From 22f4f4df12e77ef4cd235075723ec908ab585167 Mon Sep 17 00:00:00 2001
From: Timm Fitschen <timm.fitschen@ds.mpg.de>
Date: Thu, 13 Dec 2018 02:13:24 +0100
Subject: [PATCH] BUG: anonymous permissions

---
 .../java/caosdb/server/jobs/core/Atomic.java     |  6 +++++-
 .../caosdb/server/jobs/extension/AWIBoxLoan.java | 16 +++++++++-------
 .../server/jobs/extension/AWIBoxLoanModel.java   |  2 +-
 .../caosdb/server/permissions/EntityACL.java     |  2 ++
 .../caosdb/server/transaction/Transaction.java   |  4 ----
 .../server/jobs/extension/TestAWIBoxLoan.java    |  2 +-
 6 files changed, 18 insertions(+), 14 deletions(-)

diff --git a/src/main/java/caosdb/server/jobs/core/Atomic.java b/src/main/java/caosdb/server/jobs/core/Atomic.java
index f41eba28..cdc9f25d 100644
--- a/src/main/java/caosdb/server/jobs/core/Atomic.java
+++ b/src/main/java/caosdb/server/jobs/core/Atomic.java
@@ -27,11 +27,15 @@ import caosdb.server.entity.EntityInterface;
 import caosdb.server.jobs.ContainerJob;
 import caosdb.server.jobs.JobAnnotation;
 import caosdb.server.jobs.JobExecutionTime;
+import caosdb.server.transaction.WriteTransaction;
 import caosdb.server.utils.EntityStatus;
 import caosdb.server.utils.Observable;
 import caosdb.server.utils.ServerMessages;
 
-@JobAnnotation(time = JobExecutionTime.POST_CHECK)
+@JobAnnotation(
+    time = JobExecutionTime.POST_CHECK,
+    transaction = WriteTransaction.class,
+    loadAlways = true)
 public class Atomic extends ContainerJob {
 
   private boolean doCheck() {
diff --git a/src/main/java/caosdb/server/jobs/extension/AWIBoxLoan.java b/src/main/java/caosdb/server/jobs/extension/AWIBoxLoan.java
index cc280c69..2412a43f 100644
--- a/src/main/java/caosdb/server/jobs/extension/AWIBoxLoan.java
+++ b/src/main/java/caosdb/server/jobs/extension/AWIBoxLoan.java
@@ -8,6 +8,7 @@ import caosdb.server.datatype.SingleValue;
 import caosdb.server.entity.Entity;
 import caosdb.server.entity.EntityInterface;
 import caosdb.server.entity.Message;
+import caosdb.server.entity.Message.MessageType;
 import caosdb.server.entity.wrapper.Property;
 import caosdb.server.jobs.JobAnnotation;
 import caosdb.server.jobs.core.CheckNoAdditionalPropertiesPresent;
@@ -51,6 +52,9 @@ public class AWIBoxLoan extends AWIBoxLoanModel {
             || isRequestReturnSetUser()
             || isRequestReturnUpdateLoan())) {
       addError(ServerMessages.AUTHORIZATION_ERROR);
+      getContainer()
+          .addMessage(
+              new Message(MessageType.Info, 0, "Anonymous users have restricted permissions."));
       return;
     } else if (!(isRequestLoanSetUser()
         || isRequestLoanInsertLoan()
@@ -92,6 +96,7 @@ public class AWIBoxLoan extends AWIBoxLoanModel {
   EntityACL getBoxACL() {
     EntityACLFactory f = new EntityACLFactory();
     f.grant(ANONYMOUS_ROLE, false, EntityPermission.UPDATE_ADD_PROPERTY);
+    f.grant(ANONYMOUS_ROLE, false, EntityPermission.UPDATE_REMOVE_PROPERTY);
     return f.create();
   }
 
@@ -127,11 +132,12 @@ public class AWIBoxLoan extends AWIBoxLoanModel {
       for (EntityInterface e : getContainer()) {
         if (boxHasLoanProperty(e)) {
           e.addError(BOX_HAS_LOAN);
-          return true;
+          return false;
         }
         if (!isBoxRecord(e) || !hasOnlyAllowedBoxProperties4RequestLoan(e)) {
           return false;
         }
+        appendJob(e, CheckNoAdditionalPropertiesPresent.class);
       }
       return true;
     }
@@ -152,12 +158,8 @@ public class AWIBoxLoan extends AWIBoxLoanModel {
   boolean hasOnlyAllowedBoxProperties4RequestLoan(EntityInterface e) {
     int count = 0;
     for (Property p : e.getProperties()) {
-      if (p.getEntityStatus() == EntityStatus.QUALIFIED) { // this means update
-        if (Objects.equals(p.getId(), getLoanId())) {
-          count++;
-          continue;
-        }
-        return false; // this is not a Loan.
+      if (p.getEntityStatus() == EntityStatus.QUALIFIED && Objects.equals(p.getId(), getLoanId())) {
+        count++;
       }
     }
 
