@ -23,10 +23,17 @@ import org.gcube.common.storagehub.model.exceptions.UserNotAuthorizedException;
import org.gcube.common.storagehub.model.items.Item ;
import org.gcube.common.storagehub.model.items.SharedFolder ;
import org.gcube.data.access.storagehub.handlers.Node2ItemConverter ;
import org.slf4j.Logger ;
import org.slf4j.LoggerFactory ;
import lombok.extern.java.Log ;
import lombok.extern.log4j.Log4j ;
@Singleton
public class AuthorizationChecker {
private static Logger log = LoggerFactory . getLogger ( AuthorizationChecker . class ) ;
@Inject
Node2ItemConverter node2Item ;
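Review bot: The SLF4J logger field in this hunk is declared `private static Logger log` without `final`, and the class also imports `lombok.extern.java.Log` and `lombok.extern.log4j.Log4j` although no `@Log`/`@Log4j` annotation is visible on `AuthorizationChecker` (only `@Singleton`). A mutable static logger can be reassigned from anywhere in the package and the two Lombok imports for other logging backends are dead weight next to the explicit `LoggerFactory` call. Suggest `private static final Logger log = LoggerFactory.getLogger(AuthorizationChecker.class);` and dropping the two `lombok.extern.*` imports. Because the rendered page has lost the `+`/`-` markers, it is not certain which of these lines are newly added by this commit and which are pre-existing context; the class body continues past the hunk.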
@ -39,18 +46,23 @@ public class AuthorizationChecker {
if ( item = = null ) throw new UserNotAuthorizedException ( "Insufficent Provileges for user " + login + " to read node with id " + id + ": it's not a valid StorageHub node" ) ;
if ( item . isShared ( ) ) {
SharedFolder parentShared = node2Item . getItem ( retrieveSharedFolderParent ( node , session ) , Excludes . EXCLUDE_ACCOUNTING ) ;
if ( parentShared . getUsers ( ) . getMap ( ) . keySet ( ) . contains ( login ) ) return ;
//CHECKING ACL FOR VREFOLDER AND SHARED FOLDER
JackrabbitAccessControlList accessControlList = AccessControlUtils . getAccessControlList ( session , parentShared . getPath ( ) ) ;
AccessControlEntry [ ] entries = accessControlList . getAccessControlEntries ( ) ;
Authorizable U serAuthorizable = ( ( JackrabbitSession ) session ) . getUserManager ( ) . getAuthorizable ( login ) ;
Authorizable u serAuthorizable = ( ( JackrabbitSession ) session ) . getUserManager ( ) . getAuthorizable ( login ) ;
for ( AccessControlEntry entry : entries ) {
log . debug ( "checking access right for {} with compared with {}" , login , entry . getPrincipal ( ) ) ;
Authorizable authorizable = ( ( JackrabbitSession ) session ) . getUserManager ( ) . getAuthorizable ( entry . getPrincipal ( ) ) ;
//TODO; check why sometimes the next line gets a nullpointer
if ( ! authorizable . isGroup ( ) & & entry . getPrincipal ( ) . getName ( ) . equals ( login ) ) return ;
if ( authorizable . isGroup ( ) & & ( ( Group ) authorizable ) . isMember ( U serAuthorizable) ) return ;
if ( authorizable . isGroup ( ) & & ( ( Group ) authorizable ) . isMember ( u serAuthorizable) ) return ;
}
throw new UserNotAuthorizedException ( "Insufficent Provileges for user " + login + " to read node with id " + id ) ;