Merge pull request #11492 from vera/feat/list-dataset-links

feat: allow non-superusers to list the links of a dataset via API

Author: ofahimIQSS

doc/release-notes/11492-list-dataset-links.md

@@ -0,0 +1 @@
+The [API for listing the collections a dataset has been linked to](https://guides.dataverse.org/en/latest/admin/dataverses-datasets.html#list-collections-that-are-linked-from-a-dataset) (`api/datasets/$linked-dataset-id/links`) is no longer restricted to superusers. For unpublished datasets, users need the "View Unpublished Dataset" permission to access the API. Unpublished collections in the list require the "View Unpublished Dataverse" permission; otherwise, they are hidden.

src/main/java/edu/harvard/iq/dataverse/api/Datasets.java

@@ -2086,20 +2086,23 @@ public Response getCustomTermsTab(@PathParam("id") String id, @PathParam("versio
     public Response getLinks(@Context ContainerRequestContext crc, @PathParam("id") String idSupplied ) {
         try {
             User u = getRequestUser(crc);
-            if (!u.isSuperuser()) {
-                return error(Response.Status.FORBIDDEN, "Not a superuser");
-            }
             Dataset dataset = findDatasetOrDie(idSupplied);
 
+            if (!dataset.isReleased() && !permissionService.hasPermissionsFor(u, dataset, EnumSet.of(Permission.ViewUnpublishedDataset))) {
+                return error(Response.Status.FORBIDDEN, "User is not allowed to list the link(s) of this dataset");
+            }
+
             long datasetId = dataset.getId();
             List<Dataverse> dvsThatLinkToThisDatasetId = dataverseSvc.findDataversesThatLinkToThisDatasetId(datasetId);
             JsonArrayBuilder dataversesThatLinkToThisDatasetIdBuilder = Json.createArrayBuilder();
             for (Dataverse dataverse : dvsThatLinkToThisDatasetId) {
-                JsonObjectBuilder datasetBuilder = Json.createObjectBuilder();
-                datasetBuilder.add("id", dataverse.getId());
-                datasetBuilder.add("alias", dataverse.getAlias());
-                datasetBuilder.add("displayName", dataverse.getDisplayName());
-                dataversesThatLinkToThisDatasetIdBuilder.add(datasetBuilder.build());
+                if (dataverse.isReleased() || this.permissionService.hasPermissionsFor(u, dataverse, EnumSet.of(Permission.ViewUnpublishedDataverse))) {
+                    JsonObjectBuilder datasetBuilder = Json.createObjectBuilder();
+                    datasetBuilder.add("id", dataverse.getId());
+                    datasetBuilder.add("alias", dataverse.getAlias());
+                    datasetBuilder.add("displayName", dataverse.getDisplayName());
+                    dataversesThatLinkToThisDatasetIdBuilder.add(datasetBuilder.build());
+                }
             }
             JsonObjectBuilder response = Json.createObjectBuilder();
             response.add("id", datasetId);

src/test/java/edu/harvard/iq/dataverse/api/LinkIT.java

@@ -4,13 +4,18 @@
 import io.restassured.path.json.JsonPath;
 import io.restassured.response.Response;
 
+import java.io.StringReader;
+import java.util.ArrayList;
+import java.util.List;
 import java.util.logging.Logger;
-import static jakarta.ws.rs.core.Response.Status.CREATED;
-import static jakarta.ws.rs.core.Response.Status.FORBIDDEN;
-import static jakarta.ws.rs.core.Response.Status.OK;
+
+import static jakarta.ws.rs.core.Response.Status.*;
 import static org.hamcrest.CoreMatchers.equalTo;
-import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.*;
 
+import jakarta.json.Json;
+import jakarta.json.JsonArray;
+import jakarta.json.JsonObject;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 
@@ -186,4 +191,160 @@ public void testDeepLinks() {
 
