diff --git a/components/dsl/resources/ome/dsl/object.vm b/components/dsl/resources/ome/dsl/object.vm
index 9c9f4f0a77a..f3febc22848 100644
--- a/components/dsl/resources/ome/dsl/object.vm
+++ b/components/dsl/resources/ome/dsl/object.vm
@@ -75,7 +75,144 @@ import ome.model.*;
@org.hibernate.annotations.Filter(name="${efilter}", condition=":eventId = event_id"),
@org.hibernate.annotations.Filter(name="${pfilter}", condition=":permsStr = permissions"),
@org.hibernate.annotations.Filter(name="OneGroupSecurityFilter"),
- @org.hibernate.annotations.Filter(name="AllGroupsSecurityFilter")
+ @org.hibernate.annotations.Filter(name="AllGroupsSecurityFilter"),
+#if($type.id.equals("ome.model.acquisition.Detector"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT detector.id FROM detector*, image* WHERE " +
+ "detector.instrument = image.instrument AND image.id IN (:images)))")
+#elseif($type.id.equals("ome.model.acquisition.DetectorSettings"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT detectorsettings.id FROM detectorsettings*, detector*, image* WHERE " +
+ "detectorsettings.detector = detector.id AND detector.instrument = image.instrument AND image.id IN (:images)))")
+#elseif($type.id.equals("ome.model.acquisition.Dichroic"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT dichroic.id FROM dichroic*, image* WHERE " +
+ "dichroic.instrument = image.instrument AND image.id IN (:images)))")
+#elseif($type.id.equals("ome.model.acquisition.Filter"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT filter.id FROM filter*, image* WHERE " +
+ "filter.instrument = image.instrument AND image.id IN (:images)))")
+#elseif($type.id.equals("ome.model.acquisition.FilterSet"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT filterset.id FROM filterset*, image* WHERE " +
+ "filterset.instrument = image.instrument AND image.id IN (:images)))")
+#elseif($type.id.equals("ome.model.acquisition.FilterSetEmissionFilterLink"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT link.id FROM filtersetemissionfilterlink AS link*, filter*, image* WHERE " +
+ "link.child = filter.id AND filter.instrument = image.instrument AND image.id IN (:images)))")
+#elseif($type.id.equals("ome.model.acquisition.FilterSetExcitationFilterLink"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT link.id FROM filtersetexcitationfilterlink AS link*, filter*, image* WHERE " +
+ "link.child = filter.id AND filter.instrument = image.instrument AND image.id IN (:images)))")
+#elseif($type.id.equals("ome.model.acquisition.ImagingEnvironment"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT imagingenvironment FROM image* WHERE " +
+ "id IN (:images)))")
+#elseif($type.id.equals("ome.model.acquisition.Instrument"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT instrument FROM image* WHERE " +
+ "id IN (:images)))")
+#elseif($type.id.equals("ome.model.acquisition.LightPath"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT logicalchannel.lightpath FROM logicalchannel*, channel*, pixels* WHERE " +
+ "logicalchannel.id = channel.logicalchannel AND channel.pixels = pixels.id AND pixels.image IN (:images)))")
+#elseif($type.id.equals("ome.model.acquisition.LightPathEmissionFilterLink"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT link.id FROM lightpathemissionfilterlink AS link*, filter*, image* WHERE " +
+ "link.child = filter.id AND filter.instrument = image.instrument AND image.id IN (:images)))")
+#elseif($type.id.equals("ome.model.acquisition.LightPathExcitationFilterLink"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT link.id FROM lightpathexcitationfilterlink AS link*, filter*, image* WHERE " +
+ "link.child = filter.id AND filter.instrument = image.instrument AND image.id IN (:images)))")
+#elseif($type.id.equals("ome.model.acquisition.LightSettings"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT lightsettings.id FROM lightsettings*, logicalchannel*, channel*, pixels* WHERE " +
+ "lightsettings.id = logicalchannel.lightsourcesettings AND logicalchannel.id = channel.logicalchannel AND channel.pixels = pixels.id AND pixels.image IN (:images)))")
+#elseif($type.id.equals("ome.model.acquisition.LightSource"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT lightsource.id FROM lightsource*, image* WHERE " +
+ "lightsource.instrument = image.instrument AND image.id IN (:images)))")
+#elseif($type.id.equals("ome.model.acquisition.Microscope"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT instrument.microscope FROM instrument*, image* WHERE " +
+ "instrument.id = image.instrument AND image.id IN (:images)))")
+#elseif($type.id.equals("ome.model.acquisition.Objective"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT objective.id FROM objective*, image* WHERE " +
+ "objective.instrument = image.instrument AND image.id IN (:images)))")
+#elseif($type.id.equals("ome.model.acquisition.ObjectiveSettings"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT objectivesettings FROM image* WHERE " +
+ "id IN (:images)))")
+#elseif($type.id.equals("ome.model.acquisition.OTF"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT otf.id FROM otf*, image* WHERE " +
+ "otf.instrument = image.instrument AND image.id IN (:images)))")
+#elseif($type.id.equals("ome.model.acquisition.StageLabel"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT stagelabel FROM image* WHERE " +
+ "id IN (:images)))")
+#elseif($type.id.equals("ome.model.acquisition.TransmittanceRange"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT filter.transmittancerange FROM filter*, image* WHERE " +
+ "filter.instrument = image.instrument AND image.id IN (:images)))")
