Merge pull request #11610 from IQSS/11275-limit-number-of-dataset-files

make limit update a superuser only function

Author: ofahimIQSS

doc/sphinx-guides/source/api/native-api.rst

@@ -2711,9 +2711,9 @@ The limit can be set via JVM setting :ref:`dataverse.files.default-dataset-file-
 
 For Installation wide limit, the limit can be set via JVM. ./asadmin $ASADMIN_OPTS create-jvm-options "-Ddataverse.files.default-dataset-file-count-limit=<limit>"
 
-For Collections, the attribute can be controlled by calling the Create or Update Dataverse API and adding ``datasetFileCountLimit=500`` to the Json body.
+For Collections, the attribute can be controlled by calling the Create or Update Dataverse API and adding ``datasetFileCountLimit=500`` to the Json body (Must be a superuser to change this value).
 
-For Datasets, the attribute can be set using the `Update Dataset Files Limit <#setting-the-files-count-limit-on-a-dataset>`_ API and passing the qp `fileCountLimit=500`.
+For Datasets, the attribute can be set using the `Update Dataset Files Limit <#setting-the-files-count-limit-on-a-dataset>`_ API and passing the qp `fileCountLimit=500` (Must be a superuser to change this value).
 
 Setting a value of -1 will clear the limit for that level. If no limit is found on the Dataset, the hierarchy of parent nodes will be checked until finally the JVM setting is checked.
 
@@ -2729,7 +2729,7 @@ Setting the files count limit on a Dataset
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 In order to update the number of files allowed for a Dataset, without causing a Draft version of the Dataset being created, the following API can be used
 
-.. note:: To clear the limit simply set the limit to -1 or call the DELETE API.
+.. note:: To clear the limit simply set the limit to -1 or call the DELETE API (Must be a superuser to change this value).
 
 .. code-block:: bash
 

src/main/java/edu/harvard/iq/dataverse/api/Datasets.java

@@ -1984,6 +1984,9 @@ public Response updateDatasetFilesLimits(@Context ContainerRequestContext crc,
         } catch (WrappedResponse ex) {
             return error(Status.UNAUTHORIZED, "Authentication is required.");
         }
+        if (!authenticatedUser.isSuperuser()) {
+            return error(Response.Status.FORBIDDEN, "Superusers only.");
+        }
 
         Dataset dataset;
         try {
@@ -1992,16 +1995,9 @@ public Response updateDatasetFilesLimits(@Context ContainerRequestContext crc,
             return ex.getResponse();
         }
 
-        if (authenticatedUser.isSuperuser() || permissionService.hasPermissionsFor(authenticatedUser, dataset,
-                EnumSet.of(Permission.EditDataset))) {
-
-            dataset.setDatasetFileCountLimit(datasetFileCountLimit);
-            datasetService.merge(dataset);
-
-            return ok("ok");
-        } else {
-            return error(Status.FORBIDDEN, "User is not a superuser or user does not have EditDataset permissions");
-        }
+        dataset.setDatasetFileCountLimit(datasetFileCountLimit);
+        datasetService.merge(dataset);
+        return ok("ok");
     }
 
     @DELETE
@@ -2016,6 +2012,9 @@ public Response deleteDatasetFilesLimits(@Context ContainerRequestContext crc,
         } catch (WrappedResponse ex) {
             return error(Status.UNAUTHORIZED, "Authentication is required.");
         }
+        if (!authenticatedUser.isSuperuser()) {
+            return error(Response.Status.FORBIDDEN, "Superusers only.");
+        }
 
         Dataset dataset;
         try {
@@ -2024,16 +2023,9 @@ public Response deleteDatasetFilesLimits(@Context ContainerRequestContext crc,
             return ex.getResponse();
         }
 
-        if (authenticatedUser.isSuperuser() || permissionService.hasPermissionsFor(authenticatedUser, dataset,
-                EnumSet.of(Permission.EditDataset))) {
-
-            dataset.setDatasetFileCountLimit(null);
-            datasetService.merge(dataset);
-
-            return ok("ok");
-        } else {
-            return error(Status.FORBIDDEN, "User is not a superuser or user does not have EditDataset permissions");
-        }
+        dataset.setDatasetFileCountLimit(null);
+        datasetService.merge(dataset);
+        return ok("ok");
     }
 
