airavata-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From machris...@apache.org
Subject [airavata] branch group-based-auth updated: AIRAVATA-2835 Require OWNER permission to change sharing
Date Thu, 05 Jul 2018 15:15:58 GMT
This is an automated email from the ASF dual-hosted git repository.

machristie pushed a commit to branch group-based-auth
in repository https://gitbox.apache.org/repos/asf/airavata.git


The following commit(s) were added to refs/heads/group-based-auth by this push:
     new 826ccb8  AIRAVATA-2835 Require OWNER permission to change sharing
826ccb8 is described below

commit 826ccb8eca3b470f75d893af23788da6870bb561
Author: Marcus Christie <machristie@apache.org>
AuthorDate: Thu Jul 5 11:14:41 2018 -0400

    AIRAVATA-2835 Require OWNER permission to change sharing
    
    We already require this on the frontend but the backend should verify as
    well.
---
 .../api/server/handler/AiravataServerHandler.java        | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java
b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java
index 131fa14..4a638d5 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java
@@ -4999,10 +4999,12 @@ public class AiravataServerHandler implements Airavata.Iface {
     public boolean shareResourceWithUsers(AuthzToken authzToken, String resourceId,
                                           Map<String, ResourcePermissionType> userPermissionList)
throws InvalidRequestException,
             AiravataClientException, AiravataSystemException, AuthorizationException, TException
{
-        // TODO: first verify that authenticating user is OWNER of the resource
         RegistryService.Client regClient = registryClientPool.getResource();
         SharingRegistryService.Client sharingClient = sharingClientPool.getResource();
         try {
+            if (!userHasAccessInternal(sharingClient, authzToken, resourceId, ResourcePermissionType.OWNER))
{
+                throw new AuthorizationException("User is not allowed to change sharing because
the user is not the resource owner.");
+            }
             for(Map.Entry<String, ResourcePermissionType> userPermission : userPermissionList.entrySet()){
                 String gatewayId = authzToken.getClaimsMap().get(Constants.GATEWAY_ID);
                 if(userPermission.getValue().equals(ResourcePermissionType.WRITE))
@@ -5035,10 +5037,12 @@ public class AiravataServerHandler implements Airavata.Iface {
     public boolean shareResourceWithGroups(AuthzToken authzToken, String resourceId,
                                            Map<String, ResourcePermissionType> groupPermissionList)
             throws InvalidRequestException, AiravataClientException, AiravataSystemException,
AuthorizationException, TException {
-        // TODO: first verify that authenticating user is OWNER of the resource
         RegistryService.Client regClient = registryClientPool.getResource();
         SharingRegistryService.Client sharingClient = sharingClientPool.getResource();
         try {
+            if (!userHasAccessInternal(sharingClient, authzToken, resourceId, ResourcePermissionType.OWNER))
{
+                throw new AuthorizationException("User is not allowed to change sharing because
the user is not the resource owner.");
+            }
             for(Map.Entry<String, ResourcePermissionType> groupPermission : groupPermissionList.entrySet()){
                 String gatewayId = authzToken.getClaimsMap().get(Constants.GATEWAY_ID);
                 if(groupPermission.getValue().equals(ResourcePermissionType.WRITE))
@@ -5070,10 +5074,12 @@ public class AiravataServerHandler implements Airavata.Iface {
     @SecurityCheck
     public boolean revokeSharingOfResourceFromUsers(AuthzToken authzToken, String resourceId,
                                                     Map<String, ResourcePermissionType>
userPermissionList) throws InvalidRequestException, AiravataClientException, AiravataSystemException,
AuthorizationException, TException {
-        // TODO: first verify that authenticating user is OWNER of the resource
         RegistryService.Client regClient = registryClientPool.getResource();
         SharingRegistryService.Client sharingClient = sharingClientPool.getResource();
         try {
+            if (!userHasAccessInternal(sharingClient, authzToken, resourceId, ResourcePermissionType.OWNER))
{
+                throw new AuthorizationException("User is not allowed to change sharing because
the user is not the resource owner.");
+            }
             for(Map.Entry<String, ResourcePermissionType> userPermission : userPermissionList.entrySet()){
                 String gatewayId = authzToken.getClaimsMap().get(Constants.GATEWAY_ID);
                 if(userPermission.getValue().equals(ResourcePermissionType.WRITE))
@@ -5106,11 +5112,13 @@ public class AiravataServerHandler implements Airavata.Iface {
     public boolean revokeSharingOfResourceFromGroups(AuthzToken authzToken, String resourceId,
                                                      Map<String, ResourcePermissionType>
groupPermissionList) 
             throws InvalidRequestException, AiravataClientException, AiravataSystemException,
AuthorizationException, TException {
-        // TODO: first verify that authenticating user is OWNER of the resource
         RegistryService.Client regClient = registryClientPool.getResource();
         SharingRegistryService.Client sharingClient = sharingClientPool.getResource();
         final String gatewayId = authzToken.getClaimsMap().get(Constants.GATEWAY_ID);
         try {
+            if (!userHasAccessInternal(sharingClient, authzToken, resourceId, ResourcePermissionType.OWNER))
{
+                throw new AuthorizationException("User is not allowed to change sharing because
the user is not the resource owner.");
+            }
             // Prevent removing Admins WRITE access and Read Only Admins READ access
             GatewayGroups gatewayGroups = retrieveGatewayGroups(regClient, gatewayId);
             if (groupPermissionList.containsKey(gatewayGroups.getAdminsGroupId())


Mime
View raw message