Uploaded image for project: 'DSpace'
  1. DSpace
  2. DS-4153

Refactor REST API v7 "createAndReturn()" methods for Spring Security alignment

    XMLWordPrintable

    Details

    • Type: Task
    • Status: Code Review Needed (View Workflow)
    • Priority: Blocker
    • Resolution: Unresolved
    • Affects Version/s: 7.0
    • Fix Version/s: None
    • Component/s: REST API v7
    • Labels:
      None
    • Attachments:
      0
    • Comments:
      1
    • Documentation Status:
      Needed

      Description

      Currently, the DSpaceRestRepository class provides a few very basic "createAndReturn()" methods for the creation of new objects (via POST request). 

      The one with the most parameters simply takes in a Context object: https://github.com/DSpace/DSpace/blob/master/dspace-spring-rest/src/main/java/org/dspace/app/rest/repository/DSpaceRestRepository.java#L287

      Unfortunately, this lack of method parameters makes using Spring Security Annotations (like @PreAuthorize) difficult. Here's how these annotations are expected to be used (on PUT/DELETE/GET methods): https://wiki.duraspace.org/display/DSPACE/REST+Authorization 

      Some DSpace objects require that you have ADD permissions on a parent object in order to create a child object. 

      For example, creating a Collection requires ADD Permissions on the parent Community.  Ideally, in this example, we should be able check those permissions (in CollectionRestRepository.createAndReturn()) via an annotation like:

      @PreAuthorize("hasPermission(#id, 'COMMUNITY', 'ADD')")

      However, as the createAndReturn(context) method doesn't take in the Parent Community ID, this annotation will not function properly.  Currently, we manually extract the parent ID from the request parameters (on querystring) within the createAndReturn(context) method.

      We should either refactor createAndReturn() to allow for a version that takes in a Parent ID parameter or find a way to leverage Spring Security to pull this Parent ID parameter from the querystring.  That way we can update @PreAuthorize to properly check for permissions on the parent object.

      Flagging this as a Blocker as it involves REST API security.

        Attachments

          Activity

            People

            Assignee:
            mspalti Michael Spalti
            Reporter:
            tdonohue Tim Donohue
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated: