diff --git a/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/server/QueryServer.java b/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/server/QueryServer.java
index 314473982b5d72bbd5904d1a1bc7d95f6191957e..200854199cc9ef3a327280068866d150cb964921 100644
--- a/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/server/QueryServer.java
+++ b/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/server/QueryServer.java
@@ -39,9 +39,13 @@ import ch.systemsx.cisd.openbis.generic.server.dataaccess.IDAOFactory;
import ch.systemsx.cisd.openbis.generic.server.dataaccess.IQueryDAO;
import ch.systemsx.cisd.openbis.generic.server.plugin.IDataSetTypeSlaveServerPlugin;
import ch.systemsx.cisd.openbis.generic.server.plugin.ISampleTypeSlaveServerPlugin;
+import ch.systemsx.cisd.openbis.generic.shared.authorization.annotation.ReturnValueFilter;
+import ch.systemsx.cisd.openbis.generic.shared.authorization.annotation.RolesAllowed;
+import ch.systemsx.cisd.openbis.generic.shared.authorization.validator.ExpressionValidator;
import ch.systemsx.cisd.openbis.generic.shared.basic.TechId;
import ch.systemsx.cisd.openbis.generic.shared.basic.dto.BasicEntityType;
import ch.systemsx.cisd.openbis.generic.shared.basic.dto.QueryType;
+import ch.systemsx.cisd.openbis.generic.shared.basic.dto.RoleWithHierarchy;
import ch.systemsx.cisd.openbis.generic.shared.basic.dto.TableModel;
import ch.systemsx.cisd.openbis.generic.shared.dto.QueryPE;
import ch.systemsx.cisd.openbis.generic.shared.dto.Session;
@@ -97,6 +101,7 @@ public class QueryServer extends AbstractServer<IQueryServer> implements IQueryS
}
@Override
+ @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
public int initDatabases(String sessionToken)
{
checkSession(sessionToken);
@@ -105,6 +110,7 @@ public class QueryServer extends AbstractServer<IQueryServer> implements IQueryS
}
@Override
+ @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
public List<QueryDatabase> listQueryDatabases(String sessionToken)
{
checkSession(sessionToken);
@@ -119,6 +125,8 @@ public class QueryServer extends AbstractServer<IQueryServer> implements IQueryS
}
@Override
+ @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+ @ReturnValueFilter(validatorClass = ExpressionValidator.class)
public List<QueryExpression> listQueries(String sessionToken, QueryType queryType,
BasicEntityType entityTypeOrNull)
{
@@ -154,6 +162,7 @@ public class QueryServer extends AbstractServer<IQueryServer> implements IQueryS
}
@Override
+ @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
public void registerQuery(String sessionToken, NewQuery expression)
{
Session session = getSession(sessionToken);
@@ -180,14 +189,15 @@ public class QueryServer extends AbstractServer<IQueryServer> implements IQueryS
}
@Override
- public void deleteQueries(String sessionToken, List<TechId> filterIds)
+ @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+ public void deleteQueries(String sessionToken, List<TechId> queryIds)
{
Session session = getSession(sessionToken);
IQueryDAO queryDAO = getDAOFactory().getQueryDAO();
try
{
- for (TechId techId : filterIds)
+ for (TechId techId : queryIds)
{
QueryPE query = queryDAO.getByTechId(techId);
QueryAccessController.checkWriteAccess(session, query.getQueryDatabaseKey(),
@@ -201,6 +211,7 @@ public class QueryServer extends AbstractServer<IQueryServer> implements IQueryS
}
@Override
+ @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
public void updateQuery(String sessionToken, IQueryUpdates updates)
{
Session session = getSession(sessionToken);
@@ -229,6 +240,7 @@ public class QueryServer extends AbstractServer<IQueryServer> implements IQueryS
}
@Override
+ @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
public TableModel queryDatabase(String sessionToken, QueryDatabase database, String sqlQuery,
QueryParameterBindings bindings, boolean onlyPerform)
{
@@ -252,6 +264,7 @@ public class QueryServer extends AbstractServer<IQueryServer> implements IQueryS
}
@Override
+ @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
public TableModel queryDatabase(String sessionToken, TechId queryId,
QueryParameterBindings bindings)
{
diff --git a/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/shared/IQueryServer.java b/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/shared/IQueryServer.java
index 824b08e5e7275260cce2269da4ef1f60b24f3186..cac3d86f8a23250019f24f85c4940635c9ba764f 100644
--- a/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/shared/IQueryServer.java
+++ b/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/shared/IQueryServer.java
@@ -23,14 +23,10 @@ import org.springframework.transaction.annotation.Transactional;
