Add a feature flag to optionally enable permission check in LC api

Author: qqmyers

doc/sphinx-guides/source/installation/localcontexts.rst

@@ -29,3 +29,7 @@ See https://github.com/gdcc/dataverse-external-vocab-support/blob/main/packages/
 
 Lastly, if you wish the Local Contexts information to be shown in the summary section of the dataset page, as shown in the image above, you should add `LCProjectUrl` to list of custom summary fields via use of the :ref:`:CustomDatasetSummaryFields` setting.
 
+Optionally, one could also set the dataverse.feature.add-local-contexts-permission-check FeatureFlag to true. This assures that only users editing datasets can use the LocalContexts search functionality.
+However, as this currently would also require setting the dataverse.feature.api-session-auth, the security implications of which haven't been fully explored, it is not recommended unless problematic use is seen.
+(When API access via OpenIdConnect is available, use of api-session-auth would not be required.)
+

src/main/java/edu/harvard/iq/dataverse/api/LocalContexts.java

@@ -15,6 +15,7 @@
 import edu.harvard.iq.dataverse.api.auth.AuthRequired;
 import edu.harvard.iq.dataverse.authorization.Permission;
 import edu.harvard.iq.dataverse.engine.command.DataverseRequest;
+import edu.harvard.iq.dataverse.settings.FeatureFlags;
 import edu.harvard.iq.dataverse.settings.JvmSettings;
 import edu.harvard.iq.dataverse.util.json.JsonUtil;
 import jakarta.ejb.EJB;
@@ -50,7 +51,11 @@ public Response getDatasetLocalContexts(@Context ContainerRequestContext crc, @P
             DataverseRequest req = createDataverseRequest(getRequestUser(crc));
 
             // Check if the user has edit dataset permission
-            if (!permissionService.userOn(req.getUser(), dataset).has(Permission.EditDataset)) {
+            /* Feature flag to skip permission check
+             * If you add the api-session-auth FeatureFlag, you can verify if the user has edit permissions
+             * 
+             */
+            if (FeatureFlags.ADD_LOCAL_CONTEXTS_PERMISSION_CHECK.enabled() && !permissionService.userOn(req.getUser(), dataset).has(Permission.EditDataset)) {
                 return error(Response.Status.FORBIDDEN,
                         "You do not have permission to query LocalContexts about this dataset.");
             }
@@ -100,8 +105,7 @@ public Response getDatasetLocalContexts(@Context ContainerRequestContext crc, @P
     @GET
     @Path("/datasets/{id}/{projectId}")
     @Produces(MediaType.APPLICATION_JSON)
-    public Response searchLocalContexts(@Context ContainerRequestContext crc, @PathParam("id") String datasetId,
-            @PathParam("projectId") String projectId) {
+    public Response searchLocalContexts(@PathParam("id") String datasetId, @PathParam("projectId") String projectId) {
         try {
             Dataset dataset = findDatasetOrDie(datasetId);
             String localContextsUrl = JvmSettings.LOCALCONTEXTS_URL.lookupOptional().orElse(null);

src/main/java/edu/harvard/iq/dataverse/settings/FeatureFlags.java

@@ -25,7 +25,7 @@
 public enum FeatureFlags {
 
     /**
-     * Enables API authentication via session cookie (JSESSIONID). Caution: Enabling this feature flag exposes the installation to CSRF risks
+     * Enables API authentication via session cookie (JSESSIONID). Caution: Enabling this feature flag may expose the installation to CSRF risks
      * @apiNote Raise flag by setting "dataverse.feature.api-session-auth"
      * @since Dataverse 5.14
      */
@@ -151,6 +151,21 @@ public enum FeatureFlags {
      * @since Dataverse 6.5
      */
     VERSION_NOTE("enable-version-note"),
+    /**
+     * This flag adds a permission check to assure that the user calling the
+     * /api/localcontexts/datasets/{id} can edit the dataset with that id. This is
+     * currently the only use case - see
+     * https://github.com/gdcc/dataverse-external-vocab-support/tree/main/packages/local_contexts.
+     * The flag adds additional security to stop other uses, but would currently
+     * have to be used in conjunction with the api-session-auth feature flag (the
+     * security implications of which have not been fully investigated) to still
+     * allow adding Local Contexts metadata to a dataset.
+     * 
+     * @apiNote Raise flag by setting
+     *          "dataverse.feature.add-local-contexts-permission-check"
+     * @since Dataverse 6.5
+     */
+    ADD_LOCAL_CONTEXTS_PERMISSION_CHECK("add-local-contexts-permission-check"),
 
     ;