add methods for resetSharing + verifySharing to aclService, also incl…

…… (#410)

* add methods for resetSharing + verifySharing to aclService, also includes tests.

* minor fix, remove clear on userAccesses

* minor fix

dhis-2/dhis-api/src/main/java/org/hisp/dhis/feedback/ErrorCode.java

@@ -45,6 +45,10 @@ public enum ErrorCode
     E3003( "User {0} is not allowed to grant users access to user role {1}." ),
     E3004( "User {0} is not allowed to grant users access to user groups." ),
     E3005( "User {0} is not allowed to grant users access to user group {1}." ),
+    E3006( "User {0} is not allowed to externalize objects of type {1}." ),
+    E3007( "User {0} is not allowed to externalize private objects of type {1}." ),
+    E3008( "User {0} is not allowed to make public objects of type {1}." ),
+    E3009( "User {0} is not allowed to make private objects of type {1}." ),
 
     /* Metadata Validation Errors */
     E4000( "Missing required property `{0}`." ),

dhis-2/dhis-api/src/main/java/org/hisp/dhis/security/acl/AclService.java

@@ -28,9 +28,13 @@
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
+import org.hisp.dhis.common.BaseIdentifiableObject;
 import org.hisp.dhis.common.IdentifiableObject;
+import org.hisp.dhis.feedback.ErrorReport;
 import org.hisp.dhis.user.User;
 
+import java.util.List;
+
 /**
  * @author Morten Olav Hansen <[email protected]>
  */
@@ -219,4 +223,21 @@ public interface AclService
      * @return Populated access instance
      */
     <T extends IdentifiableObject> Access getAccess( T object, User user );
+
+    /**
+     * Sets default sharing props on object, disregarding what is already there.
+     *
+     * @param object Object to update
+     * @param user   User to base ACL on
+     */
+    <T extends BaseIdentifiableObject> void resetSharing( T object, User user );
+
+    /**
+     * Verify that sharing props are correctly set according to user.
+     *
+     * @param object Object to update
+     * @param user   User to base ACL on
+     * @return List of error reports (if any)
+     */
+    <T extends IdentifiableObject> List<ErrorReport> verifySharing( T object, User user );
 }

dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/acl/DefaultAclService.java

@@ -28,17 +28,22 @@
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
+import org.hisp.dhis.common.BaseIdentifiableObject;
 import org.hisp.dhis.common.IdentifiableObject;
+import org.hisp.dhis.feedback.ErrorCode;
+import org.hisp.dhis.feedback.ErrorReport;
 import org.hisp.dhis.period.Period;
 import org.hisp.dhis.schema.Schema;
 import org.hisp.dhis.schema.SchemaService;
 import org.hisp.dhis.security.AuthorityType;
+import org.hisp.dhis.security.acl.AccessStringHelper.Permission;
 import org.hisp.dhis.user.CurrentUserService;
 import org.hisp.dhis.user.User;
 import org.hisp.dhis.user.UserGroup;
 import org.hisp.dhis.user.UserGroupAccess;
 import org.springframework.beans.factory.annotation.Autowired;
 
+import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
 
@@ -338,4 +343,80 @@ public <T extends IdentifiableObject> Access getAccess( T object, User user )
 
         return access;
     }
+
+    @Override
+    public <T extends BaseIdentifiableObject> void resetSharing( T object, User user )
+    {
+        if ( object == null )
+        {
+            return;
+        }
+
+        object.setPublicAccess( AccessStringHelper.DEFAULT );
+        object.setExternalAccess( false );
+
+        if ( object.getUser() == null )
+        {
+            object.setUser( user );
+        }
+
+        if ( canCreatePublic( user, object.getClass() ) )
+        {
+            if ( defaultPublic( object.getClass() ) )
+            {
+                object.setPublicAccess( AccessStringHelper.READ_WRITE );
+            }
+        }
+
+        object.getUserGroupAccesses().clear();
+    }
+
+    @Override
+    public <T extends IdentifiableObject> List<ErrorReport> verifySharing( T object, User user )
+    {
+        List<ErrorReport> errorReports = new ArrayList<>();
+
+        if ( object == null || !isShareable( object.getClass() ) )
+        {
+            return errorReports;
+        }
+
+        boolean canMakePublic = canCreatePublic( user, object.getClass() );
+        boolean canMakePrivate = canCreatePrivate( user, object.getClass() );
+        boolean canExternalize = canExternalize( user, object.getClass() );
+
+        if ( object.getExternalAccess() )
+        {
+            if ( !canExternalize )
+            {
+                errorReports.add( new ErrorReport( object.getClass(), ErrorCode.E3006, user.getUsername(), object.getClass() ) );
+            }
+
+            if ( !AccessStringHelper.isEnabled( object.getPublicAccess(), Permission.READ ) )
+            {
+                errorReports.add( new ErrorReport( object.getClass(), ErrorCode.E3007, user.getUsername(), object.getClass() ) );
+            }
+        }
+
+        if ( AccessStringHelper.DEFAULT.equals( object.getPublicAccess() ) )
+        {
+            if ( canMakePublic || canMakePrivate )
+            {
+                return errorReports;
+            }
+
+            errorReports.add( new ErrorReport( object.getClass(), ErrorCode.E3009, user.getUsername(), object.getClass() ) );
+        }
+        else
+        {
+            if ( canMakePublic )
+            {
+                return errorReports;
+            }
+
+            errorReports.add( new ErrorReport( object.getClass(), ErrorCode.E3008, user.getUsername(), object.getClass() ) );
+        }
+
+        return errorReports;
+    }
 }

dhis-2/dhis-services/dhis-service-core/src/test/java/org/hisp/dhis/security/acl/AclServiceTest.java

