SSDM-5299 : Project Authorization - modify @RolesAllowed annotations at experiment related methods

SVN: 38502

openbis/source/java/ch/systemsx/cisd/openbis/generic/server/authorization/project/provider/project/ProjectProviderFromExperimentPermId.java

+/*
+ * Copyright 2017 ETH Zuerich, CISD
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package ch.systemsx.cisd.openbis.generic.server.authorization.project.provider.project;
+
+import ch.systemsx.cisd.openbis.generic.server.authorization.IAuthorizationDataProvider;
+import ch.systemsx.cisd.openbis.generic.server.authorization.project.data.project.IProject;
+import ch.systemsx.cisd.openbis.generic.server.authorization.project.data.project.ProjectFromProjectPE;
+import ch.systemsx.cisd.openbis.generic.server.authorization.project.provider.object.SingleObjectProvider;
+import ch.systemsx.cisd.openbis.generic.shared.dto.ExperimentPE;
+
+/**
+ * @author pkupczyk
+ */
+public class ProjectProviderFromExperimentPermId extends SingleObjectProvider<String>
+{
+
+    public ProjectProviderFromExperimentPermId(String permId)
+    {
+        super(permId);
+    }
+
+    @Override
+    protected IProject createProject(IAuthorizationDataProvider dataProvider, String permId)
+    {
+        ExperimentPE experimentPE = dataProvider.tryGetExperimentByPermId(permId);
+
+        if (experimentPE != null)
+        {
+            return new ProjectFromProjectPE(experimentPE.getProject());
+        } else
+        {
+            return null;
+        }
+    }
+
+}

screening/source/java/ch/systemsx/cisd/openbis/plugin/screening/server/ScreeningServer.java

@@ -271,7 +271,8 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl
                         session.tryGetPerson(), sample);
         return SampleTranslator.translate(getSampleTypeSlaveServerPlugin(sample.getSampleType())
                 .getSampleInfo(session, sample), session.getBaseIndexURL(), MetaprojectTranslator
-                .translate(metaprojectPEs), managedPropertyEvaluatorFactory);
+                        .translate(metaprojectPEs),
+                managedPropertyEvaluatorFactory);
     }
 
     @Override
@@ -469,7 +470,8 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl
     @Override
     @RolesAllowed(RoleWithHierarchy.PROJECT_OBSERVER)
     public ExperimentFeatureVectorSummary getExperimentFeatureVectorSummary(String sessionToken,
-            @AuthorizationGuard(guardClass = ExperimentTechIdPredicate.class) TechId experimentId, AnalysisProcedureCriteria analysisProcedureCriteria)
+            @AuthorizationGuard(guardClass = ExperimentTechIdPredicate.class) TechId experimentId,
+            AnalysisProcedureCriteria analysisProcedureCriteria)
     {
         Session session = getSession(sessionToken);
         // NOTE: we want the settings to be passed form the client in future
@@ -523,8 +525,7 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl
         MaterialSummarySettings settings = new MaterialSummarySettings();
         settings.setAggregationType(MaterialReplicaSummaryAggregationType.MEDIAN);
         settings.setFeatureCodes(new ArrayList<String>());
-        settings.setReplicaMatrialTypePatterns(new String[]
-        { "GENE", "CONTROL", "COMPOUND" });
+        settings.setReplicaMatrialTypePatterns(new String[] { "GENE", "CONTROL", "COMPOUND" });
         settings.setMaterialDetailsPropertyType(ScreeningConstants.GENE_SYMBOLS);
         settings.setBiologicalReplicatePropertyTypeCodes("CONCENTRATION", "SIRNA");
         return settings;
@@ -651,7 +652,7 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl
     }
 
     @Override
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    @RolesAllowed(RoleWithHierarchy.PROJECT_OBSERVER)
     public List<PlateWellReferenceWithDatasets> listPlateWells(
             String sessionToken,
             @AuthorizationGuard(guardClass = ExperimentIdentifierPredicate.class) ch.systemsx.cisd.openbis.plugin.screening.shared.api.v1.dto.ExperimentIdentifier experimentIdentifer,
@@ -704,7 +705,7 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl
     }
 
     @Override
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    @RolesAllowed(RoleWithHierarchy.PROJECT_OBSERVER)
     public List<Plate> listPlates(String sessionToken,
             @AuthorizationGuard(guardClass = ExperimentIdentifierPredicate.class) ExperimentIdentifier experiment) throws IllegalArgumentException
     {
@@ -821,7 +822,7 @@ public final class ScreeningServer extends AbstractServer<IScreeningServer> impl
     }
 
     @Override
-    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    @RolesAllowed(RoleWithHierarchy.PROJECT_OBSERVER)
     public ExperimentImageMetadata getExperimentImageMetadata(String sessionToken,
             @AuthorizationGuard(guardClass = ExperimentIdentifierPredicate.class) ExperimentIdentifier experimentIdentifer)
     {

screening/source/java/ch/systemsx/cisd/openbis/plugin/screening/server/authorization/ExperimentIdentifierPredicate.java

