Update authorization check in ServiceImpl

Update reflects on the access type:
  - ADMIN: Full access to all features
  - User: Admin functions restricted to selected project(s)
  - read_only: View-only access, editing disabled

Author: zaqifathis

BimServer/src/org/bimserver/database/actions/AddProjectDatabaseAction.java

@@ -66,6 +66,9 @@ public Project execute() throws UserException, BimserverDatabaseException, Bimse
 		}
 		final Project project = getDatabaseSession().create(Project.class);
 		Project parentProject = null;
+		if (actingUser.getUserType() == UserType.READ_ONLY){
+			throw new UserException("Read-only users cannot create projects/subprojects");
+		}
 		if (parentPoid != -1) {
 			parentProject = getProjectByPoid(parentPoid);
 			project.setParent(parentProject);

BimServer/src/org/bimserver/database/actions/AddUserToProjectDatabaseAction.java

@@ -17,62 +17,95 @@
  * along with this program.  If not, see {@literal<http://www.gnu.org/licenses/>}.
  *****************************************************************************/
 
+import java.util.ArrayList;
 import java.util.Date;
+import java.util.List;
 
 import org.bimserver.BimServer;
 import org.bimserver.BimserverDatabaseException;
 import org.bimserver.database.BimserverLockConflictException;
 import org.bimserver.database.DatabaseSession;
 import org.bimserver.database.PostCommitAction;
 import org.bimserver.interfaces.SConverter;
+import org.bimserver.interfaces.objects.SProjectSmall;
 import org.bimserver.models.log.AccessMethod;
 import org.bimserver.models.log.UserAddedToProject;
 import org.bimserver.models.store.Project;
 import org.bimserver.models.store.User;
+import org.bimserver.models.store.UserType;
 import org.bimserver.shared.exceptions.UserException;
 import org.bimserver.webservices.authorization.Authorization;
-
-public class AddUserToProjectDatabaseAction extends BimDatabaseAction<Boolean> {
-
-	private final long uoid;
+
+public class AddUserToProjectDatabaseAction extends BimDatabaseAction<Boolean> {
+
+	private final long uoid;
 	private final long poid;
 	private Authorization authorization;
-	private BimServer bimServer;
-
-	public AddUserToProjectDatabaseAction(BimServer bimServer, DatabaseSession databaseSession, AccessMethod accessMethod, Authorization authorization, long uoid,
-			long poid) {
+	private BimServer bimServer;
+
+	public AddUserToProjectDatabaseAction(BimServer bimServer, DatabaseSession databaseSession, AccessMethod accessMethod, Authorization authorization, long uoid,
+			long poid) {
 		super(databaseSession, accessMethod);
 		this.bimServer = bimServer;
-		this.authorization = authorization;
-		this.uoid = uoid;
-		this.poid = poid;
-	}
-
-	@Override
+		this.authorization = authorization;
+		this.uoid = uoid;
+		this.poid = poid;
+	}
+
+	@Override
 	public Boolean execute() throws UserException, BimserverDatabaseException, BimserverLockConflictException {
 		final Project project = getProjectByPoid(poid);
-		User actingUser = getUserByUoid(authorization.getUoid());
-		if (authorization.hasRightsOnProject(actingUser, project)) {
-			User user = getUserByUoid(uoid);
-			project.getHasAuthorizedUsers().add(user);
-			user.getHasRightsOn().add(project);
-			final UserAddedToProject userAddedToProject = getDatabaseSession().create(UserAddedToProject.class);
-			userAddedToProject.setExecutor(actingUser);
-			userAddedToProject.setDate(new Date());
-			userAddedToProject.setAccessMethod(getAccessMethod());
-			userAddedToProject.setUser(user);
-			userAddedToProject.setProject(project);
-			getDatabaseSession().addPostCommitAction(new PostCommitAction() {
-				@Override
-				public void execute() throws UserException {
-					bimServer.getNotificationsManager().notify(new SConverter().convertToSObject(userAddedToProject));
+		User actingUser = getUserByUoid(authorization.getUoid());
+		User user = getUserByUoid(uoid);
+		if (actingUser.getUserType() != UserType.READ_ONLY) {
+			if (authorization.hasRightsOnProject(actingUser, project)) {
+				if (user.getUserType() == UserType.USER) {
+					Project rootProject = getRootProject(project);
+					getSubProjects(rootProject, actingUser, user);
+				} else {
+					addUserToProject(project, actingUser, user);
 				}
-			});
-			getDatabaseSession().store(user);
-			getDatabaseSession().store(project);
-			return true;
-		} else {
-			throw new UserException("User has no rights to grant permission on '" + project.getName() + "'");
-		}
-	}
+				return true;
+			} else {
+				throw new UserException("User has no rights on project '" + project.getName() + "'");
+			}
+		} else {
+			throw new UserException("User has no rights to grant permission on '" + project.getName() + "'");
+		}
+    }
+
+	private Project getRootProject(Project project) {
+		if (project.getParent() != null) {
+			return getRootProject(project.getParent());
+		} else {
+			return project;
+		}
+	}
+
+	private  void getSubProjects(Project project, User actingUser, User user) throws BimserverDatabaseException {
+		addUserToProject(project, actingUser, user);
+		List<Project> subProjects = new ArrayList<Project>(project.getSubProjects());
+		for (Project subProject : subProjects) {
+			getSubProjects(subProject, actingUser, user);
+		}
+	}
+
+	private void addUserToProject( Project project, User actingUser, User user) throws BimserverDatabaseException {
+		project.getHasAuthorizedUsers().add(user);
+		user.getHasRightsOn().add(project);
+		final UserAddedToProject userAddedToProject = getDatabaseSession().create(UserAddedToProject.class);
+		userAddedToProject.setExecutor(actingUser);
+		userAddedToProject.setDate(new Date());
+		userAddedToProject.setAccessMethod(getAccessMethod());
+		userAddedToProject.setUser(user);
+		userAddedToProject.setProject(project);
+		getDatabaseSession().addPostCommitAction(new PostCommitAction() {
+			@Override
+			public void execute() throws UserException {
+				bimServer.getNotificationsManager().notify(new SConverter().convertToSObject(userAddedToProject));
+			}
+		});
+		getDatabaseSession().store(user);
+		getDatabaseSession().store(project);
+    }
 }

