dhis2-devs team mailing list archive
-
dhis2-devs team
-
Mailing list archive
-
Message #32854
[Branch ~dhis2-devs-core/dhis2/trunk] Rev 16728: removed ALL/F_METADATA_IMPORT (and EXPORT) restriction on /api/metadata, security is handled by A...
------------------------------------------------------------
revno: 16728
committer: Morten Olav Hansen <mortenoh@xxxxxxxxx>
branch nick: dhis2
timestamp: Tue 2014-09-16 12:18:47 +0700
message:
removed ALL/F_METADATA_IMPORT (and EXPORT) restriction on /api/metadata, security is handled by AclService
modified:
dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/acl/DefaultAclService.java
dhis-2/dhis-services/dhis-service-dxf2/src/main/java/org/hisp/dhis/dxf2/metadata/importers/DefaultIdentifiableObjectImporter.java
dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/MetaDataController.java
--
lp:dhis2
https://code.launchpad.net/~dhis2-devs-core/dhis2/trunk
Your team DHIS 2 developers is subscribed to branch lp:dhis2.
To unsubscribe from this branch go to https://code.launchpad.net/~dhis2-devs-core/dhis2/trunk/+edit-subscription
=== modified file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/acl/DefaultAclService.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/acl/DefaultAclService.java 2014-08-15 07:02:10 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/acl/DefaultAclService.java 2014-09-16 05:18:47 +0000
@@ -254,7 +254,7 @@
}
@Override
- @SuppressWarnings("unchecked")
+ @SuppressWarnings( "unchecked" )
public Class<? extends IdentifiableObject> classForType( String type )
{
Schema schema = schemaService.getSchemaBySingularName( type );
=== modified file 'dhis-2/dhis-services/dhis-service-dxf2/src/main/java/org/hisp/dhis/dxf2/metadata/importers/DefaultIdentifiableObjectImporter.java'
--- dhis-2/dhis-services/dhis-service-dxf2/src/main/java/org/hisp/dhis/dxf2/metadata/importers/DefaultIdentifiableObjectImporter.java 2014-09-14 08:48:18 +0000
+++ dhis-2/dhis-services/dhis-service-dxf2/src/main/java/org/hisp/dhis/dxf2/metadata/importers/DefaultIdentifiableObjectImporter.java 2014-09-16 05:18:47 +0000
@@ -41,6 +41,7 @@
import org.hisp.dhis.common.BaseIdentifiableObject;
import org.hisp.dhis.common.IdentifiableObject;
import org.hisp.dhis.common.NameableObject;
+import org.hisp.dhis.dashboard.DashboardItem;
import org.hisp.dhis.dataelement.DataElementOperand;
import org.hisp.dhis.dataelement.DataElementOperandService;
import org.hisp.dhis.dataentryform.DataEntryForm;
@@ -220,9 +221,9 @@
if ( !aclService.canDelete( user, persistedObject ) )
{
summaryType.getImportConflicts().add(
- new ImportConflict( ImportUtils.getDisplayName( persistedObject ), "You do not have delete access to class type." ) );
+ new ImportConflict( ImportUtils.getDisplayName( persistedObject ), "Permission denied for deletion of object " + persistedObject.getUid() ) );
- log.debug( "You do not have delete access to class type." );
+ log.debug( "Permission denied for deletion of object " + persistedObject.getUid() );
return false;
}
@@ -258,9 +259,9 @@
if ( !aclService.canCreate( user, object.getClass() ) )
{
summaryType.getImportConflicts().add(
- new ImportConflict( ImportUtils.getDisplayName( object ), "You do not have create access to class type." ) );
+ new ImportConflict( ImportUtils.getDisplayName( object ), "Permission denied, you are not allowed to create objects of type " + object.getClass() ) );
- log.debug( "You do not have create access to class type." );
