil.getIntParameter(
request, "collection_id"));
+ AuthorizeUtil.authorizeManageCollectionPolicy(c, collection);
ResourcePolicy policy = ResourcePolicy.create(c);
policy.setResource(collection);
policy.update();
@@ -336,6 +350,8 @@ public class AuthorizeAdminServlet extends DSpaceServlet
// delete a permission from a collection
Collection collection = Collection.find(c, UIUtil.getIntParameter(
request, "collection_id"));
+
+ AuthorizeUtil.authorizeManageCollectionPolicy(c, collection);
ResourcePolicy policy = ResourcePolicy.find(c, UIUtil
.getIntParameter(request, "policy_id"));
@@ -356,6 +372,8 @@ public class AuthorizeAdminServlet extends DSpaceServlet
// delete a permission from a community
Community community = Community.find(c, UIUtil.getIntParameter(
request, "community_id"));
+
+ AuthorizeUtil.authorizeManageCommunityPolicy(c, community);
ResourcePolicy policy = ResourcePolicy.find(c, UIUtil
.getIntParameter(request, "policy_id"));
@@ -377,6 +395,7 @@ public class AuthorizeAdminServlet extends DSpaceServlet
Collection collection = Collection.find(c, UIUtil.getIntParameter(
request, "collection_id"));
+ AuthorizeUtil.authorizeManageCollectionPolicy(c, collection);
int policy_id = UIUtil.getIntParameter(request, "policy_id");
ResourcePolicy policy = null;
@@ -411,6 +430,8 @@ public class AuthorizeAdminServlet extends DSpaceServlet
// edit a community's policy - set up and call policy editor
Community community = Community.find(c, UIUtil.getIntParameter(
request, "community_id"));
+
+ AuthorizeUtil.authorizeManageCommunityPolicy(c, community);
int policy_id = UIUtil.getIntParameter(request, "policy_id");
ResourcePolicy policy = null;
@@ -448,6 +469,7 @@ public class AuthorizeAdminServlet extends DSpaceServlet
Collection collection = Collection.find(c, UIUtil.getIntParameter(
request, "collection_id"));
+ AuthorizeUtil.authorizeManageCollectionPolicy(c, collection);
ResourcePolicy policy = ResourcePolicy.create(c);
policy.setResource(collection);
policy.update();
@@ -474,6 +496,7 @@ public class AuthorizeAdminServlet extends DSpaceServlet
Community community = Community.find(c, UIUtil.getIntParameter(
request, "community_id"));
+ AuthorizeUtil.authorizeManageCommunityPolicy(c, community);
ResourcePolicy policy = ResourcePolicy.create(c);
policy.setResource(community);
policy.update();
@@ -511,6 +534,7 @@ public class AuthorizeAdminServlet extends DSpaceServlet
String display_page = null;
ResourcePolicy policy = ResourcePolicy.find(c, policy_id);
+ AuthorizeUtil.authorizeManagePolicy(c, policy);
Group group = Group.find(c, group_id);
if (collection_id != -1)
@@ -602,6 +626,7 @@ public class AuthorizeAdminServlet extends DSpaceServlet
{
int policy_id = UIUtil.getIntParameter(request, "policy_id");
ResourcePolicy rp = ResourcePolicy.find(c, policy_id);
+ AuthorizeUtil.authorizeManagePolicy(c, rp);
rp.delete();
}
@@ -647,6 +672,7 @@ public class AuthorizeAdminServlet extends DSpaceServlet
}
else if (button.equals("submit_advanced_clear"))
{
+ AuthorizeUtil.requireAdminRole(c);
// remove all policies for a set of objects
int collection_id = UIUtil
.getIntParameter(request, "collection_id");
@@ -668,6 +694,7 @@ public class AuthorizeAdminServlet extends DSpaceServlet
}
else if (button.equals("submit_advanced_add"))
{
+ AuthorizeUtil.requireAdminRole(c);
// add a policy to a set of objects
int collection_id = UIUtil
.getIntParameter(request, "collection_id");
diff --git a/dspace-jspui/dspace-jspui-api/src/main/java/org/dspace/app/webui/servlet/admin/CollectionWizardServlet.java b/dspace-jspui/dspace-jspui-api/src/main/java/org/dspace/app/webui/servlet/admin/CollectionWizardServlet.java
index cb0f8edae6..ce13655267 100644
--- a/dspace-jspui/dspace-jspui-api/src/main/java/org/dspace/app/webui/servlet/admin/CollectionWizardServlet.java
+++ b/dspace-jspui/dspace-jspui-api/src/main/java/org/dspace/app/webui/servlet/admin/CollectionWizardServlet.java
@@ -52,6 +52,7 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
