private boolean isUserAuthorizedForNonRolePage(
PageDef pageDef, HttpServletRequest request, LoginBean loginBean, UserGroup ipUserGroup) {
VDCUser user = null;
if (loginBean != null) {
user = loginBean.getUser();
}
if (user != null
&& user.getNetworkRole() != null
&& user.getNetworkRole().getName().equals(NetworkRoleServiceLocal.ADMIN)) {
// If you are network admin, you can do anything!
return true;
}
VDC currentVDC = vdcService.getVDCFromRequest(request);
if (currentVDC != null && !isTermsOfUsePage(pageDef) && isVdcRestricted(pageDef, request)) {
if (currentVDC.isVDCRestrictedForUser(user, ipUserGroup)) {
return false;
}
} else if (pageDef != null
&& (pageDef.getName().equals(PageDefServiceLocal.DV_OPTIONS_PAGE)
|| pageDef.getName().equals(PageDefServiceLocal.ACCOUNT_OPTIONS_PAGE)
|| pageDef.getName().equals(PageDefServiceLocal.ACCOUNT_PAGE)
|| pageDef.getName().equals(PageDefServiceLocal.MANAGE_STUDIES_PAGE))) {
// For these pages, the only requirement is
// to be logged in.
if (user == null) {
return false;
}
String userParam = request.getParameter("userId");
if (userParam != null && !userParam.equals(user.getId().toString())) {
// To view other users, logged in user must be an admin or curator
if (!(user.isAdmin(currentVDC) || user.isCurator(currentVDC))) {
return false;
}
}
} else if (isViewStudyPage(pageDef)) {
Study study = null;
StudyVersion studyVersion = null;
String studyId = VDCBaseBean.getParamFromRequestOrComponent("studyId", request);
String versionNumber = VDCBaseBean.getParamFromRequestOrComponent("versionNumber", request);
if (studyId != null) {
study = studyService.getStudy(Long.parseLong(studyId));
if (versionNumber != null) {
studyVersion =
studyService.getStudyVersion(Long.parseLong(studyId), new Long(versionNumber));
}
} else {
study =
studyService.getStudyByGlobalId(
VDCBaseBean.getParamFromRequestOrComponent("globalId", request));
}
if (study.isStudyRestrictedForUser(user, ipUserGroup)) {
return false;
}
if (studyVersion != null) {
// If study has been deaccessioned,
// only show the page if the user is authorized to edit
if (study.isDeaccessioned() && (user == null || !study.isUserAuthorizedToEdit(user))) {
return false;
}
// If this is a draft version, only show the version if the user is authorized to edit
if (studyVersion.isWorkingCopy() && (user == null || !study.isUserAuthorizedToEdit(user))) {
return false;
}
}
} else if (isVersionDiffPage(pageDef)) {
Study study = null;
StudyVersion studyVersion1 = null;
StudyVersion studyVersion2 = null;
String studyId = VDCBaseBean.getParamFromRequestOrComponent("studyId", request);
Long[] versionList = VDCRequestBean.parseVersionNumberList(request);
studyVersion1 = studyService.getStudyVersion(Long.parseLong(studyId), versionList[0]);
studyVersion2 = studyService.getStudyVersion(Long.parseLong(studyId), versionList[1]);
if (studyId != null) {
study = studyService.getStudy(Long.parseLong(studyId));
} else {
study =
studyService.getStudyByGlobalId(
VDCBaseBean.getParamFromRequestOrComponent("globalId", request));
}
if (study.isStudyRestrictedForUser(user, ipUserGroup)) {
return false;
}
// If study has been deaccessioned,
// only show the page if the user is authorized to edit
if (study.isDeaccessioned() && (user == null || !study.isUserAuthorizedToEdit(user))) {
return false;
}
// If this is a draft version, only show the version if the user is authorized to edit
if ((studyVersion1.isWorkingCopy() || studyVersion2.isWorkingCopy())
&& (user == null || !study.isUserAuthorizedToEdit(user))) {
return false;
}
if ("confirmRelease".equals(request.getParameter("actionMode"))
&& !study.isUserAuthorizedToRelease(user)) {
return false;
}
} else if (isSubsettingPage(pageDef)) {
String dtId = VDCBaseBean.getParamFromRequestOrComponent("dtId", request);
DataTable dataTable = variableService.getDataTable(Long.parseLong(dtId));
Study study = dataTable.getStudyFile().getStudy();
if (study.isStudyRestrictedForUser(user, ipUserGroup)) {
return false;
}
} else if (isExploreDataPage(pageDef)) {
String fileId = VDCBaseBean.getParamFromRequestOrComponent("fileId", request);
StudyFile sf = studyFileService.getStudyFile(Long.parseLong(fileId));
if (sf.isFileRestrictedForUser(user, currentVDC, ipUserGroup)) {
return false;
}
} else if (isEditAccountPage(pageDef)) {
String userId = VDCBaseBean.getParamFromRequestOrComponent("userId", request);
if (user == null || user.getId() != Long.parseLong(userId)) {
return false;
}
} else if (isManifestPage(pageDef)) {
LockssConfig chkLockssConfig = getLockssConfig(currentVDC);
if (chkLockssConfig == null) {
return false;
} else if (chkLockssConfig.getserverAccess().equals(ServerAccess.GROUP)) {
VDCRole userRole = null;
String userVDCRoleName = null;
if (user != null && currentVDC != null) {
userRole = loginBean.getVDCRole(currentVDC);
}
if (user != null && userRole != null && user.isAdmin(currentVDC)) {
return true;
}
if (user != null
&& user.getNetworkRole() != null
&& user.getNetworkRole().getName().equals(NetworkRoleServiceLocal.ADMIN)) {
// If you are network admin, you can do anything!
