2 * Copyright (c) 2000-2012 Liferay, Inc. All rights reserved.
\r
4 * This library is free software; you can redistribute it and/or modify it under
\r
5 * the terms of the GNU Lesser General Public License as published by the Free
\r
6 * Software Foundation; either version 2.1 of the License, or (at your option)
\r
9 * This library is distributed in the hope that it will be useful, but WITHOUT
\r
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
\r
11 * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
\r
15 package com.liferay.portal.security.permission;
\r
17 import com.liferay.portal.NoSuchResourceException;
\r
18 import com.liferay.portal.kernel.dao.orm.QueryUtil;
\r
19 import com.liferay.portal.kernel.exception.SystemException;
\r
20 import com.liferay.portal.kernel.log.Log;
\r
21 import com.liferay.portal.kernel.log.LogFactoryUtil;
\r
22 import com.liferay.portal.kernel.util.ArrayUtil;
\r
23 import com.liferay.portal.kernel.util.CharPool;
\r
24 import com.liferay.portal.kernel.util.GetterUtil;
\r
25 import com.liferay.portal.kernel.util.SetUtil;
\r
26 import com.liferay.portal.kernel.util.UniqueList;
\r
27 import com.liferay.portal.kernel.util.Validator;
\r
28 import com.liferay.portal.model.Group;
\r
29 import com.liferay.portal.model.GroupConstants;
\r
30 import com.liferay.portal.model.GroupedModel;
\r
31 import com.liferay.portal.model.Layout;
\r
32 import com.liferay.portal.model.Organization;
\r
33 import com.liferay.portal.model.Permission;
\r
34 import com.liferay.portal.model.PermissionedModel;
\r
35 import com.liferay.portal.model.PortletConstants;
\r
36 import com.liferay.portal.model.Resource;
\r
37 import com.liferay.portal.model.ResourceBlockConstants;
\r
38 import com.liferay.portal.model.ResourceConstants;
\r
39 import com.liferay.portal.model.Role;
\r
40 import com.liferay.portal.model.RoleConstants;
\r
41 import com.liferay.portal.model.Team;
\r
42 import com.liferay.portal.model.UserGroup;
\r
43 import com.liferay.portal.security.permission.comparator.PermissionActionIdComparator;
\r
44 import com.liferay.portal.service.GroupLocalServiceUtil;
\r
45 import com.liferay.portal.service.LayoutLocalServiceUtil;
\r
46 import com.liferay.portal.service.OrganizationLocalServiceUtil;
\r
47 import com.liferay.portal.service.PermissionLocalServiceUtil;
\r
48 import com.liferay.portal.service.ResourceBlockLocalServiceUtil;
\r
49 import com.liferay.portal.service.ResourceLocalServiceUtil;
\r
50 import com.liferay.portal.service.ResourcePermissionLocalServiceUtil;
\r
51 import com.liferay.portal.service.RoleLocalServiceUtil;
\r
52 import com.liferay.portal.service.TeamLocalServiceUtil;
\r
53 import com.liferay.portal.service.UserGroupLocalServiceUtil;
\r
54 import com.liferay.portal.service.permission.PortletPermissionUtil;
\r
55 import com.liferay.portal.util.PropsValues;
\r
56 import com.pentila.entSavoie.ENTRolesConstants;
\r
57 import com.pentila.entSavoie.communityInfos.model.CommunityInfos;
\r
58 import com.pentila.entSavoie.communityInfos.service.CommunityInfosLocalServiceUtil;
\r
60 import java.util.ArrayList;
\r
61 import java.util.Collections;
\r
62 import java.util.HashMap;
\r
63 import java.util.LinkedHashMap;
\r
64 import java.util.List;
\r
65 import java.util.Map;
\r
66 import java.util.Set;
\r
68 import org.apache.commons.lang.time.StopWatch;
\r
71 * @author Charles May
\r
72 * @author Brian Wing Shun Chan
\r
73 * @author Raymond Augé
\r
74 * @author Wesley Gong
\r
75 * @author Connor McKay
\r
77 public class AdvancedPermissionChecker extends BasePermissionChecker {
\r
80 public AdvancedPermissionChecker clone() {
\r
81 return new AdvancedPermissionChecker();
\r
85 public List<Long> getGuestResourceBlockIds(
\r
86 long companyId, long groupId, String name, String actionId) {
\r
89 ResourceBlockIdsBag resourceBlockIdsBag =
\r
90 getGuestResourceBlockIdsBag(companyId, groupId, name);
\r
92 return ResourceBlockLocalServiceUtil.getResourceBlockIds(
\r
93 resourceBlockIdsBag, name, actionId);
\r
95 catch (Exception e) {
\r
98 return Collections.emptyList();
\r
/**
 * Returns the guest user's resource block IDs bag for the named resource in
 * the group. The bag is served from {@link PermissionCacheUtil} when present;
 * otherwise it is built from the guest bag's role IDs and cached.