BimServer/src/org/bimserver/database/actions/BranchToExistingProjectDatabaseAction.java

@@ -28,32 +28,28 @@
 import org.bimserver.ifc.BasicIfcModel;
 import org.bimserver.ifc.IfcModel;
 import org.bimserver.models.log.AccessMethod;
-import org.bimserver.models.store.ConcreteRevision;
-import org.bimserver.models.store.Project;
-import org.bimserver.models.store.Revision;
-import org.bimserver.models.store.StorePackage;
-import org.bimserver.models.store.User;
+import org.bimserver.models.store.*;
 import org.bimserver.plugins.IfcModelSet;
 import org.bimserver.plugins.ModelHelper;
 import org.bimserver.plugins.modelmerger.MergeException;
 import org.bimserver.shared.exceptions.UserException;
 import org.bimserver.webservices.authorization.Authorization;
-
-public class BranchToExistingProjectDatabaseAction extends AbstractBranchDatabaseAction {
-	private final Long roid;
-	private final Long destPoid;
-	private final String comment;
-	private final BimServer bimServer;
-	private Authorization authorization;
-	
-	public BranchToExistingProjectDatabaseAction(DatabaseSession databaseSession, AccessMethod accessMethod, BimServer bimServer, Authorization authorization, Long roid, Long destPoid, String comment) {
-		super(databaseSession, accessMethod);
+
+public class BranchToExistingProjectDatabaseAction extends AbstractBranchDatabaseAction {
+	private final Long roid;
+	private final Long destPoid;
+	private final String comment;
+	private final BimServer bimServer;
+	private Authorization authorization;
+	
+	public BranchToExistingProjectDatabaseAction(DatabaseSession databaseSession, AccessMethod accessMethod, BimServer bimServer, Authorization authorization, Long roid, Long destPoid, String comment) {
+		super(databaseSession, accessMethod);
 		this.bimServer = bimServer;
-		this.authorization = authorization;
-		this.roid = roid;
-		this.destPoid = destPoid;
-		this.comment = comment;
-	}
+		this.authorization = authorization;
+		this.roid = roid;
+		this.destPoid = destPoid;
+		this.comment = comment;
+	}
 
