@Override
 public Group getWorkflowRoleGroup(
     Context context, Collection collection, String roleName, Group roleGroup)
     throws SQLException, IOException, WorkflowException, AuthorizeException {
   try {
     Role role = WorkflowUtils.getCollectionAndRepositoryRoles(collection).get(roleName);
     if (role.getScope() == Role.Scope.COLLECTION || role.getScope() == Role.Scope.REPOSITORY) {
       roleGroup = WorkflowUtils.getRoleGroup(context, collection, role);
       if (roleGroup == null) {
         authorizeService.authorizeAction(context, collection, Constants.WRITE);
         roleGroup = groupService.create(context);
         if (role.getScope() == Role.Scope.COLLECTION) {
           groupService.setName(
               roleGroup,
               "COLLECTION_" + collection.getID().toString() + "_WORKFLOW_ROLE_" + roleName);
         } else {
           groupService.setName(roleGroup, role.getName());
         }
         groupService.update(context, roleGroup);
         authorizeService.addPolicy(context, collection, Constants.ADD, roleGroup);
         if (role.getScope() == Role.Scope.COLLECTION) {
           WorkflowUtils.createCollectionWorkflowRole(context, collection, roleName, roleGroup);
         }
       }
     }
     return roleGroup;
   } catch (WorkflowConfigurationException e) {
     throw new WorkflowException(e);
   }
 }
  /*
   * Add authenticated users to the group defined in dspace.cfg by
   * the authentication-ldap.login.groupmap.* key.
   */
  private void assignGroups(String dn, String group, Context context) {
    if (StringUtils.isNotBlank(dn)) {
      System.out.println("dn:" + dn);
      int i = 1;
      String groupMap =
          ConfigurationManager.getProperty("authentication-ldap", "login.groupmap." + i);

      boolean cmp;

      while (groupMap != null) {
        String t[] = groupMap.split(":");
        String ldapSearchString = t[0];
        String dspaceGroupName = t[1];

        if (group == null) {
          cmp = StringUtils.containsIgnoreCase(dn, ldapSearchString + ",");
        } else {
          cmp = StringUtils.equalsIgnoreCase(group, ldapSearchString);
        }

        if (cmp) {
          // assign user to this group
          try {
            Group ldapGroup = groupService.findByName(context, dspaceGroupName);
            if (ldapGroup != null) {
              groupService.addMember(context, ldapGroup, context.getCurrentUser());
              groupService.update(context, ldapGroup);
            } else {
              // The group does not exist
              log.warn(
                  LogManager.getHeader(
                      context,
                      "ldap_assignGroupsBasedOnLdapDn",
                      "Group defined in authentication-ldap.login.groupmap."
                          + i
                          + " does not exist :: "
                          + dspaceGroupName));
            }
          } catch (AuthorizeException ae) {
            log.debug(
                LogManager.getHeader(
                    context,
                    "assignGroupsBasedOnLdapDn could not authorize addition to group",
                    dspaceGroupName));
          } catch (SQLException e) {
            log.debug(
                LogManager.getHeader(
                    context, "assignGroupsBasedOnLdapDn could not find group", dspaceGroupName));
          }
        }

        groupMap = ConfigurationManager.getProperty("authentication-ldap", "login.groupmap." + ++i);
      }
    }
  }
 /*
  * Add authenticated users to the group defined in dspace.cfg by
  * the login.specialgroup key.
  */
 @Override
 public List<Group> getSpecialGroups(Context context, HttpServletRequest request) {
   // Prevents anonymous users from being added to this group, and the second check
   // ensures they are LDAP users
   try {
     if (!context.getCurrentUser().getNetid().equals("")) {
       String groupName =
           ConfigurationManager.getProperty("authentication-ldap", "login.specialgroup");
       if ((groupName != null) && (!groupName.trim().equals(""))) {
         Group ldapGroup = groupService.findByName(context, groupName);
         if (ldapGroup == null) {
           // Oops - the group isn't there.
           log.warn(
               LogManager.getHeader(
                   context,
                   "ldap_specialgroup",
                   "Group defined in login.specialgroup does not exist"));
           return ListUtils.EMPTY_LIST;
         } else {
           return Arrays.asList(ldapGroup);
         }
       }
     }
   } catch (Exception npe) {
     // The user is not an LDAP user, so we don't need to worry about them
   }
   return ListUtils.EMPTY_LIST;
 }
Exemple #4
0
  public void addListGroups(String groupID, List form, int errorFlag, Collection owningCollection)
      throws WingException, SQLException {

    if (isAdvancedFormEnabled) {
      // currently set group
      form.addLabel(T_groups);
      Select groupSelect = form.addItem().addSelect("group_id");
      groupSelect.setMultiple(false);

      java.util.List<Group> loadedGroups = null;

