checkActive();
//
- // All active users are allowed to the their current list of permissions. If this is not
+ // All active users are allowed to the *their* (we enforce this) current list of permissions. If this is not
// the request, then we'll do a full AuthZ check.
//
- if (resName.equalsIgnoreCase(ACCOUNT_PERMISSIONS) != true) {
+ if (resName.equalsIgnoreCase(ACCOUNT_PERMISSIONS) != true) { //see comment immediately above
AuthZ authZ = AuthZ.get();
CSpaceResource res = new URIResourceImpl(resName, httpMethod);
- if (!authZ.isAccessAllowed(res)) {
- //
- // They failed the first check, but let's see if they're try to access the Blob service
- // with a GET method. If so they are allow, see http://issues.collectionspace.org/browse/CSPACE-3797
- //
- if (resName.contains("blobs") == false) { //FIXME : REM - Yuk! Remove this ASAP -see http://issues.collectionspace.org/browse/CSPACE-3797
+ if (authZ.isAccessAllowed(res) == false) {
logger.error("Access to " + res.getId() + " is NOT allowed to "
+ " user=" + AuthN.get().getUserId());
Response response = Response.status(
Response.Status.FORBIDDEN).entity(uriPath + " " + httpMethod).type("text/plain").build();
throw new WebApplicationException(response);
- }
} else {
//
// They passed the first round of security checks, so now let's check to see if they're trying
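Review bot: The exemption at `if (resName.equalsIgnoreCase(ACCOUNT_PERMISSIONS) != true)` skips `authZ.isAccessAllowed` for every `httpMethod`, and with the blobs fallback removed it is the only bypass of the AuthZ check visible in this hunk. The new comment says "(we enforce this)" but does not say where, and nothing in the visible lines limits the result to the caller's own permissions. I would restrict the exemption to reads, for example `boolean ownPermsRead = resName.equalsIgnoreCase(ACCOUNT_PERMISSIONS) && "GET".equalsIgnoreCase(httpMethod);` (assuming `httpMethod` is a String) followed by `if (!ownPermsRead) {`. The comment should also name the class or method that scopes the response to the authenticated user. The enclosing method starts and ends outside this hunk, so a method restriction may already exist there.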
if (uriPath.endsWith(WorkflowClient.SERVICE_PATH_COMPONENT) == true) {
String workflowSubResName = SecurityUtils.getResourceName(request.getUri());
res = new URIResourceImpl(workflowSubResName, httpMethod);
- if (!authZ.isAccessAllowed(res)) {
+ if (authZ.isAccessAllowed(res) == false) {
logger.error("Access to " + resName + ":" + res.getId() + " is NOT allowed to "
+ " user=" + AuthN.get().getUserId());
Response response = Response.status(
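Review bot: The denial message built at `logger.error("Access to " + resName + ":" + res.getId() + ...` writes values derived from `request.getUri()` into the log unescaped, so a path that decodes to CR or LF characters could forge entries in what is effectively the authorization audit trail. Whether such characters survive `SecurityUtils.getResourceName` is not visible here, so this needs confirming. The same concatenation appears in the first denial message and in the `logger.trace` success message further down. If the logger is SLF4J, parameterized calls with control characters stripped would cover all three, e.g. `logger.error("Access to {}:{} is NOT allowed to user={}", clean(resName), clean(res.getId()), AuthN.get().getUserId());`, where `clean` is a small helper to be added that replaces `\r` and `\n`. The `Response` construction continues outside this hunk.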
//
// We've passed all the checks. Now just log the results
//
- if (logger.isDebugEnabled()) {
- logger.debug("Access to " + res.getId() + " is allowed to "
- + " user=" + AuthN.get().getUserId() +
+ if (logger.isTraceEnabled()) {
+ logger.trace("Access to " + res.getId() + " is allowed to " +
+ " user=" + AuthN.get().getUserId() +
" for tenant id=" + AuthN.get().getCurrentTenantName());
}
}