feat: separate permission for embedding content

edu-sharing · Sep 4, 2024 · f46a77e · f46a77e
1 parent e2eb56e
commit f46a77e
Show file tree

Hide file tree

Showing 7 changed files with 33 additions and 12 deletions.
diff --git a/...nd/alfresco/common/src/main/java/org/edu_sharing/repository/client/tools/CCConstants.java b/...nd/alfresco/common/src/main/java/org/edu_sharing/repository/client/tools/CCConstants.java
@@ -1748,6 +1748,7 @@ public static ArrayList<String> getDetailPropList(){
 	public final static String PERMISSION_READ_ALL = "ReadAll";
 
 	public final static String PERMISSION_DOWNLOAD_CONTENT = "DownloadContent";
+	public final static String PERMISSION_EMBED = "Embed";
 	public final static String PERMISSION_READ_PREVIEW = "ReadPreview";
 
 	public final static String PERMISSION_COMMENT = "Comment";

diff --git a/...d/alfresco/module/src/main/amp/config/alfresco/extension/custom-permissionDefinitions.xml b/...d/alfresco/module/src/main/amp/config/alfresco/extension/custom-permissionDefinitions.xml
@@ -100,6 +100,7 @@
       <permissionGroup name="WriteProperties" expose="true" allowFullControl="false" />  
       <permissionGroup name="ReadContent" expose="false" allowFullControl="false" />  
       <permissionGroup name="DownloadContent" expose="true" allowFullControl="false" />
+      <permissionGroup name="Embed" expose="true" allowFullControl="false" />
       <permissionGroup name="WriteContent" expose="false" allowFullControl="false" />
       <permissionGroup name="ExecuteContent" expose="false" allowFullControl="false" />  
       <permissionGroup name="DeleteNode" expose="true" allowFullControl="false" />  
@@ -227,6 +228,10 @@
            <grantedToGroup permissionGroup="DownloadContent"/>
        </permission>
 
+       <permission name="_Embed" expose="false">
+           <grantedToGroup permissionGroup="Embed"/>
+       </permission>
+
       <!-- The permission to write content.                                              -->
 
       <permission name="_WriteContent" expose="false">
@@ -388,6 +393,7 @@
           <includePermissionGroup type="sys:base" permissionGroup="Feedback"/>
           <includePermissionGroup type="sys:base" permissionGroup="RateRead"/>
           <includePermissionGroup type="sys:base" permissionGroup="Rate"/>
+          <includePermissionGroup type="sys:base" permissionGroup="Embed"/>
       </permissionGroup>
       <!-- edu-sharing a restricted Consumer which can only read metadata of the node -->
       <permissionGroup name="ConsumerMetadata" allowFullControl="false" expose="true" >

diff --git a/...es/core/src/main/java/org/edu_sharing/repository/server/rendering/RenderingException.java b/...es/core/src/main/java/org/edu_sharing/repository/server/rendering/RenderingException.java
@@ -1,28 +1,27 @@
 package org.edu_sharing.repository.server.rendering;
 
-import com.google.gson.JsonObject;
-import org.apache.commons.io.FileUtils;
-import org.apache.log4j.Logger;
+import jakarta.servlet.http.HttpServletResponse;
+import org.alfresco.repo.security.permissions.AccessDeniedException;
+import org.edu_sharing.repository.client.tools.CCConstants;
 import org.edu_sharing.repository.server.ErrorFilter;
 import org.edu_sharing.repository.server.tools.HttpException;
 import org.edu_sharing.service.InsufficientPermissionException;
 import org.json.JSONObject;
 
-import jakarta.servlet.ServletException;
-import jakarta.servlet.http.HttpServlet;
-import jakarta.servlet.http.HttpServletRequest;
-import jakarta.servlet.http.HttpServletResponse;
-import java.io.File;
-import java.io.IOException;
-
 public class RenderingException extends ErrorFilter.ErrorFilterException {
 
     public static RenderingException fromThrowable(Throwable throwable) {
-        if(throwable instanceof InsufficientPermissionException) {
+        if(throwable instanceof InsufficientPermissionException || throwable instanceof AccessDeniedException)   {
+            I18N i18nKey = I18N.permissions_missing;
+
+            if(throwable instanceof AccessDeniedException && CCConstants.PERMISSION_EMBED.equals(((AccessDeniedException) throwable).getMsgId())){
+                i18nKey = I18N.permissions_embed_missing;
+            }
+
             return new RenderingException(
                     HttpServletResponse.SC_FORBIDDEN,
                     throwable.getMessage(),
-                    I18N.permissions_missing,
+                    i18nKey,
                     throwable
             );
         }
@@ -41,6 +40,7 @@ public enum I18N{
         node_missing,
         usage_missing_permissions,
         permissions_missing,
+        permissions_embed_missing,
         internal,
         unknown,
     }

