=== removed file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/AccessUtils.java' --- dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/AccessUtils.java 2013-01-14 21:35:56 +0000 +++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/AccessUtils.java 1970-01-01 00:00:00 +0000 @@ -1,99 +0,0 @@ -package org.hisp.dhis.common; - -/* - * Copyright (c) 2004-2012, University of Oslo - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * * Neither the name of the HISP project nor the names of its contributors may - * be used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR - * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -import org.hisp.dhis.user.User; -import org.hisp.dhis.user.UserGroupAccess; - -/** - * @author Morten Olav Hansen - */ -public class AccessUtils -{ - public static boolean canWrite( User user, IdentifiableObject object ) - { - if ( defaultAccessIsNull( object ) ) return true; - - if ( user.equals( object.getUser() ) || AccessStringHelper.canWrite( object.getPublicAccess() ) ) - { - return true; - } - - for ( UserGroupAccess userGroupAccess : object.getUserGroupAccesses() ) - { - if ( AccessStringHelper.canWrite( userGroupAccess.getAccess() ) - && userGroupAccess.getUserGroup().getMembers().contains( user ) ) - { - return true; - } - } - - return false; - } - - public static boolean canRead( User user, IdentifiableObject object ) - { - if ( defaultAccessIsNull( object ) ) return true; - - if ( user.equals( object.getUser() ) || AccessStringHelper.canRead( object.getPublicAccess() ) ) - { - return true; - } - - for ( UserGroupAccess userGroupAccess : object.getUserGroupAccesses() ) - { - if ( AccessStringHelper.canRead( userGroupAccess.getAccess() ) - && userGroupAccess.getUserGroup().getMembers().contains( user ) ) - { - return true; - } - } - - return false; - } - - public static boolean canUpdate( User user, IdentifiableObject object ) - { - return canWrite( user, object ); - } - - public static boolean canDelete( User user, IdentifiableObject object ) - { - return canWrite( user, object ); - } - - public static boolean canManage( User user, IdentifiableObject object ) - { - return user.getUserCredentials().getAllAuthorities().contains( "ALL" ) || !defaultAccessIsNull( object ) && canWrite( user, object ); - } - - private static boolean defaultAccessIsNull( IdentifiableObject identifiableObject ) - { - return identifiableObject.getUser() == null; - } -} === modified file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/BaseIdentifiableObject.java' --- dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/BaseIdentifiableObject.java 2013-01-14 21:35:56 +0000 +++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/BaseIdentifiableObject.java 2013-01-18 12:58:45 +0000 @@ -333,14 +333,6 @@ setUid( CodeGenerator.generateCode() ); } - if ( user == null && publicAccess == null && userGroupAccesses.isEmpty() ) - { - publicAccess = AccessStringHelper.newInstance() - .enable( AccessStringHelper.Permission.READ ) - .enable( AccessStringHelper.Permission.WRITE ) - .build(); - } - Date date = new Date(); if ( created == null ) === added file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/SharingUtils.java' --- dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/SharingUtils.java 1970-01-01 00:00:00 +0000 +++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/SharingUtils.java 2013-01-18 12:58:45 +0000 @@ -0,0 +1,157 @@ +package org.hisp.dhis.common; + +/* + * Copyright (c) 2004-2012, University of Oslo + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * * Redistributions of source code must retain the above copyright notice, this + * list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * * Neither the name of the HISP project nor the names of its contributors may + * be used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR + * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +import org.hisp.dhis.document.Document; +import org.hisp.dhis.report.Report; +import org.hisp.dhis.reporttable.ReportTable; +import org.hisp.dhis.user.User; +import org.hisp.dhis.user.UserGroupAccess; + +import java.util.HashMap; +import java.util.Map; +import java.util.Set; + +/** + * @author Morten Olav Hansen + */ +public class SharingUtils +{ + public static Map, String> PUBLIC_AUTHORITIES = new HashMap, String>(); + + public static Map, String> PRIVATE_AUTHORITIES = new HashMap, String>(); + + public static final Map> SUPPORTED_TYPES = new HashMap>(); + + public static final String SHARING_OVERRIDE_AUTHORITY = "ALL"; + + static + { + SUPPORTED_TYPES.put( "document", Document.class ); + PUBLIC_AUTHORITIES.put( Document.class, "F_DOCUMENT_PUBLIC_ADD" ); + PRIVATE_AUTHORITIES.put( Document.class, "F_DOCUMENT_PRIVATE_ADD" ); + + SUPPORTED_TYPES.put( "report", Report.class ); + PUBLIC_AUTHORITIES.put( Report.class, "F_REPORT_PUBLIC_ADD" ); + PRIVATE_AUTHORITIES.put( Report.class, "F_REPORT_PRIVATE_ADD" ); + + SUPPORTED_TYPES.put( "reportTable", ReportTable.class ); + PUBLIC_AUTHORITIES.put( ReportTable.class, "F_REPORTTABLE_PUBLIC_ADD" ); + PRIVATE_AUTHORITIES.put( ReportTable.class, "F_REPORTTABLE_PRIVATE_ADD" ); + } + + public static boolean isSupported( String type ) + { + return SUPPORTED_TYPES.containsKey( type ); + } + + public static boolean isSupported( IdentifiableObject identifiableObject ) + { + return SUPPORTED_TYPES.containsValue( identifiableObject.getClass() ); + } + + public static Class classForType( String type ) + { + return SUPPORTED_TYPES.get( type ); + } + + public static boolean canCreatePublic( User user, IdentifiableObject identifiableObject ) + { + Set authorities = user.getUserCredentials().getAllAuthorities(); + return authorities.contains( SHARING_OVERRIDE_AUTHORITY ) || authorities.contains( PUBLIC_AUTHORITIES.get( identifiableObject.getClass() ) ); + } + + public static boolean canCreatePrivate( User user, IdentifiableObject identifiableObject ) + { + Set authorities = user.getUserCredentials().getAllAuthorities(); + return authorities.contains( SHARING_OVERRIDE_AUTHORITY ) || authorities.contains( PRIVATE_AUTHORITIES.get( identifiableObject.getClass() ) ); + } + + public static boolean canWrite( User user, IdentifiableObject object ) + { + if ( defaultAccessIsNull( object ) ) return true; + + if ( user.equals( object.getUser() ) || AccessStringHelper.canWrite( object.getPublicAccess() ) ) + { + return true; + } + + for ( UserGroupAccess userGroupAccess : object.getUserGroupAccesses() ) + { + if ( AccessStringHelper.canWrite( userGroupAccess.getAccess() ) + && userGroupAccess.getUserGroup().getMembers().contains( user ) ) + { + return true; + } + } + + return false; + } + + public static boolean canRead( User user, IdentifiableObject object ) + { + if ( defaultAccessIsNull( object ) ) return true; + + if ( user.equals( object.getUser() ) || AccessStringHelper.canRead( object.getPublicAccess() ) ) + { + return true; + } + + for ( UserGroupAccess userGroupAccess : object.getUserGroupAccesses() ) + { + if ( AccessStringHelper.canRead( userGroupAccess.getAccess() ) + && userGroupAccess.getUserGroup().getMembers().contains( user ) ) + { + return true; + } + } + + return false; + } + + public static boolean canUpdate( User user, IdentifiableObject object ) + { + return canWrite( user, object ); + } + + public static boolean canDelete( User user, IdentifiableObject object ) + { + return canWrite( user, object ); + } + + public static boolean canManage( User user, IdentifiableObject object ) + { + return user.getUserCredentials().getAllAuthorities().contains( SHARING_OVERRIDE_AUTHORITY ) || + !defaultAccessIsNull( object ) && canWrite( user, object ); + } + + private static boolean defaultAccessIsNull( IdentifiableObject identifiableObject ) + { + return identifiableObject.getUser() == null; + } +} === modified