Filter cohorts and concepts but read permissions - penultimate draft pull request

.gitignore

@@ -12,6 +12,7 @@ sandbox/
 /nbactions*.xml
 *~
 .DS_Store
+.factorypath
 
 ### Developer's personal properties ###
 **/resources/config/application*-dev-*.properties

Makefile

@@ -1,56 +1,21 @@
 compile:
-	mvn clean
-	mvn compile -Pwebapi-postgresql-laertes
+	mvn clean compile -DskipUnitTests -DskipITtests -s WebAPIConfig/settings.xml -P webapi-postgresql
 
 package: compile
-	mvn package -Pwebapi-postgresql-laertes
+	mvn package -DskipUnitTests -DskipITtests -s WebAPIConfig/settings.xml -P webapi-postgresql
 
-deploy: package 
-	sudo service tomcat7 stop
-	sleep 4
-	sudo rm -rf /var/lib/tomcat7/webapps/WebAPI*
-	sudo cp -r target/WebAPI.war  /var/lib/tomcat7/webapps/
-	sudo chown tomcat7 /var/lib/tomcat7/webapps/WebAPI.war
-	sudo chgrp tomcat7 /var/lib/tomcat7/webapps/WebAPI.war
-	sudo service tomcat7 start
+deploy: package
+	/home/ubuntu/Downloads/apache-tomcat-8.5.84-DEV/bin/shutdown.sh 
+	mv /home/ubuntu/Downloads/apache-tomcat-8.5.84-DEV/webapps/WebAPI /mnt/disk1/webapi-dev-tmp/WebAPI-FOLDER-`date +%m%d%H%S`
+	mv /home/ubuntu/Downloads/apache-tomcat-8.5.84-DEV/webapps/WebAPI.war /mnt/disk1/webapi-dev-tmp/WebAPI.war-`date +%m%d%H%S`
+	mv target/WebAPI.war /home/ubuntu/Downloads/apache-tomcat-8.5.84-DEV/webapps/
+	/home/ubuntu/Downloads/apache-tomcat-8.5.84-DEV/bin/startup.sh
 
 git-push:
-	git push myfork master
+	git push
 
 test:
-	wget -O tests/test-general-evidence.json "http://localhost:8080/WebAPI/LAERTES_CDM/evidence/752061"
-	wget -O tests/test-drug-hoi.json "http://localhost:8080/WebAPI/LAERTES_CDM/evidence/drughoi/752061-374013"
-	wget -O tests/test-drug.json "http://localhost:8080/WebAPI/LAERTES_CDM/evidence/drug/752061"
-	wget -O tests/test-hoi.json "http://localhost:8080/WebAPI/LAERTES_CDM/evidence/hoi/320073"
-	wget -O tests/test-info.json "http://localhost:8080/WebAPI/LAERTES_CDM/evidence/info"
-	wget -O tests/test-drug-hoi-eu-spc.json "http://localhost:8080/WebAPI/LAERTES_CDM/evidence/drughoi/904351-4190045" 
-	wget -O tests/test-drug-hoi-splicer.json "http://localhost:8080/WebAPI/LAERTES_CDM/evidence/drughoi/19133853-195588"
-	wget -O tests/test-drug-hoi-faers-counts-and-signals.json "http://localhost:8080/WebAPI/LAERTES_CDM/evidence/drughoi/1154343-433031"
-	wget -O tests/test-drug-hoi-pubmed-mesh-cr.json "http://localhost:8080/WebAPI/LAERTES_CDM/evidence/drughoi/1154343-433031" 
-	wget -O tests/test-drug-hoi-pubmed-mesh-clin-trial.json "http://localhost:8080/WebAPI/LAERTES_CDM/evidence/drughoi/789578-378144"
-	wget -O tests/test-drug-hoi-pubmed-mesh-other.json "http://localhost:8080/WebAPI/LAERTES_CDM/evidence/drughoi/19010482-316866"
-	wget -O tests/test-drug-hoi-semmed-cr.json "http://localhost:8080/WebAPI/LAERTES_CDM/evidence/drughoi/1112807-441202"
-	wget -O tests/test-drug-hoi-semmed-clin-trial.json "http://localhost:8080/WebAPI/LAERTES_CDM/evidence/drughoi/19059744-381591"
-	wget -O tests/test-drug-rollup-ingredient.json "http://localhost:8080/WebAPI/LAERTES_CDM/evidence/drugrollup/ingredient/1000632"
-	wget -O tests/test-drug-rollup-clin-drug.json "http://localhost:8080/WebAPI/LAERTES_CDM/evidence/drugrollup/clinicaldrug/19074181"
-	wget -O tests/test-drug-rollup-branded-drug.json "http://localhost:8080/WebAPI/LAERTES_CDM/evidence/drugrollup/brandeddrug/1000640"
-	wget -O tests/test-rdf-evidencesummary.json "http://localhost:8080/WebAPI/LAERTES_CDM/evidence/evidencesummary?conditionID=139900&drugID=1115008&evidenceGroup=Literature"
-	wget -O tests/test-rdf-evidencedetails.json "http://localhost:8080/WebAPI/LAERTES_CDM/evidence/evidencedetails?conditionID=24134&drugID=1115008&evidenceType=SPL_SPLICER_ADR"
+	wget -O /tmp/tests/test-drug-rollup-branded-drug.json "http://api.ohdsi.org/WebAPI/CS1/evidence/drugrollup/brandeddrug/1000640"
 