     @PUT

src/main/java/edu/harvard/iq/dataverse/engine/command/impl/CreateDataverseCommand.java

@@ -11,6 +11,7 @@
 import edu.harvard.iq.dataverse.engine.command.RequiredPermissions;
 import edu.harvard.iq.dataverse.engine.command.exception.IllegalCommandException;
 import edu.harvard.iq.dataverse.settings.SettingsServiceBean;
+import edu.harvard.iq.dataverse.util.BundleUtil;
 
 import java.sql.Timestamp;
 import java.util.ArrayList;
@@ -50,6 +51,9 @@ protected Dataverse innerExecute(CommandContext ctxt) throws IllegalCommandExcep
                 throw new IllegalCommandException("Root Dataverse already exists. Cannot create another one", this);
             }
         }
+        if (!getUser().isSuperuser() && dataverse.isDatasetFileCountLimitSet(dataverse.getDatasetFileCountLimit())) {
+            throw new IllegalCommandException(BundleUtil.getStringFromBundle("file.dataset.error.set.file.count.limit"), this);
+        }
 
         if (metadataBlocks != null && !metadataBlocks.isEmpty()) {
             dataverse.setMetadataBlockRoot(true);

src/main/java/edu/harvard/iq/dataverse/engine/command/impl/UpdateDataverseCommand.java

@@ -11,6 +11,7 @@
 import edu.harvard.iq.dataverse.engine.command.DataverseRequest;
 import edu.harvard.iq.dataverse.engine.command.RequiredPermissions;
 import edu.harvard.iq.dataverse.engine.command.exception.IllegalCommandException;
+import edu.harvard.iq.dataverse.util.BundleUtil;
 
 import java.util.ArrayList;
 import java.util.List;
@@ -66,6 +67,14 @@ protected Dataverse innerExecute(CommandContext ctxt) throws IllegalCommandExcep
                 }
             }
         }
+        if (!getUser().isSuperuser() && updatedDataverseDTO != null) {
+            // default if not set
+            if (updatedDataverseDTO.getDatasetFileCountLimit() == null) {
+                updatedDataverseDTO.setDatasetFileCountLimit(dataverse.getDatasetFileCountLimit());
+            } else if (updatedDataverseDTO.getDatasetFileCountLimit() != dataverse.getDatasetFileCountLimit()) {
+                throw new IllegalCommandException(BundleUtil.getStringFromBundle("file.dataset.error.set.file.count.limit"), this);
+            }
+        }
 
         Dataverse oldDv = ctxt.dataverses().find(dataverse.getId());
 

src/main/java/edu/harvard/iq/dataverse/util/json/JsonParser.java

@@ -134,7 +134,9 @@ public Dataverse parseDataverse(JsonObject jobj) throws JsonParseException {
         dv.setPermissionRoot(jobj.getBoolean("permissionRoot", false));
         dv.setFacetRoot(jobj.getBoolean("facetRoot", false));
         dv.setAffiliation(jobj.getString("affiliation", null));
-        dv.setDatasetFileCountLimit(jobj.getInt("datasetFileCountLimit", -1));
+        if (jobj.containsKey("datasetFileCountLimit")) {
+            dv.setDatasetFileCountLimit(jobj.getInt("datasetFileCountLimit", -1));
+        }
 
         if (jobj.containsKey("dataverseContacts")) {
             JsonArray dvContacts = jobj.getJsonArray("dataverseContacts");

src/main/java/propertyFiles/Bundle.properties

@@ -2385,6 +2385,7 @@ file.message.replaceSuccess=The file has been replaced.
 
