From 5da565264e84eabe53df561334d72fa21a924932 Mon Sep 17 00:00:00 2001 From: qqmyers Date: Tue, 19 Oct 2021 17:02:35 -0400 Subject: [PATCH 01/17] add permission definition --- .../edu/harvard/iq/dataverse/authorization/Permission.java | 4 +++- src/main/java/propertyFiles/Bundle.properties | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/Permission.java b/src/main/java/edu/harvard/iq/dataverse/authorization/Permission.java index 7fd7a40587f..ec52e764b4a 100644 --- a/src/main/java/edu/harvard/iq/dataverse/authorization/Permission.java +++ b/src/main/java/edu/harvard/iq/dataverse/authorization/Permission.java @@ -50,7 +50,9 @@ public enum Permission implements java.io.Serializable { PublishDataset(BundleUtil.getStringFromBundle("permission.publishDataset"), true, Dataset.class, Dataverse.class), // Delete DeleteDataverse(BundleUtil.getStringFromBundle("permission.deleteDataverse"), true, Dataverse.class), - DeleteDatasetDraft(BundleUtil.getStringFromBundle("permission.deleteDataset"), true, Dataset.class); + DeleteDatasetDraft(BundleUtil.getStringFromBundle("permission.deleteDataset"), true, Dataset.class), + //Update again + ManageFilePermissions(BundleUtil.getStringFromBundle("permission.managePermissionsDatasetFiles"), true, Dataset.class); // FUTURE: //RestrictMetadata("Mark metadata as restricted", DvObject.class), diff --git a/src/main/java/propertyFiles/Bundle.properties b/src/main/java/propertyFiles/Bundle.properties index 625602addcd..a0d5797d992 100644 --- a/src/main/java/propertyFiles/Bundle.properties +++ b/src/main/java/propertyFiles/Bundle.properties @@ -2175,6 +2175,7 @@ permission.downloadFile=Download a file permission.viewUnpublishedDataset=View an unpublished dataset and its files permission.viewUnpublishedDataverse=View an unpublished dataverse permission.addDatasetDataverse=Add a dataset to a dataverse +permission.managePermissionsDatasetFiles=Manage permissions for a dataset's file #DataverseUserPage.java userPage.informationUpdated=Your account information has been successfully updated. From af2291a23e9f21a80c774c2f2c311d36d5f2ea6a Mon Sep 17 00:00:00 2001 From: qqmyers Date: Thu, 21 Oct 2021 12:32:18 -0400 Subject: [PATCH 02/17] update to use ManageFilePermission --- .../edu/harvard/iq/dataverse/FileDownloadServiceBean.java | 2 +- .../edu/harvard/iq/dataverse/ManageFilePermissionsPage.java | 2 +- src/main/java/edu/harvard/iq/dataverse/api/Access.java | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/main/java/edu/harvard/iq/dataverse/FileDownloadServiceBean.java b/src/main/java/edu/harvard/iq/dataverse/FileDownloadServiceBean.java index 22bfc191921..8e12e7ca7bd 100644 --- a/src/main/java/edu/harvard/iq/dataverse/FileDownloadServiceBean.java +++ b/src/main/java/edu/harvard/iq/dataverse/FileDownloadServiceBean.java @@ -501,7 +501,7 @@ public boolean requestAccess(Long fileId) { } public void sendRequestFileAccessNotification(Dataset dataset, Long fileId, AuthenticatedUser requestor) { - permissionService.getUsersWithPermissionOn(Permission.ManageDatasetPermissions, dataset).stream().forEach((au) -> { + permissionService.getUsersWithPermissionOn(Permission.ManageFilePermissions, dataset).stream().forEach((au) -> { userNotificationService.sendNotification(au, new Timestamp(new Date().getTime()), UserNotification.Type.REQUESTFILEACCESS, fileId, null, requestor, false); }); diff --git a/src/main/java/edu/harvard/iq/dataverse/ManageFilePermissionsPage.java b/src/main/java/edu/harvard/iq/dataverse/ManageFilePermissionsPage.java index c728062a5a8..09f067f772c 100644 --- a/src/main/java/edu/harvard/iq/dataverse/ManageFilePermissionsPage.java +++ b/src/main/java/edu/harvard/iq/dataverse/ManageFilePermissionsPage.java @@ -136,7 +136,7 @@ public String init() { return permissionsWrapper.notFound(); } - if (!permissionService.on(dataset).has(Permission.ManageDatasetPermissions)) { + if (!permissionService.on(dataset).has(Permission.ManageFilePermissions)) { return permissionsWrapper.notAuthorized(); } initMaps(); diff --git a/src/main/java/edu/harvard/iq/dataverse/api/Access.java b/src/main/java/edu/harvard/iq/dataverse/api/Access.java index 9fd63a5fe04..cc146173d79 100644 --- a/src/main/java/edu/harvard/iq/dataverse/api/Access.java +++ b/src/main/java/edu/harvard/iq/dataverse/api/Access.java @@ -1394,7 +1394,7 @@ public Response listFileAccessRequests(@PathParam("id") String fileToRequestAcce return error(BAD_REQUEST, BundleUtil.getStringFromBundle("access.api.fileAccess.failure.noUser", args)); } - if (!(dataverseRequest.getAuthenticatedUser().isSuperuser() || permissionService.requestOn(dataverseRequest, dataFile.getOwner()).has(Permission.ManageDatasetPermissions))) { + if (!(dataverseRequest.getAuthenticatedUser().isSuperuser() || permissionService.requestOn(dataverseRequest, dataFile.getOwner()).has(Permission.ManageFilePermissions))) { return error(BAD_REQUEST, BundleUtil.getStringFromBundle("access.api.rejectAccess.failure.noPermissions")); } @@ -1588,7 +1588,7 @@ public Response rejectFileAccess(@PathParam("id") String fileToRequestAccessId, return error(BAD_REQUEST, BundleUtil.getStringFromBundle("access.api.fileAccess.failure.noUser", args)); } - if (!