
Authorize the submitter who is trying to take a shared item via shar…
…eToken.
milanmajchrak committed Oct 31, 2024
1 parent a2149e6 commit 36f531f
Showing 3 changed files with 26 additions and 11 deletions.
Expand Up @@ -72,10 +72,11 @@ public class SubmissionController {
@Autowired
protected ConverterService converter;

@PreAuthorize("hasPermission(#wsoId, 'WORKSPACEITEM', 'ADD')")
@PreAuthorize("hasPermission(#wsoId, 'WORKSPACEITEM', 'WRITE')")
@RequestMapping(method = RequestMethod.GET, value = "share")
public ResponseEntity<ShareSubmissionLinkDTO> generateShareLink(@RequestParam(name = "workspaceitemid",
required = false) Integer wsoId, HttpServletRequest request) throws SQLException, AuthorizeException {
public ResponseEntity<ShareSubmissionLinkDTO> generateShareLink(@RequestParam(name = "workspaceitemid")
Integer wsoId, HttpServletRequest request)
throws SQLException, AuthorizeException {

Context context = ContextUtil.obtainContext(request);
// Check the context is not null
Expand Down Expand Up @@ -119,10 +120,10 @@ public ResponseEntity<ShareSubmissionLinkDTO> generateShareLink(@RequestParam(na
return ResponseEntity.ok().body(shareSubmissionLinkDTO);
}

@PreAuthorize("hasPermission(#wsoId, 'WORKSPACEITEM', 'ADD')")
@RequestMapping(method = RequestMethod.POST, value = "setOwner")
public WorkspaceItemRest setOwner(@RequestParam(name = "shareToken", required = false) String shareToken,
@RequestParam(name = "workspaceitemid", required = false) Integer wsoId,
@PreAuthorize("hasPermission(#wsoId, 'WORKSPACEITEM', 'WRITE')")
@RequestMapping(method = RequestMethod.GET, value = "setOwner")
public WorkspaceItemRest setOwner(@RequestParam(name = "shareToken") String shareToken,
@RequestParam(name = "workspaceitemid") Integer wsoId,
HttpServletRequest request)
throws SQLException, AuthorizeException {

Expand Down Expand Up @@ -168,8 +169,6 @@ public WorkspaceItemRest setOwner(@RequestParam(name = "shareToken", required =
return wsiRest;
}



private static String generateShareToken() {
// UUID generates a 36-char string with hyphens, so we can strip them to get a 32-char string
return UUID.randomUUID().toString().replace("-", "").substring(0, 32);
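Review bot: `setOwner` is switched from POST to `RequestMethod.GET` at L40 even though it transfers ownership of the workspace item, and its only credential is now the `shareToken` query parameter, so the operation can be fired by link prefetchers, `<img>` tags or a pasted link, and the token ends up in access logs, browser history and Referer headers. Keep it a state-changing verb, `@RequestMapping(method = RequestMethod.POST, value = "setOwner")`, and prefer carrying the token in the request body or a header instead of the URL. Note also that `generateShareLink` (L21) is now guarded by WRITE; if that `hasPermission` is backed by the evaluator plugin changed in this commit, presenting a valid token appears to satisfy it, which would let a token holder hit the `share` endpoint for the same item - worth confirming that is intended. The body of `setOwner` continues past the hunk, so whatever validation it performs on `shareToken` is not visible here.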
Expand Up @@ -102,6 +102,8 @@ public class WorkspaceItemRestRepository extends DSpaceRestRepository<WorkspaceI

public static final String OPERATION_PATH_SECTIONS = "sections";

public static final String SHARE_TOKEN = "shareToken";

private static final Logger log = org.apache.logging.log4j.LogManager.getLogger(WorkspaceItemRestRepository.class);

@Autowired
Expand Down Expand Up @@ -481,8 +483,8 @@ private void uploadFileFromURL(Context context, HttpServletRequest request, Inte
}
}

@SearchRestMethod(name = "shareToken")
public Page<WorkspaceItemRest> findByShareToken(@Parameter(value = "shareToken", required = true) String shareToken,
@SearchRestMethod(name = SHARE_TOKEN)
public Page<WorkspaceItemRest> findByShareToken(@Parameter(value = SHARE_TOKEN, required = true) String shareToken,
Pageable pageable) {
try {
Context context = obtainContext();
Expand Up @@ -7,8 +7,12 @@
*/
package org.dspace.app.rest.security;

import static org.dspace.app.rest.repository.WorkspaceItemRestRepository.SHARE_TOKEN;

import java.io.Serializable;
import java.sql.SQLException;
import java.util.Objects;
import javax.servlet.http.HttpServletRequest;

import org.apache.commons.lang3.StringUtils;
import org.dspace.app.rest.model.WorkspaceItemRest;
Expand Down Expand Up @@ -91,6 +95,16 @@ public boolean hasDSpacePermission(Authentication authentication, Serializable t
}
}

// Check the request has shareToken the same as the workspace item
if (witem.getShareToken() != null) {
HttpServletRequest req = request.getHttpServletRequest();
if (Objects.nonNull(req)) {
if (witem.getShareToken().equals(req.getParameter(SHARE_TOKEN))) {
return true;
}
}
}

if (witem.getItem() != null) {
if (supervisionOrderService.isSupervisor(context, ePerson, witem.getItem())) {
return authorizeService.authorizeActionBoolean(context, ePerson, witem.getItem(),
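Review bot: The token check added at L97-L104 returns `true` before any action is looked at, so a caller presenting a matching `shareToken` is granted whatever permission `hasDSpacePermission` is being asked about (the `permission` argument is cut off at L92), not just the WRITE the share flow needs; if that argument is available, scope the grant to the actions the sharing feature actually requires. The guard `witem.getShareToken() != null` only excludes null, so an item whose token is stored as an empty string would match `?shareToken=`; `StringUtils` is already imported at L90, so `isNotBlank` is the cheaper and safer test. `String.equals` short-circuits on the first differing byte, which leaks timing about a credential - compare with `MessageDigest.isEqual` over UTF-8 bytes instead (needs `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` imported). Presence of the token in a query parameter also means it will appear in server logs; consider reading it from a header as well. The enclosing `hasDSpacePermission` starts before this hunk, so the earlier branches (including how an anonymous `ePerson` is handled) are not visible here.
```java
// Accept a matching share token only as a capability for this item: reject
// blank tokens and compare in constant time so the value cannot be recovered
// through response timing.
String storedToken = witem.getShareToken();
if (StringUtils.isNotBlank(storedToken)) {
    HttpServletRequest req = request.getHttpServletRequest();
    String suppliedToken = req == null ? null : req.getParameter(SHARE_TOKEN);
    if (suppliedToken != null && MessageDigest.isEqual(
            storedToken.getBytes(StandardCharsets.UTF_8),
            suppliedToken.getBytes(StandardCharsets.UTF_8))) {
        // TODO(review): restrict to the actions the share flow needs instead of any permission
        return true;
    }
}
// … unchanged: supervisor check …
```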
