@Override
public void switchPoliciesAction(Context context, DSpaceObject dso, int fromAction, int toAction)
throws SQLException, AuthorizeException {
List<ResourcePolicy> rps = getPoliciesActionFilter(context, dso, fromAction);
for (ResourcePolicy rp : rps) {
rp.setAction(toAction);
}
resourcePolicyService.update(context, rps);
}
@Override
public List<Group> getAuthorizedGroups(Context c, DSpaceObject o, int actionID)
throws java.sql.SQLException {
List<ResourcePolicy> policies = getPoliciesActionFilter(c, o, actionID);
List<Group> groups = new ArrayList<Group>();
for (ResourcePolicy resourcePolicy : policies) {
if (resourcePolicy.getGroup() != null) {
groups.add(resourcePolicy.getGroup());
}
}
return groups;
}
@Override
public void inheritPolicies(Context c, DSpaceObject src, DSpaceObject dest)
throws SQLException, AuthorizeException {
// find all policies for the source object
List<ResourcePolicy> policies = getPolicies(c, src);
// Only inherit non-ADMIN policies (since ADMIN policies are automatically inherited)
List<ResourcePolicy> nonAdminPolicies = new ArrayList<ResourcePolicy>();
for (ResourcePolicy rp : policies) {
if (rp.getAction() != Constants.ADMIN) {
nonAdminPolicies.add(rp);
}
}
addPolicies(c, nonAdminPolicies, dest);
}
@Override
public boolean isAdmin(Context c, DSpaceObject o) throws SQLException {
// return true if user is an Administrator
if (isAdmin(c)) {
return true;
}
if (o == null) {
return false;
}
//
// First, check all Resource Policies directly on this object
//
List<ResourcePolicy> policies = getPoliciesActionFilter(c, o, Constants.ADMIN);
for (ResourcePolicy rp : policies) {
// check policies for date validity
if (resourcePolicyService.isDateValid(rp)) {
if (rp.getEPerson() != null && rp.getEPerson().equals(c.getCurrentUser())) {
return true; // match
}
if ((rp.getGroup() != null) && (groupService.isMember(c, rp.getGroup()))) {
// group was set, and eperson is a member
// of that group
return true;
}
}
}
// If user doesn't have specific Admin permissions on this object,
// check the *parent* objects of this object. This allows Admin
// permissions to be inherited automatically (e.g. Admin on Community
// is also an Admin of all Collections/Items in that Community)
DSpaceObject parent = serviceFactory.getDSpaceObjectService(o).getParentObject(c, o);
if (parent != null) {
return isAdmin(c, parent);
}
return false;
}
@Override
public ResourcePolicy createOrModifyPolicy(
ResourcePolicy policy,
Context context,
String name,
Group group,
EPerson ePerson,
Date embargoDate,
int action,
String reason,
DSpaceObject dso)
throws AuthorizeException, SQLException {
int policyID = -1;
if (policy != null) policyID = policy.getID();
// if an identical policy (same Action and same Group) is already in place modify it...
