authorization update for self editors

[hudajkhan]

Thank you for submitting a pull request! Title this pull request with a brief description of what the pull request fixes/improves/changes. Please describe the pull request in detail using the template below.

---

No linked JIRA issue:
We didn't create a specific JIRA issue although discussed this using other channels

• Other Relevant Links (Mailing list discussion, related pull requests, etc.)

What does this pull request do?

Ensures self-editors cannot access edit or add links using URLs

What's new?

The code which checks authorization now adds a check to see if this particular property can be edited or added for the current user. This check adds to the front end editing permission check.

How should this be tested?

I tested this using the following steps: When logged in as a site admin, I copied the URLs for adding and editing a data property and an object property. I then logged out and logged back in as a self editor and then tried to access these URLs. The page should not allow the form to display but should state that the user does not have access to this page.

Additional Notes:

Additional testing would be preferable for more editing scenarios across different roles.

Interested parties

@VIVO-project/vivo-committers and specifically @gneissone and @j2blake

[gneissone]

Suggested change

import org.apache.jena.rdf.model.ResourceFactory;

Can this import be removed?

[gneissone]

It is working, but I think it is possible it's working a little too well. I am not able to add or edit any faux properties as a self-editor.

[awoods]

@hudajkhan : would you mind creating a JIRA for this PR so that it does not get lost in the shuffle?

[gneissone]

@hudajkhan I have not forgotten about your efforts. I wonder if @brianjlowe could help us here? I know at the very least he has leveraged VIVO's permission code before. @brianjlowe this was previously discussed via the committers channels, happy to clarify the issue if anything is not clear.

[awoods]

@brianjlowe ? @vivo-project/vivo-committers ? any comments on this bug fix?

[awoods]

@hudajkhan / @gneissone : While reproducing the behavior of a self-editor not being able to edit their own faux property, I captured the DEBUG log: https://gist.github.com/awoods/157eab4ab31b844be014669ac374915b

It appears that both AddObjectPropertyStatement and AddDataPropertyStatement actions are unrecognized by any policy and therefore "INCONCLUSIVE".

My question is: What permission do we expect to be in the session that would recognized (and allow) the above actions?

[awoods]

Investigating further, @hudajkhan 's logic appears to work as expected (user can update their own profile, properties and faux properties... and not other profiles) only when the base-property from which the faux property is created has a #selfEditor update level.

Using the debugger, the edit requests on faux properties are declined due to the PropertyRestrictionBeanImpl returning nobody instead of selfEditor. When I change the value of these properties to "self-editor and above" in the Faux Property editor form in the "site admin"... the functionality appears to be correct.

I would expect that the appropriate changes could be made in vitroAnnotations.n3 as well.

The remaining question is, are these properties' "prohibitedFromUpdateBelowRoleLevelAnnot" values set to "nobody" for some other reason?

[gneissone]

The remaining question is, are these properties' "prohibitedFromUpdateBelowRoleLevelAnnot" values set to "nobody" for some other reason?

The authorization code should respect the settings in PropertyConfig.n3, right? The editing levels for each individual faux property need to be controlled separately, even if they share a base property.

[brianjlowe]

Benjamin is correct. Faux property visibility and editing levels override those of their parent property. It is a common occurrence that very generic base properties like "relates" are set to nobody (i.e. only root) while the more specific faux properties have greater visibility and editability.

[gneissone]

Reopening this pull request. In an effort to follow current best practices, the VIVO project will now be developed against the master branch. As a result of removing the develop branch, this pull request was automatically closed by GitHub, apologies for any confusion this may have caused.

[brianjlowe]

After taking a quick look at this, I think the problem is that predicateProp doesn't have its domainVClassURI and rangeVClassURI values set so that it can be recognized as a faux property if applicable.

If we're lucky, it may be just a matter of adding after line 73:

predicateProp.setDomainVClassURI(EditConfigurationUtils.getDomainUri(vreq));
predicateProp.setRangeVClassURI(EditConfigurationUtils.getRangeUri(vreq));

I'll try to test this out when I get a chance.

[gneissone]

Thanks for taking a look @brianjlowe. Unfortunately I'm still not able to edit faux properties with the change. I get redirected to the home page and an error is displayed We're sorry, but you are not authorized to view the page you requested. If you think this is an error, please contact us and we'll be happy to help.

[brianjlowe]

Thanks, Benjamin. Turns out the domain and range were only part of it. This version appears to be working as expected:

    @Override
    protected AuthorizationRequest requiredActions(VitroRequest vreq) {
        //Check if this statement can be edited here and return unauthorized if not
        String subjectUri = EditConfigurationUtils.getSubjectUri(vreq);
        String predicateUri = EditConfigurationUtils.getPredicateUri(vreq);
        String objectUri = EditConfigurationUtils.getObjectUri(vreq);
        String domainUri = EditConfigurationUtils.getDomainUri(vreq); 
        String rangeUri = EditConfigurationUtils.getRangeUri(vreq);
        Property predicateProp = new Property();
        predicateProp.setURI(predicateUri);
        predicateProp.setDomainVClassURI(domainUri);
        predicateProp.setRangeVClassURI(rangeUri);
        OntModel ontModel = ModelAccess.on(vreq).getOntModel();        
        AbstractObjectPropertyStatementAction objectPropertyAction;
        if (objectUri == null) {
            objectPropertyAction = new AddObjectPropertyStatement(
                    ontModel, subjectUri, predicateProp, RequestedAction.SOME_URI);            
        } else {            
            if (isDeleteForm(vreq)) {
                objectPropertyAction = new DropObjectPropertyStatement(
                        ontModel, subjectUri, predicateProp, objectUri);
            } else {
                objectPropertyAction = new EditObjectPropertyStatement(
                        ontModel, subjectUri, predicateProp, objectUri);
            }
        }        
        boolean isAuthorized = PolicyHelper.isAuthorizedForActions(vreq, 
                new EditDataPropertyStatement(ontModel, subjectUri, predicateUri, objectUri).
                or(objectPropertyAction));
        if (isAuthorized) {
            return SimplePermission.DO_FRONT_END_EDITING.ACTION;
        } else { 
            return AuthorizationRequest.UNAUTHORIZED;
        }
}

[awoods]

@brianjlowe : Can you submit a pull-request against @hudajkhan 's branch:
https://github.com/hudajkhan/Vitro/tree/updateEditing

[awoods]

@brianjlowe / @hudajkhan / @gneissone : My local testing verifies Brian's PR both allows for self-edit of all properties, while prohibiting edit of other profiles.

[hudajkhan]

The file has been updated based on suggestions from Brian Lowe and Benjamin Gross

[awoods]

@hudajkhan : there are a lot of whitespace changes that clutter this pull-request. Would you be able to limit the updates to the functional bits?

[awoods]

Works as expected. I would be happy to merge now... unless anyone else would like to review first.

[awoods]

I believe @gneissone still has an outstanding "request for change"... which has likely been addressed.

[gneissone]

Works as intended, thank you Huda and Brian.