@AroundInvoke public Object invoke(InvocationContext ctx) throws Exception { Object[] params = ctx.getParameters(); Secured secureAnnotation = ctx.getMethod().getAnnotation(Secured.class); if (params.length > 0) { // just verify first attribute Object param = params[0]; SecuredEntity se = param.getClass().getAnnotation(SecuredEntity.class); if (se != null && param instanceof Entity<?>) { Entity<?> entity = (Entity<?>) param; if (entity.getId() == null) { // create mode, need to verify parent entity entity = (Entity<?>) PropertyUtils.getProperty(entity, se.parent()); } if (!authorizationService.isUserAuthorizedFor(secureAnnotation.accessType(), entity)) { throw new org.perfrepo.web.security.SecurityException( "securityException.permissionDenied", ctx.getMethod().getName(), param.getClass().getSimpleName(), ((Entity<?>) param).getId().toString()); } } } return ctx.proceed(); }
@Override public void filter(final ContainerRequestContext requestContext) throws IOException { String method = requestContext.getMethod(); String requestUrl = requestContext.getUriInfo().getPath(); // We do allow wadl to be retrieve if (method.equals("GET") && (requestUrl.indexOf("application.wadl") > -1 || requestUrl.indexOf("api-docs") > -1)) { return; } // Get the authentification passed in HTTP headers parameters String authToken = requestContext.getHeaderString("authorization"); SecurityContext context = null; if (StringUtils.isNotBlank(authToken)) { AuthorizationRequestContext authRequestContext = AuthorizationRequestContext.with() .httpMethod(method) .requestUrl(requestUrl) .authorizationToken(authToken) .build(); context = authorizationService.authorize(authRequestContext); } else { context = new SecurityContextImpl(); } requestContext.setSecurityContext(context); }
@Override public List<Integer> getOrganizationProfiles(int organizationId) { if (!authService.isUserAuthorized(ROLE_CURATOR, organizationId)) { throw new NotAuthorizedException(); } return profilePersister.getProfileIdsForOrganization(organizationId); }
@Override public Profile updateProfile(Profile profile) { if (!authService.isUserAuthorized(ROLE_CURATOR, profile)) { throw new NotAuthorizedException(); } return profilePersister.update(profile); }
@Override public ProfileSummary createProfile(Profile profile) { User loggedInUser = userService.getLoggedInUser(); if (profile.getUserId() != null && profile.getUserId() == loggedInUser.getId() || authService.isUserAuthorized(ROLE_ADMIN, profile.getOrganizationId())) { return profilePersister.create(profile); } else { throw new NotAuthorizedException(); } }
@Override public void delete(int id) { if (!authService.isUserAuthorized(AuthConstants.ROLE_ADMIN, id)) { throw new NotAuthorizedException(); } try { // Let FK handle profile dependencies profilePersister.delete(id); } catch (GeneralException ignored) { throw new BadRequestException(); } }
@Override public ProfileSummary get(int id) { ProfileSummary profileSummary = profilePersister.getProfileSummary(id); if (profileSummary == null) { throw new NotFoundException(); } if (!authService.canRead(profileSummary.getProfile())) { throw new NotAuthorizedException(); } return profileSummary; }
@Override public Profile getProfile(int id) { Profile profile = profilePersister.get(id); if (profile == null) { throw new NotFoundException(); } if (!authService.isUserAuthorized(ROLE_READER, profile)) { throw new NotAuthorizedException(); } return profile; }
@Override public StoryExport<StoryTellerCsv> exportStoryTellers( int profileId, Integer collectionId, Integer questionnaireId, int window) { try { int windowSize = 75; User user = userService.getUserForProfile(profileId); Profile userProfile = profilePersister.get(profileId); int organizationContext = userProfile.getOrganizationId(); int accessMode = ACCESS_MODE_PRIVILEGED; if (authService.isSuperUser(user)) { accessMode = ACCESS_MODE_ROOT; } List<StoryTellerCsv> storyTellers = new ArrayList<StoryTellerCsv>(); try { StoryTellersParams countParams = new StoryTellersParams( 0, 1, StorySortField.CREATED_OLD, false, collectionId, questionnaireId, accessMode, userService.getEffectiveSubject(user), null); int countStories = storyService.getStorytellerCount(countParams); // window starts at 0; bail out if we're asked for a window beyond what's available if (window * windowSize >= countStories) { return new StoryExport<StoryTellerCsv>(storyTellers, countStories); } try { SolrQuery sQuery = new SolrQuery("*:*"); if (collectionId != null) { sQuery.addFilterQuery("collections:" + collectionId); sQuery.setSort("lastStoryDateByCollection_" + collectionId, SolrQuery.ORDER.desc); } if (questionnaireId != null) { sQuery.addFilterQuery("questionnaires:" + questionnaireId); sQuery.setSort("lastStoryDateByCollection_" + questionnaireId, SolrQuery.ORDER.desc); } if (!authService.isSuperUser(user)) { sQuery.addFilterQuery("readAuths:" + organizationContext); } sQuery.setRows(windowSize); sQuery.setStart(window * windowSize); QueryResponse result = solrPersonServer.query(sQuery); if (result.getResults().getNumFound() > 0) { for (SolrDocument entries : result.getResults()) { ProfileDocument doc = new ProfileDocument(entries); Profile profile = profilePersister.get(doc.getId()); StoryTellerCsv storyTellerCsv = new StoryTellerCsv(doc, profile); storyTellers.add(storyTellerCsv); } } return new StoryExport<StoryTellerCsv>(storyTellers, countStories); } catch (Exception e) { throw new GeneralException(e); } } catch (Exception e) { e.printStackTrace(); } return new StoryExport<StoryTellerCsv>(storyTellers, 0); } catch (NotLoggedInException e) { throw new GeneralException(e); } }