IQSS · kcondon · Nov 19, 2021 · Oct 19, 2021 · Oct 21, 2021 · Oct 21, 2021
diff --git a/doc/release-notes/8174-new-managefilepermissions.md b/doc/release-notes/8174-new-managefilepermissions.md
@@ -0,0 +1,3 @@
+## New ManageFilePermissions Permission
+
+Dataverse can now support a use case in which a Admin or Curator would like to delegate the ability to grant access to restricted files to other users. This can be implemented by creating a custom role (e.g. DownloadApprover) that has the new ManageFilePermissions permission. This release introduces the new permission ( and adjusts the existing standard Admin and Curator roles so they continue to have the ability to grant file download requrests).
diff --git a/scripts/api/data/role-curator.json b/scripts/api/data/role-curator.json
@@ -9,6 +9,7 @@
         "DeleteDatasetDraft",
         "PublishDataset",
         "ManageDatasetPermissions",
+        "ManageFilePermissions",
         "AddDataverse",
         "AddDataset",
         "ViewUnpublishedDataverse" 

diff --git a/src/main/java/edu/harvard/iq/dataverse/FileDownloadHelper.java b/src/main/java/edu/harvard/iq/dataverse/FileDownloadHelper.java
@@ -315,7 +315,7 @@ public void requestAccessMultiple(List<DataFile> files) {
              }
          }
          if (notificationFile != null && succeeded) {
-             fileDownloadService.sendRequestFileAccessNotification(notificationFile.getOwner(), notificationFile.getId(), (AuthenticatedUser) session.getUser());
+             fileDownloadService.sendRequestFileAccessNotification(notificationFile, (AuthenticatedUser) session.getUser());
          }
      }
 
@@ -339,7 +339,7 @@ private boolean processRequestAccess(DataFile file, Boolean sendNotification) {
              file.getFileAccessRequesters().add((AuthenticatedUser) session.getUser());
              // create notification if necessary
              if (sendNotification) {
-                 fileDownloadService.sendRequestFileAccessNotification(file.getOwner(), file.getId(), (AuthenticatedUser) session.getUser());
+                 fileDownloadService.sendRequestFileAccessNotification(file, (AuthenticatedUser) session.getUser());
              }
              return true;
          }

diff --git a/src/main/java/edu/harvard/iq/dataverse/FileDownloadServiceBean.java b/src/main/java/edu/harvard/iq/dataverse/FileDownloadServiceBean.java
@@ -500,9 +500,9 @@ public boolean requestAccess(Long fileId) {
         return false;
     }    
 
-    public void sendRequestFileAccessNotification(Dataset dataset, Long fileId, AuthenticatedUser requestor) {
-        permissionService.getUsersWithPermissionOn(Permission.ManageDatasetPermissions, dataset).stream().forEach((au) -> {
-            userNotificationService.sendNotification(au, new Timestamp(new Date().getTime()), UserNotification.Type.REQUESTFILEACCESS, fileId, null, requestor, false);
+    public void sendRequestFileAccessNotification(DataFile datafile, AuthenticatedUser requestor) {
+        permissionService.getUsersWithPermissionOn(Permission.ManageFilePermissions, datafile).stream().forEach((au) -> {
+            userNotificationService.sendNotification(au, new Timestamp(new Date().getTime()), UserNotification.Type.REQUESTFILEACCESS, datafile.getId(), null, requestor, false);
         });
 
     } 

diff --git a/src/main/java/edu/harvard/iq/dataverse/ManageFilePermissionsPage.java b/src/main/java/edu/harvard/iq/dataverse/ManageFilePermissionsPage.java
@@ -136,7 +136,7 @@ public String init() {
             return permissionsWrapper.notFound();
         }
 