+import org.dspace.app.util.AuthorizeUtil;
import org.dspace.app.webui.servlet.DSpaceServlet;
import org.dspace.app.webui.util.FileUploadRequest;
import org.dspace.app.webui.util.JSPManager;
@@ -174,16 +175,49 @@ public class CollectionWizardServlet extends DSpaceServlet
// Create the collection
Collection newCollection = c.createCollection();
request.setAttribute("collection", newCollection);
- if (AuthorizeManager.isAdmin(context,c))
- {
- // set a variable to show all locale admin buttons
- request.setAttribute("admin_button", new Boolean(true));
- }
+
if (AuthorizeManager.isAdmin(context))
{
// set a variable to show all buttons
request.setAttribute("sysadmin_button", new Boolean(true));
}
+
+ try
+ {
+ AuthorizeUtil.authorizeManageAdminGroup(context, newCollection);
+ request.setAttribute("admin_create_button", new Boolean(true));
+ }
+ catch (AuthorizeException authex) {
+ request.setAttribute("admin_create_button", new Boolean(false));
+ }
+
+ try
+ {
+ AuthorizeUtil.authorizeManageSubmittersGroup(context, newCollection);
+ request.setAttribute("submitters_button", new Boolean(true));
+ }
+ catch (AuthorizeException authex) {
+ request.setAttribute("submitters_button", new Boolean(false));
+ }
+
+ try
+ {
+ AuthorizeUtil.authorizeManageWorkflowsGroup(context, newCollection);
+ request.setAttribute("workflows_button", new Boolean(true));
+ }
+ catch (AuthorizeException authex) {
+ request.setAttribute("workflows_button", new Boolean(false));
+ }
+
+ try
+ {
+ AuthorizeUtil.authorizeManageTemplateItem(context, newCollection);
+ request.setAttribute("template_button", new Boolean(true));
+ }
+ catch (AuthorizeException authex) {
+ request.setAttribute("template_button", new Boolean(false));
+ }
+
JSPManager.showJSP(request, response,
"/dspace-admin/wizard-questions.jsp");
context.complete();
@@ -718,11 +752,7 @@ public class CollectionWizardServlet extends DSpaceServlet
Community[] communities = collection.getCommunities();
request.setAttribute("community", communities[0]);
- if (AuthorizeManager.isAdmin(context, collection))
- {
- // set a variable to show all buttons
- request.setAttribute("admin_button", new Boolean(true));
- }
+ EditCommunitiesServlet.storeAuthorizeAttributeCollectionEdit(context, request, collection);
}
JSPManager.showJSP(request, response, "/tools/edit-collection.jsp");
diff --git a/dspace-jspui/dspace-jspui-api/src/main/java/org/dspace/app/webui/servlet/admin/EditCommunitiesServlet.java b/dspace-jspui/dspace-jspui-api/src/main/java/org/dspace/app/webui/servlet/admin/EditCommunitiesServlet.java
index c185f2d85b..e3b36ae930 100644
--- a/dspace-jspui/dspace-jspui-api/src/main/java/org/dspace/app/webui/servlet/admin/EditCommunitiesServlet.java
+++ b/dspace-jspui/dspace-jspui-api/src/main/java/org/dspace/app/webui/servlet/admin/EditCommunitiesServlet.java
@@ -51,6 +51,7 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
+import org.dspace.app.util.AuthorizeUtil;
import org.dspace.app.webui.servlet.DSpaceServlet;
import org.dspace.app.webui.util.FileUploadRequest;
import org.dspace.app.webui.util.JSPManager;
@@ -170,19 +171,12 @@ public class EditCommunitiesServlet extends DSpaceServlet
return;
}
- if ((collection != null && AuthorizeManager.isAdmin(context, collection))
- || (collection == null && community != null && AuthorizeManager.isAdmin(context, community))
- || (collection == null && parentCommunity != null && AuthorizeManager.isAdmin(context, parentCommunity)))
- {
- // set a variable to show all buttons
- request.setAttribute("admin_button", new Boolean(true));
- }
-
// Now proceed according to "action" parameter
switch (action)
{
case START_EDIT_COMMUNITY:
-
+ storeAuthorizeAttributeCommunityEdit(context, request, community);
+
// Display the relevant "edit community" page
JSPManager.showJSP(request, response, "/tools/edit-community.jsp");
@@ -197,6 +191,9 @@ public class EditCommunitiesServlet extends DSpaceServlet
break;
