diff --git a/src/main/java/eu/dnetlib/uoamonitorservice/controllers/CategoryController.java b/src/main/java/eu/dnetlib/uoamonitorservice/controllers/CategoryController.java index c93d9cd..119a53f 100644 --- a/src/main/java/eu/dnetlib/uoamonitorservice/controllers/CategoryController.java +++ b/src/main/java/eu/dnetlib/uoamonitorservice/controllers/CategoryController.java @@ -4,11 +4,15 @@ import eu.dnetlib.uoamonitorservice.dao.*; import eu.dnetlib.uoamonitorservice.entities.*; import eu.dnetlib.uoamonitorservice.handlers.EntityNotFoundException; import eu.dnetlib.uoamonitorservice.handlers.PathNotValidException; +import eu.dnetlib.uoamonitorservice.handlers.utils.RolesUtils; import org.apache.log4j.Logger; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.access.AccessDeniedException; +import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.web.bind.annotation.*; import java.util.ArrayList; +import java.util.Date; import java.util.Iterator; import java.util.List; @@ -17,6 +21,9 @@ import java.util.List; public class CategoryController { private final Logger log = Logger.getLogger(this.getClass()); + @Autowired + private RolesUtils rolesUtils; + @Autowired private StakeholderDAO stakeholderDAO; @@ -29,12 +36,6 @@ public class CategoryController { @Autowired private SubCategoryDAO subCategoryDAO; - @Autowired - private SectionDAO sectionDAO; - - @Autowired - private IndicatorDAO indicatorDAO; - @Autowired private SubCategoryController subCategoryController; 
@@ -51,12 +52,20 @@ public class CategoryController { categoryFull.setSubCategories(subCategoriesFull); category.setSubCategories(subCategories); + Date date = new Date(); + category.setCreationDate(date); + category.setUpdateDate(date); + + categoryFull.setCreationDate(date); + categoryFull.setUpdateDate(date); + categoryDAO.save(category); categoryFull.setId(category.getId()); return categoryFull; } + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/{topicId}/save", method = RequestMethod.POST) public Category saveCategory(@PathVariable("stakeholderId") String stakeholderId, @PathVariable("topicId") String topicId, @@ -67,6 +76,13 @@ public class CategoryController { Stakeholder stakeholder = stakeholderDAO.findById(stakeholderId); if(stakeholder != null) { + + List roles = rolesUtils.getRoles(); + if(!rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("Save Category: You are not authorized to update stakeholder with id: "+stakeholderId); + } + Category oldCategory = null; if(categoryFull.getId() != null) { oldCategory = categoryDAO.findById(categoryFull.getId()); @@ -75,8 +91,17 @@ public class CategoryController { Topic topic = topicDAO.findById(topicId); if(topic != null) { if(stakeholder.getTopics().contains(topicId)) { + Category category = new Category<>(categoryFull); + + Date date = new Date(); + category.setUpdateDate(date); + categoryFull.setUpdateDate(date); + // if category not exists (no id), create a new default subcategory, identical to category if(categoryFull.getId() == null) { + category.setCreationDate(date); + categoryFull.setCreationDate(date); + SubCategory subCategory = new SubCategory<>(); subCategory.createOverviewSubCategory(categoryFull); 
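Review bot: On the update path the stored creationDate is not restored — `category` is copied from the client payload and the hunk sets creationDate only in the `categoryFull.getId() == null` branch, so for an existing category the timestamp that gets persisted is whatever the request body carried (if the copy constructor copies it), not the server-assigned one. `oldCategory` is already loaded a few lines above, so the new-category branch can get an else: `} else if (oldCategory != null) { category.setCreationDate(oldCategory.getCreationDate()); categoryFull.setCreationDate(oldCategory.getCreationDate()); }`. saveIndicator in IndicatorController (`indicator.setCreationDate(date)` only in the new-indicator else) and saveSection in SectionController have the same gap, with oldIndicator and oldSection available there. saveCategory continues outside the hunk.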
@@ -85,23 +110,22 @@ public class CategoryController { subCategories.add(subCategory); } - - Category category = new Category<>(categoryFull); - List subCategories = new ArrayList<>(); for(SubCategory subCategory : categoryFull.getSubCategories()) { subCategories.add(subCategory.getId()); } category.setSubCategories(subCategories); - categoryDAO.save(category); - if(stakeholder.getDefaultId() == null) { if(categoryFull.getId() == null) { + categoryDAO.save(category); onSaveDefaultCategory(category, topicId); } else { onUpdateDefaultCategory(category, oldCategory); + categoryDAO.save(category); } + } else { + categoryDAO.save(category); } List categories = topic.getCategories(); @@ -178,10 +202,12 @@ public class CategoryController { // categoryBasedOnDefault.setName(category.getName()); // categoryBasedOnDefault.setDescription(category.getDescription()); + categoryBasedOnDefault.setUpdateDate(category.getUpdateDate()); categoryDAO.save(categoryBasedOnDefault); } } + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/delete", method = RequestMethod.DELETE) public boolean deleteCategory(@PathVariable("stakeholderId") String stakeholderId, @PathVariable("topicId") String topicId, @@ -194,6 +220,12 @@ public class CategoryController { if(stakeholder != null) { + List roles = rolesUtils.getRoles(); + if(!rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("Delete category: You are not authorized to update stakeholder with id: "+stakeholderId); + } + Topic topic = topicDAO.findById(topicId); if(topic != null) { if(stakeholder.getTopics().contains(topicId)) { 
@@ -201,6 +233,12 @@ public class CategoryController { Category category = categoryDAO.findById(categoryId); if(category != null) { + if(category.getDefaultId() != null && !rolesUtils.hasCreateAndDeleteAuthority(roles, stakeholder.getType())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("Delete category: You are not authorized to delete a default Category in stakeholder with id: "+stakeholderId); + } + + List categories = topic.getCategories(); int index = categories.indexOf(categoryId); if(index != -1) { @@ -321,6 +359,7 @@ public class CategoryController { return true; } + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/{topicId}/reorder", method = RequestMethod.POST) public List reorderCategories(@PathVariable("stakeholderId") String stakeholderId, @PathVariable("topicId") String topicId, 
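Review bot: The new create/delete-authority check only fires for a category that is itself derived from a default (`category.getDefaultId() != null`); deleting a category inside the default profile, which presumably cascades to the derived profiles the way onSaveDefaultCategory does on the save path, stays guarded by hasUpdateAuthority alone. If that asymmetry is intended, a comment on the condition such as `// only a default-derived category needs create/delete authority; default-profile deletes rely on update authority` would make it explicit, otherwise the condition should also cover `stakeholder.getDefaultId() == null`. deleteIndicator and deleteSection in this diff have the same shape, and `roles` used here is declared in the previous hunk. deleteCategory continues outside the hunk, and the two consecutive blank `+` lines after the check can be reduced to one.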
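Review bot: `@PreAuthorize("isAuthenticated()")` on reorderCategories only requires a session; the stakeholder-level hasUpdateAuthority check this commit adds to checkForExceptions protects it only if the body of reorderCategories, which lies outside the hunk, actually calls checkForExceptions. If it does not, the same roles check used in saveCategory should be added after the stakeholder lookup there. reorderIndicators and reorderSections in this diff are in the same position.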
@@ -342,42 +381,63 @@ public class CategoryController { return categoriesFull; } - @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/toggle-status", method = RequestMethod.POST) - public Boolean toggleCategoryStatus(@PathVariable("stakeholderId") String stakeholderId, - @PathVariable("topicId") String topicId, - @PathVariable("categoryId") String categoryId) { - log.debug("toggle category status (isActive)"); +// @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/toggle-status", method = RequestMethod.POST) +// public Boolean toggleCategoryStatus(@PathVariable("stakeholderId") String stakeholderId, +// @PathVariable("topicId") String topicId, +// @PathVariable("categoryId") String categoryId) { +// log.debug("toggle category status (isActive)"); +// log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId + " - Category: "+categoryId); +// +// Category category = categoryDAO.findById(categoryId); +// if (category == null) { +// // EXCEPTION - Category not found +// throw new EntityNotFoundException("Toggle category status: Category with id: "+categoryId+" not found"); +// } +// category.setIsActive(!category.getIsActive()); +// +// this.toggleCategory(stakeholderId, topicId, category); +// +// return category.getIsActive(); +// } +// +// @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/toggle-access", method = RequestMethod.POST) +// public Boolean toggleCategoryAccess(@PathVariable("stakeholderId") String stakeholderId, +// @PathVariable("topicId") String topicId, +// @PathVariable("categoryId") String categoryId) { +// log.debug("toggle category access (isPublic)"); +// log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId + " - Category: "+categoryId); +// +// Category category = categoryDAO.findById(categoryId); +// if (category == null) { +// // EXCEPTION - Category not found +// throw new EntityNotFoundException("Toggle category access: Category with id: "+categoryId+" not found"); +// } +// 
category.setIsPublic(!category.getIsPublic()); +// +// this.toggleCategory(stakeholderId, topicId, category); +// +// return category.getIsPublic(); +// } + + @PreAuthorize("isAuthenticated()") + @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/change-visibility", method = RequestMethod.POST) + public Visibility changeCategoryVisibility(@PathVariable("stakeholderId") String stakeholderId, + @PathVariable("topicId") String topicId, + @PathVariable("categoryId") String categoryId, + @RequestParam("visibility") Visibility visibility) { + log.debug("change category visibility: "+visibility); log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId + " - Category: "+categoryId); Category category = categoryDAO.findById(categoryId); if (category == null) { // EXCEPTION - Category not found - throw new EntityNotFoundException("Toggle category status: Category with id: "+categoryId+" not found"); + throw new EntityNotFoundException("Change topic visibility: Category with id: "+categoryId+" not found"); } - category.setIsActive(!category.getIsActive()); + category.setVisibility(visibility); this.toggleCategory(stakeholderId, topicId, category); - return category.getIsActive(); - } - - @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/toggle-access", method = RequestMethod.POST) - public Boolean toggleCategoryAccess(@PathVariable("stakeholderId") String stakeholderId, - @PathVariable("topicId") String topicId, - @PathVariable("categoryId") String categoryId) { - log.debug("toggle category access (isPublic)"); - log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId + " - Category: "+categoryId); - - Category category = categoryDAO.findById(categoryId); - if (category == null) { - // EXCEPTION - Category not found - throw new EntityNotFoundException("Toggle category access: Category with id: "+categoryId+" not found"); - } - category.setIsPublic(!category.getIsPublic()); - - this.toggleCategory(stakeholderId, topicId, category); - 
- return category.getIsPublic(); + return category.getVisibility(); } public void toggleCategory(String stakeholderId, String topicId, Category category) { @@ -385,6 +445,12 @@ public class CategoryController { if (stakeholder != null) { + List roles = rolesUtils.getRoles(); + if(!rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("Toggle category: You are not authorized to update stakeholder with id: "+stakeholderId); + } + Topic topic = topicDAO.findById(topicId); if (topic != null) { if (stakeholder.getTopics().contains(topicId)) { @@ -419,6 +485,12 @@ public class CategoryController { throw new EntityNotFoundException("checkForExceptions category: Stakeholder with id: " + stakeholderId + " not found"); } + List roles = rolesUtils.getRoles(); + if(!rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("checkForExceptions category: You are not authorized to update stakeholder with id: "+stakeholderId); + } + Topic topic = topicDAO.findById(topicId); if(topic == null) { // EXCEPTION - Topic not found diff --git a/src/main/java/eu/dnetlib/uoamonitorservice/controllers/IndicatorController.java b/src/main/java/eu/dnetlib/uoamonitorservice/controllers/IndicatorController.java index 380e308..6c718a2 100644 --- a/src/main/java/eu/dnetlib/uoamonitorservice/controllers/IndicatorController.java +++ b/src/main/java/eu/dnetlib/uoamonitorservice/controllers/IndicatorController.java 
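Review bot: The not-found message in changeCategoryVisibility says `"Change topic visibility: Category with id: ..."`; it should read `"Change category visibility: ..."` to match the method and the log line above it (the indicator counterpart already says "Change indicator visibility"). The visibility is also applied to `category` before toggleCategory runs the authorization check; as long as the entity is persisted only inside toggleCategory this is harmless, but running the checks before mutating would make the order obvious. The two replaced endpoints are kept as roughly forty commented-out lines here and again in IndicatorController; version control keeps that history, so they can be deleted.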
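Review bot: The same four-line hasUpdateAuthority block is copy-pasted into saveCategory, deleteCategory, toggleCategory and this checkForExceptions, and again into the checkForExceptions of IndicatorController and SectionController in this diff, with only the message prefix differing; a single helper on RolesUtils along the lines of `rolesUtils.requireUpdateAuthority(stakeholder, "checkForExceptions category")` that throws the AccessDeniedException would keep the check in one place so new endpoints cannot omit it or drift. Separately, if checkForExceptions is also reached from a read-only endpoint outside this diff, that endpoint now requires update authority, which is worth confirming. checkForExceptions continues outside the hunk.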
@@ -5,8 +5,11 @@ import eu.dnetlib.uoamonitorservice.dao.*; import eu.dnetlib.uoamonitorservice.entities.*; import eu.dnetlib.uoamonitorservice.handlers.EntityNotFoundException; import eu.dnetlib.uoamonitorservice.handlers.PathNotValidException; +import eu.dnetlib.uoamonitorservice.handlers.utils.RolesUtils; import org.apache.log4j.Logger; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.access.AccessDeniedException; +import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.web.bind.annotation.*; import java.io.UnsupportedEncodingException; @@ -18,6 +21,9 @@ import java.util.*; public class IndicatorController { private final Logger log = Logger.getLogger(this.getClass()); + @Autowired + private RolesUtils rolesUtils; + @Autowired private StakeholderDAO stakeholderDAO; @@ -37,6 +43,7 @@ public class IndicatorController { private IndicatorDAO indicatorDAO; + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/{sectionId}/save", method = RequestMethod.POST) public Indicator saveIndicator(@PathVariable("stakeholderId") String stakeholderId, @PathVariable("topicId") String topicId, 
@@ -49,23 +56,31 @@ public class IndicatorController { Section section = checkForExceptions(stakeholderId, topicId, categoryId, subcategoryId, sectionId, indicator.getType()); + Date date = new Date(); + indicator.setUpdateDate(date); + Indicator oldIndicator = null; if(indicator.getId() != null) { oldIndicator = indicatorDAO.findById(indicator.getId()); + } else { // indicator does not exist in DB + indicator.setCreationDate(date); } String indicatorId = indicator.getId(); - indicatorDAO.save(indicator); Stakeholder stakeholder = stakeholderDAO.findById(stakeholderId); // this indicator belongs in default profile and it is new or it is updated if(stakeholder.getDefaultId() == null) { if(indicatorId == null) { + indicatorDAO.save(indicator); onSaveDefaultIndicator(indicator, sectionId); } else { onUpdateDefaultIndicator(indicator, stakeholder, oldIndicator); + indicatorDAO.save(indicator); } + } else { + indicatorDAO.save(indicator); } List indicators = section.getIndicators(); @@ -86,7 +101,7 @@ public class IndicatorController { // new indicator in default profile - add it on profiles of the same type List
sections = sectionDAO.findByDefaultId(defaultSectionId); - for (Section section : sections) { + for (Section section : sections) { Indicator indicatorNew = new Indicator(); indicatorNew.copyFromDefault(indicator); for (IndicatorPath indicatorPath : indicatorNew.getIndicatorPaths()) { @@ -108,10 +123,12 @@ public class IndicatorController { // indicator already exists - check if changed and update all indicators based on it - boolean changed = false; + boolean changed; List indicators = indicatorDAO.findByDefaultId(indicator.getId()); for(Indicator indicatorBasedOnDefault : indicators) { + changed = false; + if(indicator.getName() != null && !indicator.getName().equals(indicatorBasedOnDefault.getName()) && (oldIndicator.getName() == null || oldIndicator.getName().equals(indicatorBasedOnDefault.getName()))) { 
@@ -119,18 +136,30 @@ public class IndicatorController { changed = true; } - if(indicator.getDescription() != null && !indicator.getDescription().equals(indicatorBasedOnDefault.getDescription()) - && (oldIndicator.getDescription() == null || oldIndicator.getDescription().equals(indicatorBasedOnDefault.getDescription()))) { + if(indicator.getDescription() != null && !indicator.getDescription().equals(indicatorBasedOnDefault.getDescription())) { indicatorBasedOnDefault.setDescription(indicator.getDescription()); changed = true; } + if(indicator.getAdditionalDescription() != null && !indicator.getAdditionalDescription().equals(indicatorBasedOnDefault.getAdditionalDescription()) + && (oldIndicator.getAdditionalDescription() == null || oldIndicator.getAdditionalDescription().equals(indicatorBasedOnDefault.getAdditionalDescription()))) { + + indicatorBasedOnDefault.setAdditionalDescription(indicator.getAdditionalDescription()); + changed = true; + } + int i = 0; List indicatorPaths = indicatorBasedOnDefault.getIndicatorPaths(); + if(indicatorPaths == null && indicator.getIndicatorPaths() != null) { + indicatorPaths = new ArrayList<>(); + } for (IndicatorPath indicatorPath : indicator.getIndicatorPaths()) { - IndicatorPath indicatorPathBasedOnDefault = indicatorBasedOnDefault.getIndicatorPaths().get(i); + IndicatorPath indicatorPathBasedOnDefault = null; + if(i < indicatorPaths.size()) { + indicatorPathBasedOnDefault = indicatorPaths.get(i); + } if(indicatorPathBasedOnDefault == null) { // Add new indicator path in existing indicators 
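Review bot: The rewritten description check drops the `oldIndicator.getDescription()` guard that the name and additionalDescription checks in the same hunk keep, so a description a derived profile had customized is now overwritten whenever the default's description changes; if that is intended a comment saying so would help, otherwise restore `&& (oldIndicator.getDescription() == null || oldIndicator.getDescription().equals(indicatorBasedOnDefault.getDescription()))`. Separately, when `indicatorPaths` is null the new `ArrayList` is assigned only to the local, not to `indicatorBasedOnDefault`, so the "add new indicator path" branch below the hunk presumably still sees a null list; attaching the fresh list to the entity right after creating it (if the entity exposes a setter for its paths) would close that. The enclosing loop continues outside the hunk.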
@@ -142,7 +171,7 @@ public class IndicatorController { IndicatorPath oldIndicatorPath = oldIndicator.getIndicatorPaths().get(i); // Check if there are changes in indicator path and update existing indicators if needed - log.debug("update indicator path: "+i); + log.debug("update indicator path: "+i + " (indicator id: "+indicatorBasedOnDefault.getId()+")"); if(indicatorPath.getType() != null && !indicatorPath.getType().equals(indicatorPathBasedOnDefault.getType()) @@ -189,7 +218,7 @@ public class IndicatorController { for (Map.Entry parameter : indicatorPath.getParameters().entrySet()) { log.debug("\nindicatorPath: parameter.getKey(): "+parameter.getKey()+" - value: "+parameter.getValue() +"\nindicatorPathBasedOnDefault:parameters:key: "+ indicatorPathBasedOnDefault.getParameters().get(parameter.getKey()) - +"\noldIndicatorPath:parameters:key: "+ oldIndicatorPath.getParameters().get(parameter.getKey())); + +"\noldIndicatorPath:parameters:key: "+ (oldIndicatorPath.getParameters() == null ? "null" : oldIndicatorPath.getParameters().get(parameter.getKey()))); if (!indicatorPathBasedOnDefault.getParameters().containsKey(parameter.getKey()) || (oldIndicatorPath.getParameters() == null || (oldIndicatorPath.getParameters().get(parameter.getKey()).equals(indicatorPathBasedOnDefault.getParameters().get(parameter.getKey())) 
@@ -203,43 +232,82 @@ public class IndicatorController { // changed = true; // } } - parameterMapping(indicatorPathBasedOnDefault, stakeholder); + // TODO when deleting indicator path parameters... ??? + parameterMapping(indicatorPathBasedOnDefault, stakeholder); //} - log.debug("After parameters check: " + changed); } + log.debug("After parameters check: " + changed); if(indicatorPath.getJsonPath() != null) { - int j = 0; - for (String jsonString : indicatorPath.getJsonPath()) { - log.debug("indicatorPath.getJsonPath(): " + jsonString); - String jsonStringBasedOnDefault = null; - if(indicatorPathBasedOnDefault.getJsonPath() != null ) { - jsonStringBasedOnDefault = indicatorPathBasedOnDefault.getJsonPath().get(j); - } else { + boolean jsonPathChanged = false; + boolean breaked = false; + + int oldJsonPathSize = 0; + if(oldIndicatorPath.getJsonPath() != null) { + oldJsonPathSize = oldIndicatorPath.getJsonPath().size(); + } + int basedOnDefaultJsonPathSize = 0; + if(indicatorPathBasedOnDefault.getJsonPath() != null) { + basedOnDefaultJsonPathSize = indicatorPathBasedOnDefault.getJsonPath().size(); + } + log.debug("old: "+oldJsonPathSize+" - based on default: "+basedOnDefaultJsonPathSize+" - new: "+indicatorPath.getJsonPath().size()); + if(oldJsonPathSize == basedOnDefaultJsonPathSize) { + if(indicatorPathBasedOnDefault.getJsonPath() == null && indicatorPath.getJsonPath().size() > 0) { indicatorPathBasedOnDefault.setJsonPath(new ArrayList<>()); } - log.debug("indicatorPathBasedOnDefault.getJsonPath().get(" + j + "): " + jsonStringBasedOnDefault); - if (!jsonString.equals(jsonStringBasedOnDefault) - && (oldIndicatorPath.getJsonPath() == null - || oldIndicatorPath.getJsonPath().get(i).equals(jsonStringBasedOnDefault)) - ) { - indicatorPathBasedOnDefault.getJsonPath().set(j, jsonString); + int basedOnDefaultIndex = 0; + int oldIndex = 0; + + Iterator jsonStringBasedOnDefaultIterator = indicatorPathBasedOnDefault.getJsonPath().iterator(); + while 
(jsonStringBasedOnDefaultIterator.hasNext()) { + String jsonStringBasedOnDefault = jsonStringBasedOnDefaultIterator.next(); + if(oldIndicatorPath.getJsonPath().get(oldIndex).equals(jsonStringBasedOnDefault)) { + if(basedOnDefaultIndex >= indicatorPath.getJsonPath().size()) { // string deleted + jsonStringBasedOnDefaultIterator.remove(); + jsonPathChanged = true; + } else { // check if string changed + if(!indicatorPath.getJsonPath().get(basedOnDefaultIndex).equals(jsonStringBasedOnDefault)) { + indicatorPathBasedOnDefault.getJsonPath().set(basedOnDefaultIndex, indicatorPath.getJsonPath().get(basedOnDefaultIndex)); + jsonPathChanged = true; + } + basedOnDefaultIndex++; + } + oldIndex++; + } else { + breaked = true; + jsonPathChanged = false; + log.debug("not the same: "+oldIndex); + break; + } + } + + int index=0; + if(!breaked && indicatorPath.getJsonPath().size() > indicatorPathBasedOnDefault.getJsonPath().size()) { // strings added + jsonPathChanged = true; + for(index=indicatorPathBasedOnDefault.getJsonPath().size(); index < indicatorPath.getJsonPath().size(); index++) { + indicatorPathBasedOnDefault.getJsonPath().add(indicatorPath.getJsonPath().get(index)); + } + } + + if(jsonPathChanged) { changed = true; } - j++; } - log.debug("After jsonPath check: " + changed); + // TODO when deleting indicator path json path strings... } + log.debug("After jsonPath check: " + changed); } i++; } + // TODO when deleting indicator paths... if(!changed) { // break; continue; } + indicatorBasedOnDefault.setUpdateDate(indicator.getUpdateDate()); indicatorDAO.save(indicatorBasedOnDefault); } } @@ -299,6 +367,7 @@ public class IndicatorController { return indicatorPathField; } + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/{sectionId}/{indicatorId}/delete", method = RequestMethod.DELETE) public boolean deleteIndicator(@PathVariable("stakeholderId") String stakeholderId, @PathVariable("topicId") String topicId, 
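Review bot: The jsonPath sync mutates `indicatorPathBasedOnDefault.getJsonPath()` in place (`set` and `iterator.remove()`) while it walks the list, and on the first mismatch sets `jsonPathChanged = false` and breaks, so the entries already rewritten stay modified: a derived indicator that customized a later entry is left half-synced, and whether that half-sync reaches the database depends on `changed` being set by an unrelated field. There is also a null dereference: when both sizes are 0, the new json path is empty and the derived path's list is null, the `new ArrayList<>()` guard is skipped and `.iterator()` is called on null. Comparing the derived list against the old default first and only then replacing its contents with the new list gives the same result in the all-match case without either problem; the size-mismatch branch is left as the TODO it is. The enclosing loop over the indicator paths continues outside the hunk.
```java
// … unchanged: oldJsonPathSize / basedOnDefaultJsonPathSize bookkeeping and debug log …
if(oldJsonPathSize == basedOnDefaultJsonPathSize) {
    if(indicatorPathBasedOnDefault.getJsonPath() == null) {
        indicatorPathBasedOnDefault.setJsonPath(new ArrayList<>());
    }
    List<String> newJsonPath = indicatorPath.getJsonPath();
    List<String> basedOnDefaultJsonPath = indicatorPathBasedOnDefault.getJsonPath();

    // Decide before touching anything: the derived copy is only synced when it
    // still equals the old default, so a customized copy is left intact as a whole.
    boolean matchesOld = true;
    for(int k = 0; k < basedOnDefaultJsonPathSize && matchesOld; k++) {
        matchesOld = oldIndicatorPath.getJsonPath().get(k).equals(basedOnDefaultJsonPath.get(k));
    }
    if(matchesOld && !newJsonPath.equals(basedOnDefaultJsonPath)) {
        basedOnDefaultJsonPath.clear();
        basedOnDefaultJsonPath.addAll(newJsonPath);
        changed = true;
    } else if(!matchesOld) {
        log.debug("json path customized in indicator " + indicatorBasedOnDefault.getId() + " - not updated");
    }
}
// … unchanged: size-mismatch TODO and "After jsonPath check" log …
```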
@@ -314,6 +383,13 @@ public class IndicatorController { if(indicator != null) { Section section = checkForExceptions(stakeholderId, topicId, categoryId, subcategoryId, sectionId, indicator.getType()); + Stakeholder stakeholder = stakeholderDAO.findById(stakeholderId); + List roles = rolesUtils.getRoles(); + if(indicator.getDefaultId() != null && !rolesUtils.hasCreateAndDeleteAuthority(roles, stakeholder.getType())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("Delete indicator: You are not authorized to delete a default Indicator in stakeholder with id: "+stakeholderId); + } + List indicators = section.getIndicators(); int index = indicators.indexOf(indicatorId); @@ -484,6 +560,7 @@ public class IndicatorController { // return true; // } + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/{sectionId}/{type}/reorder", method = RequestMethod.POST) public List reorderIndicators(@PathVariable("stakeholderId") String stakeholderId, @PathVariable("topicId") String topicId, 
@@ -509,48 +586,72 @@ public class IndicatorController { return indicatorsFull; } - @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/{sectionId}/{indicatorId}/toggle-status", method = RequestMethod.POST) - public Boolean toggleIndicatorStatus(@PathVariable("stakeholderId") String stakeholderId, - @PathVariable("topicId") String topicId, - @PathVariable("categoryId") String categoryId, - @PathVariable("subcategoryId") String subcategoryId, - @PathVariable("sectionId") String sectionId, - @PathVariable("indicatorId") String indicatorId) { - log.debug("toggle indicator status (isActive)"); +// @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/{sectionId}/{indicatorId}/toggle-status", method = RequestMethod.POST) +// public Boolean toggleIndicatorStatus(@PathVariable("stakeholderId") String stakeholderId, +// @PathVariable("topicId") String topicId, +// @PathVariable("categoryId") String categoryId, +// @PathVariable("subcategoryId") String subcategoryId, +// @PathVariable("sectionId") String sectionId, +// @PathVariable("indicatorId") String indicatorId) { +// log.debug("toggle indicator status (isActive)"); +// log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId + " - Category: "+categoryId+ " - SubCategory: "+subcategoryId + " - Section: "+sectionId+ " - Indicator: "+indicatorId); +// +// Indicator indicator = indicatorDAO.findById(indicatorId); +// if (indicator == null) { +// // EXCEPTION - Indicator not found +// throw new EntityNotFoundException("Toggle indicator status: Indicator with id: "+indicatorId+" not found"); +// } +// indicator.setIsActive(!indicator.getIsActive()); +// +// this.toggleIndicator(stakeholderId, topicId, categoryId, subcategoryId, sectionId, indicator); +// +// return indicator.getIsActive(); +// } +// +// @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/{sectionId}/{indicatorId}/toggle-access", method = RequestMethod.POST) +// public 
Boolean toggleIndicatorAccess(@PathVariable("stakeholderId") String stakeholderId, +// @PathVariable("topicId") String topicId, +// @PathVariable("categoryId") String categoryId, +// @PathVariable("subcategoryId") String subcategoryId, +// @PathVariable("sectionId") String sectionId, +// @PathVariable("indicatorId") String indicatorId) { +// log.debug("toggle indicator access (isPublic)"); +// log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId + " - Category: "+categoryId+ " - SubCategory: "+subcategoryId + " - Section: "+sectionId+ " - Indicator: "+indicatorId); +// +// Indicator indicator = indicatorDAO.findById(indicatorId); +// if (indicator == null) { +// // EXCEPTION - Indicator not found +// throw new EntityNotFoundException("Toggle indicator access: Indicator with id: "+indicatorId+" not found"); +// } +// indicator.setIsPublic(!indicator.getIsPublic()); +// +// this.toggleIndicator(stakeholderId, topicId, categoryId, subcategoryId, sectionId, indicator); +// +// return indicator.getIsPublic(); +// } + + @PreAuthorize("isAuthenticated()") + @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/{sectionId}/{indicatorId}/change-visibility", method = RequestMethod.POST) + public Visibility changeTopicVisibility(@PathVariable("stakeholderId") String stakeholderId, + @PathVariable("topicId") String topicId, + @PathVariable("categoryId") String categoryId, + @PathVariable("subcategoryId") String subcategoryId, + @PathVariable("sectionId") String sectionId, + @PathVariable("indicatorId") String indicatorId, + @RequestParam("visibility") Visibility visibility) { + log.debug("change indicator visibility: "+visibility); log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId + " - Category: "+categoryId+ " - SubCategory: "+subcategoryId + " - Section: "+sectionId+ " - Indicator: "+indicatorId); Indicator indicator = indicatorDAO.findById(indicatorId); if (indicator == null) { // EXCEPTION - Indicator not found - throw new 
EntityNotFoundException("Toggle indicator status: Indicator with id: "+indicatorId+" not found"); + throw new EntityNotFoundException("Change indicator visibility: Indicator with id: "+indicatorId+" not found"); } - indicator.setIsActive(!indicator.getIsActive()); + indicator.setVisibility(visibility); this.toggleIndicator(stakeholderId, topicId, categoryId, subcategoryId, sectionId, indicator); - return indicator.getIsActive(); - } - - @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/{sectionId}/{indicatorId}/toggle-access", method = RequestMethod.POST) - public Boolean toggleIndicatorAccess(@PathVariable("stakeholderId") String stakeholderId, - @PathVariable("topicId") String topicId, - @PathVariable("categoryId") String categoryId, - @PathVariable("subcategoryId") String subcategoryId, - @PathVariable("sectionId") String sectionId, - @PathVariable("indicatorId") String indicatorId) { - log.debug("toggle indicator access (isPublic)"); - log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId + " - Category: "+categoryId+ " - SubCategory: "+subcategoryId + " - Section: "+sectionId+ " - Indicator: "+indicatorId); - - Indicator indicator = indicatorDAO.findById(indicatorId); - if (indicator == null) { - // EXCEPTION - Indicator not found - throw new EntityNotFoundException("Toggle indicator access: Indicator with id: "+indicatorId+" not found"); - } - indicator.setIsPublic(!indicator.getIsPublic()); - - this.toggleIndicator(stakeholderId, topicId, categoryId, subcategoryId, sectionId, indicator); - - return indicator.getIsPublic(); + return indicator.getVisibility(); } public void toggleIndicator(String stakeholderId, String topicId, String categoryId, String subcategoryId, String sectionId, Indicator indicator) { 
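Review bot: The new endpoint in IndicatorController is named `changeTopicVisibility` although it changes an indicator's visibility (its own log line says "change indicator visibility" and the mapping ends in `/{indicatorId}/change-visibility`); rename it to `changeIndicatorVisibility` to match changeCategoryVisibility in CategoryController. As in the category version, `indicator.setVisibility(visibility)` is applied before toggleIndicator performs the authorization check, which is only safe as long as the entity is persisted exclusively inside toggleIndicator. toggleIndicator itself starts at the end of the hunk and continues outside it.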
@@ -576,6 +677,12 @@ public class IndicatorController { throw new EntityNotFoundException("Save indicator: Stakeholder with id: " + stakeholderId + " not found"); } + List roles = rolesUtils.getRoles(); + if(!rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("CheckForExceptions Indicator: You are not authorized to update stakeholder with id: "+stakeholderId); + } + Topic topic = topicDAO.findById(topicId); if(topic == null) { // EXCEPTION - Topic not found diff --git a/src/main/java/eu/dnetlib/uoamonitorservice/controllers/SectionController.java b/src/main/java/eu/dnetlib/uoamonitorservice/controllers/SectionController.java index 8661148..b02f7a3 100644 --- a/src/main/java/eu/dnetlib/uoamonitorservice/controllers/SectionController.java +++ b/src/main/java/eu/dnetlib/uoamonitorservice/controllers/SectionController.java @@ -4,11 +4,15 @@ import eu.dnetlib.uoamonitorservice.dao.*; import eu.dnetlib.uoamonitorservice.entities.*; import eu.dnetlib.uoamonitorservice.handlers.EntityNotFoundException; import eu.dnetlib.uoamonitorservice.handlers.PathNotValidException; +import eu.dnetlib.uoamonitorservice.handlers.utils.RolesUtils; import org.apache.log4j.Logger; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.access.AccessDeniedException; +import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.web.bind.annotation.*; import java.util.ArrayList; +import java.util.Date; import java.util.Iterator; import java.util.List; @@ -17,6 +21,9 @@ import java.util.List; public class SectionController { private final Logger log = Logger.getLogger(this.getClass()); + @Autowired + private RolesUtils rolesUtils; + @Autowired private StakeholderDAO stakeholderDAO; 
@@ -52,12 +59,20 @@ public class SectionController { sectionFull.setIndicators(indicatorsFull); section.setIndicators(indicators); + Date date = new Date(); + section.setCreationDate(date); + section.setUpdateDate(date); + + sectionFull.setCreationDate(date); + sectionFull.setUpdateDate(date); + sectionDAO.save(section); sectionFull.setId(section.getId()); return sectionFull; } + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/save/{index}", method = RequestMethod.POST) public Section saveSection(@PathVariable("stakeholderId") String stakeholderId, @PathVariable("topicId") String topicId, @@ -70,30 +85,40 @@ public class SectionController { SubCategory subCategory = checkForExceptions(stakeholderId, topicId, categoryId, subcategoryId); + Section section = new Section<>(sectionFull); + + Date date = new Date(); + section.setUpdateDate(date); + sectionFull.setUpdateDate(date); + Section oldSection = null; if(sectionFull.getId() != null) { oldSection = sectionDAO.findById(sectionFull.getId()); + } else { // section does not exist in DB + section.setCreationDate(date); + sectionFull.setCreationDate(date); } - Section section = new Section<>(sectionFull); - String sectionId = sectionFull.getId(); List indicators = new ArrayList<>(); for(Indicator indicator : sectionFull.getIndicators()) { indicators.add(indicator.getId()); } section.setIndicators(indicators); - sectionDAO.save(section); Stakeholder stakeholder = stakeholderDAO.findById(stakeholderId); // this section belongs in default profile and it is new or it is updated if(stakeholder.getDefaultId() == null) { if(sectionId == null) { + sectionDAO.save(section); onSaveDefaultSection(section, topicId, categoryId, subcategoryId, stakeholder); } else { onUpdateDefaultSection(section, stakeholder, oldSection); + sectionDAO.save(section); } + } else { + sectionDAO.save(section); } List sections = null; 
@@ -174,10 +199,12 @@ public class SectionController { } // sectionBasedOnDefault.setTitle(section.getTitle()); + sectionBasedOnDefault.setUpdateDate(section.getUpdateDate()); sectionDAO.save(sectionBasedOnDefault); } } + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/{sectionId}/delete", method = RequestMethod.DELETE) public boolean deleteSection(@PathVariable("stakeholderId") String stakeholderId, @PathVariable("topicId") String topicId, @@ -192,6 +219,13 @@ public class SectionController { if(section != null) { SubCategory subCategory = checkForExceptions(stakeholderId, topicId, categoryId, subcategoryId); + Stakeholder stakeholder = stakeholderDAO.findById(stakeholderId); + List roles = rolesUtils.getRoles(); + if(section.getDefaultId() != null && !rolesUtils.hasCreateAndDeleteAuthority(roles, stakeholder.getType())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("Delete section: You are not authorized to delete a default Section in stakeholder with id: "+stakeholderId); + } + String type = ""; List sections = null; if (section.getType().equals("chart")) { @@ -273,6 +307,7 @@ public class SectionController { return true; } + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/{type}/reorder", method = RequestMethod.POST) public List
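Review bot: In the deleteSection hunk the `section.getDefaultId() != null` gate only decides who may delete a template-derived section; nothing visible binds `sectionId` to `subCategory`, so a membership test such as `if (!subCategory.getCharts().contains(sectionId) && !subCategory.getNumbers().contains(sectionId)) throw new PathNotValidException(...)` belongs before any deletion, unless the index lookup that follows the hunk already rejects `-1`. The second `stakeholderDAO.findById(stakeholderId)` repeats a read checkForExceptions just made; returning the stakeholder from that helper, or passing it back alongside the SubCategory, avoids the duplicate. The message "delete a default Section" describes a section derived from a default (`defaultId != null`), not the default itself; `"...not authorized to delete a Section inherited from the default profile..."` says what is actually blocked. deleteSection continues past the end of the hunk.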
reorderSections(@PathVariable("stakeholderId") String stakeholderId, @PathVariable("topicId") String topicId, @@ -343,6 +378,7 @@ public class SectionController { // return section.getIsPublic(); // } + public void toggleSection(String stakeholderId, String topicId, String categoryId, String subcategoryId, Section section) { SubCategory subCategory = checkForExceptions(stakeholderId, topicId, categoryId, subcategoryId); @@ -372,6 +408,12 @@ public class SectionController { throw new EntityNotFoundException("Save indicator: Stakeholder with id: " + stakeholderId + " not found"); } + List roles = rolesUtils.getRoles(); + if(!rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("CheckForExceptions Section: You are not authorized to update stakeholder with id: "+stakeholderId); + } + Topic topic = topicDAO.findById(topicId); if(topic == null) { // EXCEPTION - Topic not found diff --git a/src/main/java/eu/dnetlib/uoamonitorservice/controllers/StakeholderController.java b/src/main/java/eu/dnetlib/uoamonitorservice/controllers/StakeholderController.java index f6b1ba5..dbdb6aa 100644 --- a/src/main/java/eu/dnetlib/uoamonitorservice/controllers/StakeholderController.java +++ b/src/main/java/eu/dnetlib/uoamonitorservice/controllers/StakeholderController.java 
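Review bot: checkForExceptions in SectionController now enforces authorization as a side effect, but neither its name nor a comment says so, and every mutating path in this controller (saveSection, deleteSection, reorderSections, toggleSection) relies on it. Add a header comment along the lines of `// Resolves the stakeholder/topic/category/subcategory path and throws AccessDeniedException when the caller lacks update authority on the stakeholder; all mutating endpoints depend on this.` Please also confirm that `rolesUtils.hasUpdateAuthority` returns false for a null or empty role list, since the predecessor logic left commented out in StakeholderController.setFullEntities (elsewhere in this diff) treated `roles == null` as full access. The method starts before and ends after this hunk.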
@@ -1,17 +1,19 @@ package eu.dnetlib.uoamonitorservice.controllers; -//import com.fasterxml.jackson.core.type.TypeReference; -//import com.fasterxml.jackson.databind.ObjectMapper; import eu.dnetlib.uoamonitorservice.dao.*; import eu.dnetlib.uoamonitorservice.entities.*; import eu.dnetlib.uoamonitorservice.handlers.EntityNotFoundException; -import eu.dnetlib.uoamonitorservice.handlers.PathNotValidException; +import eu.dnetlib.uoamonitorservice.handlers.utils.RolesUtils; import org.apache.log4j.Logger; import org.springframework.beans.factory.annotation.Autowired; + +import org.springframework.security.access.AccessDeniedException; +import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.web.bind.annotation.*; import java.util.ArrayList; import java.util.Date; +import java.util.Iterator; import java.util.List; @RestController @@ -19,6 +21,9 @@ import java.util.List; public class StakeholderController { private final Logger log = Logger.getLogger(this.getClass()); + @Autowired + private RolesUtils rolesUtils; + @Autowired private StakeholderDAO stakeholderDAO; @@ -40,6 +45,10 @@ public class StakeholderController { @Autowired private TopicController topicController; +// @PreAuthorize("isAuthenticated()") + @PreAuthorize("hasAnyAuthority(" + + "@AuthorizationService.PORTAL_ADMIN, " + + "@AuthorizationService.curator(#stakeholderFull.getType()))") @RequestMapping(value = "/build-stakeholder", method = RequestMethod.POST) public Stakeholder>>>> buildFullStakeholder(@RequestBody Stakeholder>>>> stakeholderFull) { log.debug("build stakeholder"); 
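Review bot: The new `@PreAuthorize` on buildFullStakeholder resolves `#stakeholderFull` by method parameter name, which Spring Security can only do when the class is compiled with `-parameters` or debug info, or when the parameter is annotated; otherwise the reference is null and `#stakeholderFull.getType()` fails at SpEL evaluation instead of denying cleanly. Annotating the parameter `@P("stakeholderFull") @RequestBody Stakeholder stakeholderFull` makes the binding explicit and independent of compiler flags. The expression also authorizes against the type the client claims in the body, which is only sound if the persisted stakeholder takes exactly that type, something the method body (outside this hunk) has to guarantee. The commented `// @PreAuthorize("isAuthenticated()")` line above it should be deleted rather than left as a dead annotation.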
@@ -70,7 +79,28 @@ public class StakeholderController { //return null; } - public Stakeholder setFullEntities(Stakeholder stakeholder) { + public Stakeholder setFullEntities(Stakeholder stakeholder, List roles) { + boolean addAll = false; + boolean addPublicAndRestricted = false; + +// if(roles == null +// || roles.contains(authorizationService.PORTAL_ADMIN) +// || roles.contains(authorizationService.curator(stakeholder.getType())) +// || roles.contains(authorizationService.manager(stakeholder.getType(), stakeholder.getAlias()))) { + if(rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias())) { + //if(visibility == null || visibility == (Visibility.PRIVATE)) { + addAll = true; + //} + //if(visibility == null || visibility == (Visibility.PRIVATE) || visibility == (Visibility.RESTRICTED)) { + addPublicAndRestricted = true; + //} +// } else if(roles != null && roles.contains(authorizationService.member(stakeholder.getType(), stakeholder.getAlias()))) { + } else if(rolesUtils.isMember(roles, stakeholder.getType(), stakeholder.getAlias())) { + //if(visibility == null || visibility == (Visibility.PRIVATE) || visibility == (Visibility.RESTRICTED)) { + addPublicAndRestricted = true; + //} + } + Stakeholder stakeholderFull = new Stakeholder<>(stakeholder); List topics = new ArrayList<>(); @@ -81,6 +111,12 @@ public class StakeholderController { // EXCEPTION - Topic not found throw new EntityNotFoundException("Get stakeholder: Topic with id: "+topicId+" not found (topic exists in stakeholder: "+stakeholder.getId()+")"); } + + if((!addAll && topic.getVisibility() == Visibility.PRIVATE) + || (!addPublicAndRestricted && topic.getVisibility() == Visibility.RESTRICTED)) { + continue; + } + Topic topicFull = new Topic(topic); List categories = new ArrayList<>(); 
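Review bot: `rolesUtils.hasUpdateAuthority(roles, ...)` in setFullEntities replaces a condition, still visible commented out just above it, whose first clause was `roles == null ||`, i.e. a missing role list granted `addAll`; whether the helper keeps that fail-open behaviour is not visible here, and setFullEntities is reached from the alias lookup in this same file, whose signature (outside this diff) shows no `@PreAuthorize`. Please confirm `hasUpdateAuthority(null, ...)` and `isMember(null, ...)` return false, and document the tiers on the flags: `// addAll: PRIVATE+RESTRICTED+PUBLIC (admin/curator/manager); addPublicAndRestricted: RESTRICTED+PUBLIC (member); otherwise PUBLIC only`. Once that is settled the commented-out predecessor block can be removed. setFullEntities continues past the end of this hunk.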
@@ -91,6 +127,12 @@ public class StakeholderController { // EXCEPTION - Category not found throw new EntityNotFoundException("Get stakeholder: Category with id: "+categoryId+" not found (category exists in topic: "+topicId+")"); } + + if((!addAll && category.getVisibility() == Visibility.PRIVATE) + || (!addPublicAndRestricted && category.getVisibility() == Visibility.RESTRICTED)) { + continue; + } + Category categoryFull = new Category(category); List subCategories = new ArrayList<>(); @@ -101,19 +143,25 @@ public class StakeholderController { // EXCEPTION - SubCategory not found throw new EntityNotFoundException("Get stakeholder: SubCategory with id: "+subCategoryId+" not found (subCategory exists in category: "+categoryId+")"); } + + if((!addAll && subCategory.getVisibility() == Visibility.PRIVATE) + || (!addPublicAndRestricted && subCategory.getVisibility() == Visibility.RESTRICTED)) { + continue; + } + SubCategory subCategoryFull = new SubCategory>(subCategory); List
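Review bot: The visibility gate `(!addAll && category.getVisibility() == Visibility.PRIVATE) || (!addPublicAndRestricted && category.getVisibility() == Visibility.RESTRICTED)` lets a category whose visibility is null through for every caller, because null matches neither constant, and the same predicate is repeated for topics, subcategories and indicators in this diff. Since the commit replaces the old `isPublic` flag with `Visibility`, documents written before the migration may well carry a null visibility and would then be served as if PUBLIC. Centralise the test in one helper that fails closed on null (assuming Visibility has only PUBLIC, RESTRICTED and PRIVATE, which is all this diff references) and call it as `if (!isVisible(category.getVisibility(), addAll, addPublicAndRestricted)) continue;`. setFullEntities continues beyond this hunk.
```java
    /** True when an entity with visibility {@code v} may be shown to the current caller; null is treated as hidden. */
    private boolean isVisible(Visibility v, boolean addAll, boolean addPublicAndRestricted) {
        if (v == null) {
            return false; // unset visibility: fail closed rather than expose it as PUBLIC
        }
        return v == Visibility.PUBLIC
                || (v == Visibility.RESTRICTED && addPublicAndRestricted)
                || (v == Visibility.PRIVATE && addAll);
    }
    // … unchanged: topic/category/subcategory/indicator loops, each using the helper instead of the inline predicate …
```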
sectionsCharts = new ArrayList<>(); for(String sectionId : subCategory.getCharts()) { - sectionsCharts.add(getSectionFull(sectionId, subCategoryId)); + sectionsCharts.add(getSectionFull(sectionId, subCategoryId, addAll, addPublicAndRestricted)); } subCategoryFull.setCharts(sectionsCharts); List
sectionsNumbers = new ArrayList<>(); for(String sectionId : subCategory.getNumbers()) { - sectionsNumbers.add(getSectionFull(sectionId, subCategoryId)); + sectionsNumbers.add(getSectionFull(sectionId, subCategoryId, addAll, addPublicAndRestricted)); } subCategoryFull.setNumbers(sectionsNumbers); @@ -154,12 +202,13 @@ public class StakeholderController { return stakeholderFull; } - private Section getSectionFull(String sectionId, String subCategoryId) { + private Section getSectionFull(String sectionId, String subCategoryId, boolean addAll, boolean addPublicAndRestricted) { Section section = sectionDAO.findById(sectionId); if (section == null) { // EXCEPTION - Section not found throw new EntityNotFoundException("Get stakeholder: Section with id: " + sectionId + " not found (section exists in subCategory: " + subCategoryId + ")"); } + Section sectionFull = new Section(section); List indicators = new ArrayList<>(); @@ -169,6 +218,12 @@ public class StakeholderController { // EXCEPTION - Indicator not found throw new EntityNotFoundException("Get stakeholder: Indicator with id: " + indicatorId + " not found (indicator exists in section: " + sectionId + ")"); } + + if((!addAll && indicator.getVisibility() == Visibility.PRIVATE) + || (!addPublicAndRestricted && indicator.getVisibility() == Visibility.RESTRICTED)) { + continue; + } + indicators.add(indicator); } sectionFull.setIndicators(indicators); @@ -176,6 +231,8 @@ public class StakeholderController { return sectionFull; } + @PreAuthorize("hasAnyAuthority(" + + "@AuthorizationService.PORTAL_ADMIN)") @RequestMapping(value = "/stakeholder/all", method = RequestMethod.GET) public List getAllStakeholders(@RequestParam(required = false) String type) { log.debug("get all stakeholders" + (type != null ? " with type: "+type : "")); 
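Review bot: getSectionFull drops hidden indicators but always returns the section wrapper, so a section whose indicators are all filtered for this caller comes back with an empty `indicators` list; if an empty section is meaningful to the UI (a heading with nothing under it), the callers could skip it with `Section s = getSectionFull(...); if (!s.getIndicators().isEmpty()) sectionsCharts.add(s);`, otherwise a comment stating that empty sections are intentional would stop the next reader from wondering. The indicator predicate, like the others in this diff, lets a null visibility through; treat null as hidden so legacy documents without a visibility do not surface. If Section itself carries a visibility field (not visible here), note that it is not consulted anywhere in this method.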
@@ -189,12 +246,14 @@ public class StakeholderController { List stakeholdersFull = new ArrayList<>(); for(Stakeholder stakeholder : stakeholders) { - stakeholdersFull.add(this.setFullEntities(stakeholder)); + List roles = rolesUtils.getRoles(); + stakeholdersFull.add(this.setFullEntities(stakeholder, roles)); } return stakeholdersFull; } + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/stakeholder/default", method = RequestMethod.GET) public List getAllDefaultStakeholders(@RequestParam(required = false) String type) { log.debug("get all default stakeholders" + (type != null ? " with type: "+type : "")); @@ -207,9 +266,34 @@ public class StakeholderController { } List stakeholdersFull = new ArrayList<>(); - for(Stakeholder stakeholder : stakeholders) { - stakeholdersFull.add(this.setFullEntities(stakeholder)); + + // Remove stakeholders for which i do not have authority + if(stakeholders != null && stakeholders.size() > 0) { + List roles = rolesUtils.getRoles(); +// log.debug("ROLES: "); +// roles.forEach(role -> log.debug(role)); +// +// if (roles.contains(authorizationService.PORTAL_ADMIN)) { + if (rolesUtils.isPortalAdmin(roles)) { + for(Stakeholder stakeholder : stakeholders) { + stakeholdersFull.add(this.setFullEntities(stakeholder, roles)); + } + return stakeholdersFull; + } + + Iterator stakeholderIterator = stakeholders.iterator(); + while(stakeholderIterator.hasNext()) { + Stakeholder stakeholder = stakeholderIterator.next(); + +// if(roles.contains(authorizationService.curator(stakeholder.getType()))) { + if(rolesUtils.isCurator(roles, stakeholder.getType())) { + stakeholdersFull.add(this.setFullEntities(stakeholder, roles)); + continue; + } + stakeholderIterator.remove(); + } } + return stakeholdersFull; } 
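Review bot: In getAllDefaultStakeholders the `stakeholderIterator.remove()` call is dead work, because the method returns `stakeholdersFull`, built only from the stakeholders that passed the curator test, so pruning the DAO result list changes nothing the caller sees. A plain loop that adds curators' stakeholders and skips the rest reads clearer and stops mutating the list the DAO handed back. In getAllStakeholders, `rolesUtils.getRoles()` is called once per stakeholder inside the loop; hoist it above the loop as the other methods do, e.g. `List<String> roles = rolesUtils.getRoles(); for (Stakeholder stakeholder : stakeholders) { stakeholdersFull.add(this.setFullEntities(stakeholder, roles)); }`.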
@@ -224,11 +308,90 @@ public class StakeholderController { stakeholders = stakeholderDAO.findByDefaultIdNotAndType(null, type); } - List stakeholdersFull = new ArrayList<>(); - for(Stakeholder stakeholder : stakeholders) { - stakeholdersFull.add(this.setFullEntities(stakeholder)); + //List stakeholdersFull = new ArrayList<>(); + + if(stakeholders != null && stakeholders.size() > 0) { +// List roles = authorizationService.getRoles(); + List roles = rolesUtils.getRoles(); + +// if (roles.contains(authorizationService.PORTAL_ADMIN)) { + if (rolesUtils.isPortalAdmin(roles)) { +// for(Stakeholder stakeholder : stakeholders) { +// stakeholdersFull.add(this.setFullEntities(stakeholder)); +// } +// return stakeholdersFull; + return stakeholders; + } + + Iterator stakeholderIterator = stakeholders.iterator(); + while(stakeholderIterator.hasNext()) { + Stakeholder stakeholder = stakeholderIterator.next(); + +// if(roles.contains(authorizationService.curator(stakeholder.getType())) +// || roles.contains(authorizationService.manager(stakeholder.getType(), stakeholder.getAlias())) +// || stakeholder.getVisibility() == Visibility.PUBLIC +// || (stakeholder.getVisibility() == Visibility.RESTRICTED && roles.contains(authorizationService.member(stakeholder.getType(), stakeholder.getAlias())))) { + if(rolesUtils.isCurator(roles, stakeholder.getType()) + || rolesUtils.isManager(roles, stakeholder.getType(), stakeholder.getAlias()) + || stakeholder.getVisibility() == Visibility.PUBLIC + || (stakeholder.getVisibility() == Visibility.RESTRICTED && rolesUtils.isMember(roles, stakeholder.getType(), stakeholder.getAlias()))) { + //stakeholdersFull.add(this.setFullEntities(stakeholder)); + continue; + } + stakeholderIterator.remove(); + } } - log.debug(new Date()); + +// log.debug(new Date()); + +// return stakeholdersFull; + return stakeholders; + } + + @PreAuthorize("isAuthenticated()") + @RequestMapping(value = "/my-stakeholder", method = RequestMethod.GET) + public List 
getMyRealStakeholders(@RequestParam(required = false) String type) { + log.debug("get my NOT default stakeholders" + (type != null ? " with type: "+type : "")); + + List stakeholders; + if(type == null) { + stakeholders = stakeholderDAO.findByDefaultIdNot(null); + } else { + stakeholders = stakeholderDAO.findByDefaultIdNotAndType(null, type); + } + + List stakeholdersFull = new ArrayList<>(); + + if(stakeholders != null && stakeholders.size() > 0) { +// List roles = authorizationService.getRoles(); + List roles = rolesUtils.getRoles(); +// log.debug("ROLES: "); +// roles.forEach(role -> log.debug(role)); + +// if (roles.contains(authorizationService.PORTAL_ADMIN)) { + if (rolesUtils.isPortalAdmin(roles)) { + for(Stakeholder stakeholder : stakeholders) { + stakeholdersFull.add(this.setFullEntities(stakeholder, roles)); + } + return stakeholdersFull; + } + + Iterator stakeholderIterator = stakeholders.iterator(); + while(stakeholderIterator.hasNext()) { + Stakeholder stakeholder = stakeholderIterator.next(); + +// if(roles.contains(authorizationService.curator(stakeholder.getType())) +// || roles.contains(authorizationService.manager(stakeholder.getType(), stakeholder.getAlias()))) { + if(rolesUtils.isCurator(roles, stakeholder.getType()) + || rolesUtils.isManager(roles, stakeholder.getType(), stakeholder.getAlias())) { + stakeholdersFull.add(this.setFullEntities(stakeholder, roles)); + continue; + } + stakeholderIterator.remove(); + } + } + +// log.debug(new Date()); return stakeholdersFull; } 
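Review bot: getMyRealStakeholders duplicates getAllDefaultStakeholders apart from the DAO query and the `isManager` clause, including the redundant `stakeholderIterator.remove()` on a list that is never returned; one shared helper keeps the two authority rules from drifting. The first method of this hunk (its signature is above the hunk) hides a stakeholder whose visibility is null from everyone but curators and managers, which fails closed, whereas setFullEntities in the same file lets a null visibility on topics and categories through; pick one rule and state it in a comment. That first method also calls `rolesUtils.getRoles()` with no `@PreAuthorize` visible, so the helper must tolerate anonymous callers.
```java
    /** Full views of the stakeholders the caller may manage: portal admins see all, curators their type,
     *  and, when includeManagers is set, managers their own alias. Null input yields an empty list. */
    private List<Stakeholder> filterManageable(List<Stakeholder> stakeholders, boolean includeManagers) {
        List<Stakeholder> result = new ArrayList<>();
        if (stakeholders == null) {
            return result;
        }
        List<String> roles = rolesUtils.getRoles();
        boolean admin = rolesUtils.isPortalAdmin(roles);
        for (Stakeholder stakeholder : stakeholders) {
            if (admin
                    || rolesUtils.isCurator(roles, stakeholder.getType())
                    || (includeManagers && rolesUtils.isManager(roles, stakeholder.getType(), stakeholder.getAlias()))) {
                result.add(this.setFullEntities(stakeholder, roles));
            }
        }
        return result;
    }
    // … unchanged: DAO queries in getAllDefaultStakeholders (then `return filterManageable(stakeholders, false);`)
    //    and getMyRealStakeholders (then `return filterManageable(stakeholders, true);`) …
```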
@@ -242,9 +405,30 @@ public class StakeholderController { // EXCEPTION - Stakeholder not found throw new EntityNotFoundException("Get stakeholder: Stakeholder with alias: "+alias+" not found"); } - return this.setFullEntities(stakeholder); + +// List roles = authorizationService.getRoles(); + List roles = rolesUtils.getRoles(); + + if((stakeholder.getVisibility() == Visibility.PRIVATE && !rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias()) + || (stakeholder.getVisibility() == Visibility.RESTRICTED && !rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias()) && !rolesUtils.isMember(roles, stakeholder.getType(), stakeholder.getAlias())))) { +// // EXCEPTION - Access denied +// throw new AccessDeniedException("Get stakeholder: You are not authorized to get stakeholder with alias: "+alias); + List topicsEmpty = stakeholder.getTopics(); + topicsEmpty.clear(); + stakeholder.setTopics(topicsEmpty); + stakeholder.setVisibility(Visibility.PRIVATE); + return stakeholder; + } + + return this.setFullEntities(stakeholder, roles); } +// @PreAuthorize("isAuthenticated()") + @PreAuthorize("hasAnyAuthority(" + + "@AuthorizationService.PORTAL_ADMIN, " + + "@AuthorizationService.curator(#stakeholderFull.getType()), " + + "@AuthorizationService.manager(#stakeholderFull.getType(), #stakeholderFull.getAlias()) " + + ")") @RequestMapping(value = "/save", method = RequestMethod.POST) public Stakeholder saveStakeholder(@RequestBody Stakeholder stakeholderFull) { log.debug("save stakeholder"); @@ -283,7 +467,7 @@ public class StakeholderController { return stakeholderFull; } - + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/delete", method = RequestMethod.DELETE) public boolean deleteStakeholder(@PathVariable("stakeholderId") String stakeholderId) { log.debug("delete stakeholder"); 
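Review bot: The `@PreAuthorize` on saveStakeholder evaluates `@AuthorizationService.curator(#stakeholderFull.getType())` and `manager(#stakeholderFull.getType(), #stakeholderFull.getAlias())` against values the client supplies in the request body, so a manager of one stakeholder can send that type and alias together with another stakeholder's id; whether that overwrites the other record depends on the body of saveStakeholder, which is outside this hunk. Re-check inside the method against the persisted entity, e.g. `Stakeholder existing = stakeholderDAO.findById(stakeholderFull.getId()); if (existing != null && !rolesUtils.hasUpdateAuthority(rolesUtils.getRoles(), existing.getType(), existing.getAlias())) throw new AccessDeniedException("Save stakeholder: not authorized for stakeholder with id: " + existing.getId());`. In the alias lookup above it, the stripped response still carries every other field of the loaded entity and reports a RESTRICTED stakeholder as PRIVATE; if the intent is only "exists but hidden", build a minimal object rather than mutating and returning the DAO entity. The alias lookup method starts above this hunk.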
@@ -292,6 +476,15 @@ public class StakeholderController { Stakeholder stakeholder = stakeholderDAO.findById(stakeholderId); if(stakeholder != null) { +// List roles = authorizationService.getRoles(); + List roles = rolesUtils.getRoles(); + +// if(!roles.contains(authorizationService.PORTAL_ADMIN) +// && !roles.contains(authorizationService.curator(stakeholder.getType()))) { + if(!rolesUtils.hasCreateAndDeleteAuthority(roles, stakeholder.getType())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("Delete stakeholder: You are not authorized to delete stakeholder with id: "+stakeholderId); + } // for(String topicId : stakeholder.getTopics()) { // Topic topic = topicDAO.findById(topicId); 
@@ -364,43 +557,74 @@ public class StakeholderController { } - @RequestMapping(value = "/{stakeholderId}/toggle-status", method = RequestMethod.POST) - public Boolean toggleStakeholderStatus(@PathVariable("stakeholderId") String stakeholderId) { - log.debug("toggle stakeholder status (isActive)"); +// @RequestMapping(value = "/{stakeholderId}/toggle-status", method = RequestMethod.POST) +// public Boolean toggleStakeholderStatus(@PathVariable("stakeholderId") String stakeholderId) { +// log.debug("toggle stakeholder status (isActive)"); +// log.debug("Stakeholder: "+stakeholderId); +// +// Stakeholder stakeholder = stakeholderDAO.findById(stakeholderId); +// if (stakeholder == null) { +// // EXCEPTION - Stakeholder not found +// throw new EntityNotFoundException("Toggle stakeholder status: Stakeholder with id: "+stakeholderId+" not found"); +// } +// stakeholder.setIsActive(!stakeholder.getIsActive()); +// +// stakeholderDAO.save(stakeholder); +// log.debug("Stakeholder toggled!"); +// +// return stakeholder.getIsActive(); +// } +// +// @RequestMapping(value = "/{stakeholderId}/toggle-access", method = RequestMethod.POST) +// public Boolean toggleStakeholderAccess(@PathVariable("stakeholderId") String stakeholderId) { +// log.debug("toggle stakeholder access (isPublic)"); +// log.debug("Stakeholder: "+stakeholderId); +// +// Stakeholder stakeholder = stakeholderDAO.findById(stakeholderId); +// if (stakeholder == null) { +// // EXCEPTION - Stakeholder not found +// throw new EntityNotFoundException("Toggle stakeholder access: Stakeholder with id: "+stakeholderId+" not found"); +// } +// stakeholder.setIsPublic(!stakeholder.getIsPublic()); +// +// stakeholderDAO.save(stakeholder); +// log.debug("Stakeholder toggled!"); +// +// return stakeholder.getIsPublic(); +// } + + + @PreAuthorize("isAuthenticated()") + @RequestMapping(value = "/{stakeholderId}/change-visibility", method = RequestMethod.POST) + public Visibility 
toggleStakeholderAccess(@PathVariable("stakeholderId") String stakeholderId, + @RequestParam("visibility") Visibility visibility) { + log.debug("change stakeholder visibility: "+visibility); log.debug("Stakeholder: "+stakeholderId); Stakeholder stakeholder = stakeholderDAO.findById(stakeholderId); if (stakeholder == null) { // EXCEPTION - Stakeholder not found - throw new EntityNotFoundException("Toggle stakeholder status: Stakeholder with id: "+stakeholderId+" not found"); + throw new EntityNotFoundException("Change stakeholder visibility: Stakeholder with id: "+stakeholderId+" not found"); } - stakeholder.setIsActive(!stakeholder.getIsActive()); + +// List roles = authorizationService.getRoles(); + List roles = rolesUtils.getRoles(); + +// if(!roles.contains(authorizationService.PORTAL_ADMIN) +// && !roles.contains(authorizationService.curator(stakeholder.getType())) +// && !roles.contains(authorizationService.manager(stakeholder.getType(), stakeholder.getAlias()))) { + if(!rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("Change stakeholder visibility: You are not authorized to update stakeholder with id: "+stakeholderId); + } + stakeholder.setVisibility(visibility); stakeholderDAO.save(stakeholder); log.debug("Stakeholder toggled!"); - return stakeholder.getIsActive(); + return stakeholder.getVisibility(); } - @RequestMapping(value = "/{stakeholderId}/toggle-access", method = RequestMethod.POST) - public Boolean toggleStakeholderAccess(@PathVariable("stakeholderId") String stakeholderId) { - log.debug("toggle stakeholder access (isPublic)"); - log.debug("Stakeholder: "+stakeholderId); - - Stakeholder stakeholder = stakeholderDAO.findById(stakeholderId); - if (stakeholder == null) { - // EXCEPTION - Stakeholder not found - throw new EntityNotFoundException("Toggle stakeholder access: Stakeholder with id: "+stakeholderId+" not found"); - } - 
stakeholder.setIsPublic(!stakeholder.getIsPublic()); - - stakeholderDAO.save(stakeholder); - log.debug("Stakeholder toggled!"); - - return stakeholder.getIsPublic(); - } - - // The following are not supposed to be used // @RequestMapping(value = "/stakeholder/dates", method = RequestMethod.GET) // public List getAllStakeholderDates() { diff --git a/src/main/java/eu/dnetlib/uoamonitorservice/controllers/SubCategoryController.java b/src/main/java/eu/dnetlib/uoamonitorservice/controllers/SubCategoryController.java index 463185f..854f448 100644 --- a/src/main/java/eu/dnetlib/uoamonitorservice/controllers/SubCategoryController.java +++ b/src/main/java/eu/dnetlib/uoamonitorservice/controllers/SubCategoryController.java @@ -4,11 +4,15 @@ import eu.dnetlib.uoamonitorservice.dao.*; import eu.dnetlib.uoamonitorservice.entities.*; import eu.dnetlib.uoamonitorservice.handlers.EntityNotFoundException; import eu.dnetlib.uoamonitorservice.handlers.PathNotValidException; +import eu.dnetlib.uoamonitorservice.handlers.utils.RolesUtils; import org.apache.log4j.Logger; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.access.AccessDeniedException; +import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.web.bind.annotation.*; import java.util.ArrayList; +import java.util.Date; import java.util.Iterator; import java.util.List; @@ -17,6 +21,9 @@ import java.util.List; public class SubCategoryController { private final Logger log = Logger.getLogger(this.getClass()); + @Autowired + private RolesUtils rolesUtils; + @Autowired private StakeholderDAO stakeholderDAO; 
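Review bot: `log.debug("Stakeholder toggled!");` in the new change-visibility handler is left over from the removed toggle endpoints and no longer describes what happened; use `log.debug("Stakeholder visibility changed to: " + stakeholder.getVisibility());`. The two removed endpoints are kept as roughly 35 commented-out lines above the new one; version control already holds them, so delete the block instead of carrying dead code. Binding `@RequestParam("visibility") Visibility visibility` means an unrecognised value should be rejected by Spring's conversion before the method runs, which is the desired fail-closed behaviour, so a one-line comment saying the enum binding is deliberate will stop someone "fixing" it to a String.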
@@ -63,12 +70,21 @@ public class SubCategoryController { subcategoryFull.setNumbers(sectionNumbersFull); subCategory.setNumbers(sectionNumbers); + Date date = new Date(); + subCategory.setCreationDate(date); + subCategory.setUpdateDate(date); + + subcategoryFull.setCreationDate(date); + subcategoryFull.setUpdateDate(date); + + subCategoryDAO.save(subCategory); subcategoryFull.setId(subCategory.getId()); return subcategoryFull; } + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/save", method = RequestMethod.POST) public SubCategory> saveSubCategory(@PathVariable("stakeholderId") String stakeholderId, @PathVariable("topicId") String topicId, @@ -79,13 +95,20 @@ public class SubCategoryController { Category category = checkForExceptions(stakeholderId, topicId, categoryId); + SubCategory subCategory = new SubCategory<>(subcategoryFull); + + Date date = new Date(); + subCategory.setUpdateDate(date); + subcategoryFull.setUpdateDate(date); + SubCategory oldSubcategory = null; if(subcategoryFull.getId() != null) { oldSubcategory = subCategoryDAO.findById(subcategoryFull.getId()); + } else { // subcategory does not exist in DB + subCategory.setCreationDate(date); + subcategoryFull.setCreationDate(date); } - SubCategory subCategory = new SubCategory<>(subcategoryFull); - // List charts = new ArrayList<>(); // for(Indicator chart : subcategoryFull.getCharts()) { // charts.add(chart.getId()); 
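Review bot: When `subcategoryFull.getId()` is non-null but `subCategoryDAO.findById` returns nothing, this hunk leaves `oldSubcategory` null and skips `setCreationDate`, and the save in the following hunk then persists a document under the client-chosen id with no creation date after calling `onUpdateDefaultSubCategory(subCategory, null)`. Decide explicitly: either `if (oldSubcategory == null) throw new EntityNotFoundException("Save subCategory: SubCategory with id: " + subcategoryFull.getId() + " not found");` or treat it as a create by clearing the id before stamping the dates. The same ambiguity exists in saveSection and saveTopic in this diff. saveSubCategory continues past the end of the hunk.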
@@ -110,15 +133,17 @@ public class SubCategoryController { } subCategory.setNumbers(numberSections); - subCategoryDAO.save(subCategory); - Stakeholder stakeholder = stakeholderDAO.findById(stakeholderId); if(stakeholder.getDefaultId() == null) { if(subcategoryFull.getId() == null) { + subCategoryDAO.save(subCategory); onSaveDefaultSubCategory(subCategory, categoryId); } else { onUpdateDefaultSubCategory(subCategory, oldSubcategory); + subCategoryDAO.save(subCategory); } + } else { + subCategoryDAO.save(subCategory); } List subcategories = category.getSubCategories(); @@ -182,10 +207,12 @@ public class SubCategoryController { // subCategoryBasedOnDefault.setName(subCategory.getName()); // subCategoryBasedOnDefault.setDescription(subCategory.getDescription()); + subCategoryBasedOnDefault.setUpdateDate(subCategory.getUpdateDate()); subCategoryDAO.save(subCategoryBasedOnDefault); } } + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/delete", method = RequestMethod.DELETE) public boolean deleteSubCategory(@PathVariable("stakeholderId") String stakeholderId, @PathVariable("topicId") String topicId, @@ -199,6 +226,14 @@ public class SubCategoryController { SubCategory subcategory = subCategoryDAO.findById(subcategoryId); if(subcategory != null) { + + Stakeholder stakeholder = stakeholderDAO.findById(stakeholderId); + List roles = rolesUtils.getRoles(); + if(subcategory.getDefaultId() != null && !rolesUtils.hasCreateAndDeleteAuthority(roles, stakeholder.getType())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("Delete subcategory: You are not authorized to delete a default SubCategory in stakeholder with id: "+stakeholderId); + } + List subcategories = category.getSubCategories(); int index = subcategories.indexOf(subcategoryId); if(index != -1) { 
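Review bot: The gate `subcategory.getDefaultId() != null && !rolesUtils.hasCreateAndDeleteAuthority(roles, stakeholder.getType())` in deleteSubCategory is the same rule as in deleteSection; one helper such as `private void requireDeleteAuthority(Stakeholder stakeholder, String defaultId, String what)` keeps the two from drifting. `stakeholderDAO.findById(stakeholderId)` here repeats the lookup checkForExceptions already made, and `stakeholder.getType()` is null-safe only because that helper threw first; make the dependency explicit with `// non-null: checkForExceptions throws when the stakeholder is missing` or have the helper return the entity. The message "delete a default SubCategory" describes an entry derived from a default (`defaultId != null`), not the default itself. deleteSubCategory continues beyond this hunk.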
@@ -298,6 +333,7 @@ public class SubCategoryController { return true; } + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/reorder", method = RequestMethod.POST) public List reorderSubCategories(@PathVariable("stakeholderId") String stakeholderId, @PathVariable("topicId") String topicId, 
@@ -320,44 +356,66 @@ public class SubCategoryController { return subCategoriesFull; } - @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/toggle-status", method = RequestMethod.POST) - public Boolean toggleSubCategoryStatus(@PathVariable("stakeholderId") String stakeholderId, - @PathVariable("topicId") String topicId, - @PathVariable("categoryId") String categoryId, - @PathVariable("subcategoryId") String subcategoryId) { - log.debug("toggle subCategory status (isActive)"); +// @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/toggle-status", method = RequestMethod.POST) +// public Boolean toggleSubCategoryStatus(@PathVariable("stakeholderId") String stakeholderId, +// @PathVariable("topicId") String topicId, +// @PathVariable("categoryId") String categoryId, +// @PathVariable("subcategoryId") String subcategoryId) { +// log.debug("toggle subCategory status (isActive)"); +// log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId + " - Category: "+categoryId+ " - SubCategory: "+subcategoryId); +// +// SubCategory subCategory = subCategoryDAO.findById(subcategoryId); +// if (subCategory == null) { +// // EXCEPTION - SubCategory not found +// throw new EntityNotFoundException("Toggle subCategory status: SubCategory with id: "+subcategoryId+" not found"); +// } +// subCategory.setIsActive(!subCategory.getIsActive()); +// +// this.toggleSubCategory(stakeholderId, topicId, categoryId, subCategory); +// +// return subCategory.getIsActive(); +// } +// +// @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/toggle-access", method = RequestMethod.POST) +// public Boolean toggleSubCategoryAccess(@PathVariable("stakeholderId") String stakeholderId, +// @PathVariable("topicId") String topicId, +// @PathVariable("categoryId") String categoryId, +// @PathVariable("subcategoryId") String subcategoryId) { +// log.debug("toggle subCategory access (isPublic)"); +// 
log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId + " - Category: "+categoryId+ " - SubCategory: "+subcategoryId); +// +// SubCategory subCategory = subCategoryDAO.findById(subcategoryId); +// if (subCategory == null) { +// // EXCEPTION - SubCategory not found +// throw new EntityNotFoundException("Toggle subCategory access: SubCategory with id: "+subcategoryId+" not found"); +// } +// subCategory.setIsPublic(!subCategory.getIsPublic()); +// +// this.toggleSubCategory(stakeholderId, topicId, categoryId, subCategory); +// +// return subCategory.getIsPublic(); +// } + + @PreAuthorize("isAuthenticated()") + @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/change-visibility", method = RequestMethod.POST) + public Visibility changeTopicVisibility(@PathVariable("stakeholderId") String stakeholderId, + @PathVariable("topicId") String topicId, + @PathVariable("categoryId") String categoryId, + @PathVariable("subcategoryId") String subcategoryId, + @RequestParam("visibility") Visibility visibility) { + log.debug("change subCategory visibility: "+visibility); log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId + " - Category: "+categoryId+ " - SubCategory: "+subcategoryId); SubCategory subCategory = subCategoryDAO.findById(subcategoryId); if (subCategory == null) { // EXCEPTION - SubCategory not found - throw new EntityNotFoundException("Toggle subCategory status: SubCategory with id: "+subcategoryId+" not found"); + throw new EntityNotFoundException("Change subCategory visibility: SubCategory with id: "+subcategoryId+" not found"); } - subCategory.setIsActive(!subCategory.getIsActive()); + subCategory.setVisibility(visibility); this.toggleSubCategory(stakeholderId, topicId, categoryId, subCategory); - return subCategory.getIsActive(); - } - - @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/toggle-access", method = RequestMethod.POST) - public Boolean 
toggleSubCategoryAccess(@PathVariable("stakeholderId") String stakeholderId, - @PathVariable("topicId") String topicId, - @PathVariable("categoryId") String categoryId, - @PathVariable("subcategoryId") String subcategoryId) { - log.debug("toggle subCategory access (isPublic)"); - log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId + " - Category: "+categoryId+ " - SubCategory: "+subcategoryId); - - SubCategory subCategory = subCategoryDAO.findById(subcategoryId); - if (subCategory == null) { - // EXCEPTION - SubCategory not found - throw new EntityNotFoundException("Toggle subCategory access: SubCategory with id: "+subcategoryId+" not found"); - } - subCategory.setIsPublic(!subCategory.getIsPublic()); - - this.toggleSubCategory(stakeholderId, topicId, categoryId, subCategory); - - return subCategory.getIsPublic(); + return subCategory.getVisibility(); } public void toggleSubCategory(String stakeholderId, String topicId, String categoryId, SubCategory subcategory) { @@ -382,6 +440,12 @@ public class SubCategoryController { throw new EntityNotFoundException("Save indicator: Stakeholder with id: " + stakeholderId + " not found"); } + List roles = rolesUtils.getRoles(); + if(!rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("CheckForExceptions SubCategory: You are not authorized to update stakeholder with id: "+stakeholderId); + } + Topic topic = topicDAO.findById(topicId); if(topic == null) { // EXCEPTION - Topic not found diff --git a/src/main/java/eu/dnetlib/uoamonitorservice/controllers/TopicController.java b/src/main/java/eu/dnetlib/uoamonitorservice/controllers/TopicController.java index 677e249..9442415 100644 --- a/src/main/java/eu/dnetlib/uoamonitorservice/controllers/TopicController.java +++ b/src/main/java/eu/dnetlib/uoamonitorservice/controllers/TopicController.java 
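Review bot: The new handler in SubCategoryController is named `changeTopicVisibility` although it serves `/{subcategoryId}/change-visibility` and changes a subcategory; rename it `changeSubCategoryVisibility` so logs and stack traces point at the right entity. Its authorization lives in `toggleSubCategory` -> checkForExceptions (next hunk), which runs only after `subCategory.setVisibility(visibility)` has mutated the loaded entity; that is safe as long as nothing persists the object before the check, so a comment `// authority is enforced inside toggleSubCategory before anything is saved` protects that ordering. The roughly 40 lines of commented-out toggle-status/toggle-access code should be deleted rather than kept.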
@@ -4,11 +4,15 @@ import eu.dnetlib.uoamonitorservice.dao.*; import eu.dnetlib.uoamonitorservice.entities.*; import eu.dnetlib.uoamonitorservice.handlers.EntityNotFoundException; import eu.dnetlib.uoamonitorservice.handlers.PathNotValidException; +import eu.dnetlib.uoamonitorservice.handlers.utils.RolesUtils; import org.apache.log4j.Logger; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.access.AccessDeniedException; +import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.web.bind.annotation.*; import java.util.ArrayList; +import java.util.Date; import java.util.Iterator; import java.util.List; @@ -17,24 +21,15 @@ import java.util.List; public class TopicController { private final Logger log = Logger.getLogger(this.getClass()); + @Autowired + private RolesUtils rolesUtils; + @Autowired private StakeholderDAO stakeholderDAO; @Autowired private TopicDAO topicDAO; - @Autowired - private CategoryDAO categoryDAO; - - @Autowired - private SubCategoryDAO subCategoryDAO; - - @Autowired - private SectionDAO sectionDAO; - - @Autowired - private IndicatorDAO indicatorDAO; - @Autowired private CategoryController categoryController; @@ -51,12 +46,20 @@ public class TopicController { topicFull.setCategories(categoriesFull); topic.setCategories(categories); + Date date = new Date(); + topic.setCreationDate(date); + topic.setUpdateDate(date); + + topicFull.setCreationDate(date); + topicFull.setUpdateDate(date); + topicDAO.save(topic); topicFull.setId(topic.getId()); return topicFull; } + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/save", method = RequestMethod.POST) public Topic saveTopic(@PathVariable("stakeholderId") String stakeholderId, @RequestBody Topic topicFull) { 
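Review bot: The `@PreAuthorize("isAuthenticated()")` placed above `saveTopic` only takes effect if pre/post method security is enabled in the application's security configuration (e.g. `@EnableGlobalMethodSecurity(prePostEnabled = true)` on the Spring Security 5 line), and nothing in this diff shows that; without it the annotation is silently ignored and the in-body `rolesUtils.hasUpdateAuthority` check becomes the only barrier, whose behaviour for an anonymous caller depends on what `AuthorizationService.getRoles()` returns for one. Worth confirming once and noting at the annotation site, e.g. `// requires prePostEnabled method security; see SecurityConfig`. The creation/update timestamps use `java.util.Date`; if the entity setters are ever migrated to `java.time`, `Instant.now()` would be the replacement, but that is style only. The method receiving the timestamps in the first half of this hunk starts outside it.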
@@ -66,12 +69,24 @@ public class TopicController { Stakeholder stakeholder = stakeholderDAO.findById(stakeholderId); if(stakeholder != null) { - Topic oldTopic = null; - if(topicFull.getId() != null) { - oldTopic = topicDAO.findById(topicFull.getId()); + List roles = rolesUtils.getRoles(); + if(!rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("Save Topic: You are not authorized to update stakeholder with id: "+stakeholderId); } Topic topic = new Topic<>(topicFull); + Date date = new Date(); + topic.setUpdateDate(date); + topicFull.setUpdateDate(date); + + Topic oldTopic = null; + if(topicFull.getId() != null) { + oldTopic = topicDAO.findById(topicFull.getId()); + } else { // topic does not exist in DB + topic.setCreationDate(date); + topicFull.setCreationDate(date); + } List categories = new ArrayList<>(); for(Category category : topicFull.getCategories()) { @@ -79,14 +94,16 @@ public class TopicController { } topic.setCategories(categories); - topicDAO.save(topic); - if(stakeholder.getDefaultId() == null) { if(topicFull.getId() == null) { + topicDAO.save(topic); onSaveDefaultTopic(topic, stakeholderId); } else { onUpdateDefaultTopic(topic, oldTopic); + topicDAO.save(topic); } + } else { + topicDAO.save(topic); } List topics = stakeholder.getTopics(); @@ -158,10 +175,12 @@ public class TopicController { // topicBasedOnDefault.setName(topic.getName()); // topicBasedOnDefault.setDescription(topic.getDescription()); + topicBasedOnDefault.setUpdateDate(topic.getUpdateDate()); topicDAO.save(topicBasedOnDefault); } } + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/{topicId}/delete", method = RequestMethod.DELETE) public boolean deleteTopic(@PathVariable("stakeholderId") String stakeholderId, @PathVariable("topicId") String topicId, 
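Review bot: When `topicFull.getId()` is non-null but `topicDAO.findById` finds nothing, `oldTopic` stays `null` and the code continues down the update path with the client-chosen id instead of rejecting the request; the later `onUpdateDefaultTopic(topic, oldTopic)` call then receives a null old topic, and the save would write a topic under an id the server never issued. Reject it right after the lookup: `if(oldTopic == null) { throw new EntityNotFoundException("Save Topic: Topic with id: "+topicFull.getId()+" not found"); }`. Setting `updateDate` before that lookup is harmless but reads oddly; moving the two `setUpdateDate` lines below the existence check keeps the happy path in order. `saveTopic` continues past the end of this hunk.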
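Review bot: `topicDAO.save(topic)` is reached in all three branches of the `getDefaultId()` block before the stakeholder's own topic list is consulted, and `topic` carries the client-supplied `topicFull.getId()`; the authorization check earlier in `saveTopic` only ties the caller to `stakeholderId`, so a manager of one stakeholder can overwrite a topic that belongs to another by posting its id. Bind the id to the stakeholder before any write, e.g. `if(topicFull.getId() != null && !stakeholder.getTopics().contains(topicFull.getId())) { throw new PathNotValidException("Save Topic: Topic with id: "+topicFull.getId()+" does not belong to stakeholder with id: "+stakeholderId); }` (`PathNotValidException` is already imported by this file). The `List topics = stakeholder.getTopics();` that follows suggests a membership step exists further down, but since `saveTopic` continues outside the hunk I cannot see it, and in any case it would run after the save.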
@@ -173,9 +192,20 @@ public class TopicController { if(stakeholder != null) { + List roles = rolesUtils.getRoles(); + if(!rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("Delete topic: You are not authorized to update stakeholder with id: "+stakeholderId); + } + Topic topic = topicDAO.findById(topicId); if(topic != null) { + if(topic.getDefaultId() != null && !rolesUtils.hasCreateAndDeleteAuthority(roles, stakeholder.getType())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("Delete topic: You are not authorized to delete a default Topic in stakeholder with id: "+stakeholderId); + } + List topics = stakeholder.getTopics(); int index = topics.indexOf(topicId); if(index != -1) { @@ -298,6 +328,7 @@ public class TopicController { return true; } + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/reorder", method = RequestMethod.POST) public List reorderTopics(@PathVariable("stakeholderId") String stakeholderId, @RequestBody List topics) { @@ -307,6 +338,13 @@ public class TopicController { Stakeholder stakeholder = stakeholderDAO.findById(stakeholderId); if(stakeholder != null) { + + List roles = rolesUtils.getRoles(); + if(!rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("Reorder topics: You are not authorized to update stakeholder with id: "+stakeholderId); + } + stakeholder.setTopics(topics); stakeholderDAO.save(stakeholder); 
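Review bot: In `reorderTopics`, `stakeholder.setTopics(topics)` replaces the stakeholder's topic-id list with the request body verbatim; the new authority check confirms the caller may update this stakeholder but nothing verifies that the posted list is a permutation of the current one, so a manager can drop topics or attach topic ids that belong to another stakeholder, after which `toggleTopic`'s `getTopics().contains(...)` ownership test would treat those foreign topics as theirs. Add a shape check before the assignment, for example `List current = stakeholder.getTopics(); if(topics == null || topics.size() != current.size() || !topics.containsAll(current)) { throw new PathNotValidException("Reorder topics: posted list must contain exactly the topics of stakeholder with id: "+stakeholderId); }`. The method signature and the remainder of `reorderTopics` lie outside this hunk.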
@@ -323,46 +361,73 @@ public class TopicController { } } - @RequestMapping(value = "/{stakeholderId}/{topicId}/toggle-status", method = RequestMethod.POST) - public Boolean toggleTopicStatus(@PathVariable("stakeholderId") String stakeholderId, - @PathVariable("topicId") String topicId) { - log.debug("toggle topic status (isActive)"); +// @RequestMapping(value = "/{stakeholderId}/{topicId}/toggle-status", method = RequestMethod.POST) +// public Boolean toggleTopicStatus(@PathVariable("stakeholderId") String stakeholderId, +// @PathVariable("topicId") String topicId) { +// log.debug("toggle topic status (isActive)"); +// log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId); +// +// Topic topic = topicDAO.findById(topicId); +// if (topic == null) { +// // EXCEPTION - Topic not found +// throw new EntityNotFoundException("Toggle topic status: Topic with id: "+topicId+" not found"); +// } +// topic.setIsActive(!topic.getIsActive()); +// +// this.toggleTopic(stakeholderId, topic); +// +// return topic.getIsActive(); +// } +// +// @RequestMapping(value = "/{stakeholderId}/{topicId}/toggle-access", method = RequestMethod.POST) +// public Boolean toggleTopicAccess(@PathVariable("stakeholderId") String stakeholderId, +// @PathVariable("topicId") String topicId) { +// log.debug("toggle topic access (isPublic)"); +// log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId); +// +// Topic topic = topicDAO.findById(topicId); +// if (topic == null) { +// // EXCEPTION - Topic not found +// throw new EntityNotFoundException("Toggle topic access: Topic with id: "+topicId+" not found"); +// } +// topic.setIsPublic(!topic.getIsPublic()); +// +// this.toggleTopic(stakeholderId, topic); +// +// return topic.getIsPublic(); +// } + + @PreAuthorize("isAuthenticated()") + @RequestMapping(value = "/{stakeholderId}/{topicId}/change-visibility", method = RequestMethod.POST) + public Visibility changeTopicVisibility(@PathVariable("stakeholderId") String stakeholderId, + 
@PathVariable("topicId") String topicId, + @RequestParam("visibility") Visibility visibility) { + log.debug("change topic visibility: "+visibility); log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId); Topic topic = topicDAO.findById(topicId); if (topic == null) { // EXCEPTION - Topic not found - throw new EntityNotFoundException("Toggle topic status: Topic with id: "+topicId+" not found"); + throw new EntityNotFoundException("Change topic visibility: Topic with id: "+topicId+" not found"); } - topic.setIsActive(!topic.getIsActive()); + topic.setVisibility(visibility); this.toggleTopic(stakeholderId, topic); - return topic.getIsActive(); - } - - @RequestMapping(value = "/{stakeholderId}/{topicId}/toggle-access", method = RequestMethod.POST) - public Boolean toggleTopicAccess(@PathVariable("stakeholderId") String stakeholderId, - @PathVariable("topicId") String topicId) { - log.debug("toggle topic access (isPublic)"); - log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId); - - Topic topic = topicDAO.findById(topicId); - if (topic == null) { - // EXCEPTION - Topic not found - throw new EntityNotFoundException("Toggle topic access: Topic with id: "+topicId+" not found"); - } - topic.setIsPublic(!topic.getIsPublic()); - - this.toggleTopic(stakeholderId, topic); - - return topic.getIsPublic(); + return topic.getVisibility(); } public void toggleTopic(String stakeholderId, Topic topic) { Stakeholder stakeholder = stakeholderDAO.findById(stakeholderId); if (stakeholder != null) { + + List roles = rolesUtils.getRoles(); + if(!rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("Toggle topic: You are not authorized to update stakeholder with id: "+stakeholderId); + } + if (stakeholder.getTopics().contains(topic.getId())) { topicDAO.save(topic); log.debug("Topic toggled!"); 
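Review bot: In `changeTopicVisibility` the `topicDAO.findById(topicId)` lookup and its `EntityNotFoundException` run before any authorization, which only happens later inside `toggleTopic`; any authenticated user can therefore distinguish existing from non-existing topic ids (not-found versus access-denied) across all stakeholders, and the topic object is mutated in memory before the caller's rights are known. Resolve the stakeholder and call `rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias())` first, then look up the topic. Note also that `toggleTopic` silently skips the save when the stakeholder is null or the topic is not in `stakeholder.getTopics()` (its tail is outside the hunk, so I may be missing an exception there), yet `changeTopicVisibility` still returns `topic.getVisibility()` as though the change were persisted; raising `PathNotValidException` in those branches, or returning the stored value, would avoid a misleading success response.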
diff --git a/src/main/java/eu/dnetlib/uoamonitorservice/handlers/utils/RolesUtils.java b/src/main/java/eu/dnetlib/uoamonitorservice/handlers/utils/RolesUtils.java
new file mode 100644
index 0000000..43a449e
--- /dev/null
+++ b/src/main/java/eu/dnetlib/uoamonitorservice/handlers/utils/RolesUtils.java
@@ -0,0 +1,65 @@
+package eu.dnetlib.uoamonitorservice.handlers.utils;
+
+import eu.dnetlib.uoaauthorizationlibrary.security.AuthorizationService;
+import org.apache.log4j.Logger;
+
+import java.util.List;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+@Component
+public class RolesUtils {
+ @Autowired
+ private AuthorizationService authorizationService;
+
+ private final Logger log = Logger.getLogger(this.getClass());
+
+ public List getRoles() {
+ return authorizationService.getRoles();
+ }
+
+ public boolean isPortalAdmin(List roles) {
+ if(roles == null) {
+ return false;
+ }
+// log.debug(authorizationService.PORTAL_ADMIN);
+// log.debug("PortalAdmin: "+roles.contains(authorizationService.PORTAL_ADMIN));
+ return roles.contains(authorizationService.PORTAL_ADMIN);
+ }
+
+ public boolean isCurator(List roles, String type) {
+ if(roles == null) {
+ return false;
+ }
+// log.debug(authorizationService.curator(type));
+// log.debug("Curator in "+type+": "+roles.contains(authorizationService.curator(type)));
+ return roles.contains(authorizationService.curator(type));
+ }
+
+ public boolean isManager(List roles, String type, String id) {
+ if(roles == null) {
+ return false;
+ }
+// log.debug(authorizationService.manager(type, id));
+// log.debug("Manager in "+type+" - "+id+": "+roles.contains(authorizationService.manager(type, id)));
+ return roles.contains(authorizationService.manager(type, id));
+ }
+
+ public boolean isMember(List roles, String type, String id) {
+ if(roles == null) {
+ return false;
+ }
+// log.debug(authorizationService.member(type, id));
+// log.debug("Member in "+type+" - "+id+": "+roles.contains(authorizationService.member(type, id)));
+ return roles.contains(authorizationService.member(type, id));
+ }
+
+ public boolean hasUpdateAuthority(List roles, String type, String id) {
+ return isPortalAdmin(roles) || isCurator(roles, type) || isManager(roles, type, id);
+ }
+
+ public boolean hasCreateAndDeleteAuthority(List roles, String type) {
+ return isPortalAdmin(roles) || isCurator(roles, type);
+ }
+}
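Review bot: `RolesUtils` declares every role list as a raw `List`, so `roles.contains(...)` compiles against `Object` and a caller could pass a list of anything without a compile error; declare `List<String>` throughout (`public List<String> getRoles()`, `isPortalAdmin(List<String> roles)`, and so on), which matches how the lists are used. The commented-out `log.debug` lines in each `is*` method should be removed rather than shipped, which also leaves the `log` field unused and deletable. `authorizationService.PORTAL_ADMIN` reads like a constant reached through an instance reference; if it is `static`, access it as `AuthorizationService.PORTAL_ADMIN`. A short Javadoc on `hasUpdateAuthority` noting that `id` is the stakeholder alias (every caller in this diff passes `stakeholder.getAlias()`) would stop a future caller from passing the database id instead.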