@@ -21,9 +21,15 @@ import java.util.List;
 import ch.systemsx.cisd.common.exceptions.Status;
 import ch.systemsx.cisd.openbis.generic.server.authorization.RoleWithIdentifier;
 import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.AbstractSpacePredicate;
+import ch.systemsx.cisd.openbis.generic.server.authorization.project.IProjectAuthorization;
+import ch.systemsx.cisd.openbis.generic.server.authorization.project.ProjectAuthorizationBuilder;
+import ch.systemsx.cisd.openbis.generic.server.authorization.project.provider.project.ProjectProviderFromExperimentIdentifierString;
+import ch.systemsx.cisd.openbis.generic.server.authorization.project.provider.project.ProjectProviderFromExperimentPermId;
+import ch.systemsx.cisd.openbis.generic.server.authorization.project.provider.role.RolesProviderFromRolesWithIdentifier;
+import ch.systemsx.cisd.openbis.generic.server.authorization.project.provider.user.UserProviderFromPersonPE;
 import ch.systemsx.cisd.openbis.generic.shared.dto.ExperimentPE;
-import ch.systemsx.cisd.openbis.generic.shared.dto.SpacePE;
 import ch.systemsx.cisd.openbis.generic.shared.dto.PersonPE;
+import ch.systemsx.cisd.openbis.generic.shared.dto.SpacePE;
 import ch.systemsx.cisd.openbis.generic.shared.util.SpaceCodeHelper;
 import ch.systemsx.cisd.openbis.plugin.screening.shared.api.v1.dto.ExperimentIdentifier;
 
@@ -49,6 +55,18 @@ public class ExperimentIdentifierPredicate extends AbstractSpacePredicate<Experi
     {
         if (value.getPermId() != null)
         {
+            IProjectAuthorization<String> pa = new ProjectAuthorizationBuilder<String>()
+                    .withData(authorizationDataProvider)
+                    .withUser(new UserProviderFromPersonPE(person))
+                    .withRoles(new RolesProviderFromRolesWithIdentifier(allowedRoles))
+                    .withObjects(new ProjectProviderFromExperimentPermId(value.getPermId()))
+                    .build();
+
+            if (pa.getObjectsWithoutAccess().isEmpty())
+            {
+                return Status.OK;
+            }
+
             final ExperimentPE experimentOrNull =
                     authorizationDataProvider.tryGetExperimentByPermId(value.getPermId());
             if (experimentOrNull == null)
@@ -60,6 +78,18 @@ public class ExperimentIdentifierPredicate extends AbstractSpacePredicate<Experi
             return evaluate(allowedRoles, person, space.getCode());
         }
 
+        IProjectAuthorization<String> pa = new ProjectAuthorizationBuilder<String>()
+                .withData(authorizationDataProvider)
+                .withUser(new UserProviderFromPersonPE(person))
+                .withRoles(new RolesProviderFromRolesWithIdentifier(allowedRoles))
+                .withObjects(new ProjectProviderFromExperimentIdentifierString(value.getAugmentedCode()))
+                .build();
+
+        if (pa.getObjectsWithoutAccess().isEmpty())
+        {
+            return Status.OK;
+        }
+
         final String spaceCode = SpaceCodeHelper.getSpaceCode(person, value.getSpaceCode());
         return evaluate(allowedRoles, person, spaceCode);
     }

screening/sourceTest/java/ch/systemsx/cisd/openbis/screening/systemtests/authorization/predicate/experiment/ExperimentIdentifierPredicateWithExperimentIdentifierSystemTest.java

+/*
+ * Copyright 2017 ETH Zuerich, CISD
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package ch.systemsx.cisd.openbis.screening.systemtests.authorization.predicate.experiment;
+
+import java.util.List;
+
+import ch.systemsx.cisd.common.exceptions.UserFailureException;
+import ch.systemsx.cisd.openbis.generic.shared.dto.ExperimentPE;
+import ch.systemsx.cisd.openbis.generic.shared.dto.IAuthSessionProvider;
+import ch.systemsx.cisd.openbis.generic.shared.dto.PersonPE;
+import ch.systemsx.cisd.openbis.generic.shared.dto.ProjectPE;
+import ch.systemsx.cisd.openbis.generic.shared.dto.SpacePE;
+import ch.systemsx.cisd.openbis.plugin.screening.shared.api.v1.dto.ExperimentIdentifier;
+import ch.systemsx.cisd.openbis.screening.systemtests.authorization.predicate.CommonPredicateScreeningSystemTest;
+
+/**
+ * @author pkupczyk
+ */
+public class ExperimentIdentifierPredicateWithExperimentIdentifierSystemTest extends CommonPredicateScreeningSystemTest<ExperimentIdentifier>
+{
+
+    @Override
+    protected ExperimentIdentifier createNonexistentObject()
+    {
+        return new ExperimentIdentifier("IDONTEXIST", "IDONTEXIST", "IDONTEXIST", null);
+    }
+
+    @Override
+    protected ExperimentIdentifier createObject(SpacePE spacePE, ProjectPE projectPE)
+    {
+        ExperimentPE experimentPE = getExperiment(spacePE, projectPE);
+        return new ExperimentIdentifier(experimentPE.getCode(), projectPE.getCode(), spacePE.getCode(), null);
+    }
+
+    @Override
+    protected void evaluateObjects(IAuthSessionProvider session, List<ExperimentIdentifier> objects)
+    {
+        getBean(ExperimentPredicateScreeningTestService.class).testExperimentIdentifierPredicate(session, objects.get(0));
+    }
+
+    @Override
+    protected void assertWithNull(PersonPE person, Throwable t)
+    {
+        assertException(t, UserFailureException.class, "No experiment specified.");
+    }
+
+    @Override
+    protected void assertWithNonexistentObject(PersonPE person, Throwable t)
+    {
+        assertAuthorizationFailureExceptionThatNotEnoughPrivileges(t);
+    }
+
+}