 test-public:
-	wget -O tests/test-general-evidence.json "http://api.ohdsi.org/WebAPI/CS1/evidence/1000640"
-	wget -O /tmp/tests/test-drug-hoi.json "http://api.ohdsi.org/WebAPI/CS1/evidence/drughoi/1000640-137682"
-	wget -O /tmp/tests/test-drug.json "http://api.ohdsi.org/WebAPI/CS1/evidence/drug/1000640"
-	wget -O /tmp/tests/test-hoi.json "http://api.ohdsi.org/WebAPI/CS1/evidence/hoi/320073"
-	wget -O /tmp/tests/test-info.json "http://api.ohdsi.org/WebAPI/CS1/evidence/info"
-	wget -O /tmp/tests/test-drug-hoi-eu-spc.json "http://api.ohdsi.org/WebAPI/CS1/evidence/drughoi/40239056-75053" 
-	wget -O /tmp/tests/test-drug-hoi-splicer.json "http://api.ohdsi.org/WebAPI/CS1/evidence/drughoi/19133853-195588"
-	wget -O /tmp/tests/test-drug-hoi-faers-counts-and-signals.json "http://api.ohdsi.org/WebAPI/CS1/evidence/drughoi/1154343-433031"
-	wget -O /tmp/tests/test-drug-hoi-pubmed-mesh-cr.json "http://api.ohdsi.org/WebAPI/CS1/evidence/drughoi/1154343-433031" 
-	wget -O /tmp/tests/test-drug-hoi-pubmed-mesh-clin-trial.json "http://api.ohdsi.org/WebAPI/CS1/evidence/drughoi/789578-378144"
-	wget -O /tmp/tests/test-drug-hoi-pubmed-mesh-other.json "http://api.ohdsi.org/WebAPI/CS1/evidence/drughoi/19010482-316866"
-	wget -O /tmp/tests/test-drug-hoi-semmed-cr.json "http://api.ohdsi.org/WebAPI/CS1/evidence/drughoi/1782521-45612000"
-	wget -O /tmp/tests/test-drug-hoi-semmed-clin-trial.json "http://api.ohdsi.org/WebAPI/CS1/evidence/drughoi/1303425-45616736"
-	wget -O /tmp/tests/test-drug-rollup-ingredient.json "http://api.ohdsi.org/WebAPI/CS1/evidence/drugrollup/ingredient/1000632"
-	wget -O /tmp/tests/test-drug-rollup-clin-drug.json "http://api.ohdsi.org/WebAPI/CS1/evidence/drugrollup/clinicaldrug/19074181"
 	wget -O /tmp/tests/test-drug-rollup-branded-drug.json "http://api.ohdsi.org/WebAPI/CS1/evidence/drugrollup/brandeddrug/1000640"

pom.xml

@@ -192,6 +192,11 @@
     <spring.datasource.hikari.register-mbeans>true</spring.datasource.hikari.register-mbeans>
     <spring.datasource.hikari.mbean-name>authDataSource</spring.datasource.hikari.mbean-name>
 
