Changeset 38219 for main/trunk/greenstone3/src

Timestamp:

2023-09-25T23:16:31+13:00 (8 months ago)

Author:

anupama

Message:

Runtime server side changes to recognise remove-metadata-array method. It is not like set-metadata-array, which for UserComments means it's in add user comments mode and thus can be done by any logged in user. If remove-metadata-array is called, presumably the user should have collection editing permissions, or if usercomments are involved, then they certainly have to be (as specified by Dr Bainbridge) in the administrator group. Note that I still have issues with actually using remove_metadata_array to delete user comments as admin: things fail when attempting to remove_archives_metadata(_array), which I will be investigating next. But I wanted the code committed, so it won't get lost when we move to a new room this week, which could take place at any time possibly.

File:

• main/trunk/greenstone3/src/java/org/greenstone/gsdl3/service/GS2Construct.java (modified) (10 diffs)

main/trunk/greenstone3/src/java/org/greenstone/gsdl3/service/GS2Construct.java

@@ -320 +320 @@
     {
 
-        // There are two types of operations whereby metadata gets modified:
+        // There are now 3 types of operations whereby metadata gets modified:
         // - document including document-meta editing: user needs document editing powers
         // - adding user comments: user just needs an account and needs to be logged in
-        // We handle both cases in this service.
+        // - removing user comments: user needs to be in administrator group
+        // We handle all 3 cases in this service.
 
         Element param_list = (Element) GSXML.getChildByTagName(request, GSXML.PARAM_ELEM + GSXML.LIST_MODIFIER);
@@ -333 +334 @@
 
         String[] docids = null;
+
+        // For user comments (setting or removing), these are the allowed metadata fields
+        Pattern allowedMetaFieldsPattern = Pattern.compile("^(username|usertimestamp|usercomment)$");
+        String lang = request.getAttribute(GSXML.LANG_ATT);
         
-
-        if (userHasCollectionEditPermissions(request, params)) { // means user can modify ANY metadata
+        boolean isAdminRemovingUserComments = false;
+        
+        // Have to be admin to do remove-metadata-array for user comments meta fields
+        if (metaserver_command.equals("remove-metadata-array")) {
+        // check if only removing user comments metadata fields
+        docids = getDocIdsWithOptFilter(json_str, allowedMetaFieldsPattern);
+        if(docids != null) {
+            isAdminRemovingUserComments = true;
+        }
+
+        if(!userIsAdministrator(request, params)) {
+            isAdminRemovingUserComments = false;
+            return errorResponse("processModifyMetadata", NO_PERMISSIONS_ERROR, lang);
+        }       
+        }
+
+        if(isAdminRemovingUserComments) {
+        // everything is set up already now for admin to remove user comments
+        }       
+        else if (userHasCollectionEditPermissions(request, params)) { // means user can modify ANY metadata
 
         // if dealing with an array of meta, then parse out the docids from the json
         if(supportsSettingMultipleMeta) {
             docids = getDocIdsWithOptFilter(json_str, null);
+        } else if (metaserver_command.equals("remove-metadata-array")) {
+            // removing multiple metadata that are Not user comments
+            // can be done by any user with collection edit permissions
+            docids = getDocIdsWithOptFilter(json_str, null);
         } // else set-meta operation on single metadata field of single doc, 
           // and docid will be obtained in runCommand() where it's needed
@@ -348 +375 @@
 
         UserContext context = new UserContext(request);
-        String lang = request.getAttribute(GSXML.LANG_ATT);
         if (context.getUsername().equals("")) {
             
@@ -358 +384 @@
             
             boolean isAddingUserComments = false;
-            Pattern allowedMetaFieldsPattern = Pattern.compile("^(username|usertimestamp|usercomment)$");
+            
             if(supportsSettingMultipleMeta) {
             
@@ -367 +393 @@
             } else {
             String metaname = (String) params.get("metaname");
-            if(isAllowedToSetMeta(metaname, allowedMetaFieldsPattern)) {
+            if(isAllowedToModifyMeta(metaname, allowedMetaFieldsPattern)) {
                 isAddingUserComments = true;
             }
@@ -743 +769 @@
 
     protected Element runCommand(Element request, int type) {
-        return runCommand(request, type, null);
+        return runCommand(request, type, null);
     }
 
     /** returns a response element */
     protected Element runCommand(Element request, int type, String[] docids)
-    {
+    {       
         Document result_doc = XMLConverter.newDOM();
         // the response to send back
@@ -869 +895 @@
                 }
             }
+            
+            // Mark files for reindexing (e.g. if set-meta or remove-meta was called)
+            // Note that remove-meta doesn't mean the document should be marked for
+            // Deletion: only meta was removed.
             
             if (oid != null) { // if we have only one oid
@@ -1102 +1132 @@
     }
 
-    protected boolean isAllowedToSetMeta(String metaname, Pattern allowedMetaFieldsPattern) 
+    protected boolean isAllowedToModifyMeta(String metaname, Pattern allowedMetaFieldsPattern) 
     {
     if(allowedMetaFieldsPattern == null) { // null when user has edit permissions, so they can set any meta
@@ -1153 +1183 @@
             ///logger.info("### metaname: " + metaname);
             
-            if(!isAllowedToSetMeta(metaname, filterFields)) {
+            if(!isAllowedToModifyMeta(metaname, filterFields)) {
                 return null;
             }
@@ -1192 +1222 @@
     return userHasCollectionEditPermissions(request, params);
 
+    }
+
+    protected boolean userIsAdministrator(Element request, HashMap<String, Serializable> params) {
+    
+    UserContext context = new UserContext(request); 
+    
+    for (String group : context.getGroups()) {
+        // administrator always has permission
+        if (group.equals("administrator")) {
+        return true;
+        }
+    }
+
+    return false;
     }