screening/sourceTest/java/ch/systemsx/cisd/openbis/screening/systemtests/authorization/predicate/experiment/ExperimentIdentifierPredicateWithExperimentPermIdSystemTest.java

+/*
+ * Copyright 2017 ETH Zuerich, CISD
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package ch.systemsx.cisd.openbis.screening.systemtests.authorization.predicate.experiment;
+
+import java.util.List;
+
+import ch.systemsx.cisd.common.exceptions.UserFailureException;
+import ch.systemsx.cisd.openbis.generic.shared.dto.ExperimentPE;
+import ch.systemsx.cisd.openbis.generic.shared.dto.IAuthSessionProvider;
+import ch.systemsx.cisd.openbis.generic.shared.dto.PersonPE;
+import ch.systemsx.cisd.openbis.generic.shared.dto.ProjectPE;
+import ch.systemsx.cisd.openbis.generic.shared.dto.SpacePE;
+import ch.systemsx.cisd.openbis.plugin.screening.shared.api.v1.dto.ExperimentIdentifier;
+import ch.systemsx.cisd.openbis.screening.systemtests.authorization.predicate.CommonPredicateScreeningSystemTest;
+
+/**
+ * @author pkupczyk
+ */
+public class ExperimentIdentifierPredicateWithExperimentPermIdSystemTest extends CommonPredicateScreeningSystemTest<ExperimentIdentifier>
+{
+
+    @Override
+    protected ExperimentIdentifier createNonexistentObject()
+    {
+        return new ExperimentIdentifier(null, null, null, "IDONTEXIST");
+    }
+
+    @Override
+    protected ExperimentIdentifier createObject(SpacePE spacePE, ProjectPE projectPE)
+    {
+        ExperimentPE experimentPE = getExperiment(spacePE, projectPE);
+        return new ExperimentIdentifier(null, null, null, experimentPE.getPermId());
+    }
+
+    @Override
+    protected void evaluateObjects(IAuthSessionProvider session, List<ExperimentIdentifier> objects)
+    {
+        getBean(ExperimentPredicateScreeningTestService.class).testExperimentIdentifierPredicate(session, objects.get(0));
+    }
+
+    @Override
+    protected void assertWithNull(PersonPE person, Throwable t)
+    {
+        assertException(t, UserFailureException.class, "No experiment specified.");
+    }
+
+    @Override
+    protected void assertWithNonexistentObject(PersonPE person, Throwable t)
+    {
+        assertAuthorizationFailureExceptionThatNotEnoughPrivileges(t);
+    }
+
+}

screening/sourceTest/java/ch/systemsx/cisd/openbis/screening/systemtests/authorization/predicate/experiment/ExperimentPredicateScreeningTestService.java

@@ -23,7 +23,9 @@ import ch.systemsx.cisd.openbis.generic.server.authorization.annotation.Authoriz
 import ch.systemsx.cisd.openbis.generic.server.authorization.annotation.RolesAllowed;
 import ch.systemsx.cisd.openbis.generic.shared.basic.dto.RoleWithHierarchy;
 import ch.systemsx.cisd.openbis.generic.shared.dto.IAuthSessionProvider;
+import ch.systemsx.cisd.openbis.plugin.screening.server.authorization.ExperimentIdentifierPredicate;
 import ch.systemsx.cisd.openbis.plugin.screening.server.authorization.ExperimentSearchCriteriaPredicate;
+import ch.systemsx.cisd.openbis.plugin.screening.shared.api.v1.dto.ExperimentIdentifier;
 import ch.systemsx.cisd.openbis.plugin.screening.shared.basic.dto.WellSearchCriteria.ExperimentSearchCriteria;
 
 /**
@@ -40,4 +42,11 @@ public class ExperimentPredicateScreeningTestService
     {
     }
 
+    @Transactional
+    @RolesAllowed(value = { RoleWithHierarchy.PROJECT_OBSERVER })
+    public void testExperimentIdentifierPredicate(IAuthSessionProvider session,
+            @AuthorizationGuard(guardClass = ExperimentIdentifierPredicate.class) ExperimentIdentifier experimentIdentifier)
+    {
+    }
+
 }