 	public Long getRoid() {
 		return roid;
@@ -63,34 +59,38 @@ public Long getRoid() {
 	public Long getPoid() {
 		return destPoid;
 	}
-	
-	@Override
-	public ConcreteRevision execute() throws UserException, BimserverLockConflictException, BimserverDatabaseException {
-		Revision oldRevision = getDatabaseSession().get(StorePackage.eINSTANCE.getRevision(), roid, OldQuery.getDefault());
-		Project oldProject = oldRevision.getProject();
-		User user = getDatabaseSession().get(StorePackage.eINSTANCE.getUser(), authorization.getUoid(), OldQuery.getDefault());
-		if (!authorization.hasRightsOnProjectOrSuperProjectsOrSubProjects(user, oldProject)) {
-			throw new UserException("User has insufficient rights to download revisions from this project");
-		}
+	
+	@Override
+	public ConcreteRevision execute() throws UserException, BimserverLockConflictException, BimserverDatabaseException {
+		Revision oldRevision = getDatabaseSession().get(StorePackage.eINSTANCE.getRevision(), roid, OldQuery.getDefault());
+		Project oldProject = oldRevision.getProject();
+		User user = getDatabaseSession().get(StorePackage.eINSTANCE.getUser(), authorization.getUoid(), OldQuery.getDefault());
+		User actingUser = getUserByUoid(authorization.getUoid());
+		if (actingUser.getUserType() == UserType.READ_ONLY) {
+			throw new UserException("User '" + actingUser.getName() + "' is read only and cannot branch projects");
+		}
+		if (!authorization.hasRightsOnProjectOrSuperProjectsOrSubProjects(user, oldProject)) {
+			throw new UserException("User has insufficient rights to download revisions from this project");
+		}
 		IfcModelSet ifcModelSet = new IfcModelSet();
-		PackageMetaData lastMetaData = null;
+		PackageMetaData lastMetaData = null;
 		for (ConcreteRevision subRevision : oldRevision.getConcreteRevisions()) {
-			PackageMetaData packageMetaData = bimServer.getMetaDataManager().getPackageMetaData(subRevision.getProject().getSchema());
-			IfcModel subModel = new BasicIfcModel(packageMetaData, null);
-			getDatabaseSession().getMap(subModel, new OldQuery(packageMetaData, subRevision.getProject().getId(), subRevision.getId(), -1, Deep.YES));
-			subModel.getModelMetaData().setDate(subRevision.getDate());
+			PackageMetaData packageMetaData = bimServer.getMetaDataManager().getPackageMetaData(subRevision.getProject().getSchema());
+			IfcModel subModel = new BasicIfcModel(packageMetaData, null);
+			getDatabaseSession().getMap(subModel, new OldQuery(packageMetaData, subRevision.getProject().getId(), subRevision.getId(), -1, Deep.YES));
+			subModel.getModelMetaData().setDate(subRevision.getDate());
 			ifcModelSet.add(subModel);
-			lastMetaData = packageMetaData;
-		}
+			lastMetaData = packageMetaData;
+		}
 		IfcModelInterface model = new BasicIfcModel(lastMetaData, null);
 		try {
-			model = bimServer.getMergerFactory().createMerger(getDatabaseSession(), authorization.getUoid())
+			model = bimServer.getMergerFactory().createMerger(getDatabaseSession(), authorization.getUoid())
 					.merge(oldRevision.getProject(), ifcModelSet, new ModelHelper(bimServer.getMetaDataManager(), model));
 		} catch (MergeException e) {
 			throw new UserException(e);
-		}
-		model.resetOids();
-		CheckinDatabaseAction checkinDatabaseAction = new CheckinDatabaseAction(bimServer, getDatabaseSession(), getAccessMethod(), destPoid, authorization, model, comment, comment, false, -1, -1); // TODO
+		}
+		model.resetOids();
+		CheckinDatabaseAction checkinDatabaseAction = new CheckinDatabaseAction(bimServer, getDatabaseSession(), getAccessMethod(), destPoid, authorization, model, comment, comment, false, -1, -1); // TODO
 		return checkinDatabaseAction.execute();
-	}
+	}
 }