+#elseif($type.id.equals("ome.model.core.Channel"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT channel.id FROM channel*, pixels* WHERE " +
+ "channel.pixels = pixels.id AND pixels.image IN (:images)))")
+#elseif($type.id.equals("ome.model.core.Image"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (:images))")
+#elseif($type.id.equals("ome.model.core.LogicalChannel"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT channel.logicalchannel FROM channel*, pixels* WHERE " +
+ "channel.pixels = pixels.id AND pixels.image IN (:images)))")
+#elseif($type.id.equals("ome.model.core.OriginalFile"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT pofm.parent FROM pixelsoriginalfilemap AS pofm*, pixels* WHERE " +
+ "pofm.child = pixels.id AND pixels.image IN (:images)))")
+#elseif($type.id.equals("ome.model.core.Pixels"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "image IN (:images))")
+#elseif($type.id.equals("ome.model.core.PixelsOriginalFileMap"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT pofm.id FROM pixelsoriginalfilemap AS pofm*, pixels* WHERE " +
+ "pofm.child = pixels.id AND pixels.image IN (:images)))")
+#elseif($type.id.equals("ome.model.core.PlaneInfo"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT planeinfo.id FROM planeinfo*, pixels* WHERE " +
+ "planeinfo.pixels = pixels.id AND pixels.image IN (:images)))")
+#elseif($type.id.equals("ome.model.display.ChannelBinding"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT channelbinding.id FROM channelbinding*, renderingdef*, pixels* WHERE " +
+ "channelbinding.renderingdef = renderingdef.id AND renderingdef.pixels = pixels.id AND pixels.image IN (:images)))")
+#elseif($type.id.equals("ome.model.display.CodomainMapContext"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT codomainmapcontext.id FROM codomainmapcontext*, renderingdef*, pixels* WHERE " +
+ "codomainmapcontext.renderingdef = renderingdef.id AND renderingdef.pixels = pixels.id AND pixels.image IN (:images)))")
+#elseif($type.id.equals("ome.model.display.ProjectionDef"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT projectiondef.id FROM projectiondef*, renderingdef*, pixels* WHERE " +
+ "projectiondef.renderingdef = renderingdef.id AND renderingdef.pixels = pixels.id AND pixels.image IN (:images)))")
+#elseif($type.id.equals("ome.model.display.QuantumDef"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT renderingdef.quantization FROM renderingdef*, pixels* WHERE " +
+ "renderingdef.pixels = pixels.id AND pixels.image IN (:images)))")
+#elseif($type.id.equals("ome.model.display.RenderingDef"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT renderingdef.id FROM renderingdef*, pixels* WHERE " +
+ "renderingdef.pixels = pixels.id AND pixels.image IN (:images)))")
+#elseif($type.id.equals("ome.model.display.Thumbnail"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT thumbnail.id FROM thumbnail*, pixels* WHERE " +
+ "thumbnail.pixels = pixels.id AND pixels.image IN (:images)))")
+#elseif($type.id.equals("ome.model.stats.StatsInfo"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT channel.statsinfo FROM channel*, pixels* WHERE " +
+ "channel.pixels = pixels.id AND pixels.image IN (:images)))")
+#else
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0)")
+#end
})
#elseif($type.id.equals("ome.model.meta.Session"))
@org.hibernate.annotations.FilterDefs({
@@ -461,6 +598,143 @@ implements java.io.Serializable, IObject
@org.hibernate.annotations.Filters({
@org.hibernate.annotations.Filter(name="OneGroupSecurityFilter"),
@org.hibernate.annotations.Filter(name="AllGroupsSecurityFilter"),
+#if($prop.type.equals("ome.model.acquisition.Detector"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT detector.id FROM detector*, image* WHERE " +
+ "detector.instrument = image.instrument AND image.id IN (:images)))"),
+#elseif($prop.type.equals("ome.model.acquisition.DetectorSettings"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT detectorsettings.id FROM detectorsettings*, detector*, image* WHERE " +
+ "detectorsettings.detector = detector.id AND detector.instrument = image.instrument AND image.id IN (:images)))"),
+#elseif($prop.type.equals("ome.model.acquisition.Dichroic"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT dichroic.id FROM dichroic*, image* WHERE " +
+ "dichroic.instrument = image.instrument AND image.id IN (:images)))"),
+#elseif($prop.type.equals("ome.model.acquisition.Filter"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT filter.id FROM filter*, image* WHERE " +
+ "filter.instrument = image.instrument AND image.id IN (:images)))"),
+#elseif($prop.type.equals("ome.model.acquisition.FilterSet"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT filterset.id FROM filterset*, image* WHERE " +
+ "filterset.instrument = image.instrument AND image.id IN (:images)))"),
+#elseif($prop.type.equals("ome.model.acquisition.FilterSetEmissionFilterLink"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT link.id FROM filtersetemissionfilterlink AS link*, filter*, image* WHERE " +
+ "link.child = filter.id AND filter.instrument = image.instrument AND image.id IN (:images)))"),
+#elseif($prop.type.equals("ome.model.acquisition.FilterSetExcitationFilterLink"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT link.id FROM filtersetexcitationfilterlink AS link*, filter*, image* WHERE " +
+ "link.child = filter.id AND filter.instrument = image.instrument AND image.id IN (:images)))"),
+#elseif($prop.type.equals("ome.model.acquisition.ImagingEnvironment"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT imagingenvironment FROM image* WHERE " +
