#18: ACL check for groups

2025-12-13 17:56:20 +00:00 · 2016-03-15 22:44:50 +01:00
parent 6012cdd9a5
commit de3f055323
13 changed files with 87 additions and 72 deletions
--- a/docs-web/src/main/java/com/sismics/docs/rest/resource/AclResource.java
+++ b/docs-web/src/main/java/com/sismics/docs/rest/resource/AclResource.java
@@ -14,6 +14,7 @@ import javax.ws.rs.PathParam;
 import javax.ws.rs.QueryParam;
 import javax.ws.rs.core.Response;

+import com.google.common.collect.Lists;
 import com.sismics.docs.core.constant.AclTargetType;
 import com.sismics.docs.core.constant.PermType;
 import com.sismics.docs.core.dao.jpa.AclDao;
@@ -51,6 +52,7 @@ public class AclResource extends BaseResource {
            throw new ForbiddenClientException();
        }
        
+        // TODO Allow group input
        // Validate input
        ValidationUtil.validateRequired(sourceId, "source");
        PermType perm = PermType.valueOf(ValidationUtil.validateLength(permStr, "perm", 1, 30, false));
@@ -65,7 +67,7 @@ public class AclResource extends BaseResource {
        
        // Check permission on the source by the principal
        AclDao aclDao = new AclDao();
-        if (!aclDao.checkPermission(sourceId, PermType.WRITE, principal.getId())) {
+        if (!aclDao.checkPermission(sourceId, PermType.WRITE, getTargetIdList(null))) {
            throw new ForbiddenClientException();
        }
        
@@ -76,7 +78,7 @@ public class AclResource extends BaseResource {
        acl.setTargetId(user.getId());
        
        // Avoid duplicates
-        if (!aclDao.checkPermission(acl.getSourceId(), acl.getPerm(), acl.getTargetId())) {
+        if (!aclDao.checkPermission(acl.getSourceId(), acl.getPerm(), Lists.newArrayList(acl.getTargetId()))) {
            aclDao.create(acl, principal.getId());
            
            // Returns the ACL
@@ -114,7 +116,7 @@ public class AclResource extends BaseResource {

        // Check permission on the source by the principal
        AclDao aclDao = new AclDao();
-        if (!aclDao.checkPermission(sourceId, PermType.WRITE, principal.getId())) {
+        if (!aclDao.checkPermission(sourceId, PermType.WRITE, getTargetIdList(null))) {
            throw new ForbiddenClientException();
        }
        
@@ -163,6 +165,8 @@ public class AclResource extends BaseResource {
                    .add("username", userDto.getUsername()));
        }
        
+        // TODO Returns groups too
+        
        JsonObjectBuilder response = Json.createObjectBuilder()
                .add("users", users);
        return Response.ok().entity(response.build()).build();
--- a/docs-web/src/main/java/com/sismics/docs/rest/resource/AuditLogResource.java
+++ b/docs-web/src/main/java/com/sismics/docs/rest/resource/AuditLogResource.java
@@ -49,7 +49,7 @@ public class AuditLogResource extends BaseResource {
        } else {
            // Check ACL on the document
            AclDao aclDao = new AclDao();
-            if (!aclDao.checkPermission(documentId, PermType.READ, principal.getId())) {
+            if (!aclDao.checkPermission(documentId, PermType.READ, getTargetIdList(null))) {
                return Response.status(Status.NOT_FOUND).build();
            }
            criteria.setDocumentId(documentId);
--- a/docs-web/src/main/java/com/sismics/docs/rest/resource/BaseResource.java
+++ b/docs-web/src/main/java/com/sismics/docs/rest/resource/BaseResource.java
@@ -1,12 +1,14 @@
 package com.sismics.docs.rest.resource;

 import java.security.Principal;
+import java.util.List;
 import java.util.Set;

 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.QueryParam;
 import javax.ws.rs.core.Context;

+import com.google.common.collect.Lists;
 import com.sismics.docs.rest.constant.BaseFunction;
 import com.sismics.rest.exception.ForbiddenClientException;
 import com.sismics.security.IPrincipal;
@@ -77,4 +79,21 @@ public abstract class BaseResource {
        Set<String> baseFunctionSet = ((UserPrincipal) principal).getBaseFunctionSet();
        return baseFunctionSet != null && baseFunctionSet.contains(baseFunction.name());
    }
+    
+    /**
+     * Returns a list of ACL target ID.
+     * 
+     * @param shareId Share ID (optional)
+     * @return List of ACL target ID
+     */
+    protected List<String> getTargetIdList(String shareId) {
+        List<String> targetIdList = Lists.newArrayList(principal.getGroupIdList());
+        if (principal.getId() != null) {
+            targetIdList.add(principal.getId());
+        }
+        if (shareId != null) {
+            targetIdList.add(shareId);
+        }
+        return targetIdList;
+    }
 }
--- a/docs-web/src/main/java/com/sismics/docs/rest/resource/CommentResource.java
+++ b/docs-web/src/main/java/com/sismics/docs/rest/resource/CommentResource.java
@@ -51,7 +51,7 @@ public class CommentResource extends BaseResource {
        
