@Override
public Group getWorkflowRoleGroup(
Context context, Collection collection, String roleName, Group roleGroup)
throws SQLException, IOException, WorkflowException, AuthorizeException {
try {
Role role = WorkflowUtils.getCollectionAndRepositoryRoles(collection).get(roleName);
if (role.getScope() == Role.Scope.COLLECTION || role.getScope() == Role.Scope.REPOSITORY) {
roleGroup = WorkflowUtils.getRoleGroup(context, collection, role);
if (roleGroup == null) {
authorizeService.authorizeAction(context, collection, Constants.WRITE);
roleGroup = groupService.create(context);
if (role.getScope() == Role.Scope.COLLECTION) {
groupService.setName(
roleGroup,
"COLLECTION_" + collection.getID().toString() + "_WORKFLOW_ROLE_" + roleName);
} else {
groupService.setName(roleGroup, role.getName());
}
groupService.update(context, roleGroup);
authorizeService.addPolicy(context, collection, Constants.ADD, roleGroup);
if (role.getScope() == Role.Scope.COLLECTION) {
WorkflowUtils.createCollectionWorkflowRole(context, collection, roleName, roleGroup);
}
}
}
return roleGroup;
} catch (WorkflowConfigurationException e) {
throw new WorkflowException(e);
}
}
/*
* Add authenticated users to the group defined in dspace.cfg by
* the authentication-ldap.login.groupmap.* key.
*/
private void assignGroups(String dn, String group, Context context) {
if (StringUtils.isNotBlank(dn)) {
System.out.println("dn:" + dn);
int i = 1;
String groupMap =
ConfigurationManager.getProperty("authentication-ldap", "login.groupmap." + i);
boolean cmp;
while (groupMap != null) {
String t[] = groupMap.split(":");
String ldapSearchString = t[0];
String dspaceGroupName = t[1];
if (group == null) {
cmp = StringUtils.containsIgnoreCase(dn, ldapSearchString + ",");
} else {
cmp = StringUtils.equalsIgnoreCase(group, ldapSearchString);
}
if (cmp) {
// assign user to this group
try {
Group ldapGroup = groupService.findByName(context, dspaceGroupName);
if (ldapGroup != null) {
groupService.addMember(context, ldapGroup, context.getCurrentUser());
groupService.update(context, ldapGroup);
} else {
// The group does not exist
log.warn(
LogManager.getHeader(
context,
"ldap_assignGroupsBasedOnLdapDn",
"Group defined in authentication-ldap.login.groupmap."
+ i
+ " does not exist :: "
+ dspaceGroupName));
}
} catch (AuthorizeException ae) {
log.debug(
LogManager.getHeader(
context,
"assignGroupsBasedOnLdapDn could not authorize addition to group",
dspaceGroupName));
} catch (SQLException e) {
log.debug(
LogManager.getHeader(
context, "assignGroupsBasedOnLdapDn could not find group", dspaceGroupName));
}
}
groupMap = ConfigurationManager.getProperty("authentication-ldap", "login.groupmap." + ++i);
}
}
}
/*
* Add authenticated users to the group defined in dspace.cfg by
* the login.specialgroup key.
*/
@Override
public List<Group> getSpecialGroups(Context context, HttpServletRequest request) {
// Prevents anonymous users from being added to this group, and the second check
// ensures they are LDAP users
try {
if (!context.getCurrentUser().getNetid().equals("")) {
String groupName =
ConfigurationManager.getProperty("authentication-ldap", "login.specialgroup");
if ((groupName != null) && (!groupName.trim().equals(""))) {
Group ldapGroup = groupService.findByName(context, groupName);
if (ldapGroup == null) {
// Oops - the group isn't there.