+ log.debug( "Permission denied, you are not allowed to create objects of type " + object.getClass() );
return false;
}
@@ -344,7 +345,9 @@
if ( !aclService.canUpdate( user, persistedObject ) )
{
summaryType.getImportConflicts().add(
- new ImportConflict( ImportUtils.getDisplayName( object ), "You do not have update access to object." ) );
+ new ImportConflict( ImportUtils.getDisplayName( persistedObject ), "Permission denied for update of object " + persistedObject.getUid() ) );
+
+ log.debug( "Permission denied for update of object " + persistedObject.getUid() );
return false;
}
@@ -514,7 +517,8 @@
return success;
}
- if ( object.getName() == null || object.getName().length() == 0 )
+ if ( (object.getName() == null || object.getName().length() == 0)
+ && !DashboardItem.class.isInstance( object ) )
{
conflict = new ImportConflict( ImportUtils.getDisplayName( object ), "Empty name for object " + object );
}
@@ -526,7 +530,8 @@
if ( (nameableObject.getShortName() == null || nameableObject.getShortName().length() == 0)
// this is nasty, but we have types in the system which have shortName, but which do -not- require not-null )
&& !TrackedEntityAttribute.class.isAssignableFrom( object.getClass() )
- && !TrackedEntity.class.isAssignableFrom( object.getClass() ) )
+ && !TrackedEntity.class.isAssignableFrom( object.getClass() )
+ && !DashboardItem.class.isAssignableFrom( object.getClass() ) )
{
conflict = new ImportConflict( ImportUtils.getDisplayName( object ), "Empty shortName for object " + object );
}
=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/MetaDataController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/MetaDataController.java 2014-06-18 11:19:27 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/MetaDataController.java 2014-09-16 05:18:47 +0000
@@ -91,7 +91,6 @@
//--------------------------------------------------------------------------
@RequestMapping( value = MetaDataController.RESOURCE_PATH )
- @PreAuthorize( "hasRole('ALL') or hasRole('F_METADATA_EXPORT')" )
public String export( @RequestParam Map<String, String> parameters, Model model )
{
WebOptions options = new WebOptions( parameters );
@@ -104,33 +103,30 @@
}
@RequestMapping( value = MetaDataController.RESOURCE_PATH + ".xml", produces = "*/*" )
- @PreAuthorize( "hasRole('ALL') or hasRole('F_METADATA_EXPORT')" )
public void exportXml( @RequestParam Map<String, String> parameters, HttpServletResponse response ) throws IOException
{
WebOptions options = new WebOptions( parameters );
MetaData metaData = exportService.getMetaData( options );
- contextUtils.configureResponse( response, ContextUtils.CONTENT_TYPE_XML, CacheStrategy.NO_CACHE, "metaData.xml", true );
+ contextUtils.configureResponse( response, ContextUtils.CONTENT_TYPE_XML, CacheStrategy.NO_CACHE, "metadata.xml", true );
Class<?> viewClass = JacksonUtils.getViewClass( options.getViewClass( "export" ) );
JacksonUtils.toXmlWithView( response.getOutputStream(), metaData, viewClass );
}
@RequestMapping( value = MetaDataController.RESOURCE_PATH + ".json", produces = "*/*" )
- @PreAuthorize( "hasRole('ALL') or hasRole('F_METADATA_EXPORT')" )
public void exportJson( @RequestParam Map<String, String> parameters, HttpServletResponse response ) throws IOException
{
WebOptions options = new WebOptions( parameters );
MetaData metaData = exportService.getMetaData( options );
- contextUtils.configureResponse( response, ContextUtils.CONTENT_TYPE_JSON, CacheStrategy.NO_CACHE, "metaData.json", true );