import ch.systemsx.cisd.openbis.generic.shared.DatabaseCreateOrDeleteModification;
import ch.systemsx.cisd.openbis.generic.shared.DatabaseUpdateModification;
import ch.systemsx.cisd.openbis.generic.shared.IServer;
-import ch.systemsx.cisd.openbis.generic.shared.authorization.annotation.ReturnValueFilter;
-import ch.systemsx.cisd.openbis.generic.shared.authorization.annotation.RolesAllowed;
-import ch.systemsx.cisd.openbis.generic.shared.authorization.validator.ExpressionValidator;
import ch.systemsx.cisd.openbis.generic.shared.basic.TechId;
import ch.systemsx.cisd.openbis.generic.shared.basic.dto.BasicEntityType;
import ch.systemsx.cisd.openbis.generic.shared.basic.dto.DatabaseModificationKind.ObjectKind;
import ch.systemsx.cisd.openbis.generic.shared.basic.dto.QueryType;
-import ch.systemsx.cisd.openbis.generic.shared.basic.dto.RoleWithHierarchy;
import ch.systemsx.cisd.openbis.generic.shared.basic.dto.TableModel;
import ch.systemsx.cisd.openbis.plugin.query.shared.authorization.QueryAccessController;
import ch.systemsx.cisd.openbis.plugin.query.shared.basic.dto.IQueryUpdates;
@@ -47,41 +43,32 @@ public interface IQueryServer extends IServer
{
@Transactional(readOnly = true)
- @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
public int initDatabases(String sessionToken);
@Transactional(readOnly = true)
- @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
public List<QueryDatabase> listQueryDatabases(String sessionToken);
@Transactional(readOnly = true)
- @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
public TableModel queryDatabase(String sessionToken, QueryDatabase database, String sqlQuery,
QueryParameterBindings bindings, boolean onlyPerform);
@Transactional(readOnly = true)
- @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
public TableModel queryDatabase(String sessionToken, TechId queryId,
QueryParameterBindings bindings);
@Transactional(readOnly = true)
- @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
- @ReturnValueFilter(validatorClass = ExpressionValidator.class)
public List<QueryExpression> listQueries(String sessionToken, QueryType queryType,
BasicEntityType entityTypeOrNull);
@Transactional
- @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
@DatabaseCreateOrDeleteModification(value = ObjectKind.QUERY)
public void registerQuery(String sessionToken, NewQuery expression);
@Transactional
- @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
@DatabaseCreateOrDeleteModification(value = ObjectKind.QUERY)
public void deleteQueries(String sessionToken, List<TechId> queryIds);
@Transactional
- @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
@DatabaseUpdateModification(value = ObjectKind.QUERY)
public void updateQuery(String sessionToken, IQueryUpdates updates);
}
diff --git a/openbis/sourceTest/java/ch/systemsx/cisd/openbis/generic/shared/RegressionTestCase.java b/openbis/sourceTest/java/ch/systemsx/cisd/openbis/generic/shared/RegressionTestCase.java
index e60cf495c7f03ee9d331bd1fafddf259773115d7..51000f75616f73deb7505cc4e3052a0ddc0a8e1f 100644
--- a/openbis/sourceTest/java/ch/systemsx/cisd/openbis/generic/shared/RegressionTestCase.java
+++ b/openbis/sourceTest/java/ch/systemsx/cisd/openbis/generic/shared/RegressionTestCase.java
@@ -51,6 +51,14 @@ public class RegressionTestCase extends AssertJUnit
mandatoryAnnotations.add(RolesAllowed.class);
mandatoryAnnotations.add(Transactional.class);
+ assertMandatoryMethodAnnotations(mandatoryAnnotations, interfaceClass, implementingClass,
+ exceptions);
+ }
+
+ protected void assertMandatoryMethodAnnotations(
+ List<Class<? extends Annotation>> mandatoryAnnotations, Class<?> interfaceClass,
+ Class<?> implementingClass, String exceptions)
+ {
final String noMissingAnnotationsMsg =
"Annotation checking for interface " + interfaceClass.getName()
+ " and implementing class " + implementingClass.getName()
diff --git a/openbis/sourceTest/java/ch/systemsx/cisd/openbis/plugin/query/shared/ServerInterfaceRegressionTest.java b/openbis/sourceTest/java/ch/systemsx/cisd/openbis/plugin/query/server/ServerInterfaceRegressionTest.java
similarity index 81%
rename from openbis/sourceTest/java/ch/systemsx/cisd/openbis/plugin/query/shared/ServerInterfaceRegressionTest.java
rename to openbis/sourceTest/java/ch/systemsx/cisd/openbis/plugin/query/server/ServerInterfaceRegressionTest.java
index b132d70f3875ff83163ebd8607a9e23b502394f5..e248cfd7e76194af5449cc59fd850a3c17920a25 100644
--- a/openbis/sourceTest/java/ch/systemsx/cisd/openbis/plugin/query/shared/ServerInterfaceRegressionTest.java
+++ b/openbis/sourceTest/java/ch/systemsx/cisd/openbis/plugin/query/server/ServerInterfaceRegressionTest.java
@@ -14,11 +14,12 @@
* limitations under the License.
