UFAL/Endpoints leaks private information

dspace-api/src/main/java/org/dspace/content/clarin/ClarinLicenseResourceMappingServiceImpl.java

@@ -16,6 +16,7 @@
 
 import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.lang.NullArgumentException;
+import org.dspace.authorize.AuthorizeException;
 import org.dspace.authorize.service.AuthorizeService;
 import org.dspace.content.Bitstream;
 import org.dspace.content.dao.clarin.ClarinLicenseResourceMappingDAO;
@@ -234,7 +235,14 @@ private boolean userFilledInRequiredInfo(Context context,
 
         // Find all records when the current user fill in some clarin license required info
         List<ClarinLicenseResourceUserAllowance> clarinLicenseResourceUserAllowances =
-                clarinLicenseResourceUserAllowanceService.findByEPersonId(context, userID);
+                null;
+        try {
+            clarinLicenseResourceUserAllowances = clarinLicenseResourceUserAllowanceService.findByEPersonId(context,
+                    userID);
+        } catch (AuthorizeException e) {
+            log.error("Cannot get the user registration for the user with id: {}", userID, e);
+            return false;
+        }
         // The user hasn't been filled in any information.
         if (CollectionUtils.isEmpty(clarinLicenseResourceUserAllowances)) {
             return false;

dspace-api/src/main/java/org/dspace/content/clarin/ClarinLicenseResourceUserAllowanceServiceImpl.java

@@ -21,6 +21,7 @@
 import org.dspace.content.service.clarin.ClarinLicenseResourceUserAllowanceService;
 import org.dspace.core.Context;
 import org.dspace.core.LogHelper;
+import org.dspace.eperson.EPerson;
 import org.hibernate.ObjectNotFoundException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -50,9 +51,16 @@ public ClarinLicenseResourceUserAllowance create(Context context) throws SQLExce
     }
 
     @Override
-    public ClarinLicenseResourceUserAllowance find(Context context, int valueId) throws SQLException {
-        return clarinLicenseResourceUserAllowanceDAO.findByID(context,
+    public ClarinLicenseResourceUserAllowance find(Context context, int valueId) throws SQLException,
+            AuthorizeException {
+        ClarinLicenseResourceUserAllowance clrua = clarinLicenseResourceUserAllowanceDAO.findByID(context,
                 ClarinLicenseResourceUserAllowance.class, valueId);
+
+        if (Objects.isNull(clrua)) {
+            return null;
+        }
+        this.authorizeClruaAction(context, List.of(clrua));
+        return clrua;
     }
 
     @Override
@@ -67,7 +75,7 @@ public List<ClarinLicenseResourceUserAllowance> findAll(Context context) throws
 
     @Override
     public void update(Context context, ClarinLicenseResourceUserAllowance clarinLicenseResourceUserAllowance)
-            throws SQLException {
+            throws SQLException, AuthorizeException {
         if (Objects.isNull(clarinLicenseResourceUserAllowance)) {
             throw new NullArgumentException("Cannot update clarinLicenseResourceUserAllowance because the " +
                     "new clarinLicenseResourceUserAllowance is null");
@@ -111,13 +119,56 @@ public boolean isUserAllowedToAccessTheResource(Context context, UUID userId, UU
     }
 
     @Override
-    public List<ClarinLicenseResourceUserAllowance> findByEPersonId(Context context, UUID userID) throws SQLException {
-        return clarinLicenseResourceUserAllowanceDAO.findByEPersonId(context, userID);
+    public List<ClarinLicenseResourceUserAllowance> findByEPersonId(Context context, UUID userID) throws SQLException,
+            AuthorizeException {
+        List<ClarinLicenseResourceUserAllowance> clruaList =
+                clarinLicenseResourceUserAllowanceDAO.findByEPersonId(context, userID);
+
+        this.authorizeClruaAction(context, clruaList);
+        return clruaList;
     }
 