log.warn(
LogManager.getHeader(
context,
"ldap_specialgroup",
"Group defined in login.specialgroup does not exist"));
return ListUtils.EMPTY_LIST;
} else {
return Arrays.asList(ldapGroup);
}
}
}
} catch (Exception npe) {
// The user is not an LDAP user, so we don't need to worry about them
}
return ListUtils.EMPTY_LIST;
}
public void addListGroups(String groupID, List form, int errorFlag, Collection owningCollection)
throws WingException, SQLException {
if (isAdvancedFormEnabled) {
// currently set group
form.addLabel(T_groups);
Select groupSelect = form.addItem().addSelect("group_id");
groupSelect.setMultiple(false);
java.util.List<Group> loadedGroups = null;
// retrieve groups
String name = ConfigurationManager.getProperty("webui.submission.restrictstep.groups");
if (name != null) {
Group uiGroup = groupService.findByName(context, name);
if (uiGroup != null) loadedGroups = uiGroup.getMemberGroups();
}
if (loadedGroups == null || loadedGroups.size() == 0) {
loadedGroups = groupService.findAll(context, GroupService.NAME);
}
// if no group selected for default set anonymous
if (groupID == null || groupID.equals("")) groupID = "0";
// when we're just loading the main step, also default to anonymous
if (errorFlag == AccessStep.STATUS_COMPLETE) {
groupID = "0";
}
for (Group group : loadedGroups) {
boolean selectGroup = group.getID().toString().equals(groupID);
groupSelect.addOption(selectGroup, group.getID().toString(), group.getName());
}
if (errorFlag == AccessStep.STATUS_DUPLICATED_POLICY
|| errorFlag == AccessStep.EDIT_POLICY_STATUS_DUPLICATED_POLICY
|| errorFlag == UploadWithEmbargoStep.STATUS_EDIT_POLICIES_DUPLICATED_POLICY
|| errorFlag == UploadWithEmbargoStep.STATUS_EDIT_POLICY_DUPLICATED_POLICY) {
groupSelect.addError(T_error_duplicated_policy);
}
}
}
/**
* Internal method to remove the community and all its children from the database, and perform any
* pre/post-cleanup
*
* @throws SQLException
* @throws AuthorizeException
* @throws IOException
*/
protected void rawDelete(Context context, Community community)
throws SQLException, AuthorizeException, IOException {
log.info(
LogManager.getHeader(context, "delete_community", "community_id=" + community.getID()));
context.addEvent(
new Event(
Event.DELETE,
Constants.COMMUNITY,
community.getID(),
community.getHandle(),
getIdentifiers(context, community)));
// Remove collections
Iterator<Collection> collections = community.getCollections().iterator();
while (collections.hasNext()) {
Collection collection = collections.next();
collections.remove();
removeCollection(context, community, collection);
}
// delete subcommunities
Iterator<Community> subCommunities = community.getSubcommunities().iterator();
while (subCommunities.hasNext()) {
Community subComm = subCommunities.next();
subCommunities.remove();
delete(context, subComm);
}
// Remove the logo
setLogo(context, community, null);
// Remove all authorization policies
authorizeService.removeAllPolicies(context, community);
// Remove any Handle
handleService.unbindHandle(context, community);
deleteMetadata(context, community);
Group g = community.getAdministrators();
// Delete community row
communityDAO.delete(context, community);
// Remove administrators group - must happen after deleting community
if (g != null) {
groupService.delete(context, g);
}
}
@Override
public Group createAdministrators(Context context, Community community)
throws SQLException, AuthorizeException {
// Check authorisation - Must be an Admin to create more Admins
AuthorizeUtil.authorizeManageAdminGroup(context, community);
Group admins = community.getAdministrators();
if (admins == null) {
// turn off authorization so that Community Admins can create Sub-Community Admins
context.turnOffAuthorisationSystem();
admins = groupService.create(context);
context.restoreAuthSystemState();
admins.setName(context, "COMMUNITY_" + community.getID() + "_ADMIN");
groupService.update(context, admins);
}
authorizeService.addPolicy(context, community, Constants.ADMIN, admins);
// register this as the admin group
community.setAdmins(admins);
return admins;
}
/**
* Generate Policies policies READ for the date in input adding reason. New policies are assigned
* automatically at the groups that have right on the collection. E.g., if the anonymous can
* access the collection policies are assigned to anonymous.
*
* @param context The relevant DSpace Context.
