[DS-3125] Submitters cannot delete bistreams of workspaceitems

2025-10-15 22:13:08 +00:00 · 2016-04-15 13:00:37 +02:00
parent b1e32fc1a7
commit bc9798c753
9 changed files with 86 additions and 6 deletions
--- a/dspace-api/src/main/java/org/dspace/content/BitstreamServiceImpl.java
+++ b/dspace-api/src/main/java/org/dspace/content/BitstreamServiceImpl.java
@@ -238,7 +238,7 @@ public class BitstreamServiceImpl extends DSpaceObjectServiceImpl<Bitstream> imp
    @Override
    public void delete(Context context, Bitstream bitstream) throws SQLException, AuthorizeException {

-        // changed to a check on remove
+        // changed to a check on delete
        // Check authorisation
        authorizeService.authorizeAction(context, bitstream, Constants.DELETE);
        log.info(LogManager.getHeader(context, "delete_bitstream",
@@ -249,15 +249,13 @@ public class BitstreamServiceImpl extends DSpaceObjectServiceImpl<Bitstream> imp

        bitstream.getBundles().clear();

-
-        // Remove policies
-        authorizeService.removeAllPolicies(context, bitstream);
-
        deleteMetadata(context, bitstream);

        // Remove bitstream itself
        bitstream.setDeleted(true);
        update(context, bitstream);
+        // Remove policies from the file, we do this at the end since the methods above still require write rights.
+        authorizeService.removeAllPolicies(context, bitstream);
    }

    @Override
--- a/dspace-api/src/main/java/org/dspace/content/BundleServiceImpl.java
+++ b/dspace-api/src/main/java/org/dspace/content/BundleServiceImpl.java
@@ -386,6 +386,8 @@ public class BundleServiceImpl extends DSpaceObjectServiceImpl<Bundle> implement
        log.info(LogManager.getHeader(context, "delete_bundle", "bundle_id="
                + bundle.getID()));

+        authorizeService.authorizeAction(context, bundle, Constants.DELETE);
+
        context.addEvent(new Event(Event.DELETE, Constants.BUNDLE, bundle.getID(),
                bundle.getName(), getIdentifiers(context, bundle)));

--- a/dspace-api/src/main/java/org/dspace/content/ItemServiceImpl.java
+++ b/dspace-api/src/main/java/org/dspace/content/ItemServiceImpl.java
@@ -577,7 +577,7 @@ public class ItemServiceImpl extends DSpaceObjectServiceImpl<Item> implements It

    @Override
    public void delete(Context context, Item item) throws SQLException, AuthorizeException, IOException {
-        authorizeService.authorizeAction(context, item, Constants.REMOVE);
+        authorizeService.authorizeAction(context, item, Constants.DELETE);
        item.getCollections().clear();
        item.setOwningCollection(null);
        rawDelete(context,  item);
--- a/dspace-api/src/main/java/org/dspace/content/WorkspaceItemServiceImpl.java
+++ b/dspace-api/src/main/java/org/dspace/content/WorkspaceItemServiceImpl.java
@@ -106,6 +106,8 @@ public class WorkspaceItemServiceImpl implements WorkspaceItemService {
        authorizeService.addPolicy(context, item, Constants.ADD, item.getSubmitter(), ResourcePolicy.TYPE_SUBMISSION);
        // remove contents permission
        authorizeService.addPolicy(context, item, Constants.REMOVE, item.getSubmitter(), ResourcePolicy.TYPE_SUBMISSION);
+        // delete permission
+        authorizeService.addPolicy(context, item, Constants.DELETE, item.getSubmitter(), ResourcePolicy.TYPE_SUBMISSION);


