hazza/DSpace
1
0
Fork 0
mirror of https://github.com/DSpace/DSpace.git synced 2025-10-17 15:03:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

Processed feedback

Browse Source
This commit is contained in:
Raf Ponsaerts
2019-02-20 13:11:39 +01:00
parent 37c3ab9e17
commit a0ebd616f2
2 changed files with 470 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
dspace-spring-rest/src/main/java/org/dspace/app/rest/repository/RelationshipRestRepository.java
View File

@@ -135,8 +135,7 @@ public class RelationshipRestRepository extends DSpaceRestRepository<Relationshi
Item leftItem = (Item) dSpaceObjects.get(0); Item leftItem = (Item) dSpaceObjects.get(0);
Item rightItem = (Item) dSpaceObjects.get(1); Item rightItem = (Item) dSpaceObjects.get(1);
if (authorizeService.authorizeActionBoolean(context, leftItem, Constants.WRITE) || if (isAllowedToModifyRelationship(context, relationship, leftItem, rightItem)) {
authorizeService.authorizeActionBoolean(context, rightItem, Constants.WRITE)) {
relationship.setLeftItem(leftItem); relationship.setLeftItem(leftItem);
relationship.setRightItem(rightItem); relationship.setRightItem(rightItem);
@@ -153,6 +152,25 @@ public class RelationshipRestRepository extends DSpaceRestRepository<Relationshi
} }
/**
* This method will check with the current user has write rights on both one of the original items and one of the
* new items for the relationship.
* @param context The relevant DSpace context
* @param relationship The relationship to be checked on
* @param leftItem The new left Item
* @param rightItem The new right Item
* @return A boolean indicating whether the user is allowed or not
* @throws SQLException If something goes wrong
*/
private boolean isAllowedToModifyRelationship(Context context, Relationship relationship, Item leftItem,
Item rightItem) throws SQLException {
return (authorizeService.authorizeActionBoolean(context, leftItem, Constants.WRITE) ||
authorizeService.authorizeActionBoolean(context, rightItem, Constants.WRITE)) &&
(authorizeService.authorizeActionBoolean(context, relationship.getLeftItem(), Constants.WRITE) ||
authorizeService.authorizeActionBoolean(context, relationship.getRightItem(), Constants.WRITE)
);
}
@Override @Override
protected void delete(Context context, Integer id) throws AuthorizeException { protected void delete(Context context, Integer id) throws AuthorizeException {
Relationship relationship = null; Relationship relationship = null;

451
dspace-spring-rest/src/test/java/org/dspace/app/rest/RelationshipRestRepositoryIT.java
View File

@@ -400,7 +400,7 @@ public class RelationshipRestRepositoryIT extends AbstractControllerIntegrationT
} }
@Test @Test
public void putRelationshipAccess() throws Exception { public void putRelationshipAdminAccess() throws Exception {
context.turnOffAuthorisationSystem(); context.turnOffAuthorisationSystem();
@@ -473,4 +473,453 @@ public class RelationshipRestRepositoryIT extends AbstractControllerIntegrationT
.andExpect(jsonPath("$.rightId", is(author2.getID().toString()))); .andExpect(jsonPath("$.rightId", is(author2.getID().toString())));
} }
@Test
public void putRelationshipRightItemWriteAccess() throws Exception {
context.turnOffAuthorisationSystem();
parentCommunity = CommunityBuilder.createCommunity(context)
.withName("Parent Community")
.build();
Community child1 = CommunityBuilder.createSubCommunity(context, parentCommunity)
.withName("Sub Community")
.build();
Collection col1 = CollectionBuilder.createCollection(context, child1).withName("Collection 1").build();
Collection col2 = CollectionBuilder.createCollection(context, child1).withName("Collection 2").build();
Collection col3 = CollectionBuilder.createCollection(context, child1).withName("OrgUnits").build();
Item author1 = ItemBuilder.createItem(context, col1)
.withTitle("Author1")
