add readonly mode

.github/workflows/ci.yml

@@ -30,7 +30,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: github branch
         run: |
           if [ "${{ github.event.release.target_commitish }}" != "" ]; then
@@ -46,9 +46,10 @@ jobs:
           else
             echo "CLOWDER_VERSION=testing" >> $GITHUB_ENV
           fi
-      - uses: actions/setup-java@v1
+      - uses: actions/setup-java@v3
         with:
-          java-version: 1.8
+          distribution: 'zulu'
+          java-version: 8
       - name: Cache SBT ivy cache
         uses: actions/cache@v1
         with:
@@ -84,7 +85,7 @@ jobs:
         ports:
           - 27017:27017
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: github branch
         run: |
           if [ "${{ github.event.release.target_commitish }}" != "" ]; then
@@ -100,16 +101,17 @@ jobs:
           else
             echo "CLOWDER_VERSION=testing" >> $GITHUB_ENV
           fi
-      - uses: actions/setup-java@v1
+      - uses: actions/setup-java@v3
         with:
-          java-version: 1.8
+          distribution: 'zulu'
+          java-version: 8
       - name: Cache SBT ivy cache
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ~/.ivy2/cache
           key: ${{ runner.os }}-sbt-ivy-cache-${{ hashFiles('project/Build.scala') }}
       - name: Cache SBT
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ~/.sbt
           key: ${{ runner.os }}-sbt-${{ hashFiles('project/Build.scala') }}
@@ -128,7 +130,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: build
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: github branch
         run: |
           if [ "${{ github.event.release.target_commitish }}" != "" ]; then
@@ -144,16 +146,17 @@ jobs:
           else
             echo "CLOWDER_VERSION=testing" >> $GITHUB_ENV
           fi
-      - uses: actions/setup-java@v1
+      - uses: actions/setup-java@v3
         with:
-          java-version: 1.8
+          distribution: 'zulu'
+          java-version: 8
       - name: Cache SBT ivy cache
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ~/.ivy2/cache
           key: ${{ runner.os }}-sbt-ivy-cache-${{ hashFiles('project/Build.scala') }}
       - name: Cache SBT
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ~/.sbt
           key: ${{ runner.os }}-sbt-${{ hashFiles('project/Build.scala') }}
@@ -204,7 +207,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: build
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: github branch
         run: |
           if [ "${{ github.event.release.target_commitish }}" != "" ]; then
@@ -220,16 +223,17 @@ jobs:
           else
             echo "CLOWDER_VERSION=testing" >> $GITHUB_ENV
           fi
-      - uses: actions/setup-java@v1
+      - uses: actions/setup-java@v3
         with:
-          java-version: 1.8
+          distribution: 'zulu'
+          java-version: 8
       - name: Cache SBT ivy cache
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ~/.ivy2/cache
           key: ${{ runner.os }}-sbt-ivy-cache-${{ hashFiles('project/Build.scala') }}
       - name: Cache SBT
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ~/.sbt
           key: ${{ runner.os }}-sbt-${{ hashFiles('project/Build.scala') }}

.github/workflows/swagger.yml

@@ -20,7 +20,7 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: openapi-lint 
         uses: mbowman100/swagger-validator-action@master

CHANGELOG.md

@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 ## Unreleased
 
 ### Added
+- Users can be marked as ReadOnly [#405](https://github.com/clowder-framework/clowder/issues/405)
 - Added Trash button to delete section [#347](https://github.com/clowder-framework/clowder/issues/347)
 - Add "when" parameter in a few GET API endpoints to enable pagination [#266](https://github.com/clowder-framework/clowder/issues/266)
 - Extractors can now specify an extractor_key and an owner (email address) when sending a

