Changeset 16209 for trunk/HeuristicLab.Services.Hive

Timestamp:

10/03/18 15:06:21 (6 years ago)

Author:

jzenisek

Message:

#2839:

• adapted job execution implementation at ProjectJobsView
• prohibited resource checking for non-admins

Location:

trunk/HeuristicLab.Services.Hive/3.3

Files:

• HiveService.cs (modified) (4 diffs)
• Manager/AuthorizationManager.cs (modified) (3 diffs)

trunk/HeuristicLab.Services.Hive/3.3/HiveService.cs

@@ -483 +483 @@
           }
 
-
           jobDto.CopyToEntity(job);
 
@@ -523 +522 @@
 
       RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
-      bool isAdministrator = RoleVerifier.IsInRole(HiveRoles.Administrator);
-      var currentUserId = UserManager.CurrentUserId;
+      // check if user is an admin, or granted to administer a job-parenting project, or job owner
+      AuthorizationManager.AuthorizeForJob(jobId, DT.Permission.Full);
 
       var pm = PersistenceManager;
       using (new PerformanceLogger("UpdateJobState")) {
-        var jobDao = pm.JobDao;
-        var projectDao = pm.ProjectDao;
+        var jobDao = pm.JobDao;        
         pm.UseTransaction(() => {
           var job = jobDao.GetById(jobId);
-          if (job != null) {
-
-            var administrationGrantedProjects = projectDao
-              .GetAdministrationGrantedProjectsForUser(currentUserId)
-              .ToList();
-
-            // check if user is an admin, or granted to administer a job-parenting project,...
-            if (!isAdministrator && !administrationGrantedProjects.Contains(job.Project))
-              AuthorizationManager.AuthorizeForJob(jobId, DT.Permission.Full); // ... or job owner
+          if (job != null) {            
 
             // note: allow solely state changes from "Online" to "StatisticsPending" = deletion request by user for HiveStatisticGenerator            
@@ -563 +553 @@
 
       RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
-      bool isAdministrator = RoleVerifier.IsInRole(HiveRoles.Administrator);
-      var currentUserId = UserManager.CurrentUserId;
+      // check if user is an admin, or granted to administer a job-parenting project, or job owner
+      foreach (var jobId in jobIds)
+          AuthorizationManager.AuthorizeForJob(jobId, DT.Permission.Full);
 
       var pm = PersistenceManager;
@@ -571 +562 @@
         var projectDao = pm.ProjectDao;
         pm.UseTransaction(() => {
-          var administrationGrantedProjects = projectDao
-            .GetAdministrationGrantedProjectsForUser(currentUserId)
-            .ToList();
-
           foreach (var jobId in jobIds) {
             var job = jobDao.GetById(jobId);
             if (job != null) {
-
-              // check if user is an admin, or granted to administer a job-parenting project,...
-              if (!isAdministrator && !administrationGrantedProjects.Contains(job.Project))
-                AuthorizationManager.AuthorizeForJob(jobId, DT.Permission.Full); // ... or job owner
 
               // note: allow solely state changes from "Online" to "StatisticsPending" = deletion request by user for HiveStatisticGenerator

trunk/HeuristicLab.Services.Hive/3.3/Manager/AuthorizationManager.cs

@@ -38 +38 @@
     private const string NOT_AUTHORIZED_PROJECTRESOURCE = "Selected project is not authorized to access the requested resource";
     private const string USER_NOT_IDENTIFIED = "User could not be identified";
+    private const string JOB_NOT_EXISTENT = "Queried job could not be found";
     private const string TASK_NOT_EXISTENT = "Queried task could not be found";
     private const string PROJECT_NOT_EXISTENT = "Queried project could not be found";
@@ -60 +61 @@
     public void AuthorizeForTask(Guid taskId, DT.Permission requiredPermission) {
       if (ServiceLocator.Instance.RoleVerifier.IsInRole(HiveRoles.Slave)) return; // slave-users can access all tasks
+      if (ServiceLocator.Instance.RoleVerifier.IsInRole(HiveRoles.Administrator)) return; // administrator can access all tasks
+      var currentUserId = UserManager.CurrentUserId;
       var pm = PersistenceManager;
       var taskDao = pm.TaskDao;
+      var projectDao = pm.ProjectDao;
       pm.UseTransaction(() => {
         var task = taskDao.GetById(taskId);
         if (task == null) throw new SecurityException(TASK_NOT_EXISTENT);
+
+        // check if user is granted to administer a job-parenting project
+        var administrationGrantedProjects = projectDao
+          .GetAdministrationGrantedProjectsForUser(currentUserId)
+          .ToList();
+        if (administrationGrantedProjects.Contains(task.Job.Project)) return;
+
         AuthorizeJob(pm, task.JobId, requiredPermission);
       });
@@ -70 +81 @@
 
     public void AuthorizeForJob(Guid jobId, DT.Permission requiredPermission) {
-      var pm = PersistenceManager;
-      pm.UseTransaction(() => {
+      if (ServiceLocator.Instance.RoleVerifier.IsInRole(HiveRoles.Administrator)) return; // administrator can access all jobs
+      var currentUserId = UserManager.CurrentUserId;
+      var pm = PersistenceManager;
+      var jobDao = pm.JobDao;
+      var projectDao = pm.ProjectDao;
+      pm.UseTransaction(() => {
+        var job = jobDao.GetById(jobId);
+        if(job == null) throw new SecurityException(JOB_NOT_EXISTENT);
+
+        // check if user is granted to administer a job-parenting project
+        var administrationGrantedProjects = projectDao
+          .GetAdministrationGrantedProjectsForUser(currentUserId)
+          .ToList();
+        if (administrationGrantedProjects.Contains(job.Project)) return;
+
         AuthorizeJob(pm, jobId, requiredPermission);
       });