change: choose a secure creator-minimal-role (INSTANCE_OBSERVER) if no...

change: choose a secure creator-minimal-role (INSTANCE_OBSERVER) if no data-space is set to avoid circumvention of authorization settings by insecure configuration SVN: 17896

change: choose a secure creator-minimal-role (INSTANCE_OBSERVER) if no...
e82d1505 · brinn · 7a85f717 · e82d1505
Commit e82d1505 authored 14 years ago by brinn
--- a/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/server/QueryServer.java
+++ b/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/server/QueryServer.java
@@ -76,7 +76,11 @@ public class QueryServer extends AbstractServer<IQueryServer> implements IQueryS
    private static final String CREATOR_MINIMAL_ROLE_KEY = "creator-minimal-role";
-    private static final String DEFAULT_CREATOR_MINIMAL_ROLE = RoleWithHierarchy.SPACE_POWER_USER.name();
+    private static final String DEFAULT_CREATOR_MINIMAL_ROLE_SPACE =
+            RoleWithHierarchy.SPACE_POWER_USER.name();
+    private static final String DEFAULT_CREATOR_MINIMAL_ROLE_INSTANCE =
+            RoleWithHierarchy.INSTANCE_OBSERVER.name();
    private static final String DATA_SPACE_KEY = "data-space";
@@ -303,11 +307,11 @@ public class QueryServer extends AbstractServer<IQueryServer> implements IQueryS
                    new SimpleDatabaseConfigurationContext(databaseProperties);
            final String label =
                    PropertyUtils.getMandatoryProperty(databaseProperties, LABEL_PROPERTY_KEY);
-            final String creatorMinimalRoleString =
-                    PropertyUtils.getProperty(databaseProperties, CREATOR_MINIMAL_ROLE_KEY,
-                            DEFAULT_CREATOR_MINIMAL_ROLE);
            final String dataSpaceOrNullString =
                    PropertyUtils.getProperty(databaseProperties, DATA_SPACE_KEY);
+            final String creatorMinimalRoleString =
+                    PropertyUtils.getProperty(databaseProperties, CREATOR_MINIMAL_ROLE_KEY,
+                            getDefaultRoleForDataSource(dataSpaceOrNullString));
            if (labels.contains(label))
            {
@@ -331,7 +335,8 @@ public class QueryServer extends AbstractServer<IQueryServer> implements IQueryS
            }
            try
            {
-                final RoleWithHierarchy creatorMinimalRole = RoleWithHierarchy.valueOf(creatorMinimalRoleString);
+                final RoleWithHierarchy creatorMinimalRole =
+                        RoleWithHierarchy.valueOf(creatorMinimalRoleString);
                definitions.put(databaseKey, new DatabaseDefinition(configurationContext,
                        databaseKey, label, creatorMinimalRole, dataSpaceOrNull));
            } catch (IllegalArgumentException ex)
@@ -344,4 +349,15 @@ public class QueryServer extends AbstractServer<IQueryServer> implements IQueryS
        }
        QueryAccessController.initialize(definitions);
    }
+    private String getDefaultRoleForDataSource(final String dataSpaceOrNull)
+    {
+        if (dataSpaceOrNull == null) // database contains data for the whole instance
+        {
+            return DEFAULT_CREATOR_MINIMAL_ROLE_INSTANCE;
+        } else
+        {
+            return DEFAULT_CREATOR_MINIMAL_ROLE_SPACE;
+        }
+    }
 }