.withIssueDate("2017-10-17")
.withAuthor("Smith, Donald")
.withRelationshipType("Person")
.build();
Item author2 = ItemBuilder.createItem(context, col1)
.withTitle("Author2")
.withIssueDate("2017-10-12")
.withAuthor("Smith, Donalaze")
.withRelationshipType("Person")
.build();
Item publication = ItemBuilder.createItem(context, col3)
.withTitle("Publication1")
.withAuthor("Testy, TEst")
.withIssueDate("2015-01-01")
.withRelationshipType("Publication")
.build();
RelationshipType isAuthorOfPublicationRelationshipType = relationshipTypeService
.findbyTypesAndLabels(context, entityTypeService.findByEntityType(context, "Publication"),
entityTypeService.findByEntityType(context, "Person"),
"isAuthorOfPublication", "isPublicationOfAuthor");
EPerson user = ePersonService.create(context);
user.setFirstName(context, "first");
user.setLastName(context, "last");
user.setEmail("rrarz@email.com");
user.setCanLogIn(true);
user.setLanguage(context, I18nUtil.getDefaultLocale().getLanguage());
ePersonService.setPassword(user, password);
// actually save the eperson to unit testing DB
ePersonService.update(context, user);
context.setCurrentUser(user);
authorizeService.addPolicy(context, author1, Constants.WRITE, user);
authorizeService.addPolicy(context, author2, Constants.WRITE, user);
String token = getAuthToken(user.getEmail(), password);
MvcResult mvcResult = getClient(token).perform(post("/api/core/relationships")
.param("relationshipType",
isAuthorOfPublicationRelationshipType.getID()
.toString())
.contentType(MediaType.parseMediaType("text/uri-list"))
.content(
"https://localhost:8080/spring-rest/api/core/items/" + publication.getID() + "\n" +
"https://localhost:8080/spring-rest/api/core/items/" + author1.getID()))
.andExpect(status().isCreated())
.andReturn();
ObjectMapper mapper = new ObjectMapper();
String content = mvcResult.getResponse().getContentAsString();
Map<String,Object> map = mapper.readValue(content, Map.class);
String id = String.valueOf(map.get("id"));
MvcResult mvcResult2 = getClient(token).perform(put("/api/core/relationships/" + id)
.contentType(MediaType.parseMediaType("text/uri-list"))
.content(
"https://localhost:8080/spring-rest/api/core/items/" + publication.getID() + "\n" +
"https://localhost:8080/spring-rest/api/core/items/" + author2.getID()))
.andExpect(status().isOk())
.andReturn();
getClient(token).perform(get("/api/core/relationships/" + id))
.andExpect(status().isOk())
.andExpect(jsonPath("$.rightId", is(author2.getID().toString())));
}
@Test
public void putRelationshipNewRightItemWriteAccess() throws Exception {
context.turnOffAuthorisationSystem();
parentCommunity = CommunityBuilder.createCommunity(context)
.withName("Parent Community")
.build();
Community child1 = CommunityBuilder.createSubCommunity(context, parentCommunity)
.withName("Sub Community")
.build();
Collection col1 = CollectionBuilder.createCollection(context, child1).withName("Collection 1").build();
Collection col2 = CollectionBuilder.createCollection(context, child1).withName("Collection 2").build();
Collection col3 = CollectionBuilder.createCollection(context, child1).withName("OrgUnits").build();
Item author1 = ItemBuilder.createItem(context, col1)
.withTitle("Author1")
.withIssueDate("2017-10-17")
.withAuthor("Smith, Donald")
.withRelationshipType("Person")
.build();
Item author2 = ItemBuilder.createItem(context, col1)
.withTitle("Author2")
.withIssueDate("2017-10-12")
.withAuthor("Smith, Donalaze")
.withRelationshipType("Person")
.build();
Item publication = ItemBuilder.createItem(context, col3)
.withTitle("Publication1")
.withAuthor("Testy, TEst")
.withIssueDate("2015-01-01")
.withRelationshipType("Publication")
.build();
RelationshipType isAuthorOfPublicationRelationshipType = relationshipTypeService
.findbyTypesAndLabels(context, entityTypeService.findByEntityType(context, "Publication"),
