protected void checkDeletePrivileges(User user, String workspaceId) { if (user != null && user.getUserType() == UserType.SYSTEM) { return; } if (user == null) { throw new VisalloAccessDeniedException("You must provide a valid user to perform this action", null, null); } if (workspaceId == null) { throw new VisalloAccessDeniedException("User does not have access to delete published ontology items", user, null); } else if (!getPrivilegeRepository().hasPrivilege(user, Privilege.ADMIN)) { throw new VisalloAccessDeniedException("User does not have admin privilege", user, null); } }
public VisalloAccessDeniedException(String message, User user, Object resourceId) { super(message); this.user = user; this.resourceId = resourceId; try { AuditService auditService = getAuditService(); auditService.auditAccessDenied(message, user, resourceId); } catch (Exception ex) { LOGGER.error( "failed to audit access denied \"%s\" (userId: %s, resourceId: %s)", message, user == null ? "unknown" : user.getUserId(), resourceId, ex ); } }
private void handleAccessDenied(HttpServletResponse response, VisalloAccessDeniedException accessDenied) throws IOException { response.sendError(HttpServletResponse.SC_FORBIDDEN, accessDenied.getMessage()); }
try { if (!workspaceRepository.hasReadPermissions(workspaceId, user)) { throw new VisalloAccessDeniedException( "You do not have access to workspace: " + workspaceId, user, throw new VisalloAccessDeniedException( "Error getting access to requested workspace: " + workspaceId, user,
public String getWorkspaceIdOrNullIfPublish( String workspaceId, boolean shouldPublish, User user ) { if (shouldPublish) { if (privilegeRepository.hasPrivilege(user, Privilege.PUBLISH)) { workspaceId = null; } else { throw new VisalloAccessDeniedException( "The publish parameter was sent in the request, but the user does not have publish privilege.", user, "publish" ); } } else if (workspaceId == null) { throw new VisalloException("workspaceId parameter required"); } return workspaceId; }
@Override public void deleteSearch(final String id, User user) { checkNotNull(user, "User is required"); Authorizations authorizations = authorizationRepository.getGraphAuthorizations( user, VISIBILITY_STRING, UserRepository.VISIBILITY_STRING ); Vertex searchVertex = graph.getVertex(id, authorizations); checkNotNull(searchVertex, "Could not find search with id " + id); if (isSearchGlobal(id, authorizations)) { if (!privilegeRepository.hasPrivilege(user, Privilege.SEARCH_SAVE_GLOBAL)) { throw new VisalloAccessDeniedException( "User does not have the privilege to delete a global search", user, id); } } else if (!isSearchPrivateToUser(id, user, authorizations)) { throw new VisalloAccessDeniedException("User does not own this this search", user, id); } graph.deleteVertex(searchVertex, authorizations); graph.flush(); }
protected void checkPrivileges(User user, String workspaceId) { if (user != null && user.getUserType() == UserType.SYSTEM) { return; } if (user == null) { throw new VisalloAccessDeniedException("You must provide a valid user to perform this action", null, null); } if (isPublic(workspaceId)) { if (!getPrivilegeRepository().hasPrivilege(user, Privilege.ONTOLOGY_PUBLISH)) { throw new VisalloAccessDeniedException("User does not have ONTOLOGY_PUBLISH privilege", user, null); } } else { List<WorkspaceUser> users = getWorkspaceRepository().findUsersWithAccess(workspaceId, user); boolean access = users.stream() .anyMatch(workspaceUser -> workspaceUser.getUserId().equals(user.getUserId()) && workspaceUser.getWorkspaceAccess().equals(WorkspaceAccess.WRITE)); if (!access) { throw new VisalloAccessDeniedException("User does not have access to workspace", user, null); } if (!getPrivilegeRepository().hasPrivilege(user, Privilege.ONTOLOGY_ADD)) { throw new VisalloAccessDeniedException("User does not have ONTOLOGY_ADD privilege", user, null); } } }
@Override public void handle(HttpServletRequest request, HttpServletResponse response, HandlerChain chain) throws Exception { User user = VisalloBaseParameterProvider.getUser(request, userRepository); if (!privilegeRepository.hasAllPrivileges(user, requiredPrivileges)) { throw new VisalloAccessDeniedException( "You do not have the required privileges: " + Privilege.toString(requiredPrivileges), user, "privileges" ); } chain.next(request, response); } }