BimServer/src/org/bimserver/database/actions/BranchToNewProjectDatabaseAction.java

@@ -28,11 +28,7 @@
 import org.bimserver.ifc.BasicIfcModel;
 import org.bimserver.ifc.IfcModel;
 import org.bimserver.models.log.AccessMethod;
-import org.bimserver.models.store.ConcreteRevision;
-import org.bimserver.models.store.Project;
-import org.bimserver.models.store.Revision;
-import org.bimserver.models.store.StorePackage;
-import org.bimserver.models.store.User;
+import org.bimserver.models.store.*;
 import org.bimserver.plugins.IfcModelSet;
 import org.bimserver.plugins.ModelHelper;
 import org.bimserver.plugins.modelmerger.MergeException;
@@ -71,6 +67,10 @@ public ConcreteRevision execute() throws UserException, BimserverLockConflictExc
 		Revision oldRevision = getDatabaseSession().get(StorePackage.eINSTANCE.getRevision(), roid, OldQuery.getDefault());
 		Project oldProject = oldRevision.getProject();
 		final User user = getDatabaseSession().get(StorePackage.eINSTANCE.getUser(), authorization.getUoid(), OldQuery.getDefault());
+		User actingUser = getUserByUoid(authorization.getUoid());
+		if (actingUser.getUserType() == UserType.READ_ONLY) {
+			throw new UserException("User '" + actingUser.getName() + "' is read only and cannot branch projects");
+		}
 		if (!authorization.hasRightsOnProjectOrSuperProjectsOrSubProjects(user, oldProject)) {
 			throw new UserException("User has insufficient rights to download revisions from this project");
 		}

BimServer/src/org/bimserver/database/actions/CloneToNewProjectDatabaseAction.java

@@ -36,11 +36,7 @@
 import org.bimserver.database.queries.om.SpecialQueryType;
 import org.bimserver.emf.PackageMetaData;
 import org.bimserver.models.log.AccessMethod;
-import org.bimserver.models.store.ConcreteRevision;
-import org.bimserver.models.store.Project;
-import org.bimserver.models.store.Revision;
-import org.bimserver.models.store.StorePackage;
-import org.bimserver.models.store.User;
+import org.bimserver.models.store.*;
 import org.bimserver.shared.HashMapVirtualObject;
 import org.bimserver.shared.QueryContext;
 import org.bimserver.shared.exceptions.UserException;
@@ -71,6 +67,9 @@ public ConcreteRevision execute() throws UserException, BimserverLockConflictExc
 		Revision oldRevision = getDatabaseSession().get(StorePackage.eINSTANCE.getRevision(), roid, OldQuery.getDefault());
 		Project oldProject = oldRevision.getProject();
 		final User user = getDatabaseSession().get(StorePackage.eINSTANCE.getUser(), authorization.getUoid(), OldQuery.getDefault());
+		if (user.getUserType() == UserType.READ_ONLY) {
+			throw new UserException("User '" + user.getName() + "' is read-only and cannot create a new project");
+		}
 		if (!authorization.hasRightsOnProjectOrSuperProjectsOrSubProjects(user, oldProject)) {
 			throw new UserException("User has insufficient rights to download revisions from this project");
 		}