case START_CREATE_COMMUNITY:
+ // no authorize attribute will be given to the jsp so a "clean" creation form
+ // will be always supplied, advanced setting on policies and admin group creation
+ // will be possible after to have completed the community creation
// Display edit community page with empty fields + create button
JSPManager.showJSP(request, response, "/tools/edit-community.jsp");
@@ -209,6 +206,8 @@ public class EditCommunitiesServlet extends DSpaceServlet
getIntParameter(request, "collection_id"));
request.setAttribute("harvestInstance", hc);
+ storeAuthorizeAttributeCollectionEdit(context, request, collection);
+
// Display the relevant "edit collection" page
JSPManager.showJSP(request, response, "/tools/edit-collection.jsp");
@@ -281,7 +280,9 @@ public class EditCommunitiesServlet extends DSpaceServlet
// Delete the collection
community.removeCollection(collection);
-
+ // remove the collection object from the request, so that the user
+ // will be redirected on the community home page
+ request.removeAttribute("collection");
// Show main control page
showControls(context, request, response);
@@ -299,6 +300,140 @@ public class EditCommunitiesServlet extends DSpaceServlet
}
}
+ /**
+ * Store in the request attribute to teach to the jsp which button are
+ * needed/allowed for the community edit form
+ *
+ * @param context
+ * @param request
+ * @param community
+ * @throws SQLException
+ */
+ private void storeAuthorizeAttributeCommunityEdit(Context context,
+ HttpServletRequest request, Community community) throws SQLException
+ {
+ try
+ {
+ AuthorizeUtil.authorizeManageAdminGroup(context, community);
+ request.setAttribute("admin_create_button", new Boolean(true));
+ }
+ catch (AuthorizeException authex) {
+ request.setAttribute("admin_create_button", new Boolean(false));
+ }
+
+ try
+ {
+ AuthorizeUtil.authorizeRemoveAdminGroup(context, community);
+ request.setAttribute("admin_remove_button", new Boolean(true));
+ }
+ catch (AuthorizeException authex) {
+ request.setAttribute("admin_remove_button", new Boolean(false));
+ }
+
+ if (AuthorizeManager.authorizeActionBoolean(context, community, Constants.DELETE))
+ {
+ request.setAttribute("delete_button", new Boolean(true));
+ }
+ else
+ {
+ request.setAttribute("delete_button", new Boolean(false));
+ }
+
+ try
+ {
+ AuthorizeUtil.authorizeManageCommunityPolicy(context, community);
+ request.setAttribute("policy_button", new Boolean(true));
+ }
+ catch (AuthorizeException authex) {
+ request.setAttribute("policy_button", new Boolean(false));
+ }
+ }
+
+ /**
+ * Store in the request attribute to teach to the jsp which button are
+ * needed/allowed for the collection edit form
+ *
+ * @param context
+ * @param request
+ * @param community
+ * @throws SQLException
+ */
+ static void storeAuthorizeAttributeCollectionEdit(Context context,
+ HttpServletRequest request, Collection collection) throws SQLException
+ {
+ if (AuthorizeManager.isAdmin(context, collection))
+ {
+ request.setAttribute("admin_collection", new Boolean(true));
+ }
+ else
+ {
+ request.setAttribute("admin_collection", new Boolean(false));
+ }
+
+ try
+ {
+ AuthorizeUtil.authorizeManageAdminGroup(context, collection);
+ request.setAttribute("admin_create_button", new Boolean(true));
+ }
+ catch (AuthorizeException authex) {
+ request.setAttribute("admin_create_button", new Boolean(false));
+ }
+
+ try
+ {
+ AuthorizeUtil.authorizeRemoveAdminGroup(context, collection);
+ request.setAttribute("admin_remove_button", new Boolean(true));
+ }
+ catch (AuthorizeException authex) {
+ request.setAttribute("admin_remove_button", new Boolean(false));
+ }
+
+ try
+ {
+ AuthorizeUtil.authorizeManageSubmittersGroup(context, collection);
+ request.setAttribute("submitters_button", new Boolean(true));
+ }
+ catch (AuthorizeException authex) {
+ request.setAttribute("submitters_button", new Boolean(false));
+ }
+
+ try
+ {
+ AuthorizeUtil.authorizeManageWorkflowsGroup(context, collection);
