- }
- }
-
- perms = mapper.newInstance(API.PERMS);
- if(rlpd.isEmpty()) {
- return Result.ok(perms);
- }
- // Note: Mapper will restrict what can be viewed
- // if user is the same as that which is looked up, no filtering is required
- return mapper.perms(trans, rlpd.value,
- perms,
- !user.equals(trans.user()));
- }
-
- @ApiDoc(
- method = GET,
- path = "/authz/perms/role/:role",
- params = {"role|string|true"},
- expectedCode = 200,
- errorCodes = { 404,406 },
- text = { "List All Permissions that are granted to :role" }
- )
- @Override
- public Result<PERMS> getPermsByRole(AuthzTrans trans,String role) {
- final Validator v = new ServiceValidator();
- if(v.nullOrBlank("Role", role).err()) {
- return Result.err(Status.ERR_BadData,v.errs());
- }
-
- Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans, ques,role);
- if(rrdd.notOK()) {
- return Result.err(rrdd);
- }
-
- Result<NsDAO.Data> r = ques.mayUser(trans, trans.user(), rrdd.value, Access.read);
- if(r.notOK()) {
- return Result.err(r);
- }
-
- PERMS perms = mapper.newInstance(API.PERMS);
-
- Result<List<PermDAO.Data>> rlpd = ques.getPermsByRole(trans, role, trans.requested(force));
- if(rlpd.isOKhasData()) {
- // Note: Mapper will restrict what can be viewed
- return mapper.perms(trans, rlpd.value, perms, true);
- }
- return Result.ok(perms);
- }
-
- @ApiDoc(
- method = GET,
- path = "/authz/perms/ns/:ns",
- params = {"ns|string|true"},
- expectedCode = 200,
- errorCodes = { 404,406 },
- text = { "List All Permissions that are in Namespace :ns" }
- )
- @Override
- public Result<PERMS> getPermsByNS(AuthzTrans trans,String ns) {
- final Validator v = new ServiceValidator();
- if(v.nullOrBlank("NS", ns).err()) {
- return Result.err(Status.ERR_BadData,v.errs());
- }
-
- Result<NsDAO.Data> rnd = ques.deriveNs(trans, ns);
- if(rnd.notOK()) {
- return Result.err(rnd);
- }
-
- rnd = ques.mayUser(trans, trans.user(), rnd.value, Access.read);
- if(rnd.notOK()) {
- return Result.err(rnd);
- }
-
- Result<List<PermDAO.Data>> rlpd = ques.permDAO.readNS(trans, ns);
- if(rlpd.notOK()) {
- return Result.err(rlpd);
- }
-
- PERMS perms = mapper.newInstance(API.PERMS);
- if(!rlpd.isEmpty()) {
- // Note: Mapper will restrict what can be viewed
- return mapper.perms(trans, rlpd.value,perms, true);
- }
- return Result.ok(perms);
- }
-
- @ApiDoc(
- method = PUT,
- path = "/authz/perm/:type/:instance/:action",
- params = {"type|string|true",
- "instance|string|true",
- "action|string|true"},
- expectedCode = 200,
- errorCodes = { 404,406, 409 },
- text = { "Rename the Permission referenced by :type :instance :action, and "
- + "rename (copy/delete) to the Permission described in PermRequest" }
- )
- @Override
- public Result<Void> renamePerm(final AuthzTrans trans,REQUEST rreq, String origType, String origInstance, String origAction) {
- final Result<PermDAO.Data> newPd = mapper.perm(trans, rreq);
- final ServiceValidator v = new ServiceValidator();
- if(v.perm(newPd).err()) {
- return Result.err(Status.ERR_BadData,v.errs());
- }
-
- if (ques.mayUser(trans, trans.user(), newPd.value,Access.write).notOK()) {