file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java' --- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java 2013-01-08 16:31:45 +0000 +++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java 2013-01-18 12:58:45 +0000 @@ -29,7 +29,7 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; -import org.hisp.dhis.common.AccessUtils; +import org.hisp.dhis.common.SharingUtils; import org.hisp.dhis.common.CodeGenerator; import org.hisp.dhis.common.IdentifiableObject; import org.hisp.dhis.message.MessageSender; @@ -237,32 +237,44 @@ } @Override + public boolean canCreatePublic( IdentifiableObject identifiableObject ) + { + return SharingUtils.canCreatePublic( currentUserService.getCurrentUser(), identifiableObject ); + } + + @Override + public boolean canCreatePrivate( IdentifiableObject identifiableObject ) + { + return SharingUtils.canCreatePrivate( currentUserService.getCurrentUser(), identifiableObject ); + } + + @Override public boolean canRead( IdentifiableObject identifiableObject ) { - return AccessUtils.canRead( currentUserService.getCurrentUser(), identifiableObject ); + return SharingUtils.canRead( currentUserService.getCurrentUser(), identifiableObject ); } @Override public boolean canWrite( IdentifiableObject identifiableObject ) { - return AccessUtils.canWrite( currentUserService.getCurrentUser(), identifiableObject ); + return SharingUtils.canWrite( currentUserService.getCurrentUser(), identifiableObject ); } @Override public boolean canUpdate( IdentifiableObject identifiableObject ) { - return AccessUtils.canUpdate( currentUserService.getCurrentUser(), identifiableObject ); + return SharingUtils.canUpdate( currentUserService.getCurrentUser(), identifiableObject ); } @Override public boolean canDelete( IdentifiableObject identifiableObject ) { - return AccessUtils.canDelete( currentUserService.getCurrentUser(), identifiableObject ); + return SharingUtils.canDelete( currentUserService.getCurrentUser(), identifiableObject ); } @Override public boolean canManage( IdentifiableObject identifiableObject ) { - return AccessUtils.canManage( currentUserService.getCurrentUser(), identifiableObject ); + return SharingUtils.canManage( currentUserService.getCurrentUser(), identifiableObject ); } } === modified file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/SecurityService.java' --- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/SecurityService.java 2013-01-03 12:51:34 +0000 +++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/SecurityService.java 2013-01-18 12:58:45 +0000 @@ -95,7 +95,7 @@ boolean canRead( IdentifiableObject identifiableObject ); /** - * Checks whether current user has write access to object. + * Checks whether current user has create access to object. * * @param identifiableObject Object to check for write access. * @return true of false depending on outcome of write check @@ -103,6 +103,22 @@ boolean canWrite( IdentifiableObject identifiableObject ); /** + * Checks whether current user can create public instances of the object. + * + * @param identifiableObject Object to check for write access. + * @return true of false depending on outcome of write check + */ + boolean canCreatePublic( IdentifiableObject identifiableObject ); + + /** + * Checks whether current user can create private instances of the object. + * + * @param identifiableObject Object to check for write access. + * @return true of false depending on outcome of write check + */ + boolean canCreatePrivate( IdentifiableObject identifiableObject ); + + /** * Checks whether current user has update access to object. * * @param identifiableObject Object to check for update access. === modified file 'dhis-2/dhis-support/dhis-support-hibernate/src/main/java/org/hisp/dhis/hibernate/HibernateGenericStore.java' --- dhis-2/dhis-support/dhis-support-hibernate/src/main/java/org/hisp/dhis/hibernate/HibernateGenericStore.java 