74057: Features Endpoint - Search Statistics Permissions in REST

dspace-api/src/test/data/dspaceFolder/config/local.cfg

@@ -133,3 +133,4 @@ authentication-ip.Student = 6.6.6.6
 # Test config for the usage statistics authorization
 usage-statistics.authorization.admin.usage = true
 usage-statistics.authorization.admin.workflow = true
+usage-statistics.authorization.admin.search = true

dspace-server-webapp/src/main/java/org/dspace/app/rest/authorization/impl/ViewSearchStatisticsFeature.java

@@ -0,0 +1,66 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.rest.authorization.impl;
+
+import java.sql.SQLException;
+
+import org.dspace.app.rest.authorization.AuthorizationFeature;
+import org.dspace.app.rest.authorization.AuthorizationFeatureDocumentation;
+import org.dspace.app.rest.model.BaseObjectRest;
+import org.dspace.app.rest.model.SiteRest;
+import org.dspace.app.rest.utils.Utils;
+import org.dspace.authorize.service.AuthorizeService;
+import org.dspace.content.DSpaceObject;
+import org.dspace.core.Context;
+import org.dspace.services.ConfigurationService;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+/**
+ * The view search statistics feature. It can be used to verify if search statistics can be viewed.
+ *
+ * In case DSpace is configured to only show search statistics to administrators, authorization is granted if the
+ * current user is the site admin. Otherwise, authorization is granted if the current user can view the site.
+ */
+@Component
+@AuthorizationFeatureDocumentation(name = ViewSearchStatisticsFeature.NAME,
+    description = "It can be used to verify if the search statistics can be viewed")
+public class ViewSearchStatisticsFeature implements AuthorizationFeature {
+
+    public final static String NAME = "canViewSearchStatistics";
+
+    @Autowired
+    private ConfigurationService configurationService;
+
+    @Autowired
+    private AuthorizeService authorizeService;
+
+    @Autowired
+    private Utils utils;
+
+    @Override
+    public boolean isAuthorized(Context context, BaseObjectRest object) throws SQLException {
+        if (object instanceof SiteRest) {
+            if (configurationService.getBooleanProperty("usage-statistics.authorization.admin.search", true)) {
+                return authorizeService.isAdmin(context,
+                    (DSpaceObject)utils.getDSpaceAPIObjectFromRest(context, object));
+            } else {
+                return authorizeService.authorizeActionBoolean(context,
+                    (DSpaceObject)utils.getDSpaceAPIObjectFromRest(context, object), org.dspace.core.Constants.READ);
+            }
+        }
+        return false;
+    }
+
+    @Override
+    public String[] getSupportedTypes() {
+        return new String[]{
+            SiteRest.CATEGORY + "." + SiteRest.NAME
+        };
+    }
+}

dspace-server-webapp/src/test/java/org/dspace/app/rest/authorization/ViewSearchStatisticsFeatureIT.java

@@ -0,0 +1,99 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.rest.authorization;
+
+import static org.hamcrest.Matchers.greaterThan;
+import static org.hamcrest.Matchers.is;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+import org.dspace.app.rest.converter.SiteConverter;
+import org.dspace.app.rest.model.SiteRest;
+import org.dspace.app.rest.projection.Projection;
+import org.dspace.app.rest.test.AbstractControllerIntegrationTest;
+import org.dspace.app.rest.utils.Utils;
+import org.dspace.content.Site;
+import org.dspace.content.service.SiteService;
+import org.dspace.services.ConfigurationService;
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+
+/**
+ * Test for the canViewSearchStatistics authorization feature
+ */
+public class ViewSearchStatisticsFeatureIT extends AbstractControllerIntegrationTest {
+
+    @Autowired
+    private Utils utils;
+
+    @Autowired
+    private ConfigurationService configurationService;
+
+    @Autowired
+    private SiteConverter siteConverter;
+
+    @Autowired
+    SiteService siteService;
+
+    private Site site;
+    private SiteRest siteRest;
+
+    final String feature = "canViewSearchStatistics";
+
+    @Override
+    @Before
+    public void setUp() throws Exception {
+        super.setUp();
+
+        site = siteService.findSite(context);
+        siteRest = siteConverter.convert(site, Projection.DEFAULT);
+    }
+
+    @Test
+    public void adminSiteAdminRequiredSuccess() throws Exception {
+        String adminToken = getAuthToken(admin.getEmail(), password);
+        getClient(adminToken).perform(
+            get("/api/authz/authorizations/search/object")
+                .param("embed", "feature")
+                .param("feature", feature)
+                .param("uri", utils.linkToSingleResource(siteRest, "self").getHref()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$.page.totalElements", greaterThan(0)))
+            .andExpect(jsonPath("$._embedded").exists());
+    }
+
+    @Test
+    public void ePersonSiteAdminRequiredNotFound() throws Exception {
+        String epersonToken = getAuthToken(eperson.getEmail(), password);
+        getClient(epersonToken).perform(
+            get("/api/authz/authorizations/search/object")
+                .param("embed", "feature")
+                .param("feature", feature)
+                .param("uri", utils.linkToSingleResource(siteRest, "self").getHref()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$.page.totalElements", is(0)))
+            .andExpect(jsonPath("$._embedded").doesNotExist());
+    }
+
+    @Test
+    public void ePersonSiteAdminNotRequiredSuccess() throws Exception {
+        configurationService.setProperty("usage-statistics.authorization.admin.search", false);
+
+        String epersonToken = getAuthToken(eperson.getEmail(), password);
+        getClient(epersonToken).perform(
+            get("/api/authz/authorizations/search/object")
+                .param("embed", "feature")
+                .param("feature", feature)
+                .param("uri", utils.linkToSingleResource(siteRest, "self").getHref()))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$.page.totalElements", greaterThan(0)))
+            .andExpect(jsonPath("$._embedded").exists());
+    }
+}