        // Read access on doc gives access to write comments 
        DocumentDao documentDao = new DocumentDao();
-        if (documentDao.getDocument(documentId, PermType.READ, principal.getId()) == null) {
+        if (documentDao.getDocument(documentId, PermType.READ, getTargetIdList(null)) == null) {
            return Response.status(Status.NOT_FOUND).build();
        }
        
@@ -97,7 +97,7 @@ public class CommentResource extends BaseResource {
        if (!comment.getUserId().equals(principal.getId())) {
            // Get the associated document
            DocumentDao documentDao = new DocumentDao();
-            if (documentDao.getDocument(comment.getDocumentId(), PermType.WRITE, principal.getId()) == null) {
+            if (documentDao.getDocument(comment.getDocumentId(), PermType.WRITE, getTargetIdList(null)) == null) {
                return Response.status(Status.NOT_FOUND).build();
            }
        }
@@ -125,7 +125,7 @@ public class CommentResource extends BaseResource {
        
        // Read access on doc gives access to read comments 
        DocumentDao documentDao = new DocumentDao();
-        if (documentDao.getDocument(documentId, PermType.READ, shareId == null ? principal.getId() : shareId) == null) {
+        if (documentDao.getDocument(documentId, PermType.READ, getTargetIdList(shareId)) == null) {
            return Response.status(Status.NOT_FOUND).build();
        }
        
--- a/docs-web/src/main/java/com/sismics/docs/rest/resource/DocumentResource.java
+++ b/docs-web/src/main/java/com/sismics/docs/rest/resource/DocumentResource.java
@@ -94,7 +94,7 @@ public class DocumentResource extends BaseResource {
        
        DocumentDao documentDao = new DocumentDao();
        AclDao aclDao = new AclDao();
-        DocumentDto documentDto = documentDao.getDocument(documentId, PermType.READ, shareId == null ? principal.getId() : shareId);
+        DocumentDto documentDto = documentDao.getDocument(documentId, PermType.READ, getTargetIdList(shareId));
        if (documentDto == null) {
            return Response.status(Status.NOT_FOUND).build();
        }
@@ -148,7 +148,8 @@ public class DocumentResource extends BaseResource {
                    .add("type", aclDto.getTargetType()));
            
            if (!principal.isAnonymous()
-                    && aclDto.getTargetId().equals(principal.getId())
+                    && (aclDto.getTargetId().equals(principal.getId())
+                            || principal.getGroupIdList().contains(aclDto.getTargetId()))
                    && aclDto.getPerm() == PermType.WRITE) {
                // The document is writable for the current user
                writable = true;
@@ -205,7 +206,7 @@ public class DocumentResource extends BaseResource {
        
        // Get document and check read permission
        DocumentDao documentDao = new DocumentDao();
-        final DocumentDto documentDto = documentDao.getDocument(documentId, PermType.READ, shareId == null ? principal.getId() : shareId);
+        final DocumentDto documentDto = documentDao.getDocument(documentId, PermType.READ, getTargetIdList(shareId));
        if (documentDto == null) {
            return Response.status(Status.NOT_FOUND).build();
        }
@@ -268,7 +269,7 @@ public class DocumentResource extends BaseResource {
        PaginatedList<DocumentDto> paginatedList = PaginatedLists.create(limit, offset);
        SortCriteria sortCriteria = new SortCriteria(sortColumn, asc);
        DocumentCriteria documentCriteria = parseSearchQuery(search);
-        documentCriteria.setUserId(principal.getId());
+        documentCriteria.setTargetIdList(getTargetIdList(null));
        try {
            documentDao.findByCriteria(paginatedList, documentCriteria, sortCriteria);
        } catch (Exception e) {
@@ -564,7 +565,7 @@ public class DocumentResource extends BaseResource {
        
        // Check write permission
        AclDao aclDao = new AclDao();
-        if (!aclDao.checkPermission(id, PermType.WRITE, principal.getId())) {
+        if (!aclDao.checkPermission(id, PermType.WRITE, getTargetIdList(null))) {
            throw new ForbiddenClientException();
        }
        
