=== removed file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/acl/AccessControlService.java' --- dhis-2/dhis-api/src/main/java/org/hisp/dhis/acl/AccessControlService.java 2014-03-27 05:13:32 +0000 +++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/acl/AccessControlService.java 1970-01-01 00:00:00 +0000 @@ -1,152 +0,0 @@ -package org.hisp.dhis.acl; - -/* - * Copyright (c) 2004-2014, University of Oslo - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * Neither the name of the HISP project nor the names of its contributors may - * be used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR - * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -import org.hisp.dhis.common.IdentifiableObject; -import org.hisp.dhis.user.User; - -import java.util.Arrays; -import java.util.List; - -/** - * @author Morten Olav Hansen - */ -public interface AccessControlService -{ - public static final List SHARING_OVERRIDE_AUTHORITIES = Arrays.asList( "ALL", "F_METADATA_IMPORT" ); - - boolean isSupported( String type ); - - boolean isSupported( Class klass ); - - boolean isShareable( Class klass ); - - /** - * Can user write to this object (create) - *

- * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority? - * 2. Is the user for the object null? - * 3. Is the user of the object equal to current user? - * 4. Is the object public write? - * 5. Does any of the userGroupAccesses contain public write and the current user is in that group - * - * @param user User to check against - * @param object Object to check - * @return Result of test - */ - boolean canWrite( User user, IdentifiableObject object ); - - /** - * Can user read this object - *

- * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority? - * 2. Is the user for the object null? - * 3. Is the user of the object equal to current user? - * 4. Is the object public read? - * 5. Does any of the userGroupAccesses contain public read and the current user is in that group - * - * @param user User to check against - * @param object Object to check - * @return Result of test - */ - boolean canRead( User user, IdentifiableObject object ); - - /** - * Can user update this object - *

- * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority? - * 2. Can user write to this object? - * - * @param user User to check against - * @param object Object to check - * @return Result of test - */ - boolean canUpdate( User user, IdentifiableObject object ); - - /** - * Can user delete this object - *

- * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority? - * 2. Can user write to this object? - * - * @param user User to check against - * @param object Object to check - * @return Result of test - */ - boolean canDelete( User user, IdentifiableObject object ); - - /** - * Can user manage (make public) this object - *

- * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority? - * 2. Can user write to this object? - * - * @param user User to check against - * @param object Object to check - * @return Result of test - */ - boolean canManage( User user, IdentifiableObject object ); - - /** - * Checks if a user can create a public instance of a certain object. - *

- * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority? - * 2. Does user have the authority to create public instances of that object - * - * @param user User to check against - * @param klass Class to check - * @return Result of test - */ - boolean canCreatePublic( User user, Class klass ); - - /** - * Checks if a user can create a private instance of a certain object. - *

- * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority? - * 2. Does user have the authority to create private instances of that object - * - * @param user User to check against - * @param klass Class to check - * @return Result of test - */ - boolean canCreatePrivate( User user, Class klass ); - - /** - * Can user make this object external? (read with no login) - * - * @param user User to check against - * @param klass Type to check - * @return Result of test - */ - boolean canExternalize( User user, Class klass ); - - boolean defaultPublic( Class klass ); - - Class classForType( String type ); -} === added file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/acl/AclService.java' --- dhis-2/dhis-api/src/main/java/org/hisp/dhis/acl/AclService.java 1970-01-01 00:00:00 +0000 +++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/acl/AclService.java 2014-03-27 06:07:15 +0000 @@ -0,0 +1,154 @@ +package org.hisp.dhis.acl; + +/* + * Copyright (c) 2004-2014, University of Oslo + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright notice, this + * list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * Neither the name of the HISP project nor the names of its contributors may + * be used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR + * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +import org.hisp.dhis.common.IdentifiableObject; +import org.hisp.dhis.user.User; + +import java.util.Arrays; +import java.util.List; + +/** + * @author Morten Olav Hansen + */ +public interface AclService +{ + public static final List SHARING_OVERRIDE_AUTHORITIES = Arrays.asList( "ALL", "F_METADATA_IMPORT" ); + + boolean isSupported( String type ); + + boolean isSupported( Class klass ); + + boolean isShareable( String type ); + + boolean isShareable( Class klass ); + + /** + * Can user write to this object (create) + *

+ * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority? + * 2. Is the user for the object null? + * 3. Is the user of the object equal to current user? + * 4. Is the object public write? + * 5. Does any of the userGroupAccesses contain public write and the current user is in that group + * + * @param user User to check against + * @param object Object to check + * @return Result of test + */ + boolean canWrite( User user, IdentifiableObject object ); + + /** + * Can user read this object + *

+ * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority? + * 2. Is the user for the object null? + * 3. Is the user of the object equal to current user? + * 4. Is the object public read? + * 5. Does any of the userGroupAccesses contain public read and the current user is in that group + * + * @param user User to check against + * @param object Object to check + * @return Result of test + */ + boolean canRead( User user, IdentifiableObject object ); + + /** + * Can user update this object + *

+ * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority? + * 2. Can user write to this object? + * + * @param user User to check against + * @param object Object to check + * @return Result of test + */ + boolean canUpdate( User user, IdentifiableObject object ); + + /** + * Can user delete this object + *

+ * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority? + * 2. Can user write to this object? + * + * @param user User to check against + * @param object Object to check + * @return Result of test + */ + boolean canDelete( User user, IdentifiableObject object ); + + /** + * Can user manage (make public) this object + *

+ * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority? + * 2. Can user write to this object? + * + * @param user User to check against + * @param object Object to check + * @return Result of test + */ + boolean canManage( User user, IdentifiableObject object ); + + /** + * Checks if a user can create a public instance of a certain object. + *

+ * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority? + * 2. Does user have the authority to create public instances of that object + * + * @param user User to check against + * @param klass Class to check + * @return Result of test + */ + boolean canCreatePublic( User user, Class klass ); + + /** + * Checks if a user can create a private instance of a certain object. + *

+ * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority? + * 2. Does user have the authority to create private instances of that object + * + * @param user User to check against + * @param klass Class to check + * @return Result of test + */ + boolean canCreatePrivate( User user, Class klass ); + + /** + * Can user make this object external? (read with no login) + * + * @param user User to check against + * @param klass Type to check + * @return Result of test + */ + boolean canExternalize( User user, Class klass ); + + boolean defaultPublic( Class klass ); + + Class classForType( String type ); +} === modified file 'dhis-2/dhis-services/dhis-service-analytics/src/main/java/org/hisp/dhis/analytics/dimension/DefaultDimensionService.java' --- dhis-2/dhis-services/dhis-service-analytics/src/main/java/org/hisp/dhis/analytics/dimension/DefaultDimensionService.java 2014-03-27 04:44:41 +0000 +++ dhis-2/dhis-services/dhis-service-analytics/src/main/java/org/hisp/dhis/analytics/dimension/DefaultDimensionService.java 2014-03-27 06:07:15 +0000 @@ -28,6 +28,7 @@ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +import org.hisp.dhis.acl.AclService; import org.hisp.dhis.common.BaseAnalyticalObject; import org.hisp.dhis.common.DimensionService; import org.hisp.dhis.common.DimensionType; @@ -56,7 +57,6 @@ import org.hisp.dhis.period.PeriodType; import org.hisp.dhis.period.RelativePeriodEnum; import org.hisp.dhis.period.RelativePeriods; -import org.hisp.dhis.acl.AccessControlService; import org.hisp.dhis.system.util.UniqueArrayList; import org.hisp.dhis.trackedentity.TrackedEntityAttribute; import org.hisp.dhis.trackedentity.TrackedEntityAttributeDimension; @@ -100,7 +100,7 @@ private DataElementService dataElementService; @Autowired - private AccessControlService accessControlService; + private AclService aclService; @Autowired private CurrentUserService currentUserService; @@ -169,7 +169,7 @@ for ( NameableObject item : dimension.getItems() ) { - boolean canRead = accessControlService.canRead( user, item ); + boolean canRead = aclService.canRead( user, item ); if ( canRead ) { === removed file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/acl/DefaultAccessControlService.java' --- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/acl/DefaultAccessControlService.java 2014-03-27 05:13:32 +0000 +++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/acl/DefaultAccessControlService.java 1970-01-01 00:00:00 +0000 @@ -1,284 +0,0 @@ -package org.hisp.dhis.acl; - -/* - * Copyright (c) 2004-2014, University of Oslo - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * Neither the name of the HISP project nor the names of its contributors may - * be used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR - * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -import org.hisp.dhis.common.IdentifiableObject; -import org.hisp.dhis.dashboard.Dashboard; -import org.hisp.dhis.schema.AuthorityType; -import org.hisp.dhis.schema.Schema; -import org.hisp.dhis.schema.SchemaService; -import org.hisp.dhis.user.User; -import org.hisp.dhis.user.UserGroup; -import org.hisp.dhis.user.UserGroupAccess; -import org.springframework.beans.factory.annotation.Autowired; - -import java.util.Collection; -import java.util.HashSet; -import java.util.Set; - -import static org.springframework.util.CollectionUtils.containsAny; - -/** - * @author Morten Olav Hansen - */ -public class DefaultAccessControlService implements AccessControlService -{ - @Autowired - private SchemaService schemaService; - - @Override - public boolean isSupported( String type ) - { - Schema schema = schemaService.getSchemaBySingularName( type ); - return schema != null && schema.isShareable(); - } - - @Override - public boolean isSupported( Class klass ) - { - Schema schema = schemaService.getSchema( klass ); - return schema != null && schema.isShareable(); - } - - @Override - public boolean isShareable( Class klass ) - { - Schema schema = schemaService.getSchema( klass ); - return schema != null && schema.isShareable(); - } - - @Override - public boolean canWrite( User user, IdentifiableObject object ) - { - Schema schema = schemaService.getSchema( object.getClass() ); - - if ( schema == null || !schema.isShareable() ) - { - return false; - } - - //TODO ( (object instanceof User) && canCreatePrivate( user, object ) ): review possible security breaches and best way to give update access upon user import - if ( haveOverrideAuthority( user ) - || (object.getUser() == null && canCreatePublic( user, object.getClass() ) && !schema.getAuthorityByType( AuthorityType.CREATE_PRIVATE ).isEmpty()) - || (user != null && user.equals( object.getUser() )) - //|| authorities.contains( PRIVATE_AUTHORITIES.get( object.getClass() ) ) - || ((object instanceof User) && canCreatePrivate( user, object.getClass() )) - || AccessStringHelper.canWrite( object.getPublicAccess() ) ) - { - return true; - } - - for ( UserGroupAccess userGroupAccess : object.getUserGroupAccesses() ) - { - if ( AccessStringHelper.canWrite( userGroupAccess.getAccess() ) - && userGroupAccess.getUserGroup().getMembers().contains( user ) ) - { - return true; - } - } - - return false; - } - - @Override - public boolean canRead( User user, IdentifiableObject object ) - { - Schema schema = schemaService.getSchema( object.getClass() ); - - if ( schema == null || !schema.isShareable() ) - { - return false; - } - - if ( haveOverrideAuthority( user ) - || UserGroup.class.isAssignableFrom( object.getClass() ) - || object.getUser() == null - || user.equals( object.getUser() ) - || AccessStringHelper.canRead( object.getPublicAccess() ) ) - { - return true; - } - - for ( UserGroupAccess userGroupAccess : object.getUserGroupAccesses() ) - { - if ( AccessStringHelper.canRead( userGroupAccess.getAccess() ) - && userGroupAccess.getUserGroup().getMembers().contains( user ) ) - { - return true; - } - } - - return false; - } - - @Override - public boolean canUpdate( User user, IdentifiableObject object ) - { - Schema schema = schemaService.getSchema( object.getClass() ); - - if ( schema == null || !schema.isShareable() ) - { - return false; - } - - if ( schema.getAuthorityByType( AuthorityType.UPDATE ).isEmpty() ) - { - return canWrite( user, object ); - } - - return canAccess( user, schema.getAuthorityByType( AuthorityType.UPDATE ) ) && canWrite( user, object ); - } - - @Override - public boolean canDelete( User user, IdentifiableObject object ) - { - Schema schema = schemaService.getSchema( object.getClass() ); - - if ( schema == null || !schema.isShareable() ) - { - return false; - } - - if ( schema.getAuthorityByType( AuthorityType.DELETE ).isEmpty() ) - { - return canWrite( user, object ); - } - - return canAccess( user, schema.getAuthorityByType( AuthorityType.DELETE ) ) && canWrite( user, object ); - } - - private boolean canAccess( User user, Collection requiredAuthorities ) - { - Set userAuthorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet(); - - return user == null || containsAny( userAuthorities, SHARING_OVERRIDE_AUTHORITIES ) || - containsAny( userAuthorities, requiredAuthorities ); - } - - @Override - public boolean canManage( User user, IdentifiableObject object ) - { - Schema schema = schemaService.getSchema( object.getClass() ); - - if ( schema == null || !schema.isShareable() ) - { - return false; - } - - if ( haveOverrideAuthority( user ) - || (object.getUser() == null && canCreatePublic( user, object.getClass() ) && !schema.getAuthorityByType( AuthorityType.CREATE_PRIVATE ).isEmpty()) - || user.equals( object.getUser() ) - || AccessStringHelper.canWrite( object.getPublicAccess() ) ) - { - return true; - } - - for ( UserGroupAccess userGroupAccess : object.getUserGroupAccesses() ) - { - if ( AccessStringHelper.canWrite( userGroupAccess.getAccess() ) - && userGroupAccess.getUserGroup().getMembers().contains( user ) ) - { - return true; - } - } - - return false; - } - - @Override - public boolean canCreatePublic( User user, Class klass ) - { - Set authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet(); - - Schema schema = schemaService.getSchema( klass ); - - if ( schema == null || !schema.isShareable() ) - { - return false; - } - - return containsAny( authorities, SHARING_OVERRIDE_AUTHORITIES ) || containsAny( authorities, schema.getAuthorityByType( AuthorityType.CREATE_PUBLIC ) ); - } - - @Override - public boolean canCreatePrivate( User user, Class klass ) - { - Set authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet(); - - Schema schema = schemaService.getSchema( klass ); - - if ( schema == null || !schema.isShareable() ) - { - return false; - } - - return containsAny( authorities, SHARING_OVERRIDE_AUTHORITIES ) || containsAny( authorities, schema.getAuthorityByType( AuthorityType.CREATE_PRIVATE ) ); - } - - @Override - public boolean canExternalize( User user, Class klass ) - { - Set authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet(); - - Schema schema = schemaService.getSchema( klass ); - - if ( schema == null || !schema.isShareable() ) - { - return false; - } - - return containsAny( authorities, SHARING_OVERRIDE_AUTHORITIES ) || containsAny( authorities, schema.getAuthorityByType( AuthorityType.EXTERNALIZE ) ); - } - - @Override - public boolean defaultPublic( Class klass ) - { - // TODO this is quite nasty, should probably be added to schema - return !Dashboard.class.isAssignableFrom( klass ); - } - - @Override - @SuppressWarnings( "unchecked" ) - public Class classForType( String type ) - { - Schema schema = schemaService.getSchemaBySingularName( type ); - - if ( schema != null && schema.isShareable() && schema.isIdentifiableObject() ) - { - return (Class) schema.getKlass(); - } - - return null; - } - - private boolean