protected void checkDeletePrivileges(User user, String workspaceId) { if (user != null && user.getUserType() == UserType.SYSTEM) { return; } if (user == null) { throw new VisalloAccessDeniedException("You must provide a valid user to perform this action", null, null); } if (workspaceId == null) { throw new VisalloAccessDeniedException("User does not have access to delete published ontology items", user, null); } else if (!getPrivilegeRepository().hasPrivilege(user, Privilege.ADMIN)) { throw new VisalloAccessDeniedException("User does not have admin privilege", user, null); } }
public String getWorkspaceIdOrNullIfPublish( String workspaceId, boolean shouldPublish, User user ) { if (shouldPublish) { if (privilegeRepository.hasPrivilege(user, Privilege.PUBLISH)) { workspaceId = null; } else { throw new VisalloAccessDeniedException( "The publish parameter was sent in the request, but the user does not have publish privilege.", user, "publish" ); } } else if (workspaceId == null) { throw new VisalloException("workspaceId parameter required"); } return workspaceId; }
@Override public void deleteSearch(final String id, User user) { checkNotNull(user, "User is required"); Authorizations authorizations = authorizationRepository.getGraphAuthorizations( user, VISIBILITY_STRING, UserRepository.VISIBILITY_STRING ); Vertex searchVertex = graph.getVertex(id, authorizations); checkNotNull(searchVertex, "Could not find search with id " + id); if (isSearchGlobal(id, authorizations)) { if (!privilegeRepository.hasPrivilege(user, Privilege.SEARCH_SAVE_GLOBAL)) { throw new VisalloAccessDeniedException( "User does not have the privilege to delete a global search", user, id); } } else if (!isSearchPrivateToUser(id, user, authorizations)) { throw new VisalloAccessDeniedException("User does not own this this search", user, id); } graph.deleteVertex(searchVertex, authorizations); graph.flush(); }
@Override public void handle(HttpServletRequest request, HttpServletResponse response, HandlerChain chain) throws Exception { User user = VisalloBaseParameterProvider.getUser(request, userRepository); if (!privilegeRepository.hasAllPrivileges(user, requiredPrivileges)) { throw new VisalloAccessDeniedException( "You do not have the required privileges: " + Privilege.toString(requiredPrivileges), user, "privileges" ); } chain.next(request, response); } }
private void checkCanDeleteProperty( Element element, OntologyElement ontologyElement, String propertyKey, String propertyName, Ontology ontology, Set<String> privileges, User user, String workspaceId ) throws VisalloAccessDeniedException { boolean canDelete = internalCanDeleteProperty(element, ontologyElement, propertyKey, propertyName, ontology, privileges, user, workspaceId); if (!canDelete) { throw new VisalloAccessDeniedException(propertyName + " cannot be deleted due to ACL restriction", user, element.getId()); } }
@Override public Iterable<Workspace> findAll(User user) { if (!user.equals(userRepository.getSystemUser())) { throw new VisalloAccessDeniedException("Only system user can access all workspaces", user, null); } Authorizations authorizations = getAuthorizationRepository().getGraphAuthorizations( user, VISIBILITY_STRING, UserRepository.VISIBILITY_STRING ); QueryResultsIterable<Vertex> workspaceVertices = getGraph().query(authorizations) .has(VisalloProperties.CONCEPT_TYPE.getPropertyName(), Compare.EQUAL, WORKSPACE_CONCEPT_IRI) .vertices(); return stream(workspaceVertices) .map((Vertex workspaceVertex) -> { String cacheKey = getUserWorkspaceVertexCacheKey(workspaceVertex.getId(), user); userWorkspaceVertexCache.put(cacheKey, workspaceVertex); return new VertexiumWorkspace(workspaceVertex); }) .collect(Collectors.toList()); }
private void checkCanDeleteProperty( ClientApiElement clientApiElement, OntologyElement ontologyElement, String propertyKey, String propertyName, Ontology ontology, Set<String> privileges, User user, String workspaceId ) throws VisalloAccessDeniedException { boolean canDelete = internalCanDeleteProperty(clientApiElement, ontologyElement, propertyKey, propertyName, ontology, privileges, user, workspaceId); if (!canDelete) { throw new VisalloAccessDeniedException( propertyName + " cannot be deleted due to ACL restriction", user, clientApiElement.getId()); } }
