Closes #245: admin group undeletable + admin can see all

2025-12-15 02:36:24 +00:00 · 2018-10-18 18:57:06 +02:00
parent 58af2b00cb
commit 0c257b763d
10 changed files with 67 additions and 28 deletions
--- a/docs-core/src/main/java/com/sismics/docs/core/dao/AclDao.java
+++ b/docs-core/src/main/java/com/sismics/docs/core/dao/AclDao.java
@@ -7,6 +7,7 @@ import com.sismics.docs.core.constant.PermType;
 import com.sismics.docs.core.dao.dto.AclDto;
 import com.sismics.docs.core.model.jpa.Acl;
 import com.sismics.docs.core.util.AuditLogUtil;
+import com.sismics.docs.core.util.SecurityUtil;
 import com.sismics.util.context.ThreadLocalContext;

 import javax.persistence.EntityManager;
@@ -124,6 +125,10 @@ public class AclDao {
     * @return True if the document is accessible
     */
    public boolean checkPermission(String sourceId, PermType perm, List<String> targetIdList) {
+        if (SecurityUtil.skipAclCheck(targetIdList)) {
+            return true;
+        }
+
        EntityManager em = ThreadLocalContext.get().getEntityManager();
        StringBuilder sb = new StringBuilder("select a.ACL_ID_C from T_ACL a ");
        sb.append(" where a.ACL_TARGETID_C in (:targetIdList) and a.ACL_SOURCEID_C = :sourceId and a.ACL_PERM_C = :perm and a.ACL_DELETEDATE_D is null ");
--- a/docs-core/src/main/java/com/sismics/docs/core/dao/TagDao.java
+++ b/docs-core/src/main/java/com/sismics/docs/core/dao/TagDao.java
@@ -7,6 +7,7 @@ import com.sismics.docs.core.dao.dto.TagDto;
 import com.sismics.docs.core.model.jpa.DocumentTag;
 import com.sismics.docs.core.model.jpa.Tag;
 import com.sismics.docs.core.util.AuditLogUtil;
+import com.sismics.docs.core.util.SecurityUtil;
 import com.sismics.docs.core.util.jpa.QueryParam;
 import com.sismics.docs.core.util.jpa.QueryUtil;
 import com.sismics.docs.core.util.jpa.SortCriteria;
@@ -185,7 +186,7 @@ public class TagDao {
            criteriaList.add("t.TAG_ID_C = :id");
            parameterMap.put("id", criteria.getId());
        }
-        if (criteria.getTargetIdList() != null) {
+        if (criteria.getTargetIdList() != null && !SecurityUtil.skipAclCheck(criteria.getTargetIdList())) {
            sb.append(" left join T_ACL a on a.ACL_TARGETID_C in (:targetIdList) and a.ACL_SOURCEID_C = t.TAG_ID_C and a.ACL_PERM_C = 'READ' and a.ACL_DELETEDATE_D is null ");
            criteriaList.add("a.ACL_ID_C is not null");
            parameterMap.put("targetIdList", criteria.getTargetIdList());
--- a/docs-core/src/main/java/com/sismics/docs/core/util/SecurityUtil.java
+++ b/docs-core/src/main/java/com/sismics/docs/core/util/SecurityUtil.java
@@ -6,6 +6,8 @@ import com.sismics.docs.core.dao.UserDao;
 import com.sismics.docs.core.model.jpa.Group;
 import com.sismics.docs.core.model.jpa.User;

+import java.util.List;
+
 /**
 * Security utilities.
 *
@@ -37,4 +39,14 @@ public class SecurityUtil {

        return null;
    }
+
+    /**
+     * Return true if the ACL targets provided don't need security checks (administrator users).
+     *
+     * @param targetIdList Target ID list
+     * @return True if skip ACL checks
+     */
+    public static boolean skipAclCheck(List<String> targetIdList) {
+        return targetIdList.contains("admin") || targetIdList.contains("administrators");
+    }
 }
--- a/docs-core/src/main/java/com/sismics/docs/core/util/indexing/LuceneIndexingHandler.java
+++ b/docs-core/src/main/java/com/sismics/docs/core/util/indexing/LuceneIndexingHandler.java
@@ -12,6 +12,7 @@ import com.sismics.docs.core.model.jpa.Config;
 import com.sismics.docs.core.model.jpa.Document;
 import com.sismics.docs.core.model.jpa.File;
 import com.sismics.docs.core.util.DirectoryUtil;
+import com.sismics.docs.core.util.SecurityUtil;
 import com.sismics.docs.core.util.jpa.PaginatedList;
 import com.sismics.docs.core.util.jpa.PaginatedLists;
 import com.sismics.docs.core.util.jpa.QueryParam;
@@ -229,11 +230,13 @@ public class LuceneIndexingHandler implements IndexingHandler {

        // Add search criterias
        if (criteria.getTargetIdList() != null) {
-            // Read permission is enough for searching
-            sb.append(" left join T_ACL a on a.ACL_TARGETID_C in (:targetIdList) and a.ACL_SOURCEID_C = d.DOC_ID_C and a.ACL_PERM_C = 'READ' and a.ACL_DELETEDATE_D is null ");
-            sb.append(" left join T_DOCUMENT_TAG dta on dta.DOT_IDDOCUMENT_C = d.DOC_ID_C and dta.DOT_DELETEDATE_D is null ");
-            sb.append(" left join T_ACL a2 on a2.ACL_TARGETID_C in (:targetIdList) and a2.ACL_SOURCEID_C = dta.DOT_IDTAG_C and a2.ACL_PERM_C = 'READ' and a2.ACL_DELETEDATE_D is null ");
-            criteriaList.add("(a.ACL_ID_C is not null or a2.ACL_ID_C is not null)");
+            if (!SecurityUtil.skipAclCheck(criteria.getTargetIdList())) {
+                // Read permission is enough for searching
+                sb.append(" left join T_ACL a on a.ACL_TARGETID_C in (:targetIdList) and a.ACL_SOURCEID_C = d.DOC_ID_C and a.ACL_PERM_C = 'READ' and a.ACL_DELETEDATE_D is null ");
+                sb.append(" left join T_DOCUMENT_TAG dta on dta.DOT_IDDOCUMENT_C = d.DOC_ID_C and dta.DOT_DELETEDATE_D is null ");
+                sb.append(" left join T_ACL a2 on a2.ACL_TARGETID_C in (:targetIdList) and a2.ACL_SOURCEID_C = dta.DOT_IDTAG_C and a2.ACL_PERM_C = 'READ' and a2.ACL_DELETEDATE_D is null ");
+                criteriaList.add("(a.ACL_ID_C is not null or a2.ACL_ID_C is not null)");
+            }
            parameterMap.put("targetIdList", criteria.getTargetIdList());
        }
        if (!Strings.isNullOrEmpty(criteria.getSearch()) || !Strings.isNullOrEmpty(criteria.getFullSearch())) {