Changeset 29869

Timestamp:
12.05.2015 21:47:35 (4 years ago)
Author:
ak19
Message:

First part of commit for ensuring the user is authenticated when running the scripts used by the online metadata editor. Running metaserver, BuildAndActivate and other GS2Construct.java commands should not be possible from a web browser.

Location:
main/trunk/greenstone3
Files:
4 modified

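--- a/main/trunk/greenstone3/src/java/org/greenstone/gsdl3/build/CollectionConstructor.java
+++ b/main/trunk/greenstone3/src/java/org/greenstone/gsdl3/build/CollectionConstructor.java
@@ -28,4 +28,6 @@
     /** Stores the name of the manifest file (if one is needed) */
     protected String manifest_file = null;
+    /** The URL params constructed as a query string, representing the CGI QUERY_STRING to */
+    protected String query_string = null;
 
     public CollectionConstructor(String name)
@@ -64,4 +66,9 @@
     {
         this.collection_name = coll_name;
+    }
+
+        public void setQueryString(String querystring)
+    {
+        this.query_string = querystring;
     }
 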
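Review bot: The Javadoc added for `query_string` stops mid-sentence ("representing the CGI QUERY_STRING to"), and `setQueryString` has no comment at all, so nothing tells a caller what form the value must have. Elsewhere in this changeset the field is copied unchanged into the `QUERY_STRING` environment variable of the metadata-server.pl process, so I would document that contract on the field: `/** URL parameters as one query string; passed unchanged as the CGI QUERY_STRING of metadata-server.pl, so names and values must already be URL-encoded. */`. The setter's signature line is also indented one level deeper than its body and the neighbouring methods.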
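--- a/main/trunk/greenstone3/src/java/org/greenstone/gsdl3/build/GS2PerlConstructor.java
+++ b/main/trunk/greenstone3/src/java/org/greenstone/gsdl3/build/GS2PerlConstructor.java
@@ -33,4 +33,5 @@
     public static final int BUILD = 2;
     public static final int ACTIVATE = 3;
+    public static final int SET_METADATA_SERVER = 4;
 
     /**
@@ -118,4 +119,7 @@
         case ACTIVATE:
             activateCollection();
+            break;
+        case SET_METADATA_SERVER:
+            setMetadataForCollection();
             break;
         default:
@@ -202,4 +206,5 @@
         command.add("-collectdir");
         command.add(GSFile.collectDir(this.site_home));
+        command.add("-removeold"); // saves some seconds processing time when this flag's added in explicitly
         command.addAll(extractParameters(this.process_params));
         command.add(this.collection_name);
@@ -272,4 +277,5 @@
         command.add("-collectdir");
         command.add(GSFile.collectDir(this.site_home));
+        command.add("-removeold"); // saves some seconds processing time when this flag's added in explicitly
         command.addAll(extractParameters(this.process_params));
         command.add(this.collection_name);
@@ -279,4 +285,44 @@
 
         if (runPerlCommand(command_str))
+        {
+            // success!! - need to send the final completed message
+            sendProcessComplete(new ConstructionEvent(this, GSStatus.COMPLETED, ""));
+        }// else an error message has already been sent, do nothing
+
+    }
+
+
+    protected void setMetadataForCollection()
+    {
+        sendMessage(new ConstructionEvent(this, GSStatus.INFO, "Collection metadata: setMetadata for collection."));
+
+        Vector<String> command = new Vector<String>();
+
+        String perlPath = GlobalProperties.getProperty("perl.path", "perl");
+        if (perlPath.charAt(perlPath.length() - 1) != File.separatorChar)
+        {
+            perlPath = perlPath + File.separator;
+        }
+
+        String cgi_directory = GlobalProperties.getGSDL3Home() + File.separator + "WEB-INF" + File.separator + "cgi";
+        command.add(perlPath + "perl");
+        command.add("-S");
+        //command.add(GlobalProperties.getGSDL3Home() + File.separator + "WEB-INF" + File.separator + "cgi" + File.separator + "metadata-server.pl");
+        command.add(cgi_directory + File.separator + "metadata-server.pl");
+
+        // Need to set QUERY_STRING and REQUEST_METHOD=GET in environment
+        // http://www.cgi101.com/class/ch3/text.html
+        String[] envvars = {
+            "QUERY_STRING=" + this.query_string,
+            "REQUEST_METHOD=GET"
+        };
+
+        String[] command_str = {};
+        command_str = command.toArray(command_str);
+
+        // http://www.cgi101.com/class/ch3/text.html
+        // setenv QUERY_STRING and REQUEST_METHOD = GET.
+        if (runPerlCommand(command_str, envvars, new File(cgi_directory)))
+                   //new File(GlobalProperties.getGSDL3Home() + File.separator + "WEB-INF" + File.separator + "cgi")))
         {
             // success!! - need to send the final completed message
@@ -316,5 +362,9 @@
 
     /** returns true if completed correctly, false otherwise */
-    protected boolean runPerlCommand(String[] command)
+    protected boolean runPerlCommand(String[] command) {
+    return runPerlCommand(command, null, null);
+    }
+
+    protected boolean runPerlCommand(String[] command, String[] envvars, File dir)
     {
         int sepIndex = this.gsdl3home.lastIndexOf(File.separator);
@@ -329,4 +379,10 @@
         args.add("PERL_PERTURB_KEYS=0");
 
+        if(envvars != null) {
+            for(int i = 0; i < envvars.length; i++) {
+            args.add(envvars[i]);
+            }
+        }
+
         for (String a : System.getenv().keySet())
         {
@@ -345,5 +401,7 @@
             Runtime rt = Runtime.getRuntime();
             sendProcessBegun(new ConstructionEvent(this, GSStatus.ACCEPTED, "starting"));
-            Process prcs = rt.exec(command, args.toArray(new String[args.size()]));
+            Process prcs = (dir == null)
+                ? rt.exec(command, args.toArray(new String[args.size()]))
+                : rt.exec(command, args.toArray(new String[args.size()]), dir);
 
             InputStreamReader eisr = new InputStreamReader(prcs.getErrorStream());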
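Review bot: `setMetadataForCollection()` builds `"QUERY_STRING=" + this.query_string` without checking that `setQueryString` was ever called, so a null field reaches metadata-server.pl as the literal text `null` instead of stopping the run. A guard at the top of the method that reports an error event and returns when `this.query_string == null` would make that failure visible. In `runPerlCommand`, whose body continues outside these hunks, the caller's `envvars` are appended before the loop over `System.getenv()`; if that loop copies every inherited variable, a servlet container that itself defines `QUERY_STRING` or `REQUEST_METHOD` would yield two entries for the same name, so it is worth confirming that the caller's values are the ones the child process sees. The new three-argument overload also needs its own comment, for example `/** Runs the command with extra NAME=value environment entries and an optional working directory; both may be null. */`.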
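--- a/main/trunk/greenstone3/src/java/org/greenstone/gsdl3/service/GS2Construct.java
+++ b/main/trunk/greenstone3/src/java/org/greenstone/gsdl3/service/GS2Construct.java
@@ -24,6 +24,9 @@
 import java.io.Serializable;
 import java.util.Collections;
+import java.util.Iterator;
+import java.util.Map.Entry;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.Set;
 
 import org.apache.log4j.Logger;
@@ -63,4 +66,5 @@
     private static final String DELETE_SERVICE = "DeleteCollection";
     private static final String RELOAD_SERVICE = "ReloadCollection";
+    private static final String SET_METADATA_SERVICE = "SetMetadata";
 
     // params used
@@ -120,5 +124,5 @@
                 param_list.appendChild(param);
             }
-            else if (service.equals(ACTIVATE_SERVICE) || service.equals(IMPORT_SERVICE) || service.equals(BUILD_SERVICE) || service.equals(RELOAD_SERVICE) || service.equals(DELETE_SERVICE))
+            else if (service.equals(ACTIVATE_SERVICE) || service.equals(IMPORT_SERVICE) || service.equals(BUILD_SERVICE) || service.equals(RELOAD_SERVICE) || service.equals(DELETE_SERVICE) || service.equals(SET_METADATA_SERVICE))
             {
 
@@ -140,5 +144,11 @@
     protected Element processNewCollection(Element request)
     {
-        return runCommand(request, GS2PerlConstructor.NEW);
+        if (!userHasCollectionEditPermissions(request)) {
+        Document result_doc = XMLConverter.newDOM();
+        Element result = GSXML.createBasicResponse(result_doc, "processNewCollection");
+        GSXML.addError(result, "This user does not have the required permissions to perform this action.");
+        return result;
+        }
+        return runCommand(request, GS2PerlConstructor.NEW);
     }
 
@@ -146,4 +156,11 @@
     protected Element processAddDocument(Element request)
     {
+        if (!userHasCollectionEditPermissions(request)) {
+        Document result_doc = XMLConverter.newDOM();
+        Element result = GSXML.createBasicResponse(result_doc, "processAddDocument");
+        GSXML.addError(result, "This user does not have the required permissions to perform this action.");
+        return result;
+        }
+
       Document result_doc = XMLConverter.newDOM();
         // decode the file name, add it to the import directory
@@ -163,5 +180,12 @@
     protected Element processBuildAndActivateCollection(Element request)
     {
-
+        // check permissions
+        if (!userHasCollectionEditPermissions(request)) {
+            Document result_doc = XMLConverter.newDOM();
+            Element result = GSXML.createBasicResponse(result_doc, "processBuildAndActivateCollection");
+            GSXML.addError(result, "This user does not have the required permissions to perform this action.");
+            return result;
+        }
+
         waitUntilReady(request);
         Element buildResponse = processBuildCollection(request);
@@ -197,4 +221,11 @@
     protected Element processImportCollection(Element request)
     {
+        if (!userHasCollectionEditPermissions(request)) {
+        Document result_doc = XMLConverter.newDOM();
+        Element result = GSXML.createBasicResponse(result_doc, "processImportCollection");
+        GSXML.addError(result, "This user does not have the required permissions to perform this action.");
+        return result;
+        }
+
         Element param_list = (Element) GSXML.getChildByTagName(request, GSXML.PARAM_ELEM + GSXML.LIST_MODIFIER);
         HashMap<String, Serializable> params = GSXML.extractParams(param_list, false);
@@ -260,9 +291,36 @@
     protected Element processBuildCollection(Element request)
     {
+        if (!userHasCollectionEditPermissions(request)) {
+        Document result_doc = XMLConverter.newDOM();
+        Element result = GSXML.createBasicResponse(result_doc, "processBuildCollection");
+        GSXML.addError(result, "This user does not have the required permissions to perform this action.");
+        return result;
+        }
+
         return runCommand(request, GS2PerlConstructor.BUILD);
     }
 
+    protected Element processSetMetadata(Element request)
+    {
+        if (!userHasCollectionEditPermissions(request)) {
+        Document result_doc = XMLConverter.newDOM();
+        Element result = GSXML.createBasicResponse(result_doc, "processSetMetadata");
+        GSXML.addError(result, "This user does not have the required permissions to perform this action.");
+        return result;
+        }
+
+        return runCommand(request, GS2PerlConstructor.SET_METADATA_SERVER);
+    }
+
     protected Element processActivateCollection(Element request)
     {
+
+        if (!userHasCollectionEditPermissions(request)) {
+        Document result_doc = XMLConverter.newDOM();
+        Element result = GSXML.createBasicResponse(result_doc, "processActivateCollection");
+        GSXML.addError(result, "This user does not have the required permissions to perform this action.");
+        return result;
+        }
+
         // this activates the collection on disk. but now we need to tell
         // the MR about it. but we have to wait until the process is finished.
@@ -334,4 +392,11 @@
     protected Element processDeleteCollection(Element request)
     {
+        if (!userHasCollectionEditPermissions(request)) {
+        Document result_doc = XMLConverter.newDOM();
+        Element result = GSXML.createBasicResponse(result_doc, "processDeleteCollection");
+        GSXML.addError(result, "This user does not have the required permissions to perform this action.");
+        return result;
+        }
+
       Document result_doc = XMLConverter.newDOM();
         // the response to send back
@@ -391,4 +456,11 @@
     protected Element processReloadCollection(Element request)
     {
+        if (!userHasCollectionEditPermissions(request)) {
+        Document result_doc = XMLConverter.newDOM();
+        Element result = GSXML.createBasicResponse(result_doc, "processReloadCollection");
+        GSXML.addError(result, "This user does not have the required permissions to perform this action.");
+        return result;
+        }
+
       Document result_doc = XMLConverter.newDOM();
         // the response to send back
@@ -539,4 +611,9 @@
         //this.short_service_info.appendChild(e);
 
+        e = this.desc_doc.createElement(GSXML.SERVICE_ELEM);
+        e.setAttribute(GSXML.TYPE_ATT, GSXML.SERVICE_TYPE_PROCESS);
+        e.setAttribute(GSXML.NAME_ATT, SET_METADATA_SERVICE);
+        this.short_service_info.appendChild(e);
+
         return true;
     }
@@ -592,5 +669,5 @@
         }
 
-        // do teh actual command
+        // do the actual command
         String coll_name = null;
         if (type == GS2PerlConstructor.NEW)
@@ -624,4 +701,27 @@
         {
             constructor.setManifestFile(this.site_home + File.separator + "collect" + File.separator + params.get(COL_PARAM) + File.separator + "manifests" + File.separator + "tempManifest.xml");
+        }
+        else if (type == GS2PerlConstructor.SET_METADATA_SERVER) {
+            StringBuffer querystring = new StringBuffer();
+
+            // convert params into a single string again?
+            Set<Map.Entry<String, Serializable>> entries = params.entrySet();
+            Iterator<Map.Entry<String, Serializable>> i = entries.iterator();
+            while(i.hasNext()) {
+
+            Map.Entry<String, Serializable> entry = i.next();
+            String paramname = entry.getKey();
+            paramname = paramname.replace("s1.", ""); // replaces all occurrences
+            if(paramname.equals("collection")) {
+                paramname = "c";
+            }
+            String paramvalue = (String)entry.getValue();
+
+            querystring.append(paramname + "=" + paramvalue);
+            if(i.hasNext()) {
+                querystring.append("&");
+            }
+            }
+            constructor.setQueryString(querystring.toString());
         }
 
@@ -805,3 +905,36 @@
         return false;
     }
+
+
+    /** Copy from DebugService.userHasEditPermissions
+     This function checks that the user is logged in and that the user
+     is in the right group to edit the collection */
+    protected boolean userHasCollectionEditPermissions(Element request) {
+    Element param_list = (Element) GSXML.getChildByTagName(request, GSXML.PARAM_ELEM + GSXML.LIST_MODIFIER);
+    HashMap<String, Serializable> params = GSXML.extractParams(param_list, false);
+    String collection = (String) params.get(COL_PARAM); // could be null on newcoll operation
+
+    UserContext context = new UserContext(request);
+    if(collection == null) {
+    return !context.getUsername().equals("");
+    }
+    for (String group : context.getGroups()) {
+      // administrator always has permission
+      if (group.equals("administrator")) {
+    return true;
+      }
+      // all-collections-editor can edit any collection
+      if (!collection.equals("")) {
+    if (group.equals("all-collections-editor")) {
+      return true;
+    }
+    if (group.equals(collection+"-collection-editor")) {
+      return true;
+    }
+      }
+    }
+    // haven't found a group with edit permissions
+    return false;
+
+  }
 }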
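Review bot: In the `SET_METADATA_SERVER` branch added at new line 704 (presumably inside `runCommand`, whose signature and end are outside the hunk), `querystring.append(paramname + "=" + paramvalue)` joins the already-decoded request parameters without re-encoding them, so a value that contains `&` or `=` is read by metadata-server.pl as additional parameters and the collection the script acts on can differ from the one the permission check approved. Encoding both parts closes that gap: `querystring.append(URLEncoder.encode(paramname, "UTF-8") + "=" + URLEncoder.encode(paramvalue, "UTF-8"));`, with `java.net.URLEncoder` imported and the checked `UnsupportedEncodingException` handled. The same loop strips `s1.` from the parameter names, whereas `userHasCollectionEditPermissions` looks up `COL_PARAM` directly on the map returned by `GSXML.extractParams(param_list, false)`; if the keys do arrive prefixed, that lookup returns null and the helper takes its `collection == null` branch, which accepts any logged-in user regardless of group. That branch is commented as being for the new-collection operation only, so it should be confirmed that no other service can reach it by omitting or prefixing the collection parameter.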
  • main/trunk/greenstone3/web/interfaces/default/js/javascript-global-functions.js

    r27811 r29869  
    424424function callMetadataServer(callingFunction, url, responseFunction) 
    425425{ 
     426    // rewrite URLs to call GS2Construct's SetMetadata service instead 
     427    url = url.replace("&c=",  "&collection="); // c is a special param name for GS2Construct 
     428    url = url.replace(/(&|\?)([^=]*=)/g, "$1"+"s1.$2"); // prefix param names with "s1." 
     429    url = url.replace("cgi-bin/metadata-server.pl?",  gs.xsltParams.library_name + "?a=g&rt=r&ro=1&s=SetMetadata&"); 
     430 
     431 
    426432    $.ajax(url) 
    427433    .success(function(response)