replace admin role check from SecurityUtil with permission checks

2025-11-06 21:45:43 +01:00 · 2016-12-08 07:56:40 +01:00
parent 4cfc29144d
commit c673b0fb10
3 changed files with 23 additions and 92 deletions
--- a/scm-core/src/main/java/sonia/scm/plugin/PluginInformation.java
+++ b/scm-core/src/main/java/sonia/scm/plugin/PluginInformation.java
@@ -35,6 +35,9 @@ package sonia.scm.plugin;

 //~--- non-JDK imports --------------------------------------------------------

+import com.github.sdorra.ssp.PermissionObject;
+import com.github.sdorra.ssp.StaticPermissions;
+
 import com.google.common.base.Objects;

 import sonia.scm.Validateable;
@@ -57,9 +60,16 @@ import javax.xml.bind.annotation.XmlRootElement;
 *
 * @author Sebastian Sdorra
 */
+@StaticPermissions(
+  value = "plugin", 
+  generatedClass = "PluginPermissions", 
+  permissions = {},
+  globalPermissions = { "read", "manage" }
+)
@XmlAccessorType(XmlAccessType.FIELD)
@XmlRootElement(name = "plugin-information")
-public class PluginInformation implements Validateable, Cloneable, Serializable
+public class PluginInformation 
+       implements PermissionObject, Validateable, Cloneable, Serializable
 {

  /** Field description */
@@ -262,6 +272,7 @@ public class PluginInformation implements Validateable, Cloneable, Serializable
   *
   * @return
   */
+  @Override
  public String getId()
  {
    return getId(true);
--- a/scm-core/src/main/java/sonia/scm/util/SecurityUtil.java
+++ b/scm-core/src/main/java/sonia/scm/util/SecurityUtil.java
@@ -1,79 +0,0 @@
-/**
- * Copyright (c) 2010, Sebastian Sdorra
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright notice,
- *    this list of conditions and the following disclaimer in the documentation
- *    and/or other materials provided with the distribution.
- * 3. Neither the name of SCM-Manager; nor the names of its
- *    contributors may be used to endorse or promote products derived from this
- *    software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- * http://bitbucket.org/sdorra/scm-manager
- *
- */
-
-
-
-package sonia.scm.util;
-
-//~--- non-JDK imports --------------------------------------------------------
-
-import org.apache.shiro.SecurityUtils;
-import org.apache.shiro.subject.Subject;
-
-import sonia.scm.security.Role;
-import sonia.scm.security.ScmSecurityException;
-
-/**
- *
- * @author Sebastian Sdorra
- */
-public final class SecurityUtil
-{
-
-  /**
-   * Constructs ...
-   *
-   */
-  private SecurityUtil() {}
-
-  //~--- methods --------------------------------------------------------------
-
-  /**
-   * This method is only present for compatibility reasons.
-   * Use {@link Subject#checkRole(java.lang.String)} with {
-   * @link Role#ADMIN} instead.
-   *
-   * @since 1.21
-   */
-  public static void assertIsAdmin()
-  {
-    Subject subject = SecurityUtils.getSubject();
-
-    if (!subject.hasRole(Role.USER))
-    {
-      throw new ScmSecurityException("user is not authenticated");
-    }
-    else if (!subject.hasRole(Role.ADMIN))
-    {
-      throw new ScmSecurityException("admin account is required");
-    }
-  }
-}
--- a/scm-webapp/src/main/java/sonia/scm/plugin/DefaultPluginManager.java
+++ b/scm-webapp/src/main/java/sonia/scm/plugin/DefaultPluginManager.java
@@ -56,7 +56,6 @@ import sonia.scm.io.ZipUnArchiver;
 import sonia.scm.net.HttpClient;
 import sonia.scm.util.AssertUtil;
 import sonia.scm.util.IOUtil;
-import sonia.scm.util.SecurityUtil;
 import sonia.scm.util.SystemUtil;
 import sonia.scm.util.Util;
 import sonia.scm.version.Version;
@@ -191,7 +190,7 @@ public class DefaultPluginManager implements PluginManager
  @Override
  public void install(String id)
  {
-    SecurityUtil.assertIsAdmin();
+    PluginPermissions.manage().check();
    
    PluginCenter center = getPluginCenter();

@@ -226,7 +225,7 @@ public class DefaultPluginManager implements PluginManager
  @Override
  public void installPackage(InputStream packageStream) throws IOException
  {
-    SecurityUtil.assertIsAdmin();
+    PluginPermissions.manage().check();

    File tempDirectory = Files.createTempDir();

@@ -274,7 +273,7 @@ public class DefaultPluginManager implements PluginManager
  @Override
  public void uninstall(String id)
  {
-    SecurityUtil.assertIsAdmin();
+    PluginPermissions.manage().check();

    Plugin plugin = installedPlugins.get(id);

@@ -320,7 +319,7 @@ public class DefaultPluginManager implements PluginManager
  @Override
  public void update(String id)
  {
-    SecurityUtil.assertIsAdmin();
+    PluginPermissions.manage().check();

    String[] idParts = id.split(":");
    String groupId = idParts[0];
@@ -364,7 +363,7 @@ public class DefaultPluginManager implements PluginManager
  @Override
  public PluginInformation get(String id)
  {
-    SecurityUtil.assertIsAdmin();
+    PluginPermissions.read().check();

    PluginInformation result = null;

@@ -393,7 +392,7 @@ public class DefaultPluginManager implements PluginManager
  public Set<PluginInformation> get(Predicate<PluginInformation> predicate)
  {
    AssertUtil.assertIsNotNull(predicate);
-    SecurityUtil.assertIsAdmin();
+    PluginPermissions.read().check();

    Set<PluginInformation> infoSet = new HashSet<>();

@@ -412,7 +411,7 @@ public class DefaultPluginManager implements PluginManager
  @Override
  public Collection<PluginInformation> getAll()
  {
-    SecurityUtil.assertIsAdmin();
+    PluginPermissions.read().check();

    Set<PluginInformation> infoSet = getInstalled();

@@ -430,7 +429,7 @@ public class DefaultPluginManager implements PluginManager
  @Override
  public Collection<PluginInformation> getAvailable()
  {
-    SecurityUtil.assertIsAdmin();
+    PluginPermissions.read().check();

    Set<PluginInformation> availablePlugins = new HashSet<>();
    Set<PluginInformation> centerPlugins = getPluginCenter().getPlugins();
@@ -455,7 +454,7 @@ public class DefaultPluginManager implements PluginManager
  @Override
  public Set<PluginInformation> getAvailableUpdates()
  {
-    SecurityUtil.assertIsAdmin();
+    PluginPermissions.read().check();

    return get(FILTER_UPDATES);
  }
@@ -469,7 +468,7 @@ public class DefaultPluginManager implements PluginManager
  @Override
  public Set<PluginInformation> getInstalled()
  {
-    SecurityUtil.assertIsAdmin();
+    PluginPermissions.read().check();

    Set<PluginInformation> infoSet = new LinkedHashSet<>();