/**
 * Tells whether the current user may delete instances of the given meta-class.
 *
 * @param metaClass meta-class of the entity that is about to be removed
 * @return {@code true} if the {@link EntityOp#DELETE} operation is permitted for it
 */
private boolean removePermitted(MetaClass metaClass) {
    EntityOp operation = EntityOp.DELETE;
    return entityOpPermitted(metaClass, operation);
}
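/**
 * Checks whether the current user is permitted to remove every entity in the
 * given collection.
 *
 * @param removeInstances entities to remove; every element is expected to be an
 *                        {@link Entity}
 * @return {@code true} if the user may remove all of the requested entities,
 *         {@code false} as soon as one of them is not removable by this user
 * @throws ClassCastException if an element is not an {@link Entity}
 */
private boolean removePermitted(Collection<?> removeInstances) {
    // Wildcard instead of a raw Collection: callers pass untyped lists, so nothing
    // is gained by a narrower element type, but the raw form hides the cast below.
    for (Object removeInstance : removeInstances) {
        Entity entity = (Entity) removeInstance;
        if (!removePermitted(entity.getMetaClass())) {
            return false;
        }
    }
    return true;
}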
if (!connect(sessionId, response)) return; assignUuidToNewInstances(commitInstances, newInstanceIds); && !isNewInstance(newInstanceIds, commitInstance) && !PersistenceHelper.isDetached(commitInstance)) { PersistenceHelper.makePatch((BaseGenericIdEntity) commitInstance); if (!commitPermitted(commitInstances, newInstanceIds)) { response.sendError(HttpServletResponse.SC_FORBIDDEN); return; if (!removePermitted(removeInstances)) { response.sendError(HttpServletResponse.SC_FORBIDDEN); return; Entity e = getEntityById(commitContext.getCommitInstances(), refEntity.getId()); ((AbstractInstance) entity).setValue(property.getName(), e, false); } else if (BaseGenericIdEntity.class.isAssignableFrom(refEntity.getMetaClass().getJavaClass())) { writeResponse(response, converted, converter.getMimeType()); } catch (RowLevelSecurityException e) { response.sendError(HttpServletResponse.SC_FORBIDDEN, "The operation with entity " + e.getEntity() + " is denied"); } catch (Throwable e) { sendError(request, response, e); } finally { authentication.end();
HttpServletResponse response) throws IOException, InvocationTargetException, NoSuchMethodException, IllegalAccessException { if (!connect(sessionId, response)) return; if (!entityOpPermitted(metaClass, EntityOp.READ)) { response.sendError(HttpServletResponse.SC_FORBIDDEN); return; Object parsedParam = parseQueryParameter(paramKey, paramValue, queryParams); query.setParameter(paramKey, parsedParam); Converter converter = conversionFactory.getConverter(type); String result = converter.process(entities, metaClass, loadCtx.getView()); writeResponse(response, result, converter.getMimeType()); } catch (Throwable e) { sendError(request, response, e); } finally { authentication.end();
HttpServletResponse response) throws IOException, InvocationTargetException, NoSuchMethodException, IllegalAccessException { if (!connect(sessionId, response)) return; if (!readPermitted(metaClass)) { response.sendError(HttpServletResponse.SC_FORBIDDEN); return; Converter converter = conversionFactory.getConverter(type); String result = converter.process(entity, metaClass, loadCtx.getView()); writeResponse(response, result, converter.getMimeType()); sendError(request, response, e); } finally { authentication.end();
HttpServletRequest request, HttpServletResponse response) throws IOException { if (!connect(sessionId, response)) return; writeResponse(response, converted, converter.getMimeType()); } catch (Throwable e) { sendError(request, response, e); } finally { authentication.end();
if (!entityOpPermitted(metaClass, EntityOp.READ)) { response.sendError(HttpServletResponse.SC_FORBIDDEN); return; writeResponse(response, result, converter.getMimeType()); } catch (RowLevelSecurityException e) { response.sendError(HttpServletResponse.SC_FORBIDDEN, "The operation with entity " + e.getEntity() + " is denied"); } catch (Throwable e) { sendError(request, response, e); } finally { authentication.end();
/**
 * Deploys view definitions sent in the request body into the view repository.
 *
 * @param sessionId      the {@code s} request parameter used to establish the session
 * @param requestContent raw request body holding the view definitions
 * @param request        current servlet request (used for error reporting)
 * @param response       servlet response
 * @throws IOException if writing the response fails
 */
@RequestMapping(value = "/api/deployViews", method = RequestMethod.POST)
public void deployViews(@RequestParam(value = "s") String sessionId,
                        @RequestBody String requestContent,
                        HttpServletRequest request,
                        HttpServletResponse response)
        throws IOException, InvocationTargetException, NoSuchMethodException, IllegalAccessException {
    // connect() is presumed to have reported a failed session itself — nothing else to send here.
    if (!connect(sessionId, response)) {
        return;
    }
    // NOTE(review): the session check above is the only gate on this endpoint; whether view
    // deployment should also require a dedicated permission is not visible from this method — confirm.
    try {
        // The repository interface has no deploy method; the cast to the abstract base is required.
        ((AbstractViewRepository) metadata.getViewRepository())
                .deployViews(new StringReader(requestContent));
    } catch (Throwable e) {
        sendError(request, response, e);
    } finally {
        // presumably pairs with connect() — ends the authentication started for this request
        authentication.end();
    }
}
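/**
 * Checks whether the current user is permitted to commit (create or update)
 * every entity in the given collection.
 *
 * @param commitInstances entities to commit; every element is expected to be an {@link Entity}
 * @param newInstanceIds  identifiers of the entities that are new, in the
 *                        {@code "<metaClassName>-<id>"} form built below
 * @return {@code true} if the user may commit all of the requested entities,
 *         {@code false} as soon as one of them requires an operation the user lacks
 * @throws ClassCastException if an element of {@code commitInstances} is not an {@link Entity}
 */
private boolean commitPermitted(Collection<?> commitInstances, Collection<?> newInstanceIds) {
    for (Object commitInstance : commitInstances) {
        Entity entity = (Entity) commitInstance;
        MetaClass metaClass = entity.getMetaClass();
        // The caller marks new instances with "<metaClassName>-<id>" keys, so the same key is
        // rebuilt here to decide between the CREATE and UPDATE permission.
        String fullId = metaClass.getName() + "-" + entity.getId();
        boolean isNew = newInstanceIds.contains(fullId);
        boolean permitted = isNew ? createPermitted(metaClass) : updatePermitted(metaClass);
        if (!permitted) {
            return false;
        }
    }
    return true;
}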
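/**
 * Invokes a middleware service method described by the request body and writes
 * the converted result to the response.
 *
 * @param sessionId      the {@code s} request parameter used to establish the session
 * @param contentType    {@code Content-Type} header selecting the converter for body and result
 * @param requestContent raw request body describing the service call
 * @param request        current servlet request (used for error reporting)
 * @param response       servlet response
 * @throws IOException   if writing the response fails
 * @throws JSONException if the converter fails to parse or produce JSON
 */
@RequestMapping(value = "/api/service", method = RequestMethod.POST)
public void serviceByPost(@RequestParam(value = "s") String sessionId,
                          @RequestHeader(value = "Content-Type") MimeType contentType,
                          @RequestBody String requestContent,
                          HttpServletRequest request,
                          HttpServletResponse response) throws IOException, JSONException {
    // connect() is presumed to have reported a failed session itself — nothing else to send here.
    if (!connect(sessionId, response)) {
        return;
    }
    try {
        Converter converter = conversionFactory.getConverter(contentType);
        ServiceRequest serviceRequest = converter.parseServiceRequest(requestContent);
        // Service and method names come straight from the client; the permission check
        // must happen before anything is invoked.
        if (!restServicePermissions.isPermitted(serviceRequest.getServiceName(),
                serviceRequest.getMethodName())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        Object result = serviceRequest.invokeMethod();
        String converted = converter.processServiceMethodResult(result,
                serviceRequest.getMethodReturnType());
        writeResponse(response, converted, converter.getMimeType());
    } catch (RestServiceException e) {
        // NOTE(review): the exception message is returned to the client verbatim; confirm it
        // never carries internal details that should stay server-side.
        response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
        // Log the path only: the query string carries the "s" session id, which must not be
        // written to the log.
        log.error("Error processing request: " + request.getRequestURI(), e);
    } catch (Throwable e) {
        sendError(request, response, e);
    } finally {
        // presumably pairs with connect() — ends the authentication started for this request
        authentication.end();
    }
}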
/**
 * Writes an HTML description of the domain model to the response.
 *
 * @param sessionId the {@code s} request parameter used to establish the session
 * @param request   current servlet request (used for error reporting)
 * @param response  servlet response that receives the UTF-8 encoded HTML
 * @throws IOException if writing the response fails
 */
@RequestMapping(value = "/api/printDomain", method = RequestMethod.GET)
public void printDomain(@RequestParam(value = "s") String sessionId,
                        HttpServletRequest request,
                        HttpServletResponse response)
        throws IOException, InvocationTargetException, NoSuchMethodException,
        IllegalAccessException, TemplateException {
    // connect() is presumed to have reported a failed session itself — nothing else to send here.
    if (!connect(sessionId, response)) {
        return;
    }
    try {
        String html = domainDescriptionService.getDomainDescription();
        // Content type and charset are set explicitly before the locale so the locale
        // cannot override the UTF-8 encoding.
        response.setContentType("text/html");
        response.setCharacterEncoding(StandardCharsets.UTF_8.name());
        response.setLocale(userSessionSource.getLocale());
        PrintWriter out = response.getWriter();
        out.write(html);
    } catch (Throwable e) {
        sendError(request, response, e);
    } finally {
        // presumably pairs with connect() — ends the authentication started for this request
        authentication.end();
    }
}
/**
 * Tells whether the current user may create instances of the given meta-class.
 *
 * @param metaClass meta-class of the entity that is about to be created
 * @return {@code true} if the {@link EntityOp#CREATE} operation is permitted for it
 */
private boolean createPermitted(MetaClass metaClass) {
    EntityOp operation = EntityOp.CREATE;
    return entityOpPermitted(metaClass, operation);
}
/**
 * Tells whether the current user may read instances of the given meta-class.
 *
 * @param metaClass meta-class of the entity that is about to be read
 * @return {@code true} if the {@link EntityOp#READ} operation is permitted for it
 */
private boolean readPermitted(MetaClass metaClass) {
    EntityOp operation = EntityOp.READ;
    return entityOpPermitted(metaClass, operation);
}
/**
 * Tells whether the current user may update instances of the given meta-class.
 *
 * @param metaClass meta-class of the entity that is about to be updated
 * @return {@code true} if the {@link EntityOp#UPDATE} operation is permitted for it
 */
private boolean updatePermitted(MetaClass metaClass) {
    EntityOp operation = EntityOp.UPDATE;
    return entityOpPermitted(metaClass, operation);
}