      // retrieve groups
      String name = ConfigurationManager.getProperty("webui.submission.restrictstep.groups");
      if (name != null) {
        Group uiGroup = groupService.findByName(context, name);
        if (uiGroup != null) loadedGroups = uiGroup.getMemberGroups();
      }
      if (loadedGroups == null || loadedGroups.size() == 0) {
        loadedGroups = groupService.findAll(context, GroupService.NAME);
      }

      // if no group selected for default set anonymous
      if (groupID == null || groupID.equals("")) groupID = "0";
      // when we're just loading the main step, also default to anonymous
      if (errorFlag == AccessStep.STATUS_COMPLETE) {
        groupID = "0";
      }
      for (Group group : loadedGroups) {
        boolean selectGroup = group.getID().toString().equals(groupID);
        groupSelect.addOption(selectGroup, group.getID().toString(), group.getName());
      }

      if (errorFlag == AccessStep.STATUS_DUPLICATED_POLICY
          || errorFlag == AccessStep.EDIT_POLICY_STATUS_DUPLICATED_POLICY
          || errorFlag == UploadWithEmbargoStep.STATUS_EDIT_POLICIES_DUPLICATED_POLICY
          || errorFlag == UploadWithEmbargoStep.STATUS_EDIT_POLICY_DUPLICATED_POLICY) {
        groupSelect.addError(T_error_duplicated_policy);
      }
    }
  }
  /**
   * Internal method to remove the community and all its children from the database, and perform any
   * pre/post-cleanup
   *
   * @throws SQLException
   * @throws AuthorizeException
   * @throws IOException
   */
  protected void rawDelete(Context context, Community community)
      throws SQLException, AuthorizeException, IOException {
    log.info(
        LogManager.getHeader(context, "delete_community", "community_id=" + community.getID()));

    context.addEvent(
        new Event(
            Event.DELETE,
            Constants.COMMUNITY,
            community.getID(),
            community.getHandle(),
            getIdentifiers(context, community)));

    // Remove collections
    Iterator<Collection> collections = community.getCollections().iterator();

    while (collections.hasNext()) {
      Collection collection = collections.next();
      collections.remove();
      removeCollection(context, community, collection);
    }
    // delete subcommunities
    Iterator<Community> subCommunities = community.getSubcommunities().iterator();

    while (subCommunities.hasNext()) {
      Community subComm = subCommunities.next();
      subCommunities.remove();
      delete(context, subComm);
    }

    // Remove the logo
    setLogo(context, community, null);

    // Remove all authorization policies
    authorizeService.removeAllPolicies(context, community);

    // Remove any Handle
    handleService.unbindHandle(context, community);

    deleteMetadata(context, community);

    Group g = community.getAdministrators();

    // Delete community row
    communityDAO.delete(context, community);

    // Remove administrators group - must happen after deleting community

    if (g != null) {
      groupService.delete(context, g);
    }
  }
  @Override
  public Group createAdministrators(Context context, Community community)
      throws SQLException, AuthorizeException {
    // Check authorisation - Must be an Admin to create more Admins
    AuthorizeUtil.authorizeManageAdminGroup(context, community);

    Group admins = community.getAdministrators();
    if (admins == null) {
      // turn off authorization so that Community Admins can create Sub-Community Admins
      context.turnOffAuthorisationSystem();
      admins = groupService.create(context);
      context.restoreAuthSystemState();

      admins.setName(context, "COMMUNITY_" + community.getID() + "_ADMIN");
      groupService.update(context, admins);
    }

    authorizeService.addPolicy(context, community, Constants.ADMIN, admins);