+    <!-- If defaultGlobalReadPermissions is set to true (default), then all users can see every artifact.  -->
+    <!-- If it is set to false, WebAPI will filter out the artifacts that a user does not explicitly have -->
+    <!-- read permissions to -->
+    <security.defaultGlobalReadPermissions>false</security.defaultGlobalReadPermissions>	
+
     <!-- EMBEDDED SERVER CONFIGURATION (ServerProperties) -->
     <server.port>8080</server.port>
     <server.ssl.key-store></server.ssl.key-store>

src/main/java/org/ohdsi/webapi/cohortcharacterization/CcController.java

@@ -42,9 +42,11 @@
 import org.ohdsi.webapi.versioning.dto.VersionUpdateDTO;
 import org.springframework.core.convert.ConversionService;
 import org.springframework.data.domain.Page;
+import org.springframework.data.domain.PageImpl;
 import org.springframework.data.domain.Pageable;
 import org.springframework.stereotype.Controller;
 import org.springframework.transaction.annotation.Transactional;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.web.bind.annotation.RequestBody;
 
 import javax.ws.rs.Consumes;
@@ -63,6 +65,7 @@
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.StringWriter;
+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
@@ -86,6 +89,9 @@ public class CcController {
     private CharacterizationChecker checker;
     private PermissionService permissionService;
 
+    @Value("#{'${security.defaultglobalreadpermissions}'.equals(false)}")
+    private boolean defaultglobalreadpermissions;
+
     public CcController(
             final CcService service,
             final FeAnalysisService feAnalysisService,
@@ -151,11 +157,28 @@ public CohortCharacterizationDTO copy(@PathParam("id") final Long id) {
     @Produces(MediaType.APPLICATION_JSON)
     @Consumes(MediaType.APPLICATION_JSON)
     public Page<CcShortDTO> list(@Pagination Pageable pageable) {
-        return service.getPage(pageable).map(entity -> {
-            CcShortDTO dto = convertCcToShortDto(entity);
-            permissionService.fillWriteAccess(entity, dto);
-            return dto;
-        });
+			if (defaultglobalreadpermissions == true) { // don't filter based on read permissions 
+				return service.getPage(pageable).map(entity -> {
+					CcShortDTO dto = convertCcToShortDto(entity);
+					permissionService.fillWriteAccess(entity, dto);
+					permissionService.fillReadAccess(entity, dto);
+					return dto;
+				});
+			} else { // filter out what the user does not have read access to
+			  List<CcShortDTO> dtolist = new ArrayList<CcShortDTO>();
+
+			  Page<CohortCharacterizationEntity> newpage = service.getPage(pageable);
+
+			  for (CohortCharacterizationEntity entity : newpage) {			    
+			    if(permissionService.hasReadAccess(entity)){
+			      CcShortDTO dto = convertCcToShortDto(entity);
+			      permissionService.fillWriteAccess(entity, dto);
+			      permissionService.fillReadAccess(entity, dto);
+			      dtolist.add(dto);
+			    } 
+			  }
+			  return new PageImpl<CcShortDTO>(dtolist, pageable, dtolist.size());
+			}
     }
 
     /**

src/main/java/org/ohdsi/webapi/estimation/EstimationController.java

@@ -22,6 +22,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.core.convert.support.GenericConversionService;
 import org.springframework.stereotype.Controller;
 