 # File Add/Replace operation messages
 file.add.count_exceeds_limit=Number of files can not exceed the maximum number of files allowed for this Dataset ({0}).
+file.dataset.error.set.file.count.limit=Only Superuser can set the Dataset File Count Limit.
 file.addreplace.file_size_ok=File size is in range.
 file.addreplace.error.byte_abrev=B
 file.addreplace.error.file_exceeds_limit=This file size ({0}) exceeds the size limit of {1}.
@@ -3222,4 +3223,4 @@ updateDatasetFieldsCommand.api.processDatasetUpdate.parseError=Error parsing dat
 abstractApiBean.error.datasetInternalVersionNumberIsOutdated=Dataset internal version number {0} is outdated
 
 #RoleAssigneeServiceBean.java
-roleAssigneeServiceBean.error.dataverseRequestCannotBeNull=DataverseRequest cannot be null.
+roleAssigneeServiceBean.error.dataverseRequestCannotBeNull=DataverseRequest cannot be null.

src/test/java/edu/harvard/iq/dataverse/api/DatasetsIT.java

@@ -12,10 +12,7 @@
 import edu.harvard.iq.dataverse.settings.SettingsServiceBean;
 import edu.harvard.iq.dataverse.util.BundleUtil;
 import edu.harvard.iq.dataverse.util.SystemConfig;
-import edu.harvard.iq.dataverse.util.json.JSONLDUtil;
-import edu.harvard.iq.dataverse.util.json.JsonParseException;
-import edu.harvard.iq.dataverse.util.json.JsonParser;
-import edu.harvard.iq.dataverse.util.json.JsonUtil;
+import edu.harvard.iq.dataverse.util.json.*;
 import io.restassured.RestAssured;
 import io.restassured.http.ContentType;
 import io.restassured.parsing.Parser;
@@ -370,12 +367,16 @@ public void testCreateDataset() {
     public void testCreateUpdateDatasetFileCountLimit() throws JsonParseException {
         Response createUser = UtilIT.createRandomUser();
         String apiToken = UtilIT.getApiTokenFromResponse(createUser);
-        Response createDataverseResponse = createFileLimitedDataverse(500, apiToken);
+        String adminApiToken = getSuperuserToken();
+        Response createDataverseResponse = UtilIT.createRandomDataverse(apiToken);
         createDataverseResponse.prettyPrint();
         String dataverseAlias = UtilIT.getAliasFromResponse(createDataverseResponse);
         JsonObject data = JsonUtil.getJsonObject(createDataverseResponse.getBody().asString());
         JsonParser parser = new JsonParser();
         Dataverse dv = parser.parseDataverse(data.getJsonObject("data"));
+        dv.setDatasetFileCountLimit(500);
+        Response updateDataverseResponse = UtilIT.updateDataverse(dataverseAlias, dv, adminApiToken);
+        updateDataverseResponse.prettyPrint();
 
         JsonArrayBuilder metadataBlocks = Json.createArrayBuilder();
         metadataBlocks.add("citation");
@@ -411,7 +412,7 @@ public void testCreateUpdateDatasetFileCountLimit() throws JsonParseException {
         String persistentId = JsonPath.from(datasetAsJson.getBody().asString()).getString("data.latestVersion.datasetPersistentId");
 
         // Update dataset with datasetFileCountLimit = 1
-        Response updateDatasetResponse = UtilIT.updateDatasetFilesLimits(persistentId, 1, apiToken);
+        Response updateDatasetResponse = UtilIT.updateDatasetFilesLimits(persistentId, 1, adminApiToken);
         updateDatasetResponse.prettyPrint();
         updateDatasetResponse.then().assertThat()
                 .statusCode(OK.getStatusCode());
@@ -424,7 +425,7 @@ public void testCreateUpdateDatasetFileCountLimit() throws JsonParseException {
                 .body("data.datasetFileCountLimit", equalTo(1));
 
         // Update/reset dataset with datasetFileCountLimit = -1 and expect the value from the owner dataverse
-        updateDatasetResponse = UtilIT.deleteDatasetFilesLimits(persistentId, apiToken);
+        updateDatasetResponse = UtilIT.deleteDatasetFilesLimits(persistentId, adminApiToken);
         updateDatasetResponse.prettyPrint();
         updateDatasetResponse.then().assertThat()
                 .statusCode(OK.getStatusCode());
@@ -438,7 +439,7 @@ public void testCreateUpdateDatasetFileCountLimit() throws JsonParseException {
 
         // test clear limits and test that datasetFileCountLimit is not returned in json
         dv.setDatasetFileCountLimit(null);
-        Response updateDataverseResponse = UtilIT.updateDataverse(dataverseAlias, dv, apiToken);
+        updateDataverseResponse = UtilIT.updateDataverse(dataverseAlias, dv, adminApiToken);
         updateDataverseResponse.then().assertThat()
                 .statusCode(OK.getStatusCode());
 
