Added the admin role to solve the problem with rubrics only for admins (
ddelblanco authored and ern committed Aug 29, 2017
1 parent 4f08d3a commit 8bfe3c5
Showing 5 changed files with 15 additions and 15 deletions.
Expand Up @@ -102,6 +102,7 @@ public class RubricsServiceImpl implements RubricsService {
private static final String RBCS_PERMISSIONS_EDITOR = "rbcs.editor";
private static final String RBCS_PERMISSIONS_EVALUEE = "rbcs.evaluee";
private static final String RBCS_PERMISSIONS_ASSOCIATOR = "rbcs.associator";
private static final String RBCS_PERMISSIONS_SUPERUSER = "rbcs.superuser";

private static final String RBCS_SERVICE_URL_PREFIX = "/rubrics-service/rest/";

Expand All @@ -117,7 +118,6 @@ public class RubricsServiceImpl implements RubricsService {
private static final String JWT_CUSTOM_CLAIM_ROLES = "roles";
private static final String JWT_CUSTOM_CLAIM_CONTEXT_ID = "contextId";
private static final String JWT_CUSTOM_CLAIM_CONTEXT_TYPE = "contextType";
private static final String JWT_CUSTOM_CLAIM_CONTEXT_ID_ALL_MATCH = "*";

@Getter
@Setter
Expand Down Expand Up @@ -208,9 +208,9 @@ public String generateJsonWebToken(String tool) {
new String[]{ RBCS_PERMISSIONS_EDITOR,
RBCS_PERMISSIONS_ASSOCIATOR,
RBCS_PERMISSIONS_EVALUATOR,
RBCS_PERMISSIONS_EVALUEE });
jwtBuilder.withClaim(JWT_CUSTOM_CLAIM_CONTEXT_ID, JWT_CUSTOM_CLAIM_CONTEXT_ID_ALL_MATCH);
jwtBuilder.withClaim(JWT_CUSTOM_CLAIM_CONTEXT_TYPE, SITE_CONTEXT_TYPE);
RBCS_PERMISSIONS_EVALUEE,
RBCS_PERMISSIONS_SUPERUSER });

} else {

List<String> roles = new ArrayList<>();
Expand All @@ -227,9 +227,9 @@ public String generateJsonWebToken(String tool) {
roles.add(RBCS_PERMISSIONS_EVALUEE);
}
jwtBuilder.withArrayClaim(JWT_CUSTOM_CLAIM_ROLES, roles.toArray(new String[]{}));
jwtBuilder.withClaim(JWT_CUSTOM_CLAIM_CONTEXT_ID, siteId);
jwtBuilder.withClaim(JWT_CUSTOM_CLAIM_CONTEXT_TYPE, SITE_CONTEXT_TYPE);
}
jwtBuilder.withClaim(JWT_CUSTOM_CLAIM_CONTEXT_ID, siteId);
jwtBuilder.withClaim(JWT_CUSTOM_CLAIM_CONTEXT_TYPE, SITE_CONTEXT_TYPE);
token = jwtBuilder.sign(Algorithm.HMAC256(serverConfigurationService.getString(
RUBRICS_TOKEN_SIGNING_SHARED_SECRET_PROPERTY)));

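Review bot: `RBCS_PERMISSIONS_SUPERUSER = "rbcs.superuser"` on the service side has to stay byte-identical to the permission key given to `Role.ROLE_SUPERUSER` in the Role enum (fifth file), because `Role.fromPermissionKey` throws `IllegalArgumentException` on an unknown key and nothing ties the two literals together. Add `// must match Role.ROLE_SUPERUSER's permission key in the rubrics service` beside the constant, or, if the enum is on the classpath here, build the role array from `Role.values()` instead of five string literals. The `if` that selects the superuser branch of `generateJsonWebToken` starts outside the hunk, and whether the `roles` claim is mapped through `fromPermissionKey` is not visible in this diff.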
Expand Up @@ -37,7 +37,7 @@ public interface BaseResourceRepository<T extends BaseResource, ID extends Seria
extends PagingAndSortingRepository<T, ID> {

static final String QUERY_CONTEXT_CONSTRAINT = "(resource.metadata.ownerId = ?#{principal.contextId} " +
"or 1 = ?#{principal.hasWildcardContextId() ? 1 : 0})";
"or 1 = ?#{principal.isSuperUser() ? 1 : 0})";

@Override
@PreAuthorize("canWrite(#resource)")
Expand Up @@ -130,7 +130,7 @@ public boolean canCopy(String resourceId, String resourceType) {
boolean allowed = false;
if (authenticatedRequestContext.isEditor()) {
allowed = DEFAULT_RESOURCE_COPY_ID.equalsIgnoreCase(resourceId)
|| authenticatedRequestContext.hasWildcardContextId();
|| authenticatedRequestContext.isSuperUser();
if (!allowed) {
Long id = Long.parseLong(resourceId);
allowed = canRead(id, resourceType);
Expand All @@ -140,7 +140,7 @@ public boolean canCopy(String resourceId, String resourceType) {
}

private boolean isAuthorizedToAccessContextResource(Long resourceId, String resourceType) {
boolean allowed = authenticatedRequestContext.hasWildcardContextId();
boolean allowed = authenticatedRequestContext.isSuperUser();
if (!allowed) {
BaseResource resource = repositories.get(resourceType).findOne(resourceId);
allowed = resource.getMetadata().getOwnerId().equalsIgnoreCase(
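Review bot: In `isAuthorizedToAccessContextResource` the non-superuser path dereferences `repositories.get(resourceType).findOne(resourceId)` without a null check, so an unknown `resourceId` surfaces as an NPE from `resource.getMetadata()` instead of `allowed = false`, if `findOne` follows the `CrudRepository` contract of returning null for a missing id. Guard it on the existing line: `allowed = resource != null && resource.getMetadata().getOwnerId().equalsIgnoreCase(`. This is pre-existing, but the commit rewrites the line directly above it and the method's body continues past the hunk. `canCopy` begins before the hunk and has the same shape of problem with an unguarded `Long.parseLong(resourceId)`, which throws `NumberFormatException` for a non-numeric id.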
Expand Up @@ -34,8 +34,6 @@
*/
public class AuthenticatedRequestContext implements UserDetails {

private static final String JWT_CUSTOM_CLAIM_CONTEXT_ID_ALL_MATCH = "*";

private final String userId;
private final String username;
private final String toolId;
Expand Down Expand Up @@ -136,7 +134,8 @@ public boolean isEvalueeOnly() {
Role.ROLE_EVALUEE.name().equalsIgnoreCase(authority.getAuthority()));
}

public boolean hasWildcardContextId() {
return JWT_CUSTOM_CLAIM_CONTEXT_ID_ALL_MATCH.equals(this.contextId);
public boolean isSuperUser() {
return this.getAuthorities().stream().allMatch(authority ->
Role.ROLE_SUPERUSER.name().equalsIgnoreCase(authority.getAuthority()));
}
}
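Review bot: `isSuperUser()` uses `allMatch`, so it is true only when every authority is `ROLE_SUPERUSER`, yet the token minted for that case in `RubricsServiceImpl` (first file) carries editor, associator, evaluator, evaluee and superuser together — such a principal is never recognised as superuser, and the query constraint and `canCopy` paths silently fall back to the owner checks. `allMatch` is also vacuously true on an empty stream, so a principal with no authorities at all would pass as superuser if `getAuthorities()` can ever be empty (its implementation is outside this hunk). `isEvalueeOnly()` above uses `allMatch` deliberately for its "only" semantics; this check should instead read `return this.getAuthorities().stream().anyMatch(authority -> Role.ROLE_SUPERUSER.name().equalsIgnoreCase(authority.getAuthority()));`.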
Expand Up @@ -16,7 +16,8 @@ public enum Role {
ROLE_EDITOR ("rbcs.editor", Arrays.asList(Rubric.class, Criterion.class, Rating.class)),
ROLE_ASSOCIATOR ("rbcs.associator", Arrays.asList(ToolItemRubricAssociation.class)),
ROLE_EVALUATOR ("rbcs.evaluator", Arrays.asList(Evaluation.class)),
ROLE_EVALUEE ("rbcs.evaluee", Collections.emptyList());
ROLE_EVALUEE ("rbcs.evaluee", Collections.emptyList()),
ROLE_SUPERUSER ("rbcs.superuser", Collections.emptyList());

private String permissionKey;
private List<Class<? extends BaseResource>> authorizedToCreateOrEditResources;
Expand All @@ -43,4 +44,4 @@ public static Role fromPermissionKey(String key) {
}
throw new IllegalArgumentException(key);
}
}
}
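Review bot: `ROLE_SUPERUSER` is declared with an empty `authorizedToCreateOrEditResources` list, so on its own it conveys no create/edit rights and its only effect is the bypass of the owner/context constraint in `BaseResourceRepository` and the authorization checks (second and third files); nothing in the enum says so. Add above the constant: `// Bypasses the owner/context constraint only; create/edit rights come from the other roles issued alongside it`. That the role is always issued together with the other four in `RubricsServiceImpl` is the assumption the empty list relies on, and it is worth stating where the next maintainer will look.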