    // register this as the admin group
    community.setAdmins(admins);
    return admins;
  }
  /**
   * Generate Policies policies READ for the date in input adding reason. New policies are assigned
   * automatically at the groups that have right on the collection. E.g., if the anonymous can
   * access the collection policies are assigned to anonymous.
   *
   * @param context The relevant DSpace Context.
   * @param embargoDate embargo end date
   * @param reason embargo reason
   * @param dso DSpace object
   * @param owningCollection collection to get group policies from
   * @throws SQLException if database error
   * @throws AuthorizeException if authorization error
   */
  @Override
  public void generateAutomaticPolicies(
      Context context,
      Date embargoDate,
      String reason,
      DSpaceObject dso,
      Collection owningCollection)
      throws SQLException, AuthorizeException {

    if (embargoDate != null || (embargoDate == null && dso instanceof Bitstream)) {

      List<Group> authorizedGroups =
          getAuthorizedGroups(context, owningCollection, Constants.DEFAULT_ITEM_READ);

      removeAllPoliciesByDSOAndType(context, dso, ResourcePolicy.TYPE_CUSTOM);

      // look for anonymous
      boolean isAnonymousInPlace = false;
      for (Group g : authorizedGroups) {
        if (StringUtils.equals(g.getName(), Group.ANONYMOUS)) {
          isAnonymousInPlace = true;
        }
      }
      if (!isAnonymousInPlace) {
        // add policies for all the groups
        for (Group g : authorizedGroups) {
          ResourcePolicy rp =
              createOrModifyPolicy(
                  null, context, null, g, null, embargoDate, Constants.READ, reason, dso);
          if (rp != null) resourcePolicyService.update(context, rp);
        }

      } else {
        // add policy just for anonymous
        ResourcePolicy rp =
            createOrModifyPolicy(
                null,
                context,
                null,
                groupService.findByName(context, Group.ANONYMOUS),
                null,
                embargoDate,
                Constants.READ,
                reason,
                dso);
        if (rp != null) resourcePolicyService.update(context, rp);
      }
    }
  }
  public boolean isCollectionAdmin(Context c) throws SQLException {
    EPerson e = c.getCurrentUser();

    if (e != null) {
      List<ResourcePolicy> policies =
          resourcePolicyService.find(
              c, e, groupService.allMemberGroups(c, e), Constants.ADMIN, Constants.COLLECTION);

      if (CollectionUtils.isNotEmpty(policies)) {
        return true;
      }
    }

    return false;
  }
  @Override
  public boolean isAdmin(Context c) throws SQLException {
    // if we're ignoring authorization, user is member of admin
    if (c.ignoreAuthorization()) {
      return true;
    }

    EPerson e = c.getCurrentUser();

    if (e == null) {
      return false; // anonymous users can't be admins....
    } else {
      return groupService.isMember(c, Group.ADMIN);
    }
  }
  @Override
  public boolean isAdmin(Context c, DSpaceObject o) throws SQLException {

    // return true if user is an Administrator
    if (isAdmin(c)) {
      return true;
    }

    if (o == null) {
      return false;
    }

    //
    // First, check all Resource Policies directly on this object
    //
    List<ResourcePolicy> policies = getPoliciesActionFilter(c, o, Constants.ADMIN);

    for (ResourcePolicy rp : policies) {
      // check policies for date validity
      if (resourcePolicyService.isDateValid(rp)) {
        if (rp.getEPerson() != null && rp.getEPerson().equals(c.getCurrentUser())) {
          return true; // match
        }

        if ((rp.getGroup() != null) && (groupService.isMember(c, rp.getGroup()))) {
          // group was set, and eperson is a member
          // of that group
          return true;
        }
      }
    }

    // If user doesn't have specific Admin permissions on this object,
    // check the *parent* objects of this object.  This allows Admin
    // permissions to be inherited automatically (e.g. Admin on Community
    // is also an Admin of all Collections/Items in that Community)
    DSpaceObject parent = serviceFactory.getDSpaceObjectService(o).getParentObject(c, o);
    if (parent != null) {
      return isAdmin(c, parent);
    }

    return false;
  }
  @Override
  public Community create(Community parent, Context context, String handle)
      throws SQLException, AuthorizeException {
    if (!(authorizeService.isAdmin(context)
        || (parent != null
            && authorizeService.authorizeActionBoolean(context, parent, Constants.ADD)))) {
      throw new AuthorizeException("Only administrators can create communities");
    }

    Community newCommunity = communityDAO.create(context, new Community());

    try {
      if (handle == null) {
        handleService.createHandle(context, newCommunity);
      } else {
        handleService.createHandle(context, newCommunity, handle);
      }
    } catch (IllegalStateException ie) {
      // If an IllegalStateException is thrown, then an existing object is already using this handle
      throw ie;
    }

    if (parent != null) {
      parent.addSubCommunity(newCommunity);
      newCommunity.addParentCommunity(parent);
    }

