- Timestamp:
- 2017-03-27T21:35:40+13:00 (7 years ago)
- File:
-
- 1 edited
main/trunk/greenstone3/src/java/org/greenstone/gsdl3/service/GS2Construct.java
r31540 r31541 68 68 static Logger logger = Logger.getLogger(org.greenstone.gsdl3.service.GS2Construct.class.getName()); 69 69 70 // default error message 71 private static final String NO_PERMISSIONS_ERROR = "This user does not have the required permissions to perform this action."; 72 70 73 // services offered 71 74 private static final String NEW_SERVICE = "NewCollection"; … … 160 163 { 161 164 if (!userHasCollectionEditPermissions(request)) { 162 Document result_doc = XMLConverter.newDOM(); 163 Element result = GSXML.createBasicResponse(result_doc, "processNewCollection"); 164 GSXML.addError(result, "This user does not have the required permissions to perform this action."); 165 return result; 165 return errorResponse("processNewCollection", NO_PERMISSIONS_ERROR); 166 166 } 167 167 return runCommand(request, GS2PerlConstructor.NEW); … … 172 172 { 173 173 if (!userHasCollectionEditPermissions(request)) { 174 Document result_doc = XMLConverter.newDOM(); 175 Element result = GSXML.createBasicResponse(result_doc, "processAddDocument"); 176 GSXML.addError(result, "This user does not have the required permissions to perform this action."); 177 return result; 174 return errorResponse("processAddDocument", NO_PERMISSIONS_ERROR); 178 175 } 179 176 … … 197 194 // check permissions 198 195 if (!userHasCollectionEditPermissions(request)) { 199 Document result_doc = XMLConverter.newDOM(); 200 Element result = GSXML.createBasicResponse(result_doc, "processBuildAndActivateCollection"); 201 GSXML.addError(result, "This user does not have the required permissions to perform this action."); 202 return result; 196 return errorResponse("processBuildAndActivateCollection", NO_PERMISSIONS_ERROR); 203 197 } 204 198 … … 239 233 { 240 234 if (!userHasCollectionEditPermissions(request)) { 241 Document result_doc = XMLConverter.newDOM(); 242 Element result = GSXML.createBasicResponse(result_doc, "processImportCollection"); 243 GSXML.addError(result, "This user does not have the required 
permissions to perform this action."); 244 return result; 235 return errorResponse("processImportCollection", NO_PERMISSIONS_ERROR); 245 236 } 246 237 … … 309 300 { 310 301 if (!userHasCollectionEditPermissions(request)) { 311 Document result_doc = XMLConverter.newDOM(); 312 Element result = GSXML.createBasicResponse(result_doc, "processBuildCollection"); 313 GSXML.addError(result, "This user does not have the required permissions to perform this action."); 314 return result; 302 return errorResponse("processBuildCollection", NO_PERMISSIONS_ERROR); 315 303 } 316 304 … … 328 316 Element param_list = (Element) GSXML.getChildByTagName(request, GSXML.PARAM_ELEM + GSXML.LIST_MODIFIER); 329 317 HashMap<String, Serializable> params = GSXML.extractParams(param_list, false); 330 331 // If a user is only adding comments, they don't need to have editing powers over a collection 332 // but they need to be logged in 333 String[] docids = getDocIDsifAddingUserComments(params); //isAddingUserComments(request, params); 334 boolean isAddingUserComments = (docids == null) ? false : true; 335 336 if(isAddingUserComments) { // adding user comments, check if user logged in 318 319 String metaserver_command = (String) params.get("a"); // e.g. set-archives-metadata or set-metadata-array 320 boolean supportsSettingMultipleMeta = metaserver_command.equals("set-metadata-array") ? 
true : false; 321 String json_str = (String) params.get("json"); // String or null if no param named "json" 322 323 String[] docids = null; 324 325 326 if (userHasCollectionEditPermissions(request, params)) { // means user can modify ANY metadata 327 328 // if dealing with an array of meta, then parse out the docids from the json 329 if(supportsSettingMultipleMeta) { 330 docids = getDocIdsWithOptFilter(json_str, null); 331 } // else set-meta operation on single metadata field of single doc, 332 // and docid will be obtained in runCommand() where it's needed 333 334 } else { 335 // check if user logged in 336 // shouldn't be able to do any meta modification if not logged in 337 337 338 UserContext context = new UserContext(request); 338 339 // A restricted set of metadata is modifiable when adding user comments: 340 // only the username, usertimestamp and usercomment metadata fields. 341 // If that's all that's being modified, isAddingUserComments() would have returned true, 342 // so finally check if the caller is logged in as a user. 343 if (context.getUsername().equals("")) { 344 Document result_doc = XMLConverter.newDOM(); 345 Element result = GSXML.createBasicResponse(result_doc, "processModifyMetadata"); 346 GSXML.addError(result, "Cannot add user comments if not logged in."); // or if attempting to set meta not related to user comments. 347 return result; // not logged in 348 } 349 350 } 351 else if (!userHasCollectionEditPermissions(request, params)) { 352 Document result_doc = XMLConverter.newDOM(); 353 Element result = GSXML.createBasicResponse(result_doc, "processModifyMetadata"); 354 GSXML.addError(result, "This user does not have the required permissions to perform this action."); // also get here if user was attempting to set meta not related to user comments. 
355 return result; 339 if (context.getUsername().equals("")) { 340 341 return errorResponse("processModifyMetadata", "Cannot modify any metadata when not logged in."); 342 } else { // User is logged in at least, see whether they can do any restricted set-meta ops 343 // that are open to regular users (those without permissions to edit this collection). 344 // For now, there's only one restricted set-meta operation open to any logged in users 345 // who don't otherwise have editing permissions for the collection: adding user comments. 346 347 boolean isAddingUserComments = false; 348 Pattern allowedMetaFieldsPattern = Pattern.compile("^(username|usertimestamp|usercomment)$"); 349 if(supportsSettingMultipleMeta) { 350 351 docids = getDocIdsWithOptFilter(json_str, allowedMetaFieldsPattern); 352 if(docids != null) { 353 isAddingUserComments = true; 354 } 355 } else { 356 String metaname = (String) params.get("metaname"); 357 if(isAllowedToSetMeta(metaname, allowedMetaFieldsPattern)) { 358 isAddingUserComments = true; 359 } 360 } 361 362 if(!isAddingUserComments) { // logged in user is attempting to set meta outside restricted set, 363 // In this case, they're attempting to set meta not related to user comments 364 return errorResponse("processModifyMetadata", NO_PERMISSIONS_ERROR); 365 } 366 } 356 367 } 357 368 … … 400 411 401 412 if (!userHasCollectionEditPermissions(request)) { 402 Document result_doc = XMLConverter.newDOM(); 403 Element result = GSXML.createBasicResponse(result_doc, "processActivateCollection"); 404 GSXML.addError(result, "This user does not have the required permissions to perform this action."); 405 return result; 413 return errorResponse("processActivateCollection", NO_PERMISSIONS_ERROR); 406 414 } 407 415 … … 478 486 { 479 487 if (!userHasCollectionEditPermissions(request)) { 480 Document result_doc = XMLConverter.newDOM(); 481 Element result = GSXML.createBasicResponse(result_doc, "processDeleteCollection"); 482 GSXML.addError(result, "This 
user does not have the required permissions to perform this action."); 483 return result; 488 return errorResponse("processDeleteCollection", NO_PERMISSIONS_ERROR); 484 489 } 485 490 … … 542 547 { 543 548 if (!userHasCollectionEditPermissions(request)) { 544 Document result_doc = XMLConverter.newDOM(); 545 Element result = GSXML.createBasicResponse(result_doc, "processReloadCollection"); 546 GSXML.addError(result, "This user does not have the required permissions to perform this action."); 547 return result; 549 return errorResponse("processReloadCollection", NO_PERMISSIONS_ERROR); 548 550 } 549 551 … … 1021 1023 } 1022 1024 1023 // getDocIdsWithOptFilter(JSONArray json, Pattern filterFields, boolean strictOrPermissible) 1024 protected String[] getDocIDsifAddingUserComments(HashMap<String, Serializable> params) { 1025 1026 String metaserver_command = (String) params.get("a"); // e.g. set-archives-metadata or set-metadata-array 1027 // quickest test: 1028 // if not calling set-metadata-array, then it definitely won't be a set-usercomments operation 1029 if(!metaserver_command.equals("set-metadata-array")) { 1025 protected boolean isAllowedToSetMeta(String metaname, Pattern allowedMetaFieldsPattern) 1026 { 1027 if(metaname == null) { 1028 logger.info("### Can't check null metaname against pattern"); 1029 return false; 1030 } 1031 1032 Matcher m = allowedMetaFieldsPattern.matcher(metaname); 1033 if(!m.matches()) { 1034 logger.info("### metaname: " + metaname + " doesn't match allowed allowed fields: " + allowedMetaFieldsPattern.toString()); 1035 return false; 1036 } else { 1037 return true; 1038 } 1039 } 1040 1041 protected String[] getDocIdsWithOptFilter(String json_str, Pattern filterFields) // boolean strictOrPermissible 1042 { 1043 if(json_str == null) { 1044 logger.error("### Shouldn't be happening: null json string"); 1030 1045 return null; 1031 1046 } 1032 1047 1033 // Confirm that the set-meta-array operation is only attempting to modify user comments 
metadata1034 1035 1048 String[] docids = null; 1036 String json_str = (String) params.get("json"); // will have a "json" field if doing set-meta-array 1037 Pattern p = Pattern.compile("^(username|usertimestamp|usercomment)$"); 1038 1039 // check that the name of each that's metadata to be set is one of username|usercomment|usertimestamp 1040 // Anything else means something more than adding user comments is being attempted, which is invalid 1049 1050 // check that the name of each metadata being set matches the pattern filterFields. 1051 // The presence of any other meta means something other than adding user comments is being attempted, 1052 // which is invalid 1041 1053 try { 1042 1054 … … 1057 1069 String metaname = meta.getString("metaname"); 1058 1070 logger.info("### metaname: " + metaname); 1059 Matcher m = p.matcher(metaname); 1060 if(!m.matches()) { 1061 logger.info("### metaname: " + metaname + " doesn't match"); 1071 1072 if(!isAllowedToSetMeta(metaname, filterFields)) { 1062 1073 return null; 1063 1074 } … … 1079 1090 return docids; 1080 1091 1092 } 1093 1094 protected Element errorResponse(String serviceName, String errorMsg) { 1095 Document result_doc = XMLConverter.newDOM(); 1096 Element result = GSXML.createBasicResponse(result_doc, serviceName); 1097 GSXML.addError(result, errorMsg); 1098 return result; 1081 1099 } 1082 1100
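Review bot: In the non-editor branch of processModifyMetadata the allowlist is applied only to `metaname`, while the request-supplied `a` command is never restricted: any value other than `set-metadata-array` takes the single-field branch and passes once `metaname` matches. If runCommand (not visible here) dispatches other metadata-server actions, a logged-in user without edit rights could run them against the comment fields, so the accepted commands should be allowlisted on that branch as well. Separately, `metaserver_command.equals("set-metadata-array")` throws a NullPointerException when the request carries no `a` parameter; `"set-metadata-array".equals(metaserver_command)` avoids that. The editor branch calls `getDocIdsWithOptFilter(json_str, null)`, and the visible part of that method hands the null filter to `isAllowedToSetMeta`, which calls `allowedMetaFieldsPattern.matcher(metaname)` unguarded; unless the elided lines already handle it, use `if (filterFields != null && !isAllowedToSetMeta(metaname, filterFields))` so the helper itself stays fail-closed. Both processModifyMetadata and getDocIdsWithOptFilter are only partly shown in this changeset view.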