private boolean hasEditOrCommentPrivilege(Set<String> privileges, String propertyName) { return hasPrivilege(privileges, Privilege.EDIT) || (isComment(propertyName) && hasPrivilege(privileges, Privilege.COMMENT)); }
private void appendACL(Collection<? extends ClientApiObject> clientApiObject, Ontology ontology, User user, String workspaceId) { Set<String> privileges = privilegeRepository.getPrivileges(user); for (ClientApiObject apiObject : clientApiObject) { appendACL(apiObject, ontology, privileges, user, workspaceId); } }
@Override public void handle(HttpServletRequest request, HttpServletResponse response, HandlerChain chain) throws Exception { User user = VisalloBaseParameterProvider.getUser(request, userRepository); if (!privilegeRepository.hasAllPrivileges(user, requiredPrivileges)) { throw new VisalloAccessDeniedException( "You do not have the required privileges: " + Privilege.toString(requiredPrivileges), user, "privileges" ); } chain.next(request, response); } }
Set<String> allPrivileges = privilegeRepository.getAllPrivileges().stream() .map(Privilege::getName) .collect(Collectors.toSet());
@Override public void updateUser(User user, AuthorizationContext authorizationContext) { Vertex userVertex = findByIdUserVertex(user.getUserId()); ExistingElementMutation<Vertex> m = userVertex.prepareMutation(); Date currentLoginDate = UserVisalloProperties.CURRENT_LOGIN_DATE.getPropertyValue(userVertex); if (currentLoginDate != null) { UserVisalloProperties.PREVIOUS_LOGIN_DATE.setProperty(m, currentLoginDate, VISIBILITY.getVisibility()); } String currentLoginRemoteAddr = UserVisalloProperties.CURRENT_LOGIN_REMOTE_ADDR.getPropertyValue(userVertex); if (currentLoginRemoteAddr != null) { UserVisalloProperties.PREVIOUS_LOGIN_REMOTE_ADDR.setProperty( m, currentLoginRemoteAddr, VISIBILITY.getVisibility() ); } UserVisalloProperties.CURRENT_LOGIN_DATE.setProperty(m, new Date(), VISIBILITY.getVisibility()); UserVisalloProperties.CURRENT_LOGIN_REMOTE_ADDR.setProperty( m, authorizationContext.getRemoteAddr(), VISIBILITY.getVisibility() ); int loginCount = UserVisalloProperties.LOGIN_COUNT.getPropertyValue(userVertex, 0); UserVisalloProperties.LOGIN_COUNT.setProperty(m, loginCount + 1, VISIBILITY.getVisibility()); m.save(authorizations); graph.flush(); getPrivilegeRepository().updateUser(user, authorizationContext); getAuthorizationRepository().updateUser(user, authorizationContext); fireUserLoginEvent(user, authorizationContext); }
public boolean hasPrivilege(User user, String privilege) { Set<String> privileges = getPrivileges(user); return PrivilegeRepository.hasPrivilege(privileges, privilege); }
public JSONObject toJsonWithAuths(User user) { JSONObject json = toJson(user); JSONArray authorizations = new JSONArray(); for (String a : authorizationRepository.getAuthorizations(user)) { authorizations.put(a); } json.put("authorizations", authorizations); json.put("uiPreferences", user.getUiPreferences()); Set<String> privileges = privilegeRepository.getPrivileges(user); json.put("privileges", Privilege.toJson(privileges)); return json; }
private boolean internalCanDeleteElement(ClientApiElement clientApiElement, OntologyElement ontologyElement, Ontology ontology, Set<String> privileges, User user, String workspaceId) { return hasPrivilege(privileges, Privilege.EDIT) && canDeleteElement(clientApiElement, ontologyElement, ontology, user, workspaceId); }
public final ClientApiObject appendACL(ClientApiObject clientApiObject, User user, String workspaceId) { if (user == null) { return clientApiObject; } Set<String> privileges = privilegeRepository.getPrivileges(user); Ontology ontology = ontologyRepository.getOntology(workspaceId); return appendACL(clientApiObject, ontology, privileges, user, workspaceId); }
private boolean internalCanUpdateElement(ClientApiElement clientApiElement, OntologyElement ontologyElement, Ontology ontology, Set<String> privileges, User user, String workspaceId) { return hasPrivilege(privileges, Privilege.EDIT) && canUpdateElement(clientApiElement, ontologyElement, ontology, user, workspaceId); }
private void checkCanDeleteProperty( ClientApiElement clientApiElement, OntologyElement ontologyElement, String propertyKey, String propertyName, Ontology ontology, Set<String> privileges, User user, String workspaceId ) throws VisalloAccessDeniedException { boolean canDelete = internalCanDeleteProperty(clientApiElement, ontologyElement, propertyKey, propertyName, ontology, privileges, user, workspaceId); if (!canDelete) { throw new VisalloAccessDeniedException( propertyName + " cannot be deleted due to ACL restriction", user, clientApiElement.getId()); } }
public String getWorkspaceIdOrNullIfPublish( String workspaceId, boolean shouldPublish, User user ) { if (shouldPublish) { if (privilegeRepository.hasPrivilege(user, Privilege.PUBLISH)) { workspaceId = null; } else { throw new VisalloAccessDeniedException( "The publish parameter was sent in the request, but the user does not have publish privilege.", user, "publish" ); } } else if (workspaceId == null) { throw new VisalloException("workspaceId parameter required"); } return workspaceId; }
private void checkCanDeleteProperty( Element element, OntologyElement ontologyElement, String propertyKey, String propertyName, Ontology ontology, Set<String> privileges, User user, String workspaceId ) throws VisalloAccessDeniedException { boolean canDelete = internalCanDeleteProperty(element, ontologyElement, propertyKey, propertyName, ontology, privileges, user, workspaceId); if (!canDelete) { throw new VisalloAccessDeniedException(propertyName + " cannot be deleted due to ACL restriction", user, element.getId()); } }
