
Commit c3bea16

Merge pull request from GHSA-cf2j-vf36-c6w8
Default groups issue
2 parents f21b16c + 16cf19b commit c3bea16


4 files changed

+194
-6
lines changed


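--- a/dspace-api/src/main/java/org/dspace/content/CollectionServiceImpl.java
+++ b/dspace-api/src/main/java/org/dspace/content/CollectionServiceImpl.java
@@ -920,8 +920,7 @@ public Group createDefaultReadGroup(Context context, Collection collection, Stri
 int defaultRead)
 throws SQLException, AuthorizeException {
 Group role = groupService.create(context);
-groupService.setName(role, "COLLECTION_" + collection.getID().toString() + "_" + typeOfGroupString +
-"_DEFAULT_READ");
+groupService.setName(role, getDefaultReadGroupName(collection, typeOfGroupString));
 
 // Remove existing privileges from the anonymous group.
 authorizeService.removePoliciesActionFilter(context, collection, defaultRead);
@@ -932,6 +931,12 @@ public Group createDefaultReadGroup(Context context, Collection collection, Stri
 return role;
 }
 
+@Override
+public String getDefaultReadGroupName(Collection collection, String typeOfGroupString) {
+return "COLLECTION_" + collection.getID().toString() + "_" + typeOfGroupString +
+"_DEFAULT_READ";
+}
+
 @Override
 public List<Collection> findCollectionsWithSubmit(String q, Context context, Community community,
 int offset, int limit) throws SQLException, SearchServiceException {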
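Review bot: The literals `"COLLECTION_"` and `"_DEFAULT_READ"` in the new `getDefaultReadGroupName` now define a format that `GroupServiceImpl.getParentObject` (later in this commit) matches exactly, using the bare type strings `"ITEM"` and `"BITSTREAM"`; leaving the pieces as inline literals in two files lets the two sides drift without any compile-time signal. Consider hoisting them to constants on the implementation, e.g. `private static final String DEFAULT_READ_GROUP_PREFIX = "COLLECTION_";` and `private static final String DEFAULT_READ_GROUP_SUFFIX = "_DEFAULT_READ";`, and similar constants for the two type strings so the matching code can reference them. `collection.getID().toString()` in a string concatenation can simply be `collection.getID()`. The enclosing `createDefaultReadGroup` starts before the first hunk, and `findCollectionsWithSubmit` continues past the second.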

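--- a/dspace-api/src/main/java/org/dspace/content/service/CollectionService.java
+++ b/dspace-api/src/main/java/org/dspace/content/service/CollectionService.java
@@ -360,6 +360,16 @@ public List<Collection> findAuthorized(Context context, Community community, int
 Group createDefaultReadGroup(Context context, Collection collection, String typeOfGroupString, int defaultRead)
 throws SQLException, AuthorizeException;
 
+/**
+* This method will return the name to give to the group created by the
+* {@link #createDefaultReadGroup(Context, Collection, String, int)} method
+*
+* @param collection The DSpace collection to use in the name generation
+* @param typeOfGroupString The type of group to use in the name generation
+* @return the name to give to the group that hold default read for the collection
+*/
+String getDefaultReadGroupName(Collection collection, String typeOfGroupString);
+
 /**
 * Returns Collections for which the current user has 'submit' privileges.
 * NOTE: for better performance, this method retrieves its results from an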
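Review bot: The Javadoc on `getDefaultReadGroupName` describes only how the name is built, while the same commit makes `GroupServiceImpl.getParentObject` use an exact match on this name to decide which collection owns a group for authorization purposes; a future change to the format would silently change which groups community and collection admins may manage. Add a sentence to the Javadoc such as `* NOTE: GroupServiceImpl#getParentObject matches group names against this exact format to resolve the owning collection; changing the format affects authorization.` Also fix `the group that hold default read` to `the group that holds default read` and end the summary sentence with a period.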

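--- a/dspace-api/src/main/java/org/dspace/eperson/GroupServiceImpl.java
+++ b/dspace-api/src/main/java/org/dspace/eperson/GroupServiceImpl.java
@@ -15,6 +15,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
+import java.util.Optional;
 import java.util.Set;
 import java.util.UUID;
 
@@ -735,13 +736,24 @@ public DSpaceObject getParentObject(Context context, Group group) throws SQLExce
 groups.add(group);
 List<ResourcePolicy> policies = resourcePolicyService.find(context, null, groups,
 Constants.DEFAULT_ITEM_READ, Constants.COLLECTION);
-if (policies.size() > 0) {
-return policies.get(0).getdSpaceObject();
+
+Optional<ResourcePolicy> defaultPolicy = policies.stream().filter(p -> StringUtils.equals(
+collectionService.getDefaultReadGroupName((Collection) p.getdSpaceObject(), "ITEM"),
+group.getName())).findFirst();
+
+if (defaultPolicy.isPresent()) {
+return defaultPolicy.get().getdSpaceObject();
 }
 policies = resourcePolicyService.find(context, null, groups,
 Constants.DEFAULT_BITSTREAM_READ, Constants.COLLECTION);
-if (policies.size() > 0) {
-return policies.get(0).getdSpaceObject();
+
+defaultPolicy = policies.stream()
+.filter(p -> StringUtils.equals(collectionService.getDefaultReadGroupName(
+(Collection) p.getdSpaceObject(), "BITSTREAM"), group.getName()))
+.findFirst();
+
+if (defaultPolicy.isPresent()) {
+return defaultPolicy.get().getdSpaceObject();
 }
 }
 }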
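Review bot: The two new filters bind a policy's collection to the group solely by string equality between `group.getName()` and the name derived from that collection, so the narrowing only holds as long as nobody below administrator level can rename a group into the `COLLECTION_<uuid>_ITEM_DEFAULT_READ` form; that rename restriction is not visible in this commit (`groupService.setName` is called unguarded in `CollectionServiceImpl`), so it should be stated where the reader needs it, e.g. a comment above the first filter: `// Treat the collection as parent only for its own default-read group, identified by exact name; group renaming must stay restricted for this binding to hold.` The `(Collection) p.getdSpaceObject()` cast in both lambdas relies on the `Constants.COLLECTION` argument to `resourcePolicyService.find`; a `p.getdSpaceObject() instanceof Collection c` guard inside the filter would turn an unexpected object into a non-match instead of a `ClassCastException` from an authorization lookup. Style: the `isPresent()`/`get()` pairs can be `defaultPolicy.map(ResourcePolicy::getdSpaceObject)` with a single `orElse` fallthrough, and the literals `"ITEM"` and `"BITSTREAM"` presumably mirror the `typeOfGroupString` passed by the callers of `createDefaultReadGroup` (outside this page), so they belong in shared constants. The enclosing `getParentObject` begins before the hunk.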

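--- a/dspace-server-webapp/src/test/java/org/dspace/app/rest/GroupRestRepositoryIT.java
+++ b/dspace-server-webapp/src/test/java/org/dspace/app/rest/GroupRestRepositoryIT.java
@@ -53,6 +53,7 @@
 import org.dspace.builder.CommunityBuilder;
 import org.dspace.builder.EPersonBuilder;
 import org.dspace.builder.GroupBuilder;
+import org.dspace.builder.ResourcePolicyBuilder;
 import org.dspace.content.Collection;
 import org.dspace.content.Community;
 import org.dspace.content.factory.ContentServiceFactory;
@@ -3025,4 +3026,164 @@ public void findByMetadataPaginationTest() throws Exception {
 
 }
 
+@Test
+public void commAdminAndColAdminCannotExploitItemReadGroupTest() throws Exception {
+
+GroupService groupService = EPersonServiceFactory.getInstance().getGroupService();
+
+context.turnOffAuthorisationSystem();
+
+EPerson adminChild1 = EPersonBuilder.createEPerson(context)
+.withNameInMetadata("Oliver", "Rossi")
+.withEmail("adminChild1@example.com")
+.withPassword(password)
+.build();
+EPerson adminCol1 = EPersonBuilder.createEPerson(context)
+.withNameInMetadata("James", "Rossi")
+.withEmail("adminCol1@example.com")
+.withPassword(password)
+.build();
+
+parentCommunity = CommunityBuilder.createCommunity(context)
+.withName("Parent Community")
+.build();
+Community child1 = CommunityBuilder.createSubCommunity(context, parentCommunity)
+.withName("Sub Community")
+.withAdminGroup(adminChild1)
+.build();
+
+Collection col1 = CollectionBuilder.createCollection(context, child1)
+.withName("Collection 1")
+.withAdminGroup(adminCol1)
+.withSubmitterGroup(eperson)
+.build();
+
+Group adminGroup = groupService.findByName(context, Group.ADMIN);
+ResourcePolicyBuilder.createResourcePolicy(context).withAction(Constants.DEFAULT_ITEM_READ)
+.withGroup(adminGroup).withDspaceObject(child1).build();
+ResourcePolicyBuilder.createResourcePolicy(context).withAction(Constants.DEFAULT_ITEM_READ)
+.withGroup(adminGroup).withDspaceObject(col1).build();
+context.restoreAuthSystemState();
+
+String tokenAdminComm = getAuthToken(adminChild1.getEmail(), password);
+String tokenAdminCol = getAuthToken(adminChild1.getEmail(), password);
+
+assertFalse(groupService.isMember(context, adminChild1, adminGroup));
+assertFalse(groupService.isMember(context, adminCol1, adminGroup));
+
+getClient(tokenAdminCol)
+.perform(post("/api/eperson/groups/" + adminGroup.getID() + "/epersons")
+.contentType(parseMediaType(TEXT_URI_LIST_VALUE))
+.content(REST_SERVER_URL + "eperson/groups/" + adminCol1.getID()))
+.andExpect(status().isForbidden());
+
+assertFalse(groupService.isMember(context, adminCol1, adminGroup));
+
+getClient(tokenAdminComm)
+.perform(post("/api/eperson/groups/" + adminGroup.getID() + "/epersons")
+.contentType(parseMediaType(TEXT_URI_LIST_VALUE))
+.content(REST_SERVER_URL + "eperson/groups/" + adminChild1.getID()))
+.andExpect(status().isForbidden());
+
+assertFalse(groupService.isMember(context, adminChild1, adminGroup));
+
+}
+
+@Test
+public void commAdminAndColAdminCannotExpoloitBitstreamReadGroupTest() throws Exception {
+
+GroupService groupService = EPersonServiceFactory.getInstance().getGroupService();
+
+context.turnOffAuthorisationSystem();
+
+EPerson adminChild1 = EPersonBuilder.createEPerson(context)
+.withNameInMetadata("Oliver", "Rossi")
+.withEmail("adminChild1@example.com")
+.withPassword(password)
+.build();
+EPerson adminCol1 = EPersonBuilder.createEPerson(context)
+.withNameInMetadata("James", "Rossi")
+.withEmail("adminCol1@example.com")
+.withPassword(password)
+.build();
+
+parentCommunity = CommunityBuilder.createCommunity(context)
+.withName("Parent Community")
+.build();
+Community child1 = CommunityBuilder.createSubCommunity(context, parentCommunity)
+.withName("Sub Community")
+.withAdminGroup(adminChild1)
+.build();
+
+Collection col1 = CollectionBuilder.createCollection(context, child1)
+.withName("Collection 1")
+.withAdminGroup(adminCol1)
+.withSubmitterGroup(eperson)
+.build();
+
+Group adminGroup = groupService.findByName(context, Group.ADMIN);
+ResourcePolicyBuilder.createResourcePolicy(context).withAction(Constants.DEFAULT_BITSTREAM_READ)
+.withGroup(adminGroup).withDspaceObject(child1).build();
+ResourcePolicyBuilder.createResourcePolicy(context).withAction(Constants.DEFAULT_BITSTREAM_READ)
+.withGroup(adminGroup).withDspaceObject(col1).build();
+context.restoreAuthSystemState();
+
+String tokenAdminComm = getAuthToken(adminChild1.getEmail(), password);
+String tokenAdminCol = getAuthToken(adminChild1.getEmail(), password);
+
+assertFalse(groupService.isMember(context, adminChild1, adminGroup));
+assertFalse(groupService.isMember(context, adminCol1, adminGroup));
+
+getClient(tokenAdminCol)
+.perform(post("/api/eperson/groups/" + adminGroup.getID() + "/epersons")
+.contentType(parseMediaType(TEXT_URI_LIST_VALUE))
+.content(REST_SERVER_URL + "eperson/groups/" + adminCol1.getID()))
+.andExpect(status().isForbidden());
+
+assertFalse(groupService.isMember(context, adminCol1, adminGroup));
+
+getClient(tokenAdminComm)
+.perform(post("/api/eperson/groups/" + adminGroup.getID() + "/epersons")
+.contentType(parseMediaType(TEXT_URI_LIST_VALUE))
+.content(REST_SERVER_URL + "eperson/groups/" + adminChild1.getID()))
+.andExpect(status().isForbidden());
+
+assertFalse(groupService.isMember(context, adminChild1, adminGroup));
+}
+
+@Test
+/**
+* Test for bug https://github.com/DSpace/DSpace/issues/7928
+* @throws Exception
+*/
+public void anonymousGroupParentObjectTest() throws Exception {
+
+GroupService groupService = EPersonServiceFactory.getInstance().getGroupService();
+Group anonGroup = groupService.findByName(context, Group.ANONYMOUS);
+context.turnOffAuthorisationSystem();
+
+parentCommunity = CommunityBuilder.createCommunity(context)
+.withName("Parent Community")
+.build();
+
+Collection col1 = CollectionBuilder.createCollection(context, parentCommunity)
+.withName("Collection 1")
+.build();
+context.restoreAuthSystemState();
+
+String tokenAdmin = getAuthToken(admin.getEmail(), password);
+
+getClient(tokenAdmin).perform(get("/api/eperson/groups/" + anonGroup.getID().toString())
+.param("projection", "full"))
+.andExpect(status().isOk())
+.andExpect(content().contentType(contentType))
+.andExpect(jsonPath("$", GroupMatcher.matchFullEmbeds()))
+.andExpect(jsonPath("$", GroupMatcher.matchLinks(anonGroup.getID())))
+.andExpect(jsonPath("$", Matchers.is(
+GroupMatcher.matchGroupEntry(anonGroup.getID(), anonGroup.getName())
+)))
+.andExpect(jsonPath("$._embedded.object").doesNotExist())
+;
+}
+
 }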
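Review bot: In both new exploit tests `tokenAdminCol` is obtained from `adminChild1.getEmail()` rather than `adminCol1.getEmail()` (new lines 3069 and 3132), so every forbidden request is issued as the community admin and the collection-admin path, which is the one the `getParentObject` change targets, is never exercised; change both to `String tokenAdminCol = getAuthToken(adminCol1.getEmail(), password);`. The assertions on membership after each request would then cover the collection admin as intended. The second method name `commAdminAndColAdminCannotExpoloitBitstreamReadGroupTest` contains a typo (`Expoloit`). In `anonymousGroupParentObjectTest` the Javadoc block is placed between `@Test` and the method signature, so tooling will not attach it to the method; move the `/** ... */` comment above the annotation.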