+ "id IN (:images)))"),
+#elseif($prop.type.equals("ome.model.acquisition.Instrument"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT instrument FROM image* WHERE " +
+ "id IN (:images)))"),
+#elseif($prop.type.equals("ome.model.acquisition.LightPath"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT logicalchannel.lightpath FROM logicalchannel*, channel*, pixels* WHERE " +
+ "logicalchannel.id = channel.logicalchannel AND channel.pixels = pixels.id AND pixels.image IN (:images)))"),
+#elseif($prop.type.equals("ome.model.acquisition.LightPathEmissionFilterLink"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT link.id FROM lightpathemissionfilterlink AS link*, filter*, image* WHERE " +
+ "link.child = filter.id AND filter.instrument = image.instrument AND image.id IN (:images)))"),
+#elseif($prop.type.equals("ome.model.acquisition.LightPathExcitationFilterLink"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT link.id FROM lightpathexcitationfilterlink AS link*, filter*, image* WHERE " +
+ "link.child = filter.id AND filter.instrument = image.instrument AND image.id IN (:images)))"),
+#elseif($prop.type.equals("ome.model.acquisition.LightSettings"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT lightsettings.id FROM lightsettings*, logicalchannel*, channel*, pixels* WHERE " +
+ "lightsettings.id = logicalchannel.lightsourcesettings AND logicalchannel.id = channel.logicalchannel AND channel.pixels = pixels.id AND pixels.image IN (:images)))"),
+#elseif($prop.type.equals("ome.model.acquisition.LightSource"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT lightsource.id FROM lightsource*, image* WHERE " +
+ "lightsource.instrument = image.instrument AND image.id IN (:images)))"),
+#elseif($prop.type.equals("ome.model.acquisition.Microscope"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT instrument.microscope FROM instrument*, image* WHERE " +
+ "instrument.id = image.instrument AND image.id IN (:images)))"),
+#elseif($prop.type.equals("ome.model.acquisition.Objective"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT objective.id FROM objective*, image* WHERE " +
+ "objective.instrument = image.instrument AND image.id IN (:images)))"),
+#elseif($prop.type.equals("ome.model.acquisition.ObjectiveSettings"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT objectivesettings FROM image* WHERE " +
+ "id IN (:images)))"),
+#elseif($prop.type.equals("ome.model.acquisition.OTF"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT otf.id FROM otf*, image* WHERE " +
+ "otf.instrument = image.instrument AND image.id IN (:images)))"),
+#elseif($prop.type.equals("ome.model.acquisition.StageLabel"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT stagelabel FROM image* WHERE " +
+ "id IN (:images)))"),
+#elseif($prop.type.equals("ome.model.acquisition.TransmittanceRange"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT filter.transmittancerange FROM filter*, image* WHERE " +
+ "filter.instrument = image.instrument AND image.id IN (:images)))"),
+#elseif($prop.type.equals("ome.model.core.Channel"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT channel.id FROM channel*, pixels* WHERE " +
+ "channel.pixels = pixels.id AND pixels.image IN (:images)))"),
+#elseif($prop.type.equals("ome.model.core.Image"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (:images))"),
+#elseif($prop.type.equals("ome.model.core.LogicalChannel"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT channel.logicalchannel FROM channel*, pixels* WHERE " +
+ "channel.pixels = pixels.id AND pixels.image IN (:images)))"),
+#elseif($prop.type.equals("ome.model.core.OriginalFile"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT pofm.parent FROM pixelsoriginalfilemap AS pofm*, pixels* WHERE " +
+ "pofm.child = pixels.id AND pixels.image IN (:images)))"),
+#elseif($prop.type.equals("ome.model.core.Pixels"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "image IN (:images))"),
+#elseif($prop.type.equals("ome.model.core.PixelsOriginalFileMap"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT pofm.id FROM pixelsoriginalfilemap AS pofm*, pixels* WHERE " +
+ "pofm.child = pixels.id AND pixels.image IN (:images)))"),
+#elseif($prop.type.equals("ome.model.core.PlaneInfo"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT planeinfo.id FROM planeinfo*, pixels* WHERE " +
+ "planeinfo.pixels = pixels.id AND pixels.image IN (:images)))"),
+#elseif($prop.type.equals("ome.model.display.ChannelBinding"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT channelbinding.id FROM channelbinding*, renderingdef*, pixels* WHERE " +
+ "channelbinding.renderingdef = renderingdef.id AND renderingdef.pixels = pixels.id AND pixels.image IN (:images)))"),
+#elseif($prop.type.equals("ome.model.display.CodomainMapContext"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT codomainmapcontext.id FROM codomainmapcontext*, renderingdef*, pixels* WHERE " +
+ "codomainmapcontext.renderingdef = renderingdef.id AND renderingdef.pixels = pixels.id AND pixels.image IN (:images)))"),
+#elseif($prop.type.equals("ome.model.display.ProjectionDef"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT projectiondef.id FROM projectiondef*, renderingdef*, pixels* WHERE " +
+ "projectiondef.renderingdef = renderingdef.id AND renderingdef.pixels = pixels.id AND pixels.image IN (:images)))"),
+#elseif($prop.type.equals("ome.model.display.QuantumDef"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT renderingdef.quantization FROM renderingdef*, pixels* WHERE " +
+ "renderingdef.pixels = pixels.id AND pixels.image IN (:images)))"),
