take1 at improved search permission query
naknomum committed Dec 12, 2024
1 parent c038cc9 commit 4f74818
Showing 3 changed files with 13 additions and 13 deletions.
13 changes: 4 additions & 9 deletions src/main/java/org/ecocean/EncounterQueryProcessor.java
Expand Up @@ -61,7 +61,7 @@ public static String queryStringBuilder(HttpServletRequest request, StringBuffer
String indexName = searchQuery.optString("indexName", null);
if (indexName == null) return failed;
searchQuery = OpenSearch.queryScrubStored(searchQuery);
JSONObject sanitized = OpenSearch.querySanitize(searchQuery, user);
JSONObject sanitized = OpenSearch.querySanitize(searchQuery, user, myShepherd);
OpenSearch os = new OpenSearch();
String sort = request.getParameter("sort");
String sortOrder = request.getParameter("sortOrder");
Expand Down Expand Up @@ -134,8 +134,7 @@ public static String queryStringBuilder(HttpServletRequest request, StringBuffer
String variables_statement =
" VARIABLES org.ecocean.User user; org.ecocean.Organization org";
jdoqlVariableDeclaration = addOrgVars(variables_statement, filter);
} else {
}
} else {}
// end filter for organization------------------
// filter for projectName-------------------
if (Util.isUUID(request.getParameter("projectId"))) {
Expand Down Expand Up @@ -169,8 +168,7 @@ public static String queryStringBuilder(HttpServletRequest request, StringBuffer
}
String variables_statement = " VARIABLES org.ecocean.Project proj";
jdoqlVariableDeclaration = addOrgVars(variables_statement, filter);
} else {
}
} else {}
// end filter for projectName------------------
// username filters-------------------------------------------------
String[] usernames = request.getParameterValues("username");
Expand Down Expand Up @@ -1356,7 +1354,6 @@ public static String queryStringBuilder(HttpServletRequest request, StringBuffer
(!request.getParameter("nameField").equals(""))) {
String nameString = request.getParameter("nameField").replaceAll("%20",
" ").toLowerCase().trim();

String filterString = "" + "(" +
"(submitters.contains(submitter) && ((submitter.fullName.toLowerCase().indexOf('" +
nameString + "') != -1)||(submitter.emailAddress.toLowerCase().indexOf('" +
Expand Down Expand Up @@ -1529,7 +1526,6 @@ public static EncounterQueryResult processQuery(Shepherd myShepherd, HttpServlet
String currentUser = null;

if (request.getUserPrincipal() != null) currentUser = request.getUserPrincipal().getName();

String searchQueryId = request.getParameter("searchQueryId");
long startTime = System.currentTimeMillis();
if (searchQueryId != null) {
Expand All @@ -1546,7 +1542,7 @@ public static EncounterQueryResult processQuery(Shepherd myShepherd, HttpServlet
return new EncounterQueryResult(rEncounters, "searchQuery has no indexName",
"OpenSearch id " + searchQueryId);
searchQuery = OpenSearch.queryScrubStored(searchQuery);
JSONObject sanitized = OpenSearch.querySanitize(searchQuery, user);
JSONObject sanitized = OpenSearch.querySanitize(searchQuery, user, myShepherd);
OpenSearch os = new OpenSearch();
String sort = request.getParameter("sort");
String sortOrder = request.getParameter("sortOrder");
Expand Down Expand Up @@ -1620,7 +1616,6 @@ public static EncounterQueryResult processQuery(Shepherd myShepherd, HttpServlet
rEncounters.add(temp_enc);
}
}

query.closeAll();

// silo security logging
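Review bot: In the nameField hunk, `nameString` is taken straight from the request parameter and spliced into the JDOQL filter inside single-quoted `indexOf('...')` literals, so a quote in the submitted name breaks out of the literal and changes the filter; the lines that finish building that string continue below the hunk and I see no escaping of the value there. Binding it as a declared JDOQL parameter (a `PARAMETERS String nameParam` clause, with `nameParam` used where the concatenated literal is now) removes the problem. Separately, the `} else {}` kept in the organization and project filter hunks carries no logic and reads cleaner as a plain closing brace. queryStringBuilder starts and ends outside these hunks.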
9 changes: 7 additions & 2 deletions src/main/java/org/ecocean/OpenSearch.java
Expand Up @@ -581,13 +581,18 @@ public Long getIndexTimestamp(Shepherd myShepherd, String indexName) {
return SystemValue.getLong(myShepherd, INDEX_TIMESTAMP_PREFIX + indexName);
}

public static JSONObject querySanitize(JSONObject query, User user) {
public static JSONObject querySanitize(JSONObject query, User user, Shepherd myShepherd) {
if ((query == null) || (user == null)) return query;
// do not add viewUsers query when we are admin, as user has no restriction
if (user.isAdmin(myShepherd)) return query;
JSONObject permClause = new JSONObject(
"{\"bool\": {\"should\": [{\"term\": {\"publiclyReadable\": true}}, {\"term\": {\"viewUsers\": \""
+ user.getId() + "\"}} ] }}");
JSONObject newQuery = new JSONObject(query.toString());
try {
JSONArray filter = newQuery.getJSONObject("query").getJSONObject("bool").getJSONArray(
"filter");
filter.put(new JSONObject("{\"match\": {\"viewUsers\": \"" + user.getId() + "\"}}"));
filter.put(permClause);
} catch (Exception ex) {
System.out.println("OpenSearch.querySanitize() failed to find filter element: " + ex);
}
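Review bot: The catch at the end of the hunk fails open: when `query.bool.filter` is absent the exception is only printed and, assuming the method goes on to return `newQuery` (its tail is outside the hunk), the caller runs the search without the new permission clause. Since that clause is what keeps a non-admin user from reading other users' records, a missing filter array should be created rather than tolerated, and a query shape that cannot be restricted should fail closed (throw, which callers would then have to handle, or return a query that matches nothing) instead of being logged. Building `permClause` through the JSONObject/JSONArray API rather than concatenating `user.getId()` into a JSON string also removes the dependence on the id never containing a quote. The `user == null` early return two lines above likewise hands back the query unfiltered; if an unauthenticated caller can reach this method it should still be restricted to the `publiclyReadable` term.
```java
// … unchanged: null-query/null-user and admin early returns …
JSONObject permClause = new JSONObject().put("bool", new JSONObject().put("should",
    new JSONArray()
        .put(new JSONObject().put("term", new JSONObject().put("publiclyReadable", true)))
        .put(new JSONObject().put("term", new JSONObject().put("viewUsers", user.getId())))));
JSONObject newQuery = new JSONObject(query.toString());
try {
    JSONObject bool = newQuery.getJSONObject("query").getJSONObject("bool");
    JSONArray filter = bool.optJSONArray("filter");
    if (filter == null) {
        // no filter array yet: create one instead of dropping the permission clause
        filter = new JSONArray();
        bool.put("filter", filter);
    }
    filter.put(permClause);
} catch (Exception ex) {
    // fail closed: a query that cannot be restricted must not be executed as-is
    throw new IllegalArgumentException("OpenSearch.querySanitize() could not attach permission clause", ex);
}
```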
4 changes: 2 additions & 2 deletions src/main/java/org/ecocean/api/SearchApi.java
Expand Up @@ -62,7 +62,7 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
String sort = request.getParameter("sort");
String sortOrder = request.getParameter("sortOrder");
// for now, we delete pit by default. TODO: let frontend decide when to keep it
// by passing in the previous pit (e.g. for pagination)
// by passing in the previous pit (e.g. for pagination)
// boolean deletePit = Util.requestParameterSet(request.getParameter("deletePit"));
boolean deletePit = true;
int numFrom = 0;
Expand All @@ -77,7 +77,7 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
indexName = query.optString("indexName", null);
query = OpenSearch.queryScrubStored(query);
}
query = OpenSearch.querySanitize(query, currentUser);
query = OpenSearch.querySanitize(query, currentUser, myShepherd);
System.out.println("SearchApi (sanitized) indexName=" + indexName + "; query=" +
query);
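Review bot: The new `querySanitize(query, currentUser, myShepherd)` call returns the query unchanged when `currentUser` is null (the null-user early return in OpenSearch.querySanitize), so an unauthenticated request, if one can reach this point, would be executed without any permission clause; if `currentUser` may be null here the handler should stop before searching, e.g. `if (currentUser == null) { response.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }`. The `System.out.println` that follows writes the complete sanitized query, including the user id and the caller-supplied body, to stdout on every request; that belongs behind a debug-level logger rather than unconditional stdout. doPost begins above the hunk.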