(dataverseRequest.getAuthenticatedUser().isSuperuser() || permissionService.requestOn(dataverseRequest, dataFile.getOwner()).has(Permission.ManageDatasetPermissions))) { + if (!(dataverseRequest.getAuthenticatedUser().isSuperuser() || permissionService.requestOn(dataverseRequest, dataFile.getOwner()).has(Permission.ManageFilePermissions))) { return error(BAD_REQUEST, BundleUtil.getStringFromBundle("access.api.rejectAccess.failure.noPermissions")); } From 93a7b52920ef5672e7a62a26f275798b7ba1b648 Mon Sep 17 00:00:00 2001 From: qqmyers Date: Thu, 21 Oct 2021 13:06:48 -0400 Subject: [PATCH 03/17] update curator role to add managefilepermission --- scripts/api/data/role-curator.json | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/api/data/role-curator.json b/scripts/api/data/role-curator.json index 2de5b2aefd1..91cb7ec43e2 100644 --- a/scripts/api/data/role-curator.json +++ b/scripts/api/data/role-curator.json @@ -9,6 +9,7 @@ "DeleteDatasetDraft", "PublishDataset", "ManageDatasetPermissions", + "ManageFilePermissions", "AddDataverse", "AddDataset", "ViewUnpublishedDataverse" From 7541c04e39ba31647dc72d22233ab1f5794ad653 Mon Sep 17 00:00:00 2001 From: qqmyers Date: Thu, 21 Oct 2021 13:07:16 -0400 Subject: [PATCH 04/17] flyway script to add managefileperm to roles that have managedatasetperm --- .../db/migration/V5.7.0.1__8109-add-manage-files-permission.sql | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 src/main/resources/db/migration/V5.7.0.1__8109-add-manage-files-permission.sql diff --git a/src/main/resources/db/migration/V5.7.0.1__8109-add-manage-files-permission.sql b/src/main/resources/db/migration/V5.7.0.1__8109-add-manage-files-permission.sql new file mode 100644 index 00000000000..8f73d56d699 --- /dev/null +++ b/src/main/resources/db/migration/V5.7.0.1__8109-add-manage-files-permission.sql @@ -0,0 +1,2 @@ +UPDATE dataverserole SET permissionbits=permissionbits + 8192 WHERE (permissionbits & 256 >0) AND (permissionbits & 8192 = 0); + From e7a5801595afc5dc94702b5290619b693369cec5 Mon Sep 17 00:00:00 2001 From: qqmyers Date: Thu, 21 Oct 2021 13:48:59 -0400 Subject: [PATCH 05/17] add labels and flyway script name change --- src/main/java/propertyFiles/Bundle.properties | 3 +++ ...sion.sql => V5.7.0.2__8109-add-manage-files-permission.sql} | 0 2 files changed, 3 insertions(+) rename src/main/resources/db/migration/{V5.7.0.1__8109-add-manage-files-permission.sql => V5.7.0.2__8109-add-manage-files-permission.sql} (100%) diff --git a/src/main/java/propertyFiles/Bundle.properties b/src/main/java/propertyFiles/Bundle.properties index a0d5797d992..2efb1e65130 100644 --- a/src/main/java/propertyFiles/Bundle.properties +++ b/src/main/java/propertyFiles/Bundle.properties @@ -2479,6 +2479,7 @@ permission.PublishDataverse.label=PublishDataverse permission.PublishDataset.label=PublishDataset permission.DeleteDataverse.label=DeleteDataverse permission.DeleteDatasetDraft.label=DeleteDatasetDraft +permission.ManageFilePermissions.label=ManageFilePermissions permission.AddDataverse.desc=Add a dataverse within another dataverse permission.DeleteDatasetDraft.desc=Delete a dataset draft @@ -2493,6 +2494,8 @@ permission.DownloadFile.desc=Download a file permission.ViewUnpublishedDataset.desc=View an unpublished dataset and its files permission.ViewUnpublishedDataverse.desc=View an unpublished dataverse permission.AddDataset.desc=Add a dataset to a dataverse +permission.ManageFilePermissions.desc=Manage permissions for a file + packageDownload.title=Package File Download packageDownload.instructions=Use the Download URL in a Wget command or a download manager to download this package file. Download via web browser is not recommended. User Guide - Downloading a Dataverse Package via URL diff --git a/src/main/resources/db/migration/V5.7.0.1__8109-add-manage-files-permission.sql b/src/main/resources/db/migration/V5.7.0.2__8109-add-manage-files-permission.sql similarity index 100% rename from src/main/resources/db/migration/V5.7.0.1__8109-add-manage-files-permission.sql rename to src/main/resources/db/migration/V5.7.0.2__8109-add-manage-files-permission.sql From 4111ee33632458c016ba192bc1b7bc609c19db8a Mon Sep 17 00:00:00 2001 From: qqmyers Date: Thu, 21 Oct 2021 14:13:58 -0400 Subject: [PATCH 06/17] require manage file perm on file target --- .../iq/dataverse/engine/command/impl/AssignRoleCommand.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/AssignRoleCommand.java b/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/AssignRoleCommand.java index b2af28befb5..95dca62c7f5 100644 --- a/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/AssignRoleCommand.java +++ b/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/AssignRoleCommand.java @@ -76,7 +76,7 @@ public Map> getRequiredPermissions() { // for data file check permission on owning dataset return Collections.singletonMap("", defPoint instanceof Dataverse ? Collections.singleton(Permission.ManageDataversePermissions) - : Collections.singleton(Permission.ManageDatasetPermissions)); + : defPoint instanceof Dataset ? Collections.singleton(Permission.ManageDatasetPermissions) : Collections.singleton(Permission.ManageFilePermissions)); } @Override From 6736d377fc819bde46d4f2a5736be8a687b945e0 Mon Sep 17 00:00:00 