+#elseif($prop.type.equals("ome.model.display.RenderingDef"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT renderingdef.id FROM renderingdef*, pixels* WHERE " +
+ "renderingdef.pixels = pixels.id AND pixels.image IN (:images)))"),
+#elseif($prop.type.equals("ome.model.display.Thumbnail"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT thumbnail.id FROM thumbnail*, pixels* WHERE " +
+ "thumbnail.pixels = pixels.id AND pixels.image IN (:images)))"),
+#elseif($prop.type.equals("ome.model.stats.StatsInfo"))
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0 OR " +
+ "id IN (SELECT channel.statsinfo FROM channel*, pixels* WHERE " +
+ "channel.pixels = pixels.id AND pixels.image IN (:images)))"),
+#else
+ @org.hibernate.annotations.Filter(name="SharingSecurityFilter", condition="(:is_admin = 1 OR :is_share = 0)"),
+#end
@org.hibernate.annotations.Filter(name=OWNER_FILTER_${prop.nameUpper}, condition=":ownerId = owner_id"),
@org.hibernate.annotations.Filter(name=GROUP_FILTER_${prop.nameUpper}, condition=":groupId = group_id"),
@org.hibernate.annotations.Filter(name=EVENT_FILTER_${prop.nameUpper}, condition=":eventId = event_id"),
@@ -1377,7 +1651,7 @@ implements java.io.Serializable, IObject
@Override
@javax.persistence.ManyToOne(fetch = javax.persistence.FetchType.LAZY, cascade = {${cascadeEjb}})
@org.hibernate.annotations.Cascade({${cascadeHib}})
- @javax.persistence.JoinColumn(name = "external_id", nullable = true, unique = true, insertable = true, updatable = false)
+ @javax.persistence.JoinColumn(name = "external_id", nullable = true, unique = true, insertable = true, updatable = true)
#set($fkvalue = "FK${type.table}_external_id_externalinfo")
#set($fkvalue = "${type.fk($fkvalue)}")
@org.hibernate.annotations.ForeignKey(name = "${fkvalue}")
diff --git a/components/model/resources/mock_filters.hbm.xml b/components/model/resources/mock_filters.hbm.xml
index 9780ec4f78b..df87a189a4b 100644
--- a/components/model/resources/mock_filters.hbm.xml
+++ b/components/model/resources/mock_filters.hbm.xml
@@ -6,4 +6,5 @@
+
diff --git a/components/server/resources/ome/services/hibernate.xml b/components/server/resources/ome/services/hibernate.xml
index 9eb48d7205c..5c261d35e08 100644
--- a/components/server/resources/ome/services/hibernate.xml
+++ b/components/server/resources/ome/services/hibernate.xml
@@ -3,7 +3,7 @@
+
@@ -58,6 +57,11 @@
+
+
+
+
+
diff --git a/components/server/src/ome/security/SecurityFilterHolder.java b/components/server/src/ome/security/SecurityFilterHolder.java
index 76dd816c53a..3058f436551 100644
--- a/components/server/src/ome/security/SecurityFilterHolder.java
+++ b/components/server/src/ome/security/SecurityFilterHolder.java
@@ -13,6 +13,7 @@
import ome.security.basic.AllGroupsSecurityFilter;
import ome.security.basic.CurrentDetails;
import ome.security.basic.OneGroupSecurityFilter;
+import ome.security.basic.SharingSecurityFilter;
import ome.system.EventContext;
/**
@@ -29,6 +30,8 @@ public class SecurityFilterHolder implements SecurityFilter {
final protected OneGroupSecurityFilter onegroup;
+ final protected SharingSecurityFilter share;
+
final protected CurrentDetails cd;
protected ThreadLocal current = new ThreadLocal() {
@@ -40,15 +43,21 @@ protected SecurityFilter initialValue() {
public SecurityFilterHolder(CurrentDetails cd,
OneGroupSecurityFilter onegroup,
- AllGroupsSecurityFilter allgroups) {
+ AllGroupsSecurityFilter allgroups,
+ SharingSecurityFilter share) {
this.cd = cd;
this.onegroup = onegroup;
this.allgroups = allgroups;
+ this.share = share;
}
public SecurityFilter choose() {
- Long groupId = cd.getCurrentEventContext().getCurrentGroupId();
- if (groupId < 0) {
+ final EventContext ec = cd.getCurrentEventContext();
+ final Long groupId = ec.getCurrentGroupId();
+ final Long shareId = ec.getCurrentShareId();
+ if (shareId != null && shareId >= 0) {
+ return share;
+ } else if (groupId < 0) {
return allgroups;
} else {
return onegroup;
diff --git a/components/server/src/ome/security/basic/BasicSecuritySystem.java b/components/server/src/ome/security/basic/BasicSecuritySystem.java
index 4a1fa240255..26c7dca760c 100644
--- a/components/server/src/ome/security/basic/BasicSecuritySystem.java
+++ b/components/server/src/ome/security/basic/BasicSecuritySystem.java
@@ -126,7 +126,8 @@ public static BasicSecuritySystem selfConfigure(SessionManager sm,
Roles roles = new Roles();
SecurityFilterHolder holder = new SecurityFilterHolder(
cd, new OneGroupSecurityFilter(roles),
- new AllGroupsSecurityFilter(null, roles));
+ new AllGroupsSecurityFilter(null, roles),
+ new SharingSecurityFilter(roles, null));
BasicSecuritySystem sec = new BasicSecuritySystem(oi, st, cd, sm,
roles, sf, new TokenHolder(), holder, new DefaultPolicyService());
return sec;
diff --git a/components/server/src/ome/security/basic/OmeroInterceptor.java b/components/server/src/ome/security/basic/OmeroInterceptor.java
index aa50435b06b..c85d083e7b8 100644
--- a/components/server/src/ome/security/basic/OmeroInterceptor.java
+++ b/components/server/src/ome/security/basic/OmeroInterceptor.java
@@ -708,7 +708,7 @@ else if ((bec.getCurrentGroupId() < 0) &&
}
// EXTERNALINFO
- // useres _are_ allowed to set the external info on a new object.
+ // users _are_ allowed to set the external info on a new object.
// subsequent operations, however, will not be able to edit this
// value.
newDetails.setExternalInfo(source.getExternalInfo());
@@ -818,10 +818,9 @@ else if (currentDetails == null) {
// the object doesn't have owner/group
final boolean sysType = sysTypes.isSystemType(iobj.getClass());
- // isGlobal implies nothing (currently) about external info
- // see mapping.vm for more.