        // Copy template if appropriate
--- a/dspace-api/src/main/resources/org/dspace/storage/rdbms/sqlmigration/h2/V6.0_2016.04.14__DS-3125-fix-bundle-bitstream-delete-rights.sql
+++ b/dspace-api/src/main/resources/org/dspace/storage/rdbms/sqlmigration/h2/V6.0_2016.04.14__DS-3125-fix-bundle-bitstream-delete-rights.sql
@@ -0,0 +1,33 @@
+--
+-- The contents of this file are subject to the license and copyright
+-- detailed in the LICENSE and NOTICE files at the root of the source
+-- tree and available online at
+--
+-- http://www.dspace.org/license/
+--
+
+---------------------------------------------------------------
+-- DS-3125 Submitters cannot delete bistreams of workspaceitems
+---------------------------------------------------------------
+-- This script will add delete rights on all bundles/bitstreams
+-- for people who already have REMOVE rights.
+-- In previous versions REMOVE rights was enough to ensure that
+-- you could delete an object.
+---------------------------------------------------------------
+INSERT INTO resourcepolicy (policy_id, resource_type_id, resource_id, action_id, start_date, end_date, rpname,
+rptype, rpdescription, eperson_id, epersongroup_id, dspace_object)
+SELECT
+resourcepolicy_seq.nextval AS policy_id,
+resource_type_id,
+resource_id,
+-- Insert the Constants.DELETE action
+2 AS action_id,
+start_date,
+end_date,
+rpname,
+rptype,
+rpdescription,
+eperson_id,
+epersongroup_id,
+dspace_object
+FROM resourcepolicy WHERE action_id=4 AND (resource_type_id=0 OR resource_type_id=1 OR resource_type_id=2);
--- a/dspace-api/src/main/resources/org/dspace/storage/rdbms/sqlmigration/postgres/V6.0_2016.04.14__DS-3125-fix-bundle-bitstream-delete-rights.sql
+++ b/dspace-api/src/main/resources/org/dspace/storage/rdbms/sqlmigration/postgres/V6.0_2016.04.14__DS-3125-fix-bundle-bitstream-delete-rights.sql
@@ -0,0 +1,33 @@
+--
+-- The contents of this file are subject to the license and copyright
+-- detailed in the LICENSE and NOTICE files at the root of the source
+-- tree and available online at
+--
+-- http://www.dspace.org/license/
+--
+
+---------------------------------------------------------------
+-- DS-3125 Submitters cannot delete bistreams of workspaceitems
+---------------------------------------------------------------
+-- This script will add delete rights on all bundles/bitstreams
+-- for people who already have REMOVE rights.
+-- In previous versions REMOVE rights was enough to ensure that
+-- you could delete an object.
+---------------------------------------------------------------
+INSERT INTO resourcepolicy (policy_id, resource_type_id, resource_id, action_id, start_date, end_date, rpname,
+rptype, rpdescription, eperson_id, epersongroup_id, dspace_object)
+SELECT
+getnextid('resourcepolicy') AS policy_id,
+resource_type_id,
+resource_id,
+-- Insert the Constants.DELETE action
+2 AS action_id,
+start_date,
+end_date,
+rpname,
+rptype,
+rpdescription,
+eperson_id,
+epersongroup_id,
+dspace_object
+FROM resourcepolicy WHERE action_id=4 AND (resource_type_id=0 OR resource_type_id=1 OR resource_type_id=2);
--- a/dspace-api/src/test/java/org/dspace/content/BundleTest.java
+++ b/dspace-api/src/test/java/org/dspace/content/BundleTest.java
@@ -567,6 +567,8 @@ public class BundleTest extends AbstractDSpaceObjectTest
            // Allow Bundle REMOVE perms (to test remove)
            authorizeService.authorizeAction((Context) any, (Bundle) any,
                    Constants.REMOVE); result = null;
+            authorizeService.authorizeAction((Context) any, (Bundle) any,
+                    Constants.DELETE); result = null;
        }};

        UUID id = b.getID();
--- a/dspace-api/src/test/java/org/dspace/content/CollectionTest.java
+++ b/dspace-api/src/test/java/org/dspace/content/CollectionTest.java
@@ -883,6 +883,8 @@ public class CollectionTest extends AbstractDSpaceObjectTest
                    Constants.REMOVE); result = null;
            authorizeService.authorizeAction((Context) any, (Item) any,
                    Constants.WRITE); result = null;
+            authorizeService.authorizeAction((Context) any, (Item) any,
+                    Constants.DELETE); result = null;
        }};

        WorkspaceItem workspaceItem = workspaceItemService.create(context, collection, false);
--- a/dspace-api/src/test/java/org/dspace/content/ItemTest.java
+++ b/dspace-api/src/test/java/org/dspace/content/ItemTest.java
@@ -785,6 +785,8 @@ public class ItemTest  extends AbstractDSpaceObjectTest
                    Constants.ADD); result = null;
            authorizeService.authorizeAction((Context) any, (Item) any,
                    Constants.REMOVE); result = null;
+            authorizeService.authorizeAction((Context) any, (Item) any,
+                    Constants.DELETE); result = null;
        }};

        String name = "bundle";
@@ -926,6 +928,8 @@ public class ItemTest  extends AbstractDSpaceObjectTest
                    Constants.ADD); result = null;
            authorizeService.authorizeAction((Context) any, (Item) any,
                    Constants.REMOVE); result = null;
+            authorizeService.authorizeAction((Context) any, (Item) any,
+                    Constants.DELETE); result = null;
        }};

        String name = "LICENSE";
@@ -1215,6 +1219,8 @@ public class ItemTest  extends AbstractDSpaceObjectTest
            // Allow Item REMOVE perms
            authorizeService.authorizeAction((Context) any, (Item) any,
                    Constants.REMOVE, true); result = null;
+            authorizeService.authorizeAction((Context) any, (Item) any,
+                    Constants.DELETE, true); result = null;
            authorizeService.authorizeAction((Context) any, (Item) any,
                Constants.WRITE); result = null;
        }};
@@ -1257,6 +1263,8 @@ public class ItemTest  extends AbstractDSpaceObjectTest
                Constants.WRITE); result = null;
            authorizeService.authorizeAction((Context) any, (Item) any,
                Constants.REMOVE); result = null;
+            authorizeService.authorizeAction((Context) any, (Item) any,
+                Constants.DELETE); result = null;

        }};