@@ -451,12 +452,20 @@ public void testCreateUpdateDatasetFileCountLimit() throws JsonParseException {
     }
 
     @Test
-    public void testMultipleFileUploadOverCountLimit() {
+    public void testMultipleFileUploadOverCountLimit() throws JsonParseException {
         Response createUser = UtilIT.createRandomUser();
         String apiToken = UtilIT.getApiTokenFromResponse(createUser);
-        Response createDataverseResponse = createFileLimitedDataverse(1, apiToken);
+        String adminApiToken = getSuperuserToken();
+        Response createDataverseResponse = UtilIT.createRandomDataverse(apiToken);
         createDataverseResponse.prettyPrint();
         String dataverseAlias = UtilIT.getAliasFromResponse(createDataverseResponse);
+        JsonObject data = JsonUtil.getJsonObject(createDataverseResponse.getBody().asString());
+        JsonParser parser = new JsonParser();
+        Dataverse dv = parser.parseDataverse(data.getJsonObject("data"));
+        dv.setDatasetFileCountLimit(1);
+        Response updateDataverseResponse = UtilIT.updateDataverse(dataverseAlias, dv, adminApiToken);
+        updateDataverseResponse.prettyPrint();
+
         Response createDatasetResponse = UtilIT.createRandomDatasetViaNativeApi(dataverseAlias, apiToken);
         createDatasetResponse.prettyPrint();
         Integer datasetId = UtilIT.getDatasetIdFromResponse(createDatasetResponse);
@@ -6769,19 +6778,11 @@ public void testUpdateMultipleFileMetadata() {
                 .statusCode(OK.getStatusCode());
     }
 
-    private Response createFileLimitedDataverse(int datasetFileCountLimit, String apiToken) {
-        String dataverseAlias = UtilIT.getRandomDvAlias();
-        String emailAddressOfFirstDataverseContact = dataverseAlias + "@mailinator.com";
-        JsonObjectBuilder jsonToCreateDataverse = Json.createObjectBuilder()
-                .add("name", dataverseAlias)
-                .add("alias", dataverseAlias)
-                .add("datasetFileCountLimit", datasetFileCountLimit)
-                .add("dataverseContacts", Json.createArrayBuilder()
-                        .add(Json.createObjectBuilder()
-                                .add("contactEmail", emailAddressOfFirstDataverseContact)
-                        )
-                );
-        ;
-        return UtilIT.createDataverse(jsonToCreateDataverse.build(), apiToken);
+    private String getSuperuserToken() {
+        Response createResponse = UtilIT.createRandomUser();
+        String adminApiToken = UtilIT.getApiTokenFromResponse(createResponse);
+        String username = UtilIT.getUsernameFromResponse(createResponse);
+        UtilIT.makeSuperUser(username);
+        return adminApiToken;
     }
 }

src/test/java/edu/harvard/iq/dataverse/api/DataversesIT.java

@@ -1355,6 +1355,7 @@ public void testAddDataverse() {
 
     @Test
     public void testUpdateDataverse() throws JsonParseException {
+        String adminApiToken = getSuperuserToken();
         Response createUser = UtilIT.createRandomUser();
         String apiToken = UtilIT.getApiTokenFromResponse(createUser);
         String testAliasSuffix = "-update-dataverse";
@@ -1372,7 +1373,7 @@ public void testUpdateDataverse() throws JsonParseException {
         JsonParser parser = new JsonParser();
         Dataverse dv = parser.parseDataverse(data.getJsonObject("data"));
         dv.setDatasetFileCountLimit(500);
-        Response updateDataverseResponse = UtilIT.updateDataverse(testDataverseAlias, dv, apiToken);
+        Response updateDataverseResponse = UtilIT.updateDataverse(testDataverseAlias, dv, adminApiToken);
         updateDataverseResponse.prettyPrint();
         updateDataverseResponse.then().assertThat()
                 .statusCode(OK.getStatusCode())
@@ -2282,4 +2283,12 @@ public void testUpdateInputLevelDisplayOnCreateOverride() {
                 .body("data.inputLevels[0].datasetFieldTypeName", equalTo("subtitle"));
 
