diff --git a/openbis/source/java/ch/ethz/sis/openbis/generic/server/asapi/v3/executor/dataset/DataSetAuthorizationExecutor.java b/openbis/source/java/ch/ethz/sis/openbis/generic/server/asapi/v3/executor/dataset/DataSetAuthorizationExecutor.java index 416d01f30cf8940052687567c75d5c3cb1f7eaf2..919d375111e63a58c921f58c3781dd70e9ffd054 100644 --- a/openbis/source/java/ch/ethz/sis/openbis/generic/server/asapi/v3/executor/dataset/DataSetAuthorizationExecutor.java +++ b/openbis/source/java/ch/ethz/sis/openbis/generic/server/asapi/v3/executor/dataset/DataSetAuthorizationExecutor.java @@ -45,6 +45,7 @@ public class DataSetAuthorizationExecutor implements IDataSetAuthorizationExecut { @Override + @RolesAllowed({ RoleWithHierarchy.SPACE_USER, RoleWithHierarchy.SPACE_ETL_SERVER }) @Capability("CREATE_DATASET") @DatabaseCreateOrDeleteModification(value = ObjectKind.DATA_SET) public void canCreate(IOperationContext context) @@ -82,7 +83,10 @@ public class DataSetAuthorizationExecutor implements IDataSetAuthorizationExecut } @Override - public void canCreate(IOperationContext context, DataPE dataSet) + @RolesAllowed({ RoleWithHierarchy.SPACE_USER, RoleWithHierarchy.SPACE_ETL_SERVER }) + @Capability("CREATE_DATASET") + @DatabaseCreateOrDeleteModification(value = ObjectKind.DATA_SET) + public void canCreate(IOperationContext context, @AuthorizationGuard(guardClass = DataPEPredicate.class) DataPE dataSet) { if (false == new DataSetPEByExperimentOrSampleIdentifierValidator().doValidation(dataSet.getRegistrator(), dataSet)) { diff --git a/openbis/sourceTest/java/ch/ethz/sis/openbis/systemtest/asapi/v3/CreateDataSetTest.java b/openbis/sourceTest/java/ch/ethz/sis/openbis/systemtest/asapi/v3/CreateDataSetTest.java index 70c29c7435d81cad13cc8eb2ec20e52587fa5f5d..034d376539db00c50481744c5429c44128aa6279 100644 --- a/openbis/sourceTest/java/ch/ethz/sis/openbis/systemtest/asapi/v3/CreateDataSetTest.java 
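Review bot: The `@RolesAllowed` list added on `canCreate(IOperationContext context)` admits `RoleWithHierarchy.SPACE_USER`, but nothing in this hunk says where the stricter rule quoted by the old test message in CreateDataSetTest ("a system user or a user with at least SPACE_ETL_SERVER role") is still enforced. This overload takes no guarded argument, so the annotations are the only authorization visible here, and a reader cannot tell whether the role list is a deliberate widening or a coarse pre-check. I would add a comment above it, e.g. `// Coarse role gate; the ETL-server/system-user restriction is enforced in <ENFORCING_CLASS_PLACEHOLDER>`, and note there that the same three annotations are repeated on the `canCreate(context, dataSet)` overload in the next hunk and must change together. The method body is outside the hunk.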
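Review bot: On `canCreate(IOperationContext context, DataPE dataSet)` the new `@AuthorizationGuard(guardClass = DataPEPredicate.class)` and the retained `doValidation(dataSet.getRegistrator(), dataSet)` call appear to authorize different principals: the validator is handed the registrator stored on the data set, while the guard presumably evaluates the session carried by `context`. If those two can differ (the new tests log in with `loginAs`), a short comment stating which user each check covers and why both are kept would stop a later cleanup from removing one as redundant. The annotations also only take effect when the call passes through whatever interceptor evaluates them, which this diff does not show, so it is worth confirming that no caller reaches this method on a non-intercepted instance. The method body continues outside the hunk.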
+++ b/openbis/sourceTest/java/ch/ethz/sis/openbis/systemtest/asapi/v3/CreateDataSetTest.java 
@@ -79,36 +79,67 @@ import ch.systemsx.cisd.openbis.generic.shared.basic.dto.NewETPTAssignment; public class CreateDataSetTest extends AbstractDataSetTest { @Test - public void testCreateDSWithAdminUserInAnotherSpace() + public void testCreateDSWithAdminUserInBehalfOfASpaceObserver() { final DataSetPermId permId = new DataSetPermId("NO_SHALL_CREATE"); - + assertUserFailureException(new IDelegatedAction() + { + @Override + public void execute() { - @Override - public void execute() - { - String sessionToken = v3api.login(TEST_ROLE_V3, PASSWORD); - - PhysicalDataCreation physicalCreation = new PhysicalDataCreation(); - physicalCreation.setLocation("test/location/" + permId.getPermId()); - physicalCreation.setFileFormatTypeId(new FileFormatTypePermId("TIFF")); - physicalCreation.setLocatorTypeId(new RelativeLocationLocatorTypePermId()); - physicalCreation.setStorageFormatId(new ProprietaryStorageFormatPermId()); - - DataSetCreation creation = new DataSetCreation(); - creation.setCode(permId.getPermId()); - creation.setTypeId(new EntityTypePermId("UNKNOWN")); - creation.setExperimentId(new ExperimentIdentifier("/TEST-SPACE/TEST-PROJECT/EXP_SPACE_TEST")); - creation.setDataStoreId(new DataStorePermId("STANDARD")); - creation.setPhysicalData(physicalCreation); - creation.setCreationId(new CreationId(permId.getPermId())); - - v3api.createDataSets(sessionToken, Collections.singletonList(creation)); - } - }, "Data set creation can be only executed by a system user or a user with at least SPACE_ETL_SERVER role"); - } - + String sessionToken = v3api.loginAs(TEST_USER, PASSWORD, TEST_OBSERVER_CISD); + + PhysicalDataCreation physicalCreation = new PhysicalDataCreation(); + physicalCreation.setLocation("test/location/" + permId.getPermId()); + physicalCreation.setFileFormatTypeId(new FileFormatTypePermId("TIFF")); + physicalCreation.setLocatorTypeId(new RelativeLocationLocatorTypePermId()); + physicalCreation.setStorageFormatId(new ProprietaryStorageFormatPermId()); + + 
DataSetCreation creation = new DataSetCreation(); + creation.setCode(permId.getPermId()); + creation.setTypeId(new EntityTypePermId("UNKNOWN")); + creation.setDataStoreId(new DataStorePermId("STANDARD")); + creation.setExperimentId(new ExperimentIdentifier("/CISD/NEMO/EXP1")); + creation.setPhysicalData(physicalCreation); + creation.setCreationId(new CreationId(permId.getPermId())); + + v3api.createDataSets(sessionToken, Collections.singletonList(creation)); + } + }, "Access denied to object with DataSetPermId = [NO_SHALL_CREATE]"); + } + + @Test + public void testCreateDSForSampleWithAdminUserInBehalfOfASpaceObserver() + { + final DataSetPermId permId = new DataSetPermId("NO_SHALL_CREATE"); + + assertUserFailureException(new IDelegatedAction() + { + @Override + public void execute() + { + String sessionToken = v3api.loginAs(TEST_USER, PASSWORD, TEST_OBSERVER_CISD); + + PhysicalDataCreation physicalCreation = new PhysicalDataCreation(); + physicalCreation.setLocation("test/location/" + permId.getPermId()); + physicalCreation.setFileFormatTypeId(new FileFormatTypePermId("TIFF")); + physicalCreation.setLocatorTypeId(new RelativeLocationLocatorTypePermId()); + physicalCreation.setStorageFormatId(new ProprietaryStorageFormatPermId()); + + DataSetCreation creation = new DataSetCreation(); + creation.setCode(permId.getPermId()); + creation.setTypeId(new EntityTypePermId("UNKNOWN")); + creation.setSampleId(new SampleIdentifier("/CISD/C1")); + creation.setDataStoreId(new DataStorePermId("STANDARD")); + creation.setPhysicalData(physicalCreation); + creation.setCreationId(new CreationId(permId.getPermId())); + + v3api.createDataSets(sessionToken, Collections.singletonList(creation)); + } + }, "Access denied to object with DataSetPermId = [NO_SHALL_CREATE]"); + } + @Test public void testArchiveWithAdminUserInAnotherSpace() { 
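Review bot: Replacing `testCreateDSWithAdminUserInAnotherSpace` drops the only case in this hunk where a user with a role in one space tries to create a data set in another (`TEST_ROLE_V3` against `/TEST-SPACE/TEST-PROJECT/EXP_SPACE_TEST`); both new tests run as `TEST_USER` on behalf of `TEST_OBSERVER_CISD` inside `/CISD`. Unless that cross-space denial is covered elsewhere in the suite, I would keep the old test next to the new ones with its expected message updated. Both new tests assert only the exception text, so they would not notice a data set that was persisted before the denial; a lookup of `NO_SHALL_CREATE` after the failed call would pin that. The two bodies differ only in `setExperimentId` versus `setSampleId` and could share one helper that takes the configured `DataSetCreation`.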
@@ -1014,7 +1045,7 @@ public class CreateDataSetTest extends AbstractDataSetTest @Test public void testCreateWithUserNonEtlServer() { - final String sessionToken = v3api.login(TEST_SPACE_USER, PASSWORD); + final String sessionToken = v3api.login(TEST_POWER_USER_CISD, PASSWORD); assertUserFailureException(new IDelegatedAction() {
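Review bot: The switch from `TEST_SPACE_USER` to `TEST_POWER_USER_CISD` in `testCreateWithUserNonEtlServer` is unexplained, and it leaves the `SPACE_USER` role that the new `@RolesAllowed` list names without a visible test in this diff. If the intent is to pick a principal that has access to the target space but is not an ETL server, a comment such as `// power user in CISD: has space access, is not an ETL server` above the login would record that. The expected message and the rest of the test are outside the hunk, so whether a plain space user is now allowed or still denied cannot be read from here.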