 *
 * @param companyId the primary key of the company, used in the cache key
 * @param groupId the primary key of the group
 * @param name the resource name
 * @return the guest resource block IDs bag
 */
101 public ResourceBlockIdsBag getGuestResourceBlockIdsBag(
\r
102 long companyId, long groupId, String name)
\r
105 // checkGuest is irrelevant for the guest role, so it is assumed true
\r
107 ResourceBlockIdsBag resourceBlockIdsBag =
\r
108 PermissionCacheUtil.getResourceBlockIdsBag(
\r
109 companyId, groupId, defaultUserId, name, true);
\r
111 if (resourceBlockIdsBag != null) {
\r
112 return resourceBlockIdsBag;
\r
// Cache miss: resolve the guest roles and ask the resource block service.
116 PermissionCheckerBag bag = getGuestUserBag();
\r
118 long[] roleIds = bag.getRoleIds();
\r
// NOTE(review): the bag is computed for getCompanyId() but looked up and
// stored under the companyId parameter; confirm callers always pass the
// checker's own company, otherwise a cache entry can describe another company.
120 resourceBlockIdsBag =
\r
121 ResourceBlockLocalServiceUtil.getResourceBlockIdsBag(
\r
122 getCompanyId(), groupId, name, roleIds);
\r
124 PermissionCacheUtil.putResourceBlockIdsBag(
\r
125 companyId, groupId, defaultUserId, name, true,
\r
126 resourceBlockIdsBag);
\r
128 return resourceBlockIdsBag;
\r
// Fallback (presumably the finally block; its try/finally lines are not shown
// here): cache an empty bag so a failed build is not retried on every check.
131 if (resourceBlockIdsBag == null) {
\r
132 resourceBlockIdsBag = new ResourceBlockIdsBag();
\r
// NOTE(review): this put passes (companyId, defaultUserId, groupId, ...) while
// the get and put above pass (companyId, groupId, defaultUserId, ...). Both
// are longs, so the compiler cannot flag the swap; one of the two orders keys
// the cache wrongly -- confirm against PermissionCacheUtil.putResourceBlockIdsBag.
// An empty bag stored under a swapped key could be served to an unrelated
// (group, user) pair whose ids coincide, i.e. a spurious deny. The same swap
// appears in getOwnerResourceBlockIdsBag and getResourceBlockIdsBag.
135 PermissionCacheUtil.putResourceBlockIdsBag(
\r
136 companyId, defaultUserId, groupId, name, true,
\r
137 resourceBlockIdsBag);
\r
142 * Returns the permission checker bag for the guest user.
\r
144 * @return the permission checker bag for the guest user
\r
145 * @throws Exception if an exception occurred
\r
147 public PermissionCheckerBag getGuestUserBag() throws Exception {
\r
148 Group guestGroup = GroupLocalServiceUtil.getGroup(
\r
149 getCompanyId(), GroupConstants.GUEST);
\r
151 PermissionCheckerBag bag = PermissionCacheUtil.getBag(
\r
152 defaultUserId, guestGroup.getGroupId());
\r
156 List<Group> groups = new ArrayList<Group>();
\r
158 groups.add(guestGroup);
\r
160 List<Role> roles = RoleLocalServiceUtil.getUserRelatedRoles(
\r
161 defaultUserId, groups);
\r
163 bag = new PermissionCheckerBagImpl(
\r
164 defaultUserId, new ArrayList<Group>(),
\r
165 new ArrayList<Organization>(), new ArrayList<Group>(),
\r
166 new ArrayList<Group>(), groups, roles);
\r
170 bag = new PermissionCheckerBagImpl(
\r
171 defaultUserId, new ArrayList<Group>(),
\r
172 new ArrayList<Organization>(), new ArrayList<Group>(),
\r
173 new ArrayList<Group>(), new ArrayList<Group>(),
\r
174 new ArrayList<Role>());
\r
177 PermissionCacheUtil.putBag(
\r
178 defaultUserId, guestGroup.getGroupId(), bag);
\r
186 public List<Long> getOwnerResourceBlockIds(
\r
187 long companyId, long groupId, String name, String actionId) {
\r
190 ResourceBlockIdsBag resourceBlockIdsBag =
\r
191 getOwnerResourceBlockIdsBag(companyId, groupId, name);
\r
193 return ResourceBlockLocalServiceUtil.getResourceBlockIds(
\r
194 resourceBlockIdsBag, name, actionId);
\r
196 catch (Exception e) {
\r
199 return Collections.emptyList();
\r
/**
 * Returns the resource block IDs bag for the owner role on the named resource
 * in the group. The bag is served from {@link PermissionCacheUtil} under the
 * synthetic {@link ResourceBlockConstants#OWNER_USER_ID} key when present;
 * otherwise it is built for the owner role only and cached.