+ contextUtils.configureResponse( response, ContextUtils.CONTENT_TYPE_JSON, CacheStrategy.NO_CACHE, "metadata.json", true );
Class<?> viewClass = JacksonUtils.getViewClass( options.getViewClass( "export" ) );
JacksonUtils.toJsonWithView( response.getOutputStream(), metaData, viewClass );
}
@RequestMapping( value = { MetaDataController.RESOURCE_PATH + ".zip" }, produces = "*/*" )
- @PreAuthorize( "hasRole('ALL') or hasRole('F_METADATA_EXPORT')" )
public void exportZipped( @RequestParam Map<String, String> parameters, HttpServletResponse response, HttpServletRequest request ) throws IOException
{
String accept = request.getHeader( "Accept" );
@@ -146,41 +142,38 @@
}
@RequestMapping( value = { MetaDataController.RESOURCE_PATH + ".xml.zip" }, produces = "*/*" )
- @PreAuthorize( "hasRole('ALL') or hasRole('F_METADATA_EXPORT')" )
public void exportZippedXML( @RequestParam Map<String, String> parameters, HttpServletResponse response ) throws IOException
{
WebOptions options = new WebOptions( parameters );
MetaData metaData = exportService.getMetaData( options );
- contextUtils.configureResponse( response, ContextUtils.CONTENT_TYPE_ZIP, CacheStrategy.NO_CACHE, "metaData.xml.zip", true );
+ contextUtils.configureResponse( response, ContextUtils.CONTENT_TYPE_ZIP, CacheStrategy.NO_CACHE, "metadata.xml.zip", true );
response.addHeader( ContextUtils.HEADER_CONTENT_TRANSFER_ENCODING, "binary" );
ZipOutputStream zip = new ZipOutputStream( response.getOutputStream() );
- zip.putNextEntry( new ZipEntry( "metaData.xml" ) );
+ zip.putNextEntry( new ZipEntry( "metadata.xml" ) );
Class<?> viewClass = JacksonUtils.getViewClass( options.getViewClass( "export" ) );
JacksonUtils.toXmlWithView( zip, metaData, viewClass );
}
@RequestMapping( value = { MetaDataController.RESOURCE_PATH + ".json.zip" }, produces = "*/*" )
- @PreAuthorize( "hasRole('ALL') or hasRole('F_METADATA_EXPORT')" )
public void exportZippedJSON( @RequestParam Map<String, String> parameters, HttpServletResponse response ) throws IOException
{
WebOptions options = new WebOptions( parameters );
MetaData metaData = exportService.getMetaData( options );
- contextUtils.configureResponse( response, ContextUtils.CONTENT_TYPE_ZIP, CacheStrategy.NO_CACHE, "metaData.json.zip", true );
+ contextUtils.configureResponse( response, ContextUtils.CONTENT_TYPE_ZIP, CacheStrategy.NO_CACHE, "metadata.json.zip", true );
response.addHeader( ContextUtils.HEADER_CONTENT_TRANSFER_ENCODING, "binary" );
ZipOutputStream zip = new ZipOutputStream( response.getOutputStream() );
- zip.putNextEntry( new ZipEntry( "metaData.json" ) );
+ zip.putNextEntry( new ZipEntry( "metadata.json" ) );
Class<?> viewClass = JacksonUtils.getViewClass( options.getViewClass( "export" ) );
JacksonUtils.toJsonWithView( zip, metaData, viewClass );
}
@RequestMapping( value = { MetaDataController.RESOURCE_PATH + ".gz" }, produces = "*/*" )
- @PreAuthorize( "hasRole('ALL') or hasRole('F_METADATA_EXPORT')" )
public void exportGZipped( @RequestParam Map<String, String> parameters, HttpServletResponse response, HttpServletRequest request ) throws IOException
{
String accept = request.getHeader( "Accept" );
@@ -196,13 +189,12 @@
}
@RequestMapping( value = { MetaDataController.RESOURCE_PATH + ".xml.gz" }, produces = "*/*" )
- @PreAuthorize( "hasRole('ALL') or hasRole('F_METADATA_EXPORT')" )
public void exportGZippedXML( @RequestParam Map<String, String> parameters, HttpServletResponse response ) throws IOException
{
WebOptions options = new WebOptions( parameters );