@@ -676,7 +677,7 @@ public class DocumentResource extends BaseResource {
        // Get the document
        DocumentDao documentDao = new DocumentDao();
        FileDao fileDao = new FileDao();
-        DocumentDto documentDto = documentDao.getDocument(id, PermType.WRITE, principal.getId());
+        DocumentDto documentDto = documentDao.getDocument(id, PermType.WRITE, getTargetIdList(null));
        if (documentDto == null) {
            return Response.status(Status.NOT_FOUND).build();
        }
--- a/docs-web/src/main/java/com/sismics/docs/rest/resource/FileResource.java
+++ b/docs-web/src/main/java/com/sismics/docs/rest/resource/FileResource.java
@@ -98,7 +98,7 @@ public class FileResource extends BaseResource {
            documentId = null;
        } else {
            DocumentDao documentDao = new DocumentDao();
-            documentDto = documentDao.getDocument(documentId, PermType.WRITE, principal.getId());
+            documentDto = documentDao.getDocument(documentId, PermType.WRITE, getTargetIdList(null));
            if (documentDto == null) {
                return Response.status(Status.NOT_FOUND).build();
            }
@@ -213,7 +213,7 @@ public class FileResource extends BaseResource {
        DocumentDao documentDao = new DocumentDao();
        FileDao fileDao = new FileDao();
        File file = fileDao.getFile(id, principal.getId());
-        DocumentDto documentDto = documentDao.getDocument(documentId, PermType.WRITE, principal.getId());
+        DocumentDto documentDto = documentDao.getDocument(documentId, PermType.WRITE, getTargetIdList(null));
        if (file == null || documentDto == null) {
            return Response.status(Status.NOT_FOUND).build();
        }
@@ -276,7 +276,7 @@ public class FileResource extends BaseResource {
        
        // Get the document
        DocumentDao documentDao = new DocumentDao();
-        if (documentDao.getDocument(documentId, PermType.WRITE, principal.getId()) == null) {
+        if (documentDao.getDocument(documentId, PermType.WRITE, getTargetIdList(null)) == null) {
            return Response.status(Status.NOT_FOUND).build();
        }
        
@@ -312,7 +312,7 @@ public class FileResource extends BaseResource {
        // Check document visibility
        if (documentId != null) {
            AclDao aclDao = new AclDao();
-            if (!aclDao.checkPermission(documentId, PermType.READ, shareId == null ? principal.getId() : shareId)) {
+            if (!aclDao.checkPermission(documentId, PermType.READ, getTargetIdList(shareId))) {
                return Response.status(Status.NOT_FOUND).build();
            }
        } else if (!authenticated) {
@@ -370,7 +370,7 @@ public class FileResource extends BaseResource {
                // But not ours
                throw new ForbiddenClientException();
            }
-        } else if ((documentDto = documentDao.getDocument(file.getDocumentId(), PermType.WRITE, principal.getId())) == null) {
+        } else if ((documentDto = documentDao.getDocument(file.getDocumentId(), PermType.WRITE, getTargetIdList(null))) == null) {
            return Response.status(Status.NOT_FOUND).build();
        }
        
@@ -445,7 +445,7 @@ public class FileResource extends BaseResource {
        } else {
            // Check document accessibility
            AclDao aclDao = new AclDao();
-            if (!aclDao.checkPermission(file.getDocumentId(), PermType.READ, shareId == null ? principal.getId() : shareId)) {
+            if (!aclDao.checkPermission(file.getDocumentId(), PermType.READ, getTargetIdList(shareId))) {
                throw new ForbiddenClientException();
            }
        }
@@ -519,7 +519,7 @@ public class FileResource extends BaseResource {
        
        // Get the document
        DocumentDao documentDao = new DocumentDao();
-        DocumentDto documentDto = documentDao.getDocument(documentId, PermType.READ, shareId == null ? principal.getId() : shareId);
+        DocumentDto documentDto = documentDao.getDocument(documentId, PermType.READ, getTargetIdList(shareId));
        if (documentDto == null) {
            return Response.status(Status.NOT_FOUND).build();
        }
--- a/docs-web/src/main/java/com/sismics/docs/rest/resource/ShareResource.java
+++ b/docs-web/src/main/java/com/sismics/docs/rest/resource/ShareResource.java
@@ -53,7 +53,7 @@ public class ShareResource extends BaseResource {

        // Get the document
        DocumentDao documentDao = new DocumentDao();
-        if (documentDao.getDocument(documentId, PermType.WRITE, principal.getId()) == null) {
+        if (documentDao.getDocument(documentId, PermType.WRITE, getTargetIdList(null)) == null) {
            return Response.status(Status.NOT_FOUND).build();
        }
        
@@ -102,7 +102,7 @@ public class ShareResource extends BaseResource {
        }
        
        Acl acl = aclList.get(0);
-        if (!aclDao.checkPermission(acl.getSourceId(), PermType.WRITE, principal.getId())) {
+        if (!aclDao.checkPermission(acl.getSourceId(), PermType.WRITE, getTargetIdList(null))) {
            throw new ClientException("DocumentNotFound", MessageFormat.format("Document not found: {0}", acl.getSourceId()));
        }