Changeset 15715


Ignore:
Timestamp:
02/02/18 20:19:43 (19 months ago)
Author:
jzenisek
Message:

#2839 improved permission checking of HiveService methods

Location:
branches/HiveProjectManagement
Files:
4 edited

Legend:

Unmodified
Added
Removed
  • branches/HiveProjectManagement/HeuristicLab.Services.Hive.DataAccess/3.3/Daos/AssignedProjectResourceDao.cs

    r15658 r15715  
    116116        WHERE ProjectId IN ({0})
    117117    ";
    118     // tested
    119118    private const string CheckProjectGrantedForResourcesQueryString = @"
    120119    WITH rtree AS
  • branches/HiveProjectManagement/HeuristicLab.Services.Hive/3.3/HiveService.cs

    r15658 r15715  
    7272    public Guid AddTask(DT.Task task, DT.TaskData taskData) {
    7373      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     74      AuthorizationManager.AuthorizeForJob(task.JobId, DT.Permission.Full);
    7475      var pm = PersistenceManager;
    7576      using (new PerformanceLogger("AddTask")) {
     
    322323      var pm = PersistenceManager;
    323324      using (new PerformanceLogger("GetJobs")) {
    324         // TODO-JAN: optimization potential - avoid using too many joins in linq
    325325        var jobDao = pm.JobDao;
    326326        var jobPermissionDao = pm.JobPermissionDao;
     
    336336            .Select(x => x.ToDto())
    337337            .ToList();
    338           // calculate stats only for owned & permitted jobs; TODO: query only needed ones, not all
    339338          var statistics = taskDao.GetAll()
    340339              .Where(x => jobs.Select(y => y.Id).Contains(x.JobId))
     
    367366    }
    368367
    369     public Guid AddJob(DT.Job jobDto) {
    370       RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
    371       var pm = PersistenceManager;
    372       using (new PerformanceLogger("AddJob")) {
    373         var jobDao = pm.JobDao;
    374         var userPriorityDao = pm.UserPriorityDao;
    375         return pm.UseTransaction(() => {
    376           jobDto.OwnerUserId = UserManager.CurrentUserId;
    377           jobDto.DateCreated = DateTime.Now;
    378           var job = jobDao.Save(jobDto.ToEntity());
    379           if (userPriorityDao.GetById(jobDto.OwnerUserId) == null) {
    380             userPriorityDao.Save(new DA.UserPriority {
    381               UserId = jobDto.OwnerUserId,
    382               DateEnqueued = jobDto.DateCreated
    383             });
    384           }
    385           pm.SubmitChanges();
    386           return job.JobId;
    387         });
    388       }
    389     }
    390 
    391368    public Guid AddJob(DT.Job jobDto, IEnumerable<Guid> resourceIds) {
    392369      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     
    406383
    407384          // add resource assignments
    408           newJob.AssignedJobResources.AddRange(resourceIds.Select(
    409             x => new DA.AssignedJobResource {
    410               ResourceId = x
    411             }));
     385          if (resourceIds != null && resourceIds.Any()) {           
     386            newJob.AssignedJobResources.AddRange(resourceIds.Select(
     387              x => new DA.AssignedJobResource {
     388                ResourceId = x
     389              }));
     390          }
    412391
    413392          var job = jobDao.Save(newJob);
     
    424403    }
    425404
    426     public void UpdateJob(DT.Job jobDto) {
    427       RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
    428       AuthorizationManager.AuthorizeForJob(jobDto.Id, DT.Permission.Full);
    429       var pm = PersistenceManager;
    430       using (new PerformanceLogger("UpdateJob")) {
    431         bool exists = true;
    432         var jobDao = pm.JobDao;
    433         pm.UseTransaction(() => {
    434           var job = jobDao.GetById(jobDto.Id);
    435           if (job == null) {
    436             exists = false;
    437             job = new DA.Job();
    438           }
    439           jobDto.CopyToEntity(job);
    440           if (!exists) {
    441             jobDao.Save(job);
    442           }
    443           pm.SubmitChanges();
    444         });
    445       }
    446     }
    447 
    448405    public void UpdateJob(DT.Job jobDto, IEnumerable<Guid> resourceIds) {
    449406      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     
    468425          if (!exists) {
    469426            // add resource assignments
    470             job.AssignedJobResources.AddRange(resourceIds.Select(
    471               x => new DA.AssignedJobResource {
    472                 ResourceId = x
     427            if (resourceIds != null && resourceIds.Any()) {
     428              job.AssignedJobResources.AddRange(resourceIds.Select(
     429                x => new DA.AssignedJobResource {
     430                  ResourceId = x
    473431              }));
     432            }
    474433            jobDao.Save(job);
    475           } else {
     434          } else if(resourceIds != null) {
    476435            var addedJobResourceIds = resourceIds.Except(job.AssignedJobResources.Select(x => x.ResourceId));
    477436            var removedJobResourceIds = job.AssignedJobResources
     