MetaData metaData = exportService.getMetaData( options );
- contextUtils.configureResponse( response, ContextUtils.CONTENT_TYPE_GZIP, CacheStrategy.NO_CACHE, "metaData.xml.gz", true );
+ contextUtils.configureResponse( response, ContextUtils.CONTENT_TYPE_GZIP, CacheStrategy.NO_CACHE, "metadata.xml.gz", true );
response.addHeader( ContextUtils.HEADER_CONTENT_TRANSFER_ENCODING, "binary" );
GZIPOutputStream gzip = new GZIPOutputStream( response.getOutputStream() );
@@ -212,13 +204,12 @@
}
@RequestMapping( value = { MetaDataController.RESOURCE_PATH + ".json.gz" }, produces = "*/*" )
- @PreAuthorize( "hasRole('ALL') or hasRole('F_METADATA_EXPORT')" )
public void exportGZippedJSON( @RequestParam Map<String, String> parameters, HttpServletResponse response ) throws IOException
{
WebOptions options = new WebOptions( parameters );
MetaData metaData = exportService.getMetaData( options );
- contextUtils.configureResponse( response, ContextUtils.CONTENT_TYPE_GZIP, CacheStrategy.NO_CACHE, "metaData.json.gz", true );
+ contextUtils.configureResponse( response, ContextUtils.CONTENT_TYPE_GZIP, CacheStrategy.NO_CACHE, "metadata.json.gz", true );
response.addHeader( ContextUtils.HEADER_CONTENT_TRANSFER_ENCODING, "binary" );
GZIPOutputStream gzip = new GZIPOutputStream( response.getOutputStream() );
@@ -232,7 +223,6 @@
//--------------------------------------------------------------------------
@RequestMapping( value = MetaDataController.RESOURCE_PATH, method = RequestMethod.POST, consumes = { "application/xml", "text/*" } )
- @PreAuthorize( "hasRole('ALL') or hasRole('F_METADATA_IMPORT')" )
public void importXml( ImportOptions importOptions, HttpServletResponse response, HttpServletRequest request ) throws IOException
{
MetaData metaData = JacksonUtils.fromXml( request.getInputStream(), MetaData.class );
@@ -248,7 +238,6 @@
}
@RequestMapping( value = MetaDataController.RESOURCE_PATH, method = RequestMethod.DELETE, consumes = { "application/xml", "text/*" } )
- @PreAuthorize( "hasRole('ALL') or hasRole('F_METADATA_IMPORT')" )
public void deleteXml( ImportOptions importOptions, HttpServletResponse response, HttpServletRequest request ) throws IOException
{
importOptions.setImportStrategy( ImportStrategy.DELETE.name() );
@@ -256,7 +245,6 @@
}
@RequestMapping( value = MetaDataController.RESOURCE_PATH, method = RequestMethod.POST, consumes = "application/json" )
- @PreAuthorize( "hasRole('ALL') or hasRole('F_METADATA_IMPORT')" )
public void importJson( ImportOptions importOptions, HttpServletResponse response, HttpServletRequest request ) throws IOException
{
MetaData metaData = JacksonUtils.fromJson( request.getInputStream(), MetaData.class );
@@ -272,7 +260,6 @@
}
@RequestMapping( value = MetaDataController.RESOURCE_PATH, method = RequestMethod.DELETE, consumes = "application/json" )
- @PreAuthorize( "hasRole('ALL') or hasRole('F_METADATA_IMPORT')" )
public void deleteJson( ImportOptions importOptions, HttpServletResponse response, HttpServletRequest request ) throws IOException
{
importOptions.setImportStrategy( ImportStrategy.DELETE.name() );
@@ -280,7 +267,6 @@
}
@RequestMapping( value = { MetaDataController.RESOURCE_PATH + ".zip", MetaDataController.RESOURCE_PATH + ".xml.zip" }, method = RequestMethod.POST, consumes = { "application/xml", "text/*" } )
- @PreAuthorize( "hasRole('ALL') or hasRole('F_METADATA_IMPORT')" )
public void importZippedXml( ImportOptions importOptions, HttpServletResponse response, HttpServletRequest request ) throws IOException