2013-01-17 15:31:26 +0000 +++ dhis-2/dhis-support/dhis-support-hibernate/src/main/java/org/hisp/dhis/hibernate/HibernateGenericStore.java 2013-01-18 12:58:45 +0000 @@ -37,10 +37,12 @@ import org.hibernate.criterion.Criterion; import org.hibernate.criterion.Order; import org.hibernate.criterion.Restrictions; -import org.hisp.dhis.common.AccessUtils; +import org.hisp.dhis.common.AccessStringHelper; import org.hisp.dhis.common.AuditLogUtil; +import org.hisp.dhis.common.BaseIdentifiableObject; import org.hisp.dhis.common.GenericNameableObjectStore; import org.hisp.dhis.common.IdentifiableObject; +import org.hisp.dhis.common.SharingUtils; import org.hisp.dhis.user.CurrentUserService; import org.hisp.dhis.user.User; import org.springframework.beans.factory.annotation.Autowired; @@ -215,6 +217,30 @@ throw new AccessDeniedException( "You do not have write access to object" ); } + if ( hasShareProperties() ) + { + BaseIdentifiableObject identifiableObject = (BaseIdentifiableObject) object; + + if ( identifiableObject.getUser() == null ) + { + identifiableObject.setUser( currentUserService.getCurrentUser() ); + } + + if ( SharingUtils.canCreatePublic( currentUserService.getCurrentUser(), identifiableObject ) ) + { + identifiableObject.setPublicAccess( AccessStringHelper.newInstance().enable( AccessStringHelper.Permission.READ ).build() ); + } + else if ( SharingUtils.canCreatePrivate( currentUserService.getCurrentUser(), identifiableObject ) ) + { + identifiableObject.setPublicAccess( AccessStringHelper.newInstance().build() ); + } + else + { + AuditLogUtil.infoWrapper( log, currentUserService.getCurrentUsername(), object, AuditLogUtil.ACTION_CREATE_DENIED ); + throw new AccessDeniedException( "You are not allowed to create public or private objects of this kind" ); + } + } + AuditLogUtil.infoWrapper( log, currentUserService.getCurrentUsername(), object, AuditLogUtil.ACTION_CREATE ); return (Integer) sessionFactory.getCurrentSession().save( object ); } @@ -780,8 +806,8 @@ private boolean sharingEnabled() { - return hasShareProperties() - && !(currentUserService.getCurrentUser() == null || currentUserService.getCurrentUser().getUserCredentials().getAllAuthorities().contains( "ALL" )); + return hasShareProperties() && !(currentUserService.getCurrentUser() == null || + currentUserService.getCurrentUser().getUserCredentials().getAllAuthorities().contains( SharingUtils.SHARING_OVERRIDE_AUTHORITY )); } private boolean hasShareProperties() @@ -805,9 +831,9 @@ { IdentifiableObject idObject = (IdentifiableObject) object; - if ( hasShareProperties() ) + if ( sharingEnabled() ) { - return AccessUtils.canRead( currentUserService.getCurrentUser(), idObject ); + return SharingUtils.canRead( currentUserService.getCurrentUser(), idObject ); } } @@ -820,9 +846,9 @@ { IdentifiableObject idObject = (IdentifiableObject) object; - if ( hasShareProperties() ) + if ( sharingEnabled() ) { - return AccessUtils.canWrite( currentUserService.getCurrentUser(), idObject ); + return SharingUtils.canWrite( currentUserService.getCurrentUser(), idObject ); } } @@ -837,7 +863,7 @@ if ( hasShareProperties() ) { - return AccessUtils.canUpdate( currentUserService.getCurrentUser(), idObject ); + return SharingUtils.canUpdate( currentUserService.getCurrentUser(), idObject ); } } @@ -852,7 +878,7 @@ if ( hasShareProperties() ) { - return AccessUtils.canDelete( currentUserService.getCurrentUser(), idObject ); + return SharingUtils.canDelete( currentUserService.getCurrentUser(), idObject ); } } === modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/SharingController.java' --- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/SharingController.java 2013-01-17 15:31:26 +0000 +++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/SharingController.java 2013-01-18 12:58:45 +0000 @@ -34,10 +34,8 @@ import org.hisp.dhis.common.BaseIdentifiableObject; import