-        if (!permissionService.on(dataset).has(Permission.ManageDatasetPermissions)) {
+        if (!permissionService.on(dataset).has(Permission.ManageFilePermissions)) {
             return permissionsWrapper.notAuthorized();
         }
         initMaps();

diff --git a/src/main/java/edu/harvard/iq/dataverse/PermissionsWrapper.java b/src/main/java/edu/harvard/iq/dataverse/PermissionsWrapper.java
@@ -142,7 +142,9 @@ public boolean canUpdateDataset(DataverseRequest dr, Dataset dataset) {
         return doesSessionUserHaveDataSetPermission(dr, dataset, Permission.EditDataset);
     }
 
-
+    public boolean canManageFilesOnDataset(Dataset dataset) {
+        return doesSessionUserHaveDataSetPermission(dvRequestService.getDataverseRequest(), dataset, Permission.ManageFilePermissions);
+    }
 
     /**
      * (Using Raman's implementation in DatasetPage - moving it here, so that 

diff --git a/src/main/java/edu/harvard/iq/dataverse/api/Access.java b/src/main/java/edu/harvard/iq/dataverse/api/Access.java
@@ -121,6 +121,7 @@
 import javax.ws.rs.RedirectionException;
 import javax.ws.rs.core.MediaType;
 import static javax.ws.rs.core.Response.Status.FORBIDDEN;
+import static javax.ws.rs.core.Response.Status.UNAUTHORIZED;
 import org.glassfish.jersey.media.multipart.FormDataParam;
 
 /*
@@ -1367,21 +1368,20 @@ public Response listFileAccessRequests(@PathParam("id") String fileToRequestAcce
         }
 
         try {
-            dataverseRequest = createDataverseRequest(findUserOrDie());
+            dataverseRequest = createDataverseRequest(findAuthenticatedUserOrDie());
         } catch (WrappedResponse wr) {
             List<String> args = Arrays.asList(wr.getLocalizedMessage());
-            return error(BAD_REQUEST, BundleUtil.getStringFromBundle("access.api.fileAccess.failure.noUser", args));
+            return error(UNAUTHORIZED, BundleUtil.getStringFromBundle("access.api.fileAccess.failure.noUser", args));
         }
-
-        if (!(dataverseRequest.getAuthenticatedUser().isSuperuser() || permissionService.requestOn(dataverseRequest, dataFile.getOwner()).has(Permission.ManageDatasetPermissions))) {
-            return error(BAD_REQUEST, BundleUtil.getStringFromBundle("access.api.rejectAccess.failure.noPermissions"));
+        if (!(dataverseRequest.getAuthenticatedUser().isSuperuser() || permissionService.requestOn(dataverseRequest, dataFile).has(Permission.ManageFilePermissions))) {
+            return error(FORBIDDEN, BundleUtil.getStringFromBundle("access.api.rejectAccess.failure.noPermissions"));
         }
 
         List<AuthenticatedUser> requesters = dataFile.getFileAccessRequesters();
 
         if (requesters == null || requesters.isEmpty()) {
             List<String> args = Arrays.asList(dataFile.getDisplayName());
-            return error(BAD_REQUEST, BundleUtil.getStringFromBundle("access.api.requestList.noRequestsFound"));
+            return error(BAD_REQUEST, BundleUtil.getStringFromBundle("access.api.requestList.noRequestsFound", args));
         }
 
         JsonArrayBuilder userArray = Json.createArrayBuilder();
@@ -1567,7 +1567,7 @@ public Response rejectFileAccess(@PathParam("id") String fileToRequestAccessId,
             return error(BAD_REQUEST, BundleUtil.getStringFromBundle("access.api.fileAccess.failure.noUser", args));
         }
 
-        if (!(dataverseRequest.getAuthenticatedUser().isSuperuser() || permissionService.requestOn(dataverseRequest, dataFile.getOwner()).has(Permission.ManageDatasetPermissions))) {
+        if (!(dataverseRequest.getAuthenticatedUser().isSuperuser() || permissionService.requestOn(dataverseRequest, dataFile).has(Permission.ManageFilePermissions))) {
             return error(BAD_REQUEST, BundleUtil.getStringFromBundle("access.api.rejectAccess.failure.noPermissions"));
         }
 

