/
UsersApi.java
362 lines (309 loc) · 13.7 KB
/
UsersApi.java
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
/*
* Copyright (C) 2001-2016 Food and Agriculture Organization of the
* United Nations (FAO-UN), United Nations World Food Programme (WFP)
* and United Nations Environment Programme (UNEP)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at
* your option) any later version.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*
* Contact: Jeroen Ticheler - FAO - Viale delle Terme di Caracalla 2,
* Rome - Italy. email: geonetwork@osgeo.org
*/
package org.fao.geonet.api.users;
import com.vividsolutions.jts.util.Assert;
import io.swagger.annotations.ApiParam;
import org.fao.geonet.ApplicationContextHolder;
import org.fao.geonet.api.API;
import org.fao.geonet.api.ApiUtils;
import org.fao.geonet.api.exception.ResourceNotFoundException;
import org.fao.geonet.constants.Params;
import org.fao.geonet.domain.*;
import org.fao.geonet.exceptions.OperationNotAllowedEx;
import org.fao.geonet.kernel.DataManager;
import org.fao.geonet.repository.*;
import org.fao.geonet.repository.specification.UserGroupSpecs;
import org.fao.geonet.repository.specification.UserSpecs;
import org.fao.geonet.util.PasswordUtil;
import org.springframework.context.ApplicationContext;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.*;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import jeeves.server.UserSession;
import springfox.documentation.annotations.ApiIgnore;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpSession;
import static org.fao.geonet.repository.specification.UserGroupSpecs.hasUserId;
import static org.springframework.data.jpa.domain.Specifications.where;
@RequestMapping(value = {
"/api/users",
"/api/" + API.VERSION_0_1 +
"/users"
})
@Api(value = "users",
tags = "users",
description = "User operations")
@Controller("users")
public class UsersApi {
@ApiOperation(
value = "Get users",
notes = "",
nickname = "getUsers")
@RequestMapping(
produces = MediaType.APPLICATION_JSON_VALUE,
method = RequestMethod.GET)
@ResponseStatus(value = HttpStatus.OK)
@PreAuthorize("isAuthenticated()")
@ResponseBody
public List<User> getUsers(
@ApiIgnore
HttpSession httpSession
) throws Exception {
UserSession session = ApiUtils.getUserSession(httpSession);
Profile profile = session.getProfile();
UserRepository userRepository = ApplicationContextHolder.get().getBean(UserRepository.class);
if (profile == Profile.Administrator) {
return userRepository.findAll(SortUtils.createSort(User_.name));
} else if (profile != Profile.UserAdmin) {
return userRepository.findAll(UserSpecs.hasUserId(session.getUserIdAsInt()));
} else if (profile == Profile.UserAdmin) {
int userId = session.getUserIdAsInt();
final List<Integer> userGroupIds =
getGroupIds(userId);
List<User> allUsers = userRepository.findAll(SortUtils.createSort(User_.name));
// Filter users which are not in current user admin groups
allUsers.removeIf(u -> userGroupIds.containsAll(getGroupIds(u.getId())));
// TODO-API: Check why there was this check on profiles ?
// if (!profileSet.contains(profile))
// alToRemove.add(elRec);
return allUsers;
}
return null;
}
@ApiOperation(
value = "Get user",
notes = "",
nickname = "getUser")
@RequestMapping(
value = "/{userIdentifier}",
produces = MediaType.APPLICATION_JSON_VALUE,
method = RequestMethod.GET)
@ResponseStatus(value = HttpStatus.OK)
@PreAuthorize("isAuthenticated()")
@ResponseBody
public User getUser(
@ApiParam(
value = "User identifier."
)
@PathVariable
Integer userIdentifier,
@ApiIgnore
HttpSession httpSession
) throws Exception {
UserSession session = ApiUtils.getUserSession(httpSession);
Profile myProfile = session.getProfile();
String myUserId = session.getUserId();
if (myProfile == Profile.Administrator || myProfile == Profile.UserAdmin || myUserId.equals(userIdentifier)) {
UserRepository userRepository = ApplicationContextHolder.get().getBean(UserRepository.class);
User user = userRepository.findOne(Integer.valueOf(userIdentifier));
return user;
} else {
throw new IllegalArgumentException("You don't have rights to do this");
}
}
@ApiOperation(
value = "Delete a user",
notes = "Deletes a catalog user by identifier.",
nickname = "deleteUser")
@RequestMapping(value = "/{userIdentifier}",
produces = MediaType.APPLICATION_JSON_VALUE,
method = RequestMethod.DELETE)
@ResponseStatus(value = HttpStatus.OK)
@PreAuthorize("hasRole('UserAdmin') or hasRole('Administrator')")
@ResponseBody
public ResponseEntity<String> deleteUser(
@ApiParam(
value = "User identifier."
