Changeset 7008


Ignore:
Timestamp:
Nov 11, 2015, 3:37:51 PM (7 years ago)
Author:
Nicklas Nordborg
Message:

References #1965: Users can access reporter information even if their role permissions is set to DENIED

The permission should now be checked in all queries that return ReporterData objects. When the query is started at some other item (eg. reporters linked from the raw data in a raw bioassay or reporters linked from features on an array design) we only check for explicitely DENIED permission (eg. we treat the reporters as child items). When the query is based directly on reporters we require explicit READ permission.

This doesn't solve the DENIED problem when doing it in two steps (which is the case on the raw data and feature list pages). For example, first loading RAWDATA and then navigating to the reporter via RawData.getReporter(). It is not possible to solved this within the BASE Core API. A possible solution is to let the web client handle this case by simply not include any reporter-related columns in raw data or feature listings if an explicit DENIED permission has been set.

Then there is also the case with dynamic queries generated from the experiment level...

Location:
branches/3.6-stable/src/core/net/sf/basedb/core
Files:
1 added
6 edited

Legend:

Unmodified
Added
Removed
  • branches/3.6-stable/src/core/net/sf/basedb/core/ArrayDesign.java

    r6881 r7008  
    2929import net.sf.basedb.core.data.ReporterData;
    3030import net.sf.basedb.core.query.Hql;
     31import net.sf.basedb.core.query.PermissionRestriction;
    3132import net.sf.basedb.core.query.Restrictions;
    3233
     
    762763    DataQuery<ReporterData> query =
    763764      new DataQuery<ReporterData>(ReporterData.class, Item.FEATURE, null, "reporter");
     765    // We allow reporters without READ permission unless it has been explicitely DENIED
     766    query.restrictPermanent(new PermissionRestriction(Permission.DENIED, Item.REPORTER));
    764767    query.restrictPermanent(
    765768        Restrictions.eq(
  • branches/3.6-stable/src/core/net/sf/basedb/core/Plate.java

    r6881 r7008  
    3030import net.sf.basedb.core.query.Restrictions;
    3131import net.sf.basedb.core.query.Hql;
     32import net.sf.basedb.core.query.PermissionRestriction;
    3233
    3334import java.util.Date;
     
    521522    DataQuery<ReporterData> query =
    522523      new DataQuery<ReporterData>(ReporterData.class, Item.WELL, null, "reporter");
     524    // We allow reporters without READ permission unless it has been explicitely DENIED
     525    query.restrictPermanent(new PermissionRestriction(Permission.DENIED, Item.REPORTER));
    523526    query.restrictPermanent(
    524527        Restrictions.eq(
  • branches/3.6-stable/src/core/net/sf/basedb/core/RawBioAssay.java

    r6924 r7008  
    3434import net.sf.basedb.core.query.Restrictions;
    3535import net.sf.basedb.core.query.Hql;
     36import net.sf.basedb.core.query.PermissionRestriction;
    3637import net.sf.basedb.core.query.Dynamic;
    3738import net.sf.basedb.core.query.Expressions;
     
    11751176    DataQuery<ReporterData> query =
    11761177      new DataQuery<ReporterData>(ReporterData.class, Item.RAWDATA, rdt.getEntityName(), "reporter");
     1178    // We allow reporters without READ permission unless it has been explicitely DENIED
     1179    query.restrictPermanent(new PermissionRestriction(Permission.DENIED, Item.REPORTER));
    11771180    query.restrictPermanent(
    11781181      Restrictions.eq(
  • branches/3.6-stable/src/core/net/sf/basedb/core/Reporter.java

    r6468 r7008  
    2828import net.sf.basedb.core.data.ReporterData;
    2929import net.sf.basedb.core.data.ReporterTypeData;
     30import net.sf.basedb.core.query.PermissionRestriction;
    3031
    3132import org.hibernate.SQLQuery;
     
    226227  public static DataQuery<ReporterData> getQuery()
    227228  {
    228     return new DataQuery<ReporterData>(ReporterData.class, null);
     229    DataQuery<ReporterData> query = new DataQuery<ReporterData>(ReporterData.class, null);
     230    // We only allow reporters if there is an excplicit READ permission
     231    query.restrictPermanent(new PermissionRestriction(Permission.READ, Item.REPORTER));
     232    return query;
    229233  }
    230234
  • branches/3.6-stable/src/core/net/sf/basedb/core/ReporterScore.java

    r4517 r7008  
    2525import net.sf.basedb.core.data.ReporterListScoreData;
    2626import net.sf.basedb.core.query.Hql;
     27import net.sf.basedb.core.query.PermissionRestriction;
    2728import net.sf.basedb.core.query.Restrictions;
    2829
     
    4647  {
    4748    ReporterScoreQuery query = new ReporterScoreQuery();
     49    // We allow reporters without READ permission unless it has been explicitely DENIED
     50    query.restrictPermanent(new PermissionRestriction(Permission.DENIED, Item.REPORTER));
    4851    // Join reporters with prefetch to avoid additional selects for each reporter
    4952    query.joinPermanent(Hql.innerJoin(null, "reporter", Item.REPORTER.getAlias(), true));
  • branches/3.6-stable/src/core/net/sf/basedb/core/SessionControl.java

    r6930 r7008  
    10841084    if (Permission.hasPermission(permissions, Permission.DENIED))
    10851085    {
    1086       return false;
     1086      return permission == Permission.DENIED;
    10871087    }
    10881088    else
Note: See TracChangeset for help on using the changeset viewer.