53 | 53 | import org.dspace.builder.CommunityBuilder; |
54 | 54 | import org.dspace.builder.EPersonBuilder; |
55 | 55 | import org.dspace.builder.GroupBuilder; |
| 56 | +import org.dspace.builder.ResourcePolicyBuilder; |
56 | 57 | import org.dspace.content.Collection; |
57 | 58 | import org.dspace.content.Community; |
58 | 59 | import org.dspace.content.factory.ContentServiceFactory; |
@@ -3025,4 +3026,164 @@ public void findByMetadataPaginationTest() throws Exception { |
3025 | 3026 |
|
3026 | 3027 | } |
3027 | 3028 |
|
| 3029 | + @Test |
| 3030 | + public void commAdminAndColAdminCannotExploitItemReadGroupTest() throws Exception { |
| 3031 | + |
| 3032 | + GroupService groupService = EPersonServiceFactory.getInstance().getGroupService(); |
| 3033 | + |
| 3034 | + context.turnOffAuthorisationSystem(); |
| 3035 | + |
| 3036 | + EPerson adminChild1 = EPersonBuilder.createEPerson(context) |
| 3037 | + .withNameInMetadata("Oliver", "Rossi") |
| 3038 | + .withEmail("adminChild1@example.com") |
| 3039 | + .withPassword(password) |
| 3040 | + .build(); |
| 3041 | + EPerson adminCol1 = EPersonBuilder.createEPerson(context) |
| 3042 | + .withNameInMetadata("James", "Rossi") |
| 3043 | + .withEmail("adminCol1@example.com") |
| 3044 | + .withPassword(password) |
| 3045 | + .build(); |
| 3046 | + |
| 3047 | + parentCommunity = CommunityBuilder.createCommunity(context) |
| 3048 | + .withName("Parent Community") |
| 3049 | + .build(); |
| 3050 | + Community child1 = CommunityBuilder.createSubCommunity(context, parentCommunity) |
| 3051 | + .withName("Sub Community") |
| 3052 | + .withAdminGroup(adminChild1) |
| 3053 | + .build(); |
| 3054 | + |
| 3055 | + Collection col1 = CollectionBuilder.createCollection(context, child1) |
| 3056 | + .withName("Collection 1") |
| 3057 | + .withAdminGroup(adminCol1) |
| 3058 | + .withSubmitterGroup(eperson) |
| 3059 | + .build(); |
| 3060 | + |
| 3061 | + Group adminGroup = groupService.findByName(context, Group.ADMIN); |
| 3062 | + ResourcePolicyBuilder.createResourcePolicy(context).withAction(Constants.DEFAULT_ITEM_READ) |
| 3063 | + .withGroup(adminGroup).withDspaceObject(child1).build(); |
| 3064 | + ResourcePolicyBuilder.createResourcePolicy(context).withAction(Constants.DEFAULT_ITEM_READ) |
| 3065 | + .withGroup(adminGroup).withDspaceObject(col1).build(); |
| 3066 | + context.restoreAuthSystemState(); |
| 3067 | + |
| 3068 | + String tokenAdminComm = getAuthToken(adminChild1.getEmail(), password); |
| 3069 | + String tokenAdminCol = getAuthToken(adminChild1.getEmail(), password); |
| 3070 | + |
| 3071 | + assertFalse(groupService.isMember(context, adminChild1, adminGroup)); |
| 3072 | + assertFalse(groupService.isMember(context, adminCol1, adminGroup)); |
| 3073 | + |
| 3074 | + getClient(tokenAdminCol) |
| 3075 | + .perform(post("/api/eperson/groups/" + adminGroup.getID() + "/epersons") |
| 3076 | + .contentType(parseMediaType(TEXT_URI_LIST_VALUE)) |
| 3077 | + .content(REST_SERVER_URL + "eperson/groups/" + adminCol1.getID())) |
| 3078 | + .andExpect(status().isForbidden()); |
| 3079 | + |
| 3080 | + assertFalse(groupService.isMember(context, adminCol1, adminGroup)); |
| 3081 | + |
| 3082 | + getClient(tokenAdminComm) |
| 3083 | + .perform(post("/api/eperson/groups/" + adminGroup.getID() + "/epersons") |
| 3084 | + .contentType(parseMediaType(TEXT_URI_LIST_VALUE)) |
| 3085 | + .content(REST_SERVER_URL + "eperson/groups/" + adminChild1.getID())) |
| 3086 | + .andExpect(status().isForbidden()); |
| 3087 | + |
| 3088 | + assertFalse(groupService.isMember(context, adminChild1, adminGroup)); |
| 3089 | + |
| 3090 | + } |
| 3091 | + |
| 3092 | + @Test |
| 3093 | + public void commAdminAndColAdminCannotExpoloitBitstreamReadGroupTest() throws Exception { |
| 3094 | + |
| 3095 | + GroupService groupService = EPersonServiceFactory.getInstance().getGroupService(); |
| 3096 | + |
| 3097 | + context.turnOffAuthorisationSystem(); |
| 3098 | + |
| 3099 | + EPerson adminChild1 = EPersonBuilder.createEPerson(context) |
| 3100 | + .withNameInMetadata("Oliver", "Rossi") |
| 3101 | + .withEmail("adminChild1@example.com") |
| 3102 | + .withPassword(password) |
| 3103 | + .build(); |
| 3104 | + EPerson adminCol1 = EPersonBuilder.createEPerson(context) |
| 3105 | + .withNameInMetadata("James", "Rossi") |
| 3106 | + .withEmail("adminCol1@example.com") |
| 3107 | + .withPassword(password) |
| 3108 | + .build(); |
| 3109 | + |
| 3110 | + parentCommunity = CommunityBuilder.createCommunity(context) |
| 3111 | + .withName("Parent Community") |
| 3112 | + .build(); |
| 3113 | + Community child1 = CommunityBuilder.createSubCommunity(context, parentCommunity) |
| 3114 | + .withName("Sub Community") |
| 3115 | + .withAdminGroup(adminChild1) |
| 3116 | + .build(); |
| 3117 | + |
| 3118 | + Collection col1 = CollectionBuilder.createCollection(context, child1) |
| 3119 | + .withName("Collection 1") |
| 3120 | + .withAdminGroup(adminCol1) |
| 3121 | + .withSubmitterGroup(eperson) |
| 3122 | + .build(); |
| 3123 | + |
| 3124 | + Group adminGroup = groupService.findByName(context, Group.ADMIN); |
| 3125 | + ResourcePolicyBuilder.createResourcePolicy(context).withAction(Constants.DEFAULT_BITSTREAM_READ) |
| 3126 | + .withGroup(adminGroup).withDspaceObject(child1).build(); |
| 3127 | + ResourcePolicyBuilder.createResourcePolicy(context).withAction(Constants.DEFAULT_BITSTREAM_READ) |
| 3128 | + .withGroup(adminGroup).withDspaceObject(col1).build(); |
| 3129 | + context.restoreAuthSystemState(); |
| 3130 | + |
| 3131 | + String tokenAdminComm = getAuthToken(adminChild1.getEmail(), password); |
| 3132 | + String tokenAdminCol = getAuthToken(adminChild1.getEmail(), password); |
| 3133 | + |
| 3134 | + assertFalse(groupService.isMember(context, adminChild1, adminGroup)); |
| 3135 | + assertFalse(groupService.isMember(context, adminCol1, adminGroup)); |
| 3136 | + |
| 3137 | + getClient(tokenAdminCol) |
| 3138 | + .perform(post("/api/eperson/groups/" + adminGroup.getID() + "/epersons") |
| 3139 | + .contentType(parseMediaType(TEXT_URI_LIST_VALUE)) |
| 3140 | + .content(REST_SERVER_URL + "eperson/groups/" + adminCol1.getID())) |
| 3141 | + .andExpect(status().isForbidden()); |
| 3142 | + |
| 3143 | + assertFalse(groupService.isMember(context, adminCol1, adminGroup)); |
| 3144 | + |
| 3145 | + getClient(tokenAdminComm) |
| 3146 | + .perform(post("/api/eperson/groups/" + adminGroup.getID() + "/epersons") |
| 3147 | + .contentType(parseMediaType(TEXT_URI_LIST_VALUE)) |
| 3148 | + .content(REST_SERVER_URL + "eperson/groups/" + adminChild1.getID())) |
| 3149 | + .andExpect(status().isForbidden()); |
| 3150 | + |
| 3151 | + assertFalse(groupService.isMember(context, adminChild1, adminGroup)); |
| 3152 | + } |
| 3153 | + |
| 3154 | + @Test |
| 3155 | + /** |
| 3156 | + * Test for bug https://github.com/DSpace/DSpace/issues/7928 |
| 3157 | + * @throws Exception |
| 3158 | + */ |
| 3159 | + public void anonymousGroupParentObjectTest() throws Exception { |
| 3160 | + |
| 3161 | + GroupService groupService = EPersonServiceFactory.getInstance().getGroupService(); |
| 3162 | + Group anonGroup = groupService.findByName(context, Group.ANONYMOUS); |
| 3163 | + context.turnOffAuthorisationSystem(); |
| 3164 | + |
| 3165 | + parentCommunity = CommunityBuilder.createCommunity(context) |
| 3166 | + .withName("Parent Community") |
| 3167 | + .build(); |
| 3168 | + |
| 3169 | + Collection col1 = CollectionBuilder.createCollection(context, parentCommunity) |
| 3170 | + .withName("Collection 1") |
| 3171 | + .build(); |
| 3172 | + context.restoreAuthSystemState(); |
| 3173 | + |
| 3174 | + String tokenAdmin = getAuthToken(admin.getEmail(), password); |
| 3175 | + |
| 3176 | + getClient(tokenAdmin).perform(get("/api/eperson/groups/" + anonGroup.getID().toString()) |
| 3177 | + .param("projection", "full")) |
| 3178 | + .andExpect(status().isOk()) |
| 3179 | + .andExpect(content().contentType(contentType)) |
| 3180 | + .andExpect(jsonPath("$", GroupMatcher.matchFullEmbeds())) |
| 3181 | + .andExpect(jsonPath("$", GroupMatcher.matchLinks(anonGroup.getID()))) |
| 3182 | + .andExpect(jsonPath("$", Matchers.is( |
| 3183 | + GroupMatcher.matchGroupEntry(anonGroup.getID(), anonGroup.getName()) |
| 3184 | + ))) |
| 3185 | + .andExpect(jsonPath("$._embedded.object").doesNotExist()) |
| 3186 | + ; |
| 3187 | + } |
| 3188 | + |
3028 | 3189 | } |
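Review bot: tokenAdminCol is obtained for adminChild1 instead of adminCol1 at both `String tokenAdminCol = getAuthToken(adminChild1.getEmail(), password);` lines (new 3069 and 3132), so the collection-admin half of commAdminAndColAdminCannotExploitItemReadGroupTest and of the bitstream variant actually sends the community admin's token twice and the collection-admin case is never exercised; the line should read `String tokenAdminCol = getAuthToken(adminCol1.getEmail(), password);`. The 403 that is then asserted for the first request would be produced for adminChild1 regardless of the DEFAULT_ITEM_READ / DEFAULT_BITSTREAM_READ policies granted on col1, so the test currently passes without proving the collection-admin path is closed. Separately, the method name at new 3093 carries the typo `Expoloit`, and in anonymousGroupParentObjectTest the Javadoc block sits after `@Test` (new 3154–3158), where the javadoc tool will not attach it to the method; move the `/** ... */` above the annotation and give `@throws Exception` a short description.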