@@ -70,7 +71,10 @@ public class EstimationController {
   private final ScriptExecutionService executionService;
   private EstimationChecker checker;
   private PermissionService permissionService;
-
+
+  @Value("#{'${security.defaultglobalreadpermissions}'.equals(false)}")
+  private boolean defaultglobalreadpermissions;
+
   public EstimationController(EstimationService service,
                               GenericConversionService conversionService,
                               CommonGenerationSensitiveInfoService sensitiveInfoService,
@@ -97,14 +101,26 @@ public EstimationController(EstimationService service,
   @Path("/")
   @Produces(MediaType.APPLICATION_JSON)
   public List<EstimationShortDTO> getAnalysisList() {
-
-    return StreamSupport.stream(service.getAnalysisList().spliterator(), false)
-            .map(analysis -> {
-              EstimationShortDTO dto = conversionService.convert(analysis, EstimationShortDTO.class);
-              permissionService.fillWriteAccess(analysis, dto);
-              return dto;
-            })
-            .collect(Collectors.toList());
+    if (defaultglobalreadpermissions == true) { // don't filter based on read permissions 
+      return StreamSupport.stream(service.getAnalysisList().spliterator(), false)
+	.map(analysis -> {
+	    EstimationShortDTO dto = conversionService.convert(analysis, EstimationShortDTO.class);
+	    permissionService.fillWriteAccess(analysis, dto);
+	    permissionService.fillReadAccess(analysis, dto);
+	    return dto;
+	  })
+	.collect(Collectors.toList());
+    } else {
+      return StreamSupport.stream(service.getAnalysisList().spliterator(), false)
+	.filter(candidateEstimation -> permissionService.hasReadAccess(candidateEstimation))
+	.map(analysis -> {
+	    EstimationShortDTO dto = conversionService.convert(analysis, EstimationShortDTO.class);
+	    permissionService.fillWriteAccess(analysis, dto);
+	    permissionService.fillReadAccess(analysis, dto);
+	    return dto;
+	  })
+	.collect(Collectors.toList());
+    }
   }
 
   /**

src/main/java/org/ohdsi/webapi/pathway/PathwayController.java

@@ -25,15 +25,18 @@
 import org.ohdsi.webapi.versioning.dto.VersionDTO;
 import org.ohdsi.webapi.versioning.dto.VersionUpdateDTO;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.core.convert.ConversionService;
 import org.springframework.data.domain.Page;
+import org.springframework.data.domain.PageImpl;
 import org.springframework.data.domain.Pageable;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestBody;
 
 import javax.transaction.Transactional;
 import javax.ws.rs.*;
 import javax.ws.rs.core.MediaType;
+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
@@ -53,6 +56,9 @@ public class PathwayController {
 	private PathwayChecker checker;
 	private PermissionService permissionService;
 
+        @Value("#{'${security.defaultglobalreadpermissions}'.equals(false)}")
+        private boolean defaultglobalreadpermissions;
+
 	@Autowired
 	public PathwayController(ConversionService conversionService, ConverterUtils converterUtils, PathwayService pathwayService, SourceService sourceService, CommonGenerationSensitiveInfoService sensitiveInfoService, PathwayChecker checker, PermissionService permissionService, I18nService i18nService) {
 
@@ -156,13 +162,29 @@ public PathwayAnalysisDTO importAnalysis(final PathwayAnalysisExportDTO dto) {
 	@Consumes(MediaType.APPLICATION_JSON)
 	@Transactional
 	public Page<PathwayAnalysisDTO> list(@Pagination Pageable pageable) {
-
-		return pathwayService.getPage(pageable).map(pa -> {
-			PathwayAnalysisDTO dto = conversionService.convert(pa, PathwayAnalysisDTO.class);
-			permissionService.fillWriteAccess(pa, dto);
-			return dto;
-		});
+		if (defaultglobalreadpermissions == true) { // don't filter based on read permissions 
+			return pathwayService.getPage(pageable).map(pa -> {
+				PathwayAnalysisDTO dto = conversionService.convert(pa, PathwayAnalysisDTO.class);
+				permissionService.fillWriteAccess(pa, dto);
+				permissionService.fillReadAccess(pa, dto);
+				return dto;
+			});
+		} else { // filter out entities that the user does not have read permissions to view
+			List<PathwayAnalysisDTO> dtolist = new ArrayList<PathwayAnalysisDTO>();
+
+			Page<PathwayAnalysisEntity> newpage = pathwayService.getPage(pageable);
+			for (PathwayAnalysisEntity pa : newpage) {
+				if (permissionService.hasReadAccess(pa)) {
+					PathwayAnalysisDTO dto = conversionService.convert(pa, PathwayAnalysisDTO.class);
+					permissionService.fillWriteAccess(pa, dto);
+					permissionService.fillReadAccess(pa, dto);
+					dtolist.add(dto);
+				}
+			}
+			return new PageImpl<PathwayAnalysisDTO>(dtolist, pageable, dtolist.size());
+		}
 	}
+
 