@Handle public JSONObject handle( @Required(name = "user-name") String userName, @Required(name = "auth") String auth, User authUser ) throws Exception { User user = userRepository.findByUsername(userName); if (user == null) { throw new VisalloResourceNotFoundException("User " + userName + " not found"); } if (!(authorizationRepository instanceof UpdatableAuthorizationRepository)) { throw new VisalloAccessDeniedException("Authorization repository does not support updating", authUser, userName); } for (String authStr : auth.split(SEPARATOR)) { ((UpdatableAuthorizationRepository) authorizationRepository).addAuthorization(user, authStr, authUser); } return userRepository.toJsonWithAuths(user); } }
@Handle public ClientApiSuccess handle( @Required(name = "notificationIds[]") String[] notificationIds, User user ) throws Exception { for (String notificationId : notificationIds) { UserNotification notification = userNotificationRepository.getNotification(notificationId, user); if (notification == null) { throw new VisalloResourceNotFoundException("Could not find notification with id: " + notificationId); } if (!notification.getUserId().equals(user.getUserId())) { throw new VisalloAccessDeniedException( "Cannot mark notification read that do not belong to you", user, notificationId ); } } userNotificationRepository.markRead(notificationIds, user); return VisalloResponse.SUCCESS; } }
@Handle public JSONObject handle( @Required(name = "user-name") String userName, @Required(name = "auth") String auth, User authUser ) throws Exception { User user = userRepository.findByUsername(userName); if (user == null) { throw new VisalloResourceNotFoundException("Could not find user: " + userName); } if (!(authorizationRepository instanceof UpdatableAuthorizationRepository)) { throw new VisalloAccessDeniedException("Authorization repository does not support updating", authUser, userName); } ((UpdatableAuthorizationRepository) authorizationRepository).removeAuthorization(user, auth, authUser); return userRepository.toJsonWithAuths(user); } }
private void checkCanAddOrUpdateProperty( ClientApiElement clientApiElement, OntologyElement ontologyElement, Ontology ontology, String propertyKey, String propertyName, User user, String workspaceId ) throws VisalloAccessDeniedException { Set<String> privileges = privilegeRepository.getPrivileges(user); boolean isUpdate = clientApiElement.getProperty(propertyKey, propertyName) != null; boolean canAddOrUpdate = isUpdate ? internalCanUpdateProperty(clientApiElement, ontologyElement, propertyKey, propertyName, ontology, privileges, user, workspaceId) : internalCanAddProperty(clientApiElement, ontologyElement, propertyKey, propertyName, ontology, privileges, user, workspaceId); if (!canAddOrUpdate) { throw new VisalloAccessDeniedException( propertyName + " cannot be added or updated due to ACL restriction", user, clientApiElement.getId()); } }
private void checkCanAddOrUpdateProperty( Element element, OntologyElement ontologyElement, String propertyKey, String propertyName, Ontology ontology, Set<String> privileges, User user, String workspaceId ) throws VisalloAccessDeniedException { boolean isUpdate = element.getProperty(propertyKey, propertyName) != null; boolean canAddOrUpdate = isUpdate ? internalCanUpdateProperty(element, ontologyElement, propertyKey, propertyName, ontology, privileges, user, workspaceId) : internalCanAddProperty(element, ontologyElement, propertyKey, propertyName, ontology, privileges, user, workspaceId); if (!canAddOrUpdate) { throw new VisalloAccessDeniedException( propertyName + " cannot be added or updated due to ACL restriction", user, element.getId()); } }
@Override public List<WorkspaceEntity> findEntities(final Workspace workspace, final boolean fetchVertices, final User user) { if (!hasReadPermissions(workspace.getWorkspaceId(), user)) { throw new VisalloAccessDeniedException( "user " + user.getUserId() + " does not have read access to workspace " + workspace.getWorkspaceId(), user, workspace.getWorkspaceId() ); } return lockRepository.lock( getLockName(workspace), () -> findEntitiesNoLock(workspace, false, fetchVertices, user) ); }
@Handle public ClientApiWorkspace handle( @Required(name = "workspaceId") String workspaceId, User user, Authorizations authorizations ) throws Exception { LOGGER.info("Attempting to retrieve workspace: %s", workspaceId); try { final Workspace workspace = workspaceRepository.findById(workspaceId, user); if (workspace == null) { throw new VisalloResourceNotFoundException("Could not find workspace: " + workspaceId); } else { LOGGER.debug("Successfully found workspace"); return workspaceRepository.toClientApi(workspace, user, authorizations); } } catch (SecurityVertexiumException ex) { throw new VisalloAccessDeniedException("Could not get workspace " + workspaceId, user, workspaceId); } } }