@@ -278,4 +278,125 @@ public void testCanUpdatePrivateLegendSet()
 
         assertTrue( aclService.canUpdate( user, legendSet ) );
     }
+
+    @Test
+    public void testVerifyDataElementPrivateRW()
+    {
+        User user = createAdminUser( "F_DATAELEMENT_PRIVATE_ADD" );
+
+        DataElement dataElement = createDataElement( 'A' );
+        dataElement.setPublicAccess( AccessStringHelper.READ_WRITE );
+
+        assertFalse( aclService.verifySharing( dataElement, user ).isEmpty() );
+    }
+
+    @Test
+    public void testVerifyDataElementPrivate()
+    {
+        User user = createAdminUser( "F_DATAELEMENT_PRIVATE_ADD" );
+
+        DataElement dataElement = createDataElement( 'A' );
+        dataElement.setPublicAccess( AccessStringHelper.DEFAULT );
+
+        assertTrue( aclService.verifySharing( dataElement, user ).isEmpty() );
+    }
+
+    @Test
+    public void testVerifyDataElementPublicRW()
+    {
+        User user = createAdminUser( "F_DATAELEMENT_PUBLIC_ADD" );
+
+        DataElement dataElement = createDataElement( 'A' );
+        dataElement.setPublicAccess( AccessStringHelper.READ_WRITE );
+
+        assertTrue( aclService.verifySharing( dataElement, user ).isEmpty() );
+    }
+
+    @Test
+    public void testVerifyDataElementPublic()
+    {
+        User user = createAdminUser( "F_DATAELEMENT_PUBLIC_ADD" );
+
+        DataElement dataElement = createDataElement( 'A' );
+        dataElement.setPublicAccess( AccessStringHelper.DEFAULT );
+
+        assertTrue( aclService.verifySharing( dataElement, user ).isEmpty() );
+    }
+
+    @Test
+    public void testVerifyReportTableCanExternalize()
+    {
+        User user = createAdminUser( "F_REPORTTABLE_PUBLIC_ADD", "F_REPORTTABLE_EXTERNAL" );
+
+        ReportTable reportTable = new ReportTable();
+        reportTable.setAutoFields();
+        reportTable.setPublicAccess( AccessStringHelper.DEFAULT );
+        reportTable.setExternalAccess( true );
+
+        assertFalse( aclService.verifySharing( reportTable, user ).isEmpty() );
+    }
+
+    @Test
+    public void testVerifyReportTableCantExternalize()
+    {
+        User user = createAdminUser( "F_REPORTTABLE_PUBLIC_ADD" );
+
+        ReportTable reportTable = new ReportTable();
+        reportTable.setAutoFields();
+        reportTable.setPublicAccess( AccessStringHelper.DEFAULT );
+        reportTable.setExternalAccess( true );
+
+        assertFalse( aclService.verifySharing( reportTable, user ).isEmpty() );
+    }
+
+    @Test
+    public void testVerifyReportTableCanExternalizeNoExplicitAdd()
+    {
+        User user = createAdminUser( "F_REPORTTABLE_EXTERNAL" );
+
+        ReportTable reportTable = new ReportTable();
+        reportTable.setAutoFields();
+        reportTable.setPublicAccess( AccessStringHelper.DEFAULT );
+        reportTable.setExternalAccess( true );
+
+        assertFalse( aclService.verifySharing( reportTable, user ).isEmpty() );
+    }
+
+    @Test
+    public void testResetSharingPropsPrivate()
+    {
+        User user = createAdminUser();
+
+        ReportTable reportTable = new ReportTable();
+        reportTable.setAutoFields();
+        reportTable.setPublicAccess( AccessStringHelper.DEFAULT );
+        reportTable.setExternalAccess( true );
+
+        assertFalse( aclService.verifySharing( reportTable, user ).isEmpty() );
+
+        aclService.resetSharing( reportTable, user );
+
+        assertTrue( AccessStringHelper.DEFAULT.equals( reportTable.getPublicAccess() ) );
+        assertFalse( reportTable.getExternalAccess() );
+        assertTrue( reportTable.getUserGroupAccesses().isEmpty() );
+    }
+
+    @Test
+    public void testResetSharingPropsPublic()
+    {
+        User user = createAdminUser( "F_REPORTTABLE_PUBLIC_ADD" );
+
+        ReportTable reportTable = new ReportTable();
+        reportTable.setAutoFields();
+        reportTable.setPublicAccess( AccessStringHelper.DEFAULT );
+        reportTable.setExternalAccess( true );
+
+        assertFalse( aclService.verifySharing( reportTable, user ).isEmpty() );
+
+        aclService.resetSharing( reportTable, user );
+
+        assertTrue( AccessStringHelper.READ_WRITE.equals( reportTable.getPublicAccess() ) );
+        assertFalse( reportTable.getExternalAccess() );
+        assertTrue( reportTable.getUserGroupAccesses().isEmpty() );
+    }
 }