fix for incident #17623
parent
82732af8d1
commit
d9a9cde064
|
@ -1,14 +0,0 @@
|
|||
<application mode='online'>
|
||||
<name>StorageHub</name>
|
||||
<group>DataAccess</group>
|
||||
<version>${version}</version>
|
||||
<description>Storage Hub webapp</description>
|
||||
|
||||
<!-- <proxy protocol="https">
|
||||
<hostname>workspace-repository.dev.d4science.org</hostname>
|
||||
<port>443</port>
|
||||
</proxy> -->
|
||||
|
||||
|
||||
<local-persistence location='target' />
|
||||
</application>
|
|
@ -23,10 +23,17 @@ import org.gcube.common.storagehub.model.exceptions.UserNotAuthorizedException;
|
|||
import org.gcube.common.storagehub.model.items.Item;
|
||||
import org.gcube.common.storagehub.model.items.SharedFolder;
|
||||
import org.gcube.data.access.storagehub.handlers.Node2ItemConverter;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
||||
import lombok.extern.java.Log;
|
||||
import lombok.extern.log4j.Log4j;
|
||||
|
||||
@Singleton
|
||||
public class AuthorizationChecker {
|
||||
|
||||
|
||||
private static Logger log = LoggerFactory.getLogger(AuthorizationChecker.class);
|
||||
|
||||
@Inject
|
||||
Node2ItemConverter node2Item;
|
||||
|
||||
|
@ -39,18 +46,23 @@ public class AuthorizationChecker {
|
|||
|
||||
if (item==null) throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to read node with id "+id+": it's not a valid StorageHub node");
|
||||
|
||||
|
||||
|
||||
if (item.isShared()) {
|
||||
SharedFolder parentShared = node2Item.getItem(retrieveSharedFolderParent(node, session), Excludes.EXCLUDE_ACCOUNTING);
|
||||
|
||||
|
||||
if (parentShared.getUsers().getMap().keySet().contains(login)) return;
|
||||
|
||||
//CHECKING ACL FOR VREFOLDER AND SHARED FOLDER
|
||||
JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(session, parentShared.getPath());
|
||||
AccessControlEntry[] entries = accessControlList.getAccessControlEntries();
|
||||
Authorizable UserAuthorizable = ((JackrabbitSession) session).getUserManager().getAuthorizable(login);
|
||||
Authorizable userAuthorizable = ((JackrabbitSession) session).getUserManager().getAuthorizable(login);
|
||||
for (AccessControlEntry entry: entries) {
|
||||
log.debug("checking access right for {} with compared with {}",login, entry.getPrincipal());
|
||||
Authorizable authorizable = ((JackrabbitSession) session).getUserManager().getAuthorizable(entry.getPrincipal());
|
||||
//TODO; check why sometimes the next line gets a nullpointer
|
||||
if (!authorizable.isGroup() && entry.getPrincipal().getName().equals(login)) return;
|
||||
if (authorizable.isGroup() && ((Group) authorizable).isMember(UserAuthorizable)) return;
|
||||
if (authorizable.isGroup() && ((Group) authorizable).isMember(userAuthorizable)) return;
|
||||
}
|
||||
throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to read node with id "+id);
|
||||
|
||||
|
|
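Review bot: In the ACL loop, `getAuthorizable(entry.getPrincipal())` can return null when the principal has no matching user or group, and the next line dereferences it, which is probably what the TODO describes. A guard such as `if (authorizable == null) continue;` before the `isGroup()` calls would let the remaining entries be evaluated instead of aborting the check with a NullPointerException. The loop also returns on any entry whose principal matches, without checking whether it is an allow or a deny entry or which privileges it carries, so a deny entry naming the user or one of their groups would appear to grant read access. Testing `((JackrabbitAccessControlEntry) entry).isAllow()` first would close that, assuming the entries here are Jackrabbit entries. The enclosing method starts and ends outside the hunk, so handling elsewhere may already cover part of this.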