Revision 51938
Added by Argiro Kokogiannaki almost 6 years ago
modules/uoa-claims-api/trunk/src/main/java/eu/dnetlib/openaire/rest/Authorization.java | ||
---|---|---|
15 | 15 |
private static Logger logger = Logger.getLogger(Authorization.class); |
16 | 16 |
List<String> registeredRoles = new ArrayList<String>(Arrays.asList("Super Administrator", "Portal Administrator", "Expert - Community", |
17 | 17 |
"Expert - Funder", "Curator - Claim", "Curator - Project", "Curator - Community", "Curator - Institution", "Cuthor", "Registered", "User Manager")); |
18 |
List<String> adminRoles = new ArrayList<String>(Arrays.asList("Super Administrator", "Curator - Claim", "Portal Administrator"));
|
|
18 |
List<String> claimCuratorRoles = new ArrayList<String>(Arrays.asList("Super Administrator", "Curator - Claim", "Portal Administrator"));
|
|
19 | 19 |
List<String> projectCuratorRoles = new ArrayList<String>(Arrays.asList("Curator - Project")); |
20 |
List<String> communityCuratorRoles = new ArrayList<String>(Arrays.asList("Curator - Community")); |
|
20 | 21 |
UserHandler userHandler = null; |
21 | 22 |
String originServer = null; |
22 | 23 |
|
... | ... | |
36 | 37 |
// } |
37 | 38 |
// } |
38 | 39 |
// |
39 |
// public static boolean isAdmin(String token) {
|
|
40 |
// public static boolean isClaimCurator(String token) {
|
|
40 | 41 |
// Claims claims = Jwts.parser() |
41 | 42 |
// .setSigningKey(DatatypeConverter.parseBase64Binary("my-very-secret")) |
42 | 43 |
// .parseClaimsJws(token).getBody(); |
... | ... | |
74 | 75 |
|
75 | 76 |
} |
76 | 77 |
|
77 |
public boolean isAdmin(String token) {
|
|
78 |
public boolean isClaimCurator(String token) {
|
|
78 | 79 |
UserInfo userInfo = userHandler.getUserInfo(token); |
79 |
return isAdmin(userInfo);
|
|
80 |
return isClaimCurator(userInfo);
|
|
80 | 81 |
|
81 | 82 |
} |
82 | 83 |
|
83 |
public boolean isAdmin(UserInfo userInfo) {
|
|
84 |
public boolean isClaimCurator(UserInfo userInfo) {
|
|
84 | 85 |
if (userInfo != null && userInfo.getEdu_person_entitlements() != null) { |
85 | 86 |
|
86 |
return hasRole(userInfo.getEdu_person_entitlements(), adminRoles);
|
|
87 |
return hasRole(userInfo.getEdu_person_entitlements(), claimCuratorRoles);
|
|
87 | 88 |
} else { |
88 | 89 |
logger.debug(" User has no Valid UserInfo"); |
89 | 90 |
return false; |
... | ... | |
91 | 92 |
|
92 | 93 |
} |
93 | 94 |
|
95 |
public boolean isCommunityCurator(String token) { |
|
96 |
UserInfo userInfo = userHandler.getUserInfo(token); |
|
97 |
return isCommunityCurator(userInfo); |
|
98 |
|
|
99 |
} |
|
100 |
|
|
101 |
public boolean isCommunityCurator(UserInfo userInfo) { |
|
102 |
if (userInfo != null && userInfo.getEdu_person_entitlements() != null) { |
|
103 |
|
|
104 |
return hasRole(userInfo.getEdu_person_entitlements(), communityCuratorRoles); |
|
105 |
} else { |
|
106 |
logger.debug(" User has no Valid UserInfo"); |
|
107 |
return false; |
|
108 |
} |
|
109 |
|
|
110 |
} |
|
94 | 111 |
public boolean isProjectCurator(String token) { |
95 | 112 |
UserInfo userInfo = userHandler.getUserInfo(token); |
96 | 113 |
return isProjectCurator(userInfo); |
... | ... | |
121 | 138 |
} |
122 | 139 |
|
123 | 140 |
public boolean hasValidOrigin(String origin) { |
124 |
if (origin != null && originServer.equals(origin)) { |
|
141 |
logger.debug("Origin is "+origin +" originServer: "+originServer); |
|
142 |
if (origin != null && origin.indexOf(originServer)!=-1) { |
|
125 | 143 |
return true; |
126 | 144 |
} |
127 | 145 |
logger.debug("Not valid origin. Origin server is \"" + origin + "\", but expected value is \"" + originServer + "\". If the expec cted value is not right, check properties file. "); |
... | ... | |
136 | 154 |
this.registeredRoles = registeredRoles; |
137 | 155 |
} |
138 | 156 |
|
139 |
public List<String> getAdminRoles() {
|
|
140 |
return adminRoles;
|
|
157 |
public List<String> getClaimCuratorRoles() {
|
|
158 |
return claimCuratorRoles;
|
|
141 | 159 |
} |
142 | 160 |
|
143 |
public void setAdminRoles(List<String> adminRoles) {
|
|
144 |
this.adminRoles = adminRoles;
|
|
161 |
public void setClaimCuratorRoles(List<String> claimCuratorRoles) {
|
|
162 |
this.claimCuratorRoles = claimCuratorRoles;
|
|
145 | 163 |
} |
146 | 164 |
|
165 |
public List<String> getCommunityCuratorRoles() { |
|
166 |
return communityCuratorRoles; |
|
167 |
} |
|
168 |
|
|
169 |
public void setCommunityCuratorRoles(List<String> communityCuratorRoles) { |
|
170 |
this.communityCuratorRoles = communityCuratorRoles; |
|
171 |
} |
|
172 |
|
|
147 | 173 |
public List<String> getProjectCuratorRoles() { |
148 | 174 |
return projectCuratorRoles; |
149 | 175 |
} |
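Review bot: `hasValidOrigin` (new line 142) now accepts any `Origin` header that merely contains `originServer`, and with the value `.di.uoa.gr` set in the properties file of this commit a host such as the constructed `x.di.uoa.gr.example.org` would also match, so the check no longer pins requests to the intended sites. Compare the parsed host instead, e.g. `String host = URI.create(origin).getHost();` followed by `if (host != null && host.endsWith(originServer)) { return true; }`, catching the `IllegalArgumentException` that `URI.create` throws on malformed input (this needs `java.net.URI` imported). The scheme is no longer checked either, and the new debug line at 141 writes the raw header value to the log. The method continues past the visible lines.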
modules/uoa-claims-api/trunk/src/main/java/eu/dnetlib/openaire/rest/HelloWorldService.java | ||
---|---|---|
75 | 75 |
.build(); |
76 | 76 |
} |
77 | 77 |
|
78 |
if(authorization.isAdmin(token)) {
|
|
78 |
if(authorization.isClaimCurator(token)) {
|
|
79 | 79 |
|
80 | 80 |
int total = -1; |
81 | 81 |
|
... | ... | |
117 | 117 |
@HeaderParam("X-XSRF-TOKEN") String token, |
118 | 118 |
@CookieParam("AccessToken") String cookie, |
119 | 119 |
@Context HttpServletRequest request) { |
120 |
|
|
121 | 120 |
|
121 |
|
|
122 | 122 |
if(token == null || token.isEmpty() || cookie == null || cookie.isEmpty() || !cookie.equals(token)){ |
123 | 123 |
authorization.logStatus(token,cookie); |
124 | 124 |
return Response.status(Response.Status.FORBIDDEN).entity(compose403Message("Forbidden: You don't have permission to access. Maybe you are not registered.")) |
... | ... | |
127 | 127 |
} |
128 | 128 |
|
129 | 129 |
UserInfo userInfo = authorization.getUserHandler().getUserInfo(token); |
130 |
if(authorization.isProjectCurator(userInfo)) { |
|
130 |
if(authorization.isProjectCurator(userInfo)|| authorization.isClaimCurator(userInfo)) {
|
|
131 | 131 |
String userMail = userInfo.getEmail(); |
132 | 132 |
|
133 | 133 |
int total = -1; |
... | ... | |
190 | 190 |
} |
191 | 191 |
// logger.debug("Calling API for context with token " + token); |
192 | 192 |
|
193 |
if(authorization.isAdmin(token)) {
|
|
193 |
if(authorization.isCommunityCurator(token) || authorization.isClaimCurator(token)) {
|
|
194 | 194 |
|
195 | 195 |
int total = -1; |
196 | 196 |
if (contextId == null || contextId.isEmpty()) { |
... | ... | |
232 | 232 |
@HeaderParam("X-XSRF-TOKEN") String token, |
233 | 233 |
@CookieParam("AccessToken") String cookie, |
234 | 234 |
@Context HttpServletRequest request) { |
235 |
|
|
236 | 235 |
|
236 |
|
|
237 | 237 |
if(token == null || token.isEmpty() || cookie == null || cookie.isEmpty() || !cookie.equals(token)){ |
238 | 238 |
authorization.logStatus(token,cookie); |
239 | 239 |
return Response.status(Response.Status.FORBIDDEN).entity(compose403Message("Forbidden: You don't have permission to access. Maybe you are not registered.")) |
... | ... | |
241 | 241 |
.build(); |
242 | 242 |
} |
243 | 243 |
|
244 |
if(authorization.isAdmin(token)) {
|
|
244 |
if(authorization.isClaimCurator(token)) {
|
|
245 | 245 |
|
246 | 246 |
int total = -1; |
247 | 247 |
if (resultId == null || resultId.isEmpty()) { |
... | ... | |
281 | 281 |
@HeaderParam("X-XSRF-TOKEN") String token, |
282 | 282 |
@CookieParam("AccessToken") String cookie, |
283 | 283 |
@Context HttpServletRequest request) { |
284 |
|
|
285 | 284 |
|
285 |
|
|
286 | 286 |
if(token == null || token.isEmpty() || cookie == null || cookie.isEmpty() || !cookie.equals(token)){ |
287 | 287 |
return Response.status(Response.Status.FORBIDDEN).entity(compose403Message("Forbidden: You don't have permission to access. Maybe you are not registered.")) |
288 | 288 |
.type(MediaType.APPLICATION_JSON) |
... | ... | |
335 | 335 |
@HeaderParam("X-XSRF-TOKEN") String token, |
336 | 336 |
@CookieParam("AccessToken") String cookie, |
337 | 337 |
@Context HttpServletRequest request) { |
338 |
|
|
339 | 338 |
|
339 |
|
|
340 | 340 |
if(token == null || token.isEmpty() || cookie == null || cookie.isEmpty() || !cookie.equals(token)){ |
341 | 341 |
return Response.status(Response.Status.FORBIDDEN).entity(compose403Message("Forbidden: You don't have permission to access. Maybe you are not registered.")) |
342 | 342 |
.type(MediaType.APPLICATION_JSON) |
... | ... | |
395 | 395 |
@CookieParam("AccessToken") String cookie, |
396 | 396 |
@Context HttpServletRequest request) { |
397 | 397 |
|
398 |
|
|
398 |
|
|
399 | 399 |
logger.debug("Header \"Origin\" has value " + origin); |
400 |
|
|
401 | 400 |
|
402 | 401 |
|
402 |
|
|
403 | 403 |
if(token == null || token.isEmpty() || cookie == null || cookie.isEmpty() || !cookie.equals(token)){ |
404 | 404 |
logger.debug("User is not authorized - Eroor 403"); |
405 | 405 |
|
... | ... | |
408 | 408 |
.build(); |
409 | 409 |
} |
410 | 410 |
|
411 |
if(authorization.isAdmin(token)) {
|
|
411 |
if(authorization.isClaimCurator(token)) {
|
|
412 | 412 |
logger.debug("User is authorized ! !"); |
413 | 413 |
List<Claim> claims = null; |
414 |
|
|
414 |
|
|
415 | 415 |
int total = -1; |
416 | 416 |
try { |
417 | 417 |
claims = fetchClaimHandler.fetchAllClaims(limit, offset, keyword, orderby, descending, types,false); |
... | ... | |
517 | 517 |
@HeaderParam("Origin") String origin, |
518 | 518 |
@CookieParam("AccessToken") String cookie){ |
519 | 519 |
|
520 |
|
|
521 | 520 |
|
521 |
|
|
522 | 522 |
if(token == null || token.isEmpty() || cookie == null || cookie.isEmpty() || !cookie.equals(token)|| !authorization.hasValidOrigin(origin)){ |
523 | 523 |
return Response.status(Response.Status.FORBIDDEN).entity(compose403Message("Forbidden: You don't have permission to access. Maybe you are not registered.")) |
524 | 524 |
.type(MediaType.APPLICATION_JSON) |
... | ... | |
540 | 540 |
try { |
541 | 541 |
|
542 | 542 |
if (authorization.isRegistered(userInfo)) { |
543 |
if (authorization.isAdmin(userInfo) || userInfo.getEmail().equals(fetchClaimHandler.fetchClaimById(claimId,false).getUserMail())) {
|
|
543 |
if (authorization.isClaimCurator(userInfo) || authorization.isCommunityCurator(userInfo) || userInfo.getEmail().equals(fetchClaimHandler.fetchClaimById(claimId,false).getUserMail())) {
|
|
544 | 544 |
if (claimHandler.deleteClaim(claimId)) { |
545 | 545 |
deletedIds.add(claimId); |
546 | 546 |
} else { |
... | ... | |
580 | 580 |
@HeaderParam("X-XSRF-TOKEN") String token, |
581 | 581 |
@HeaderParam("Origin") String origin, |
582 | 582 |
@CookieParam("AccessToken") String cookie) { |
583 |
|
|
584 | 583 |
|
584 |
|
|
585 | 585 |
if(token == null || token.isEmpty() || cookie == null || cookie.isEmpty() || !cookie.equals(token) || !authorization.hasValidOrigin(origin)){ |
586 | 586 |
return Response.status(Response.Status.FORBIDDEN).entity(compose403Message("Forbidden: You don't have permission to access. Maybe you are not registered.")) |
587 | 587 |
.type(MediaType.APPLICATION_JSON) |
... | ... | |
653 | 653 |
@HeaderParam("X-XSRF-TOKEN") String token, |
654 | 654 |
@HeaderParam("Origin") String origin, |
655 | 655 |
@CookieParam("AccessToken") String cookie) { |
656 |
|
|
657 | 656 |
|
657 |
|
|
658 | 658 |
if(token == null || token.isEmpty() || cookie == null || cookie.isEmpty() || !cookie.equals(token)|| !authorization.hasValidOrigin(origin)){ |
659 | 659 |
return Response.status(Response.Status.FORBIDDEN).entity(compose403Message("Forbidden: You don't have permission to access. Maybe you are not registered.")) |
660 | 660 |
.type(MediaType.APPLICATION_JSON) |
... | ... | |
757 | 757 |
@HeaderParam("X-XSRF-TOKEN") String token, |
758 | 758 |
@HeaderParam("Origin") String origin, |
759 | 759 |
@CookieParam("AccessToken") String cookie) { |
760 |
|
|
761 | 760 |
|
761 |
|
|
762 | 762 |
if(token == null || token.isEmpty() || cookie == null || cookie.isEmpty() || !cookie.equals(token)|| !authorization.hasValidOrigin(origin)){ |
763 | 763 |
return Response.status(Response.Status.FORBIDDEN).entity(compose403Message("Forbidden: You don't have permission to access. Maybe you are not registered.")) |
764 | 764 |
.type(MediaType.APPLICATION_JSON) |
... | ... | |
828 | 828 |
|
829 | 829 |
|
830 | 830 |
if(token == null || token.isEmpty() || cookie == null || cookie.isEmpty() || !cookie.equals(token)|| !authorization.hasValidOrigin(origin)){ |
831 |
|
|
831 |
|
|
832 | 832 |
return Response.status(Response.Status.FORBIDDEN).entity(compose403Message("Forbidden: You don't have permission to access. Maybe you are not registered.")) |
833 | 833 |
.type(MediaType.APPLICATION_JSON) |
834 | 834 |
.build(); |
... | ... | |
875 | 875 |
@Produces(MediaType.APPLICATION_JSON) |
876 | 876 |
public Response fetchCommunities(@HeaderParam("X-XSRF-TOKEN") String token, |
877 | 877 |
@CookieParam("AccessToken") String cookie) throws ISLookUpServiceException { |
878 |
|
|
879 | 878 |
|
879 |
|
|
880 | 880 |
if(token == null || token.isEmpty() || cookie == null || cookie.isEmpty() || !cookie.equals(token)){ |
881 | 881 |
return Response.status(Response.Status.FORBIDDEN).entity(compose403Message("Forbidden: You don't have permission to access. Maybe you are not registered.")) |
882 | 882 |
.type(MediaType.APPLICATION_JSON) |
... | ... | |
903 | 903 |
public Response fetchCommunityCategories(@PathParam("communityid") String communityid, |
904 | 904 |
@HeaderParam("X-XSRF-TOKEN") String token, |
905 | 905 |
@CookieParam("AccessToken") String cookie) throws ISLookUpServiceException { |
906 |
|
|
907 | 906 |
|
907 |
|
|
908 | 908 |
if(token == null || token.isEmpty() || cookie == null || cookie.isEmpty() || !cookie.equals(token)){ |
909 | 909 |
return Response.status(Response.Status.FORBIDDEN).entity(compose403Message("Forbidden: You don't have permission to access. Maybe you are not registered.")) |
910 | 910 |
.type(MediaType.APPLICATION_JSON) |
... | ... | |
938 | 938 |
public Response fetchCategoryConcepts(@PathParam("categoryid") String categoryid, |
939 | 939 |
@HeaderParam("X-XSRF-TOKEN") String token, |
940 | 940 |
@CookieParam("AccessToken") String cookie) throws ISLookUpServiceException { |
941 |
|
|
942 | 941 |
|
942 |
|
|
943 | 943 |
if(token == null || token.isEmpty() || cookie == null || cookie.isEmpty() || !cookie.equals(token)){ |
944 | 944 |
return Response.status(Response.Status.FORBIDDEN).entity(compose403Message("Forbidden: You don't have permission to access. Maybe you are not registered.")) |
945 | 945 |
.type(MediaType.APPLICATION_JSON) |
... | ... | |
1131 | 1131 |
// Authorization authorization = context.getBean(Authorization.class); |
1132 | 1132 |
// UserHandler userHandler = context.getBean(UserHandler.class); |
1133 | 1133 |
// System.out.println(authorization.getAdminRoles()); |
1134 |
// authorization.isAdmin("eyJraWQiOiJvaWRjIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIwOTMxNzMwMTMyODMzNjMyQG9wZW5taW50ZWQuZXUiLCJhenAiOiIyNGU4MzE3Ni0xMzEyLTRiYTMtYmMwYi1mZmVlYmVhMTYwM2UiLCJpc3MiOiJodHRwczpcL1wvYWFpLm9wZW5taW50ZWQuZXVcL29pZGNcLyIsImV4cCI6MTQ5ODQ4NTk3NiwiaWF0IjoxNDk4NDcxNTc2LCJqdGkiOiJkMWRlZjc1Yi00MTEyLTRiZDktYTIyNi0wZThhOWI2M2Y3MWQifQ.WVYOb_yO8OaxIIt2jRYEDQBhGGFRDTBw3DgtVV_smuN5yx1ScCj6aehLu3JKPSArme4m2SGF4TEGhpwNJkwhM2WapGtxmtuCmCzYIo_QlC1Yki9hr2OT2rXMcQsJCiKaBSf6pLue6Sn78GMB5yaUTvOQHRgidXGiZXH5lsuZUx15Q6Equ_wzond_rgP9mRheRkTyIFuvvg4PuzmudBc11Ty863vIIQtoWF7_p98zTbHxiNF9lLPwzPZKxDoQ8JeayQEC-jsWVLgxmp-h0jG_Ko5jFVVJeeosqMMucOrs2FT_NKHVYVqB6VVh0C6nOufeiLrNDeMUlDT4dAvKD2zE9w");
|
|
1134 |
// authorization.isClaimCurator("eyJraWQiOiJvaWRjIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIwOTMxNzMwMTMyODMzNjMyQG9wZW5taW50ZWQuZXUiLCJhenAiOiIyNGU4MzE3Ni0xMzEyLTRiYTMtYmMwYi1mZmVlYmVhMTYwM2UiLCJpc3MiOiJodHRwczpcL1wvYWFpLm9wZW5taW50ZWQuZXVcL29pZGNcLyIsImV4cCI6MTQ5ODQ4NTk3NiwiaWF0IjoxNDk4NDcxNTc2LCJqdGkiOiJkMWRlZjc1Yi00MTEyLTRiZDktYTIyNi0wZThhOWI2M2Y3MWQifQ.WVYOb_yO8OaxIIt2jRYEDQBhGGFRDTBw3DgtVV_smuN5yx1ScCj6aehLu3JKPSArme4m2SGF4TEGhpwNJkwhM2WapGtxmtuCmCzYIo_QlC1Yki9hr2OT2rXMcQsJCiKaBSf6pLue6Sn78GMB5yaUTvOQHRgidXGiZXH5lsuZUx15Q6Equ_wzond_rgP9mRheRkTyIFuvvg4PuzmudBc11Ty863vIIQtoWF7_p98zTbHxiNF9lLPwzPZKxDoQ8JeayQEC-jsWVLgxmp-h0jG_Ko5jFVVJeeosqMMucOrs2FT_NKHVYVqB6VVh0C6nOufeiLrNDeMUlDT4dAvKD2zE9w");
|
|
1135 | 1135 |
|
1136 | 1136 |
} |
1137 | 1137 |
|
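Review bot: The delete check at new line 543 now lets any caller for whom `isCommunityCurator(userInfo)` is true delete any claim, and the properties file in this same commit lists `Registered User` among `communityCuratorRoles`, so with that configuration every registered user appears to pass it regardless of who owns the claim. The context endpoint at new line 193 has the same shape: `isCommunityCurator(token)` is accepted without comparing `contextId` to the communities the caller curates. I would keep deletion to `authorization.isClaimCurator(userInfo) || userInfo.getEmail().equals(...)` until a per-community check exists, and drop `Registered User` from the curator list. The commented-out call near new line 1134 also carries a full token literal and is better deleted than renamed. These methods begin and end outside the visible hunks.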
modules/uoa-claims-api/trunk/src/main/java/eu/dnetlib/openaire/rest/inputHandler/UserHandler.java | ||
---|---|---|
89 | 89 |
String role = userInfo.getEdu_person_entitlements().get(i); |
90 | 90 |
logger.debug("AAI role: "+role); |
91 | 91 |
role = role.split(":")[role.split(":").length-1]; |
92 |
role = role.split("#")[0]; |
|
92 | 93 |
role = role.replace("+"," "); |
93 | 94 |
logger.debug("Adding parsed role : "+role); |
94 | 95 |
userInfo.getEdu_person_entitlements().set(i,role); |
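Review bot: The added `role.split("#")[0]` runs after line 91 has already kept only the text following the last `:`, so if the part after `#` ever contains a colon (a URL or host:port, for instance) the role name is lost before this line sees it; stripping the `#` suffix first would avoid that. Discarding both the prefix and the `#` suffix also means a role is matched by its trailing name alone, so it is worth confirming that entitlements from other namespaces or issuers cannot reach this code. A short comment such as `// drop everything after '#' in the entitlement value` would explain the new line. The enclosing loop starts and ends outside the hunk.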
modules/uoa-claims-api/trunk/src/main/resources/eu/dnetlib/openaire/rest/springContext-claims-authorization.properties | ||
---|---|---|
1 | 1 |
|
2 |
services.claims.authorization.userInfoUrl = http://mpagasas.di.uoa.gr:8080/uoa-user-management-1.0.0-SNAPSHOT/api/users/getUserInfo?accessToken= |
|
3 |
services.claims.authorization.originServer = http://scoobydoo.di.uoa.gr:5000 |
|
4 |
services.claims.authorization.registeredRoles = OpenAIRE Super Administrator,OpenAIRE Portal Administrator,OpenAIRE Expert - Community,OpenAIRE Expert - Funder,OpenAIRE Curator - Claim,OpenAIRE Curator - Project,OpenAIRE Curator - Community,OpenAIRE Curator - Institution,OpenAIRE Author,Registered User,User Manager |
|
5 |
services.claims.authorization.adminRoles = OpenAIRE Super Administrator,OpenAIRE Curator - Claim,OpenAIRE Portal Administrator |
|
6 |
services.claims.authorization.projectCuratorRoles = OpenAIRE Curator - Project,OpenAIRE Super Administrator,OpenAIRE Curator - Claim,OpenAIRE Portal Administrator |
|
2 |
services.claims.authorization.userInfoUrl = http://mpagasas.di.uoa.gr:8080/dnet-user-management-1.0.0-SNAPSHOT/api/users/getUserInfo?accessToken= |
|
3 |
services.claims.authorization.originServer = .di.uoa.gr |
|
4 |
services.claims.authorization.registeredRoles = Super Administrator,Portal Administrator,Expert - Community,Expert - Funder,Curator - Claim,Curator - Project,Curator - Community,Curator - Institution,Author,Registered User,User Manager |
|
5 |
services.claims.authorization.claimCuratorRoles = Super Administrator,Curator - Claim,Portal Administrator |
|
6 |
services.claims.authorization.projectCuratorRoles = Curator - Project,Super Administrator,Curator - Claim,Portal Administrator |
|
7 |
services.claims.authorization.communityCuratorRoles = Curator - Community,Expert - Community,Portal Administrator,Registered User |
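Review bot: `userInfoUrl` on new line 2 is still plain `http://` and ends in `?accessToken=`, so the caller's access token would travel unencrypted and is likely to end up in server and proxy access logs; an `https://` endpoint that takes the token in a header would avoid both. The host and the `-SNAPSHOT` path look like a development deployment, so a comment such as `# development defaults - override per environment` would make clear that these values are not meant for production.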
modules/uoa-claims-api/trunk/src/main/resources/eu/dnetlib/openaire/rest/springContext-claims-authorization.xml | ||
---|---|---|
25 | 25 |
|
26 | 26 |
<bean id="authorization" class="eu.dnetlib.openaire.rest.Authorization" > |
27 | 27 |
<property name="registeredRoles" value="#{'${services.claims.authorization.registeredRoles}'.split(',')}"/> |
28 |
<property name="adminRoles" value="#{'${services.claims.authorization.adminRoles}'.split(',')}"/>
|
|
28 |
<property name="claimCuratorRoles" value="#{'${services.claims.authorization.claimCuratorRoles}'.split(',')}"/>
|
|
29 | 29 |
<property name="projectCuratorRoles" value="#{'${services.claims.authorization.projectCuratorRoles}'.split(',')}"/> |
30 |
<property name="communityCuratorRoles" value="#{'${services.claims.authorization.communityCuratorRoles}'.split(',')}"/> |
|
30 | 31 |
<property name="userHandler" ref="userHandler"/> |
31 | 32 |
<property name="originServer" value="${services.claims.authorization.originServer}"/> |
32 | 33 |
|
add more roles for community curators | distinct admin and claim curators