authorize-check for xlscollectionCrosswalk

dspace-api/src/main/java/org/dspace/content/integration/crosswalks/XlsCollectionCrosswalk.java

@@ -14,7 +14,9 @@
 import java.io.OutputStream;
 import java.sql.SQLException;
 import java.util.Iterator;
+import java.util.List;
 
+import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.collections4.IteratorUtils;
 import org.apache.poi.ss.usermodel.Workbook;
 import org.dspace.app.bulkedit.BulkImport;
@@ -31,6 +33,9 @@
 import org.dspace.content.service.ItemService;
 import org.dspace.core.Constants;
 import org.dspace.core.Context;
+import org.dspace.eperson.EPerson;
+import org.dspace.eperson.Group;
+import org.dspace.eperson.service.GroupService;
 import org.springframework.beans.factory.annotation.Autowired;
 
 /**
@@ -52,6 +57,9 @@
     @Autowired
     private BulkImportWorkbookBuilder bulkImportWorkbookBuilder;
 
+    @Autowired
+    private GroupService groupService;
+
     @Override
     public boolean canDisseminate(Context context, DSpaceObject dso) {
         return dso.getType() == Constants.COLLECTION;
@@ -71,6 +79,16 @@
         return CrosswalkMode.MULTIPLE;
     }
 
+    private List<String> allowedGroups;
+
+    public List<String> getAllowedGroups() {
+        return allowedGroups;
+    }
+
+    public void setAllowedGroups(List<String> allowedGroups) {
+        this.allowedGroups = allowedGroups;
+    }
+
     @Override
     public void disseminate(Context context, DSpaceObject dso, OutputStream out)
         throws CrosswalkException, IOException, SQLException, AuthorizeException {
@@ -79,6 +97,10 @@
             throw new CrosswalkObjectNotSupported("Can only crosswalk a Collection");
         }
 
+        if (!isAuthorized(context)) {
+            throw new AuthorizeException("The current user is not allowed to perform a xls collection export");
+        }
+
         Collection collection = (Collection) dso;
 
         Iterator<Item> itemIterator = itemService.findByCollection(context, collection);
@@ -133,4 +155,28 @@
         return collection;
     }
 
+    @Override
+    public boolean isAuthorized(Context context) {
+        if (CollectionUtils.isEmpty(getAllowedGroups())) {
+            return true;
+        }
+
+        EPerson ePerson = context.getCurrentUser();
+        if (ePerson == null) {
+            return getAllowedGroups().contains(Group.ANONYMOUS);
+        }
+
+        return getAllowedGroups().stream()
+            .anyMatch(groupName -> isMemberOfGroupNamed(context, ePerson, groupName));
+    }
+
+    private boolean isMemberOfGroupNamed(Context context, EPerson ePerson, String groupName) {
+        try {
+            Group group = groupService.findByName(context, groupName);
+            return groupService.isMember(context, ePerson, group);
+        } catch (SQLException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
 }

dspace-api/src/test/java/org/dspace/content/integration/crosswalks/XlsCollectionCrosswalkIT.java

@@ -63,6 +63,9 @@
 import org.dspace.content.WorkspaceItem;
 import org.dspace.core.Constants;
 import org.dspace.core.CrisConstants;
+import org.dspace.eperson.Group;
+import org.dspace.eperson.factory.EPersonServiceFactory;
+import org.dspace.eperson.service.GroupService;
 import org.dspace.services.ConfigurationService;
 import org.dspace.services.factory.DSpaceServicesFactory;
 import org.dspace.utils.DSpace;
@@ -86,6 +89,8 @@ public class XlsCollectionCrosswalkIT extends AbstractIntegrationTestWithDatabas
 
     private ConfigurationService configurationService;
 
+    private GroupService groupService;
+
     private Community community;
 
     private static final String BITSTREAM_URL_FORMAT = "%s/api/core/bitstreams/%s/content";
@@ -103,6 +108,9 @@ public void setup() throws SQLException, AuthorizeException {
             .getServicesByType(BulkImportWorkbookBuilderImpl.class).get(0);
 
         configurationService = DSpaceServicesFactory.getInstance().getConfigurationService();
+        configurationService = DSpaceServicesFactory.getInstance().getConfigurationService();
+
+        groupService = EPersonServiceFactory.getInstance().getGroupService();
 
         context.turnOffAuthorisationSystem();
         community = createCommunity(context).build();
@@ -332,6 +340,109 @@ public void testCollectionDisseminateWithEmptyCollection() throws Exception {
         assertThat(getRowValues(mainSheet.getRow(0), mainSheetHeader.length), contains(mainSheetHeader));
     }
 