     @Override
     public List<ClarinLicenseResourceUserAllowance> findByEPersonIdAndBitstreamId(Context context, UUID userID,
-                                                                            UUID bitstreamID) throws SQLException {
-        return clarinLicenseResourceUserAllowanceDAO.findByEPersonIdAndBitstreamId(context, userID, bitstreamID);
+                                                                            UUID bitstreamID)
+            throws SQLException, AuthorizeException {
+
+        List<ClarinLicenseResourceUserAllowance> clruaList = clarinLicenseResourceUserAllowanceDAO
+                .findByEPersonIdAndBitstreamId(context, userID, bitstreamID);
+
+        this.authorizeClruaAction(context, clruaList);
+
+        return clruaList;
+    }
+
+    /**
+     * Check if the user is authorized to access the Clarin License Resource User Allowance
+     */
+    private void authorizeClruaAction(Context context, List<ClarinLicenseResourceUserAllowance> clruaList)
+            throws SQLException, AuthorizeException {
+        if (authorizeService.isAdmin(context)) {
+            return;
+        }
+
+        if (CollectionUtils.isEmpty(clruaList)) {
+            return;
+        }
+        // Check if the user is the same as from the userRegistration
+        // Do not allow to get the userRegistration of another user
+        EPerson currentUser = context.getCurrentUser();
+        ClarinLicenseResourceUserAllowance clrua = clruaList.get(0);
+
+        // Check if the userRegistration is not null
+        if (Objects.isNull(clrua.getUserRegistration())) {
+            return;
+        }
+
+        UUID userRegistrationEpersonUUID = clrua.getUserRegistration().getPersonID();
+        if (currentUser.getID().equals(userRegistrationEpersonUUID)) {
+            return;
+        }
+
+        throw new AuthorizeException("You are not authorized to access the Clarin License Resource User Allowance " +
+                "because it is not associated with your account.");
     }
 }

dspace-api/src/main/java/org/dspace/content/clarin/ClarinUserMetadataServiceImpl.java

@@ -20,10 +20,12 @@
 import org.dspace.content.service.clarin.ClarinUserMetadataService;
 import org.dspace.core.Context;
 import org.dspace.core.LogHelper;
+import org.dspace.eperson.EPerson;
 import org.hibernate.ObjectNotFoundException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.util.CollectionUtils;
 
 public class ClarinUserMetadataServiceImpl implements ClarinUserMetadataService {
     private static final Logger log = LoggerFactory.getLogger(ClarinUserMetadataService.class);
@@ -46,17 +48,28 @@ public ClarinUserMetadata create(Context context) throws SQLException {
     }
 
     @Override
-    public ClarinUserMetadata find(Context context, int valueId) throws SQLException {
-        return clarinUserMetadataDAO.findByID(context, ClarinUserMetadata.class, valueId);
+    public ClarinUserMetadata find(Context context, int valueId) throws SQLException, AuthorizeException {
+        ClarinUserMetadata clarinUserMetadata = clarinUserMetadataDAO
+                .findByID(context, ClarinUserMetadata.class, valueId);
+
+        if (Objects.isNull(clarinUserMetadata)) {
+            return null;
+        }
+        this.authorizeClarinUserMetadataAction(context, List.of(clarinUserMetadata));
+        return clarinUserMetadata;
     }
 
     @Override
-    public List<ClarinUserMetadata> findAll(Context context) throws SQLException {
+    public List<ClarinUserMetadata> findAll(Context context) throws SQLException, AuthorizeException {
+        if (!authorizeService.isAdmin(context)) {
+            throw new AuthorizeException(
+                    "You must be an admin to get all clarin user metadata.");
+        }
         return clarinUserMetadataDAO.findAll(context, ClarinUserMetadata.class);
     }
 
