Merged in dspace-cris-2023_02_x-DSC-1604-cris-security-check-subgroup…

…s (pull request DSpace#1982) Dspace cris 2023 02 x DSC-1604 cris security check subgroups Approved-by: Stefano Maffei
4Science · May 14, 2024 · 8ad6949 · 8ad6949
2 parents bf9ef64 + d3878d1
commit 8ad6949
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 4 deletions.
diff --git a/dspace-api/src/main/java/org/dspace/content/security/CrisSecurityServiceImpl.java b/dspace-api/src/main/java/org/dspace/content/security/CrisSecurityServiceImpl.java
@@ -10,7 +10,6 @@
 import java.sql.SQLException;
 import java.util.ArrayList;
 import java.util.List;
-import java.util.Objects;
 import java.util.Optional;
 import java.util.UUID;
 
@@ -192,9 +191,15 @@ private boolean hasAccessByGroup(Context context, EPerson user, List<String> gro
  }
 
  return groups.stream()
- .map(group -> findGroupByNameOrUUID(context, group))
- .filter(group -> Objects.nonNull(group))
- .anyMatch(group -> userGroups.contains(group) || isSpecialGroup(context, group));
+ .map(group -> findGroupByNameOrUUID(context, group))
+ .filter(group -> group != null)
+ .anyMatch(group -> {
+ try {
+ return groupService.isMember(context, user, group);
+ } catch (SQLException e) {
+ return false;
+ }
+ });
  }
 
  private boolean isSpecialGroup(Context context, Group group) {

diff --git a/dspace-api/src/test/data/dspaceFolder/config/spring/api/edititem-service.xml b/dspace-api/src/test/data/dspaceFolder/config/spring/api/edititem-service.xml
@@ -90,6 +90,20 @@
  </property>
  <property name="submissionDefinition" value="traditional-with-custom-url" />
  </bean>
+ <bean class="org.dspace.content.edit.EditItemMode">
+ <property name="name" value="RESEARCHERS" />
+ <property name="security">
+ <value type="org.dspace.content.security.CrisSecurity">
+ GROUP
+ </value>
+ </property>
+ <property name="groups">
+ <list>
+ <value>Researchers</value>
+ </list>
+ </property>
+ <property name="submissionDefinition" value="publication-edit" />
+ </bean>
  <bean class="org.dspace.content.edit.EditItemMode">
  <property name="name" value="MODE-TEST-HIDDEN" />
  <property name="security">

diff --git a/dspace-api/src/test/java/org/dspace/content/security/CrisSecurityServiceIT.java b/dspace-api/src/test/java/org/dspace/content/security/CrisSecurityServiceIT.java
@@ -310,6 +310,33 @@ public void testHasAccessWithSubmitterGroupConfig() throws SQLException, Authori
  assertThat(crisSecurityService.hasAccess(context, item, anotherSubmitter, accessMode), is(true));
  }
 
+ @Test
+ public void testHasAccessWithGroupChildOfResearchersConfig() throws SQLException {
+ context.turnOffAuthorisationSystem();
+ Group researchersMainGroup = GroupBuilder.createGroup(context)
+ .withName("Researchers")
+ .build();
+ Group researcherSubGroup = GroupBuilder.createGroup(context)
+ .withName("Researcher")
+ .withParent(researchersMainGroup)
+ .build();
+ EPerson firstUser = EPersonBuilder.createEPerson(context)
+ .withEmail("[email protected]")
+ .withGroupMembership(researcherSubGroup)
+ .build();
+ Item item = ItemBuilder.createItem(context, collection)
+ .withTitle("Test item")
+ .withDspaceObjectOwner("Owner", owner.getID().toString())
+ //.withCrisOwner("Owner", owner.getID().toString())
+ .build();
+ context.restoreAuthSystemState();
+ AccessItemMode accessMode = buildAccessItemMode(CrisSecurity.GROUP);
+ when(accessMode.getGroups()).thenReturn(List.of("Researcher"));
+ assertThat(crisSecurityService.hasAccess(context, item, firstUser, accessMode), is(true));
+ assertThat(crisSecurityService.hasAccess(context, item, eperson, accessMode), is(false));
+ assertThat(crisSecurityService.hasAccess(context, item, owner, accessMode), is(false));
+ }
+
  @Test
  public void testHasAccessWithGroupConfig() throws SQLException, AuthorizeException {