    // create the default authorization policy for communities
    // of 'anonymous' READ
    Group anonymousGroup = groupService.findByName(context, Group.ANONYMOUS);

    authorizeService.createResourcePolicy(
        context, newCommunity, anonymousGroup, null, Constants.READ, null);

    communityDAO.save(context, newCommunity);

    context.addEvent(
        new Event(
            Event.CREATE,
            Constants.COMMUNITY,
            newCommunity.getID(),
            newCommunity.getHandle(),
            getIdentifiers(context, newCommunity)));

    // if creating a top-level Community, simulate an ADD event at the Site.
    if (parent == null) {
      context.addEvent(
          new Event(
              Event.ADD,
              Constants.SITE,
              siteService.findSite(context).getID(),
              Constants.COMMUNITY,
              newCommunity.getID(),
              newCommunity.getHandle(),
              getIdentifiers(context, newCommunity)));
    }

    log.info(
        LogManager.getHeader(context, "create_community", "community_id=" + newCommunity.getID())
            + ",handle="
            + newCommunity.getHandle());

    return newCommunity;
  }
  // returns true if archived
  protected boolean doState(
      Context context, BasicWorkflowItem workflowItem, int newstate, EPerson newowner)
      throws SQLException, IOException, AuthorizeException {
    Collection mycollection = workflowItem.getCollection();
    Group mygroup = null;
    boolean archived = false;

    // Gather our old data for launching the workflow event
    int oldState = workflowItem.getState();

    workflowItem.setState(newstate);

    switch (newstate) {
      case WFSTATE_STEP1POOL:

        // any reviewers?
        // if so, add them to the tasklist
        workflowItem.setOwner(null);

        // get reviewers (group 1 )
        mygroup = collectionService.getWorkflowGroup(mycollection, 1);

        if ((mygroup != null) && !(groupService.isEmpty(mygroup))) {
          // get a list of all epeople in group (or any subgroups)
          List<EPerson> epa = groupService.allMembers(context, mygroup);

          // there were reviewers, change the state
          //  and add them to the list
          createTasks(context, workflowItem, epa);
          workflowItemService.update(context, workflowItem);

          // email notification
          notifyGroupOfTask(context, workflowItem, mygroup, epa);
        } else {
          // no reviewers, skip ahead
          workflowItem.setState(WFSTATE_STEP1);
          archived = advance(context, workflowItem, null, true, false);
        }

        break;

      case WFSTATE_STEP1:

        // remove reviewers from tasklist
        // assign owner
        taskListItemService.deleteByWorkflowItem(context, workflowItem);
        workflowItem.setOwner(newowner);

        break;

      case WFSTATE_STEP2POOL:

        // clear owner
        // any approvers?
        // if so, add them to tasklist
        // if not, skip to next state
        workflowItem.setOwner(null);

        // get approvers (group 2)
        mygroup = collectionService.getWorkflowGroup(mycollection, 2);

        if ((mygroup != null) && !(groupService.isEmpty(mygroup))) {
          // get a list of all epeople in group (or any subgroups)
          List<EPerson> epa = groupService.allMembers(context, mygroup);

          // there were approvers, change the state
          //  timestamp, and add them to the list
          createTasks(context, workflowItem, epa);

          // email notification
          notifyGroupOfTask(context, workflowItem, mygroup, epa);
        } else {
          // no reviewers, skip ahead
          workflowItem.setState(WFSTATE_STEP2);
          archived = advance(context, workflowItem, null, true, false);
        }

        break;

      case WFSTATE_STEP2:

        // remove admins from tasklist
        // assign owner
        taskListItemService.deleteByWorkflowItem(context, workflowItem);
        workflowItem.setOwner(newowner);

        break;

      case WFSTATE_STEP3POOL:

        // any editors?
        // if so, add them to tasklist
        workflowItem.setOwner(null);
        mygroup = collectionService.getWorkflowGroup(mycollection, 3);

        if ((mygroup != null) && !(groupService.isEmpty(mygroup))) {
          // get a list of all epeople in group (or any subgroups)
          List<EPerson> epa = groupService.allMembers(context, mygroup);

