Setting to configure whether editor users who are metadata owners can…

… edit their metadata when they do not have editing privileges for the metadata.
geonetwork · Jan 30, 2025 · deef55f · deef55f
1 parent d1c1c4a
commit deef55f
Show file tree

Hide file tree

Showing 6 changed files with 95 additions and 77 deletions.
diff --git a/core/src/main/java/org/fao/geonet/kernel/AccessManager.java b/core/src/main/java/org/fao/geonet/kernel/AccessManager.java
@@ -1,5 +1,5 @@
 //=============================================================================
-//===	Copyright (C) 2001-2007 Food and Agriculture Organization of the
+//===	Copyright (C) 2001-2025 Food and Agriculture Organization of the
 //===	United Nations (FAO-UN), United Nations World Food Programme (WFP)
 //===	and United Nations Environment Programme (UNEP)
 //===
@@ -46,6 +46,7 @@
 
 import static org.fao.geonet.kernel.setting.Settings.SYSTEM_INTRANET_IP_SEPARATOR;
 import static org.fao.geonet.kernel.setting.Settings.SYSTEM_METADATAPRIVS_PUBLICATIONBYGROUPOWNERONLY;
+import static org.fao.geonet.kernel.setting.Settings.SYSTEM_METADATAPRIVS_USER_ALWAYS_CAN_EDIT_OWNED_METADATA;
 import static org.fao.geonet.repository.specification.OperationAllowedSpecs.hasMetadataId;
 import static org.fao.geonet.repository.specification.OperationAllowedSpecs.hasOperation;
 import static org.springframework.data.jpa.domain.Specification.where;
@@ -114,7 +115,7 @@ public Set<Operation> getOperations(ServiceContext context, String mdId, String
     }
 
     public Set<String> getOperationNames(ServiceContext context, String mdId, String ip, Collection<Operation> operations) throws Exception {
-        Set<String> names = new HashSet<String>();
+        Set<String> names = new HashSet<>();
 
         for (Operation op : getOperations(context, mdId, ip, operations)) {
             names.add(op.getName());
@@ -127,7 +128,7 @@ public Set<String> getOperationNames(ServiceContext context, String mdId, String
      * Returns all operations permitted by the user on a particular metadata.
      */
     public Set<Operation> getAllOperations(ServiceContext context, String mdId, String ip) throws Exception {
-        HashSet<Operation> operations = new HashSet<Operation>();
+        HashSet<Operation> operations = new HashSet<>();
         Set<Integer> groups = getUserGroups(context.getUserSession(),
             ip, false);
         for (OperationAllowed opAllow : operationAllowedRepository.findByMetadataId(mdId)) {
@@ -146,7 +147,7 @@ public Set<Operation> getAllOperations(ServiceContext context, String mdId, Stri
     public Set<Integer> getUserGroups(UserSession usrSess, String ip, boolean editingGroupsOnly) throws Exception {
         final ConfigurableApplicationContext applicationContext = ApplicationContextHolder.get();
 
-        Set<Integer> hs = new HashSet<Integer>();
+        Set<Integer> hs = new HashSet<>();
 
         // add All (1) network group
         hs.add(ReservedGroup.all.getId());
@@ -193,7 +194,7 @@ public static List<Integer> getGroups(UserSession session, Profile profile) thro
     }
 
     public Set<Integer> getReviewerGroups(UserSession usrSess) throws Exception {
-        Set<Integer> hs = new HashSet<Integer>();
+        Set<Integer> hs = new HashSet<>();
 
         // get other groups
         if ((usrSess != null) && usrSess.isAuthenticated()) {
@@ -214,7 +215,7 @@ public Set<Integer> getReviewerGroups(UserSession usrSess) throws Exception {
      * @param userId the id of the user
      */
     public Set<Integer> getVisibleGroups(final int userId) throws Exception {
-        Set<Integer> hs = new HashSet<Integer>();
+        Set<Integer> hs = new HashSet<>();
 