- return Result.err(Status.ERR_Denied, "You do not have approval to change Permission [%s.%s|%s|%s]",
- newPd.value.ns,newPd.value.type,newPd.value.instance,newPd.value.action);
- }
-
- Result<NsSplit> nss = ques.deriveNsSplit(trans, origType);
- Result<List<PermDAO.Data>> origRlpd = ques.permDAO.read(trans, nss.value.ns, nss.value.name, origInstance, origAction);
-
- if(origRlpd.notOKorIsEmpty()) {
- return Result.err(Status.ERR_PermissionNotFound,
- "Permission [%s|%s|%s] does not exist",
- origType,origInstance,origAction);
- }
-
- PermDAO.Data origPd = origRlpd.value.get(0);
-
- if (!origPd.ns.equals(newPd.value.ns)) {
- return Result.err(Status.ERR_Denied, "Cannot change namespace with rename command. " +
- "<new type> must start with [" + origPd.ns + "]");
- }
-
- if ( origPd.type.equals(newPd.value.type) &&
- origPd.action.equals(newPd.value.action) &&
- origPd.instance.equals(newPd.value.instance) ) {
- return Result.err(Status.ERR_ConflictAlreadyExists, "New Permission must be different than original permission");
- }
-
- Set<String> origRoles = origPd.roles(false);
- if (!origRoles.isEmpty()) {
- Set<String> roles = newPd.value.roles(true);
- for (String role : origPd.roles) {
- roles.add(role);
- }
- }
-
- newPd.value.description = origPd.description;
-
- Result<Void> rv = null;
-
- rv = func.createPerm(trans, newPd.value, false);
- if (rv.isOK()) {
- rv = func.deletePerm(trans, origPd, true, false);
- }
- return rv;
- }
-
- @ApiDoc(
- method = PUT,
- path = "/authz/perm",
- params = {},
- expectedCode = 200,
- errorCodes = { 404,406 },
- text = { "Add Description Data to Perm" }
- )
- @Override
- public Result<Void> updatePermDescription(AuthzTrans trans, REQUEST from) {
- final Result<PermDAO.Data> pd = mapper.perm(trans, from);
- final ServiceValidator v = new ServiceValidator();
- if(v.perm(pd).err()) {
- return Result.err(Status.ERR_BadData,v.errs());
- }
- if(v.nullOrBlank("description", pd.value.description).err()) {
- return Result.err(Status.ERR_BadData,v.errs());
- }
- final PermDAO.Data perm = pd.value;
- if(ques.permDAO.read(trans, perm.ns, perm.type, perm.instance,perm.action).notOKorIsEmpty()) {
- return Result.err(Status.ERR_NotFound, "Permission [%s.%s|%s|%s] does not exist",
- perm.ns,perm.type,perm.instance,perm.action);
- }
-
- if (ques.mayUser(trans, trans.user(), perm, Access.write).notOK()) {
- return Result.err(Status.ERR_Denied, "You do not have approval to change Permission [%s.%s|%s|%s]",
- perm.ns,perm.type,perm.instance,perm.action);
- }
-
- Result<List<NsDAO.Data>> nsr = ques.nsDAO.read(trans, pd.value.ns);
- if(nsr.notOKorIsEmpty()) {
- return Result.err(nsr);
- }
-
- Result<Void> rdr = ques.permDAO.addDescription(trans, perm.ns, perm.type, perm.instance,
- perm.action, perm.description);
- if(rdr.isOK()) {
- return Result.ok();
- } else {
- return Result.err(rdr);
- }
-
- }
-
+
+ CachedRoleDAO roleDAO = ques.roleDAO();
+ Result<List<RoleDAO.Data>> rlrdd = roleDAO.read(trans, rdd);
+ if(rlrdd.notOK()) {
+ return Result.err(rlrdd);
+ } else {
+ if(!rlrdd.isEmpty()) {
+ rdd = rlrdd.value.get(0);
+ }
+ }
+
+ String eperm = pdd.encode();
