[Branch ~dhis2-devs-core/dhis2/trunk] Rev 14465: moved AccessControlService into its own package
------------------------------------------------------------
revno: 14465
committer: Morten Olav Hansen <mortenoh@xxxxxxxxx>
branch nick: dhis2
timestamp: Thu 2014-03-27 05:40:10 +0100
message:
moved AccessControlService into its own package
removed:
dhis-2/dhis-api/src/main/java/org/hisp/dhis/sharing/
dhis-2/dhis-api/src/main/java/org/hisp/dhis/sharing/Access.java
dhis-2/dhis-api/src/main/java/org/hisp/dhis/sharing/AccessControlService.java
dhis-2/dhis-api/src/main/java/org/hisp/dhis/sharing/AccessStringHelper.java
dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/sharing/
dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/sharing/DefaultAccessControlService.java
added:
dhis-2/dhis-api/src/main/java/org/hisp/dhis/accesscontrol/
dhis-2/dhis-api/src/main/java/org/hisp/dhis/accesscontrol/Access.java
dhis-2/dhis-api/src/main/java/org/hisp/dhis/accesscontrol/AccessControlService.java
dhis-2/dhis-api/src/main/java/org/hisp/dhis/accesscontrol/AccessStringHelper.java
dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/accesscontrol/
dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/accesscontrol/DefaultAccessControlService.java
modified:
dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/BaseIdentifiableObject.java
dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/IdentifiableObject.java
dhis-2/dhis-api/src/main/java/org/hisp/dhis/interpretation/Interpretation.java
dhis-2/dhis-api/src/test/java/org/hisp/dhis/common/AccessStringHelperTest.java
dhis-2/dhis-services/dhis-service-analytics/src/main/java/org/hisp/dhis/analytics/dimension/DefaultDimensionService.java
dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java
dhis-2/dhis-services/dhis-service-core/src/main/resources/META-INF/dhis/beans.xml
dhis-2/dhis-services/dhis-service-dxf2/src/main/java/org/hisp/dhis/dxf2/metadata/importers/DefaultIdentifiableObjectImporter.java
dhis-2/dhis-support/dhis-support-hibernate/src/main/java/org/hisp/dhis/hibernate/HibernateGenericStore.java
dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/AbstractCrudController.java
dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/SharingController.java
dhis-2/dhis-web/dhis-web-dataentry/src/main/java/org/hisp/dhis/de/action/GetMetaDataAction.java
--
lp:dhis2
https://code.launchpad.net/~dhis2-devs-core/dhis2/trunk
=== added directory 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/accesscontrol'
=== added file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/accesscontrol/Access.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/accesscontrol/Access.java 1970-01-01 00:00:00 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/accesscontrol/Access.java 2014-03-27 04:40:10 +0000
@@ -0,0 +1,129 @@
+package org.hisp.dhis.accesscontrol;
+
+/*
+ * Copyright (c) 2004-2014, University of Oslo
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * Neither the name of the HISP project nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlProperty;
+import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlRootElement;
+import org.hisp.dhis.common.DxfNamespaces;
+
+/**
+ * @author Morten Olav Hansen <mortenoh@xxxxxxxxx>
+ */
+@JacksonXmlRootElement( localName = "access", namespace = DxfNamespaces.DXF_2_0 )
+public class Access
+{
+ private boolean manage;
+
+ private boolean externalize;
+
+ private boolean write;
+
+ private boolean read;
+
+ private boolean update;
+
+ private boolean delete;
+
+ public Access()
+ {
+ }
+
+ @JsonProperty
+ @JacksonXmlProperty( localName = "manage", namespace = DxfNamespaces.DXF_2_0 )
+ public boolean isManage()
+ {
+ return manage;
+ }
+
+ public void setManage( boolean manage )
+ {
+ this.manage = manage;
+ }
+
+ @JsonProperty
+ @JacksonXmlProperty( localName = "externalize", namespace = DxfNamespaces.DXF_2_0 )
+ public boolean isExternalize()
+ {
+ return externalize;
+ }
+
+ public void setExternalize( boolean externalize )
+ {
+ this.externalize = externalize;
+ }
+
+ @JsonProperty
+ @JacksonXmlProperty( localName = "write", namespace = DxfNamespaces.DXF_2_0 )
+ public boolean isWrite()
+ {
+ return write;
+ }
+
+ public void setWrite( boolean write )
+ {
+ this.write = write;
+ }
+
+ @JsonProperty
+ @JacksonXmlProperty( localName = "read", namespace = DxfNamespaces.DXF_2_0 )
+ public boolean isRead()
+ {
+ return read;
+ }
+
+ public void setRead( boolean read )
+ {
+ this.read = read;
+ }
+
+ @JsonProperty
+ @JacksonXmlProperty( localName = "update", namespace = DxfNamespaces.DXF_2_0 )
+ public boolean isUpdate()
+ {
+ return update;
+ }
+
+ public void setUpdate( boolean update )
+ {
+ this.update = update;
+ }
+
+ @JsonProperty
+ @JacksonXmlProperty( localName = "delete", namespace = DxfNamespaces.DXF_2_0 )
+ public boolean isDelete()
+ {
+ return delete;
+ }
+
+ public void setDelete( boolean delete )
+ {
+ this.delete = delete;
+ }
+}
=== added file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/accesscontrol/AccessControlService.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/accesscontrol/AccessControlService.java 1970-01-01 00:00:00 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/accesscontrol/AccessControlService.java 2014-03-27 04:40:10 +0000
@@ -0,0 +1,150 @@
+package org.hisp.dhis.accesscontrol;
+
+/*
+ * Copyright (c) 2004-2014, University of Oslo
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * Neither the name of the HISP project nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+import org.hisp.dhis.common.IdentifiableObject;
+import org.hisp.dhis.user.User;
+
+import java.util.Arrays;
+import java.util.List;
+
+/**
+ * @author Morten Olav Hansen <mortenoh@xxxxxxxxx>
+ */
+public interface AccessControlService
+{
+ public static final List<String> SHARING_OVERRIDE_AUTHORITIES = Arrays.asList( "ALL", "F_METADATA_IMPORT" );
+
+ boolean isSupported( String type );
+
+ boolean isSupported( Class<?> klass );
+
+ /**
+ * Can user write to this object (create)
+ * <p/>
+ * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
+ * 2. Is the user for the object null?
+ * 3. Is the user of the object equal to current user?
+ * 4. Is the object public write?
+ * 5. Does any of the userGroupAccesses contain public write and the current user is in that group
+ *
+ * @param user User to check against
+ * @param object Object to check
+ * @return Result of test
+ */
+ boolean canWrite( User user, IdentifiableObject object );
+
+ /**
+ * Can user read this object
+ * <p/>
+ * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
+ * 2. Is the user for the object null?
+ * 3. Is the user of the object equal to current user?
+ * 4. Is the object public read?
+ * 5. Does any of the userGroupAccesses contain public read and the current user is in that group
+ *
+ * @param user User to check against
+ * @param object Object to check
+ * @return Result of test
+ */
+ boolean canRead( User user, IdentifiableObject object );
+
+ /**
+ * Can user update this object
+ * <p/>
+ * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
+ * 2. Can user write to this object?
+ *
+ * @param user User to check against
+ * @param object Object to check
+ * @return Result of test
+ */
+ boolean canUpdate( User user, IdentifiableObject object );
+
+ /**
+ * Can user delete this object
+ * <p/>
+ * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
+ * 2. Can user write to this object?
+ *
+ * @param user User to check against
+ * @param object Object to check
+ * @return Result of test
+ */
+ boolean canDelete( User user, IdentifiableObject object );
+
+ /**
+ * Can user manage (make public) this object
+ * <p/>
+ * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
+ * 2. Can user write to this object?
+ *
+ * @param user User to check against
+ * @param object Object to check
+ * @return Result of test
+ */
+ boolean canManage( User user, IdentifiableObject object );
+
+ /**
+ * Checks if a user can create a public instance of a certain object.
+ * <p/>
+ * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
+ * 2. Does user have the authority to create public instances of that object
+ *
+ * @param user User to check against
+ * @param klass Class to check
+ * @return Result of test
+ */
+ <T extends IdentifiableObject> boolean canCreatePublic( User user, Class<T> klass );
+
+ /**
+ * Checks if a user can create a private instance of a certain object.
+ * <p/>
+ * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
+ * 2. Does user have the authority to create private instances of that object
+ *
+ * @param user User to check against
+ * @param klass Class to check
+ * @return Result of test
+ */
+ <T extends IdentifiableObject> boolean canCreatePrivate( User user, Class<T> klass );
+
+ /**
+ * Can user make this object external? (read with no login)
+ *
+ * @param user User to check against
+ * @param klass Type to check
+ * @return Result of test
+ */
+ <T extends IdentifiableObject> boolean canExternalize( User user, Class<T> klass );
+
+ <T extends IdentifiableObject> boolean defaultPublic( Class<T> klass );
+
+ Class<? extends IdentifiableObject> classForType( String type );
+}
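Review bot: `SHARING_OVERRIDE_AUTHORITIES` is built with `Arrays.asList`, which returns a fixed-size but still writable list, so any code that can see this interface can call `set()` on it and change which authorities bypass the sharing checks for the whole JVM. The Javadoc on canWrite, canRead and the other checks lists this override as the first test, so the constant should be immutable: `List<String> SHARING_OVERRIDE_AUTHORITIES = Collections.unmodifiableList( Arrays.asList( "ALL", "F_METADATA_IMPORT" ) );`, with `java.util.Collections` added to the imports. The Javadoc also names it `SHARING_OVERRIDE_AUTHORITY` (singular), which does not match the constant, and `canExternalize` does not say whether the override applies to it.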
=== added file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/accesscontrol/AccessStringHelper.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/accesscontrol/AccessStringHelper.java 1970-01-01 00:00:00 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/accesscontrol/AccessStringHelper.java 2014-03-27 04:40:10 +0000
@@ -0,0 +1,129 @@
+package org.hisp.dhis.accesscontrol;
+
+/*
+ * Copyright (c) 2004-2014, University of Oslo
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * Neither the name of the HISP project nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * Currently only the two first positions in the access string are used - rw.
+ *
+ * @author Morten Olav Hansen <mortenoh@xxxxxxxxx>
+ */
+public class AccessStringHelper
+{
+ public static final String DEFAULT_ACCESS = "--------";
+
+ public static enum Permission
+ {
+ READ( 'r', 0 ), WRITE( 'w', 1 );
+
+ private char value;
+
+ private int position;
+
+ private Permission( char value, int position )
+ {
+ this.value = value;
+ this.position = position;
+ }
+
+ public char getValue()
+ {
+ return value;
+ }
+
+ public int getPosition()
+ {
+ return position;
+ }
+ }
+
+ private char[] access = DEFAULT_ACCESS.toCharArray();
+
+ public AccessStringHelper()
+ {
+ }
+
+ public AccessStringHelper( char[] access )
+ {
+ this.access = access;
+ }
+
+ public AccessStringHelper( String access )
+ {
+ this.access = access.toCharArray();
+ }
+
+ public static AccessStringHelper newInstance()
+ {
+ return new AccessStringHelper();
+ }
+
+ public static AccessStringHelper newInstance( char[] access )
+ {
+ return new AccessStringHelper( access );
+ }
+
+ public AccessStringHelper enable( Permission permission )
+ {
+ access[permission.getPosition()] = permission.getValue();
+
+ return this;
+ }
+
+ public AccessStringHelper disable( Permission permission )
+ {
+ access[permission.getPosition()] = '-';
+
+ return this;
+ }
+
+ public String build()
+ {
+ return new String( access );
+ }
+
+ public String toString()
+ {
+ return build();
+ }
+
+ public static boolean canRead( String access )
+ {
+ return isEnabled( access, Permission.READ );
+ }
+
+ public static boolean canWrite( String access )
+ {
+ return isEnabled( access, Permission.WRITE );
+ }
+
+ public static boolean isEnabled( String access, Permission permission )
+ {
+ return access != null && access.charAt( permission.getPosition() ) == permission.getValue();
+ }
+}
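Review bot: `isEnabled` guards only against a null access string, so an empty or one-character value reaches `charAt` and throws `StringIndexOutOfBoundsException` instead of answering "not permitted". A permission check is safer when it fails closed on malformed input, for example `return access != null && access.length() > permission.getPosition() && access.charAt( permission.getPosition() ) == permission.getValue();`. Separately, the `AccessStringHelper( char[] access )` constructor keeps the caller's array, so later `enable`/`disable` calls write through to it and the caller can alter the helper's state afterwards; `this.access = access.clone();` avoids the aliasing. Whether short or caller-shared access strings occur in practice is not visible in this hunk, so treat both as hardening.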
=== modified file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/BaseIdentifiableObject.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/BaseIdentifiableObject.java 2014-03-21 09:41:08 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/BaseIdentifiableObject.java 2014-03-27 04:40:10 +0000
@@ -40,7 +40,7 @@
import org.hisp.dhis.common.view.SharingBasicView;
import org.hisp.dhis.common.view.SharingDetailedView;
import org.hisp.dhis.common.view.SharingExportView;
-import org.hisp.dhis.sharing.Access;
+import org.hisp.dhis.accesscontrol.Access;
import org.hisp.dhis.user.User;
import org.hisp.dhis.user.UserGroupAccess;
=== modified file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/IdentifiableObject.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/IdentifiableObject.java 2014-03-21 09:41:08 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/IdentifiableObject.java 2014-03-27 04:40:10 +0000
@@ -28,7 +28,7 @@
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-import org.hisp.dhis.sharing.Access;
+import org.hisp.dhis.accesscontrol.Access;
import org.hisp.dhis.user.User;
import org.hisp.dhis.user.UserGroupAccess;
=== modified file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/interpretation/Interpretation.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/interpretation/Interpretation.java 2014-03-21 09:41:08 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/interpretation/Interpretation.java 2014-03-27 04:40:10 +0000
@@ -35,7 +35,7 @@
import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlProperty;
import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlRootElement;
import org.hisp.dhis.chart.Chart;
-import org.hisp.dhis.sharing.AccessStringHelper;
+import org.hisp.dhis.accesscontrol.AccessStringHelper;
import org.hisp.dhis.common.BaseIdentifiableObject;
import org.hisp.dhis.common.DxfNamespaces;
import org.hisp.dhis.common.IdentifiableObject;
=== removed directory 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/sharing'
=== removed file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/sharing/Access.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/sharing/Access.java 2014-03-21 09:41:08 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/sharing/Access.java 1970-01-01 00:00:00 +0000
@@ -1,129 +0,0 @@
-package org.hisp.dhis.sharing;
-
-/*
- * Copyright (c) 2004-2014, University of Oslo
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- * Neither the name of the HISP project nor the names of its contributors may
- * be used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
- * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-import com.fasterxml.jackson.annotation.JsonProperty;
-import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlProperty;
-import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlRootElement;
-import org.hisp.dhis.common.DxfNamespaces;
-
-/**
- * @author Morten Olav Hansen <mortenoh@xxxxxxxxx>
- */
-@JacksonXmlRootElement( localName = "access", namespace = DxfNamespaces.DXF_2_0 )
-public class Access
-{
- private boolean manage;
-
- private boolean externalize;
-
- private boolean write;
-
- private boolean read;
-
- private boolean update;
-
- private boolean delete;
-
- public Access()
- {
- }
-
- @JsonProperty
- @JacksonXmlProperty( localName = "manage", namespace = DxfNamespaces.DXF_2_0 )
- public boolean isManage()
- {
- return manage;
- }
-
- public void setManage( boolean manage )
- {
- this.manage = manage;
- }
-
- @JsonProperty
- @JacksonXmlProperty( localName = "externalize", namespace = DxfNamespaces.DXF_2_0 )
- public boolean isExternalize()
- {
- return externalize;
- }
-
- public void setExternalize( boolean externalize )
- {
- this.externalize = externalize;
- }
-
- @JsonProperty
- @JacksonXmlProperty( localName = "write", namespace = DxfNamespaces.DXF_2_0 )
- public boolean isWrite()
- {
- return write;
- }
-
- public void setWrite( boolean write )
- {
- this.write = write;
- }
-
- @JsonProperty
- @JacksonXmlProperty( localName = "read", namespace = DxfNamespaces.DXF_2_0 )
- public boolean isRead()
- {
- return read;
- }
-
- public void setRead( boolean read )
- {
- this.read = read;
- }
-
- @JsonProperty
- @JacksonXmlProperty( localName = "update", namespace = DxfNamespaces.DXF_2_0 )
- public boolean isUpdate()
- {
- return update;
- }
-
- public void setUpdate( boolean update )
- {
- this.update = update;
- }
-
- @JsonProperty
- @JacksonXmlProperty( localName = "delete", namespace = DxfNamespaces.DXF_2_0 )
- public boolean isDelete()
- {
- return delete;
- }
-
- public void setDelete( boolean delete )
- {
- this.delete = delete;
- }
-}
=== removed file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/sharing/AccessControlService.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/sharing/AccessControlService.java 2014-03-27 04:38:53 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/sharing/AccessControlService.java 1970-01-01 00:00:00 +0000
@@ -1,150 +0,0 @@
-package org.hisp.dhis.sharing;
-
-/*
- * Copyright (c) 2004-2014, University of Oslo
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- * Neither the name of the HISP project nor the names of its contributors may
- * be used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
- * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-import org.hisp.dhis.common.IdentifiableObject;
-import org.hisp.dhis.user.User;
-
-import java.util.Arrays;
-import java.util.List;
-
-/**
- * @author Morten Olav Hansen <mortenoh@xxxxxxxxx>
- */
-public interface AccessControlService
-{
- public static final List<String> SHARING_OVERRIDE_AUTHORITIES = Arrays.asList( "ALL", "F_METADATA_IMPORT" );
-
- boolean isSupported( String type );
-
- boolean isSupported( Class<?> klass );
-
- /**
- * Can user write to this object (create)
- * <p/>
- * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
- * 2. Is the user for the object null?
- * 3. Is the user of the object equal to current user?
- * 4. Is the object public write?
- * 5. Does any of the userGroupAccesses contain public write and the current user is in that group
- *
- * @param user User to check against
- * @param object Object to check
- * @return Result of test
- */
- boolean canWrite( User user, IdentifiableObject object );
-
- /**
- * Can user read this object
- * <p/>
- * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
- * 2. Is the user for the object null?
- * 3. Is the user of the object equal to current user?
- * 4. Is the object public read?
- * 5. Does any of the userGroupAccesses contain public read and the current user is in that group
- *
- * @param user User to check against
- * @param object Object to check
- * @return Result of test
- */
- boolean canRead( User user, IdentifiableObject object );
-
- /**
- * Can user update this object
- * <p/>
- * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
- * 2. Can user write to this object?
- *
- * @param user User to check against
- * @param object Object to check
- * @return Result of test
- */
- boolean canUpdate( User user, IdentifiableObject object );
-
- /**
- * Can user delete this object
- * <p/>
- * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
- * 2. Can user write to this object?
- *
- * @param user User to check against
- * @param object Object to check
- * @return Result of test
- */
- boolean canDelete( User user, IdentifiableObject object );
-
- /**
- * Can user manage (make public) this object
- * <p/>
- * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
- * 2. Can user write to this object?
- *
- * @param user User to check against
- * @param object Object to check
- * @return Result of test
- */
- boolean canManage( User user, IdentifiableObject object );
-
- /**
- * Checks if a user can create a public instance of a certain object.
- * <p/>
- * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
- * 2. Does user have the authority to create public instances of that object
- *
- * @param user User to check against
- * @param klass Class to check
- * @return Result of test
- */
- <T extends IdentifiableObject> boolean canCreatePublic( User user, Class<T> klass );
-
- /**
- * Checks if a user can create a private instance of a certain object.
- * <p/>
- * 1. Does user have SHARING_OVERRIDE_AUTHORITY authority?
- * 2. Does user have the authority to create private instances of that object
- *
- * @param user User to check against
- * @param klass Class to check
- * @return Result of test
- */
- <T extends IdentifiableObject> boolean canCreatePrivate( User user, Class<T> klass );
-
- /**
- * Can user make this object external? (read with no login)
- *
- * @param user User to check against
- * @param klass Type to check
- * @return Result of test
- */
- <T extends IdentifiableObject> boolean canExternalize( User user, Class<T> klass );
-
- <T extends IdentifiableObject> boolean defaultPublic( Class<T> klass );
-
- Class<? extends IdentifiableObject> classForType( String type );
-}
=== removed file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/sharing/AccessStringHelper.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/sharing/AccessStringHelper.java 2014-03-21 09:41:08 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/sharing/AccessStringHelper.java 1970-01-01 00:00:00 +0000
@@ -1,129 +0,0 @@
-package org.hisp.dhis.sharing;
-
-/*
- * Copyright (c) 2004-2014, University of Oslo
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- * Neither the name of the HISP project nor the names of its contributors may
- * be used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
- * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/**
- * Currently only the two first positions in the access string are used - rw.
- *
- * @author Morten Olav Hansen <mortenoh@xxxxxxxxx>
- */
-public class AccessStringHelper
-{
- public static final String DEFAULT_ACCESS = "--------";
-
- public static enum Permission
- {
- READ( 'r', 0 ), WRITE( 'w', 1 );
-
- private char value;
-
- private int position;
-
- private Permission( char value, int position )
- {
- this.value = value;
- this.position = position;
- }
-
- public char getValue()
- {
- return value;
- }
-
- public int getPosition()
- {
- return position;
- }
- }
-
- private char[] access = DEFAULT_ACCESS.toCharArray();
-
- public AccessStringHelper()
- {
- }
-
- public AccessStringHelper( char[] access )
- {
- this.access = access;
- }
-
- public AccessStringHelper( String access )
- {
- this.access = access.toCharArray();
- }
-
- public static AccessStringHelper newInstance()
- {
- return new AccessStringHelper();
- }
-
- public static AccessStringHelper newInstance( char[] access )
- {
- return new AccessStringHelper( access );
- }
-
- public AccessStringHelper enable( Permission permission )
- {
- access[permission.getPosition()] = permission.getValue();
-
- return this;
- }
-
- public AccessStringHelper disable( Permission permission )
- {
- access[permission.getPosition()] = '-';
-
- return this;
- }
-
- public String build()
- {
- return new String( access );
- }
-
- public String toString()
- {
- return build();
- }
-
- public static boolean canRead( String access )
- {
- return isEnabled( access, Permission.READ );
- }
-
- public static boolean canWrite( String access )
- {
- return isEnabled( access, Permission.WRITE );
- }
-
- public static boolean isEnabled( String access, Permission permission )
- {
- return access != null && access.charAt( permission.getPosition() ) == permission.getValue();
- }
-}
=== modified file 'dhis-2/dhis-api/src/test/java/org/hisp/dhis/common/AccessStringHelperTest.java'
--- dhis-2/dhis-api/src/test/java/org/hisp/dhis/common/AccessStringHelperTest.java 2014-03-21 09:41:08 +0000
+++ dhis-2/dhis-api/src/test/java/org/hisp/dhis/common/AccessStringHelperTest.java 2014-03-27 04:40:10 +0000
@@ -28,7 +28,7 @@
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-import org.hisp.dhis.sharing.AccessStringHelper;
+import org.hisp.dhis.accesscontrol.AccessStringHelper;
import org.junit.Assert;
import org.junit.Test;
=== modified file 'dhis-2/dhis-services/dhis-service-analytics/src/main/java/org/hisp/dhis/analytics/dimension/DefaultDimensionService.java'
--- dhis-2/dhis-services/dhis-service-analytics/src/main/java/org/hisp/dhis/analytics/dimension/DefaultDimensionService.java 2014-03-27 04:38:53 +0000
+++ dhis-2/dhis-services/dhis-service-analytics/src/main/java/org/hisp/dhis/analytics/dimension/DefaultDimensionService.java 2014-03-27 04:40:10 +0000
@@ -56,7 +56,7 @@
import org.hisp.dhis.period.PeriodType;
import org.hisp.dhis.period.RelativePeriodEnum;
import org.hisp.dhis.period.RelativePeriods;
-import org.hisp.dhis.sharing.AccessControlService;
+import org.hisp.dhis.accesscontrol.AccessControlService;
import org.hisp.dhis.system.util.UniqueArrayList;
import org.hisp.dhis.trackedentity.TrackedEntityAttribute;
import org.hisp.dhis.trackedentity.TrackedEntityAttributeDimension;
=== added directory 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/accesscontrol'
=== added file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/accesscontrol/DefaultAccessControlService.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/accesscontrol/DefaultAccessControlService.java 1970-01-01 00:00:00 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/accesscontrol/DefaultAccessControlService.java 2014-03-27 04:40:10 +0000
@@ -0,0 +1,279 @@
+package org.hisp.dhis.accesscontrol;
+
+/*
+ * Copyright (c) 2004-2014, University of Oslo
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * Neither the name of the HISP project nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+import org.hisp.dhis.common.IdentifiableObject;
+import org.hisp.dhis.dashboard.Dashboard;
+import org.hisp.dhis.schema.AuthorityType;
+import org.hisp.dhis.schema.Schema;
+import org.hisp.dhis.schema.SchemaService;
+import org.hisp.dhis.user.User;
+import org.hisp.dhis.user.UserGroup;
+import org.hisp.dhis.user.UserGroupAccess;
+import org.springframework.beans.factory.annotation.Autowired;
+
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
+
+import static org.springframework.util.CollectionUtils.containsAny;
+
+/**
+ * @author Morten Olav Hansen <mortenoh@xxxxxxxxx>
+ */
+public class DefaultAccessControlService implements AccessControlService
+{
+ @Autowired
+ private SchemaService schemaService;
+
+ @Override
+ public boolean isSupported( String type )
+ {
+ Schema schema = schemaService.getSchemaBySingularName( type );
+ return schema != null && schema.isShareable();
+ }
+
+ @Override
+ public boolean isSupported( Class<?> klass )
+ {
+ Schema schema = schemaService.getSchema( klass );
+ return schema != null && schema.isShareable();
+ }
+
+ @Override
+ public boolean canWrite( User user, IdentifiableObject object )
+ {
+ Schema schema = schemaService.getSchema( object.getClass() );
+
+ if ( schema == null || !schema.isShareable() )
+ {
+ return false;
+ }
+
+ //TODO ( (object instanceof User) && canCreatePrivate( user, object ) ): review possible security breaches and best way to give update access upon user import
+ if ( haveOverrideAuthority( user )
+ || (object.getUser() == null && canCreatePublic( user, object.getClass() ) && !schema.getAuthorityByType( AuthorityType.CREATE_PRIVATE ).isEmpty())
+ || (user != null && user.equals( object.getUser() ))
+ //|| authorities.contains( PRIVATE_AUTHORITIES.get( object.getClass() ) )
+ || ((object instanceof User) && canCreatePrivate( user, object.getClass() ))
+ || AccessStringHelper.canWrite( object.getPublicAccess() ) )
+ {
+ return true;
+ }
+
+ for ( UserGroupAccess userGroupAccess : object.getUserGroupAccesses() )
+ {
+ if ( AccessStringHelper.canWrite( userGroupAccess.getAccess() )
+ && userGroupAccess.getUserGroup().getMembers().contains( user ) )
+ {
+ return true;
+ }
+ }
+
+ return false;
+ }
+
+ @Override
+ public boolean canRead( User user, IdentifiableObject object )
+ {
+ Schema schema = schemaService.getSchema( object.getClass() );
+
+ if ( schema == null || !schema.isShareable() )
+ {
+ return false;
+ }
+
+ if ( haveOverrideAuthority( user )
+ || UserGroup.class.isAssignableFrom( object.getClass() )
+ || object.getUser() == null
+ || user.equals( object.getUser() )
+ || AccessStringHelper.canRead( object.getPublicAccess() ) )
+ {
+ return true;
+ }
+
+ for ( UserGroupAccess userGroupAccess : object.getUserGroupAccesses() )
+ {
+ if ( AccessStringHelper.canRead( userGroupAccess.getAccess() )
+ && userGroupAccess.getUserGroup().getMembers().contains( user ) )
+ {
+ return true;
+ }
+ }
+
+ return false;
+ }
+
+ @Override
+ public boolean canUpdate( User user, IdentifiableObject object )
+ {
+ Schema schema = schemaService.getSchema( object.getClass() );
+
+ if ( schema == null || !schema.isShareable() )
+ {
+ return false;
+ }
+
+ if ( schema.getAuthorityByType( AuthorityType.UPDATE ).isEmpty() )
+ {
+ return canWrite( user, object );
+ }
+
+ Set<String> authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
+
+ return canAccess( authorities, schema.getAuthorityByType( AuthorityType.UPDATE ) ) && canWrite( user, object );
+ }
+
+ @Override
+ public boolean canDelete( User user, IdentifiableObject object )
+ {
+ Schema schema = schemaService.getSchema( object.getClass() );
+
+ if ( schema == null || !schema.isShareable() )
+ {
+ return false;
+ }
+
+ if ( schema.getAuthorityByType( AuthorityType.DELETE ).isEmpty() )
+ {
+ return canWrite( user, object );
+ }
+
+ Set<String> authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
+
+ return canAccess( authorities, schema.getAuthorityByType( AuthorityType.DELETE ) ) && canWrite( user, object );
+ }
+
+ private boolean canAccess( Collection<String> userAuthorities, Collection<String> requiredAuthorities )
+ {
+ return containsAny( userAuthorities, SHARING_OVERRIDE_AUTHORITIES ) ||
+ containsAny( userAuthorities, requiredAuthorities );
+ }
+
+ @Override
+ public boolean canManage( User user, IdentifiableObject object )
+ {
+ Schema schema = schemaService.getSchema( object.getClass() );
+
+ if ( schema == null || !schema.isShareable() )
+ {
+ return false;
+ }
+
+ if ( haveOverrideAuthority( user )
+ || (object.getUser() == null && canCreatePublic( user, object.getClass() ) && !schema.getAuthorityByType( AuthorityType.CREATE_PRIVATE ).isEmpty())
+ || user.equals( object.getUser() )
+ || AccessStringHelper.canWrite( object.getPublicAccess() ) )
+ {
+ return true;
+ }
+
+ for ( UserGroupAccess userGroupAccess : object.getUserGroupAccesses() )
+ {
+ if ( AccessStringHelper.canWrite( userGroupAccess.getAccess() )
+ && userGroupAccess.getUserGroup().getMembers().contains( user ) )
+ {
+ return true;
+ }
+ }
+
+ return false;
+ }
+
+ @Override
+ public <T extends IdentifiableObject> boolean canCreatePublic( User user, Class<T> klass )
+ {
+ Set<String> authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
+
+ Schema schema = schemaService.getSchema( klass );
+
+ if ( schema == null || !schema.isShareable() )
+ {
+ return false;
+ }
+
+ return containsAny( authorities, SHARING_OVERRIDE_AUTHORITIES ) || containsAny( authorities, schema.getAuthorityByType( AuthorityType.CREATE_PUBLIC ) );
+ }
+
+ @Override
+ public <T extends IdentifiableObject> boolean canCreatePrivate( User user, Class<T> klass )
+ {
+ Set<String> authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
+
+ Schema schema = schemaService.getSchema( klass );
+
+ if ( schema == null || !schema.isShareable() )
+ {
+ return false;
+ }
+
+ return containsAny( authorities, SHARING_OVERRIDE_AUTHORITIES ) || containsAny( authorities, schema.getAuthorityByType( AuthorityType.CREATE_PRIVATE ) );
+ }
+
+ @Override
+ public <T extends IdentifiableObject> boolean canExternalize( User user, Class<T> klass )
+ {
+ Set<String> authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
+
+ Schema schema = schemaService.getSchema( klass );
+
+ if ( schema == null || !schema.isShareable() )
+ {
+ return false;
+ }
+
+ return containsAny( authorities, SHARING_OVERRIDE_AUTHORITIES ) || containsAny( authorities, schema.getAuthorityByType( AuthorityType.EXTERNALIZE ) );
+ }
+
+ @Override
+ public <T extends IdentifiableObject> boolean defaultPublic( Class<T> klass )
+ {
+ // TODO this is quite nasty, should probably be added to schema
+ return !Dashboard.class.isAssignableFrom( klass );
+ }
+
+ @Override
+ @SuppressWarnings( "unchecked" )
+ public Class<? extends IdentifiableObject> classForType( String type )
+ {
+ Schema schema = schemaService.getSchemaBySingularName( type );
+
+ if ( schema != null && schema.isShareable() && schema.isIdentifiableObject() )
+ {
+ return (Class<? extends IdentifiableObject>) schema.getKlass();
+ }
+
+ return null;
+ }
+
+ private boolean haveOverrideAuthority( User user )
+ {
+ return user == null || containsAny( user.getUserCredentials().getAllAuthorities(), SHARING_OVERRIDE_AUTHORITIES );
+ }
+}
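Review bot: `haveOverrideAuthority` at the end of this file returns true when `user == null`, so `canRead`, `canWrite` and `canManage` grant access whenever no user is supplied. `canCreatePublic`, `canCreatePrivate` and `canExternalize` instead treat a null user as holding no authorities. `canUpdate` and `canDelete` therefore deny a null user when the schema lists an UPDATE or DELETE authority, but allow it via `canWrite` when the list is empty. If null is meant to stand for a trusted internal caller, say so in a comment on the helper, e.g. `// null user = internal/system call, bypasses sharing; never pass the user of an unauthenticated request`. If a request without a session can reach these methods with a null user (the callers are not visible here), the check fails open. In that case the helper should read `return user != null && containsAny( user.getUserCredentials().getAllAuthorities(), SHARING_OVERRIDE_AUTHORITIES );` and the unguarded `user.equals( object.getUser() )` in `canRead` and `canManage` needs the `user != null &&` guard that `canWrite` already has.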
=== modified file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java 2014-03-27 04:38:53 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java 2014-03-27 04:40:10 +0000
@@ -35,7 +35,7 @@
import org.hisp.dhis.message.MessageSender;
import org.hisp.dhis.period.Cal;
import org.hisp.dhis.setting.SystemSettingManager;
-import org.hisp.dhis.sharing.AccessControlService;
+import org.hisp.dhis.accesscontrol.AccessControlService;
import org.hisp.dhis.system.util.ValidationUtils;
import org.hisp.dhis.system.velocity.VelocityManager;
import org.hisp.dhis.user.CurrentUserService;
=== removed directory 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/sharing'
=== removed file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/sharing/DefaultAccessControlService.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/sharing/DefaultAccessControlService.java 2014-03-27 04:38:53 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/sharing/DefaultAccessControlService.java 1970-01-01 00:00:00 +0000
@@ -1,279 +0,0 @@
-package org.hisp.dhis.sharing;
-
-/*
- * Copyright (c) 2004-2014, University of Oslo
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- *
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- * Neither the name of the HISP project nor the names of its contributors may
- * be used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
- * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-import org.hisp.dhis.common.IdentifiableObject;
-import org.hisp.dhis.dashboard.Dashboard;
-import org.hisp.dhis.schema.AuthorityType;
-import org.hisp.dhis.schema.Schema;
-import org.hisp.dhis.schema.SchemaService;
-import org.hisp.dhis.user.User;
-import org.hisp.dhis.user.UserGroup;
-import org.hisp.dhis.user.UserGroupAccess;
-import org.springframework.beans.factory.annotation.Autowired;
-
-import java.util.Collection;
-import java.util.HashSet;
-import java.util.Set;
-
-import static org.springframework.util.CollectionUtils.containsAny;
-
-/**
- * @author Morten Olav Hansen <mortenoh@xxxxxxxxx>
- */
-public class DefaultAccessControlService implements AccessControlService
-{
- @Autowired
- private SchemaService schemaService;
-
- @Override
- public boolean isSupported( String type )
- {
- Schema schema = schemaService.getSchemaBySingularName( type );
- return schema != null && schema.isShareable();
- }
-
- @Override
- public boolean isSupported( Class<?> klass )
- {
- Schema schema = schemaService.getSchema( klass );
- return schema != null && schema.isShareable();
- }
-
- @Override
- public boolean canWrite( User user, IdentifiableObject object )
- {
- Schema schema = schemaService.getSchema( object.getClass() );
-
- if ( schema == null || !schema.isShareable() )
- {
- return false;
- }
-
- //TODO ( (object instanceof User) && canCreatePrivate( user, object ) ): review possible security breaches and best way to give update access upon user import
- if ( haveOverrideAuthority( user )
- || (object.getUser() == null && canCreatePublic( user, object.getClass() ) && !schema.getAuthorityByType( AuthorityType.CREATE_PRIVATE ).isEmpty())
- || (user != null && user.equals( object.getUser() ))
- //|| authorities.contains( PRIVATE_AUTHORITIES.get( object.getClass() ) )
- || ((object instanceof User) && canCreatePrivate( user, object.getClass() ))
- || AccessStringHelper.canWrite( object.getPublicAccess() ) )
- {
- return true;
- }
-
- for ( UserGroupAccess userGroupAccess : object.getUserGroupAccesses() )
- {
- if ( AccessStringHelper.canWrite( userGroupAccess.getAccess() )
- && userGroupAccess.getUserGroup().getMembers().contains( user ) )
- {
- return true;
- }
- }
-
- return false;
- }
-
- @Override
- public boolean canRead( User user, IdentifiableObject object )
- {
- Schema schema = schemaService.getSchema( object.getClass() );
-
- if ( schema == null || !schema.isShareable() )
- {
- return false;
- }
-
- if ( haveOverrideAuthority( user )
- || UserGroup.class.isAssignableFrom( object.getClass() )
- || object.getUser() == null
- || user.equals( object.getUser() )
- || AccessStringHelper.canRead( object.getPublicAccess() ) )
- {
- return true;
- }
-
- for ( UserGroupAccess userGroupAccess : object.getUserGroupAccesses() )
- {
- if ( AccessStringHelper.canRead( userGroupAccess.getAccess() )
- && userGroupAccess.getUserGroup().getMembers().contains( user ) )
- {
- return true;
- }
- }
-
- return false;
- }
-
- @Override
- public boolean canUpdate( User user, IdentifiableObject object )
- {
- Schema schema = schemaService.getSchema( object.getClass() );
-
- if ( schema == null || !schema.isShareable() )
- {
- return false;
- }
-
- if ( schema.getAuthorityByType( AuthorityType.UPDATE ).isEmpty() )
- {
- return canWrite( user, object );
- }
-
- Set<String> authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
-
- return canAccess( authorities, schema.getAuthorityByType( AuthorityType.UPDATE ) ) && canWrite( user, object );
- }
-
- @Override
- public boolean canDelete( User user, IdentifiableObject object )
- {
- Schema schema = schemaService.getSchema( object.getClass() );
-
- if ( schema == null || !schema.isShareable() )
- {
- return false;
- }
-
- if ( schema.getAuthorityByType( AuthorityType.DELETE ).isEmpty() )
- {
- return canWrite( user, object );
- }
-
- Set<String> authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
-
- return canAccess( authorities, schema.getAuthorityByType( AuthorityType.DELETE ) ) && canWrite( user, object );
- }
-
- private boolean canAccess( Collection<String> userAuthorities, Collection<String> requiredAuthorities )
- {
- return containsAny( userAuthorities, SHARING_OVERRIDE_AUTHORITIES ) ||
- containsAny( userAuthorities, requiredAuthorities );
- }
-
- @Override
- public boolean canManage( User user, IdentifiableObject object )
- {
- Schema schema = schemaService.getSchema( object.getClass() );
-
- if ( schema == null || !schema.isShareable() )
- {
- return false;
- }
-
- if ( haveOverrideAuthority( user )
- || (object.getUser() == null && canCreatePublic( user, object.getClass() ) && !schema.getAuthorityByType( AuthorityType.CREATE_PRIVATE ).isEmpty())
- || user.equals( object.getUser() )
- || AccessStringHelper.canWrite( object.getPublicAccess() ) )
- {
- return true;
- }
-
- for ( UserGroupAccess userGroupAccess : object.getUserGroupAccesses() )
- {
- if ( AccessStringHelper.canWrite( userGroupAccess.getAccess() )
- && userGroupAccess.getUserGroup().getMembers().contains( user ) )
- {
- return true;
- }
- }
-
- return false;
- }
-
- @Override
- public <T extends IdentifiableObject> boolean canCreatePublic( User user, Class<T> klass )
- {
- Set<String> authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
-
- Schema schema = schemaService.getSchema( klass );
-
- if ( schema == null || !schema.isShareable() )
- {
- return false;
- }
-
- return containsAny( authorities, SHARING_OVERRIDE_AUTHORITIES ) || containsAny( authorities, schema.getAuthorityByType( AuthorityType.CREATE_PUBLIC ) );
- }
-
- @Override
- public <T extends IdentifiableObject> boolean canCreatePrivate( User user, Class<T> klass )
- {
- Set<String> authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
-
- Schema schema = schemaService.getSchema( klass );
-
- if ( schema == null || !schema.isShareable() )
- {
- return false;
- }
-
- return containsAny( authorities, SHARING_OVERRIDE_AUTHORITIES ) || containsAny( authorities, schema.getAuthorityByType( AuthorityType.CREATE_PRIVATE ) );
- }
-
- @Override
- public <T extends IdentifiableObject> boolean canExternalize( User user, Class<T> klass )
- {
- Set<String> authorities = user != null ? user.getUserCredentials().getAllAuthorities() : new HashSet<String>();
-
- Schema schema = schemaService.getSchema( klass );
-
- if ( schema == null || !schema.isShareable() )
- {
- return false;
- }
-
- return containsAny( authorities, SHARING_OVERRIDE_AUTHORITIES ) || containsAny( authorities, schema.getAuthorityByType( AuthorityType.EXTERNALIZE ) );
- }
-
- @Override
- public <T extends IdentifiableObject> boolean defaultPublic( Class<T> klass )
- {
- // TODO this is quite nasty, should probably be added to schema
- return !Dashboard.class.isAssignableFrom( klass );
- }
-
- @Override
- @SuppressWarnings( "unchecked" )
- public Class<? extends IdentifiableObject> classForType( String type )
- {
- Schema schema = schemaService.getSchemaBySingularName( type );
-
- if ( schema != null && schema.isShareable() && schema.isIdentifiableObject() )
- {
- return (Class<? extends IdentifiableObject>) schema.getKlass();
- }
-
- return null;
- }
-
- private boolean haveOverrideAuthority( User user )
- {
- return user == null || containsAny( user.getUserCredentials().getAllAuthorities(), SHARING_OVERRIDE_AUTHORITIES );
- }
-}
=== modified file 'dhis-2/dhis-services/dhis-service-core/src/main/resources/META-INF/dhis/beans.xml'
--- dhis-2/dhis-services/dhis-service-core/src/main/resources/META-INF/dhis/beans.xml 2014-03-27 04:38:53 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/resources/META-INF/dhis/beans.xml 2014-03-27 04:40:10 +0000
@@ -11,7 +11,7 @@
<bean id="org.hisp.dhis.schema.PropertyIntrospectorService" class="org.hisp.dhis.schema.DefaultPropertyIntrospectorService" />
- <bean id="org.hisp.dhis.sharing.AccessControlService" class="org.hisp.dhis.sharing.DefaultAccessControlService" />
+ <bean id="org.hisp.dhis.sharing.AccessControlService" class="org.hisp.dhis.accesscontrol.DefaultAccessControlService" />
<!-- Store definitions -->
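Review bot: The bean id on the changed line still reads `org.hisp.dhis.sharing.AccessControlService` although both the interface and the implementation now live in `org.hisp.dhis.accesscontrol`. This leaves the id naming a type that no longer exists. Injection by type, as with the `@Autowired` fields in this commit, would still work, but a reader tracing the access-control bean by id will be misled. Consider `<bean id="org.hisp.dhis.accesscontrol.AccessControlService" class="org.hisp.dhis.accesscontrol.DefaultAccessControlService" />`, after checking that no other bean definition refers to the old id with `ref=`; such references are not visible in this diff.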
=== modified file 'dhis-2/dhis-services/dhis-service-dxf2/src/main/java/org/hisp/dhis/dxf2/metadata/importers/DefaultIdentifiableObjectImporter.java'
--- dhis-2/dhis-services/dhis-service-dxf2/src/main/java/org/hisp/dhis/dxf2/metadata/importers/DefaultIdentifiableObjectImporter.java 2014-03-27 04:38:53 +0000
+++ dhis-2/dhis-services/dhis-service-dxf2/src/main/java/org/hisp/dhis/dxf2/metadata/importers/DefaultIdentifiableObjectImporter.java 2014-03-27 04:40:10 +0000
@@ -55,7 +55,7 @@
import org.hisp.dhis.period.Period;
import org.hisp.dhis.period.PeriodService;
import org.hisp.dhis.period.PeriodType;
-import org.hisp.dhis.sharing.AccessControlService;
+import org.hisp.dhis.accesscontrol.AccessControlService;
import org.hisp.dhis.system.util.CollectionUtils;
import org.hisp.dhis.system.util.ReflectionUtils;
import org.hisp.dhis.system.util.functional.Function1;
=== modified file 'dhis-2/dhis-support/dhis-support-hibernate/src/main/java/org/hisp/dhis/hibernate/HibernateGenericStore.java'
--- dhis-2/dhis-support/dhis-support-hibernate/src/main/java/org/hisp/dhis/hibernate/HibernateGenericStore.java 2014-03-27 04:38:53 +0000
+++ dhis-2/dhis-support/dhis-support-hibernate/src/main/java/org/hisp/dhis/hibernate/HibernateGenericStore.java 2014-03-27 04:40:10 +0000
@@ -46,8 +46,8 @@
import org.hisp.dhis.hibernate.exception.ReadAccessDeniedException;
import org.hisp.dhis.hibernate.exception.UpdateAccessDeniedException;
import org.hisp.dhis.interpretation.Interpretation;
-import org.hisp.dhis.sharing.AccessControlService;
-import org.hisp.dhis.sharing.AccessStringHelper;
+import org.hisp.dhis.accesscontrol.AccessControlService;
+import org.hisp.dhis.accesscontrol.AccessStringHelper;
import org.hisp.dhis.user.CurrentUserService;
import org.hisp.dhis.user.UserGroupAccess;
import org.springframework.beans.factory.annotation.Autowired;
=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/AbstractCrudController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/AbstractCrudController.java 2014-03-27 04:38:53 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/AbstractCrudController.java 2014-03-27 04:40:10 +0000
@@ -51,8 +51,8 @@
import org.hisp.dhis.dxf2.utils.JacksonUtils;
import org.hisp.dhis.schema.Schema;
import org.hisp.dhis.schema.SchemaService;
-import org.hisp.dhis.sharing.Access;
-import org.hisp.dhis.sharing.AccessControlService;
+import org.hisp.dhis.accesscontrol.Access;
+import org.hisp.dhis.accesscontrol.AccessControlService;
import org.hisp.dhis.system.util.ReflectionUtils;
import org.hisp.dhis.user.CurrentUserService;
import org.springframework.beans.factory.annotation.Autowired;
=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/SharingController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/SharingController.java 2014-03-27 04:38:53 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/SharingController.java 2014-03-27 04:40:10 +0000
@@ -38,8 +38,8 @@
import org.hisp.dhis.common.IdentifiableObject;
import org.hisp.dhis.common.IdentifiableObjectManager;
import org.hisp.dhis.dxf2.utils.JacksonUtils;
-import org.hisp.dhis.sharing.AccessControlService;
-import org.hisp.dhis.sharing.AccessStringHelper;
+import org.hisp.dhis.accesscontrol.AccessControlService;
+import org.hisp.dhis.accesscontrol.AccessStringHelper;
import org.hisp.dhis.user.CurrentUserService;
import org.hisp.dhis.user.UserGroup;
import org.hisp.dhis.user.UserGroupAccess;
=== modified file 'dhis-2/dhis-web/dhis-web-dataentry/src/main/java/org/hisp/dhis/de/action/GetMetaDataAction.java'
--- dhis-2/dhis-web/dhis-web-dataentry/src/main/java/org/hisp/dhis/de/action/GetMetaDataAction.java 2014-03-27 04:38:53 +0000
+++ dhis-2/dhis-web/dhis-web-dataentry/src/main/java/org/hisp/dhis/de/action/GetMetaDataAction.java 2014-03-27 04:40:10 +0000
@@ -44,7 +44,7 @@
import org.hisp.dhis.indicator.IndicatorService;
import org.hisp.dhis.organisationunit.OrganisationUnitDataSetAssociationSet;
import org.hisp.dhis.organisationunit.OrganisationUnitService;
-import org.hisp.dhis.sharing.AccessControlService;
+import org.hisp.dhis.accesscontrol.AccessControlService;
import org.hisp.dhis.user.CurrentUserService;
import org.hisp.dhis.user.User;
import org.springframework.beans.factory.annotation.Autowired;