From ae26d5bd4d299975e78d422c9470fbe9ffe1efae Mon Sep 17 00:00:00 2001 From: Georgy Litvinov Date: Thu, 14 Dec 2023 14:20:08 +0100 Subject: [PATCH 01/33] created Individual access object --- .../auth/attributes/AccessObjectType.java | 1 + .../auth/objects/IndividualAccessObject.java | 28 +++++++++++++++++++ .../individual/IndividualController.java | 26 ++++++++++++++++- .../accessControl/firsttime/object_types.n3 | 3 ++ 4 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/IndividualAccessObject.java diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AccessObjectType.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AccessObjectType.java index 48ca429fb7..1358c827a4 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AccessObjectType.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AccessObjectType.java @@ -15,4 +15,5 @@ public enum AccessObjectType { FAUX_DATA_PROPERTY, FAUX_DATA_PROPERTY_STATEMENT, FAUX_OBJECT_PROPERTY_STATEMENT, + INDIVIDUAL, } diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/IndividualAccessObject.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/IndividualAccessObject.java new file mode 100644 index 0000000000..c67fe78f61 --- /dev/null +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/IndividualAccessObject.java 
@@ -0,0 +1,28 @@ +package edu.cornell.mannlib.vitro.webapp.auth.objects; + +import java.util.Optional; + +import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType; + +public class IndividualAccessObject extends AccessObject { + + private final String uri; + + public IndividualAccessObject(String uri) { + this.uri = uri; + } + + @Override + public AccessObjectType getType() { + return AccessObjectType.INDIVIDUAL; + } + + @Override + public Optional getUri() { + if (uri == null) { + return Optional.empty(); + } + return Optional.of(uri); + } + +} diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/individual/IndividualController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/individual/IndividualController.java index b8d9745b93..9081ef25aa 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/individual/IndividualController.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/individual/IndividualController.java @@ -14,7 +14,11 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; - +import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation; +import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject; +import edu.cornell.mannlib.vitro.webapp.auth.objects.IndividualAccessObject; +import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest; +import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.SimpleAuthorizationRequest; import edu.cornell.mannlib.vitro.webapp.config.ConfigurationProperties; import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest; import edu.cornell.mannlib.vitro.webapp.controller.freemarker.FreemarkerHttpServlet; 
@@ -22,6 +26,7 @@ import edu.cornell.mannlib.vitro.webapp.controller.freemarker.responsevalues.RedirectResponseValues; import edu.cornell.mannlib.vitro.webapp.controller.freemarker.responsevalues.ResponseValues; import edu.cornell.mannlib.vitro.webapp.controller.freemarker.responsevalues.TemplateResponseValues; +import edu.cornell.mannlib.vitro.webapp.controller.individual.IndividualRequestInfo.Type; import edu.cornell.mannlib.vitro.webapp.i18n.I18n; /** @@ -113,6 +118,25 @@ protected ResponseValues processRequest(VitroRequest vreq) { return new ExceptionResponseValues(e); } } + + @Override + public AuthorizationRequest requiredActions(VitroRequest vreq) { + try { + IndividualRequestInfo requestInfo = analyzeTheRequest(vreq); + switch (requestInfo.getType()) { + case RDF_REDIRECT: + case NO_INDIVIDUAL: + case BYTESTREAM_REDIRECT: + return AuthorizationRequest.AUTHORIZED; + default: + AccessObject ao = new IndividualAccessObject(requestInfo.getIndividual().getURI()); + AuthorizationRequest request = new SimpleAuthorizationRequest(ao, AccessOperation.DISPLAY); + return request; + } + } catch (Throwable e) { + return AuthorizationRequest.UNAUTHORIZED; + } + } private IndividualRequestInfo analyzeTheRequest(VitroRequest vreq) { return new IndividualRequestAnalyzer(vreq, diff --git a/home/src/main/resources/rdf/accessControl/firsttime/object_types.n3 b/home/src/main/resources/rdf/accessControl/firsttime/object_types.n3 index 1e7a953583..93b6a45dd2 100644 --- a/home/src/main/resources/rdf/accessControl/firsttime/object_types.n3 +++ b/home/src/main/resources/rdf/accessControl/firsttime/object_types.n3 @@ -33,6 +33,9 @@ access-individual:Class a access:ObjectType ; access-individual:NamedObject a access:ObjectType ; access:id "NAMED_OBJECT" . +access-individual:IndividualAccessObject a access:ObjectType ; + access:id "INDIVIDUAL" . + #Object type value containers access-individual:ObjectPropertyValueSet a access:ValueSet ; 
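Review bot: In `requiredActions`, the `RDF_REDIRECT`, `NO_INDIVIDUAL` and `BYTESTREAM_REDIRECT` cases return `AuthorizationRequest.AUTHORIZED` with no DISPLAY check on the individual, so the new check protects the data only if the redirect targets enforce their own authorization. That is not visible in this hunk and should be confirmed, or stated in a comment above the `switch`. The `catch (Throwable e)` fails closed, which is the right default, but it discards the cause and also catches `Error`s. I would narrow it to `catch (Exception e)` and record the exception through the class's existing commons-logging logger before `return AuthorizationRequest.UNAUTHORIZED;`, so a denial caused by a failed request analysis (for example a null from `requestInfo.getIndividual()`) can be told apart from a policy denial. The added import of `IndividualRequestInfo.Type` looks unused, since the `case` labels are unqualified enum constants.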
From 9cd75cac0ed25e88a47686ebc58dd7033fbf0c30 Mon Sep 17 00:00:00 2001 From: Georgy Litvinov Date: Thu, 14 Dec 2023 14:33:10 +0100 Subject: [PATCH 02/33] refact: removed not needed type constructor from NamedAccessObject, reuse it for IndividualAccessObject --- .../auth/objects/IndividualAccessObject.java | 17 ++--------------- .../webapp/auth/objects/NamedAccessObject.java | 10 +--------- .../auth/permissions/SimplePermission.java | 2 +- .../controller/freemarker/PageController.java | 2 +- 4 files changed, 5 insertions(+), 26 deletions(-) diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/IndividualAccessObject.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/IndividualAccessObject.java index c67fe78f61..c68ee43776 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/IndividualAccessObject.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/IndividualAccessObject.java @@ -1,28 +1,15 @@ package edu.cornell.mannlib.vitro.webapp.auth.objects; -import java.util.Optional; - import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType; -public class IndividualAccessObject extends AccessObject { - - private final String uri; +public class IndividualAccessObject extends NamedAccessObject { public IndividualAccessObject(String uri) { - this.uri = uri; + super(uri); } @Override public AccessObjectType getType() { return AccessObjectType.INDIVIDUAL; } - - @Override - public Optional getUri() { - if (uri == null) { - return Optional.empty(); - } - return Optional.of(uri); - } - } diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/NamedAccessObject.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/NamedAccessObject.java index 8b9f025ac9..f3a3eecfde 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/NamedAccessObject.java 
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/NamedAccessObject.java @@ -11,21 +11,13 @@ */ public class NamedAccessObject extends AccessObject { private final String uri; - private AccessObjectType type; public NamedAccessObject() { this.uri = ""; - this.type = AccessObjectType.NAMED_OBJECT; - } - - public NamedAccessObject(String uri, AccessObjectType type) { - this.uri = uri; - this.type = type; } public NamedAccessObject(String uri) { this.uri = uri; - this.type = AccessObjectType.NAMED_OBJECT; } @Override @@ -61,7 +53,7 @@ public String toString() { @Override public AccessObjectType getType() { - return type; + return AccessObjectType.NAMED_OBJECT; } private static String getShortName(String entityUri) { diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/permissions/SimplePermission.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/permissions/SimplePermission.java index 3cfbc4a3e1..a86036dd1e 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/permissions/SimplePermission.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/permissions/SimplePermission.java @@ -75,7 +75,7 @@ public String getUri() { private SimplePermission(String uri) { this.uri = SimplePermission.NS + uri; - NamedAccessObject ao = new NamedAccessObject(this.uri, AccessObjectType.NAMED_OBJECT); + NamedAccessObject ao = new NamedAccessObject(this.uri); this.ACTION = new SimpleAuthorizationRequest(ao, AccessOperation.EXECUTE); } } diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/PageController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/PageController.java index a5e2a99829..f27c07aa90 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/PageController.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/PageController.java 
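Review bot: With `IndividualAccessObject` now extending `NamedAccessObject` and the `type` field removed, any `equals`/`hashCode` that `NamedAccessObject` defines on `uri` alone would treat `new IndividualAccessObject(u)` and `new NamedAccessObject(u)` as equal although `getType()` differs. Those methods are outside this hunk, so this needs checking rather than assuming. If access objects are compared or used as keys anywhere an authorization decision is stored, the comparison should include the type, e.g. `&& getType() == other.getType()`. A short Javadoc on `getType()` saying that subclasses override it to change the object type would make the new contract explicit.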
@@ -73,7 +73,7 @@ private AuthorizationRequest getActionsForPage( VitroRequest vreq ) throws Excep if (StringUtils.isBlank(uri)) { continue; } - NamedAccessObject ao = new NamedAccessObject(uri, AccessObjectType.NAMED_OBJECT); + NamedAccessObject ao = new NamedAccessObject(uri); auth = auth.and( new SimpleAuthorizationRequest(ao, AccessOperation.EXECUTE)); } return auth; From fe5d50165b13f6d0b2d170bd5e7c5d167190e0f5 Mon Sep 17 00:00:00 2001 From: Georgy Litvinov Date: Mon, 18 Dec 2023 16:16:23 +0100 Subject: [PATCH 03/33] fix: support values object property in SPARQL query to load acess policy. --- .../webapp/auth/policy/PolicyLoader.java | 52 +++++++++++-------- .../webapp/auth/policy/PolicyLoaderTest.java | 19 ++++++- .../vitro/webapp/auth/rules/policy_values.n3 | 22 ++++++++ 3 files changed, 69 insertions(+), 24 deletions(-) create mode 100644 api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/policy_values.n3 diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoader.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoader.java index bc70622e17..06451d5b14 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoader.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoader.java 
@@ -98,29 +98,37 @@ public class PolicyLoader { + "SELECT DISTINCT ?policyUri ?rule ?check ?testId ?typeId ?value ?lit_value ?decision_id \n" + "WHERE {\n" + " GRAPH {\n" - + "?policy a access:Policy .\n" - + "?policy access:hasRule ?rule . \n" - + "?rule access:requiresCheck ?check .\n" - + "OPTIONAL {\n" - + " ?check access:useOperator ?checkTest .\n" - + " OPTIONAL {\n" - + " ?checkTest access:id ?testId . \n" - + " }\n" - + "}" - + "OPTIONAL {\n" - + " ?check access:hasTypeToCheck ?checkType . \n" - + " OPTIONAL {\n" - + " ?checkType access:id ?typeId . \n" - + " }\n" - + "}\n" - + "OPTIONAL {\n" - + " ?rule access:hasDecision ?decision . \n" - + " ?decision access:id ?decision_id . \n" - + "}\n" - + "?check access:value ?value . \n" - + "OPTIONAL {?value access:id ?lit_value . }\n" + + " ?policy a access:Policy .\n" + + " ?policy access:hasRule ?rule . \n" + + " ?rule access:requiresCheck ?check .\n" + + " OPTIONAL {\n" + + " ?check access:useOperator ?checkTest .\n" + + " OPTIONAL {\n" + + " ?checkTest access:id ?testId . \n" + + " }\n" + + " }\n" + + " OPTIONAL {\n" + + " ?check access:hasTypeToCheck ?checkType . \n" + + " OPTIONAL {\n" + + " ?checkType access:id ?typeId . \n" + + " }\n" + + " }\n" + + " OPTIONAL {\n" + + " ?rule access:hasDecision ?decision . \n" + + " ?decision access:id ?decision_id . \n" + + " }\n" + + " {\n" + + " ?check access:values ?attributeValue .\n" + + " ?attributeValue access:value ?value .\n" + + " OPTIONAL { ?value access:id ?lit_value . }\n" + + " }\n" + + " UNION \n" + + " {\n" + + " ?check access:value ?value .\n" + + " OPTIONAL {?value access:id ?lit_value . }\n" + + " }\n" + + " BIND(?policy as ?policyUri)\n" + " }\n" - + "BIND(?policy as ?policyUri)\n" + "} ORDER BY ?rule ?check"; private static final String DATASET_RULES_QUERY = "" 
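Review bot: The rewritten query binds `?value` only inside the two `UNION` branches, so a check whose `access:values` value set has no `access:value` members (or a check carrying neither property) produces no result rows at all. How the loader treats a check that is absent from the result set is outside this hunk; if it assembles each rule from the rows it receives, such a rule would load with fewer checks than the policy author wrote and match more requests. I would add a test resource with an empty value set next to `policy_values.n3` and assert that the policy is rejected or that the rule never matches. A one-line comment above the `UNION`, such as `// a check needs at least one value; checks without values yield no rows`, would document the constraint.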
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoaderTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoaderTest.java index e3e677bf03..268ab11be8 100644 --- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoaderTest.java +++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoaderTest.java @@ -6,10 +6,13 @@ import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertTrue; +import java.util.Collections; import java.util.List; import java.util.Map; +import java.util.Set; import edu.cornell.mannlib.vitro.webapp.auth.attributes.AttributeValueKey; +import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary; import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelNames; import org.apache.jena.rdf.model.Model; import org.apache.jena.rdf.model.ModelFactory; @@ -53,7 +56,7 @@ public void getRoleDataSetDraftKeyTemplateTest() { @Test public void getDataSetUriByKeyTest() { load(DATA_SET); - String uri = PolicyLoader.getInstance().getDataSetUriByKey(new String[] { }, + String uri = PolicyLoader.getInstance().getDataSetUriByKey(new String[] {}, new String[] { NAMED_OBJECT.toString(), EXECUTE.toString(), PUBLIC }); assertEquals(PREFIX + "PublicDataSet", uri); } @@ -75,7 +78,6 @@ public void getDataSetKeyTest() { expectedKey.setObjectType(NAMED_OBJECT); AttributeValueKey compositeKey = PolicyLoader.getInstance().getDataSetKey(PREFIX + "PublicDataSet"); assertEquals(expectedKey, compositeKey); - } @Test 
@@ -91,4 +93,17 @@ public void getSubjectRoleValuePatternTest() { assertTrue(!patterns.isEmpty()); assertEquals(1, patterns.size()); } + + @Test + public void testLoadPolicyWithValues() { + load(RESOURCES_RULES_PREFIX + "policy_values.n3"); + String policyUri = VitroVocabulary.AUTH_INDIVIDUAL_PREFIX + "policy-values-test/Policy"; + Set policies = loader.loadPolicies(policyUri); + assertEquals(1, policies.size()); + DynamicPolicy policy = policies.iterator().next(); + assertTrue(policy != null); + assertEquals(100, policy.getPriority()); + countRulesAndAttributes(policy, 1, Collections.singleton(1)); + } + } diff --git a/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/policy_values.n3 b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/policy_values.n3 new file mode 100644 index 0000000000..6e7dafd2dd --- /dev/null +++ b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/policy_values.n3 @@ -0,0 +1,22 @@ +# $This file is distributed under the terms of the license in LICENSE$ + +@prefix access-individual: . +@prefix access: . +@prefix : . + +:Policy a access:Policy ; + access:priority 100 ; + access:hasRule :TestRule . + +:TestRule a access:Rule; + access:requiresCheck :OperationCheck ; + . + +:OperationCheck a access:Check ; + access:useOperator access-individual:Equals ; + access:hasTypeToCheck access-individual:Operation ; + access:values access-individual:DisplayOperationValueSet ; + . + + + From 1416ac6d153d623c2120f9373654d2cfc03ad286 Mon Sep 17 00:00:00 2001 From: Georgy Litvinov Date: Mon, 18 Dec 2023 18:03:31 +0100 Subject: [PATCH 04/33] check authorization for rdfs:label property on individual page --- .../individual/NameStatementTemplateModel.java | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) 
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/NameStatementTemplateModel.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/NameStatementTemplateModel.java index 2c413481aa..dc2cc593d1 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/NameStatementTemplateModel.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/NameStatementTemplateModel.java @@ -7,6 +7,8 @@ import org.apache.jena.rdf.model.Literal; +import static edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject.SOME_LITERAL; + import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation; import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject; import edu.cornell.mannlib.vitro.webapp.auth.objects.DataPropertyStatementAccessObject; 
@@ -44,10 +46,15 @@ public class NameStatementTemplateModel extends PropertyStatementTemplateModel { // NIHVIVO-2466 Use the same methods to get the label that are used elsewhere in the // application, to guarantee consistent results for individuals with multiple labels // across the application. - WebappDaoFactory wdf = vreq.getWebappDaoFactory(); - IndividualDao iDao = wdf.getIndividualDao(); - EditLiteral literal = iDao.getLabelEditLiteral(subjectUri); + AccessObject ao = new DataPropertyStatementAccessObject(vreq.getJenaOntModel(), subjectUri, property, SOME_LITERAL); + boolean isAuthorized = PolicyHelper.isAuthorizedForActions(vreq, ao, AccessOperation.DISPLAY); + EditLiteral literal = null; + if (isAuthorized) { + WebappDaoFactory wdf = vreq.getWebappDaoFactory(); + IndividualDao iDao = wdf.getIndividualDao(); + literal = iDao.getLabelEditLiteral(subjectUri); + } if (literal == null) { // If the individual has no rdfs:label, use the local name. It will not be editable. (This replicates previous behavior; // perhaps we would want to allow a label to be added. But such individuals do not usually have their profiles viewed or From 1bb5e4ac9c50433a36e00642fd4d68f5a6011c89 Mon Sep 17 00:00:00 2001 From: Georgy Litvinov Date: Mon, 18 Dec 2023 18:04:20 +0100 Subject: [PATCH 05/33] fix: removed duplicate authorization check without statement details and graph --- .../individual/PropertyGroupTemplateModel.java | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/PropertyGroupTemplateModel.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/PropertyGroupTemplateModel.java index 44b73d5b70..abeefaf701 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/PropertyGroupTemplateModel.java 
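Review bot: When `isAuthorized` is false, `literal` stays `null` and execution falls into the existing "no rdfs:label, use the local name" branch, so a denied label and a missing label are handled identically and the comment inside `if (literal == null)` now describes only one of the two cases. I would add `// Not authorized to display the label: fall through to the local-name fallback below.` above `EditLiteral literal = null;`. The rest of the constructor is outside this hunk; it is worth confirming that nothing after the fallback builds an edit link for the unauthorized case. The check is made with `SOME_LITERAL` rather than the actual label value, so a policy that matches on the literal itself presumably cannot take effect here.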
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/PropertyGroupTemplateModel.java @@ -102,20 +102,11 @@ private boolean allowedToDisplay(VitroRequest vreq, ObjectProperty op, Individua */ private boolean allowedToDisplay(VitroRequest vreq, DataProperty dp, Individual subject) { AccessObject ao; - if (dp instanceof FauxDataPropertyWrapper) { - ao = new FauxDataPropertyAccessObject(dp); - } else { - ao = new DataPropertyAccessObject(dp); - } - if (PolicyHelper.isAuthorizedForActions(vreq, ao, AccessOperation.DISPLAY)) { - return true; - } - //TODO: Model should be here to correctly check authorization if (dp instanceof FauxDataPropertyWrapper) { final FauxProperty fauxProperty = ((FauxDataPropertyWrapper) dp).getFauxProperty(); - ao = new FauxDataPropertyStatementAccessObject(null, subject.getURI(), fauxProperty, SOME_LITERAL); + ao = new FauxDataPropertyStatementAccessObject(vreq.getJenaOntModel(), subject.getURI(), fauxProperty, SOME_LITERAL); } else { - ao = new DataPropertyStatementAccessObject(null, subject.getURI(), dp, SOME_LITERAL); + ao = new DataPropertyStatementAccessObject(vreq.getJenaOntModel(), subject.getURI(), dp, SOME_LITERAL); } return PolicyHelper.isAuthorizedForActions(vreq, ao, AccessOperation.DISPLAY); } From 259d8bce7ee9ecf1615a89c890b9b25a33f0dc63 Mon Sep 17 00:00:00 2001 From: Georgy Litvinov Date: Mon, 18 Dec 2023 18:09:43 +0100 Subject: [PATCH 06/33] Added policy to allow access to individual pages --- .../AllowDisplayIndividualPagePolicy.java | 45 +++++++++++++++++++ .../policy_allow_display_individual_page.n3 | 27 +++++++++++ 2 files changed, 72 insertions(+) create mode 100644 api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AllowDisplayIndividualPagePolicy.java create mode 100644 home/src/main/resources/rdf/accessControl/firsttime/policy_allow_display_individual_page.n3 
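Review bot: The `DataProperty` overload of `allowedToDisplay` no longer returns `true` on a property-level grant and now decides only on the statement-level access object, which is stricter than before. The `ObjectProperty` overload named in the hunk header is outside this hunk; if it still has a property-level short-circuit, the two overloads now disagree and should be aligned or the difference documented. The Javadoc above this method (only its closing `*/` is visible) should state that the decision is made on a statement access object with `SOME_LITERAL` against `vreq.getJenaOntModel()`. The imports of `DataPropertyAccessObject` and `FauxDataPropertyAccessObject` may now be unused.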
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AllowDisplayIndividualPagePolicy.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AllowDisplayIndividualPagePolicy.java
new file mode 100644
index 0000000000..2d835a99ae
--- /dev/null
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AllowDisplayIndividualPagePolicy.java
@@ -0,0 +1,45 @@
+package edu.cornell.mannlib.vitro.webapp.auth.policy;
+
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.ADD;
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.DISPLAY;
+import static edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult.AUTHORIZED;
+import static edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult.INCONCLUSIVE;
+import static edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary.AUTH_INDIVIDUAL_PREFIX;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Set;
+
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.IndividualAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.NamedAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.SimpleAuthorizationRequest;
+import org.junit.Test;
+
+public class AllowDisplayIndividualPagePolicy extends PolicyTest {
+
+ public static final String POLICY_PATH = USER_ACCOUNTS_HOME_FIRSTTIME + "policy_allow_display_individual_page.n3";
+
+ @Test
+ public void testLoadPolicy() {
+ load(POLICY_PATH);
+ String policyUri = AUTH_INDIVIDUAL_PREFIX + "allow-display-individual-page/Policy";
+ Set policies = loader.loadPolicies(policyUri);
+ assertEquals(1, policies.size());
+ DynamicPolicy policy = policies.iterator().next();
+ assertTrue(policy != null);
+ assertEquals(1000, policy.getPriority());
+ countRulesAndAttributes(policy, 1, Collections.singleton(2));
+ AccessObject ao = new IndividualAccessObject("https://test-individual");
+ SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(ao, DISPLAY);
+ ar.setRoleUris(Arrays.asList(PUBLIC));
+ assertEquals(AUTHORIZED, policy.decide(ar).getDecisionResult());
+ ar = new SimpleAuthorizationRequest(ao, ADD);
+ assertEquals(INCONCLUSIVE,
policy.decide(ar).getDecisionResult()); + ao = new NamedAccessObject("https://test-individual"); + ar = new SimpleAuthorizationRequest(ao, DISPLAY); + assertEquals(INCONCLUSIVE, policy.decide(ar).getDecisionResult()); + } +} diff --git a/home/src/main/resources/rdf/accessControl/firsttime/policy_allow_display_individual_page.n3 b/home/src/main/resources/rdf/accessControl/firsttime/policy_allow_display_individual_page.n3 new file mode 100644 index 0000000000..5041be2849 --- /dev/null +++ b/home/src/main/resources/rdf/accessControl/firsttime/policy_allow_display_individual_page.n3 @@ -0,0 +1,27 @@ +# $This file is distributed under the terms of the license in LICENSE$ + +@prefix access-individual: . +@prefix access: . +@prefix : . + +:Policy a access:Policy ; + access:priority 1000 ; + access:hasRule :AllowDisplayIndividualPages . + +:AllowDisplayIndividualPages a access:Rule; + access:requiresCheck :OperationCheck ; + access:requiresCheck :AccessObjectTypeCheck ; + . + +:OperationCheck a access:Check ; + access:useOperator access-individual:Equals ; + access:hasTypeToCheck access-individual:Operation ; + access:values access-individual:DisplayOperationValueSet ; + . + +:AccessObjectTypeCheck a access:Check ; + access:useOperator access-individual:Equals ; + access:hasTypeToCheck access-individual:AccessObjectType ; + access:value access-individual:IndividualAccessObject ; + . + From 6a9dcc29861dc566d0c0e1bb902e07369cdd6d8a Mon Sep 17 00:00:00 2001 
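Review bot: The test class is named `AllowDisplayIndividualPagePolicy`, without the `Test` suffix that the other test classes on this page carry (`PolicyLoaderTest`, `HidePropertiesNotRelatedToSelfEditorTemplateTest`). A build that selects tests by a `*Test` name pattern would skip it silently, leaving the AUTHORIZED/INCONCLUSIVE behaviour of this policy unchecked; I would rename it to `AllowDisplayIndividualPagePolicyTest`. The `ADD` request and the `NamedAccessObject` request are created without `setRoleUris`, unlike the first one, so an extra DISPLAY assertion with no role set would pin down whether the policy is meant to be role-independent. `assertTrue(policy != null)` reads better as `assertNotNull(policy)`.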
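Review bot: `:AllowDisplayIndividualPages` requires only an operation check and an access-object-type check and has no subject-role check, so it authorizes DISPLAY of every `IndividualAccessObject` for every requester, anonymous ones included. If that is the intended default, the file should say so, e.g. `# Grants DISPLAY on all individual pages to every role; restrict individual pages with a separate policy.` How `access:priority 1000` orders this policy against a restricting one is not visible here and deserves a second comment line.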
From: Georgy Litvinov Date: Mon, 18 Dec 2023 18:11:17 +0100 Subject: [PATCH 07/33] Added policy template to hide some properties not related to self editor profile --- ...iesNotRelatedToSelfEditorTemplateTest.java | 43 +++++ .../auth/rules/hide_entities_value_set.n3 | 13 ++ ...s_self_editor_not_related_data_property.n3 | 6 + ...f_editor_not_related_faux_data_property.n3 | 6 + ...editor_not_related_faux_object_property.n3 | 6 + ...self_editor_not_related_object_property.n3 | 6 + .../template_hide_not_related_property.n3 | 156 ++++++++++++++++++ 7 files changed, 236 insertions(+) create mode 100644 api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/HidePropertiesNotRelatedToSelfEditorTemplateTest.java create mode 100644 api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/hide_entities_value_set.n3 create mode 100644 home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_data_property.n3 create mode 100644 home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_faux_data_property.n3 create mode 100644 home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_faux_object_property.n3 create mode 100644 home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_object_property.n3 create mode 100644 home/src/main/resources/rdf/accessControl/firsttime/template_hide_not_related_property.n3 diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/HidePropertiesNotRelatedToSelfEditorTemplateTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/HidePropertiesNotRelatedToSelfEditorTemplateTest.java new file mode 100644 index 0000000000..8b338853ae --- /dev/null +++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/HidePropertiesNotRelatedToSelfEditorTemplateTest.java 
@@ -0,0 +1,43 @@
+package edu.cornell.mannlib.vitro.webapp.auth.policy;
+
+import static edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary.AUTH_INDIVIDUAL_PREFIX;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+
+@RunWith(Parameterized.class)
+public class HidePropertiesNotRelatedToSelfEditorTemplateTest extends PolicyTest {
+
+ public static final String POLICY_PATH = USER_ACCOUNTS_HOME_FIRSTTIME + "template_hide_not_related_property.n3";
+
+ @org.junit.runners.Parameterized.Parameter(0)
+ public String dataSetName;
+
+ @Test
+ public void testLoadPolicy() {
+ load(POLICY_PATH);
+ load(RESOURCES_RULES_PREFIX + "hide_entities_value_set.n3");
+ String policyPrefix = AUTH_INDIVIDUAL_PREFIX + "hide-not-related-property/";
+ String dataSetUri = policyPrefix + dataSetName;
+ DynamicPolicy policy = loader.loadPolicyFromTemplateDataSet(dataSetUri);
+ assertTrue(policy != null);
+ assertEquals(5000, policy.getPriority());
+ countRulesAndAttributes(policy, 1, Collections.singleton(5));
+ }
+
+ @Parameterized.Parameters
+ public static Collection requests() {
+ return Arrays.asList(new Object[][] {
+ { "SelfEditorHideNotRelatedObjectPropertyDataSet" },
+ { "SelfEditorHideNotRelatedDataPropertyDataSet" },
+ { "SelfEditorHideNotRelatedFauxObjectPropertyDataSet" },
+ { "SelfEditorHideNotRelatedFauxDataPropertyDataSet" }, });
+ }
+}
diff --git a/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/hide_entities_value_set.n3 b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/hide_entities_value_set.n3
new file mode 100644
index 0000000000..4895f3c7a3
--- /dev/null
+++ b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/hide_entities_value_set.n3
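Review bot: `testLoadPolicy` always loads `hide_entities_value_set.n3`, where each value set has a member, while the shipped `hidden_entities_self_editor_not_related_*.n3` files in this patch contain only a commented-out triple, so the default install state with empty value sets is never exercised. I would add a run that skips the value-set file and asserts what `loadPolicyFromTemplateDataSet` returns in that state, so that an empty set cannot silently change what the hide rule matches. The test also checks only the priority and the rule/attribute counts; one `policy.decide(...)` assertion per data set would show that the rule actually denies display for a listed property. `@org.junit.runners.Parameterized.Parameter(0)` can be shortened to `@Parameterized.Parameter(0)` since `Parameterized` is already imported.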
@@ -0,0 +1,13 @@ +# $This file is distributed under the terms of the license in LICENSE$ + +@prefix access: . +@prefix : . + +:SelfEditorHideNotRelatedObjectPropertyValueSet access:value . + +:SelfEditorHideNotRelatedFauxObjectPropertyValueSet access:value . + +:SelfEditorHideNotRelatedDataPropertyValueSet access:value . + +:SelfEditorHideNotRelatedFauxDataPropertyValueSet access:value . + diff --git a/home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_data_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_data_property.n3 new file mode 100644 index 0000000000..242751b9b4 --- /dev/null +++ b/home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_data_property.n3 @@ -0,0 +1,6 @@ +# $This file is distributed under the terms of the license in LICENSE$ + +@prefix access: . +@prefix : . + +#:SelfEditorHideNotRelatedDataPropertyValueSet access:value <> . diff --git a/home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_faux_data_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_faux_data_property.n3 new file mode 100644 index 0000000000..1f6e4763bb --- /dev/null +++ b/home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_faux_data_property.n3 @@ -0,0 +1,6 @@ +# $This file is distributed under the terms of the license in LICENSE$ + +@prefix access: . +@prefix : . + +#:SelfEditorHideNotRelatedFauxDataPropertyValueSet access:value <> . diff --git a/home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_faux_object_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_faux_object_property.n3 new file mode 100644 index 0000000000..8a1baecb8f --- /dev/null 
+++ b/home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_faux_object_property.n3 @@ -0,0 +1,6 @@ +# $This file is distributed under the terms of the license in LICENSE$ + +@prefix access: . +@prefix : . + +#:SelfEditorHideNotRelatedFauxObjectPropertyValueSet access:value <> . diff --git a/home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_object_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_object_property.n3 new file mode 100644 index 0000000000..01d8fa7ff0 --- /dev/null +++ b/home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_object_property.n3 @@ -0,0 +1,6 @@ +# $This file is distributed under the terms of the license in LICENSE$ + +@prefix access: . +@prefix : . + +#:SelfEditorHideNotRelatedObjectPropertyValueSet access:value <> . diff --git a/home/src/main/resources/rdf/accessControl/firsttime/template_hide_not_related_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/template_hide_not_related_property.n3 new file mode 100644 index 0000000000..1e934d8ac8 --- /dev/null +++ b/home/src/main/resources/rdf/accessControl/firsttime/template_hide_not_related_property.n3 
@@ -0,0 +1,156 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix access-individual: .
+@prefix access: .
+@prefix : .
+
+:PolicyTemplate a access:PolicyTemplate ;
+ access:priority 5000 ;
+ access:hasRule :HidePropertyStatementWithBlacklistedProperty ;
+ access:hasDataSet :SelfEditorHideNotRelatedObjectPropertyDataSet ;
+ access:hasDataSet :SelfEditorHideNotRelatedDataPropertyDataSet ;
+ access:hasDataSet :SelfEditorHideNotRelatedFauxObjectPropertyDataSet ;
+ access:hasDataSet :SelfEditorHideNotRelatedFauxDataPropertyDataSet ;
+ .
+
+### Hide not related object property data sets
+
+#Object properties
+
+:SelfEditorHideNotRelatedObjectPropertyDataSet a access:DataSet ;
+ access:hasDataSetKey :SelfEditorHideNotRelatedObjectPropertyDataSetKey ;
+ access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ;
+ access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ;
+ access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+ access:hasRelatedValueSet :SelfEditorHideNotRelatedObjectPropertyValueSet ;
+ .
+
+:SelfEditorHideNotRelatedObjectPropertyDataSetKey a access:DataSetKey ;
+ access:hasKeyComponent access-individual:ObjectProperty ;
+ access:hasKeyComponent access-individual:SelfEditorRoleUri ;
+ access:hasKeyComponent access-individual:DisplayOperation ;
+ .
+
+#Data properties
+
+:SelfEditorHideNotRelatedDataPropertyDataSet a access:DataSet ;
+ access:hasDataSetKey :SelfEditorHideNotRelatedDataPropertyDataSetKey ;
+ access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ;
+ access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ;
+ access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+ access:hasRelatedValueSet :SelfEditorHideNotRelatedDataPropertyValueSet ;
+ .
+
+:SelfEditorHideNotRelatedDataPropertyDataSetKey a access:DataSetKey ;
+ access:hasKeyComponent access-individual:DataProperty ;
+ access:hasKeyComponent access-individual:SelfEditorRoleUri ;
+ access:hasKeyComponent access-individual:DisplayOperation ;
+ .
+
+#Faux object properties
+
+:SelfEditorHideNotRelatedFauxObjectPropertyDataSet a access:DataSet ;
+ access:hasDataSetKey :SelfEditorHideNotRelatedFauxObjectPropertyDataSetKey ;
+ access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ;
+ access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ;
+ access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+ access:hasRelatedValueSet :SelfEditorHideNotRelatedFauxObjectPropertyValueSet ;
+ .
+
+:SelfEditorHideNotRelatedFauxObjectPropertyDataSetKey a access:DataSetKey ;
+ access:hasKeyComponent access-individual:FauxObjectProperty ;
+ access:hasKeyComponent access-individual:SelfEditorRoleUri ;
+ access:hasKeyComponent access-individual:DisplayOperation ;
+ .
+
+#Faux data properties
+
+:SelfEditorHideNotRelatedFauxDataPropertyDataSet a access:DataSet ;
+ access:hasDataSetKey :SelfEditorHideNotRelatedFauxDataPropertyDataSetKey ;
+ access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ;
+ access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ;
+ access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+ access:hasRelatedValueSet :SelfEditorHideNotRelatedFauxDataPropertyValueSet ;
+ .
+
+:SelfEditorHideNotRelatedFauxDataPropertyDataSetKey a access:DataSetKey ;
+ access:hasKeyComponent access-individual:FauxDataProperty ;
+ access:hasKeyComponent access-individual:SelfEditorRoleUri ;
+ access:hasKeyComponent access-individual:DisplayOperation ;
+ .
+
+#Rule
+
+:HidePropertyStatementWithBlacklistedProperty a access:Rule;
+ access:hasDecision access-individual:Deny ;
+ access:requiresCheck :SubjectRoleCheck ;
+ access:requiresCheck :OperationCheck ;
+ access:requiresCheck :AccessObjectStatementTypeCheck ;
+ access:requiresCheck :StatementPredicateCheck ;
+ access:requiresCheck :RelationCheck ;
+ .
+
+#Checks
+
+:RelationCheck a access:Check ;
+ access:useOperator access-individual:SparqlSelectQueryResultsNotContain ;
+ access:hasTypeToCheck access-individual:StatementSubjectUri ;
+ access:value access-individual:PersonProfileProximityToResourceUri ;
+ .
+
+:AccessObjectStatementTypeCheck a access:Check ;
+ access:useOperator access-individual:Equals ;
+ access:hasTypeToCheck access-individual:AccessObjectType ;
+ access:values access-individual:ObjectPropertyStatementValueSet ;
+ access:values access-individual:DataPropertyStatementValueSet ;
+ access:values access-individual:FauxObjectPropertyStatementValueSet ;
+ access:values access-individual:FauxDataPropertyStatementValueSet ;
+ .
+
+:OperationCheck a access:Check ;
+ access:useOperator access-individual:Equals ;
+ access:hasTypeToCheck access-individual:Operation ;
+ access:values access-individual:DisplayOperationValueSet ;
+ .
+
+:SubjectRoleCheck a access:Check ;
+ access:useOperator access-individual:Equals ;
+ access:hasTypeToCheck access-individual:SubjectRole ;
+ access:values access-individual:SelfEditorRoleValueSet ;
+ .
+
+:StatementPredicateCheck a access:Check ;
+ access:useOperator access-individual:OneOf ;
+ access:hasTypeToCheck access-individual:StatementPredicateUri ;
+ access:values :SelfEditorHideNotRelatedObjectPropertyValueSet ;
+ access:values :SelfEditorHideNotRelatedDataPropertyValueSet ;
+ access:values :SelfEditorHideNotRelatedFauxObjectPropertyValueSet ;
+ access:values :SelfEditorHideNotRelatedFauxDataPropertyValueSet ;
+ .
+
+:AccessObjectUriCheck a access:Check ;
+ access:useOperator access-individual:OneOf ;
+ access:hasTypeToCheck access-individual:AccessObjectUri ;
+ access:values :SelfEditorHideNotRelatedObjectPropertyValueSet ;
+ access:values :SelfEditorHideNotRelatedDataPropertyValueSet ;
+ access:values :SelfEditorHideNotRelatedFauxObjectPropertyValueSet ;
+ access:values :SelfEditorHideNotRelatedFauxDataPropertyValueSet ;
+ .
+
+#Value sets
+
+:SelfEditorHideNotRelatedObjectPropertyValueSet a access:ValueSet ;
+ access:containsElementsOfType access-individual:ObjectProperty ;
+ .
+
+:SelfEditorHideNotRelatedDataPropertyValueSet a access:ValueSet ;
+ access:containsElementsOfType access-individual:DataProperty ;
+ .
+
+:SelfEditorHideNotRelatedFauxObjectPropertyValueSet a access:ValueSet ;
+ access:containsElementsOfType access-individual:FauxObjectProperty ;
+ .
+
+:SelfEditorHideNotRelatedFauxDataPropertyValueSet a access:ValueSet ;
+ access:containsElementsOfType access-individual:FauxDataProperty ;
+ .
From a052dd7dbe33cadc1e3d64fec75738d8ddf3555c Mon Sep 17 00:00:00 2001
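Review bot: `:AccessObjectUriCheck` is declared among the checks, but the rule `:HidePropertyStatementWithBlacklistedProperty` never lists it under `access:requiresCheck`, so as far as this file shows it takes no part in the Deny decision. Someone auditing the template will assume every declared check is enforced; either drop the block or mark it with a comment such as `# not referenced by the rule; kept for <reason>`. A short header comment would also help, stating that the rule denies DISPLAY to self-editors only for predicates listed in the four `SelfEditorHideNotRelated…ValueSet`s. The `hidden_entities_self_editor_not_related_*.n3` files added in this patch contain only commented-out `access:value` lines, so that comment should also say the template matches nothing until URIs are added.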
From: Georgy Litvinov Date: Wed, 20 Dec 2023 09:54:27 +0100 Subject: [PATCH 08/33] Added named key component class, refactored PolicyLoader and EntityPolicyLoader code to support named key components --- .../auth/attributes/AttributeValueKey.java | 44 +++++++++++++------ .../auth/attributes/NamedKeyComponent.java | 6 +++ .../auth/policy/EntityPolicyController.java | 33 +++++++------- .../webapp/auth/policy/PolicyLoader.java | 28 +++++++----- ...ccessAllowedClassesPolicyTemplateTest.java | 3 +- ...ssAllowedPropertiesPolicyTemplateTest.java | 3 +- ...edAllowedPropertiesPolicyTemplateTest.java | 3 +- .../webapp/auth/policy/PolicyLoaderTest.java | 3 +- .../vitro/webapp/auth/policy/PolicyTest.java | 2 + .../policy/SimplePermissionTemplateTest.java | 4 +- ...edAllowedPropertiesPolicyTemplateTest.java | 3 +- .../firsttime/named_key_components.n3 | 10 +++++ .../accessControl/firsttime/object_types.n3 | 3 ++ .../vitro-access-control-ontology.n3 | 5 +++ 14 files changed, 98 insertions(+), 52 deletions(-) create mode 100644 api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/NamedKeyComponent.java create mode 100644 home/src/main/resources/rdf/accessControl/firsttime/named_key_components.n3 diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AttributeValueKey.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AttributeValueKey.java index 8dfec3aa30..67488b6d62 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AttributeValueKey.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AttributeValueKey.java @@ -1,5 +1,9 @@ package edu.cornell.mannlib.vitro.webapp.auth.attributes; +import java.util.Arrays; +import java.util.HashSet; +import java.util.Set; + import org.apache.commons.lang3.builder.EqualsBuilder; import org.apache.commons.lang3.builder.HashCodeBuilder; 
@@ -9,15 +13,31 @@ public class AttributeValueKey { private AccessObjectType aot; private String role; private String type; + private Set namedKeyComponents = new HashSet<>(); + + public Set getNamedKeyComponents() { + return namedKeyComponents; + } public AttributeValueKey() { } - public AttributeValueKey(AccessOperation ao, AccessObjectType aot, String role, String type) { + public AttributeValueKey(AccessOperation ao, AccessObjectType aot, String role, String type, + String... namedKeyComponents) { this.ao = ao; this.aot = aot; this.role = role; this.type = type; + this.namedKeyComponents = new HashSet<>(Arrays.asList(namedKeyComponents)); + } + + public AttributeValueKey(AccessOperation ao, AccessObjectType aot, String role, String type, + Set namedKeyComponents) { + this.ao = ao; + this.aot = aot; + this.role = role; + this.type = type; + this.namedKeyComponents = namedKeyComponents; } public AccessOperation getAccessOperation() { @@ -52,8 +72,12 @@ public void setType(String type) { this.type = type; } + public void addNamedKey(String key) { + namedKeyComponents.add(key); + } + public AttributeValueKey clone() { - return new AttributeValueKey(ao, aot, role, type); + return new AttributeValueKey(ao, aot, role, type, namedKeyComponents); } public boolean isEmpty() { 
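Review bot: The new `Set`-taking constructor stores the caller's set by reference (`this.namedKeyComponents = namedKeyComponents;`), and `clone()` in the next hunk passes the field straight to it, so a clone and its original share one mutable set. The following hunk adds that set to `equals()` and `hashCode()`, so a later `addNamedKey` on either object changes the hash of both. If the value-set registry is hash-based (not visible here), a key already stored would then stop matching lookups, leaving an exclusion or grant present but never found. Copy defensively, as the varargs constructor already does, with `this.namedKeyComponents = new HashSet<>(namedKeyComponents);`, and consider having `getNamedKeyComponents()` return `Collections.unmodifiableSet(namedKeyComponents)`.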
@@ -70,21 +94,15 @@ public boolean equals(Object object) { } AttributeValueKey compared = (AttributeValueKey) object; - return new EqualsBuilder() - .append(getAccessOperation(), compared.getAccessOperation()) - .append(getObjectType(), compared.getObjectType()) - .append(getRole(), compared.getRole()) - .append(getType(), compared.getType()) + return new EqualsBuilder().append(getAccessOperation(), compared.getAccessOperation()) + .append(getObjectType(), compared.getObjectType()).append(getRole(), compared.getRole()) + .append(getType(), compared.getType()).append(getNamedKeyComponents(), compared.getNamedKeyComponents()) .isEquals(); } @Override public int hashCode() { - return new HashCodeBuilder(151, 1017) - .append(getAccessOperation()) - .append(getObjectType()) - .append(getRole()) - .append(getType()) - .toHashCode(); + return new HashCodeBuilder(151, 1017).append(getAccessOperation()).append(getObjectType()).append(getRole()) + .append(getType()).append(getNamedKeyComponents()).toHashCode(); } } diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/NamedKeyComponent.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/NamedKeyComponent.java new file mode 100644 index 0000000000..2ebcd39800 --- /dev/null +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/NamedKeyComponent.java @@ -0,0 +1,6 @@ +package edu.cornell.mannlib.vitro.webapp.auth.attributes; + +public enum NamedKeyComponent { + URI_EXCLUSION, + CLASS_EXCLUSION; +} diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/EntityPolicyController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/EntityPolicyController.java index 98145a6f38..b32987e03a 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/EntityPolicyController.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/EntityPolicyController.java 
@@ -52,8 +52,9 @@ private static AttributeValueSetRegistry getRegistry() { return AttributeValueSetRegistry.getInstance(); } - public static void revokeAccess(String entityUri, AccessObjectType aot, AccessOperation ao, String role) { - AttributeValueKey key = new AttributeValueKey(ao, aot, role, aot.toString()); + public static void revokeAccess(String entityUri, AccessObjectType aot, AccessOperation ao, String role, + String... namedKeyComponents) { + AttributeValueKey key = new AttributeValueKey(ao, aot, role, aot.toString(), namedKeyComponents); AttributeValueSet set = getRegistry().get(key); if (set != null) { if (set.contains(entityUri)) { @@ -77,8 +78,9 @@ private static void reduceInactiveValueSet(String entityUri, AccessObjectType ao getLoader().updateAccessControlModel(removals.toString(), false); } - public static void grantAccess(String entityUri, AccessObjectType aot, AccessOperation ao, String role) { - AttributeValueKey key = new AttributeValueKey(ao, aot, role, aot.toString()); + public static void grantAccess(String entityUri, AccessObjectType aot, AccessOperation ao, String role, + String... namedKeyComponents) { + AttributeValueKey key = new AttributeValueKey(ao, aot, role, aot.toString(), namedKeyComponents); AttributeValueSet set = getRegistry().get(key); if (set != null) { if (!set.contains(entityUri)) { 
@@ -87,14 +89,13 @@ public static void grantAccess(String entityUri, AccessObjectType aot, AccessOpe getLoader().updateAccessControlModel(toAdd, true); } } else { - extendInactiveValueSet(entityUri, aot, ao, role); + extendInactiveValueSet(entityUri, aot, ao, role, namedKeyComponents); loadPolicy(aot, ao, role); } } private static void loadPolicy(AccessObjectType aot, AccessOperation ao, String role) { - String dataSetUri = - getLoader().getDataSetUriByKey(new String[] { }, new String[] { ao.toString(), aot.toString(), role }); + String dataSetUri = getLoader().getDataSetUriByKey(ao.toString(), aot.toString(), role); if (dataSetUri != null) { DynamicPolicy policy = getLoader().loadPolicyFromTemplateDataSet(dataSetUri); if (policy != null) { @@ -104,18 +105,19 @@ private static void loadPolicy(AccessObjectType aot, AccessOperation ao, String } private static void extendInactiveValueSet(String entityUri, AccessObjectType aot, AccessOperation ao, - String role) { + String role, String... namedKeyComponents) { StringBuilder additions = new StringBuilder(); - getDataValueStatements(entityUri, aot, ao, Collections.singleton(role), additions); + getDataValueStatements(entityUri, aot, ao, Collections.singleton(role), additions, namedKeyComponents); getLoader().updateAccessControlModel(additions.toString(), true); } - public static boolean isGranted(String entityUri, AccessObjectType aot, AccessOperation ao, String role) { + public static boolean isGranted(String entityUri, AccessObjectType aot, AccessOperation ao, String role, + String... namedKeyComponents) { if (StringUtils.isBlank(entityUri)) { return false; } AttributeValueSetRegistry registry = getRegistry(); - AttributeValueKey key = new AttributeValueKey(ao, aot, role, aot.toString()); + AttributeValueKey key = new AttributeValueKey(ao, aot, role, aot.toString(), namedKeyComponents); AttributeValueSet set = registry.get(key); if (set == null) { return false; 
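Review bot: In the else-branch of `grantAccess`, `extendInactiveValueSet` now receives `namedKeyComponents`, but the next call is still `loadPolicy(aot, ao, role)`, and `loadPolicy` looks the data set up with three key parts only (`getDataSetUriByKey(ao.toString(), aot.toString(), role)`). For a call that carries a named component, the value is added under the four-part key while the policy loaded afterwards belongs to the three-part one, so the exclusion policy may never be loaded on this path. Suggest changing the signature to `private static void loadPolicy(AccessObjectType aot, AccessOperation ao, String role, String... namedKeyComponents)` and including the components in the lookup, as the new test does with `getDataSetUriByKey(URI_EXCLUSION.toString(), ...)`. Whether `reduceInactiveValueSet` in `revokeAccess` gets the components is outside the visible lines and worth checking for the same reason.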
@@ -138,12 +140,12 @@ public static List getGrantedRoles(String entityUri, AccessOperation ao, } public static void getDataValueStatements(String entityUri, AccessObjectType aot, AccessOperation ao, - Set selectedRoles, StringBuilder sb) { + Set selectedRoles, StringBuilder sb, String... namedKeyComponents) { if (StringUtils.isBlank(entityUri)) { return; } for (String role : selectedRoles) { - String valueSetUri = getValueSetUri(aot, ao, role); + String valueSetUri = getValueSetUri(aot, ao, role, namedKeyComponents); if (valueSetUri == null) { log.debug(String.format("Policy value set wasn't found by key:\n%s\n%s\n%s", ao, aot, role)); continue; @@ -175,12 +177,13 @@ private static boolean isUriInTestDataset(String entityUri, AccessOperation ao, return values.contains(entityUri); } - private static String getValueSetUri(AccessObjectType aot, AccessOperation ao, String role) { + private static String getValueSetUri(AccessObjectType aot, AccessOperation ao, String role, + String... namedKeyComponents) { String key = aot.toString() + "." + ao.toString() + "." + role; if (policyKeyToDataValueMap.containsKey(key)) { return policyKeyToDataValueMap.get(key); } - String uri = getLoader().getEntityValueSetUri(ao, aot, role); + String uri = getLoader().getEntityValueSetUri(ao, aot, role, namedKeyComponents); policyKeyToDataValueMap.put(key, uri); return uri; } diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoader.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoader.java index 06451d5b14..8bb5616239 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoader.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoader.java 
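Review bot: `getValueSetUri` now resolves the URI with `namedKeyComponents`, but the cache key is still built as `aot.toString() + "." + ao.toString() + "." + role`, so whichever call comes first for a type/operation/role fixes the answer for every later call, whatever named component it passes. A value meant for the `URI_EXCLUSION` set could then be written into the plain value set, or the reverse, which changes what a Deny-by-exclusion policy covers. Include the components in the key, e.g. `String key = aot + "." + ao + "." + role + "." + String.join(".", namedKeyComponents);`. The `log.debug` message in `getDataValueStatements` would also be easier to act on if it printed the components that were part of the failed lookup.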
@@ -270,6 +270,10 @@ public class PolicyLoader { + " ?keyComponent a access:SubjectRoleUri .\n" + " BIND('SUBJECT_ROLE_URI' as ?type)\n" + " }\n" + + " OPTIONAL {\n" + + " ?keyComponent a access:NamedKeyComponent .\n" + + " BIND('NAMED_KEY_COMPONENT' as ?type)\n" + + " }\n" + " }\n" + "}\n"; @@ -451,8 +455,7 @@ protected void processQuerySolution(QuerySolution qs) { public Set getDataSetValues(AccessOperation ao, AccessObjectType aot, String role) { Set values = new HashSet<>(); long expectedSize = 3; - String queryText = getDataSetByKeyQuery(new String[] {}, - new String[] { ao.toString(), aot.toString(), role }); + String queryText = getDataSetByKeyQuery(ao.toString(), aot.toString(), role); ParameterizedSparqlString pss = new ParameterizedSparqlString(queryText); pss.setLiteral("setElementsId", aot.toString()); queryText = pss.toString(); @@ -486,9 +489,10 @@ protected void processQuerySolution(QuerySolution qs) { return values; } - public String getEntityValueSetUri(AccessOperation ao, AccessObjectType aot, String role) { - long expectedSize = 3; - String queryText = getDataSetByKeyQuery(new String[] { }, new String[] { ao.toString(), aot.toString(), role }); + public String getEntityValueSetUri(AccessOperation ao, AccessObjectType aot, String role, + String... namedKeyComponents) { + long expectedSize = 3 + namedKeyComponents.length; + String queryText = getDataSetByKeyQuery(ao.toString(), aot.toString(), role); ParameterizedSparqlString pss = new ParameterizedSparqlString(queryText); pss.setLiteral("setElementsId", aot.toString()); queryText = pss.toString(); 
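Review bot: In `getEntityValueSetUri`, `expectedSize` grows by `namedKeyComponents.length`, but the query is still built from three ids (`getDataSetByKeyQuery(ao.toString(), aot.toString(), role)`), so the named components affect only a count and never the match itself. How `expectedSize` is applied is outside the hunk; if it filters on the number of key components, a lookup for `URI_EXCLUSION` and one for `CLASS_EXCLUSION` are indistinguishable and could resolve to either data set. Passing the components into the query as ids would make the lookup exact. `getDataSetValues` in the previous hunk keeps `expectedSize = 3` and takes no components, so it can only read the plain data set; a comment saying that is intended would help.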
@@ -587,11 +591,8 @@ private static String getPolicyDataSetValueStatementByKeyQuery(String entityUri, return query.toString(); } - private static String getDataSetByKeyQuery(String[] uris, String[] ids) { + private static String getDataSetByKeyQuery(String... ids) { StringBuilder query = new StringBuilder(policyKeyTemplatePrefix); - for (String uri : uris) { - query.append(String.format(" ?dataSetKeyUri access:hasKeyComponent <%s> . \n", uri)); - } int i = 0; for (String id : ids) { query.append(String.format( @@ -809,9 +810,9 @@ private ChangeSet makeChangeSet() { return cs; } - public String getDataSetUriByKey(String[] uris, String[] ids) { - long expectedSize = uris.length + ids.length; - final String queryText = getDataSetByKeyQuery(uris, ids); + public String getDataSetUriByKey(String... ids) { + long expectedSize = ids.length; + final String queryText = getDataSetByKeyQuery(ids); debug("SPARQL Query to get policy data set values:\n %s", queryText); String[] uri = new String[1]; try { @@ -859,6 +860,9 @@ protected void processQuerySolution(QuerySolution qs) { if (Attribute.SUBJECT_ROLE_URI.toString().equals(type)) { compositeKey.setRole(id); } + if ("NAMED_KEY_COMPONENT".equals(type)) { + compositeKey.addNamedKey(id); + } } } else { //assume keyComponent is a role diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AccessAllowedClassesPolicyTemplateTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AccessAllowedClassesPolicyTemplateTest.java index 139c547671..c6e4340b84 100644 --- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AccessAllowedClassesPolicyTemplateTest.java +++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AccessAllowedClassesPolicyTemplateTest.java 
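Review bot: `getDataSetByKeyQuery(String... ids)` still builds the SPARQL text by `String.format`-ing each `id` into the query, and this commit makes the public `getDataSetUriByKey(String... ids)` a direct varargs path into it. The format string itself is outside the hunk, so whether the value is quoted or escaped cannot be confirmed from here. If any id can originate outside the code base, such as a custom role URI, binding it through `ParameterizedSparqlString.setLiteral`, as this class already does for `setElementsId`, would be safer than concatenation. At minimum, a comment on the method should state that ids must be trusted constants.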
@@ -48,8 +48,7 @@ public void testPolicy() { } EntityPolicyController.grantAccess("test:entity", type, ao, roleUri); DynamicPolicy policy = null; - String dataSet = - loader.getDataSetUriByKey(new String[] { }, new String[] { ao.toString(), type.toString(), roleUri }); + String dataSet = loader.getDataSetUriByKey(ao.toString(), type.toString(), roleUri); policy = loader.loadPolicyFromTemplateDataSet(dataSet); countRulesAndAttributes(policy, rulesCount, attrCount); Set values = loader.getDataSetValues(ao, type, roleUri); diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AccessAllowedPropertiesPolicyTemplateTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AccessAllowedPropertiesPolicyTemplateTest.java index 5cd4826702..2c893f3036 100644 --- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AccessAllowedPropertiesPolicyTemplateTest.java +++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AccessAllowedPropertiesPolicyTemplateTest.java @@ -54,8 +54,7 @@ public void testPolicy() { } EntityPolicyController.grantAccess("test:entity", type, ao, roleUri); DynamicPolicy policy = null; - String dataSet = - loader.getDataSetUriByKey(new String[] { }, new String[] { ao.toString(), type.toString(), roleUri }); + String dataSet = loader.getDataSetUriByKey(ao.toString(), type.toString(), roleUri); policy = loader.loadPolicyFromTemplateDataSet(dataSet); countRulesAndAttributes(policy, rulesCount, attrCount); assertTrue(EntityPolicyController.isGranted("test:entity", type, ao, roleUri)); diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AccessRelatedAllowedPropertiesPolicyTemplateTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AccessRelatedAllowedPropertiesPolicyTemplateTest.java index 60e90c7199..516f3cd9b8 100644 --- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AccessRelatedAllowedPropertiesPolicyTemplateTest.java 
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AccessRelatedAllowedPropertiesPolicyTemplateTest.java @@ -42,8 +42,7 @@ public void testPolicy() { load(TEMPLATE_RELATED_PROPERTIES_PATH); EntityPolicyController.grantAccess("test:entity", type, ao, roleUri); DynamicPolicy policy = null; - String dataSet = - loader.getDataSetUriByKey(new String[] { }, new String[] { ao.toString(), type.toString(), roleUri }); + String dataSet = loader.getDataSetUriByKey(ao.toString(), type.toString(), roleUri); policy = loader.loadPolicyFromTemplateDataSet(dataSet); countRulesAndAttributes(policy, rulesCount, attrCount); Set values = loader.getDataSetValues(ao, type, roleUri); diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoaderTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoaderTest.java index 268ab11be8..88b00f0601 100644 --- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoaderTest.java +++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoaderTest.java @@ -56,8 +56,7 @@ public void getRoleDataSetDraftKeyTemplateTest() { @Test public void getDataSetUriByKeyTest() { load(DATA_SET); - String uri = PolicyLoader.getInstance().getDataSetUriByKey(new String[] {}, - new String[] { NAMED_OBJECT.toString(), EXECUTE.toString(), PUBLIC }); + String uri = PolicyLoader.getInstance().getDataSetUriByKey(NAMED_OBJECT.toString(), EXECUTE.toString(), PUBLIC); assertEquals(PREFIX + "PublicDataSet", uri); } diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyTest.java index e43d9472e8..ea3786ff4f 100644 --- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyTest.java +++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyTest.java 
@@ -43,6 +43,7 @@ public class PolicyTest { public static final String OBJECT_TYPES = USER_ACCOUNTS_HOME_FIRSTTIME + "object_types.n3"; public static final String ATTRIBUTES_PATH = USER_ACCOUNTS_HOME_FIRSTTIME + "attributes.n3"; public static final String OPERATORS_PATH = USER_ACCOUNTS_HOME_FIRSTTIME + "operators.n3"; + public static final String NAMED_KEY_COMPONENTS_PATH = USER_ACCOUNTS_HOME_FIRSTTIME + "named_key_components.n3"; public static final String PROFILE_PROXIMITY_QUERY = USER_ACCOUNTS_HOME_FIRSTTIME + "profile_proximity_query.n3"; public static final String TEST_DECISIONS = USER_ACCOUNTS_HOME_FIRSTTIME + "decisions.n3"; public static final String ROLES = USER_ACCOUNTS_HOME_FIRSTTIME + "roles.n3"; @@ -92,6 +93,7 @@ public void init() { load(OPERATORS_PATH); load(PROFILE_PROXIMITY_QUERY); load(TEST_DECISIONS); + load(NAMED_KEY_COMPONENTS_PATH); RDFServiceModel rdfService = new RDFServiceModel(configurationDataSet); AttributeValueSetRegistry.getInstance().clear(); PolicyLoader.initialize(rdfService); diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SimplePermissionTemplateTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SimplePermissionTemplateTest.java index 6ff3711777..2c6fb8ead2 100644 --- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SimplePermissionTemplateTest.java +++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SimplePermissionTemplateTest.java 
@@ -134,8 +134,8 @@ public void testCustomRole() { // Create custom data set PolicyTemplateController.createRoleDataSets(CUSTOM); // Get data set uri by key: role uri and named object - String dataSetUri = loader.getDataSetUriByKey(new String[] { }, - new String[] { AccessObjectType.NAMED_OBJECT.toString(), AccessOperation.EXECUTE.toString(), CUSTOM }); + String dataSetUri = loader.getDataSetUriByKey(AccessObjectType.NAMED_OBJECT.toString(), + AccessOperation.EXECUTE.toString(), CUSTOM); assertTrue(dataSetUri != null); DynamicPolicy policy = loader.loadPolicyFromTemplateDataSet(dataSetUri); diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/UpdateRelatedAllowedPropertiesPolicyTemplateTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/UpdateRelatedAllowedPropertiesPolicyTemplateTest.java index b8ac2077a4..26ea23637f 100644 --- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/UpdateRelatedAllowedPropertiesPolicyTemplateTest.java +++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/UpdateRelatedAllowedPropertiesPolicyTemplateTest.java @@ -43,8 +43,7 @@ public void testPolicy() { load(TEMPLATE_RELATED_UPDATE_PATH); EntityPolicyController.grantAccess("test:entity", type, ao, roleUri); DynamicPolicy policy = null; - String dataSet = - loader.getDataSetUriByKey(new String[] { }, new String[] { ao.toString(), type.toString(), roleUri }); + String dataSet = loader.getDataSetUriByKey(ao.toString(), type.toString(), roleUri); policy = loader.loadPolicyFromTemplateDataSet(dataSet); countRulesAndAttributes(policy, rulesCount, attrCount); Set values = loader.getDataSetValues(ao, type, roleUri); diff --git a/home/src/main/resources/rdf/accessControl/firsttime/named_key_components.n3 b/home/src/main/resources/rdf/accessControl/firsttime/named_key_components.n3 new file mode 100644 index 0000000000..9d05de8037 --- /dev/null 
+++ b/home/src/main/resources/rdf/accessControl/firsttime/named_key_components.n3 @@ -0,0 +1,10 @@ +# $This file is distributed under the terms of the license in LICENSE$ + +@prefix access-individual: . +@prefix access: . + +access-individual:UriExclusion a access:NamedKeyComponent ; + access:id "URI_EXCLUSION" . + +access-individual:ClassExclusion a access:NamedKeyComponent ; + access:id "CLASS_EXCLUSION" . diff --git a/home/src/main/resources/rdf/accessControl/firsttime/object_types.n3 b/home/src/main/resources/rdf/accessControl/firsttime/object_types.n3 index 93b6a45dd2..3e103594fe 100644 --- a/home/src/main/resources/rdf/accessControl/firsttime/object_types.n3 +++ b/home/src/main/resources/rdf/accessControl/firsttime/object_types.n3 @@ -64,3 +64,6 @@ access-individual:FauxDataPropertyStatementValueSet a access:ValueSet ; access-individual:ClassValueSet a access:ValueSet ; access:value access-individual:Class . + +access-individual:IndividualValueSet a access:ValueSet ; + access:value access-individual:IndividualAccessObject . diff --git a/home/src/main/resources/rdf/tbox/firsttime/vitro-access-control-ontology.n3 b/home/src/main/resources/rdf/tbox/firsttime/vitro-access-control-ontology.n3 index 886a7bd068..db1d02a58a 100644 --- a/home/src/main/resources/rdf/tbox/firsttime/vitro-access-control-ontology.n3 +++ b/home/src/main/resources/rdf/tbox/firsttime/vitro-access-control-ontology.n3 @@ -58,6 +58,11 @@ rdfs:comment "Represents attribute uri value"; rdfs:label "Attribute uri value"@en-US . +:NamedKeyComponent a owl:Class ; + rdfs:subClassOf :AttributeValuePattern ; + rdfs:comment "Represents named key component"; + rdfs:label "Named key component"@en-US . + :SubjectRoleUri a owl:Class ; rdfs:subClassOf :AttributeUriValue ; rdfs:comment "Represents role uri"; From f802361e47936ad5dd06d69d117f9ecae7dfe9cf Mon Sep 17 00:00:00 2001 
From: Georgy Litvinov Date: Wed, 20 Dec 2023 09:55:14 +0100 Subject: [PATCH 09/33] Added policy and test to exclude individual page from display by uri --- ...ndividualPageExcludeByUriTemplateTest.java | 124 ++++++++++++ ...ate_exclude_display_individual_page_uri.n3 | 180 ++++++++++++++++++ 2 files changed, 304 insertions(+) create mode 100644 api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/DisplayIndividualPageExcludeByUriTemplateTest.java create mode 100644 home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_uri.n3 diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/DisplayIndividualPageExcludeByUriTemplateTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/DisplayIndividualPageExcludeByUriTemplateTest.java new file mode 100644 index 0000000000..37bca48d9d --- /dev/null +++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/DisplayIndividualPageExcludeByUriTemplateTest.java 
@@ -0,0 +1,124 @@
+package edu.cornell.mannlib.vitro.webapp.auth.policy;
+
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.INDIVIDUAL;
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.DISPLAY;
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.URI_EXCLUSION;
+import static edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult.INCONCLUSIVE;
+import static edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult.UNAUTHORIZED;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Set;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.IndividualAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.NamedAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.SimpleAuthorizationRequest;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+
+@RunWith(Parameterized.class)
+public class DisplayIndividualPageExcludeByUriTemplateTest extends PolicyTest {
+
+ private static final String TEST_ENTITY = "test:entity";
+
+ public static final String POLICY_PATH =
+ USER_ACCOUNTS_HOME_FIRSTTIME + "template_exclude_display_individual_page_uri.n3";
+
+ @org.junit.runners.Parameterized.Parameter(0)
+ public AccessOperation ao;
+
+ @org.junit.runners.Parameterized.Parameter(1)
+ public AccessObjectType type;
+
+ @org.junit.runners.Parameterized.Parameter(2)
+ public String roleUri;
+
+ @org.junit.runners.Parameterized.Parameter(3)
+ public int rulesCount;
+
+ @org.junit.runners.Parameterized.Parameter(4)
+ public Set attrCount;
+
+ @Test
+ public void testLoadPolicy() {
+ load(POLICY_PATH);
+ load(RESOURCES_RULES_PREFIX + "display_individual_page_exclude_uri.n3");
+
+ if (roleUri.equals(CUSTOM)) {
+ PolicyTemplateController.createRoleDataSets(CUSTOM);
+ }
+ EntityPolicyController.grantAccess(TEST_ENTITY, type, ao, roleUri, URI_EXCLUSION.toString());
+
+ String dataSetUri =
+ loader.getDataSetUriByKey(URI_EXCLUSION.toString(), ao.toString(), type.toString(), roleUri);
+ assertFalse(dataSetUri == null);
+ DynamicPolicy policy = loader.loadPolicyFromTemplateDataSet(dataSetUri);
+ assertTrue(policy != null);
+ assertEquals(2000, policy.getPriority());
+ countRulesAndAttributes(policy, 1, Collections.singleton(4));
+ policyDeniesAccess(policy);
+
+ policyNotAffectsOtherTypes(policy);
+ policyNotAffectsOtherEntities(policy);
+ policyNotAffectsOtherOperations(policy);
+ policyNotAffectsOtherRoles(policy);
+ }
+
+ private void policyNotAffectsOtherRoles(DynamicPolicy policy) {
+ AccessObject object = new IndividualAccessObject(TEST_ENTITY);
+ SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, ao);
+ ar.setRoleUris(Arrays.asList(roleUri + "_NOT_EXISTS"));
+ assertEquals(INCONCLUSIVE, policy.decide(ar).getDecisionResult());
+ }
+
+ private void policyNotAffectsOtherEntities(DynamicPolicy policy) {
+ AccessObject object = new IndividualAccessObject("test:anothe_entity");
+ SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, ao);
+ ar.setRoleUris(Arrays.asList(roleUri));
+ assertEquals(INCONCLUSIVE, policy.decide(ar).getDecisionResult());
+ }
+
+ private void policyNotAffectsOtherOperations(DynamicPolicy policy) {
+ AccessObject object = new IndividualAccessObject(TEST_ENTITY);
+ SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, AccessOperation.ADD);
+ ar.setRoleUris(Arrays.asList(roleUri));
+ assertEquals(INCONCLUSIVE, policy.decide(ar).getDecisionResult());
+ }
+
+ private void policyNotAffectsOtherTypes(DynamicPolicy policy) {
+ AccessObject object = new NamedAccessObject(TEST_ENTITY);
+ SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, ao);
+ ar.setRoleUris(Arrays.asList(roleUri));
+ assertEquals(INCONCLUSIVE, policy.decide(ar).getDecisionResult());
+ }
+
+ private void policyDeniesAccess(DynamicPolicy policy) {
+ AccessObject object = new IndividualAccessObject(TEST_ENTITY);
+ SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, ao);
+ ar.setRoleUris(Arrays.asList(roleUri));
+ assertEquals(UNAUTHORIZED, policy.decide(ar).getDecisionResult());
+ }
+
+ @Parameterized.Parameters
+ public static Collection requests() {
+ return Arrays.asList(new Object[][] {
+ { DISPLAY, INDIVIDUAL, ADMIN, 1, num(4) },
+ { DISPLAY, INDIVIDUAL, CURATOR, 1, num(4) },
+ { DISPLAY, INDIVIDUAL, EDITOR, 1, num(4) },
+ { DISPLAY, INDIVIDUAL, SELF_EDITOR, 1, num(4) },
+ { DISPLAY, INDIVIDUAL, PUBLIC, 1, num(4) },
+ { DISPLAY, INDIVIDUAL, CUSTOM, 1, num(4) },});
+ }
+
+ private static Set num(int i) {
+ return Collections.singleton(i);
+ }
+}
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_uri.n3 b/home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_uri.n3
new file mode 100644
index 0000000000..93eaa77ea1
--- /dev/null
+++ b/home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_uri.n3
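Review bot: The `rulesCount` and `attrCount` parameters are declared and filled by `requests()`, but `testLoadPolicy` ignores them and hard-codes `countRulesAndAttributes(policy, 1, Collections.singleton(4))`, so editing a row of the parameter table never changes what is asserted. Either pass the fields, `countRulesAndAttributes(policy, rulesCount, attrCount);`, or drop the two columns from the table. The null checks would also report failures more clearly as `assertNotNull(dataSetUri)` and `assertNotNull(policy)`, and the annotations can use the already imported `@Parameterized.Parameter(n)` instead of the fully qualified name.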
@@ -0,0 +1,180 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix auth: .
+@prefix access-individual: .
+@prefix access: .
+@prefix : .
+
+:PolicyTemplate a access:PolicyTemplate ;
+ access:priority 2000 ;
+ access:hasRule :ExcludeMatchingUri ;
+ access:hasDataSet :PublicDisplayExclusionDataSet ;
+ access:hasDataSet :SelfEditorDisplayExclusionDataSet ;
+ access:hasDataSet :EditorDisplayExclusionDataSet ;
+ access:hasDataSet :CuratorDisplayExclusionDataSet ;
+ access:hasDataSet :AdminDisplayExclusionDataSet ;
+ access:hasDataSetTemplate :RoleDisplayExclusionDataSetTemplate ;
+ .
+
+#Role Display data set template
+
+:RoleDisplayExclusionDataSetTemplate a access:DataSetTemplate ;
+ access:hasDataSetTemplateKey :RoleDisplayExclusionDataSetTemplateKey ;
+ access:hasDataSetKeyTemplate :RoleDisplayExclusionDataSetKeyTemplate ;
+ access:hasRelatedValueSet access-individual:IndividualValueSet ;
+ access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+ access:dataSetValueTemplate :RoleDisplayRoleValueSetTemplate ;
+ access:dataSetValueTemplate :RoleDisplayValueSetTemplate .
+
+:RoleDisplayExclusionDataSetTemplateKey a access:DataSetTemplateKey ;
+ access:hasTemplateKeyComponent access-individual:SubjectRole .
+
+:RoleDisplayExclusionDataSetKeyTemplate a access:DataSetKeyTemplate ;
+ access:hasKeyComponent access-individual:IndividualAccessObject ;
+ access:hasKeyComponent access-individual:DisplayOperation ;
+ access:hasKeyComponent access-individual:UriExclusion ;
+ access:hasKeyComponentTemplate access-individual:SubjectRole .
+
+:RoleDisplayRoleValueSetTemplate a access:ValueSetTemplate ;
+ access:relatedCheck :SubjectRoleCheck;
+ access:containsElementsOfType access-individual:SubjectRole .
+
+:RoleDisplayValueSetTemplate a access:ValueSetTemplate ;
+ access:relatedCheck :AccessObjectUriCheck ;
+# access:value access-individual:defaultUri ;
+ access:containsElementsOfType access-individual:IndividualAccessObject .
+
+### Public display uri data sets
+
+:PublicDisplayExclusionDataSet a access:DataSet ;
+ access:hasDataSetKey :PublicDisplayExclusionDataSetKey ;
+ access:hasRelatedValueSet access-individual:PublicRoleValueSet ;
+ access:hasRelatedValueSet access-individual:IndividualValueSet ;
+ access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+ access:hasRelatedValueSet :PublicDisplayValueSet .
+
+:PublicDisplayExclusionDataSetKey a access:DataSetKey ;
+ access:hasKeyComponent access-individual:IndividualAccessObject ;
+ access:hasKeyComponent access-individual:PublicRoleUri ;
+ access:hasKeyComponent access-individual:UriExclusion ;
+ access:hasKeyComponent access-individual:DisplayOperation .
+
+### SelfEditor display uri data sets
+
+:SelfEditorDisplayExclusionDataSet a access:DataSet ;
+ access:hasDataSetKey :SelfEditorDisplayExclusionDataSetKey ;
+ access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ;
+ access:hasRelatedValueSet access-individual:IndividualValueSet ;
+ access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+ access:hasRelatedValueSet :SelfEditorDisplayValueSet .
+
+:SelfEditorDisplayExclusionDataSetKey a access:DataSetKey ;
+ access:hasKeyComponent access-individual:IndividualAccessObject ;
+ access:hasKeyComponent access-individual:SelfEditorRoleUri ;
+ access:hasKeyComponent access-individual:UriExclusion ;
+ access:hasKeyComponent access-individual:DisplayOperation .
+
+### Editor display uri data sets
+
+:EditorDisplayExclusionDataSet a access:DataSet ;
+ access:hasDataSetKey :EditorDisplayExclusionDataSetKey ;
+ access:hasRelatedValueSet access-individual:EditorRoleValueSet ;
+ access:hasRelatedValueSet access-individual:IndividualValueSet ;
+ access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+ access:hasRelatedValueSet :EditorDisplayValueSet .
+
+:EditorDisplayExclusionDataSetKey a access:DataSetKey ;
+ access:hasKeyComponent access-individual:IndividualAccessObject ;
+ access:hasKeyComponent access-individual:EditorRoleUri ;
+ access:hasKeyComponent access-individual:UriExclusion ;
+ access:hasKeyComponent access-individual:DisplayOperation .
+
+### Curator display uri data sets
+
+:CuratorDisplayExclusionDataSet a access:DataSet ;
+ access:hasDataSetKey :CuratorDisplayExclusionDataSetKey ;
+ access:hasRelatedValueSet access-individual:CuratorRoleValueSet ;
+ access:hasRelatedValueSet access-individual:IndividualValueSet ;
+ access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+ access:hasRelatedValueSet :CuratorDisplayValueSet .
+
+:CuratorDisplayExclusionDataSetKey a access:DataSetKey ;
+ access:hasKeyComponent access-individual:IndividualAccessObject ;
+ access:hasKeyComponent access-individual:CuratorRoleUri ;
+ access:hasKeyComponent access-individual:UriExclusion ;
+ access:hasKeyComponent access-individual:DisplayOperation .
+
+### Admin display uri data sets
+
+:AdminDisplayExclusionDataSet a access:DataSet ;
+ access:hasDataSetKey :AdminDisplayExclusionDataSetKey ;
+ access:hasRelatedValueSet access-individual:AdminRoleValueSet ;
+ access:hasRelatedValueSet access-individual:IndividualValueSet ;
+ access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+ access:hasRelatedValueSet :AdminDisplayValueSet .
+
+:AdminDisplayExclusionDataSetKey a access:DataSetKey ;
+ access:hasKeyComponent access-individual:IndividualAccessObject ;
+ access:hasKeyComponent access-individual:AdminRoleUri ;
+ access:hasKeyComponent access-individual:UriExclusion ;
+ access:hasKeyComponent access-individual:DisplayOperation .
+
+### Rule
+
+:ExcludeMatchingUri a access:Rule;
+ access:hasDecision access-individual:Deny ;
+ access:requiresCheck :SubjectRoleCheck ;
+ access:requiresCheck :OperationCheck ;
+ access:requiresCheck :AccessObjectTypeCheck ;
+ access:requiresCheck :AccessObjectUriCheck .
+
+### Checks
+
+:AccessObjectTypeCheck a access:Check ;
+ access:useOperator access-individual:Equals ;
+ access:hasTypeToCheck access-individual:AccessObjectType ;
+ access:values access-individual:IndividualValueSet ;
+ .
+
+:OperationCheck a access:Check ;
+ access:useOperator access-individual:Equals ;
+ access:hasTypeToCheck access-individual:Operation ;
+ access:values access-individual:DisplayOperationValueSet ;
+ .
+
+:SubjectRoleCheck a access:Check ;
+ access:useOperator access-individual:Equals ;
+ access:hasTypeToCheck access-individual:SubjectRole ;
+ access:values access-individual:PublicRoleValueSet ;
+ access:values access-individual:SelfEditorRoleValueSet ;
+ access:values access-individual:EditorRoleValueSet ;
+ access:values access-individual:CuratorRoleValueSet ;
+ access:values access-individual:AdminRoleValueSet .
+
+:AccessObjectUriCheck a access:Check ;
+ access:useOperator access-individual:OneOf ;
+ access:hasTypeToCheck access-individual:AccessObjectUri ;
+ access:values :AdminDisplayValueSet ;
+ access:values :CuratorDisplayValueSet ;
+ access:values :EditorDisplayValueSet ;
+ access:values :PublicDisplayValueSet ;
+ access:values :SelfEditorDisplayValueSet ;
+ .
+
+###Value sets
+
+:AdminDisplayValueSet a access:ValueSet ;
+ access:containsElementsOfType access-individual:IndividualAccessObject .
+
+:CuratorDisplayValueSet a access:ValueSet ;
+ access:containsElementsOfType access-individual:IndividualAccessObject .
+
+:EditorDisplayValueSet a access:ValueSet ;
+ access:containsElementsOfType access-individual:IndividualAccessObject .
+
+:SelfEditorDisplayValueSet a access:ValueSet ;
+ access:containsElementsOfType access-individual:IndividualAccessObject .
+
+:PublicDisplayValueSet a access:ValueSet ;
+ access:containsElementsOfType access-individual:IndividualAccessObject .
+
From 53cbfff4a7b59d8d0cfa1f2fffd66ae6113273dd Mon Sep 17 00:00:00 2001
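Review bot: The template has no comment stating that `:ExcludeMatchingUri` is a Deny rule at priority 2000 keyed on the individual's URI, which is the first thing someone auditing the access policies needs to know. A short header such as `# Denies DISPLAY of an individual page when its URI is in the role's exclusion value set` would cover it, if that matches the intent. The commented-out `# access:value access-individual:defaultUri ;` under `:RoleDisplayValueSetTemplate` should be removed or explained, and the `auth:` prefix is declared but not used anywhere in the file.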
From: Georgy Litvinov Date: Wed, 20 Dec 2023 18:49:05 +0100 Subject: [PATCH 10/33] fixes: store model in AccessObject, renamed sparql variable personUri to profileUri, created useConfiguration object property to provide sparql query when sparql query results tested against provided values. Replaced ProximityChecker with more abstract SparqlSelectQueryResultsChecker. Added safety check to AttributeValueSetFactory. Improved logging in PolicyLoader. --- .../auth/attributes/AttributeValueKey.java | 18 +- .../auth/attributes/AttributeValueSet.java | 4 + .../attributes/MutableAttributeValueSet.java | 4 + .../auth/attributes/ValueSetFactory.java | 6 +- .../webapp/auth/checks/AbstractCheck.java | 11 +- .../auth/checks/AttributeValueChecker.java | 42 +---- .../vitro/webapp/auth/checks/Check.java | 4 + .../webapp/auth/checks/CheckFactory.java | 10 ++ .../webapp/auth/checks/ProximityChecker.java | 89 ---------- .../auth/checks/QueryResultsMapCache.java | 16 +- .../SparqlSelectQueryResultsChecker.java | 154 ++++++++++++++++++ .../webapp/auth/objects/AccessObject.java | 13 +- .../auth/objects/AccessObjectStatement.java | 10 -- .../DataPropertyStatementAccessObject.java | 6 +- ...FauxDataPropertyStatementAccessObject.java | 2 +- ...uxObjectPropertyStatementAccessObject.java | 2 +- .../ObjectPropertyStatementAccessObject.java | 2 +- .../auth/policy/EntityPolicyController.java | 26 ++- .../auth/policy/InvalidSolutionException.java | 9 + .../webapp/auth/policy/PolicyLoader.java | 48 +++--- .../freemarker/FreemarkerHttpServlet.java | 4 +- ...ndividualPageExcludeByUriTemplateTest.java | 1 - .../auth/policy/PolicyHelper_ModelsTest.java | 2 +- .../auth/rules/proximity_test_policy.n3 | 2 +- .../vitro-access-control-ontology.n3 | 6 + 25 files changed, 290 insertions(+), 201 deletions(-) delete mode 100644 api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/ProximityChecker.java create mode 100644 
api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/SparqlSelectQueryResultsChecker.java create mode 100644 api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/InvalidSolutionException.java diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AttributeValueKey.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AttributeValueKey.java index 67488b6d62..3260678fa6 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AttributeValueKey.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AttributeValueKey.java @@ -94,15 +94,23 @@ public boolean equals(Object object) { } AttributeValueKey compared = (AttributeValueKey) object; - return new EqualsBuilder().append(getAccessOperation(), compared.getAccessOperation()) - .append(getObjectType(), compared.getObjectType()).append(getRole(), compared.getRole()) - .append(getType(), compared.getType()).append(getNamedKeyComponents(), compared.getNamedKeyComponents()) + return new EqualsBuilder() + .append(getAccessOperation(), compared.getAccessOperation()) + .append(getObjectType(), compared.getObjectType()) + .append(getRole(), compared.getRole()) + .append(getType(), compared.getType()) + .append(getNamedKeyComponents(), compared.getNamedKeyComponents()) .isEquals(); } @Override public int hashCode() { - return new HashCodeBuilder(151, 1017).append(getAccessOperation()).append(getObjectType()).append(getRole()) - .append(getType()).append(getNamedKeyComponents()).toHashCode(); + return new HashCodeBuilder(151, 1017) + .append(getAccessOperation()) + .append(getObjectType()) + .append(getRole()) + .append(getType()) + .append(getNamedKeyComponents()) + .toHashCode(); } } diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AttributeValueSet.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AttributeValueSet.java index d8902b2509..902175b094 100644 
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AttributeValueSet.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AttributeValueSet.java @@ -1,5 +1,7 @@ package edu.cornell.mannlib.vitro.webapp.auth.attributes; +import java.util.Set; + public interface AttributeValueSet { void add(String value); @@ -26,4 +28,6 @@ public interface AttributeValueSet { void setKey(AttributeValueKey key); + Set getValues(); + } diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/MutableAttributeValueSet.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/MutableAttributeValueSet.java index e00b670632..413ded0957 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/MutableAttributeValueSet.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/MutableAttributeValueSet.java @@ -55,6 +55,10 @@ public String getSingleValue() { return ""; } + public Set getValues() { + return values; + } + @Override public boolean isEmpty() { return values.isEmpty(); diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/ValueSetFactory.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/ValueSetFactory.java index dc05586edd..e85d999520 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/ValueSetFactory.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/ValueSetFactory.java @@ -16,8 +16,12 @@ public static AttributeValueSet create(String value, QuerySolution qs, Attribute if (avc == null) { return createNew(value, qs, dataSetKey, avcKey); } else { - return returnFromRegistry(value, avc); + Optional setUri = getSetUri(qs); + if (!setUri.isPresent() || !setUri.get().equals(avc.getValueSetUri())) { + return createNew(value, qs, dataSetKey, avcKey); + } } + return returnFromRegistry(value, avc); } } 
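Review bot: `getValues()` in MutableAttributeValueSet returns the internal `values` set itself, so any caller holding a value set that backs a policy check can add or remove entries outside the class's own methods. The only caller added in this patch just reads it (`comparedValues.addAll(values.getValues())`), so a read-only view is enough: `return Collections.unmodifiableSet(values);`, assuming `java.util.Collections` is imported in the file (the import block is outside the hunk). The method implements the new `AttributeValueSet.getValues()` and should also carry `@Override`.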
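Review bot: The branch added to `ValueSetFactory.create` needs a why-comment: it stops reusing a registered value set when the query solution's set URI is absent or differs from `avc.getValueSetUri()`, and the code does not say which case this guards against. Something like `// A registry hit under the same key may belong to a different value set; reuse it only when the URIs match` would do, if that is the intent. The `else` is also redundant after the `return` in the `if` branch. `create` begins above the hunk, so whether `createNew` then replaces the registered entry is not visible here.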
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/AbstractCheck.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/AbstractCheck.java index 2409e02809..ccdf73b98e 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/AbstractCheck.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/AbstractCheck.java @@ -11,6 +11,7 @@ public abstract class AbstractCheck implements Check { private AttributeValueSet values; private String uri; private long computationalCost; + private String configuration; private CheckType testType = CheckType.EQUALS; @@ -36,12 +37,18 @@ public void setType(CheckType testType) { adjustComputationCost(testType); } - @Override + public String getConfiguration() { + return configuration; + } + + public void setConfiguration(String configuration) { + this.configuration = configuration; + } + public void addValue(String value) { values.add(value); } - @Override public AttributeValueSet getValues() { return values; } diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/AttributeValueChecker.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/AttributeValueChecker.java index dd5cb7a081..8acee98ffe 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/AttributeValueChecker.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/AttributeValueChecker.java 
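Review bot: The second AbstractCheck hunk drops `@Override` from `addValue` and `getValues` and adds `getConfiguration`/`setConfiguration` without it, although `Check` declares both new accessors in this same patch. Keeping `@Override` on all four lets the compiler catch a signature drift between `Check` and this base class, which matters here because the configuration string ends up as the SPARQL query of an authorization check. The class body continues outside the hunk.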
@@ -2,19 +2,13 @@ package edu.cornell.mannlib.vitro.webapp.auth.checks; -import java.util.Arrays; -import java.util.List; - import edu.cornell.mannlib.vitro.webapp.auth.attributes.AttributeValueSet; -import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest; -import org.apache.commons.lang3.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; -import org.apache.jena.rdf.model.Model; public class AttributeValueChecker { - private static final Log log = LogFactory.getLog(AttributeValueChecker.class); + static final Log log = LogFactory.getLog(AttributeValueChecker.class); static boolean test(Check attr, AuthorizationRequest ar, String... values) { CheckType testType = attr.getType(); 
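Review bot: `log` is widened from `private static final` to package-visible only so that SparqlSelectQueryResultsChecker can write through `AttributeValueChecker.log`, yet that class declares its own `private static final Log log` in this patch. Log lines from the SPARQL checker would then appear under the wrong category, which makes them harder to filter when tracing an authorization decision. Keep `private static final Log log` here and use the local `log` in the new class.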
@@ -30,44 +24,14 @@ static boolean test(Check attr, AuthorizationRequest ar, String... values) { case STARTS_WITH: return startsWith(attr, values); case SPARQL_SELECT_QUERY_RESULTS_CONTAIN: - return sparqlQueryContains(attr, ar, values); + return SparqlSelectQueryResultsChecker.sparqlSelectQueryResultsContain(attr, ar, values); case SPARQL_SELECT_QUERY_RESULTS_NOT_CONTAIN: - return !sparqlQueryContains(attr, ar, values); + return !SparqlSelectQueryResultsChecker.sparqlSelectQueryResultsContain(attr, ar, values); default: return false; } } - private static boolean sparqlQueryContains(Check attr, AuthorizationRequest ar, String[] inputValues) { - AttributeValueSet values = attr.getValues(); - if (!values.containsSingleValue()) { - log.error("SparqlQueryContains more than one value"); - return false; - } - String queryTemplate = values.getSingleValue(); - if (StringUtils.isBlank(queryTemplate)) { - log.error("SparqlQueryContains template is empty"); - return false; - } - AccessObject ao = ar.getAccessObject(); - Model m = ao.getStatementOntModel(); - if (m == null) { - log.debug("SparqlQueryContains model is not provided"); - return false; - } - List personUris = ar.getEditorUris(); - if (personUris.isEmpty()) { - if (queryTemplate.contains("?personUri")) { - log.debug("Subject has no person URIs"); - return false; - } else { - personUris.add(""); - } - } - List resourceUris = Arrays.asList(ao.getResourceUris()); - return ProximityChecker.isAnyRelated(m, resourceUris, personUris, queryTemplate); - } - private static boolean contains(Check attr, String... inputValues) { AttributeValueSet values = attr.getValues(); for (String inputValue : inputValues) { diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/Check.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/Check.java index 99a06bc020..7f6ee08d7b 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/Check.java 
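Review bot: The `SPARQL_SELECT_QUERY_RESULTS_NOT_CONTAIN` case negates a helper that returns `false` not only for "no match" but on every failure path in the new checker (more than one value, blank template, missing model, no profile URIs, and a query exception that is only logged), so a misconfigured or failing check evaluates to `true`. If a rule relies on this operator to restrict access, that outcome is fail-open. Consider letting the helper report "could not evaluate" separately from "no match" and returning `false` from this case when evaluation failed. `test` begins above the hunk.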
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/Check.java @@ -26,4 +26,8 @@ public interface Check { long getComputationalCost(); + void setConfiguration(String configuration); + + String getConfiguration(); + } diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/CheckFactory.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/CheckFactory.java index 1a18355be8..444ca2d8b0 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/CheckFactory.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/CheckFactory.java @@ -8,6 +8,7 @@ import edu.cornell.mannlib.vitro.webapp.auth.attributes.ValueSetFactory; import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyLoader; import org.apache.jena.query.QuerySolution; +import org.apache.jena.rdf.model.RDFNode; public class CheckFactory { @@ -48,9 +49,18 @@ public static Check createCheck(QuerySolution qs, AttributeValueKey dataSetKey) check = null; } check.setType(CheckType.valueOf(testId)); + setConfiguration(qs, check); return check; } + private static void setConfiguration(QuerySolution qs, Check check) { + RDFNode rdfNode = qs.get("config"); + if (rdfNode == null || !rdfNode.isLiteral()) { + return; + } + check.setConfiguration(rdfNode.asLiteral().toString()); + } + private static String getValue(QuerySolution qs) { if (!qs.contains(PolicyLoader.LITERAL_VALUE) || !qs.get(PolicyLoader.LITERAL_VALUE).isLiteral()) { String value = qs.getResource(PolicyLoader.ATTR_VALUE).getURI(); diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/ProximityChecker.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/ProximityChecker.java deleted file mode 100644 index e1f4931008..0000000000 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/ProximityChecker.java +++ /dev/null 
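Review bot: In CheckFactory, `setConfiguration` stores `rdfNode.asLiteral().toString()`, which is the literal's display form and may carry a language tag or datatype suffix depending on how the query text is typed in the policy file. Since the value is later used as a SPARQL query template, `rdfNode.asLiteral().getLexicalForm()` is the safer accessor. The variable name `"config"` is a bare string here while the neighbouring `getValue` uses `PolicyLoader.LITERAL_VALUE` and `PolicyLoader.ATTR_VALUE`; a matching constant would keep the loader query and the factory in step. `createCheck` starts above the hunk.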
@@ -1,89 +0,0 @@ -/* $This file is distributed under the terms of the license in LICENSE$ */ - -package edu.cornell.mannlib.vitro.webapp.auth.checks; - -import java.util.ArrayList; -import java.util.HashMap; -import java.util.Iterator; -import java.util.List; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.apache.jena.query.ParameterizedSparqlString; -import org.apache.jena.query.Query; -import org.apache.jena.query.QueryExecution; -import org.apache.jena.query.QueryExecutionFactory; -import org.apache.jena.query.QueryFactory; -import org.apache.jena.query.QuerySolution; -import org.apache.jena.query.ResultSet; -import org.apache.jena.rdf.model.Model; -import org.apache.jena.rdf.model.RDFNode; - -public class ProximityChecker { - private static final Log log = LogFactory.getLog(ProximityChecker.class); - - public static boolean isAnyRelated(Model ontModel, List resourceUris, List personUris, - String query) { - for (String personUri : personUris) { - List connectedResourceUris = getRelatedUris(ontModel, personUri, query); - for (String connectedResourceUri : connectedResourceUris) { - if (resourceUris.contains(connectedResourceUri)) { - return true; - } - } - } - return false; - } - - private static List getRelatedUris(Model model, String personUri, String queryTemplate) { - HashMap> queryMap = QueryResultsMapCache.get(); - String queryMapKey = createQueryMapKey(personUri, queryTemplate); - if (queryMap.containsKey(queryMapKey)) { - return queryMap.get(queryMapKey); - } - List results = new ArrayList<>(); - ParameterizedSparqlString pss = new ParameterizedSparqlString(); - pss.setCommandText(queryTemplate); - pss.setIri("personUri", personUri); - String queryText = pss.toString(); - debug("queryText: " + queryText); - Query query = QueryFactory.create(queryText); - QueryExecution queryExecution = QueryExecutionFactory.create(query, model); - try { - ResultSet resultSet = queryExecution.execSelect(); - while 
(resultSet.hasNext()) { - QuerySolution qs = resultSet.nextSolution(); - addSolutionValues(results, qs); - } - } finally { - queryExecution.close(); - } - debug("query results: " + results); - queryMap.put(queryMapKey, results); - QueryResultsMapCache.update(queryMap); - return results; - } - - private static void addSolutionValues(List results, QuerySolution qs) { - Iterator names = qs.varNames(); - while (names.hasNext()) { - String name = names.next(); - RDFNode node = qs.get(name); - if (node.isURIResource()) { - results.add(node.asResource().getURI()); - } else if (node.isLiteral()) { - results.add(node.asLiteral().toString()); - } - } - } - - private static void debug(String queryText) { - if (log.isDebugEnabled()) { - log.debug(queryText); - } - } - - private static String createQueryMapKey(String personUri, String queryTemplate) { - return queryTemplate + "." + personUri; - } -} diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/QueryResultsMapCache.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/QueryResultsMapCache.java index 761131cdbd..7d6fd99691 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/QueryResultsMapCache.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/QueryResultsMapCache.java @@ -4,7 +4,7 @@ import java.io.IOException; import java.util.HashMap; -import java.util.List; +import java.util.Set; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; @@ -12,11 +12,11 @@ public class QueryResultsMapCache implements AutoCloseable { private static final Log log = LogFactory.getLog(QueryResultsMapCache.class); - private static ThreadLocal>> threadLocal = - new ThreadLocal>>(); + private static ThreadLocal>> threadLocal = + new ThreadLocal>>(); public QueryResultsMapCache() { - threadLocal.set(new HashMap>()); + threadLocal.set(new HashMap>()); log.debug("Query results map cache initialized"); } 
@@ -26,10 +26,10 @@ public void close() throws IOException { log.debug("QueryResultsMapCache is closed"); } - public static HashMap> get() { - HashMap> queryResultsMap = threadLocal.get(); + public static HashMap> get() { + HashMap> queryResultsMap = threadLocal.get(); if (queryResultsMap == null) { - queryResultsMap = new HashMap>(); + queryResultsMap = new HashMap>(); log.debug("Use a non-cached query results map"); } else { log.debug("Use cached query results map"); @@ -37,7 +37,7 @@ public static HashMap> get() { return queryResultsMap; } - public static void update(HashMap> queryResultsMap) { + public static void update(HashMap> queryResultsMap) { if (threadLocal.get() != null) { threadLocal.set(queryResultsMap); log.debug("Query results map cache has been updated"); diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/SparqlSelectQueryResultsChecker.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/SparqlSelectQueryResultsChecker.java new file mode 100644 index 0000000000..bc2dc16bf0 --- /dev/null +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/SparqlSelectQueryResultsChecker.java 
@@ -0,0 +1,154 @@ +/* $This file is distributed under the terms of the license in LICENSE$ */ + +package edu.cornell.mannlib.vitro.webapp.auth.checks; + +import java.util.Arrays; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Iterator; +import java.util.Optional; +import java.util.Set; + +import edu.cornell.mannlib.vitro.webapp.auth.attributes.AttributeValueSet; +import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject; +import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest; +import org.apache.commons.lang3.StringUtils; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.jena.query.ParameterizedSparqlString; +import org.apache.jena.query.Query; +import org.apache.jena.query.QueryExecution; +import org.apache.jena.query.QueryExecutionFactory; +import org.apache.jena.query.QueryFactory; +import org.apache.jena.query.QuerySolution; +import org.apache.jena.query.ResultSet; +import org.apache.jena.rdf.model.Model; +import org.apache.jena.rdf.model.RDFNode; + +public class SparqlSelectQueryResultsChecker { + private static final Log log = LogFactory.getLog(SparqlSelectQueryResultsChecker.class); + + public static boolean sparqlSelectQueryResultsContain(Check check, AuthorizationRequest ar, String[] inputValues) { + AttributeValueSet values = check.getValues(); + if (!values.containsSingleValue()) { + AttributeValueChecker.log.error("SparqlQueryContains more than one value"); + return false; + } + String queryTemplate = check.getConfiguration(); + if (StringUtils.isBlank(queryTemplate)) { + queryTemplate = values.getSingleValue(); + } + if (StringUtils.isBlank(queryTemplate)) { + AttributeValueChecker.log.error("SparqlQueryContains template is empty"); + return false; + } + AccessObject ao = ar.getAccessObject(); + Model m = ao.getModel(); + if (m == null) { + AttributeValueChecker.log.debug("SparqlQueryContains model is not provided"); + return false; + } + 
Set profileUris = new HashSet(ar.getEditorUris()); + if (profileUris.isEmpty()) { + if (queryTemplate.contains("?profileUri")) { + AttributeValueChecker.log.debug("Subject has no person URIs"); + return false; + } else { + profileUris.add(""); + } + } + Set comparedValues = new HashSet<>(); + if (isQueryProvidedInConfiguration(check)) { + addRelatedUrisToComparedValues(ao, comparedValues); + } else { + addValuesToComparedValues(values, comparedValues); + } + for (String profileUri : profileUris) { + Set sparqlSelectResults = getSparqlSelectResults(m, profileUri, queryTemplate, ar); + // Return true if intersection is not empty + comparedValues.retainAll(sparqlSelectResults); + if (!comparedValues.isEmpty()) { + return true; + } + } + return false; + } + + private static void addValuesToComparedValues(AttributeValueSet values, Set comparedValues) { + comparedValues.addAll(values.getValues()); + } + + private static void addRelatedUrisToComparedValues(AccessObject ao, Set comparedValues) { + comparedValues.addAll(Arrays.asList(ao.getResourceUris())); + } + + private static boolean isQueryProvidedInConfiguration(Check check) { + return StringUtils.isBlank(check.getConfiguration()); + } + + private static Set getSparqlSelectResults(Model model, String profileUri, String queryTemplate, + AuthorizationRequest ar) { + HashMap> queryMap = QueryResultsMapCache.get(); + String queryMapKey = createQueryMapKey(profileUri, queryTemplate); + if (queryMap.containsKey(queryMapKey)) { + return queryMap.get(queryMapKey); + } + Set results = new HashSet<>(); + ParameterizedSparqlString pss = new ParameterizedSparqlString(); + pss.setCommandText(queryTemplate); + setVariables(profileUri, ar, pss); + + String queryText = pss.toString(); + debug("queryText: " + queryText); + Query query = QueryFactory.create(queryText); + QueryExecution queryExecution = QueryExecutionFactory.create(query, model); + try { + ResultSet resultSet = queryExecution.execSelect(); + while (resultSet.hasNext()) 
{ + QuerySolution qs = resultSet.nextSolution(); + addSolutionValues(results, qs); + } + } catch (Exception e) { + log.error(e, e); + } finally { + queryExecution.close(); + } + debug("query results: " + results); + queryMap.put(queryMapKey, results); + QueryResultsMapCache.update(queryMap); + return results; + } + + private static void setVariables(String profileUri, AuthorizationRequest ar, ParameterizedSparqlString pss) { + pss.setIri("profileUri", profileUri); + AccessObject object = ar.getAccessObject(); + Optional uri = object.getUri(); + if (uri.isPresent()) { + pss.setIri("objectUri", uri.get()); + } + } + + private static void addSolutionValues(Set results, QuerySolution qs) { + Iterator names = qs.varNames(); + while (names.hasNext()) { + String name = names.next(); + RDFNode node = qs.get(name); + if (node.isURIResource()) { + results.add(node.asResource().getURI()); + } else if (node.isLiteral()) { + results.add(node.asLiteral().toString()); + } + } + } + + private static void debug(String queryText) { + if (log.isDebugEnabled()) { + log.debug(queryText); + } + } + + private static String createQueryMapKey(String profileUri, String queryTemplate) { + return queryTemplate + "." + profileUri; + } + +} diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/AccessObject.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/AccessObject.java index 32e003cd5e..ffd0884537 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/AccessObject.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/AccessObject.java @@ -15,6 +15,7 @@ public abstract class AccessObject { public static String SOME_URI = "?SOME_URI"; public static Property SOME_PREDICATE = new Property(SOME_URI); public static String SOME_LITERAL = "?SOME_LITERAL"; + private Model model = null; protected AccessObjectStatement statement; private DataProperty dataProperty; 
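Review bot: In `sparqlSelectQueryResultsContain` the loop calls `comparedValues.retainAll(sparqlSelectResults)`, which empties `comparedValues` after the first profile URI that does not match, so every later profile URI is compared against an empty set and can never match; the removed `ProximityChecker.isAnyRelated` tested each person independently. A non-mutating test keeps that behaviour: `if (sparqlSelectResults.stream().anyMatch(comparedValues::contains)) { return true; }`. Separately, `setVariables` now binds `?objectUri`, but `createQueryMapKey` still builds the cache key from the template and profile URI only, so a result cached for one object can be returned for another while the same cache is active; adding the object URI to the key avoids that. `isQueryProvidedInConfiguration` returns `StringUtils.isBlank(...)`, i.e. true when the configuration is absent, so its name reads as the opposite of what it tests.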
@@ -50,16 +51,12 @@ protected void initializeStatement() { } } - public void setStatementOntModel(Model ontModel) { - initializeStatement(); - statement.setModel(ontModel); + public void setModel(Model ontModel) { + model = ontModel; } - public Model getStatementOntModel() { - if (statement != null) { - return statement.getModel(); - } - return null; + public Model getModel() { + return model; } public void setStatementSubject(String subject) { diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/AccessObjectStatement.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/AccessObjectStatement.java index 91872cd146..db65bfa47a 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/AccessObjectStatement.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/AccessObjectStatement.java @@ -4,23 +4,13 @@ import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType; import edu.cornell.mannlib.vitro.webapp.beans.Property; -import org.apache.jena.rdf.model.Model; public class AccessObjectStatement { - private Model model = null; private String subject = null; private Property predicate = null; private String object = null; - public Model getModel() { - return model; - } - - public void setModel(Model model) { - this.model = model; - } - public String getSubject() { return subject; } diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/DataPropertyStatementAccessObject.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/DataPropertyStatementAccessObject.java index 644b71e116..f69731b63e 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/DataPropertyStatementAccessObject.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/DataPropertyStatementAccessObject.java 
@@ -15,7 +15,7 @@ public class DataPropertyStatementAccessObject extends AccessObject { public DataPropertyStatementAccessObject(OntModel ontModel, String subjectUri, String predicateUri, String dataValue) { - setStatementOntModel(ontModel); + setModel(ontModel); setStatementSubject(subjectUri); setStatementPredicate(new Property(predicateUri)); setStatementObject(dataValue); @@ -24,7 +24,7 @@ public DataPropertyStatementAccessObject(OntModel ontModel, String subjectUri, S public DataPropertyStatementAccessObject(OntModel ontModel, String subjectUri, Property predicate, String dataValue) { - setStatementOntModel(ontModel); + setModel(ontModel); setStatementSubject(subjectUri); setStatementPredicate(predicate); setStatementObject(dataValue); @@ -32,7 +32,7 @@ public DataPropertyStatementAccessObject(OntModel ontModel, String subjectUri, P } public DataPropertyStatementAccessObject(OntModel ontModel, DataPropertyStatement dps) { - setStatementOntModel(ontModel); + setModel(ontModel); setStatementSubject((dps.getIndividual() == null) ? dps.getIndividualURI() : dps.getIndividual().getURI()); setStatementPredicate(new Property(dps.getDatapropURI())); setStatementObject(dps.getData()); diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/FauxDataPropertyStatementAccessObject.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/FauxDataPropertyStatementAccessObject.java index 61dbfcfd1e..383f47dcc9 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/FauxDataPropertyStatementAccessObject.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/FauxDataPropertyStatementAccessObject.java 
@@ -12,7 +12,7 @@ public class FauxDataPropertyStatementAccessObject extends AccessObject { public FauxDataPropertyStatementAccessObject(OntModel ontModel, String subjectUri, FauxProperty predicate, String dataValue) { - setStatementOntModel(ontModel); + setModel(ontModel); setStatementSubject(subjectUri); this.predicate = predicate; setStatementObject(dataValue); diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/FauxObjectPropertyStatementAccessObject.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/FauxObjectPropertyStatementAccessObject.java index 186a00505f..b710ae1722 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/FauxObjectPropertyStatementAccessObject.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/FauxObjectPropertyStatementAccessObject.java @@ -12,7 +12,7 @@ public class FauxObjectPropertyStatementAccessObject extends AccessObject { public FauxObjectPropertyStatementAccessObject(Model ontModel, String subjectUri, FauxProperty fauxProperty, String objectUri) { - setStatementOntModel(ontModel); + setModel(ontModel); setStatementSubject(subjectUri); predicate = fauxProperty; setStatementObject(objectUri); diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/ObjectPropertyStatementAccessObject.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/ObjectPropertyStatementAccessObject.java index 87db9869a2..33de4b03ba 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/ObjectPropertyStatementAccessObject.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/ObjectPropertyStatementAccessObject.java 
@@ -14,7 +14,7 @@ public class ObjectPropertyStatementAccessObject extends AccessObject { public ObjectPropertyStatementAccessObject(Model ontModel, String subjectUri, Property predicate, String objectUri) { - setStatementOntModel(ontModel); + setModel(ontModel); setStatementSubject(subjectUri); setStatementPredicate(predicate); setStatementObject(objectUri); diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/EntityPolicyController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/EntityPolicyController.java index b32987e03a..4bf7212e03 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/EntityPolicyController.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/EntityPolicyController.java @@ -4,6 +4,8 @@ import static edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary.AUTH_VOCABULARY_PREFIX; +import java.util.ArrayList; +import java.util.Arrays; import java.util.Collections; import java.util.HashMap; import java.util.HashSet; @@ -90,12 +92,17 @@ public static void grantAccess(String entityUri, AccessObjectType aot, AccessOpe } } else { extendInactiveValueSet(entityUri, aot, ao, role, namedKeyComponents); - loadPolicy(aot, ao, role); + loadPolicy(aot, ao, role, namedKeyComponents); } } - private static void loadPolicy(AccessObjectType aot, AccessOperation ao, String role) { - String dataSetUri = getLoader().getDataSetUriByKey(ao.toString(), aot.toString(), role); + private static void loadPolicy(AccessObjectType aot, AccessOperation ao, String role, + String... namedKeyComponents) { + String[] ids = Arrays.copyOf(namedKeyComponents, namedKeyComponents.length + 3); + ids[ids.length - 1] = ao.toString(); + ids[ids.length - 2] = aot.toString(); + ids[ids.length - 3] = role; + String dataSetUri = getLoader().getDataSetUriByKey(ids); if (dataSetUri != null) { DynamicPolicy policy = getLoader().loadPolicyFromTemplateDataSet(dataSetUri); if (policy != null) { 
@@ -179,7 +186,7 @@ private static boolean isUriInTestDataset(String entityUri, AccessOperation ao,
 private static String getValueSetUri(AccessObjectType aot, AccessOperation ao, String role, String... namedKeyComponents) {
- String key = aot.toString() + "." + ao.toString() + "." + role;
+ String key = generateKey(aot, ao, role, namedKeyComponents);
 if (policyKeyToDataValueMap.containsKey(key)) {
 return policyKeyToDataValueMap.get(key);
 }
@@ -187,4 +194,15 @@ private static String getValueSetUri(AccessObjectType aot, AccessOperation ao, S
 policyKeyToDataValueMap.put(key, uri);
 return uri;
 }
+
+ private static String generateKey(AccessObjectType aot, AccessOperation ao, String role,
+ String[] namedKeyComponents) {
+ String key = aot.toString() + "." + ao.toString() + "." + role;
+ if (namedKeyComponents.length > 0) {
+ List namedKeys = new ArrayList<>(Arrays.asList(namedKeyComponents));
+ Collections.sort(namedKeys);
+ key = key + String.join(".", namedKeys);
+ }
+ return key;
+ }
 }
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/InvalidSolutionException.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/InvalidSolutionException.java
new file mode 100644
index 0000000000..0cb3bbecff
--- /dev/null
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/InvalidSolutionException.java
@@ -0,0 +1,9 @@
+package edu.cornell.mannlib.vitro.webapp.auth.policy;
+
+public class InvalidSolutionException extends RuntimeException {
+
+ public InvalidSolutionException(String string) {
+ super(string);
+ }
+
+}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoader.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoader.java
index 8bb5616239..fecd7028a2 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoader.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoader.java
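Review bot: In the added `generateKey`, the sorted named key components are appended to the base key with no separator in front of them (`key = key + String.join(".", namedKeys);`), so the role and the first component run together. This string is the lookup key for `policyKeyToDataValueMap`, so a role whose text ends with a component name and a shorter role combined with that component could produce the same key and receive the same cached value-set URI. Adding the delimiter keeps the parts apart: `key = key + "." + String.join(".", namedKeys);`.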
@@ -95,7 +95,8 @@ public class PolicyLoader { private static final String NO_DATASET_RULES_QUERY = "" + "prefix auth: \n" + "prefix access: \n" - + "SELECT DISTINCT ?policyUri ?rule ?check ?testId ?typeId ?value ?lit_value ?decision_id \n" + + "SELECT DISTINCT ?policyUri ?rule ?check ?config ?attributeValue " + + "?testId ?typeId ?value ?lit_value ?decision_id \n" + "WHERE {\n" + " GRAPH {\n" + " ?policy a access:Policy .\n" @@ -114,6 +115,10 @@ public class PolicyLoader { + " }\n" + " }\n" + " OPTIONAL {\n" + + " ?check access:useConfiguration ?configUri . \n" + + " ?configUri access:id ?config . \n" + + " }\n" + + " OPTIONAL {\n" + " ?rule access:hasDecision ?decision . \n" + " ?decision access:id ?decision_id . \n" + " }\n" @@ -134,7 +139,7 @@ public class PolicyLoader { private static final String DATASET_RULES_QUERY = "" + "prefix auth: \n" + "prefix access: \n" - + "SELECT DISTINCT ?policyUri ?rule ?check ?testId ?typeId ?value ?lit_value ?decision_id " + + "SELECT DISTINCT ?policyUri ?rule ?check ?config ?testId ?typeId ?value ?lit_value ?decision_id " + " ?dataSetUri ?attributeValue ?setElementsType \n" + "WHERE {\n" + " GRAPH {\n" @@ -156,6 +161,10 @@ public class PolicyLoader { + " }\n" + " }\n" + " OPTIONAL {\n" + + " ?check access:useConfiguration ?configUri . \n" + + " ?configUri access:id ?config . \n" + + " }\n" + + " OPTIONAL {\n" + " ?rule access:hasDecision ?decision .\n" + " ?decision access:id ?decision_id .\n" + " }\n" @@ -635,9 +644,7 @@ private void loadRulesWithoutDataSet(String policyUri, Map r @Override protected void processQuerySolution(QuerySolution qs) { try { - if (isInvalidPolicySolution(qs)) { - throw new Exception(); - } + isInvalidPolicySolution(qs); if (isRuleContinues(rules, qs)) { String ruleUri = qs.getResource("rule").getURI(); populateRule(rules.get(ruleUri), qs, null); 
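Review bot: The `catch` that now receives InvalidSolutionException from `isInvalidPolicySolution(qs);` lies outside this hunk and outside the matching hunk at `@@ -675,9 +682,7`, so it cannot be confirmed from here that the exception message is logged. The `log.debug(...)` calls this commit removes were the only record of why a solution was rejected, so the handler should log what it catches, in the file's own style `log.error(e, e);` if `e` is its variable. If the handler skips only the offending solution, the rule may presumably be loaded with fewer checks than the policy defines and so match more requests than intended; it is worth checking that such a rule is discarded as a whole and saying so in a comment at the call.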
@@ -675,9 +682,7 @@ private void loadRulesForDataSet(Map rules, String dataSetUr @Override protected void processQuerySolution(QuerySolution qs) { try { - if (isInvalidPolicySolution(qs)) { - throw new Exception(); - } + isInvalidPolicySolution(qs); if (isRuleContinues(rules, qs)) { String ruleUri = qs.getResource("rule").getURI(); populateRule(rules.get(ruleUri), qs, dataSetKey); 
@@ -757,36 +762,33 @@ private static void populateRule(AccessRule ar, QuerySolution qs, AttributeValue
 }
 }
- private static boolean isInvalidPolicySolution(QuerySolution qs) {
+ private static void isInvalidPolicySolution(QuerySolution qs) {
 if (!qs.contains("policyUri") || !qs.get("policyUri").isResource()) {
- log.debug("Query solution doesn't contain policy uri");
- return true;
+ throw new InvalidSolutionException("Query solution doesn't contain policy uri");
 }
 String policy = qs.get("policyUri").asResource().getURI();
 if (!qs.contains("rule") || !qs.get("rule").isResource()) {
- log.debug(String.format("Query solution for policy <%s> doesn't contain rule uri", policy));
- return true;
+ throw new InvalidSolutionException(
+ String.format("Query solution for policy <%s> doesn't contain rule uri", policy));
 }
 String rule = qs.get("rule").asResource().getLocalName();
 if (!qs.contains("check") || !qs.get("check").isResource()) {
- log.debug(String.format("Query solution for policy <%s> doesn't contain check uri", policy));
- return true;
+ throw new InvalidSolutionException(
+ String.format("Query solution for policy <%s> doesn't contain check uri", policy));
 }
 String check = qs.get("check").asResource().getLocalName();
 if (!qs.contains("value")) {
- log.debug(String.format("Query solution for policy <%s> rule %s check %s doesn't contain value", policy,
- rule, check));
- return true;
+ throw new InvalidSolutionException(String.format(
+ "Query solution for policy <%s> rule %s check %s doesn't contain value", policy, rule, check));
 }
 if (!qs.contains("typeId") || !qs.get("typeId").isLiteral()) {
- log.debug(String.format("Query solution for policy <%s> doesn't contain check type id", policy));
- return true;
+ throw new InvalidSolutionException(
+ String.format("Query solution for policy <%s> doesn't contain check type id", policy));
 }
 if (!qs.contains("testId") || !qs.get("testId").isLiteral()) {
- log.debug(String.format("Query solution for policy <%s> doesn't contain check test id", policy));
- return true;
+ throw new InvalidSolutionException(
+ String.format("Query solution for policy <%s> doesn't contain check test id", policy));
 }
- return false;
 }
 private static void debug(String template, Object... objects) {
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/FreemarkerHttpServlet.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/FreemarkerHttpServlet.java
index cd19d42232..13b3c56758 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/FreemarkerHttpServlet.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/freemarker/FreemarkerHttpServlet.java
@@ -20,9 +20,7 @@ import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import edu.cornell.mannlib.vitro.webapp.auth.checks.ProximityChecker;
 import edu.cornell.mannlib.vitro.webapp.auth.checks.QueryResultsMapCache;
-import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
 import edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest;
@@ -101,7 +99,7 @@ public void doGet( HttpServletRequest request, HttpServletResponse response )
 VitroRequest vreq = new VitroRequest(request);
 ResponseValues responseValues = null;
- try(QueryResultsMapCache personResourceCache = new QueryResultsMapCache()) {
+ try(QueryResultsMapCache sparqlQueryCache = new QueryResultsMapCache()) {
 // This method does a redirect if the required authorizations are not met, so just return.
 if (!isAuthorizedToDisplayPage(request, response, requiredActions(vreq))) {
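Review bot: `isInvalidPolicySolution` is now `void` and signals failure by throwing, so the `is…` name reads like a predicate whose result is discarded at the call sites (`isInvalidPolicySolution(qs);`). A name that states the action, for example `private static void validatePolicySolution(QuerySolution qs)`, would match what the method does. A short Javadoc with `@throws InvalidSolutionException` that lists the required bindings (policyUri, rule, check, value, typeId, testId) would document the contract that the removed boolean return used to imply.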
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/DisplayIndividualPageExcludeByUriTemplateTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/DisplayIndividualPageExcludeByUriTemplateTest.java index 37bca48d9d..e1dcd912e4 100644 --- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/DisplayIndividualPageExcludeByUriTemplateTest.java +++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/DisplayIndividualPageExcludeByUriTemplateTest.java @@ -50,7 +50,6 @@ public class DisplayIndividualPageExcludeByUriTemplateTest extends PolicyTest { @Test public void testLoadPolicy() { load(POLICY_PATH); - load(RESOURCES_RULES_PREFIX + "display_individual_page_exclude_uri.n3"); if (roleUri.equals(CUSTOM)) { PolicyTemplateController.createRoleDataSets(CUSTOM); diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper_ModelsTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper_ModelsTest.java index bc9855eae9..9871755065 100644 --- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper_ModelsTest.java +++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper_ModelsTest.java @@ -344,7 +344,7 @@ public PolicyDecision decide(AuthorizationRequest ar) { Statement friendStmt = objectStatement(PRIMARY_RESOURCE_URI, FRIEND_PREDICATE_URI, subjectUri); - if (statementExists(action.getStatementOntModel(), friendStmt)) { + if (statementExists(action.getModel(), friendStmt)) { return authorized(); } diff --git a/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/proximity_test_policy.n3 b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/proximity_test_policy.n3 index 465610f253..e5d8966c81 100644 --- a/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/proximity_test_policy.n3 
+++ b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/proximity_test_policy.n3 @@ -22,6 +22,6 @@ access-individual:PublicationInProximityAttribute rdf:type access:Check ; access-individual:PublicationProximityToPerson rdf:type access:ValueSet ; access:id """ SELECT ?resourceUri WHERE { - ?personUri ?resourceUri . + ?profileUri ?resourceUri . } """ . diff --git a/home/src/main/resources/rdf/tbox/firsttime/vitro-access-control-ontology.n3 b/home/src/main/resources/rdf/tbox/firsttime/vitro-access-control-ontology.n3 index db1d02a58a..48c397dc2c 100644 --- a/home/src/main/resources/rdf/tbox/firsttime/vitro-access-control-ontology.n3 +++ b/home/src/main/resources/rdf/tbox/firsttime/vitro-access-control-ontology.n3 @@ -154,6 +154,12 @@ rdfs:domain :Check ; rdfs:range :Operator . +:useConfiguration a owl:ObjectProperty ; + rdfs:comment "Use configuration in case :Check needs additional configuration"; + rdfs:label "use configuration"@en-US ; + rdfs:domain :Check ; + rdfs:range :AttributeValuePattern . + :hasTypeToCheck a owl:ObjectProperty , owl:FunctionalProperty ; rdfs:comment "Set attribute type that should be checked"; From 8984e8d9b9eb601f6c48601dcc636955b11a60bb Mon Sep 17 00:00:00 2001 
From: Georgy Litvinov Date: Wed, 20 Dec 2023 18:55:34 +0100 Subject: [PATCH 11/33] added template to exclude individual page from display by type --- .../auth/attributes/NamedKeyComponent.java | 2 +- ...dividualPageExcludeByTypeTemplateTest.java | 144 ++++++++++++++ .../rules/exclude_from_display_test_data.n3 | 4 + .../firsttime/named_key_components.n3 | 4 +- ...te_exclude_display_individual_page_type.n3 | 188 ++++++++++++++++++ 5 files changed, 339 insertions(+), 3 deletions(-) create mode 100644 api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/DisplayIndividualPageExcludeByTypeTemplateTest.java create mode 100644 api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/exclude_from_display_test_data.n3 create mode 100644 home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_type.n3 diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/NamedKeyComponent.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/NamedKeyComponent.java index 2ebcd39800..d8297a771b 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/NamedKeyComponent.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/NamedKeyComponent.java @@ -2,5 +2,5 @@ public enum NamedKeyComponent { URI_EXCLUSION, - CLASS_EXCLUSION; + TYPE_EXCLUSION; } diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/DisplayIndividualPageExcludeByTypeTemplateTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/DisplayIndividualPageExcludeByTypeTemplateTest.java new file mode 100644 index 0000000000..173ac34db6 --- /dev/null +++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/DisplayIndividualPageExcludeByTypeTemplateTest.java 
@@ -0,0 +1,144 @@
+package edu.cornell.mannlib.vitro.webapp.auth.policy;
+
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.INDIVIDUAL;
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.DISPLAY;
+import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.TYPE_EXCLUSION;
+import static edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult.INCONCLUSIVE;
+import static edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult.UNAUTHORIZED;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Set;
+
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation;
+import edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.IndividualAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.objects.NamedAccessObject;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.SimpleAuthorizationRequest;
+import org.apache.jena.rdf.model.Model;
+import org.apache.jena.rdf.model.ModelFactory;
+import org.apache.jena.shared.Lock;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+
+@RunWith(Parameterized.class)
+public class DisplayIndividualPageExcludeByTypeTemplateTest extends PolicyTest {
+
+ private static final NamedKeyComponent NAMED_KEY = TYPE_EXCLUSION;
+
+ private static final String TEST_ENTITY = "test:alice";
+ private static final String TEST_TYPE = "test:person";
+
+
+ public static final String POLICY_PATH =
+ USER_ACCOUNTS_HOME_FIRSTTIME + "template_exclude_display_individual_page_type.n3";
+ public static final String TEST_DATA = RESOURCES_RULES_PREFIX + "exclude_from_display_test_data.n3";
+
+ @org.junit.runners.Parameterized.Parameter(0)
+ public AccessOperation ao;
+
+ @org.junit.runners.Parameterized.Parameter(1)
+ public AccessObjectType type;
+
+ @org.junit.runners.Parameterized.Parameter(2)
+ public String roleUri;
+
+ @org.junit.runners.Parameterized.Parameter(3)
+ public int rulesCount;
+
+ @org.junit.runners.Parameterized.Parameter(4)
+ public Set attrCount;
+
+ @Test
+ public void testLoadPolicy() {
+ load(POLICY_PATH);
+ Model dataModel = ModelFactory.createDefaultModel();
+ try {
+ dataModel.enterCriticalSection(Lock.WRITE);
+ dataModel.read(TEST_DATA);
+ } finally {
+ dataModel.leaveCriticalSection();
+ }
+ if (roleUri.equals(CUSTOM)) {
+ PolicyTemplateController.createRoleDataSets(CUSTOM);
+ }
+ EntityPolicyController.grantAccess(TEST_TYPE, type, ao, roleUri, NAMED_KEY.toString());
+
+ String dataSetUri =
+ loader.getDataSetUriByKey(NAMED_KEY.toString(), ao.toString(), type.toString(), roleUri);
+ assertFalse(dataSetUri == null);
+ DynamicPolicy policy = loader.loadPolicyFromTemplateDataSet(dataSetUri);
+ assertTrue(policy != null);
+ assertEquals(1500, policy.getPriority());
+ countRulesAndAttributes(policy, 1, Collections.singleton(4));
+ policyDeniesAccess(policy, dataModel);
+
+ policyNotAffectsOtherTypes(policy, dataModel);
+ policyNotAffectsOtherEntities(policy, dataModel);
+ policyNotAffectsOtherOperations(policy, dataModel);
+ policyNotAffectsOtherRoles(policy, dataModel);
+ }
+
+ private void policyNotAffectsOtherRoles(DynamicPolicy policy, Model targetModel) {
+ AccessObject object = new IndividualAccessObject(TEST_ENTITY);
+ object.setModel(targetModel);
+ SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, AccessOperation.DISPLAY);
+ ar.setRoleUris(Arrays.asList(roleUri + "_NOT_EXISTS"));
+ assertEquals(INCONCLUSIVE, policy.decide(ar).getDecisionResult());
+ }
+
+ private void policyNotAffectsOtherEntities(DynamicPolicy policy, Model targetModel) {
+ AccessObject object = new IndividualAccessObject("test:another_entity");
+ object.setModel(targetModel);
+ SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, ao);
+ ar.setRoleUris(Arrays.asList(roleUri));
+ assertEquals(INCONCLUSIVE, policy.decide(ar).getDecisionResult());
+ }
+
+ private void policyNotAffectsOtherOperations(DynamicPolicy policy, Model targetModel) {
+ AccessObject object = new IndividualAccessObject(TEST_ENTITY);
+ object.setModel(targetModel);
+ SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, AccessOperation.ADD);
+ ar.setRoleUris(Arrays.asList(roleUri));
+ assertEquals(INCONCLUSIVE, policy.decide(ar).getDecisionResult());
+ }
+
+ private void policyNotAffectsOtherTypes(DynamicPolicy policy, Model targetModel) {
+ AccessObject object = new NamedAccessObject(TEST_ENTITY);
+ object.setModel(targetModel);
+ SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, ao);
+ ar.setRoleUris(Arrays.asList(roleUri));
+ assertEquals(INCONCLUSIVE, policy.decide(ar).getDecisionResult());
+ }
+
+ private void policyDeniesAccess(DynamicPolicy policy, Model targetModel) {
+ AccessObject object = new IndividualAccessObject(TEST_ENTITY);
+ object.setModel(targetModel);
+ SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, ao);
+ ar.setRoleUris(Arrays.asList(roleUri));
+ assertEquals(UNAUTHORIZED, policy.decide(ar).getDecisionResult());
+ }
+
+
+ @Parameterized.Parameters
+ public static Collection requests() {
+ return Arrays.asList(new Object[][] {
+ { DISPLAY, INDIVIDUAL, ADMIN, 1, num(4) },
+ { DISPLAY, INDIVIDUAL, CURATOR, 1, num(4) },
+ { DISPLAY, INDIVIDUAL, EDITOR, 1, num(4) },
+ { DISPLAY, INDIVIDUAL, SELF_EDITOR, 1, num(4) },
+ { DISPLAY, INDIVIDUAL, PUBLIC, 1, num(4) },
+ { DISPLAY, INDIVIDUAL, CUSTOM, 1, num(4) },});
+ }
+
+ private static Set num(int i) {
+ return Collections.singleton(i);
+ }
+}
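Review bot: The parameters `rulesCount` and `attrCount` are declared and filled by `requests()` but never read, because `testLoadPolicy` passes literals in `countRulesAndAttributes(policy, 1, Collections.singleton(4));`. Using the parameters, `countRulesAndAttributes(policy, rulesCount, attrCount);`, keeps the parameter table and the assertion in step. `policyNotAffectsOtherRoles` also hard-codes `AccessOperation.DISPLAY` where the sibling helpers use `ao`; it is equivalent for the current rows but would silently diverge if another operation were added to the table.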
diff --git a/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/exclude_from_display_test_data.n3 b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/exclude_from_display_test_data.n3 new file mode 100644 index 0000000000..04e0ae86f3 --- /dev/null +++ b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/exclude_from_display_test_data.n3 @@ -0,0 +1,4 @@ +# $This file is distributed under the terms of the license in LICENSE$ + + . + diff --git a/home/src/main/resources/rdf/accessControl/firsttime/named_key_components.n3 b/home/src/main/resources/rdf/accessControl/firsttime/named_key_components.n3 index 9d05de8037..dbe96966a0 100644 --- a/home/src/main/resources/rdf/accessControl/firsttime/named_key_components.n3 +++ b/home/src/main/resources/rdf/accessControl/firsttime/named_key_components.n3 @@ -6,5 +6,5 @@ access-individual:UriExclusion a access:NamedKeyComponent ; access:id "URI_EXCLUSION" . -access-individual:ClassExclusion a access:NamedKeyComponent ; - access:id "CLASS_EXCLUSION" . +access-individual:TypeExclusion a access:NamedKeyComponent ; + access:id "TYPE_EXCLUSION" . diff --git a/home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_type.n3 b/home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_type.n3 new file mode 100644 index 0000000000..9a34e37119 --- /dev/null +++ b/home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_type.n3 
@@ -0,0 +1,188 @@ +# $This file is distributed under the terms of the license in LICENSE$ + +@prefix auth: . +@prefix access-individual: . +@prefix access: . +@prefix : . + +:PolicyTemplate a access:PolicyTemplate ; + access:priority 1500 ; + access:hasRule :ExcludeMatchingUri ; + access:hasDataSet :PublicDisplayExclusionDataSet ; + access:hasDataSet :SelfEditorDisplayExclusionDataSet ; + access:hasDataSet :EditorDisplayExclusionDataSet ; + access:hasDataSet :CuratorDisplayExclusionDataSet ; + access:hasDataSet :AdminDisplayExclusionDataSet ; + access:hasDataSetTemplate :RoleDisplayExclusionDataSetTemplate ; + . + +#Role Display data set template + +:RoleDisplayExclusionDataSetTemplate a access:DataSetTemplate ; + access:hasDataSetTemplateKey :RoleDisplayExclusionDataSetTemplateKey ; + access:hasDataSetKeyTemplate :RoleDisplayExclusionDataSetKeyTemplate ; + access:hasRelatedValueSet access-individual:IndividualValueSet ; + access:hasRelatedValueSet access-individual:DisplayOperationValueSet ; + access:dataSetValueTemplate :RoleDisplayRoleValueSetTemplate ; + access:dataSetValueTemplate :RoleDisplayValueSetTemplate . + +:RoleDisplayExclusionDataSetTemplateKey a access:DataSetTemplateKey ; + access:hasTemplateKeyComponent access-individual:SubjectRole . + +:RoleDisplayExclusionDataSetKeyTemplate a access:DataSetKeyTemplate ; + access:hasKeyComponent access-individual:IndividualAccessObject ; + access:hasKeyComponent access-individual:DisplayOperation ; + access:hasKeyComponent access-individual:TypeExclusion ; + access:hasKeyComponentTemplate access-individual:SubjectRole . + +:RoleDisplayRoleValueSetTemplate a access:ValueSetTemplate ; + access:relatedCheck :SubjectRoleCheck; + access:containsElementsOfType access-individual:SubjectRole . + +:RoleDisplayValueSetTemplate a access:ValueSetTemplate ; + access:relatedCheck :AccessObjectClassCheck ; +# access:value access-individual:defaultUri ; + access:containsElementsOfType access-individual:IndividualAccessObject . 
+ +### Public display uri data sets + +:PublicDisplayExclusionDataSet a access:DataSet ; + access:hasDataSetKey :PublicDisplayExclusionDataSetKey ; + access:hasRelatedValueSet access-individual:PublicRoleValueSet ; + access:hasRelatedValueSet access-individual:IndividualValueSet ; + access:hasRelatedValueSet access-individual:DisplayOperationValueSet ; + access:hasRelatedValueSet :PublicDisplayValueSet . + +:PublicDisplayExclusionDataSetKey a access:DataSetKey ; + access:hasKeyComponent access-individual:IndividualAccessObject ; + access:hasKeyComponent access-individual:PublicRoleUri ; + access:hasKeyComponent access-individual:TypeExclusion ; + access:hasKeyComponent access-individual:DisplayOperation . + +### SelfEditor display uri data sets + +:SelfEditorDisplayExclusionDataSet a access:DataSet ; + access:hasDataSetKey :SelfEditorDisplayExclusionDataSetKey ; + access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ; + access:hasRelatedValueSet access-individual:IndividualValueSet ; + access:hasRelatedValueSet access-individual:DisplayOperationValueSet ; + access:hasRelatedValueSet :SelfEditorDisplayValueSet . + +:SelfEditorDisplayExclusionDataSetKey a access:DataSetKey ; + access:hasKeyComponent access-individual:IndividualAccessObject ; + access:hasKeyComponent access-individual:SelfEditorRoleUri ; + access:hasKeyComponent access-individual:TypeExclusion ; + access:hasKeyComponent access-individual:DisplayOperation . + +### Editor display uri data sets + +:EditorDisplayExclusionDataSet a access:DataSet ; + access:hasDataSetKey :EditorDisplayExclusionDataSetKey ; + access:hasRelatedValueSet access-individual:EditorRoleValueSet ; + access:hasRelatedValueSet access-individual:IndividualValueSet ; + access:hasRelatedValueSet access-individual:DisplayOperationValueSet ; + access:hasRelatedValueSet :EditorDisplayValueSet . 
+ +:EditorDisplayExclusionDataSetKey a access:DataSetKey ; + access:hasKeyComponent access-individual:IndividualAccessObject ; + access:hasKeyComponent access-individual:EditorRoleUri ; + access:hasKeyComponent access-individual:TypeExclusion ; + access:hasKeyComponent access-individual:DisplayOperation . + +### Curator display uri data sets + +:CuratorDisplayExclusionDataSet a access:DataSet ; + access:hasDataSetKey :CuratorDisplayExclusionDataSetKey ; + access:hasRelatedValueSet access-individual:CuratorRoleValueSet ; + access:hasRelatedValueSet access-individual:IndividualValueSet ; + access:hasRelatedValueSet access-individual:DisplayOperationValueSet ; + access:hasRelatedValueSet :CuratorDisplayValueSet . + +:CuratorDisplayExclusionDataSetKey a access:DataSetKey ; + access:hasKeyComponent access-individual:IndividualAccessObject ; + access:hasKeyComponent access-individual:CuratorRoleUri ; + access:hasKeyComponent access-individual:TypeExclusion ; + access:hasKeyComponent access-individual:DisplayOperation . + +### Admin display uri data sets + +:AdminDisplayExclusionDataSet a access:DataSet ; + access:hasDataSetKey :AdminDisplayExclusionDataSetKey ; + access:hasRelatedValueSet access-individual:AdminRoleValueSet ; + access:hasRelatedValueSet access-individual:IndividualValueSet ; + access:hasRelatedValueSet access-individual:DisplayOperationValueSet ; + access:hasRelatedValueSet :AdminDisplayValueSet . + +:AdminDisplayExclusionDataSetKey a access:DataSetKey ; + access:hasKeyComponent access-individual:IndividualAccessObject ; + access:hasKeyComponent access-individual:AdminRoleUri ; + access:hasKeyComponent access-individual:TypeExclusion ; + access:hasKeyComponent access-individual:DisplayOperation . 
+
+### Rule
+
+:ExcludeMatchingUri a access:Rule;
+ access:hasDecision access-individual:Deny ;
+ access:requiresCheck :SubjectRoleCheck ;
+ access:requiresCheck :OperationCheck ;
+ access:requiresCheck :AccessObjectTypeCheck ;
+ access:requiresCheck :AccessObjectClassCheck .
+
+### Checks
+
+:AccessObjectTypeCheck a access:Check ;
+ access:useOperator access-individual:Equals ;
+ access:hasTypeToCheck access-individual:AccessObjectType ;
+ access:values access-individual:IndividualValueSet ;
+ .
+
+:OperationCheck a access:Check ;
+ access:useOperator access-individual:Equals ;
+ access:hasTypeToCheck access-individual:Operation ;
+ access:values access-individual:DisplayOperationValueSet ;
+ .
+
+:SubjectRoleCheck a access:Check ;
+ access:useOperator access-individual:Equals ;
+ access:hasTypeToCheck access-individual:SubjectRole ;
+ access:values access-individual:PublicRoleValueSet ;
+ access:values access-individual:SelfEditorRoleValueSet ;
+ access:values access-individual:EditorRoleValueSet ;
+ access:values access-individual:CuratorRoleValueSet ;
+ access:values access-individual:AdminRoleValueSet .
+
+:AccessObjectClassCheck a access:Check ;
+ access:useOperator access-individual:SparqlSelectQueryContains ;
+ access:useConfiguration :IndividualTypeQuery ;
+ access:hasTypeToCheck access-individual:AccessObjectUri ;
+ access:values :AdminDisplayValueSet ;
+ access:values :CuratorDisplayValueSet ;
+ access:values :EditorDisplayValueSet ;
+ access:values :PublicDisplayValueSet ;
+ access:values :SelfEditorDisplayValueSet ;
+ .
+
+:IndividualTypeQuery a access:SparqlSelectValuesQuery ;
+ access:id """
+ SELECT ?type WHERE {
+ ?objectUri ?type .
+ }
+ """ .
+
+###Value sets
+
+:AdminDisplayValueSet a access:ValueSet ;
+ access:containsElementsOfType access-individual:IndividualAccessObject .
+
+:CuratorDisplayValueSet a access:ValueSet ;
+ access:containsElementsOfType access-individual:IndividualAccessObject .
+ +:EditorDisplayValueSet a access:ValueSet ; + access:containsElementsOfType access-individual:IndividualAccessObject . + +:SelfEditorDisplayValueSet a access:ValueSet ; + access:containsElementsOfType access-individual:IndividualAccessObject . + +:PublicDisplayValueSet a access:ValueSet ; + access:containsElementsOfType access-individual:IndividualAccessObject . + From c7cdf8177e1c1c62bac422645df0a890a30c24ee Mon Sep 17 00:00:00 2001 From: Georgy Litvinov Date: Thu, 21 Dec 2023 08:30:31 +0100 Subject: [PATCH 12/33] fix: use objectUri as part of query map key in QueryResultsMapCache --- .../checks/SparqlSelectQueryResultsChecker.java | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/SparqlSelectQueryResultsChecker.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/SparqlSelectQueryResultsChecker.java index bc2dc16bf0..0603341733 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/SparqlSelectQueryResultsChecker.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/SparqlSelectQueryResultsChecker.java @@ -89,7 +89,7 @@ private static boolean isQueryProvidedInConfiguration(Check check) { private static Set getSparqlSelectResults(Model model, String profileUri, String queryTemplate, AuthorizationRequest ar) { HashMap> queryMap = QueryResultsMapCache.get(); - String queryMapKey = createQueryMapKey(profileUri, queryTemplate); + String queryMapKey = createQueryMapKey(profileUri, queryTemplate, ar); if (queryMap.containsKey(queryMapKey)) { return queryMap.get(queryMapKey); } 
@@ -147,8 +147,16 @@ private static void debug(String queryText) { } } - private static String createQueryMapKey(String profileUri, String queryTemplate) { - return queryTemplate + "." + profileUri; + private static String createQueryMapKey(String profileUri, String queryTemplate, AuthorizationRequest ar) { + String mapKey = queryTemplate + "." + profileUri; + if (queryTemplate.contains("?objectUri")) { + AccessObject object = ar.getAccessObject(); + Optional uri = object.getUri(); + if (uri.isPresent()) { + mapKey += "." + uri.get(); + } + } + return mapKey; } } From 0f850c8150863349097009dfbecdf903fe665959 Mon Sep 17 00:00:00 2001 From: Georgy Litvinov Date: Thu, 21 Dec 2023 10:03:45 +0100 Subject: [PATCH 13/33] Added NOT_RELATED key component --- .../vitro/webapp/auth/attributes/NamedKeyComponent.java | 3 ++- .../rdf/accessControl/firsttime/named_key_components.n3 | 3 +++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/NamedKeyComponent.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/NamedKeyComponent.java index d8297a771b..b775a114b0 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/NamedKeyComponent.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/NamedKeyComponent.java @@ -2,5 +2,6 @@ public enum NamedKeyComponent { URI_EXCLUSION, - TYPE_EXCLUSION; + TYPE_EXCLUSION, + NOT_RELATED, } diff --git a/home/src/main/resources/rdf/accessControl/firsttime/named_key_components.n3 b/home/src/main/resources/rdf/accessControl/firsttime/named_key_components.n3 index dbe96966a0..af7ee774c4 100644 --- a/home/src/main/resources/rdf/accessControl/firsttime/named_key_components.n3 +++ b/home/src/main/resources/rdf/accessControl/firsttime/named_key_components.n3 
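Review bot: The cache key in `createQueryMapKey` joins `queryTemplate`, `profileUri` and the object URI with `"."`, a character that occurs inside URIs, so two different profile/object pairs can produce the same key and one request could be handed the cached result set of another. These results feed authorization checks, so the key should be unambiguous; a separator that cannot occur in a URI does it, `String mapKey = queryTemplate + '\n' + profileUri;` and `mapKey += '\n' + uri.get();`. `ar.getAccessObject()` is also dereferenced without a null check; whether a request can carry no access object is not visible here, and if it can this throws from inside the checker. The first hunk of this file only passes `ar` through to this method.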
@@ -8,3 +8,6 @@ access-individual:UriExclusion a access:NamedKeyComponent ; access-individual:TypeExclusion a access:NamedKeyComponent ; access:id "TYPE_EXCLUSION" . + +access-individual:NotRelated a access:NamedKeyComponent ; + access:id "NOT_RELATED" . From f9745b73471ebe08255efe40fc92d9790a01398a Mon Sep 17 00:00:00 2001 From: Georgy Litvinov Date: Thu, 21 Dec 2023 10:04:25 +0100 Subject: [PATCH 14/33] fix for proximity query --- .../rdf/accessControl/firsttime/profile_proximity_query.n3 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/src/main/resources/rdf/accessControl/firsttime/profile_proximity_query.n3 b/home/src/main/resources/rdf/accessControl/firsttime/profile_proximity_query.n3 index f1e67b43e7..68bf924349 100644 --- a/home/src/main/resources/rdf/accessControl/firsttime/profile_proximity_query.n3 +++ b/home/src/main/resources/rdf/accessControl/firsttime/profile_proximity_query.n3 @@ -6,7 +6,7 @@ access-individual:PersonProfileProximityToResourceUri a access:SparqlSelectValuesQuery ; access:id """ SELECT ?resourceUri WHERE { - BIND ( ?personUri as ?resourceUri) + BIND ( ?profileUri as ?resourceUri) } """ . From f4e801494a69311cb8bdfdac5f1982bc111c49d5 Mon Sep 17 00:00:00 2001 From: Georgy Litvinov Date: Thu, 21 Dec 2023 10:04:57 +0100 Subject: [PATCH 15/33] renamed operator --- .../firsttime/template_exclude_display_individual_page_type.n3 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_type.n3 b/home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_type.n3 index 9a34e37119..b30f65be81 100644 --- a/home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_type.n3 +++ b/home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_type.n3 
@@ -152,7 +152,7 @@ access:values access-individual:AdminRoleValueSet . :AccessObjectClassCheck a access:Check ; - access:useOperator access-individual:SparqlSelectQueryContains ; + access:useOperator access-individual:SparqlSelectQueryResultsContain ; access:useConfiguration :IndividualTypeQuery ; access:hasTypeToCheck access-individual:AccessObjectUri ; access:values :AdminDisplayValueSet ; From 8c7c1079a0e4d919faa30f10147d90135f78285b Mon Sep 17 00:00:00 2001 From: Georgy Litvinov Date: Thu, 21 Dec 2023 10:05:56 +0100 Subject: [PATCH 16/33] fix: use named key components in getEntityValueSetUri query --- .../mannlib/vitro/webapp/auth/policy/PolicyLoader.java | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoader.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoader.java index fecd7028a2..57e91ebdc4 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoader.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoader.java @@ -7,6 +7,7 @@ import java.io.InputStream; import java.io.StringWriter; import java.util.ArrayList; +import java.util.Arrays; import java.util.HashMap; import java.util.HashSet; import java.util.LinkedList; 
@@ -500,8 +501,12 @@ protected void processQuerySolution(QuerySolution qs) { public String getEntityValueSetUri(AccessOperation ao, AccessObjectType aot, String role, String... namedKeyComponents) { - long expectedSize = 3 + namedKeyComponents.length; - String queryText = getDataSetByKeyQuery(ao.toString(), aot.toString(), role); + int expectedSize = 3 + namedKeyComponents.length; + String[] ids = Arrays.copyOf(namedKeyComponents, expectedSize); + ids[ids.length - 1] = ao.toString(); + ids[ids.length - 2] = aot.toString(); + ids[ids.length - 3] = role; + String queryText = getDataSetByKeyQuery(ids); ParameterizedSparqlString pss = new ParameterizedSparqlString(queryText); pss.setLiteral("setElementsId", aot.toString()); queryText = pss.toString(); From 1bdcfe1fd4ffd31d278454b139ef7771d03313d9 Mon Sep 17 00:00:00 2001 From: Georgy Litvinov Date: Thu, 21 Dec 2023 10:06:46 +0100 Subject: [PATCH 17/33] implemented getResourceUris in IndividualAccessObject --- .../webapp/auth/objects/IndividualAccessObject.java | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/IndividualAccessObject.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/IndividualAccessObject.java index c68ee43776..0df44ff030 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/IndividualAccessObject.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/objects/IndividualAccessObject.java @@ -1,5 +1,7 @@ package edu.cornell.mannlib.vitro.webapp.auth.objects; +import java.util.Optional; + import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType; public class IndividualAccessObject extends NamedAccessObject { 
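Review bot: `role` and every caller-supplied entry of `namedKeyComponents` now flow into `getDataSetByKeyQuery(ids)`, whose body is outside this hunk, while only `setElementsId` is visibly bound through `pss.setLiteral(...)`. If that helper splices the ids into the query text, they should be bound as literals the same way, because a value containing a quote would otherwise alter the query that selects the policy data set. A null element in `namedKeyComponents` is copied into `ids` unchecked; a per-element guard such as `Objects.requireNonNull(id, "key component")` before building the query would make that failure explicit. The method continues past the end of the hunk.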
@@ -12,4 +14,13 @@ public IndividualAccessObject(String uri) { public AccessObjectType getType() { return AccessObjectType.INDIVIDUAL; } + + public String[] getResourceUris() { + Optional optionalUri = getUri(); + if (optionalUri.isPresent()) { + return new String[] { optionalUri.get() }; + } else { + return new String[0]; + } + } } From 71357e837ab9783718fad244bc02a910d653ae7c Mon Sep 17 00:00:00 2001 From: Georgy Litvinov Date: Thu, 21 Dec 2023 10:07:44 +0100 Subject: [PATCH 18/33] Added policy template to exclude not related individual pages from display --- ...geExcludeByTypeNotRelatedTemplateTest.java | 146 ++++++++++++++++++ ...isplay_individual_page_type_not_related.n3 | 84 ++++++++++ 2 files changed, 230 insertions(+) create mode 100644 api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/DisplayIndividualPageExcludeByTypeNotRelatedTemplateTest.java create mode 100644 home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_type_not_related.n3 diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/DisplayIndividualPageExcludeByTypeNotRelatedTemplateTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/DisplayIndividualPageExcludeByTypeNotRelatedTemplateTest.java new file mode 100644 index 0000000000..5be1dc4bbe --- /dev/null +++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/DisplayIndividualPageExcludeByTypeNotRelatedTemplateTest.java 
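Review bot: `getResourceUris()` is added without `@Override` or Javadoc, although `getType()` in this class is an override. The base class is not visible here; if this method is meant to replace one that the relation check reads, a signature mismatch would silently leave the inherited version in place and the not-related deny rule would evaluate against the wrong URIs. Adding `@Override` lets the compiler verify that, and a comment such as `/** Returns the individual's own URI as the only resource a requester can be related to. */` records why a display request on an individual is matched against its own URI.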
@@ -0,0 +1,146 @@ +package edu.cornell.mannlib.vitro.webapp.auth.policy; + +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.INDIVIDUAL; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.DISPLAY; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.NOT_RELATED; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.TYPE_EXCLUSION; +import static edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult.INCONCLUSIVE; +import static edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult.UNAUTHORIZED; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; + +import java.util.Arrays; +import java.util.Collection; +import java.util.Collections; +import java.util.Set; + +import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType; +import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation; +import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject; +import edu.cornell.mannlib.vitro.webapp.auth.objects.IndividualAccessObject; +import edu.cornell.mannlib.vitro.webapp.auth.objects.NamedAccessObject; +import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.SimpleAuthorizationRequest; +import org.apache.jena.rdf.model.Model; +import org.apache.jena.rdf.model.ModelFactory; +import org.apache.jena.shared.Lock; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.Parameterized; + +@RunWith(Parameterized.class) +public class DisplayIndividualPageExcludeByTypeNotRelatedTemplateTest extends PolicyTest { + + private static final String TEST_ENTITY = "test:alice"; + private static final String TEST_TYPE = "test:person"; + + public static final String POLICY_PATH = + USER_ACCOUNTS_HOME_FIRSTTIME + "template_exclude_display_individual_page_type_not_related.n3"; + public static final String TEST_DATA = 
RESOURCES_RULES_PREFIX + "exclude_from_display_test_data.n3"; + + @org.junit.runners.Parameterized.Parameter(0) + public AccessOperation ao; + + @org.junit.runners.Parameterized.Parameter(1) + public AccessObjectType type; + + @org.junit.runners.Parameterized.Parameter(2) + public String roleUri; + + @org.junit.runners.Parameterized.Parameter(3) + public int rulesCount; + + @org.junit.runners.Parameterized.Parameter(4) + public Set attrCount; + + @Test + public void testLoadPolicy() { + load(POLICY_PATH); + Model dataModel = ModelFactory.createDefaultModel(); + try { + dataModel.enterCriticalSection(Lock.WRITE); + dataModel.read(TEST_DATA); + } finally { + dataModel.leaveCriticalSection(); + } + if (roleUri.equals(CUSTOM)) { + PolicyTemplateController.createRoleDataSets(CUSTOM); + } + EntityPolicyController.grantAccess(TEST_TYPE, type, ao, roleUri, TYPE_EXCLUSION.toString(), + NOT_RELATED.toString()); + + String dataSetUri = loader.getDataSetUriByKey(TYPE_EXCLUSION.toString(), NOT_RELATED.toString(), ao.toString(), + type.toString(), roleUri); + assertFalse(dataSetUri == null); + DynamicPolicy policy = loader.loadPolicyFromTemplateDataSet(dataSetUri); + assertTrue(policy != null); + assertEquals(1500, policy.getPriority()); + countRulesAndAttributes(policy, 1, Collections.singleton(5)); + policyDeniesAccess(policy, dataModel); + + policyNotAffectsOtherTypes(policy, dataModel); + policyNotAffectsOtherEntities(policy, dataModel); + policyNotAffectsOtherOperations(policy, dataModel); + policyNotAffectsOtherRoles(policy, dataModel); + policyNotAffectsRelatedIndividuals(policy, dataModel); + + } + + private void policyNotAffectsOtherRoles(DynamicPolicy policy, Model targetModel) { + AccessObject object = new IndividualAccessObject(TEST_ENTITY); + object.setModel(targetModel); + SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, AccessOperation.DISPLAY); + ar.setRoleUris(Arrays.asList(roleUri + "_NOT_EXISTS")); + assertEquals(INCONCLUSIVE, 
policy.decide(ar).getDecisionResult()); + } + + private void policyNotAffectsOtherEntities(DynamicPolicy policy, Model targetModel) { + AccessObject object = new IndividualAccessObject("test:another_entity"); + object.setModel(targetModel); + SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, ao); + ar.setRoleUris(Arrays.asList(roleUri)); + assertEquals(INCONCLUSIVE, policy.decide(ar).getDecisionResult()); + } + + private void policyNotAffectsOtherOperations(DynamicPolicy policy, Model targetModel) { + AccessObject object = new IndividualAccessObject(TEST_ENTITY); + object.setModel(targetModel); + SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, AccessOperation.ADD); + ar.setRoleUris(Arrays.asList(roleUri)); + assertEquals(INCONCLUSIVE, policy.decide(ar).getDecisionResult()); + } + + private void policyNotAffectsOtherTypes(DynamicPolicy policy, Model targetModel) { + AccessObject object = new NamedAccessObject(TEST_ENTITY); + object.setModel(targetModel); + SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, ao); + ar.setRoleUris(Arrays.asList(roleUri)); + assertEquals(INCONCLUSIVE, policy.decide(ar).getDecisionResult()); + } + + private void policyNotAffectsRelatedIndividuals(DynamicPolicy policy, Model targetModel) { + AccessObject object = new IndividualAccessObject(TEST_ENTITY); + object.setModel(targetModel); + SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, ao); + ar.setRoleUris(Arrays.asList(roleUri)); + ar.setEditorUris(Arrays.asList(TEST_ENTITY)); + assertEquals(INCONCLUSIVE, policy.decide(ar).getDecisionResult()); + } + + private void policyDeniesAccess(DynamicPolicy policy, Model targetModel) { + AccessObject object = new IndividualAccessObject(TEST_ENTITY); + object.setModel(targetModel); + SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, ao); + ar.setRoleUris(Arrays.asList(roleUri)); + assertEquals(UNAUTHORIZED, 
policy.decide(ar).getDecisionResult()); + } + + @Parameterized.Parameters + public static Collection requests() { + return Arrays.asList(new Object[][] { { DISPLAY, INDIVIDUAL, SELF_EDITOR, 1, num(4) }, }); + } + + private static Set num(int i) { + return Collections.singleton(i); + } +} diff --git a/home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_type_not_related.n3 b/home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_type_not_related.n3 new file mode 100644 index 0000000000..60b32f4b8b --- /dev/null +++ b/home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_type_not_related.n3 
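Review bot: The parameters `rulesCount` and `attrCount` are declared and supplied (`1, num(4)`) but never read, and `testLoadPolicy` hard-codes `countRulesAndAttributes(policy, 1, Collections.singleton(5))`, so the table value disagrees with what is asserted and later edits to the table would go unchecked. Use the parameters, `countRulesAndAttributes(policy, rulesCount, attrCount);`, and correct the row to `num(5)`. The `roleUri.equals(CUSTOM)` branch cannot run with the single `SELF_EDITOR` row, so either add a custom-role row or drop the branch. The same unused-parameter pattern is in HidePropertiesNotRelatedToSelfEditorTemplateTest later in this series.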
@@ -0,0 +1,84 @@
+# $This file is distributed under the terms of the license in LICENSE$
+
+@prefix auth: .
+@prefix access-individual: .
+@prefix access: .
+@prefix : .
+
+:PolicyTemplate a access:PolicyTemplate ;
+ access:priority 1500 ;
+ access:hasRule :ExcludeMatchingUri ;
+ access:hasDataSet :SelfEditorDisplayExclusionDataSet ;
+ .
+
+### SelfEditor display uri data sets
+
+:SelfEditorDisplayExclusionDataSet a access:DataSet ;
+ access:hasDataSetKey :SelfEditorDisplayExclusionDataSetKey ;
+ access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ;
+ access:hasRelatedValueSet access-individual:IndividualValueSet ;
+ access:hasRelatedValueSet access-individual:DisplayOperationValueSet ;
+ access:hasRelatedValueSet :SelfEditorDisplayValueSet .
+
+:SelfEditorDisplayExclusionDataSetKey a access:DataSetKey ;
+ access:hasKeyComponent access-individual:IndividualAccessObject ;
+ access:hasKeyComponent access-individual:SelfEditorRoleUri ;
+ access:hasKeyComponent access-individual:TypeExclusion ;
+ access:hasKeyComponent access-individual:NotRelated ;
+ access:hasKeyComponent access-individual:DisplayOperation .
+
+### Rule
+
+:ExcludeMatchingUri a access:Rule;
+ access:hasDecision access-individual:Deny ;
+ access:requiresCheck :SubjectRoleCheck ;
+ access:requiresCheck :OperationCheck ;
+ access:requiresCheck :AccessObjectTypeCheck ;
+ access:requiresCheck :RelationCheck ;
+ access:requiresCheck :AccessObjectClassCheck .
+
+### Checks
+
+:AccessObjectTypeCheck a access:Check ;
+ access:useOperator access-individual:Equals ;
+ access:hasTypeToCheck access-individual:AccessObjectType ;
+ access:values access-individual:IndividualValueSet ;
+ .
+
+:OperationCheck a access:Check ;
+ access:useOperator access-individual:Equals ;
+ access:hasTypeToCheck access-individual:Operation ;
+ access:values access-individual:DisplayOperationValueSet ;
+ .
+ +:SubjectRoleCheck a access:Check ; + access:useOperator access-individual:Equals ; + access:hasTypeToCheck access-individual:SubjectRole ; + access:values access-individual:SelfEditorRoleValueSet . + +:AccessObjectClassCheck a access:Check ; + access:useOperator access-individual:SparqlSelectQueryResultsContain ; + access:useConfiguration :IndividualTypeQuery ; + access:hasTypeToCheck access-individual:AccessObjectUri ; + access:values :SelfEditorDisplayValueSet ; + . + +:RelationCheck a access:Check ; + access:useOperator access-individual:SparqlSelectQueryResultsNotContain ; + access:hasTypeToCheck access-individual:AccessObjectUri ; + access:value access-individual:PersonProfileProximityToResourceUri + . + + +:IndividualTypeQuery a access:SparqlSelectValuesQuery ; + access:id """ + SELECT ?type WHERE { + ?objectUri ?type . + } + """ . + +###Value sets + +:SelfEditorDisplayValueSet a access:ValueSet ; + access:containsElementsOfType access-individual:IndividualAccessObject . + From 399015646efa65525fc1e2511963acc11230c123 Mon Sep 17 00:00:00 2001 From: Georgy Litvinov Date: Thu, 21 Dec 2023 11:35:10 +0100 Subject: [PATCH 19/33] Property exclusion named key component --- .../vitro/webapp/auth/attributes/NamedKeyComponent.java | 1 + .../rdf/accessControl/firsttime/named_key_components.n3 | 3 +++ 2 files changed, 4 insertions(+) diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/NamedKeyComponent.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/NamedKeyComponent.java index b775a114b0..8a3404056f 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/NamedKeyComponent.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/NamedKeyComponent.java @@ -3,5 +3,6 @@ public enum NamedKeyComponent { URI_EXCLUSION, TYPE_EXCLUSION, + PROPERTY_EXCLUSION, NOT_RELATED, } 
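Review bot: The new template carries no comment saying what it enforces, and its rule keeps the name `:ExcludeMatchingUri` although it matches on the individual's type (`:AccessObjectClassCheck`) and on the absence of a relation (`:RelationCheck`). Since this is a Deny rule for the self-editor role, a header comment such as `# Denies DISPLAY of individual pages whose type is in :SelfEditorDisplayValueSet to self-editors not related to the individual.` and a name like `:ExcludeNotRelatedByType` would make the policy easier to audit. `:RelationCheck` is also the only check written with `access:value` rather than `access:values`; if that is intentional for a query reference, a one-line comment would keep it from being changed by mistake.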
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/named_key_components.n3 b/home/src/main/resources/rdf/accessControl/firsttime/named_key_components.n3 index af7ee774c4..dfb9d8be8a 100644 --- a/home/src/main/resources/rdf/accessControl/firsttime/named_key_components.n3 +++ b/home/src/main/resources/rdf/accessControl/firsttime/named_key_components.n3 @@ -9,5 +9,8 @@ access-individual:UriExclusion a access:NamedKeyComponent ; access-individual:TypeExclusion a access:NamedKeyComponent ; access:id "TYPE_EXCLUSION" . +access-individual:PropertyExclusion a access:NamedKeyComponent ; + access:id "PROPERTY_EXCLUSION" . + access-individual:NotRelated a access:NamedKeyComponent ; access:id "NOT_RELATED" . From af7958cbaaeb5829a2f051c878a25fca931d21ce Mon Sep 17 00:00:00 2001 From: Georgy Litvinov Date: Thu, 21 Dec 2023 11:35:44 +0100 Subject: [PATCH 20/33] fixes and test improvements for policy template hide not related property --- ...iesNotRelatedToSelfEditorTemplateTest.java | 159 +++++++++++++++++- .../template_hide_not_related_property.n3 | 8 + 2 files changed, 158 insertions(+), 9 deletions(-) diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/HidePropertiesNotRelatedToSelfEditorTemplateTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/HidePropertiesNotRelatedToSelfEditorTemplateTest.java index 8b338853ae..5883b1a391 100644 --- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/HidePropertiesNotRelatedToSelfEditorTemplateTest.java +++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/HidePropertiesNotRelatedToSelfEditorTemplateTest.java 
@@ -1,13 +1,36 @@ package edu.cornell.mannlib.vitro.webapp.auth.policy; -import static edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary.AUTH_INDIVIDUAL_PREFIX; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.DATA_PROPERTY; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.FAUX_DATA_PROPERTY; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.FAUX_OBJECT_PROPERTY; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.OBJECT_PROPERTY; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.DISPLAY; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.PUBLISH; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.NOT_RELATED; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.PROPERTY_EXCLUSION; +import static edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult.INCONCLUSIVE; +import static edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult.UNAUTHORIZED; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertTrue; import java.util.Arrays; import java.util.Collection; import java.util.Collections; +import java.util.Set; +import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType; +import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation; +import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject; +import edu.cornell.mannlib.vitro.webapp.auth.objects.DataPropertyStatementAccessObject; +import edu.cornell.mannlib.vitro.webapp.auth.objects.FauxDataPropertyStatementAccessObject; +import edu.cornell.mannlib.vitro.webapp.auth.objects.FauxObjectPropertyStatementAccessObject; +import edu.cornell.mannlib.vitro.webapp.auth.objects.ObjectPropertyStatementAccessObject; +import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.SimpleAuthorizationRequest; 
+import edu.cornell.mannlib.vitro.webapp.beans.FauxProperty; +import edu.cornell.mannlib.vitro.webapp.beans.Property; +import edu.cornell.mannlib.vitro.webapp.rdfservice.adapters.VitroModelFactory; +import org.apache.jena.ontology.OntModel; +import org.apache.jena.shared.Lock; import org.junit.Test; import org.junit.runner.RunWith; import org.junit.runners.Parameterized; 
@@ -16,28 +39,146 @@ public class HidePropertiesNotRelatedToSelfEditorTemplateTest extends PolicyTest { public static final String POLICY_PATH = USER_ACCOUNTS_HOME_FIRSTTIME + "template_hide_not_related_property.n3"; + public static final String TEST_DATA = RESOURCES_RULES_PREFIX + "exclude_from_display_test_data.n3"; + private static final String TEST_ENTITY = "test:alice"; + private static final String OBJECT_ENTITY = "test:orange"; + private static final String TEST_PROPERTY = "test:has"; + private static final String OTHER_PROPERTY = "test:seen"; @org.junit.runners.Parameterized.Parameter(0) - public String dataSetName; + public AccessOperation ao; + + @org.junit.runners.Parameterized.Parameter(1) + public AccessObjectType type; + + @org.junit.runners.Parameterized.Parameter(2) + public String roleUri; + + @org.junit.runners.Parameterized.Parameter(3) + public int rulesCount; + + @org.junit.runners.Parameterized.Parameter(4) + public Set attrCount; @Test public void testLoadPolicy() { load(POLICY_PATH); - load(RESOURCES_RULES_PREFIX + "hide_entities_value_set.n3"); - String policyPrefix = AUTH_INDIVIDUAL_PREFIX + "hide-not-related-property/"; - String dataSetUri = policyPrefix + dataSetName; + OntModel dataModel = VitroModelFactory.createOntologyModel(); + try { + dataModel.enterCriticalSection(Lock.WRITE); + dataModel.read(TEST_DATA); + } finally { + dataModel.leaveCriticalSection(); + } + EntityPolicyController.grantAccess(TEST_PROPERTY, type, ao, roleUri, NOT_RELATED.toString(), + PROPERTY_EXCLUSION.toString()); + + String dataSetUri = loader.getDataSetUriByKey(PROPERTY_EXCLUSION.toString(), NOT_RELATED.toString(), + ao.toString(), type.toString(), roleUri); DynamicPolicy policy = loader.loadPolicyFromTemplateDataSet(dataSetUri); assertTrue(policy != null); assertEquals(5000, policy.getPriority()); countRulesAndAttributes(policy, 1, Collections.singleton(5)); + policyDeniesAccess(policy, dataModel); + policyNotAffectsOtherTypes(policy, dataModel); + 
policyNotAffectsOtherEntities(policy, dataModel); + policyNotAffectsOtherOperations(policy, dataModel); + policyNotAffectsOtherRoles(policy, dataModel); + policyNotAffectsRelatedIndividuals(policy, dataModel); + } + + private void policyNotAffectsRelatedIndividuals(DynamicPolicy policy, OntModel targetModel) { + AccessObject object = getAccessObject(targetModel, TEST_PROPERTY); + SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, ao); + ar.setRoleUris(Arrays.asList(roleUri)); + ar.setEditorUris(Arrays.asList(TEST_ENTITY)); + assertEquals(INCONCLUSIVE, policy.decide(ar).getDecisionResult()); + } + + private void policyNotAffectsOtherRoles(DynamicPolicy policy, OntModel targetModel) { + AccessObject object = getAccessObject(targetModel, TEST_PROPERTY); + SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, ao); + ar.setRoleUris(Arrays.asList(ADMIN)); + assertEquals(INCONCLUSIVE, policy.decide(ar).getDecisionResult()); + } + + private void policyNotAffectsOtherOperations(DynamicPolicy policy, OntModel targetModel) { + AccessObject object = getAccessObject(targetModel, TEST_PROPERTY); + SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, PUBLISH); + ar.setRoleUris(Arrays.asList(roleUri)); + assertEquals(INCONCLUSIVE, policy.decide(ar).getDecisionResult()); + } + + private void policyNotAffectsOtherEntities(DynamicPolicy policy, OntModel targetModel) { + AccessObject object = getAccessObject(targetModel, OTHER_PROPERTY); + SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, ao); + ar.setRoleUris(Arrays.asList(roleUri)); + assertEquals(INCONCLUSIVE, policy.decide(ar).getDecisionResult()); + } + + private void policyNotAffectsOtherTypes(DynamicPolicy policy, OntModel targetModel) { + AccessObject object = getWrongAccessObject(targetModel); + SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, ao); + ar.setRoleUris(Arrays.asList(roleUri)); + assertEquals(INCONCLUSIVE, 
policy.decide(ar).getDecisionResult()); + } + + private void policyDeniesAccess(DynamicPolicy policy, OntModel targetModel) { + AccessObject object = getAccessObject(targetModel, TEST_PROPERTY); + SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, ao); + ar.setRoleUris(Arrays.asList(roleUri)); + assertEquals(UNAUTHORIZED, policy.decide(ar).getDecisionResult()); + } + + private AccessObject getWrongAccessObject(OntModel targetModel) { + FauxProperty fauxProperty = new FauxProperty(TEST_ENTITY, TEST_PROPERTY, ""); + fauxProperty.setConfigUri(TEST_PROPERTY); + switch (type) { + case OBJECT_PROPERTY: + return new DataPropertyStatementAccessObject(targetModel, TEST_ENTITY, TEST_PROPERTY, "test"); + case DATA_PROPERTY: + return new ObjectPropertyStatementAccessObject(targetModel, TEST_ENTITY, new Property(TEST_PROPERTY), + OBJECT_ENTITY); + case FAUX_OBJECT_PROPERTY: + return new FauxDataPropertyStatementAccessObject(targetModel, TEST_ENTITY, fauxProperty, "test"); + case FAUX_DATA_PROPERTY: + return new FauxObjectPropertyStatementAccessObject(targetModel, TEST_ENTITY, fauxProperty, + OBJECT_ENTITY); + default: + return null; + } + } + + private AccessObject getAccessObject(OntModel targetModel, String property) { + FauxProperty fauxProperty = new FauxProperty(TEST_ENTITY, property, ""); + fauxProperty.setConfigUri(property); + switch (type) { + case DATA_PROPERTY: + return new DataPropertyStatementAccessObject(targetModel, TEST_ENTITY, property, "test"); + case OBJECT_PROPERTY: + return new ObjectPropertyStatementAccessObject(targetModel, TEST_ENTITY, new Property(property), + OBJECT_ENTITY); + case FAUX_DATA_PROPERTY: + return new FauxDataPropertyStatementAccessObject(targetModel, TEST_ENTITY, fauxProperty, "test"); + case FAUX_OBJECT_PROPERTY: + return new FauxObjectPropertyStatementAccessObject(targetModel, TEST_ENTITY, fauxProperty, + OBJECT_ENTITY); + default: + return null; + } } @Parameterized.Parameters public static Collection requests() { 
return Arrays.asList(new Object[][] { - { "SelfEditorHideNotRelatedObjectPropertyDataSet" }, - { "SelfEditorHideNotRelatedDataPropertyDataSet" }, - { "SelfEditorHideNotRelatedFauxObjectPropertyDataSet" }, - { "SelfEditorHideNotRelatedFauxDataPropertyDataSet" }, }); + { DISPLAY, DATA_PROPERTY, SELF_EDITOR, 1, num(5) }, + { DISPLAY, OBJECT_PROPERTY, SELF_EDITOR, 1, num(5) }, + { DISPLAY, FAUX_DATA_PROPERTY, SELF_EDITOR, 1, num(5) }, + { DISPLAY, FAUX_OBJECT_PROPERTY, SELF_EDITOR, 1, num(5) }, + }); + } + + private static Set num(int i) { + return Collections.singleton(i); } } diff --git a/home/src/main/resources/rdf/accessControl/firsttime/template_hide_not_related_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/template_hide_not_related_property.n3 index 1e934d8ac8..90bbdcad19 100644 --- a/home/src/main/resources/rdf/accessControl/firsttime/template_hide_not_related_property.n3 +++ b/home/src/main/resources/rdf/accessControl/firsttime/template_hide_not_related_property.n3 @@ -29,6 +29,8 @@ access:hasKeyComponent access-individual:ObjectProperty ; access:hasKeyComponent access-individual:SelfEditorRoleUri ; access:hasKeyComponent access-individual:DisplayOperation ; + access:hasKeyComponent access-individual:NotRelated ; + access:hasKeyComponent access-individual:PropertyExclusion ; . #Data properties @@ -45,6 +47,8 @@ access:hasKeyComponent access-individual:DataProperty ; access:hasKeyComponent access-individual:SelfEditorRoleUri ; access:hasKeyComponent access-individual:DisplayOperation ; + access:hasKeyComponent access-individual:NotRelated ; + access:hasKeyComponent access-individual:PropertyExclusion ; . #Faux object properties 
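Review bot: `dataSetUri` from `loader.getDataSetUriByKey(...)` goes straight into `loadPolicyFromTemplateDataSet` without the non-null assertion that DisplayIndividualPageExcludeByTypeNotRelatedTemplateTest makes, so a key mismatch would show up as an unrelated failure further down; add `assertTrue(dataSetUri != null);` before loading. `getAccessObject` and `getWrongAccessObject` return `null` from their `default` branch, which turns an unsupported `type` into a NullPointerException inside the request instead of a clear test failure; `throw new IllegalArgumentException("unsupported type " + type);` states the problem. `rulesCount` and `attrCount` are unused here as well, with `countRulesAndAttributes(policy, 1, Collections.singleton(5))` hard-coded.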
@@ -61,6 +65,8 @@ access:hasKeyComponent access-individual:FauxObjectProperty ; access:hasKeyComponent access-individual:SelfEditorRoleUri ; access:hasKeyComponent access-individual:DisplayOperation ; + access:hasKeyComponent access-individual:NotRelated ; + access:hasKeyComponent access-individual:PropertyExclusion ; . #Faux data properties @@ -77,6 +83,8 @@ access:hasKeyComponent access-individual:FauxDataProperty ; access:hasKeyComponent access-individual:SelfEditorRoleUri ; access:hasKeyComponent access-individual:DisplayOperation ; + access:hasKeyComponent access-individual:NotRelated ; + access:hasKeyComponent access-individual:PropertyExclusion ; . #Rule From e7c89e634d9a5bf945a4459f388c9ea6269f2831 Mon Sep 17 00:00:00 2001 From: Georgy Litvinov Date: Thu, 21 Dec 2023 12:47:40 +0100 Subject: [PATCH 21/33] Provide model into authorization request. --- .../vitro/webapp/controller/individual/IndividualController.java | 1 + 1 file changed, 1 insertion(+) diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/individual/IndividualController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/individual/IndividualController.java index 9081ef25aa..00cd6837c6 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/individual/IndividualController.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/individual/IndividualController.java @@ -130,6 +130,7 @@ public AuthorizationRequest requiredActions(VitroRequest vreq) { return AuthorizationRequest.AUTHORIZED; default: AccessObject ao = new IndividualAccessObject(requestInfo.getIndividual().getURI()); + ao.setModel(vreq.getJenaOntModel()); AuthorizationRequest request = new SimpleAuthorizationRequest(ao, AccessOperation.DISPLAY); return request; } From bdc428f23f1760f2ad4ad9362274422170eb84fc Mon Sep 17 00:00:00 2001 
From: Georgy Litvinov Date: Mon, 8 Jan 2024 17:39:42 +0100 Subject: [PATCH 22/33] Web interface for policies to suppress individual by type, by type not related; suppress not related property --- .../vedit/controller/BaseEditController.java | 119 ++++++++++-- .../vedit/controller/OperationController.java | 176 +++++++++++++----- .../auth/checks/AttributeValueChecker.java | 3 - .../SparqlSelectQueryResultsChecker.java | 19 +- .../webapp/auth/policy/PolicyLoader.java | 2 +- .../edit/DatapropRetryController.java | 1 + .../edit/FauxPropertyRetryController.java | 1 + .../edit/PropertyRetryController.java | 2 + .../edit/VclassRetryController.java | 3 + .../PropertyGroupTemplateModel.java | 22 +-- .../rules/exclude_from_display_test_data.n3 | 2 +- ...te_exclude_display_individual_page_type.n3 | 2 +- ...isplay_individual_page_type_not_related.n3 | 2 +- .../edit/specific/dataprop_retry.jsp | 25 +++ .../edit/specific/fauxProperty_retry.jsp | 24 +++ .../edit/specific/property_retry.jsp | 24 +++ .../templates/edit/specific/vclass_retry.jsp | 51 +++++ 17 files changed, 383 insertions(+), 95 deletions(-) diff --git a/api/src/main/java/edu/cornell/mannlib/vedit/controller/BaseEditController.java b/api/src/main/java/edu/cornell/mannlib/vedit/controller/BaseEditController.java index 23a3e6f51e..bb57218422 100644 --- a/api/src/main/java/edu/cornell/mannlib/vedit/controller/BaseEditController.java +++ b/api/src/main/java/edu/cornell/mannlib/vedit/controller/BaseEditController.java 
@@ -2,6 +2,10 @@ package edu.cornell.mannlib.vedit.controller; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.NOT_RELATED; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.PROPERTY_EXCLUSION; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.TYPE_EXCLUSION; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.URI_EXCLUSION; import static edu.cornell.mannlib.vitro.webapp.modelaccess.ModelAccess.ReasoningOption.ASSERTIONS_ONLY; import java.text.Collator; @@ -12,13 +16,11 @@ import java.util.Comparator; import java.util.Enumeration; import java.util.HashMap; -import java.util.HashSet; import java.util.LinkedHashMap; import java.util.LinkedList; import java.util.List; import java.util.Map; import java.util.Random; -import java.util.Set; import javax.servlet.http.HttpServletRequest; @@ -27,6 +29,7 @@ import edu.cornell.mannlib.vedit.util.FormUtils; import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType; import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation; +import edu.cornell.mannlib.vitro.webapp.auth.permissions.PermissionSets; import edu.cornell.mannlib.vitro.webapp.auth.policy.EntityPolicyController; import edu.cornell.mannlib.vitro.webapp.beans.PermissionSet; import edu.cornell.mannlib.vitro.webapp.controller.Controllers; @@ -41,6 +44,7 @@ public class BaseEditController extends VitroHttpServlet { public static final String ENTITY_URI_ATTRIBUTE_NAME = "_permissionsEntityURI"; + public static final String ENTITY_TYPE_ATTRIBUTE_NAME = "_permissionsEntityType"; public static final boolean FORCE_NEW = true; // when you know you're starting a new edit process 
@@ -215,15 +219,13 @@ public String getDefaultLandingPage(HttpServletRequest request) { protected static void addAccessAttributes(HttpServletRequest req, String entityURI, AccessObjectType aot) { // Add the permissionsEntityURI (if we are creating a new property, this will be empty) req.setAttribute(ENTITY_URI_ATTRIBUTE_NAME, entityURI); - + String[] namedKeys = new String[0]; // Get the available permission sets List permissionSets = buildListOfSelectableRoles(ModelAccess.on(req).getWebappDaoFactory()); List roles = new ArrayList<>(); - List roleUris = new ArrayList<>(); for (PermissionSet permissionSet : permissionSets) { roles.add(new RoleInfo(permissionSet)); - roleUris.add(permissionSet.getUri()); } List accessOperations = AccessOperation.getOperations(aot); // Operation, list of roles> 
@@ -242,16 +244,109 @@ protected static void addAccessAttributes(HttpServletRequest req, String entityU } } } - if (!StringUtils.isEmpty(entityURI)) { - for (RoleInfo roleInfo : roleInfos) { - if (roleInfo.isEnabled()) { - roleInfo.setGranted( - EntityPolicyController.isGranted(entityURI, aot, operation, roleInfo.getUri())); - } + getRolePolicyInformation(entityURI, aot, namedKeys, operation, roleInfos); + } + req.setAttribute("operationsToRoles", operationsToRoles); + } + + private static void getRolePolicyInformation(String entityURI, AccessObjectType aot, String[] namedKeys, + AccessOperation operation, List roleInfos) { + if (!StringUtils.isEmpty(entityURI)) { + for (RoleInfo roleInfo : roleInfos) { + if (roleInfo.isEnabled()) { + roleInfo.setGranted( + EntityPolicyController.isGranted(entityURI, aot, operation, roleInfo.getUri(), namedKeys)); } } } - req.setAttribute("operationsToRoles", operationsToRoles); + } + + protected static void addUriSuppressions(HttpServletRequest req, String entityURI, AccessObjectType aot) { + AccessOperation operation = AccessOperation.DISPLAY; + String[] namedKeys = new String[1]; + namedKeys[0] = URI_EXCLUSION.toString(); + // Get the available permission sets + List permissionSets = buildListOfSelectableRoles(ModelAccess.on(req).getWebappDaoFactory()); + List roles = new ArrayList<>(); + + for (PermissionSet permissionSet : permissionSets) { + roles.add(new RoleInfo(permissionSet)); + } + Map> uriSuppressionsToRoles = new LinkedHashMap<>(); + List roleInfos = new LinkedList<>(); + String operationName = StringUtils.capitalize(operation.toString().toLowerCase()); + uriSuppressionsToRoles.put(operationName, roleInfos); + for (RoleInfo role : roles) { + RoleInfo roleCopy = role.clone(); + roleInfos.add(roleCopy); + } + getRolePolicyInformation(entityURI, aot, namedKeys, operation, roleInfos); + req.setAttribute("uriSuppressions", uriSuppressionsToRoles); + } + + protected static void addTypeSuppressions(HttpServletRequest req, 
String entityURI, AccessObjectType aot) { + AccessOperation operation = AccessOperation.DISPLAY; + String[] namedKeys = new String[1]; + namedKeys[0] = TYPE_EXCLUSION.toString(); + // Get the available permission sets + List permissionSets = buildListOfSelectableRoles(ModelAccess.on(req).getWebappDaoFactory()); + List roles = new ArrayList<>(); + + for (PermissionSet permissionSet : permissionSets) { + roles.add(new RoleInfo(permissionSet)); + } + Map> typeSuppressionsToRoles = new LinkedHashMap<>(); + List roleInfos = new LinkedList<>(); + String operationName = StringUtils.capitalize(operation.toString().toLowerCase()); + typeSuppressionsToRoles.put(operationName, roleInfos); + for (RoleInfo role : roles) { + RoleInfo roleCopy = role.clone(); + roleInfos.add(roleCopy); + } + getRolePolicyInformation(entityURI, aot, namedKeys, operation, roleInfos); + req.setAttribute("typeSuppressions", typeSuppressionsToRoles); + } + + protected static void addNotRelatedTypeSuppressions(HttpServletRequest req, String entityURI, AccessObjectType aot) { + AccessOperation operation = AccessOperation.DISPLAY; + String[] namedKeys = new String[2]; + namedKeys[0] = TYPE_EXCLUSION.toString(); + namedKeys[1] = NOT_RELATED.toString(); + + RoleInfo role = getSelfEditorRole(req); + Map> typeSuppressionsToRoles = new LinkedHashMap<>(); + List roleInfos = new LinkedList<>(); + String operationName = StringUtils.capitalize(operation.toString().toLowerCase()); + typeSuppressionsToRoles.put(operationName, roleInfos); + roleInfos.add(role); + + getRolePolicyInformation(entityURI, aot, namedKeys, operation, roleInfos); + req.setAttribute("typeSuppressionsNotRelated", typeSuppressionsToRoles); + } + + protected static RoleInfo getSelfEditorRole(HttpServletRequest req) { + PermissionSet permissionSet = ModelAccess.on(req).getWebappDaoFactory().getUserAccountsDao() + .getPermissionSetByUri(PermissionSets.URI_SELF_EDITOR); + RoleInfo role = new RoleInfo(permissionSet); + return role; + } + + 
protected static void addNotRelatedPropertySuppressions(HttpServletRequest req, String entityURI, + AccessObjectType aot) { + AccessOperation operation = AccessOperation.DISPLAY; + String[] namedKeys = new String[2]; + namedKeys[0] = PROPERTY_EXCLUSION.toString(); + namedKeys[1] = NOT_RELATED.toString(); + + RoleInfo role = getSelfEditorRole(req); + Map> propertySuppressionsToRoles = new LinkedHashMap<>(); + List roleInfos = new LinkedList<>(); + String operationName = StringUtils.capitalize(operation.toString().toLowerCase()); + propertySuppressionsToRoles.put(operationName, roleInfos); + roleInfos.add(role); + + getRolePolicyInformation(entityURI, aot, namedKeys, operation, roleInfos); + req.setAttribute("propertySuppressionsNotRelated", propertySuppressionsToRoles); } static boolean isPublicForbiddenOperation(AccessOperation operation) { diff --git a/api/src/main/java/edu/cornell/mannlib/vedit/controller/OperationController.java b/api/src/main/java/edu/cornell/mannlib/vedit/controller/OperationController.java index 6953d7e343..80c72d2a66 100644 --- a/api/src/main/java/edu/cornell/mannlib/vedit/controller/OperationController.java +++ b/api/src/main/java/edu/cornell/mannlib/vedit/controller/OperationController.java 
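Review bot: `getSelfEditorRole` passes the result of `getPermissionSetByUri(PermissionSets.URI_SELF_EDITOR)` straight into `new RoleInfo(permissionSet)` without checking that a permission set was found. The `RoleInfo` constructor is outside this hunk, so whether it tolerates null is not visible; if it does not, the two not-related helpers here and the update path in `OperationController` that calls this method would fail with a bare NullPointerException. An explicit check such as `if (permissionSet == null) { throw new IllegalStateException("Permission set not found: " + PermissionSets.URI_SELF_EDITOR); }` makes that failure diagnosable. Separately, `addUriSuppressions` and `addTypeSuppressions` differ only in the named key and the request attribute name, so one private helper taking those two values would keep the role-listing logic in one place.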
@@ -2,10 +2,16 @@ package edu.cornell.mannlib.vedit.controller; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.CLASS; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.INDIVIDUAL; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.DISPLAY; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.NOT_RELATED; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.PROPERTY_EXCLUSION; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.TYPE_EXCLUSION; + import java.io.IOException; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; -import java.util.ArrayList; import java.util.Arrays; import java.util.Enumeration; import java.util.HashMap; @@ -19,19 +25,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType; -import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation; -import edu.cornell.mannlib.vitro.webapp.auth.attributes.OperationGroup; -import edu.cornell.mannlib.vitro.webapp.auth.policy.EntityPolicyController; -import edu.cornell.mannlib.vitro.webapp.beans.PermissionSet; -import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelAccess; -import org.apache.commons.lang3.EnumUtils; -import org.apache.commons.lang3.StringUtils; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; - import edu.cornell.mannlib.vedit.beans.EditProcessObject; -import edu.cornell.mannlib.vedit.controller.BaseEditController.RoleInfo; import edu.cornell.mannlib.vedit.forwarder.PageForwarder; import edu.cornell.mannlib.vedit.listener.ChangeListener; import edu.cornell.mannlib.vedit.listener.EditPreProcessor; 
@@ -40,6 +34,15 @@ import edu.cornell.mannlib.vedit.util.OperationUtils; import edu.cornell.mannlib.vedit.validator.ValidationObject; import edu.cornell.mannlib.vedit.validator.Validator; +import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType; +import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation; +import edu.cornell.mannlib.vitro.webapp.auth.policy.EntityPolicyController; +import edu.cornell.mannlib.vitro.webapp.beans.PermissionSet; +import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelAccess; +import org.apache.commons.lang3.EnumUtils; +import org.apache.commons.lang3.StringUtils; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; @WebServlet(name = "OperationController", urlPatterns = {"/doEdit"} ) public class OperationController extends BaseEditController { 
@@ -138,39 +141,7 @@ public void doPost (HttpServletRequest request, HttpServletResponse response) { // If contains restrictions if (request.getParameter("_permissions") != null) { - // Get the namespace that we are editing - String entityUri = request.getParameter(ENTITY_URI_ATTRIBUTE_NAME); - if (StringUtils.isEmpty(entityUri)) { - // If we don't have a namespace set, we are creating a new entity so use that namespace - if (!StringUtils.isEmpty(request.getParameter("Namespace")) && !StringUtils.isEmpty(request.getParameter("LocalName"))) { - entityUri = "" + request.getParameter("Namespace") + request.getParameter("LocalName"); - } - } - String entityType = request.getParameter(ENTITY_TYPE_ATTRIBUTE_NAME); - List permissionSets = buildListOfSelectableRoles(ModelAccess.on(request).getWebappDaoFactory()); - Set roles = new HashSet<>(); - for (PermissionSet permissionSet : permissionSets) { - roles.add(new RoleInfo(permissionSet)); - } - AccessObjectType aot = getAccessObjectType(entityUri, entityType); - if (aot != null) { - List operations = AccessOperation.getOperations(aot); - for (AccessOperation ao : operations) { - String operationGroupName = ao.toString().toLowerCase().split("_")[0]; - Set selectedRoles = getSelectedRoles(request, operationGroupName); - for (RoleInfo role : roles) { - if (role.isPublic() && isPublicForbiddenOperation(ao)) { - continue; - } - if (selectedRoles.contains(role.getUri())) { - EntityPolicyController.grantAccess(entityUri, aot, ao, role.getUri()); - } else { - EntityPolicyController.revokeAccess(entityUri, aot, ao, role.getUri()); - } - - } - } - } + updatePermissions(request); } /* put request parameters and attributes into epo where the listeners can see */ 
@@ -230,6 +201,119 @@ public void doPost (HttpServletRequest request, HttpServletResponse response) { } } + private void updatePermissions(HttpServletRequest request) { + // Get the namespace that we are editing + String entityUri = request.getParameter(ENTITY_URI_ATTRIBUTE_NAME); + if (StringUtils.isEmpty(entityUri)) { + // If we don't have a namespace set, we are creating a new entity so use that namespace + if (!StringUtils.isEmpty(request.getParameter("Namespace")) && !StringUtils.isEmpty(request.getParameter("LocalName"))) { + entityUri = "" + request.getParameter("Namespace") + request.getParameter("LocalName"); + } + } + String entityType = request.getParameter(ENTITY_TYPE_ATTRIBUTE_NAME); + AccessObjectType aot = getAccessObjectType(entityUri, entityType); + if (aot == null) { + return; + } + updateEntityPermissions(request, entityUri, aot); + updateTypeSuppressions(request, aot, entityUri); + updateNotRelatedTypeSuppressions(request, aot, entityUri); + updateNotRelatedPropertySuppressions(request, aot, entityUri); + } + + private void updateEntityPermissions(HttpServletRequest request, String entityUri, AccessObjectType aot) { + Set roles = getAllRoles(request); + List operations = AccessOperation.getOperations(aot); + for (AccessOperation ao : operations) { + String operationGroupName = ao.toString().toLowerCase(); + Set selectedRoles = getSelectedRoles(request, operationGroupName); + for (RoleInfo role : roles) { + if (role.isPublic() && isPublicForbiddenOperation(ao)) { + continue; + } + if (selectedRoles.contains(role.getUri())) { + EntityPolicyController.grantAccess(entityUri, aot, ao, role.getUri()); + } else { + EntityPolicyController.revokeAccess(entityUri, aot, ao, role.getUri()); + } + } + } + } + + private Set getAllRoles(HttpServletRequest request) { + List permissionSets = buildListOfSelectableRoles(ModelAccess.on(request).getWebappDaoFactory()); + Set roles = new HashSet<>(); + for (PermissionSet permissionSet : permissionSets) { + 
roles.add(new RoleInfo(permissionSet)); + } + return roles; + } + + private void updateTypeSuppressions(HttpServletRequest request, AccessObjectType aot, String entityUri) { + if (!isTypeSuppressionsPresent(request) || !AccessObjectType.CLASS.equals(aot)) { + return; + } + String[] namedKeys = new String[1]; + namedKeys[0] = TYPE_EXCLUSION.toString(); + Set roles = getAllRoles(request); + String operationGroupName = "typeSuppression" + DISPLAY.toString().toLowerCase(); + Set selectedRoles = getSelectedRoles(request, operationGroupName); + for (RoleInfo role : roles) { + if (selectedRoles.contains(role.getUri())) { + EntityPolicyController.grantAccess(entityUri, INDIVIDUAL, DISPLAY, role.getUri(), namedKeys); + } else { + EntityPolicyController.revokeAccess(entityUri, INDIVIDUAL, DISPLAY, role.getUri(), namedKeys); + } + } + } + + private void updateNotRelatedTypeSuppressions(HttpServletRequest request, AccessObjectType aot, String entityUri) { + if (!isNotRelatedTypeSuppressionsPresent(request) || !CLASS.equals(aot)) { + return; + } + String[] namedKeys = new String[2]; + namedKeys[0] = TYPE_EXCLUSION.toString(); + namedKeys[1] = NOT_RELATED.toString(); + RoleInfo role = getSelfEditorRole(request); + String operationGroupName = "typeSuppressionNotRelated" + DISPLAY.toString().toLowerCase(); + Set selectedRoles = getSelectedRoles(request, operationGroupName); + if (selectedRoles.contains(role.getUri())) { + EntityPolicyController.grantAccess(entityUri, INDIVIDUAL, DISPLAY, role.getUri(), namedKeys); + } else { + EntityPolicyController.revokeAccess(entityUri, INDIVIDUAL, DISPLAY, role.getUri(), namedKeys); + } + } + + private void updateNotRelatedPropertySuppressions(HttpServletRequest request, AccessObjectType aot, + String entityUri) { + if (!isNotRelatedPropertySuppressionsPresent(request)) { + return; + } + String[] namedKeys = new String[2]; + namedKeys[0] = PROPERTY_EXCLUSION.toString(); + namedKeys[1] = NOT_RELATED.toString(); + RoleInfo role = 
getSelfEditorRole(request); + String operationGroupName = "propertySuppressionNotRelated" + DISPLAY.toString().toLowerCase(); + Set selectedRoles = getSelectedRoles(request, operationGroupName); + if (selectedRoles.contains(role.getUri())) { + EntityPolicyController.grantAccess(entityUri, aot, DISPLAY, role.getUri(), namedKeys); + } else { + EntityPolicyController.revokeAccess(entityUri, aot, DISPLAY, role.getUri(), namedKeys); + } + } + + private boolean isNotRelatedPropertySuppressionsPresent(HttpServletRequest request) { + return request.getParameter("_propertySuppressionsNotRelated") != null; + } + + private boolean isTypeSuppressionsPresent(HttpServletRequest request) { + return request.getParameter("_typeSuppressions") != null; + } + + private boolean isNotRelatedTypeSuppressionsPresent(HttpServletRequest request) { + return request.getParameter("_typeSuppressionsNotRelated") != null; + } + private Set getSelectedRoles(HttpServletRequest request, String operationGroupName) { String[] selectedRoles = request.getParameterValues(operationGroupName + "Roles"); if (selectedRoles == null) { diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/AttributeValueChecker.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/AttributeValueChecker.java index 8acee98ffe..3ad814622b 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/AttributeValueChecker.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/AttributeValueChecker.java 
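Review bot: `updateNotRelatedPropertySuppressions` has no check on `aot`, while the two type-suppression updaters beside it return early unless `CLASS.equals(aot)`. Because `aot` is derived from the `_permissionsEntityType` request parameter and an unselected role always takes the `revokeAccess` branch, a request carrying the `_propertySuppressionsNotRelated` marker changes `PROPERTY_EXCLUSION`/`NOT_RELATED` policy data for whatever entity type was submitted. The guard should also require a property type, for example an allow-list of `DATA_PROPERTY`, `OBJECT_PROPERTY` and the two faux property types that the retry controllers pass. In `updatePermissions`, `entityUri` can still be empty when the four updaters run; whether `getAccessObjectType` returns null in that case is outside the hunk, so `if (aot == null || StringUtils.isEmpty(entityUri)) { return; }` would make the early exit explicit.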
@@ -4,11 +4,8 @@ import edu.cornell.mannlib.vitro.webapp.auth.attributes.AttributeValueSet; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.AuthorizationRequest; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; public class AttributeValueChecker { - static final Log log = LogFactory.getLog(AttributeValueChecker.class); static boolean test(Check attr, AuthorizationRequest ar, String... values) { CheckType testType = attr.getType(); diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/SparqlSelectQueryResultsChecker.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/SparqlSelectQueryResultsChecker.java index 0603341733..75b62cfeae 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/SparqlSelectQueryResultsChecker.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/SparqlSelectQueryResultsChecker.java 
@@ -29,39 +29,34 @@ public class SparqlSelectQueryResultsChecker { private static final Log log = LogFactory.getLog(SparqlSelectQueryResultsChecker.class); public static boolean sparqlSelectQueryResultsContain(Check check, AuthorizationRequest ar, String[] inputValues) { - AttributeValueSet values = check.getValues(); - if (!values.containsSingleValue()) { - AttributeValueChecker.log.error("SparqlQueryContains more than one value"); - return false; - } String queryTemplate = check.getConfiguration(); if (StringUtils.isBlank(queryTemplate)) { - queryTemplate = values.getSingleValue(); + queryTemplate = check.getValues().getSingleValue(); } if (StringUtils.isBlank(queryTemplate)) { - AttributeValueChecker.log.error("SparqlQueryContains template is empty"); + log.error("SparqlQueryContains template is empty"); return false; } AccessObject ao = ar.getAccessObject(); Model m = ao.getModel(); if (m == null) { - AttributeValueChecker.log.debug("SparqlQueryContains model is not provided"); + log.debug("SparqlQueryContains model is not provided"); return false; } Set profileUris = new HashSet(ar.getEditorUris()); if (profileUris.isEmpty()) { if (queryTemplate.contains("?profileUri")) { - AttributeValueChecker.log.debug("Subject has no person URIs"); + log.debug("Subject has no person URIs"); return false; } else { profileUris.add(""); } } Set comparedValues = new HashSet<>(); - if (isQueryProvidedInConfiguration(check)) { + if (isQueryNotProvidedInConfiguration(check)) { addRelatedUrisToComparedValues(ao, comparedValues); } else { - addValuesToComparedValues(values, comparedValues); + addValuesToComparedValues(check.getValues(), comparedValues); } for (String profileUri : profileUris) { Set sparqlSelectResults = getSparqlSelectResults(m, profileUri, queryTemplate, ar); 
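Review bot: The fallback `queryTemplate = check.getValues().getSingleValue();` now runs without the `containsSingleValue()` test that this hunk removes, so a check with a blank configuration and zero or several values reaches `getSingleValue()` unguarded; what that call returns in those cases is not visible here. Keeping the test on the fallback path only, `if (StringUtils.isBlank(queryTemplate) && check.getValues().containsSingleValue()) {`, preserves the new behaviour for queries supplied through the configuration. The early exits visible in the hunk all return false, and the missing-model case is logged at debug only. For the display-exclusion policies in this series a false result presumably means the suppression does not apply, so `log.warn("SparqlQueryContains model is not provided");` would make a caller that forgot `setModel` visible. The method body continues past the end of the hunk.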
@@ -82,7 +77,7 @@ private static void addRelatedUrisToComparedValues(AccessObject ao, Set comparedValues.addAll(Arrays.asList(ao.getResourceUris())); } - private static boolean isQueryProvidedInConfiguration(Check check) { + private static boolean isQueryNotProvidedInConfiguration(Check check) { return StringUtils.isBlank(check.getConfiguration()); } diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoader.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoader.java index 57e91ebdc4..90a4fa62ce 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoader.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyLoader.java @@ -522,7 +522,7 @@ protected void processQuerySolution(QuerySolution qs) { } long keySize = qs.getLiteral("keySize").getLong(); if (expectedSize != keySize) { - log.error("wrong key size. Expected " + expectedSize + ". Actual " + keySize ); + debug("wrong key size. Expected " + expectedSize + ". Actual " + keySize ); return; } uri[0] = qs.getResource("valueSet").getURI(); diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/DatapropRetryController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/DatapropRetryController.java index 7153ddaf9f..e37a2cabfc 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/DatapropRetryController.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/DatapropRetryController.java @@ -184,6 +184,7 @@ public void doPost (HttpServletRequest request, HttpServletResponse response) { request.setAttribute("unqualifiedClassName","DatatypeProperty"); addAccessAttributes(request, objectForEditing.getURI(), AccessObjectType.DATA_PROPERTY); + addNotRelatedPropertySuppressions(request, objectForEditing.getURI(), AccessObjectType.DATA_PROPERTY); setRequestAttributes(request,epo); try { 
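Review bot: In the PolicyLoader hunk, `processQuerySolution` still returns without setting `uri[0]` on a key-size mismatch, but the message drops from `log.error` to `debug(...)` and nothing records why a mismatch is now an expected outcome. If it is expected because value sets with additional key components also match the query, a comment such as `// value sets with extra key components also match this query; skip them` above the comparison would say so. If it is not expected, keeping the error level preserves the only signal that a policy value set was skipped during loading. The enclosing method starts and ends outside the hunk.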
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/FauxPropertyRetryController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/FauxPropertyRetryController.java index 00dd403109..bbb36cfc5a 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/FauxPropertyRetryController.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/FauxPropertyRetryController.java @@ -81,6 +81,7 @@ public void doPost(HttpServletRequest req, HttpServletResponse response) { req.setAttribute("_faux_property_type", aot); addAccessAttributes(req, populator.beanForEditing.getConfigUri(), aot); + addNotRelatedPropertySuppressions(req, populator.beanForEditing.getConfigUri(), aot); setRequestAttributes(req, epo); diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/PropertyRetryController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/PropertyRetryController.java index a269a9c5f9..7efdb8e394 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/PropertyRetryController.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/PropertyRetryController.java @@ -184,6 +184,8 @@ public void doPost (HttpServletRequest req, HttpServletResponse response) { request.setAttribute("_action",action); addAccessAttributes(request, propertyForEditing.getURI(), AccessObjectType.OBJECT_PROPERTY); + addNotRelatedPropertySuppressions(request, propertyForEditing.getURI(), AccessObjectType.OBJECT_PROPERTY); + setRequestAttributes(request,epo); try { diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/VclassRetryController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/VclassRetryController.java index 0ba8117966..3c8a9bdb5f 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/VclassRetryController.java 
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/VclassRetryController.java @@ -163,6 +163,9 @@ public void doPost (HttpServletRequest req, HttpServletResponse response) { request.setAttribute("unqualifiedClassName","VClass"); addAccessAttributes(request, vclassForEditing.getURI(), AccessObjectType.CLASS); + addTypeSuppressions(request, vclassForEditing.getURI(), AccessObjectType.INDIVIDUAL); + addNotRelatedTypeSuppressions(request, vclassForEditing.getURI(), AccessObjectType.INDIVIDUAL); + setRequestAttributes(request,epo); try { diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/PropertyGroupTemplateModel.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/PropertyGroupTemplateModel.java index abeefaf701..33aedb81d1 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/PropertyGroupTemplateModel.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/PropertyGroupTemplateModel.java 
@@ -8,18 +8,11 @@ import java.util.ArrayList; import java.util.List; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; - import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation; import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject; -import edu.cornell.mannlib.vitro.webapp.auth.objects.DataPropertyAccessObject; import edu.cornell.mannlib.vitro.webapp.auth.objects.DataPropertyStatementAccessObject; -import edu.cornell.mannlib.vitro.webapp.auth.objects.FauxDataPropertyAccessObject; import edu.cornell.mannlib.vitro.webapp.auth.objects.FauxDataPropertyStatementAccessObject; -import edu.cornell.mannlib.vitro.webapp.auth.objects.FauxObjectPropertyAccessObject; import edu.cornell.mannlib.vitro.webapp.auth.objects.FauxObjectPropertyStatementAccessObject; -import edu.cornell.mannlib.vitro.webapp.auth.objects.ObjectPropertyAccessObject; import edu.cornell.mannlib.vitro.webapp.auth.objects.ObjectPropertyStatementAccessObject; import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper; import edu.cornell.mannlib.vitro.webapp.beans.DataProperty; @@ -30,6 +23,8 @@ import edu.cornell.mannlib.vitro.webapp.beans.PropertyGroup; import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest; import edu.cornell.mannlib.vitro.webapp.web.templatemodels.BaseTemplateModel; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; public class PropertyGroupTemplateModel extends BaseTemplateModel { 
@@ -78,20 +73,11 @@ public class PropertyGroupTemplateModel extends BaseTemplateModel { */ private boolean allowedToDisplay(VitroRequest vreq, ObjectProperty op, Individual subject) { AccessObject ao; - if (op instanceof FauxObjectPropertyWrapper) { - ao = new FauxObjectPropertyAccessObject(op); - } else { - ao = new ObjectPropertyAccessObject(op); - } - if (PolicyHelper.isAuthorizedForActions(vreq, ao, AccessOperation.DISPLAY)) { - return true; - } - //TODO: Model should be here to correctly check authorization if (op instanceof FauxObjectPropertyWrapper) { final FauxProperty fauxProperty = ((FauxObjectPropertyWrapper) op).getFauxProperty(); - ao = new FauxObjectPropertyStatementAccessObject(null, subject.getURI(), fauxProperty, SOME_URI); + ao = new FauxObjectPropertyStatementAccessObject(vreq.getJenaOntModel(), subject.getURI(), fauxProperty, SOME_URI); } else { - ao = new ObjectPropertyStatementAccessObject(null, subject.getURI(), op, SOME_URI); + ao = new ObjectPropertyStatementAccessObject(vreq.getJenaOntModel(), subject.getURI(), op, SOME_URI); } return PolicyHelper.isAuthorizedForActions(vreq, ao, AccessOperation.DISPLAY); } diff --git a/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/exclude_from_display_test_data.n3 b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/exclude_from_display_test_data.n3 index 04e0ae86f3..8dbf89b88a 100644 --- a/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/exclude_from_display_test_data.n3 +++ b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/exclude_from_display_test_data.n3 @@ -1,4 +1,4 @@ # $This file is distributed under the terms of the license in LICENSE$ - . + . diff --git a/home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_type.n3 b/home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_type.n3 index b30f65be81..93336fc28d 100644 
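Review bot: `allowedToDisplay` no longer consults the property-level access object: the early `return true` after the `ObjectPropertyAccessObject` / `FauxObjectPropertyAccessObject` check is removed, and the result now rests only on the statement-level check made with the placeholder object `SOME_URI`. This changes behaviour for any policy that grants DISPLAY on the property type alone, and the Javadoc above the method (which begins outside this hunk) should say so, for example `Display is decided by the statement-level policy for (subject, property, SOME_URI); property-level grants are not consulted here.` The model argument also changes from `null` to `vreq.getJenaOntModel()`, so statement rules are now evaluated against that model. The same Javadoc should name which model that is, because the hunk does not show whether it is the model the policies expect.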
--- a/home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_type.n3 +++ b/home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_type.n3 @@ -165,7 +165,7 @@ :IndividualTypeQuery a access:SparqlSelectValuesQuery ; access:id """ SELECT ?type WHERE { - ?objectUri ?type . + ?objectUri ?type . } """ . diff --git a/home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_type_not_related.n3 b/home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_type_not_related.n3 index 60b32f4b8b..44990aa2fa 100644 --- a/home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_type_not_related.n3 +++ b/home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_type_not_related.n3 @@ -73,7 +73,7 @@ :IndividualTypeQuery a access:SparqlSelectValuesQuery ; access:id """ SELECT ?type WHERE { - ?objectUri ?type . + ?objectUri ?type . } """ . diff --git a/webapp/src/main/webapp/templates/edit/specific/dataprop_retry.jsp b/webapp/src/main/webapp/templates/edit/specific/dataprop_retry.jsp index 6b35856959..f20146f7a3 100644 --- a/webapp/src/main/webapp/templates/edit/specific/dataprop_retry.jsp +++ b/webapp/src/main/webapp/templates/edit/specific/dataprop_retry.jsp @@ -150,6 +150,31 @@ + + + + + + Suppress ${entry.key} for this property in not related individuals
+ + + + + + + + + +
+ + +
+
+ + diff --git a/webapp/src/main/webapp/templates/edit/specific/fauxProperty_retry.jsp b/webapp/src/main/webapp/templates/edit/specific/fauxProperty_retry.jsp index 577d30ea5c..02385b19e0 100644 --- a/webapp/src/main/webapp/templates/edit/specific/fauxProperty_retry.jsp +++ b/webapp/src/main/webapp/templates/edit/specific/fauxProperty_retry.jsp @@ -86,6 +86,30 @@ + + + + + + Suppress ${entry.key} for this property in not related individuals
+ + + + + + + + + +
+ + +
+
+ diff --git a/webapp/src/main/webapp/templates/edit/specific/property_retry.jsp b/webapp/src/main/webapp/templates/edit/specific/property_retry.jsp index 00ad410eb9..0d4437fb0d 100644 --- a/webapp/src/main/webapp/templates/edit/specific/property_retry.jsp +++ b/webapp/src/main/webapp/templates/edit/specific/property_retry.jsp @@ -213,6 +213,30 @@ + + + + + + Suppress ${entry.key} for this property in not related individuals
+ + + + + + + + + +
+ + +
+
+ diff --git a/webapp/src/main/webapp/templates/edit/specific/vclass_retry.jsp b/webapp/src/main/webapp/templates/edit/specific/vclass_retry.jsp index 864879e82c..a21fac5e89 100644 --- a/webapp/src/main/webapp/templates/edit/specific/vclass_retry.jsp +++ b/webapp/src/main/webapp/templates/edit/specific/vclass_retry.jsp @@ -111,8 +111,59 @@ + + + + + + + Suppress ${entry.key} for individual pages of this class
+ + + + + + + + + +
+ + +
+
+ + + + + + + + Suppress ${entry.key} for not related individual pages of this class
+ + + + + + + + + +
+ + +
+
+ + + + + + + + + Suppress ${entry.key} for roles
+ + + + + + + + + +
+ + +
+
+ + From af706bc24571a58915ecf13d98951d6d59e1c9cc Mon Sep 17 00:00:00 2001 
From: Georgy Litvinov Date: Tue, 9 Jan 2024 09:51:49 +0100 Subject: [PATCH 24/33] refact: renamed templates, named key components. --- .../vedit/controller/BaseEditController.java | 13 ++- .../vedit/controller/OperationController.java | 14 ++-- .../auth/attributes/NamedKeyComponent.java | 6 +- ...isplayIndividualPageByUriTemplateTest.java | 10 +-- ...DisplayIndividualPageTypeTemplateTest.java | 10 +-- ...latedIndividualPageByTypeTemplateTest.java | 14 ++-- ...ayNotRelatedPropertyByUriTemplateTest.java | 16 ++-- ..._data.n3 => suppress_display_test_data.n3} | 0 ...s_self_editor_not_related_data_property.n3 | 6 -- ...f_editor_not_related_faux_data_property.n3 | 6 -- ...editor_not_related_faux_object_property.n3 | 6 -- ...self_editor_not_related_object_property.n3 | 6 -- .../firsttime/named_key_components.n3 | 11 +-- ...ppress_display_individual_page_by_type.n3} | 70 ++++++++-------- ...uppress_display_individual_page_by_uri.n3} | 70 ++++++++-------- ...ay_not_related_individual_page_by_type.n3} | 16 ++-- ...ss_display_not_related_property_by_uri.n3} | 80 +++++++++---------- 17 files changed, 162 insertions(+), 192 deletions(-) rename api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/{exclude_from_display_test_data.n3 => suppress_display_test_data.n3} (100%) delete mode 100644 home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_data_property.n3 delete mode 100644 home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_faux_data_property.n3 delete mode 100644 home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_faux_object_property.n3 delete mode 100644 home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_object_property.n3 rename home/src/main/resources/rdf/accessControl/firsttime/{template_exclude_display_individual_page_type.n3 => template_suppress_display_individual_page_by_type.n3} (74%) rename 
home/src/main/resources/rdf/accessControl/firsttime/{template_exclude_display_individual_page_uri.n3 => template_suppress_display_individual_page_by_uri.n3} (74%) rename home/src/main/resources/rdf/accessControl/firsttime/{template_exclude_display_individual_page_type_not_related.n3 => template_suppress_display_not_related_individual_page_by_type.n3} (86%) rename home/src/main/resources/rdf/accessControl/firsttime/{template_hide_not_related_property.n3 => template_suppress_display_not_related_property_by_uri.n3} (62%) diff --git a/api/src/main/java/edu/cornell/mannlib/vedit/controller/BaseEditController.java b/api/src/main/java/edu/cornell/mannlib/vedit/controller/BaseEditController.java index ba8a6f17dd..43471a3847 100644 --- a/api/src/main/java/edu/cornell/mannlib/vedit/controller/BaseEditController.java +++ b/api/src/main/java/edu/cornell/mannlib/vedit/controller/BaseEditController.java @@ -3,9 +3,8 @@ package edu.cornell.mannlib.vedit.controller; import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.NOT_RELATED; -import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.PROPERTY_EXCLUSION; -import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.TYPE_EXCLUSION; -import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.URI_EXCLUSION; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.SUPPRESSION_BY_TYPE; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.SUPPRESSION_BY_URI; import static edu.cornell.mannlib.vitro.webapp.modelaccess.ModelAccess.ReasoningOption.ASSERTIONS_ONLY; import java.text.Collator; 
@@ -264,7 +263,7 @@ private static void getRolePolicyInformation(String entityURI, AccessObjectType protected static void addUriSuppressions(HttpServletRequest req, String entityURI, AccessObjectType aot) { AccessOperation operation = AccessOperation.DISPLAY; String[] namedKeys = new String[1]; - namedKeys[0] = URI_EXCLUSION.toString(); + namedKeys[0] = SUPPRESSION_BY_URI.toString(); // Get the available permission sets List permissionSets = buildListOfSelectableRoles(ModelAccess.on(req).getWebappDaoFactory()); List roles = new ArrayList<>(); @@ -288,7 +287,7 @@ protected static void addUriSuppressions(HttpServletRequest req, String entityUR protected static void addTypeSuppressions(HttpServletRequest req, String entityURI, AccessObjectType aot) { AccessOperation operation = AccessOperation.DISPLAY; String[] namedKeys = new String[1]; - namedKeys[0] = TYPE_EXCLUSION.toString(); + namedKeys[0] = SUPPRESSION_BY_TYPE.toString(); // Get the available permission sets List permissionSets = buildListOfSelectableRoles(ModelAccess.on(req).getWebappDaoFactory()); List roles = new ArrayList<>(); @@ -311,7 +310,7 @@ protected static void addTypeSuppressions(HttpServletRequest req, String entityU protected static void addNotRelatedTypeSuppressions(HttpServletRequest req, String entityURI, AccessObjectType aot) { AccessOperation operation = AccessOperation.DISPLAY; String[] namedKeys = new String[2]; - namedKeys[0] = TYPE_EXCLUSION.toString(); + namedKeys[0] = SUPPRESSION_BY_TYPE.toString(); namedKeys[1] = NOT_RELATED.toString(); RoleInfo role = getSelfEditorRole(req); @@ -336,7 +335,7 @@ protected static void addNotRelatedPropertySuppressions(HttpServletRequest req, AccessObjectType aot) { AccessOperation operation = AccessOperation.DISPLAY; String[] namedKeys = new String[2]; - namedKeys[0] = PROPERTY_EXCLUSION.toString(); + namedKeys[0] = SUPPRESSION_BY_URI.toString(); namedKeys[1] = NOT_RELATED.toString(); RoleInfo role = getSelfEditorRole(req); 
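Review bot: The last hunk here, in `addNotRelatedPropertySuppressions`, is not a pure rename: `PROPERTY_EXCLUSION` is replaced by `SUPPRESSION_BY_URI`, so not-related property suppression now shares its first key component with `addUriSuppressions` and is told apart only by `NOT_RELATED`. `updateNotRelatedPropertySuppressions` in OperationController.java makes the same substitution, and named_key_components.n3 changes the `access:id` strings to match. If an installation already holds data sets stored under the old ids, lookups with the new keys would presumably find nothing and those display suppressions would silently stop applying. The commit message should state whether a migration is needed. A comment at the assignment would record the change: `// key is SUPPRESSION_BY_URI + NOT_RELATED (formerly PROPERTY_EXCLUSION + NOT_RELATED)`.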
diff --git a/api/src/main/java/edu/cornell/mannlib/vedit/controller/OperationController.java b/api/src/main/java/edu/cornell/mannlib/vedit/controller/OperationController.java index 6f092cefd5..c86fe12b37 100644 --- a/api/src/main/java/edu/cornell/mannlib/vedit/controller/OperationController.java +++ b/api/src/main/java/edu/cornell/mannlib/vedit/controller/OperationController.java @@ -6,9 +6,8 @@ import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.INDIVIDUAL; import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.DISPLAY; import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.NOT_RELATED; -import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.PROPERTY_EXCLUSION; -import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.TYPE_EXCLUSION; -import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.URI_EXCLUSION; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.SUPPRESSION_BY_TYPE; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.SUPPRESSION_BY_URI; import java.io.IOException; import java.lang.reflect.InvocationTargetException; @@ -37,7 +36,6 @@ import edu.cornell.mannlib.vedit.validator.Validator; import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType; import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation; -import edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent; import edu.cornell.mannlib.vitro.webapp.auth.policy.EntityPolicyController; import edu.cornell.mannlib.vitro.webapp.beans.PermissionSet; import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelAccess; 
@@ -272,7 +270,7 @@ private void updateUriSuppressions(HttpServletRequest request, AccessObjectType return; } String[] namedKeys = new String[1]; - namedKeys[0] = URI_EXCLUSION.toString(); + namedKeys[0] = SUPPRESSION_BY_URI.toString(); Set roles = getAllRoles(request); String operationGroupName = "uriSuppression" + DISPLAY.toString().toLowerCase(); Set selectedRoles = getSelectedRoles(request, operationGroupName); @@ -290,7 +288,7 @@ private void updateTypeSuppressions(HttpServletRequest request, AccessObjectType return; } String[] namedKeys = new String[1]; - namedKeys[0] = TYPE_EXCLUSION.toString(); + namedKeys[0] = SUPPRESSION_BY_TYPE.toString(); Set roles = getAllRoles(request); String operationGroupName = "typeSuppression" + DISPLAY.toString().toLowerCase(); Set selectedRoles = getSelectedRoles(request, operationGroupName); @@ -308,7 +306,7 @@ private void updateNotRelatedTypeSuppressions(HttpServletRequest request, Access return; } String[] namedKeys = new String[2]; - namedKeys[0] = TYPE_EXCLUSION.toString(); + namedKeys[0] = SUPPRESSION_BY_TYPE.toString(); namedKeys[1] = NOT_RELATED.toString(); RoleInfo role = getSelfEditorRole(request); String operationGroupName = "typeSuppressionNotRelated" + DISPLAY.toString().toLowerCase(); @@ -326,7 +324,7 @@ private void updateNotRelatedPropertySuppressions(HttpServletRequest request, Ac return; } String[] namedKeys = new String[2]; - namedKeys[0] = PROPERTY_EXCLUSION.toString(); + namedKeys[0] = SUPPRESSION_BY_URI.toString(); namedKeys[1] = NOT_RELATED.toString(); RoleInfo role = getSelfEditorRole(request); String operationGroupName = "propertySuppressionNotRelated" + DISPLAY.toString().toLowerCase(); diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/NamedKeyComponent.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/NamedKeyComponent.java index 8a3404056f..2d39cffd46 100644 
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/NamedKeyComponent.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/NamedKeyComponent.java @@ -1,8 +1,8 @@ package edu.cornell.mannlib.vitro.webapp.auth.attributes; public enum NamedKeyComponent { - URI_EXCLUSION, - TYPE_EXCLUSION, - PROPERTY_EXCLUSION, + SUPPRESSION_BY_URI, + SUPPRESSION_BY_TYPE, + PROPERTY_SUPPRESSION, NOT_RELATED, } diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SuppressDisplayIndividualPageByUriTemplateTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SuppressDisplayIndividualPageByUriTemplateTest.java index e1dcd912e4..e0f91f0a70 100644 --- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SuppressDisplayIndividualPageByUriTemplateTest.java +++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SuppressDisplayIndividualPageByUriTemplateTest.java @@ -2,7 +2,7 @@ import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.INDIVIDUAL; import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.DISPLAY; -import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.URI_EXCLUSION; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.SUPPRESSION_BY_URI; import static edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult.INCONCLUSIVE; import static edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult.UNAUTHORIZED; import static org.junit.Assert.assertEquals; 
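Review bot: `PROPERTY_SUPPRESSION` is left in the enum although every use of `PROPERTY_EXCLUSION` in this commit was switched to `SUPPRESSION_BY_URI`, and named_key_components.n3 removes `access-individual:PropertyExclusion` without adding a replacement individual. As far as this diff shows, the constant has no caller and no matching `access:NamedKeyComponent` entry, so a later caller using it as a key would presumably match no data set and the intended suppression would not be applied. Either delete the line `PROPERTY_SUPPRESSION,` or add the corresponding individual to the n3 file.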
@@ -25,12 +25,12 @@ import org.junit.runners.Parameterized; @RunWith(Parameterized.class) -public class DisplayIndividualPageExcludeByUriTemplateTest extends PolicyTest { +public class SuppressDisplayIndividualPageByUriTemplateTest extends PolicyTest { private static final String TEST_ENTITY = "test:entity"; public static final String POLICY_PATH = - USER_ACCOUNTS_HOME_FIRSTTIME + "template_exclude_display_individual_page_uri.n3"; + USER_ACCOUNTS_HOME_FIRSTTIME + "template_suppress_display_individual_page_by_uri.n3"; @org.junit.runners.Parameterized.Parameter(0) public AccessOperation ao; @@ -54,10 +54,10 @@ public void testLoadPolicy() { if (roleUri.equals(CUSTOM)) { PolicyTemplateController.createRoleDataSets(CUSTOM); } - EntityPolicyController.grantAccess(TEST_ENTITY, type, ao, roleUri, URI_EXCLUSION.toString()); + EntityPolicyController.grantAccess(TEST_ENTITY, type, ao, roleUri, SUPPRESSION_BY_URI.toString()); String dataSetUri = - loader.getDataSetUriByKey(URI_EXCLUSION.toString(), ao.toString(), type.toString(), roleUri); + loader.getDataSetUriByKey(SUPPRESSION_BY_URI.toString(), ao.toString(), type.toString(), roleUri); assertFalse(dataSetUri == null); DynamicPolicy policy = loader.loadPolicyFromTemplateDataSet(dataSetUri); assertTrue(policy != null); diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SuppressDisplayIndividualPageTypeTemplateTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SuppressDisplayIndividualPageTypeTemplateTest.java index 173ac34db6..824d16c09b 100644 --- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SuppressDisplayIndividualPageTypeTemplateTest.java +++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SuppressDisplayIndividualPageTypeTemplateTest.java 
@@ -2,7 +2,7 @@ import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.INDIVIDUAL; import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.DISPLAY; -import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.TYPE_EXCLUSION; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.SUPPRESSION_BY_TYPE; import static edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult.INCONCLUSIVE; import static edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult.UNAUTHORIZED; import static org.junit.Assert.assertEquals; @@ -29,17 +29,17 @@ import org.junit.runners.Parameterized; @RunWith(Parameterized.class) -public class DisplayIndividualPageExcludeByTypeTemplateTest extends PolicyTest { +public class SuppressDisplayIndividualPageTypeTemplateTest extends PolicyTest { - private static final NamedKeyComponent NAMED_KEY = TYPE_EXCLUSION; + private static final NamedKeyComponent NAMED_KEY = SUPPRESSION_BY_TYPE; private static final String TEST_ENTITY = "test:alice"; private static final String TEST_TYPE = "test:person"; public static final String POLICY_PATH = - USER_ACCOUNTS_HOME_FIRSTTIME + "template_exclude_display_individual_page_type.n3"; - public static final String TEST_DATA = RESOURCES_RULES_PREFIX + "exclude_from_display_test_data.n3"; + USER_ACCOUNTS_HOME_FIRSTTIME + "template_suppress_display_individual_page_by_type.n3"; + public static final String TEST_DATA = RESOURCES_RULES_PREFIX + "suppress_display_test_data.n3"; @org.junit.runners.Parameterized.Parameter(0) public AccessOperation ao; diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SuppressDisplayNotRelatedIndividualPageByTypeTemplateTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SuppressDisplayNotRelatedIndividualPageByTypeTemplateTest.java index 5be1dc4bbe..11738e1a20 100644 
--- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SuppressDisplayNotRelatedIndividualPageByTypeTemplateTest.java +++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SuppressDisplayNotRelatedIndividualPageByTypeTemplateTest.java @@ -3,7 +3,7 @@ import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.INDIVIDUAL; import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.DISPLAY; import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.NOT_RELATED; -import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.TYPE_EXCLUSION; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.SUPPRESSION_BY_TYPE; import static edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult.INCONCLUSIVE; import static edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult.UNAUTHORIZED; import static org.junit.Assert.assertEquals; @@ -29,14 +29,14 @@ import org.junit.runners.Parameterized; @RunWith(Parameterized.class) -public class DisplayIndividualPageExcludeByTypeNotRelatedTemplateTest extends PolicyTest { +public class SuppressDisplayNotRelatedIndividualPageByTypeTemplateTest extends PolicyTest { private static final String TEST_ENTITY = "test:alice"; private static final String TEST_TYPE = "test:person"; public static final String POLICY_PATH = - USER_ACCOUNTS_HOME_FIRSTTIME + "template_exclude_display_individual_page_type_not_related.n3"; - public static final String TEST_DATA = RESOURCES_RULES_PREFIX + "exclude_from_display_test_data.n3"; + USER_ACCOUNTS_HOME_FIRSTTIME + "template_suppress_display_not_related_individual_page_by_type.n3"; + public static final String TEST_DATA = RESOURCES_RULES_PREFIX + "suppress_display_test_data.n3"; @org.junit.runners.Parameterized.Parameter(0) public AccessOperation ao; 
@@ -66,11 +66,11 @@ public void testLoadPolicy() { if (roleUri.equals(CUSTOM)) { PolicyTemplateController.createRoleDataSets(CUSTOM); } - EntityPolicyController.grantAccess(TEST_TYPE, type, ao, roleUri, TYPE_EXCLUSION.toString(), + EntityPolicyController.grantAccess(TEST_TYPE, type, ao, roleUri, SUPPRESSION_BY_TYPE.toString(), NOT_RELATED.toString()); - String dataSetUri = loader.getDataSetUriByKey(TYPE_EXCLUSION.toString(), NOT_RELATED.toString(), ao.toString(), - type.toString(), roleUri); + String dataSetUri = loader.getDataSetUriByKey(SUPPRESSION_BY_TYPE.toString(), NOT_RELATED.toString(), + ao.toString(), type.toString(), roleUri); assertFalse(dataSetUri == null); DynamicPolicy policy = loader.loadPolicyFromTemplateDataSet(dataSetUri); assertTrue(policy != null); diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SuppressDisplayNotRelatedPropertyByUriTemplateTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SuppressDisplayNotRelatedPropertyByUriTemplateTest.java index 5883b1a391..5e80d4def3 100644 --- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SuppressDisplayNotRelatedPropertyByUriTemplateTest.java +++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/SuppressDisplayNotRelatedPropertyByUriTemplateTest.java 
@@ -7,7 +7,7 @@ import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.DISPLAY; import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.PUBLISH; import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.NOT_RELATED; -import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.PROPERTY_EXCLUSION; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.SUPPRESSION_BY_URI; import static edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult.INCONCLUSIVE; import static edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult.UNAUTHORIZED; import static org.junit.Assert.assertEquals; @@ -36,10 +36,11 @@ import org.junit.runners.Parameterized; @RunWith(Parameterized.class) -public class HidePropertiesNotRelatedToSelfEditorTemplateTest extends PolicyTest { +public class SuppressDisplayNotRelatedPropertyByUriTemplateTest extends PolicyTest { - public static final String POLICY_PATH = USER_ACCOUNTS_HOME_FIRSTTIME + "template_hide_not_related_property.n3"; - public static final String TEST_DATA = RESOURCES_RULES_PREFIX + "exclude_from_display_test_data.n3"; + public static final String POLICY_PATH = + USER_ACCOUNTS_HOME_FIRSTTIME + "template_suppress_display_not_related_property_by_uri.n3"; + public static final String TEST_DATA = RESOURCES_RULES_PREFIX + "suppress_display_test_data.n3"; private static final String TEST_ENTITY = "test:alice"; private static final String OBJECT_ENTITY = "test:orange"; private static final String TEST_PROPERTY = "test:has"; 
@@ -71,9 +72,9 @@ public void testLoadPolicy() { dataModel.leaveCriticalSection(); } EntityPolicyController.grantAccess(TEST_PROPERTY, type, ao, roleUri, NOT_RELATED.toString(), - PROPERTY_EXCLUSION.toString()); + SUPPRESSION_BY_URI.toString()); - String dataSetUri = loader.getDataSetUriByKey(PROPERTY_EXCLUSION.toString(), NOT_RELATED.toString(), + String dataSetUri = loader.getDataSetUriByKey(SUPPRESSION_BY_URI.toString(), NOT_RELATED.toString(), ao.toString(), type.toString(), roleUri); DynamicPolicy policy = loader.loadPolicyFromTemplateDataSet(dataSetUri); assertTrue(policy != null); @@ -174,8 +175,7 @@ public static Collection requests() { { DISPLAY, DATA_PROPERTY, SELF_EDITOR, 1, num(5) }, { DISPLAY, OBJECT_PROPERTY, SELF_EDITOR, 1, num(5) }, { DISPLAY, FAUX_DATA_PROPERTY, SELF_EDITOR, 1, num(5) }, - { DISPLAY, FAUX_OBJECT_PROPERTY, SELF_EDITOR, 1, num(5) }, - }); + { DISPLAY, FAUX_OBJECT_PROPERTY, SELF_EDITOR, 1, num(5) }, }); } private static Set num(int i) { diff --git a/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/exclude_from_display_test_data.n3 b/api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/suppress_display_test_data.n3 similarity index 100% rename from api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/exclude_from_display_test_data.n3 rename to api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/suppress_display_test_data.n3 diff --git a/home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_data_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_data_property.n3 deleted file mode 100644 index 242751b9b4..0000000000 --- a/home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_data_property.n3 +++ /dev/null 
@@ -1,6 +0,0 @@ -# $This file is distributed under the terms of the license in LICENSE$ - -@prefix access: . -@prefix : . - -#:SelfEditorHideNotRelatedDataPropertyValueSet access:value <> . diff --git a/home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_faux_data_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_faux_data_property.n3 deleted file mode 100644 index 1f6e4763bb..0000000000 --- a/home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_faux_data_property.n3 +++ /dev/null @@ -1,6 +0,0 @@ -# $This file is distributed under the terms of the license in LICENSE$ - -@prefix access: . -@prefix : . - -#:SelfEditorHideNotRelatedFauxDataPropertyValueSet access:value <> . diff --git a/home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_faux_object_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_faux_object_property.n3 deleted file mode 100644 index 8a1baecb8f..0000000000 --- a/home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_faux_object_property.n3 +++ /dev/null @@ -1,6 +0,0 @@ -# $This file is distributed under the terms of the license in LICENSE$ - -@prefix access: . -@prefix : . - -#:SelfEditorHideNotRelatedFauxObjectPropertyValueSet access:value <> . diff --git a/home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_object_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_object_property.n3 deleted file mode 100644 index 01d8fa7ff0..0000000000 --- a/home/src/main/resources/rdf/accessControl/firsttime/hidden_entities_self_editor_not_related_object_property.n3 +++ /dev/null 
@@ -1,6 +0,0 @@ -# $This file is distributed under the terms of the license in LICENSE$ - -@prefix access: . -@prefix : . - -#:SelfEditorHideNotRelatedObjectPropertyValueSet access:value <> . diff --git a/home/src/main/resources/rdf/accessControl/firsttime/named_key_components.n3 b/home/src/main/resources/rdf/accessControl/firsttime/named_key_components.n3 index dfb9d8be8a..a59f6b0f1a 100644 --- a/home/src/main/resources/rdf/accessControl/firsttime/named_key_components.n3 +++ b/home/src/main/resources/rdf/accessControl/firsttime/named_key_components.n3 @@ -3,14 +3,11 @@ @prefix access-individual: . @prefix access: . -access-individual:UriExclusion a access:NamedKeyComponent ; - access:id "URI_EXCLUSION" . +access-individual:SuppressionByUri a access:NamedKeyComponent ; + access:id "SUPPRESSION_BY_URI" . -access-individual:TypeExclusion a access:NamedKeyComponent ; - access:id "TYPE_EXCLUSION" . - -access-individual:PropertyExclusion a access:NamedKeyComponent ; - access:id "PROPERTY_EXCLUSION" . +access-individual:SuppressionByType a access:NamedKeyComponent ; + access:id "SUPPRESSION_BY_TYPE" . access-individual:NotRelated a access:NamedKeyComponent ; access:id "NOT_RELATED" . diff --git a/home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_type.n3 b/home/src/main/resources/rdf/accessControl/firsttime/template_suppress_display_individual_page_by_type.n3 similarity index 74% rename from home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_type.n3 rename to home/src/main/resources/rdf/accessControl/firsttime/template_suppress_display_individual_page_by_type.n3 index 93336fc28d..0a90b4ffc6 100644 --- a/home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_type.n3 +++ b/home/src/main/resources/rdf/accessControl/firsttime/template_suppress_display_individual_page_by_type.n3 
@@ -3,36 +3,36 @@ @prefix auth: . @prefix access-individual: . @prefix access: . -@prefix : . +@prefix : . :PolicyTemplate a access:PolicyTemplate ; access:priority 1500 ; - access:hasRule :ExcludeMatchingUri ; - access:hasDataSet :PublicDisplayExclusionDataSet ; - access:hasDataSet :SelfEditorDisplayExclusionDataSet ; - access:hasDataSet :EditorDisplayExclusionDataSet ; - access:hasDataSet :CuratorDisplayExclusionDataSet ; - access:hasDataSet :AdminDisplayExclusionDataSet ; - access:hasDataSetTemplate :RoleDisplayExclusionDataSetTemplate ; + access:hasRule :SuppressMatchingUri ; + access:hasDataSet :PublicDisplaySuppressionDataSet ; + access:hasDataSet :SelfEditorDisplaySuppressionDataSet ; + access:hasDataSet :EditorDisplaySuppressionDataSet ; + access:hasDataSet :CuratorDisplaySuppressionDataSet ; + access:hasDataSet :AdminDisplaySuppressionDataSet ; + access:hasDataSetTemplate :RoleDisplaySuppressionDataSetTemplate ; . #Role Display data set template -:RoleDisplayExclusionDataSetTemplate a access:DataSetTemplate ; - access:hasDataSetTemplateKey :RoleDisplayExclusionDataSetTemplateKey ; - access:hasDataSetKeyTemplate :RoleDisplayExclusionDataSetKeyTemplate ; +:RoleDisplaySuppressionDataSetTemplate a access:DataSetTemplate ; + access:hasDataSetTemplateKey :RoleDisplaySuppressionDataSetTemplateKey ; + access:hasDataSetKeyTemplate :RoleDisplaySuppressionDataSetKeyTemplate ; access:hasRelatedValueSet access-individual:IndividualValueSet ; access:hasRelatedValueSet access-individual:DisplayOperationValueSet ; access:dataSetValueTemplate :RoleDisplayRoleValueSetTemplate ; access:dataSetValueTemplate :RoleDisplayValueSetTemplate . -:RoleDisplayExclusionDataSetTemplateKey a access:DataSetTemplateKey ; +:RoleDisplaySuppressionDataSetTemplateKey a access:DataSetTemplateKey ; access:hasTemplateKeyComponent access-individual:SubjectRole . 
-:RoleDisplayExclusionDataSetKeyTemplate a access:DataSetKeyTemplate ; +:RoleDisplaySuppressionDataSetKeyTemplate a access:DataSetKeyTemplate ; access:hasKeyComponent access-individual:IndividualAccessObject ; access:hasKeyComponent access-individual:DisplayOperation ; - access:hasKeyComponent access-individual:TypeExclusion ; + access:hasKeyComponent access-individual:SuppressionByType ; access:hasKeyComponentTemplate access-individual:SubjectRole . :RoleDisplayRoleValueSetTemplate a access:ValueSetTemplate ; 
@@ -46,82 +46,82 @@ ### Public display uri data sets -:PublicDisplayExclusionDataSet a access:DataSet ; - access:hasDataSetKey :PublicDisplayExclusionDataSetKey ; +:PublicDisplaySuppressionDataSet a access:DataSet ; + access:hasDataSetKey :PublicDisplaySuppressionDataSetKey ; access:hasRelatedValueSet access-individual:PublicRoleValueSet ; access:hasRelatedValueSet access-individual:IndividualValueSet ; access:hasRelatedValueSet access-individual:DisplayOperationValueSet ; access:hasRelatedValueSet :PublicDisplayValueSet . -:PublicDisplayExclusionDataSetKey a access:DataSetKey ; +:PublicDisplaySuppressionDataSetKey a access:DataSetKey ; access:hasKeyComponent access-individual:IndividualAccessObject ; access:hasKeyComponent access-individual:PublicRoleUri ; - access:hasKeyComponent access-individual:TypeExclusion ; + access:hasKeyComponent access-individual:SuppressionByType ; access:hasKeyComponent access-individual:DisplayOperation . ### SelfEditor display uri data sets -:SelfEditorDisplayExclusionDataSet a access:DataSet ; - access:hasDataSetKey :SelfEditorDisplayExclusionDataSetKey ; +:SelfEditorDisplaySuppressionDataSet a access:DataSet ; + access:hasDataSetKey :SelfEditorDisplaySuppressionDataSetKey ; access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ; access:hasRelatedValueSet access-individual:IndividualValueSet ; access:hasRelatedValueSet access-individual:DisplayOperationValueSet ; access:hasRelatedValueSet :SelfEditorDisplayValueSet . -:SelfEditorDisplayExclusionDataSetKey a access:DataSetKey ; +:SelfEditorDisplaySuppressionDataSetKey a access:DataSetKey ; access:hasKeyComponent access-individual:IndividualAccessObject ; access:hasKeyComponent access-individual:SelfEditorRoleUri ; - access:hasKeyComponent access-individual:TypeExclusion ; + access:hasKeyComponent access-individual:SuppressionByType ; access:hasKeyComponent access-individual:DisplayOperation . 
### Editor display uri data sets -:EditorDisplayExclusionDataSet a access:DataSet ; - access:hasDataSetKey :EditorDisplayExclusionDataSetKey ; +:EditorDisplaySuppressionDataSet a access:DataSet ; + access:hasDataSetKey :EditorDisplaySuppressionDataSetKey ; access:hasRelatedValueSet access-individual:EditorRoleValueSet ; access:hasRelatedValueSet access-individual:IndividualValueSet ; access:hasRelatedValueSet access-individual:DisplayOperationValueSet ; access:hasRelatedValueSet :EditorDisplayValueSet . -:EditorDisplayExclusionDataSetKey a access:DataSetKey ; +:EditorDisplaySuppressionDataSetKey a access:DataSetKey ; access:hasKeyComponent access-individual:IndividualAccessObject ; access:hasKeyComponent access-individual:EditorRoleUri ; - access:hasKeyComponent access-individual:TypeExclusion ; + access:hasKeyComponent access-individual:SuppressionByType ; access:hasKeyComponent access-individual:DisplayOperation . ### Curator display uri data sets -:CuratorDisplayExclusionDataSet a access:DataSet ; - access:hasDataSetKey :CuratorDisplayExclusionDataSetKey ; +:CuratorDisplaySuppressionDataSet a access:DataSet ; + access:hasDataSetKey :CuratorDisplaySuppressionDataSetKey ; access:hasRelatedValueSet access-individual:CuratorRoleValueSet ; access:hasRelatedValueSet access-individual:IndividualValueSet ; access:hasRelatedValueSet access-individual:DisplayOperationValueSet ; access:hasRelatedValueSet :CuratorDisplayValueSet . -:CuratorDisplayExclusionDataSetKey a access:DataSetKey ; +:CuratorDisplaySuppressionDataSetKey a access:DataSetKey ; access:hasKeyComponent access-individual:IndividualAccessObject ; access:hasKeyComponent access-individual:CuratorRoleUri ; - access:hasKeyComponent access-individual:TypeExclusion ; + access:hasKeyComponent access-individual:SuppressionByType ; access:hasKeyComponent access-individual:DisplayOperation . 
### Admin display uri data sets -:AdminDisplayExclusionDataSet a access:DataSet ; - access:hasDataSetKey :AdminDisplayExclusionDataSetKey ; +:AdminDisplaySuppressionDataSet a access:DataSet ; + access:hasDataSetKey :AdminDisplaySuppressionDataSetKey ; access:hasRelatedValueSet access-individual:AdminRoleValueSet ; access:hasRelatedValueSet access-individual:IndividualValueSet ; access:hasRelatedValueSet access-individual:DisplayOperationValueSet ; access:hasRelatedValueSet :AdminDisplayValueSet . -:AdminDisplayExclusionDataSetKey a access:DataSetKey ; +:AdminDisplaySuppressionDataSetKey a access:DataSetKey ; access:hasKeyComponent access-individual:IndividualAccessObject ; access:hasKeyComponent access-individual:AdminRoleUri ; - access:hasKeyComponent access-individual:TypeExclusion ; + access:hasKeyComponent access-individual:SuppressionByType ; access:hasKeyComponent access-individual:DisplayOperation . ### Rule -:ExcludeMatchingUri a access:Rule; +:SuppressMatchingUri a access:Rule; access:hasDecision access-individual:Deny ; access:requiresCheck :SubjectRoleCheck ; access:requiresCheck :OperationCheck ; diff --git a/home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_uri.n3 b/home/src/main/resources/rdf/accessControl/firsttime/template_suppress_display_individual_page_by_uri.n3 similarity index 74% rename from home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_uri.n3 rename to home/src/main/resources/rdf/accessControl/firsttime/template_suppress_display_individual_page_by_uri.n3 index 93eaa77ea1..3ebca99dcb 100644 --- a/home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_uri.n3 +++ b/home/src/main/resources/rdf/accessControl/firsttime/template_suppress_display_individual_page_by_uri.n3 
@@ -3,36 +3,36 @@ @prefix auth: . @prefix access-individual: . @prefix access: . -@prefix : . +@prefix : . :PolicyTemplate a access:PolicyTemplate ; access:priority 2000 ; - access:hasRule :ExcludeMatchingUri ; - access:hasDataSet :PublicDisplayExclusionDataSet ; - access:hasDataSet :SelfEditorDisplayExclusionDataSet ; - access:hasDataSet :EditorDisplayExclusionDataSet ; - access:hasDataSet :CuratorDisplayExclusionDataSet ; - access:hasDataSet :AdminDisplayExclusionDataSet ; - access:hasDataSetTemplate :RoleDisplayExclusionDataSetTemplate ; + access:hasRule :SuppressMatchingUri ; + access:hasDataSet :PublicDisplaySuppressionDataSet ; + access:hasDataSet :SelfEditorDisplaySuppressionDataSet ; + access:hasDataSet :EditorDisplaySuppressionDataSet ; + access:hasDataSet :CuratorDisplaySuppressionDataSet ; + access:hasDataSet :AdminDisplaySuppressionDataSet ; + access:hasDataSetTemplate :RoleDisplaySuppressionDataSetTemplate ; . #Role Display data set template -:RoleDisplayExclusionDataSetTemplate a access:DataSetTemplate ; - access:hasDataSetTemplateKey :RoleDisplayExclusionDataSetTemplateKey ; - access:hasDataSetKeyTemplate :RoleDisplayExclusionDataSetKeyTemplate ; +:RoleDisplaySuppressionDataSetTemplate a access:DataSetTemplate ; + access:hasDataSetTemplateKey :RoleDisplaySuppressionDataSetTemplateKey ; + access:hasDataSetKeyTemplate :RoleDisplaySuppressionDataSetKeyTemplate ; access:hasRelatedValueSet access-individual:IndividualValueSet ; access:hasRelatedValueSet access-individual:DisplayOperationValueSet ; access:dataSetValueTemplate :RoleDisplayRoleValueSetTemplate ; access:dataSetValueTemplate :RoleDisplayValueSetTemplate . -:RoleDisplayExclusionDataSetTemplateKey a access:DataSetTemplateKey ; +:RoleDisplaySuppressionDataSetTemplateKey a access:DataSetTemplateKey ; access:hasTemplateKeyComponent access-individual:SubjectRole . 
-:RoleDisplayExclusionDataSetKeyTemplate a access:DataSetKeyTemplate ; +:RoleDisplaySuppressionDataSetKeyTemplate a access:DataSetKeyTemplate ; access:hasKeyComponent access-individual:IndividualAccessObject ; access:hasKeyComponent access-individual:DisplayOperation ; - access:hasKeyComponent access-individual:UriExclusion ; + access:hasKeyComponent access-individual:SuppressionByUri ; access:hasKeyComponentTemplate access-individual:SubjectRole . :RoleDisplayRoleValueSetTemplate a access:ValueSetTemplate ; 
@@ -46,82 +46,82 @@ ### Public display uri data sets -:PublicDisplayExclusionDataSet a access:DataSet ; - access:hasDataSetKey :PublicDisplayExclusionDataSetKey ; +:PublicDisplaySuppressionDataSet a access:DataSet ; + access:hasDataSetKey :PublicDisplaySuppressionDataSetKey ; access:hasRelatedValueSet access-individual:PublicRoleValueSet ; access:hasRelatedValueSet access-individual:IndividualValueSet ; access:hasRelatedValueSet access-individual:DisplayOperationValueSet ; access:hasRelatedValueSet :PublicDisplayValueSet . -:PublicDisplayExclusionDataSetKey a access:DataSetKey ; +:PublicDisplaySuppressionDataSetKey a access:DataSetKey ; access:hasKeyComponent access-individual:IndividualAccessObject ; access:hasKeyComponent access-individual:PublicRoleUri ; - access:hasKeyComponent access-individual:UriExclusion ; + access:hasKeyComponent access-individual:SuppressionByUri ; access:hasKeyComponent access-individual:DisplayOperation . ### SelfEditor display uri data sets -:SelfEditorDisplayExclusionDataSet a access:DataSet ; - access:hasDataSetKey :SelfEditorDisplayExclusionDataSetKey ; +:SelfEditorDisplaySuppressionDataSet a access:DataSet ; + access:hasDataSetKey :SelfEditorDisplaySuppressionDataSetKey ; access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ; access:hasRelatedValueSet access-individual:IndividualValueSet ; access:hasRelatedValueSet access-individual:DisplayOperationValueSet ; access:hasRelatedValueSet :SelfEditorDisplayValueSet . -:SelfEditorDisplayExclusionDataSetKey a access:DataSetKey ; +:SelfEditorDisplaySuppressionDataSetKey a access:DataSetKey ; access:hasKeyComponent access-individual:IndividualAccessObject ; access:hasKeyComponent access-individual:SelfEditorRoleUri ; - access:hasKeyComponent access-individual:UriExclusion ; + access:hasKeyComponent access-individual:SuppressionByUri ; access:hasKeyComponent access-individual:DisplayOperation . 
### Editor display uri data sets -:EditorDisplayExclusionDataSet a access:DataSet ; - access:hasDataSetKey :EditorDisplayExclusionDataSetKey ; +:EditorDisplaySuppressionDataSet a access:DataSet ; + access:hasDataSetKey :EditorDisplaySuppressionDataSetKey ; access:hasRelatedValueSet access-individual:EditorRoleValueSet ; access:hasRelatedValueSet access-individual:IndividualValueSet ; access:hasRelatedValueSet access-individual:DisplayOperationValueSet ; access:hasRelatedValueSet :EditorDisplayValueSet . -:EditorDisplayExclusionDataSetKey a access:DataSetKey ; +:EditorDisplaySuppressionDataSetKey a access:DataSetKey ; access:hasKeyComponent access-individual:IndividualAccessObject ; access:hasKeyComponent access-individual:EditorRoleUri ; - access:hasKeyComponent access-individual:UriExclusion ; + access:hasKeyComponent access-individual:SuppressionByUri ; access:hasKeyComponent access-individual:DisplayOperation . ### Curator display uri data sets -:CuratorDisplayExclusionDataSet a access:DataSet ; - access:hasDataSetKey :CuratorDisplayExclusionDataSetKey ; +:CuratorDisplaySuppressionDataSet a access:DataSet ; + access:hasDataSetKey :CuratorDisplaySuppressionDataSetKey ; access:hasRelatedValueSet access-individual:CuratorRoleValueSet ; access:hasRelatedValueSet access-individual:IndividualValueSet ; access:hasRelatedValueSet access-individual:DisplayOperationValueSet ; access:hasRelatedValueSet :CuratorDisplayValueSet . -:CuratorDisplayExclusionDataSetKey a access:DataSetKey ; +:CuratorDisplaySuppressionDataSetKey a access:DataSetKey ; access:hasKeyComponent access-individual:IndividualAccessObject ; access:hasKeyComponent access-individual:CuratorRoleUri ; - access:hasKeyComponent access-individual:UriExclusion ; + access:hasKeyComponent access-individual:SuppressionByUri ; access:hasKeyComponent access-individual:DisplayOperation . 
### Admin display uri data sets -:AdminDisplayExclusionDataSet a access:DataSet ; - access:hasDataSetKey :AdminDisplayExclusionDataSetKey ; +:AdminDisplaySuppressionDataSet a access:DataSet ; + access:hasDataSetKey :AdminDisplaySuppressionDataSetKey ; access:hasRelatedValueSet access-individual:AdminRoleValueSet ; access:hasRelatedValueSet access-individual:IndividualValueSet ; access:hasRelatedValueSet access-individual:DisplayOperationValueSet ; access:hasRelatedValueSet :AdminDisplayValueSet . -:AdminDisplayExclusionDataSetKey a access:DataSetKey ; +:AdminDisplaySuppressionDataSetKey a access:DataSetKey ; access:hasKeyComponent access-individual:IndividualAccessObject ; access:hasKeyComponent access-individual:AdminRoleUri ; - access:hasKeyComponent access-individual:UriExclusion ; + access:hasKeyComponent access-individual:SuppressionByUri ; access:hasKeyComponent access-individual:DisplayOperation . ### Rule -:ExcludeMatchingUri a access:Rule; +:SuppressMatchingUri a access:Rule; access:hasDecision access-individual:Deny ; access:requiresCheck :SubjectRoleCheck ; access:requiresCheck :OperationCheck ; diff --git a/home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_type_not_related.n3 b/home/src/main/resources/rdf/accessControl/firsttime/template_suppress_display_not_related_individual_page_by_type.n3 similarity index 86% rename from home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_type_not_related.n3 rename to home/src/main/resources/rdf/accessControl/firsttime/template_suppress_display_not_related_individual_page_by_type.n3 index 44990aa2fa..9b9e491940 100644 --- a/home/src/main/resources/rdf/accessControl/firsttime/template_exclude_display_individual_page_type_not_related.n3 +++ b/home/src/main/resources/rdf/accessControl/firsttime/template_suppress_display_not_related_individual_page_by_type.n3 
@@ -3,33 +3,33 @@ @prefix auth: . @prefix access-individual: . @prefix access: . -@prefix : . +@prefix : . :PolicyTemplate a access:PolicyTemplate ; access:priority 1500 ; - access:hasRule :ExcludeMatchingUri ; - access:hasDataSet :SelfEditorDisplayExclusionDataSet ; + access:hasRule :SuppressMatchingUri ; + access:hasDataSet :SelfEditorDisplaySuppressionDataSet ; . ### SelfEditor display uri data sets -:SelfEditorDisplayExclusionDataSet a access:DataSet ; - access:hasDataSetKey :SelfEditorDisplayExclusionDataSetKey ; +:SelfEditorDisplaySuppressionDataSet a access:DataSet ; + access:hasDataSetKey :SelfEditorDisplaySuppressionDataSetKey ; access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ; access:hasRelatedValueSet access-individual:IndividualValueSet ; access:hasRelatedValueSet access-individual:DisplayOperationValueSet ; access:hasRelatedValueSet :SelfEditorDisplayValueSet . -:SelfEditorDisplayExclusionDataSetKey a access:DataSetKey ; +:SelfEditorDisplaySuppressionDataSetKey a access:DataSetKey ; access:hasKeyComponent access-individual:IndividualAccessObject ; access:hasKeyComponent access-individual:SelfEditorRoleUri ; - access:hasKeyComponent access-individual:TypeExclusion ; + access:hasKeyComponent access-individual:SuppressionByType ; access:hasKeyComponent access-individual:NotRelated ; access:hasKeyComponent access-individual:DisplayOperation . ### Rule -:ExcludeMatchingUri a access:Rule; +:SuppressMatchingUri a access:Rule; access:hasDecision access-individual:Deny ; access:requiresCheck :SubjectRoleCheck ; access:requiresCheck :OperationCheck ; 
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/template_hide_not_related_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/template_suppress_display_not_related_property_by_uri.n3 similarity index 62% rename from home/src/main/resources/rdf/accessControl/firsttime/template_hide_not_related_property.n3 rename to home/src/main/resources/rdf/accessControl/firsttime/template_suppress_display_not_related_property_by_uri.n3 index 90bbdcad19..8dfe664bce 100644 --- a/home/src/main/resources/rdf/accessControl/firsttime/template_hide_not_related_property.n3 +++ b/home/src/main/resources/rdf/accessControl/firsttime/template_suppress_display_not_related_property_by_uri.n3 
@@ -2,94 +2,94 @@ @prefix access-individual: . @prefix access: . -@prefix : . +@prefix : . :PolicyTemplate a access:PolicyTemplate ; access:priority 5000 ; - access:hasRule :HidePropertyStatementWithBlacklistedProperty ; - access:hasDataSet :SelfEditorHideNotRelatedObjectPropertyDataSet ; - access:hasDataSet :SelfEditorHideNotRelatedDataPropertyDataSet ; - access:hasDataSet :SelfEditorHideNotRelatedFauxObjectPropertyDataSet ; - access:hasDataSet :SelfEditorHideNotRelatedFauxDataPropertyDataSet ; + access:hasRule :SuppressDisplayPropertyStatementWithBlacklistedProperty ; + access:hasDataSet :SelfEditorObjectPropertyDataSet ; + access:hasDataSet :SelfEditorDataPropertyDataSet ; + access:hasDataSet :SelfEditorFauxObjectPropertyDataSet ; + access:hasDataSet :SelfEditorFauxDataPropertyDataSet ; . -### Hide not related object property data sets +### Suppress Display not related object property data sets #Object properties -:SelfEditorHideNotRelatedObjectPropertyDataSet a access:DataSet ; - access:hasDataSetKey :SelfEditorHideNotRelatedObjectPropertyDataSetKey ; +:SelfEditorObjectPropertyDataSet a access:DataSet ; + access:hasDataSetKey :SelfEditorObjectPropertyDataSetKey ; access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ; access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ; access:hasRelatedValueSet access-individual:DisplayOperationValueSet ; - access:hasRelatedValueSet :SelfEditorHideNotRelatedObjectPropertyValueSet ; + access:hasRelatedValueSet :SelfEditorObjectPropertyValueSet ; . 
-:SelfEditorHideNotRelatedObjectPropertyDataSetKey a access:DataSetKey ; +:SelfEditorObjectPropertyDataSetKey a access:DataSetKey ; access:hasKeyComponent access-individual:ObjectProperty ; access:hasKeyComponent access-individual:SelfEditorRoleUri ; access:hasKeyComponent access-individual:DisplayOperation ; access:hasKeyComponent access-individual:NotRelated ; - access:hasKeyComponent access-individual:PropertyExclusion ; + access:hasKeyComponent access-individual:SuppressionByUri ; . #Data properties -:SelfEditorHideNotRelatedDataPropertyDataSet a access:DataSet ; - access:hasDataSetKey :SelfEditorHideNotRelatedDataPropertyDataSetKey ; +:SelfEditorDataPropertyDataSet a access:DataSet ; + access:hasDataSetKey :SelfEditorDataPropertyDataSetKey ; access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ; access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ; access:hasRelatedValueSet access-individual:DisplayOperationValueSet ; - access:hasRelatedValueSet :SelfEditorHideNotRelatedDataPropertyValueSet ; + access:hasRelatedValueSet :SelfEditorDataPropertyValueSet ; . -:SelfEditorHideNotRelatedDataPropertyDataSetKey a access:DataSetKey ; +:SelfEditorDataPropertyDataSetKey a access:DataSetKey ; access:hasKeyComponent access-individual:DataProperty ; access:hasKeyComponent access-individual:SelfEditorRoleUri ; access:hasKeyComponent access-individual:DisplayOperation ; access:hasKeyComponent access-individual:NotRelated ; - access:hasKeyComponent access-individual:PropertyExclusion ; + access:hasKeyComponent access-individual:SuppressionByUri ; . 
#Faux object properties -:SelfEditorHideNotRelatedFauxObjectPropertyDataSet a access:DataSet ; - access:hasDataSetKey :SelfEditorHideNotRelatedFauxObjectPropertyDataSetKey ; +:SelfEditorFauxObjectPropertyDataSet a access:DataSet ; + access:hasDataSetKey :SelfEditorFauxObjectPropertyDataSetKey ; access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ; access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ; access:hasRelatedValueSet access-individual:DisplayOperationValueSet ; - access:hasRelatedValueSet :SelfEditorHideNotRelatedFauxObjectPropertyValueSet ; + access:hasRelatedValueSet :SelfEditorFauxObjectPropertyValueSet ; . -:SelfEditorHideNotRelatedFauxObjectPropertyDataSetKey a access:DataSetKey ; +:SelfEditorFauxObjectPropertyDataSetKey a access:DataSetKey ; access:hasKeyComponent access-individual:FauxObjectProperty ; access:hasKeyComponent access-individual:SelfEditorRoleUri ; access:hasKeyComponent access-individual:DisplayOperation ; access:hasKeyComponent access-individual:NotRelated ; - access:hasKeyComponent access-individual:PropertyExclusion ; + access:hasKeyComponent access-individual:SuppressionByUri ; . #Faux data properties -:SelfEditorHideNotRelatedFauxDataPropertyDataSet a access:DataSet ; - access:hasDataSetKey :SelfEditorHideNotRelatedFauxDataPropertyDataSetKey ; +:SelfEditorFauxDataPropertyDataSet a access:DataSet ; + access:hasDataSetKey :SelfEditorFauxDataPropertyDataSetKey ; access:hasRelatedValueSet access-individual:SelfEditorRoleValueSet ; access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ; access:hasRelatedValueSet access-individual:DisplayOperationValueSet ; - access:hasRelatedValueSet :SelfEditorHideNotRelatedFauxDataPropertyValueSet ; + access:hasRelatedValueSet :SelfEditorFauxDataPropertyValueSet ; . 
-:SelfEditorHideNotRelatedFauxDataPropertyDataSetKey a access:DataSetKey ; +:SelfEditorFauxDataPropertyDataSetKey a access:DataSetKey ; access:hasKeyComponent access-individual:FauxDataProperty ; access:hasKeyComponent access-individual:SelfEditorRoleUri ; access:hasKeyComponent access-individual:DisplayOperation ; access:hasKeyComponent access-individual:NotRelated ; - access:hasKeyComponent access-individual:PropertyExclusion ; + access:hasKeyComponent access-individual:SuppressionByUri ; . #Rule -:HidePropertyStatementWithBlacklistedProperty a access:Rule; +:SuppressDisplayPropertyStatementWithBlacklistedProperty a access:Rule; access:hasDecision access-individual:Deny ; access:requiresCheck :SubjectRoleCheck ; access:requiresCheck :OperationCheck ; 
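Review bot: The renamed data sets, keys and value sets in this hunk (`:SelfEditorObjectPropertyDataSet`, `:SelfEditorDataPropertyValueSet` and the faux variants) no longer say that they are scoped to not-related individuals, although each key still carries `access-individual:NotRelated` and the rule decision is `Deny`. The new `:` prefix may disambiguate them inside this file (its IRI is not visible here), but someone reading only the local name could take the value set for a general self-editor property list and add URIs expecting a different scope. Keeping the qualifier, e.g. `:SelfEditorNotRelatedObjectPropertyDataSet`, would make the scope explicit. So would a comment above the data sets, such as `# Properties listed here are suppressed for self-editors on individuals they are not related to`, if that is the intended scope. The rule name also still says `Blacklisted` while the rest of the commit moves to `Suppress…` wording, and the same value-set names recur in the `@@ -130,35 +130,35 @@` hunk.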
@@ -130,35 +130,35 @@ :StatementPredicateCheck a access:Check ; access:useOperator access-individual:OneOf ; access:hasTypeToCheck access-individual:StatementPredicateUri ; - access:values :SelfEditorHideNotRelatedObjectPropertyValueSet ; - access:values :SelfEditorHideNotRelatedDataPropertyValueSet ; - access:values :SelfEditorHideNotRelatedFauxObjectPropertyValueSet ; - access:values :SelfEditorHideNotRelatedFauxDataPropertyValueSet ; + access:values :SelfEditorObjectPropertyValueSet ; + access:values :SelfEditorDataPropertyValueSet ; + access:values :SelfEditorFauxObjectPropertyValueSet ; + access:values :SelfEditorFauxDataPropertyValueSet ; . :AccessObjectUriCheck a access:Check ; access:useOperator access-individual:OneOf ; access:hasTypeToCheck access-individual:AccessObjectUri ; - access:values :SelfEditorHideNotRelatedObjectPropertyValueSet ; - access:values :SelfEditorHideNotRelatedDataPropertyValueSet ; - access:values :SelfEditorHideNotRelatedFauxObjectPropertyValueSet ; - access:values :SelfEditorHideNotRelatedFauxDataPropertyValueSet ; + access:values :SelfEditorObjectPropertyValueSet ; + access:values :SelfEditorDataPropertyValueSet ; + access:values :SelfEditorFauxObjectPropertyValueSet ; + access:values :SelfEditorFauxDataPropertyValueSet ; . #Value sets -:SelfEditorHideNotRelatedObjectPropertyValueSet a access:ValueSet ; +:SelfEditorObjectPropertyValueSet a access:ValueSet ; access:containsElementsOfType access-individual:ObjectProperty ; . -:SelfEditorHideNotRelatedDataPropertyValueSet a access:ValueSet ; +:SelfEditorDataPropertyValueSet a access:ValueSet ; access:containsElementsOfType access-individual:DataProperty ; . -:SelfEditorHideNotRelatedFauxObjectPropertyValueSet a access:ValueSet ; +:SelfEditorFauxObjectPropertyValueSet a access:ValueSet ; access:containsElementsOfType access-individual:FauxObjectProperty ; . 
-:SelfEditorHideNotRelatedFauxDataPropertyValueSet a access:ValueSet ; +:SelfEditorFauxDataPropertyValueSet a access:ValueSet ; access:containsElementsOfType access-individual:FauxDataProperty ; . From 9a2e0fee9f03aa9ecf99970932f699db08406383 Mon Sep 17 00:00:00 2001 From: Georgy Litvinov Date: Tue, 9 Jan 2024 11:56:39 +0100 Subject: [PATCH 25/33] removed not used key component for previous commit --- .../mannlib/vitro/webapp/auth/attributes/NamedKeyComponent.java | 1 - 1 file changed, 1 deletion(-) diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/NamedKeyComponent.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/NamedKeyComponent.java index 2d39cffd46..09a7bc4894 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/NamedKeyComponent.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/NamedKeyComponent.java @@ -3,6 +3,5 @@ public enum NamedKeyComponent { SUPPRESSION_BY_URI, SUPPRESSION_BY_TYPE, - PROPERTY_SUPPRESSION, NOT_RELATED, } From bfb5bdd38c148fd7407681ab8bdbd074be255e4c Mon Sep 17 00:00:00 2001 
From: Georgy Litvinov Date: Fri, 12 Jan 2024 14:46:41 +0100 Subject: [PATCH 26/33] translations for permission related controls --- .../edit/DatapropRetryController.java | 3 +- .../edit/EntityRetryController.java | 2 + .../edit/FauxPropertyRetryController.java | 2 + .../edit/PropertyRetryController.java | 2 + .../edit/VclassRetryController.java | 2 + .../firsttime/vitro_UiLabel.ttl | 49 +++++++++++++++++++ .../firsttime/vitro_UiLabel.ttl | 49 +++++++++++++++++++ .../firsttime/vitro_UiLabel.ttl | 49 +++++++++++++++++++ .../firsttime/vitro_UiLabel.ttl | 49 +++++++++++++++++++ .../firsttime/vitro_UiLabel.ttl | 49 +++++++++++++++++++ .../firsttime/vitro_UiLabel.ttl | 49 +++++++++++++++++++ .../firsttime/vitro_UiLabel.ttl | 49 +++++++++++++++++++ .../firsttime/vitro_UiLabel.ttl | 49 +++++++++++++++++++ .../edit/specific/dataprop_retry.jsp | 4 +- .../templates/edit/specific/entity_retry.jsp | 2 +- .../edit/specific/fauxProperty_retry.jsp | 4 +- .../edit/specific/property_retry.jsp | 4 +- .../templates/edit/specific/vclass_retry.jsp | 6 +-- 18 files changed, 412 insertions(+), 11 deletions(-) diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/DatapropRetryController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/DatapropRetryController.java index e37a2cabfc..ef8bd4c53b 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/DatapropRetryController.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/DatapropRetryController.java @@ -35,6 +35,7 @@ import edu.cornell.mannlib.vitro.webapp.dao.DatatypeDao; import edu.cornell.mannlib.vitro.webapp.dao.OntologyDao; import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory; +import edu.cornell.mannlib.vitro.webapp.i18n.I18n; import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelAccess; 
@@ -182,7 +183,7 @@ public void doPost (HttpServletRequest request, HttpServletResponse response) { request.setAttribute("title","Data Property Editing Form"); request.setAttribute("_action",action); request.setAttribute("unqualifiedClassName","DatatypeProperty"); - + request.setAttribute("i18n", I18n.bundle(vreq)); addAccessAttributes(request, objectForEditing.getURI(), AccessObjectType.DATA_PROPERTY); addNotRelatedPropertySuppressions(request, objectForEditing.getURI(), AccessObjectType.DATA_PROPERTY); setRequestAttributes(request,epo); diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/EntityRetryController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/EntityRetryController.java index 12c96bbb42..9bbcf58e92 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/EntityRetryController.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/EntityRetryController.java @@ -54,6 +54,7 @@ import edu.cornell.mannlib.vitro.webapp.dao.VClassGroupDao; import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory; import edu.cornell.mannlib.vitro.webapp.edit.listener.impl.IndividualDataPropertyStatementProcessor; +import edu.cornell.mannlib.vitro.webapp.i18n.I18n; @WebServlet(name = "EntityRetryController", urlPatterns = {"/entity_retry"} ) public class EntityRetryController extends BaseEditController { @@ -299,6 +300,7 @@ public void doPost (HttpServletRequest request, HttpServletResponse response) { request.setAttribute("_action",action); request.setAttribute("unqualifiedClassName","Individual"); addUriSuppressions(request, individualForEditing.getURI(), AccessObjectType.INDIVIDUAL); + request.setAttribute("i18n", I18n.bundle(vreq)); setRequestAttributes(request,epo); try { 
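Review bot: The added `request.setAttribute("i18n", I18n.bundle(vreq));` in `DatapropRetryController.doPost` is repeated in the EntityRetryController, FauxPropertyRetryController, PropertyRetryController and VclassRetryController hunks of this commit, with the argument varying between `vreq`, `req` and `request`. The retry JSPs changed in the same commit presumably all read this attribute, so a controller that omits the line would render the permission controls without their labels. Setting it once in a shared place, for example inside `setRequestAttributes` if that helper lives in the common base class, would remove the duplication and the inconsistency. In this hunk the new line also takes the place of the separator line before `addAccessAttributes`; keeping a blank line after it would preserve the grouping. `doPost` begins and ends outside the hunk.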
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/FauxPropertyRetryController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/FauxPropertyRetryController.java index bbb36cfc5a..4035ff210a 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/FauxPropertyRetryController.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/FauxPropertyRetryController.java @@ -43,6 +43,7 @@ import edu.cornell.mannlib.vitro.webapp.dao.FauxPropertyDao; import edu.cornell.mannlib.vitro.webapp.dao.ObjectPropertyDao; import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory; +import edu.cornell.mannlib.vitro.webapp.i18n.I18n; import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelAccess; /** @@ -82,6 +83,7 @@ public void doPost(HttpServletRequest req, HttpServletResponse response) { addAccessAttributes(req, populator.beanForEditing.getConfigUri(), aot); addNotRelatedPropertySuppressions(req, populator.beanForEditing.getConfigUri(), aot); + req.setAttribute("i18n", I18n.bundle(req)); setRequestAttributes(req, epo); diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/PropertyRetryController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/PropertyRetryController.java index 7efdb8e394..e09f06da60 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/PropertyRetryController.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/PropertyRetryController.java @@ -34,6 +34,7 @@ import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest; import edu.cornell.mannlib.vitro.webapp.dao.ObjectPropertyDao; import edu.cornell.mannlib.vitro.webapp.dao.OntologyDao; +import edu.cornell.mannlib.vitro.webapp.i18n.I18n; import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelAccess; public class PropertyRetryController extends BaseEditController { 
@@ -182,6 +183,7 @@ public void doPost (HttpServletRequest req, HttpServletResponse response) { request.setAttribute("scripts","/templates/edit/formBasic.js"); request.setAttribute("title","Property Editing Form"); request.setAttribute("_action",action); + request.setAttribute("i18n", I18n.bundle(request)); addAccessAttributes(request, propertyForEditing.getURI(), AccessObjectType.OBJECT_PROPERTY); addNotRelatedPropertySuppressions(request, propertyForEditing.getURI(), AccessObjectType.OBJECT_PROPERTY); diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/VclassRetryController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/VclassRetryController.java index 3c8a9bdb5f..0952bda7a7 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/VclassRetryController.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/VclassRetryController.java @@ -35,6 +35,7 @@ import edu.cornell.mannlib.vitro.webapp.dao.VClassDao; import edu.cornell.mannlib.vitro.webapp.dao.VClassGroupDao; import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory; +import edu.cornell.mannlib.vitro.webapp.i18n.I18n; import edu.cornell.mannlib.vitro.webapp.modelaccess.ModelAccess; @WebServlet(name = "VclassRetryController", urlPatterns = {"/vclass_retry"} ) @@ -161,6 +162,7 @@ public void doPost (HttpServletRequest req, HttpServletResponse response) { request.setAttribute("title","Class Editing Form"); request.setAttribute("_action",action); request.setAttribute("unqualifiedClassName","VClass"); + request.setAttribute("i18n", I18n.bundle(request)); addAccessAttributes(request, vclassForEditing.getURI(), AccessObjectType.CLASS); addTypeSuppressions(request, vclassForEditing.getURI(), AccessObjectType.INDIVIDUAL); 
diff --git a/home/src/main/resources/rdf/i18n/de_DE/interface-i18n/firsttime/vitro_UiLabel.ttl b/home/src/main/resources/rdf/i18n/de_DE/interface-i18n/firsttime/vitro_UiLabel.ttl
index ef00eaac44..7a572e2114 100644
--- a/home/src/main/resources/rdf/i18n/de_DE/interface-i18n/firsttime/vitro_UiLabel.ttl
+++ b/home/src/main/resources/rdf/i18n/de_DE/interface-i18n/firsttime/vitro_UiLabel.ttl
@@ -6309,3 +6309,52 @@ uil-data:captcha_user_sol_invalid.Vitro uil:hasApp "Vitro" ; uil:hasKey "captcha_user_sol_invalid" ; uil:hasPackage "Vitro-languages" . + + uil-data:suppress_operation_for_roles.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Verweigern Sie {0}-Vorgänge für Rollen"@de-DE ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_roles" ; + uil:hasPackage "Vitro-languages" . + +uil-data:operation_permissions_for_this_property.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Erlauben Sie {0}-Vorgänge für diese Eigenschaft"@de-DE ; + uil:hasApp "Vitro" ; + uil:hasKey "operation_permissions_for_this_property" ; + uil:hasPackage "Vitro-languages" . + +uil-data:operation_permissions_for_this_class.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Erlauben Sie {0}-Vorgänge für diese Klasse"@de-DE ; + uil:hasApp "Vitro" ; + uil:hasKey "operation_permissions_for_this_class" ; + uil:hasPackage "Vitro-languages" . + +uil-data:suppress_operation_for_this_property_in_not_related_individuals.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Verhindern Sie {0}-Vorgänge für diese Eigenschaft auf nicht verwandten Objektseiten"@de-DE ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_this_property_in_not_related_individuals" ; + uil:hasPackage "Vitro-languages" . + +uil-data:suppress_operation_for_individuals_of_this_class.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Verweigern Sie {0}-Vorgänge für Objektseiten, die zur bearbeiteten Klasse gehören"@de-DE ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_individuals_of_this_class" ; + uil:hasPackage "Vitro-languages" . 
+ +uil-data:suppress_operation_for_not_related_individuals_of_this_class.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Verhindern Sie {0}-Vorgänge für Seiten mit nicht verwandten Objekten, die zur bearbeiteten Klasse gehören"@de-DE ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_not_related_individuals_of_this_class" ; + uil:hasPackage "Vitro-languages" . + diff --git a/home/src/main/resources/rdf/i18n/en_CA/interface-i18n/firsttime/vitro_UiLabel.ttl b/home/src/main/resources/rdf/i18n/en_CA/interface-i18n/firsttime/vitro_UiLabel.ttl index eacfae4b4c..442ba18b17 100644 --- a/home/src/main/resources/rdf/i18n/en_CA/interface-i18n/firsttime/vitro_UiLabel.ttl +++ b/home/src/main/resources/rdf/i18n/en_CA/interface-i18n/firsttime/vitro_UiLabel.ttl 
@@ -6309,3 +6309,52 @@ uil-data:captcha_user_sol_invalid.Vitro uil:hasApp "Vitro" ; uil:hasKey "captcha_user_sol_invalid" ; uil:hasPackage "Vitro-languages" . + +uil-data:suppress_operation_for_roles.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Suppress {0} for roles "@en-CA ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_roles" ; + uil:hasPackage "Vitro-languages" . + +uil-data:operation_permissions_for_this_property.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "{0} permissions for this property"@en-CA ; + uil:hasApp "Vitro" ; + uil:hasKey "operation_permissions_for_this_property" ; + uil:hasPackage "Vitro-languages" . + +uil-data:operation_permissions_for_this_class.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "{0} permissions for this class"@en-CA ; + uil:hasApp "Vitro" ; + uil:hasKey "operation_permissions_for_this_class" ; + uil:hasPackage "Vitro-languages" . + +uil-data:suppress_operation_for_this_property_in_not_related_individuals.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Suppress {0} for this property in not related individuals"@en-CA ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_this_property_in_not_related_individuals" ; + uil:hasPackage "Vitro-languages" . + +uil-data:suppress_operation_for_individuals_of_this_class.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Suppress {0} for individual pages of this class"@en-CA ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_individuals_of_this_class" ; + uil:hasPackage "Vitro-languages" . 
+ +uil-data:suppress_operation_for_not_related_individuals_of_this_class.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Suppress {0} for not related individual pages of this class"@en-CA ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_not_related_individuals_of_this_class" ; + uil:hasPackage "Vitro-languages" . + diff --git a/home/src/main/resources/rdf/i18n/en_US/interface-i18n/firsttime/vitro_UiLabel.ttl b/home/src/main/resources/rdf/i18n/en_US/interface-i18n/firsttime/vitro_UiLabel.ttl index 157ea5bcb0..29b9c83aa4 100644 --- a/home/src/main/resources/rdf/i18n/en_US/interface-i18n/firsttime/vitro_UiLabel.ttl +++ b/home/src/main/resources/rdf/i18n/en_US/interface-i18n/firsttime/vitro_UiLabel.ttl 
@@ -6309,3 +6309,52 @@ uil-data:captcha_user_sol_invalid.Vitro uil:hasApp "Vitro" ; uil:hasKey "captcha_user_sol_invalid" ; uil:hasPackage "Vitro-languages" . + +uil-data:suppress_operation_for_roles.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Suppress {0} for roles "@en-US ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_roles" ; + uil:hasPackage "Vitro-languages" . + +uil-data:operation_permissions_for_this_property.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "{0} permissions for this property"@en-US ; + uil:hasApp "Vitro" ; + uil:hasKey "operation_permissions_for_this_property" ; + uil:hasPackage "Vitro-languages" . + +uil-data:operation_permissions_for_this_class.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "{0} permissions for this class"@en-US ; + uil:hasApp "Vitro" ; + uil:hasKey "operation_permissions_for_this_class" ; + uil:hasPackage "Vitro-languages" . + +uil-data:suppress_operation_for_this_property_in_not_related_individuals.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Suppress {0} for this property in not related individuals"@en-US ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_this_property_in_not_related_individuals" ; + uil:hasPackage "Vitro-languages" . + +uil-data:suppress_operation_for_individuals_of_this_class.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Suppress {0} for individual pages of this class"@en-US ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_individuals_of_this_class" ; + uil:hasPackage "Vitro-languages" . 
+ +uil-data:suppress_operation_for_not_related_individuals_of_this_class.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Suppress {0} for not related individual pages of this class"@en-US ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_not_related_individuals_of_this_class" ; + uil:hasPackage "Vitro-languages" . + diff --git a/home/src/main/resources/rdf/i18n/es/interface-i18n/firsttime/vitro_UiLabel.ttl b/home/src/main/resources/rdf/i18n/es/interface-i18n/firsttime/vitro_UiLabel.ttl index 3871418990..b67c2f2abc 100644 --- a/home/src/main/resources/rdf/i18n/es/interface-i18n/firsttime/vitro_UiLabel.ttl +++ b/home/src/main/resources/rdf/i18n/es/interface-i18n/firsttime/vitro_UiLabel.ttl 
@@ -6309,3 +6309,52 @@ uil-data:captcha_user_sol_invalid.Vitro uil:hasApp "Vitro" ; uil:hasKey "captcha_user_sol_invalid" ; uil:hasPackage "Vitro-languages" . + +uil-data:suppress_operation_for_roles.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Denegar operaciones {0} para roles"@es ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_roles" ; + uil:hasPackage "Vitro-languages" . + +uil-data:operation_permissions_for_this_property.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Permitir operaciones {0} para esta propiedad"@es ; + uil:hasApp "Vitro" ; + uil:hasKey "operation_permissions_for_this_property" ; + uil:hasPackage "Vitro-languages" . + +uil-data:operation_permissions_for_this_class.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Permitir operaciones {0} para esta clase"@es ; + uil:hasApp "Vitro" ; + uil:hasKey "operation_permissions_for_this_class" ; + uil:hasPackage "Vitro-languages" . + +uil-data:suppress_operation_for_this_property_in_not_related_individuals.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Impedir operaciones {0} para esta propiedad en páginas de objetos no relacionados"@es ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_this_property_in_not_related_individuals" ; + uil:hasPackage "Vitro-languages" . + +uil-data:suppress_operation_for_individuals_of_this_class.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Denegar operaciones {0} para páginas de objetos que pertenecen a la clase editada"@es ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_individuals_of_this_class" ; + uil:hasPackage "Vitro-languages" . 
+ +uil-data:suppress_operation_for_not_related_individuals_of_this_class.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Evitar operaciones {0} para páginas de objetos no relacionados que pertenecen a la clase editada"@es ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_not_related_individuals_of_this_class" ; + uil:hasPackage "Vitro-languages" . + diff --git a/home/src/main/resources/rdf/i18n/fr_CA/interface-i18n/firsttime/vitro_UiLabel.ttl b/home/src/main/resources/rdf/i18n/fr_CA/interface-i18n/firsttime/vitro_UiLabel.ttl index 74a00f2c9c..7cce18c1f5 100644 --- a/home/src/main/resources/rdf/i18n/fr_CA/interface-i18n/firsttime/vitro_UiLabel.ttl +++ b/home/src/main/resources/rdf/i18n/fr_CA/interface-i18n/firsttime/vitro_UiLabel.ttl 
@@ -6309,3 +6309,52 @@ uil-data:captcha_user_sol_invalid.Vitro uil:hasApp "Vitro" ; uil:hasKey "captcha_user_sol_invalid" ; uil:hasPackage "Vitro-languages" . + +uil-data:suppress_operation_for_roles.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Refuser {0} opérations pour les rôles"@fr-CA ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_roles" ; + uil:hasPackage "Vitro-languages" . + +uil-data:operation_permissions_for_this_property.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Autoriser les opérations {0} pour cette propriété"@fr-CA ; + uil:hasApp "Vitro" ; + uil:hasKey "operation_permissions_for_this_property" ; + uil:hasPackage "Vitro-languages" . + +uil-data:operation_permissions_for_this_class.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Autoriser les opérations {0} pour cette classe"@fr-CA ; + uil:hasApp "Vitro" ; + uil:hasKey "operation_permissions_for_this_class" ; + uil:hasPackage "Vitro-languages" . + +uil-data:suppress_operation_for_this_property_in_not_related_individuals.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Empêcher les opérations {0} pour cette propriété sur les pages d'objets sans rapport"@fr-CA ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_this_property_in_not_related_individuals" ; + uil:hasPackage "Vitro-languages" . + +uil-data:suppress_operation_for_individuals_of_this_class.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Refuser les opérations {0} pour les pages d'objet appartenant à la classe modifiée"@fr-CA ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_individuals_of_this_class" ; + uil:hasPackage "Vitro-languages" . 
+ +uil-data:suppress_operation_for_not_related_individuals_of_this_class.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Empêcher les opérations {0} pour les pages d'objets non liés appartenant à la classe modifiée"@fr-CA ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_not_related_individuals_of_this_class" ; + uil:hasPackage "Vitro-languages" . + diff --git a/home/src/main/resources/rdf/i18n/pt_BR/interface-i18n/firsttime/vitro_UiLabel.ttl b/home/src/main/resources/rdf/i18n/pt_BR/interface-i18n/firsttime/vitro_UiLabel.ttl index 4297780456..c2d03bace4 100644 --- a/home/src/main/resources/rdf/i18n/pt_BR/interface-i18n/firsttime/vitro_UiLabel.ttl +++ b/home/src/main/resources/rdf/i18n/pt_BR/interface-i18n/firsttime/vitro_UiLabel.ttl 
@@ -6309,3 +6309,52 @@ uil-data:captcha_user_sol_invalid.Vitro uil:hasApp "Vitro" ; uil:hasKey "captcha_user_sol_invalid" ; uil:hasPackage "Vitro-languages" . + +uil-data:suppress_operation_for_roles.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Negar {0} operações para funções"@pt-BR ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_roles" ; + uil:hasPackage "Vitro-languages" . + +uil-data:operation_permissions_for_this_property.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Permitir {0} operações para esta propriedade"@pt-BR ; + uil:hasApp "Vitro" ; + uil:hasKey "operation_permissions_for_this_property" ; + uil:hasPackage "Vitro-languages" . + +uil-data:operation_permissions_for_this_class.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Permitir {0} operações para esta classe"@pt-BR ; + uil:hasApp "Vitro" ; + uil:hasKey "operation_permissions_for_this_class" ; + uil:hasPackage "Vitro-languages" . + +uil-data:suppress_operation_for_this_property_in_not_related_individuals.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Impedir operações {0} para esta propriedade em páginas de objetos não relacionados"@pt-BR ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_this_property_in_not_related_individuals" ; + uil:hasPackage "Vitro-languages" . + +uil-data:suppress_operation_for_individuals_of_this_class.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Negar operações {0} para páginas de objetos pertencentes à classe editada"@pt-BR ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_individuals_of_this_class" ; + uil:hasPackage "Vitro-languages" . 
+ +uil-data:suppress_operation_for_not_related_individuals_of_this_class.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Impedir operações {0} para páginas de objetos não relacionados pertencentes à classe editada"@pt-BR ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_not_related_individuals_of_this_class" ; + uil:hasPackage "Vitro-languages" . + diff --git a/home/src/main/resources/rdf/i18n/ru_RU/interface-i18n/firsttime/vitro_UiLabel.ttl b/home/src/main/resources/rdf/i18n/ru_RU/interface-i18n/firsttime/vitro_UiLabel.ttl index d091845941..7b96b862a3 100644 --- a/home/src/main/resources/rdf/i18n/ru_RU/interface-i18n/firsttime/vitro_UiLabel.ttl +++ b/home/src/main/resources/rdf/i18n/ru_RU/interface-i18n/firsttime/vitro_UiLabel.ttl 
@@ -6309,3 +6309,52 @@ uil-data:captcha_user_sol_invalid.Vitro uil:hasApp "Vitro" ; uil:hasKey "captcha_user_sol_invalid" ; uil:hasPackage "Vitro-languages" . + +uil-data:suppress_operation_for_roles.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Запрещать операции {0} для ролей"@ru-RU ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_roles" ; + uil:hasPackage "Vitro-languages" . + +uil-data:operation_permissions_for_this_property.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Разрешать операции {0} для данного свойства"@ru-RU ; + uil:hasApp "Vitro" ; + uil:hasKey "operation_permissions_for_this_property" ; + uil:hasPackage "Vitro-languages" . + +uil-data:operation_permissions_for_this_class.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Разрешать операции {0} для данного класса"@ru-RU ; + uil:hasApp "Vitro" ; + uil:hasKey "operation_permissions_for_this_class" ; + uil:hasPackage "Vitro-languages" . + +uil-data:suppress_operation_for_this_property_in_not_related_individuals.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Запрещать операции {0} для данного свойства на страницах не связанных объектов"@ru-RU ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_this_property_in_not_related_individuals" ; + uil:hasPackage "Vitro-languages" . + +uil-data:suppress_operation_for_individuals_of_this_class.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Запрещать операции {0} для страниц объектов, относящихся к редактируемому классу"@ru-RU ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_individuals_of_this_class" ; + uil:hasPackage "Vitro-languages" . 
+ +uil-data:suppress_operation_for_not_related_individuals_of_this_class.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Запрещать операции {0} для страниц не связанных объектов, относящихся к редактируемому классу"@ru-RU ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_not_related_individuals_of_this_class" ; + uil:hasPackage "Vitro-languages" . + diff --git a/home/src/main/resources/rdf/i18n/sr_Latn_RS/interface-i18n/firsttime/vitro_UiLabel.ttl b/home/src/main/resources/rdf/i18n/sr_Latn_RS/interface-i18n/firsttime/vitro_UiLabel.ttl index a900c469f8..98fb70b732 100644 --- a/home/src/main/resources/rdf/i18n/sr_Latn_RS/interface-i18n/firsttime/vitro_UiLabel.ttl +++ b/home/src/main/resources/rdf/i18n/sr_Latn_RS/interface-i18n/firsttime/vitro_UiLabel.ttl 
@@ -6309,3 +6309,52 @@ uil-data:captcha_user_sol_invalid.Vitro uil:hasApp "Vitro" ; uil:hasKey "captcha_user_sol_invalid" ; uil:hasPackage "Vitro-languages" . + +uil-data:suppress_operation_for_roles.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Odbij {0} operacije za uloge"@sr-Latn-RS ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_roles" ; + uil:hasPackage "Vitro-languages" . + +uil-data:operation_permissions_for_this_property.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Dozvoli {0} operacije za ovo svojstvo"@sr-Latn-RS ; + uil:hasApp "Vitro" ; + uil:hasKey "operation_permissions_for_this_property" ; + uil:hasPackage "Vitro-languages" . + +uil-data:operation_permissions_for_this_class.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Dozvoli {0} operacije za ovu klasu"@sr-Latn-RS ; + uil:hasApp "Vitro" ; + uil:hasKey "operation_permissions_for_this_class" ; + uil:hasPackage "Vitro-languages" . + +uil-data:suppress_operation_for_this_property_in_not_related_individuals.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Sprečite {0} operacije za ovo svojstvo na stranicama nepovezanih objekata"@sr-Latn-RS ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_this_property_in_not_related_individuals" ; + uil:hasPackage "Vitro-languages" . + +uil-data:suppress_operation_for_individuals_of_this_class.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Odbij {0} operacije za stranice objekata koje pripadaju uređenoj klasi"@sr-Latn-RS ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_individuals_of_this_class" ; + uil:hasPackage "Vitro-languages" . 
+ +uil-data:suppress_operation_for_not_related_individuals_of_this_class.Vitro + rdf:type owl:NamedIndividual ; + rdf:type uil:UILabel ; + rdfs:label "Sprečavanje {0} operacija za stranice nepovezanih objekata koji pripadaju uređenoj klasi"@sr-Latn-RS ; + uil:hasApp "Vitro" ; + uil:hasKey "suppress_operation_for_not_related_individuals_of_this_class" ; + uil:hasPackage "Vitro-languages" . + diff --git a/webapp/src/main/webapp/templates/edit/specific/dataprop_retry.jsp b/webapp/src/main/webapp/templates/edit/specific/dataprop_retry.jsp index f20146f7a3..3f5a3e69b3 100644 --- a/webapp/src/main/webapp/templates/edit/specific/dataprop_retry.jsp +++ b/webapp/src/main/webapp/templates/edit/specific/dataprop_retry.jsp @@ -133,7 +133,7 @@ - ${entry.key} permissions for this property
+ ${i18n.text('operation_permissions_for_this_property', entry.key)}
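Review bot: The added `${i18n.text('operation_permissions_for_this_property', entry.key)}` writes the label into the page without HTML escaping, because a bare EL expression in JSP template text is emitted as-is; the same holds for every other `${i18n.text(...)}` line added below in these edit templates. The text now comes from the i18n label store instead of a literal in the template, so if labels can be changed at runtime by anyone other than the deployer, markup stored in a label would be rendered on these access-control forms. Unless the labels are meant to carry HTML, escape at the output point, e.g. `${fn:escapeXml(i18n.text('operation_permissions_for_this_property', entry.key))}` or `<c:out value="${i18n.text(...)}"/>`, assuming the matching JSTL taglib is declared in the template. The surrounding markup and taglib directives are not visible in this hunk.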
- Suppress ${entry.key} for this property in not related individuals
+ ${i18n.text('suppress_operation_for_this_property_in_not_related_individuals', entry.key)}
- Suppress ${entry.key} for roles
+ ${i18n.text('suppress_operation_for_roles', entry.key)}
- ${entry.key} permissions for this property
+ ${i18n.text('operation_permissions_for_this_property', entry.key)}
- Suppress ${entry.key} for this property in not related individuals
+ ${i18n.text('suppress_operation_for_this_property_in_not_related_individuals', entry.key)}
- ${entry.key} permissions for this property
+ ${i18n.text('operation_permissions_for_this_property', entry.key)}
- Suppress ${entry.key} for this property in not related individuals
+ ${i18n.text('suppress_operation_for_this_property_in_not_related_individuals', entry.key)}
- ${entry.key} permissions for this property
+ ${i18n.text('operation_permissions_for_this_class', entry.key)}
- Suppress ${entry.key} for individual pages of this class
+ ${i18n.text('suppress_operation_for_individuals_of_this_class', entry.key)}
- Suppress ${entry.key} for not related individual pages of this class
+ ${i18n.text('suppress_operation_for_not_related_individuals_of_this_class', entry.key)}
Date: Fri, 12 Jan 2024 16:20:10 +0100 Subject: [PATCH 27/33] Fixes for English labels --- .../de_DE/interface-i18n/firsttime/vitro_UiLabel.ttl | 8 ++++---- .../en_CA/interface-i18n/firsttime/vitro_UiLabel.ttl | 10 +++++----- .../en_US/interface-i18n/firsttime/vitro_UiLabel.ttl | 10 +++++----- .../i18n/es/interface-i18n/firsttime/vitro_UiLabel.ttl | 8 ++++---- .../fr_CA/interface-i18n/firsttime/vitro_UiLabel.ttl | 8 ++++---- .../pt_BR/interface-i18n/firsttime/vitro_UiLabel.ttl | 8 ++++---- .../ru_RU/interface-i18n/firsttime/vitro_UiLabel.ttl | 8 ++++---- .../interface-i18n/firsttime/vitro_UiLabel.ttl | 8 ++++---- .../webapp/templates/edit/specific/dataprop_retry.jsp | 2 +- .../templates/edit/specific/fauxProperty_retry.jsp | 2 +- .../webapp/templates/edit/specific/property_retry.jsp | 2 +- .../webapp/templates/edit/specific/vclass_retry.jsp | 2 +- 12 files changed, 38 insertions(+), 38 deletions(-) diff --git a/home/src/main/resources/rdf/i18n/de_DE/interface-i18n/firsttime/vitro_UiLabel.ttl b/home/src/main/resources/rdf/i18n/de_DE/interface-i18n/firsttime/vitro_UiLabel.ttl index 7a572e2114..499e5f4212 100644 --- a/home/src/main/resources/rdf/i18n/de_DE/interface-i18n/firsttime/vitro_UiLabel.ttl +++ b/home/src/main/resources/rdf/i18n/de_DE/interface-i18n/firsttime/vitro_UiLabel.ttl 
@@ -6334,12 +6334,12 @@ uil-data:operation_permissions_for_this_class.Vitro uil:hasKey "operation_permissions_for_this_class" ; uil:hasPackage "Vitro-languages" . -uil-data:suppress_operation_for_this_property_in_not_related_individuals.Vitro +uil-data:suppress_operation_for_this_property_in_unrelated_individuals.Vitro rdf:type owl:NamedIndividual ; rdf:type uil:UILabel ; rdfs:label "Verhindern Sie {0}-Vorgänge für diese Eigenschaft auf nicht verwandten Objektseiten"@de-DE ; uil:hasApp "Vitro" ; - uil:hasKey "suppress_operation_for_this_property_in_not_related_individuals" ; + uil:hasKey "suppress_operation_for_this_property_in_unrelated_individuals" ; uil:hasPackage "Vitro-languages" . uil-data:suppress_operation_for_individuals_of_this_class.Vitro @@ -6350,11 +6350,11 @@ uil-data:suppress_operation_for_individuals_of_this_class.Vitro uil:hasKey "suppress_operation_for_individuals_of_this_class" ; uil:hasPackage "Vitro-languages" . -uil-data:suppress_operation_for_not_related_individuals_of_this_class.Vitro +uil-data:suppress_operation_for_unrelated_individuals_of_this_class.Vitro rdf:type owl:NamedIndividual ; rdf:type uil:UILabel ; rdfs:label "Verhindern Sie {0}-Vorgänge für Seiten mit nicht verwandten Objekten, die zur bearbeiteten Klasse gehören"@de-DE ; uil:hasApp "Vitro" ; - uil:hasKey "suppress_operation_for_not_related_individuals_of_this_class" ; + uil:hasKey "suppress_operation_for_unrelated_individuals_of_this_class" ; uil:hasPackage "Vitro-languages" . diff --git a/home/src/main/resources/rdf/i18n/en_CA/interface-i18n/firsttime/vitro_UiLabel.ttl b/home/src/main/resources/rdf/i18n/en_CA/interface-i18n/firsttime/vitro_UiLabel.ttl index 442ba18b17..9889757a53 100644 --- a/home/src/main/resources/rdf/i18n/en_CA/interface-i18n/firsttime/vitro_UiLabel.ttl +++ b/home/src/main/resources/rdf/i18n/en_CA/interface-i18n/firsttime/vitro_UiLabel.ttl 
@@ -6334,12 +6334,12 @@ uil-data:operation_permissions_for_this_class.Vitro uil:hasKey "operation_permissions_for_this_class" ; uil:hasPackage "Vitro-languages" . -uil-data:suppress_operation_for_this_property_in_not_related_individuals.Vitro +uil-data:suppress_operation_for_this_property_in_unrelated_individuals.Vitro rdf:type owl:NamedIndividual ; rdf:type uil:UILabel ; - rdfs:label "Suppress {0} for this property in not related individuals"@en-CA ; + rdfs:label "Suppress {0} for this property in unrelated individuals"@en-CA ; uil:hasApp "Vitro" ; - uil:hasKey "suppress_operation_for_this_property_in_not_related_individuals" ; + uil:hasKey "suppress_operation_for_this_property_in_unrelated_individuals" ; uil:hasPackage "Vitro-languages" . uil-data:suppress_operation_for_individuals_of_this_class.Vitro @@ -6350,11 +6350,11 @@ uil-data:suppress_operation_for_individuals_of_this_class.Vitro uil:hasKey "suppress_operation_for_individuals_of_this_class" ; uil:hasPackage "Vitro-languages" . -uil-data:suppress_operation_for_not_related_individuals_of_this_class.Vitro +uil-data:suppress_operation_for_unrelated_individuals_of_this_class.Vitro rdf:type owl:NamedIndividual ; rdf:type uil:UILabel ; rdfs:label "Suppress {0} for not related individual pages of this class"@en-CA ; uil:hasApp "Vitro" ; - uil:hasKey "suppress_operation_for_not_related_individuals_of_this_class" ; + uil:hasKey "suppress_operation_for_unrelated_individuals_of_this_class" ; uil:hasPackage "Vitro-languages" . diff --git a/home/src/main/resources/rdf/i18n/en_US/interface-i18n/firsttime/vitro_UiLabel.ttl b/home/src/main/resources/rdf/i18n/en_US/interface-i18n/firsttime/vitro_UiLabel.ttl index 29b9c83aa4..f7815323a5 100644 --- a/home/src/main/resources/rdf/i18n/en_US/interface-i18n/firsttime/vitro_UiLabel.ttl +++ b/home/src/main/resources/rdf/i18n/en_US/interface-i18n/firsttime/vitro_UiLabel.ttl 
@@ -6334,12 +6334,12 @@ uil-data:operation_permissions_for_this_class.Vitro uil:hasKey "operation_permissions_for_this_class" ; uil:hasPackage "Vitro-languages" . -uil-data:suppress_operation_for_this_property_in_not_related_individuals.Vitro +uil-data:suppress_operation_for_this_property_in_unrelated_individuals.Vitro rdf:type owl:NamedIndividual ; rdf:type uil:UILabel ; - rdfs:label "Suppress {0} for this property in not related individuals"@en-US ; + rdfs:label "Suppress {0} for this property in unrelated individuals"@en-US ; uil:hasApp "Vitro" ; - uil:hasKey "suppress_operation_for_this_property_in_not_related_individuals" ; + uil:hasKey "suppress_operation_for_this_property_in_unrelated_individuals" ; uil:hasPackage "Vitro-languages" . uil-data:suppress_operation_for_individuals_of_this_class.Vitro @@ -6350,11 +6350,11 @@ uil-data:suppress_operation_for_individuals_of_this_class.Vitro uil:hasKey "suppress_operation_for_individuals_of_this_class" ; uil:hasPackage "Vitro-languages" . -uil-data:suppress_operation_for_not_related_individuals_of_this_class.Vitro +uil-data:suppress_operation_for_unrelated_individuals_of_this_class.Vitro rdf:type owl:NamedIndividual ; rdf:type uil:UILabel ; rdfs:label "Suppress {0} for not related individual pages of this class"@en-US ; uil:hasApp "Vitro" ; - uil:hasKey "suppress_operation_for_not_related_individuals_of_this_class" ; + uil:hasKey "suppress_operation_for_unrelated_individuals_of_this_class" ; uil:hasPackage "Vitro-languages" . diff --git a/home/src/main/resources/rdf/i18n/es/interface-i18n/firsttime/vitro_UiLabel.ttl b/home/src/main/resources/rdf/i18n/es/interface-i18n/firsttime/vitro_UiLabel.ttl index b67c2f2abc..dabf22813b 100644 --- a/home/src/main/resources/rdf/i18n/es/interface-i18n/firsttime/vitro_UiLabel.ttl +++ b/home/src/main/resources/rdf/i18n/es/interface-i18n/firsttime/vitro_UiLabel.ttl 
@@ -6334,12 +6334,12 @@ uil-data:operation_permissions_for_this_class.Vitro uil:hasKey "operation_permissions_for_this_class" ; uil:hasPackage "Vitro-languages" . -uil-data:suppress_operation_for_this_property_in_not_related_individuals.Vitro +uil-data:suppress_operation_for_this_property_in_unrelated_individuals.Vitro rdf:type owl:NamedIndividual ; rdf:type uil:UILabel ; rdfs:label "Impedir operaciones {0} para esta propiedad en páginas de objetos no relacionados"@es ; uil:hasApp "Vitro" ; - uil:hasKey "suppress_operation_for_this_property_in_not_related_individuals" ; + uil:hasKey "suppress_operation_for_this_property_in_unrelated_individuals" ; uil:hasPackage "Vitro-languages" . uil-data:suppress_operation_for_individuals_of_this_class.Vitro @@ -6350,11 +6350,11 @@ uil-data:suppress_operation_for_individuals_of_this_class.Vitro uil:hasKey "suppress_operation_for_individuals_of_this_class" ; uil:hasPackage "Vitro-languages" . -uil-data:suppress_operation_for_not_related_individuals_of_this_class.Vitro +uil-data:suppress_operation_for_unrelated_individuals_of_this_class.Vitro rdf:type owl:NamedIndividual ; rdf:type uil:UILabel ; rdfs:label "Evitar operaciones {0} para páginas de objetos no relacionados que pertenecen a la clase editada"@es ; uil:hasApp "Vitro" ; - uil:hasKey "suppress_operation_for_not_related_individuals_of_this_class" ; + uil:hasKey "suppress_operation_for_unrelated_individuals_of_this_class" ; uil:hasPackage "Vitro-languages" . diff --git a/home/src/main/resources/rdf/i18n/fr_CA/interface-i18n/firsttime/vitro_UiLabel.ttl b/home/src/main/resources/rdf/i18n/fr_CA/interface-i18n/firsttime/vitro_UiLabel.ttl index 7cce18c1f5..b293b11aec 100644 --- a/home/src/main/resources/rdf/i18n/fr_CA/interface-i18n/firsttime/vitro_UiLabel.ttl +++ b/home/src/main/resources/rdf/i18n/fr_CA/interface-i18n/firsttime/vitro_UiLabel.ttl 
@@ -6334,12 +6334,12 @@ uil-data:operation_permissions_for_this_class.Vitro uil:hasKey "operation_permissions_for_this_class" ; uil:hasPackage "Vitro-languages" . -uil-data:suppress_operation_for_this_property_in_not_related_individuals.Vitro +uil-data:suppress_operation_for_this_property_in_unrelated_individuals.Vitro rdf:type owl:NamedIndividual ; rdf:type uil:UILabel ; rdfs:label "Empêcher les opérations {0} pour cette propriété sur les pages d'objets sans rapport"@fr-CA ; uil:hasApp "Vitro" ; - uil:hasKey "suppress_operation_for_this_property_in_not_related_individuals" ; + uil:hasKey "suppress_operation_for_this_property_in_unrelated_individuals" ; uil:hasPackage "Vitro-languages" . uil-data:suppress_operation_for_individuals_of_this_class.Vitro @@ -6350,11 +6350,11 @@ uil-data:suppress_operation_for_individuals_of_this_class.Vitro uil:hasKey "suppress_operation_for_individuals_of_this_class" ; uil:hasPackage "Vitro-languages" . -uil-data:suppress_operation_for_not_related_individuals_of_this_class.Vitro +uil-data:suppress_operation_for_unrelated_individuals_of_this_class.Vitro rdf:type owl:NamedIndividual ; rdf:type uil:UILabel ; rdfs:label "Empêcher les opérations {0} pour les pages d'objets non liés appartenant à la classe modifiée"@fr-CA ; uil:hasApp "Vitro" ; - uil:hasKey "suppress_operation_for_not_related_individuals_of_this_class" ; + uil:hasKey "suppress_operation_for_unrelated_individuals_of_this_class" ; uil:hasPackage "Vitro-languages" . diff --git a/home/src/main/resources/rdf/i18n/pt_BR/interface-i18n/firsttime/vitro_UiLabel.ttl b/home/src/main/resources/rdf/i18n/pt_BR/interface-i18n/firsttime/vitro_UiLabel.ttl index c2d03bace4..1170a3880d 100644 --- a/home/src/main/resources/rdf/i18n/pt_BR/interface-i18n/firsttime/vitro_UiLabel.ttl +++ b/home/src/main/resources/rdf/i18n/pt_BR/interface-i18n/firsttime/vitro_UiLabel.ttl 
@@ -6334,12 +6334,12 @@ uil-data:operation_permissions_for_this_class.Vitro uil:hasKey "operation_permissions_for_this_class" ; uil:hasPackage "Vitro-languages" . -uil-data:suppress_operation_for_this_property_in_not_related_individuals.Vitro +uil-data:suppress_operation_for_this_property_in_unrelated_individuals.Vitro rdf:type owl:NamedIndividual ; rdf:type uil:UILabel ; rdfs:label "Impedir operações {0} para esta propriedade em páginas de objetos não relacionados"@pt-BR ; uil:hasApp "Vitro" ; - uil:hasKey "suppress_operation_for_this_property_in_not_related_individuals" ; + uil:hasKey "suppress_operation_for_this_property_in_unrelated_individuals" ; uil:hasPackage "Vitro-languages" . uil-data:suppress_operation_for_individuals_of_this_class.Vitro @@ -6350,11 +6350,11 @@ uil-data:suppress_operation_for_individuals_of_this_class.Vitro uil:hasKey "suppress_operation_for_individuals_of_this_class" ; uil:hasPackage "Vitro-languages" . -uil-data:suppress_operation_for_not_related_individuals_of_this_class.Vitro +uil-data:suppress_operation_for_unrelated_individuals_of_this_class.Vitro rdf:type owl:NamedIndividual ; rdf:type uil:UILabel ; rdfs:label "Impedir operações {0} para páginas de objetos não relacionados pertencentes à classe editada"@pt-BR ; uil:hasApp "Vitro" ; - uil:hasKey "suppress_operation_for_not_related_individuals_of_this_class" ; + uil:hasKey "suppress_operation_for_unrelated_individuals_of_this_class" ; uil:hasPackage "Vitro-languages" . diff --git a/home/src/main/resources/rdf/i18n/ru_RU/interface-i18n/firsttime/vitro_UiLabel.ttl b/home/src/main/resources/rdf/i18n/ru_RU/interface-i18n/firsttime/vitro_UiLabel.ttl index 7b96b862a3..582dfe544e 100644 --- a/home/src/main/resources/rdf/i18n/ru_RU/interface-i18n/firsttime/vitro_UiLabel.ttl +++ b/home/src/main/resources/rdf/i18n/ru_RU/interface-i18n/firsttime/vitro_UiLabel.ttl 
@@ -6334,12 +6334,12 @@ uil-data:operation_permissions_for_this_class.Vitro uil:hasKey "operation_permissions_for_this_class" ; uil:hasPackage "Vitro-languages" . -uil-data:suppress_operation_for_this_property_in_not_related_individuals.Vitro +uil-data:suppress_operation_for_this_property_in_unrelated_individuals.Vitro rdf:type owl:NamedIndividual ; rdf:type uil:UILabel ; rdfs:label "Запрещать операции {0} для данного свойства на страницах не связанных объектов"@ru-RU ; uil:hasApp "Vitro" ; - uil:hasKey "suppress_operation_for_this_property_in_not_related_individuals" ; + uil:hasKey "suppress_operation_for_this_property_in_unrelated_individuals" ; uil:hasPackage "Vitro-languages" . uil-data:suppress_operation_for_individuals_of_this_class.Vitro @@ -6350,11 +6350,11 @@ uil-data:suppress_operation_for_individuals_of_this_class.Vitro uil:hasKey "suppress_operation_for_individuals_of_this_class" ; uil:hasPackage "Vitro-languages" . -uil-data:suppress_operation_for_not_related_individuals_of_this_class.Vitro +uil-data:suppress_operation_for_unrelated_individuals_of_this_class.Vitro rdf:type owl:NamedIndividual ; rdf:type uil:UILabel ; rdfs:label "Запрещать операции {0} для страниц не связанных объектов, относящихся к редактируемому классу"@ru-RU ; uil:hasApp "Vitro" ; - uil:hasKey "suppress_operation_for_not_related_individuals_of_this_class" ; + uil:hasKey "suppress_operation_for_unrelated_individuals_of_this_class" ; uil:hasPackage "Vitro-languages" . diff --git a/home/src/main/resources/rdf/i18n/sr_Latn_RS/interface-i18n/firsttime/vitro_UiLabel.ttl b/home/src/main/resources/rdf/i18n/sr_Latn_RS/interface-i18n/firsttime/vitro_UiLabel.ttl index 98fb70b732..141979497e 100644 --- a/home/src/main/resources/rdf/i18n/sr_Latn_RS/interface-i18n/firsttime/vitro_UiLabel.ttl +++ b/home/src/main/resources/rdf/i18n/sr_Latn_RS/interface-i18n/firsttime/vitro_UiLabel.ttl 
@@ -6334,12 +6334,12 @@ uil-data:operation_permissions_for_this_class.Vitro uil:hasKey "operation_permissions_for_this_class" ; uil:hasPackage "Vitro-languages" . -uil-data:suppress_operation_for_this_property_in_not_related_individuals.Vitro +uil-data:suppress_operation_for_this_property_in_unrelated_individuals.Vitro rdf:type owl:NamedIndividual ; rdf:type uil:UILabel ; rdfs:label "Sprečite {0} operacije za ovo svojstvo na stranicama nepovezanih objekata"@sr-Latn-RS ; uil:hasApp "Vitro" ; - uil:hasKey "suppress_operation_for_this_property_in_not_related_individuals" ; + uil:hasKey "suppress_operation_for_this_property_in_unrelated_individuals" ; uil:hasPackage "Vitro-languages" . uil-data:suppress_operation_for_individuals_of_this_class.Vitro @@ -6350,11 +6350,11 @@ uil-data:suppress_operation_for_individuals_of_this_class.Vitro uil:hasKey "suppress_operation_for_individuals_of_this_class" ; uil:hasPackage "Vitro-languages" . -uil-data:suppress_operation_for_not_related_individuals_of_this_class.Vitro +uil-data:suppress_operation_for_unrelated_individuals_of_this_class.Vitro rdf:type owl:NamedIndividual ; rdf:type uil:UILabel ; rdfs:label "Sprečavanje {0} operacija za stranice nepovezanih objekata koji pripadaju uređenoj klasi"@sr-Latn-RS ; uil:hasApp "Vitro" ; - uil:hasKey "suppress_operation_for_not_related_individuals_of_this_class" ; + uil:hasKey "suppress_operation_for_unrelated_individuals_of_this_class" ; uil:hasPackage "Vitro-languages" . diff --git a/webapp/src/main/webapp/templates/edit/specific/dataprop_retry.jsp b/webapp/src/main/webapp/templates/edit/specific/dataprop_retry.jsp index 3f5a3e69b3..4a74425b76 100644 --- a/webapp/src/main/webapp/templates/edit/specific/dataprop_retry.jsp +++ b/webapp/src/main/webapp/templates/edit/specific/dataprop_retry.jsp @@ -155,7 +155,7 @@ - ${i18n.text('suppress_operation_for_this_property_in_not_related_individuals', entry.key)}
+ ${i18n.text('suppress_operation_for_this_property_in_unrelated_individuals', entry.key)}
- ${i18n.text('suppress_operation_for_this_property_in_not_related_individuals', entry.key)}
+ ${i18n.text('suppress_operation_for_this_property_in_unrelated_individuals', entry.key)}
- ${i18n.text('suppress_operation_for_this_property_in_not_related_individuals', entry.key)}
+ ${i18n.text('suppress_operation_for_this_property_in_unrelated_individuals', entry.key)}
- ${i18n.text('suppress_operation_for_not_related_individuals_of_this_class', entry.key)}
+ ${i18n.text('suppress_operation_for_unrelated_individuals_of_this_class', entry.key)}
Date: Mon, 15 Jan 2024 09:27:17 +0100 Subject: [PATCH 28/33] German label improvements --- .../de_DE/interface-i18n/firsttime/vitro_UiLabel.ttl | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/home/src/main/resources/rdf/i18n/de_DE/interface-i18n/firsttime/vitro_UiLabel.ttl b/home/src/main/resources/rdf/i18n/de_DE/interface-i18n/firsttime/vitro_UiLabel.ttl index 499e5f4212..90a1d39a6d 100644 --- a/home/src/main/resources/rdf/i18n/de_DE/interface-i18n/firsttime/vitro_UiLabel.ttl +++ b/home/src/main/resources/rdf/i18n/de_DE/interface-i18n/firsttime/vitro_UiLabel.ttl @@ -6313,7 +6313,7 @@ uil-data:captcha_user_sol_invalid.Vitro uil-data:suppress_operation_for_roles.Vitro rdf:type owl:NamedIndividual ; rdf:type uil:UILabel ; - rdfs:label "Verweigern Sie {0}-Vorgänge für Rollen"@de-DE ; + rdfs:label "{0}-Vorgänge für Rollen verweigern"@de-DE ; uil:hasApp "Vitro" ; uil:hasKey "suppress_operation_for_roles" ; uil:hasPackage "Vitro-languages" . @@ -6321,7 +6321,7 @@ uil-data:captcha_user_sol_invalid.Vitro uil-data:operation_permissions_for_this_property.Vitro rdf:type owl:NamedIndividual ; rdf:type uil:UILabel ; - rdfs:label "Erlauben Sie {0}-Vorgänge für diese Eigenschaft"@de-DE ; + rdfs:label "{0}-Vorgänge für diese Property erlauben"@de-DE ; uil:hasApp "Vitro" ; uil:hasKey "operation_permissions_for_this_property" ; uil:hasPackage "Vitro-languages" . @@ -6329,7 +6329,7 @@ uil-data:operation_permissions_for_this_property.Vitro uil-data:operation_permissions_for_this_class.Vitro rdf:type owl:NamedIndividual ; rdf:type uil:UILabel ; - rdfs:label "Erlauben Sie {0}-Vorgänge für diese Klasse"@de-DE ; + rdfs:label "{0}-Vorgänge für diese Klasse erlauben"@de-DE ; uil:hasApp "Vitro" ; uil:hasKey "operation_permissions_for_this_class" ; uil:hasPackage "Vitro-languages" . 
@@ -6337,7 +6337,7 @@ uil-data:operation_permissions_for_this_class.Vitro uil-data:suppress_operation_for_this_property_in_unrelated_individuals.Vitro rdf:type owl:NamedIndividual ; rdf:type uil:UILabel ; - rdfs:label "Verhindern Sie {0}-Vorgänge für diese Eigenschaft auf nicht verwandten Objektseiten"@de-DE ; + rdfs:label "{0}-Vorgänge für diese Property bei nicht verwandten Instanzen verhindern"@de-DE ; uil:hasApp "Vitro" ; uil:hasKey "suppress_operation_for_this_property_in_unrelated_individuals" ; uil:hasPackage "Vitro-languages" . @@ -6353,7 +6353,7 @@ uil-data:suppress_operation_for_individuals_of_this_class.Vitro uil-data:suppress_operation_for_unrelated_individuals_of_this_class.Vitro rdf:type owl:NamedIndividual ; rdf:type uil:UILabel ; - rdfs:label "Verhindern Sie {0}-Vorgänge für Seiten mit nicht verwandten Objekten, die zur bearbeiteten Klasse gehören"@de-DE ; + rdfs:label "{0}-Vorgänge für Seiten mit nicht verwandten Instanzen, die zur bearbeiteten Klasse gehören, verhindern"@de-DE ; uil:hasApp "Vitro" ; uil:hasKey "suppress_operation_for_unrelated_individuals_of_this_class" ; uil:hasPackage "Vitro-languages" . From f9d876e616f6b39676d88c2b1f335c88c60d4c25 Mon Sep 17 00:00:00 2001 From: Georgy Litvinov Date: Thu, 18 Jan 2024 10:25:56 +0100 Subject: [PATCH 29/33] Apply suggestions from code review Serbian label fixes. Co-authored-by: Dragan Ivanovic --- .../sr_Latn_RS/interface-i18n/firsttime/vitro_UiLabel.ttl | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/home/src/main/resources/rdf/i18n/sr_Latn_RS/interface-i18n/firsttime/vitro_UiLabel.ttl b/home/src/main/resources/rdf/i18n/sr_Latn_RS/interface-i18n/firsttime/vitro_UiLabel.ttl index 141979497e..ee71a9b6d4 100644 --- a/home/src/main/resources/rdf/i18n/sr_Latn_RS/interface-i18n/firsttime/vitro_UiLabel.ttl +++ b/home/src/main/resources/rdf/i18n/sr_Latn_RS/interface-i18n/firsttime/vitro_UiLabel.ttl 
@@ -6313,7 +6313,7 @@ uil-data:captcha_user_sol_invalid.Vitro uil-data:suppress_operation_for_roles.Vitro rdf:type owl:NamedIndividual ; rdf:type uil:UILabel ; - rdfs:label "Odbij {0} operacije za uloge"@sr-Latn-RS ; + rdfs:label "Zabrani {0} operacije za uloge"@sr-Latn-RS ; uil:hasApp "Vitro" ; uil:hasKey "suppress_operation_for_roles" ; uil:hasPackage "Vitro-languages" . @@ -6337,7 +6337,7 @@ uil-data:operation_permissions_for_this_class.Vitro uil-data:suppress_operation_for_this_property_in_unrelated_individuals.Vitro rdf:type owl:NamedIndividual ; rdf:type uil:UILabel ; - rdfs:label "Sprečite {0} operacije za ovo svojstvo na stranicama nepovezanih objekata"@sr-Latn-RS ; + rdfs:label "Zabrani {0} operacije za ovo svojstvo na stranicama nepovezanih objekata"@sr-Latn-RS ; uil:hasApp "Vitro" ; uil:hasKey "suppress_operation_for_this_property_in_unrelated_individuals" ; uil:hasPackage "Vitro-languages" . @@ -6345,7 +6345,7 @@ uil-data:suppress_operation_for_this_property_in_unrelated_individuals.Vitro uil-data:suppress_operation_for_individuals_of_this_class.Vitro rdf:type owl:NamedIndividual ; rdf:type uil:UILabel ; - rdfs:label "Odbij {0} operacije za stranice objekata koje pripadaju uređenoj klasi"@sr-Latn-RS ; + rdfs:label "Zabrani {0} operacije za objekte koje pripadaju ovoj klasi"@sr-Latn-RS ; uil:hasApp "Vitro" ; uil:hasKey "suppress_operation_for_individuals_of_this_class" ; uil:hasPackage "Vitro-languages" . @@ -6353,7 +6353,7 @@ uil-data:suppress_operation_for_individuals_of_this_class.Vitro uil-data:suppress_operation_for_unrelated_individuals_of_this_class.Vitro rdf:type owl:NamedIndividual ; rdf:type uil:UILabel ; - rdfs:label "Sprečavanje {0} operacija za stranice nepovezanih objekata koji pripadaju uređenoj klasi"@sr-Latn-RS ; + rdfs:label "Zabrani {0} operacija za nepovezane objekte koji pripadaju ovoj klasi"@sr-Latn-RS ; uil:hasApp "Vitro" ; uil:hasKey "suppress_operation_for_unrelated_individuals_of_this_class" ; uil:hasPackage "Vitro-languages" . 
From ac59f4457b16acc41dd8ee4e0a76eb809753b954 Mon Sep 17 00:00:00 2001 From: Georgy Litvinov Date: Thu, 18 Jan 2024 10:31:22 +0100 Subject: [PATCH 30/33] refact:renamed test --- ...agePolicy.java => AllowDisplayIndividualPagePolicyTest.java} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/{AllowDisplayIndividualPagePolicy.java => AllowDisplayIndividualPagePolicyTest.java} (96%) diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AllowDisplayIndividualPagePolicy.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AllowDisplayIndividualPagePolicyTest.java similarity index 96% rename from api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AllowDisplayIndividualPagePolicy.java rename to api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AllowDisplayIndividualPagePolicyTest.java index 2d835a99ae..4c30b73fa3 100644 --- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AllowDisplayIndividualPagePolicy.java +++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/AllowDisplayIndividualPagePolicyTest.java @@ -18,7 +18,7 @@ import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.SimpleAuthorizationRequest; import org.junit.Test; -public class AllowDisplayIndividualPagePolicy extends PolicyTest { +public class AllowDisplayIndividualPagePolicyTest extends PolicyTest { public static final String POLICY_PATH = USER_ACCOUNTS_HOME_FIRSTTIME + "policy_allow_display_individual_page.n3"; From b1360a2f962843662624d446d9449f499ad2978d Mon Sep 17 00:00:00 2001 
From: Georgy Litvinov Date: Thu, 18 Jan 2024 11:28:36 +0100 Subject: [PATCH 31/33] Converted parameters to constants --- .../vedit/controller/BaseEditController.java | 20 ++++++++++++++----- .../vedit/controller/OperationController.java | 8 ++++---- .../edit/specific/dataprop_retry.jsp | 2 +- .../templates/edit/specific/entity_retry.jsp | 2 +- .../edit/specific/fauxProperty_retry.jsp | 2 +- .../edit/specific/property_retry.jsp | 2 +- .../templates/edit/specific/vclass_retry.jsp | 4 ++-- 7 files changed, 25 insertions(+), 15 deletions(-) diff --git a/api/src/main/java/edu/cornell/mannlib/vedit/controller/BaseEditController.java b/api/src/main/java/edu/cornell/mannlib/vedit/controller/BaseEditController.java index 43471a3847..93a27e0e97 100644 --- a/api/src/main/java/edu/cornell/mannlib/vedit/controller/BaseEditController.java +++ b/api/src/main/java/edu/cornell/mannlib/vedit/controller/BaseEditController.java @@ -42,6 +42,16 @@ public class BaseEditController extends VitroHttpServlet { + private static final String OPERATIONS_TO_ROLES = "operationsToRoles"; + + public static final String URI_SUPPRESSIONS = "uriSuppressions"; + + public static final String TYPE_SUPPRESSIONS = "typeSuppressions"; + + public static final String TYPE_SUPPRESSIONS_NOT_RELATED = "typeSuppressionsNotRelated"; + + public static final String PROPERTY_SUPPRESSIONS_NOT_RELATED = "propertySuppressionsNotRelated"; + public static final String ENTITY_URI_ATTRIBUTE_NAME = "_permissionsEntityURI"; public static final String ENTITY_TYPE_ATTRIBUTE_NAME = "_permissionsEntityType"; @@ -245,7 +255,7 @@ protected static void addAccessAttributes(HttpServletRequest req, String entityU } getRolePolicyInformation(entityURI, aot, namedKeys, operation, roleInfos); } - req.setAttribute("operationsToRoles", operationsToRoles); + req.setAttribute(OPERATIONS_TO_ROLES, operationsToRoles); } private static void getRolePolicyInformation(String entityURI, AccessObjectType aot, String[] namedKeys, 
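Review bot: The public constants added at the top of `BaseEditController` (`URI_SUPPRESSIONS`, `TYPE_SUPPRESSIONS`, `TYPE_SUPPRESSIONS_NOT_RELATED`, `PROPERTY_SUPPRESSIONS_NOT_RELATED`) are undocumented although they now serve two roles. Each one names a request attribute set by the `add…Suppressions` helpers in the later hunks, and in `OperationController` it also names the form parameter whose presence is tested. A comment above the group would make that coupling explicit, for example `// Request attribute names here; also read as form parameter names in OperationController, so edit templates must post exactly these names.` The class body continues outside the hunk.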
@@ -280,7 +290,7 @@ protected static void addUriSuppressions(HttpServletRequest req, String entityUR roleInfos.add(roleCopy); } getRolePolicyInformation(entityURI, aot, namedKeys, operation, roleInfos); - req.setAttribute("uriSuppressions", uriSuppressionsToRoles); + req.setAttribute(URI_SUPPRESSIONS, uriSuppressionsToRoles); req.setAttribute(ENTITY_URI_ATTRIBUTE_NAME, entityURI); } @@ -304,7 +314,7 @@ protected static void addTypeSuppressions(HttpServletRequest req, String entityU roleInfos.add(roleCopy); } getRolePolicyInformation(entityURI, aot, namedKeys, operation, roleInfos); - req.setAttribute("typeSuppressions", typeSuppressionsToRoles); + req.setAttribute(TYPE_SUPPRESSIONS, typeSuppressionsToRoles); } protected static void addNotRelatedTypeSuppressions(HttpServletRequest req, String entityURI, AccessObjectType aot) { @@ -321,7 +331,7 @@ protected static void addNotRelatedTypeSuppressions(HttpServletRequest req, Stri roleInfos.add(role); getRolePolicyInformation(entityURI, aot, namedKeys, operation, roleInfos); - req.setAttribute("typeSuppressionsNotRelated", typeSuppressionsToRoles); + req.setAttribute(TYPE_SUPPRESSIONS_NOT_RELATED, typeSuppressionsToRoles); } protected static RoleInfo getSelfEditorRole(HttpServletRequest req) { @@ -346,7 +356,7 @@ protected static void addNotRelatedPropertySuppressions(HttpServletRequest req, roleInfos.add(role); getRolePolicyInformation(entityURI, aot, namedKeys, operation, roleInfos); - req.setAttribute("propertySuppressionsNotRelated", propertySuppressionsToRoles); + req.setAttribute(PROPERTY_SUPPRESSIONS_NOT_RELATED, propertySuppressionsToRoles); } static boolean isPublicForbiddenOperation(AccessOperation operation) { diff --git a/api/src/main/java/edu/cornell/mannlib/vedit/controller/OperationController.java b/api/src/main/java/edu/cornell/mannlib/vedit/controller/OperationController.java index c86fe12b37..db98ba2a97 100644 --- a/api/src/main/java/edu/cornell/mannlib/vedit/controller/OperationController.java 
+++ b/api/src/main/java/edu/cornell/mannlib/vedit/controller/OperationController.java @@ -338,19 +338,19 @@ private void updateNotRelatedPropertySuppressions(HttpServletRequest request, Ac private boolean isUriSuppressionsPresent(HttpServletRequest request) { - return request.getParameter("_uriSuppressions") != null; + return request.getParameter(URI_SUPPRESSIONS) != null; } private boolean isNotRelatedPropertySuppressionsPresent(HttpServletRequest request) { - return request.getParameter("_propertySuppressionsNotRelated") != null; + return request.getParameter(PROPERTY_SUPPRESSIONS_NOT_RELATED) != null; } private boolean isTypeSuppressionsPresent(HttpServletRequest request) { - return request.getParameter("_typeSuppressions") != null; + return request.getParameter(TYPE_SUPPRESSIONS) != null; } private boolean isNotRelatedTypeSuppressionsPresent(HttpServletRequest request) { - return request.getParameter("_typeSuppressionsNotRelated") != null; + return request.getParameter(TYPE_SUPPRESSIONS_NOT_RELATED) != null; } private Set getSelectedRoles(HttpServletRequest request, String operationGroupName) { diff --git a/webapp/src/main/webapp/templates/edit/specific/dataprop_retry.jsp b/webapp/src/main/webapp/templates/edit/specific/dataprop_retry.jsp index 4a74425b76..526651acc0 100644 --- a/webapp/src/main/webapp/templates/edit/specific/dataprop_retry.jsp +++ b/webapp/src/main/webapp/templates/edit/specific/dataprop_retry.jsp @@ -152,7 +152,7 @@ - + ${i18n.text('suppress_operation_for_this_property_in_unrelated_individuals', entry.key)}
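Review bot: The four `is…Present` checks in `OperationController` change which request parameter is read, so this is more than a constant extraction: the old literals were underscore-prefixed (`"_uriSuppressions"`, `"_typeSuppressions"`, …) and the new constant values are not (`"uriSuppressions"`, …). Each check only tests `getParameter(...) != null`, so a form that still posts an old name would make the check return false. The matching `update…Suppressions` step would then presumably be skipped without an error, leaving the stored access-control suppressions unchanged. The markup of the accompanying `.jsp` hunks is not visible here, so confirm that every edit form posts the new names, and consider a test that submits each parameter and asserts the update path runs. A comment on the checks such as `// Parameter name must match the hidden field posted by the *_retry.jsp templates` would record the dependency.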
diff --git a/webapp/src/main/webapp/templates/edit/specific/entity_retry.jsp b/webapp/src/main/webapp/templates/edit/specific/entity_retry.jsp index 2e4640bd60..c36c5f7d0d 100644 --- a/webapp/src/main/webapp/templates/edit/specific/entity_retry.jsp +++ b/webapp/src/main/webapp/templates/edit/specific/entity_retry.jsp @@ -8,7 +8,7 @@ - + diff --git a/webapp/src/main/webapp/templates/edit/specific/fauxProperty_retry.jsp b/webapp/src/main/webapp/templates/edit/specific/fauxProperty_retry.jsp index 988c5bee6d..23867979b2 100644 --- a/webapp/src/main/webapp/templates/edit/specific/fauxProperty_retry.jsp +++ b/webapp/src/main/webapp/templates/edit/specific/fauxProperty_retry.jsp @@ -88,7 +88,7 @@ - + ${i18n.text('suppress_operation_for_this_property_in_unrelated_individuals', entry.key)}
diff --git a/webapp/src/main/webapp/templates/edit/specific/property_retry.jsp b/webapp/src/main/webapp/templates/edit/specific/property_retry.jsp index 2fcb95abf5..d0d967ad06 100644 --- a/webapp/src/main/webapp/templates/edit/specific/property_retry.jsp +++ b/webapp/src/main/webapp/templates/edit/specific/property_retry.jsp @@ -215,7 +215,7 @@
- + ${i18n.text('suppress_operation_for_this_property_in_unrelated_individuals', entry.key)}
diff --git a/webapp/src/main/webapp/templates/edit/specific/vclass_retry.jsp b/webapp/src/main/webapp/templates/edit/specific/vclass_retry.jsp index 8a97cad16c..c5c36e40f3 100644 --- a/webapp/src/main/webapp/templates/edit/specific/vclass_retry.jsp +++ b/webapp/src/main/webapp/templates/edit/specific/vclass_retry.jsp @@ -114,7 +114,7 @@ - + ${i18n.text('suppress_operation_for_individuals_of_this_class', entry.key)}
@@ -139,7 +139,7 @@ - + ${i18n.text('suppress_operation_for_unrelated_individuals_of_this_class', entry.key)}
From 5f2c22ac11de07408a543482962a644462eff623 Mon Sep 17 00:00:00 2001 From: Georgy Litvinov Date: Mon, 22 Jan 2024 14:31:17 +0100 Subject: [PATCH 32/33] Serbian translation template improvements MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ivan R. Mršulja --- .../sr_Latn_RS/interface-i18n/firsttime/vitro_UiLabel.ttl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/home/src/main/resources/rdf/i18n/sr_Latn_RS/interface-i18n/firsttime/vitro_UiLabel.ttl b/home/src/main/resources/rdf/i18n/sr_Latn_RS/interface-i18n/firsttime/vitro_UiLabel.ttl index ee71a9b6d4..ef426fc344 100644 --- a/home/src/main/resources/rdf/i18n/sr_Latn_RS/interface-i18n/firsttime/vitro_UiLabel.ttl +++ b/home/src/main/resources/rdf/i18n/sr_Latn_RS/interface-i18n/firsttime/vitro_UiLabel.ttl @@ -6313,7 +6313,7 @@ uil-data:captcha_user_sol_invalid.Vitro uil-data:suppress_operation_for_roles.Vitro rdf:type owl:NamedIndividual ; rdf:type uil:UILabel ; - rdfs:label "Zabrani {0} operacije za uloge"@sr-Latn-RS ; + rdfs:label "Zabrani {0} operacije za role"@sr-Latn-RS ; uil:hasApp "Vitro" ; uil:hasKey "suppress_operation_for_roles" ; uil:hasPackage "Vitro-languages" . @@ -6345,7 +6345,7 @@ uil-data:suppress_operation_for_this_property_in_unrelated_individuals.Vitro uil-data:suppress_operation_for_individuals_of_this_class.Vitro rdf:type owl:NamedIndividual ; rdf:type uil:UILabel ; - rdfs:label "Zabrani {0} operacije za objekte koje pripadaju ovoj klasi"@sr-Latn-RS ; + rdfs:label "Zabrani {0} operacije za objekte koji pripadaju ovoj klasi"@sr-Latn-RS ; uil:hasApp "Vitro" ; uil:hasKey "suppress_operation_for_individuals_of_this_class" ; uil:hasPackage "Vitro-languages" . From e7229bac6861fd19a10c655943bedd6e473a2d1b Mon Sep 17 00:00:00 2001 
From: Georgy Litvinov Date: Mon, 22 Jan 2024 15:51:07 +0100 Subject: [PATCH 33/33] refact: renamed class attributes --- .../auth/attributes/AttributeValueKey.java | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AttributeValueKey.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AttributeValueKey.java index 3260678fa6..ec65c5f1e0 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AttributeValueKey.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/attributes/AttributeValueKey.java @@ -9,8 +9,8 @@ public class AttributeValueKey { - private AccessOperation ao; - private AccessObjectType aot; + private AccessOperation accessOperation; + private AccessObjectType accessObjectType; private String role; private String type; private Set namedKeyComponents = new HashSet<>(); @@ -24,8 +24,8 @@ public AttributeValueKey() { public AttributeValueKey(AccessOperation ao, AccessObjectType aot, String role, String type, String... namedKeyComponents) { - this.ao = ao; - this.aot = aot; + this.accessOperation = ao; + this.accessObjectType = aot; this.role = role; this.type = type; this.namedKeyComponents = new HashSet<>(Arrays.asList(namedKeyComponents)); 
@@ -33,27 +33,27 @@ public AttributeValueKey(AccessOperation ao, AccessObjectType aot, String role, public AttributeValueKey(AccessOperation ao, AccessObjectType aot, String role, String type, Set namedKeyComponents) { - this.ao = ao; - this.aot = aot; + this.accessOperation = ao; + this.accessObjectType = aot; this.role = role; this.type = type; this.namedKeyComponents = namedKeyComponents; } public AccessOperation getAccessOperation() { - return ao; + return accessOperation; } public void setOperation(AccessOperation ao) { - this.ao = ao; + this.accessOperation = ao; } public AccessObjectType getObjectType() { - return aot; + return accessObjectType; } public void setObjectType(AccessObjectType aot) { - this.aot = aot; + this.accessObjectType = aot; } public String getRole() { @@ -77,11 +77,11 @@ public void addNamedKey(String key) { } public AttributeValueKey clone() { - return new AttributeValueKey(ao, aot, role, type, namedKeyComponents); + return new AttributeValueKey(accessOperation, accessObjectType, role, type, namedKeyComponents); } public boolean isEmpty() { - return ao == null && aot == null && role == null && type == null; + return accessOperation == null && accessObjectType == null && role == null && type == null; } @Override
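Review bot: `clone()` passes `namedKeyComponents` to the constructor that takes a `Set`, and that constructor (first hunk on this line) stores the reference with `this.namedKeyComponents = namedKeyComponents;`, so a clone and its original share one mutable set. The hunk header shows an `addNamedKey(String key)` method; if it adds to that set, calling it on a clone also alters the original key. That would matter where these keys are used for lookups of access-control attribute values, which is not visible here. Copying in the constructor keeps the instances independent: `this.namedKeyComponents = new HashSet<>(namedKeyComponents);`. The varargs constructor in the previous hunk already builds a fresh `HashSet`, so this also makes the two constructors consistent.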