+ rdd.perms(true).add(eperm);
+ Result<Void> rv = roleDAO.update(trans, rdd);
+ if(rv.notOK()) {
+ return rv;
+ }
+
+ CachedUserRoleDAO urDAO = ques.userRoleDAO();
+ UserRoleDAO.Data urdd = new UserRoleDAO.Data();
+ urdd.user = trans.user();
+ urdd.ns = rdd.ns;
+ urdd.rname = rdd.name;
+ urdd.role = rdd.fullName();
+ Result<List<UserRoleDAO.Data>> rlurdd = urDAO.read(trans, urdd);
+ if(rlurdd.notOK()) {
+ return Result.err(rlrdd);
+ } else if(rlurdd.isEmpty()) {
+ GregorianCalendar gc = trans.org().expiration(null, Expiration.UserInRole);
+ if(gc==null) {
+ return Result.err(Result.ERR_Policy,"Organzation does not grant Expiration for UserRole");
+ } else {
+ urdd.expires = gc.getTime();
+ }
+ Result<UserRoleDAO.Data> rurdd = urDAO.create(trans, urdd);
+ return Result.err(rurdd);
+ }
+ return rv;
+ } else {
+ return Result.err(Result.ERR_Security,"Only the User can create User Permissions");
+ }
+ } else {
+ // Does Perm Type exist as a Namespace?
+ if(newPd.value.type.isEmpty() || ques.nsDAO().read(trans, newPd.value.fullType()).isOKhasData()) {
+ return Result.err(Status.ERR_ConflictAlreadyExists,
+ "Permission Type exists as a Namespace");
+ }
+
+ Result<FutureDAO.Data> fd = mapper.future(trans, PermDAO.TABLE, rreq, newPd.value,false,
+ new Mapper.Memo() {
+ @Override
+ public String get() {
+ return "Create Permission [" +
+ newPd.value.fullType() + '|' +
+ newPd.value.instance + '|' +
+ newPd.value.action + ']';
+ }
+ },
+ new MayChange() {
+ private Result<NsDAO.Data> nsd;
+ @Override
+ public Result<?> mayChange() {
+ if (nsd==null) {
+ nsd = ques.mayUser(trans, trans.user(), newPd.value, Access.write);
+ }
+ return nsd;
+ }
+ });
+
+ Result<List<NsDAO.Data>> nsr = ques.nsDAO().read(trans, newPd.value.ns);
+ if (nsr.notOKorIsEmpty()) {
+ return Result.err(nsr);
+ }
+ switch(fd.status) {
+ case OK:
+ Result<String> rfc = func.createFuture(trans,fd.value,
+ newPd.value.fullType() + '|' + newPd.value.instance + '|' + newPd.value.action,
+ trans.user(),
+ nsr.value.get(0),
+ FUTURE_OP.C);
+ if (rfc.isOK()) {
+ return Result.err(Status.ACC_Future, "Perm [%s.%s|%s|%s] is saved for future processing",
+ newPd.value.ns,
+ newPd.value.type,
+ newPd.value.instance,
+ newPd.value.action);
+ } else {
+ return Result.err(rfc);
+ }
+ case Status.ACC_Now:
+ return func.createPerm(trans, newPd.value, true);
+ default:
+ return Result.err(fd);
+ }
+ }
+ }
+
+ @ApiDoc(
+ method = GET,
+ path = "/authz/perms/:type",
+ params = {"type|string|true"},
+ expectedCode = 200,
+ errorCodes = { 404,406 },
+ text = { "List All Permissions that match the :type element of the key" }
+ )
+ @Override
+ public Result<PERMS> getPermsByType(AuthzTrans trans, final String permType) {
+ final Validator v = new ServiceValidator();
+ if (v.nullOrBlank("PermType", permType).err()) {
+ return Result.err(Status.ERR_BadData,v.errs());
+ }
+
+ Result<List<PermDAO.Data>> rlpd = ques.getPermsByType(trans, permType);
+ if (rlpd.notOK()) {
+ return Result.err(rlpd);
+ }
+
+// We don't have instance & action for mayUserView... do we want to loop through all returned here as well as in mapper?