* @param embargoDate embargo end date
* @param reason embargo reason
* @param dso DSpace object
* @param owningCollection collection to get group policies from
* @throws SQLException if database error
* @throws AuthorizeException if authorization error
*/
@Override
public void generateAutomaticPolicies(
Context context,
Date embargoDate,
String reason,
DSpaceObject dso,
Collection owningCollection)
throws SQLException, AuthorizeException {
if (embargoDate != null || (embargoDate == null && dso instanceof Bitstream)) {
List<Group> authorizedGroups =
getAuthorizedGroups(context, owningCollection, Constants.DEFAULT_ITEM_READ);
removeAllPoliciesByDSOAndType(context, dso, ResourcePolicy.TYPE_CUSTOM);
// look for anonymous
boolean isAnonymousInPlace = false;
for (Group g : authorizedGroups) {
if (StringUtils.equals(g.getName(), Group.ANONYMOUS)) {
isAnonymousInPlace = true;
}
}
if (!isAnonymousInPlace) {
// add policies for all the groups
for (Group g : authorizedGroups) {
ResourcePolicy rp =
createOrModifyPolicy(
null, context, null, g, null, embargoDate, Constants.READ, reason, dso);
if (rp != null) resourcePolicyService.update(context, rp);
}
} else {
// add policy just for anonymous
ResourcePolicy rp =
createOrModifyPolicy(
null,
context,
null,
groupService.findByName(context, Group.ANONYMOUS),
null,
embargoDate,
Constants.READ,
reason,
dso);
if (rp != null) resourcePolicyService.update(context, rp);
}
}
}
public boolean isCollectionAdmin(Context c) throws SQLException {
EPerson e = c.getCurrentUser();
if (e != null) {
List<ResourcePolicy> policies =
resourcePolicyService.find(
c, e, groupService.allMemberGroups(c, e), Constants.ADMIN, Constants.COLLECTION);
if (CollectionUtils.isNotEmpty(policies)) {
return true;
}
}
return false;
}
@Override
public boolean isAdmin(Context c) throws SQLException {
// if we're ignoring authorization, user is member of admin
if (c.ignoreAuthorization()) {
return true;
}
EPerson e = c.getCurrentUser();
if (e == null) {
return false; // anonymous users can't be admins....
} else {
return groupService.isMember(c, Group.ADMIN);
}
}
@Override
public boolean isAdmin(Context c, DSpaceObject o) throws SQLException {
// return true if user is an Administrator
if (isAdmin(c)) {
return true;
}
if (o == null) {
return false;
}
//
// First, check all Resource Policies directly on this object
//
List<ResourcePolicy> policies = getPoliciesActionFilter(c, o, Constants.ADMIN);
for (ResourcePolicy rp : policies) {
// check policies for date validity
if (resourcePolicyService.isDateValid(rp)) {
if (rp.getEPerson() != null && rp.getEPerson().equals(c.getCurrentUser())) {
return true; // match
}
if ((rp.getGroup() != null) && (groupService.isMember(c, rp.getGroup()))) {
// group was set, and eperson is a member
// of that group
return true;
}
}
}
// If user doesn't have specific Admin permissions on this object,
// check the *parent* objects of this object. This allows Admin
// permissions to be inherited automatically (e.g. Admin on Community
// is also an Admin of all Collections/Items in that Community)
DSpaceObject parent = serviceFactory.getDSpaceObjectService(o).getParentObject(c, o);
if (parent != null) {
return isAdmin(c, parent);
}
return false;
}
@Override
public Community create(Community parent, Context context, String handle)
throws SQLException, AuthorizeException {
if (!(authorizeService.isAdmin(context)
|| (parent != null
&& authorizeService.authorizeActionBoolean(context, parent, Constants.ADD)))) {
throw new AuthorizeException("Only administrators can create communities");
}
Community newCommunity = communityDAO.create(context, new Community());
try {
if (handle == null) {
handleService.createHandle(context, newCommunity);
} else {
handleService.createHandle(context, newCommunity, handle);
}
} catch (IllegalStateException ie) {
// If an IllegalStateException is thrown, then an existing object is already using this handle
throw ie;
}
if (parent != null) {
parent.addSubCommunity(newCommunity);
newCommunity.addParentCommunity(parent);
}
// create the default authorization policy for communities
// of 'anonymous' READ
Group anonymousGroup = groupService.findByName(context, Group.ANONYMOUS);
authorizeService.createResourcePolicy(
context, newCommunity, anonymousGroup, null, Constants.READ, null);
communityDAO.save(context, newCommunity);
context.addEvent(
new Event(
Event.CREATE,
Constants.COMMUNITY,
newCommunity.getID(),
newCommunity.getHandle(),
getIdentifiers(context, newCommunity)));
// if creating a top-level Community, simulate an ADD event at the Site.
