Commit 37ff1503 authored by Fabio Mancinelli's avatar Fabio Mancinelli

XWIKI-7966 Missing rest features for search and page listing needed for Mobile application.

Reviewing pull request

* Added access-right checks in order to avoid leaking private information when returning
  search and query results.
parent 7fb509f6
...@@ -268,6 +268,7 @@ protected List<SearchResult> searchPages(List<SearchScope> searchScopes, String ...@@ -268,6 +268,7 @@ protected List<SearchResult> searchPages(List<SearchScope> searchScopes, String
String pageId = Utils.getPageId(wikiName, spaceName, pageName); String pageId = Utils.getPageId(wikiName, spaceName, pageName);
String pageFullName = Utils.getPageFullName(wikiName, spaceName, pageName); String pageFullName = Utils.getPageFullName(wikiName, spaceName, pageName);
/* Check if the user has the right to see the found document */
if (Utils.getXWikiApi(componentManager).hasAccessLevel("view", pageId)) { if (Utils.getXWikiApi(componentManager).hasAccessLevel("view", pageId)) {
Document doc = Utils.getXWikiApi(componentManager).getDocument(pageFullName); Document doc = Utils.getXWikiApi(componentManager).getDocument(pageFullName);
String title = doc.getDisplayTitle(); String title = doc.getDisplayTitle();
...@@ -376,42 +377,45 @@ protected List<SearchResult> searchSpaces(String keywords, String wikiName, bool ...@@ -376,42 +377,45 @@ protected List<SearchResult> searchSpaces(String keywords, String wikiName, bool
.setOffset(start).execute(); .setOffset(start).execute();
for (Object object : queryResult) { for (Object object : queryResult) {
String spaceName = (String) object; String spaceName = (String) object;
Document spaceDoc = Utils.getXWikiApi(componentManager).getDocument(spaceName + ".WebHome"); Document spaceDoc = Utils.getXWikiApi(componentManager).getDocument(spaceName + ".WebHome");
String title = spaceDoc.getDisplayTitle();
SearchResult searchResult = objectFactory.createSearchResult();
searchResult.setType("space");
searchResult.setId(String.format("%s:%s", wikiName, spaceName));
searchResult.setWiki(wikiName);
searchResult.setSpace(spaceName);
searchResult.setTitle(title);
/* Add a link to the space information */
Link spaceLink = new Link();
spaceLink.setRel(Relations.SPACE);
String spaceUri =
UriBuilder.fromUri(uriInfo.getBaseUri()).path(SpaceResource.class).build(wikiName, spaceName)
.toString();
spaceLink.setHref(spaceUri);
searchResult.getLinks().add(spaceLink);
/* Add a link to the webhome if it exists */
String webHomePageId = Utils.getPageId(wikiName, spaceName, "WebHome");
if (Utils.getXWikiApi(componentManager).exists(webHomePageId)
&& Utils.getXWikiApi(componentManager).hasAccessLevel("view", webHomePageId)) {
String pageUri =
UriBuilder.fromUri(uriInfo.getBaseUri()).path(PageResource.class)
.build(wikiName, spaceName, "WebHome").toString();
Link pageLink = new Link(); /* Check if the user has the right to see the found document */
pageLink.setHref(pageUri); if (Utils.getXWikiApi(componentManager).hasAccessLevel("view", spaceDoc.getPrefixedFullName())) {
pageLink.setRel(Relations.HOME); String title = spaceDoc.getDisplayTitle();
searchResult.getLinks().add(pageLink);
}
result.add(searchResult); SearchResult searchResult = objectFactory.createSearchResult();
searchResult.setType("space");
searchResult.setId(String.format("%s:%s", wikiName, spaceName));
searchResult.setWiki(wikiName);
searchResult.setSpace(spaceName);
searchResult.setTitle(title);
/* Add a link to the space information */
Link spaceLink = new Link();
spaceLink.setRel(Relations.SPACE);
String spaceUri =
UriBuilder.fromUri(uriInfo.getBaseUri()).path(SpaceResource.class).build(wikiName, spaceName)
.toString();
spaceLink.setHref(spaceUri);
searchResult.getLinks().add(spaceLink);
/* Add a link to the webhome if it exists */
String webHomePageId = Utils.getPageId(wikiName, spaceName, "WebHome");
if (Utils.getXWikiApi(componentManager).exists(webHomePageId)
&& Utils.getXWikiApi(componentManager).hasAccessLevel("view", webHomePageId)) {
String pageUri =
UriBuilder.fromUri(uriInfo.getBaseUri()).path(PageResource.class)
.build(wikiName, spaceName, "WebHome").toString();
Link pageLink = new Link();
pageLink.setHref(pageUri);
pageLink.setRel(Relations.HOME);
searchResult.getLinks().add(pageLink);
}
result.add(searchResult);
}
} }
return result; return result;
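Review bot: The new view check at the top of the searchSpaces loop identifies the WebHome page as `spaceDoc.getPrefixedFullName()`, while the WebHome link check further down in the same hunk (and every other hunk in this commit) identifies the same page with `Utils.getPageId(wikiName, spaceName, "WebHome")`; since `spaceDoc` is looked up as `spaceName + ".WebHome"` with no wiki prefix, the prefixed name may not correspond to `wikiName` if that lookup resolves against the context wiki (I cannot confirm that from here), so the two checks could disagree. I would hoist the existing declaration and reuse it for the new check: `String webHomePageId = Utils.getPageId(wikiName, spaceName, "WebHome");` followed by `if (Utils.getXWikiApi(componentManager).hasAccessLevel("view", webHomePageId)) {`, dropping the later duplicate declaration. In the searchDatabaseQuery hunk, `className != null && !className.equals("")` could become `StringUtils.isNotBlank(className)` to match the `StringUtils.isBlank` call already used in searchLucene. Note also that the rights filtering runs after the query has applied its offset and limit, so a results page can come back short or empty even though later pages hold viewable results; worth stating in the resource documentation so clients do not treat an empty page as the end of the results. searchSpaces starts before this hunk.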
...@@ -525,6 +529,7 @@ protected List<SearchResult> searchObjects(String keywords, String wikiName, Str ...@@ -525,6 +529,7 @@ protected List<SearchResult> searchObjects(String keywords, String wikiName, Str
String pageId = Utils.getPageId(wikiName, spaceName, pageName); String pageId = Utils.getPageId(wikiName, spaceName, pageName);
String pageFullName = Utils.getPageFullName(wikiName, spaceName, pageName); String pageFullName = Utils.getPageFullName(wikiName, spaceName, pageName);
/* Check if the user has the right to see the found document */
if (Utils.getXWikiApi(componentManager).hasAccessLevel("view", pageId)) { if (Utils.getXWikiApi(componentManager).hasAccessLevel("view", pageId)) {
Document doc = Utils.getXWikiApi(componentManager).getDocument(pageFullName); Document doc = Utils.getXWikiApi(componentManager).getDocument(pageFullName);
String title = doc.getDisplayTitle(); String title = doc.getDisplayTitle();
...@@ -698,6 +703,7 @@ protected List<SearchResult> searchDatabaseQuery(String query, String queryLangu ...@@ -698,6 +703,7 @@ protected List<SearchResult> searchDatabaseQuery(String query, String queryLangu
String pageId = Utils.getPageId(wikiName, spaceName, pageName); String pageId = Utils.getPageId(wikiName, spaceName, pageName);
String pageFullName = Utils.getPageFullName(wikiName, spaceName, pageName); String pageFullName = Utils.getPageFullName(wikiName, spaceName, pageName);
/* Check if the user has the right to see the found document */
if (Utils.getXWikiApi(componentManager).hasAccessLevel("view", pageId)) { if (Utils.getXWikiApi(componentManager).hasAccessLevel("view", pageId)) {
Document doc = Utils.getXWikiApi(componentManager).getDocument(pageFullName); Document doc = Utils.getXWikiApi(componentManager).getDocument(pageFullName);
String title = doc.getDisplayTitle(); String title = doc.getDisplayTitle();
...@@ -720,7 +726,14 @@ protected List<SearchResult> searchDatabaseQuery(String query, String queryLangu ...@@ -720,7 +726,14 @@ protected List<SearchResult> searchDatabaseQuery(String query, String queryLangu
searchResult.setAuthorName(Utils.getAuthorName(doc.getAuthor(), componentManager)); searchResult.setAuthorName(Utils.getAuthorName(doc.getAuthor(), componentManager));
} }
if (className != null && !className.equals("")) { /*
* In order to add object data to the result, view rights are not enough. Check for edit rights.
* Practical case: XWiki.Admin can be viewed by guest but the information stored in the
* XWiki.XWikiUsers objects (containing the password hash, for example) should not be exposed unless
* the user making the request has actually the right to modify it.
*/
if (className != null && !className.equals("")
&& Utils.getXWikiApi(componentManager).hasAccessLevel("edit", pageId)) {
BaseObject baseObject = Utils.getBaseObject(doc, className, 0, componentManager); BaseObject baseObject = Utils.getBaseObject(doc, className, 0, componentManager);
if (baseObject != null) if (baseObject != null)
searchResult.setObject(DomainObjectFactory.createObject(objectFactory, searchResult.setObject(DomainObjectFactory.createObject(objectFactory,
...@@ -849,92 +862,97 @@ protected List<SearchResult> searchLucene(String query, String defaultWikiName, ...@@ -849,92 +862,97 @@ protected List<SearchResult> searchLucene(String query, String defaultWikiName,
String wikiName = luceneSearchResult.getWiki(); String wikiName = luceneSearchResult.getWiki();
String spaceName = luceneSearchResult.getSpace(); String spaceName = luceneSearchResult.getSpace();
String pageName = luceneSearchResult.getName(); String pageName = luceneSearchResult.getName();
String pageFullName = Utils.getPageFullName(wikiName, spaceName, pageName); String pageId = Utils.getPageId(wikiName, spaceName, pageName);
Document doc = Utils.getXWikiApi(componentManager).getDocument(pageFullName);
String title = doc.getDisplayTitle(); /* Check if the user has the right to see the found document */
if (Utils.getXWikiApi(componentManager).hasAccessLevel("view", pageId)) {
SearchResult searchResult = objectFactory.createSearchResult(); String pageFullName = Utils.getPageFullName(wikiName, spaceName, pageName);
Document doc = Utils.getXWikiApi(componentManager).getDocument(pageFullName);
String title = doc.getDisplayTitle();
SearchResult searchResult = objectFactory.createSearchResult();
searchResult.setPageFullName(pageFullName);
searchResult.setTitle(title);
searchResult.setWiki(wikiName);
searchResult.setSpace(spaceName);
searchResult.setPageName(pageName);
searchResult.setVersion(doc.getVersion());
/*
* Check if the result is a page or an attachment, and fill the corresponding fields in the
* result accordingly.
*/
if (luceneSearchResult.getType().equals(LucenePlugin.DOCTYPE_WIKIPAGE)) {
searchResult.setType("page");
searchResult.setId(Utils.getPageId(wikiName, spaceName, pageName));
} else {
searchResult.setType("file");
searchResult.setId(String.format("%s@%s", Utils.getPageId(wikiName, pageFullName),
luceneSearchResult.getFilename()));
searchResult.setFilename(luceneSearchResult.getFilename());
searchResult.setPageFullName(pageFullName); String attachmentUri =
searchResult.setTitle(title); UriBuilder
searchResult.setWiki(wikiName); .fromUri(this.uriInfo.getBaseUri())
searchResult.setSpace(spaceName); .path(AttachmentResource.class)
searchResult.setPageName(pageName); .buildFromEncoded(URLEncoder.encode(wikiName, "UTF-8"),
searchResult.setVersion(doc.getVersion()); URLEncoder.encode(spaceName, "UTF-8"), URLEncoder.encode(pageName, "UTF-8"),
URLEncoder.encode(luceneSearchResult.getFilename(), "UTF-8")).toString();
/* Link attachmentLink = new Link();
* Check if the result is a page or an attachment, and fill the corresponding fields in the result attachmentLink.setHref(attachmentUri);
* accordingly. attachmentLink.setRel(Relations.ATTACHMENT_DATA);
*/ searchResult.getLinks().add(attachmentLink);
if (luceneSearchResult.getType().equals(LucenePlugin.DOCTYPE_WIKIPAGE)) { }
searchResult.setType("page");
searchResult.setId(Utils.getPageId(wikiName, spaceName, pageName));
} else {
searchResult.setType("file");
searchResult.setId(String.format("%s@%s", Utils.getPageId(wikiName, pageFullName),
luceneSearchResult.getFilename()));
searchResult.setFilename(luceneSearchResult.getFilename());
String attachmentUri =
UriBuilder
.fromUri(this.uriInfo.getBaseUri())
.path(AttachmentResource.class)
.buildFromEncoded(URLEncoder.encode(wikiName, "UTF-8"),
URLEncoder.encode(spaceName, "UTF-8"), URLEncoder.encode(pageName, "UTF-8"),
URLEncoder.encode(luceneSearchResult.getFilename(), "UTF-8")).toString();
Link attachmentLink = new Link();
attachmentLink.setHref(attachmentUri);
attachmentLink.setRel(Relations.ATTACHMENT_DATA);
searchResult.getLinks().add(attachmentLink);
}
searchResult.setScore(luceneSearchResult.getScore()); searchResult.setScore(luceneSearchResult.getScore());
searchResult.setAuthor(luceneSearchResult.getAuthor()); searchResult.setAuthor(luceneSearchResult.getAuthor());
Calendar calendar = Calendar.getInstance(); Calendar calendar = Calendar.getInstance();
calendar.setTime(doc.getDate()); calendar.setTime(doc.getDate());
searchResult.setModified(calendar); searchResult.setModified(calendar);
if (withPrettyNames) { if (withPrettyNames) {
searchResult searchResult.setAuthorName(Utils.getAuthorName(luceneSearchResult.getAuthor(),
.setAuthorName(Utils.getAuthorName(luceneSearchResult.getAuthor(), componentManager)); componentManager));
} }
String language = luceneSearchResult.getLanguage(); String language = luceneSearchResult.getLanguage();
if (language.equals("default")) { if (language.equals("default")) {
language = ""; language = "";
} }
String pageUri = null; String pageUri = null;
try { try {
if (StringUtils.isBlank(language)) { if (StringUtils.isBlank(language)) {
pageUri = pageUri =
UriBuilder UriBuilder
.fromUri(this.uriInfo.getBaseUri()) .fromUri(this.uriInfo.getBaseUri())
.path(PageResource.class) .path(PageResource.class)
.buildFromEncoded(URLEncoder.encode(wikiName, "UTF-8"), .buildFromEncoded(URLEncoder.encode(wikiName, "UTF-8"),
URLEncoder.encode(spaceName, "UTF-8"), URLEncoder.encode(pageName, "UTF-8")) URLEncoder.encode(spaceName, "UTF-8"), URLEncoder.encode(pageName, "UTF-8"))
.toString(); .toString();
} else { } else {
searchResult.setLanguage(language); searchResult.setLanguage(language);
pageUri = pageUri =
UriBuilder UriBuilder
.fromUri(this.uriInfo.getBaseUri()) .fromUri(this.uriInfo.getBaseUri())
.path(PageTranslationResource.class) .path(PageTranslationResource.class)
.buildFromEncoded(URLEncoder.encode(wikiName, "UTF-8"), .buildFromEncoded(URLEncoder.encode(wikiName, "UTF-8"),
URLEncoder.encode(spaceName, "UTF-8"), URLEncoder.encode(pageName, "UTF-8"), URLEncoder.encode(spaceName, "UTF-8"),
language).toString(); URLEncoder.encode(pageName, "UTF-8"), language).toString();
}
} catch (UnsupportedEncodingException ex) {
// This should never happen, UTF-8 is always valid.
} }
} catch (UnsupportedEncodingException ex) {
// This should never happen, UTF-8 is always valid.
}
Link pageLink = new Link(); Link pageLink = new Link();
pageLink.setHref(pageUri); pageLink.setHref(pageUri);
pageLink.setRel(Relations.PAGE); pageLink.setRel(Relations.PAGE);
searchResult.getLinks().add(pageLink); searchResult.getLinks().add(pageLink);
result.add(searchResult); result.add(searchResult);
}
} }
} catch (Exception e) { } catch (Exception e) {
throw new XWikiException(XWikiException.MODULE_XWIKI, XWikiException.ERROR_XWIKI_UNKNOWN, throw new XWikiException(XWikiException.MODULE_XWIKI, XWikiException.ERROR_XWIKI_UNKNOWN,