+// Result<NsDAO.Data> r;
+// if ((r = ques.mayUserViewPerm(trans, trans.user(), permType)).notOK())return Result.err(r);
+
+ PERMS perms = mapper.newInstance(API.PERMS);
+ if (!rlpd.isEmpty()) {
+ // Note: Mapper will restrict what can be viewed
+ return mapper.perms(trans, rlpd.value, perms, true);
+ }
+ return Result.ok(perms);
+ }
+
+ @ApiDoc(
+ method = GET,
+ path = "/authz/perms/:type/:instance/:action",
+ params = {"type|string|true",
+ "instance|string|true",
+ "action|string|true"},
+ expectedCode = 200,
+ errorCodes = { 404,406 },
+ text = { "List Permissions that match key; :type, :instance and :action" }
+ )
+ @Override
+ public Result<PERMS> getPermsByName(AuthzTrans trans, String type, String instance, String action) {
+ final Validator v = new ServiceValidator();
+ if (v.nullOrBlank("PermType", type).err()
+ || v.nullOrBlank("PermInstance", instance).err()
+ || v.nullOrBlank("PermAction", action).err()) {
+ return Result.err(Status.ERR_BadData,v.errs());
+ }
+
+ Result<List<PermDAO.Data>> rlpd = ques.getPermsByName(trans, type, instance, action);
+ if (rlpd.notOK()) {
+ return Result.err(rlpd);
+ }
+
+ PERMS perms = mapper.newInstance(API.PERMS);
+ if (!rlpd.isEmpty()) {
+ // Note: Mapper will restrict what can be viewed
+ return mapper.perms(trans, rlpd.value, perms, true);
+ }
+ return Result.ok(perms);
+ }
+
+ @ApiDoc(
+ method = GET,
+ path = "/authz/perms/user/:user",
+ params = {"user|string|true"},
+ expectedCode = 200,
+ errorCodes = { 404,406 },
+ text = { "List All Permissions that match user :user",
+ "<p>'user' must be expressed as full identity (ex: id@full.domain.com)</p>"}
+ )
+ @Override
+ public Result<PERMS> getPermsByUser(AuthzTrans trans, String user) {
+ final Validator v = new ServiceValidator();
+ if (v.nullOrBlank("User", user).err()) {
+ return Result.err(Status.ERR_BadData,v.errs());
+ }
+
+ Result<List<PermDAO.Data>> rlpd = ques.getPermsByUser(trans, user,
+ trans.requested(force));
+ if (rlpd.notOK()) {
+ return Result.err(rlpd);
+ }
+
+ PERMS perms = mapper.newInstance(API.PERMS);
+
+ if (rlpd.isEmpty()) {
+ return Result.ok(perms);
+ }
+ // Note: Mapper will restrict what can be viewed
+ // if user is the same as that which is looked up, no filtering is required
+ return mapper.perms(trans, rlpd.value,
+ perms,
+ !user.equals(trans.user()));
+ }
+
+ @ApiDoc(
+ method = GET,
+ path = "/authz/perms/user/:user/scope/:scope",
+ params = {"user|string|true","scope|string|true"},
+ expectedCode = 200,
+ errorCodes = { 404,406 },
+ text = { "List All Permissions that match user :user, filtered by NS (Scope)",
+ "<p>'user' must be expressed as full identity (ex: id@full.domain.com)</p>",
+ "<p>'scope' must be expressed as NSs separated by ':'</p>"
+ }
+ )
+ @Override
+ public Result<PERMS> getPermsByUserScope(AuthzTrans trans, String user, String[] scopes) {
+ final Validator v = new ServiceValidator();
+ if (v.nullOrBlank("User", user).err()) {
+ return Result.err(Status.ERR_BadData,v.errs());
+ }
+
+ Result<List<PermDAO.Data>> rlpd = ques.getPermsByUser(trans, user, trans.requested(force));