if (parent == null) {
context.addEvent(
new Event(
Event.ADD,
Constants.SITE,
siteService.findSite(context).getID(),
Constants.COMMUNITY,
newCommunity.getID(),
newCommunity.getHandle(),
getIdentifiers(context, newCommunity)));
}
log.info(
LogManager.getHeader(context, "create_community", "community_id=" + newCommunity.getID())
+ ",handle="
+ newCommunity.getHandle());
return newCommunity;
}
// returns true if archived
protected boolean doState(
Context context, BasicWorkflowItem workflowItem, int newstate, EPerson newowner)
throws SQLException, IOException, AuthorizeException {
Collection mycollection = workflowItem.getCollection();
Group mygroup = null;
boolean archived = false;
// Gather our old data for launching the workflow event
int oldState = workflowItem.getState();
workflowItem.setState(newstate);
switch (newstate) {
case WFSTATE_STEP1POOL:
// any reviewers?
// if so, add them to the tasklist
workflowItem.setOwner(null);
// get reviewers (group 1 )
mygroup = collectionService.getWorkflowGroup(mycollection, 1);
if ((mygroup != null) && !(groupService.isEmpty(mygroup))) {
// get a list of all epeople in group (or any subgroups)
List<EPerson> epa = groupService.allMembers(context, mygroup);
// there were reviewers, change the state
// and add them to the list
createTasks(context, workflowItem, epa);
workflowItemService.update(context, workflowItem);
// email notification
notifyGroupOfTask(context, workflowItem, mygroup, epa);
} else {
// no reviewers, skip ahead
workflowItem.setState(WFSTATE_STEP1);
archived = advance(context, workflowItem, null, true, false);
}
break;
case WFSTATE_STEP1:
// remove reviewers from tasklist
// assign owner
taskListItemService.deleteByWorkflowItem(context, workflowItem);
workflowItem.setOwner(newowner);
break;
case WFSTATE_STEP2POOL:
// clear owner
// any approvers?
// if so, add them to tasklist
// if not, skip to next state
workflowItem.setOwner(null);
// get approvers (group 2)
mygroup = collectionService.getWorkflowGroup(mycollection, 2);
if ((mygroup != null) && !(groupService.isEmpty(mygroup))) {
// get a list of all epeople in group (or any subgroups)
List<EPerson> epa = groupService.allMembers(context, mygroup);
// there were approvers, change the state
// timestamp, and add them to the list
createTasks(context, workflowItem, epa);
// email notification
notifyGroupOfTask(context, workflowItem, mygroup, epa);
} else {
// no reviewers, skip ahead
workflowItem.setState(WFSTATE_STEP2);
archived = advance(context, workflowItem, null, true, false);
}
break;
case WFSTATE_STEP2:
// remove admins from tasklist
// assign owner
taskListItemService.deleteByWorkflowItem(context, workflowItem);
workflowItem.setOwner(newowner);
break;
case WFSTATE_STEP3POOL:
// any editors?