app/api/Admin.scala

@@ -125,10 +125,10 @@ class Admin @Inject() (userService: UserService,
       list.foreach(id =>
         userService.findById(UUID(id)) match {
           case Some(u: ClowderUser) => {
-            if (u.status == UserStatus.Inactive) {
+            if (u.status != UserStatus.Active) {
               userService.update(u.copy(status = UserStatus.Active))
-              val subject = s"[${AppConfiguration.getDisplayName}] account activated"
-              val body = views.html.emails.userActivated(u, active = true)(request)
+              val subject = s"[${AppConfiguration.getDisplayName}] account is now active"
+              val body = views.html.emails.userChanged(u, "activated")(request)
               util.Mail.sendEmail(subject, request.user, u, body)
             }
           }
@@ -138,10 +138,10 @@ class Admin @Inject() (userService: UserService,
       list.foreach(id =>
         userService.findById(UUID(id)) match {
           case Some(u: ClowderUser) => {
-            if (!(u.status == UserStatus.Inactive)) {
+            if (u.status != UserStatus.Inactive) {
               userService.update(u.copy(status = UserStatus.Inactive))
-              val subject = s"[${AppConfiguration.getDisplayName}] account deactivated"
-              val body = views.html.emails.userActivated(u, active = false)(request)
+              val subject = s"[${AppConfiguration.getDisplayName}] account is deactivated"
+              val body = views.html.emails.userChanged(u, "deactivated")(request)
               util.Mail.sendEmail(subject, request.user, u, body)
             }
           }
@@ -150,26 +150,27 @@ class Admin @Inject() (userService: UserService,
     (request.body \ "admin").asOpt[List[String]].foreach(list =>
       list.foreach(id =>
         userService.findById(UUID(id)) match {
-          case Some(u: ClowderUser) if (u.status == UserStatus.Active) => {
-
-            userService.update(u.copy(status = UserStatus.Admin))
-            val subject = s"[${AppConfiguration.getDisplayName}] admin access granted"
-            val body = views.html.emails.userAdmin(u, admin = true)(request)
-            util.Mail.sendEmail(subject, request.user, u, body)
-
+          case Some(u: ClowderUser) => {
+            if (u.status != UserStatus.Admin) {
+              userService.update(u.copy(status = UserStatus.Admin))
+              val subject = s"[${AppConfiguration.getDisplayName}] account is now an admin"
+              val body = views.html.emails.userChanged(u, "an admin account")(request)
+              util.Mail.sendEmail(subject, request.user, u, body)
+            }
           }
           case _ => Logger.error(s"Could not update user with id=${id}")
         }))
-    (request.body \ "unadmin").asOpt[List[String]].foreach(list =>
+    (request.body \ "readonly").asOpt[List[String]].foreach(list =>
       list.foreach(id =>
         userService.findById(UUID(id)) match {
-          case Some(u: ClowderUser) if (u.status == UserStatus.Admin) => {
-            userService.update(u.copy(status = UserStatus.Active))
-            val subject = s"[${AppConfiguration.getDisplayName}] admin access revoked"
-            val body = views.html.emails.userAdmin(u, admin = false)(request)
-            util.Mail.sendEmail(subject, request.user, u, body)
+          case Some(u: ClowderUser) => {
+            if (u.status != UserStatus.ReadOnly) {
+              userService.update(u.copy(status = UserStatus.ReadOnly))
+              val subject = s"[${AppConfiguration.getDisplayName}] account is now an read-only"
+              val body = views.html.emails.userChanged(u, "read-only")(request)
+              util.Mail.sendEmail(subject, request.user, u, body)
+            }
           }
-
           case _ => Logger.error(s"Could not update user with id=${id}")
         }))
     Ok(toJson(Map("status" -> "success")))

app/api/ApiController.scala

@@ -88,12 +88,13 @@ trait ApiController extends Controller {
       userRequest.user match {
         case Some(u) if !AppConfiguration.acceptedTermsOfServices(u.termsOfServices) => Future.successful(Unauthorized("Terms of Service not accepted"))
         case Some(u) if (u.status == UserStatus.Inactive) => Future.successful(Unauthorized("Account is not activated"))
+        case Some(u) if (u.status == UserStatus.ReadOnly && !api.Permission.READONLY.contains(permission) && permission != Permission.DownloadFiles) => Future.successful(Unauthorized("Account is ReadOnly"))
         case Some(u) if u.superAdminMode || Permission.checkPermission(userRequest.user, permission, resourceRef) => block(userRequest)
         case Some(u) => {
           affectedResource match {
             case Some(resource) if Permission.checkOwner(u, resource) => block(userRequest)
             case _ => Future.successful(Unauthorized("Not authorized"))
-           }
+          }
         }
         case None if Permission.checkPermission(userRequest.user, permission, resourceRef) => block(userRequest)
         case _ => Future.successful(Unauthorized("Not authorized"))

app/api/Metadata.scala

@@ -257,7 +257,7 @@ class Metadata @Inject() (
 
   // Given a list of terms, create a new standard vocabulary from the list
   // Expects a JSON array of Strings as the request body
-  def createVocabulary() = AuthenticatedAction(parse.json) {
+  def createVocabulary() = PermissionAction(Permission.CreateVocabulary)(parse.json) {
     implicit request =>
       request.user match {
         case None => BadRequest(toJson("Invalid user"))
@@ -278,7 +278,7 @@ class Metadata @Inject() (
 