+ if (rlpd.notOK()) {
+ return Result.err(rlpd);
+ }
+
+ PERMS perms = mapper.newInstance(API.PERMS);
+
+ if (rlpd.isEmpty()) {
+ return Result.ok(perms);
+ }
+ // Note: Mapper will restrict what can be viewed
+ // if user is the same as that which is looked up, no filtering is required
+ return mapper.perms(trans, rlpd.value,
+ perms,
+ scopes,
+ !user.equals(trans.user()));
+ }
+
+ @ApiDoc(
+ method = POST,
+ path = "/authz/perms/user/:user",
+ params = {"user|string|true"},
+ expectedCode = 200,
+ errorCodes = { 404,406 },
+ text = { "List All Permissions that match user :user",
+ "<p>'user' must be expressed as full identity (ex: id@full.domain.com)</p>",
+ "",
+ "Present Queries as one or more Permissions (see ContentType Links below for format).",
+ "",
+ "If the Caller is Granted this specific Permission, and the Permission is valid",
+ " for the User, it will be included in response Permissions, along with",
+ " all the normal permissions on the 'GET' version of this call. If it is not",
+ " valid, or Caller does not have permission to see, it will be removed from the list",
+ "",
+ " *Note: This design allows you to make one call for all expected permissions",
+ " The permission to be included MUST be:",
+ " <user namespace>.access|:<ns|role|perm>[:key]|<create|read|write>",
+ " examples:",
+ " com.att.myns.access|:ns|write",
+ " com.att.myns.access|:role:myrole|create",
+ " com.att.myns.access|:perm:mytype:myinstance:myaction|read",
+ ""
+ }
+ )
+ @Override
+ public Result<PERMS> getPermsByUser(AuthzTrans trans, PERMS _perms, String user) {
+ PERMS perms = _perms;
+ final Validator v = new ServiceValidator();
+ if (v.nullOrBlank("User", user).err()) {
+ return Result.err(Status.ERR_BadData,v.errs());
+ }
+
+ //////////////
+ Result<List<PermDAO.Data>> rlpd = ques.getPermsByUser(trans, user,trans.requested(force));
+ if (rlpd.notOK()) {
+ return Result.err(rlpd);
+ }
+
+ /*//TODO
+ 1) See if allowed to query
+ 2) See if User is allowed
+ */
+ Result<List<PermDAO.Data>> in = mapper.perms(trans, perms);
+ if (in.isOKhasData()) {
+ List<PermDAO.Data> out = rlpd.value;
+ boolean ok;
+ for (PermDAO.Data pdd : in.value) {
+ ok = false;
+ if ("access".equals(pdd.type)) {
+ Access access = Access.valueOf(pdd.action);
+ String[] mdkey = Split.splitTrim(':',pdd.instance);
+ if (mdkey.length>1) {
+ String type = mdkey[1];
+ if ("role".equals(type)) {
+ if (mdkey.length>2) {
+ RoleDAO.Data rdd = new RoleDAO.Data();
+ rdd.ns=pdd.ns;
+ rdd.name=mdkey[2];
+ ok = ques.mayUser(trans, trans.user(), rdd, Access.read).isOK() && ques.mayUser(trans, user, rdd , access).isOK();
+ }
+ } else if ("perm".equals(type)) {
+ if (mdkey.length>4) { // also need instance/action
+ PermDAO.Data p = new PermDAO.Data();
+ p.ns=pdd.ns;
+ p.type=mdkey[2];
+ p.instance=mdkey[3];
+ p.action=mdkey[4];
+ ok = ques.mayUser(trans, trans.user(), p, Access.read).isOK() && ques.mayUser(trans, user, p , access).isOK();
+ }
+ } else if ("ns".equals(type)) {
+ NsDAO.Data ndd = new NsDAO.Data();
+ ndd.name=pdd.ns;