- altered |= managedExternalInfo(privileged, iobj,
- previousDetails, currentDetails, newDetails);
+ // As of 5.2, we are no longer being restrictive about external
+ // info. It is now a user-concern and can be changed like other
+ // fields.
// implies that owner doesn't matter
if (!sysType) {
@@ -858,7 +857,8 @@ else if (currentDetails == null) {
/**
* responsible for guaranteeing that external info is not modified by any
- * users, including root.
+ * users, including root. This does not apply to the "client concern" fields
+ * which can be modified after the fact.
*
* @param privileged if the user is privileged
* @param obj the model object
@@ -871,6 +871,7 @@ else if (currentDetails == null) {
* {@link Permissions}
* @return true if the {@link Permissions} of newDetails are changed.
*/
+ @Deprecated
protected boolean managedExternalInfo(boolean privileged,
IObject obj, Details previousDetails, Details currentDetails,
Details newDetails) {
@@ -884,9 +885,10 @@ protected boolean managedExternalInfo(boolean privileged,
.getExternalInfo();
if (previous == null) {
- // do we allow a change?
- newDetails.setExternalInfo(current);
- altered |= newDetails.getExternalInfo() != current;
+ if (current != null) {
+ newDetails.setExternalInfo(current);
+ altered = true;
+ }
}
// The ExternalInfo was previously set. We do not allow it to be
diff --git a/components/server/src/ome/security/basic/SharingSecurityFilter.java b/components/server/src/ome/security/basic/SharingSecurityFilter.java
new file mode 100644
index 00000000000..7a72577e8b9
--- /dev/null
+++ b/components/server/src/ome/security/basic/SharingSecurityFilter.java
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) 2016 University of Dundee & Open Microscopy Environment.
+ * All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+package ome.security.basic;
+
+import java.util.List;
+import java.util.Map;
+
+import ome.model.core.Image;
+import ome.model.internal.Details;
+import ome.services.sharing.ShareStore;
+import ome.services.sharing.data.ShareData;
+import ome.system.EventContext;
+import ome.system.Roles;
+
+import org.apache.commons.collections.CollectionUtils;
+import org.hibernate.Filter;
+import org.hibernate.Session;
+
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableMap;
+
+/**
+ * The sharing security filter provides database-level access protection for share contexts.
+ * @see ome.security.sharing.SharingACLVoter
+ * @author m.t.b.carroll@dundee.ac.uk
+ * @since 5.2.5
+ */
+public class SharingSecurityFilter extends AbstractSecurityFilter {
+
+ private static final ImmutableMap PARAMETER_TYPES =
+ ImmutableMap.of("is_admin", "int",
+ "is_share", "int",
+ "images", "long");
+
+ private ShareStore shares;
+
+ /**
+ * Construct a new sharing security filter.
+ * @param roles the users and groups that are special to OMERO
+ * @param shares the shares
+ */
+ public SharingSecurityFilter(Roles roles, ShareStore shares) {
+ super(roles);
+ this.shares = shares;
+ }
+
+ @Override
+ public Map getParameterTypes() {
+ return PARAMETER_TYPES;
+ }
+
+ @Override
+ public String getDefaultCondition() {
+ /* provided instead by annotations */
+ return null;
+ }
+
+ @Override
+ public boolean passesFilter(Session session, Details details, EventContext ec) {
+ final Long shareId = ec.getCurrentShareId();
+ if (shareId == null) {
+ return true;
+ }
+ final ShareData share = shares.get(shareId);
+ return ec.isCurrentUserAdmin() || share != null && share.enabled;
+ }
+
+ @Override
+ public void enable(Session session, EventContext ec) {
+ List imageIds = null;
+ final Long shareId = ec.getCurrentShareId();
+ if (shareId != null) {
+ final ShareData shareData = shares.get(shareId);
+ if (shareData != null && shareData.enabled) {
+ imageIds = shareData.objectMap.get(Image.class.getName());
+ }
+ }
+ if (CollectionUtils.isEmpty(imageIds)) {
+ imageIds = ImmutableList.of(-1L);
+ }
+ final int isAdmin01 = ec.isCurrentUserAdmin() ? 1 : 0;
+ final int isShare01 = isShare(ec) ? 1 : 0;
+
+ final Filter filter = session.enableFilter(getName());
+ filter.setParameter("is_admin", isAdmin01);
+ filter.setParameter("is_share", isShare01);
+ filter.setParameterList("images", imageIds);
+ enableBaseFilters(session, isAdmin01, ec.getCurrentUserId());
+ }
+}
diff --git a/components/tools/OmeroPy/test/integration/test_ishare.py b/components/tools/OmeroPy/test/integration/test_ishare.py
index 5436598bc89..f2e1a32ca85 100644
--- a/components/tools/OmeroPy/test/integration/test_ishare.py
+++ b/components/tools/OmeroPy/test/integration/test_ishare.py
@@ -278,6 +278,7 @@ def test1157(self):
c2 = len(share2.getComments(sid))
assert 2 == c2
+ @pytest.mark.broken(reason="shares are image-centric for now")
def test1172(self):
uuid = self.root.sf.getAdminService().getEventContext().sessionUuid
share = self.root.sf.getShareService()
diff --git a/components/tools/OmeroPy/test/integration/test_iupdate.py b/components/tools/OmeroPy/test/integration/test_iupdate.py
index e97889ad256..fb43b1c3122 100644
--- a/components/tools/OmeroPy/test/integration/test_iupdate.py