     @Override
-    public void update(Context context, ClarinUserMetadata clarinUserMetadata) throws SQLException {
+    public void update(Context context, ClarinUserMetadata clarinUserMetadata) throws SQLException, AuthorizeException {
         if (Objects.isNull(clarinUserMetadata)) {
             throw new NullArgumentException("Cannot update user metadata because the new user metadata is null");
         }
@@ -82,12 +95,22 @@ public void delete(Context context, ClarinUserMetadata clarinUserMetadata) throw
     @Override
     public List<ClarinUserMetadata> findByUserRegistrationAndBitstream(Context context, Integer userRegUUID,
                                                                        UUID bitstreamUUID, boolean lastTransaction)
-            throws SQLException {
+            throws SQLException, AuthorizeException {
+        List<ClarinUserMetadata> userMetadata = null;
         if (lastTransaction) {
-            return getLastTransactionUserMetadata(clarinUserMetadataDAO.findByUserRegistrationAndBitstream(context,
-                    userRegUUID, bitstreamUUID));
+            userMetadata = getLastTransactionUserMetadata(clarinUserMetadataDAO
+                    .findByUserRegistrationAndBitstream(context, userRegUUID, bitstreamUUID));
+        } else {
+            userMetadata = clarinUserMetadataDAO.findByUserRegistrationAndBitstream(context,
+                    userRegUUID, bitstreamUUID);
+        }
+
+        this.authorizeClarinUserMetadataAction(context, userMetadata);
+
+        if (userMetadata == null) {
+            userMetadata = List.of();
         }
-        return clarinUserMetadataDAO.findByUserRegistrationAndBitstream(context, userRegUUID, bitstreamUUID);
+        return userMetadata;
     }
 
     private List<ClarinUserMetadata> getLastTransactionUserMetadata(List<ClarinUserMetadata> userMetadataList) {
@@ -118,4 +141,36 @@ private Integer getIdOfLastTransaction(List<ClarinUserMetadata> userMetadataList
             return null;
         }
     }
+
+    /**
+     * Check if the user is admin or if the user is the same as from the userRegistration
+     */
+    private void authorizeClarinUserMetadataAction(Context context, List<ClarinUserMetadata> userMetadata)
+            throws SQLException, AuthorizeException {
+        if (authorizeService.isAdmin(context)) {
+            return;
+        }
+
+        if (CollectionUtils.isEmpty(userMetadata)) {
+            return;
+        }
+
+        // Check if the user is the same as from the userRegistration
+        // Do not allow to get the userRegistration of another user
+        EPerson currentUser = context.getCurrentUser();
+        ClarinUserMetadata userMetadatum = userMetadata.get(0);
+
+        // Check if the userRegistration is not null
+        if (Objects.isNull(userMetadatum.getEperson())) {
+            return;
+        }
+
+        UUID userRegistrationEpersonUUID = userMetadatum.getEperson().getPersonID();
+        if (currentUser.getID().equals(userRegistrationEpersonUUID)) {
+            return;
+        }
+
+        throw new AuthorizeException("You are not authorized to access the Clarin User Metadata " +
+                "because it is not associated with your account.");
+    }
 }

dspace-api/src/main/java/org/dspace/content/clarin/ClarinUserRegistrationServiceImpl.java

@@ -19,10 +19,12 @@
 import org.dspace.content.service.clarin.ClarinUserRegistrationService;
 import org.dspace.core.Context;
 import org.dspace.core.LogHelper;
+import org.dspace.eperson.EPerson;
 import org.hibernate.ObjectNotFoundException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.util.CollectionUtils;
 
 public class ClarinUserRegistrationServiceImpl implements ClarinUserRegistrationService {
 
@@ -61,8 +63,15 @@ public ClarinUserRegistration create(Context context,
     }
 
     @Override
-    public ClarinUserRegistration find(Context context, int valueId) throws SQLException {
-        return clarinUserRegistrationDAO.findByID(context, ClarinUserRegistration.class, valueId);
+    public ClarinUserRegistration find(Context context, int valueId) throws SQLException, AuthorizeException {
+        ClarinUserRegistration clarinUserRegistration = clarinUserRegistrationDAO
+                .findByID(context, ClarinUserRegistration.class, valueId);
+
+        if (Objects.isNull(clarinUserRegistration)) {
+            return null;
+        }
+        this.authorizeClarinUserRegistrationAction(context, List.of(clarinUserRegistration));
+        return clarinUserRegistration;
     }
 