    716675    #region Project Methods
    717676    public Guid AddProject(DT.Project projectDto) {
    718       RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator);
     677      if (projectDto == null) return Guid.Empty;
     678      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     679      // check if current (non-admin) user is owner of one of projectDto's-parents
     680      if (!RoleVerifier.IsInRole(HiveRoles.Administrator)) {
     681        if(projectDto.ParentProjectId.HasValue) {
     682          AuthorizationManager.AuthorizeForProjectAdministration(projectDto.ParentProjectId.Value);
     683        } else {
     684          throw new SecurityException(NOT_AUTHORIZED_USERPROJECT);
     685        }
     686      }
     687     
    719688      var pm = PersistenceManager;
    720689      using (new PerformanceLogger("AddProject")) {
     
    729698
    730699    public void UpdateProject(DT.Project projectDto) {
    731       RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator);
     700      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     701      // check if current (non-admin) user is owner of the project or the projectDto's-parents
     702      if (!RoleVerifier.IsInRole(HiveRoles.Administrator)) {
     703        AuthorizationManager.AuthorizeForProjectAdministration(projectDto.Id);
     704      }
     705
    732706      var pm = PersistenceManager;
    733707      using (new PerformanceLogger("UpdateProject")) {
     
    746720
    747721    public void DeleteProject(Guid projectId) {
    748       RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator);
     722      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     723      // check if current (non-admin) user is owner of the project or the projectDto's-parents
     724      if (!RoleVerifier.IsInRole(HiveRoles.Administrator)) {
     725        AuthorizationManager.AuthorizeForProjectAdministration(projectId);
     726      }
     727
    749728      var pm = PersistenceManager;
    750729      using (new PerformanceLogger("DeleteProject")) {
     
    759738    }
    760739
     740    // query granted project for use (i.e. to calculate on)
    761741    public DT.Project GetProject(Guid projectId) {
    762742      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     
    764744      using (new PerformanceLogger("GetProject")) {
    765745        var projectDao = pm.ProjectDao;
    766         return pm.UseTransaction(() => projectDao.GetById(projectId).ToDto());
    767       }
    768     }
    769 
    770     // query granted projects for use (i.e. to calculate on)
    771     public IEnumerable<DT.Project> GetProjects() {
    772       RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
    773       //bool isAdministrator = RoleVerifier.IsInRole(HiveRoles.Administrator);
    774       var pm = PersistenceManager;
    775       using (new PerformanceLogger("GetProjects")) {
    776         var projectDao = pm.ProjectDao;
    777         //var projectPermissionDao = pm.ProjectPermissionDao;
    778746        var currentUserId = UserManager.CurrentUserId;
    779747        var userAndGroupIds = new List<Guid> { currentUserId };
     
    781749        return pm.UseTransaction(() => {
    782750          return projectDao.GetUsageGrantedProjectsForUser(userAndGroupIds)
     751          .Where(x => x.ProjectId == projectId)
     752          .Select(x => x.ToDto())
     753          .SingleOrDefault();
     754        });
     755      }
     756    }
     757
     758    // query granted projects for use (i.e. to calculate on)
     759    public IEnumerable<DT.Project> GetProjects() {
     760      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     761      var pm = PersistenceManager;
     762      using (new PerformanceLogger("GetProjects")) {
     763        var projectDao = pm.ProjectDao;
     764        var currentUserId = UserManager.CurrentUserId;
     765        var userAndGroupIds = new List<Guid> { currentUserId };
     766        userAndGroupIds.AddRange(UserManager.GetUserGroupIdsOfUser(currentUserId));
     767        return pm.UseTransaction(() => {
     768          return projectDao.GetUsageGrantedProjectsForUser(userAndGroupIds)
    783769            .Select(x => x.ToDto()).ToList();
    784770        });
     