 	/**
 	 * Check that a pathway analysis name exists.

src/main/java/org/ohdsi/webapi/prediction/PredictionController.java

@@ -21,6 +21,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.core.convert.support.GenericConversionService;
 import org.springframework.stereotype.Controller;
 
@@ -67,6 +68,9 @@ public class PredictionController {
 
   private PermissionService permissionService;
 
+  @Value("#{'${security.defaultglobalreadpermissions}'.equals(false)}")
+  private boolean defaultglobalreadpermissions;
+
   @Autowired
   public PredictionController(PredictionService service,
                               GenericConversionService conversionService,
@@ -93,26 +97,40 @@ public PredictionController(PredictionService service,
   @GET
   @Path("/")
   @Produces(MediaType.APPLICATION_JSON)
-  public List<CommonAnalysisDTO> getAnalysisList() {
-
-    return StreamSupport
-            .stream(service.getAnalysisList().spliterator(), false)
-            .map(analysis -> {
-              CommonAnalysisDTO dto = conversionService.convert(analysis, CommonAnalysisDTO.class);
-              permissionService.fillWriteAccess(analysis, dto);
-              return dto;
-            })
-            .collect(Collectors.toList());
-  }
-
-  /**
-   * Check to see if a prediction design exists by name
-   * 
-   * @summary Prediction design exists by name
-   * @param id The prediction design id
-   * @param name The prediction design name
-   * @return 1 if a prediction design with the given name and id exist in WebAPI and 0 otherwise
-   */
+	public List<CommonAnalysisDTO> getAnalysisList() {
+		if (defaultglobalreadpermissions == true) { // don't filter based on read permissions 
+			return StreamSupport
+					.stream(service.getAnalysisList().spliterator(), false)
+					.map(analysis -> {
+						CommonAnalysisDTO dto = conversionService.convert(analysis, CommonAnalysisDTO.class);
+						permissionService.fillWriteAccess(analysis, dto);
+						permissionService.fillReadAccess(analysis, dto);
+						return dto;
+					})
+					.collect(Collectors.toList());
+		} else {
+			return StreamSupport
+					.stream(service.getAnalysisList().spliterator(), false)
+					.filter(candidateAnalysis -> permissionService.hasReadAccess(candidateAnalysis))
+					.map(analysis -> {
+						CommonAnalysisDTO dto = conversionService.convert(analysis, CommonAnalysisDTO.class);
+						permissionService.fillWriteAccess(analysis, dto);
+						permissionService.fillReadAccess(analysis, dto);
+						return dto;
+					})
+					.collect(Collectors.toList());
+		}
+	}
+
+
+	/**
+	 * Check to see if a prediction design exists by name
+	 * 
+	 * @summary Prediction design exists by name
+	 * @param id The prediction design id
+	 * @param name The prediction design name
+	 * @return 1 if a prediction design with the given name and id exist in WebAPI and 0 otherwise
+	 */
   @GET
   @Path("/{id}/exists")
   @Produces(MediaType.APPLICATION_JSON)

src/main/java/org/ohdsi/webapi/security/PermissionController.java

@@ -92,17 +92,22 @@ public List<RoleDTO> listAccessesForEntity(@QueryParam("roleSearch") String role
      * @throws Exception 
      */
     @GET
-    @Path("/access/{entityType}/{entityId}")
+    @Path("/access/{entityType}/{entityId}/{role}")
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     public List<RoleDTO> listAccessesForEntity(
             @PathParam("entityType") EntityType entityType,
-            @PathParam("entityId") Integer entityId
+            @PathParam("entityId") Integer entityId,
+	    @PathParam("role") String role
     ) throws Exception {
 
         permissionService.checkCommonEntityOwnership(entityType, entityId);
-
-        Set<String> permissionTemplates = permissionService.getTemplatesForType(entityType, AccessType.WRITE).keySet();
+	Set<String> permissionTemplates = null;
+	if (role == "WRITE") {
+	  permissionTemplates = permissionService.getTemplatesForType(entityType, AccessType.WRITE).keySet();
+	} else {
+	  permissionTemplates = permissionService.getTemplatesForType(entityType, AccessType.READ).keySet();
+	}
 
         List<String> permissions = permissionTemplates
                 .stream()