NOJIRA re-enabling access control in service layer in the trunk (only)

M    security/SecurityInterceptor.java

diff --git a/services/common/src/main/java/org/collectionspace/services/common/security/SecurityInterceptor.java b/services/common/src/main/java/org/collectionspace/services/common/security/SecurityInterceptor.java
index 194c6c1db8fdf7c6ec9f57749c36314bf6181b5c..fd8fa167ccd1c5a3f50a0454bf916ab57280fc3c 100644 (file)
--- a/services/common/src/main/java/org/collectionspace/services/common/security/SecurityInterceptor.java
+++ b/services/common/src/main/java/org/collectionspace/services/common/security/SecurityInterceptor.java
@@ -71,12 +71,12 @@ public class SecurityInterceptor implements PreProcessInterceptor {
         }
         String resName = getResourceName(request.getUri());
         checkActive();
-//        if (uriPath.startsWith("dimensions")) {
         AuthZ authZ = AuthZ.get();
         CSpaceResource res = new URIResourceImpl(resName, httpMethod);
 /*
   TEMPORARILY commented out by Aron per Sanjay's suggestion in CSPACE-1946.
   NOTE: This effectively DISABLES authorization checks at the services layer.
+ */
         if (!authZ.isAccessAllowed(res)) {
             logger.error("Access to " + res.getId() + " is NOT allowed to "
                     + " user=" + AuthN.get().getUserId());
@@ -84,12 +84,10 @@ public class SecurityInterceptor implements PreProcessInterceptor {
                     Response.Status.FORBIDDEN).entity(uriPath + " " + httpMethod).type("text/plain").build();
             throw new WebApplicationException(response);
         }
-*/
         if (logger.isDebugEnabled()) {
             logger.debug("Access to " + res.getId() + " is allowed to "
                     + " user=" + AuthN.get().getUserId());
         }
-//        }
         return null;
     }