gms-ui/src/components/MembersPanel.vue +1 −1 Original line number Diff line number Diff line <template> <b-tab title="Members" v-if="model.permission === 'ADMIN' || model.permission === 'MANAGE_MEMBERS' || model.permission === 'VIEW_MEMBERS'"> <b-tab title="Members" :title-link-class="{ 'd-none': (model.permission === 'TRAVERSE') }"> <div v-if="model.membersPanel !== null"> <b-list-group v-for="member in model.membersPanel.items" id="members-list" v-bind:key="member.memberId"> <b-list-group-item href="#" @click.prevent="openUser(member)"> Loading
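Review bot: The `:title-link-class="{ 'd-none': (model.permission === 'TRAVERSE') }"` binding on the Members tab is a denylist, where the `v-if` line listed the three permissions allowed to see the tab, so any value other than `TRAVERSE` (a missing permission, or one added later) now leaves the tab visible. The page has lost its +/- markers, so this assumes the `d-none` line is the new side. Keeping the allowlist in the class binding fails closed: `:title-link-class="{ 'd-none': !['ADMIN', 'MANAGE_MEMBERS', 'VIEW_MEMBERS'].includes(model.permission) }"`. In both this file and PermissionsPanel.vue, `d-none` hides only the tab's title link, while the pane below is still rendered whenever `model.membersPanel` / `model.permissionsPanel` is non-null. What the user may see therefore has to be decided by what the server puts in the model, not by this class.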
gms-ui/src/components/PermissionsPanel.vue +1 −1 Original line number Diff line number Diff line <template> <b-tab title="Permissions" v-if="model.permission === 'ADMIN'"> <b-tab title="Permissions" :title-link-class="{ 'd-none': (model.permission !== 'ADMIN') }"> <div v-if="model.permissionsPanel !== null"> <table class="table b-table table-striped table-hover"> <thead> Loading
gms/src/main/java/it/inaf/ia2/gms/controller/MembersController.java +2 −25 Original line number Diff line number Diff line Loading @@ -4,7 +4,6 @@ import it.inaf.ia2.gms.manager.MembershipManager; import it.inaf.ia2.gms.manager.PermissionsManager; import it.inaf.ia2.gms.model.request.AddMemberRequest; import it.inaf.ia2.gms.model.response.PaginatedData; import it.inaf.ia2.gms.model.Permission; import it.inaf.ia2.gms.model.RapUser; import it.inaf.ia2.gms.model.request.PaginatedModelRequest; import it.inaf.ia2.gms.model.request.RemoveMemberRequest; Loading Loading @@ -52,16 +51,7 @@ public class MembersController { GroupEntity group = groupsService.getGroupById(request.getGroupId()); membershipManager.addMember(group, request.getUserId()); Permission currentUserPermission = permissionsManager.getCurrentUserPermission(group); if (currentUserPermission == Permission.MANAGE_MEMBERS) { // Automatically assign the VIEW_MEMBERS permission ("Add collaborator" feature) permissionsManager.addPermission(group, request.getUserId(), Permission.VIEW_MEMBERS); } else if (request.getPermission() != null) { // Admin users can specify a permission permissionsManager.addPermission(group, request.getUserId(), request.getPermission()); } return new ResponseEntity<>(getMembersPanel(group, request), HttpStatus.CREATED); } Loading 
@@ -73,20 +63,7 @@ public class MembersController { membershipManager.removeMember(group, request.getUserId()); Permission currentUserPermission = permissionsManager.getCurrentUserPermission(group); // For users having the MANAGE_MEMBERS permission, the VIEW_MEMBERS permission // is automatically assigned when they add a member ("Add collaborator" feature). // We want to keep also the reverse behavior. // If the member permission is not VIEW_MEMBERS that means that it has been // changed by an ADMIN user, so we don't remove it. boolean removeCollaborator = currentUserPermission == Permission.MANAGE_MEMBERS && permissionsManager.getUserPermission(group, request.getUserId()) == Permission.VIEW_MEMBERS; // ADMIN users can choose if delete also the permission or not. boolean adminRemovePermission = currentUserPermission == Permission.ADMIN && request.isRemoveAlsoPermission(); if (removeCollaborator || adminRemovePermission) { if (request.isRemoveAlsoPermission()) { permissionsManager.removePermission(group, request.getUserId()); } Loading
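Review bot: In both handlers the membership change is made before the permission call that can now refuse. Assuming the surviving call in the add handler is the unconditional `permissionsManager.addPermission(group, request.getUserId(), request.getPermission())`, `membershipManager.addMember(...)` has already run when `addPermission` throws for a MANAGE_MEMBERS caller asking for anything other than VIEW_MEMBERS, so the member stays added without a permission unless the method is transactional, which is not visible here. In the remove handler the collaborator's VIEW_MEMBERS grant is now dropped only when `request.isRemoveAlsoPermission()` is true, where the removed `removeCollaborator` branch did it for MANAGE_MEMBERS callers regardless of the flag; a client that omits the flag leaves a permission behind for a user who is no longer a member. Either run the permission check before the membership change, or document the new contract above the `if`, e.g. `// MANAGE_MEMBERS callers must send removeAlsoPermission=true, otherwise the VIEW_MEMBERS grant outlives the membership`. Both method bodies start outside the hunks shown.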
gms/src/main/java/it/inaf/ia2/gms/manager/PermissionsManager.java +47 −12 Original line number Diff line number Diff line Loading @@ -15,6 +15,7 @@ import java.util.List; import java.util.Map; import java.util.Set; import java.util.function.Function; import java.util.function.Supplier; import java.util.stream.Collectors; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; Loading Loading @@ -72,16 +73,19 @@ public class PermissionsManager extends UserAwareComponent { return null; } public Permission getUserPermission(GroupEntity group, String userId) { verifyUserCanManagePermissions(group); List<PermissionEntity> permissions = permissionsService.findUserPermissions(group, userId); return PermissionUtils.getGroupPermission(group, permissions).orElse(null); } public PermissionEntity addPermission(GroupEntity group, String userId, Permission permission) { verifyUserCanManagePermissions(group); Permission currentUserPermission = getCurrentUserPermission(group); if (currentUserPermission == Permission.MANAGE_MEMBERS && permission == Permission.VIEW_MEMBERS) { // Automatically assign the VIEW_MEMBERS permission ("Add collaborator" feature) return permissionsService.addPermission(group, userId, Permission.VIEW_MEMBERS); } else if (currentUserPermission == Permission.ADMIN) { // Admin users can specify a permission return permissionsService.addPermission(group, userId, permission); } throw unauthorizedExceptionSupplier(group).get(); } public PermissionEntity updatePermission(GroupEntity group, String userId, Permission permission) { verifyUserCanManagePermissions(group); Loading 
@@ -89,16 +93,47 @@ public class PermissionsManager extends UserAwareComponent { } public void removePermission(GroupEntity group, String userId) { verifyUserCanManagePermissions(group); Permission currentUserPermission = getCurrentUserPermission(group); // For users having the MANAGE_MEMBERS permission, the VIEW_MEMBERS permission // is automatically assigned when they add a member ("Add collaborator" feature). // We want to keep also the reverse behavior. if (currentUserPermission == Permission.MANAGE_MEMBERS) { if (getUserPermission(group, userId, false) == Permission.VIEW_MEMBERS) { permissionsService.removePermission(group, userId); } // If the member permission is not VIEW_MEMBERS that means that it has been // changed by an ADMIN user, so we don't remove it. } else if (currentUserPermission == Permission.ADMIN) { permissionsService.removePermission(group, userId); } else { throw unauthorizedExceptionSupplier(group).get(); } } public Permission getUserPermission(GroupEntity group, String userId) { return getUserPermission(group, userId, true); } private Permission getUserPermission(GroupEntity group, String userId, boolean verify) { if (verify) { verifyUserCanManagePermissions(group); } List<PermissionEntity> permissions = permissionsService.findUserPermissions(group, userId); return PermissionUtils.getGroupPermission(group, permissions).orElse(null); } private void verifyUserCanManagePermissions(GroupEntity group) { Permission permission = getCurrentUserPermission(group); if (permission != Permission.ADMIN) { loggingDAO.logAction("Unauthorized attempt to manage permissions"); throw new UnauthorizedException("Only admin users can handle permissions"); throw unauthorizedExceptionSupplier(group).get(); } } private Supplier<UnauthorizedException> unauthorizedExceptionSupplier(GroupEntity group) { loggingDAO.logAction("Unauthorized attempt to manage permissions [group_id=" + group.getId() + "]"); return () -> new UnauthorizedException("You don't have the 
privileges for managing the requested permission"); } public List<PermissionEntity> getCurrentUserPermissions(GroupEntity group) { Loading
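Review bot: The MANAGE_MEMBERS branch of `addPermission` does not look at the permission the target user already holds, whereas `removePermission` checks it with `getUserPermission(group, userId, false)` before acting. If `permissionsService.addPermission` replaces an existing entry (not visible here), a MANAGE_MEMBERS caller could overwrite a permission set by an ADMIN with VIEW_MEMBERS; a guard in that branch such as `Permission existing = getUserPermission(group, userId, false);` followed by `if (existing != null && existing != Permission.VIEW_MEMBERS) throw unauthorizedExceptionSupplier(group).get();` would keep the two methods symmetric. Separately, `unauthorizedExceptionSupplier` calls `loggingDAO.logAction(...)` when the supplier is built rather than when the exception is created, so handing it to something like `orElseThrow` would record an unauthorized attempt on every call; moving the log call inside the lambda avoids that. The log line carries only `group_id`; whether `loggingDAO` adds the acting user cannot be told from this page.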
gms/src/main/java/it/inaf/ia2/gms/model/request/AddMemberRequest.java +2 −5 Original line number Diff line number Diff line package it.inaf.ia2.gms.model.request; import it.inaf.ia2.gms.model.Permission; import javax.validation.constraints.NotNull; public class AddMemberRequest extends MemberRequest { /** * When adding a member it is possible to assign also a permission. This * field can be null (in that case the user is member of the group but * he/she can't do nothing (not even seeing him/her group membership). */ @NotNull private Permission permission; public Permission getPermission() { Loading
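Review bot: `@NotNull` on `permission` is enforced only if the controller parameter that receives `AddMemberRequest` is annotated `@Valid` (or `@Validated`), and the MembersController method signature is not shown on this page. Without it a null permission reaches `PermissionsManager.addPermission`, where the ADMIN branch passes it straight to `permissionsService.addPermission`. The Javadoc that described the null case appears to be removed rather than replaced; a one-line replacement such as `/** Permission to assign to the new member; required. */` would keep the field documented.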