2001 From: qqmyers Date: Thu, 21 Oct 2021 15:04:35 -0400 Subject: [PATCH 07/17] adjust set permissions menu --- .../java/edu/harvard/iq/dataverse/PermissionsWrapper.java | 4 +++- src/main/webapp/dataset.xhtml | 6 +++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/src/main/java/edu/harvard/iq/dataverse/PermissionsWrapper.java b/src/main/java/edu/harvard/iq/dataverse/PermissionsWrapper.java index 92892a7fe77..d255d2ec394 100644 --- a/src/main/java/edu/harvard/iq/dataverse/PermissionsWrapper.java +++ b/src/main/java/edu/harvard/iq/dataverse/PermissionsWrapper.java @@ -142,7 +142,9 @@ public boolean canUpdateDataset(DataverseRequest dr, Dataset dataset) { return doesSessionUserHaveDataSetPermission(dr, dataset, Permission.EditDataset); } - + public boolean canManageFilesOnDataset(Dataset dataset) { + return doesSessionUserHaveDataSetPermission(dvRequestService.getDataverseRequest(), dataset, Permission.ManageFilePermissions); + } /** * (Using Raman's implementation in DatasetPage - moving it here, so that diff --git a/src/main/webapp/dataset.xhtml b/src/main/webapp/dataset.xhtml index dffe8256eb8..2cfe72d69bf 100644 --- a/src/main/webapp/dataset.xhtml +++ b/src/main/webapp/dataset.xhtml @@ -374,18 +374,18 @@ - +
  • #{bundle['dataset.editBtn.itemLabel.permissions']}
      -
    • +
      • -
    • +
    • From 0e159912f68cf9bd2a35e7909885d8ae4f1ffd88 Mon Sep 17 00:00:00 2001 From: qqmyers Date: Thu, 21 Oct 2021 15:18:20 -0400 Subject: [PATCH 08/17] check new manage file perm when revoking file download perm --- .../engine/command/impl/RevokeRoleCommand.java | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/RevokeRoleCommand.java b/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/RevokeRoleCommand.java index 1a290df4a4a..8b08dba4bda 100644 --- a/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/RevokeRoleCommand.java +++ b/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/RevokeRoleCommand.java @@ -1,7 +1,9 @@ package edu.harvard.iq.dataverse.engine.command.impl; import edu.harvard.iq.dataverse.DataFile; +import edu.harvard.iq.dataverse.Dataset; import edu.harvard.iq.dataverse.Dataverse; +import edu.harvard.iq.dataverse.DvObject; import edu.harvard.iq.dataverse.RoleAssignment; import edu.harvard.iq.dataverse.authorization.Permission; import edu.harvard.iq.dataverse.engine.command.AbstractVoidCommand; @@ -22,7 +24,7 @@ public class RevokeRoleCommand extends AbstractVoidCommand { private final RoleAssignment toBeRevoked; public RevokeRoleCommand(RoleAssignment toBeRevoked, DataverseRequest aRequest) { - // for data file check permission on owning dataset + // for data file, report affect object as owning dataset super(aRequest, toBeRevoked.getDefinitionPoint() instanceof DataFile ? toBeRevoked.getDefinitionPoint().getOwner() : toBeRevoked.getDefinitionPoint()); this.toBeRevoked = toBeRevoked; } @@ -34,9 +36,9 @@ protected void executeImpl(CommandContext ctxt) throws CommandException { @Override public Map> getRequiredPermissions() { - // for data file check permission on owning dataset + DvObject defPoint = toBeRevoked.getDefinitionPoint(); return Collections.singletonMap("", - toBeRevoked.getDefinitionPoint() instanceof Dataverse ? Collections.singleton(Permission.ManageDataversePermissions) - : Collections.singleton(Permission.ManageDatasetPermissions)); + defPoint instanceof Dataverse ? Collections.singleton(Permission.ManageDataversePermissions) + : defPoint instanceof Dataset ? Collections.singleton(Permission.ManageDatasetPermissions): Collections.singleton(Permission.ManageFilePermissions)); } } From f9385ea201b80ccb0111505190f2f2fd0861b521 Mon Sep 17 00:00:00 2001 From: qqmyers Date: Thu, 28 Oct 2021 12:03:19 -0400 Subject: [PATCH 09/17] text changes per review comments --- src/main/java/propertyFiles/Bundle.properties | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/java/propertyFiles/Bundle.properties b/src/main/java/propertyFiles/Bundle.properties index 45b1a91abbc..c5c6070b443 100644 --- a/src/main/java/propertyFiles/Bundle.properties +++ b/src/main/java/propertyFiles/Bundle.properties @@ -2175,7 +2175,7 @@ permission.downloadFile=Download a file permission.viewUnpublishedDataset=View an unpublished dataset and its files permission.viewUnpublishedDataverse=View an unpublished dataverse permission.addDatasetDataverse=Add a dataset to a dataverse -permission.managePermissionsDatasetFiles=Manage permissions for a dataset's file +permission.managePermissionsDatasetFiles=Manage permissions for a dataset's files #DataverseUserPage.java userPage.informationUpdated=Your account information has been successfully updated. @@ -2494,7 +2494,7 @@ permission.DownloadFile.desc=Download a file permission.ViewUnpublishedDataset.desc=View an unpublished dataset and its files permission.ViewUnpublishedDataverse.desc=View an unpublished dataverse permission.AddDataset.desc=Add a dataset to a dataverse -permission.ManageFilePermissions.desc=Manage permissions for a file +permission.ManageFilePermissions.desc=Manage permissions for a dataset's files packageDownload.title=Package File Download From 42c32afae2f5771c83b68e712fb566eb7b9014b0 Mon Sep 17 00:00:00 2001 From: qqmyers Date: Fri, 29 Oct 2021 12:44:05 -0400 Subject: [PATCH 10/17] Move the new permission in the enum and rework flyway update script --- .../dataverse/authorization/Permission.java | 6 ++--- ....0.2__8109-add-manage-files-permission.sql | 25 ++++++++++++++++++- 2 files changed, 27 insertions(+), 4 deletions(-) diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/Permission.java b/src/main/java/edu/harvard/iq/dataverse/authorization/Permission.java index ec52e764b4a..90edb0aac9f 100644 --- a/src/main/java/edu/harvard/iq/dataverse/authorization/Permission.java +++ b/src/main/java/edu/harvard/iq/dataverse/authorization/Permission.java @@ -46,13 +46,13 @@ public enum Permission implements java.io.Serializable { EditDataset(BundleUtil.getStringFromBundle("permission.editDataset"), true, Dataset.class), ManageDataversePermissions(BundleUtil.getStringFromBundle("permission.managePermissionsDataverse"), true, Dataverse.class), ManageDatasetPermissions(BundleUtil.getStringFromBundle("permission.managePermissionsDataset"), true, Dataset.class), + ManageFilePermissions(BundleUtil.getStringFromBundle("permission.managePermissionsDatasetFiles"), true, Dataset.class), PublishDataverse(BundleUtil.getStringFromBundle("permission.publishDataverse"), true, Dataverse.class), PublishDataset(BundleUtil.getStringFromBundle("permission.publishDataset"), true, Dataset.class, Dataverse.class), // Delete DeleteDataverse(BundleUtil.getStringFromBundle("permission.deleteDataverse"), true, Dataverse.class), - DeleteDatasetDraft(BundleUtil.getStringFromBundle("permission.deleteDataset"), true, Dataset.class), - //Update again - ManageFilePermissions(BundleUtil.getStringFromBundle("permission.managePermissionsDatasetFiles"), true, Dataset.class); + DeleteDatasetDraft(BundleUtil.getStringFromBundle("permission.deleteDataset"), true, Dataset.class); + // FUTURE: //RestrictMetadata("Mark metadata as restricted", DvObject.class), diff --git a/src/main/resources/db/migration/V5.7.0.2__8109-add-manage-files-permission.sql b/src/main/resources/db/migration/V5.7.0.2__8109-add-manage-files-permission.sql index 8f73d56d699..2fae7f4d8df 100644 --- a/src/main/resources/db/migration/V5.7.0.2__8109-add-manage-files-permission.sql +++ b/src/main/resources/db/migration/V5.7.0.2__8109-add-manage-files-permission.sql @@ -1,2 +1,25 @@ -UPDATE dataverserole SET permissionbits=permissionbits + 8192 WHERE (permissionbits & 256 >0) AND (permissionbits & 8192 = 0); +/* We're adding a new permission at bit 10 (512 ManageFilePermissions) that should be set for any role that has the permission + in bit 9 (256 ManageDatasetPermissions). +That means that any roles with current bits 10-13 (512+1024+2048+4096 = 7680) needs to have the corresponding bits 11-14 set +after the update, which can be accomplished by adding permissionbits & 7680 to the original value. (So a role with just bit 10 +set (512) would have 512&7680 (=512) added to it and become bit 11 (1024). The same logic also shifts any values in bits 11-13 +into bits 12-14. +In addition, any role wite permission for bit 9 set now should also have bit 10 set after the update +(any current role with ManageDatasetPermissions gets ManageDatasetPermissions and ManageFilePermissions after the update). +To do this we just add an addition bit 10 (512) if permissionbits&256!=0 + +Finally, to make this idempotent, at least under the assumption that the standard admin role with all permissions +(or some role with current permission bit 13 set), we check to make sure no role has bit 14+ set - max(permissionsbits) <8192. +With the IF statement, running this script more than once will only cause an update on the first pass. + +*/ +DO +$do$ +BEGIN + IF (SELECT MAX(permissionbits) FROM dataverserole) < 8192 THEN + UPDATE dataverserole SET permissionbits=permissionbits + (permissionbits & 7680) WHERE (permissionbits & 256 =0); + UPDATE dataverserole SET permissionbits=permissionbits + (permissionbits & 7680) +512 WHERE (permissionbits & 256 !=0); + END IF; +END +$do$; From a73fd491e8043edfad79bf4e882a4a00bbed5aaf Mon Sep 17 00:00:00 2001 From: qqmyers Date: Thu, 4 Nov 2021 14:25:36 -0400 Subject: [PATCH 11/17] Change permission object to DataFile per review request. --- .../java/edu/harvard/iq/dataverse/FileDownloadHelper.java | 4 ++-- .../edu/harvard/iq/dataverse/FileDownloadServiceBean.java | 6 +++--- src/main/java/edu/harvard/iq/dataverse/api/Access.java | 4 ++-- .../edu/harvard/iq/dataverse/authorization/Permission.java | 2 +- .../iq/dataverse/engine/command/impl/AssignRoleCommand.java | 3 ++- .../dataverse/engine/command/impl/RequestAccessCommand.java | 2 +- .../iq/dataverse/engine/command/impl/RevokeRoleCommand.java | 4 +--- src/main/java/propertyFiles/Bundle.properties | 4 ++-- 8 files changed, 14 insertions(+), 15 deletions(-) diff --git a/src/main/java/edu/harvard/iq/dataverse/FileDownloadHelper.java b/src/main/java/edu/harvard/iq/dataverse/FileDownloadHelper.java index 6b8d0f73b83..d1314ae5f5b 100644 --- a/src/main/java/edu/harvard/iq/dataverse/FileDownloadHelper.java +++ b/src/main/java/edu/harvard/iq/dataverse/FileDownloadHelper.java @@ -315,7 +315,7 @@ public void requestAccessMultiple(List files) { } } if (notificationFile != null && succeeded) { - fileDownloadService.sendRequestFileAccessNotification(notificationFile.getOwner(), notificationFile.getId(), (AuthenticatedUser) session.getUser()); + fileDownloadService.sendRequestFileAccessNotification(notificationFile, (AuthenticatedUser) session.getUser()); } } @@ -339,7 +339,7 @@ private boolean processRequestAccess(DataFile file, Boolean sendNotification) { file.getFileAccessRequesters().add((AuthenticatedUser) session.getUser()); // create notification if necessary if (sendNotification) { - fileDownloadService.sendRequestFileAccessNotification(file.getOwner(), file.getId(), (AuthenticatedUser) session.getUser()); + fileDownloadService.sendRequestFileAccessNotification(file, (AuthenticatedUser) session.getUser()); } return true; } diff --git a/src/main/java/edu/harvard/iq/dataverse/FileDownloadServiceBean.java b/src/main/java/edu/harvard/iq/dataverse/FileDownloadServiceBean.java index 8e12e7ca7bd..d64f3fba808 100644 --- a/src/main/java/edu/harvard/iq/dataverse/FileDownloadServiceBean.java +++ b/src/main/java/edu/harvard/iq/dataverse/FileDownloadServiceBean.java @@ -500,9 +500,9 @@ public boolean requestAccess(Long fileId) { return false; } - public void sendRequestFileAccessNotification(Dataset dataset, Long fileId, AuthenticatedUser requestor) { - permissionService.getUsersWithPermissionOn(Permission.ManageFilePermissions, dataset).stream().forEach((au) -> { - userNotificationService.sendNotification(au, new Timestamp(new Date().getTime()), UserNotification.Type.REQUESTFILEACCESS, fileId, null, requestor, false); + public void sendRequestFileAccessNotification(DataFile datafile, AuthenticatedUser requestor) { + permissionService.getUsersWithPermissionOn(Permission.ManageFilePermissions, datafile).stream().forEach((au) -> { + userNotificationService.sendNotification(au, new Timestamp(new Date().getTime()), UserNotification.Type.REQUESTFILEACCESS, datafile.getId(), null, requestor, false); }); } diff --git a/src/main/java/edu/harvard/iq/dataverse/api/Access.java b/src/main/java/edu/harvard/iq/dataverse/api/Access.java index 2c59b10bcc4..4f1206c2590 100644 --- a/src/main/java/edu/harvard/iq/dataverse/api/Access.java +++ b/src/main/java/edu/harvard/iq/dataverse/api/Access.java @@ -1401,7 +1401,7 @@ public Response listFileAccessRequests(@PathParam("id") String fileToRequestAcce return error(BAD_REQUEST, BundleUtil.getStringFromBundle("access.api.fileAccess.failure.noUser", args)); } - if (!(dataverseRequest.getAuthenticatedUser().isSuperuser() || permissionService.requestOn(dataverseRequest, dataFile.getOwner()).has(Permission.ManageFilePermissions))) { + if (!(dataverseRequest.getAuthenticatedUser().isSuperuser() || permissionService.requestOn(dataverseRequest, dataFile).has(Permission.ManageFilePermissions))) { return error(BAD_REQUEST, BundleUtil.getStringFromBundle("access.api.rejectAccess.failure.noPermissions")); } @@ -1595,7 +1595,7 @@ public Response rejectFileAccess(@PathParam("id") String fileToRequestAccessId, return error(BAD_REQUEST, BundleUtil.getStringFromBundle("access.api.fileAccess.failure.noUser", args)); } - if (!(dataverseRequest.getAuthenticatedUser().isSuperuser() || permissionService.requestOn(dataverseRequest, dataFile.getOwner()).has(Permission.ManageFilePermissions))) { + if (!(dataverseRequest.getAuthenticatedUser().isSuperuser() || permissionService.requestOn(dataverseRequest, dataFile).has(Permission.ManageFilePermissions))) { return error(BAD_REQUEST, BundleUtil.getStringFromBundle("access.api.rejectAccess.failure.noPermissions")); } diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/Permission.java b/src/main/java/edu/harvard/iq/dataverse/authorization/Permission.java index 90edb0aac9f..d61264491c9 100644 --- a/src/main/java/edu/harvard/iq/dataverse/authorization/Permission.java +++ b/src/main/java/edu/harvard/iq/dataverse/authorization/Permission.java @@ -46,7 +46,7 @@ public enum Permission implements java.io.Serializable { EditDataset(BundleUtil.getStringFromBundle("permission.editDataset"), true, Dataset.class), ManageDataversePermissions(BundleUtil.getStringFromBundle("permission.managePermissionsDataverse"), true, Dataverse.class), ManageDatasetPermissions(BundleUtil.getStringFromBundle("permission.managePermissionsDataset"), true, Dataset.class), - ManageFilePermissions(BundleUtil.getStringFromBundle("permission.managePermissionsDatasetFiles"), true, Dataset.class), + ManageFilePermissions(BundleUtil.getStringFromBundle("permission.managePermissionsDataFiles"), true, DataFile.class), PublishDataverse(BundleUtil.getStringFromBundle("permission.publishDataverse"), true, Dataverse.class), PublishDataset(BundleUtil.getStringFromBundle("permission.publishDataset"), true, Dataset.class, Dataverse.class), // Delete diff --git a/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/AssignRoleCommand.java b/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/AssignRoleCommand.java index 95dca62c7f5..5577d541012 100644 --- a/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/AssignRoleCommand.java +++ b/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/AssignRoleCommand.java @@ -32,6 +32,7 @@ public class AssignRoleCommand extends AbstractCommand { private final DataverseRole role; private