haveOverrideAuthority( User user ) - { - return user == null || containsAny( user.getUserCredentials().getAllAuthorities(), SHARING_OVERRIDE_AUTHORITIES ); - } -} === added file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/acl/DefaultAclService.java' --- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/acl/DefaultAclService.java 1970-01-01 00:00:00 +0000 +++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/acl/DefaultAclService.java 2014-03-27 06:07:15 +0000 @@ -0,0 +1,290 @@ +package org.hisp.dhis.acl; + +/* + * Copyright (c) 2004-2014, University of Oslo + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright notice, this + * list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * Neither the name of the HISP project nor the names of its contributors may + * be used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR + * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +import org.hisp.dhis.common.IdentifiableObject; +import org.hisp.dhis.dashboard.Dashboard; +import org.hisp.dhis.schema.AuthorityType; +import org.hisp.dhis.schema.Schema; +import org.hisp.dhis.schema.SchemaService; +import org.hisp.dhis.user.User; +import org.hisp.dhis.user.UserGroup; +import org.hisp.dhis.user.UserGroupAccess; +import org.springframework.beans.factory.annotation.Autowired; + +import java.util.Collection; +import java.util.HashSet; +import java.util.Set; + +import static org.springframework.util.CollectionUtils.containsAny; + +/** + * Default ACL implementation that uses SchemaDescriptors to get authorities / sharing flags. + * + * @author Morten Olav Hansen + */ +public class DefaultAclService implements AclService +{ + @Autowired + private SchemaService schemaService; + + @Override + public boolean isSupported( String type ) + { + Schema schema = schemaService.getSchemaBySingularName( type ); + return schema != null && schema.isShareable(); + } + + @Override + public boolean isSupported( Class klass ) + { + Schema schema = schemaService.getSchema( klass ); + return schema != null && schema.isShareable(); + } + + @Override + public boolean isShareable( String type ) + { + Schema schema = schemaService.getSchemaBySingularName( type ); + return schema != null && schema.isShareable(); + } + + @Override + public boolean isShareable( Class klass ) + { + Schema schema = schemaService.getSchema( klass ); + return schema != null && schema.isShareable(); + } + + @Override + public boolean canWrite( User user, IdentifiableObject object ) + { + Schema schema = schemaService.getSchema( object.getClass() ); + + if ( schema == null || !schema.isShareable() ) + { + return false; + } + + //TODO ( (object instanceof User) && canCreatePrivate( user, object ) ): review possible security breaches and best way to give update access upon user import + if ( haveOverrideAuthority( user ) + || (object.getUser() == null && canCreatePublic( user, object.getClass() ) && !schema.getAuthorityByType( AuthorityType.CREATE_PRIVATE ).isEmpty()) + || (user != null && user.equals( object.getUser() )) + //|| authorities.contains( PRIVATE_AUTHORITIES.get( object.getClass() ) ) + || ((object instanceof User) && canCreatePrivate( user, object.getClass() )) + || AccessStringHelper.canWrite( object.getPublicAccess() ) ) + { + return true; + } + + for ( UserGroupAccess userGroupAccess : object.getUserGroupAccesses() ) + { + if ( AccessStringHelper.canWrite( userGroupAccess.getAccess() ) + && userGroupAccess.getUserGroup().getMembers().contains( user ) ) + { + return true; + } + } + + return false; + } + + @Override + public boolean canRead( User user, IdentifiableObject object ) + { + Schema schema = schemaService.getSchema( object.getClass() ); + + if ( schema == null || !schema.isShareable() ) + { + return false; + } + + if ( haveOverrideAuthority( user ) + || UserGroup.class.isAssignableFrom( object.getClass() ) + || object.getUser() == null + || user.equals( object.getUser() ) + || AccessStringHelper.canRead( object.getPublicAccess() ) ) + { + return true; + } + + for ( UserGroupAccess userGroupAccess : object.getUserGroupAccesses() ) + { + if ( AccessStringHelper.canRead( userGroupAccess.getAccess() ) + && userGroupAccess.getUserGroup().getMembers().contains( user ) ) + { + return true; + } + } + + return false; + } + + @Override + public boolean canUpdate( User user, IdentifiableObject object ) + { + Schema schema = schemaService.getSchema( object.getClass() ); + + if ( schema == null || !schema.isShareable() ) + { + return false; + } + + if ( schema.getAuthorityByType( AuthorityType.UPDATE ).isEmpty() ) + { + return canWrite( user, object ); + } + + return canAccess( user, schema.getAuthorityByType( AuthorityType.UPDATE ) ) && canWrite( user, object ); + } + + @Override + public boolean canDelete( User user, IdentifiableObject object ) + { + Schema schema = schemaService.getSchema( object.getClass() ); + + if ( schema == null || !schema.isShareable() ) + { + return false; + } + + if ( schema.getAuthorityByType( AuthorityType.DELETE ).isEmpty() ) + { + return canWrite( user, object ); + } + + return canAccess( user, schema.getAuthorityByType( AuthorityType.DELETE ) ) && canWrite( user, object ); + } + + @Override + public boolean canManage( User user, IdentifiableObject object ) + { + Schema schema = schemaService.getSchema( object.getClass() ); + + if ( schema == null || !schema.isShareable() ) + { + return false; + } + + if ( haveOverrideAuthority( user ) + || (object.getUser() == null && canCreatePublic( user, object.getClass() ) && !schema.getAuthorityByType( AuthorityType.CREATE_PRIVATE ).isEmpty()) + || user.equals( object.getUser() ) + || AccessStringHelper.canWrite( object.getPublicAccess() ) ) + { + return true; + } + + for ( UserGroupAccess userGroupAccess : object.getUserGroupAccesses() ) + { + if ( AccessStringHelper.canWrite( userGroupAccess.getAccess() ) + && userGroupAccess.getUserGroup().getMembers().contains( user ) ) + { + return true; + } + } + + return false; + } + + @Override + public boolean canCreatePublic( User user, Class klass ) + { + Set authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet(); + + Schema schema = schemaService.getSchema( klass ); + + if ( schema == null || !schema.isShareable() ) + { + return false; + } + + return containsAny( authorities, SHARING_OVERRIDE_AUTHORITIES ) || containsAny( authorities, schema.getAuthorityByType( AuthorityType.CREATE_PUBLIC ) ); + } + + @Override + public boolean canCreatePrivate( User user, Class klass ) + { + Set authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet(); + + Schema schema = schemaService.getSchema( klass ); + + if ( schema == null || !schema.isShareable() ) + { + return false; + } + + return containsAny( authorities, SHARING_OVERRIDE_AUTHORITIES ) || containsAny( authorities, schema.getAuthorityByType( AuthorityType.CREATE_PRIVATE ) ); + } + + @Override + public boolean canExternalize( User user, Class klass ) + { + Set authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet(); + + Schema schema = schemaService.getSchema( klass ); + + if ( schema == null || !schema.isShareable() ) + { + return false; + } + + return containsAny( authorities, SHARING_OVERRIDE_AUTHORITIES ) || containsAny( authorities, schema.getAuthorityByType( AuthorityType.EXTERNALIZE ) ); + } + + @Override + public boolean defaultPublic( Class klass ) + { + // TODO this is quite nasty, should probably be added to schema + return !Dashboard.class.isAssignableFrom( klass ); + } + + @Override + @SuppressWarnings( "unchecked" ) + public Class classForType( String type ) + { + Schema schema = schemaService.getSchemaBySingularName( type ); + + if ( schema != null && schema.isShareable() && schema.isIdentifiableObject() ) + { + return (Class) schema.getKlass(); + } + + return null; + } + + private boolean haveOverrideAuthority( User user ) + { + return user == null || containsAny( user.getUserCredentials().getAllAuthorities(), SHARING_OVERRIDE_AUTHORITIES ); + } + + private boolean canAccess( User user, Collection requiredAuthorities ) + { + return haveOverrideAuthority( user ) || containsAny( user.getUserCredentials().getAllAuthorities(), requiredAuthorities ); + } +} === modified file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java' --- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java 2014-03-27 04:44:41 +0000 +++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java 2014-03-27 06:07:15 +0000 @@ -30,12 +30,12 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.hisp.dhis.acl.AclService; import org.hisp.dhis.common.CodeGenerator; import org.hisp.dhis.common.IdentifiableObject; import org.hisp.dhis.message.MessageSender; import org.hisp.dhis.period.Cal; import org.hisp.dhis.setting.SystemSettingManager; -import org.hisp.dhis.acl.AccessControlService; import org.hisp.dhis.system.util.ValidationUtils; import org.hisp.dhis.system.velocity.VelocityManager; import org.hisp.dhis.user.CurrentUserService; @@ -104,7 +104,7 @@ private CurrentUserService currentUserService; @Autowired - private AccessControlService accessControlService; + private AclService aclService; // ------------------------------------------------------------------------- // SecurityService implementation @@ -289,67 +289,67 @@ @Override public boolean canCreatePublic( IdentifiableObject identifiableObject ) { - return !accessControlService.isSupported( identifiableObject.getClass() ) - || accessControlService.canCreatePublic( currentUserService.getCurrentUser(), identifiableObject.getClass() ); + return !aclService.isSupported( identifiableObject.getClass() ) + || aclService.canCreatePublic( currentUserService.getCurrentUser(), identifiableObject.getClass() ); } @Override public boolean canCreatePublic( String type ) { - Class klass = accessControlService.classForType( type ); + Class klass = aclService.classForType( type ); - return !accessControlService.isSupported( klass ) - || accessControlService.canCreatePublic( currentUserService.getCurrentUser(), klass ); + return !aclService.isSupported( klass ) + || aclService.canCreatePublic( currentUserService.getCurrentUser(), klass ); } @Override public boolean canCreatePrivate( IdentifiableObject identifiableObject ) { - return !accessControlService.isSupported( identifiableObject.getClass() ) - || accessControlService.canCreatePrivate( currentUserService.getCurrentUser(), identifiableObject.getClass() ); + return !aclService.isSupported( identifiableObject.getClass() ) + || aclService.canCreatePrivate( currentUserService.getCurrentUser(), identifiableObject.getClass() ); } @Override public boolean canCreatePrivate( String type ) { - Class klass = accessControlService.classForType( type ); + Class klass = aclService.classForType( type ); - return !accessControlService.isSupported( klass ) - || accessControlService.canCreatePrivate( currentUserService.getCurrentUser(), klass ); + return !aclService.isSupported( klass ) + || aclService.canCreatePrivate( currentUserService.getCurrentUser(), klass ); } @Override public boolean canRead( IdentifiableObject identifiableObject ) { - return !accessControlService.isSupported( identifiableObject.getClass() ) - || accessControlService.canRead( currentUserService.getCurrentUser(), identifiableObject ); + return !aclService.isSupported( identifiableObject.getClass() ) + || aclService.canRead( currentUserService.getCurrentUser(), identifiableObject ); } @Override public boolean canWrite( IdentifiableObject identifiableObject ) { - return !accessControlService.isSupported( identifiableObject.getClass() ) - || accessControlService.canWrite( currentUserService.getCurrentUser(), identifiableObject ); + return !aclService.isSupported( identifiableObject.getClass() ) + || aclService.canWrite( currentUserService.getCurrentUser(), identifiableObject ); } @Override public boolean canUpdate( IdentifiableObject identifiableObject ) { - return !accessControlService.isSupported( identifiableObject.getClass() ) - || accessControlService.canUpdate( currentUserService.getCurrentUser(), identifiableObject ); + return !aclService.isSupported( identifiableObject.getClass() ) + || aclService.canUpdate( currentUserService.getCurrentUser(), identifiableObject ); } @Override public boolean canDelete( IdentifiableObject identifiableObject ) { - return !accessControlService.isSupported( identifiableObject.getClass() ) - || accessControlService.canDelete( currentUserService.getCurrentUser(), identifiableObject ); + return !aclService.isSupported( identifiableObject.getClass() ) + || aclService.canDelete( currentUserService.getCurrentUser(), identifiableObject ); } @Override public boolean canManage( IdentifiableObject identifiableObject ) { - return !accessControlService.isSupported( identifiableObject.getClass() ) - || accessControlService.canManage( currentUserService.getCurrentUser(), identifiableObject ); + return !aclService.isSupported( identifiableObject.getClass() ) + || aclService.canManage( currentUserService.getCurrentUser(), identifiableObject ); } } === modified file 'dhis-2/dhis-services/dhis-service-core/src/main/resources/META-INF/dhis/beans.xml' --- dhis-2/dhis-services/dhis-service-core/src/main/resources/META-INF/dhis/beans.xml 2014-03-27 04:44:41 +0000 +++ dhis-2/dhis-services/dhis-service-core/src/main/resources/META-INF/dhis/beans.xml 2014-03-27 06:07:15 +0000 @@ -11,7 +11,7 @@ - + === modified file 'dhis-2/dhis-services/dhis-service-dxf2/src/main/java/org/hisp/dhis/dxf2/metadata/importers/DefaultIdentifiableObjectImporter.java' --- dhis-2/dhis-services/dhis-service-dxf2/src/main/java/org/hisp/dhis/dxf2/metadata/importers/DefaultIdentifiableObjectImporter.java 2014-03-27 04:44:41 +0000 +++ dhis-2/dhis-services/dhis-service-dxf2/src/main/java/org/hisp/dhis/dxf2/metadata/importers/DefaultIdentifiableObjectImporter.java 2014-03-27 06:07:15 +0000 @@ -31,6 +31,7 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.hibernate.SessionFactory; +import org.hisp.dhis.acl.AclService; import org.hisp.dhis.attribute.Attribute; import org.hisp.dhis.attribute.AttributeService; import org.hisp.dhis.attribute.AttributeValue; @@ -55,7 +56,6 @@ import org.hisp.dhis.period.Period; import org.hisp.dhis.period.PeriodService; import org.hisp.dhis.period.PeriodType; -import org.hisp.dhis.acl.AccessControlService; import org.hisp.dhis.system.util.CollectionUtils; import org.hisp.dhis.system.util.ReflectionUtils; import org.hisp.dhis.system.util.functional.Function1; @@ -110,7 +110,7 @@ private SessionFactory sessionFactory; @Autowired - private AccessControlService accessControlService; + private AclService aclService; @Autowired( required = false ) private List> objectHandlers; @@ -414,7 +414,7 @@ */ protected boolean deleteObject( User user, T persistedObject ) { - if ( !accessControlService.canDelete( user, persistedObject ) ) + if ( !aclService.canDelete( user, persistedObject ) ) { summaryType.getImportConflicts().add( new ImportConflict( ImportUtils.getDisplayName( persistedObject ), "You do not have delete access to class type." ) ); @@ -452,7 +452,7 @@ */ protected boolean newObject( User user, T object ) { - if ( !accessControlService.canCreatePublic( user, object.getClass() ) && !accessControlService.canCreatePrivate( user, object.getClass() ) ) + if ( !aclService.canCreatePublic( user, object.getClass() ) && !aclService.canCreatePrivate( user, object.getClass() ) ) { summaryType.getImportConflicts().add( new ImportConflict( ImportUtils.getDisplayName( object ), "You do not have create access to class type." ) ); @@ -536,7 +536,7 @@ */ protected boolean updateObject( User user, T object, T persistedObject ) { - if ( !accessControlService.canUpdate( user, persistedObject ) ) + if ( !aclService.canUpdate( user, persistedObject ) ) { summaryType.getImportConflicts().add( new ImportConflict( ImportUtils.getDisplayName( object ), "You do not have update access to object." ) ); === modified file 'dhis-2/dhis-support/dhis-support-hibernate/src/main/java/org/hisp/dhis/hibernate/HibernateGenericStore.java' --- dhis-2/dhis-support/dhis-support-hibernate/src/main/java/org/hisp/dhis/hibernate/HibernateGenericStore.java 2014-03-27 04:44:41 +0000 +++ dhis-2/dhis-support/dhis-support-hibernate/src/main/java/org/hisp/dhis/hibernate/HibernateGenericStore.java 2014-03-27 06:07:15 +0000 @@ -36,6 +36,7 @@ import org.hibernate.Session; import org.hibernate.SessionFactory; import org.hibernate.criterion.Criterion; +import org.hisp.dhis.acl.AclService; import org.hisp.dhis.common.AuditLogUtil; import org.hisp.dhis.common.BaseIdentifiableObject; import org.hisp.dhis.common.GenericStore; @@ -46,7 +47,6 @@ import org.hisp.dhis.hibernate.exception.ReadAccessDeniedException; import org.hisp.dhis.hibernate.exception.UpdateAccessDeniedException; import org.hisp.dhis.interpretation.Interpretation; -import org.hisp.dhis.acl.AccessControlService; import org.hisp.dhis.acl.AccessStringHelper; import org.hisp.dhis.user.CurrentUserService; import org.hisp.dhis.user.UserGroupAccess; @@ -85,7 +85,7 @@ protected CurrentUserService currentUserService; @Autowired - protected AccessControlService accessControlService; + protected AclService aclService; protected Class clazz; @@ -227,7 +227,7 @@ @Override public int save( T object ) { - if ( !Interpretation.class.isAssignableFrom( clazz ) && currentUserService.getCurrentUser() != null && accessControlService.isSupported( clazz ) ) + if ( !Interpretation.class.isAssignableFrom( clazz ) && currentUserService.getCurrentUser() != null && aclService.isSupported( clazz ) ) { BaseIdentifiableObject identifiableObject = (BaseIdentifiableObject) object; @@ -240,9 +240,9 @@ identifiableObject.setUser( currentUserService.getCurrentUser() ); } - if ( accessControlService.canCreatePublic( currentUserService.getCurrentUser(), identifiableObject.getClass() ) ) + if ( aclService.canCreatePublic( currentUserService.getCurrentUser(), identifiableObject.getClass() ) ) { - if ( accessControlService.defaultPublic( identifiableObject.getClass() ) ) + if ( aclService.defaultPublic( identifiableObject.getClass() ) ) { String build = AccessStringHelper.newInstance() .enable( AccessStringHelper.Permission.READ ) @@ -257,7 +257,7 @@ identifiableObject.setPublicAccess( build ); } } - else if ( accessControlService.canCreatePrivate( currentUserService.getCurrentUser(), identifiableObject.getClass() ) ) + else if ( aclService.canCreatePrivate( currentUserService.getCurrentUser(), identifiableObject.getClass() ) ) { identifiableObject.setPublicAccess( AccessStringHelper.newInstance().build() ); } @@ -400,8 +400,8 @@ protected boolean sharingEnabled() { - boolean enabled = forceAcl() || (accessControlService.isSupported( clazz ) && !(currentUserService.getCurrentUser() == null || - CollectionUtils.containsAny( currentUserService.getCurrentUser().getUserCredentials().getAllAuthorities(), AccessControlService.SHARING_OVERRIDE_AUTHORITIES ))); + boolean enabled = forceAcl() || (aclService.isSupported( clazz ) && !(currentUserService.getCurrentUser() == null || + CollectionUtils.containsAny( currentUserService.getCurrentUser().getUserCredentials().getAllAuthorities(), AclService.SHARING_OVERRIDE_AUTHORITIES ))); return enabled; } @@ -414,7 +414,7 @@ if ( sharingEnabled() ) { - return accessControlService.canRead( currentUserService.getCurrentUser(), idObject ); + return aclService.canRead( currentUserService.getCurrentUser(), idObject ); } } @@ -429,7 +429,7 @@ if ( sharingEnabled() ) { - return accessControlService.canWrite( currentUserService.getCurrentUser(), idObject ); + return aclService.canWrite( currentUserService.getCurrentUser(), idObject ); } } @@ -442,9 +442,9 @@ { IdentifiableObject idObject = (IdentifiableObject) object; - if ( accessControlService.isSupported( clazz ) ) + if ( aclService.isSupported( clazz ) ) { - return accessControlService.canUpdate( currentUserService.getCurrentUser(), idObject ); + return aclService.canUpdate( currentUserService.getCurrentUser(), idObject ); } } @@ -457,9 +457,9 @@ { IdentifiableObject idObject = (IdentifiableObject) object; - if ( accessControlService.isSupported( clazz ) ) + if ( aclService.isSupported( clazz ) ) { - return accessControlService.canDelete( currentUserService.getCurrentUser(), idObject ); + return aclService.canDelete( currentUserService.getCurrentUser(), idObject ); } } === modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/AbstractCrudController.java' --- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/AbstractCrudController.java 2014-03-27 04:44:41 +0000 +++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/AbstractCrudController.java 2014-03-27 06:07:15 +0000 @@ -38,6 +38,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.hisp.dhis.acl.AclService; import org.hisp.dhis.api.controller.exception.NotFoundException; import org.hisp.dhis.api.utils.WebUtils; import org.hisp.dhis.common.BaseIdentifiableObject; @@ -52,7 +53,6 @@ import org.hisp.dhis.schema.Schema; import org.hisp.dhis.schema.SchemaService; import org.hisp.dhis.acl.Access; -import org.hisp.dhis.acl.AccessControlService; import org.hisp.dhis.system.util.ReflectionUtils; import org.hisp.dhis.user.CurrentUserService; import org.springframework.beans.factory.annotation.Autowired; @@ -89,7 +89,7 @@ protected FilterService filterService; @Autowired - protected AccessControlService accessControlService; + protected AclService aclService; @Autowired protected SchemaService schemaService; @@ -233,7 +233,7 @@ WebUtils.generateLinks( entity ); } - if ( accessControlService.isSupported( getEntityClass() ) ) + if ( aclService.isSupported( getEntityClass() ) ) { addAccessProperties( entity ); } @@ -372,12 +372,12 @@ protected void addAccessProperties( T object ) { Access access = new Access(); - access.setManage( accessControlService.canManage( currentUserService.getCurrentUser(), object ) ); - access.setExternalize( accessControlService.canExternalize( currentUserService.getCurrentUser(), object.getClass() ) ); - access.setWrite( accessControlService.canWrite( currentUserService.getCurrentUser(), object ) ); - access.setRead( accessControlService.canRead( currentUserService.getCurrentUser(), object ) ); - access.setUpdate( accessControlService.canUpdate( currentUserService.getCurrentUser(), object ) ); - access.setDelete( accessControlService.canDelete( currentUserService.getCurrentUser(), object ) ); + access.setManage( aclService.canManage( currentUserService.getCurrentUser(), object ) ); + access.setExternalize( aclService.canExternalize( currentUserService.getCurrentUser(), object.getClass() ) ); + access.setWrite( aclService.canWrite( currentUserService.getCurrentUser(), object ) ); + access.setRead( aclService.canRead( currentUserService.getCurrentUser(), object ) ); + access.setUpdate( aclService.canUpdate( currentUserService.getCurrentUser(), object ) ); + access.setDelete( aclService.canDelete( currentUserService.getCurrentUser(), object ) ); ((BaseIdentifiableObject) object).setAccess( access ); } @@ -394,7 +394,7 @@ return; } - if ( entityList != null && accessControlService.isSupported( getEntityClass() ) ) + if ( entityList != null && aclService.isSupported( getEntityClass() ) ) { for ( T object : entityList ) { === modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/SharingController.java' --- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/SharingController.java 2014-03-27 04:44:41 +0000 +++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/SharingController.java 