+ ok = ques.mayUser(trans, trans.user(), ndd, Access.read).isOK() && ques.mayUser(trans, user, ndd , access).isOK();
+ }
+ }
+ }
+ if (ok) {
+ out.add(pdd);
+ }
+ }
+ }
+
+ perms = mapper.newInstance(API.PERMS);
+ if (rlpd.isEmpty()) {
+ return Result.ok(perms);
+ }
+ // Note: Mapper will restrict what can be viewed
+ // if user is the same as that which is looked up, no filtering is required
+ return mapper.perms(trans, rlpd.value,
+ perms,
+ !user.equals(trans.user()));
+ }
+
+ @ApiDoc(
+ method = GET,
+ path = "/authz/perms/role/:role",
+ params = {"role|string|true"},
+ expectedCode = 200,
+ errorCodes = { 404,406 },
+ text = { "List All Permissions that are granted to :role" }
+ )
+ @Override
+ public Result<PERMS> getPermsByRole(AuthzTrans trans,String role) {
+ final Validator v = new ServiceValidator();
+ if (v.nullOrBlank("Role", role).err()) {
+ return Result.err(Status.ERR_BadData,v.errs());
+ }
+
+ Result<RoleDAO.Data> rrdd = RoleDAO.Data.decode(trans, ques,role);
+ if (rrdd.notOK()) {
+ return Result.err(rrdd);
+ }
+
+ Result<NsDAO.Data> r = ques.mayUser(trans, trans.user(), rrdd.value, Access.read);
+ if (r.notOK()) {
+ return Result.err(r);
+ }
+
+ PERMS perms = mapper.newInstance(API.PERMS);
+
+ Result<List<PermDAO.Data>> rlpd = ques.getPermsByRole(trans, role, trans.requested(force));
+ if (rlpd.isOKhasData()) {
+ // Note: Mapper will restrict what can be viewed
+ return mapper.perms(trans, rlpd.value, perms, true);
+ }
+ return Result.ok(perms);
+ }
+
+ @ApiDoc(
+ method = GET,
+ path = "/authz/perms/ns/:ns",
+ params = {"ns|string|true"},
+ expectedCode = 200,
+ errorCodes = { 404,406 },
+ text = { "List All Permissions that are in Namespace :ns" }
+ )
+ @Override
+ public Result<PERMS> getPermsByNS(AuthzTrans trans,String ns) {
+ final Validator v = new ServiceValidator();
+ if (v.nullOrBlank("NS", ns).err()) {
+ return Result.err(Status.ERR_BadData,v.errs());
+ }
+
+ Result<NsDAO.Data> rnd = ques.deriveNs(trans, ns);
+ if (rnd.notOK()) {
+ return Result.err(rnd);
+ }
+
+ rnd = ques.mayUser(trans, trans.user(), rnd.value, Access.read);
+ if (rnd.notOK()) {
+ return Result.err(rnd);
+ }
+
+ Result<List<PermDAO.Data>> rlpd = ques.permDAO().readNS(trans, ns);
+ if (rlpd.notOK()) {
+ return Result.err(rlpd);
+ }
+
+ PERMS perms = mapper.newInstance(API.PERMS);
+ if (!rlpd.isEmpty()) {
+ // Note: Mapper will restrict what can be viewed
+ return mapper.perms(trans, rlpd.value,perms, true);
+ }
+ return Result.ok(perms);
+ }
+
+ @ApiDoc(
+ method = PUT,
+ path = "/authz/perm/:type/:instance/:action",
+ params = {"type|string|true",
+ "instance|string|true",
+ "action|string|true"},
+ expectedCode = 200,
+ errorCodes = { 404,406, 409 },
+ text = { "Rename the Permission referenced by :type :instance :action, and "
+ + "rename (copy/delete) to the Permission described in PermRequest" }
+ )
+ @Override
+ public Result<Void> renamePerm(final AuthzTrans trans,REQUEST rreq, String origType, String origInstance, String origAction) {
+ final Result<PermDAO.Data> newPd = mapper.perm(trans, rreq);
+ final ServiceValidator v = new ServiceValidator();