     }
+
+    private String getSuperuserToken() {
+        Response createResponse = UtilIT.createRandomUser();
+        String adminApiToken = UtilIT.getApiTokenFromResponse(createResponse);
+        String username = UtilIT.getUsernameFromResponse(createResponse);
+        UtilIT.makeSuperUser(username);
+        return adminApiToken;
+    }
 }

src/test/java/edu/harvard/iq/dataverse/api/FilesIT.java

@@ -3227,7 +3227,7 @@ public void testUploadFilesWithLimits() throws JsonParseException {
         JsonParser parser = new JsonParser();
         Dataverse dv = parser.parseDataverse(data.getJsonObject("data"));
         dv.setDatasetFileCountLimit(1);
-        Response updateDataverseResponse = UtilIT.updateDataverse(dataverseAlias, dv, apiToken);
+        Response updateDataverseResponse = UtilIT.updateDataverse(dataverseAlias, dv, adminApiToken);
         updateDataverseResponse.then().assertThat()
                 .statusCode(OK.getStatusCode())
                 .body("data.effectiveDatasetFileCountLimit", equalTo(1))
@@ -3261,7 +3261,8 @@ public void testUploadFilesWithLimits() throws JsonParseException {
 
         // Add 1 to file limit and upload a second file
         dv.setDatasetFileCountLimit(2);
-        updateDataverseResponse = UtilIT.updateDataverse(dataverseAlias, dv, apiToken);updateDataverseResponse.then().assertThat()
+        updateDataverseResponse = UtilIT.updateDataverse(dataverseAlias, dv, adminApiToken);
+        updateDataverseResponse.then().assertThat()
                 .statusCode(OK.getStatusCode())
                 .body("data.effectiveDatasetFileCountLimit", equalTo(2))
                 .body("data.datasetFileCountLimit", equalTo(2));
@@ -3273,7 +3274,8 @@ public void testUploadFilesWithLimits() throws JsonParseException {
 
         // Set limit back to 1 even though the number of files is 2
         dv.setDatasetFileCountLimit(1);
-        updateDataverseResponse = UtilIT.updateDataverse(dataverseAlias, dv, apiToken);updateDataverseResponse.then().assertThat()
+        updateDataverseResponse = UtilIT.updateDataverse(dataverseAlias, dv, adminApiToken);
+        updateDataverseResponse.then().assertThat()
                 .statusCode(OK.getStatusCode())
                 .body("data.effectiveDatasetFileCountLimit", equalTo(1))
                 .body("data.datasetFileCountLimit", equalTo(1));
@@ -3302,5 +3304,13 @@ public void testUploadFilesWithLimits() throws JsonParseException {
         uploadFileResponse.prettyPrint();
         uploadFileResponse.then().assertThat()
                 .statusCode(OK.getStatusCode());
+
+        // Test changing the limit by a non-superuser
+        dv.setDatasetFileCountLimit(100);
+        updateDataverseResponse = UtilIT.updateDataverse(dataverseAlias, dv, apiToken);
+        updateDataverseResponse.prettyPrint();
+        updateDataverseResponse.then().assertThat()
+                .body("message", containsString(BundleUtil.getStringFromBundle("file.dataset.error.set.file.count.limit")))
+                .statusCode(FORBIDDEN.getStatusCode());
     }
 }

src/test/java/edu/harvard/iq/dataverse/api/S3AccessIT.java

@@ -679,7 +679,7 @@ public void testDirectUploadWithFileCountLimit() throws JsonParseException {
         JsonParser parser = new JsonParser();
         Dataverse dv = parser.parseDataverse(data.getJsonObject("data"));
         dv.setDatasetFileCountLimit(1);
-        Response updateDataverseResponse = UtilIT.updateDataverse(dataverseAlias, dv, apiToken);
+        Response updateDataverseResponse = UtilIT.updateDataverse(dataverseAlias, dv, superuserApiToken); // only superuser can update the datasetFileCountLimit
         updateDataverseResponse.prettyPrint();
         updateDataverseResponse.then().assertThat()
                 .statusCode(OK.getStatusCode())