From: <rv...@us...> - 2010-01-19 18:02:23
Revision: 474 http://treebase.svn.sourceforge.net/treebase/?rev=474&view=rev
Author: rvos
Date: 2010-01-19 18:02:17 +0000 (Tue, 19 Jan 2010)
Log Message:
-----------
Added access control for the download controllers. This has two moving parts: 1) a call to ControllerUtil.isReviewerAccessGranted which verifies that access has been granted to the focal study (i.e. the study that contains the object for which a serialization is being requested) during this session; 2) a check that the focal study has been published (in which case access is always granted).
Modified Paths:
--------------
trunk/treebase-web/src/main/java/org/cipres/treebase/web/controllers/AbstractDownloadController.java
Modified: trunk/treebase-web/src/main/java/org/cipres/treebase/web/controllers/AbstractDownloadController.java
===================================================================
--- trunk/treebase-web/src/main/java/org/cipres/treebase/web/controllers/AbstractDownloadController.java 2010-01-19 17:59:08 UTC (rev 473)
+++ trunk/treebase-web/src/main/java/org/cipres/treebase/web/controllers/AbstractDownloadController.java 2010-01-19 18:02:17 UTC (rev 474)
@@ -9,6 +9,9 @@
 import org.cipres.treebase.TreebaseUtil;
 import org.cipres.treebase.domain.nexus.NexusService;
+import org.cipres.treebase.domain.study.Study;
+import org.cipres.treebase.domain.study.StudyService;
+import org.cipres.treebase.web.util.ControllerUtil;
 import org.cipres.treebase.web.util.WebUtil;
 import org.springframework.web.servlet.mvc.Controller;
@@ -21,6 +24,18 @@
 private NexusService mRdfaService;
 private static String mNexmlContentType = "application/xml";
 private static String mRdfContentType = "application/rdf+xml";
+
+ /**
+ * Return the StudyService field.
+ *
+ * @return StudyService mStudyService
+ */
+ public abstract StudyService getStudyService();
+
+ /**
+ * Set the StudyService field.
+ */
+ public abstract void setStudyService(StudyService pNewStudyService);
 protected Properties getDefaultProperties(HttpServletRequest request) {
 Properties properties = new Properties();
@@ -85,6 +100,13 @@
 */
 protected abstract String getFileContent(long objectId,HttpServletRequest request);
+ /**
+ *
+ * @param objectId - the id of the focal object (e.g. a tree)
+ * @return the study to which the focal object belongs
+ */
+ protected abstract Study getStudy(long objectId,HttpServletRequest request);
+
 protected String getDownloadDir (HttpServletRequest request) {
 String downloadDir = request.getSession().getServletContext().getRealPath(
 TreebaseUtil.FILESEP + "NexusFileDownload")
@@ -100,29 +122,35 @@ * @param downloadDirName */ protected void generateAFileDynamically(HttpServletRequest request, HttpServletResponse response, long objectId) { - String downloadDirName = getDownloadDir(request); - File dirPath = new File(downloadDirName); - if (!dirPath.exists()) { - dirPath.mkdirs(); - } - String fileName = getFileName(objectId,request); - try { - File file = new File(downloadDirName + TreebaseUtil.FILESEP + fileName); - FileWriter out = new FileWriter(file); - out.write(getFileContent(objectId,request)); - out.close(); - if ( getFormat(request) == FORMAT_NEXML ) { - WebUtil.downloadFile(response, downloadDirName, fileName, mNexmlContentType); + if ( ! ControllerUtil.isReviewerAccessGranted(request) && ! getStudy(objectId,request).isPublished() ) { + response.setStatus(HttpServletResponse.SC_SEE_OTHER); + response.setHeader("Location", "/treebase-web/accessviolation.html"); + } + else { + String downloadDirName = getDownloadDir(request); + File dirPath = new File(downloadDirName); + if (!dirPath.exists()) { + dirPath.mkdirs(); } - else if ( getFormat(request) == FORMAT_RDF ) { - WebUtil.downloadFile(response, downloadDirName, fileName, mRdfContentType); - } - else { - WebUtil.downloadFile(response, downloadDirName, fileName); + String fileName = getFileName(objectId,request); + try { + File file = new File(downloadDirName + TreebaseUtil.FILESEP + fileName); + FileWriter out = new FileWriter(file); + out.write(getFileContent(objectId,request)); + out.close(); + if ( getFormat(request) == FORMAT_NEXML ) { + WebUtil.downloadFile(response, downloadDirName, fileName, mNexmlContentType); + } + else if ( getFormat(request) == FORMAT_RDF ) { + WebUtil.downloadFile(response, downloadDirName, fileName, mRdfContentType); + } + else { + WebUtil.downloadFile(response, downloadDirName, fileName); + } + } catch (Exception e) { + e.printStackTrace(); } - } catch (Exception e) { - e.printStackTrace(); - } + } } /** This was sent by the SourceForge.net 
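Review bot: The new gate at the top of generateAFileDynamically calls `ControllerUtil.isReviewerAccessGranted(request)` with only the request, so nothing in this hunk ties the grant to the focal study; unless that helper keys the session flag by study internally (not visible here), a reviewer link obtained for one unpublished study unlocks downloads of objects from every other unpublished study. The condition also dereferences `getStudy(objectId,request)` unguarded, so if the abstract getStudy can return null for an unknown objectId the controller throws an NPE rather than refusing the request. I would resolve the study once and fail closed, `Study study = getStudy(objectId, request);` followed by `if ( study == null || ( ! study.isPublished() && ! ControllerUtil.isReviewerAccessGranted(request) ) ) {`, and give the helper an overload that takes the study so the grant is compared against it. The redirect target `/treebase-web/accessviolation.html` hard-codes the context path; `request.getContextPath() + "/accessviolation.html"` survives deployment under a different context.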