git-svn-id: https://svn.apache.org/repos/asf/archiva/trunk@1302367 13f79535-47bb-0310-9956-ffa450edef68

12 years ago · 3b01da90b5
--- a/archiva-modules/archiva-web/archiva-rest/archiva-rest-api/src/main/java/org/apache/archiva/rest/api/services/RepositoriesService.java
+++ b/archiva-modules/archiva-web/archiva-rest/archiva-rest-api/src/main/java/org/apache/archiva/rest/api/services/RepositoriesService.java
@@ -121,5 +121,11 @@ public interface RepositoriesService
    Boolean deleteArtifact( @QueryParam( "" ) Artifact artifact, @QueryParam( "repositoryId" ) String repositoryId )
        throws ArchivaRestServiceException;

    @Path( "isAuthorizedToDeleteArtifacts/{repositoryId}" )
    @GET
    @Produces( { MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML, MediaType.TEXT_PLAIN } )
    @RedbackAuthorization( noPermission = true, noRestriction = true)
    Boolean isAuthorizedToDeleteArtifacts( @PathParam( "repositoryId" ) String repoId )
        throws ArchivaRestServiceException;

 }
--- a/archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/main/java/org/apache/archiva/rest/services/DefaultRepositoriesService.java
+++ b/archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/main/java/org/apache/archiva/rest/services/DefaultRepositoriesService.java
@@ -65,6 +65,7 @@ import org.apache.archiva.scheduler.indexing.DownloadRemoteIndexException;
 import org.apache.archiva.scheduler.indexing.DownloadRemoteIndexScheduler;
 import org.apache.archiva.scheduler.repository.RepositoryArchivaTaskScheduler;
 import org.apache.archiva.scheduler.repository.RepositoryTask;
 import org.apache.archiva.security.ArchivaSecurityException;
 import org.apache.archiva.security.common.ArchivaRoleConstants;
 import org.apache.archiva.xml.XMLException;
 import org.apache.commons.io.FilenameUtils;
@@ -85,6 +86,7 @@ import org.springframework.stereotype.Service;

 import javax.inject.Inject;
 import javax.inject.Named;
 import javax.ws.rs.core.Response;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
@@ -624,13 +626,17 @@ public class DefaultRepositoriesService
    public Boolean deleteArtifact( Artifact artifact, String repositoryId )
        throws ArchivaRestServiceException
    {
        String userName = (String) getAuditInformation().getUser().getUsername();
        if ( StringUtils.isBlank( userName ) )

        if ( StringUtils.isEmpty( repositoryId ) )
        {
            // TODO use constants from a class instead of magic number
            throw new ArchivaRestServiceException( "deleteArtifact call: userName not found", 403 );
            throw new ArchivaRestServiceException( "repositoryId cannot be null", 400 );
        }

        if ( !isAuthorizedToDeleteArtifacts( repositoryId ) )
        {
            throw new ArchivaRestServiceException( "not authorized to delete artifacts", 403 );
        }

        if ( artifact == null )
        {
            throw new ArchivaRestServiceException( "artifact cannot be null", 400 );
@@ -646,11 +652,6 @@ public class DefaultRepositoriesService
            throw new ArchivaRestServiceException( "artifact.artifactId cannot be null", 400 );
        }

        if ( StringUtils.isEmpty( repositoryId ) )
        {
            throw new ArchivaRestServiceException( "repositoryId cannot be null", 400 );
        }

        // TODO more control on artifact fields

        RepositorySession repositorySession = repositorySessionFactory.createSession();
@@ -771,6 +772,24 @@ public class DefaultRepositoriesService
        return Boolean.TRUE;
    }

    public Boolean isAuthorizedToDeleteArtifacts( String repoId )
        throws ArchivaRestServiceException
    {
        String userName =
            getAuditInformation().getUser() == null ? "guest" : getAuditInformation().getUser().getUsername();

        try
        {
            boolean res = userRepositories.isAuthorizedToDeleteArtifacts( userName, repoId );
            return res;
        }
        catch ( ArchivaSecurityException e )
        {
            throw new ArchivaRestServiceException( e.getMessage(),
                                                   Response.Status.INTERNAL_SERVER_ERROR.getStatusCode() );
        }
    }

    public RepositoryScanStatistics scanRepositoryDirectoriesNow( String repositoryId )
        throws ArchivaRestServiceException
    {
--- a/archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/test/java/org/apache/archiva/rest/services/RepositoriesServiceTest.java
+++ b/archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/test/java/org/apache/archiva/rest/services/RepositoriesServiceTest.java
@@ -152,12 +152,52 @@ public class RepositoriesServiceTest
        }
    }

    @Test
    public void authorizedToDeleteArtifacts()
        throws Exception
    {
        ManagedRepository managedRepository = getTestManagedRepository( "SOURCE_REPO_ID", "SOURCE_REPO_ID" );
        try
        {
            getManagedRepositoriesService( authorizationHeader ).addManagedRepository( managedRepository );
            RepositoriesService repositoriesService = getRepositoriesService( authorizationHeader );
            assertTrue( repositoriesService.isAuthorizedToDeleteArtifacts( managedRepository.getId() ) );
        }
        finally
        {
            getManagedRepositoriesService( authorizationHeader ).deleteManagedRepository( managedRepository.getId(),
                                                                                          true );
        }
    }

    @Test
    public void notAuthorizedToDeleteArtifacts()
        throws Exception
    {
        ManagedRepository managedRepository = getTestManagedRepository( "SOURCE_REPO_ID", "SOURCE_REPO_ID" );
        try
        {
            getManagedRepositoriesService( authorizationHeader ).addManagedRepository( managedRepository );
            RepositoriesService repositoriesService = getRepositoriesService( guestAuthzHeader );
            assertFalse( repositoriesService.isAuthorizedToDeleteArtifacts( managedRepository.getId() ) );
        }
        finally
        {
            getManagedRepositoriesService( authorizationHeader ).deleteManagedRepository( managedRepository.getId(),
                                                                                          true );
        }
    }

    protected ManagedRepository getTestManagedRepository( String id, String path )
    {
        String location = new File( FileUtil.getBasedir(), "target/" + path ).getAbsolutePath();
        return new ManagedRepository( id, id, location, "default", true, true, true, "2 * * * * ?", null, false, 80, 80,
                                      true, false );
    }

    protected ManagedRepository getTestManagedRepository()
    {
        String location = new File( FileUtil.getBasedir(), "target/test-repo" ).getAbsolutePath();
        return new ManagedRepository( "TEST", "test", location, "default", true, true, true, "2 * * * * ?", null, false,
                                      80, 80, true, false );
        return getTestManagedRepository( "TEST", "test-repo" );
    }

 }
--- a/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/archiva/security/DefaultUserRepositories.java
+++ b/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/archiva/security/DefaultUserRepositories.java
@@ -205,7 +205,7 @@ public class DefaultUserRepositories
    }

    public boolean isAuthorizedToDeleteArtifacts( String principal, String repoId )
        throws AccessDeniedException, ArchivaSecurityException
        throws ArchivaSecurityException
    {
        try
        {