private boolean internalCanAddProperty( ClientApiElement clientApiElement, OntologyElement ontologyElement, String propertyKey, String propertyName, Ontology ontology, Set<String> privileges, User user, String workspaceId ) { boolean canAdd = hasEditOrCommentPrivilege(privileges, propertyName) && canAddProperty(clientApiElement, ontologyElement, propertyKey, propertyName, ontology, user, workspaceId); if (canAdd && isComment(propertyName)) { canAdd = hasPrivilege(privileges, Privilege.COMMENT); } return canAdd; }
/** * This is different from the non-private method in that it returns authorizations, * long running processes, etc for that user. */ public ClientApiUser toClientApiPrivate(User user) { ClientApiUser u = toClientApi(user); for (String a : authorizationRepository.getAuthorizations(user)) { u.addAuthorization(a); } for (JSONObject json : getLongRunningProcesses(user)) { u.getLongRunningProcesses().add(ClientApiConverter.toClientApiValue(json)); } u.setUiPreferences(JSONUtil.toJsonNode(user.getUiPreferences())); u.getProperties().putAll(user.getCustomProperties()); Set<String> privileges = privilegeRepository.getPrivileges(user); u.getPrivileges().addAll(privileges); return u; }
protected void checkDeletePrivileges(User user, String workspaceId) { if (user != null && user.getUserType() == UserType.SYSTEM) { return; } if (user == null) { throw new VisalloAccessDeniedException("You must provide a valid user to perform this action", null, null); } if (workspaceId == null) { throw new VisalloAccessDeniedException("User does not have access to delete published ontology items", user, null); } else if (!getPrivilegeRepository().hasPrivilege(user, Privilege.ADMIN)) { throw new VisalloAccessDeniedException("User does not have admin privilege", user, null); } }
private void checkCanAddOrUpdateProperty( ClientApiElement clientApiElement, OntologyElement ontologyElement, Ontology ontology, String propertyKey, String propertyName, User user, String workspaceId ) throws VisalloAccessDeniedException { Set<String> privileges = privilegeRepository.getPrivileges(user); boolean isUpdate = clientApiElement.getProperty(propertyKey, propertyName) != null; boolean canAddOrUpdate = isUpdate ? internalCanUpdateProperty(clientApiElement, ontologyElement, propertyKey, propertyName, ontology, privileges, user, workspaceId) : internalCanAddProperty(clientApiElement, ontologyElement, propertyKey, propertyName, ontology, privileges, user, workspaceId); if (!canAddOrUpdate) { throw new VisalloAccessDeniedException( propertyName + " cannot be added or updated due to ACL restriction", user, clientApiElement.getId()); } }
@Override public void deleteSearch(final String id, User user) { checkNotNull(user, "User is required"); Authorizations authorizations = authorizationRepository.getGraphAuthorizations( user, VISIBILITY_STRING, UserRepository.VISIBILITY_STRING ); Vertex searchVertex = graph.getVertex(id, authorizations); checkNotNull(searchVertex, "Could not find search with id " + id); if (isSearchGlobal(id, authorizations)) { if (!privilegeRepository.hasPrivilege(user, Privilege.SEARCH_SAVE_GLOBAL)) { throw new VisalloAccessDeniedException( "User does not have the privilege to delete a global search", user, id); } } else if (!isSearchPrivateToUser(id, user, authorizations)) { throw new VisalloAccessDeniedException("User does not own this this search", user, id); } graph.deleteVertex(searchVertex, authorizations); graph.flush(); }
private void checkCanAddOrUpdateProperty( Element element, OntologyElement ontologyElement, String propertyKey, String propertyName, Ontology ontology, Set<String> privileges, User user, String workspaceId ) throws VisalloAccessDeniedException { boolean isUpdate = element.getProperty(propertyKey, propertyName) != null; boolean canAddOrUpdate = isUpdate ? internalCanUpdateProperty(element, ontologyElement, propertyKey, propertyName, ontology, privileges, user, workspaceId) : internalCanAddProperty(element, ontologyElement, propertyKey, propertyName, ontology, privileges, user, workspaceId); if (!canAddOrUpdate) { throw new VisalloAccessDeniedException( propertyName + " cannot be added or updated due to ACL restriction", user, element.getId()); } }
protected void checkPrivileges(User user, String workspaceId) { if (user != null && user.getUserType() == UserType.SYSTEM) { return; } if (user == null) { throw new VisalloAccessDeniedException("You must provide a valid user to perform this action", null, null); } if (isPublic(workspaceId)) { if (!getPrivilegeRepository().hasPrivilege(user, Privilege.ONTOLOGY_PUBLISH)) { throw new VisalloAccessDeniedException("User does not have ONTOLOGY_PUBLISH privilege", user, null); } } else { List<WorkspaceUser> users = getWorkspaceRepository().findUsersWithAccess(workspaceId, user); boolean access = users.stream() .anyMatch(workspaceUser -> workspaceUser.getUserId().equals(user.getUserId()) && workspaceUser.getWorkspaceAccess().equals(WorkspaceAccess.WRITE)); if (!access) { throw new VisalloAccessDeniedException("User does not have access to workspace", user, null); } if (!getPrivilegeRepository().hasPrivilege(user, Privilege.ONTOLOGY_ADD)) { throw new VisalloAccessDeniedException("User does not have ONTOLOGY_ADD privilege", user, null); } } }