   // Given an ID, replace the entire terms list of a standard vocabulary
   // Expects a JSON array of Strings as the request body
-  def updateVocabulary(id: UUID) = AuthenticatedAction(parse.json) {
+  def updateVocabulary(id: UUID) = PermissionAction(Permission.EditVocabulary)(parse.json) {
     implicit request =>
       request.user match {
         case None => BadRequest(toJson("Invalid user"))
@@ -304,7 +304,7 @@ class Metadata @Inject() (
   }
 
   // Given an ID, delete the standard vocabulary with that ID
-  def deleteVocabulary(id: UUID) = AuthenticatedAction(parse.empty) {
+  def deleteVocabulary(id: UUID) = PermissionAction(Permission.DeleteVocabulary)(parse.empty) {
     implicit request =>
       request.user match {
         case None => BadRequest(toJson("Invalid user"))
@@ -341,7 +341,7 @@ class Metadata @Inject() (
     }
   }
 
-  def editDefinition(id: UUID, spaceId: Option[String]) = AuthenticatedAction(parse.json) {
+  def editDefinition(id: UUID, spaceId: Option[String]) = PermissionAction(Permission.EditVocabulary)(parse.json) {
     implicit request =>
       request.user match {
         case Some(user) => {
@@ -387,7 +387,7 @@ class Metadata @Inject() (
       }
   }
 
-  def deleteDefinition(id: UUID) = AuthenticatedAction { implicit request =>
+  def deleteDefinition(id: UUID) = PermissionAction(Permission.CreateVocabulary) { implicit request =>
     implicit val user = request.user
     user match {
       case Some(user) => {

app/api/Permissions.scala

@@ -426,6 +426,7 @@ object Permission extends Enumeration {
   def checkPermission(user: User, permission: Permission, resourceRef: ResourceRef): Boolean = {
     // check if user is owner, in that case they can do what they want.
     if (user.superAdminMode) return true
+    if (user.status == UserStatus.ReadOnly && !READONLY.contains(permission) && permission != Permission.DownloadFiles) return false
     if (checkOwner(users.findByIdentity(user), resourceRef)) return true
 
     resourceRef match {

app/api/Spaces.scala

@@ -32,35 +32,39 @@ class Spaces @Inject()(spaces: SpaceService,
   val spaceTitle: String = Messages("space.title")
 
   //TODO- Minimal Space created with Name and description. URLs are not yet put in
-  def createSpace() = AuthenticatedAction(parse.json) { implicit request =>
+  def createSpace() = PermissionAction(Permission.CreateSpace)(parse.json) { implicit request =>
     Logger.debug("Creating new space")
-    val nameOpt = (request.body \ "name").asOpt[String]
-    val descOpt = (request.body \ "description").asOpt[String]
-    (nameOpt, descOpt) match {
-      case (Some(name), Some(description)) => {
-        // TODO: add creator
-        val userId = request.user.get.id
-        val c = ProjectSpace(name = name, description = description, created = new Date(), creator = userId,
-          homePage = List.empty, logoURL = None, bannerURL = None, collectionCount = 0,
-          datasetCount = 0, fileCount = 0, userCount = 0, spaceBytes = 0, metadata = List.empty)
-        spaces.insert(c) match {
-          case Some(id) => {
-            appConfig.incrementCount('spaces, 1)
-            events.addObjectEvent(request.user, c.id, c.name, "create_space")
-            userService.findRoleByName("Admin") match {
-              case Some(realRole) => {
-                spaces.addUser(userId, realRole, UUID(id))
-              }
-              case None => Logger.info("No admin role found")
+    if(request.user.get.status == UserStatus.ReadOnly) {
+      BadRequest(toJson("User is Read-Only"))
+    } else {
+      val nameOpt = (request.body \ "name").asOpt[String]
+      val descOpt = (request.body \ "description").asOpt[String]
+      (nameOpt, descOpt) match {
+        case (Some(name), Some(description)) => {
+          // TODO: add creator
+          val userId = request.user.get.id
+          val c = ProjectSpace(name = name, description = description, created = new Date(), creator = userId,
+            homePage = List.empty, logoURL = None, bannerURL = None, collectionCount = 0,
+            datasetCount = 0, fileCount = 0, userCount = 0, spaceBytes = 0, metadata = List.empty)
+          spaces.insert(c) match {
+            case Some(id) => {
+              appConfig.incrementCount('spaces, 1)
+              events.addObjectEvent(request.user, c.id, c.name, "create_space")
+              userService.findRoleByName("Admin") match {
+                case Some(realRole) => {
+                  spaces.addUser(userId, realRole, UUID(id))
+                }
+                case None => Logger.info("No admin role found")
 