     }
 
+    @Test
+    public void testListLinks() {
+
+        Response createUser1 = UtilIT.createRandomUser();
+        createUser1.prettyPrint();
+        createUser1.then().assertThat()
+                .statusCode(OK.getStatusCode());
+        String apiToken1 = UtilIT.getApiTokenFromResponse(createUser1);
+
+        Response createUser2 = UtilIT.createRandomUser();
+        createUser2.prettyPrint();
+        createUser2.then().assertThat()
+                .statusCode(OK.getStatusCode());
+        String username2 = UtilIT.getUsernameFromResponse(createUser2);
+        String apiToken2 = UtilIT.getApiTokenFromResponse(createUser2);
+
+        // Create and publish dataverse1 which both user1 and user2 have admin access to
+        Response createDataverse1 = UtilIT.createRandomDataverse(apiToken1);
+        createDataverse1.prettyPrint();
+        createDataverse1.then().assertThat()
+                .statusCode(CREATED.getStatusCode());
+        String dataverse1Alias = UtilIT.getAliasFromResponse(createDataverse1);
+
+        UtilIT.publishDataverseViaNativeApi(dataverse1Alias, apiToken1).then().assertThat()
+                .statusCode(OK.getStatusCode());
+
+        Response grantUser2AccessOnDataverse = UtilIT.grantRoleOnDataverse(dataverse1Alias, "admin", "@" + username2, apiToken1);
+        grantUser2AccessOnDataverse.prettyPrint();
+        grantUser2AccessOnDataverse.then().assertThat()
+                .statusCode(OK.getStatusCode());
+
+        // Create and publish dataset in dataverse1
+        // Which means that both user1 and user2 have permission to view it
+        Response createDataset = UtilIT.createRandomDatasetViaNativeApi(dataverse1Alias, apiToken1);
+        createDataset.prettyPrint();
+        createDataset.then().assertThat()
+                .statusCode(CREATED.getStatusCode());
+        String datasetPid = JsonPath.from(createDataset.asString()).getString("data.persistentId");
+
+        Response publishDatasetResponse = UtilIT.publishDatasetViaNativeApi(datasetPid, "major", apiToken1);
+        publishDatasetResponse.prettyPrint();
+        publishDatasetResponse.then().assertThat()
+                .statusCode(OK.getStatusCode());
+
+        // Create another unpublished dataverse2 as user2, and don't grant user1 any permissions on it
+        // Which means that user1 doesn't have permission to view this dataverse before it is published
+        Response createDataverse2 = UtilIT.createRandomDataverse(apiToken2);
+        createDataverse2.prettyPrint();
+        createDataverse2.then().assertThat()
+                .statusCode(CREATED.getStatusCode());
+        String dataverse2Alias = UtilIT.getAliasFromResponse(createDataverse2);
+        Integer dataverse2Id = UtilIT.getDatasetIdFromResponse(createDataverse2);
+
+        // User1 doesn't have permission to link the dataset to the unpublished dataverse2
+        Response tryToLinkToUnpublishedDataverseResponse = UtilIT.linkDataset(datasetPid, dataverse2Alias, apiToken1);
+        tryToLinkToUnpublishedDataverseResponse.prettyPrint();
+        tryToLinkToUnpublishedDataverseResponse.then().assertThat()
+                .statusCode(UNAUTHORIZED.getStatusCode());
+
+        // But user2 does have permission to link the dataset to his own unpublished dataverse2
+        Response linkDatasetToUnpublishedDataverseResponse = UtilIT.linkDataset(datasetPid, dataverse2Alias, apiToken2);
+        linkDatasetToUnpublishedDataverseResponse.prettyPrint();
+        linkDatasetToUnpublishedDataverseResponse.then().assertThat()
+                .statusCode(OK.getStatusCode());
+
+        // User1 has permission to list the links of the dataset, but cannot see the link to the unpublished dataverse2
+        Response linkDatasetsResponse = UtilIT.getDatasetLinks(datasetPid, apiToken1);
+        linkDatasetsResponse.prettyPrint();
+        linkDatasetsResponse.then().assertThat()
+                .statusCode(OK.getStatusCode());
+        JsonObject linkDatasets = Json.createReader(new StringReader(linkDatasetsResponse.asString())).readObject();
+        JsonArray linksList = linkDatasets.getJsonObject("data").getJsonArray("linked-dataverses");
+        assertEquals(0, linksList.size());
+
+        // User2 has permission to list the links of the dataset and can see the link to the unpublished dataverse2
+        Response linkDatasetsResponse2 = UtilIT.getDatasetLinks(datasetPid, apiToken2);
+        linkDatasetsResponse2.prettyPrint();
+        linkDatasetsResponse2.then().assertThat()
+                .statusCode(OK.getStatusCode());
+        JsonObject linkDatasets2 = Json.createReader(new StringReader(linkDatasetsResponse2.asString())).readObject();
+        JsonArray linksList2 = linkDatasets2.getJsonObject("data").getJsonArray("linked-dataverses");
+        assertEquals(1, linksList2.size());
+        assertEquals(dataverse2Id, linksList2.getJsonObject(0).getInt("id"));
+
