From e9cbf27295301cc23ae1c5e3e34942a4b59cd9ad Mon Sep 17 00:00:00 2001 From: sgiannopoulos Date: Wed, 13 Mar 2024 17:45:25 +0200 Subject: [PATCH] authz changes --- .../AuthorizationContentResolver.java | 4 +- .../AuthorizationContentResolverImpl.java | 7 ++- .../eu/eudat/model/builder/DmpBuilder.java | 6 +- .../referencedefinition/DefinitionCensor.java | 2 +- .../referencedefinition/FieldCensor.java | 2 +- .../eu/eudat/service/dmp/DmpServiceImpl.java | 58 ++++++++++--------- .../src/main/resources/config/permissions.yml | 6 ++ .../dmp-editor.component.ts | 3 +- .../dmp-editor.routing.ts | 4 +- 9 files changed, 54 insertions(+), 38 deletions(-) diff --git a/dmp-backend/core/src/main/java/eu/eudat/authorization/authorizationcontentresolver/AuthorizationContentResolver.java b/dmp-backend/core/src/main/java/eu/eudat/authorization/authorizationcontentresolver/AuthorizationContentResolver.java index f44af1597..846ed310e 100644 --- a/dmp-backend/core/src/main/java/eu/eudat/authorization/authorizationcontentresolver/AuthorizationContentResolver.java +++ b/dmp-backend/core/src/main/java/eu/eudat/authorization/authorizationcontentresolver/AuthorizationContentResolver.java @@ -9,5 +9,7 @@ import java.util.UUID; public interface AuthorizationContentResolver { List getPermissionNames(); - Map dmpAffiliation(List ids); + AffiliatedResource dmpAffiliation(UUID id); + + Map dmpsAffiliation(List ids); } diff --git a/dmp-backend/core/src/main/java/eu/eudat/authorization/authorizationcontentresolver/AuthorizationContentResolverImpl.java b/dmp-backend/core/src/main/java/eu/eudat/authorization/authorizationcontentresolver/AuthorizationContentResolverImpl.java index 72c8bdbc3..98f004fd7 100644 --- a/dmp-backend/core/src/main/java/eu/eudat/authorization/authorizationcontentresolver/AuthorizationContentResolverImpl.java +++ b/dmp-backend/core/src/main/java/eu/eudat/authorization/authorizationcontentresolver/AuthorizationContentResolverImpl.java @@ -33,8 +33,13 @@ public class AuthorizationContentResolverImpl implements AuthorizationContentRes public List getPermissionNames() { return permissionNameProvider.getPermissions(); } + @Override - public Map dmpAffiliation(List ids){ + public AffiliatedResource dmpAffiliation(UUID id) { + return this.dmpsAffiliation(List.of(id)).getOrDefault(id, new AffiliatedResource()); + } + @Override + public Map dmpsAffiliation(List ids){ UUID userId = this.userScope.getUserIdSafe(); Map affiliatedResources = new HashMap<>(); for (UUID id : ids){ diff --git a/dmp-backend/core/src/main/java/eu/eudat/model/builder/DmpBuilder.java b/dmp-backend/core/src/main/java/eu/eudat/model/builder/DmpBuilder.java index 9ab100b9e..2a3d9d168 100644 --- a/dmp-backend/core/src/main/java/eu/eudat/model/builder/DmpBuilder.java +++ b/dmp-backend/core/src/main/java/eu/eudat/model/builder/DmpBuilder.java @@ -2,17 +2,13 @@ package eu.eudat.model.builder; import eu.eudat.authorization.AffiliatedResource; import eu.eudat.authorization.AuthorizationFlags; -import eu.eudat.authorization.Permission; import eu.eudat.authorization.authorizationcontentresolver.AuthorizationContentResolver; import eu.eudat.commons.JsonHandlingService; import eu.eudat.commons.enums.EntityType; -import eu.eudat.commons.types.description.PropertyDefinitionEntity; import eu.eudat.commons.types.dmp.DmpPropertiesEntity; import eu.eudat.convention.ConventionService; -import eu.eudat.data.DmpDescriptionTemplateEntity; import eu.eudat.data.DmpEntity; import eu.eudat.model.*; -import eu.eudat.model.builder.descriptionpropertiesdefinition.PropertyDefinitionBuilder; import eu.eudat.model.builder.dmpproperties.DmpPropertiesBuilder; import eu.eudat.query.*; import gr.cite.commons.web.authz.service.AuthorizationService; @@ -94,7 +90,7 @@ public class DmpBuilder extends BaseBuilder { Set authorizationFlags = this.extractAuthorizationFlags(fields, Dmp._authorizationFlags, this.authorizationContentResolver.getPermissionNames()); - Map affiliatedResourceMap = authorizationFlags == null || authorizationFlags.isEmpty() ? null : this.authorizationContentResolver.dmpAffiliation(data.stream().map(DmpEntity::getId).collect(Collectors.toList())); + Map affiliatedResourceMap = authorizationFlags == null || authorizationFlags.isEmpty() ? null : this.authorizationContentResolver.dmpsAffiliation(data.stream().map(DmpEntity::getId).collect(Collectors.toList())); FieldSet propertiesFields = fields.extractPrefixed(this.asPrefix(Dmp._properties)); for (DmpEntity d : data) { diff --git a/dmp-backend/core/src/main/java/eu/eudat/model/censorship/referencedefinition/DefinitionCensor.java b/dmp-backend/core/src/main/java/eu/eudat/model/censorship/referencedefinition/DefinitionCensor.java index 399c5e4c4..1c7e885fb 100644 --- a/dmp-backend/core/src/main/java/eu/eudat/model/censorship/referencedefinition/DefinitionCensor.java +++ b/dmp-backend/core/src/main/java/eu/eudat/model/censorship/referencedefinition/DefinitionCensor.java @@ -38,7 +38,7 @@ public class DefinitionCensor extends BaseCensor { if (fields == null || fields.isEmpty()) return; - this.authService.authorizeForce(Permission.BrowseReference); + this.authService.authorizeForce(Permission.BrowseReference, Permission.DeferredAffiliation); FieldSet fieldsFields = fields.extractPrefixed(this.asIndexerPrefix(Definition._fields)); this.censorFactory.censor(FieldCensor.class).censor(fieldsFields, userId); } diff --git a/dmp-backend/core/src/main/java/eu/eudat/model/censorship/referencedefinition/FieldCensor.java b/dmp-backend/core/src/main/java/eu/eudat/model/censorship/referencedefinition/FieldCensor.java index bf832be9a..7afe0f277 100644 --- a/dmp-backend/core/src/main/java/eu/eudat/model/censorship/referencedefinition/FieldCensor.java +++ b/dmp-backend/core/src/main/java/eu/eudat/model/censorship/referencedefinition/FieldCensor.java @@ -33,7 +33,7 @@ public class FieldCensor extends BaseCensor { if (fields == null || fields.isEmpty()) return; - this.authService.authorizeForce(Permission.BrowseReference); + this.authService.authorizeForce(Permission.BrowseReference, Permission.DeferredAffiliation); } } diff --git a/dmp-backend/core/src/main/java/eu/eudat/service/dmp/DmpServiceImpl.java b/dmp-backend/core/src/main/java/eu/eudat/service/dmp/DmpServiceImpl.java index a092d4604..05463eedb 100644 --- a/dmp-backend/core/src/main/java/eu/eudat/service/dmp/DmpServiceImpl.java +++ b/dmp-backend/core/src/main/java/eu/eudat/service/dmp/DmpServiceImpl.java @@ -3,6 +3,7 @@ package eu.eudat.service.dmp; import com.fasterxml.jackson.core.JsonProcessingException; import eu.eudat.authorization.AuthorizationFlags; import eu.eudat.authorization.Permission; +import eu.eudat.authorization.authorizationcontentresolver.AuthorizationContentResolver; import eu.eudat.commons.JsonHandlingService; import eu.eudat.commons.XmlHandlingService; import eu.eudat.commons.enums.*; @@ -124,30 +125,31 @@ public class DmpServiceImpl implements DmpService { private final DmpTouchedIntegrationEventHandler dmpTouchedIntegrationEventHandler; private final AnnotationEntityTouchedIntegrationEventHandler annotationEntityTouchedIntegrationEventHandler; + private final AuthorizationContentResolver authorizationContentResolver; @Autowired public DmpServiceImpl( - EntityManager entityManager, - AuthorizationService authorizationService, - DeleterFactory deleterFactory, - BuilderFactory builderFactory, - QueryFactory queryFactory, - ConventionService conventionService, - ErrorThesaurusProperties errors, - MessageSource messageSource, - XmlHandlingService xmlHandlingService, - JsonHandlingService jsonHandlingService, - UserScope userScope, - EventBroker eventBroker, - DescriptionService descriptionService, - NotifyIntegrationEventHandler eventHandler, - NotificationProperties notificationProperties, - ActionConfirmationService actionConfirmationService, - FileTransformerService fileTransformerService, - ValidatorFactory validatorFactory, - ElasticService elasticService, - DmpTouchedIntegrationEventHandler dmpTouchedIntegrationEventHandler, - AnnotationEntityTouchedIntegrationEventHandler annotationEntityTouchedIntegrationEventHandler) { + EntityManager entityManager, + AuthorizationService authorizationService, + DeleterFactory deleterFactory, + BuilderFactory builderFactory, + QueryFactory queryFactory, + ConventionService conventionService, + ErrorThesaurusProperties errors, + MessageSource messageSource, + XmlHandlingService xmlHandlingService, + JsonHandlingService jsonHandlingService, + UserScope userScope, + EventBroker eventBroker, + DescriptionService descriptionService, + NotifyIntegrationEventHandler eventHandler, + NotificationProperties notificationProperties, + ActionConfirmationService actionConfirmationService, + FileTransformerService fileTransformerService, + ValidatorFactory validatorFactory, + ElasticService elasticService, + DmpTouchedIntegrationEventHandler