// if so, add them to tasklist
workflowItem.setOwner(null);
mygroup = collectionService.getWorkflowGroup(mycollection, 3);
if ((mygroup != null) && !(groupService.isEmpty(mygroup))) {
// get a list of all epeople in group (or any subgroups)
List<EPerson> epa = groupService.allMembers(context, mygroup);
// there were editors, change the state
// timestamp, and add them to the list
createTasks(context, workflowItem, epa);
// email notification
notifyGroupOfTask(context, workflowItem, mygroup, epa);
} else {
// no editors, skip ahead
workflowItem.setState(WFSTATE_STEP3);
archived = advance(context, workflowItem, null, true, false);
}
break;
case WFSTATE_STEP3:
// remove editors from tasklist
// assign owner
taskListItemService.deleteByWorkflowItem(context, workflowItem);
workflowItem.setOwner(newowner);
break;
case WFSTATE_ARCHIVE:
// put in archive in one transaction
// remove workflow tasks
taskListItemService.deleteByWorkflowItem(context, workflowItem);
mycollection = workflowItem.getCollection();
Item myitem = archive(context, workflowItem);
// now email notification
notifyOfArchive(context, myitem, mycollection);
archived = true;
break;
}
logWorkflowEvent(
context,
workflowItem.getItem(),
workflowItem,
context.getCurrentUser(),
newstate,
newowner,
mycollection,
oldState,
mygroup);
if (!archived) {
workflowItemService.update(context, workflowItem);
}
return archived;
}
/**
* Check to see if the given user can perform the given action on the given object. Always returns
* true if the ignore authorization flat is set in the current context.
*
* @param c current context. User is irrelevant; "ignore authorization" flag is relevant
* @param o object action is being attempted on
* @param action ID of action being attempted, from <code>org.dspace.core.Constants</code>
* @param e user attempting action
* @param useInheritance flag to say if ADMIN action on the current object or parent object can be
* used
* @return <code>true</code> if user is authorized to perform the given action, <code>false</code>
* otherwise
* @throws SQLException if database error
*/
protected boolean authorize(
Context c, DSpaceObject o, int action, EPerson e, boolean useInheritance)
throws SQLException {
// return FALSE if there is no DSpaceObject
if (o == null) {
return false;
}
// is authorization disabled for this context?
if (c.ignoreAuthorization()) {
return true;
}
// is eperson set? if not, userToCheck = null (anonymous)
EPerson userToCheck = null;
if (e != null) {
userToCheck = e;
// perform isAdmin check to see
// if user is an Admin on this object
DSpaceObject adminObject =
useInheritance
? serviceFactory.getDSpaceObjectService(o).getAdminObject(c, o, action)
: null;
if (isAdmin(c, adminObject)) {
return true;
}
}
// In case the dso is an bundle or bitstream we must ignore custom
// policies if it does not belong to at least one installed item (see
// DS-2614).
// In case the dso is an item and a corresponding workspace or workflow
// item exist, we have to ignore custom policies (see DS-2614).
boolean ignoreCustomPolicies = false;
if (o instanceof Bitstream) {
Bitstream b = (Bitstream) o;
// Ensure that this is not a collection or community logo
DSpaceObject parent = bitstreamService.getParentObject(c, b);
if (!(parent instanceof Collection) && !(parent instanceof Community)) {
ignoreCustomPolicies = !isAnyItemInstalled(c, b.getBundles());
}
}
if (o instanceof Bundle) {
ignoreCustomPolicies = !isAnyItemInstalled(c, Arrays.asList(((Bundle) o)));
}
if (o instanceof Item) {
if (workspaceItemService.findByItem(c, (Item) o) != null
|| workflowItemService.findByItem(c, (Item) o) != null) {
ignoreCustomPolicies = true;
}
}
for (ResourcePolicy rp : getPoliciesActionFilter(c, o, action)) {
if (ignoreCustomPolicies && ResourcePolicy.TYPE_CUSTOM.equals(rp.getRpType())) {
continue;
}
// check policies for date validity
if (resourcePolicyService.isDateValid(rp)) {
if (rp.getEPerson() != null && rp.getEPerson().equals(userToCheck)) {
return true; // match
}
if ((rp.getGroup() != null) && (groupService.isMember(c, rp.getGroup()))) {
// group was set, and eperson is a member
// of that group
return true;
}
}
}
// default authorization is denial
return false;
}