org.hisp.dhis.common.IdentifiableObject; import org.hisp.dhis.common.IdentifiableObjectManager; -import org.hisp.dhis.document.Document; +import org.hisp.dhis.common.SharingUtils; import org.hisp.dhis.dxf2.utils.JacksonUtils; -import org.hisp.dhis.report.Report; -import org.hisp.dhis.reporttable.ReportTable; import org.hisp.dhis.security.SecurityService; import org.hisp.dhis.user.CurrentUserService; import org.hisp.dhis.user.UserGroup; @@ -54,28 +52,17 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; -import java.util.HashMap; import java.util.Iterator; -import java.util.Map; /** * @author Morten Olav Hansen */ @Controller -@RequestMapping( value = SharingController.RESOURCE_PATH, method = RequestMethod.GET ) +@RequestMapping(value = SharingController.RESOURCE_PATH, method = RequestMethod.GET) public class SharingController { public static final String RESOURCE_PATH = "/sharing"; - public static final Map> TYPE_MAP = new HashMap>(); - - static - { - TYPE_MAP.put( "document", Document.class ); - TYPE_MAP.put( "report", Report.class ); - TYPE_MAP.put( "reportTable", ReportTable.class ); - } - @Autowired private CurrentUserService currentUserService; @@ -91,16 +78,16 @@ @Autowired private UserGroupAccessService userGroupAccessService; - @RequestMapping( value = "", produces = { "application/json", "text/*" } ) + @RequestMapping(value = "", produces = { "application/json", "text/*" }) public void getSharing( @RequestParam String type, @RequestParam String id, HttpServletResponse response ) throws IOException { - if ( !TYPE_MAP.containsKey( type ) ) + if ( !SharingUtils.isSupported( type ) ) { ContextUtils.notFoundResponse( response, "Type " + type + " is not supported." ); return; } - IdentifiableObject object = manager.get( TYPE_MAP.get( type ), id ); + IdentifiableObject object = manager.get( SharingUtils.classForType( type ), id ); if ( object == null ) { @@ -116,7 +103,6 @@ Sharing sharing = new Sharing(); sharing.getObject().setId( object.getUid() ); - sharing.getObject().setClazz( TYPE_MAP.get( type ).getName() ); sharing.getObject().setName( object.getDisplayName() ); sharing.getObject().setPublicAccess( object.getPublicAccess() ); @@ -139,10 +125,10 @@ JacksonUtils.toJson( response.getOutputStream(), sharing ); } - @RequestMapping( value = "", method = RequestMethod.POST, consumes = "application/json" ) + @RequestMapping(value = "", method = RequestMethod.POST, consumes = "application/json") public void setSharing( @RequestParam String type, @RequestParam String id, HttpServletResponse response, HttpServletRequest request ) throws IOException { - BaseIdentifiableObject object = (BaseIdentifiableObject) manager.get( TYPE_MAP.get( type ), id ); + BaseIdentifiableObject object = (BaseIdentifiableObject) manager.get( SharingUtils.classForType( type ), id ); if ( object == null ) { @@ -193,7 +179,7 @@ manager.update( object ); } - @RequestMapping( value = "/search", produces = { "application/json", "text/*" } ) + @RequestMapping(value = "/search", produces = { "application/json", "text/*" }) public void searchUserGroups( @RequestParam String key, HttpServletResponse response ) throws IOException { SharingUserGroups sharingUserGroups = new SharingUserGroups(); === modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/webdomain/sharing/SharingObject.java' --- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/webdomain/sharing/SharingObject.java 2013-01-03 12:43:44 +0000 +++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/webdomain/sharing/SharingObject.java 2013-01-18 12:58:45 +0000 @@ -41,9 +41,6 @@ private String id; @JsonProperty - private String clazz; - - @JsonProperty private String name; @JsonProperty @@ -69,16 +66,6 @@ this.id = id; } - public String getClazz() - { - return clazz; - } - - public void setClazz( String clazz ) - { - this.clazz = clazz; - } - public String getName() { return name;