From c22682198817c4d1cf6a39857b5c4d8bc7ce1120 Mon Sep 17 00:00:00 2001
From: Alexander Sulfrian
Date: Wed, 19 Jun 2019 16:11:45 +0200
Subject: [PATCH 1/3] DSpaceMETSGenerator: Check permissions

Ensure that the metadata of objects are not accessible via the mets file, if the current user doesn't have sufficient permissions.
---
 .../app/xmlui/cocoon/DSpaceMETSGenerator.java | 24 ++++++++++++-------
 .../xmlui/objectmanager/AbstractAdapter.java | 13 ++++++++++
 .../xmlui/objectmanager/ContainerAdapter.java | 6 +++++
 .../app/xmlui/objectmanager/ItemAdapter.java | 6 +++++
 .../objectmanager/RepositoryAdapter.java | 6 +++++
 5 files changed, 47 insertions(+), 8 deletions(-)

diff --git a/dspace-xmlui/src/main/java/org/dspace/app/xmlui/cocoon/DSpaceMETSGenerator.java b/dspace-xmlui/src/main/java/org/dspace/app/xmlui/cocoon/DSpaceMETSGenerator.java
index 6f0a5ba885e6..90abe27e4f6b 100644
--- a/dspace-xmlui/src/main/java/org/dspace/app/xmlui/cocoon/DSpaceMETSGenerator.java
+++ b/dspace-xmlui/src/main/java/org/dspace/app/xmlui/cocoon/DSpaceMETSGenerator.java
@@ -15,6 +15,7 @@ import org.apache.cocoon.ResourceNotFoundException;
 import org.apache.cocoon.environment.ObjectModelHelper;
 import org.apache.cocoon.environment.Request;
+import org.apache.cocoon.environment.Response;
 import org.apache.cocoon.generation.AbstractGenerator;
 import org.dspace.app.xmlui.objectmanager.AbstractAdapter;
 import org.dspace.app.xmlui.objectmanager.ContainerAdapter;
@@ -107,14 +108,21 @@ public void generate() throws IOException, SAXException, ProcessingException {
 throw new ResourceNotFoundException("Unable to locate object.");
 }
- // Configure the adapter for this request.
- configureAdapter(adapter);
-
- // Generate the METS document
- contentHandler.startDocument();
- adapter.renderMETS(context, contentHandler,lexicalHandler);
- contentHandler.endDocument();
-
+ if (adapter.isAuthorized())
+ {
+ // Configure the adapter for this request.
+ configureAdapter(adapter);
+
+ // Generate the METS document
+ contentHandler.startDocument();
+ adapter.renderMETS(context, contentHandler, lexicalHandler);
+ contentHandler.endDocument();
+ }
+ else
+ {
+ Response response = ObjectModelHelper.getResponse(objectModel);
+ response.setStatus(403);
+ }
 } catch (WingException we) {
 throw new ProcessingException(we);
 } catch (CrosswalkException ce) {
diff --git a/dspace-xmlui/src/main/java/org/dspace/app/xmlui/objectmanager/AbstractAdapter.java b/dspace-xmlui/src/main/java/org/dspace/app/xmlui/objectmanager/AbstractAdapter.java
index f8fb240f3ae7..157679fd9a0e 100644
--- a/dspace-xmlui/src/main/java/org/dspace/app/xmlui/objectmanager/AbstractAdapter.java
+++ b/dspace-xmlui/src/main/java/org/dspace/app/xmlui/objectmanager/AbstractAdapter.java
@@ -19,6 +19,9 @@ import org.dspace.app.xmlui.wing.AttributeMap;
 import org.dspace.app.xmlui.wing.Namespace;
 import org.dspace.app.xmlui.wing.WingException;
+import org.dspace.authenticate.factory.AuthenticateServiceFactory;
+import org.dspace.authorize.factory.AuthorizeServiceFactory;
+import org.dspace.authorize.service.AuthorizeService;
 import org.dspace.content.Bitstream;
 import org.dspace.content.BitstreamFormat;
 import org.dspace.content.Item;
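Review bot: The `else` branch sets status 403 but emits no SAX events at all (no startDocument/endDocument), so the serializer downstream receives no document; the hunk does not show the pipeline, so confirm this really yields an empty 403 rather than a serializer error, and that, if the METS pipeline is cached, the authorization outcome is part of the cache key so a document rendered for an authorized user is never replayed to an unauthorized one. The DSpaceOREGenerator hunk in patch 3 has the same shape. The bare `403` should be a named constant with a comment, e.g. `// Object exists but the current user lacks READ: render nothing` followed by `response.setStatus(HttpServletResponse.SC_FORBIDDEN);`. Note that `adapter.isAuthorized()` declares SQLException, which neither catch clause visible here covers; generate()'s remaining catch chain is outside the hunk, so presumably it is handled there.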
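Review bot: `import org.dspace.authenticate.factory.AuthenticateServiceFactory;` is unused: the 13 lines this patch inserts into AbstractAdapter (these imports, the `authorizeService` field and `isAuthorized()`) reference only `AuthorizeServiceFactory` and `AuthorizeService`. Drop the line so the import list does not advertise an authentication dependency the adapter does not have.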
@@ -85,6 +88,8 @@ protected ContentHandler contentHandler;
 protected LexicalHandler lexicalHandler;
 protected NamespaceSupport namespaces;
+
+ protected AuthorizeService authorizeService = AuthorizeServiceFactory.getInstance().getAuthorizeService();
 /**
 * Construct a new adapter, implementers must call this method so
@@ -628,6 +633,14 @@ public final boolean isDefinedMETStype(String metadataType)
 return false;
 }
+ /**
+ * Check if the current user is allowed to read the contents
+ * of the adapter.
+ *
+ * @return True if the user has sufficient permissions
+ * @throws SQLException passed through.
+ */
+ abstract public boolean isAuthorized() throws SQLException;
diff --git a/dspace-xmlui/src/main/java/org/dspace/app/xmlui/objectmanager/ContainerAdapter.java b/dspace-xmlui/src/main/java/org/dspace/app/xmlui/objectmanager/ContainerAdapter.java
index 895434cf55e7..ec5a9a772341 100644
--- a/dspace-xmlui/src/main/java/org/dspace/app/xmlui/objectmanager/ContainerAdapter.java
+++ b/dspace-xmlui/src/main/java/org/dspace/app/xmlui/objectmanager/ContainerAdapter.java
@@ -820,4 +820,10 @@ private void createField(String schema, String element, String qualifier, String
 // Close out field
 endElement(DIM,"field");
 }
+
+ @Override
+ public boolean isAuthorized() throws SQLException
+ {
+ return authorizeService.authorizeActionBoolean(dspaceContext, dso, Constants.READ);
+ }
 }
diff --git a/dspace-xmlui/src/main/java/org/dspace/app/xmlui/objectmanager/ItemAdapter.java b/dspace-xmlui/src/main/java/org/dspace/app/xmlui/objectmanager/ItemAdapter.java
index fdac0922f792..e54e694babf7 100644
--- a/dspace-xmlui/src/main/java/org/dspace/app/xmlui/objectmanager/ItemAdapter.java
+++ b/dspace-xmlui/src/main/java/org/dspace/app/xmlui/objectmanager/ItemAdapter.java
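Review bot: `authorizeService` is a mutable protected field although it is assigned once from the factory and never reassigned in this patch; `protected final AuthorizeService authorizeService = AuthorizeServiceFactory.getInstance().getAuthorizeService();` states that and prevents a subclass from swapping out the service that `isAuthorized()` relies on. The `authorizeService` field added to DSpaceOREGenerator in patch 3 has the same shape. A one-line comment, `// Backs isAuthorized() in subclasses; METS rendering is gated on it`, would explain why an adapter holds an authorization service.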
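Review bot: `abstract public` is legal but reversed from the conventional modifier order that Checkstyle's ModifierOrder enforces; write `public abstract boolean isAuthorized() throws SQLException;`. The Javadoc should also name what is checked and what callers owe: `Check whether the current user may READ the DSpace object this adapter wraps; when this returns {@code false} no part of the object's metadata may be rendered.` with `@return {@code true} if the user has sufficient permissions`.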
@@ -984,6 +984,12 @@ protected void renderExtraSections() throws SAXException, SQLException, IOExcept
 }
 }
+ @Override
+ public boolean isAuthorized() throws SQLException
+ {
+ return authorizeService.authorizeActionBoolean(context, item, Constants.READ);
+ }
+
 /**
 * Checks which Bundles of current item a user has requested.
diff --git a/dspace-xmlui/src/main/java/org/dspace/app/xmlui/objectmanager/RepositoryAdapter.java b/dspace-xmlui/src/main/java/org/dspace/app/xmlui/objectmanager/RepositoryAdapter.java
index 4015ae0d3b64..a3fcca7aadf3 100644
--- a/dspace-xmlui/src/main/java/org/dspace/app/xmlui/objectmanager/RepositoryAdapter.java
+++ b/dspace-xmlui/src/main/java/org/dspace/app/xmlui/objectmanager/RepositoryAdapter.java
@@ -280,6 +280,12 @@ protected void renderStructureMap() throws SQLException, SAXException
 }
+ @Override
+ public boolean isAuthorized()
+ {
+ return true;
+ }
+
 /**
 *
 *

From e94467ead69185302a01742de0ee938418375313 Mon Sep 17 00:00:00 2001
From: Alexander Sulfrian
Date: Thu, 20 Jun 2019 15:04:18 +0200
Subject: [PATCH 2/3] DSpaceOREGenerator: Remove unused code

This code was copied from the DSpaceMETSGenerator and is not used anymore.
---
 .../org/dspace/app/xmlui/cocoon/DSpaceOREGenerator.java | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/dspace-xmlui/src/main/java/org/dspace/app/xmlui/cocoon/DSpaceOREGenerator.java b/dspace-xmlui/src/main/java/org/dspace/app/xmlui/cocoon/DSpaceOREGenerator.java
index 6b5f168ee89d..1cb57eb35715 100644
--- a/dspace-xmlui/src/main/java/org/dspace/app/xmlui/cocoon/DSpaceOREGenerator.java
+++ b/dspace-xmlui/src/main/java/org/dspace/app/xmlui/cocoon/DSpaceOREGenerator.java
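Review bot: `isAuthorized()` gates the whole METS document on item-level READ only; if renderMETS's file section lists bundles and bitstreams (that code is outside the hunk), bitstreams with a more restrictive READ policy than the item would still have their names, sizes, formats and checksums exposed, so confirm that the bundle/bitstream rendering filters per bitstream and, if not, a per-bitstream `authorizeActionBoolean(context, bitstream, Constants.READ)` belongs there. A Javadoc line recording the scope, `/** Item-level READ check; bitstream-level policies are not consulted here. */`, would keep that limit visible to the next maintainer.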
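Review bot: `isAuthorized()` returns `true` unconditionally with no explanation, so a reader cannot tell whether repository-level METS is deliberately public or the check was left unimplemented; add a Javadoc such as `/** The repository description carries no per-object policy, so it is always readable. */`. Dropping `throws SQLException` in the override is fine, since it narrows the abstract contract.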
@@ -66,12 +66,6 @@ public void generate() throws IOException, SAXException,
 Element ore = xwalk.disseminateElement(context, item);
 out.output(ore);
-
- /* Generate the METS document
- contentHandler.startDocument();
- adapter.renderMETS(contentHandler,lexicalHandler);
- contentHandler.endDocument();*/
-
 } catch (JDOMException je) {
 throw new ProcessingException(je);
 } catch (AuthorizeException ae) {

From 621a0569eda2ce1d69d33c41805e10b7408dcef3 Mon Sep 17 00:00:00 2001
From: Alexander Sulfrian
Date: Thu, 20 Jun 2019 15:15:02 +0200
Subject: [PATCH 3/3] DSpaceOREGenerator: Check permissions

The DSpaceOREGenerator needs to check whether the item is readable by the current user before generating a XML document.
---
 .../app/xmlui/cocoon/DSpaceOREGenerator.java | 30 ++++++++++++++-----
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/dspace-xmlui/src/main/java/org/dspace/app/xmlui/cocoon/DSpaceOREGenerator.java b/dspace-xmlui/src/main/java/org/dspace/app/xmlui/cocoon/DSpaceOREGenerator.java
index 1cb57eb35715..18110f1e874d 100644
--- a/dspace-xmlui/src/main/java/org/dspace/app/xmlui/cocoon/DSpaceOREGenerator.java
+++ b/dspace-xmlui/src/main/java/org/dspace/app/xmlui/cocoon/DSpaceOREGenerator.java
@@ -13,15 +13,20 @@ import org.apache.cocoon.ProcessingException;
 import org.apache.cocoon.ResourceNotFoundException;
+import org.apache.cocoon.environment.ObjectModelHelper;
+import org.apache.cocoon.environment.Response;
 import org.apache.cocoon.generation.AbstractGenerator;
 import org.dspace.app.xmlui.utils.ContextUtil;
 import org.dspace.authorize.AuthorizeException;
+import org.dspace.authorize.factory.AuthorizeServiceFactory;
+import org.dspace.authorize.service.AuthorizeService;
 import org.dspace.content.DSpaceObject;
 import org.dspace.content.Item;
 import org.dspace.content.crosswalk.CrosswalkException;
 import org.dspace.content.crosswalk.DisseminationCrosswalk;
 import org.dspace.content.factory.ContentServiceFactory;
 import org.dspace.content.service.ItemService;
+import org.dspace.core.Constants;
 import org.dspace.core.Context;
 import org.dspace.core.factory.CoreServiceFactory;
 import org.dspace.handle.factory.HandleServiceFactory;
@@ -43,6 +48,7 @@ public class DSpaceOREGenerator extends AbstractGenerator
 protected ItemService itemService = ContentServiceFactory.getInstance().getItemService();
 protected HandleService handleService = HandleServiceFactory.getInstance().getHandleService();
+ protected AuthorizeService authorizeService = AuthorizeServiceFactory.getInstance().getAuthorizeService();
 /**
 * Generate the ORE Aggregation.
@@ -59,13 +65,23 @@ public void generate() throws IOException, SAXException,
 throw new ResourceNotFoundException("Unable to locate object.");
 }
-
- // Instantiate and execute the ORE plugin
- SAXOutputter out = new SAXOutputter(contentHandler);
- DisseminationCrosswalk xwalk = (DisseminationCrosswalk)CoreServiceFactory.getInstance().getPluginService().getNamedPlugin(DisseminationCrosswalk.class,"ore");
-
- Element ore = xwalk.disseminateElement(context, item);
- out.output(ore);
+ if (authorizeService.authorizeActionBoolean(context, item,
+ Constants.READ))
+ {
+ // Instantiate and execute the ORE plugin
+ SAXOutputter out = new SAXOutputter(contentHandler);
+ DisseminationCrosswalk xwalk = (DisseminationCrosswalk) CoreServiceFactory
+ .getInstance().getPluginService()
+ .getNamedPlugin(DisseminationCrosswalk.class, "ore");
+
+ Element ore = xwalk.disseminateElement(context, item);
+ out.output(ore);
+ }
+ else
+ {
+ Response response = ObjectModelHelper.getResponse(objectModel);
+ response.setStatus(403);
+ }
 } catch (JDOMException je) {
 throw new ProcessingException(je);
 } catch (AuthorizeException ae) {
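Review bot: The condition is wrapped across two lines for no visible reason; `if (authorizeService.authorizeActionBoolean(context, item, Constants.READ))` fits on one line, or hoist it into `boolean readable = authorizeService.authorizeActionBoolean(context, item, Constants.READ);` so the branch reads `if (readable)`. `authorizeActionBoolean` declares SQLException and neither catch clause visible here (JDOMException, AuthorizeException) covers it; the rest of generate()'s catch chain is outside the hunk, so presumably it is caught there. The empty-body 403 in the `else` branch mirrors the DSpaceMETSGenerator change in patch 1, and the same remarks about producing no document, the bare status constant and cache interaction apply here.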