final RoleAssignee grantee; + //Kept for convenience -could get this as the only DVObject AbstractCommand<>.getAffectedDvObjects() instead of having a local defPoint private final DvObject defPoint; private final String privateUrlToken; private boolean anonymizedAccess; @@ -45,7 +46,7 @@ public class AssignRoleCommand extends AbstractCommand { */ public AssignRoleCommand(RoleAssignee anAssignee, DataverseRole aRole, DvObject assignmentPoint, DataverseRequest aRequest, String privateUrlToken) { // for data file check permission on owning dataset - super(aRequest, assignmentPoint instanceof DataFile ? assignmentPoint.getOwner() : assignmentPoint); + super(aRequest, assignmentPoint); role = aRole; grantee = anAssignee; defPoint = assignmentPoint; diff --git a/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/RequestAccessCommand.java b/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/RequestAccessCommand.java index 0a1d41ff49c..2fc3a5c525e 100644 --- a/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/RequestAccessCommand.java +++ b/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/RequestAccessCommand.java @@ -61,7 +61,7 @@ public DataFile execute(CommandContext ctxt) throws CommandException { } file.getFileAccessRequesters().add(requester); if (sendNotification) { - ctxt.fileDownload().sendRequestFileAccessNotification(this.file.getOwner(), this.file.getId(), requester); + ctxt.fileDownload().sendRequestFileAccessNotification(this.file, requester); } return ctxt.files().save(file); } diff --git a/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/RevokeRoleCommand.java b/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/RevokeRoleCommand.java index 8b08dba4bda..295b1b49f2e 100644 --- a/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/RevokeRoleCommand.java +++ b/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/RevokeRoleCommand.java @@ -1,6 +1,5 @@ package edu.harvard.iq.dataverse.engine.command.impl; -import edu.harvard.iq.dataverse.DataFile; import edu.harvard.iq.dataverse.Dataset; import edu.harvard.iq.dataverse.Dataverse; import edu.harvard.iq.dataverse.DvObject; @@ -24,8 +23,7 @@ public class RevokeRoleCommand extends AbstractVoidCommand { private final RoleAssignment toBeRevoked; public RevokeRoleCommand(RoleAssignment toBeRevoked, DataverseRequest aRequest) { - // for data file, report affect object as owning dataset - super(aRequest, toBeRevoked.getDefinitionPoint() instanceof DataFile ? toBeRevoked.getDefinitionPoint().getOwner() : toBeRevoked.getDefinitionPoint()); + super(aRequest, toBeRevoked.getDefinitionPoint()); this.toBeRevoked = toBeRevoked; } diff --git a/src/main/java/propertyFiles/Bundle.properties b/src/main/java/propertyFiles/Bundle.properties index 58a50a01af6..08850ed24fa 100644 --- a/src/main/java/propertyFiles/Bundle.properties +++ b/src/main/java/propertyFiles/Bundle.properties @@ -2216,7 +2216,7 @@ permission.downloadFile=Download a file permission.viewUnpublishedDataset=View an unpublished dataset and its files permission.viewUnpublishedDataverse=View an unpublished dataverse permission.addDatasetDataverse=Add a dataset to a dataverse -permission.managePermissionsDatasetFiles=Manage permissions for a dataset's files +permission.managePermissionsDataFiles=Manage permissions for a dataFile(s) #DataverseUserPage.java userPage.informationUpdated=Your account information has been successfully updated. @@ -2535,7 +2535,7 @@ permission.DownloadFile.desc=Download a file permission.ViewUnpublishedDataset.desc=View an unpublished dataset and its files permission.ViewUnpublishedDataverse.desc=View an unpublished dataverse permission.AddDataset.desc=Add a dataset to a dataverse -permission.ManageFilePermissions.desc=Manage permissions for a dataset's files +permission.ManageFilePermissions.desc=Manage permissions for a file(s) packageDownload.title=Package File Download From 05f9055912e36660bf22cfe75956984fb5d56074 Mon Sep 17 00:00:00 2001 From: qqmyers Date: Thu, 4 Nov 2021 14:27:31 -0400 Subject: [PATCH 12/17] typo --- src/main/java/propertyFiles/Bundle.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/propertyFiles/Bundle.properties b/src/main/java/propertyFiles/Bundle.properties index 08850ed24fa..0a062e57ce9 100644 --- a/src/main/java/propertyFiles/Bundle.properties +++ b/src/main/java/propertyFiles/Bundle.properties @@ -2216,7 +2216,7 @@ permission.downloadFile=Download a file permission.viewUnpublishedDataset=View an unpublished dataset and its files permission.viewUnpublishedDataverse=View an unpublished dataverse permission.addDatasetDataverse=Add a dataset to a dataverse -permission.managePermissionsDataFiles=Manage permissions for a dataFile(s) +permission.managePermissionsDataFiles=Manage permissions for a file(s) #DataverseUserPage.java userPage.informationUpdated=Your account information has been successfully updated. From d97f36a0fa06b98c0ebb7f395016f2c6b6a57acc Mon Sep 17 00:00:00 2001 From: qqmyers Date: Thu, 4 Nov 2021 15:31:14 -0400 Subject: [PATCH 13/17] singularize string name --- .../java/edu/harvard/iq/dataverse/authorization/Permission.java | 2 +- src/main/java/propertyFiles/Bundle.properties | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/Permission.java