Commit 61569219 authored by Nicola Fulvio Calabria's avatar Nicola Fulvio Calabria

Include ownership in write privilege check in CreateNodeController.

Changed separator for group_write property to " " in 
CreateNodeController for consistency with NodeDAO
parent 81286197
+28 −8
@@ -32,14 +32,17 @@ public class CreateNodeController extends BaseNodeController {

        List<String> userGroups = principal.getGroups();

        // Validate payload node URI
        if (!isValidURI(node.getUri())) {
            throw new InvalidURIException(node.getUri());
        }

        // Check if payload URI is consistent with http request
        if (!isUrlConsistentWithPayloadURI(node.getUri(), path)) {
            throw new InvalidURIException(node.getUri(), path);
        }

        // Check if another node is already present at specified path
        // This checks if the user is trying to insert the root node at "/" too
        if (nodeDao.listNode(path).isPresent()) {
            throw new DuplicateNodeException(path);
@@ -49,26 +52,30 @@ public class CreateNodeController extends BaseNodeController {
        Node parentNode = nodeDao.listNode(getParentPath(path))
                .orElseThrow(() -> new ContainerNotFoundException(getParentPath(path)));

        List<String> groupWritePropValues = parentNode.getProperties().stream()
                .filter((i) -> i.getUri()
                .equals("ivo://ivoa.net/vospace/core#groupwrite"))
                .map((i) -> i.getValue())
                .collect(Collectors.toList());
        // Check user write/ownership privilege against parent node
        List<String> groupWritePropValues
                = getNodePropertyByURI(parentNode, "ivo://ivoa.net/vospace/core#groupwrite");

        if (groupWritePropValues.isEmpty()) {
            throw new PermissionDeniedException(path);
        }

        List<String> nodeGroups
                = Arrays.asList(groupWritePropValues.get(0).split(",", -1));
                = Arrays.asList(groupWritePropValues.get(0).split(" ", -1));

        if (!nodeGroups.stream().anyMatch((i) -> userGroups.contains(i))) {
            // If groups don't match check ownership at least
            List<String> nodeOwner
                    = getNodePropertyByURI(parentNode, "ivo://ivoa.net/vospace/core#creator");

            if (nodeOwner.isEmpty()
                    || !nodeOwner.get(0).equals(principal.getName())) {
                throw new PermissionDeniedException(path);
            }
        }

        // Check if parent node is not a Container node and in case throw
        // appropriate exception

        if (!parentNode.getType().equals("vos:ContainerNode")) {
            if (parentNode.getType().equals("vos:LinkNode")) {
                throw new LinkFoundException(getParentPath(path));
@@ -117,4 +124,17 @@ public class CreateNodeController extends BaseNodeController {

        return sb.toString();
    }

    // Returns all properties stored inside the node under the requested
    // property URI.    
    private List<String> getNodePropertyByURI(Node node, String propertyURI) {

        List<String> propertyList = node.getProperties().stream()
                .filter((i) -> i.getUri()
                .equals(propertyURI))
                .map((i) -> i.getValue())
                .collect(Collectors.toList());

        return propertyList;
    }
}
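Review bot: The `if (groupWritePropValues.isEmpty())` throw in the second hunk still runs before the new creator check, so the owner of a parent node that carries no groupwrite property is denied and the ownership fallback is only reachable when a group list exists. Computing both results first and denying only when neither matches keeps the check fail-closed while honouring the commit's stated intent. The rewrite below also skips empty tokens from `split(" ", -1)`, since an empty or double-spaced value would otherwise yield `""` as a group name. It guards against null property values and a null principal name too, on the assumption that these can occur, because neither `Property.getValue()` nor the principal type is visible here. Only the first value per property URI is consulted, as in the committed code, and the enclosing method starts and ends outside the hunk.

```java
        // Check user write/ownership privilege against parent node
        List<String> groupWritePropValues
                = getNodePropertyByURI(parentNode, "ivo://ivoa.net/vospace/core#groupwrite");
        List<String> nodeOwner
                = getNodePropertyByURI(parentNode, "ivo://ivoa.net/vospace/core#creator");

        // Group access: at least one non-empty group token must be held by the user
        boolean groupMatch = !groupWritePropValues.isEmpty()
                && groupWritePropValues.get(0) != null
                && Arrays.stream(groupWritePropValues.get(0).split(" ", -1))
                        .filter((g) -> !g.isEmpty())
                        .anyMatch(userGroups::contains);

        // Ownership: creator property must equal the authenticated principal name
        boolean ownerMatch = !nodeOwner.isEmpty()
                && principal.getName() != null
                && principal.getName().equals(nodeOwner.get(0));

        if (!groupMatch && !ownerMatch) {
            throw new PermissionDeniedException(path);
        }

        // … unchanged: parent node type checks (ContainerNode / LinkNode) …
```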
+2 −2
@@ -48,7 +48,7 @@ public class CreateNodeControllerTest {
        // Set groupwrite property
        Property groups = new Property();
        groups.setUri("ivo://ivoa.net/vospace/core#groupwrite");
        groups.setValue("test1,test2");
        groups.setValue("test1 test2");
        parentNode.setProperties(List.of(groups));
        return parentNode;
    }
@@ -60,7 +60,7 @@ public class CreateNodeControllerTest {
        // Set groupwrite property
        Property groups = new Property();
        groups.setUri("ivo://ivoa.net/vospace/core#groupwrite");
        groups.setValue("test1,test2");
        groups.setValue("test1 test2");
        parentNode.setProperties(List.of(groups));
        return parentNode;
    }
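Review bot: The fixtures in both hunks only switch the groupwrite separator, and with +2 −2 for this file the commit adds no test for the new ownership branch in CreateNodeController. An authorization change like this should be pinned from both sides: a parent node whose `ivo://ivoa.net/vospace/core#creator` value equals the principal's name while no group matches (creation allowed), and one with a different creator and no matching group (`PermissionDeniedException` expected). A fixture that sets a creator property next to `groups`, e.g. `parentNode.setProperties(List.of(groups, creator));`, would be enough to drive both cases.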