adding user permission check

stevenwinship · stevenwinship · commit de4ada4c395a · 2025-05-28T15:04:53.000-04:00
diff --git a/src/main/java/edu/harvard/iq/dataverse/dataverse/featured/DataverseFeaturedItemServiceBean.java b/src/main/java/edu/harvard/iq/dataverse/dataverse/featured/DataverseFeaturedItemServiceBean.java
@@ -2,6 +2,9 @@
 
 import com.google.common.collect.Lists;
 import edu.harvard.iq.dataverse.*;
+import edu.harvard.iq.dataverse.authorization.Permission;
+import edu.harvard.iq.dataverse.authorization.users.User;
+import edu.harvard.iq.dataverse.engine.command.DataverseRequest;
 import edu.harvard.iq.dataverse.settings.JvmSettings;
 import edu.harvard.iq.dataverse.util.BundleUtil;
 import edu.harvard.iq.dataverse.util.FileUtil;
@@ -10,6 +13,7 @@
 import jakarta.inject.Named;
 import jakarta.persistence.EntityManager;
 import jakarta.persistence.PersistenceContext;
+import jakarta.servlet.http.HttpServletRequest;
 
 import java.io.File;
 import java.io.IOException;
@@ -18,6 +22,7 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.StandardCopyOption;
+import java.util.EnumSet;
 import java.util.List;
 
 @Stateless
@@ -36,6 +41,8 @@ public InvalidImageFileException(String message) {
     protected DataFileServiceBean fileService;
     @EJB
     protected DatasetServiceBean datasetService;
+    @EJB
+    protected PermissionServiceBean permissionService;
 
     public DataverseFeaturedItem findById(Long id) {
         return em.find(DataverseFeaturedItem.class, id);
@@ -57,7 +64,7 @@ public void delete(Long id) {
                 .executeUpdate();
     }
 
-    public List<DataverseFeaturedItem> findAllByDataverseOrdered(Dataverse dataverse, boolean filter) {
+    public List<DataverseFeaturedItem> findAllByDataverseOrdered(User user, Dataverse dataverse, boolean filter) {
         List<DataverseFeaturedItem> items = em
                 .createNamedQuery("DataverseFeaturedItem.findByDataverseOrderedByDisplayOrder", DataverseFeaturedItem.class)
                 .setParameter("dataverse", dataverse)
@@ -68,14 +75,15 @@ public List<DataverseFeaturedItem> findAllByDataverseOrdered(Dataverse dataverse
             // filter the list by removing any items with dvObjects that should not be shown
             for (DataverseFeaturedItem item : items) {
                 if (item.getDvObject() != null) {
+                    DataverseRequest req = new DataverseRequest(user, (HttpServletRequest) null);
                     if ("datafile".equals(item.getType())) {
                         final DataFile datafile = fileService.find(item.getDvObject().getId());
-                        if (datafile == null || datafile.isRestricted()) {
+                        if (datafile == null || (datafile.isRestricted() && !userHasPermission(req, datafile, Permission.DownloadFile))) {
                             filteredList.remove(item);
                         }
                     } else if ("dataset".equals(item.getType())) {
                         final Dataset dataset = datasetService.find(item.getDvObject().getId());
-                        if (dataset == null || dataset.isDeaccessioned()) {
+                        if (dataset == null || (dataset.isDeaccessioned() && !userHasPermission(req, dataset, Permission.ViewUnpublishedDataset))) {
                             filteredList.remove(item);
                         }
                     }
@@ -84,6 +92,9 @@ public List<DataverseFeaturedItem> findAllByDataverseOrdered(Dataverse dataverse
         }
         return filteredList;
     }
+    private boolean userHasPermission(DataverseRequest req, DvObject dvObject, Permission permission) {
+        return req.getUser() == null || dvObject == null ? false : permissionService.hasPermissionsFor(req, dvObject, EnumSet.of(permission));
+    }
 