)
@PathVariable
Integer userIdentifier,
@ApiIgnore
ServletRequest request,
@ApiIgnore
HttpSession httpSession
) throws Exception {
UserSession session = ApiUtils.getUserSession(httpSession);
Profile myProfile = session.getProfile();
String myUserId = session.getUserId();
UserRepository userRepository = ApplicationContextHolder.get().getBean(UserRepository.class);
UserGroupRepository userGroupRepository = ApplicationContextHolder.get().getBean(UserGroupRepository.class);
if (myUserId == null || new Integer(myUserId).equals(userIdentifier)) {
throw new IllegalArgumentException(
"You cannot delete yourself from the user database");
}
if (myProfile == Profile.UserAdmin) {
final Integer iMyUserId = Integer.valueOf(myUserId);
final List<Integer> groupIds = userGroupRepository
.findGroupIds(where(hasUserId(iMyUserId)).or(
hasUserId(userIdentifier)));
if (groupIds.isEmpty()) {
throw new IllegalArgumentException(
"You don't have rights to delete this user because the user is not part of your group");
}
}
DataManager dataManager = ApplicationContextHolder.get().getBean(DataManager.class);
// Before processing DELETE check that the user is not referenced
// elsewhere in the GeoNetwork database - an exception is thrown if
// this is the case
if (dataManager.isUserMetadataOwner(userIdentifier)) {
throw new IllegalArgumentException(
"Cannot delete a user that is also a metadata owner");
}
if (dataManager.isUserMetadataStatus(userIdentifier)) {
throw new IllegalArgumentException(
"Cannot delete a user that has set a metadata status");
}
userGroupRepository.deleteAllByIdAttribute(UserGroupId_.userId,
Arrays.asList(userIdentifier));
userRepository.delete(userIdentifier);
return new ResponseEntity(HttpStatus.NO_CONTENT);
}
@ApiOperation(
value = "Resets user password",
notes = "Resets the user password.",
nickname = "resetUserPassword")
@RequestMapping(value = "/{userIdentifier}/actions/forget-password",
produces = MediaType.APPLICATION_JSON_VALUE,
method = RequestMethod.POST)
@ResponseStatus(value = HttpStatus.OK)
@PreAuthorize("isAuthenticated()")
@ResponseBody
public ResponseEntity<String> resetUserPassword(
@ApiParam(
value = "User identifier."
)
@PathVariable
Integer userIdentifier,
@ApiParam(
value = "Password to change."
)
@RequestParam(value = Params.PASSWORD) String password,
@ApiParam(
value = "Password to change (repeat)."
)
@RequestParam(value = Params.PASSWORD + "2") String password2,
@ApiIgnore
ServletRequest request,
@ApiIgnore
HttpSession httpSession
) throws Exception {
Assert.equals(password, password2);
UserSession session = ApiUtils.getUserSession(httpSession);
Profile myProfile = session.getProfile();
String myUserId = session.getUserId();
if (myProfile != Profile.Administrator && myProfile != Profile.UserAdmin && !myUserId.equals(userIdentifier)) {
throw new IllegalArgumentException("You don't have rights to do this");
}
UserRepository userRepository = ApplicationContextHolder.get().getBean(UserRepository.class);
User user = userRepository.findOne(userIdentifier);
user.getSecurity().setPassword(
PasswordUtil.encoder(ApplicationContextHolder.get()).encode(
password));
userRepository.save(user);
return new ResponseEntity(HttpStatus.NO_CONTENT);
}
@ApiOperation(
value = "Retrieve user groups",
notes = "",
nickname = "retrieveUserGroups")
@RequestMapping(value = "/{userIdentifier}/groups",
produces = MediaType.APPLICATION_JSON_VALUE,
method = RequestMethod.GET
)
@ResponseStatus(value = HttpStatus.OK)
@PreAuthorize("isAuthenticated()")
@ResponseBody
public List<UserGroup> retrieveUserGroups(
@ApiParam(
value = "User identifier."
)
@PathVariable
Integer userIdentifier,
@ApiIgnore
ServletRequest request,
@ApiIgnore
HttpSession httpSession
) throws Exception {
UserSession session = ApiUtils.getUserSession(httpSession);
Profile myProfile = session.getProfile();
String myUserId = session.getUserId();
final UserRepository userRepository = ApplicationContextHolder.get().getBean(UserRepository.class);
final UserGroupRepository userGroupRepository = ApplicationContextHolder.get().getBean(UserGroupRepository.class);
if (myProfile == Profile.Administrator || myProfile == Profile.UserAdmin || myUserId.equals(userIdentifier)) {
// -- get the profile of the user id supplied
User user = userRepository.findOne(userIdentifier);
if (user == null) {
throw new IllegalArgumentException("user " + userIdentifier + " doesn't exist");
}
String userProfile = user.getProfile().name();
List<UserGroup> userGroups;
if (myProfile == Profile.Administrator && userProfile.equals(Profile.Administrator.name())) {
// Return all groups for administrator.
// TODO: Check if a better option returning instead of UserGroup a customised GroupDTO
// containing all group properties and user profile
userGroups = new ArrayList<UserGroup>();
final GroupRepository groupRepository = ApplicationContextHolder.get().getBean(GroupRepository.class);
List<Group> groups = groupRepository.findAll();
for (Group g : groups) {
UserGroup ug = new UserGroup();
UserGroupId ugId = new UserGroupId();
ugId.setProfile(Profile.Administrator);
ugId.setGroupId(g.getId());
ugId.setUserId(userIdentifier);
ug.setGroup(g);
ug.setUser(user);
ug.setProfile(Profile.Administrator);
ug.setId(ugId);
userGroups.add(ug);
}
} else {
if (!(myUserId.equals(userIdentifier)) && myProfile == Profile.UserAdmin) {
//--- retrieve session user groups and check to see whether this user is
//--- allowed to get this info
List<Integer> adminList = userGroupRepository.findGroupIds(where(UserGroupSpecs.hasUserId(Integer.valueOf(myUserId)))
.or(UserGroupSpecs.hasUserId(Integer.valueOf(userIdentifier))));
if (adminList.isEmpty()) {
throw new SecurityException("You don't have rights to do this because the user you want is not part of your group");
}
}
//--- retrieve user groups of the user id supplied
userGroups = userGroupRepository.findAll(UserGroupSpecs.hasUserId(Integer.valueOf(userIdentifier)));
}
return userGroups;
} else {
throw new SecurityException("You don't have rights to do get the groups for this user");
}
}
private List<Integer> getGroupIds(int userId) {
return ApplicationContextHolder.get().getBean(UserGroupRepository.class)
.findGroupIds(hasUserId(userId));
}
}