+ if (v.perm(newPd).err()) {
+ return Result.err(Status.ERR_BadData,v.errs());
+ }
+
+ if (ques.mayUser(trans, trans.user(), newPd.value,Access.write).notOK()) {
+ return Result.err(Status.ERR_Denied, "You do not have approval to change Permission [%s.%s|%s|%s]",
+ newPd.value.ns,newPd.value.type,newPd.value.instance,newPd.value.action);
+ }
+
+ Result<NsSplit> nss = ques.deriveNsSplit(trans, origType);
+ Result<List<PermDAO.Data>> origRlpd = ques.permDAO().read(trans, nss.value.ns, nss.value.name, origInstance, origAction);
+
+ if (origRlpd.notOKorIsEmpty()) {
+ return Result.err(Status.ERR_PermissionNotFound,
+ "Permission [%s|%s|%s] does not exist",
+ origType,origInstance,origAction);
+ }
+
+ PermDAO.Data origPd = origRlpd.value.get(0);
+
+ if (!origPd.ns.equals(newPd.value.ns)) {
+ return Result.err(Status.ERR_Denied, "Cannot change namespace with rename command. " +
+ "<new type> must start with [" + origPd.ns + "]");
+ }
+
+ if ( origPd.type.equals(newPd.value.type) &&
+ origPd.action.equals(newPd.value.action) &&
+ origPd.instance.equals(newPd.value.instance) ) {
+ return Result.err(Status.ERR_ConflictAlreadyExists, "New Permission must be different than original permission");
+ }
+
+ Set<String> origRoles = origPd.roles(false);
+ if (!origRoles.isEmpty()) {
+ Set<String> roles = newPd.value.roles(true);
+ for (String role : origPd.roles) {
+ roles.add(role);
+ }
+ }
+
+ newPd.value.description = origPd.description;
+
+ Result<Void> rv = null;
+
+ rv = func.createPerm(trans, newPd.value, false);
+ if (rv.isOK()) {
+ rv = func.deletePerm(trans, origPd, true, false);
+ }
+ return rv;
+ }
+
+ @ApiDoc(
+ method = PUT,
+ path = "/authz/perm",
+ params = {},
+ expectedCode = 200,
+ errorCodes = { 404,406 },
+ text = { "Add Description Data to Perm" }
+ )
+ @Override
+ public Result<Void> updatePermDescription(AuthzTrans trans, REQUEST from) {
+ final Result<PermDAO.Data> pd = mapper.perm(trans, from);
+ final ServiceValidator v = new ServiceValidator();
+ if (v.perm(pd).err()) {
+ return Result.err(Status.ERR_BadData,v.errs());
+ }
+ if (v.nullOrBlank("description", pd.value.description).err()) {
+ return Result.err(Status.ERR_BadData,v.errs());
+ }
+ final PermDAO.Data perm = pd.value;
+ if (ques.permDAO().read(trans, perm.ns, perm.type, perm.instance,perm.action).notOKorIsEmpty()) {
+ return Result.err(Status.ERR_NotFound, "Permission [%s.%s|%s|%s] does not exist",
+ perm.ns,perm.type,perm.instance,perm.action);
+ }
+
+ if (ques.mayUser(trans, trans.user(), perm, Access.write).notOK()) {
+ return Result.err(Status.ERR_Denied, "You do not have approval to change Permission [%s.%s|%s|%s]",
+ perm.ns,perm.type,perm.instance,perm.action);
+ }
+
+ Result<List<NsDAO.Data>> nsr = ques.nsDAO().read(trans, pd.value.ns);
+ if (nsr.notOKorIsEmpty()) {
+ return Result.err(nsr);
+ }
+
+ Result<Void> rdr = ques.permDAO().addDescription(trans, perm.ns, perm.type, perm.instance,
+ perm.action, perm.description);
+ if (rdr.isOK()) {
+ return Result.ok();
+ } else {
+ return Result.err(rdr);
+ }
+
+ }
+