dmpTouchedIntegrationEventHandler, + AnnotationEntityTouchedIntegrationEventHandler annotationEntityTouchedIntegrationEventHandler, AuthorizationContentResolver authorizationContentResolver) { this.entityManager = entityManager; this.authorizationService = authorizationService; this.deleterFactory = deleterFactory; @@ -169,11 +171,15 @@ public class DmpServiceImpl implements DmpService { this.elasticService = elasticService; this.dmpTouchedIntegrationEventHandler = dmpTouchedIntegrationEventHandler; this.annotationEntityTouchedIntegrationEventHandler = annotationEntityTouchedIntegrationEventHandler; + this.authorizationContentResolver = authorizationContentResolver; } public Dmp persist(DmpPersist model, FieldSet fields) throws MyForbiddenException, MyValidationException, MyApplicationException, MyNotFoundException, InvalidApplicationException, JAXBException, IOException { - this.authorizationService.authorizeForce(Permission.EditDmp); - + + Boolean isUpdate = this.conventionService.isValidGuid(model.getId()); + if (isUpdate) this.authorizationService.authorizeAtLeastOneForce(List.of(this.authorizationContentResolver.dmpAffiliation(model.getId())), Permission.EditDmp); + else this.authorizationService.authorizeForce(Permission.NewDmp); + DmpEntity data = this.patchAndSave(model); DmpBlueprintEntity blueprintEntity = this.entityManager.find(DmpBlueprintEntity.class, data.getBlueprintId()); @@ -196,8 +202,8 @@ public class DmpServiceImpl implements DmpService { if (!this.conventionService.isListNullOrEmpty(model.getUsers())){ this.inviteUsers(data.getId(), model.getUsers()); }else{ - this.assignUsers(data.getId(), new ArrayList<>(), null); this.addOwner(data); + this.assignUsers(data.getId(), new ArrayList<>(), null); } this.elasticService.persistDmp(data); @@ -477,8 +483,8 @@ public class DmpServiceImpl implements DmpService { @Override public List assignUsers(UUID dmpId, List model, FieldSet fieldSet) throws InvalidApplicationException, IOException { - this.authorizationService.authorizeForce(Permission.AssignDmpUsers); - + this.authorizationService.authorizeAtLeastOneForce(List.of(this.authorizationContentResolver.dmpAffiliation(dmpId)), Permission.AssignDmpUsers); + DmpEntity dmpEntity = this.entityManager.find(DmpEntity.class, dmpId); if (dmpEntity == null) throw new MyNotFoundException(messageSource.getMessage("General_ItemNotFound", new Object[]{dmpId, Dmp.class.getSimpleName()}, LocaleContextHolder.getLocale())); diff --git a/dmp-backend/web/src/main/resources/config/permissions.yml b/dmp-backend/web/src/main/resources/config/permissions.yml index db2d3d94a..8a491b84f 100644 --- a/dmp-backend/web/src/main/resources/config/permissions.yml +++ b/dmp-backend/web/src/main/resources/config/permissions.yml @@ -377,6 +377,12 @@ permissions: AssignDmpUsers: roles: - Admin + dmp: + roles: + - Owner + - User + - DescriptionContributor + - Reviewer claims: [ ] clients: [ ] allowAnonymous: false diff --git a/dmp-frontend/src/app/ui/dmp/dmp-editor-blueprint/dmp-editor.component.ts b/dmp-frontend/src/app/ui/dmp/dmp-editor-blueprint/dmp-editor.component.ts index 8c4b1ffc7..7fd742b87 100644 --- a/dmp-frontend/src/app/ui/dmp/dmp-editor-blueprint/dmp-editor.component.ts +++ b/dmp-frontend/src/app/ui/dmp/dmp-editor-blueprint/dmp-editor.component.ts @@ -196,7 +196,8 @@ export class DmpEditorComponent extends BaseEditor implemen } buildForm() { - this.formGroup = this.editorModel.buildForm(null, this.isDeleted || !this.authService.hasPermission(AppPermission.EditDmp)); + const canedit = this.isNew ? this.authService.hasPermission(AppPermission.NewDmp) : this.authService.hasPermission(AppPermission.EditDmp); + this.formGroup = this.editorModel.buildForm(null, this.isDeleted || !canedit); if (this.editorModel.status == DmpStatus.Finalized || this.isDeleted) { this.formGroup.disable(); diff --git a/dmp-frontend/src/app/ui/dmp/dmp-editor-blueprint/dmp-editor.routing.ts b/dmp-frontend/src/app/ui/dmp/dmp-editor-blueprint/dmp-editor.routing.ts index 806c89d2d..10dc021f4 100644 --- a/dmp-frontend/src/app/ui/dmp/dmp-editor-blueprint/dmp-editor.routing.ts +++ b/dmp-frontend/src/app/ui/dmp/dmp-editor-blueprint/dmp-editor.routing.ts @@ -20,7 +20,7 @@ const routes: Routes = [ title: 'BREADCRUMBS.NEW-DMP' }), authContext: { - permissions: [AppPermission.EditDmp] + permissions: [AppPermission.NewDmp] } } }, @@ -41,7 +41,7 @@ const routes: Routes = [ } } }, - + // { // path: 'edit/:id', // component: DmpEditorBlueprintComponent,