     public InputStream getImageFileAsInputStream(DataverseFeaturedItem dataverseFeaturedItem) throws IOException {
         Path imagePath = Path.of(JvmSettings.DOCROOT_DIRECTORY.lookup(),
diff --git a/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/DeleteDataverseCommand.java b/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/DeleteDataverseCommand.java
@@ -1,6 +1,7 @@
 package edu.harvard.iq.dataverse.engine.command.impl;
 
 import edu.harvard.iq.dataverse.Dataverse;
+import edu.harvard.iq.dataverse.authorization.users.User;
 import edu.harvard.iq.dataverse.dataverse.featured.DataverseFeaturedItem;
 import edu.harvard.iq.dataverse.DataverseFieldTypeInputLevel;
 import edu.harvard.iq.dataverse.authorization.DataverseRole;
@@ -43,7 +44,7 @@ protected void executeImpl(CommandContext ctxt) throws CommandException {
             throw new IllegalCommandException("Cannot delete the root dataverse", this);
         }
         
-        // make sure the dataverse is emptyw
+        // make sure the dataverse is empty
         if (ctxt.dvObjects().hasData(doomed)) {
             throw new IllegalCommandException("Cannot delete non-empty dataverses", this);
         }
@@ -78,10 +79,12 @@ protected void executeImpl(CommandContext ctxt) throws CommandException {
             DataverseFieldTypeInputLevel merged = ctxt.em().merge(inputLevel);
             ctxt.em().remove(merged);
         }
+
+        User user = getUser();
         doomed.setDataverseFieldTypeInputLevels(new ArrayList<>());
 
         // Featured Items
-        for (DataverseFeaturedItem featuredItem : ctxt.dataverseFeaturedItems().findAllByDataverseOrdered(doomed, false) ) {
+        for (DataverseFeaturedItem featuredItem : ctxt.dataverseFeaturedItems().findAllByDataverseOrdered(user, doomed, false) ) {
             DataverseFeaturedItem merged = ctxt.em().merge(featuredItem);
             ctxt.em().remove(merged);
         }
diff --git a/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/ListDataverseFeaturedItemsCommand.java b/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/ListDataverseFeaturedItemsCommand.java
@@ -24,7 +24,7 @@ public ListDataverseFeaturedItemsCommand(DataverseRequest request, Dataverse dat
 
     @Override
     public List<DataverseFeaturedItem> execute(CommandContext ctxt) throws CommandException {
-        return ctxt.dataverseFeaturedItems().findAllByDataverseOrdered(dataverse, true);
+        return ctxt.dataverseFeaturedItems().findAllByDataverseOrdered(getUser(), dataverse, true);
     }
 
     @Override
diff --git a/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/UpdateDataverseFeaturedItemsCommand.java b/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/UpdateDataverseFeaturedItemsCommand.java
@@ -44,7 +44,7 @@ public List<DataverseFeaturedItem> execute(CommandContext ctxt) throws CommandEx
 
     private List<DataverseFeaturedItem> updateOrDeleteExistingFeaturedItems(CommandContext ctxt) throws CommandException {
         List<DataverseFeaturedItem> updatedFeaturedItems = new ArrayList<>();
-        List<DataverseFeaturedItem> featuredItemsToDelete = ctxt.dataverseFeaturedItems().findAllByDataverseOrdered(dataverse, false);
+        List<DataverseFeaturedItem> featuredItemsToDelete = ctxt.dataverseFeaturedItems().findAllByDataverseOrdered(getUser(), dataverse, false);
 
         for (Map.Entry<DataverseFeaturedItem, UpdatedDataverseFeaturedItemDTO> entry : dataverseFeaturedItemsToUpdate.entrySet()) {
             DataverseFeaturedItem featuredItem = entry.getKey();
diff --git a/src/test/java/edu/harvard/iq/dataverse/api/DataversesIT.java b/src/test/java/edu/harvard/iq/dataverse/api/DataversesIT.java
@@ -1988,17 +1988,25 @@ public void testDeleteFeaturedItemWithDvObject() {
 