ResourcePolicy policyTemp = findByTypeIdGroupAction(context, dso, group, action, policyID);
if (policyTemp != null) {
policy = policyTemp;
policy.setRpType(ResourcePolicy.TYPE_CUSTOM);
}
if (policy == null) {
policy =
createResourcePolicy(context, dso, group, ePerson, action, ResourcePolicy.TYPE_CUSTOM);
}
policy.setGroup(group);
policy.setEPerson(ePerson);
if (embargoDate != null) {
policy.setStartDate(embargoDate);
} else {
policy.setStartDate(null);
policy.setEndDate(null);
}
policy.setRpName(name);
policy.setRpDescription(reason);
return policy;
}
@Override
public ResourcePolicy createResourcePolicy(
Context context, DSpaceObject dso, Group group, EPerson eperson, int type, String rpType)
throws SQLException, AuthorizeException {
if (group == null && eperson == null) {
throw new IllegalArgumentException(
"We need at least an eperson or a group in order to create a resource policy.");
}
ResourcePolicy myPolicy = resourcePolicyService.create(context);
myPolicy.setdSpaceObject(dso);
myPolicy.setAction(type);
myPolicy.setGroup(group);
myPolicy.setEPerson(eperson);
myPolicy.setRpType(rpType);
resourcePolicyService.update(context, myPolicy);
return myPolicy;
}
@Override
public boolean isAnIdenticalPolicyAlreadyInPlace(Context c, DSpaceObject o, ResourcePolicy rp)
throws SQLException {
return isAnIdenticalPolicyAlreadyInPlace(c, o, rp.getGroup(), rp.getAction(), rp.getID());
}
@Override
public void addPolicies(Context c, List<ResourcePolicy> policies, DSpaceObject dest)
throws SQLException, AuthorizeException {
// now add them to the destination object
List<ResourcePolicy> newPolicies = new LinkedList<>();
for (ResourcePolicy srp : policies) {
ResourcePolicy rp = resourcePolicyService.create(c);
// copy over values
rp.setdSpaceObject(dest);
rp.setAction(srp.getAction());
rp.setEPerson(srp.getEPerson());
rp.setGroup(srp.getGroup());
rp.setStartDate(srp.getStartDate());
rp.setEndDate(srp.getEndDate());
rp.setRpName(srp.getRpName());
rp.setRpDescription(srp.getRpDescription());
rp.setRpType(srp.getRpType());
// and add policy to list of new policies
newPolicies.add(rp);
}
resourcePolicyService.update(c, newPolicies);
}
/**
* Check to see if the given user can perform the given action on the given object. Always returns
* true if the ignore authorization flat is set in the current context.
*
* @param c current context. User is irrelevant; "ignore authorization" flag is relevant
* @param o object action is being attempted on
* @param action ID of action being attempted, from <code>org.dspace.core.Constants</code>
* @param e user attempting action
* @param useInheritance flag to say if ADMIN action on the current object or parent object can be
* used
* @return <code>true</code> if user is authorized to perform the given action, <code>false</code>
* otherwise
* @throws SQLException if database error
*/
protected boolean authorize(
Context c, DSpaceObject o, int action, EPerson e, boolean useInheritance)
throws SQLException {
// return FALSE if there is no DSpaceObject
if (o == null) {
return false;
}
// is authorization disabled for this context?
if (c.ignoreAuthorization()) {
return true;
}
// is eperson set? if not, userToCheck = null (anonymous)
EPerson userToCheck = null;
if (e != null) {
userToCheck = e;
// perform isAdmin check to see
// if user is an Admin on this object
DSpaceObject adminObject =
useInheritance
? serviceFactory.getDSpaceObjectService(o).getAdminObject(c, o, action)
: null;
if (isAdmin(c, adminObject)) {
return true;
}
}
// In case the dso is an bundle or bitstream we must ignore custom
// policies if it does not belong to at least one installed item (see
// DS-2614).
// In case the dso is an item and a corresponding workspace or workflow
// item exist, we have to ignore custom policies (see DS-2614).
boolean ignoreCustomPolicies = false;
if (o instanceof Bitstream) {
Bitstream b = (Bitstream) o;
// Ensure that this is not a collection or community logo
DSpaceObject parent = bitstreamService.getParentObject(c, b);
if (!(parent instanceof Collection) && !(parent instanceof Community)) {
ignoreCustomPolicies = !isAnyItemInstalled(c, b.getBundles());
}
}
if (o instanceof Bundle) {
ignoreCustomPolicies = !isAnyItemInstalled(c, Arrays.asList(((Bundle) o)));
}
if (o instanceof Item) {
if (workspaceItemService.findByItem(c, (Item) o) != null
|| workflowItemService.findByItem(c, (Item) o) != null) {
ignoreCustomPolicies = true;
}
}
for (ResourcePolicy rp : getPoliciesActionFilter(c, o, action)) {
if (ignoreCustomPolicies && ResourcePolicy.TYPE_CUSTOM.equals(rp.getRpType())) {
continue;
}
// check policies for date validity
if (resourcePolicyService.isDateValid(rp)) {
if (rp.getEPerson() != null && rp.getEPerson().equals(userToCheck)) {
return true; // match
}
if ((rp.getGroup() != null) && (groupService.isMember(c, rp.getGroup()))) {
// group was set, and eperson is a member
// of that group
return true;
}
}
}
// default authorization is denial
return false;
}