 *
 * @param companyId the primary key of the company, used in the cache key
 * @param groupId the primary key of the group
 * @param name the resource name
 * @return the owner resource block IDs bag
 * @throws SystemException if the resource block service fails
 */
202 public ResourceBlockIdsBag getOwnerResourceBlockIdsBag(
\r
203 long companyId, long groupId, String name)
\r
204 throws SystemException {
\r
206 // checkGuest is irrelevant for the owner role, so it is assumed true
\r
208 ResourceBlockIdsBag resourceBlockIdsBag =
\r
209 PermissionCacheUtil.getResourceBlockIdsBag(
\r
210 companyId, groupId, ResourceBlockConstants.OWNER_USER_ID, name,
\r
213 if (resourceBlockIdsBag != null) {
\r
214 return resourceBlockIdsBag;
\r
// Cache miss: the owner role is the only role that matters here.
218 long[] roleIds = {getOwnerRoleId()};
\r
// NOTE(review): computed for getCompanyId() but cached under the companyId
// parameter; confirm callers always pass the checker's own company.
220 resourceBlockIdsBag =
\r
221 ResourceBlockLocalServiceUtil.getResourceBlockIdsBag(
\r
222 getCompanyId(), groupId, name, roleIds);
\r
224 PermissionCacheUtil.putResourceBlockIdsBag(
\r
225 companyId, groupId, ResourceBlockConstants.OWNER_USER_ID, name,
\r
226 true, resourceBlockIdsBag);
\r
228 return resourceBlockIdsBag;
\r
// Fallback (presumably the finally block; its try/finally lines are not shown
// here): cache an empty bag so a failed build is not retried on every check.
231 if (resourceBlockIdsBag == null) {
\r
232 resourceBlockIdsBag = new ResourceBlockIdsBag();
\r
// NOTE(review): argument order differs from the put above -- here
// (companyId, OWNER_USER_ID, groupId, ...), above (companyId, groupId,
// OWNER_USER_ID, ...). Both are longs, so this compiles either way; one of the
// two keys the cache wrongly. Confirm against
// PermissionCacheUtil.putResourceBlockIdsBag and align with the first call.
235 PermissionCacheUtil.putResourceBlockIdsBag(
\r
236 companyId, ResourceBlockConstants.OWNER_USER_ID, groupId, name,
\r
237 true, resourceBlockIdsBag);
\r
242 public List<Long> getResourceBlockIds(
\r
243 long companyId, long groupId, long userId, String name,
\r
247 ResourceBlockIdsBag resourceBlockIdsBag = getResourceBlockIdsBag(
\r
248 companyId, groupId, userId, name);
\r
250 return ResourceBlockLocalServiceUtil.getResourceBlockIds(
\r
251 resourceBlockIdsBag, name, actionId);
\r
253 catch (Exception e) {
\r
256 return Collections.emptyList();
\r
/**
 * Returns the resource block IDs bag for the user on the named resource in
 * the group. The bag is served from {@link PermissionCacheUtil} when present
 * (the checker's checkGuest flag is part of the key); otherwise it is built
 * from the user's role IDs for the group and cached.
 *
 * @param companyId the primary key of the company, used in the cache key
 * @param groupId the primary key of the group
 * @param userId the primary key of the user
 * @param name the resource name
 * @return the user's resource block IDs bag
 */
259 public ResourceBlockIdsBag getResourceBlockIdsBag(
\r
260 long companyId, long groupId, long userId, String name)
\r
263 ResourceBlockIdsBag resourceBlockIdsBag =
\r
264 PermissionCacheUtil.getResourceBlockIdsBag(
\r
265 companyId, groupId, userId, name, checkGuest);
\r
267 if (resourceBlockIdsBag != null) {
\r
268 return resourceBlockIdsBag;
\r
// Cache miss: getRoleIds merges the guest roles when checkGuest applies,
// which is why checkGuest is part of the cache key.