return true;
}
if (!lockssAuth.isAuthorizedLockssServer(currentVDC, request)) {
return false;
}
}
}
return true;
}
/**
* @param request The servlet request we are processing
* @param result The servlet response we are creating
* @param chain The filter chain we are processing
* @exception IOException if an input/output error occurs
* @exception ServletException if a servlet error occurs
*/
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest httpRequest = (HttpServletRequest) request;
HttpServletResponse httpResponse = (HttpServletResponse) response;
String requestPath = httpRequest.getPathInfo();
VDC currentVDC = vdcService.getVDCFromRequest(httpRequest);
if (requestPath != null && requestPath.endsWith(".jsp")) {
String redirectURL = httpRequest.getContextPath();
if (currentVDC != null) {
redirectURL += "/dv/" + currentVDC.getAlias();
}
httpResponse.sendRedirect(redirectURL + "/faces/NotFoundPage.xhtml");
return;
}
PageDef pageDef = pageDefService.findByPath(requestPath);
// check for invalid study Id or study versionNumber
// for right now, do this with a sendRedirect, though we should try to figure out a solution
// with a forward isntead; that way the user can fix the issue in the URL and easily try again
if (isViewStudyPage(pageDef) || isEditStudyPage(pageDef) || isVersionDiffPage(pageDef)) {
Long studyId = determineStudyId(pageDef, httpRequest);
if (isVersionDiffPage(pageDef)) {
Long[] versionDiffNumbers = VDCRequestBean.parseVersionNumberList(httpRequest);
if (versionDiffNumbers == null || studyId == null) {
String redirectURL = httpRequest.getContextPath();
if (currentVDC != null) {
redirectURL += "/dv/" + currentVDC.getAlias();
}
httpResponse.sendRedirect(redirectURL + "/faces/NotFoundPage.xhtml");
return;
} else {
try {
// Get the studyVersions to test that the versionNumbers exist for this study.
// If they don't exist, an EJBException will be thrown.
StudyVersion sv1 = studyService.getStudyVersion(studyId, versionDiffNumbers[0]);
StudyVersion sv2 = studyService.getStudyVersion(studyId, versionDiffNumbers[1]);
} catch (EJBException e) {
if (e.getCause() instanceof IllegalArgumentException) {
String redirectURL = httpRequest.getContextPath();
if (currentVDC != null) {
redirectURL += "/dv/" + currentVDC.getAlias();
}
httpResponse.sendRedirect(redirectURL + "/faces/IdDoesNotExistPage.xhtml");
return;
} else {
throw e;
}
}
}
} else if (studyId != null) {
try {
String versionNumberParam = httpRequest.getParameter("versionNumber");
if (versionNumberParam != null) {
Long versionNumber = new Long(versionNumberParam);
StudyVersion sv = studyService.getStudyVersion(studyId, versionNumber);
} else {
// Get the study to make sure that the studyId exists.
// If it doesn't exist, and EJBException will be thrown.
Study study = studyService.getStudy(studyId);
}
} catch (EJBException e) {
if (e.getCause() instanceof IllegalArgumentException) {
String redirectURL = httpRequest.getContextPath();
if (currentVDC != null) {
redirectURL += "/dv/" + currentVDC.getAlias();
}
httpResponse.sendRedirect(redirectURL + "/faces/IdDoesNotExistPage.xhtml");
return;
} else {
throw e;
}
} catch (NumberFormatException e) {
String redirectURL = httpRequest.getContextPath();
if (currentVDC != null) {
redirectURL += "/dv/" + currentVDC.getAlias();
}
httpResponse.sendRedirect(redirectURL + "/faces/NotFoundPage.xhtml");
return;
}
}
}
setOriginalUrl(httpRequest, httpResponse, currentVDC);
LoginBean loginBean = getLoginBean(request);
UserGroup ipUserGroup = null;
if (loginBean == null) {
ipUserGroup = getIpGroup(httpRequest);
} else {
HttpSession session = ((HttpServletRequest) request).getSession(false);
}
String loginURI = (String) httpRequest.getSession().getAttribute("LOGIN_REDIRECT");
if (loginURI != null) {
httpRequest.getSession().removeAttribute("LOGIN_REDIRECT");
httpResponse.sendRedirect(loginURI);
} else {
boolean authorized = false;
if (isRolePage(pageDef, httpRequest)) {
if (isUserAuthorizedForRolePage(pageDef, httpRequest, loginBean)) {
authorized = true;
}
} else if (isUserAuthorizedForNonRolePage(pageDef, httpRequest, loginBean, ipUserGroup)) {
authorized = true;
}
if (!authorized) {
if (loginBean == null) {
redirectToLogin(httpRequest, httpResponse, currentVDC);
} else {
PageDef redirectPageDef =
pageDefService.findByName(PageDefServiceLocal.UNAUTHORIZED_PAGE);
httpResponse.sendRedirect(
httpRequest.getContextPath() + "/faces" + redirectPageDef.getPath());
}
} else {
if (isCheckLockPage(pageDef) && studyLockedMessage(pageDef, httpRequest) != null) {
PageDef redirectPageDef = pageDefService.findByName(PageDefServiceLocal.STUDYLOCKED_PAGE);
httpResponse.sendRedirect(
httpRequest.getContextPath()
+ "/faces"
+ redirectPageDef.getPath()
+ "?message="
+ studyLockedMessage(pageDef, httpRequest));
} else {
try {
chain.doFilter(request, response);
} catch (Throwable t) {
//
// If an exception is thrown somewhere down the filter chain,
// we still want to execute our after processing, and then
// rethrow the problem after that.
//
t.printStackTrace();
}
}
}
}
}