+    @Test
+    public void testCollectionIsNotAuthorized() throws Exception {
+
+        context.turnOffAuthorisationSystem();
+        Collection collection = createCollection(context, community)
+            .withAdminGroup(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        List<String> groups = new ArrayList<>();
+        groups.add("Test1");
+        xlsCollectionCrosswalk.setAllowedGroups(groups);
+        context.commit();
+
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+
+        assertThat(xlsCollectionCrosswalk.isAuthorized(context), equalTo(false));
+
+        AuthorizeException authorizeException = Assert.assertThrows(AuthorizeException.class,
+            () -> xlsCollectionCrosswalk.disseminate(context, collection, baos));
+
+        assertThat(authorizeException.getMessage(),
+            is("The current user is not allowed to perform a xls collection export"));
+
+
+    }
+
+    @Test
+    public void testCollectionIsAuthorizedEmptyCollection() throws Exception {
+
+        context.turnOffAuthorisationSystem();
+        Collection collection = createCollection(context, community)
+            .withAdminGroup(eperson)
+            .build();
+
+        Group group = groupService.create(context);
+        groupService.setName(group, "Test");
+        groupService.addMember(context, group, eperson);
+        context.commit();
+
+        context.restoreAuthSystemState();
+
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+
+        List<String> groups = new ArrayList<>();
+        groups.add("Test");
+
+        xlsCollectionCrosswalk.setAllowedGroups(groups);
+
+        assertThat(xlsCollectionCrosswalk.isAuthorized(context), equalTo(true));
+
+        xlsCollectionCrosswalk.disseminate(context, collection, baos);
+
+        Workbook workbook = WorkbookFactory.create(new ByteArrayInputStream(baos.toByteArray()));
+        assertThat(workbook.getNumberOfSheets(), equalTo(2));
+
+        Sheet mainSheet = workbook.getSheetAt(0);
+        String[] mainSheetHeader = { "ID", "DISCOVERABLE", "dc.contributor.author", "dc.title", "dc.title.alternative",
+            "dc.date.issued", "dc.publisher", "dc.identifier.citation", "dc.relation.ispartofseries",
+            "dc.identifier.doi", "dc.identifier.scopus", "dc.identifier.isi", "dc.identifier.adsbibcode",
+            "dc.identifier.pmid", "dc.identifier.arxiv", "dc.identifier.issn", "dc.identifier.other",
+            "dc.identifier.ismn", "dc.identifier.govdoc", "dc.identifier.uri", "dc.identifier.isbn",
+            "dc.type", "dc.language.iso", "dc.subject", "dc.description.abstract", "dc.description.sponsorship",
+            "dc.description" };
+        assertThat(mainSheet.getPhysicalNumberOfRows(), equalTo(1));
+        assertThat(getRowValues(mainSheet.getRow(0), mainSheetHeader.length), contains(mainSheetHeader));
+    }
+
+    @Test
+    public void testCollectionIsAuthorizedAnonymousEmptyCollection() throws Exception {
+
+        context.turnOffAuthorisationSystem();
+        Collection collection = createCollection(context, community)
+            .withAdminGroup(eperson)
+            .build();
+        context.restoreAuthSystemState();
+
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+
+        List<String> groups = new ArrayList<>();
+        groups.add("Anonymous");
+
+        xlsCollectionCrosswalk.setAllowedGroups(groups);
+
+        assertThat(xlsCollectionCrosswalk.isAuthorized(context), equalTo(true));
+
+        xlsCollectionCrosswalk.disseminate(context, collection, baos);
+
+        Workbook workbook = WorkbookFactory.create(new ByteArrayInputStream(baos.toByteArray()));
+        assertThat(workbook.getNumberOfSheets(), equalTo(2));
+
+        Sheet mainSheet = workbook.getSheetAt(0);
+        String[] mainSheetHeader = { "ID", "DISCOVERABLE", "dc.contributor.author", "dc.title", "dc.title.alternative",
+            "dc.date.issued", "dc.publisher", "dc.identifier.citation", "dc.relation.ispartofseries",
+            "dc.identifier.doi", "dc.identifier.scopus", "dc.identifier.isi", "dc.identifier.adsbibcode",
+            "dc.identifier.pmid", "dc.identifier.arxiv", "dc.identifier.issn", "dc.identifier.other",
+            "dc.identifier.ismn", "dc.identifier.govdoc", "dc.identifier.uri", "dc.identifier.isbn",
+            "dc.type", "dc.language.iso", "dc.subject", "dc.description.abstract", "dc.description.sponsorship",
+            "dc.description" };
+        assertThat(mainSheet.getPhysicalNumberOfRows(), equalTo(1));
+        assertThat(getRowValues(mainSheet.getRow(0), mainSheetHeader.length), contains(mainSheetHeader));
+    }
+
     @Test
     public void testCollectionDisseminateWithMockSubmissionFormConfiguration() throws Exception {
 

dspace/config/spring/api/crosswalks.xml

@@ -509,7 +509,14 @@
 		<property name="crosswalkMode" value="#{T(org.dspace.content.crosswalk.CrosswalkMode).MULTIPLE}"/>
 	</bean>
 
-	<bean class="org.dspace.content.integration.crosswalks.XlsCollectionCrosswalk" id="xlsCrosswalkCollection"/>
+	<bean class="org.dspace.content.integration.crosswalks.XlsCollectionCrosswalk" id="xlsCrosswalkCollection">
+		<property name="allowedGroups">
+			<list>
+				<value>Administrator</value>
+				<value>Anonymous</value>
+			</list>
+		</property>
+	</bean>
 
     <bean class="org.dspace.content.integration.crosswalks.ZipItemExportCrosswalk" id="zipCrosswalk">
         <property name="zipName" value="items.zip"/>