private void checkCanDeleteProperty( Element element, OntologyElement ontologyElement, String propertyKey, String propertyName, Ontology ontology, Set<String> privileges, User user, String workspaceId ) throws VisalloAccessDeniedException { boolean canDelete = internalCanDeleteProperty(element, ontologyElement, propertyKey, propertyName, ontology, privileges, user, workspaceId); if (!canDelete) { throw new VisalloAccessDeniedException(propertyName + " cannot be deleted due to ACL restriction", user, element.getId()); } }
@Override public Iterable<Workspace> findAll(User user) { if (!user.equals(userRepository.getSystemUser())) { throw new VisalloAccessDeniedException("Only system user can access all workspaces", user, null); } Authorizations authorizations = getAuthorizationRepository().getGraphAuthorizations( user, VISIBILITY_STRING, UserRepository.VISIBILITY_STRING ); QueryResultsIterable<Vertex> workspaceVertices = getGraph().query(authorizations) .has(VisalloProperties.CONCEPT_TYPE.getPropertyName(), Compare.EQUAL, WORKSPACE_CONCEPT_IRI) .vertices(); return stream(workspaceVertices) .map((Vertex workspaceVertex) -> { String cacheKey = getUserWorkspaceVertexCacheKey(workspaceVertex.getId(), user); userWorkspaceVertexCache.put(cacheKey, workspaceVertex); return new VertexiumWorkspace(workspaceVertex); }) .collect(Collectors.toList()); }
private void checkCanDeleteProperty( ClientApiElement clientApiElement, OntologyElement ontologyElement, String propertyKey, String propertyName, Ontology ontology, Set<String> privileges, User user, String workspaceId ) throws VisalloAccessDeniedException { boolean canDelete = internalCanDeleteProperty(clientApiElement, ontologyElement, propertyKey, propertyName, ontology, privileges, user, workspaceId); if (!canDelete) { throw new VisalloAccessDeniedException( propertyName + " cannot be deleted due to ACL restriction", user, clientApiElement.getId()); } }
@Handle public JSONObject handle( @Required(name = "user-name") String userName, @Required(name = "auth") String auth, User authUser ) throws Exception { User user = userRepository.findByUsername(userName); if (user == null) { throw new VisalloResourceNotFoundException("User " + userName + " not found"); } if (!(authorizationRepository instanceof UpdatableAuthorizationRepository)) { throw new VisalloAccessDeniedException("Authorization repository does not support updating", authUser, userName); } for (String authStr : auth.split(SEPARATOR)) { ((UpdatableAuthorizationRepository) authorizationRepository).addAuthorization(user, authStr, authUser); } return userRepository.toJsonWithAuths(user); } }
@Handle public ClientApiSuccess handle( @Required(name = "notificationIds[]") String[] notificationIds, User user ) throws Exception { for (String notificationId : notificationIds) { UserNotification notification = userNotificationRepository.getNotification(notificationId, user); if (notification == null) { throw new VisalloResourceNotFoundException("Could not find notification with id: " + notificationId); } if (!notification.getUserId().equals(user.getUserId())) { throw new VisalloAccessDeniedException( "Cannot mark notification read that do not belong to you", user, notificationId ); } } userNotificationRepository.markRead(notificationIds, user); return VisalloResponse.SUCCESS; } }
@Override public Collection<Dashboard> findAllDashboardsForWorkspace(final String workspaceId, User user) { LOGGER.debug("findAllDashboardsForWorkspace(workspaceId: %s, userId: %s)", workspaceId, user.getUserId()); final Authorizations authorizations = getAuthorizationRepository().getGraphAuthorizations( user, VISIBILITY_STRING, workspaceId ); final Vertex workspaceVertex = getVertex(workspaceId, user); if (workspaceVertex == null) { return null; } if (!hasReadPermissions(workspaceId, user)) { throw new VisalloAccessDeniedException( "user " + user.getUserId() + " does not have read access to workspace " + workspaceId, user, workspaceId ); } Iterable<Vertex> dashboardVertices = workspaceVertex.getVertices( Direction.OUT, WorkspaceProperties.WORKSPACE_TO_DASHBOARD_RELATIONSHIP_IRI, authorizations ); return stream(dashboardVertices) .map(dashboardVertex -> dashboardVertexToDashboard(workspaceId, dashboardVertex, authorizations)) .collect(Collectors.toList()); }
