git-svn-id: https://svn.apache.org/repos/asf/archiva/trunk@1302367 13f79535-47bb-0310-9956-ffa450edef68tags/archiva-1.4-M3
@@ -121,5 +121,11 @@ public interface RepositoriesService | |||
Boolean deleteArtifact( @QueryParam( "" ) Artifact artifact, @QueryParam( "repositoryId" ) String repositoryId ) | |||
throws ArchivaRestServiceException; | |||
@Path( "isAuthorizedToDeleteArtifacts/{repositoryId}" ) | |||
@GET | |||
@Produces( { MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML, MediaType.TEXT_PLAIN } ) | |||
@RedbackAuthorization( noPermission = true, noRestriction = true) | |||
Boolean isAuthorizedToDeleteArtifacts( @PathParam( "repositoryId" ) String repoId ) | |||
throws ArchivaRestServiceException; | |||
} |
@@ -65,6 +65,7 @@ import org.apache.archiva.scheduler.indexing.DownloadRemoteIndexException; | |||
import org.apache.archiva.scheduler.indexing.DownloadRemoteIndexScheduler; | |||
import org.apache.archiva.scheduler.repository.RepositoryArchivaTaskScheduler; | |||
import org.apache.archiva.scheduler.repository.RepositoryTask; | |||
import org.apache.archiva.security.ArchivaSecurityException; | |||
import org.apache.archiva.security.common.ArchivaRoleConstants; | |||
import org.apache.archiva.xml.XMLException; | |||
import org.apache.commons.io.FilenameUtils; | |||
@@ -85,6 +86,7 @@ import org.springframework.stereotype.Service; | |||
import javax.inject.Inject; | |||
import javax.inject.Named; | |||
import javax.ws.rs.core.Response; | |||
import java.io.File; | |||
import java.io.FileInputStream; | |||
import java.io.FileOutputStream; | |||
@@ -624,13 +626,17 @@ public class DefaultRepositoriesService | |||
public Boolean deleteArtifact( Artifact artifact, String repositoryId ) | |||
throws ArchivaRestServiceException | |||
{ | |||
String userName = (String) getAuditInformation().getUser().getUsername(); | |||
if ( StringUtils.isBlank( userName ) ) | |||
if ( StringUtils.isEmpty( repositoryId ) ) | |||
{ | |||
// TODO use constants from a class instead of magic number | |||
throw new ArchivaRestServiceException( "deleteArtifact call: userName not found", 403 ); | |||
throw new ArchivaRestServiceException( "repositoryId cannot be null", 400 ); | |||
} | |||
if ( !isAuthorizedToDeleteArtifacts( repositoryId ) ) | |||
{ | |||
throw new ArchivaRestServiceException( "not authorized to delete artifacts", 403 ); | |||
} | |||
if ( artifact == null ) | |||
{ | |||
throw new ArchivaRestServiceException( "artifact cannot be null", 400 ); | |||
@@ -646,11 +652,6 @@ public class DefaultRepositoriesService | |||
throw new ArchivaRestServiceException( "artifact.artifactId cannot be null", 400 ); | |||
} | |||
if ( StringUtils.isEmpty( repositoryId ) ) | |||
{ | |||
throw new ArchivaRestServiceException( "repositoryId cannot be null", 400 ); | |||
} | |||
// TODO more control on artifact fields | |||
RepositorySession repositorySession = repositorySessionFactory.createSession(); | |||
@@ -771,6 +772,24 @@ public class DefaultRepositoriesService | |||
return Boolean.TRUE; | |||
} | |||
public Boolean isAuthorizedToDeleteArtifacts( String repoId ) | |||
throws ArchivaRestServiceException | |||
{ | |||
String userName = | |||
getAuditInformation().getUser() == null ? "guest" : getAuditInformation().getUser().getUsername(); | |||
try | |||
{ | |||
boolean res = userRepositories.isAuthorizedToDeleteArtifacts( userName, repoId ); | |||
return res; | |||
} | |||
catch ( ArchivaSecurityException e ) | |||
{ | |||
throw new ArchivaRestServiceException( e.getMessage(), | |||
Response.Status.INTERNAL_SERVER_ERROR.getStatusCode() ); | |||
} | |||
} | |||
public RepositoryScanStatistics scanRepositoryDirectoriesNow( String repositoryId ) | |||
throws ArchivaRestServiceException | |||
{ |
@@ -152,12 +152,52 @@ public class RepositoriesServiceTest | |||
} | |||
} | |||
@Test | |||
public void authorizedToDeleteArtifacts() | |||
throws Exception | |||
{ | |||
ManagedRepository managedRepository = getTestManagedRepository( "SOURCE_REPO_ID", "SOURCE_REPO_ID" ); | |||
try | |||
{ | |||
getManagedRepositoriesService( authorizationHeader ).addManagedRepository( managedRepository ); | |||
RepositoriesService repositoriesService = getRepositoriesService( authorizationHeader ); | |||
assertTrue( repositoriesService.isAuthorizedToDeleteArtifacts( managedRepository.getId() ) ); | |||
} | |||
finally | |||
{ | |||
getManagedRepositoriesService( authorizationHeader ).deleteManagedRepository( managedRepository.getId(), | |||
true ); | |||
} | |||
} | |||
@Test | |||
public void notAuthorizedToDeleteArtifacts() | |||
throws Exception | |||
{ | |||
ManagedRepository managedRepository = getTestManagedRepository( "SOURCE_REPO_ID", "SOURCE_REPO_ID" ); | |||
try | |||
{ | |||
getManagedRepositoriesService( authorizationHeader ).addManagedRepository( managedRepository ); | |||
RepositoriesService repositoriesService = getRepositoriesService( guestAuthzHeader ); | |||
assertFalse( repositoriesService.isAuthorizedToDeleteArtifacts( managedRepository.getId() ) ); | |||
} | |||
finally | |||
{ | |||
getManagedRepositoriesService( authorizationHeader ).deleteManagedRepository( managedRepository.getId(), | |||
true ); | |||
} | |||
} | |||
protected ManagedRepository getTestManagedRepository( String id, String path ) | |||
{ | |||
String location = new File( FileUtil.getBasedir(), "target/" + path ).getAbsolutePath(); | |||
return new ManagedRepository( id, id, location, "default", true, true, true, "2 * * * * ?", null, false, 80, 80, | |||
true, false ); | |||
} | |||
protected ManagedRepository getTestManagedRepository() | |||
{ | |||
String location = new File( FileUtil.getBasedir(), "target/test-repo" ).getAbsolutePath(); | |||
return new ManagedRepository( "TEST", "test", location, "default", true, true, true, "2 * * * * ?", null, false, | |||
80, 80, true, false ); | |||
return getTestManagedRepository( "TEST", "test-repo" ); | |||
} | |||
} |
@@ -205,7 +205,7 @@ public class DefaultUserRepositories | |||
} | |||
public boolean isAuthorizedToDeleteArtifacts( String principal, String repoId ) | |||
throws AccessDeniedException, ArchivaSecurityException | |||
throws ArchivaSecurityException | |||
{ | |||
try | |||
{ |