+++ b/components/tools/OmeroPy/test/integration/test_iupdate.py
@@ -12,6 +12,7 @@
import library as lib
import omero
+import pytest
class TestIUpdate(lib.ITest):
@@ -35,3 +36,97 @@ def testSaveCollection(self):
"""
tags = self.tags()
self.update.saveCollection(tags)
+
+ def testExternalInfoOnCreation(self):
+ ds = self.mkdataset(True)
+ ds = self.update.saveAndReturnObject(ds)
+ assert ds.details.externalInfo
+ self.assert_type(ds, "test")
+
+ def testExternalInfoAfterCreationTransient(self):
+ ds = self.mkdataset(False)
+ ds = self.update.saveAndReturnObject(ds)
+ assert not ds.details.externalInfo
+ ds.details.externalInfo = self.mkinfo("late")
+ ds = self.update.saveAndReturnObject(ds)
+ assert ds.details.externalInfo
+ self.assert_type(ds, "late")
+
+ def testExternalInfoAfterCreationManaged(self):
+ ds = self.mkdataset(False)
+ ds = self.update.saveAndReturnObject(ds)
+ assert not ds.details.externalInfo
+ info = self.mkinfo("late")
+ info = self.update.saveAndReturnObject(info)
+ ds.details.externalInfo = info
+ ds = self.update.saveAndReturnObject(ds)
+ assert ds.details.externalInfo
+ self.assert_type(ds, "late")
+
+ def testExternalInfoNewInstance(self):
+ ds = self.mkdataset(True)
+ ds = self.update.saveAndReturnObject(ds)
+ info = self.mkinfo(type="updated")
+ ds.details.externalInfo = info
+ ds = self.update.saveAndReturnObject(ds)
+ self.assert_type(ds, "updated")
+
+ def testExternalInfoNullInstance(self):
+ ds = self.mkdataset(True)
+ ds = self.update.saveAndReturnObject(ds)
+ ds.details.externalInfo = None
+ ds = self.update.saveAndReturnObject(ds)
+ self.assert_type(ds, None)
+
+ def testExternalInfoUpdateInstance(self):
+ ds = self.mkdataset(True)
+ ds = self.update.saveAndReturnObject(ds)
+ self.assert_type(ds, "test")
+ info = ds.details.externalInfo
+ info.entityType = omero.rtypes.rstring("updated")
+ ds = self.update.saveAndReturnObject(ds)
+ # This is still disallowed since the ExternalInfo
+ # object itself is immutable (it has no update_id
+ # column).
+ with pytest.raises(Exception):
+ self.assert_type(ds, "updated")
+
+ # Helpers
+
+ def reload(self, ds):
+ return self.query.findByQuery((
+ "select ds from Dataset ds "
+ "left outer join fetch ds.details.externalInfo "
+ "where ds.id = :id"), omero.sys.ParametersI().addId(ds.id))
+
+ def mkdataset(self, info):
+ ds = omero.model.DatasetI()
+ ds.name = omero.rtypes.rstring("testExternalInfo")
+ if info:
+ ds.details.externalInfo = self.mkinfo()
+ return ds
+
+ def mkinfo(self, type="test"):
+ info = omero.model.ExternalInfoI()
+ info.entityType = omero.rtypes.rstring(type)
+ info.entityId = omero.rtypes.rlong(1)
+ return info
+
+ def assert_type(self, ds, value):
+ if value is None:
+ assert ds.details.externalInfo is None
+ else:
+ assert ds.details.externalInfo.entityType.val == value
+ ds = self.reload(ds)
+ if value is None:
+ assert ds.details.externalInfo is None
+ else:
+ assert ds.details.externalInfo.entityType.val == value
+ return ds
+
+ def incr(self, ds):
+ if ds.version is None:
+ ds.version = omero.rtypes.rint(0)
+ else:
+ i = ds.version.val
+ ds.version = omero.rtypes.rint(i+1)
diff --git a/history.txt b/history.txt
index 184b676bac7..02eb97d66a3 100644
--- a/history.txt
+++ b/history.txt
@@ -1,6 +1,34 @@
OMERO version history
=====================
+5.2.5 (August 2016)
+-------------------
+
+This is a security release to fix the access privileges of the share function,
+which were potentially allowing users to access private data belonging to
+other users via the API.
+
+See :secvuln:`2016-SV2-share` for details. Shares will now respect user
+privileges as set by the group permission level. Note that Shares now
+**only** support images even when used via the API.
+
+It is highly recommended that you upgrade your server. For those not in a
+position to do so as a matter of urgency, a workaround is provided which
+deletes all shares and disables their creation.
+
+5.2.4 (May 2016)
+----------------
+
+This is a security release to fix the cleanse.py script used by the "bin/omero
+admin cleanse" command, which was not properly respecting user permissions and
+may lead to data loss.
+
+See :secvuln:`2016-SV1-cleanse` for details. The script and command have now
+been made admin-only.
+
+It is highly suggested that you upgrade your server or apply the patch
+available from the security page.
+
5.2.3 (May 2016)
----------------
diff --git a/sql/psql/OMERO5.1__1/OMERO5.1-delete-and-disable-shares.sql b/sql/psql/OMERO5.1__1/OMERO5.1-delete-and-disable-shares.sql
new file mode 100644
index 00000000000..f9736cfdff3
--- /dev/null
+++ b/sql/psql/OMERO5.1__1/OMERO5.1-delete-and-disable-shares.sql
@@ -0,0 +1,77 @@
+-- Copyright (C) 2016 Glencoe Software, Inc. All rights reserved.
+-- Use is subject to license terms supplied in LICENSE.txt
+--
+-- This program is free software; you can redistribute it and/or modify
+-- it under the terms of the GNU General Public License as published by
+-- the Free Software Foundation; either version 2 of the License, or
+-- (at your option) any later version.