          // there were editors, change the state
          //  timestamp, and add them to the list
          createTasks(context, workflowItem, epa);

          // email notification
          notifyGroupOfTask(context, workflowItem, mygroup, epa);
        } else {
          // no editors, skip ahead
          workflowItem.setState(WFSTATE_STEP3);
          archived = advance(context, workflowItem, null, true, false);
        }

        break;

      case WFSTATE_STEP3:

        // remove editors from tasklist
        // assign owner
        taskListItemService.deleteByWorkflowItem(context, workflowItem);
        workflowItem.setOwner(newowner);

        break;

      case WFSTATE_ARCHIVE:

        // put in archive in one transaction
        // remove workflow tasks
        taskListItemService.deleteByWorkflowItem(context, workflowItem);

        mycollection = workflowItem.getCollection();

        Item myitem = archive(context, workflowItem);

        // now email notification
        notifyOfArchive(context, myitem, mycollection);
        archived = true;

        break;
    }

    logWorkflowEvent(
        context,
        workflowItem.getItem(),
        workflowItem,
        context.getCurrentUser(),
        newstate,
        newowner,
        mycollection,
        oldState,
        mygroup);

    if (!archived) {
      workflowItemService.update(context, workflowItem);
    }

    return archived;
  }
  /**
   * Check to see if the given user can perform the given action on the given object. Always returns
   * true if the ignore authorization flat is set in the current context.
   *
   * @param c current context. User is irrelevant; "ignore authorization" flag is relevant
   * @param o object action is being attempted on
   * @param action ID of action being attempted, from <code>org.dspace.core.Constants</code>
   * @param e user attempting action
   * @param useInheritance flag to say if ADMIN action on the current object or parent object can be
   *     used
   * @return <code>true</code> if user is authorized to perform the given action, <code>false</code>
   *     otherwise
   * @throws SQLException if database error
   */
  protected boolean authorize(
      Context c, DSpaceObject o, int action, EPerson e, boolean useInheritance)
      throws SQLException {
    // return FALSE if there is no DSpaceObject
    if (o == null) {
      return false;
    }

    // is authorization disabled for this context?
    if (c.ignoreAuthorization()) {
      return true;
    }

    // is eperson set? if not, userToCheck = null (anonymous)
    EPerson userToCheck = null;
    if (e != null) {
      userToCheck = e;

      // perform isAdmin check to see
      // if user is an Admin on this object
      DSpaceObject adminObject =
          useInheritance
              ? serviceFactory.getDSpaceObjectService(o).getAdminObject(c, o, action)
              : null;

      if (isAdmin(c, adminObject)) {
        return true;
      }
    }

    // In case the dso is an bundle or bitstream we must ignore custom
    // policies if it does not belong to at least one installed item (see
    // DS-2614).
    // In case the dso is an item and a corresponding workspace or workflow
    // item exist, we have to ignore custom policies (see DS-2614).
    boolean ignoreCustomPolicies = false;
    if (o instanceof Bitstream) {
      Bitstream b = (Bitstream) o;

      // Ensure that this is not a collection or community logo
      DSpaceObject parent = bitstreamService.getParentObject(c, b);
      if (!(parent instanceof Collection) && !(parent instanceof Community)) {
        ignoreCustomPolicies = !isAnyItemInstalled(c, b.getBundles());
      }
    }
    if (o instanceof Bundle) {
      ignoreCustomPolicies = !isAnyItemInstalled(c, Arrays.asList(((Bundle) o)));
    }
    if (o instanceof Item) {
      if (workspaceItemService.findByItem(c, (Item) o) != null
          || workflowItemService.findByItem(c, (Item) o) != null) {
        ignoreCustomPolicies = true;
      }
    }

    for (ResourcePolicy rp : getPoliciesActionFilter(c, o, action)) {

      if (ignoreCustomPolicies && ResourcePolicy.TYPE_CUSTOM.equals(rp.getRpType())) {
        continue;
      }

      // check policies for date validity
      if (resourcePolicyService.isDateValid(rp)) {
        if (rp.getEPerson() != null && rp.getEPerson().equals(userToCheck)) {
          return true; // match
        }

        if ((rp.getGroup() != null) && (groupService.isMember(c, rp.getGroup()))) {
          // group was set, and eperson is a member
          // of that group
          return true;
        }
      }
    }

    // default authorization is denial
    return false;
  }