diff --git a/...ices/core/src/main/java/org/edu_sharing/repository/server/rendering/RenderingServlet.java b/...ices/core/src/main/java/org/edu_sharing/repository/server/rendering/RenderingServlet.java
@@ -4,13 +4,16 @@
 import jakarta.servlet.http.HttpServlet;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import org.alfresco.repo.security.permissions.AccessDeniedException;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.StoreRef;
 import org.apache.commons.lang.StringUtils;
 import org.apache.log4j.Logger;
+import org.edu_sharing.repository.client.tools.CCConstants;
 import org.edu_sharing.repository.server.SecurityHeadersFilter;
 import org.edu_sharing.repository.tools.URLHelper;
 import org.edu_sharing.service.config.ConfigServiceFactory;
+import org.edu_sharing.service.permission.PermissionServiceFactory;
 import org.edu_sharing.service.rendering.RenderingService;
 import org.edu_sharing.service.rendering.RenderingServiceFactory;
 import org.edu_sharing.service.rendering.RenderingTool;
@@ -35,6 +38,7 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                 node_id = req.getParameter("node_id");
             }
             String version = req.getParameter("version");
+
             RenderingService renderingService = RenderingServiceFactory.getLocalService();
             Map<String, String> params=new HashMap<>();
             for(Object key:  req.getParameterMap().keySet()){
@@ -59,6 +63,12 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp)
             resp.getWriter().write("<body class= \"eduservlet-render-body\">");
             String response;
             try {
+                if(!PermissionServiceFactory.getLocalService().hasPermission(StoreRef.PROTOCOL_WORKSPACE,
+                        StoreRef.STORE_REF_WORKSPACE_SPACESSTORE.getIdentifier(),
+                        node_id,
+                        CCConstants.PERMISSION_EMBED)){
+                     throw new AccessDeniedException(CCConstants.PERMISSION_EMBED);
+                }
                 response = renderingService.getDetails(node_id, version,DEFAULT_DISPLAY_MODE, params).getDetails();
                 response = response.replace("{{{LMS_INLINE_HELPER_SCRIPT}}}", URLHelper.getNgRenderNodeUrl(node_id,version)+"?");
                 TrackingServiceFactory.getTrackingService().trackActivityOnNode(new NodeRef(StoreRef.STORE_REF_WORKSPACE_SPACESSTORE, node_id), null, TrackingService.EventType.VIEW_MATERIAL_EMBEDDED);

diff --git a/Frontend/src/app/features/dialogs/dialog-modules/share-dialog/share-dialog.component.ts b/Frontend/src/app/features/dialogs/dialog-modules/share-dialog/share-dialog.component.ts
@@ -86,6 +86,7 @@ export class ShareDialogComponent implements OnInit, AfterViewInit {
         'Comment',
         'Feedback',
         'Deny',
+        'Embed',
     ];
     readonly PERMISSIONS_FORCES = [
         ['Read', ['ConsumerMetadata']],
@@ -97,6 +98,7 @@ export class ShareDialogComponent implements OnInit, AfterViewInit {
         ['Comment', ['Consumer']],
         ['Feedback', ['Consumer']],
         ['Rate', ['Consumer']],
+        ['Embed', ['Consumer']],
         ['Write', ['Editor']],
         ['DeleteChildren', ['Delete']],
         ['DeleteNode', ['Delete']],

diff --git a/config/defaults/src/main/resources/metadatasets/i18n/mds.properties b/config/defaults/src/main/resources/metadatasets/i18n/mds.properties
@@ -768,5 +768,6 @@ rendering_error_node_missing: The requested element was deleted or is not availa
 rendering_error_usage_missing: There are no permissions available for the requested element. Maybe the permissions have been removed.
 rendering_error_usage_missing_permissions: There are no permissions available for the requested element. Maybe the permissions have been removed.\nYou have the appropriate rights to re-embed this element in order to fix the permissions.
 rendering_error_permissions_missing: There are no permissions available for the requested element.
+rendering_error_permissions_embed_missing: There are no permissions available to embed the requested element in other systems.
 rendering_error_internal: An internal error occured
 rendering_error_unknown: An error occured
diff --git a/config/defaults/src/main/resources/metadatasets/i18n/mds_de_DE.properties b/config/defaults/src/main/resources/metadatasets/i18n/mds_de_DE.properties
@@ -789,5 +789,6 @@ rendering_error_node_missing: Das angeforderte Objekt wurde gel
 rendering_error_usage_missing: Für das angeforderte Objekt sind keine Berechtigungen vorhanden. Eventuell wurden die Berechtigungen entfernt.
 rendering_error_usage_missing_permissions: Für das angeforderte Objekt sind keine Berechtigungen vorhanden. Eventuell wurden die Berechtigungen entfernt.\nSie verfügen über die notwendigen Berechtigungen, um dieses Objekt neu einzubinden. Sie können das Objekt erneut im angeschlossenen System einfügen.
 rendering_error_permissions_missing: Für das angeforderte Objekt sind keine Berechtigungen vorhanden.
+rendering_error_permissions_embed_missing: Für das angeforderte Objekt sind keine Berechtigungen für die Einbettung in andere Systeme vorhanden.
 rendering_error_internal: Ein interner Fehler ist aufgetreten
 rendering_error_unknown: Ein Fehler ist aufgetreten