entityTypeService.findByEntityType(context, "Person"),
"isAuthorOfPublication", "isPublicationOfAuthor");
EPerson user = ePersonService.create(context);
user.setFirstName(context, "first");
user.setLastName(context, "last");
user.setEmail("uiytirthery@email.com");
user.setCanLogIn(true);
user.setLanguage(context, I18nUtil.getDefaultLocale().getLanguage());
ePersonService.setPassword(user, password);
// actually save the eperson to unit testing DB
ePersonService.update(context, user);
context.setCurrentUser(user);
authorizeService.addPolicy(context, author1, Constants.WRITE, user);
authorizeService.addPolicy(context, author2, Constants.WRITE, user);
String token = getAuthToken(user.getEmail(), password);
MvcResult mvcResult = getClient(token).perform(post("/api/core/relationships")
.param("relationshipType",
isAuthorOfPublicationRelationshipType.getID()
.toString())
.contentType(MediaType.parseMediaType("text/uri-list"))
.content(
"https://localhost:8080/spring-rest/api/core/items/" + publication.getID() + "\n" +
"https://localhost:8080/spring-rest/api/core/items/" + author1.getID()))
.andExpect(status().isCreated())
.andReturn();
ObjectMapper mapper = new ObjectMapper();
String content = mvcResult.getResponse().getContentAsString();
Map<String,Object> map = mapper.readValue(content, Map.class);
String id = String.valueOf(map.get("id"));
MvcResult mvcResult2 = getClient(token).perform(put("/api/core/relationships/" + id)
.contentType(MediaType.parseMediaType("text/uri-list"))
.content(
"https://localhost:8080/spring-rest/api/core/items/" + publication.getID() + "\n" +
"https://localhost:8080/spring-rest/api/core/items/" + author2.getID()))
.andExpect(status().isOk())
.andReturn();
getClient(token).perform(get("/api/core/relationships/" + id))
.andExpect(status().isOk())
.andExpect(jsonPath("$.rightId", is(author2.getID().toString())));
}
@Test
public void putRelationshipLeftItemWriteAccess() throws Exception {
context.turnOffAuthorisationSystem();
parentCommunity = CommunityBuilder.createCommunity(context)
.withName("Parent Community")
.build();
Community child1 = CommunityBuilder.createSubCommunity(context, parentCommunity)
.withName("Sub Community")
.build();
Collection col1 = CollectionBuilder.createCollection(context, child1).withName("Collection 1").build();
Collection col2 = CollectionBuilder.createCollection(context, child1).withName("Collection 2").build();
Collection col3 = CollectionBuilder.createCollection(context, child1).withName("OrgUnits").build();
Item author1 = ItemBuilder.createItem(context, col1)
.withTitle("Author1")
.withIssueDate("2017-10-17")
.withAuthor("Smith, Donald")
.withRelationshipType("Person")
.build();
Item author2 = ItemBuilder.createItem(context, col1)
.withTitle("Author2")
.withIssueDate("2017-10-12")
.withAuthor("Smith, Donalaze")
.withRelationshipType("Person")
.build();
Item publication = ItemBuilder.createItem(context, col3)
.withTitle("Publication1")
.withAuthor("Testy, TEst")
.withIssueDate("2015-01-01")
.withRelationshipType("Publication")
.build();
RelationshipType isAuthorOfPublicationRelationshipType = relationshipTypeService
.findbyTypesAndLabels(context, entityTypeService.findByEntityType(context, "Publication"),
entityTypeService.findByEntityType(context, "Person"),
"isAuthorOfPublication", "isPublicationOfAuthor");
EPerson user = ePersonService.create(context);
user.setFirstName(context, "first");
user.setLastName(context, "last");
user.setEmail("tturturu@email.com");
user.setCanLogIn(true);
user.setLanguage(context, I18nUtil.getDefaultLocale().getLanguage());
ePersonService.setPassword(user, password);
// actually save the eperson to unit testing DB
ePersonService.update(context, user);
context.setCurrentUser(user);
authorizeService.addPolicy(context, publication, Constants.WRITE, user);
String token = getAuthToken(user.getEmail(), password);
MvcResult mvcResult = getClient(token).perform(post("/api/core/relationships")
.param("relationshipType",
isAuthorOfPublicationRelationshipType.getID()
.toString())
.contentType(MediaType.parseMediaType("text/uri-list"))
.content(
"https://localhost:8080/spring-rest/api/core/items/" + publication.getID() + "\n" +
"https://localhost:8080/spring-rest/api/core/items/" + author1.getID()))
.andExpect(status().isCreated())
.andReturn();
ObjectMapper mapper = new ObjectMapper();
String content = mvcResult.getResponse().getContentAsString();
Map<String,Object> map = mapper.readValue(content, Map.class);
String id = String.valueOf(map.get("id"));
MvcResult mvcResult2 = getClient(token).perform(put("/api/core/relationships/" + id)
.contentType(MediaType.parseMediaType("text/uri-list"))
.content(
"https://localhost:8080/spring-rest/api/core/items/" + publication.getID() + "\n" +
"https://localhost:8080/spring-rest/api/core/items/" + author2.getID()))
.andExpect(status().isOk())
.andReturn();
getClient(token).perform(get("/api/core/relationships/" + id))
.andExpect(status().isOk())
.andExpect(jsonPath("$.rightId", is(author2.getID().toString())));
}
@Test
public void putRelationshipNewLeftItemWriteAccess() throws Exception {
context.turnOffAuthorisationSystem();
parentCommunity = CommunityBuilder.createCommunity(context)
.withName("Parent Community")
.build();
Community child1 = CommunityBuilder.createSubCommunity(context, parentCommunity)
.withName("Sub Community")
.build();
Collection col1 = CollectionBuilder.createCollection(context, child1).withName("Collection 1").build();
Collection col2 = CollectionBuilder.createCollection(context, child1).withName("Collection 2").build();
Collection col3 = CollectionBuilder.createCollection(context, child1).withName("OrgUnits").build();
Item author1 = ItemBuilder.createItem(context, col1)
.withTitle("Author1")
.withIssueDate("2017-10-17")
.withAuthor("Smith, Donald")
.withRelationshipType("Person")
.build();
Item author2 = ItemBuilder.createItem(context, col1)
.withTitle("Author2")
.withIssueDate("2017-10-12")
.withAuthor("Smith, Donalaze")
.withRelationshipType("Person")
.build();
Item publication = ItemBuilder.createItem(context, col3)
.withTitle("Publication1")
.withAuthor("Testy, TEst")
.withIssueDate("2015-01-01")
.withRelationshipType("Publication")
.build();
Item publication2 = ItemBuilder.createItem(context, col3)
.withTitle("Publication2")
.withAuthor("Testy, TEstzea")
.withIssueDate("2015-01-01")
.withRelationshipType("Publication")
.build();
RelationshipType isAuthorOfPublicationRelationshipType = relationshipTypeService
.findbyTypesAndLabels(context, entityTypeService.findByEntityType(context, "Publication"),
entityTypeService.findByEntityType(context, "Person"),
"isAuthorOfPublication", "isPublicationOfAuthor");
EPerson user = ePersonService.create(context);
user.setFirstName(context, "first");
user.setLastName(context, "last");
user.setEmail("tryhrtureery@email.com");
user.setCanLogIn(true);
user.setLanguage(context, I18nUtil.getDefaultLocale().getLanguage());
ePersonService.setPassword(user, password);
// actually save the eperson to unit testing DB
ePersonService.update(context, user);
context.setCurrentUser(user);
authorizeService.addPolicy(context, author1, Constants.WRITE, user);
authorizeService.addPolicy(context, publication2, Constants.WRITE, user);
String token = getAuthToken(user.getEmail(), password);
MvcResult mvcResult = getClient(getAuthToken(admin.getEmail(), password))
.perform(post("/api/core/relationships")
.param("relationshipType",
isAuthorOfPublicationRelationshipType.getID()
.toString())
.contentType(MediaType.parseMediaType("text/uri-list"))
.content(
"https://localhost:8080/spring-rest/api/core/items/" + publication.getID() + "\n" +