2014-03-27 06:07:15 +0000 @@ -30,6 +30,7 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.hisp.dhis.acl.AclService; import org.hisp.dhis.api.utils.ContextUtils; import org.hisp.dhis.api.webdomain.sharing.Sharing; import org.hisp.dhis.api.webdomain.sharing.SharingUserGroupAccess; @@ -38,7 +39,6 @@ import org.hisp.dhis.common.IdentifiableObject; import org.hisp.dhis.common.IdentifiableObjectManager; import org.hisp.dhis.dxf2.utils.JacksonUtils; -import org.hisp.dhis.acl.AccessControlService; import org.hisp.dhis.acl.AccessStringHelper; import org.hisp.dhis.user.CurrentUserService; import org.hisp.dhis.user.UserGroup; @@ -81,18 +81,18 @@ private UserGroupAccessService userGroupAccessService; @Autowired - private AccessControlService accessControlService; + private AclService aclService; @RequestMapping( value = "", produces = { "application/json", "text/*" } ) public void getSharing( @RequestParam String type, @RequestParam String id, HttpServletResponse response ) throws IOException { - if ( !accessControlService.isSupported( type ) ) + if ( !aclService.isShareable( type ) ) { ContextUtils.notFoundResponse( response, "Type " + type + " is not supported." ); return; } - Class klass = accessControlService.classForType( type ); + Class klass = aclService.classForType( type ); IdentifiableObject object = manager.get( klass, id ); if ( object == null ) @@ -101,15 +101,15 @@ return; } - if ( !accessControlService.canManage( currentUserService.getCurrentUser(), object ) ) + if ( !aclService.canManage( currentUserService.getCurrentUser(), object ) ) { throw new AccessDeniedException( "You do not have manage access to this object." ); } Sharing sharing = new Sharing(); - sharing.getMeta().setAllowPublicAccess( accessControlService.canCreatePublic( currentUserService.getCurrentUser(), object.getClass() ) ); - sharing.getMeta().setAllowExternalAccess( accessControlService.canExternalize( currentUserService.getCurrentUser(), object.getClass() ) ); + sharing.getMeta().setAllowPublicAccess( aclService.canCreatePublic( currentUserService.getCurrentUser(), object.getClass() ) ); + sharing.getMeta().setAllowExternalAccess( aclService.canExternalize( currentUserService.getCurrentUser(), object.getClass() ) ); sharing.getObject().setId( object.getUid() ); sharing.getObject().setName( object.getDisplayName() ); @@ -119,7 +119,7 @@ { String access; - if ( accessControlService.canCreatePublic( currentUserService.getCurrentUser(), klass ) ) + if ( aclService.canCreatePublic( currentUserService.getCurrentUser(), klass ) ) { access = AccessStringHelper.newInstance().enable( AccessStringHelper.Permission.READ ).enable( AccessStringHelper.Permission.WRITE ).build(); } @@ -157,7 +157,7 @@ @RequestMapping( value = "", method = { RequestMethod.POST, RequestMethod.PUT }, consumes = "application/json" ) public void setSharing( @RequestParam String type, @RequestParam String id, HttpServletResponse response, HttpServletRequest request ) throws IOException { - BaseIdentifiableObject object = (BaseIdentifiableObject) manager.get( accessControlService.classForType( type ), id ); + BaseIdentifiableObject object = (BaseIdentifiableObject) manager.get( aclService.classForType( type ), id ); if ( object == null ) { @@ -165,7 +165,7 @@ return; } - if ( !accessControlService.canManage( currentUserService.getCurrentUser(), object ) ) + if ( !aclService.canManage( currentUserService.getCurrentUser(), object ) ) { throw new AccessDeniedException( "You do not have manage access to this object." ); } @@ -173,13 +173,13 @@ Sharing sharing = JacksonUtils.fromJson( request.getInputStream(), Sharing.class ); // Ignore externalAccess if user is not allowed to make objects external - if ( accessControlService.canExternalize( currentUserService.getCurrentUser(), object.getClass() ) ) + if ( aclService.canExternalize( currentUserService.getCurrentUser(), object.getClass() ) ) { object.setExternalAccess( sharing.getObject().hasExternalAccess() ); } // Ignore publicAccess if user is not allowed to make objects public - if ( accessControlService.canCreatePublic( currentUserService.getCurrentUser(), object.getClass() ) ) + if ( aclService.canCreatePublic( currentUserService.getCurrentUser(), object.getClass() ) ) { object.setPublicAccess( sharing.getObject().getPublicAccess() ); } === modified file 'dhis-2/dhis-web/dhis-web-dataentry/src/main/java/org/hisp/dhis/de/action/GetMetaDataAction.java' --- dhis-2/dhis-web/dhis-web-dataentry/src/main/java/org/hisp/dhis/de/action/GetMetaDataAction.java 2014-03-27 04:44:41 +0000 +++ dhis-2/dhis-web/dhis-web-dataentry/src/main/java/org/hisp/dhis/de/action/GetMetaDataAction.java 2014-03-27 06:07:15 +0000 @@ -29,6 +29,7 @@ */ import com.opensymphony.xwork2.Action; +import org.hisp.dhis.acl.AclService; import org.hisp.dhis.common.ListMap; import org.hisp.dhis.common.comparator.IdentifiableObjectNameComparator; import org.hisp.dhis.dataelement.DataElement; @@ -44,7 +45,6 @@ import org.hisp.dhis.indicator.IndicatorService; import org.hisp.dhis.organisationunit.OrganisationUnitDataSetAssociationSet; import org.hisp.dhis.organisationunit.OrganisationUnitService; -import org.hisp.dhis.acl.AccessControlService; import org.hisp.dhis.user.CurrentUserService; import org.hisp.dhis.user.User; import org.springframework.beans.factory.annotation.Autowired; @@ -117,7 +117,7 @@ } @Autowired - protected AccessControlService accessControlService; + protected AclService aclService; // ------------------------------------------------------------------------- // Output @@ -272,7 +272,7 @@ { for ( DataElementCategoryOption categoryOption : category.getCategoryOptions() ) { - if ( accessControlService.canRead( user, categoryOption ) ) + if ( aclService.canRead( user, categoryOption ) ) { categoryOptionMap.putValue( category.getUid(), categoryOption ); }