    792778      using (new PerformanceLogger("GetProjectsForAdministration")) {
    793779        var projectDao = pm.ProjectDao;
    794         //var projectPermissionDao = pm.ProjectPermissionDao;
    795780       
    796781        return pm.UseTransaction(() => {
     
    803788
    804789          }
    805 
    806           //var projectPermissions = projectPermissionDao.GetAll();
    807           //return projectDao.GetAll().ToList()
    808           //  .Where(x => isAdministrator
    809           //    || x.OwnerUserId == currentUserId
    810           //    || UserManager.VerifyUser(currentUserId, projectPermissions
    811           //        .Where(y => y.ProjectId == x.ProjectId)
    812           //        .Select(z => z.GrantedUserId)
    813           //        .ToList())
    814           //    )
    815           //  .Select(x => x.ToDto())
    816           //  .ToList();
    817790        });
    818791      }
     
    903876    }
    904877
    905     public void GrantProjectPermissions(Guid projectId, List<Guid> grantedUserIds, bool cascading) {
     878    private void GrantProjectPermissions(Guid projectId, List<Guid> grantedUserIds, bool cascading) {
    906879      throw new NotImplementedException();
    907880    }
    908881
    909     public void RevokeProjectPermissions(Guid projectId, List<Guid> grantedUserIds, bool cascading) {
     882    private void RevokeProjectPermissions(Guid projectId, List<Guid> grantedUserIds, bool cascading) {
    910883      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
    911884      if (projectId == null || grantedUserIds == null || !grantedUserIds.Any()) return;
     
    960933          var project = projectDao.GetById(projectId);
    961934          var assignedResources = project.AssignedProjectResources.Select(x => x.ResourceId).ToArray();
    962           //var addedAssignments = resourceIds.Except(assignedResources);
    963935          var removedAssignments = assignedResources.Except(resourceIds);
    964936
     
    1000972              // remove project assignments
    1001973              if (reassignCascading) {
    1002                 //assignedProjectResourceDao.DeleteByProjectIds(new List<Guid> { p.ProjectId });
    1003974                p.AssignedProjectResources.Clear();
    1004975              } else {
    1005                 //assignedProjectResourceDao.DeleteByProjectIdAndResourceIds(p.ProjectId, removedAssignments);
    1006                 //for(int i = p.AssignedProjectResources.Count -1; i >= 0; i--) {
    1007                 //  if(removedAssignments.Contains(p.AssignedProjectResources[i].ResourceId)) {
    1008                 //    p.AssignedProjectResources.RemoveAt(i);
    1009                 //  }
    1010                 //}
    1011976                foreach (var item in p.AssignedProjectResources
    1012977                  .Where(x => removedAssignments.Contains(x.ResourceId))
     
    1032997    }
    1033998
    1034     public void AssignProjectResources(Guid projectId, List<Guid> resourceIds, bool cascading) {
     999    private void AssignProjectResources(Guid projectId, List<Guid> resourceIds, bool cascading) {
    10351000      throw new NotImplementedException();
    10361001    }
     
    10381003    // basic: unassign resourceIds from project and depending jobs
    10391004    // cascading: unassign resourceIds from all child-projects and their depending jobs
    1040     public void UnassignProjectResources(Guid projectId, List<Guid> resourceIds, bool cascading) {
     1005    private void UnassignProjectResources(Guid projectId, List<Guid> resourceIds, bool cascading) {
    10411006      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
    10421007      if (projectId == null || resourceIds == null || !resourceIds.Any()) return;
     
    11031068
    11041069    public Guid AddSlaveGroup(DT.SlaveGroup slaveGroupDto) {
    1105       RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     1070      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator);
    11061071      var pm = PersistenceManager;
    11071072      using (new PerformanceLogger("AddSlaveGroup")) {
     
    11271092    }
    11281093
     1094    // query granted slaves for use (i.e. to calculate on)
    11291095    public IEnumerable<DT.Slave> GetSlaves() {
    11301096      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     
    11581124    }
    11591125
     1126    // query granted slave groups for use (i.e. to calculate on)
    11601127    public IEnumerable<DT.SlaveGroup> GetSlaveGroups() {
    11611128      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     
    11891156    }
    11901157
     1158    // query granted slaves for resource administration
    11911159    public IEnumerable<DT.Slave> GetSlavesForAdministration() {
    11921160      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     
    12221190    }
    12231191
     1192    // query granted slave groups for resource administration
    12241193    public IEnumerable<DT.SlaveGroup> GetSlaveGroupsForAdministration() {
    12251194      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     
    12571226    public void UpdateSlave(DT.Slave slaveDto) {
    12581227      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     1228      if (slaveDto == null) return;
    12591229      AuthorizationManager.AuthorizeForResourceAdministration(slaveDto.Id);
    12601230      var pm = PersistenceManager;
     