     @Override
@@ -76,12 +85,19 @@ public List<ClarinUserRegistration> findAll(Context context) throws SQLException
     }
 
     @Override
-    public List<ClarinUserRegistration> findByEPersonUUID(Context context, UUID epersonUUID) throws SQLException {
-        return clarinUserRegistrationDAO.findByEPersonUUID(context, epersonUUID);
+    public List<ClarinUserRegistration> findByEPersonUUID(Context context, UUID epersonUUID)
+            throws SQLException, AuthorizeException {
+        List<ClarinUserRegistration> clarinUserRegistrationList = clarinUserRegistrationDAO
+                .findByEPersonUUID(context, epersonUUID);
+
+        this.authorizeClarinUserRegistrationAction(context, clarinUserRegistrationList);
+
+        return clarinUserRegistrationList;
     }
 
     @Override
-    public List<ClarinUserRegistration> findByEmail(Context context, String email) throws SQLException {
+    public List<ClarinUserRegistration> findByEmail(Context context, String email)
+            throws SQLException {
         return clarinUserRegistrationDAO.findByEmail(context, email);
     }
 
@@ -110,4 +126,31 @@ public void update(Context context, ClarinUserRegistration clarinUserRegistratio
 
         clarinUserRegistrationDAO.save(context, clarinUserRegistration);
     }
+
+    /**
+     * Check if the user is admin or if the user is the same as from the userRegistration
+     */
+    private void authorizeClarinUserRegistrationAction(Context context, List<ClarinUserRegistration>
+            userRegistrationList)
+            throws SQLException, AuthorizeException {
+        if (authorizeService.isAdmin(context)) {
+            return;
+        }
+
+        if (CollectionUtils.isEmpty(userRegistrationList)) {
+            return;
+        }
+
+        // Check if the user is the same as from the userRegistration
+        // Do not allow to get the userRegistration of another user
+        EPerson currentUser = context.getCurrentUser();
+        ClarinUserRegistration clarinUserRegistration = userRegistrationList.get(0);
+        UUID userRegistrationEpersonUUID = clarinUserRegistration.getPersonID();
+        if (currentUser.getID().equals(userRegistrationEpersonUUID)) {
+            return;
+        }
+
+        throw new AuthorizeException("You are not authorized to access the Clarin User Registration " +
+                "because it is not associated with your account.");
+    }
 }

dspace-api/src/main/java/org/dspace/content/service/clarin/ClarinLicenseResourceUserAllowanceService.java

@@ -17,15 +17,17 @@
 
 public interface ClarinLicenseResourceUserAllowanceService {
     ClarinLicenseResourceUserAllowance create(Context context) throws SQLException;
-    ClarinLicenseResourceUserAllowance find(Context context, int valueId) throws SQLException;
+    ClarinLicenseResourceUserAllowance find(Context context, int valueId) throws SQLException, AuthorizeException;
     List<ClarinLicenseResourceUserAllowance> findAll(Context context) throws SQLException, AuthorizeException;
     void update(Context context, ClarinLicenseResourceUserAllowance clarinLicenseResourceUserAllowance)
-            throws SQLException;
+            throws SQLException, AuthorizeException;
     void delete(Context context, ClarinLicenseResourceUserAllowance clarinLicenseResourceUserAllowance)
             throws SQLException, AuthorizeException;
     boolean verifyToken(Context context, UUID resourceID, String token) throws SQLException;
     boolean isUserAllowedToAccessTheResource(Context context, UUID userId, UUID resourceId) throws SQLException;
-    List<ClarinLicenseResourceUserAllowance> findByEPersonId(Context context, UUID userID) throws SQLException;
+    List<ClarinLicenseResourceUserAllowance> findByEPersonId(Context context, UUID userID)
+            throws SQLException, AuthorizeException;
     List<ClarinLicenseResourceUserAllowance> findByEPersonIdAndBitstreamId(Context context, UUID userID,
-                                                                           UUID bitstreamID) throws SQLException;
+                                                                           UUID bitstreamID)
+            throws SQLException, AuthorizeException;
 }

dspace-api/src/main/java/org/dspace/content/service/clarin/ClarinUserMetadataService.java