     @Test
     public void testFilteredFeaturedItemWithDvObject() {
-        String userToken = UtilIT.createRandomUserGetToken();
-        // test when featuring a datafile and the file is either deleted or restricted
-        Response createUserResponse = UtilIT.createRandomUser();
-        String apiToken = UtilIT.getApiTokenFromResponse(createUserResponse);
+        // first create a superuser
+        Response createResponse = UtilIT.createRandomUser();
+        String adminApiToken = UtilIT.getApiTokenFromResponse(createResponse);
+        String username = UtilIT.getUsernameFromResponse(createResponse);
+        UtilIT.makeSuperUser(username);
+
+        // Create the owner of the dataverse/dataset/datafile
+        createResponse = UtilIT.createRandomUser();
+        String apiToken = UtilIT.getApiTokenFromResponse(createResponse);
+
         Response createDataverseResponse = UtilIT.createRandomDataverse(apiToken);
         createDataverseResponse.then().assertThat().statusCode(CREATED.getStatusCode());
         String dataverseAlias = UtilIT.getAliasFromResponse(createDataverseResponse);
         UtilIT.publishDataverseViaNativeApi(dataverseAlias, apiToken).prettyPrint();
 
         Response createDatasetResponse = UtilIT.createRandomDatasetViaNativeApi(dataverseAlias, apiToken);
+        createDatasetResponse.prettyPrint();
         Integer datasetId = UtilIT.getDatasetIdFromResponse(createDatasetResponse);
+        String datasetPersistentId = UtilIT.getDatasetPersistentIdFromResponse(createDatasetResponse);
 
         // Upload a file
         String pathToFile1 = "src/main/webapp/resources/images/cc0.png";
@@ -2011,6 +2019,12 @@ public void testFilteredFeaturedItemWithDvObject() {
         Response createDatafileResponse = UtilIT.createDataverseFeaturedItem(dataverseAlias, apiToken, "My File", 0, pathToFile1, "datafile", String.valueOf(datafileId));
         createDatafileResponse.prettyPrint();
 
+        // test when featuring a datafile and the file is either deleted or restricted
+        Response createUserResponse = UtilIT.createRandomUser();
+        createUserResponse.prettyPrint();
+        String userToken = UtilIT.getApiTokenFromResponse(createUserResponse);
+        username = UtilIT.getUsernameFromResponse(createUserResponse);
+
         // Test restrict datafile
         UtilIT.restrictFile(String.valueOf(datafileId), true, apiToken);
         UtilIT.publishDatasetViaNativeApi(datasetId, "minor", apiToken);
@@ -2051,6 +2065,18 @@ public void testFilteredFeaturedItemWithDvObject() {
                 .body("data.size()", equalTo(1))
                 .body("data[0].type", equalTo("datafile"))
                 .assertThat().statusCode(OK.getStatusCode());
+
+        // Test giving permissions to Permission.ViewUnpublishedDataset will un-hide deassessioned datasets, Permission.DownloadFile will un-hide restricted datafiles
+        Response giveRandoPermission = UtilIT.grantRoleOnDataset(datasetPersistentId, "curator", "@" + username, adminApiToken);
+        giveRandoPermission.prettyPrint();
+
+        // permission to view deassessioned datasets and restricted files results in both featured items being returned
+        listFeaturedItemsResponse = UtilIT.listDataverseFeaturedItems(dataverseAlias, userToken);
+        listFeaturedItemsResponse.prettyPrint();
+        listFeaturedItemsResponse.then()
+                .body("data.size()", equalTo(2))
+                .body("data[0].type", equalTo("datafile"))
+                .assertThat().statusCode(OK.getStatusCode());
     }
 
     @Test

Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ public ListDataverseFeaturedItemsCommand(DataverseRequest request, Dataverse dat`
`24`	`24`
`25`	`25`	`@Override`
`26`	`26`	`public List<DataverseFeaturedItem> execute(CommandContext ctxt) throws CommandException {`
`27`		`- return ctxt.dataverseFeaturedItems().findAllByDataverseOrdered(dataverse, true);`
	`27`	`+ return ctxt.dataverseFeaturedItems().findAllByDataverseOrdered(getUser(), dataverse, true);`
`28`	`28`	`}`
`29`	`29`
`30`	`30`	`@Override`