From 1b666f8881d43ea0ba6dc2ad17b84684be726d72 Mon Sep 17 00:00:00 2001
From: terrypacker
Date: Thu, 5 Mar 2020 06:45:33 -1000
Subject: [PATCH] Add global view permission for events as per #1546

---
 Core/RELEASE-NOTES | 1 +
 .../spring/service/EventInstanceService.java | 17 ++++++++++-
 .../spring/service/PermissionService.java | 30 +++++++++++++++++--
 .../EventsViewPermissionDefinition.java | 3 ++
 4 files changed, 48 insertions(+), 3 deletions(-)

diff --git a/Core/RELEASE-NOTES b/Core/RELEASE-NOTES
index 3662f3e126..9f0e76b949 100644
--- a/Core/RELEASE-NOTES
+++ b/Core/RELEASE-NOTES
@@ -20,6 +20,7 @@
 * Add new types to Mailing List to allow any phone number and User phone numbers
 * Adding a system setting that allows control over what tags are displayed this defaults to all tags
 * Add read and edit permission to event detectors default to previous behavior if no permissions are set
+* Add events view permission that has a default of the user role to be consistent with previous versions of Mango this permission can restrict a user to not be able to see any events
 *Version 3.7.4*
 * Improve work item failure logging
diff --git a/Core/src/com/infiniteautomation/mango/spring/service/EventInstanceService.java b/Core/src/com/infiniteautomation/mango/spring/service/EventInstanceService.java
index b89bb6c1d6..75776971b7 100644
--- a/Core/src/com/infiniteautomation/mango/spring/service/EventInstanceService.java
+++ b/Core/src/com/infiniteautomation/mango/spring/service/EventInstanceService.java
@@ -9,6 +9,7 @@
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 import org.jooq.Field;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -70,6 +71,10 @@ public boolean hasReadPermission(PermissionHolder user, EventInstanceVO vo) {
 * @throws PermissionException
 */
 public List getActiveSummary() throws PermissionException {
+ PermissionHolder user = Common.getUser();
+ Objects.requireNonNull(user, "Permission holder must be set in security context");
+ this.permissionService.ensureEventsVewPermission(user);
+
 Map summaries = new EnumMap<>(AlarmLevels.class);
 for (AlarmLevels level : AlarmLevels.values()) {
 if(level == AlarmLevels.IGNORE) {
@@ -90,6 +95,10 @@ public List getActiveSummary() throws PermissionException
 * @return
 */
 public List getUnacknowledgedSummary() {
+ PermissionHolder user = Common.getUser();
+ Objects.requireNonNull(user, "Permission holder must be set in security context");
+ this.permissionService.ensureEventsVewPermission(user);
+
 Map summaries = new EnumMap<>(AlarmLevels.class);
 for (AlarmLevels level : AlarmLevels.values()) {
 if(level == AlarmLevels.IGNORE) {
@@ -115,6 +124,10 @@ public List getUnacknowledgedSummary() {
 * @throws PermissionException
 */
 public Collection getDataPointEventSummaries(String[] dataPointXids) throws NotFoundException, PermissionException {
+ PermissionHolder user = Common.getUser();
+ Objects.requireNonNull(user, "Permission holder must be set in security context");
+ this.permissionService.ensureEventsVewPermission(user);
+
 Map map = new LinkedHashMap<>();
 for(String xid : dataPointXids) {
 Integer point = dataPointService.getDao().getIdByXid(xid);
@@ -139,7 +152,9 @@ public Collection getDataPointEventSummaries(String[
 */
 public List getAllActiveUserEvents() {
 PermissionHolder user = Common.getUser();
- this.permissionService.ensureValidPermissionHolder(user);
+ Objects.requireNonNull(user, "Permission holder must be set in security context");
+ this.permissionService.ensureEventsVewPermission(user);
+
 return Common.eventManager.getAllActiveUserEvents(user);
 }
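Review bot: The three-line preamble added to getActiveSummary here is repeated verbatim in getUnacknowledgedSummary, getDataPointEventSummaries and getAllActiveUserEvents in the following hunks, so the authorization gate for event reads now lives in four copies that can drift independently the next time one of them is touched. Extracting it into one private helper that returns the resolved caller keeps the check in a single place and gives it a Javadoc stating the contract (non-null security context, global events-view permission required). The per-level summary construction that follows, and the rest of getActiveSummary, continue outside the hunk.
```java
/**
 * Resolve the caller from the security context and require the global events-view permission.
 *
 * @return the current permission holder, never null
 * @throws PermissionException if the caller may not view events
 */
private PermissionHolder ensureCurrentUserCanViewEvents() {
    PermissionHolder user = Common.getUser();
    Objects.requireNonNull(user, "Permission holder must be set in security context");
    this.permissionService.ensureEventsVewPermission(user);
    return user;
}

public List getActiveSummary() throws PermissionException {
    ensureCurrentUserCanViewEvents();
    // … unchanged: per-level summary construction …
```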
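Review bot: Replacing ensureValidPermissionHolder(user) with Objects.requireNonNull in getAllActiveUserEvents changes what an unauthenticated caller gets: a missing security context now raises NullPointerException instead of whatever ensureValidPermissionHolder raised (presumably PermissionException), and a non-null but invalid holder is now rejected inside hasEventsViewPermission rather than here. If the REST layer maps PermissionException to 401/403, the NPE will surface as a generic 500 with a stack trace, which is a worse failure mode for an authorization check. Keeping the original validity check ahead of the new one preserves the exception type: `this.permissionService.ensureValidPermissionHolder(user);` followed by `this.permissionService.ensureEventsVewPermission(user);`. Whether ensureValidPermissionHolder is itself null-safe is not visible in this diff.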
diff --git a/Core/src/com/infiniteautomation/mango/spring/service/PermissionService.java b/Core/src/com/infiniteautomation/mango/spring/service/PermissionService.java
index 4c25edf39b..4477039502 100644
--- a/Core/src/com/infiniteautomation/mango/spring/service/PermissionService.java
+++ b/Core/src/com/infiniteautomation/mango/spring/service/PermissionService.java
@@ -30,6 +30,7 @@
 import com.serotonin.m2m2.module.ModuleRegistry;
 import com.serotonin.m2m2.module.PermissionDefinition;
 import com.serotonin.m2m2.module.definitions.permissions.DataSourcePermissionDefinition;
+import com.serotonin.m2m2.module.definitions.permissions.EventsViewPermissionDefinition;
 import com.serotonin.m2m2.rt.event.type.EventType;
 import com.serotonin.m2m2.vo.AbstractVO;
 import com.serotonin.m2m2.vo.DataPointVO;
@@ -59,14 +60,17 @@ public class PermissionService {
 private final RoleDao roleDao;
 private final DataSourcePermissionDefinition dataSourcePermission;
 private final PermissionHolder systemSuperadmin;
+ private final EventsViewPermissionDefinition eventsViewPermission;
 @Autowired
 public PermissionService(RoleDao roleDao,
 @Qualifier(MangoRuntimeContextConfiguration.SYSTEM_SUPERADMIN_PERMISSION_HOLDER)
- PermissionHolder systemSuperadmin) {
+ PermissionHolder systemSuperadmin,
+ EventsViewPermissionDefinition eventsView) {
 this.roleDao = roleDao;
 this.dataSourcePermission = (DataSourcePermissionDefinition) ModuleRegistry.getPermissionDefinition(DataSourcePermissionDefinition.PERMISSION);
 this.systemSuperadmin = systemSuperadmin;
+ this.eventsViewPermission = eventsView;
 }
 /**
@@ -399,7 +403,7 @@ public boolean hasDataPointSetPermission(PermissionHolder user, int dataPointId)
 * @return
 */
 public boolean hasEventTypePermission(PermissionHolder user, EventType eventType) {
- return hasAdminRole(user) || eventType.hasPermission(user, this);
+ return hasAdminRole(user) || (hasEventsViewPermission(user) && eventType.hasPermission(user, this));
 }
 /**
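Review bot: The new eventsViewPermission field is resolved by constructor injection while the dataSourcePermission field two lines above is still looked up through ModuleRegistry.getPermissionDefinition, so the same kind of dependency is obtained two different ways in one constructor. Either inject both or look both up; mixing them makes the service's startup depend on the permission-definition bean being registered before PermissionService is constructed, which this diff does not show. A field comment would also help the next reader: `/** Global gate for event visibility; consulted by hasEventTypePermission before any per-type check. */`. The rest of the class sits outside the hunk.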
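Review bot: hasEventsViewPermission already returns true for an admin, so the leading hasAdminRole(user) in hasEventTypePermission is now redundant with the admin short-circuit inside the new term; the expression is correct, but two admin checks in one line obscure which helper owns the bypass. The more important thing to document is the semantic change: a holder without the global events-view permission now fails for every event type regardless of the type's own permission, which is the intended fail-closed behavior but is not stated in the method's Javadoc (its `@return` line is visible in the hunk). Suggest adding `* Requires the global events view permission in addition to the event type's own permission; superadmins always pass.` above `@return`. Any per-event read path that does not go through this method (for example hasReadPermission in EventInstanceService, whose signature appears only in a hunk header) would bypass the new gate, which cannot be confirmed from this diff.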
@@ -423,6 +427,28 @@ public void ensureEventTypePermission(PermissionHolder user, EventTypeVO eventTy
 ensureEventTypePermission(user, eventType.getEventType());
 }
+ /**
+ * Can this user view any events?
+ * @param user
+ * @return
+ */
+ public boolean hasEventsViewPermission (PermissionHolder user) {
+ if (!isValidPermissionHolder(user)) return false;
+
+ if(user.hasAdminRole()) return true;
+
+ return hasPermission(user, eventsViewPermission.getPermission());
+ }
+
+ /**
+ * Ensure this user can view any events?
+ * @param user
+ */
+ public void ensureEventsVewPermission(PermissionHolder user) {
+ if (!hasEventsViewPermission(user))
+ throw new PermissionException(new TranslatableMessage("permission.exception.event", user.getPermissionHolderName()), user);
+ }
+
 /**
 * Does this permission holder have at least one of the required roles
 * @param user
diff --git a/Core/src/com/serotonin/m2m2/module/definitions/permissions/EventsViewPermissionDefinition.java b/Core/src/com/serotonin/m2m2/module/definitions/permissions/EventsViewPermissionDefinition.java
index 52131a9da1..710b6c64db 100644
--- a/Core/src/com/serotonin/m2m2/module/definitions/permissions/EventsViewPermissionDefinition.java
+++ b/Core/src/com/serotonin/m2m2/module/definitions/permissions/EventsViewPermissionDefinition.java
@@ -13,6 +13,9 @@ import com.serotonin.m2m2.vo.role.Role;
 /**
+ * Permission to view any events, each individual event is also restricted
+ * based on the event type permission.
+ *
 * @author Terry Packer
 *
 */
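Review bot: ensureEventsVewPermission dereferences user in the error message after hasEventsViewPermission has already rejected it, so if isValidPermissionHolder(null) returns false (as its name suggests) a null holder produces a NullPointerException from user.getPermissionHolderName() instead of the PermissionException the method exists to throw. Calling the existing ensureValidPermissionHolder(user) first, or guarding the name with `user == null ? null : user.getPermissionHolderName()`, keeps the failure a PermissionException for every input. The method name is also misspelled — `ensureEventsVewPermission` — and already has four call sites in EventInstanceService, so renaming it to `ensureEventsViewPermission` is cheapest now. The Javadoc `Ensure this user can view any events?` reads as a question; `Throws PermissionException unless the holder may view events.` states the contract.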