    12751245    public void UpdateSlaveGroup(DT.SlaveGroup slaveGroupDto) {
    12761246      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     1247      if (slaveGroupDto == null) return;
    12771248      AuthorizationManager.AuthorizeForResourceAdministration(slaveGroupDto.Id);
    12781249      var pm = PersistenceManager;
  • branches/HiveProjectManagement/HeuristicLab.Services.Hive/3.3/Manager/AuthorizationManager.cs

    r15628 r15715  
    3737    private const string NOT_AUTHORIZED_USERJOB = "Current user is not authorized to access the requested job";
    3838    private const string NOT_AUTHORIZED_PROJECTRESOURCE = "Selected project is not authorized to access the requested resource";
     39    private const string USER_NOT_IDENTIFIED = "User could not be identified";
     40    private const string TASK_NOT_EXISTENT = "Queried task could not be found";
    3941
    4042    private IPersistenceManager PersistenceManager {
     
    6163      pm.UseTransaction(() => {
    6264        var task = taskDao.GetById(taskId);
    63         if (task == null) throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
     65        if (task == null) throw new SecurityException(TASK_NOT_EXISTENT);
    6466        AuthorizeJob(pm, task.JobId, requiredPermission);
    6567      });
     
    151153    // note: administrators and project owner are NOT automatically granted
    152154    public void AuthorizeUserForProjectUse(Guid userId, Guid projectId) {
    153       if (userId == null || projectId == null) return;
     155      if(userId == null || userId == Guid.Empty) {
     156        throw new SecurityException(USER_NOT_IDENTIFIED);
     157      }
     158      if(projectId == null) return;
     159
    154160      var pm = PersistenceManager;
    155161      // collect current and group membership Ids
  • branches/HiveProjectManagement/HeuristicLab.Services.Hive/3.3/ServiceContracts/IHiveService.cs

    r15658 r15715  
    7878    IEnumerable<Job> GetJobs();
    7979
    80     //[OperationContract]
    81     //Guid AddJob(Job jobDto);
    82 
    8380    [OperationContract]
    8481    Guid AddJob(Job jobDto, IEnumerable<Guid> resourceIds);
    85 
    86     //[OperationContract]
    87     //void UpdateJob(Job jobDto);
    8882
    8983    [OperationContract]
     
    166160    void SaveProjectPermissions(Guid projectId, List<Guid> grantedUserIds, bool reassign, bool cascading, bool reassignCascading);
    167161
    168     [OperationContract]
    169     void GrantProjectPermissions(Guid projectId, List<Guid> grantedUserIds, bool cascading);
    170 
    171     [OperationContract]
    172     void RevokeProjectPermissions(Guid projectId, List<Guid> grantedUserIds, bool cascading);
     162    //[OperationContract]
     163    //void GrantProjectPermissions(Guid projectId, List<Guid> grantedUserIds, bool cascading);
     164
     165    //[OperationContract]
     166    //void RevokeProjectPermissions(Guid projectId, List<Guid> grantedUserIds, bool cascading);
    173167
    174168    [OperationContract]
     
    180174    void SaveProjectResourceAssignments(Guid projectId, List<Guid> resourceIds, bool reassign, bool cascading, bool reassignCascading);
    181175
    182     [OperationContract]
    183     void AssignProjectResources(Guid projectId, List<Guid> resourceIds, bool cascading);
    184 
    185     [OperationContract]
    186     void UnassignProjectResources(Guid projectId, List<Guid> resourceIds, bool cascading);
     176    //[OperationContract]
     177    //void AssignProjectResources(Guid projectId, List<Guid> resourceIds, bool cascading);
     178
     179    //[OperationContract]
     180    //void UnassignProjectResources(Guid projectId, List<Guid> resourceIds, bool cascading);
    187181
    188182    [OperationContract]
Note: See TracChangeset for help on using the changeset viewer.