@Override public DashboardItem findDashboardItemById(String workspaceId, String dashboardItemId, User user) { LOGGER.debug("findDashboardItemById(dashboardItemId: %s, userId: %s)", dashboardItemId, user.getUserId()); Authorizations authorizations = getAuthorizationRepository().getGraphAuthorizations( user, VISIBILITY_STRING, workspaceId ); Vertex dashboardItemVertex = getGraph().getVertex(dashboardItemId, authorizations); if (dashboardItemVertex == null) { return null; } if (!hasReadPermissions(workspaceId, user)) { throw new VisalloAccessDeniedException( "user " + user.getUserId() + " does not have read access to workspace " + workspaceId, user, workspaceId ); } return dashboardItemVertexToDashboardItem(dashboardItemVertex); }
@Override public Dashboard findDashboardById(String workspaceId, String dashboardId, User user) { LOGGER.debug("findDashboardById(dashboardId: %s, userId: %s)", dashboardId, user.getUserId()); Authorizations authorizations = getAuthorizationRepository().getGraphAuthorizations( user, VISIBILITY_STRING, workspaceId ); Vertex dashboardVertex = getGraph().getVertex(dashboardId, authorizations); if (dashboardVertex == null) { return null; } if (!hasReadPermissions(workspaceId, user)) { throw new VisalloAccessDeniedException( "user " + user.getUserId() + " does not have read access to workspace " + workspaceId, user, workspaceId ); } return dashboardVertexToDashboard(workspaceId, dashboardVertex, authorizations); }
@Override public void deleteDashboardItem(String workspaceId, String dashboardItemId, User user) { LOGGER.debug("deleteDashboardItem(dashboardItemId: %s, userId: %s)", dashboardItemId, user.getUserId()); if (!hasWritePermissions(workspaceId, user)) { throw new VisalloAccessDeniedException( "user " + user.getUserId() + " does not have write access to workspace " + workspaceId, user, workspaceId ); } Authorizations authorizations = getAuthorizationRepository().getGraphAuthorizations( user, VISIBILITY_STRING, workspaceId ); getGraph().softDeleteVertex(dashboardItemId, authorizations); getGraph().flush(); }
@Handle public ClientApiSuccess handle( @Required(name = "edgeId") String edgeId, @ActiveWorkspaceId String workspaceId, User user, Authorizations authorizations ) throws Exception { Edge edge = graph.getEdge(edgeId, authorizations); if (!aclProvider.canDeleteElement(edge, user, workspaceId)) { throw new VisalloAccessDeniedException("Edge " + edgeId + " is not deleteable", user, edge.getId()); } Vertex outVertex = edge.getVertex(Direction.OUT, authorizations); Vertex inVertex = edge.getVertex(Direction.IN, authorizations); SandboxStatus sandboxStatus = SandboxStatusUtil.getSandboxStatus(edge, workspaceId); boolean isPublicEdge = sandboxStatus == SandboxStatus.PUBLIC; workspaceHelper.deleteEdge(workspaceId, edge, outVertex, inVertex, isPublicEdge, Priority.HIGH, authorizations, user); return VisalloResponse.SUCCESS; } }
@Override public void setTitle(Workspace workspace, String title, User user) { if (!hasWritePermissions(workspace.getWorkspaceId(), user)) { throw new VisalloAccessDeniedException( "user " + user.getUserId() + " does not have write access to workspace " + workspace.getWorkspaceId(), user, workspace.getWorkspaceId() ); } Authorizations authorizations = getAuthorizationRepository().getGraphAuthorizations(user); Vertex workspaceVertex = getVertexFromWorkspace(workspace, false, authorizations); WorkspaceProperties.TITLE.setProperty(workspaceVertex, title, VISIBILITY.getVisibility(), authorizations); getGraph().flush(); }
@Override @Traced public ClientApiWorkspaceDiff getDiff( Workspace workspace, User user, FormulaEvaluator.UserContext userContext ) { if (!hasReadPermissions(workspace.getWorkspaceId(), user)) { throw new VisalloAccessDeniedException( "user " + user.getUserId() + " does not have read access to workspace " + workspace.getWorkspaceId(), user, workspace.getWorkspaceId() ); } return lockRepository.lock(getLockName(workspace), () -> { List<WorkspaceEntity> workspaceEntities = findEntitiesNoLock(workspace, true, true, user); Iterable<Edge> workspaceEdges = findModifiedEdges(workspace, workspaceEntities, true, user); return workspaceDiff.diff(workspace, workspaceEntities, workspaceEdges, userContext, user); }); }