diff --git a/src/main/java/org/caosdb/server/CaosDBServer.java b/src/main/java/org/caosdb/server/CaosDBServer.java
index b445749d68fafaeac74cc398912769acd6841a8b..f238bdd72df110db7021353272b87bd71fd8ff52 100644
--- a/src/main/java/org/caosdb/server/CaosDBServer.java
+++ b/src/main/java/org/caosdb/server/CaosDBServer.java
@@ -60,6 +60,8 @@ import org.caosdb.server.entity.EntityInterface;
import org.caosdb.server.entity.Role;
import org.caosdb.server.entity.container.Container;
import org.caosdb.server.grpc.GRPCServer;
+import org.caosdb.server.jobs.core.AccessControl;
+import org.caosdb.server.jobs.core.CheckStateTransition;
import org.caosdb.server.logging.RequestErrorLogMessage;
import org.caosdb.server.resource.AuthenticationResource;
import org.caosdb.server.resource.DefaultResource;
@@ -81,6 +83,7 @@ import org.caosdb.server.resource.Webinterface;
import org.caosdb.server.resource.WebinterfaceBuildNumber;
import org.caosdb.server.resource.transaction.EntityNamesResource;
import org.caosdb.server.resource.transaction.EntityResource;
+import org.caosdb.server.scripting.ScriptingPermissions;
import org.caosdb.server.transaction.ChecksumUpdater;
import org.caosdb.server.utils.FileUtils;
import org.caosdb.server.utils.Initialization;
@@ -280,6 +283,13 @@ public class CaosDBServer extends Application {
// init Shiro (user authentication/authorization and session management)
final Ini config = getShiroConfig();
initShiro(config);
+
+ // Init Permissions
+ logger.debug("Register permissions: ", ScriptingPermissions.PERMISSION_EXECUTION("*"));
+ logger.debug("Register permissions: ", CheckStateTransition.STATE_PERMISSIONS.toString());
+ logger.debug(
+ "Register permissions: ", CheckStateTransition.PERMISSION_STATE_FORCE_FINAL.toString());
+ logger.debug("Register permissions: ", AccessControl.TRANSACTION_PERMISSIONS.toString());
}
public static Ini getShiroConfig() {
diff --git a/src/main/java/org/caosdb/server/accessControl/ACMPermissions.java b/src/main/java/org/caosdb/server/accessControl/ACMPermissions.java
index 264af44456586fc84e4d391047d5f9c18c8cc28a..854fc07f9ed93eda28e8aca99c1ea1983c73f4fe 100644
--- a/src/main/java/org/caosdb/server/accessControl/ACMPermissions.java
+++ b/src/main/java/org/caosdb/server/accessControl/ACMPermissions.java
@@ -26,9 +26,6 @@ import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
-import org.caosdb.server.jobs.core.AccessControl;
-import org.caosdb.server.jobs.core.CheckStateTransition;
-import org.caosdb.server.scripting.ScriptingPermissions;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -264,15 +261,6 @@ public class ACMPermissions implements Comparable<ACMPermissions> {
return assign_role.toString(role);
}
- static {
- // trigger adding all permissions to ALL
- LOGGER.debug("Register permissions: ", ScriptingPermissions.PERMISSION_EXECUTION("*"));
- LOGGER.debug("Register permissions: ", CheckStateTransition.STATE_PERMISSIONS.toString());
- LOGGER.debug(
- "Register permissions: ", CheckStateTransition.PERMISSION_STATE_FORCE_FINAL.toString());
- LOGGER.debug("Register permissions: ", AccessControl.TRANSACTION_PERMISSIONS.toString());
- }
-
@Override
public int compareTo(ACMPermissions that) {
return this.toString().compareToIgnoreCase(that.toString());
diff --git a/src/main/java/org/caosdb/server/jobs/core/AccessControl.java b/src/main/java/org/caosdb/server/jobs/core/AccessControl.java
index dc596e50883dd5cd2210332b7cbab954a1e76c92..724dd89844097dad5bd1a6fbf2102c8f2c4ceb8c 100644
--- a/src/main/java/org/caosdb/server/jobs/core/AccessControl.java
+++ b/src/main/java/org/caosdb/server/jobs/core/AccessControl.java
@@ -53,6 +53,10 @@ public class AccessControl extends ContainerJob {
public final String toString(String transaction, String entityRole) {
return "TRANSACTION:" + transaction + (entityRole != null ? (":" + entityRole) : "");
}
+
+ public static String init() {
+ return TransactionPermission.class.getSimpleName();
+ }
}
public static final TransactionPermission TRANSACTION_PERMISSIONS =
diff --git a/src/main/java/org/caosdb/server/jobs/core/CheckStateTransition.java b/src/main/java/org/caosdb/server/jobs/core/CheckStateTransition.java
index fa21ed3a72c22237b2d10a51b566e9a753f01480..a43face9ae14f3fac57890ccb8617e5637c95c16 100644
