From 1a784f29bdbfbfee35c38f2af87b425e160ce3ff Mon Sep 17 00:00:00 2001 
From: "konstantina.galouni" Date: Wed, 11 Nov 2020 12:45:59 +0000 Subject: [PATCH] [Trunk | Monitor Service]: 1. RolesUtils.java: New class connected to "AuthorizationService" and returns helper methods for roles and authorities. 2. StakeholderController.java & TopicController.java & CategoryController.java & SubCategoryController.java & SectionController.java & IndicatorController.java: a. Add authorization checks according to user roles (authorization library). b. Handle new fields "createDate" and "updateDate" (StakeholderController.java already had these fields). c. [Bug fix] On save method, if it is default entity, add it before "onSaveDefault...()" or after "onUpdateDefault...()". d. (not in SectionController) Comment methods for toggling status and access and add method for changing visibility. e.g. "changeIndicatorVisibility()" (/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/{sectionId}/{indicatorId}/change-visibility). 3. StakeholderController.java: Method "getAllRealStakeholders()" (/stakeholder) returns now basic Stakeholder info (topicIds, not full entities). 4. IndicatorController.java: a. [Bug fix] On "onUpdateDefaultIndicator()", "changed" is set to false for each indicatorBasedOnDefault. b. On "onUpdateDefaultIndicator()" handle update policy for "description" and "additionalDescription". c. [Bug fix] On "onUpdateDefaultIndicator()", bug fixes when updating "jsonPath". --- .../controllers/CategoryController.java | 148 ++++++--- .../controllers/IndicatorController.java | 223 +++++++++---- .../controllers/SectionController.java | 48 ++- .../controllers/StakeholderController.java | 306 +++++++++++++++--- .../controllers/SubCategoryController.java | 130 ++++++-- .../controllers/TopicController.java | 149 ++++++--- .../handlers/utils/RolesUtils.java | 65 ++++ 7 files changed, 854 insertions(+), 215 deletions(-) create mode 100644 src/main/java/eu/dnetlib/uoamonitorservice/handlers/utils/RolesUtils.java 
diff --git a/src/main/java/eu/dnetlib/uoamonitorservice/controllers/CategoryController.java b/src/main/java/eu/dnetlib/uoamonitorservice/controllers/CategoryController.java index c93d9cd..119a53f 100644 --- a/src/main/java/eu/dnetlib/uoamonitorservice/controllers/CategoryController.java +++ b/src/main/java/eu/dnetlib/uoamonitorservice/controllers/CategoryController.java @@ -4,11 +4,15 @@ import eu.dnetlib.uoamonitorservice.dao.*; import eu.dnetlib.uoamonitorservice.entities.*; import eu.dnetlib.uoamonitorservice.handlers.EntityNotFoundException; import eu.dnetlib.uoamonitorservice.handlers.PathNotValidException; +import eu.dnetlib.uoamonitorservice.handlers.utils.RolesUtils; import org.apache.log4j.Logger; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.access.AccessDeniedException; +import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.web.bind.annotation.*; import java.util.ArrayList; +import java.util.Date; import java.util.Iterator; import java.util.List; @@ -17,6 +21,9 @@ import java.util.List; public class CategoryController { private final Logger log = Logger.getLogger(this.getClass()); + @Autowired + private RolesUtils rolesUtils; + @Autowired private StakeholderDAO stakeholderDAO; @@ -29,12 +36,6 @@ public class CategoryController { @Autowired private SubCategoryDAO subCategoryDAO; - @Autowired - private SectionDAO sectionDAO; - - @Autowired - private IndicatorDAO indicatorDAO; - @Autowired private SubCategoryController subCategoryController; 
@@ -51,12 +52,20 @@ public class CategoryController { categoryFull.setSubCategories(subCategoriesFull); category.setSubCategories(subCategories); + Date date = new Date(); + category.setCreationDate(date); + category.setUpdateDate(date); + + categoryFull.setCreationDate(date); + categoryFull.setUpdateDate(date); + categoryDAO.save(category); categoryFull.setId(category.getId()); return categoryFull; } + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/{topicId}/save", method = RequestMethod.POST) public Category saveCategory(@PathVariable("stakeholderId") String stakeholderId, @PathVariable("topicId") String topicId, @@ -67,6 +76,13 @@ public class CategoryController { Stakeholder stakeholder = stakeholderDAO.findById(stakeholderId); if(stakeholder != null) { + + List roles = rolesUtils.getRoles(); + if(!rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("Save Category: You are not authorized to update stakeholder with id: "+stakeholderId); + } + Category oldCategory = null; if(categoryFull.getId() != null) { oldCategory = categoryDAO.findById(categoryFull.getId()); @@ -75,8 +91,17 @@ public class CategoryController { Topic topic = topicDAO.findById(topicId); if(topic != null) { if(stakeholder.getTopics().contains(topicId)) { + Category category = new Category<>(categoryFull); + + Date date = new Date(); + category.setUpdateDate(date); + categoryFull.setUpdateDate(date); + // if category not exists (no id), create a new default subcategory, identical to category if(categoryFull.getId() == null) { + category.setCreationDate(date); + categoryFull.setCreationDate(date); + SubCategory subCategory = new SubCategory<>(); subCategory.createOverviewSubCategory(categoryFull); 
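Review bot: The authorization block added after `if(stakeholder != null)` in saveCategory — fetch roles, call hasUpdateAuthority, throw AccessDeniedException — is repeated verbatim in deleteCategory, toggleCategory and checkForExceptions later in this file, and again in the other controllers of this patch, differing only in the message prefix. A private helper such as `private void checkUpdateAuthority(Stakeholder stakeholder, String stakeholderId, String context)` that throws `new AccessDeniedException(context + ": You are not authorized to update stakeholder with id: " + stakeholderId)` would keep the policy in one place and make a future rule change a one-line edit. `List roles` is also a raw type; if RolesUtils.getRoles() returns a parameterized list, declare the local with that element type so the hasUpdateAuthority call sites type-check. saveCategory's body continues past this hunk.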
@@ -85,23 +110,22 @@ public class CategoryController { subCategories.add(subCategory); } - - Category category = new Category<>(categoryFull); - List subCategories = new ArrayList<>(); for(SubCategory subCategory : categoryFull.getSubCategories()) { subCategories.add(subCategory.getId()); } category.setSubCategories(subCategories); - categoryDAO.save(category); - if(stakeholder.getDefaultId() == null) { if(categoryFull.getId() == null) { + categoryDAO.save(category); onSaveDefaultCategory(category, topicId); } else { onUpdateDefaultCategory(category, oldCategory); + categoryDAO.save(category); } + } else { + categoryDAO.save(category); } List categories = topic.getCategories(); @@ -178,10 +202,12 @@ public class CategoryController { // categoryBasedOnDefault.setName(category.getName()); // categoryBasedOnDefault.setDescription(category.getDescription()); + categoryBasedOnDefault.setUpdateDate(category.getUpdateDate()); categoryDAO.save(categoryBasedOnDefault); } } + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/delete", method = RequestMethod.DELETE) public boolean deleteCategory(@PathVariable("stakeholderId") String stakeholderId, @PathVariable("topicId") String topicId, @@ -194,6 +220,12 @@ public class CategoryController { if(stakeholder != null) { + List roles = rolesUtils.getRoles(); + if(!rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("Delete category: You are not authorized to update stakeholder with id: "+stakeholderId); + } + Topic topic = topicDAO.findById(topicId); if(topic != null) { if(stakeholder.getTopics().contains(topicId)) { 
@@ -201,6 +233,12 @@ public class CategoryController { Category category = categoryDAO.findById(categoryId); if(category != null) { + if(category.getDefaultId() != null && !rolesUtils.hasCreateAndDeleteAuthority(roles, stakeholder.getType())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("Delete category: You are not authorized to delete a default Category in stakeholder with id: "+stakeholderId); + } + + List categories = topic.getCategories(); int index = categories.indexOf(categoryId); if(index != -1) { @@ -321,6 +359,7 @@ public class CategoryController { return true; } + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/{topicId}/reorder", method = RequestMethod.POST) public List reorderCategories(@PathVariable("stakeholderId") String stakeholderId, @PathVariable("topicId") String topicId, 
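Review bot: The condition `category.getDefaultId() != null` matches categories that were copied from a default one (elsewhere in this patch defaultId is the id of the entity a copy is based on, see the findByDefaultId lookups), yet the message says the user may not delete "a default Category". If the intent is to protect the originals in the default profile, the check belongs on the stakeholder, e.g. `stakeholder.getDefaultId() == null`; if the intent is to protect the copies, reword the message to `"Delete category: You are not authorized to delete a Category based on a default one in stakeholder with id: "+stakeholderId`. The same condition and wording are used in deleteIndicator and deleteSection, so whichever reading is right should be applied to all three.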
@@ -342,42 +381,63 @@ public class CategoryController { return categoriesFull; } - @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/toggle-status", method = RequestMethod.POST) - public Boolean toggleCategoryStatus(@PathVariable("stakeholderId") String stakeholderId, - @PathVariable("topicId") String topicId, - @PathVariable("categoryId") String categoryId) { - log.debug("toggle category status (isActive)"); +// @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/toggle-status", method = RequestMethod.POST) +// public Boolean toggleCategoryStatus(@PathVariable("stakeholderId") String stakeholderId, +// @PathVariable("topicId") String topicId, +// @PathVariable("categoryId") String categoryId) { +// log.debug("toggle category status (isActive)"); +// log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId + " - Category: "+categoryId); +// +// Category category = categoryDAO.findById(categoryId); +// if (category == null) { +// // EXCEPTION - Category not found +// throw new EntityNotFoundException("Toggle category status: Category with id: "+categoryId+" not found"); +// } +// category.setIsActive(!category.getIsActive()); +// +// this.toggleCategory(stakeholderId, topicId, category); +// +// return category.getIsActive(); +// } +// +// @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/toggle-access", method = RequestMethod.POST) +// public Boolean toggleCategoryAccess(@PathVariable("stakeholderId") String stakeholderId, +// @PathVariable("topicId") String topicId, +// @PathVariable("categoryId") String categoryId) { +// log.debug("toggle category access (isPublic)"); +// log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId + " - Category: "+categoryId); +// +// Category category = categoryDAO.findById(categoryId); +// if (category == null) { +// // EXCEPTION - Category not found +// throw new EntityNotFoundException("Toggle category access: Category with id: "+categoryId+" not found"); +// } +// 
category.setIsPublic(!category.getIsPublic()); +// +// this.toggleCategory(stakeholderId, topicId, category); +// +// return category.getIsPublic(); +// } + + @PreAuthorize("isAuthenticated()") + @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/change-visibility", method = RequestMethod.POST) + public Visibility changeCategoryVisibility(@PathVariable("stakeholderId") String stakeholderId, + @PathVariable("topicId") String topicId, + @PathVariable("categoryId") String categoryId, + @RequestParam("visibility") Visibility visibility) { + log.debug("change category visibility: "+visibility); log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId + " - Category: "+categoryId); Category category = categoryDAO.findById(categoryId); if (category == null) { // EXCEPTION - Category not found - throw new EntityNotFoundException("Toggle category status: Category with id: "+categoryId+" not found"); + throw new EntityNotFoundException("Change topic visibility: Category with id: "+categoryId+" not found"); } - category.setIsActive(!category.getIsActive()); + category.setVisibility(visibility); this.toggleCategory(stakeholderId, topicId, category); - return category.getIsActive(); - } - - @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/toggle-access", method = RequestMethod.POST) - public Boolean toggleCategoryAccess(@PathVariable("stakeholderId") String stakeholderId, - @PathVariable("topicId") String topicId, - @PathVariable("categoryId") String categoryId) { - log.debug("toggle category access (isPublic)"); - log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId + " - Category: "+categoryId); - - Category category = categoryDAO.findById(categoryId); - if (category == null) { - // EXCEPTION - Category not found - throw new EntityNotFoundException("Toggle category access: Category with id: "+categoryId+" not found"); - } - category.setIsPublic(!category.getIsPublic()); - - this.toggleCategory(stakeholderId, topicId, category); - 
- return category.getIsPublic(); + return category.getVisibility(); } public void toggleCategory(String stakeholderId, String topicId, Category category) { @@ -385,6 +445,12 @@ public class CategoryController { if (stakeholder != null) { + List roles = rolesUtils.getRoles(); + if(!rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("Toggle category: You are not authorized to update stakeholder with id: "+stakeholderId); + } + Topic topic = topicDAO.findById(topicId); if (topic != null) { if (stakeholder.getTopics().contains(topicId)) { @@ -419,6 +485,12 @@ public class CategoryController { throw new EntityNotFoundException("checkForExceptions category: Stakeholder with id: " + stakeholderId + " not found"); } + List roles = rolesUtils.getRoles(); + if(!rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("checkForExceptions category: You are not authorized to update stakeholder with id: "+stakeholderId); + } + Topic topic = topicDAO.findById(topicId); if(topic == null) { // EXCEPTION - Topic not found diff --git a/src/main/java/eu/dnetlib/uoamonitorservice/controllers/IndicatorController.java b/src/main/java/eu/dnetlib/uoamonitorservice/controllers/IndicatorController.java index 380e308..6c718a2 100644 --- a/src/main/java/eu/dnetlib/uoamonitorservice/controllers/IndicatorController.java +++ b/src/main/java/eu/dnetlib/uoamonitorservice/controllers/IndicatorController.java 
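Review bot: The not-found message in changeCategoryVisibility reads `"Change topic visibility: Category with id: "`, a copy of the TopicController text; it should be `throw new EntityNotFoundException("Change category visibility: Category with id: "+categoryId+" not found");`. The two superseded toggle endpoints are kept as roughly forty lines of `//` commented code instead of being deleted; the history is in git and a commented block only drifts from the live code. `category.setVisibility(visibility)` is applied before toggleCategory runs the authorization check added further down this file, which is harmless only if toggleCategory is the sole place that persists the entity — a one-line comment at the call site, e.g. `// authorization and persistence happen in toggleCategory`, would make that dependency explicit.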
@@ -5,8 +5,11 @@ import eu.dnetlib.uoamonitorservice.dao.*; import eu.dnetlib.uoamonitorservice.entities.*; import eu.dnetlib.uoamonitorservice.handlers.EntityNotFoundException; import eu.dnetlib.uoamonitorservice.handlers.PathNotValidException; +import eu.dnetlib.uoamonitorservice.handlers.utils.RolesUtils; import org.apache.log4j.Logger; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.access.AccessDeniedException; +import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.web.bind.annotation.*; import java.io.UnsupportedEncodingException; @@ -18,6 +21,9 @@ import java.util.*; public class IndicatorController { private final Logger log = Logger.getLogger(this.getClass()); + @Autowired + private RolesUtils rolesUtils; + @Autowired private StakeholderDAO stakeholderDAO; @@ -37,6 +43,7 @@ public class IndicatorController { private IndicatorDAO indicatorDAO; + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/{sectionId}/save", method = RequestMethod.POST) public Indicator saveIndicator(@PathVariable("stakeholderId") String stakeholderId, @PathVariable("topicId") String topicId, 
@@ -49,23 +56,31 @@ public class IndicatorController { Section section = checkForExceptions(stakeholderId, topicId, categoryId, subcategoryId, sectionId, indicator.getType()); + Date date = new Date(); + indicator.setUpdateDate(date); + Indicator oldIndicator = null; if(indicator.getId() != null) { oldIndicator = indicatorDAO.findById(indicator.getId()); + } else { // indicator does not exist in DB + indicator.setCreationDate(date); } String indicatorId = indicator.getId(); - indicatorDAO.save(indicator); Stakeholder stakeholder = stakeholderDAO.findById(stakeholderId); // this indicator belongs in default profile and it is new or it is updated if(stakeholder.getDefaultId() == null) { if(indicatorId == null) { + indicatorDAO.save(indicator); onSaveDefaultIndicator(indicator, sectionId); } else { onUpdateDefaultIndicator(indicator, stakeholder, oldIndicator); + indicatorDAO.save(indicator); } + } else { + indicatorDAO.save(indicator); } List indicators = section.getIndicators(); @@ -86,7 +101,7 @@ public class IndicatorController { // new indicator in default profile - add it on profiles of the same type List
sections = sectionDAO.findByDefaultId(defaultSectionId); - for (Section section : sections) { + for (Section section : sections) { Indicator indicatorNew = new Indicator(); indicatorNew.copyFromDefault(indicator); for (IndicatorPath indicatorPath : indicatorNew.getIndicatorPaths()) { @@ -108,10 +123,12 @@ public class IndicatorController { // indicator already exists - check if changed and update all indicators based on it - boolean changed = false; + boolean changed; List indicators = indicatorDAO.findByDefaultId(indicator.getId()); for(Indicator indicatorBasedOnDefault : indicators) { + changed = false; + if(indicator.getName() != null && !indicator.getName().equals(indicatorBasedOnDefault.getName()) && (oldIndicator.getName() == null || oldIndicator.getName().equals(indicatorBasedOnDefault.getName()))) { 
@@ -119,18 +136,30 @@ public class IndicatorController { changed = true; } - if(indicator.getDescription() != null && !indicator.getDescription().equals(indicatorBasedOnDefault.getDescription()) - && (oldIndicator.getDescription() == null || oldIndicator.getDescription().equals(indicatorBasedOnDefault.getDescription()))) { + if(indicator.getDescription() != null && !indicator.getDescription().equals(indicatorBasedOnDefault.getDescription())) { indicatorBasedOnDefault.setDescription(indicator.getDescription()); changed = true; } + if(indicator.getAdditionalDescription() != null && !indicator.getAdditionalDescription().equals(indicatorBasedOnDefault.getAdditionalDescription()) + && (oldIndicator.getAdditionalDescription() == null || oldIndicator.getAdditionalDescription().equals(indicatorBasedOnDefault.getAdditionalDescription()))) { + + indicatorBasedOnDefault.setAdditionalDescription(indicator.getAdditionalDescription()); + changed = true; + } + int i = 0; List indicatorPaths = indicatorBasedOnDefault.getIndicatorPaths(); + if(indicatorPaths == null && indicator.getIndicatorPaths() != null) { + indicatorPaths = new ArrayList<>(); + } for (IndicatorPath indicatorPath : indicator.getIndicatorPaths()) { - IndicatorPath indicatorPathBasedOnDefault = indicatorBasedOnDefault.getIndicatorPaths().get(i); + IndicatorPath indicatorPathBasedOnDefault = null; + if(i < indicatorPaths.size()) { + indicatorPathBasedOnDefault = indicatorPaths.get(i); + } if(indicatorPathBasedOnDefault == null) { // Add new indicator path in existing indicators 
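Review bot: The new guard `if(indicatorPaths == null && indicator.getIndicatorPaths() != null)` allocates a local list, but the for-each two lines below still iterates `indicator.getIndicatorPaths()` unguarded, so a null there still throws; and the freshly created `indicatorPaths` is a local that this hunk never attaches to indicatorBasedOnDefault, so if the "Add new indicator path" branch below appends to `indicatorBasedOnDefault.getIndicatorPaths()` it will still hit the null. Either assign the new list to indicatorBasedOnDefault through its setter right after the allocation (the setter is not visible here — confirm it exists), or wrap the whole loop in `if(indicator.getIndicatorPaths() != null)`; please check against the add branch, which is outside this hunk. Dropping the old-value comparison for description means a default's description now overwrites every derived indicator's customised description; that matches the commit message but deserves a comment such as `// description always follows the default (update policy), unlike name and additionalDescription`.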
@@ -142,7 +171,7 @@ public class IndicatorController { IndicatorPath oldIndicatorPath = oldIndicator.getIndicatorPaths().get(i); // Check if there are changes in indicator path and update existing indicators if needed - log.debug("update indicator path: "+i); + log.debug("update indicator path: "+i + " (indicator id: "+indicatorBasedOnDefault.getId()+")"); if(indicatorPath.getType() != null && !indicatorPath.getType().equals(indicatorPathBasedOnDefault.getType()) @@ -189,7 +218,7 @@ public class IndicatorController { for (Map.Entry parameter : indicatorPath.getParameters().entrySet()) { log.debug("\nindicatorPath: parameter.getKey(): "+parameter.getKey()+" - value: "+parameter.getValue() +"\nindicatorPathBasedOnDefault:parameters:key: "+ indicatorPathBasedOnDefault.getParameters().get(parameter.getKey()) - +"\noldIndicatorPath:parameters:key: "+ oldIndicatorPath.getParameters().get(parameter.getKey())); + +"\noldIndicatorPath:parameters:key: "+ (oldIndicatorPath.getParameters() == null ? "null" : oldIndicatorPath.getParameters().get(parameter.getKey()))); if (!indicatorPathBasedOnDefault.getParameters().containsKey(parameter.getKey()) || (oldIndicatorPath.getParameters() == null || (oldIndicatorPath.getParameters().get(parameter.getKey()).equals(indicatorPathBasedOnDefault.getParameters().get(parameter.getKey())) 
@@ -203,43 +232,82 @@ public class IndicatorController { // changed = true; // } } - parameterMapping(indicatorPathBasedOnDefault, stakeholder); + // TODO when deleting indicator path parameters... ??? + parameterMapping(indicatorPathBasedOnDefault, stakeholder); //} - log.debug("After parameters check: " + changed); } + log.debug("After parameters check: " + changed); if(indicatorPath.getJsonPath() != null) { - int j = 0; - for (String jsonString : indicatorPath.getJsonPath()) { - log.debug("indicatorPath.getJsonPath(): " + jsonString); - String jsonStringBasedOnDefault = null; - if(indicatorPathBasedOnDefault.getJsonPath() != null ) { - jsonStringBasedOnDefault = indicatorPathBasedOnDefault.getJsonPath().get(j); - } else { + boolean jsonPathChanged = false; + boolean breaked = false; + + int oldJsonPathSize = 0; + if(oldIndicatorPath.getJsonPath() != null) { + oldJsonPathSize = oldIndicatorPath.getJsonPath().size(); + } + int basedOnDefaultJsonPathSize = 0; + if(indicatorPathBasedOnDefault.getJsonPath() != null) { + basedOnDefaultJsonPathSize = indicatorPathBasedOnDefault.getJsonPath().size(); + } + log.debug("old: "+oldJsonPathSize+" - based on default: "+basedOnDefaultJsonPathSize+" - new: "+indicatorPath.getJsonPath().size()); + if(oldJsonPathSize == basedOnDefaultJsonPathSize) { + if(indicatorPathBasedOnDefault.getJsonPath() == null && indicatorPath.getJsonPath().size() > 0) { indicatorPathBasedOnDefault.setJsonPath(new ArrayList<>()); } - log.debug("indicatorPathBasedOnDefault.getJsonPath().get(" + j + "): " + jsonStringBasedOnDefault); - if (!jsonString.equals(jsonStringBasedOnDefault) - && (oldIndicatorPath.getJsonPath() == null - || oldIndicatorPath.getJsonPath().get(i).equals(jsonStringBasedOnDefault)) - ) { - indicatorPathBasedOnDefault.getJsonPath().set(j, jsonString); + int basedOnDefaultIndex = 0; + int oldIndex = 0; + + Iterator jsonStringBasedOnDefaultIterator = indicatorPathBasedOnDefault.getJsonPath().iterator(); + while 
(jsonStringBasedOnDefaultIterator.hasNext()) { + String jsonStringBasedOnDefault = jsonStringBasedOnDefaultIterator.next(); + if(oldIndicatorPath.getJsonPath().get(oldIndex).equals(jsonStringBasedOnDefault)) { + if(basedOnDefaultIndex >= indicatorPath.getJsonPath().size()) { // string deleted + jsonStringBasedOnDefaultIterator.remove(); + jsonPathChanged = true; + } else { // check if string changed + if(!indicatorPath.getJsonPath().get(basedOnDefaultIndex).equals(jsonStringBasedOnDefault)) { + indicatorPathBasedOnDefault.getJsonPath().set(basedOnDefaultIndex, indicatorPath.getJsonPath().get(basedOnDefaultIndex)); + jsonPathChanged = true; + } + basedOnDefaultIndex++; + } + oldIndex++; + } else { + breaked = true; + jsonPathChanged = false; + log.debug("not the same: "+oldIndex); + break; + } + } + + int index=0; + if(!breaked && indicatorPath.getJsonPath().size() > indicatorPathBasedOnDefault.getJsonPath().size()) { // strings added + jsonPathChanged = true; + for(index=indicatorPathBasedOnDefault.getJsonPath().size(); index < indicatorPath.getJsonPath().size(); index++) { + indicatorPathBasedOnDefault.getJsonPath().add(indicatorPath.getJsonPath().get(index)); + } + } + + if(jsonPathChanged) { changed = true; } - j++; } - log.debug("After jsonPath check: " + changed); + // TODO when deleting indicator path json path strings... } + log.debug("After jsonPath check: " + changed); } i++; } + // TODO when deleting indicator paths... if(!changed) { // break; continue; } + indicatorBasedOnDefault.setUpdateDate(indicator.getUpdateDate()); indicatorDAO.save(indicatorBasedOnDefault); } } @@ -299,6 +367,7 @@ public class IndicatorController { return indicatorPathField; } + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/{sectionId}/{indicatorId}/delete", method = RequestMethod.DELETE) public boolean deleteIndicator(@PathVariable("stakeholderId") String stakeholderId, @PathVariable("topicId") String topicId, 
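Review bot: In the jsonPath sync, `indicatorPathBasedOnDefault.getJsonPath()` is only allocated when `indicatorPath.getJsonPath().size() > 0`, but the iterator is taken from it unconditionally a few lines later (and its size is read again after the loop), so an indicator path whose jsonPath is an empty list — non-null, so it passes the outer check — against a copy whose jsonPath is null throws a NullPointerException; dropping the `size() > 0` clause so the list is always allocated when null fixes it. Second, the loop mutates the copy's list in place (`set`, `remove`) as it goes, and on a mismatch it sets `jsonPathChanged = false` and breaks, but the earlier edits are not undone and `changed` may already be true from name or description, so a partially rewritten jsonPath can be saved — build the new list on a copy and assign it only when the whole pass succeeds, or stop treating `jsonPathChanged = false` as a rollback. Minor: `breaked` would read better as `mismatch`, and `int index=0;` can be declared in the for header since it is not used afterwards. The size-mismatch case is a TODO, so copies whose jsonPath length already differs from the old default are silently skipped; a log line at warn level there would make that visible in production.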
@@ -314,6 +383,13 @@ public class IndicatorController { if(indicator != null) { Section section = checkForExceptions(stakeholderId, topicId, categoryId, subcategoryId, sectionId, indicator.getType()); + Stakeholder stakeholder = stakeholderDAO.findById(stakeholderId); + List roles = rolesUtils.getRoles(); + if(indicator.getDefaultId() != null && !rolesUtils.hasCreateAndDeleteAuthority(roles, stakeholder.getType())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("Delete indicator: You are not authorized to delete a default Indicator in stakeholder with id: "+stakeholderId); + } + List indicators = section.getIndicators(); int index = indicators.indexOf(indicatorId); @@ -484,6 +560,7 @@ public class IndicatorController { // return true; // } + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/{sectionId}/{type}/reorder", method = RequestMethod.POST) public List reorderIndicators(@PathVariable("stakeholderId") String stakeholderId, @PathVariable("topicId") String topicId, 
@@ -509,48 +586,72 @@ public class IndicatorController { return indicatorsFull; } - @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/{sectionId}/{indicatorId}/toggle-status", method = RequestMethod.POST) - public Boolean toggleIndicatorStatus(@PathVariable("stakeholderId") String stakeholderId, - @PathVariable("topicId") String topicId, - @PathVariable("categoryId") String categoryId, - @PathVariable("subcategoryId") String subcategoryId, - @PathVariable("sectionId") String sectionId, - @PathVariable("indicatorId") String indicatorId) { - log.debug("toggle indicator status (isActive)"); +// @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/{sectionId}/{indicatorId}/toggle-status", method = RequestMethod.POST) +// public Boolean toggleIndicatorStatus(@PathVariable("stakeholderId") String stakeholderId, +// @PathVariable("topicId") String topicId, +// @PathVariable("categoryId") String categoryId, +// @PathVariable("subcategoryId") String subcategoryId, +// @PathVariable("sectionId") String sectionId, +// @PathVariable("indicatorId") String indicatorId) { +// log.debug("toggle indicator status (isActive)"); +// log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId + " - Category: "+categoryId+ " - SubCategory: "+subcategoryId + " - Section: "+sectionId+ " - Indicator: "+indicatorId); +// +// Indicator indicator = indicatorDAO.findById(indicatorId); +// if (indicator == null) { +// // EXCEPTION - Indicator not found +// throw new EntityNotFoundException("Toggle indicator status: Indicator with id: "+indicatorId+" not found"); +// } +// indicator.setIsActive(!indicator.getIsActive()); +// +// this.toggleIndicator(stakeholderId, topicId, categoryId, subcategoryId, sectionId, indicator); +// +// return indicator.getIsActive(); +// } +// +// @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/{sectionId}/{indicatorId}/toggle-access", method = RequestMethod.POST) +// public 
Boolean toggleIndicatorAccess(@PathVariable("stakeholderId") String stakeholderId, +// @PathVariable("topicId") String topicId, +// @PathVariable("categoryId") String categoryId, +// @PathVariable("subcategoryId") String subcategoryId, +// @PathVariable("sectionId") String sectionId, +// @PathVariable("indicatorId") String indicatorId) { +// log.debug("toggle indicator access (isPublic)"); +// log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId + " - Category: "+categoryId+ " - SubCategory: "+subcategoryId + " - Section: "+sectionId+ " - Indicator: "+indicatorId); +// +// Indicator indicator = indicatorDAO.findById(indicatorId); +// if (indicator == null) { +// // EXCEPTION - Indicator not found +// throw new EntityNotFoundException("Toggle indicator access: Indicator with id: "+indicatorId+" not found"); +// } +// indicator.setIsPublic(!indicator.getIsPublic()); +// +// this.toggleIndicator(stakeholderId, topicId, categoryId, subcategoryId, sectionId, indicator); +// +// return indicator.getIsPublic(); +// } + + @PreAuthorize("isAuthenticated()") + @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/{sectionId}/{indicatorId}/change-visibility", method = RequestMethod.POST) + public Visibility changeTopicVisibility(@PathVariable("stakeholderId") String stakeholderId, + @PathVariable("topicId") String topicId, + @PathVariable("categoryId") String categoryId, + @PathVariable("subcategoryId") String subcategoryId, + @PathVariable("sectionId") String sectionId, + @PathVariable("indicatorId") String indicatorId, + @RequestParam("visibility") Visibility visibility) { + log.debug("change indicator visibility: "+visibility); log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId + " - Category: "+categoryId+ " - SubCategory: "+subcategoryId + " - Section: "+sectionId+ " - Indicator: "+indicatorId); Indicator indicator = indicatorDAO.findById(indicatorId); if (indicator == null) { // EXCEPTION - Indicator not found - throw new 
EntityNotFoundException("Toggle indicator status: Indicator with id: "+indicatorId+" not found"); + throw new EntityNotFoundException("Change indicator visibility: Indicator with id: "+indicatorId+" not found"); } - indicator.setIsActive(!indicator.getIsActive()); + indicator.setVisibility(visibility); this.toggleIndicator(stakeholderId, topicId, categoryId, subcategoryId, sectionId, indicator); - return indicator.getIsActive(); - } - - @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/{sectionId}/{indicatorId}/toggle-access", method = RequestMethod.POST) - public Boolean toggleIndicatorAccess(@PathVariable("stakeholderId") String stakeholderId, - @PathVariable("topicId") String topicId, - @PathVariable("categoryId") String categoryId, - @PathVariable("subcategoryId") String subcategoryId, - @PathVariable("sectionId") String sectionId, - @PathVariable("indicatorId") String indicatorId) { - log.debug("toggle indicator access (isPublic)"); - log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId + " - Category: "+categoryId+ " - SubCategory: "+subcategoryId + " - Section: "+sectionId+ " - Indicator: "+indicatorId); - - Indicator indicator = indicatorDAO.findById(indicatorId); - if (indicator == null) { - // EXCEPTION - Indicator not found - throw new EntityNotFoundException("Toggle indicator access: Indicator with id: "+indicatorId+" not found"); - } - indicator.setIsPublic(!indicator.getIsPublic()); - - this.toggleIndicator(stakeholderId, topicId, categoryId, subcategoryId, sectionId, indicator); - - return indicator.getIsPublic(); + return indicator.getVisibility(); } public void toggleIndicator(String stakeholderId, String topicId, String categoryId, String subcategoryId, String sectionId, Indicator indicator) { 
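Review bot: The new endpoint is named `changeTopicVisibility` although it lives in IndicatorController, serves `.../{indicatorId}/change-visibility` and the commit message itself calls it changeIndicatorVisibility; rename it to `public Visibility changeIndicatorVisibility(...)` so logs, stack traces and the other controllers line up. As in CategoryController, the two superseded toggle endpoints survive as a large `//` block rather than being deleted. The visibility is written to the entity before toggleIndicator runs, which is presumably where the authorization check added to checkForExceptions later in this file is reached; that is fine as long as toggleIndicator is the only path that saves — toggleIndicator's body is outside this hunk, so worth a comment at the call site.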
@@ -576,6 +677,12 @@ public class IndicatorController { throw new EntityNotFoundException("Save indicator: Stakeholder with id: " + stakeholderId + " not found"); } + List roles = rolesUtils.getRoles(); + if(!rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("CheckForExceptions Indicator: You are not authorized to update stakeholder with id: "+stakeholderId); + } + Topic topic = topicDAO.findById(topicId); if(topic == null) { // EXCEPTION - Topic not found diff --git a/src/main/java/eu/dnetlib/uoamonitorservice/controllers/SectionController.java b/src/main/java/eu/dnetlib/uoamonitorservice/controllers/SectionController.java index 8661148..b02f7a3 100644 --- a/src/main/java/eu/dnetlib/uoamonitorservice/controllers/SectionController.java +++ b/src/main/java/eu/dnetlib/uoamonitorservice/controllers/SectionController.java @@ -4,11 +4,15 @@ import eu.dnetlib.uoamonitorservice.dao.*; import eu.dnetlib.uoamonitorservice.entities.*; import eu.dnetlib.uoamonitorservice.handlers.EntityNotFoundException; import eu.dnetlib.uoamonitorservice.handlers.PathNotValidException; +import eu.dnetlib.uoamonitorservice.handlers.utils.RolesUtils; import org.apache.log4j.Logger; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.access.AccessDeniedException; +import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.web.bind.annotation.*; import java.util.ArrayList; +import java.util.Date; import java.util.Iterator; import java.util.List; @@ -17,6 +21,9 @@ import java.util.List; public class SectionController { private final Logger log = Logger.getLogger(this.getClass()); + @Autowired + private RolesUtils rolesUtils; + @Autowired private StakeholderDAO stakeholderDAO; 
@@ -52,12 +59,20 @@ public class SectionController { sectionFull.setIndicators(indicatorsFull); section.setIndicators(indicators); + Date date = new Date(); + section.setCreationDate(date); + section.setUpdateDate(date); + + sectionFull.setCreationDate(date); + sectionFull.setUpdateDate(date); + sectionDAO.save(section); sectionFull.setId(section.getId()); return sectionFull; } + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/save/{index}", method = RequestMethod.POST) public Section saveSection(@PathVariable("stakeholderId") String stakeholderId, @PathVariable("topicId") String topicId, @@ -70,30 +85,40 @@ public class SectionController { SubCategory subCategory = checkForExceptions(stakeholderId, topicId, categoryId, subcategoryId); + Section section = new Section<>(sectionFull); + + Date date = new Date(); + section.setUpdateDate(date); + sectionFull.setUpdateDate(date); + Section oldSection = null; if(sectionFull.getId() != null) { oldSection = sectionDAO.findById(sectionFull.getId()); + } else { // section does not exist in DB + section.setCreationDate(date); + sectionFull.setCreationDate(date); } - Section section = new Section<>(sectionFull); - String sectionId = sectionFull.getId(); List indicators = new ArrayList<>(); for(Indicator indicator : sectionFull.getIndicators()) { indicators.add(indicator.getId()); } section.setIndicators(indicators); - sectionDAO.save(section); Stakeholder stakeholder = stakeholderDAO.findById(stakeholderId); // this section belongs in default profile and it is new or it is updated if(stakeholder.getDefaultId() == null) { if(sectionId == null) { + sectionDAO.save(section); onSaveDefaultSection(section, topicId, categoryId, subcategoryId, stakeholder); } else { onUpdateDefaultSection(section, stakeholder, oldSection); + sectionDAO.save(section); } + } else { + sectionDAO.save(section); } List sections = null; 
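Review bot: On the update path of saveSection, `Section section = new Section<>(sectionFull);` is built from the request body before `oldSection` is loaded, and `setCreationDate` is only applied in the new-section branch, so the persisted creation date on update appears to be whatever the client sent rather than the stored value (assuming the copy constructor copies that field, which the hunk does not show). The `if(sectionFull.getId() != null)` branch should restore it from the entity just loaded: `if (oldSection != null) { section.setCreationDate(oldSection.getCreationDate()); }`. The same pattern is in SubCategoryController's saveSubCategory (`@@ -79,13 +95,20`) and TopicController's saveTopic (`@@ -66,12 +69,24`). Separately, `oldSection` remains null when the supplied id is not found, and `onUpdateDefaultSection(section, stakeholder, oldSection)` is then called with a null reference; saveSection's body continues past the hunk.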
@@ -174,10 +199,12 @@ public class SectionController { } // sectionBasedOnDefault.setTitle(section.getTitle()); + sectionBasedOnDefault.setUpdateDate(section.getUpdateDate()); sectionDAO.save(sectionBasedOnDefault); } } + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/{sectionId}/delete", method = RequestMethod.DELETE) public boolean deleteSection(@PathVariable("stakeholderId") String stakeholderId, @PathVariable("topicId") String topicId, @@ -192,6 +219,13 @@ public class SectionController { if(section != null) { SubCategory subCategory = checkForExceptions(stakeholderId, topicId, categoryId, subcategoryId); + Stakeholder stakeholder = stakeholderDAO.findById(stakeholderId); + List roles = rolesUtils.getRoles(); + if(section.getDefaultId() != null && !rolesUtils.hasCreateAndDeleteAuthority(roles, stakeholder.getType())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("Delete section: You are not authorized to delete a default Section in stakeholder with id: "+stakeholderId); + } + String type = ""; List sections = null; if (section.getType().equals("chart")) { @@ -273,6 +307,7 @@ public class SectionController { return true; } + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/{type}/reorder", method = RequestMethod.POST) public List
reorderSections(@PathVariable("stakeholderId") String stakeholderId, @PathVariable("topicId") String topicId, @@ -343,6 +378,7 @@ public class SectionController { // return section.getIsPublic(); // } + public void toggleSection(String stakeholderId, String topicId, String categoryId, String subcategoryId, Section section) { SubCategory subCategory = checkForExceptions(stakeholderId, topicId, categoryId, subcategoryId); @@ -372,6 +408,12 @@ public class SectionController { throw new EntityNotFoundException("Save indicator: Stakeholder with id: " + stakeholderId + " not found"); } + List roles = rolesUtils.getRoles(); + if(!rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("CheckForExceptions Section: You are not authorized to update stakeholder with id: "+stakeholderId); + } + Topic topic = topicDAO.findById(topicId); if(topic == null) { // EXCEPTION - Topic not found diff --git a/src/main/java/eu/dnetlib/uoamonitorservice/controllers/StakeholderController.java b/src/main/java/eu/dnetlib/uoamonitorservice/controllers/StakeholderController.java index f6b1ba5..dbdb6aa 100644 --- a/src/main/java/eu/dnetlib/uoamonitorservice/controllers/StakeholderController.java +++ b/src/main/java/eu/dnetlib/uoamonitorservice/controllers/StakeholderController.java 
@@ -1,17 +1,19 @@ package eu.dnetlib.uoamonitorservice.controllers; -//import com.fasterxml.jackson.core.type.TypeReference; -//import com.fasterxml.jackson.databind.ObjectMapper; import eu.dnetlib.uoamonitorservice.dao.*; import eu.dnetlib.uoamonitorservice.entities.*; import eu.dnetlib.uoamonitorservice.handlers.EntityNotFoundException; -import eu.dnetlib.uoamonitorservice.handlers.PathNotValidException; +import eu.dnetlib.uoamonitorservice.handlers.utils.RolesUtils; import org.apache.log4j.Logger; import org.springframework.beans.factory.annotation.Autowired; + +import org.springframework.security.access.AccessDeniedException; +import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.web.bind.annotation.*; import java.util.ArrayList; import java.util.Date; +import java.util.Iterator; import java.util.List; @RestController @@ -19,6 +21,9 @@ import java.util.List; public class StakeholderController { private final Logger log = Logger.getLogger(this.getClass()); + @Autowired + private RolesUtils rolesUtils; + @Autowired private StakeholderDAO stakeholderDAO; @@ -40,6 +45,10 @@ public class StakeholderController { @Autowired private TopicController topicController; +// @PreAuthorize("isAuthenticated()") + @PreAuthorize("hasAnyAuthority(" + + "@AuthorizationService.PORTAL_ADMIN, " + + "@AuthorizationService.curator(#stakeholderFull.getType()))") @RequestMapping(value = "/build-stakeholder", method = RequestMethod.POST) public Stakeholder>>>> buildFullStakeholder(@RequestBody Stakeholder>>>> stakeholderFull) { log.debug("build stakeholder"); 
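Review bot: The `@PreAuthorize` expression on buildFullStakeholder references `#stakeholderFull`, which Spring Security can only resolve if the parameter name is available at runtime (javac `-parameters`/debug info) or the parameter carries an explicit name annotation such as `@P("stakeholderFull")`; if neither holds, the expression does not evaluate as intended and the endpoint behaves unexpectedly for every caller. I cannot see the build configuration in the diff, so this is worth confirming once, because saveStakeholder (`@@ -242,9 +405,30`) uses the same style. Note also that both `type` and (for saveStakeholder) `alias` feeding the curator/manager authority come straight from the request body, so the method body must not trust them beyond what the check establishes.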
@@ -70,7 +79,28 @@ public class StakeholderController { //return null; } - public Stakeholder setFullEntities(Stakeholder stakeholder) { + public Stakeholder setFullEntities(Stakeholder stakeholder, List roles) { + boolean addAll = false; + boolean addPublicAndRestricted = false; + +// if(roles == null +// || roles.contains(authorizationService.PORTAL_ADMIN) +// || roles.contains(authorizationService.curator(stakeholder.getType())) +// || roles.contains(authorizationService.manager(stakeholder.getType(), stakeholder.getAlias()))) { + if(rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias())) { + //if(visibility == null || visibility == (Visibility.PRIVATE)) { + addAll = true; + //} + //if(visibility == null || visibility == (Visibility.PRIVATE) || visibility == (Visibility.RESTRICTED)) { + addPublicAndRestricted = true; + //} +// } else if(roles != null && roles.contains(authorizationService.member(stakeholder.getType(), stakeholder.getAlias()))) { + } else if(rolesUtils.isMember(roles, stakeholder.getType(), stakeholder.getAlias())) { + //if(visibility == null || visibility == (Visibility.PRIVATE) || visibility == (Visibility.RESTRICTED)) { + addPublicAndRestricted = true; + //} + } + Stakeholder stakeholderFull = new Stakeholder<>(stakeholder); List topics = new ArrayList<>(); @@ -81,6 +111,12 @@ public class StakeholderController { // EXCEPTION - Topic not found throw new EntityNotFoundException("Get stakeholder: Topic with id: "+topicId+" not found (topic exists in stakeholder: "+stakeholder.getId()+")"); } + + if((!addAll && topic.getVisibility() == Visibility.PRIVATE) + || (!addPublicAndRestricted && topic.getVisibility() == Visibility.RESTRICTED)) { + continue; + } + Topic topicFull = new Topic(topic); List categories = new ArrayList<>(); 
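Review bot: The new visibility filter in setFullEntities fails open for an entity whose visibility is unset: `topic.getVisibility() == Visibility.PRIVATE` and the RESTRICTED comparison are both false for null, so a topic with no visibility value is returned to every caller, including anonymous ones. The identical three-line condition is repeated for categories and subcategories (`@@ -91,6 +127,12`, `@@ -101,19 +143,25`) and for indicators in getSectionFull (`@@ -169,6 +218,12`), so a small helper that treats null as PRIVATE and is called at all four sites keeps the rule in one place. The commented-out `authorizationService` blocks left in the method body should be deleted rather than kept alongside the RolesUtils calls. Whether a null visibility can actually occur (legacy documents, missing default in the entity) is not visible from the diff.
```java
    // An entity with no visibility value is treated as PRIVATE rather than shown to everyone.
    private boolean isHidden(Visibility visibility, boolean addAll, boolean addPublicAndRestricted) {
        if (visibility == null) {
            return !addAll;
        }
        return (!addAll && visibility == Visibility.PRIVATE)
            || (!addPublicAndRestricted && visibility == Visibility.RESTRICTED);
    }

    // … unchanged: setFullEntities up to the topic loop …
            if (isHidden(topic.getVisibility(), addAll, addPublicAndRestricted)) {
                continue;
            }
    // … unchanged: remainder of the topic loop …
```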
@@ -91,6 +127,12 @@ public class StakeholderController { // EXCEPTION - Category not found throw new EntityNotFoundException("Get stakeholder: Category with id: "+categoryId+" not found (category exists in topic: "+topicId+")"); } + + if((!addAll && category.getVisibility() == Visibility.PRIVATE) + || (!addPublicAndRestricted && category.getVisibility() == Visibility.RESTRICTED)) { + continue; + } + Category categoryFull = new Category(category); List subCategories = new ArrayList<>(); @@ -101,19 +143,25 @@ public class StakeholderController { // EXCEPTION - SubCategory not found throw new EntityNotFoundException("Get stakeholder: SubCategory with id: "+subCategoryId+" not found (subCategory exists in category: "+categoryId+")"); } + + if((!addAll && subCategory.getVisibility() == Visibility.PRIVATE) + || (!addPublicAndRestricted && subCategory.getVisibility() == Visibility.RESTRICTED)) { + continue; + } + SubCategory subCategoryFull = new SubCategory>(subCategory); List
sectionsCharts = new ArrayList<>(); for(String sectionId : subCategory.getCharts()) { - sectionsCharts.add(getSectionFull(sectionId, subCategoryId)); + sectionsCharts.add(getSectionFull(sectionId, subCategoryId, addAll, addPublicAndRestricted)); } subCategoryFull.setCharts(sectionsCharts); List
sectionsNumbers = new ArrayList<>(); for(String sectionId : subCategory.getNumbers()) { - sectionsNumbers.add(getSectionFull(sectionId, subCategoryId)); + sectionsNumbers.add(getSectionFull(sectionId, subCategoryId, addAll, addPublicAndRestricted)); } subCategoryFull.setNumbers(sectionsNumbers); @@ -154,12 +202,13 @@ public class StakeholderController { return stakeholderFull; } - private Section getSectionFull(String sectionId, String subCategoryId) { + private Section getSectionFull(String sectionId, String subCategoryId, boolean addAll, boolean addPublicAndRestricted) { Section section = sectionDAO.findById(sectionId); if (section == null) { // EXCEPTION - Section not found throw new EntityNotFoundException("Get stakeholder: Section with id: " + sectionId + " not found (section exists in subCategory: " + subCategoryId + ")"); } + Section sectionFull = new Section(section); List indicators = new ArrayList<>(); @@ -169,6 +218,12 @@ public class StakeholderController { // EXCEPTION - Indicator not found throw new EntityNotFoundException("Get stakeholder: Indicator with id: " + indicatorId + " not found (indicator exists in section: " + sectionId + ")"); } + + if((!addAll && indicator.getVisibility() == Visibility.PRIVATE) + || (!addPublicAndRestricted && indicator.getVisibility() == Visibility.RESTRICTED)) { + continue; + } + indicators.add(indicator); } sectionFull.setIndicators(indicators); @@ -176,6 +231,8 @@ public class StakeholderController { return sectionFull; } + @PreAuthorize("hasAnyAuthority(" + + "@AuthorizationService.PORTAL_ADMIN)") @RequestMapping(value = "/stakeholder/all", method = RequestMethod.GET) public List getAllStakeholders(@RequestParam(required = false) String type) { log.debug("get all stakeholders" + (type != null ? " with type: "+type : "")); 
@@ -189,12 +246,14 @@ public class StakeholderController { List stakeholdersFull = new ArrayList<>(); for(Stakeholder stakeholder : stakeholders) { - stakeholdersFull.add(this.setFullEntities(stakeholder)); + List roles = rolesUtils.getRoles(); + stakeholdersFull.add(this.setFullEntities(stakeholder, roles)); } return stakeholdersFull; } + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/stakeholder/default", method = RequestMethod.GET) public List getAllDefaultStakeholders(@RequestParam(required = false) String type) { log.debug("get all default stakeholders" + (type != null ? " with type: "+type : "")); @@ -207,9 +266,34 @@ public class StakeholderController { } List stakeholdersFull = new ArrayList<>(); - for(Stakeholder stakeholder : stakeholders) { - stakeholdersFull.add(this.setFullEntities(stakeholder)); + + // Remove stakeholders for which i do not have authority + if(stakeholders != null && stakeholders.size() > 0) { + List roles = rolesUtils.getRoles(); +// log.debug("ROLES: "); +// roles.forEach(role -> log.debug(role)); +// +// if (roles.contains(authorizationService.PORTAL_ADMIN)) { + if (rolesUtils.isPortalAdmin(roles)) { + for(Stakeholder stakeholder : stakeholders) { + stakeholdersFull.add(this.setFullEntities(stakeholder, roles)); + } + return stakeholdersFull; + } + + Iterator stakeholderIterator = stakeholders.iterator(); + while(stakeholderIterator.hasNext()) { + Stakeholder stakeholder = stakeholderIterator.next(); + +// if(roles.contains(authorizationService.curator(stakeholder.getType()))) { + if(rolesUtils.isCurator(roles, stakeholder.getType())) { + stakeholdersFull.add(this.setFullEntities(stakeholder, roles)); + continue; + } + stakeholderIterator.remove(); + } } + return stakeholdersFull; } 
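Review bot: In getAllStakeholders, `List roles = rolesUtils.getRoles();` is now evaluated once per stakeholder inside the for loop although the result does not depend on the loop variable; hoist it above the loop as getAllDefaultStakeholders already does. In getAllDefaultStakeholders, the `stakeholderIterator.remove()` call mutates the list returned by the DAO even though only `stakeholdersFull` is returned, so the removal is unnecessary work; a plain for-each that adds the curator-visible entries would read more directly.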
@@ -224,11 +308,90 @@ public class StakeholderController { stakeholders = stakeholderDAO.findByDefaultIdNotAndType(null, type); } - List stakeholdersFull = new ArrayList<>(); - for(Stakeholder stakeholder : stakeholders) { - stakeholdersFull.add(this.setFullEntities(stakeholder)); + //List stakeholdersFull = new ArrayList<>(); + + if(stakeholders != null && stakeholders.size() > 0) { +// List roles = authorizationService.getRoles(); + List roles = rolesUtils.getRoles(); + +// if (roles.contains(authorizationService.PORTAL_ADMIN)) { + if (rolesUtils.isPortalAdmin(roles)) { +// for(Stakeholder stakeholder : stakeholders) { +// stakeholdersFull.add(this.setFullEntities(stakeholder)); +// } +// return stakeholdersFull; + return stakeholders; + } + + Iterator stakeholderIterator = stakeholders.iterator(); + while(stakeholderIterator.hasNext()) { + Stakeholder stakeholder = stakeholderIterator.next(); + +// if(roles.contains(authorizationService.curator(stakeholder.getType())) +// || roles.contains(authorizationService.manager(stakeholder.getType(), stakeholder.getAlias())) +// || stakeholder.getVisibility() == Visibility.PUBLIC +// || (stakeholder.getVisibility() == Visibility.RESTRICTED && roles.contains(authorizationService.member(stakeholder.getType(), stakeholder.getAlias())))) { + if(rolesUtils.isCurator(roles, stakeholder.getType()) + || rolesUtils.isManager(roles, stakeholder.getType(), stakeholder.getAlias()) + || stakeholder.getVisibility() == Visibility.PUBLIC + || (stakeholder.getVisibility() == Visibility.RESTRICTED && rolesUtils.isMember(roles, stakeholder.getType(), stakeholder.getAlias()))) { + //stakeholdersFull.add(this.setFullEntities(stakeholder)); + continue; + } + stakeholderIterator.remove(); + } } - log.debug(new Date()); + +// log.debug(new Date()); + +// return stakeholdersFull; + return stakeholders; + } + + @PreAuthorize("isAuthenticated()") + @RequestMapping(value = "/my-stakeholder", method = RequestMethod.GET) + public List 
getMyRealStakeholders(@RequestParam(required = false) String type) { + log.debug("get my NOT default stakeholders" + (type != null ? " with type: "+type : "")); + + List stakeholders; + if(type == null) { + stakeholders = stakeholderDAO.findByDefaultIdNot(null); + } else { + stakeholders = stakeholderDAO.findByDefaultIdNotAndType(null, type); + } + + List stakeholdersFull = new ArrayList<>(); + + if(stakeholders != null && stakeholders.size() > 0) { +// List roles = authorizationService.getRoles(); + List roles = rolesUtils.getRoles(); +// log.debug("ROLES: "); +// roles.forEach(role -> log.debug(role)); + +// if (roles.contains(authorizationService.PORTAL_ADMIN)) { + if (rolesUtils.isPortalAdmin(roles)) { + for(Stakeholder stakeholder : stakeholders) { + stakeholdersFull.add(this.setFullEntities(stakeholder, roles)); + } + return stakeholdersFull; + } + + Iterator stakeholderIterator = stakeholders.iterator(); + while(stakeholderIterator.hasNext()) { + Stakeholder stakeholder = stakeholderIterator.next(); + +// if(roles.contains(authorizationService.curator(stakeholder.getType())) +// || roles.contains(authorizationService.manager(stakeholder.getType(), stakeholder.getAlias()))) { + if(rolesUtils.isCurator(roles, stakeholder.getType()) + || rolesUtils.isManager(roles, stakeholder.getType(), stakeholder.getAlias())) { + stakeholdersFull.add(this.setFullEntities(stakeholder, roles)); + continue; + } + stakeholderIterator.remove(); + } + } + +// log.debug(new Date()); return stakeholdersFull; } 
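Review bot: getAllRealStakeholders now returns `stakeholders` directly, and the guard `if(stakeholders != null && stakeholders.size() > 0)` suggests the DAO can hand back null, in which case the endpoint responds with a null body instead of an empty list; return `new ArrayList<>()` in that case (the file already imports ArrayList) so clients can iterate unconditionally. The same filter loop in getMyRealStakeholders calls `stakeholderIterator.remove()` on the DAO list while only `stakeholdersFull` is returned, so the removal has no effect on the response. The commented-out `authorizationService` and `log.debug(new Date())` lines should be dropped rather than carried along.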
@@ -242,9 +405,30 @@ public class StakeholderController { // EXCEPTION - Stakeholder not found throw new EntityNotFoundException("Get stakeholder: Stakeholder with alias: "+alias+" not found"); } - return this.setFullEntities(stakeholder); + +// List roles = authorizationService.getRoles(); + List roles = rolesUtils.getRoles(); + + if((stakeholder.getVisibility() == Visibility.PRIVATE && !rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias()) + || (stakeholder.getVisibility() == Visibility.RESTRICTED && !rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias()) && !rolesUtils.isMember(roles, stakeholder.getType(), stakeholder.getAlias())))) { +// // EXCEPTION - Access denied +// throw new AccessDeniedException("Get stakeholder: You are not authorized to get stakeholder with alias: "+alias); + List topicsEmpty = stakeholder.getTopics(); + topicsEmpty.clear(); + stakeholder.setTopics(topicsEmpty); + stakeholder.setVisibility(Visibility.PRIVATE); + return stakeholder; + } + + return this.setFullEntities(stakeholder, roles); } +// @PreAuthorize("isAuthenticated()") + @PreAuthorize("hasAnyAuthority(" + + "@AuthorizationService.PORTAL_ADMIN, " + + "@AuthorizationService.curator(#stakeholderFull.getType()), " + + "@AuthorizationService.manager(#stakeholderFull.getType(), #stakeholderFull.getAlias()) " + + ")") @RequestMapping(value = "/save", method = RequestMethod.POST) public Stakeholder saveStakeholder(@RequestBody Stakeholder stakeholderFull) { log.debug("save stakeholder"); @@ -283,7 +467,7 @@ public class StakeholderController { return stakeholderFull; } - + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/delete", method = RequestMethod.DELETE) public boolean deleteStakeholder(@PathVariable("stakeholderId") String stakeholderId) { log.debug("delete stakeholder"); 
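Review bot: The new `@PreAuthorize` on saveStakeholder grants access based on `#stakeholderFull.getType()` and `#stakeholderFull.getAlias()`, both taken from the request body, while the entity actually updated is presumably selected by `stakeholderFull.getId()` (the body of saveStakeholder is outside the hunk). Unless the method loads the stored entity by id and verifies its type and alias match the body — or re-runs `rolesUtils.hasUpdateAuthority` against the stored values — a manager of one stakeholder could pass the annotation check with a body that carries another stakeholder's id. In getStakeholder, the unauthorized branch overwrites the real visibility with `stakeholder.setVisibility(Visibility.PRIVATE)` and clears topics in place via `topicsEmpty.clear()`, which NPEs if `getTopics()` is null; consider returning a fresh stripped-down object rather than mutating the loaded one, and a comment explaining why the real visibility is masked.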
@@ -292,6 +476,15 @@ public class StakeholderController { Stakeholder stakeholder = stakeholderDAO.findById(stakeholderId); if(stakeholder != null) { +// List roles = authorizationService.getRoles(); + List roles = rolesUtils.getRoles(); + +// if(!roles.contains(authorizationService.PORTAL_ADMIN) +// && !roles.contains(authorizationService.curator(stakeholder.getType()))) { + if(!rolesUtils.hasCreateAndDeleteAuthority(roles, stakeholder.getType())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("Delete stakeholder: You are not authorized to delete stakeholder with id: "+stakeholderId); + } // for(String topicId : stakeholder.getTopics()) { // Topic topic = topicDAO.findById(topicId); 
@@ -364,43 +557,74 @@ public class StakeholderController { } - @RequestMapping(value = "/{stakeholderId}/toggle-status", method = RequestMethod.POST) - public Boolean toggleStakeholderStatus(@PathVariable("stakeholderId") String stakeholderId) { - log.debug("toggle stakeholder status (isActive)"); +// @RequestMapping(value = "/{stakeholderId}/toggle-status", method = RequestMethod.POST) +// public Boolean toggleStakeholderStatus(@PathVariable("stakeholderId") String stakeholderId) { +// log.debug("toggle stakeholder status (isActive)"); +// log.debug("Stakeholder: "+stakeholderId); +// +// Stakeholder stakeholder = stakeholderDAO.findById(stakeholderId); +// if (stakeholder == null) { +// // EXCEPTION - Stakeholder not found +// throw new EntityNotFoundException("Toggle stakeholder status: Stakeholder with id: "+stakeholderId+" not found"); +// } +// stakeholder.setIsActive(!stakeholder.getIsActive()); +// +// stakeholderDAO.save(stakeholder); +// log.debug("Stakeholder toggled!"); +// +// return stakeholder.getIsActive(); +// } +// +// @RequestMapping(value = "/{stakeholderId}/toggle-access", method = RequestMethod.POST) +// public Boolean toggleStakeholderAccess(@PathVariable("stakeholderId") String stakeholderId) { +// log.debug("toggle stakeholder access (isPublic)"); +// log.debug("Stakeholder: "+stakeholderId); +// +// Stakeholder stakeholder = stakeholderDAO.findById(stakeholderId); +// if (stakeholder == null) { +// // EXCEPTION - Stakeholder not found +// throw new EntityNotFoundException("Toggle stakeholder access: Stakeholder with id: "+stakeholderId+" not found"); +// } +// stakeholder.setIsPublic(!stakeholder.getIsPublic()); +// +// stakeholderDAO.save(stakeholder); +// log.debug("Stakeholder toggled!"); +// +// return stakeholder.getIsPublic(); +// } + + + @PreAuthorize("isAuthenticated()") + @RequestMapping(value = "/{stakeholderId}/change-visibility", method = RequestMethod.POST) + public Visibility 
toggleStakeholderAccess(@PathVariable("stakeholderId") String stakeholderId, + @RequestParam("visibility") Visibility visibility) { + log.debug("change stakeholder visibility: "+visibility); log.debug("Stakeholder: "+stakeholderId); Stakeholder stakeholder = stakeholderDAO.findById(stakeholderId); if (stakeholder == null) { // EXCEPTION - Stakeholder not found - throw new EntityNotFoundException("Toggle stakeholder status: Stakeholder with id: "+stakeholderId+" not found"); + throw new EntityNotFoundException("Change stakeholder visibility: Stakeholder with id: "+stakeholderId+" not found"); } - stakeholder.setIsActive(!stakeholder.getIsActive()); + +// List roles = authorizationService.getRoles(); + List roles = rolesUtils.getRoles(); + +// if(!roles.contains(authorizationService.PORTAL_ADMIN) +// && !roles.contains(authorizationService.curator(stakeholder.getType())) +// && !roles.contains(authorizationService.manager(stakeholder.getType(), stakeholder.getAlias()))) { + if(!rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("Change stakeholder visibility: You are not authorized to update stakeholder with id: "+stakeholderId); + } + stakeholder.setVisibility(visibility); stakeholderDAO.save(stakeholder); log.debug("Stakeholder toggled!"); - return stakeholder.getIsActive(); + return stakeholder.getVisibility(); } - @RequestMapping(value = "/{stakeholderId}/toggle-access", method = RequestMethod.POST) - public Boolean toggleStakeholderAccess(@PathVariable("stakeholderId") String stakeholderId) { - log.debug("toggle stakeholder access (isPublic)"); - log.debug("Stakeholder: "+stakeholderId); - - Stakeholder stakeholder = stakeholderDAO.findById(stakeholderId); - if (stakeholder == null) { - // EXCEPTION - Stakeholder not found - throw new EntityNotFoundException("Toggle stakeholder access: Stakeholder with id: "+stakeholderId+" not found"); - } - 
stakeholder.setIsPublic(!stakeholder.getIsPublic()); - - stakeholderDAO.save(stakeholder); - log.debug("Stakeholder toggled!"); - - return stakeholder.getIsPublic(); - } - - // The following are not supposed to be used // @RequestMapping(value = "/stakeholder/dates", method = RequestMethod.GET) // public List getAllStakeholderDates() { diff --git a/src/main/java/eu/dnetlib/uoamonitorservice/controllers/SubCategoryController.java b/src/main/java/eu/dnetlib/uoamonitorservice/controllers/SubCategoryController.java index 463185f..854f448 100644 --- a/src/main/java/eu/dnetlib/uoamonitorservice/controllers/SubCategoryController.java +++ b/src/main/java/eu/dnetlib/uoamonitorservice/controllers/SubCategoryController.java @@ -4,11 +4,15 @@ import eu.dnetlib.uoamonitorservice.dao.*; import eu.dnetlib.uoamonitorservice.entities.*; import eu.dnetlib.uoamonitorservice.handlers.EntityNotFoundException; import eu.dnetlib.uoamonitorservice.handlers.PathNotValidException; +import eu.dnetlib.uoamonitorservice.handlers.utils.RolesUtils; import org.apache.log4j.Logger; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.access.AccessDeniedException; +import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.web.bind.annotation.*; import java.util.ArrayList; +import java.util.Date; import java.util.Iterator; import java.util.List; @@ -17,6 +21,9 @@ import java.util.List; public class SubCategoryController { private final Logger log = Logger.getLogger(this.getClass()); + @Autowired + private RolesUtils rolesUtils; + @Autowired private StakeholderDAO stakeholderDAO; 
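Review bot: The new change-visibility endpoint keeps the old method name `toggleStakeholderAccess` and the log line `log.debug("Stakeholder toggled!");` although it now sets an explicit value; renaming to `changeStakeholderVisibility` and logging `"Stakeholder visibility changed to: "+visibility` would match the other controllers' `change...Visibility` naming from the commit message. The roughly forty lines of commented-out toggleStakeholderStatus/toggleStakeholderAccess should be removed rather than kept in the source, since the history is in version control. The hunk starts on an earlier line of SOURCE than this anchor.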
@@ -63,12 +70,21 @@ public class SubCategoryController { subcategoryFull.setNumbers(sectionNumbersFull); subCategory.setNumbers(sectionNumbers); + Date date = new Date(); + subCategory.setCreationDate(date); + subCategory.setUpdateDate(date); + + subcategoryFull.setCreationDate(date); + subcategoryFull.setUpdateDate(date); + + subCategoryDAO.save(subCategory); subcategoryFull.setId(subCategory.getId()); return subcategoryFull; } + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/save", method = RequestMethod.POST) public SubCategory> saveSubCategory(@PathVariable("stakeholderId") String stakeholderId, @PathVariable("topicId") String topicId, @@ -79,13 +95,20 @@ public class SubCategoryController { Category category = checkForExceptions(stakeholderId, topicId, categoryId); + SubCategory subCategory = new SubCategory<>(subcategoryFull); + + Date date = new Date(); + subCategory.setUpdateDate(date); + subcategoryFull.setUpdateDate(date); + SubCategory oldSubcategory = null; if(subcategoryFull.getId() != null) { oldSubcategory = subCategoryDAO.findById(subcategoryFull.getId()); + } else { // subcategory does not exist in DB + subCategory.setCreationDate(date); + subcategoryFull.setCreationDate(date); } - SubCategory subCategory = new SubCategory<>(subcategoryFull); - // List charts = new ArrayList<>(); // for(Indicator chart : subcategoryFull.getCharts()) { // charts.add(chart.getId()); 
@@ -110,15 +133,17 @@ public class SubCategoryController { } subCategory.setNumbers(numberSections); - subCategoryDAO.save(subCategory); - Stakeholder stakeholder = stakeholderDAO.findById(stakeholderId); if(stakeholder.getDefaultId() == null) { if(subcategoryFull.getId() == null) { + subCategoryDAO.save(subCategory); onSaveDefaultSubCategory(subCategory, categoryId); } else { onUpdateDefaultSubCategory(subCategory, oldSubcategory); + subCategoryDAO.save(subCategory); } + } else { + subCategoryDAO.save(subCategory); } List subcategories = category.getSubCategories(); @@ -182,10 +207,12 @@ public class SubCategoryController { // subCategoryBasedOnDefault.setName(subCategory.getName()); // subCategoryBasedOnDefault.setDescription(subCategory.getDescription()); + subCategoryBasedOnDefault.setUpdateDate(subCategory.getUpdateDate()); subCategoryDAO.save(subCategoryBasedOnDefault); } } + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/delete", method = RequestMethod.DELETE) public boolean deleteSubCategory(@PathVariable("stakeholderId") String stakeholderId, @PathVariable("topicId") String topicId, @@ -199,6 +226,14 @@ public class SubCategoryController { SubCategory subcategory = subCategoryDAO.findById(subcategoryId); if(subcategory != null) { + + Stakeholder stakeholder = stakeholderDAO.findById(stakeholderId); + List roles = rolesUtils.getRoles(); + if(subcategory.getDefaultId() != null && !rolesUtils.hasCreateAndDeleteAuthority(roles, stakeholder.getType())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("Delete subcategory: You are not authorized to delete a default SubCategory in stakeholder with id: "+stakeholderId); + } + List subcategories = category.getSubCategories(); int index = subcategories.indexOf(subcategoryId); if(index != -1) { 
@@ -298,6 +333,7 @@ public class SubCategoryController {
         return true;
     }
 
+    @PreAuthorize("isAuthenticated()")
     @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/reorder", method = RequestMethod.POST)
     public List reorderSubCategories(@PathVariable("stakeholderId") String stakeholderId,
                                        @PathVariable("topicId") String topicId,
@@ -320,44 +356,66 @@ public class SubCategoryController { return subCategoriesFull; } - @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/toggle-status", method = RequestMethod.POST) - public Boolean toggleSubCategoryStatus(@PathVariable("stakeholderId") String stakeholderId, - @PathVariable("topicId") String topicId, - @PathVariable("categoryId") String categoryId, - @PathVariable("subcategoryId") String subcategoryId) { - log.debug("toggle subCategory status (isActive)"); +// @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/toggle-status", method = RequestMethod.POST) +// public Boolean toggleSubCategoryStatus(@PathVariable("stakeholderId") String stakeholderId, +// @PathVariable("topicId") String topicId, +// @PathVariable("categoryId") String categoryId, +// @PathVariable("subcategoryId") String subcategoryId) { +// log.debug("toggle subCategory status (isActive)"); +// log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId + " - Category: "+categoryId+ " - SubCategory: "+subcategoryId); +// +// SubCategory subCategory = subCategoryDAO.findById(subcategoryId); +// if (subCategory == null) { +// // EXCEPTION - SubCategory not found +// throw new EntityNotFoundException("Toggle subCategory status: SubCategory with id: "+subcategoryId+" not found"); +// } +// subCategory.setIsActive(!subCategory.getIsActive()); +// +// this.toggleSubCategory(stakeholderId, topicId, categoryId, subCategory); +// +// return subCategory.getIsActive(); +// } +// +// @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/toggle-access", method = RequestMethod.POST) +// public Boolean toggleSubCategoryAccess(@PathVariable("stakeholderId") String stakeholderId, +// @PathVariable("topicId") String topicId, +// @PathVariable("categoryId") String categoryId, +// @PathVariable("subcategoryId") String subcategoryId) { +// log.debug("toggle subCategory access (isPublic)"); +// 
log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId + " - Category: "+categoryId+ " - SubCategory: "+subcategoryId); +// +// SubCategory subCategory = subCategoryDAO.findById(subcategoryId); +// if (subCategory == null) { +// // EXCEPTION - SubCategory not found +// throw new EntityNotFoundException("Toggle subCategory access: SubCategory with id: "+subcategoryId+" not found"); +// } +// subCategory.setIsPublic(!subCategory.getIsPublic()); +// +// this.toggleSubCategory(stakeholderId, topicId, categoryId, subCategory); +// +// return subCategory.getIsPublic(); +// } + + @PreAuthorize("isAuthenticated()") + @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/change-visibility", method = RequestMethod.POST) + public Visibility changeTopicVisibility(@PathVariable("stakeholderId") String stakeholderId, + @PathVariable("topicId") String topicId, + @PathVariable("categoryId") String categoryId, + @PathVariable("subcategoryId") String subcategoryId, + @RequestParam("visibility") Visibility visibility) { + log.debug("change subCategory visibility: "+visibility); log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId + " - Category: "+categoryId+ " - SubCategory: "+subcategoryId); SubCategory subCategory = subCategoryDAO.findById(subcategoryId); if (subCategory == null) { // EXCEPTION - SubCategory not found - throw new EntityNotFoundException("Toggle subCategory status: SubCategory with id: "+subcategoryId+" not found"); + throw new EntityNotFoundException("Change subCategory visibility: SubCategory with id: "+subcategoryId+" not found"); } - subCategory.setIsActive(!subCategory.getIsActive()); + subCategory.setVisibility(visibility); this.toggleSubCategory(stakeholderId, topicId, categoryId, subCategory); - return subCategory.getIsActive(); - } - - @RequestMapping(value = "/{stakeholderId}/{topicId}/{categoryId}/{subcategoryId}/toggle-access", method = RequestMethod.POST) - public Boolean 
toggleSubCategoryAccess(@PathVariable("stakeholderId") String stakeholderId, - @PathVariable("topicId") String topicId, - @PathVariable("categoryId") String categoryId, - @PathVariable("subcategoryId") String subcategoryId) { - log.debug("toggle subCategory access (isPublic)"); - log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId + " - Category: "+categoryId+ " - SubCategory: "+subcategoryId); - - SubCategory subCategory = subCategoryDAO.findById(subcategoryId); - if (subCategory == null) { - // EXCEPTION - SubCategory not found - throw new EntityNotFoundException("Toggle subCategory access: SubCategory with id: "+subcategoryId+" not found"); - } - subCategory.setIsPublic(!subCategory.getIsPublic()); - - this.toggleSubCategory(stakeholderId, topicId, categoryId, subCategory); - - return subCategory.getIsPublic(); + return subCategory.getVisibility(); } public void toggleSubCategory(String stakeholderId, String topicId, String categoryId, SubCategory subcategory) { @@ -382,6 +440,12 @@ public class SubCategoryController { throw new EntityNotFoundException("Save indicator: Stakeholder with id: " + stakeholderId + " not found"); } + List roles = rolesUtils.getRoles(); + if(!rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("CheckForExceptions SubCategory: You are not authorized to update stakeholder with id: "+stakeholderId); + } + Topic topic = topicDAO.findById(topicId); if(topic == null) { // EXCEPTION - Topic not found diff --git a/src/main/java/eu/dnetlib/uoamonitorservice/controllers/TopicController.java b/src/main/java/eu/dnetlib/uoamonitorservice/controllers/TopicController.java index 677e249..9442415 100644 --- a/src/main/java/eu/dnetlib/uoamonitorservice/controllers/TopicController.java +++ b/src/main/java/eu/dnetlib/uoamonitorservice/controllers/TopicController.java 
@@ -4,11 +4,15 @@ import eu.dnetlib.uoamonitorservice.dao.*; import eu.dnetlib.uoamonitorservice.entities.*; import eu.dnetlib.uoamonitorservice.handlers.EntityNotFoundException; import eu.dnetlib.uoamonitorservice.handlers.PathNotValidException; +import eu.dnetlib.uoamonitorservice.handlers.utils.RolesUtils; import org.apache.log4j.Logger; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.access.AccessDeniedException; +import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.web.bind.annotation.*; import java.util.ArrayList; +import java.util.Date; import java.util.Iterator; import java.util.List; @@ -17,24 +21,15 @@ import java.util.List; public class TopicController { private final Logger log = Logger.getLogger(this.getClass()); + @Autowired + private RolesUtils rolesUtils; + @Autowired private StakeholderDAO stakeholderDAO; @Autowired private TopicDAO topicDAO; - @Autowired - private CategoryDAO categoryDAO; - - @Autowired - private SubCategoryDAO subCategoryDAO; - - @Autowired - private SectionDAO sectionDAO; - - @Autowired - private IndicatorDAO indicatorDAO; - @Autowired private CategoryController categoryController; @@ -51,12 +46,20 @@ public class TopicController { topicFull.setCategories(categoriesFull); topic.setCategories(categories); + Date date = new Date(); + topic.setCreationDate(date); + topic.setUpdateDate(date); + + topicFull.setCreationDate(date); + topicFull.setUpdateDate(date); + topicDAO.save(topic); topicFull.setId(topic.getId()); return topicFull; } + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/save", method = RequestMethod.POST) public Topic saveTopic(@PathVariable("stakeholderId") String stakeholderId, @RequestBody Topic topicFull) { 
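Review bot: The `@PreAuthorize("isAuthenticated()")` added before `saveTopic` in the `@@ -51,12 +46,20 @@` hunk is only enforced when Spring method security is enabled (`@EnableGlobalMethodSecurity(prePostEnabled = true)` or an equivalent), and that configuration is not part of this diff; if it is absent the annotation is silently ignored and the in-body `rolesUtils` checks become the only gate, so it is worth confirming it exists. Since the class now relies on two layers, a line in the class Javadoc would help the next maintainer: `Write endpoints require an authenticated caller (@PreAuthorize) and update authority on the target stakeholder (RolesUtils#hasUpdateAuthority); neither check alone is sufficient.` The method that sets `creationDate`/`updateDate` at the top of that hunk starts outside it.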
@@ -66,12 +69,24 @@ public class TopicController { Stakeholder stakeholder = stakeholderDAO.findById(stakeholderId); if(stakeholder != null) { - Topic oldTopic = null; - if(topicFull.getId() != null) { - oldTopic = topicDAO.findById(topicFull.getId()); + List roles = rolesUtils.getRoles(); + if(!rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("Save Topic: You are not authorized to update stakeholder with id: "+stakeholderId); } Topic topic = new Topic<>(topicFull); + Date date = new Date(); + topic.setUpdateDate(date); + topicFull.setUpdateDate(date); + + Topic oldTopic = null; + if(topicFull.getId() != null) { + oldTopic = topicDAO.findById(topicFull.getId()); + } else { // topic does not exist in DB + topic.setCreationDate(date); + topicFull.setCreationDate(date); + } List categories = new ArrayList<>(); for(Category category : topicFull.getCategories()) { @@ -79,14 +94,16 @@ public class TopicController { } topic.setCategories(categories); - topicDAO.save(topic); - if(stakeholder.getDefaultId() == null) { if(topicFull.getId() == null) { + topicDAO.save(topic); onSaveDefaultTopic(topic, stakeholderId); } else { onUpdateDefaultTopic(topic, oldTopic); + topicDAO.save(topic); } + } else { + topicDAO.save(topic); } List topics = stakeholder.getTopics(); @@ -158,10 +175,12 @@ public class TopicController { // topicBasedOnDefault.setName(topic.getName()); // topicBasedOnDefault.setDescription(topic.getDescription()); + topicBasedOnDefault.setUpdateDate(topic.getUpdateDate()); topicDAO.save(topicBasedOnDefault); } } + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/{topicId}/delete", method = RequestMethod.DELETE) public boolean deleteTopic(@PathVariable("stakeholderId") String stakeholderId, @PathVariable("topicId") String topicId, 
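Review bot: In the `@@ -66,12 +69,24 @@` hunk the authority check is keyed on the path's `stakeholderId`, but the entity that is then loaded and later overwritten by `topicDAO.save(topic)` is selected by `topicFull.getId()` from the request body, and nothing in the hunk ties that id to this stakeholder; unless the code after `List topics = stakeholder.getTopics();` (outside the hunk) rejects ids not in that list, a caller with update authority on one stakeholder can overwrite a topic belonging to another simply by posting its id. Right after `oldTopic = topicDAO.findById(topicFull.getId());` I would add `if (oldTopic == null || !stakeholder.getTopics().contains(oldTopic.getId())) { throw new PathNotValidException("Save Topic: Topic with id: " + topicFull.getId() + " does not belong to stakeholder with id: " + stakeholderId); }` (`PathNotValidException` is already imported, and `getTopics()` holds ids, as `topics.indexOf(topicId)` in `deleteTopic` shows). This also closes the path where an unknown id leaves `oldTopic` null going into `onUpdateDefaultTopic`. `saveTopic` continues beyond the end of the hunk.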
@@ -173,9 +192,20 @@ public class TopicController { if(stakeholder != null) { + List roles = rolesUtils.getRoles(); + if(!rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("Delete topic: You are not authorized to update stakeholder with id: "+stakeholderId); + } + Topic topic = topicDAO.findById(topicId); if(topic != null) { + if(topic.getDefaultId() != null && !rolesUtils.hasCreateAndDeleteAuthority(roles, stakeholder.getType())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("Delete topic: You are not authorized to delete a default Topic in stakeholder with id: "+stakeholderId); + } + List topics = stakeholder.getTopics(); int index = topics.indexOf(topicId); if(index != -1) { @@ -298,6 +328,7 @@ public class TopicController { return true; } + @PreAuthorize("isAuthenticated()") @RequestMapping(value = "/{stakeholderId}/reorder", method = RequestMethod.POST) public List reorderTopics(@PathVariable("stakeholderId") String stakeholderId, @RequestBody List topics) { @@ -307,6 +338,13 @@ public class TopicController { Stakeholder stakeholder = stakeholderDAO.findById(stakeholderId); if(stakeholder != null) { + + List roles = rolesUtils.getRoles(); + if(!rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("Reorder topics: You are not authorized to update stakeholder with id: "+stakeholderId); + } + stakeholder.setTopics(topics); stakeholderDAO.save(stakeholder); 
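Review bot: `reorderTopics` in the `@@ -307,6 +338,13 @@` hunk now checks update authority on the stakeholder but still stores the posted list verbatim with `stakeholder.setTopics(topics)`, so a manager of one stakeholder can drop topics or attach topic ids that belong to another stakeholder, after which those ids pass the `getTopics().contains(...)` membership checks used by the other endpoints. Before `stakeholder.setTopics(topics);` require the list to be a permutation of the current one, same size and same set of ids, e.g. `if (topics == null || topics.size() != stakeholder.getTopics().size() || !new HashSet<>(topics).equals(new HashSet<>(stakeholder.getTopics()))) throw new PathNotValidException("Reorder topics: list does not match the topics of stakeholder with id: " + stakeholderId);` (needs `java.util.HashSet`). In the `@@ -173,9 +192,20 @@` hunk the second check's message says "default Topic" while its condition `topic.getDefaultId() != null` selects a topic derived from a default one; if that is the intended meaning, `a topic based on a default Topic` describes it more precisely. `reorderTopics` continues past the end of the hunk.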
@@ -323,46 +361,73 @@ public class TopicController { } } - @RequestMapping(value = "/{stakeholderId}/{topicId}/toggle-status", method = RequestMethod.POST) - public Boolean toggleTopicStatus(@PathVariable("stakeholderId") String stakeholderId, - @PathVariable("topicId") String topicId) { - log.debug("toggle topic status (isActive)"); +// @RequestMapping(value = "/{stakeholderId}/{topicId}/toggle-status", method = RequestMethod.POST) +// public Boolean toggleTopicStatus(@PathVariable("stakeholderId") String stakeholderId, +// @PathVariable("topicId") String topicId) { +// log.debug("toggle topic status (isActive)"); +// log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId); +// +// Topic topic = topicDAO.findById(topicId); +// if (topic == null) { +// // EXCEPTION - Topic not found +// throw new EntityNotFoundException("Toggle topic status: Topic with id: "+topicId+" not found"); +// } +// topic.setIsActive(!topic.getIsActive()); +// +// this.toggleTopic(stakeholderId, topic); +// +// return topic.getIsActive(); +// } +// +// @RequestMapping(value = "/{stakeholderId}/{topicId}/toggle-access", method = RequestMethod.POST) +// public Boolean toggleTopicAccess(@PathVariable("stakeholderId") String stakeholderId, +// @PathVariable("topicId") String topicId) { +// log.debug("toggle topic access (isPublic)"); +// log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId); +// +// Topic topic = topicDAO.findById(topicId); +// if (topic == null) { +// // EXCEPTION - Topic not found +// throw new EntityNotFoundException("Toggle topic access: Topic with id: "+topicId+" not found"); +// } +// topic.setIsPublic(!topic.getIsPublic()); +// +// this.toggleTopic(stakeholderId, topic); +// +// return topic.getIsPublic(); +// } + + @PreAuthorize("isAuthenticated()") + @RequestMapping(value = "/{stakeholderId}/{topicId}/change-visibility", method = RequestMethod.POST) + public Visibility changeTopicVisibility(@PathVariable("stakeholderId") String stakeholderId, + 
@PathVariable("topicId") String topicId, + @RequestParam("visibility") Visibility visibility) { + log.debug("change topic visibility: "+visibility); log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId); Topic topic = topicDAO.findById(topicId); if (topic == null) { // EXCEPTION - Topic not found - throw new EntityNotFoundException("Toggle topic status: Topic with id: "+topicId+" not found"); + throw new EntityNotFoundException("Change topic visibility: Topic with id: "+topicId+" not found"); } - topic.setIsActive(!topic.getIsActive()); + topic.setVisibility(visibility); this.toggleTopic(stakeholderId, topic); - return topic.getIsActive(); - } - - @RequestMapping(value = "/{stakeholderId}/{topicId}/toggle-access", method = RequestMethod.POST) - public Boolean toggleTopicAccess(@PathVariable("stakeholderId") String stakeholderId, - @PathVariable("topicId") String topicId) { - log.debug("toggle topic access (isPublic)"); - log.debug("Stakeholder: "+stakeholderId + " - Topic: "+topicId); - - Topic topic = topicDAO.findById(topicId); - if (topic == null) { - // EXCEPTION - Topic not found - throw new EntityNotFoundException("Toggle topic access: Topic with id: "+topicId+" not found"); - } - topic.setIsPublic(!topic.getIsPublic()); - - this.toggleTopic(stakeholderId, topic); - - return topic.getIsPublic(); + return topic.getVisibility(); } public void toggleTopic(String stakeholderId, Topic topic) { Stakeholder stakeholder = stakeholderDAO.findById(stakeholderId); if (stakeholder != null) { + + List roles = rolesUtils.getRoles(); + if(!rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias())) { + // EXCEPTION - Access denied + throw new AccessDeniedException("Toggle topic: You are not authorized to update stakeholder with id: "+stakeholderId); + } + if (stakeholder.getTopics().contains(topic.getId())) { topicDAO.save(topic); log.debug("Topic toggled!"); 
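Review bot: In `changeTopicVisibility` the topic is fetched and `EntityNotFoundException` is thrown before any authority check runs; the check only happens inside `toggleTopic`, after the lookup, so any authenticated user can probe whether a topic id exists (404 versus 403) on stakeholders they have no rights to. Resolve the stakeholder and evaluate `rolesUtils.hasUpdateAuthority(roles, stakeholder.getType(), stakeholder.getAlias())` at the top of `changeTopicVisibility`, before `topicDAO.findById(topicId)`, as `deleteTopic` already does, so the order is stakeholder, authority, then topic. `toggleTopic` is a `public` method on a controller with no request mapping; making it `private` would document that it is an internal helper rather than an endpoint. `toggleTopic` continues beyond the end of the hunk.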
diff --git a/src/main/java/eu/dnetlib/uoamonitorservice/handlers/utils/RolesUtils.java b/src/main/java/eu/dnetlib/uoamonitorservice/handlers/utils/RolesUtils.java
new file mode 100644
index 0000000..43a449e
--- /dev/null
+++ b/src/main/java/eu/dnetlib/uoamonitorservice/handlers/utils/RolesUtils.java
@@ -0,0 +1,65 @@
+package eu.dnetlib.uoamonitorservice.handlers.utils;
+
+import eu.dnetlib.uoaauthorizationlibrary.security.AuthorizationService;
+import org.apache.log4j.Logger;
+
+import java.util.List;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+@Component
+public class RolesUtils {
+ @Autowired
+ private AuthorizationService authorizationService;
+
+ private final Logger log = Logger.getLogger(this.getClass());
+
+ public List getRoles() {
+ return authorizationService.getRoles();
+ }
+
+ public boolean isPortalAdmin(List roles) {
+ if(roles == null) {
+ return false;
+ }
+// log.debug(authorizationService.PORTAL_ADMIN);
+// log.debug("PortalAdmin: "+roles.contains(authorizationService.PORTAL_ADMIN));
+ return roles.contains(authorizationService.PORTAL_ADMIN);
+ }
+
+ public boolean isCurator(List roles, String type) {
+ if(roles == null) {
+ return false;
+ }
+// log.debug(authorizationService.curator(type));
+// log.debug("Curator in "+type+": "+roles.contains(authorizationService.curator(type)));
+ return roles.contains(authorizationService.curator(type));
+ }
+
+ public boolean isManager(List roles, String type, String id) {
+ if(roles == null) {
+ return false;
+ }
+// log.debug(authorizationService.manager(type, id));
+// log.debug("Manager in "+type+" - "+id+": "+roles.contains(authorizationService.manager(type, id)));
+ return roles.contains(authorizationService.manager(type, id));
+ }
+
+ public boolean isMember(List roles, String type, String id) {
+ if(roles == null) {
+ return false;
+ }
+// log.debug(authorizationService.member(type, id));
+// log.debug("Member in "+type+" - "+id+": "+roles.contains(authorizationService.member(type, id)));
+ return roles.contains(authorizationService.member(type, id));
+ }
+
+ public boolean hasUpdateAuthority(List roles, String type, String id) {
+ return isPortalAdmin(roles) || isCurator(roles, type) || isManager(roles, type, id);
+ }
+
+ public boolean hasCreateAndDeleteAuthority(List roles, String type) {
+ return isPortalAdmin(roles) || isCurator(roles, type);
+ }
+}
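Review bot: `RolesUtils` uses raw `List` everywhere (`getRoles()` and every `List roles` parameter), so each `roles.contains(...)` compiles against `Object` and the compiler cannot catch a caller handing in the wrong collection; if, as the `curator(type)`/`manager(type, id)` comparisons suggest, the roles are String names, declare them `List<String>` (`public List<String> getRoles()`, `List<String> roles`). The two policy methods deserve Javadoc because every controller keys its 403 on them: for `hasUpdateAuthority`, `Portal admins, curators of the stakeholder type, and managers of the given stakeholder may update it; members may not.`, and for `hasCreateAndDeleteAuthority`, `Only portal admins and curators of the type may create or delete; managers are deliberately excluded.` `isMember` is defined but used by neither policy method, so a comment should say where, if anywhere, member-level (read) access is enforced. `authorizationService.PORTAL_ADMIN` is read through an instance; if it is a static constant, `AuthorizationService.PORTAL_ADMIN` is the conventional access.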