Added proper authorization handling for the ExternalSources item create endpoint

2025-10-07 10:04:21 +00:00 · 2019-12-02 12:07:49 +01:00
parent 5b16e21980
commit daeab74815
3 changed files with 51 additions and 3 deletions
--- a/dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/handler/ExternalSourceEntryUriListHandler.java
+++ b/dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/handler/ExternalSourceEntryUriListHandler.java
@@ -69,7 +69,7 @@ public class ExternalSourceEntryUriListHandler implements UriListHandler<Item> {

    @Override
    public boolean validate(Context context, HttpServletRequest request, List<String> uriList,
-                            Class clazz) {
+                            Class clazz) throws AuthorizeException {
        if (uriList.size() > 1) {
            return false;
        }
@@ -86,7 +86,7 @@ public class ExternalSourceEntryUriListHandler implements UriListHandler<Item> {
                return false;
            }
            if (!authorizeService.isAdmin(context)) {
-                return false;
+                throw new AuthorizeException("Only admins are allowed to create items using external data");
            }
        } catch (SQLException e) {
            log.error(e.getMessage(), e);
--- a/dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/handler/UriListHandler.java
+++ b/dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/handler/UriListHandler.java
@@ -38,7 +38,8 @@ public interface UriListHandler<T> {
     * @param clazz     The class to be returned by the handle method
     * @return          A boolean indicating whether all this input is valid for the implementing UriListHandler
     */
-    boolean validate(Context context, HttpServletRequest request, List<String> uriList, Class clazz);
+    boolean validate(Context context, HttpServletRequest request, List<String> uriList, Class clazz)
+        throws AuthorizeException;

    /**
     * This method will perform the actual handle logic
--- a/dspace-server-webapp/src/test/java/org/dspace/app/rest/ItemRestRepositoryIT.java
+++ b/dspace-server-webapp/src/test/java/org/dspace/app/rest/ItemRestRepositoryIT.java
@@ -2042,4 +2042,51 @@ public class ItemRestRepositoryIT extends AbstractControllerIntegrationTest {
                                                  "mock/entryValues/azeazezaezeaz")).andExpect(status().is(404));

    }
+
+    @Test
+    public void createItemFromExternalSourcesForbidden() throws Exception {
+        //We turn off the authorization system in order to create the structure as defined below
+        context.turnOffAuthorisationSystem();
+        //** GIVEN **
+        //1. A community-collection structure with one parent community with sub-community and two collections.
+        parentCommunity = CommunityBuilder.createCommunity(context)
+                                          .withName("Parent Community")
+                                          .build();
+        Community child1 = CommunityBuilder.createSubCommunity(context, parentCommunity)
+                                           .withName("Sub Community")
+                                           .build();
+        Collection col1 = CollectionBuilder.createCollection(context, child1).withName("Collection 1").build();
+
+        context.restoreAuthSystemState();
+
+        String token = getAuthToken(eperson.getEmail(), password);
+        getClient(token).perform(post("/api/core/items?owningCollection=" + col1.getID().toString())
+                                    .contentType(org.springframework.http.MediaType.parseMediaType(
+                                        org.springframework.data.rest.webmvc.RestMediaTypes.TEXT_URI_LIST_VALUE))
+                                    .content("https://localhost:8080/server/api/integration/externalsources/" +
+                                        "mock/entryValues/one")).andExpect(status().isForbidden());
+    }
+
+    @Test
+    public void createItemFromExternalSourcesUnauthorized() throws Exception {
+        //We turn off the authorization system in order to create the structure as defined below
+        context.turnOffAuthorisationSystem();
+        //** GIVEN **
+        //1. A community-collection structure with one parent community with sub-community and two collections.
+        parentCommunity = CommunityBuilder.createCommunity(context)
+                                          .withName("Parent Community")
+                                          .build();
+        Community child1 = CommunityBuilder.createSubCommunity(context, parentCommunity)
+                                           .withName("Sub Community")
+                                           .build();
+        Collection col1 = CollectionBuilder.createCollection(context, child1).withName("Collection 1").build();
+
+        context.restoreAuthSystemState();
+
+        getClient().perform(post("/api/core/items?owningCollection=" + col1.getID().toString())
+                                     .contentType(org.springframework.http.MediaType.parseMediaType(
+                                         org.springframework.data.rest.webmvc.RestMediaTypes.TEXT_URI_LIST_VALUE))
+                                     .content("https://localhost:8080/server/api/integration/externalsources/" +
+                                                  "mock/entryValues/one")).andExpect(status().isUnauthorized());
+    }
 }