{
ZipInputStream zip = new ZipInputStream( request.getInputStream() );
@@ -299,7 +285,6 @@
}
@RequestMapping( value = { MetaDataController.RESOURCE_PATH + ".zip", MetaDataController.RESOURCE_PATH + ".xml.zip" }, method = RequestMethod.DELETE, consumes = { "application/xml", "text/*" } )
- @PreAuthorize( "hasRole('ALL') or hasRole('F_METADATA_IMPORT')" )
public void deleteZippedXml( ImportOptions importOptions, HttpServletResponse response, HttpServletRequest request ) throws IOException
{
importOptions.setImportStrategy( ImportStrategy.DELETE.name() );
@@ -307,7 +292,6 @@
}
@RequestMapping( value = { MetaDataController.RESOURCE_PATH + ".zip", MetaDataController.RESOURCE_PATH + ".json.zip" }, method = RequestMethod.POST, consumes = "application/json" )
- @PreAuthorize( "hasRole('ALL') or hasRole('F_METADATA_IMPORT')" )
public void importZippedJson( ImportOptions importOptions, HttpServletResponse response, HttpServletRequest request ) throws IOException
{
ZipInputStream zip = new ZipInputStream( request.getInputStream() );
@@ -326,7 +310,6 @@
}
@RequestMapping( value = { MetaDataController.RESOURCE_PATH + ".zip", MetaDataController.RESOURCE_PATH + ".json.zip" }, method = RequestMethod.DELETE, consumes = "application/json" )
- @PreAuthorize( "hasRole('ALL') or hasRole('F_METADATA_IMPORT')" )
public void deleteZippedJson( ImportOptions importOptions, HttpServletResponse response, HttpServletRequest request ) throws IOException
{
importOptions.setImportStrategy( ImportStrategy.DELETE.name() );
@@ -334,7 +317,6 @@
}
@RequestMapping( value = { MetaDataController.RESOURCE_PATH + ".gz", MetaDataController.RESOURCE_PATH + ".xml.gz" }, method = RequestMethod.POST, consumes = { "application/xml", "text/*" } )
- @PreAuthorize( "hasRole('ALL') or hasRole('F_METADATA_IMPORT')" )
public void importGZippedXml( ImportOptions importOptions, HttpServletResponse response, HttpServletRequest request ) throws IOException
{
GZIPInputStream gzip = new GZIPInputStream( request.getInputStream() );
@@ -351,7 +333,6 @@
}
@RequestMapping( value = { MetaDataController.RESOURCE_PATH + ".gz", MetaDataController.RESOURCE_PATH + ".xml.gz" }, method = RequestMethod.DELETE, consumes = { "application/xml", "text/*" } )
- @PreAuthorize( "hasRole('ALL') or hasRole('F_METADATA_IMPORT')" )
public void deleteGZippedXml( ImportOptions importOptions, HttpServletResponse response, HttpServletRequest request ) throws IOException
{
importOptions.setImportStrategy( ImportStrategy.DELETE.name() );
@@ -359,7 +340,6 @@
}
@RequestMapping( value = { MetaDataController.RESOURCE_PATH + ".gz", MetaDataController.RESOURCE_PATH + ".json.gz" }, method = RequestMethod.POST, consumes = "application/json" )
- @PreAuthorize( "hasRole('ALL') or hasRole('F_METADATA_IMPORT')" )
public void importGZippedJson( ImportOptions importOptions, HttpServletResponse response, HttpServletRequest request ) throws IOException
{
GZIPInputStream gzip = new GZIPInputStream( request.getInputStream() );
@@ -376,7 +356,6 @@
}
@RequestMapping( value = { MetaDataController.RESOURCE_PATH + ".gz", MetaDataController.RESOURCE_PATH + ".json.gz" }, method = RequestMethod.DELETE, consumes = "application/json" )
- @PreAuthorize( "hasRole('ALL') or hasRole('F_METADATA_IMPORT')" )
public void deleteGZippedJson( ImportOptions importOptions, HttpServletResponse response, HttpServletRequest request ) throws IOException
{
importOptions.setImportStrategy( ImportStrategy.DELETE.name() );