BimServer/src/org/bimserver/database/actions/DeleteProjectDatabaseAction.java

@@ -33,48 +33,51 @@
 import org.bimserver.models.store.UserType;
 import org.bimserver.shared.exceptions.UserException;
 import org.bimserver.webservices.authorization.Authorization;
-
-public class DeleteProjectDatabaseAction extends BimDatabaseAction<Boolean> {
-
+
+public class DeleteProjectDatabaseAction extends BimDatabaseAction<Boolean> {
+
 	private final long poid;
 	private Authorization authorization;
-	private BimServer bimServer;
-
-	public DeleteProjectDatabaseAction(BimServer bimServer, DatabaseSession databaseSession, AccessMethod accessMethod, long poid, Authorization authorization) {
+	private BimServer bimServer;
+
+	public DeleteProjectDatabaseAction(BimServer bimServer, DatabaseSession databaseSession, AccessMethod accessMethod, long poid, Authorization authorization) {
 		super(databaseSession, accessMethod);
 		this.bimServer = bimServer;
 		this.poid = poid;
-		this.authorization = authorization;
-	}
-
-	@Override
-	public Boolean execute() throws UserException, BimserverDatabaseException, BimserverLockConflictException {
-		User actingUser = getUserByUoid(authorization.getUoid());
-		final Project project = getProjectByPoid(poid);
-		if (actingUser.getUserType() == UserType.ADMIN || (actingUser.getHasRightsOn().contains(project) && bimServer.getServerSettingsCache().getServerSettings().isAllowUsersToCreateTopLevelProjects())) {
-			delete(project);
-			final ProjectDeleted projectDeleted = getDatabaseSession().create(ProjectDeleted.class);
-			projectDeleted.setAccessMethod(getAccessMethod());
-			projectDeleted.setDate(new Date());
-			projectDeleted.setExecutor(actingUser);
+		this.authorization = authorization;
+	}
+
+	@Override
+	public Boolean execute() throws UserException, BimserverDatabaseException, BimserverLockConflictException {
+		User actingUser = getUserByUoid(authorization.getUoid());
+		final Project project = getProjectByPoid(poid);
+		if (actingUser.getUserType() == UserType.READ_ONLY){
+			throw new UserException("No rights to delete this project");
+		}
+		if (actingUser.getUserType() == UserType.ADMIN || (actingUser.getHasRightsOn().contains(project) && bimServer.getServerSettingsCache().getServerSettings().isAllowUsersToCreateTopLevelProjects())) {
+			delete(project);
+			final ProjectDeleted projectDeleted = getDatabaseSession().create(ProjectDeleted.class);
+			projectDeleted.setAccessMethod(getAccessMethod());
+			projectDeleted.setDate(new Date());
+			projectDeleted.setExecutor(actingUser);
 			projectDeleted.setProject(project);
 			getDatabaseSession().addPostCommitAction(new PostCommitAction() {
 				@Override
 				public void execute() throws UserException {
 					bimServer.getNotificationsManager().notify(new SConverter().convertToSObject(projectDeleted));
 				}
 			});
-			getDatabaseSession().store(project);
-			return true;
-		} else {
-			throw new UserException("No rights to delete this project");
-		}
-	}
-	
-	private void delete(Project project) {
-		project.setState(ObjectState.DELETED);
-		for (Project subProject : project.getSubProjects()) {
-			delete(subProject);
-		}
-	}
+			getDatabaseSession().store(project);
+			return true;
+		} else {
+			throw new UserException("No rights to delete this project");
+		}
+	}
+	
+	private void delete(Project project) {
+		project.setState(ObjectState.DELETED);
+		for (Project subProject : project.getSubProjects()) {
+			delete(subProject);
+		}
+	}
 }