+ request.setAttribute("workflows_button", new Boolean(true));
+ }
+ catch (AuthorizeException authex) {
+ request.setAttribute("workflows_button", new Boolean(false));
+ }
+
+ try
+ {
+ AuthorizeUtil.authorizeManageTemplateItem(context, collection);
+ request.setAttribute("template_button", new Boolean(true));
+ }
+ catch (AuthorizeException authex) {
+ request.setAttribute("template_button", new Boolean(false));
+ }
+
+ if (AuthorizeManager.authorizeActionBoolean(context, collection.getParentObject(), Constants.REMOVE))
+ {
+ request.setAttribute("delete_button", new Boolean(true));
+ }
+ else
+ {
+ request.setAttribute("delete_button", new Boolean(false));
+ }
+
+ try
+ {
+ AuthorizeUtil.authorizeManageCollectionPolicy(context, collection);
+ request.setAttribute("policy_button", new Boolean(true));
+ }
+ catch (AuthorizeException authex) {
+ request.setAttribute("policy_button", new Boolean(false));
+ }
+ }
+
/**
* Show community home page with admin controls
*
@@ -394,6 +529,8 @@ public class EditCommunitiesServlet extends DSpaceServlet
request.setAttribute("community", community);
}
+ storeAuthorizeAttributeCommunityEdit(context, request, community);
+
community.setMetadata("name", request.getParameter("name"));
community.setMetadata("short_description", request
.getParameter("short_description"));
@@ -452,7 +589,7 @@ public class EditCommunitiesServlet extends DSpaceServlet
// Forward to policy edit page
response.sendRedirect(response.encodeRedirectURL(request
.getContextPath()
- + "/dspace-admin/authorize?community_id="
+ + "/tools/authorize?community_id="
+ community.getID() + "&submit_community_select=1"));
}
else if (button.equals("submit_admins_create"))
@@ -466,6 +603,15 @@ public class EditCommunitiesServlet extends DSpaceServlet
.getContextPath()
+ "/tools/group-edit?group_id=" + newGroup.getID()));
}
+ else if (button.equals("submit_admins_remove"))
+ {
+ Group g = community.getAdministrators();
+ community.removeAdministrators();
+ community.update();
+ g.delete();
+ // Show edit page again - attributes set in doDSPost()
+ JSPManager.showJSP(request, response, "/tools/edit-community.jsp");
+ }
else if (button.equals("submit_admins_edit"))
{
// Edit 'community administrators' group
@@ -510,6 +656,8 @@ public class EditCommunitiesServlet extends DSpaceServlet
collection = community.createCollection();
request.setAttribute("collection", collection);
}
+
+ storeAuthorizeAttributeCollectionEdit(context, request, collection);
// Update the basic metadata
collection.setMetadata("name", request.getParameter("name"));
@@ -674,7 +822,7 @@ public class EditCommunitiesServlet extends DSpaceServlet
// Forward to policy edit page
response.sendRedirect(response.encodeRedirectURL(request
.getContextPath()
- + "/dspace-admin/authorize?collection_id="
+ + "/tools/authorize?collection_id="
+ collection.getID() + "&submit_collection_select=1"));
}
else if (button.startsWith("submit_wf_edit_"))
@@ -830,6 +978,7 @@ public class EditCommunitiesServlet extends DSpaceServlet
// Show community edit page
request.setAttribute("community", community);
+ storeAuthorizeAttributeCommunityEdit(context, request, community);
dso = community;
jsp = "/tools/edit-community.jsp";
}
@@ -840,6 +989,7 @@ public class EditCommunitiesServlet extends DSpaceServlet
// Show collection edit page
request.setAttribute("collection", collection);
request.setAttribute("community", community);
+ storeAuthorizeAttributeCollectionEdit(context, request, collection);
dso = collection;
jsp = "/tools/edit-collection.jsp";
}
diff --git a/dspace-jspui/dspace-jspui-api/src/main/java/org/dspace/app/webui/servlet/admin/EditItemServlet.java b/dspace-jspui/dspace-jspui-api/src/main/java/org/dspace/app/webui/servlet/admin/EditItemServlet.java
index 5b3beb28eb..98039af4b5 100644
--- a/dspace-jspui/dspace-jspui-api/src/main/java/org/dspace/app/webui/servlet/admin/EditItemServlet.java