+--
+-- This program is distributed in the hope that it will be useful,
+-- but WITHOUT ANY WARRANTY; without even the implied warranty of
+-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-- GNU General Public License for more details.
+--
+-- You should have received a copy of the GNU General Public License along
+-- with this program; if not, write to the Free Software Foundation, Inc.,
+-- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+--
+
+---
+--- OMERO5 in-place upgrade for the OMERO5.1__1 database to disable shares.
+---
+
+BEGIN;
+
+
+--
+-- check OMERO database version
+--
+
+CREATE OR REPLACE FUNCTION omero_assert_db_version(expected_version VARCHAR, expected_patch INTEGER) RETURNS void AS $$
+
+DECLARE
+ current_version VARCHAR;
+ current_patch INTEGER;
+
+BEGIN
+ SELECT currentversion, currentpatch INTO STRICT current_version, current_patch
+ FROM dbpatch ORDER BY id DESC LIMIT 1;
+
+ IF current_version <> expected_version OR current_patch <> expected_patch THEN
+ RAISE EXCEPTION 'wrong OMERO database version for this upgrade script';
+ END IF;
+
+END;$$ LANGUAGE plpgsql;
+
+SELECT omero_assert_db_version('OMERO5.1', 1);
+DROP FUNCTION omero_assert_db_version(varchar, int);
+
+
+--
+-- Actual upgrade
+--
+
+
+DELETE FROM sharemember;
+DELETE FROM share;
+CREATE OR REPLACE FUNCTION disable_shares() RETURNS trigger LANGUAGE plpgsql as $$
+BEGIN
+ RAISE EXCEPTION 'Shares are disabled';
+END $$;
+DROP TRIGGER IF EXISTS disable_shares ON share;
+CREATE TRIGGER disable_shares BEFORE INSERT ON share FOR EACH ROW EXECUTE PROCEDURE disable_shares();
+
+
+--
+-- FINISHED
+--
+
+UPDATE dbpatch SET message = 'Shares disabled.', finished = clock_timestamp()
+ WHERE currentVersion = 'OMERO5.1' AND
+ currentPatch = 1 AND
+ previousVersion = 'OMERO5.1' AND
+ previousPatch = 1;
+
+SELECT CHR(10)||CHR(10)||CHR(10)||'SHARES HAVE BEEN DISABLED FOR OMERO5.1__1'||CHR(10)||CHR(10)||CHR(10) AS Status;
+
+COMMIT;
diff --git a/sql/psql/OMERO5.1__1/OMERO5.1-enable-shares.sql b/sql/psql/OMERO5.1__1/OMERO5.1-enable-shares.sql
new file mode 100644
index 00000000000..6b8e62b8bc3
--- /dev/null
+++ b/sql/psql/OMERO5.1__1/OMERO5.1-enable-shares.sql
@@ -0,0 +1,71 @@
+-- Copyright (C) 2016 Glencoe Software, Inc. All rights reserved.
+-- Use is subject to license terms supplied in LICENSE.txt
+--
+-- This program is free software; you can redistribute it and/or modify
+-- it under the terms of the GNU General Public License as published by
+-- the Free Software Foundation; either version 2 of the License, or
+-- (at your option) any later version.
+--
+-- This program is distributed in the hope that it will be useful,
+-- but WITHOUT ANY WARRANTY; without even the implied warranty of
+-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-- GNU General Public License for more details.
+--
+-- You should have received a copy of the GNU General Public License along
+-- with this program; if not, write to the Free Software Foundation, Inc.,
+-- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+--
+
+---
+--- OMERO5 in-place upgrade for the OMERO5.1__1 database to re-enable shares.
+---
+
+BEGIN;
+
+
+--
+-- check OMERO database version
+--
+
+CREATE OR REPLACE FUNCTION omero_assert_db_version(expected_version VARCHAR, expected_patch INTEGER) RETURNS void AS $$
+
+DECLARE
+ current_version VARCHAR;
+ current_patch INTEGER;
+
+BEGIN
+ SELECT currentversion, currentpatch INTO STRICT current_version, current_patch
+ FROM dbpatch ORDER BY id DESC LIMIT 1;
+
+ IF current_version <> expected_version OR current_patch <> expected_patch THEN
+ RAISE EXCEPTION 'wrong OMERO database version for this upgrade script';
+ END IF;
+
+END;$$ LANGUAGE plpgsql;
+
+SELECT omero_assert_db_version('OMERO5.1', 1);
+DROP FUNCTION omero_assert_db_version(varchar, int);
+
+
+--
+-- Actual upgrade
+--
+
+
+DROP TRIGGER IF EXISTS disable_shares ON share;
+DROP FUNCTION IF EXISTS disable_shares();
+
+
+--
+-- FINISHED
+--
+
+UPDATE dbpatch SET message = 'Shares re-enabled.', finished = clock_timestamp()
+ WHERE currentVersion = 'OMERO5.1' AND
+ currentPatch = 1 AND
+ previousVersion = 'OMERO5.1' AND
+ previousPatch = 1;
+
+SELECT CHR(10)||CHR(10)||CHR(10)||'SHARES HAVE BEEN RE-ENABLED FOR OMERO5.1__1'||CHR(10)||CHR(10)||CHR(10) AS Status;
+
+COMMIT;
diff --git a/sql/psql/OMERO5.2__0/OMERO5.2-delete-and-disable-shares.sql b/sql/psql/OMERO5.2__0/OMERO5.2-delete-and-disable-shares.sql
new file mode 100644
index 00000000000..2462cd48fa6
--- /dev/null
+++ b/sql/psql/OMERO5.2__0/OMERO5.2-delete-and-disable-shares.sql
@@ -0,0 +1,77 @@
+-- Copyright (C) 2016 Glencoe Software, Inc. All rights reserved.