@Override public Collection<Product> findAllProductsForWorkspace(String workspaceId, User user) { LOGGER.debug("findAllProductsForWorkspace(workspaceId: %s, userId: %s)", workspaceId, user.getUserId()); final Authorizations authorizations = getAuthorizationRepository().getGraphAuthorizations( user, VISIBILITY_STRING, workspaceId ); final Vertex workspaceVertex = getVertex(workspaceId, user); if (workspaceVertex == null) { return null; } if (!hasReadPermissions(workspaceId, user)) { throw new VisalloAccessDeniedException( "user " + user.getUserId() + " does not have read access to workspace " + workspaceId, user, workspaceId ); } Iterable<Vertex> productVertices = workspaceVertex.getVertices( Direction.OUT, WorkspaceProperties.WORKSPACE_TO_PRODUCT_RELATIONSHIP_IRI, authorizations ); return stream(productVertices) .map(productVertex -> productVertexToProduct(workspaceId, productVertex, false, null, authorizations, user)) .collect(Collectors.toList()); }
throw new VisalloAccessDeniedException( message, user, throw new VisalloAccessDeniedException( "user " + user.getUserId() + " does not have read access to workspace " + workspaceId, user,
@Handle public JSONObject handle( @Required(name = "user-name") String userName, @Required(name = "auth") String auth, User authUser ) throws Exception { User user = userRepository.findByUsername(userName); if (user == null) { throw new VisalloResourceNotFoundException("Could not find user: " + userName); } if (!(authorizationRepository instanceof UpdatableAuthorizationRepository)) { throw new VisalloAccessDeniedException("Authorization repository does not support updating", authUser, userName); } ((UpdatableAuthorizationRepository) authorizationRepository).removeAuthorization(user, auth, authUser); return userRepository.toJsonWithAuths(user); } }
private void checkCanAddOrUpdateProperty( ClientApiElement clientApiElement, OntologyElement ontologyElement, Ontology ontology, String propertyKey, String propertyName, User user, String workspaceId ) throws VisalloAccessDeniedException { Set<String> privileges = privilegeRepository.getPrivileges(user); boolean isUpdate = clientApiElement.getProperty(propertyKey, propertyName) != null; boolean canAddOrUpdate = isUpdate ? internalCanUpdateProperty(clientApiElement, ontologyElement, propertyKey, propertyName, ontology, privileges, user, workspaceId) : internalCanAddProperty(clientApiElement, ontologyElement, propertyKey, propertyName, ontology, privileges, user, workspaceId); if (!canAddOrUpdate) { throw new VisalloAccessDeniedException( propertyName + " cannot be added or updated due to ACL restriction", user, clientApiElement.getId()); } }
@Override public List<WorkspaceEntity> findEntities(final Workspace workspace, final boolean fetchVertices, final User user) { if (!hasReadPermissions(workspace.getWorkspaceId(), user)) { throw new VisalloAccessDeniedException( "user " + user.getUserId() + " does not have read access to workspace " + workspace.getWorkspaceId(), user, workspace.getWorkspaceId() ); } return lockRepository.lock( getLockName(workspace), () -> findEntitiesNoLock(workspace, false, fetchVertices, user) ); }
private void checkCanAddOrUpdateProperty( Element element, OntologyElement ontologyElement, String propertyKey, String propertyName, Ontology ontology, Set<String> privileges, User user, String workspaceId ) throws VisalloAccessDeniedException { boolean isUpdate = element.getProperty(propertyKey, propertyName) != null; boolean canAddOrUpdate = isUpdate ? internalCanUpdateProperty(element, ontologyElement, propertyKey, propertyName, ontology, privileges, user, workspaceId) : internalCanAddProperty(element, ontologyElement, propertyKey, propertyName, ontology, privileges, user, workspaceId); if (!canAddOrUpdate) { throw new VisalloAccessDeniedException( propertyName + " cannot be added or updated due to ACL restriction", user, element.getId()); } }