add REST method to know if user able to delete artifact on a repository

git-svn-id: https://svn.apache.org/repos/asf/archiva/trunk@1302367 13f79535-47bb-0310-9956-ffa450edef68

archiva-modules/archiva-web/archiva-rest/archiva-rest-api/src/main/java/org/apache/archiva/rest/api/services/RepositoriesService.java

@@ -121,5 +121,11 @@ public interface RepositoriesService
     Boolean deleteArtifact( @QueryParam( "" ) Artifact artifact, @QueryParam( "repositoryId" ) String repositoryId )
         throws ArchivaRestServiceException;
 
+    @Path( "isAuthorizedToDeleteArtifacts/{repositoryId}" )
+    @GET
+    @Produces( { MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML, MediaType.TEXT_PLAIN } )
+    @RedbackAuthorization( noPermission = true, noRestriction = true)
+    Boolean isAuthorizedToDeleteArtifacts( @PathParam( "repositoryId" ) String repoId )
+        throws ArchivaRestServiceException;
 
 }

archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/main/java/org/apache/archiva/rest/services/DefaultRepositoriesService.java

@@ -65,6 +65,7 @@ import org.apache.archiva.scheduler.indexing.DownloadRemoteIndexException;
 import org.apache.archiva.scheduler.indexing.DownloadRemoteIndexScheduler;
 import org.apache.archiva.scheduler.repository.RepositoryArchivaTaskScheduler;
 import org.apache.archiva.scheduler.repository.RepositoryTask;
+import org.apache.archiva.security.ArchivaSecurityException;
 import org.apache.archiva.security.common.ArchivaRoleConstants;
 import org.apache.archiva.xml.XMLException;
 import org.apache.commons.io.FilenameUtils;
@@ -85,6 +86,7 @@ import org.springframework.stereotype.Service;
 
 import javax.inject.Inject;
 import javax.inject.Named;
+import javax.ws.rs.core.Response;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
@@ -624,13 +626,17 @@ public class DefaultRepositoriesService
     public Boolean deleteArtifact( Artifact artifact, String repositoryId )
         throws ArchivaRestServiceException
     {
-        String userName = (String) getAuditInformation().getUser().getUsername();
-        if ( StringUtils.isBlank( userName ) )
-        {
-            // TODO use constants from a class instead of magic number
-            throw new ArchivaRestServiceException( "deleteArtifact call: userName not found", 403 );
 
+        if ( StringUtils.isEmpty( repositoryId ) )
+        {
+            throw new ArchivaRestServiceException( "repositoryId cannot be null", 400 );
         }
+
+        if ( !isAuthorizedToDeleteArtifacts( repositoryId ) )
+        {
+            throw new ArchivaRestServiceException( "not authorized to delete artifacts", 403 );
+        }
+
         if ( artifact == null )
         {
             throw new ArchivaRestServiceException( "artifact cannot be null", 400 );
@@ -646,11 +652,6 @@ public class DefaultRepositoriesService
             throw new ArchivaRestServiceException( "artifact.artifactId cannot be null", 400 );
         }
 
-        if ( StringUtils.isEmpty( repositoryId ) )
-        {
-            throw new ArchivaRestServiceException( "repositoryId cannot be null", 400 );
-        }
-
         // TODO more control on artifact fields
 
         RepositorySession repositorySession = repositorySessionFactory.createSession();
@@ -771,6 +772,24 @@ public class DefaultRepositoriesService
         return Boolean.TRUE;
     }
 
+    public Boolean isAuthorizedToDeleteArtifacts( String repoId )
+        throws ArchivaRestServiceException
+    {
+        String userName =
+            getAuditInformation().getUser() == null ? "guest" : getAuditInformation().getUser().getUsername();
+
+        try
+        {
+            boolean res = userRepositories.isAuthorizedToDeleteArtifacts( userName, repoId );
+            return res;
+        }
+        catch ( ArchivaSecurityException e )
+        {
+            throw new ArchivaRestServiceException( e.getMessage(),
+                                                   Response.Status.INTERNAL_SERVER_ERROR.getStatusCode() );
+        }
+    }
+
     public RepositoryScanStatistics scanRepositoryDirectoriesNow( String repositoryId )
         throws ArchivaRestServiceException
     {

archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/test/java/org/apache/archiva/rest/services/RepositoriesServiceTest.java

@@ -152,12 +152,52 @@ public class RepositoriesServiceTest
         }
     }
 
+    @Test
+    public void authorizedToDeleteArtifacts()
+        throws Exception
+    {
+        ManagedRepository managedRepository = getTestManagedRepository( "SOURCE_REPO_ID", "SOURCE_REPO_ID" );
+        try
+        {
+            getManagedRepositoriesService( authorizationHeader ).addManagedRepository( managedRepository );
+            RepositoriesService repositoriesService = getRepositoriesService( authorizationHeader );
+            assertTrue( repositoriesService.isAuthorizedToDeleteArtifacts( managedRepository.getId() ) );
+        }
+        finally
+        {
+            getManagedRepositoriesService( authorizationHeader ).deleteManagedRepository( managedRepository.getId(),
+                                                                                          true );
+        }
+    }
+
+    @Test
+    public void notAuthorizedToDeleteArtifacts()
+        throws Exception
+    {
+        ManagedRepository managedRepository = getTestManagedRepository( "SOURCE_REPO_ID", "SOURCE_REPO_ID" );
+        try
+        {
+            getManagedRepositoriesService( authorizationHeader ).addManagedRepository( managedRepository );
+            RepositoriesService repositoriesService = getRepositoriesService( guestAuthzHeader );
+            assertFalse( repositoriesService.isAuthorizedToDeleteArtifacts( managedRepository.getId() ) );
+        }
+        finally
+        {
+            getManagedRepositoriesService( authorizationHeader ).deleteManagedRepository( managedRepository.getId(),
+                                                                                          true );
+        }
+    }
+
+    protected ManagedRepository getTestManagedRepository( String id, String path )
+    {
+        String location = new File( FileUtil.getBasedir(), "target/" + path ).getAbsolutePath();
+        return new ManagedRepository( id, id, location, "default", true, true, true, "2 * * * * ?", null, false, 80, 80,
+                                      true, false );
+    }
 
     protected ManagedRepository getTestManagedRepository()
     {
-        String location = new File( FileUtil.getBasedir(), "target/test-repo" ).getAbsolutePath();
+        return getTestManagedRepository( "TEST", "test-repo" );
-        return new ManagedRepository( "TEST", "test", location, "default", true, true, true, "2 * * * * ?", null, false,
-                                      80, 80, true, false );
     }
 
 }

archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/archiva/security/DefaultUserRepositories.java

@@ -205,7 +205,7 @@ public class DefaultUserRepositories
     }
 
     public boolean isAuthorizedToDeleteArtifacts( String principal, String repoId )
-        throws AccessDeniedException, ArchivaSecurityException
+        throws ArchivaSecurityException
     {
         try
         {