diff --git a/src/main/java/edu/harvard/iq/dataverse/authorization/Permission.java b/src/main/java/edu/harvard/iq/dataverse/authorization/Permission.java
@@ -46,11 +46,13 @@ public enum Permission implements java.io.Serializable {
     EditDataset(BundleUtil.getStringFromBundle("permission.editDataset"), true, Dataset.class),
     ManageDataversePermissions(BundleUtil.getStringFromBundle("permission.managePermissionsDataverse"), true, Dataverse.class),
     ManageDatasetPermissions(BundleUtil.getStringFromBundle("permission.managePermissionsDataset"), true, Dataset.class),
+    ManageFilePermissions(BundleUtil.getStringFromBundle("permission.managePermissionsDataFile"), true, DataFile.class),
     PublishDataverse(BundleUtil.getStringFromBundle("permission.publishDataverse"), true, Dataverse.class),
     PublishDataset(BundleUtil.getStringFromBundle("permission.publishDataset"), true, Dataset.class, Dataverse.class),
     // Delete
     DeleteDataverse(BundleUtil.getStringFromBundle("permission.deleteDataverse"), true, Dataverse.class),
     DeleteDatasetDraft(BundleUtil.getStringFromBundle("permission.deleteDataset"), true, Dataset.class);
+
 
     // FUTURE:
     //RestrictMetadata("Mark metadata as restricted", DvObject.class),

diff --git a/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/AssignRoleCommand.java b/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/AssignRoleCommand.java
@@ -32,6 +32,7 @@ public class AssignRoleCommand extends AbstractCommand<RoleAssignment> {
 
     private final DataverseRole role;
     private final RoleAssignee grantee;
+    //Kept for convenience -could get this as the only DVObject AbstractCommand<>.getAffectedDvObjects() instead of having a local defPoint
     private final DvObject defPoint;
     private final String privateUrlToken;
     private boolean anonymizedAccess;
@@ -45,7 +46,7 @@ public class AssignRoleCommand extends AbstractCommand<RoleAssignment> {
      */
     public AssignRoleCommand(RoleAssignee anAssignee, DataverseRole aRole, DvObject assignmentPoint, DataverseRequest aRequest, String privateUrlToken) {
         // for data file check permission on owning dataset
-        super(aRequest, assignmentPoint instanceof DataFile ? assignmentPoint.getOwner() : assignmentPoint);
+        super(aRequest, assignmentPoint);
         role = aRole;
         grantee = anAssignee;
         defPoint = assignmentPoint;
@@ -76,7 +77,7 @@ public Map<String, Set<Permission>> getRequiredPermissions() {
         // for data file check permission on owning dataset
         return Collections.singletonMap("",
                 defPoint instanceof Dataverse ? Collections.singleton(Permission.ManageDataversePermissions)
-                : Collections.singleton(Permission.ManageDatasetPermissions));
+                : defPoint instanceof Dataset ? Collections.singleton(Permission.ManageDatasetPermissions) : Collections.singleton(Permission.ManageFilePermissions));
     }
 
     @Override

diff --git a/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/RequestAccessCommand.java b/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/RequestAccessCommand.java
@@ -61,7 +61,7 @@ public DataFile execute(CommandContext ctxt) throws CommandException {
         }
         file.getFileAccessRequesters().add(requester);
         if (sendNotification) {
-            ctxt.fileDownload().sendRequestFileAccessNotification(this.file.getOwner(), this.file.getId(), requester);
+            ctxt.fileDownload().sendRequestFileAccessNotification(this.file, requester);
         }
         return ctxt.files().save(file);
     }

diff --git a/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/RevokeRoleCommand.java b/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/RevokeRoleCommand.java
@@ -1,6 +1,6 @@
 package edu.harvard.iq.dataverse.engine.command.impl;
 
