From 44b2d5a3f6a6031d0d865cc65cac4d72f2cf5340 Mon Sep 17 00:00:00 2001 From: Dean Farrell Date: Tue, 5 Dec 2023 09:12:43 -0500 Subject: [PATCH] Only show thumbnails if user has viewAccessCopies permissions (#1630) * Only show thumbnails if user has viewAccessCopies permissions * Simplify thumbnail permissions check * Fix thumbnail IT tests * Let the client handle displaying a thumbnail or not * Update test permission --- .../services/DatastreamPermissionUtil.java | 4 +-- .../src/components/full_record/fileList.vue | 2 +- .../src/components/full_record/thumbnail.vue | 2 +- .../tests/unit/thumbnail.spec.js | 11 +++++++- .../common/services/AccessCopiesService.java | 1 + .../common/services/PermissionsHelper.java | 18 +++---------- .../services/AccessCopiesServiceTest.java | 2 +- .../services/PermissionsHelperTest.java | 2 +- .../rest/DatastreamRestControllerIT.java | 26 +++++++++---------- .../datastream-content-it-servlet.xml | 20 +++++++------- 10 files changed, 43 insertions(+), 45 deletions(-) diff --git a/auth-api/src/main/java/edu/unc/lib/boxc/auth/api/services/DatastreamPermissionUtil.java b/auth-api/src/main/java/edu/unc/lib/boxc/auth/api/services/DatastreamPermissionUtil.java index ff69854f65..81a72d3da0 100644 --- a/auth-api/src/main/java/edu/unc/lib/boxc/auth/api/services/DatastreamPermissionUtil.java +++ b/auth-api/src/main/java/edu/unc/lib/boxc/auth/api/services/DatastreamPermissionUtil.java @@ -30,8 +30,8 @@ public class DatastreamPermissionUtil { DS_PERMISSION_MAP.put(DatastreamType.ORIGINAL_FILE, Permission.viewOriginal); DS_PERMISSION_MAP.put(DatastreamType.TECHNICAL_METADATA, Permission.viewHidden); DS_PERMISSION_MAP.put(DatastreamType.TECHNICAL_METADATA_HISTORY, Permission.viewHidden); - DS_PERMISSION_MAP.put(DatastreamType.THUMBNAIL_SMALL, Permission.viewMetadata); - DS_PERMISSION_MAP.put(DatastreamType.THUMBNAIL_LARGE, Permission.viewMetadata); + DS_PERMISSION_MAP.put(DatastreamType.THUMBNAIL_SMALL, Permission.viewAccessCopies); + DS_PERMISSION_MAP.put(DatastreamType.THUMBNAIL_LARGE, Permission.viewAccessCopies); } private DatastreamPermissionUtil() { diff --git a/static/js/vue-cdr-access/src/components/full_record/fileList.vue b/static/js/vue-cdr-access/src/components/full_record/fileList.vue index d9ee7435f5..7cdfc09f17 100644 --- a/static/js/vue-cdr-access/src/components/full_record/fileList.vue +++ b/static/js/vue-cdr-access/src/components/full_record/fileList.vue @@ -135,7 +135,7 @@ export default { render: (data, type, row) => { let img; - if ('thumbnail_url' in row) { + if ('thumbnail_url' in row && this.hasPermission(row,'viewAccessCopies')) { const thumbnail_title = this.$t('full_record.thumbnail_title', { title: row.title }) img = `${thumbnail_title}`; diff --git a/static/js/vue-cdr-access/src/components/full_record/thumbnail.vue b/static/js/vue-cdr-access/src/components/full_record/thumbnail.vue index 27c8718719..8ec1150b82 100644 --- a/static/js/vue-cdr-access/src/components/full_record/thumbnail.vue +++ b/static/js/vue-cdr-access/src/components/full_record/thumbnail.vue @@ -105,7 +105,7 @@ export default { }, src() { - if (this.objectData.thumbnail_url !== undefined) { + if (this.objectData.thumbnail_url !== undefined && this.hasPermission(this.objectData, 'viewAccessCopies')) { return this.objectData.thumbnail_url; } diff --git a/static/js/vue-cdr-access/tests/unit/thumbnail.spec.js b/static/js/vue-cdr-access/tests/unit/thumbnail.spec.js index 0d1f4f0f24..313c46f57f 100644 --- a/static/js/vue-cdr-access/tests/unit/thumbnail.spec.js +++ b/static/js/vue-cdr-access/tests/unit/thumbnail.spec.js @@ -128,12 +128,21 @@ describe('thumbnail.vue', () => { }); }); - it('displays a thumbnail, if present', () => { + it('displays a thumbnail, if present and user has viewAccessCopies permissions', () => { expect(wrapper.find('.thumbnail .thumbnail-viewer').exists()).toBe(true); + expect(wrapper.find('i.placeholder').exists()).toBe(false); expect(wrapper.find('a').attributes('class')) .toEqual('thumbnail thumbnail-size-large has_tooltip') }); + it('does not display a thumbnail if user does not have viewAccessCopies permissions', async () => { + let updatedRecordData = cloneDeep(recordData); + updatedRecordData.briefObject.permissions = ['viewMetadata']; + await wrapper.setProps({ thumbnailData: updatedRecordData }); + expect(wrapper.find('i.placeholder').exists()).toBe(true); + expect(wrapper.find('.thumbnail .thumbnail-viewer').exists()).toBe(false); + }); + it('displays a placeholder, if no thumbnail', async () => { let updatedRecordData = cloneDeep(recordData); updatedRecordData.briefObject.thumbnail_url = undefined; diff --git a/web-common/src/main/java/edu/unc/lib/boxc/web/common/services/AccessCopiesService.java b/web-common/src/main/java/edu/unc/lib/boxc/web/common/services/AccessCopiesService.java index 235ee9504c..488d337db8 100644 --- a/web-common/src/main/java/edu/unc/lib/boxc/web/common/services/AccessCopiesService.java +++ b/web-common/src/main/java/edu/unc/lib/boxc/web/common/services/AccessCopiesService.java @@ -136,6 +136,7 @@ public String getThumbnailId(ContentObjectRecord contentObjectRecord, AccessGrou log.debug("Found thumbnail object directly assigned to object {}", thumbId); return thumbId; } + // Don't need to check any further if object isn't a work or doesn't contain files with thumbnails if (!ResourceType.Work.name().equals(contentObjectRecord.getResourceType()) || contentObjectRecord.getFileFormatCategory() == null diff --git a/web-common/src/main/java/edu/unc/lib/boxc/web/common/services/PermissionsHelper.java b/web-common/src/main/java/edu/unc/lib/boxc/web/common/services/PermissionsHelper.java index 29218f80b4..bbfe17aea7 100644 --- a/web-common/src/main/java/edu/unc/lib/boxc/web/common/services/PermissionsHelper.java +++ b/web-common/src/main/java/edu/unc/lib/boxc/web/common/services/PermissionsHelper.java @@ -48,18 +48,6 @@ public boolean hasOriginalAccess(AccessGroupSet principals, ContentObjectRecord return hasDatastreamAccess(principals, ORIGINAL_FILE, metadata); } - /** - * Returns true if the principals can access thumbnails belonging to - * the requested object, if present. - * - * @param principals - * @param metadata - * @return - */ - public boolean hasThumbnailAccess(AccessGroupSet principals, ContentObjectRecord metadata) { - return hasDatastreamAccess(principals, THUMBNAIL_SMALL, metadata); - } - /** * Returns true if the principals can access the image preview belonging to * the requested object, if present. @@ -75,7 +63,7 @@ public boolean hasImagePreviewAccess(AccessGroupSet principals, ContentObjectRec /** * Returns true if the principals can access the MODS description belonging to * the requested object, if present. - * + * * @param metadata * @return */ @@ -93,7 +81,7 @@ public boolean hasDescriptionAccess(AccessGroupSet principals, ContentObjectReco * @return */ public boolean hasDatastreamAccess(AccessGroupSet principals, DatastreamType datastream, - ContentObjectRecord metadata) { + ContentObjectRecord metadata) { notNull(principals, "Requires agent principals"); notNull(datastream, "Requires datastream type"); notNull(metadata, "Requires metadata object"); @@ -168,4 +156,4 @@ public AccessControlService getAccessControlService() { public void setAccessControlService(AccessControlService accessControlService) { this.accessControlService = accessControlService; } -} +} \ No newline at end of file diff --git a/web-common/src/test/java/edu/unc/lib/boxc/web/common/services/AccessCopiesServiceTest.java b/web-common/src/test/java/edu/unc/lib/boxc/web/common/services/AccessCopiesServiceTest.java index fc17173f61..950af5449f 100644 --- a/web-common/src/test/java/edu/unc/lib/boxc/web/common/services/AccessCopiesServiceTest.java +++ b/web-common/src/test/java/edu/unc/lib/boxc/web/common/services/AccessCopiesServiceTest.java @@ -371,4 +371,4 @@ private void hasPermissions(ContentObjectSolrRecord contentObject, boolean hasAc private void populateResultList(ContentObjectRecord... objects) { when(searchResultResponse.getResultList()).thenReturn(Arrays.asList(objects)); } -} +} \ No newline at end of file diff --git a/web-common/src/test/java/edu/unc/lib/boxc/web/common/services/PermissionsHelperTest.java b/web-common/src/test/java/edu/unc/lib/boxc/web/common/services/PermissionsHelperTest.java index 68ec7c9622..fe7a2589f3 100644 --- a/web-common/src/test/java/edu/unc/lib/boxc/web/common/services/PermissionsHelperTest.java +++ b/web-common/src/test/java/edu/unc/lib/boxc/web/common/services/PermissionsHelperTest.java @@ -162,4 +162,4 @@ public void testDoesNotHaveEnhancedIfLoggedIn() { private void assignPermission(Permission permission, boolean value) { when(accessControlService.hasAccess(any(PID.class), eq(principals), eq(permission))).thenReturn(value); } -} +} \ No newline at end of file diff --git a/web-services-app/src/test/java/edu/unc/lib/boxc/web/services/rest/DatastreamRestControllerIT.java b/web-services-app/src/test/java/edu/unc/lib/boxc/web/services/rest/DatastreamRestControllerIT.java index f8e91b690b..84c21b10be 100644 --- a/web-services-app/src/test/java/edu/unc/lib/boxc/web/services/rest/DatastreamRestControllerIT.java +++ b/web-services-app/src/test/java/edu/unc/lib/boxc/web/services/rest/DatastreamRestControllerIT.java @@ -1,7 +1,7 @@ package edu.unc.lib.boxc.web.services.rest; +import static edu.unc.lib.boxc.auth.api.Permission.viewAccessCopies; import static edu.unc.lib.boxc.auth.api.Permission.viewHidden; -import static edu.unc.lib.boxc.auth.api.Permission.viewMetadata; import static edu.unc.lib.boxc.model.api.DatastreamType.MD_EVENTS; import static edu.unc.lib.boxc.model.api.DatastreamType.TECHNICAL_METADATA; import static edu.unc.lib.boxc.model.api.DatastreamType.THUMBNAIL_SMALL; @@ -66,10 +66,10 @@ @ExtendWith(SpringExtension.class) @WebAppConfiguration @ContextHierarchy({ - @ContextConfiguration("/spring-test/test-fedora-container.xml"), - @ContextConfiguration("/spring-test/cdr-client-container.xml"), - @ContextConfiguration("/spring-test/solr-indexing-context.xml"), - @ContextConfiguration("/datastream-content-it-servlet.xml") + @ContextConfiguration("/spring-test/test-fedora-container.xml"), + @ContextConfiguration("/spring-test/cdr-client-container.xml"), + @ContextConfiguration("/spring-test/solr-indexing-context.xml"), + @ContextConfiguration("/datastream-content-it-servlet.xml") }) public class DatastreamRestControllerIT extends AbstractAPIIT { @@ -225,7 +225,7 @@ public void testGetThumbnailNoPermission() throws Exception { createDerivative(id, THUMBNAIL_SMALL, BINARY_CONTENT.getBytes()); doThrow(new AccessRestrictionException()).when(accessControlService) - .assertHasAccess(anyString(), eq(filePid), any(AccessGroupSetImpl.class), eq(viewMetadata)); + .assertHasAccess(anyString(), eq(filePid), any(AccessGroupSetImpl.class), eq(viewAccessCopies)); MvcResult result = mvc.perform(get("/thumb/" + filePid.getId())) .andExpect(status().isForbidden()) @@ -277,9 +277,9 @@ public void testGetEventLog() throws Exception { FolderObject folderObj = repositoryObjectFactory.createFolderObject(folderPid, null); premisLoggerFactory.createPremisLogger(folderObj) - .buildEvent(Premis.Creation) - .addAuthorizingAgent(AgentPids.forPerson("some_user")) - .writeAndClose(); + .buildEvent(Premis.Creation) + .addAuthorizingAgent(AgentPids.forPerson("some_user")) + .writeAndClose(); MvcResult result = mvc.perform(get("/file/" + id + "/" + MD_EVENTS.getId())) .andExpect(status().is2xxSuccessful()) @@ -321,9 +321,9 @@ public void testGetEventLogNoPermissions() throws Exception { FolderObject folderObj = repositoryObjectFactory.createFolderObject(folderPid, null); premisLoggerFactory.createPremisLogger(folderObj) - .buildEvent(Premis.Creation) - .addAuthorizingAgent(AgentPids.forPerson("some_user")) - .writeAndClose(); + .buildEvent(Premis.Creation) + .addAuthorizingAgent(AgentPids.forPerson("some_user")) + .writeAndClose(); doThrow(new AccessRestrictionException()).when(accessControlService) .assertHasAccess(anyString(), eq(folderPid), any(AccessGroupSetImpl.class), eq(viewHidden)); @@ -347,4 +347,4 @@ private File createDerivative(String id, DatastreamType dsType, byte[] content) return derivFile; } -} +} \ No newline at end of file diff --git a/web-services-app/src/test/resources/datastream-content-it-servlet.xml b/web-services-app/src/test/resources/datastream-content-it-servlet.xml index 0b50961d24..0ba2e6c93a 100644 --- a/web-services-app/src/test/resources/datastream-content-it-servlet.xml +++ b/web-services-app/src/test/resources/datastream-content-it-servlet.xml @@ -1,34 +1,34 @@ - + - + - + - + - + @@ -41,4 +41,4 @@ - + \ No newline at end of file