+        UtilIT.publishDataverseViaNativeApi(dataverse2Alias, apiToken2).then().assertThat()
+                .statusCode(OK.getStatusCode());
+
+        // After publishing dataverse2, user1 can now also see the link
+        Response linkDatasetsResponse3 = UtilIT.getDatasetLinks(datasetPid, apiToken1);
+        linkDatasetsResponse3.prettyPrint();
+        linkDatasetsResponse3.then().assertThat()
+                .statusCode(OK.getStatusCode());
+        JsonObject linkDatasets3 = Json.createReader(new StringReader(linkDatasetsResponse3.asString())).readObject();
+        JsonArray linksList3 = linkDatasets3.getJsonObject("data").getJsonArray("linked-dataverses");
+        assertEquals(1, linksList3.size());
+        assertEquals(dataverse2Id, linksList3.getJsonObject(0).getInt("id"));
+
+        // Create another dataset, but don't publish it
+        Response createDataset2 = UtilIT.createRandomDatasetViaNativeApi(dataverse1Alias, apiToken1);
+        createDataset2.prettyPrint();
+        createDataset2.then().assertThat()
+                .statusCode(CREATED.getStatusCode());
+        String dataset2Pid = JsonPath.from(createDataset2.asString()).getString("data.persistentId");
+
+        // Create user3 without permissions on the unpublished dataset
+        Response createUser3 = UtilIT.createRandomUser();
+        createUser3.prettyPrint();
+        createUser3.then().assertThat()
+                .statusCode(OK.getStatusCode());
+        String username3 = UtilIT.getUsernameFromResponse(createUser3);
+        String apiToken3 = UtilIT.getApiTokenFromResponse(createUser3);
+
+        // User3 cannot list the links of the unpublished dataset
+        Response linkDatasetsResponse4 = UtilIT.getDatasetLinks(dataset2Pid, apiToken3);
+        linkDatasetsResponse4.prettyPrint();
+        linkDatasetsResponse4.then().assertThat()
+                .statusCode(FORBIDDEN.getStatusCode());
+
+        // Grant user3 "member" role on dataverse1, which allows viewing unpublished datasets
+        Response grantUser3AccessOnDataverse = UtilIT.grantRoleOnDataverse(dataverse1Alias, "member", "@" + username3, apiToken1);
+        grantUser3AccessOnDataverse.prettyPrint();
+        grantUser3AccessOnDataverse.then().assertThat()
+                .statusCode(OK.getStatusCode());
+
+        // User 3 can now also list the links
+        Response linkDatasetsResponse5 = UtilIT.getDatasetLinks(dataset2Pid, apiToken3);
+        linkDatasetsResponse5.prettyPrint();
+        linkDatasetsResponse5.then().assertThat()
+                .statusCode(OK.getStatusCode());
+        JsonObject linkDatasets5 = Json.createReader(new StringReader(linkDatasetsResponse5.asString())).readObject();
+        JsonArray linksList5 = linkDatasets5.getJsonObject("data").getJsonArray("linked-dataverses");
+        assertEquals(0, linksList5.size());
+
+        // Non-authenticated user cannot list the links of the unpublished dataset
+        Response linkDatasetsResponse6 = UtilIT.getDatasetLinks(dataset2Pid, null);
+        linkDatasetsResponse6.prettyPrint();
+        linkDatasetsResponse6.then().assertThat()
+                .statusCode(FORBIDDEN.getStatusCode());
+
+        // Publish dataset2
+        Response publishDataset2Response = UtilIT.publishDatasetViaNativeApi(dataset2Pid, "major", apiToken1);
+        publishDataset2Response.prettyPrint();
+        publishDataset2Response.then().assertThat()
+                .statusCode(OK.getStatusCode());
+
+        // After publishing the dataset, non-authenticated user can now also list the links
+        Response linkDatasetsResponse7 = UtilIT.getDatasetLinks(dataset2Pid, null);
+        linkDatasetsResponse7.prettyPrint();
+        linkDatasetsResponse7.then().assertThat()
+                .statusCode(OK.getStatusCode());
+        JsonObject linkDatasets7 = Json.createReader(new StringReader(linkDatasetsResponse7.asString())).readObject();
+        JsonArray linksList7 = linkDatasets7.getJsonObject("data").getJsonArray("linked-dataverses");
+        assertEquals(0, linksList7.size());
+
+    }
+
 }

src/test/java/edu/harvard/iq/dataverse/api/UtilIT.java

@@ -2095,10 +2095,12 @@ static Response linkDataset(String datasetToLinkPid, String dataverseAlias, Stri
     }
 
     static Response getDatasetLinks(String datasetToLinkPid, String apiToken) {
-        Response response = given()
-                .header(API_TOKEN_HTTP_HEADER, apiToken)
-                .get("api/datasets/:persistentId/links" + "?persistentId=" + datasetToLinkPid);
-        return response;
+        RequestSpecification requestSpecification = given();
+        if (apiToken != null) {
+            requestSpecification = given()
+                    .header(UtilIT.API_TOKEN_HTTP_HEADER, apiToken);
+        }
+        return requestSpecification.get("api/datasets/:persistentId/links" + "?persistentId=" + datasetToLinkPid);
     }
 
     static Response createDataverseLink(String linkedDataverseAlias, String linkingDataverseAlias, String apiToken) {