@Override
public boolean isAdmin(Context c) throws SQLException {
// if we're ignoring authorization, user is member of admin
if (c.ignoreAuthorization()) {
return true;
}
EPerson e = c.getCurrentUser();
if (e == null) {
return false; // anonymous users can't be admins....
} else {
return groupService.isMember(c, Group.ADMIN);
}
}
@Override
public boolean isAdmin(Context c, DSpaceObject o) throws SQLException {
// return true if user is an Administrator
if (isAdmin(c)) {
return true;
}
if (o == null) {
return false;
}
//
// First, check all Resource Policies directly on this object
//
List<ResourcePolicy> policies = getPoliciesActionFilter(c, o, Constants.ADMIN);
for (ResourcePolicy rp : policies) {
// check policies for date validity
if (resourcePolicyService.isDateValid(rp)) {
if (rp.getEPerson() != null && rp.getEPerson().equals(c.getCurrentUser())) {
return true; // match
}
if ((rp.getGroup() != null) && (groupService.isMember(c, rp.getGroup()))) {
// group was set, and eperson is a member
// of that group
return true;
}
}
}
// If user doesn't have specific Admin permissions on this object,
// check the *parent* objects of this object. This allows Admin
// permissions to be inherited automatically (e.g. Admin on Community
// is also an Admin of all Collections/Items in that Community)
DSpaceObject parent = serviceFactory.getDSpaceObjectService(o).getParentObject(c, o);
if (parent != null) {
return isAdmin(c, parent);
}
return false;
}
/**
* Check to see if the given user can perform the given action on the given object. Always returns
* true if the ignore authorization flat is set in the current context.
*
* @param c current context. User is irrelevant; "ignore authorization" flag is relevant
* @param o object action is being attempted on
* @param action ID of action being attempted, from <code>org.dspace.core.Constants</code>
* @param e user attempting action
* @param useInheritance flag to say if ADMIN action on the current object or parent object can be
* used
* @return <code>true</code> if user is authorized to perform the given action, <code>false</code>
* otherwise
* @throws SQLException if database error
*/
protected boolean authorize(
Context c, DSpaceObject o, int action, EPerson e, boolean useInheritance)
throws SQLException {
// return FALSE if there is no DSpaceObject
if (o == null) {
return false;
}
// is authorization disabled for this context?
if (c.ignoreAuthorization()) {
return true;
}
// is eperson set? if not, userToCheck = null (anonymous)
EPerson userToCheck = null;
if (e != null) {
userToCheck = e;
// perform isAdmin check to see
// if user is an Admin on this object
DSpaceObject adminObject =
useInheritance
? serviceFactory.getDSpaceObjectService(o).getAdminObject(c, o, action)
: null;
if (isAdmin(c, adminObject)) {
return true;
}
}
// In case the dso is an bundle or bitstream we must ignore custom
// policies if it does not belong to at least one installed item (see
// DS-2614).
// In case the dso is an item and a corresponding workspace or workflow
// item exist, we have to ignore custom policies (see DS-2614).
boolean ignoreCustomPolicies = false;
if (o instanceof Bitstream) {
Bitstream b = (Bitstream) o;
// Ensure that this is not a collection or community logo
DSpaceObject parent = bitstreamService.getParentObject(c, b);
if (!(parent instanceof Collection) && !(parent instanceof Community)) {
ignoreCustomPolicies = !isAnyItemInstalled(c, b.getBundles());
}
}
if (o instanceof Bundle) {
ignoreCustomPolicies = !isAnyItemInstalled(c, Arrays.asList(((Bundle) o)));
}
if (o instanceof Item) {
if (workspaceItemService.findByItem(c, (Item) o) != null
|| workflowItemService.findByItem(c, (Item) o) != null) {
ignoreCustomPolicies = true;
}
}
for (ResourcePolicy rp : getPoliciesActionFilter(c, o, action)) {
if (ignoreCustomPolicies && ResourcePolicy.TYPE_CUSTOM.equals(rp.getRpType())) {
continue;
}
// check policies for date validity
if (resourcePolicyService.isDateValid(rp)) {
if (rp.getEPerson() != null && rp.getEPerson().equals(userToCheck)) {
return true; // match
}
if ((rp.getGroup() != null) && (groupService.isMember(c, rp.getGroup()))) {
// group was set, and eperson is a member
// of that group
return true;
}
}
}
// default authorization is denial
return false;
}