-import edu.harvard.iq.dataverse.DataFile;
+import edu.harvard.iq.dataverse.Dataset;
 import edu.harvard.iq.dataverse.Dataverse;
 import edu.harvard.iq.dataverse.DvObject;
 import edu.harvard.iq.dataverse.RoleAssignment;
@@ -23,8 +23,7 @@ public class RevokeRoleCommand extends AbstractVoidCommand {
 	private final RoleAssignment toBeRevoked;
 
 	public RevokeRoleCommand(RoleAssignment toBeRevoked, DataverseRequest aRequest) {
-        // for data file check permission on owning dataset
-        super(aRequest, toBeRevoked.getDefinitionPoint() instanceof DataFile ? toBeRevoked.getDefinitionPoint().getOwner() : toBeRevoked.getDefinitionPoint());
+        super(aRequest, toBeRevoked.getDefinitionPoint());
 		this.toBeRevoked = toBeRevoked;
 	}
 
@@ -35,10 +34,10 @@ protected void executeImpl(CommandContext ctxt) throws CommandException {
 
     @Override
     public Map<String, Set<Permission>> getRequiredPermissions() {
-        // for data file check permission on owning dataset
+        DvObject defPoint = toBeRevoked.getDefinitionPoint();
         return Collections.singletonMap("",
-                toBeRevoked.getDefinitionPoint() instanceof Dataverse ? Collections.singleton(Permission.ManageDataversePermissions)
-                : Collections.singleton(Permission.ManageDatasetPermissions));
+                defPoint instanceof Dataverse ? Collections.singleton(Permission.ManageDataversePermissions)
+                : defPoint instanceof Dataset ? Collections.singleton(Permission.ManageDatasetPermissions): Collections.singleton(Permission.ManageFilePermissions));
     }
 
     @Override public String describe() { 

diff --git a/src/main/java/propertyFiles/Bundle.properties b/src/main/java/propertyFiles/Bundle.properties
@@ -2208,6 +2208,7 @@ permission.deleteDataset=Delete a dataset draft
 permission.deleteDataverse=Delete an unpublished dataverse
 permission.publishDataset=Publish a dataset
 permission.publishDataverse=Publish a dataverse
+permission.managePermissionsDataFile=Manage permissions for a file
 permission.managePermissionsDataset=Manage permissions for a dataset
 permission.managePermissionsDataverse=Manage permissions for a dataverse
 permission.editDataset=Edit a dataset's metadata
@@ -2499,7 +2500,7 @@ access.api.revokeAccess.noRoleFound=No File Downloader role found for user {0}
 access.api.revokeAccess.success.for.single.file=File Downloader access has been revoked for user {0} on file {1}
 access.api.requestList.fileNotFound=Could not find datafile with id {0}.
 access.api.requestList.noKey=You must provide a key to get list of access requests for a file. 
-access.api.requestList.noRequestsFound=There are no access requests for this file {0}.
+access.api.requestList.noRequestsFound=There are no access requests for this file: {0}.
 access.api.exception.metadata.not.available.for.nontabular.file=This type of metadata is only available for tabular files.
 access.api.exception.metadata.restricted.no.permission=You do not have permission to download this file.
 access.api.exception.version.not.found=Could not find requested dataset version.
@@ -2519,12 +2520,14 @@ permission.PublishDataverse.label=PublishDataverse
 permission.PublishDataset.label=PublishDataset
 permission.DeleteDataverse.label=DeleteDataverse
 permission.DeleteDatasetDraft.label=DeleteDatasetDraft
+permission.ManageFilePermissions.label=ManageFilePermissions
 
 permission.AddDataverse.desc=Add a dataverse within another dataverse
 permission.DeleteDatasetDraft.desc=Delete a dataset draft
 permission.DeleteDataverse.desc=Delete an unpublished dataverse
 permission.PublishDataset.desc=Publish a dataset
 permission.PublishDataverse.desc=Publish a dataverse
+permission.ManageFilePermissions.desc=Manage permissions for a file
 permission.ManageDatasetPermissions.desc=Manage permissions for a dataset
 permission.ManageDataversePermissions.desc=Manage permissions for a dataverse
 permission.EditDataset.desc=Edit a dataset's metadata