+-- Use is subject to license terms supplied in LICENSE.txt
+--
+-- This program is free software; you can redistribute it and/or modify
+-- it under the terms of the GNU General Public License as published by
+-- the Free Software Foundation; either version 2 of the License, or
+-- (at your option) any later version.
+--
+-- This program is distributed in the hope that it will be useful,
+-- but WITHOUT ANY WARRANTY; without even the implied warranty of
+-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-- GNU General Public License for more details.
+--
+-- You should have received a copy of the GNU General Public License along
+-- with this program; if not, write to the Free Software Foundation, Inc.,
+-- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+--
+
+---
+--- OMERO5 in-place upgrade for the OMERO5.2__0 database to disable shares.
+---
+
+BEGIN;
+
+
+--
+-- check OMERO database version
+--
+
+CREATE OR REPLACE FUNCTION omero_assert_db_version(expected_version VARCHAR, expected_patch INTEGER) RETURNS void AS $$
+
+DECLARE
+ current_version VARCHAR;
+ current_patch INTEGER;
+
+BEGIN
+ SELECT currentversion, currentpatch INTO STRICT current_version, current_patch
+ FROM dbpatch ORDER BY id DESC LIMIT 1;
+
+ IF current_version <> expected_version OR current_patch <> expected_patch THEN
+ RAISE EXCEPTION 'wrong OMERO database version for this upgrade script';
+ END IF;
+
+END;$$ LANGUAGE plpgsql;
+
+SELECT omero_assert_db_version('OMERO5.2', 0);
+DROP FUNCTION omero_assert_db_version(varchar, int);
+
+
+--
+-- Actual upgrade
+--
+
+
+DELETE FROM sharemember;
+DELETE FROM share;
+CREATE OR REPLACE FUNCTION disable_shares() RETURNS trigger LANGUAGE plpgsql as $$
+BEGIN
+ RAISE EXCEPTION 'Shares are disabled';
+END $$;
+DROP TRIGGER IF EXISTS disable_shares ON share;
+CREATE TRIGGER disable_shares BEFORE INSERT ON share FOR EACH ROW EXECUTE PROCEDURE disable_shares();
+
+
+--
+-- FINISHED
+--
+
+UPDATE dbpatch SET message = 'Shares disabled.', finished = clock_timestamp()
+ WHERE currentVersion = 'OMERO5.2' AND
+ currentPatch = 0 AND
+ previousVersion = 'OMERO5.2' AND
+ previousPatch = 0;
+
+SELECT CHR(10)||CHR(10)||CHR(10)||'SHARES HAVE BEEN DISABLED FOR OMERO5.2__0'||CHR(10)||CHR(10)||CHR(10) AS Status;
+
+COMMIT;
diff --git a/sql/psql/OMERO5.2__0/OMERO5.2-enable-shares.sql b/sql/psql/OMERO5.2__0/OMERO5.2-enable-shares.sql
new file mode 100644
index 00000000000..d1748f037df
--- /dev/null
+++ b/sql/psql/OMERO5.2__0/OMERO5.2-enable-shares.sql
@@ -0,0 +1,71 @@
+-- Copyright (C) 2016 Glencoe Software, Inc. All rights reserved.
+-- Use is subject to license terms supplied in LICENSE.txt
+--
+-- This program is free software; you can redistribute it and/or modify
+-- it under the terms of the GNU General Public License as published by
+-- the Free Software Foundation; either version 2 of the License, or
+-- (at your option) any later version.
+--
+-- This program is distributed in the hope that it will be useful,
+-- but WITHOUT ANY WARRANTY; without even the implied warranty of
+-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-- GNU General Public License for more details.
+--
+-- You should have received a copy of the GNU General Public License along
+-- with this program; if not, write to the Free Software Foundation, Inc.,
+-- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+--
+
+---
+--- OMERO5 in-place upgrade for the OMERO5.2__0 database to re-enable shares.
+---
+
+BEGIN;
+
+
+--
+-- check OMERO database version
+--
+
+CREATE OR REPLACE FUNCTION omero_assert_db_version(expected_version VARCHAR, expected_patch INTEGER) RETURNS void AS $$
+
+DECLARE
+ current_version VARCHAR;
+ current_patch INTEGER;
+
+BEGIN
+ SELECT currentversion, currentpatch INTO STRICT current_version, current_patch
+ FROM dbpatch ORDER BY id DESC LIMIT 1;
+
+ IF current_version <> expected_version OR current_patch <> expected_patch THEN
+ RAISE EXCEPTION 'wrong OMERO database version for this upgrade script';
+ END IF;
+
+END;$$ LANGUAGE plpgsql;
+
+SELECT omero_assert_db_version('OMERO5.2', 0);
+DROP FUNCTION omero_assert_db_version(varchar, int);
+
+
+--
+-- Actual upgrade
+--
+
+
+DROP TRIGGER IF EXISTS disable_shares ON share;
+DROP FUNCTION IF EXISTS disable_shares();
+
+
+--
+-- FINISHED
+--
+
+UPDATE dbpatch SET message = 'Shares re-enabled.', finished = clock_timestamp()
+ WHERE currentVersion = 'OMERO5.2' AND
+ currentPatch = 0 AND
+ previousVersion = 'OMERO5.2' AND
+ previousPatch = 0;
+
+SELECT CHR(10)||CHR(10)||CHR(10)||'SHARES HAVE BEEN RE-ENABLED FOR OMERO5.2__0'||CHR(10)||CHR(10)||CHR(10) AS Status;
+
+COMMIT;