+              }
+              Ok(toJson(Map("id" -> id)))
             }
-            Ok(toJson(Map("id" -> id)))
+            case None => Ok(toJson(Map("status" -> "error")))
           }
-          case None => Ok(toJson(Map("status" -> "error")))
-        }
 
+        }
+        case (_, _) => BadRequest(toJson("Missing required parameters"))
       }
-      case (_, _) => BadRequest(toJson("Missing required parameters"))
     }
   }
 

app/controllers/SecuredController.scala

@@ -104,6 +104,9 @@ trait SecuredController extends Controller {
       userRequest.user match {
         case Some(u) if !AppConfiguration.acceptedTermsOfServices(u.termsOfServices) => Future.successful(Results.Redirect(routes.Application.tos(Some(request.uri))))
         case Some(u) if (u.status==UserStatus.Inactive) => Future.successful(Results.Redirect(routes.Error.notActivated()))
+        case Some(u) if (u.status==UserStatus.ReadOnly && !api.Permission.READONLY.contains(permission) && permission != Permission.DownloadFiles) => {
+          Future.successful(Results.Redirect(routes.Error.notAuthorized("Account is ReadOnly", "", "")))
+        }
         case Some(u) if u.superAdminMode || Permission.checkPermission(userRequest.user, permission, resourceRef) => block(userRequest)
         case Some(u) => notAuthorizedMessage(userRequest.user, resourceRef)
         case None if Permission.checkPermission(userRequest.user, permission, resourceRef) => block(userRequest)

app/controllers/Spaces.scala

@@ -222,7 +222,7 @@ class Spaces @Inject() (spaces: SpaceService, users: UserService, events: EventS
     }
   }
 
-  def newSpace() = AuthenticatedAction { implicit request =>
+  def newSpace() = PermissionAction(Permission.CreateSpace) { implicit request =>
     implicit val user = request.user
     Ok(views.html.spaces.newSpace(spaceForm))
   }
@@ -396,10 +396,10 @@ class Spaces @Inject() (spaces: SpaceService, users: UserService, events: EventS
    * Submit action for new or edit space
    */
   // TODO this should check to see if user has editspace for specific space
-  def submit() = AuthenticatedAction { implicit request =>
+  def submit() = PermissionAction(Permission.CreateSpace) { implicit request =>
     implicit val user = request.user
     user match {
-      case Some(identity) => {
+      case Some(identity) if identity.status != UserStatus.ReadOnly => {
         val userId = request.user.get.id
         //need to get the submitValue before binding form data, in case of errors we want to trigger different forms
         request.body.asMultipartFormData.get.dataParts.get("submitValue").headOption match {
@@ -483,7 +483,7 @@ class Spaces @Inject() (spaces: SpaceService, users: UserService, events: EventS
           case None => { BadRequest("Did not get any submit button value.") }
         }
       } //some identity
-      case None => Redirect(routes.Spaces.list()).flashing("error" -> "You are not authorized to create/edit $spaceTitle.")
+      case _ => Redirect(routes.Spaces.list()).flashing("error" -> "You are not authorized to create/edit $spaceTitle.")
     }
   }
   def followingSpaces(index: Int, limit: Int, mode: String) = PrivateServerAction { implicit request =>

app/models/User.scala

@@ -13,7 +13,7 @@ import play.api.libs.json._
 
 object UserStatus extends Enumeration {
 	  type UserStatus = Value
-	  val Inactive, Active, Admin = Value
+	  val Inactive, Active, Admin, ReadOnly = Value
 	}
 
 /**