diff --git a/src/main/resources/db/migration/V5.8.0.1__8109-add-manage-files-permission.sql b/src/main/resources/db/migration/V5.8.0.1__8109-add-manage-files-permission.sql
@@ -0,0 +1,25 @@
+/* We're adding a new permission at bit 10 (512 ManageFilePermissions) that should be set for any role that has the permission
+ in bit 9 (256 ManageDatasetPermissions).
+That means that any roles with current bits 10-13 (512+1024+2048+4096 = 7680) needs to have the corresponding bits 11-14 set 
+after the update, which can be accomplished by adding permissionbits & 7680 to the original value. (So a role with just bit 10 
+set (512) would have 512&7680 (=512) added to it and become bit 11 (1024). The same logic also shifts any values in bits 11-13 
+into bits 12-14.
+
+In addition, any role wite permission for bit 9 set now should also have bit 10 set after the update 
+(any current role with ManageDatasetPermissions gets ManageDatasetPermissions and ManageFilePermissions after the update).
+To do this we just add an addition bit 10 (512) if permissionbits&256!=0
+
+Finally, to make this idempotent, at least under the assumption that the standard admin role with all permissions 
+(or some role with current permission bit 13 set), we check to make sure no role has bit 14+ set - max(permissionsbits) <8192. 
+With the IF statement, running this script more than once will only cause an update on the first pass.
+
+*/
+DO
+$do$
+BEGIN
+   IF (SELECT MAX(permissionbits) FROM dataverserole) < 8192 THEN
+     UPDATE dataverserole SET permissionbits=permissionbits + (permissionbits & 7680)  WHERE (permissionbits & 256 =0);
+     UPDATE dataverserole SET permissionbits=permissionbits + (permissionbits & 7680) +512 WHERE (permissionbits & 256 !=0);
+   END IF;
+END
+$do$;
diff --git a/src/main/webapp/dataset.xhtml b/src/main/webapp/dataset.xhtml
@@ -384,18 +384,18 @@
                                                                 <h:outputText value="#{bundle['dataset.editBtn.itemLabel.terms']}" />
                                                             </p:commandLink>
                                                         </li>
-                                                        <ui:fragment rendered="#{permissionsWrapper.canManagePermissions(DatasetPage.dataset)}">
+                                                        <ui:fragment rendered="#{permissionsWrapper.canManagePermissions(DatasetPage.dataset) || permissionsWrapper.canManageFilesOnDataset(DatasetPage.dataset)}">
                                                             <li class="#{settingsWrapper.publicInstall ? '' : 'dropdown-submenu pull-left'}">
                                                                 <ui:fragment rendered="#{!settingsWrapper.publicInstall}">
                                                                     <a tabindex="-1" href="#">#{bundle['dataset.editBtn.itemLabel.permissions']}</a>
                                                                     <ul class="dropdown-menu">
-                                                                        <li>
+                                                                        <li jsf:rendered="#{permissionsWrapper.canManagePermissions(DatasetPage.dataset)}">
                                                                             <h:link id="manageDatasetPermissions" styleClass="ui-commandlink ui-widget" outcome="permissions-manage">
                                                                                 <h:outputText value="#{bundle['dataset']}" />
                                                                                 <f:param name="id" value="#{DatasetPage.dataset.id}" />
                                                                             </h:link>
                                                                         </li>
-                                                                        <li>
+                                                                        <li jsf:rendered="#{permissionsWrapper.canManageFilesOnDataset(DatasetPage.dataset)}">
                                                                             <h:link id="manageFilePermissions" styleClass="ui-commandlink ui-widget" outcome="permissions-manage-files">
                                                                                 <h:outputText value="#{bundle['file']}" />
                                                                                 <f:param name="id" value="#{DatasetPage.dataset.id}" />
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		## New ManageFilePermissions Permission

		Dataverse can now support a use case in which a Admin or Curator would like to delegate the ability to grant access to restricted files to other users. This can be implemented by creating a custom role (e.g. DownloadApprover) that has the new ManageFilePermissions permission. This release introduces the new permission ( and adjusts the existing standard Admin and Curator roles so they continue to have the ability to grant file download requrests).