
Merge pull request #14927 from wangkx/h23634

HPCC-23634 Check permission before restoring an ECL WU

Reviewed-By: Anthony Fishbeck <anthony.fishbeck@lexisnexis.com>
Reviewed-By: Richard Chapman <rchapman@hpccsystems.com>
Richard Chapman hace 4 años
padre
commit
c19edc0236

+ 5 - 0
esp/services/ws_workunits/ws_workunitsHelpers.cpp

@@ -97,6 +97,11 @@ bool validateWsWorkunitAccess(IEspContext& ctx, const char* wuid, SecAccessFlags
     return ctx.validateFeatureAccess(getWuAccessType(*cw, ctx.queryUserId()), minAccess, false);
 }
 
+bool validateWsWorkunitAccessByOwnerId(IEspContext& ctx, const char* owner, SecAccessFlags minAccess)
+{
+    return ctx.validateFeatureAccess(getWuAccessType(owner, ctx.queryUserId()), minAccess, false);
+}
+
 void ensureWsWorkunitAccessByOwnerId(IEspContext& ctx, const char* owner, SecAccessFlags minAccess)
 {
     if (!ctx.validateFeatureAccess(getWuAccessType(owner, ctx.queryUserId()), minAccess, false))
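Review bot: The new validateWsWorkunitAccessByOwnerId and the existing ensureWsWorkunitAccessByOwnerId directly below it now carry the same `ctx.validateFeatureAccess(getWuAccessType(owner, ctx.queryUserId()), minAccess, false)` expression, so a later change to the ownership rule has to be made in two places. The ensure variant could open with `if (!validateWsWorkunitAccessByOwnerId(ctx, owner, minAccess))` so the authorization decision has a single source. A short comment on the new function stating how a null or empty `owner` is classified would also help, because that is decided inside getWuAccessType, which is not visible here. The body of ensureWsWorkunitAccessByOwnerId continues past the end of the hunk.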

+ 1 - 0
esp/services/ws_workunits/ws_workunitsHelpers.hpp

@@ -76,6 +76,7 @@ void ensureWsWorkunitAccess(IEspContext& context, const char* wuid, SecAccessFla
 void ensureWsWorkunitAccessByOwnerId(IEspContext& context, const char* owner, SecAccessFlags minAccess);
 void ensureWsCreateWorkunitAccess(IEspContext& cxt);
 bool validateWsWorkunitAccess(IEspContext& context, const char* wuid, SecAccessFlags minAccess);
+bool validateWsWorkunitAccessByOwnerId(IEspContext& context, const char* owner, SecAccessFlags minAccess);
 
 const char *getGraphNum(const char *s,unsigned &num);
 

+ 42 - 39
esp/services/ws_workunits/ws_workunitsService.cpp

@@ -108,6 +108,40 @@ void setActionResult(const char* wuid, CECLWUActions action, const char* result,
     results->append(*res.getClear());
 }
 
+IPropertyTree *getArchivedWorkUnitProperties(const char *wuid, bool dfuWU)
+{
+    SocketEndpoint ep;
+    getSashaNode(ep);
+    Owned<INode> node = createINode(ep);
+    if (!node)
+        throw MakeStringException(ECLWATCH_INODE_NOT_FOUND, "INode not found.");
+
+    StringBuffer tmp;
+    Owned<ISashaCommand> cmd = createSashaCommand();
+    cmd->addId(wuid);
+    cmd->setAction(SCA_GET);
+    cmd->setArchived(true);
+    if (dfuWU)
+        cmd->setDFU(true);
+    if (!cmd->send(node, 1*60*1000))
+        throw MakeStringException(ECLWATCH_CANNOT_CONNECT_ARCHIVE_SERVER,
+            "Sasha (%s) took too long to respond from: Get workUnit properties for %s.",
+            ep.getUrlStr(tmp).str(), wuid);
+
+    if ((cmd->numIds() < 1) || (cmd->numResults() < 1))
+        return nullptr;
+
+    cmd->getResult(0, tmp.clear());
+    if(tmp.length() < 1)
+        return nullptr;
+
+    Owned<IPropertyTree> wu = createPTreeFromXMLString(tmp.str());
+    if (!wu)
+        return nullptr;
+
+    return wu.getClear();
+}
+
 bool doAction(IEspContext& context, StringArray& wuids, CECLWUActions action, IProperties* params, IArrayOf<IConstWUActionResult>* results)
 {
     if (!wuids.length())
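Review bot: getArchivedWorkUnitProperties returns whatever `cmd->getResult(0, tmp.clear())` holds without confirming that the record belongs to the `wuid` that was requested, and after this commit that tree is the input to the restore permission check in doAction. Whether Sasha can answer one id with a different record or with several is not determinable from this page, but if it can, the owner that is checked and the workunit that is restored could differ. Verifying that the parsed tree identifies the same workunit, and returning nullptr otherwise, would make the helper safe to use for authorization. The function would also benefit from a header comment stating that it returns nullptr when Sasha has no result, throws on a missing node or failed send, and hands ownership of the tree to the caller. The trailing `if (!wu) return nullptr;` before `return wu.getClear();` is redundant.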
@@ -127,6 +161,14 @@ bool doAction(IEspContext& context, StringArray& wuids, CECLWUActions action, IP
             }
             if ((action == CECLWUActions_Archive) && !validateWsWorkunitAccess(context, wuid, SecAccess_Full))
                 msg.appendf("Access denied for Workunit %s. ", wuid);
+            else if (action == CECLWUActions_Restore)
+            {
+                Owned<IPropertyTree> wuProps = getArchivedWorkUnitProperties(wuid, false);
+                if (!wuProps)
+                    msg.appendf("Archived workunit %s not found.", wuid);
+                else if (!validateWsWorkunitAccessByOwnerId(context, wuProps->queryProp("@submitID"), SecAccess_Full))
+                    msg.appendf("Access denied for Workunit %s. ", wuid);
+            }
         }
         if (!msg.isEmpty())
             throw makeStringException(ECLWATCH_INVALID_INPUT, msg);
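Review bot: In the new `CECLWUActions_Restore` branch, `wuProps->queryProp("@submitID")` is passed to validateWsWorkunitAccessByOwnerId unchecked, so an archived record without that attribute yields a null or empty owner. How getWuAccessType classifies a missing owner is not shown here. If it treats it as the caller's own workunit, any user with full access to their own workunits could restore ownerless archives. Deciding this explicitly at the call site would fail closed, for example `else if (isEmpty(wuProps->queryProp("@submitID")) || !validateWsWorkunitAccessByOwnerId(context, wuProps->queryProp("@submitID"), SecAccess_Full))`, or a comment should record that ownerless archives are intentionally restorable. Separately, `"Archived workunit %s not found."` lacks the trailing space the other messages appended to `msg` carry, so consecutive entries run together. The loop over `wuids` that encloses this branch begins outside the hunk.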
@@ -136,11 +178,6 @@ bool doAction(IEspContext& context, StringArray& wuids, CECLWUActions action, IP
         {
             StringBuffer reply;
             cmd->getId(idx, reply);
-
-            const char* wuid = wuids.item(idx);
-            if ((action == CECLWUActions_Restore) && !validateWsWorkunitAccess(context, wuid, SecAccess_Full))
-                reply.appendf("Access denied for Workunit %s. ", wuid);
-
             AuditSystemAccess(context.queryUserId(), true, "%s", reply.str());
         }
         return true;
@@ -3173,40 +3210,6 @@ bool CWsWorkunitsEx::onWUFile(IEspContext &context,IEspWULogFileRequest &req, IE
     return true;
 }
 
-IPropertyTree *getArchivedWorkUnitProperties(const char *wuid, bool dfuWU)
-{
-    SocketEndpoint ep;
-    getSashaNode(ep);
-    Owned<INode> node = createINode(ep);
-    if (!node)
-        throw MakeStringException(ECLWATCH_INODE_NOT_FOUND, "INode not found.");
-
-    StringBuffer tmp;
-    Owned<ISashaCommand> cmd = createSashaCommand();
-    cmd->addId(wuid);
-    cmd->setAction(SCA_GET);
-    cmd->setArchived(true);
-    if (dfuWU)
-        cmd->setDFU(true);
-    if (!cmd->send(node, 1*60*1000))
-        throw MakeStringException(ECLWATCH_CANNOT_CONNECT_ARCHIVE_SERVER,
-            "Sasha (%s) took too long to respond from: Get workUnit properties for %s.",
-            ep.getUrlStr(tmp).str(), wuid);
-
-    if ((cmd->numIds() < 1) || (cmd->numResults() < 1))
-        return nullptr;
-
-    cmd->getResult(0, tmp.clear());
-    if(tmp.length() < 1)
-        return nullptr;
-
-    Owned<IPropertyTree> wu = createPTreeFromXMLString(tmp.str());
-    if (!wu)
-        return nullptr;
-
-    return wu.getClear();
-}
-
 void getWorkunitCluster(IEspContext &context, const char *wuid, SCMStringBuffer &cluster, bool checkArchiveWUs)
 {
     if (isEmpty(wuid))