private boolean isAuthorizedToEditStudy( PageDef pageDef, VDCUser user, HttpServletRequest request, VDC currentVDC) { boolean authorized = false; // If this is a new study being created, then user is authorized if he or she is admin, curator // or contributor // in currentVDC if (pageDef.getName().equals(PageDefServiceLocal.EDIT_STUDY_PAGE) && (getStudyIdFromRequest(request) == null || Integer.parseInt(getStudyIdFromRequest(request)) < 0)) { String currentVDCRoleName = null; if (currentVDC != null && currentVDC.isAllowRegisteredUsersToContribute()) { authorized = true; } else { if (currentVDC != null && user.getVDCRole(currentVDC) != null) { currentVDCRoleName = user.getVDCRole(currentVDC).getRole().getName(); } if (currentVDCRoleName != null && (currentVDCRoleName.equals(RoleServiceLocal.ADMIN) || currentVDCRoleName.equals(RoleServiceLocal.CURATOR) || currentVDCRoleName.equals(RoleServiceLocal.CONTRIBUTOR))) { authorized = true; } } } else { // If we are editing an existing study, then the authorization depends on the study Long studyId = Long.parseLong(getStudyIdFromRequest(request)); Study study = studyService.getStudy(studyId); authorized = study.isUserAuthorizedToEdit(user); } return authorized; }
private boolean isUserStudyCreator(VDCUser user, HttpServletRequest request) { boolean ret = false; String studyIdParam = getStudyIdFromRequest(request); if (studyIdParam != null) { Long studyId = new Long(Long.parseLong(studyIdParam)); Study study = studyService.getStudy(studyId); if (study.getCreator().getId().equals(user.getId())) { ret = true; } } return ret; }
private String studyLockedMessage(PageDef pageDef, HttpServletRequest request) { Long studyId = determineStudyId(pageDef, request); String studyLockMessage = null; StudyLock studyLock = null; if (studyId != null) { Study study = null; if (studyId > 0) { // If Id<0, this means we are adding a new study, no need to check for a lock study = studyService.getStudy(studyId); studyLock = study.getStudyLock(); } if (studyLock != null) { studyLockMessage = "Study upload details: " + study.getGlobalId() + " - " + studyLock.getDetail(); } } System.out.println("Study locked = " + studyLock != null); return studyLockMessage; }
private boolean isUserAuthorizedForNonRolePage( PageDef pageDef, HttpServletRequest request, LoginBean loginBean, UserGroup ipUserGroup) { VDCUser user = null; if (loginBean != null) { user = loginBean.getUser(); } if (user != null && user.getNetworkRole() != null && user.getNetworkRole().getName().equals(NetworkRoleServiceLocal.ADMIN)) { // If you are network admin, you can do anything! return true; } VDC currentVDC = vdcService.getVDCFromRequest(request); if (currentVDC != null && !isTermsOfUsePage(pageDef) && isVdcRestricted(pageDef, request)) { if (currentVDC.isVDCRestrictedForUser(user, ipUserGroup)) { return false; } } else if (pageDef != null && (pageDef.getName().equals(PageDefServiceLocal.DV_OPTIONS_PAGE) || pageDef.getName().equals(PageDefServiceLocal.ACCOUNT_OPTIONS_PAGE) || pageDef.getName().equals(PageDefServiceLocal.ACCOUNT_PAGE) || pageDef.getName().equals(PageDefServiceLocal.MANAGE_STUDIES_PAGE))) { // For these pages, the only requirement is // to be logged in. if (user == null) { return false; } String userParam = request.getParameter("userId"); if (userParam != null && !userParam.equals(user.getId().toString())) { // To view other users, logged in user must be an admin or curator if (!(user.isAdmin(currentVDC) || user.isCurator(currentVDC))) { return false; } } } else if (isViewStudyPage(pageDef)) { Study study = null; StudyVersion studyVersion = null; String studyId = VDCBaseBean.getParamFromRequestOrComponent("studyId", request); String versionNumber = VDCBaseBean.getParamFromRequestOrComponent("versionNumber", request); if (studyId != null) { study = studyService.getStudy(Long.parseLong(studyId)); if (versionNumber != null) { studyVersion = studyService.getStudyVersion(Long.parseLong(studyId), new Long(versionNumber)); } } else { study = studyService.getStudyByGlobalId( VDCBaseBean.getParamFromRequestOrComponent("globalId", request)); } if (study.isStudyRestrictedForUser(user, ipUserGroup)) { return false; } if (studyVersion != null) { // If study has been deaccessioned, // only show the page if the user is authorized to edit if (study.isDeaccessioned() && (user == null || !study.isUserAuthorizedToEdit(user))) { return false; } // If this is a draft version, only show the version if the user is authorized to edit if (studyVersion.isWorkingCopy() && (user == null || !study.isUserAuthorizedToEdit(user))) { return false; } } } else if (isVersionDiffPage(pageDef)) { Study study = null; StudyVersion studyVersion1 = null; StudyVersion studyVersion2 = null; String studyId = VDCBaseBean.getParamFromRequestOrComponent("studyId", request); Long[] versionList = VDCRequestBean.parseVersionNumberList(request); studyVersion1 = studyService.getStudyVersion(Long.parseLong(studyId), versionList[0]); studyVersion2 = studyService.getStudyVersion(Long.parseLong(studyId), versionList[1]); if (studyId != null) { study = studyService.getStudy(Long.parseLong(studyId)); } else { study = studyService.getStudyByGlobalId( VDCBaseBean.getParamFromRequestOrComponent("globalId", request)); } if (study.isStudyRestrictedForUser(user, ipUserGroup)) { return false; } // If study has been deaccessioned, // only show the page if the user is authorized to edit if (study.isDeaccessioned() && (user == null || !study.isUserAuthorizedToEdit(user))) { return false; } // If this is a draft version, only show the version if the user is authorized to edit if ((studyVersion1.isWorkingCopy() || studyVersion2.isWorkingCopy()) && (user == null || !study.isUserAuthorizedToEdit(user))) { return false; } if ("confirmRelease".equals(request.getParameter("actionMode")) && !study.isUserAuthorizedToRelease(user)) { return false; } } else if (isSubsettingPage(pageDef)) { String dtId = VDCBaseBean.getParamFromRequestOrComponent("dtId", request); DataTable dataTable = variableService.getDataTable(Long.parseLong(dtId)); Study study = dataTable.getStudyFile().getStudy(); if (study.isStudyRestrictedForUser(user, ipUserGroup)) { return false; } } else if (isExploreDataPage(pageDef)) { String fileId = VDCBaseBean.getParamFromRequestOrComponent("fileId", request); StudyFile sf = studyFileService.getStudyFile(Long.parseLong(fileId)); if (sf.isFileRestrictedForUser(user, currentVDC, ipUserGroup)) { return false; } } else if (isEditAccountPage(pageDef)) { String userId = VDCBaseBean.getParamFromRequestOrComponent("userId", request); if (user == null || user.getId() != Long.parseLong(userId)) { return false; } } else if (isManifestPage(pageDef)) { LockssConfig chkLockssConfig = getLockssConfig(currentVDC); if (chkLockssConfig == null) { return false; } else if (chkLockssConfig.getserverAccess().equals(ServerAccess.GROUP)) { VDCRole userRole = null; String userVDCRoleName = null; if (user != null && currentVDC != null) { userRole = loginBean.getVDCRole(currentVDC); } if (user != null && userRole != null && user.isAdmin(currentVDC)) { return true; } if (user != null && user.getNetworkRole() != null && user.getNetworkRole().getName().equals(NetworkRoleServiceLocal.ADMIN)) { // If you are network admin, you can do anything! return true; } if (!lockssAuth.isAuthorizedLockssServer(currentVDC, request)) { return false; } } } return true; }
/** * @param request The servlet request we are processing * @param result The servlet response we are creating * @param chain The filter chain we are processing * @exception IOException if an input/output error occurs * @exception ServletException if a servlet error occurs */ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest httpRequest = (HttpServletRequest) request; HttpServletResponse httpResponse = (HttpServletResponse) response; String requestPath = httpRequest.getPathInfo(); VDC currentVDC = vdcService.getVDCFromRequest(httpRequest); if (requestPath != null && requestPath.endsWith(".jsp")) { String redirectURL = httpRequest.getContextPath(); if (currentVDC != null) { redirectURL += "/dv/" + currentVDC.getAlias(); } httpResponse.sendRedirect(redirectURL + "/faces/NotFoundPage.xhtml"); return; } PageDef pageDef = pageDefService.findByPath(requestPath); // check for invalid study Id or study versionNumber // for right now, do this with a sendRedirect, though we should try to figure out a solution // with a forward isntead; that way the user can fix the issue in the URL and easily try again if (isViewStudyPage(pageDef) || isEditStudyPage(pageDef) || isVersionDiffPage(pageDef)) { Long studyId = determineStudyId(pageDef, httpRequest); if (isVersionDiffPage(pageDef)) { Long[] versionDiffNumbers = VDCRequestBean.parseVersionNumberList(httpRequest); if (versionDiffNumbers == null || studyId == null) { String redirectURL = httpRequest.getContextPath(); if (currentVDC != null) { redirectURL += "/dv/" + currentVDC.getAlias(); } httpResponse.sendRedirect(redirectURL + "/faces/NotFoundPage.xhtml"); return; } else { try { // Get the studyVersions to test that the versionNumbers exist for this study. // If they don't exist, an EJBException will be thrown. StudyVersion sv1 = studyService.getStudyVersion(studyId, versionDiffNumbers[0]); StudyVersion sv2 = studyService.getStudyVersion(studyId, versionDiffNumbers[1]); } catch (EJBException e) { if (e.getCause() instanceof IllegalArgumentException) { String redirectURL = httpRequest.getContextPath(); if (currentVDC != null) { redirectURL += "/dv/" + currentVDC.getAlias(); } httpResponse.sendRedirect(redirectURL + "/faces/IdDoesNotExistPage.xhtml"); return; } else { throw e; } } } } else if (studyId != null) { try { String versionNumberParam = httpRequest.getParameter("versionNumber"); if (versionNumberParam != null) { Long versionNumber = new Long(versionNumberParam); StudyVersion sv = studyService.getStudyVersion(studyId, versionNumber); } else { // Get the study to make sure that the studyId exists. // If it doesn't exist, and EJBException will be thrown. Study study = studyService.getStudy(studyId); } } catch (EJBException e) { if (e.getCause() instanceof IllegalArgumentException) { String redirectURL = httpRequest.getContextPath(); if (currentVDC != null) { redirectURL += "/dv/" + currentVDC.getAlias(); } httpResponse.sendRedirect(redirectURL + "/faces/IdDoesNotExistPage.xhtml"); return; } else { throw e; } } catch (NumberFormatException e) { String redirectURL = httpRequest.getContextPath(); if (currentVDC != null) { redirectURL += "/dv/" + currentVDC.getAlias(); } httpResponse.sendRedirect(redirectURL + "/faces/NotFoundPage.xhtml"); return; } } } setOriginalUrl(httpRequest, httpResponse, currentVDC); LoginBean loginBean = getLoginBean(request); UserGroup ipUserGroup = null; if (loginBean == null) { ipUserGroup = getIpGroup(httpRequest); } else { HttpSession session = ((HttpServletRequest) request).getSession(false); } String loginURI = (String) httpRequest.getSession().getAttribute("LOGIN_REDIRECT"); if (loginURI != null) { httpRequest.getSession().removeAttribute("LOGIN_REDIRECT"); httpResponse.sendRedirect(loginURI); } else { boolean authorized = false; if (isRolePage(pageDef, httpRequest)) { if (isUserAuthorizedForRolePage(pageDef, httpRequest, loginBean)) { authorized = true; } } else if (isUserAuthorizedForNonRolePage(pageDef, httpRequest, loginBean, ipUserGroup)) { authorized = true; } if (!authorized) { if (loginBean == null) { redirectToLogin(httpRequest, httpResponse, currentVDC); } else { PageDef redirectPageDef = pageDefService.findByName(PageDefServiceLocal.UNAUTHORIZED_PAGE); httpResponse.sendRedirect( httpRequest.getContextPath() + "/faces" + redirectPageDef.getPath()); } } else { if (isCheckLockPage(pageDef) && studyLockedMessage(pageDef, httpRequest) != null) { PageDef redirectPageDef = pageDefService.findByName(PageDefServiceLocal.STUDYLOCKED_PAGE); httpResponse.sendRedirect( httpRequest.getContextPath() + "/faces" + redirectPageDef.getPath() + "?message=" + studyLockedMessage(pageDef, httpRequest)); } else { try { chain.doFilter(request, response); } catch (Throwable t) { // // If an exception is thrown somewhere down the filter chain, // we still want to execute our after processing, and then // rethrow the problem after that. // t.printStackTrace(); } } } } }
public void delete(Long vdcId) { VDC vdc = em.find(VDC.class, vdcId); em.refresh(vdc); List studyIds = new ArrayList(); // Get the studyIds separately, to avoid a ConcurrentAccess Exception // (This is necessary because the studies are deleted in Native SQL) for (Iterator it = vdc.getOwnedStudies().iterator(); it.hasNext(); ) { Study elem = (Study) it.next(); studyIds.add(elem.getId()); } if (!studyIds.isEmpty()) { studyService.deleteStudyList(studyIds); } vdc.getOwnedStudies().clear(); vdc.setRootCollection(null); for (Iterator it = vdc.getOwnedCollections().iterator(); it.hasNext(); ) { VDCCollection elem = (VDCCollection) it.next(); elem.setParentCollection(null); elem.setOwner(null); // Remove this Collection from all linked VDCs for (Iterator itc = elem.getLinkedVDCs().iterator(); itc.hasNext(); ) { VDC linkedVDC = (VDC) itc.next(); linkedVDC.getLinkedCollections().remove(elem); } } for (Iterator it = vdc.getLinkedCollections().iterator(); it.hasNext(); ) { VDCCollection elem = (VDCCollection) it.next(); VDCCollection coll = em.find(VDCCollection.class, elem.getId()); coll.getLinkedVDCs().remove(vdc); } for (Iterator it = vdc.getVdcGroups().iterator(); it.hasNext(); ) { VDCGroup vdcGroup = (VDCGroup) it.next(); vdcGroup.getVdcs().remove(vdc); } for (Iterator it = vdc.getVdcRoles().iterator(); it.hasNext(); ) { VDCRole vdcRole = (VDCRole) it.next(); VDCUser vdcUser = vdcRole.getVdcUser(); vdcUser.getVdcRoles().remove(vdcRole); } if (vdc.isHarvestingDv()) { harvesterService.removeHarvestTimer(vdc.getHarvestingDataverse()); } // If the vdc Default Template is in the list of dataverse templates // (not the Network Default Template), then remove the reference before deleting the dataverse. // If not removed, you will get a foreign key violation when the persistence logic deletes // the collection of templates. if (vdc.getTemplates().contains(vdc.getDefaultTemplate())) { vdc.setDefaultTemplate(null); } em.remove(vdc); }