+++ b/dspace-jspui/dspace-jspui-api/src/main/java/org/dspace/app/webui/servlet/admin/EditItemServlet.java
@@ -59,10 +59,12 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
+import org.dspace.app.util.AuthorizeUtil;
import org.dspace.app.webui.servlet.DSpaceServlet;
import org.dspace.app.webui.util.FileUploadRequest;
import org.dspace.app.webui.util.JSPManager;
import org.dspace.app.webui.util.UIUtil;
+import org.dspace.authorize.AuthorizeConfiguration;
import org.dspace.authorize.AuthorizeException;
import org.dspace.authorize.AuthorizeManager;
import org.dspace.content.Bitstream;
@@ -392,9 +394,16 @@ public class EditItemServlet extends DSpaceServlet
{
if ( request.getParameter("cc_license_url") != null )
{
- // set or replace existing CC license
+ // check authorization
+ AuthorizeUtil.authorizeManageCCLicense(context, item);
+
+ // turn off auth system to allow replace also to user that can't
+ // remove/add bitstream to the item
+ context.turnOffAuthorisationSystem();
+ // set or replace existing CC license
CreativeCommons.setLicense( context, item,
request.getParameter("cc_license_url") );
+ context.restoreAuthSystemState();
context.commit();
}
@@ -427,6 +436,82 @@ public class EditItemServlet extends DSpaceServlet
}
request.setAttribute("admin_button", AuthorizeManager.authorizeActionBoolean(context, item, Constants.ADMIN));
+ try
+ {
+ AuthorizeUtil.authorizeManageItemPolicy(context, item);
+ request.setAttribute("policy_button", new Boolean(true));
+ }
+ catch (AuthorizeException authex)
+ {
+ request.setAttribute("policy_button", new Boolean(false));
+ }
+
+ if (AuthorizeManager.authorizeActionBoolean(context, item
+ .getParentObject(), Constants.REMOVE))
+ {
+ request.setAttribute("delete_button", new Boolean(true));
+ }
+ else
+ {
+ request.setAttribute("delete_button", new Boolean(false));
+ }
+
+ try
+ {
+ AuthorizeManager.authorizeAction(context, item, Constants.ADD);
+ request.setAttribute("create_bitstream_button", new Boolean(true));
+ }
+ catch (AuthorizeException authex)
+ {
+ request.setAttribute("create_bitstream_button", new Boolean(false));
+ }
+
+ try
+ {
+ AuthorizeManager.authorizeAction(context, item, Constants.REMOVE);
+ request.setAttribute("remove_bitstream_button", new Boolean(true));
+ }
+ catch (AuthorizeException authex)
+ {
+ request.setAttribute("remove_bitstream_button", new Boolean(false));
+ }
+
+ try
+ {
+ AuthorizeUtil.authorizeManageCCLicense(context, item);
+ request.setAttribute("cclicense_button", new Boolean(true));
+ }
+ catch (AuthorizeException authex)
+ {
+ request.setAttribute("cclicense_button", new Boolean(false));
+ }
+
+ if (!item.isWithdrawn())
+ {
+ try
+ {
+ AuthorizeUtil.authorizeWithdrawItem(context, item);
+ request.setAttribute("withdraw_button", new Boolean(true));
+ }
+ catch (AuthorizeException authex)
+ {
+ request.setAttribute("withdraw_button", new Boolean(false));
+ }
+ }
+ else
+ {
+ try
+ {
+ AuthorizeUtil.authorizeReinstateItem(context, item);
+ request.setAttribute("reinstate_button", new Boolean(true));
+ }
+ catch (AuthorizeException authex)
+ {
+ request.setAttribute("reinstate_button", new Boolean(false));
+ }
+ }
+
+
request.setAttribute("item", item);
request.setAttribute("handle", handle);
request.setAttribute("collections", collections);
@@ -532,9 +617,7 @@ public class EditItemServlet extends DSpaceServlet
item.addMetadata(schema, element, qualifier, language, value);
}
}
- // only process bitstreams if admin
- else if (p.startsWith("bitstream_name")
- && AuthorizeManager.isAdmin(context))
+ else if (p.startsWith("bitstream_name"))
{
// We have bitstream metadata
// First, get the bundle and bitstream ID
diff --git a/dspace-jspui/dspace-jspui-webapp/src/main/webapp/WEB-INF/web.xml b/dspace-jspui/dspace-jspui-webapp/src/main/webapp/WEB-INF/web.xml
index 500ad83ab3..6293915d9a 100644
--- a/dspace-jspui/dspace-jspui-webapp/src/main/webapp/WEB-INF/web.xml
+++ b/dspace-jspui/dspace-jspui-webapp/src/main/webapp/WEB-INF/web.xml
@@ -428,7 +428,7 @@