diff --git a/src/main/java/caosdb/server/jobs/extension/AWIBoxLoanModel.java b/src/main/java/caosdb/server/jobs/extension/AWIBoxLoanModel.java
index e4abafe1..a113c00e 100644
--- a/src/main/java/caosdb/server/jobs/extension/AWIBoxLoanModel.java
+++ b/src/main/java/caosdb/server/jobs/extension/AWIBoxLoanModel.java
@@ -21,7 +21,7 @@ public abstract class AWIBoxLoanModel extends ContainerJob {
   boolean isBoxRecord(EntityInterface e) {
     return e.getRole() == Role.Record
         && e.getParents().size() == 1
-        && Objects.equals(retrieveValidIDByName(e.getParents().get(0).getName()), getBoxId());
+        && Objects.equals(e.getParents().get(0).getId(), getBoxId());
   }
 
   /** Is Record and has single loan parent */
diff --git a/src/main/java/caosdb/server/permissions/EntityACL.java b/src/main/java/caosdb/server/permissions/EntityACL.java
index 86346bdf..c18bfb79 100644
--- a/src/main/java/caosdb/server/permissions/EntityACL.java
+++ b/src/main/java/caosdb/server/permissions/EntityACL.java
@@ -60,6 +60,8 @@ public class EntityACL {
     final EntityACLFactory f = new EntityACLFactory();
     f.grant(OWNER_ROLE, "*");
     f.grant(OTHER_ROLE, "RETRIEVE:*");
+    f.grant(Role.ANONYMOUS_ROLE, "RETRIEVE:*");
+    f.grant(Role.ANONYMOUS_ROLE, "USE:*");
     f.deny(OTHER_ROLE, "UPDATE:*");
     f.deny(OTHER_ROLE, "DELETE");
     f.deny(OTHER_ROLE, true, "EDIT:ACL");
diff --git a/src/main/java/caosdb/server/transaction/Transaction.java b/src/main/java/caosdb/server/transaction/Transaction.java
index f4dda3fb..de1e5e27 100644
--- a/src/main/java/caosdb/server/transaction/Transaction.java
+++ b/src/main/java/caosdb/server/transaction/Transaction.java
@@ -38,7 +38,6 @@ import caosdb.server.jobs.Job;
 import caosdb.server.jobs.JobExecutionTime;
 import caosdb.server.jobs.Schedule;
 import caosdb.server.jobs.core.AccessControl;
-import caosdb.server.jobs.core.Atomic;
 import caosdb.server.jobs.core.CheckDatatypePresent;
 import caosdb.server.jobs.core.CheckEntityACLRoles;
 import caosdb.server.jobs.core.Mode;
@@ -86,9 +85,6 @@ public abstract class Transaction<C extends TransactionContainer> extends Abstra
     this.schedule.add(loadContainerFlags);
     this.schedule.runJob(loadContainerFlags);
 
-    // all transactions are atomic
-    this.schedule.add(Job.getJob(Atomic.class.getSimpleName(), Mode.MUST, null, this));
-
     // AccessControl
     this.schedule.add(Job.getJob(AccessControl.class.getSimpleName(), Mode.MUST, null, this));
     this.schedule.add(Job.getJob(CheckEntityACLRoles.class.getSimpleName(), Mode.MUST, null, this));
diff --git a/src/test/java/caosdb/server/jobs/extension/TestAWIBoxLoan.java b/src/test/java/caosdb/server/jobs/extension/TestAWIBoxLoan.java
index 59ce687d..08a0e412 100644
--- a/src/test/java/caosdb/server/jobs/extension/TestAWIBoxLoan.java
+++ b/src/test/java/caosdb/server/jobs/extension/TestAWIBoxLoan.java
@@ -271,7 +271,7 @@ public class TestAWIBoxLoan {
     assertEquals(EntityStatus.QUALIFIED, j.getContainer().getStatus());
 
     j.run();
-    assertEquals(1, j.getContainer().getMessages().size());
+    assertEquals(2, j.getContainer().getMessages().size());
     assertEquals(EntityStatus.UNQUALIFIED, j.getContainer().getStatus());
   }
 }
-- 
GitLab