         Optional<User> user = userRepository.findById(userId);
 
@@ -243,10 +244,22 @@ public Set<Integer> getVisibleGroups(final int userId) throws Exception {
      *     <li>the user has edit rights over the metadata</li>
      * </ul>
      *
+     * If the setting to allow edit always to the metadata the owner (independently of the edit privilege in
+     * the group owner of the metadata) is disabled, only the edit privileges are checked, except for Administrators.
+     *
      * @param id The metadata internal identifier
      */
     public boolean canEdit(final ServiceContext context, final String id) throws Exception {
-        return isOwner(context, id) || hasEditPermission(context, id);
+        UserSession us = context.getUserSession();
+        final Profile profile = us.getProfile();
+
+        if ((profile == Profile.Administrator) || settingManager.getValueAsBool(SYSTEM_METADATAPRIVS_USER_ALWAYS_CAN_EDIT_OWNED_METADATA, true)) {
+            return isOwner(context, id) || hasEditPermission(context, id);
+        } else {
+            // Ownership is not checked.. If the user is Editor and is the metadata owner,
+            // can only edit the metadata if has edit privileges for the metadata.
+            return hasEditPermission(context, id);
+        }
     }
 
     /**
@@ -429,9 +442,9 @@ public boolean hasReviewPermission(final ServiceContext context, final String id
         return hasReviewPermission(context, info);
     }
 
-    private String GROUPOWNERONLY_STRATEGY =
+    private static final String GROUPOWNERONLY_STRATEGY =
         "api.metadata.share.strategy.groupOwnerOnly";
-    private String REVIEWERINGROUP_STRATEGY =
+    private static final String REVIEWERINGROUP_STRATEGY =
         "api.metadata.share.strategy.reviewerInGroup";
 
     public String getReviewerRule() {
@@ -497,9 +510,9 @@ private boolean hasEditingPermissionWithProfile(final ServiceContext context, fi
             return false;
         }
 
-        Specification spec = where(UserGroupSpecs.hasProfile(profile)).and(UserGroupSpecs.hasUserId(us.getUserIdAsInt()));
+        Specification<UserGroup> spec = where(UserGroupSpecs.hasProfile(profile)).and(UserGroupSpecs.hasUserId(us.getUserIdAsInt()));
 
-        List<Integer> opAlloweds = new ArrayList<Integer>();
+        List<Integer> opAlloweds = new ArrayList<>();
         for (OperationAllowed opAllowed : allOpAlloweds) {
             opAlloweds.add(opAllowed.getId().getGroupId());
         }

diff --git a/core/src/main/java/org/fao/geonet/kernel/setting/Settings.java b/core/src/main/java/org/fao/geonet/kernel/setting/Settings.java
@@ -109,6 +109,7 @@ public class Settings {
     public static final String SYSTEM_METADATAPRIVS_PUBLICATIONNOTIFICATION_EMAILS = "system/metadataprivs/publication/notificationEmails";
     public static final String SYSTEM_METADATAPRIVS_PUBLICATION_NOTIFICATIONLEVEL = "system/metadataprivs/publication/notificationLevel";
     public static final String SYSTEM_METADATAPRIVS_PUBLICATION_NOTIFICATIONGROUPS = "system/metadataprivs/publication/notificationGroups";
+    public static final String SYSTEM_METADATAPRIVS_USER_ALWAYS_CAN_EDIT_OWNED_METADATA = "system/metadataprivs/userAlwaysCanEditOwnedMetadata";
     public static final String SYSTEM_INSPIRE_ATOM_PROTOCOL = "system/inspire/atomProtocol";
     public static final String SYSTEM_HARVESTING_MAIL_RECIPIENT = "system/harvesting/mail/recipient";
     public static final String SYSTEM_HARVESTING_MAIL_LEVEL3 = "system/harvesting/mail/level3";