Commit 4dd1fc01 authored by Keith Jolley's avatar Keith Jolley

Submitter accounts may only edit or delete isolate records for which they are the sender.

parent f98af405
...@@ -172,6 +172,10 @@ sub _insert { ...@@ -172,6 +172,10 @@ sub _insert {
my $extra_inserts = []; my $extra_inserts = [];
my @tables = qw(accession loci locus_aliases locus_descriptions profile_refs scheme_fields scheme_group_group_members my @tables = qw(accession loci locus_aliases locus_descriptions profile_refs scheme_fields scheme_group_group_members
sequences sequence_bin sequence_refs); sequences sequence_bin sequence_refs);
if ( defined $newdata->{'isolate_id'} && !$self->is_allowed_to_view_isolate( $newdata->{'isolate_id'} ) ) {
return; #Problem will be reported in CuratePage::create_record_table.
}
if ( any { $table eq $_ } @tables ) { if ( any { $table eq $_ } @tables ) {
my $method = "_check_$table"; my $method = "_check_$table";
......
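Review bot: The bare `return;` on the new isolate_id guard makes a failed authorization check indistinguishable, for this function's caller and in the logs, from an ordinary early exit, and the comment delegates the user-facing message to a different class. A submitter submitting data against an isolate they are not the sender of is exactly the event an operator wants recorded, so log it before returning, e.g. `$logger->warn("Attempt to insert into $table for inaccessible isolate id-$newdata->{'isolate_id'}");` if a logger is in scope in this file. Whether the caller treats an undef return as "nothing inserted" cannot be seen here, so please confirm it does not fall through to a success path. `_insert` begins before this hunk and continues past it.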
...@@ -884,6 +884,22 @@ sub _check_data_duplicates { ...@@ -884,6 +884,22 @@ sub _check_data_duplicates {
return; return;
} }
#sub _check_allowed_to_modify_isolate {
# my ( $self, $arg_ref ) = @_;
# return if $self->{'system'}->{'dbtype'} ne 'isolates';
# my $pk_combination = $arg_ref->{'pk_combination'};
# my $value = ${ $arg_ref->{'value'} };
# if ($arg_ref->{'field'} eq 'isolate_id'){
# if (!$self->is_allowed_to_view_isolate( $value)){
# my $problem_text = "isolate id-$value is not accessible.<br />";
# $arg_ref->{'problems'}->{$pk_combination} .= $problem_text
# if !defined $arg_ref->{'problems'}->{$pk_combination} || $arg_ref->{'problems'}->{$pk_combination} !~ /$problem_text/;
# ${ $arg_ref->{'special_problem'} } = 1;
# }
# }
# return;
#}
sub _check_data_allele_designations { sub _check_data_allele_designations {
#special case to check for allele id format and regex which is defined in loci table #special case to check for allele id format and regex which is defined in loci table
......
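Review bot: The commented-out `_check_allowed_to_modify_isolate` should be deleted rather than committed as dead code; version control already preserves it, and a 15-line block of `#` lines between two live subs is noise for the next reader. If it is intentionally parked, replace it with one line such as `# TODO: per-isolate access check now done in CuratePage::create_record_table and _insert; remove this stub once confirmed.` Note that if it is ever revived, the deduplication test `!~ /$problem_text/` interpolates an unescaped string into a regex, so use `\Q$problem_text\E` or `index` instead.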
...@@ -94,7 +94,7 @@ sub print_content { ...@@ -94,7 +94,7 @@ sub print_content {
} }
} elsif ( $system->{'dbtype'} eq 'sequences' ) { } elsif ( $system->{'dbtype'} eq 'sequences' ) {
foreach (qw (locus_descriptions scheme_curators locus_curators sequences accession sequence_refs profiles profile_refs)) { foreach (qw (locus_descriptions scheme_curators locus_curators sequences accession sequence_refs profiles profile_refs)) {
if ( $self->can_modify_table($_) || $_ eq 'profiles' ) { #profile permissions handled by ACL if ( $self->can_modify_table($_) || $_ eq 'profiles' ) {
my $function = "_print_$_"; my $function = "_print_$_";
try { try {
my ( $temp_buffer, $returned_td ) = $self->$function( $td, $set_string ); my ( $temp_buffer, $returned_td ) = $self->$function( $td, $set_string );
......
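Review bot: Dropping the trailing comment on the `|| $_ eq 'profiles'` condition leaves an unexplained bypass of `can_modify_table` in the new code, which is the kind of line a future reader is likely to "fix" by removing the special case. Keep the rationale on the line, e.g. `if ( $self->can_modify_table($_) || $_ eq 'profiles' ) {    #profile permissions are checked per scheme by ACL, not by can_modify_table`, adjusting the wording if the ACL mechanism has changed. `print_content` begins before this hunk.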
...@@ -45,16 +45,13 @@ sub print_content { ...@@ -45,16 +45,13 @@ sub print_content {
} }
my $data = $self->{'datastore'}->get_isolate_field_values($id); my $data = $self->{'datastore'}->get_isolate_field_values($id);
if ( !$data ) { if ( !$data ) {
say qq(<div class="box" id="statusbad"><p>No record with id = $id exists.</p></div>); say qq(<div class="box" id="statusbad"><p>No record with id-$id exists or your account is not allowed to delete it.</p></div>);
return; return;
} }
if ( !$self->can_modify_table('isolates') ) { if ( !$self->can_modify_table('isolates') ) {
say qq(<div class="box" id="statusbad"><p>Your user account is not allowed to delete records to the isolates table.</p></div>); say qq(<div class="box" id="statusbad"><p>Your user account is not allowed to delete records in the isolates table.</p></div>);
return; return;
} elsif ( !$self->is_allowed_to_view_isolate($id) ) { }
say qq(<div class="box" id="statusbad"><p>Your user account is not allowed to delete this isolate record.</p></div>);
return;
}
$buffer .= qq(<div class="box" id="resultstable">\n); $buffer .= qq(<div class="box" id="resultstable">\n);
$buffer .= "<p>You have selected to delete the following record:</p>"; $buffer .= "<p>You have selected to delete the following record:</p>";
$buffer .= $q->start_form; $buffer .= $q->start_form;
......
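Review bot: Removing the explicit `is_allowed_to_view_isolate($id)` branch makes the per-record authorization for deletion depend entirely on `get_isolate_field_values($id)` returning nothing for an inaccessible id, a property of a helper defined elsewhere that this hunk does not show. If that helper reads from the base `isolates` table rather than `$self->{'system'}->{'view'}`, or is later changed to, a submitter regains the ability to reach the confirmation form for any isolate. Keeping the cheap explicit check as defence in depth costs one branch: `} elsif ( !$self->is_allowed_to_view_isolate($id) ) { say qq(<div class="box" id="statusbad"><p>Your user account is not allowed to delete this isolate record.</p></div>); return; }`. The DELETE that runs on form submission lies outside this hunk; it also needs to be scoped to the view or to `sender`, since the check here only protects the confirmation page.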
...@@ -75,7 +75,13 @@ sub print_content { ...@@ -75,7 +75,13 @@ sub print_content {
my $data = $sql->fetchrow_hashref; my $data = $sql->fetchrow_hashref;
$self->add_existing_metadata_to_hashref($data); $self->add_existing_metadata_to_hashref($data);
if ( !$data->{'id'} ) { if ( !$data->{'id'} ) {
say "<div class=\"box\" id=\"statusbad\"><p>No record with id = " . $q->param('id') . " exists.</p></div>"; my $exists_in_isolates_table =
$self->{'datastore'}->run_query( "SELECT EXISTS(SELECT * FROM isolates WHERE id=?)", $q->param('id') );
if ($exists_in_isolates_table) {
say qq(<div class="box" id="statusbad"><p>Isolate id-) . $q->param('id') . qq( is not accessible from your account.</p></div>);
} else {
say qq(<div class="box" id="statusbad"><p>No record with id-) . $q->param('id') . qq( exists.</p></div>);
}
return; return;
} }
if ( $q->param('sent') ) { if ( $q->param('sent') ) {
......
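Review bot: The new `run_query(..., $q->param('id'))` call evaluates the CGI parameter in list context, so a request carrying `id` twice passes both values as separate arguments to run_query instead of one bind value; read it once into a scalar, `my $id = scalar $q->param('id');`, and use `$id` in both the query and the messages. Both new `say` lines interpolate that same request parameter into HTML unescaped, which is a reflected-XSS pattern if the id fails the lookup for any reason other than being a well-formed integer, so either validate it as an integer first or HTML-escape it in the message. Note also that the `SELECT EXISTS(... FROM isolates ...)` against the base table tells a submitter whether an id exists outside their view, an existence oracle the view-based restriction otherwise avoids; that may be an acceptable usability trade-off, but it deserves a comment. `print_content` begins before this hunk and continues past it.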
...@@ -51,7 +51,11 @@ sub create_record_table { ...@@ -51,7 +51,11 @@ sub create_record_table {
my ( $self, $table, $newdata, $options ) = @_; my ( $self, $table, $newdata, $options ) = @_;
$options = {} if ref $options ne 'HASH'; $options = {} if ref $options ne 'HASH';
if ( ref $newdata ne 'HASH' ) { if ( ref $newdata ne 'HASH' ) {
say "<div class=\"box\" id=\"statusbad\"><p>Record doesn't exist.</p></div>"; say qq(<div class="box" id="statusbad"><p>Record doesn't exist.</p></div>);
return '';
} elsif ( defined $newdata->{'isolate_id'} && !$self->is_allowed_to_view_isolate( $newdata->{'isolate_id'} ) ) {
say qq(<div class="box" id="statusbad"><p>Your account is not allowed to modify values for isolate id-$newdata->{'isolate_id'}.)
. qq(</p></div>);
return ''; return '';
} }
my $q = $self->{'cgi'}; my $q = $self->{'cgi'};
...@@ -614,7 +618,7 @@ sub _create_extra_fields_for_loci { ...@@ -614,7 +618,7 @@ sub _create_extra_fields_for_loci {
my ( $self, $newdata_ref, $width ) = @_; my ( $self, $newdata_ref, $width ) = @_;
my $q = $self->{'cgi'}; my $q = $self->{'cgi'};
my $buffer = ''; my $buffer = '';
if ($self->{'system'}->{'dbtype'} eq 'sequences'){ if ( $self->{'system'}->{'dbtype'} eq 'sequences' ) {
my $attributes = $self->{'datastore'}->get_table_field_attributes('locus_descriptions'); my $attributes = $self->{'datastore'}->get_table_field_attributes('locus_descriptions');
if ( defined $newdata_ref->{'id'} ) { if ( defined $newdata_ref->{'id'} ) {
my $desc_ref = my $desc_ref =
...@@ -1082,14 +1086,19 @@ sub _is_field_bad_other { ...@@ -1082,14 +1086,19 @@ sub _is_field_bad_other {
#Make sure a foreign key value exists in foreign table #Make sure a foreign key value exists in foreign table
if ( $thisfield->{'foreign_key'} ) { if ( $thisfield->{'foreign_key'} ) {
my $qry = "SELECT COUNT(*) FROM $thisfield->{'foreign_key'} WHERE id=?"; my $qry;
my $sql = $self->{'db'}->prepare($qry); if ( $fieldname eq 'isolate_id' ) {
$qry = "SELECT EXISTS(SELECT * FROM $self->{'system'}->{'view'} WHERE id=?)";
} else {
$qry = "SELECT EXISTS(SELECT * FROM $thisfield->{'foreign_key'} WHERE id=?)";
}
$value = $self->map_locus_name($value) if $fieldname eq 'locus'; $value = $self->map_locus_name($value) if $fieldname eq 'locus';
eval { $sql->execute($value) }; my $exists = $self->{'datastore'}->run_query( $qry, $value, { cache => "CuratePage::is_field_bad_other:$fieldname" } );
$logger->error($@) if $@;
my ($exists) = $sql->fetchrow_array;
if ( !$exists ) { if ( !$exists ) {
return "value '$value' does not exist in $thisfield->{foreign_key} table"; if ( $thisfield->{'foreign_key'} eq 'isolates' && $self->{'system'}->{'view'} ne 'isolates' ) {
return "value '$value' does not exist in isolates table or is not accessible to your account";
}
return "value '$value' does not exist in $thisfield->{'foreign_key'} table";
} }
} }
return 0; return 0;
......
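Review bot: In the `create_record_table` hunk the new error message interpolates `$newdata->{'isolate_id'}` straight into HTML; if that value originates from a form parameter, as the rest of `$newdata` appears to, a non-numeric value that fails `is_allowed_to_view_isolate` is reflected unescaped, so validate it as an integer before the check or HTML-escape it in the message. In `_is_field_bad_other` the view-scoped query is selected on `$fieldname eq 'isolate_id'` while the access-aware message is selected on `$thisfield->{'foreign_key'} eq 'isolates'`, so a field with one property but not the other gets a mismatched query and message; keying both branches on the foreign key, `if ( $thisfield->{'foreign_key'} eq 'isolates' ) {`, keeps them consistent. Both enclosing subs begin before their hunks.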
...@@ -99,7 +99,7 @@ sub get_user_string { ...@@ -99,7 +99,7 @@ sub get_user_string {
sub get_user_info_from_username { sub get_user_info_from_username {
my ( $self, $user_name ) = @_; my ( $self, $user_name ) = @_;
return if !defined $user_name; return if !defined $user_name;
return $self->run_query( "SELECT first_name,surname,affiliation,email FROM users WHERE user_name=?", return $self->run_query( "SELECT * FROM users WHERE user_name=?",
$user_name, { fetch => 'row_hashref', cache => 'get_user_info_from_username' } ); $user_name, { fetch => 'row_hashref', cache => 'get_user_info_from_username' } );
} }
......
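Review bot: Widening `get_user_info_from_username` from four named columns to `SELECT *` means the cached hashref now carries every current and future column of `users` to every caller, which is the opposite of data minimization for a record that is handed around page code. The new callers in this commit only need `id` and `status` in addition to the original fields, so list them explicitly: `SELECT id,user_name,status,first_name,surname,affiliation,email FROM users WHERE user_name=?`. That keeps any later addition of a sensitive column to `users` from silently flowing into templates and logs.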
...@@ -64,7 +64,7 @@ use constant SUBMITTER_ALLOWED_PERMISSIONS => qw(modify_isolates modify_sequence ...@@ -64,7 +64,7 @@ use constant SUBMITTER_ALLOWED_PERMISSIONS => qw(modify_isolates modify_sequence
our @EXPORT_OK = qw(SEQ_METHODS SEQ_FLAGS ALLELE_FLAGS SEQ_STATUS DIPLOID HAPLOID DATABANKS FLANKING LOCUS_PATTERN our @EXPORT_OK = qw(SEQ_METHODS SEQ_FLAGS ALLELE_FLAGS SEQ_STATUS DIPLOID HAPLOID DATABANKS FLANKING LOCUS_PATTERN
SUBMITTER_ALLOWED_PERMISSIONS); SUBMITTER_ALLOWED_PERMISSIONS);
sub new { ## no critic (RequireArgUnpacking) sub new { ## no critic (RequireArgUnpacking)
my $class = shift; my $class = shift;
my $self = {@_}; my $self = {@_};
$self->{'prefs'} = {}; $self->{'prefs'} = {};
...@@ -204,7 +204,7 @@ sub print_page_content { ...@@ -204,7 +204,7 @@ sub print_page_content {
} }
} else { } else {
$self->initiate_prefs; $self->initiate_prefs;
$self->initiate_view( $self->{'username'}, $self->{'curate'} ); $self->initiate_view( $self->{'username'} );
} }
$q->charset('UTF-8'); $q->charset('UTF-8');
if ( $self->{'type'} ne 'xhtml' ) { if ( $self->{'type'} ne 'xhtml' ) {
...@@ -598,6 +598,7 @@ sub get_metaset_and_fieldname { ...@@ -598,6 +598,7 @@ sub get_metaset_and_fieldname {
sub add_existing_metadata_to_hashref { sub add_existing_metadata_to_hashref {
my ( $self, $data ) = @_; my ( $self, $data ) = @_;
return if !defined $data->{'id'};
my $metadata_list = $self->{'xmlHandler'}->get_metadata_list; my $metadata_list = $self->{'xmlHandler'}->get_metadata_list;
foreach my $metadata_set (@$metadata_list) { foreach my $metadata_set (@$metadata_list) {
my $metadata = my $metadata =
...@@ -2044,7 +2045,7 @@ sub _initiate_isolatedb_prefs { ...@@ -2044,7 +2045,7 @@ sub _initiate_isolatedb_prefs {
} }
sub initiate_view { sub initiate_view {
my ( $self, $username, $curate ) = @_; my ( $self, $username ) = @_;
return if ( $self->{'system'}->{'dbtype'} // '' ) ne 'isolates'; return if ( $self->{'system'}->{'dbtype'} // '' ) ne 'isolates';
my $set_id = $self->get_set_id; my $set_id = $self->get_set_id;
if ( defined $self->{'system'}->{'view'} && $set_id ) { if ( defined $self->{'system'}->{'view'} && $set_id ) {
...@@ -2053,6 +2054,15 @@ sub initiate_view { ...@@ -2053,6 +2054,15 @@ sub initiate_view {
$self->{'system'}->{'view'} = $set_view if $set_view; $self->{'system'}->{'view'} = $set_view if $set_view;
} }
} }
if ( $self->{'curate'} ) {
my $user_info = $self->{'datastore'}->get_user_info_from_username($username);
return if !$user_info;
if ( $user_info->{'status'} eq 'submitter' ) {
$self->{'db'}->do( "CREATE TEMPORARY VIEW temp_view AS SELECT * FROM $self->{'system'}->{'view'} WHERE sender=?",
undef, $user_info->{'id'} );
$self->{'system'}->{'view'} = 'temp_view';
}
}
return; return;
} }
......
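Review bot: In `initiate_view` the result of `$self->{'db'}->do( "CREATE TEMPORARY VIEW temp_view ..." )` is not checked, yet `$self->{'system'}->{'view'}` is unconditionally switched to `temp_view` afterwards. A temporary view lives for the database session, so if connections are reused across requests (mod_perl or any pooling) the second submitter on the same connection hits "relation already exists", and unless RaiseError is on they are silently pointed at the previous user's sender filter; and if the driver rejects a bind parameter inside DDL at all, the first submitter is pointed at a view that does not exist. Use `CREATE OR REPLACE TEMPORARY VIEW`, check the return (`... or $logger->logdie("Cannot create submitter view: " . $self->{'db'}->errstr);`), and only assign `temp_view` on success. `$user_info->{'status'}` should also be guarded with `// ''` before the `eq`, since an undefined status currently warns rather than failing closed.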
...@@ -340,7 +340,7 @@ sub print_content { ...@@ -340,7 +340,7 @@ sub print_content {
} }
} }
$plugin->initiate_prefs; $plugin->initiate_prefs;
$plugin->initiate_view( $self->{'username'}, $self->{'curate'} ); $plugin->initiate_view( $self->{'username'} );
$plugin->run; $plugin->run;
return; return;
} }
......