*/
-package ch.systemsx.cisd.openbis.plugin.query.shared;
+package ch.systemsx.cisd.openbis.plugin.query.server;
import org.testng.annotations.Test;
import ch.systemsx.cisd.openbis.generic.shared.RegressionTestCase;
+import ch.systemsx.cisd.openbis.plugin.query.shared.IQueryServer;
/**
* @author Piotr Buczek
@@ -28,6 +29,6 @@ public class ServerInterfaceRegressionTest extends RegressionTestCase
@Test
public void testIQueryServer()
{
- assertMandatoryMethodAnnotations(IQueryServer.class);
+ assertMandatoryMethodAnnotations(IQueryServer.class, QueryServer.class);
}
}
diff --git a/openbis/sourceTest/java/ch/systemsx/cisd/openbis/systemtest/authorization/QueryServerAuthorizationTest.java b/openbis/sourceTest/java/ch/systemsx/cisd/openbis/systemtest/authorization/QueryServerAuthorizationTest.java
new file mode 100644
index 0000000000000000000000000000000000000000..fa06b93f34fc25b53c9513da52fc78f07860472d
--- /dev/null
+++ b/openbis/sourceTest/java/ch/systemsx/cisd/openbis/systemtest/authorization/QueryServerAuthorizationTest.java
@@ -0,0 +1,53 @@
+/*
+ * Copyright 2012 ETH Zuerich, CISD
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package ch.systemsx.cisd.openbis.systemtest.authorization;
+
+import static org.testng.AssertJUnit.assertEquals;
+
+import org.testng.annotations.Test;
+
+import ch.systemsx.cisd.common.exceptions.AuthorizationFailureException;
+import ch.systemsx.cisd.openbis.generic.shared.basic.dto.QueryType;
+import ch.systemsx.cisd.openbis.generic.shared.basic.dto.RoleWithHierarchy;
+import ch.systemsx.cisd.openbis.generic.shared.basic.dto.Space;
+import ch.systemsx.cisd.openbis.plugin.query.shared.basic.dto.NewQuery;
+import ch.systemsx.cisd.openbis.plugin.query.shared.basic.dto.QueryDatabase;
+import ch.systemsx.cisd.openbis.systemtest.base.BaseTest;
+
+/**
+ * @author Franz-Josef Elmer
+ */
+public class QueryServerAuthorizationTest extends BaseTest
+{
+ @Test(expectedExceptions = AuthorizationFailureException.class)
+ public void testRegisterQueryByUnauthorizedUser()
+ {
+ Space space = create(aSpace());
+ String sessionToken =
+ create(aSession().withSpaceRole(RoleWithHierarchy.SPACE_OBSERVER, space));
+ int databases = queryServer.initDatabases(sessionToken);
+ assertEquals(1, databases);
+ QueryDatabase database = queryServer.listQueryDatabases(sessionToken).get(0);
+ NewQuery query = new NewQuery();
+ query.setExpression("select * from sample_types order by code");
+ query.setName("List sample types");
+ query.setQueryType(QueryType.GENERIC);
+ query.setQueryDatabase(database);
+
+ queryServer.registerQuery(sessionToken, query);
+ }
+}