gCubeSystem
/
storagehub
16
0
Fork 0
Code Issues Pull Requests Releases 2 Wiki Activity

fix for incident #17623

This commit is contained in:
lucio 2019-09-30 09:41:48 +02:00
parent 82732af8d1
commit d9a9cde064
2 changed files with 16 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
distro/gcube-app.xml
View File

@ -1,14 +0,0 @@
<application mode='online'>
<name>StorageHub</name>
<group>DataAccess</group>
<version>${version}</version>
<description>Storage Hub webapp</description>
<!-- <proxy protocol="https">
<hostname>workspace-repository.dev.d4science.org</hostname>
<port>443</port>
</proxy> -->
<local-persistence location='target' />
</application>

20
src/main/java/org/gcube/data/access/storagehub/AuthorizationChecker.java
View File

@ -23,10 +23,17 @@ import org.gcube.common.storagehub.model.exceptions.UserNotAuthorizedException;
import org.gcube.common.storagehub.model.items.Item; import org.gcube.common.storagehub.model.items.Item;
import org.gcube.common.storagehub.model.items.SharedFolder; import org.gcube.common.storagehub.model.items.SharedFolder;
import org.gcube.data.access.storagehub.handlers.Node2ItemConverter; import org.gcube.data.access.storagehub.handlers.Node2ItemConverter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import lombok.extern.java.Log;
import lombok.extern.log4j.Log4j;
@Singleton @Singleton
public class AuthorizationChecker { public class AuthorizationChecker {
private static Logger log = LoggerFactory.getLogger(AuthorizationChecker.class);
@Inject @Inject
Node2ItemConverter node2Item; Node2ItemConverter node2Item;
@ -39,18 +46,23 @@ public class AuthorizationChecker {
if (item==null) throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to read node with id "+id+": it's not a valid StorageHub node"); if (item==null) throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to read node with id "+id+": it's not a valid StorageHub node");
if (item.isShared()) { if (item.isShared()) {
SharedFolder parentShared = node2Item.getItem(retrieveSharedFolderParent(node, session), Excludes.EXCLUDE_ACCOUNTING); SharedFolder parentShared = node2Item.getItem(retrieveSharedFolderParent(node, session), Excludes.EXCLUDE_ACCOUNTING);
if (parentShared.getUsers().getMap().keySet().contains(login)) return;
//CHECKING ACL FOR VREFOLDER AND SHARED FOLDER //CHECKING ACL FOR VREFOLDER AND SHARED FOLDER
JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(session, parentShared.getPath()); JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(session, parentShared.getPath());
AccessControlEntry[] entries = accessControlList.getAccessControlEntries(); AccessControlEntry[] entries = accessControlList.getAccessControlEntries();
Authorizable UserAuthorizable = ((JackrabbitSession) session).getUserManager().getAuthorizable(login); Authorizable userAuthorizable = ((JackrabbitSession) session).getUserManager().getAuthorizable(login);
for (AccessControlEntry entry: entries) { for (AccessControlEntry entry: entries) {
log.debug("checking access right for {} with compared with {}",login, entry.getPrincipal());
Authorizable authorizable = ((JackrabbitSession) session).getUserManager().getAuthorizable(entry.getPrincipal()); Authorizable authorizable = ((JackrabbitSession) session).getUserManager().getAuthorizable(entry.getPrincipal());
//TODO; check why sometimes the next line gets a nullpointer //TODO; check why sometimes the next line gets a nullpointer
if (!authorizable.isGroup() && entry.getPrincipal().getName().equals(login)) return; if (!authorizable.isGroup() && entry.getPrincipal().getName().equals(login)) return;
if (authorizable.isGroup() && ((Group) authorizable).isMember(UserAuthorizable)) return; if (authorizable.isGroup() && ((Group) authorizable).isMember(userAuthorizable)) return;
} }
throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to read node with id "+id); throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to read node with id "+id);