@@ -19,12 +19,12 @@ public interface ClarinUserMetadataService {
 
     ClarinUserMetadata create(Context context) throws SQLException;
 
-    ClarinUserMetadata find(Context context, int valueId) throws SQLException;
-    List<ClarinUserMetadata> findAll(Context context) throws SQLException;
-    void update(Context context, ClarinUserMetadata clarinUserMetadata) throws SQLException;
+    ClarinUserMetadata find(Context context, int valueId) throws SQLException, AuthorizeException;
+    List<ClarinUserMetadata> findAll(Context context) throws SQLException, AuthorizeException;
+    void update(Context context, ClarinUserMetadata clarinUserMetadata) throws SQLException, AuthorizeException;
     void delete(Context context, ClarinUserMetadata clarinUserMetadata) throws SQLException, AuthorizeException;
 
     List<ClarinUserMetadata> findByUserRegistrationAndBitstream(Context context, Integer userRegUUID,
                                                                 UUID bitstreamUUID, boolean lastTransaction)
-            throws SQLException;
+            throws SQLException, AuthorizeException;
 }

dspace-api/src/main/java/org/dspace/content/service/clarin/ClarinUserRegistrationService.java

@@ -17,14 +17,13 @@
 
 public interface ClarinUserRegistrationService {
     ClarinUserRegistration create(Context context) throws SQLException, AuthorizeException;
-//    ClarinUserRegistration create(Context context, UUID id) throws SQLException, AuthorizeException;
-
     ClarinUserRegistration create(Context context,
           ClarinUserRegistration clarinUserRegistration) throws SQLException, AuthorizeException;
 
-    ClarinUserRegistration find(Context context, int valueId) throws SQLException;
+    ClarinUserRegistration find(Context context, int valueId) throws SQLException, AuthorizeException;
     List<ClarinUserRegistration> findAll(Context context) throws SQLException, AuthorizeException;
-    List<ClarinUserRegistration> findByEPersonUUID(Context context, UUID epersonUUID) throws SQLException;
+    List<ClarinUserRegistration> findByEPersonUUID(Context context, UUID epersonUUID)
+            throws SQLException, AuthorizeException;
 
     List<ClarinUserRegistration> findByEmail(Context context, String email) throws SQLException;
     void delete(Context context, ClarinUserRegistration clarinUserRegistration) throws SQLException, AuthorizeException;

dspace-server-webapp/src/main/java/org/dspace/app/rest/ClarinUserMetadataImportController.java

@@ -29,6 +29,7 @@
 import org.dspace.app.rest.model.ClarinUserMetadataRest;
 import org.dspace.app.rest.repository.ClarinUserMetadataRestController;
 import org.dspace.app.rest.utils.Utils;
+import org.dspace.authorize.AuthorizeException;
 import org.dspace.content.clarin.ClarinLicenseResourceMapping;
 import org.dspace.content.clarin.ClarinLicenseResourceUserAllowance;
 import org.dspace.content.clarin.ClarinUserMetadata;
@@ -84,7 +85,7 @@ public class ClarinUserMetadataImportController {
     @PreAuthorize("hasAuthority('ADMIN')")
     @RequestMapping(method =  RequestMethod.POST, value = "/usermetadata")
     public ClarinUserMetadataRest importUserMetadata(HttpServletRequest request) throws SQLException, IOException,
-            java.text.ParseException {
+            java.text.ParseException, AuthorizeException {
         //controlling of the input parameters
         Context context = obtainContext(request);
         if (Objects.isNull(context)) {