
Remove Reviewer from the access-level setup. Add security check for registe…
…red user level for viewing data.
wangf1122 committed Nov 6, 2023
1 parent 7709646 commit ac9d91c
Showing 4 changed files with 39 additions and 20 deletions.
Expand Up @@ -640,6 +640,7 @@ public void deleteAllRecordStatus(
@io.swagger.v3.oas.annotations.Operation(summary = "Search status", description = "")
@RequestMapping(produces = MediaType.APPLICATION_JSON_VALUE, method = RequestMethod.GET, path = "/status/search")
@ResponseStatus(value = HttpStatus.OK)
@PreAuthorize("hasAuthority('RegisteredUser')")
@ResponseBody
public List<MetadataStatusResponse> getWorkflowStatusByType(
@Parameter(description = "One or more types to retrieve (ie. worflow, event, task). Default is all.",
Expand Down Expand Up @@ -699,7 +700,10 @@ public List<MetadataStatusResponse> getWorkflowStatusByType(
checkUserProfileToViewMetadataHistory(context.getUserSession());

Profile profile = context.getUserSession().getProfile();
if (profile != Profile.Administrator && profile != Profile.RegisteredUser) {
String allowedProfileLevel = org.apache.commons.lang.StringUtils.defaultIfBlank(settingManager.getValue(Settings.METADATA_HISTORY_ACCESS_LEVEL), Profile.Editor.toString());
Profile allowedAccessLevelProfile = Profile.valueOf(allowedProfileLevel);

if (profile != Profile.Administrator) {
if (CollectionUtils.isEmpty(recordIdentifier) &&
CollectionUtils.isEmpty(uuid)) {
throw new NotAllowedException(
Expand All @@ -709,7 +713,12 @@ public List<MetadataStatusResponse> getWorkflowStatusByType(
if (!CollectionUtils.isEmpty(recordIdentifier)) {
for (Integer recordId : recordIdentifier) {
try {
ApiUtils.canEditRecord(String.valueOf(recordId), request);
if (allowedAccessLevelProfile == Profile.RegisteredUser) {
ApiUtils.canViewRecord(String.valueOf(recordId), request);
} else {
ApiUtils.canEditRecord(String.valueOf(recordId), request);
}

} catch (SecurityException e) {
throw new NotAllowedException(ApiParams.API_RESPONSE_NOT_ALLOWED_CAN_EDIT);
}
Expand All @@ -718,7 +727,12 @@ public List<MetadataStatusResponse> getWorkflowStatusByType(
if (!CollectionUtils.isEmpty(uuid)) {
for (String recordId : uuid) {
try {
ApiUtils.canEditRecord(recordId, request);
if (allowedAccessLevelProfile == Profile.RegisteredUser) {
ApiUtils.canViewRecord(recordId, request);
} else {
ApiUtils.canEditRecord(recordId, request);
}

} catch (SecurityException e) {
throw new NotAllowedException(ApiParams.API_RESPONSE_NOT_ALLOWED_CAN_EDIT);
}
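Review bot: `Profile.valueOf(allowedProfileLevel)` in the second hunk throws IllegalArgumentException for any stored value that is not an enum constant name, and nothing here catches it, so a mistyped or stale setting surfaces as a server error for every non-admin caller instead of a clean denial; guard it, e.g. `Profile allowedAccessLevelProfile; try { allowedAccessLevelProfile = Profile.valueOf(allowedProfileLevel); } catch (IllegalArgumentException e) { allowedAccessLevelProfile = Profile.Editor; }`. In the new `canViewRecord` branches the denial is still raised with `API_RESPONSE_NOT_ALLOWED_CAN_EDIT`, which reports the wrong reason to a user who was only required to be able to view the record; if a can-view message constant exists it belongs there. Installations that saved `Reviewer` before this commit presumably keep that value and still take the `canEditRecord` branch, since only the select option was removed and not the backend's acceptance of it, so that case deserves a comment next to the `== Profile.RegisteredUser` test. The two per-record loops now differ only in the identifier type and could share a private helper. getWorkflowStatusByType continues outside these hunks.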
11 changes: 7 additions & 4 deletions web-ui/src/main/resources/catalog/js/CatController.js
Expand Up @@ -1842,11 +1842,14 @@
return angular.isFunction(this[fnName]) ? this[fnName]() : false;
},
canViewMetadataHistory: function () {
var profile = gnConfig["metadata.history.accesslevel"] || 'Editor',
var profile = gnConfig["metadata.history.accesslevel"] || "Editor",
fnName =
profile !== ''
? 'is' + profile[0].toUpperCase() + profile.substring(1) + 'OrMore'
: '';
profile !== ""
? "is" + profile[0].toUpperCase() + profile.substring(1) + "OrMore"
: "";
if (profile ==="RegisteredUser") {
return true;
}
return angular.isFunction(this[fnName]) ? this[fnName]() : false;
},
canDeletePublishedMetadata: function () {
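Review bot: the early `return true` added for `profile === "RegisteredUser"` does not consult the session at all, so with that setting the history UI is presumably offered to every visitor, anonymous ones included, whereas every other level still goes through an `is…OrMore` predicate; the server rejects such calls anyway (`@PreAuthorize("hasAuthority('RegisteredUser')")` is added in this same commit), so this is an inconsistency in the client rather than a bypass. If the user object exposes a signed-in predicate, return that instead of `true`; otherwise record the reason for the special case with a comment such as `// no isRegisteredUserOrMore predicate exists; any signed-in profile qualifies`. The special case can also move above the `fnName` computation, which is wasted work in that branch. canViewMetadataHistory sits entirely inside the hunk, but the object it belongs to starts before it.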
2 changes: 1 addition & 1 deletion web-ui/src/main/resources/catalog/locales/en-admin.json
Expand Up @@ -876,7 +876,7 @@
"metadata/publication/profileUnpublishMetadata-help": "Minimum user profile allowed to un-publish metadata (Reviewer or Administrator). The default value is Reviewer.",
"metadata/history": "Metadata History",
"metadata/history/accesslevel": "Select the minimum user profile allowed to view metadata history",
"metadata/history/accesslevel-help": "Select the minimum user profile allowed to view metadata history (Registered User, Editor, Reviewer or Administrator). The default value is Editor.",
"metadata/history/accesslevel-help": "Select the minimum user profile allowed to view metadata history (Registered User, Editor or Administrator). The default value is Editor.",
"filterStatusByAuthor":"Status author",
"filterStatusByOwner":"Status owner",
"filterStatusByRecordId":"Record identifier",
Expand Up @@ -254,20 +254,22 @@ <h3>{{section2.name | translate}}</h3>
</option>
</select>

<select data-ng-switch-when="metadata/history/accesslevel"
class="form-control"
name="{{s.name}}">
<option value="RegisteredUser"
ng-selected="'RegisteredUser' == s.value">{{'RegisteredUser' | translate}}
</option>
<option value="Editor"
ng-selected="'Editor' == s.value">{{'Editor' | translate}}
<select
data-ng-switch-when="metadata/history/accesslevel"
class="form-control"
name="{{s.name}}"
>
<option value="Editor" ng-selected="'RegisteredUser' == s.value">
{{'RegisteredUser' | translate}}
</option>
<option value="Reviewer"
ng-selected="'Reviewer' == s.value">{{'Reviewer' | translate}}
<option value="Editor" ng-selected="'Editor' == s.value">
{{'Editor' | translate}}
</option>
<option value="Administrator"
ng-selected="'Administrator' == s.value">{{'Administrator' | translate}}
<option
value="Administrator"
ng-selected="'Administrator' == s.value"
>
{{'Administrator' | translate}}
</option>
</select>

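Review bot: the first option in the rebuilt select carries `value="Editor"` while it is labelled and pre-selected as `'RegisteredUser'`, so choosing Registered User in the admin form stores `Editor`, the select ends up with two options of the same value, and the new `canViewRecord` path on the server cannot be reached from this form. The line should read `<option value="RegisteredUser" ng-selected="'RegisteredUser' == s.value">`. A quick round-trip check that the saved setting re-selects the same option would have caught this.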
