コード例 #1
0
 /**
  * Creates a {@link Details} object for the current security context.
  *
  * <p>The {@link Permissions} on the instance are calculated from the current group as well as the
  * user's umask.
  *
  * @return
  * @see <a href="https://trac.openmicroscopy.org.uk/trac/omero/ticket:1434">ticket:1434</a>
  */
 public Details createDetails() {
   BasicEventContext c = current();
   Details d = Details.create();
   d.setCreationEvent(c.getEvent());
   d.setUpdateEvent(c.getEvent());
   d.setOwner(c.getOwner());
   d.setGroup(c.getGroup());
   // ticket:1434
   Permissions groupPerms = c.getCurrentGroupPermissions();
   Permissions userUmask = c.getCurrentUmask();
   Permissions p = new Permissions(groupPerms);
   p.revokeAll(userUmask);
   d.setPermissions(p);
   return d;
 }
コード例 #2
0
  /**
   * @see SecuritySystem#isGraphCritical()
   * @return
   */
  public boolean isGraphCritical() {
    EventContext ec = getCurrentEventContext();
    long gid = ec.getCurrentGroupId();
    Permissions perms = ec.getCurrentGroupPermissions();

    boolean admin = ec.isCurrentUserAdmin();
    boolean pi = ec.getLeaderOfGroupsList().contains(gid);

    if (perms.isGranted(Role.WORLD, Right.READ)) {
      // Public groups (rwrwrw) are always non-critical
      return false;
    } else if (perms.isGranted(Role.GROUP, Right.READ)) {
      // Since the object will be contained in the group,
      // then it will be readable regardless.
      return false;
    } else {
      // This is a private group. Any form of admin modification is
      // critical.
      return admin || pi;
    }
  }
コード例 #3
0
  private boolean allowUpdateOrDelete(IObject iObject, Details trustedDetails, boolean update) {
    Assert.notNull(iObject);

    BasicEventContext c = currentUser.current();
    Long uid = c.getCurrentUserId();

    boolean sysType =
        sysTypes.isSystemType(iObject.getClass()) || sysTypes.isInSystemGroup(iObject.getDetails());

    // needs no details info
    if (tokenHolder.hasPrivilegedToken(iObject)) {
      return true; // ticket:1794, allow move to "user
    } else if (update && !sysType && currentUser.isGraphCritical()) { // ticket:1769
      return objectBelongsToUser(iObject, uid);
    } else if (c.isCurrentUserAdmin()) {
      return true;
    } else if (sysType) {
      return false;
    }

    // previously we were taking the details directly from iObject
    // iObject, however, is in a critical state. Values such as
    // Permissions, owner, and group may have been changed.
    Details d = trustedDetails;

    // this can now only happen if a table doesn't have permissions
    // and there aren't any of those. so let it be updated.
    if (d == null) {
      return true;
    }

    // the owner and group information might be null if the type
    // is intended to be a system-type but isn't marked as one
    // via SecuritySystem.isSystemType(). A NPE here might imply
    // that that information is out of sync.
    Long o = d.getOwner() == null ? null : d.getOwner().getId();
    Long g = d.getGroup() == null ? null : d.getGroup().getId();

    // needs no permissions info
    if (g != null && c.getLeaderOfGroupsList().contains(g)) {
      return true;
    }

    Permissions p = d.getPermissions();

    // this should never occur.
    if (p == null) {
      throw new InternalException(
          "Permissions null! Security system "
              + "failure -- refusing to continue. The Permissions should "
              + "be set to a default value.");
    }

    // standard
    if (p.isGranted(WORLD, WRITE)) {
      return true;
    }
    if (p.isGranted(USER, WRITE) && o != null && o.equals(c.getOwner().getId())) {
      return true;
    }
    /* ticket:1992 - removing concept of GROUP-WRITE
    if (p.isGranted(GROUP, WRITE) && g != null
            && c.getMemberOfGroupsList().contains(g)) {
        return true;
    }
    */

    return false;
  }