"https://localhost:8080/spring-rest/api/core/items/" + author1.getID()))
.andExpect(status().isCreated())
.andReturn();
ObjectMapper mapper = new ObjectMapper();
String content = mvcResult.getResponse().getContentAsString();
Map<String,Object> map = mapper.readValue(content, Map.class);
String id = String.valueOf(map.get("id"));
MvcResult mvcResult2 = getClient(token).perform(put("/api/core/relationships/" + id)
.contentType(MediaType.parseMediaType("text/uri-list"))
.content(
"https://localhost:8080/spring-rest/api/core/items/" + publication2.getID() + "\n" +
"https://localhost:8080/spring-rest/api/core/items/" + author1.getID()))
.andExpect(status().isOk())
.andReturn();
getClient(token).perform(get("/api/core/relationships/" + id))
.andExpect(status().isOk())
.andExpect(jsonPath("$.leftId", is(publication2.getID().toString())));
}
@Test
public void putRelationshipNoAccess() throws Exception {
context.turnOffAuthorisationSystem();
parentCommunity = CommunityBuilder.createCommunity(context)
.withName("Parent Community")
.build();
Community child1 = CommunityBuilder.createSubCommunity(context, parentCommunity)
.withName("Sub Community")
.build();
Collection col1 = CollectionBuilder.createCollection(context, child1).withName("Collection 1").build();
Collection col2 = CollectionBuilder.createCollection(context, child1).withName("Collection 2").build();
Collection col3 = CollectionBuilder.createCollection(context, child1).withName("OrgUnits").build();
Item author1 = ItemBuilder.createItem(context, col1)
.withTitle("Author1")
.withIssueDate("2017-10-17")
.withAuthor("Smith, Donald")
.withRelationshipType("Person")
.build();
Item author2 = ItemBuilder.createItem(context, col1)
.withTitle("Author2")
.withIssueDate("2017-10-12")
.withAuthor("Smith, Donalaze")
.withRelationshipType("Person")
.build();
Item publication = ItemBuilder.createItem(context, col3)
.withTitle("Publication1")
.withAuthor("Testy, TEst")
.withIssueDate("2015-01-01")
.withRelationshipType("Publication")
.build();
RelationshipType isAuthorOfPublicationRelationshipType = relationshipTypeService
.findbyTypesAndLabels(context, entityTypeService.findByEntityType(context, "Publication"),
entityTypeService.findByEntityType(context, "Person"),
"isAuthorOfPublication", "isPublicationOfAuthor");
EPerson user = ePersonService.create(context);
user.setFirstName(context, "first");
user.setLastName(context, "last");
user.setEmail("ytureye@email.com");
user.setCanLogIn(true);
user.setLanguage(context, I18nUtil.getDefaultLocale().getLanguage());
ePersonService.setPassword(user, password);
// actually save the eperson to unit testing DB
ePersonService.update(context, user);
context.setCurrentUser(user);
String token = getAuthToken(admin.getEmail(), password);
MvcResult mvcResult = getClient(token).perform(post("/api/core/relationships")
.param("relationshipType",
isAuthorOfPublicationRelationshipType.getID()
.toString())
.contentType(MediaType.parseMediaType("text/uri-list"))
.content(
"https://localhost:8080/spring-rest/api/core/items/" + publication.getID() + "\n" +
"https://localhost:8080/spring-rest/api/core/items/" + author1.getID()))
.andExpect(status().isCreated())
.andReturn();
ObjectMapper mapper = new ObjectMapper();
String content = mvcResult.getResponse().getContentAsString();
Map<String,Object> map = mapper.readValue(content, Map.class);
String id = String.valueOf(map.get("id"));
token = getAuthToken(user.getEmail(), password);
MvcResult mvcResult2 = getClient(token).perform(put("/api/core/relationships/" + id)
.contentType(MediaType.parseMediaType("text/uri-list"))
.content(
"https://localhost:8080/spring-rest/api/core/items/" + publication.getID() + "\n" +
"https://localhost:8080/spring-rest/api/core/items/" + author2.getID()))
.andExpect(status().isForbidden())
.andReturn();
}
} }