Commit 4f49d006 authored by Sascha Herzinger's avatar Sascha Herzinger

Merge branch 'tmp' into '563-spring-security'

Reverting service changes

See merge request !579
parents 40e5ac89 0b1772b0
Pipeline #8259 failed with stage
in 2 minutes and 45 seconds
......@@ -43,7 +43,7 @@ public class ProjectController extends BaseController {
@PathVariable(value = "projectId") String projectId,
@CookieValue(value = Configuration.AUTH_TOKEN) String token
) throws SecurityException, ObjectNotFoundException {
return projectController.getProject(projectId);
return projectController.getProject(projectId, token);
}
@RequestMapping(value = "/projects/{projectId:.+}", method = { RequestMethod.PATCH }, produces = {
......@@ -55,7 +55,7 @@ public class ProjectController extends BaseController {
) throws SecurityException, IOException, QueryException {
Map<String, Object> node = parseBody(body);
Map<String, Object> data = getData(node, "project");
return projectController.updateProject(projectId, data);
return projectController.updateProject(token, projectId, data);
}
......@@ -66,7 +66,7 @@ public class ProjectController extends BaseController {
@PathVariable(value = "projectId") String projectId,
@CookieValue(value = Configuration.AUTH_TOKEN) String token
) throws SecurityException, IOException, QueryException {
return projectController.addProject(projectId, formData, context.getRealPath("/"));
return projectController.addProject(token, projectId, formData, context.getRealPath("/"));
}
......@@ -76,13 +76,15 @@ public class ProjectController extends BaseController {
@PathVariable(value = "projectId") String projectId,
@CookieValue(value = Configuration.AUTH_TOKEN) String token
) throws SecurityException, IOException, QueryException {
return projectController.removeProject(projectId, context.getRealPath("/"));
return projectController.removeProject(token, projectId, context.getRealPath("/"));
}
@RequestMapping(value = "/projects/", method = { RequestMethod.GET }, produces = { MediaType.APPLICATION_JSON_VALUE })
public List<Map<String, Object>> getProjects() {
return projectController.getProjects();
public List<Map<String, Object>> getProjects(
@CookieValue(value = Configuration.AUTH_TOKEN) String token
) throws SecurityException, ObjectNotFoundException {
return projectController.getProjects(token);
}
@RequestMapping(value = "/projects/{projectId}/statistics", method = { RequestMethod.GET }, produces = {
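Review bot: The token argument is not in a consistent position across the delegating calls: `getProject(projectId, token)` puts it last, while `updateProject(token, projectId, data)`, `addProject(token, projectId, ...)` and `removeProject(token, projectId, ...)` put it first. Both values are plain `String`, so a transposed call compiles and would pass the session token as a project id, and the project id as a credential, with no compile-time signal. I would settle on one order, e.g. `return projectController.getProject(token, projectId);`, and change `ProjectRestImpl.getProject` to match. The handler signatures start outside these hunks, so only the parameter tails and call lines are visible here.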
......
package lcsb.mapviewer.api.projects;
import java.awt.geom.Point2D;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.Serializable;
import java.security.MessageDigest;
......@@ -15,6 +16,7 @@ import java.util.Set;
import java.util.TreeMap;
import org.apache.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.util.MultiValueMap;
......@@ -51,6 +53,7 @@ import lcsb.mapviewer.model.map.model.SubmodelType;
import lcsb.mapviewer.model.map.reaction.Reaction;
import lcsb.mapviewer.model.map.species.Element;
import lcsb.mapviewer.model.user.ConfigurationElementType;
import lcsb.mapviewer.model.user.PrivilegeType;
import lcsb.mapviewer.model.user.User;
import lcsb.mapviewer.persist.dao.ProjectDao;
import lcsb.mapviewer.persist.dao.cache.UploadedFileEntryDao;
......@@ -89,8 +92,9 @@ public class ProjectRestImpl extends BaseRestImpl {
this.uploadedFileEntryDao = uploadedFileEntryDao;
}
public Map<String, Object> getProject(String projectId) throws ObjectNotFoundException {
Project project = getProjectService().getProjectByProjectId(projectId);
public Map<String, Object> getProject(String projectId, String token)
throws SecurityException, ObjectNotFoundException {
Project project = getProjectService().getProjectByProjectId(projectId, token);
if (project == null) {
throw new ObjectNotFoundException("Project with given id doesn't exist");
}
......@@ -199,8 +203,8 @@ public class ProjectRestImpl extends BaseRestImpl {
return result;
}
public FileEntry getSource(String token, String projectId) throws QueryException {
Project project = getProjectService().getProjectByProjectId(projectId);
public FileEntry getSource(String token, String projectId) throws SecurityException, QueryException {
Project project = getProjectService().getProjectByProjectId(projectId, token);
if (project == null) {
throw new ObjectNotFoundException("Project with given id doesn't exist");
}
......@@ -253,8 +257,8 @@ public class ProjectRestImpl extends BaseRestImpl {
return result;
}
public List<Map<String, Object>> getProjects() {
List<Project> projects = getProjectService().getAllProjects();
public List<Map<String, Object>> getProjects(String token) throws SecurityException {
List<Project> projects = getProjectService().getAllProjects(token);
List<Map<String, Object>> result = new ArrayList<>();
for (Project project : projects) {
result.add(createData(project));
......@@ -262,11 +266,16 @@ public class ProjectRestImpl extends BaseRestImpl {
return result;
}
public Map<String, Object> updateProject(String projectId, Map<String, Object> data) throws SecurityException, QueryException {
Project project = getProjectService().getProjectByProjectId(projectId);
public Map<String, Object> updateProject(String token, String projectId, Map<String, Object> data)
throws SecurityException, QueryException {
Project project = getProjectService().getProjectByProjectId(projectId, token);
if (project == null) {
throw new ObjectNotFoundException("Project with given id doesn't exist");
}
boolean canModify = getUserService().userHasPrivilege(token, PrivilegeType.PROJECT_MANAGEMENT);
if (!canModify) {
throw new SecurityException("You cannot update projects");
}
Set<String> fields = data.keySet();
for (String fieldName : fields) {
Object value = data.get(fieldName);
......@@ -322,8 +331,8 @@ public class ProjectRestImpl extends BaseRestImpl {
throw new QueryException("Unknown field: " + fieldName);
}
}
getProjectService().updateProject(project);
return getProject(projectId);
getProjectService().updateProject(project, token);
return getProject(projectId, token);
}
private MiriamData updateMiriamData(MiriamData organism, Object res) {
......@@ -345,10 +354,10 @@ public class ProjectRestImpl extends BaseRestImpl {
}
}
public Map<String, Object> addProject(String projectId, MultiValueMap<String, Object> data, String path)
public Map<String, Object> addProject(String token, String projectId, MultiValueMap<String, Object> data, String path)
throws SecurityException, QueryException, IOException {
User user = getUserService().getUserByToken(token);
Project project = getProjectService().getProjectByProjectId(projectId);
Project project = getProjectService().getProjectByProjectId(projectId, token);
if (project != null) {
logger.debug(project.getProjectId());
throw new ObjectExistsException("Project with given id already exists");
......@@ -380,6 +389,7 @@ public class ProjectRestImpl extends BaseRestImpl {
params.async(true);
params.parser(parser);
params.authenticationToken(token);
params.autoResize(getFirstValue(data.get("auto-resize")));
params.cacheModel(getFirstValue(data.get("cache")));
params.description(getFirstValue(data.get("description")));
......@@ -414,7 +424,7 @@ public class ProjectRestImpl extends BaseRestImpl {
params.setAnnotatorParams(projectService.getAnnotatorsParams(user));
getProjectService().createProject(params);
return getProject(projectId);
return getProject(projectId, token);
}
protected String computePathForProject(String projectId, String path) {
......@@ -493,15 +503,15 @@ public class ProjectRestImpl extends BaseRestImpl {
return null;
}
public Map<String, Object> removeProject(String projectId, String path)
public Map<String, Object> removeProject(String token, String projectId, String path)
throws SecurityException, QueryException {
Project project = getProjectService().getProjectByProjectId(projectId);
Project project = getProjectService().getProjectByProjectId(projectId, token);
if (getConfigurationService().getConfigurationValue(ConfigurationElementType.DEFAULT_MAP)
.equals(project.getProjectId())) {
throw new OperationNotAllowedException("You cannot remove default map");
}
getProjectService().removeProject(project, path, true);
return getProject(projectId);
getProjectService().removeProject(project, path, true, token);
return getProject(projectId, token);
}
public UploadedFileEntryDao getUploadedFileEntryDao() {
......@@ -542,7 +552,7 @@ public class ProjectRestImpl extends BaseRestImpl {
public Map<String, Object> getLogs(String projectId, String level, String token, String startString, Integer length,
String sortColumn, String sortOrder, String search) throws SecurityException, QueryException {
Project project = getProjectService().getProjectByProjectId(projectId);
Project project = getProjectService().getProjectByProjectId(projectId, token);
if (project == null) {
throw new ObjectNotFoundException("Project with given id doesn't exist");
}
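Review bot: `removeProject` dereferences the lookup result without a null check. `getProjectByProjectId(projectId, token)` returns null for an unknown id (the service hands back `result` unchanged when the DAO finds nothing), and the next statement calls `project.getProjectId()`. The other methods touched in this file (`getProject`, `getSource`, `updateProject`, `getLogs`) all guard this case, so a remove request for a non-existent project would surface as a NullPointerException instead of the not-found error. Add `if (project == null) { throw new ObjectNotFoundException("Project with given id doesn't exist"); }` before the default-map comparison.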
......
package lcsb.mapviewer.api.users;
import java.io.IOException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
......@@ -12,6 +13,7 @@ import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.MediaType;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
......
......@@ -126,7 +126,7 @@ public class ProjectRestImplTest extends RestTestFunctions {
public void testGetProjects() throws Exception {
try {
ProjectRestImpl projectRest = createMockProjectRest("testFiles/model/sample.xml");
List<Map<String, Object>> result = projectRest.getProjects();
List<Map<String, Object>> result = projectRest.getProjects(token);
Gson gson = new Gson();
assertNotNull(gson.toJson(result));
} catch (Exception e) {
......
......@@ -82,6 +82,7 @@ import lcsb.mapviewer.persist.dao.map.LayoutDao;
import lcsb.mapviewer.persist.dao.map.ModelDao;
import lcsb.mapviewer.persist.dao.user.UserDao;
import lcsb.mapviewer.services.SecurityException;
import lcsb.mapviewer.services.UserAccessException;
import lcsb.mapviewer.services.interfaces.ICommentService;
import lcsb.mapviewer.services.interfaces.IConfigurationService;
import lcsb.mapviewer.services.interfaces.IModelService;
......@@ -108,7 +109,7 @@ public class ProjectService implements IProjectService {
/**
* Size of the artificial buffer that will be released when
* {@link OutOfMemoryError} is thrown to gain some frImportant note: Some mentioned that there is an error in how the survival plot is created. The original authors used censoring whereas in the video data points were simply filtered out. This is a user error, by not providing a list of observed points (s. 3rd box in control panel) and likely the cause for the discrepancies between the two survival charts.ee memory and report
* {@link OutOfMemoryError} is thrown to gain some free memory and report
* problem.
*/
private static final int OUT_OF_MEMORY_BACKUP_BUFFER_SIZE = 10000;
......@@ -230,8 +231,17 @@ public class ProjectService implements IProjectService {
}
@Override
public Project getProjectByProjectId(String name) {
return projectDao.getProjectByProjectId(name);
public Project getProjectByProjectId(String name, String token) throws SecurityException {
Project result = projectDao.getProjectByProjectId(name);
if (result == null) {
return result;
}
if (userService.userHasPrivilege(token, PrivilegeType.VIEW_PROJECT, result)) {
return result;
} else if (userService.userHasPrivilege(token, PrivilegeType.ADD_MAP)) {
return result;
}
throw new UserAccessException("User cannot access project");
}
@Override
......@@ -243,8 +253,18 @@ public class ProjectService implements IProjectService {
}
@Override
public List<Project> getAllProjects() {
return projectDao.getAll();
public List<Project> getAllProjects(String token) throws SecurityException {
List<Project> projects = projectDao.getAll();
if (userService.userHasPrivilege(token, PrivilegeType.ADD_MAP)) {
return projects;
}
List<Project> result = new ArrayList<>();
for (Project project : projects) {
if (userService.userHasPrivilege(token, PrivilegeType.VIEW_PROJECT, project)) {
result.add(project);
}
}
return result;
}
/**
......@@ -263,7 +283,12 @@ public class ProjectService implements IProjectService {
}
@Override
public void removeProject(final Project p, final String dir, final boolean async) {
public void removeProject(final Project p, final String dir, final boolean async, String token)
throws SecurityException {
if (!userService.userHasPrivilege(userService.getUserByToken(token), PrivilegeType.PROJECT_MANAGEMENT)) {
throw new UserAccessException("User cannot remove project");
}
final String homeDir;
if (dir != null) {
if (p.getDirectory() != null) {
......@@ -348,7 +373,7 @@ public class ProjectService implements IProjectService {
} catch (HibernateException e) {
logger.error("Problem with database", e);
handleHibernateExceptionRemovingReporting(project, e);
handleHibernateExceptionRemovingReporting(project, e, token);
} finally {
if (async) {
// close the transaction for this thread
......@@ -377,7 +402,8 @@ public class ProjectService implements IProjectService {
* @param exception
* hibernate exception that caused problems
*/
protected void handleHibernateExceptionRemovingReporting(Project originalProject, HibernateException exception) {
protected void handleHibernateExceptionRemovingReporting(Project originalProject, HibernateException exception,
String token) {
// we need to open separate thread because current one thrown db exception
// and transaction is corrupted and will be rolledback
Thread reportInSeparateThread = new Thread(new Runnable() {
......@@ -388,12 +414,14 @@ public class ProjectService implements IProjectService {
try {
// we need to get the project from db, because session where
// originalProject was retrieved is broken
Project project = getProjectByProjectId(originalProject.getProjectId());
Project project = getProjectByProjectId(originalProject.getProjectId(), token);
String errorMessage = "Severe problem with removing object. Underlaying eror:\n" + exception.getMessage()
+ "\nMore information can be found in log file.";
project.setErrors(errorMessage + "\n" + project.getErrors());
project.setStatus(ProjectStatus.FAIL);
projectDao.update(project);
} catch (SecurityException e) {
logger.error(e, e);
} finally {
dbUtils.closeSessionForCurrentThread();
}
......@@ -442,7 +470,7 @@ public class ProjectService implements IProjectService {
/**
* This method creates set of images for the model layouts.
*
* @param project
* @param originalModel
* model for which we create layout images
* @param params
* configuration parameters including set of layouts to generate
......@@ -688,7 +716,11 @@ public class ProjectService implements IProjectService {
}
@Override
public void createProject(final CreateProjectParams params) {
public void createProject(final CreateProjectParams params) throws SecurityException {
if (!userService.userHasPrivilege(params.getAuthenticationToken(), PrivilegeType.ADD_MAP)) {
throw new SecurityException("Adding projects not allowed.");
}
// this count down is used to wait for asynchronous thread to initialize
// data in the db (probably it would be better to move the initialization to
// main thread)
......@@ -935,7 +967,7 @@ public class ProjectService implements IProjectService {
/**
* Analyzes annotation of the model and put information about invalid
* annotations.
* annotations into the {@link Model#creationWarnings} field.
*
* @param originalModel
* model to analyze
......@@ -1170,15 +1202,17 @@ public class ProjectService implements IProjectService {
}
@Override
public void updateProject(Project project) {
public void updateProject(Project project, String token) throws SecurityException {
projectDao.update(project);
Model model = modelService.getLastModelByProjectId(project.getProjectId());
if (model != null) {
// TODO it's a hack to prevent lazy initialization of the project
project.setModels(model.getProject().getModels());
project.setLayouts(model.getProject().getLayouts());
project.setOverviewImages(model.getProject().getOverviewImages());
model.setProject(project);
if (token != null) {
Model model = modelService.getLastModelByProjectId(project.getProjectId(), token);
if (model != null) {
// TODO it's a hack to prevent lazy initialization of the project
project.setModels(model.getProject().getModels());
project.setLayouts(model.getProject().getLayouts());
project.setOverviewImages(model.getProject().getOverviewImages());
model.setProject(project);
}
}
}
......@@ -1201,7 +1235,7 @@ public class ProjectService implements IProjectService {
dbUtils.createSessionForCurrentThread();
try {
Project project = getProjectByProjectId(params.getProjectId());
Project project = getProjectByProjectId(params.getProjectId(), params.getAuthenticationToken());
String errorMessage = "Problem with uploading to database. "
+ "You might violated some unhandled constraints or you run out of memory. Underlaying eror:\n"
+ e.getMessage() + "\nMore information can be found in log file.";
......@@ -1261,6 +1295,11 @@ public class ProjectService implements IProjectService {
this.taxonomyBackend = taxonomyBackend;
}
@Override
public List<Project> getAllProjects() {
return projectDao.getAll();
}
private Project createProjectFromParams(final CreateProjectParams params) {
Project project = new Project(params.getProjectId());
project.setName(params.getProjectName());
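Review bot: `updateProject(Project project, String token)` calls `projectDao.update(project)` before the token is looked at and never checks `PrivilegeType.PROJECT_MANAGEMENT`. The `if (token != null)` branch only gates the model refresh, so a null token still persists the change. This commit also drops `@PreAuthorize("hasAuthority('PROJECT_MANAGEMENT')")` from the interface, so the only remaining check is the one in `ProjectRestImpl.updateProject`, and any other caller of the service writes unchecked. I would put the check at the top of the service method, as `removeProject` and `createProject` do: `if (!userService.userHasPrivilege(token, PrivilegeType.PROJECT_MANAGEMENT)) { throw new UserAccessException("User cannot update project"); }`. If the null-token path is meant for internal callers, a comment should say so explicitly.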
......
......@@ -9,10 +9,8 @@ import lcsb.mapviewer.model.user.User;
import lcsb.mapviewer.model.user.UserAnnotationSchema;
import lcsb.mapviewer.model.user.UserAnnotatorsParam;
import lcsb.mapviewer.services.SecurityException;
import lcsb.mapviewer.services.UserAccessException;
import lcsb.mapviewer.services.utils.CreateProjectParams;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
/**
* Service that manages projects.
......@@ -23,21 +21,21 @@ import org.springframework.security.access.prepost.PreAuthorize;
public interface IProjectService {
/**
* Returns a project with a give {@link Project#getProjectId() project identifier}.
* Returns a project with a give {@link Project#projectId project identifier}.
*
* @param projectId
* {@link Project#getProjectId() project identifier}
* {@link Project#projectId project identifier}
* @return project with an identifier given as parameter. Null if such project
* doesn't exist.
* @throws SecurityException
*/
@PostAuthorize("hasAnyAuthority('ADD_MAP', 'VIEW_PROJECT' + returnObject.id)")
Project getProjectByProjectId(String projectId);
Project getProjectByProjectId(String projectId, String token) throws UserAccessException, SecurityException;
/**
* Checks if project with a given {@link Project#getProjectId() identifier} exists.
* Checks if project with a given {@link Project#projectId identifier} exists.
*
* @param projectId
* {@link Project#getProjectId() project identifier}
* {@link Project#projectId project identifier}
* @return <code>true</code> if the project with the given name exists,
* <code>false</code> otherwise
*/
......@@ -47,9 +45,9 @@ public interface IProjectService {
* Returns list of all projects.
*
* @return list of all projects.
* @throws SecurityException
*/
@PostFilter("hasAnyAuthority('ADD_MAP', 'VIEW_PROJECT' + filterObject.id)")
List<Project> getAllProjects();
List<Project> getAllProjects(String token) throws SecurityException;
/**
* Removes project from the system.
......@@ -60,9 +58,9 @@ public interface IProjectService {
* object to remove
* @param async
* should the operation be done asynchronously
* @throws SecurityException
*/
@PreAuthorize("hasAuthority('PROJECT_MANAGEMENT')")
void removeProject(Project project, String homeDir, boolean async);
void removeProject(Project project, String homeDir, boolean async, String token) throws SecurityException;
/**
* Adds project to the system.
......@@ -77,9 +75,9 @@ public interface IProjectService {
*
* @param params
* information about project to create
* @throws SecurityException
*/
@PreAuthorize("hasAuthority('ADD_MAP')")
void createProject(CreateProjectParams params);
void createProject(CreateProjectParams params) throws SecurityException;
/**
* Creates {@link TreeNode} that contains information about all classes that can
......@@ -102,11 +100,11 @@ public interface IProjectService {
* user for which we update information
* @param sbgnFormat
* new
* {@link UserAnnotationSchema#getSbgnFormat()}}
* {@link lcsb.mapviewer.model.user.UserAnnotationSchema#sbgnFormat}
* value
* @param networkLayoutAsDefault
* new
* {@link UserAnnotationSchema#getNetworkLayoutAsDefault()}
* {@link lcsb.mapviewer.model.user.UserAnnotationSchema#networkLayoutAsDefault}
* value
* @param annotatorsTree
* {@link TreeNode} that contains information about all classes that
......@@ -120,9 +118,9 @@ public interface IProjectService {
*
* @param project
* project to update
* @throws SecurityException
*/
@PreAuthorize("hasAuthority('PROJECT_MANAGEMENT')")
void updateProject(Project project) throws SecurityException;
void updateProject(Project project, String token) throws SecurityException;
UserAnnotationSchema prepareUserAnnotationSchema(User user);
......@@ -133,4 +131,6 @@ public interface IProjectService {
*/
List<UserAnnotatorsParam> getAnnotatorsParams(User user);
List<Project> getAllProjects();
}
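Review bot: The new token-less `List<Project> getAllProjects();` at the end of the interface has no Javadoc and sits next to `getAllProjects(String token)`, which filters by `ADD_MAP`/`VIEW_PROJECT`. The implementation in `ProjectService` returns `projectDao.getAll()` unfiltered. Nothing in the name or documentation tells a caller that this overload skips access control, so choosing the shorter overload by accident returns every project to the caller. Please document it, e.g. `/** Returns every project without access filtering; internal use only, never for request handling. */`, or give it a distinct name. The methods that gained a `token` parameter also lack an `@param token` entry, and their `@throws SecurityException` tags carry no description.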
......@@ -3,5 +3,4 @@ package lcsb.mapviewer.web.config;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
public class SpringSecurityWebInitializer extends AbstractSecurityWebApplicationInitializer {
}