b/src/main/java/edu/harvard/iq/dataverse/authorization/Permission.java index d61264491c9..32937098118 100644 --- a/src/main/java/edu/harvard/iq/dataverse/authorization/Permission.java +++ b/src/main/java/edu/harvard/iq/dataverse/authorization/Permission.java @@ -46,7 +46,7 @@ public enum Permission implements java.io.Serializable { EditDataset(BundleUtil.getStringFromBundle("permission.editDataset"), true, Dataset.class), ManageDataversePermissions(BundleUtil.getStringFromBundle("permission.managePermissionsDataverse"), true, Dataverse.class), ManageDatasetPermissions(BundleUtil.getStringFromBundle("permission.managePermissionsDataset"), true, Dataset.class), - ManageFilePermissions(BundleUtil.getStringFromBundle("permission.managePermissionsDataFiles"), true, DataFile.class), + ManageFilePermissions(BundleUtil.getStringFromBundle("permission.managePermissionsDataFile"), true, DataFile.class), PublishDataverse(BundleUtil.getStringFromBundle("permission.publishDataverse"), true, Dataverse.class), PublishDataset(BundleUtil.getStringFromBundle("permission.publishDataset"), true, Dataset.class, Dataverse.class), // Delete diff --git a/src/main/java/propertyFiles/Bundle.properties b/src/main/java/propertyFiles/Bundle.properties index 0a062e57ce9..4fa0205ba81 100644 --- a/src/main/java/propertyFiles/Bundle.properties +++ b/src/main/java/propertyFiles/Bundle.properties @@ -2216,7 +2216,7 @@ permission.downloadFile=Download a file permission.viewUnpublishedDataset=View an unpublished dataset and its files permission.viewUnpublishedDataverse=View an unpublished dataverse permission.addDatasetDataverse=Add a dataset to a dataverse -permission.managePermissionsDataFiles=Manage permissions for a file(s) +permission.managePermissionsDataFile=Manage permissions for a file(s) #DataverseUserPage.java userPage.informationUpdated=Your account information has been successfully updated. From 706fc17b9c6fa4e36c3789f2fdc0ebdf09bd0faf Mon Sep 17 00:00:00 2001 From: qqmyers Date: Thu, 4 Nov 2021 15:38:17 -0400 Subject: [PATCH 14/17] more conformity --- src/main/java/propertyFiles/Bundle.properties | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/main/java/propertyFiles/Bundle.properties b/src/main/java/propertyFiles/Bundle.properties index 4fa0205ba81..faa891ec021 100644 --- a/src/main/java/propertyFiles/Bundle.properties +++ b/src/main/java/propertyFiles/Bundle.properties @@ -2208,6 +2208,7 @@ permission.deleteDataset=Delete a dataset draft permission.deleteDataverse=Delete an unpublished dataverse permission.publishDataset=Publish a dataset permission.publishDataverse=Publish a dataverse +permission.managePermissionsDataFile=Manage permissions for a file permission.managePermissionsDataset=Manage permissions for a dataset permission.managePermissionsDataverse=Manage permissions for a dataverse permission.editDataset=Edit a dataset's metadata @@ -2216,7 +2217,6 @@ permission.downloadFile=Download a file permission.viewUnpublishedDataset=View an unpublished dataset and its files permission.viewUnpublishedDataverse=View an unpublished dataverse permission.addDatasetDataverse=Add a dataset to a dataverse -permission.managePermissionsDataFile=Manage permissions for a file(s) #DataverseUserPage.java userPage.informationUpdated=Your account information has been successfully updated. @@ -2527,6 +2527,7 @@ permission.DeleteDatasetDraft.desc=Delete a dataset draft permission.DeleteDataverse.desc=Delete an unpublished dataverse permission.PublishDataset.desc=Publish a dataset permission.PublishDataverse.desc=Publish a dataverse +permission.ManageFilePermissions.desc=Manage permissions for a file permission.ManageDatasetPermissions.desc=Manage permissions for a dataset permission.ManageDataversePermissions.desc=Manage permissions for a dataverse permission.EditDataset.desc=Edit a dataset's metadata @@ -2535,8 +2536,6 @@ permission.DownloadFile.desc=Download a file permission.ViewUnpublishedDataset.desc=View an unpublished dataset and its files permission.ViewUnpublishedDataverse.desc=View an unpublished dataverse permission.AddDataset.desc=Add a dataset to a dataverse -permission.ManageFilePermissions.desc=Manage permissions for a file(s) - packageDownload.title=Package File Download packageDownload.instructions=Use the Download URL in a Wget command or a download manager to download this package file. Download via web browser is not recommended. User Guide - Downloading a Dataverse Package via URL From dc0b83e50b3e521c8a6370f62b711b4ec449b582 Mon Sep 17 00:00:00 2001 From: qqmyers Date: Thu, 4 Nov 2021 16:35:51 -0400 Subject: [PATCH 15/17] a possible release note addition --- doc/release-notes/8174-new-managefilepermissions.md | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 doc/release-notes/8174-new-managefilepermissions.md diff --git a/doc/release-notes/8174-new-managefilepermissions.md b/doc/release-notes/8174-new-managefilepermissions.md new file mode 100644 index 00000000000..81ef0821d69 --- /dev/null +++ b/doc/release-notes/8174-new-managefilepermissions.md @@ -0,0 +1,3 @@ +## New ManageFilePermissions Permission + +Dataverse can now support a use case in which a Admin or Curator would like to delegate the ability to