From 36f531fc7001e36080552b166137be3b392fd307 Mon Sep 17 00:00:00 2001
From: milanmajchrak
Date: Thu, 31 Oct 2024 15:18:48 +0100
Subject: [PATCH] Authorize the submitter which is trying to take sharing item via shareToken.
---
 .../rest/repository/SubmissionController.java | 17 ++++++++---------
 .../repository/WorkspaceItemRestRepository.java | 6 ++++--
 ...kspaceItemRestPermissionEvaluatorPlugin.java | 14 ++++++++++++++
 3 files changed, 26 insertions(+), 11 deletions(-)
diff --git a/dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/SubmissionController.java b/dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/SubmissionController.java
index 75469280f3b5..fb7c06f606e8 100644
--- a/dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/SubmissionController.java
+++ b/dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/SubmissionController.java
@@ -72,10 +72,11 @@ public class SubmissionController {
 @Autowired
 protected ConverterService converter;
 
- @PreAuthorize("hasPermission(#wsoId, 'WORKSPACEITEM', 'ADD')")
+ @PreAuthorize("hasPermission(#wsoId, 'WORKSPACEITEM', 'WRITE')")
 @RequestMapping(method = RequestMethod.GET, value = "share")
- public ResponseEntity generateShareLink(@RequestParam(name = "workspaceitemid",
- required = false) Integer wsoId, HttpServletRequest request) throws SQLException, AuthorizeException {
+ public ResponseEntity generateShareLink(@RequestParam(name = "workspaceitemid")
+ Integer wsoId, HttpServletRequest request)
+ throws SQLException, AuthorizeException {
 
 Context context = ContextUtil.obtainContext(request);
 // Check the context is not null
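Review bot: generateShareLink still carries no Javadoc, and the hunk switches its authorization from ADD to WRITE without recording why; a two-line comment above @PreAuthorize saying that only a caller holding WRITE on the workspace item may mint a share link, and what the response body carries, would make the contract readable. Note that with this commit's evaluator change a request that also carries a valid shareToken parameter satisfies WRITE, so a link holder can presumably call this endpoint to issue further links for the same item — confirm that is intended, or gate the token check to the setOwner flow. Making workspaceitemid required is an improvement: a missing id now fails with 400 instead of reaching hasPermission as null. The method body continues outside the hunk.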
@@ -119,10 +120,10 @@ public ResponseEntity generateShareLink(@RequestParam(na
 return ResponseEntity.ok().body(shareSubmissionLinkDTO);
 }
 
- @PreAuthorize("hasPermission(#wsoId, 'WORKSPACEITEM', 'ADD')")
- @RequestMapping(method = RequestMethod.POST, value = "setOwner")
- public WorkspaceItemRest setOwner(@RequestParam(name = "shareToken", required = false) String shareToken,
- @RequestParam(name = "workspaceitemid", required = false) Integer wsoId,
+ @PreAuthorize("hasPermission(#wsoId, 'WORKSPACEITEM', 'WRITE')")
+ @RequestMapping(method = RequestMethod.GET, value = "setOwner")
+ public WorkspaceItemRest setOwner(@RequestParam(name = "shareToken") String shareToken,
+ @RequestParam(name = "workspaceitemid") Integer wsoId,
 HttpServletRequest request) throws SQLException, AuthorizeException {
 
 
@@ -168,8 +169,6 @@ public WorkspaceItemRest setOwner(@RequestParam(name = "shareToken", required =
 return wsiRest;
 }
 
-
-
 private static String generateShareToken() {
 // UUID generates a 36-char string with hyphens, so we can strip them to get a 32-char string
 return UUID.randomUUID().toString().replace("-", "").substring(0, 32);
diff --git a/dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/WorkspaceItemRestRepository.java b/dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/WorkspaceItemRestRepository.java
index 03a708c4f8d6..e6ff59f2a729 100644
--- a/dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/WorkspaceItemRestRepository.java
+++ b/dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/WorkspaceItemRestRepository.java
@@ -102,6 +102,8 @@ public class WorkspaceItemRestRepository extends DSpaceRestRepository findByShareToken(@Parameter(value = "shareToken", required = true) String shareToken,
+ @SearchRestMethod(name = SHARE_TOKEN)
+ public Page findByShareToken(@Parameter(value = SHARE_TOKEN, required = true) String shareToken,
 Pageable pageable) {
 try {
 Context context = obtainContext();
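Review bot: setOwner changes the owner of a workspace item, yet the hunk moves it from POST to GET; a state-changing GET is triggered by link prefetch and cached by intermediaries, the shareToken travels in the URL where access logs, browser history and Referer headers record it, and whatever CSRF protection the server applies to non-GET requests no longer covers the call. Keep `@RequestMapping(method = RequestMethod.POST, value = "setOwner")`; the evaluator reads the token through getParameter, which for a form-encoded POST also sees body parameters, so the authorization path keeps working. Dropping required = false on both parameters is right — a missing wsoId now yields a 400 instead of a null reaching hasPermission. A short Javadoc stating that the caller becomes the item's owner, and whether the token is consumed afterwards (the body is outside this hunk, so that is not visible here), would document the contract. The method body continues outside the hunk.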
diff --git a/dspace-server-webapp/src/main/java/org/dspace/app/rest/security/WorkspaceItemRestPermissionEvaluatorPlugin.java b/dspace-server-webapp/src/main/java/org/dspace/app/rest/security/WorkspaceItemRestPermissionEvaluatorPlugin.java
index c0efbd60f204..4f92b0f650a6 100644
--- a/dspace-server-webapp/src/main/java/org/dspace/app/rest/security/WorkspaceItemRestPermissionEvaluatorPlugin.java
+++ b/dspace-server-webapp/src/main/java/org/dspace/app/rest/security/WorkspaceItemRestPermissionEvaluatorPlugin.java
@@ -7,8 +7,12 @@
 */
 package org.dspace.app.rest.security;
 
+import static org.dspace.app.rest.repository.WorkspaceItemRestRepository.SHARE_TOKEN;
+
 import java.io.Serializable;
 import java.sql.SQLException;
+import java.util.Objects;
+import javax.servlet.http.HttpServletRequest;
 
 import org.apache.commons.lang3.StringUtils;
 import org.dspace.app.rest.model.WorkspaceItemRest;
@@ -91,6 +95,16 @@ public boolean hasDSpacePermission(Authentication authentication, Serializable t
 }
 }
 
+ // Check the request has shareToken the same as the workspace item
+ if (witem.getShareToken() != null) {
+ HttpServletRequest req = request.getHttpServletRequest();
+ if (Objects.nonNull(req)) {
+ if (witem.getShareToken().equals(req.getParameter(SHARE_TOKEN))) {
+ return true;
+ }
+ }
+ }
+
 if (witem.getItem() != null) {
 if (supervisionOrderService.isSupervisor(context, ePerson, witem.getItem())) {
 return authorizeService.authorizeActionBoolean(context, ePerson, witem.getItem(),
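Review bot: The new shareToken branch returns true for whatever permission hasDSpacePermission is being asked about — none of the added lines look at the permission argument — so a bearer of the token satisfies WRITE, DELETE or any other check this plugin serves for that workspace item, not only the setOwner flow the commit title describes; gate the match on the one permission the share flow needs (the permission parameter is declared outside this hunk, so its name is not visible here). The token is also compared with String.equals, which stops at the first differing character; MessageDigest.isEqual over the UTF-8 bytes is the usual constant-time form for comparing a secret, and needs java.security.MessageDigest and java.nio.charset.StandardCharsets added to the import hunk above. Because this check runs before the supervisor and item checks, an otherwise unprivileged caller is accepted on the token alone — confirm that whatever precedes this hunk already rejects a null ePerson if anonymous use is not intended. The static import couples the security plugin to a REST repository constant; a one-line comment that the parameter name must stay in step with the one setOwner declares would help the next maintainer. hasDSpacePermission starts and ends outside this hunk.
```java
        // Check the request has shareToken the same as the workspace item
        String expected = witem.getShareToken();
        HttpServletRequest req = request.getHttpServletRequest();
        String presented = req == null ? null : req.getParameter(SHARE_TOKEN);
        // TODO(review): also require the permission being evaluated to be the one the
        // share flow needs (the permission parameter is declared outside this hunk)
        if (expected != null && presented != null
                && MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                         presented.getBytes(StandardCharsets.UTF_8))) {
            return true;
        }
        // … unchanged: supervisor / item checks …
```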