--- a/src/main/java/org/caosdb/server/jobs/core/CheckStateTransition.java
+++ b/src/main/java/org/caosdb/server/jobs/core/CheckStateTransition.java
@@ -54,6 +54,10 @@ public class CheckStateTransition extends EntityStateJob {
public final String toString(String state_model) {
return toString().replace(STATE_MODEL_PARAMETER, state_model);
}
+
+ public static String init() {
+ return StateModelPermission.class.getSimpleName();
+ }
}
public static final StateModelPermission PERMISSION_STATE_FORCE_FINAL =
diff --git a/src/main/java/org/caosdb/server/scripting/ScriptingPermissions.java b/src/main/java/org/caosdb/server/scripting/ScriptingPermissions.java
index ff596a794a6b646003422e63e86b78cf80c475c4..0af49e9faf6ec8ad9a4107d72554a44744184661 100644
--- a/src/main/java/org/caosdb/server/scripting/ScriptingPermissions.java
+++ b/src/main/java/org/caosdb/server/scripting/ScriptingPermissions.java
@@ -22,4 +22,8 @@ public class ScriptingPermissions extends ACMPermissions {
public static final String PERMISSION_EXECUTION(final String call) {
return execution.toString(call);
}
+
+ public static String init() {
+ return ScriptingPermissions.class.getSimpleName();
+ }
}
diff --git a/src/main/java/org/caosdb/server/transaction/RetrieveACL.java b/src/main/java/org/caosdb/server/transaction/RetrieveACL.java
index c82ff76e696d73da030f6b0c1b815a0620e6e7c4..cd9c5c0841557da579c3581f876a1180ecd06f8d 100644
--- a/src/main/java/org/caosdb/server/transaction/RetrieveACL.java
+++ b/src/main/java/org/caosdb/server/transaction/RetrieveACL.java
@@ -24,6 +24,7 @@ package org.caosdb.server.transaction;
import com.google.protobuf.ProtocolStringList;
import java.util.UUID;
import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.authz.AuthorizationException;
import org.caosdb.server.database.backend.transaction.RetrieveEntityACLTransaction;
import org.caosdb.server.entity.Entity;
import org.caosdb.server.entity.EntityInterface;
@@ -71,7 +72,7 @@ public class RetrieveACL extends Transaction<TransactionContainer> {
e.setEntityACL(acl);
} else if (acl != null
&& acl.isPermitted(getTransactor(), EntityPermission.RETRIEVE_ENTITY)) {
- e.addError(org.caosdb.server.utils.ServerMessages.AUTHORIZATION_ERROR);
+ throw new AuthorizationException("You are not permitted to update this entity's ACL.");
} else {
e.addError(org.caosdb.server.utils.ServerMessages.ENTITY_DOES_NOT_EXIST);
}
diff --git a/src/main/java/org/caosdb/server/transaction/UpdateACL.java b/src/main/java/org/caosdb/server/transaction/UpdateACL.java
index e0b0c5cf7b1d1cfd95ef48f9823e01aaae69afce..84c73080550d8899f4f1a5156bebb2a44c39df6a 100644
--- a/src/main/java/org/caosdb/server/transaction/UpdateACL.java
+++ b/src/main/java/org/caosdb/server/transaction/UpdateACL.java
@@ -23,6 +23,7 @@ package org.caosdb.server.transaction;
import static org.caosdb.server.query.Query.clearCache;
+import org.apache.shiro.authz.AuthorizationException;
import org.caosdb.server.database.backend.transaction.RetrieveFullEntityTransaction;
import org.caosdb.server.database.backend.transaction.UpdateEntityTransaction;
import org.caosdb.server.entity.EntityInterface;
@@ -88,8 +89,8 @@ public class UpdateACL extends Transaction<TransactionContainer>
} else {
if (!oldAcl.getPriorityEntityACL().equals(newAcl.getPriorityEntityACL())
&& !oldAcl.isPermitted(getTransactor(), EntityPermission.EDIT_PRIORITY_ACL)) {
- // the user is now permitted to update the prioriy acl.
- result.addError(org.caosdb.server.utils.ServerMessages.AUTHORIZATION_ERROR);
+ throw new AuthorizationException(
+ "You are not permitted to change prioritized permission rules of this entity.");
}
// we're good to go. set new entity acl
@@ -99,7 +100,8 @@ public class UpdateACL extends Transaction<TransactionContainer>
} else if (oldAcl != null
&& oldAcl.isPermitted(getTransactor(), EntityPermission.RETRIEVE_ENTITY)) {
// the user knows that this entity exists
- result.addError(org.caosdb.server.utils.ServerMessages.AUTHORIZATION_ERROR);
+ throw new AuthorizationException(
+ "You are not permitted to change permission rules of this entity.");
} else {
// we pretend this entity doesn't exist
result.addError(org.caosdb.server.utils.ServerMessages.ENTITY_DOES_NOT_EXIST);