grant access to restricted files to other users. This can be implemented by creating a custom role (e.g. DownloadApprover) that has the new ManageFilePermissions permission. This release introduces the new permission ( and adjusts the existing standard Admin and Curator roles so they continue to have the ability to grant file download requrests). \ No newline at end of file From 3054eac73b668bfd44c50852552dd63a4ffc31fe Mon Sep 17 00:00:00 2001 From: qqmyers Date: Thu, 18 Nov 2021 15:42:21 -0500 Subject: [PATCH 16/17] fix npe, update flyway numbering, tweak error status/text --- src/main/java/edu/harvard/iq/dataverse/api/Access.java | 10 +++++----- src/main/java/propertyFiles/Bundle.properties | 2 +- ... => V5.8.0.2__8109-add-manage-files-permission.sql} | 0 3 files changed, 6 insertions(+), 6 deletions(-) rename src/main/resources/db/migration/{V5.7.0.2__8109-add-manage-files-permission.sql => V5.8.0.2__8109-add-manage-files-permission.sql} (100%) diff --git a/src/main/java/edu/harvard/iq/dataverse/api/Access.java b/src/main/java/edu/harvard/iq/dataverse/api/Access.java index e9792c3b5b1..d171658fe2d 100644 --- a/src/main/java/edu/harvard/iq/dataverse/api/Access.java +++ b/src/main/java/edu/harvard/iq/dataverse/api/Access.java @@ -121,6 +121,7 @@ import javax.ws.rs.RedirectionException; import javax.ws.rs.core.MediaType; import static javax.ws.rs.core.Response.Status.FORBIDDEN; +import static javax.ws.rs.core.Response.Status.UNAUTHORIZED; import org.glassfish.jersey.media.multipart.FormDataParam; /* @@ -1367,21 +1368,20 @@ public Response listFileAccessRequests(@PathParam("id") String fileToRequestAcce } try { - dataverseRequest = createDataverseRequest(findUserOrDie()); + dataverseRequest = createDataverseRequest(findAuthenticatedUserOrDie()); } catch (WrappedResponse wr) { List args = Arrays.asList(wr.getLocalizedMessage()); - return error(BAD_REQUEST, BundleUtil.getStringFromBundle("access.api.fileAccess.failure.noUser", args)); + return error(UNAUTHORIZED, BundleUtil.getStringFromBundle("access.api.fileAccess.failure.noUser", args)); } - if (!(dataverseRequest.getAuthenticatedUser().isSuperuser() || permissionService.requestOn(dataverseRequest, dataFile).has(Permission.ManageFilePermissions))) { - return error(BAD_REQUEST, BundleUtil.getStringFromBundle("access.api.rejectAccess.failure.noPermissions")); + return error(FORBIDDEN, BundleUtil.getStringFromBundle("access.api.rejectAccess.failure.noPermissions")); } List requesters = dataFile.getFileAccessRequesters(); if (requesters == null || requesters.isEmpty()) { List args = Arrays.asList(dataFile.getDisplayName()); - return error(BAD_REQUEST, BundleUtil.getStringFromBundle("access.api.requestList.noRequestsFound")); + return error(BAD_REQUEST, BundleUtil.getStringFromBundle("access.api.requestList.noRequestsFound", args)); } JsonArrayBuilder userArray = Json.createArrayBuilder(); diff --git a/src/main/java/propertyFiles/Bundle.properties b/src/main/java/propertyFiles/Bundle.properties index a93c354f50c..a06d2d2d67b 100644 --- a/src/main/java/propertyFiles/Bundle.properties +++ b/src/main/java/propertyFiles/Bundle.properties @@ -2500,7 +2500,7 @@ access.api.revokeAccess.noRoleFound=No File Downloader role found for user {0} access.api.revokeAccess.success.for.single.file=File Downloader access has been revoked for user {0} on file {1} access.api.requestList.fileNotFound=Could not find datafile with id {0}. access.api.requestList.noKey=You must provide a key to get list of access requests for a file. -access.api.requestList.noRequestsFound=There are no access requests for this file {0}. +access.api.requestList.noRequestsFound=There are no access requests for this file: {0}. access.api.exception.metadata.not.available.for.nontabular.file=This type of metadata is only available for tabular files. access.api.exception.metadata.restricted.no.permission=You do not have permission to download this file. access.api.exception.version.not.found=Could not find requested dataset version. diff --git a/src/main/resources/db/migration/V5.7.0.2__8109-add-manage-files-permission.sql b/src/main/resources/db/migration/V5.8.0.2__8109-add-manage-files-permission.sql similarity index 100% rename from src/main/resources/db/migration/V5.7.0.2__8109-add-manage-files-permission.sql rename to src/main/resources/db/migration/V5.8.0.2__8109-add-manage-files-permission.sql From 6c609c408e483e3e510a15413c60cade9276b60d Mon Sep 17 00:00:00 2001 From: qqmyers Date: Fri, 19 Nov 2021 10:40:11 -0500 Subject: [PATCH 17/17] moving up in the merge queue! - rename flyway script --- ...mission.sql => V5.8.0.1__8109-add-manage-files-permission.sql} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename src/main/resources/db/migration/{V5.8.0.2__8109-add-manage-files-permission.sql => V5.8.0.1__8109-add-manage-files-permission.sql} (100%) diff --git a/src/main/resources/db/migration/V5.8.0.2__8109-add-manage-files-permission.sql b/src/main/resources/db/migration/V5.8.0.1__8109-add-manage-files-permission.sql similarity index 100% rename from src/main/resources/db/migration/V5.8.0.2__8109-add-manage-files-permission.sql rename to src/main/resources/db/migration/V5.8.0.1__8109-add-manage-files-permission.sql