272 long[] roleIds = getRoleIds(userId, groupId);
\r
// NOTE(review): computed for getCompanyId() but cached under the companyId
// parameter; confirm callers always pass the checker's own company.
274 resourceBlockIdsBag =
\r
275 ResourceBlockLocalServiceUtil.getResourceBlockIdsBag(
\r
276 getCompanyId(), groupId, name, roleIds);
\r
278 PermissionCacheUtil.putResourceBlockIdsBag(
\r
279 companyId, groupId, userId, name, checkGuest,
\r
280 resourceBlockIdsBag);
\r
282 return resourceBlockIdsBag;
\r
// Fallback (presumably the finally block; its try/finally lines are not shown
// here): cache an empty bag so a failed build is not retried on every check.
285 if (resourceBlockIdsBag == null) {
\r
286 resourceBlockIdsBag = new ResourceBlockIdsBag();
\r
// NOTE(review): argument order differs from the get and put above -- here
// (companyId, userId, groupId, ...), above (companyId, groupId, userId, ...).
// Both are longs, so the swap compiles; one of the two keys the cache
// wrongly, and an empty bag under a swapped key could be served to an
// unrelated (group, user) pair whose ids coincide. Confirm against
// PermissionCacheUtil.putResourceBlockIdsBag and align with the first call.
289 PermissionCacheUtil.putResourceBlockIdsBag(
\r
290 companyId, userId, groupId, name, checkGuest,
\r
291 resourceBlockIdsBag);
\r
296 public long[] getRoleIds(long userId, long groupId) {
\r
297 PermissionCheckerBag bag = null;
\r
300 bag = getUserBag(userId, groupId);
\r
302 catch (Exception e) {
\r
307 Set<Long> roleIds = SetUtil.fromArray(bag.getRoleIds());
\r
310 PermissionCheckerBag guestBag = getGuestUserBag();
\r
312 if (guestBag != null) {
\r
313 for (long roleId : guestBag.getRoleIds()) {
\r
314 roleIds.add(roleId);
\r
318 catch (Exception e) {
\r
321 return ArrayUtil.toArray(
\r
322 roleIds.toArray(new Long[roleIds.size()]));
\r
325 return bag.getRoleIds();
\r
329 return PermissionChecker.DEFAULT_ROLE_IDS;
\r
333 * Returns the permission checker bag for the user and group. Users can have
\r
334 * different roles and permissions in different groups.
\r
 *
 * <p>
 * Local modification (marked MIGRATION MODIFICATION below): when the user is
 * not a member of the group but the group is a regular site whose
 * {@link CommunityInfos} politic value is 2, the group is still added to the
 * user's groups and the COMMUNITY_VISITOR role is looked up for the user.
 * Because the group is then also found by the SITE_MEMBER and team-role
 * checks further down, those roles are granted to the non-member as well,
 * and the resulting bag is cached per user and group.
 * </p>
\r
336 * @param userId the primary key of the user
\r
337 * @param groupId the primary key of the group
\r
338 * @return the permission checker bag for the user and group
\r
339 * @throws Exception if a user or group with the primary key could not be
\r
342 public PermissionCheckerBag getUserBag(long userId, long groupId)
\r
// Served from the cache when present; the build below presumably runs only
// on a miss (the enclosing if/try lines are not shown here).
345 PermissionCheckerBag bag = PermissionCacheUtil.getBag(userId, groupId);
\r
352 Group group = null;
\r
355 group = GroupLocalServiceUtil.getGroup(groupId);
\r
// Layout groups are resolved to their parent group for the role checks.
// NOTE(review): both membership branches below re-fetch getGroup(groupId),
// so this parent substitution does not appear to survive -- confirm.
357 if (group.isLayout()) {
\r
358 long parentGroupId = group.getParentGroupId();
\r
360 if (parentGroupId > 0) {
\r
361 group = GroupLocalServiceUtil.getGroup(parentGroupId);
\r
// Set only by the intranet modification below; read when implied roles are
// added further down.
366 boolean hackIntranetGrp = false;
\r
368 List<Group> userGroups = new ArrayList<Group>();
\r
// Direct membership: the group itself becomes one of the user's groups.
370 if (GroupLocalServiceUtil.hasUserGroup(userId, groupId)) {
\r
371 group = GroupLocalServiceUtil.getGroup(groupId);
\r
372 userGroups.add(group);
\r
375 /**************************
\r
376 * MIGRATION MODIFICATION *
\r
377 **************************/
\r
378 // If this is an open community/site group, add it anyway
\r
379 group = GroupLocalServiceUtil.getGroup(groupId);
\r
380 if (group.isRegularSite()) {
\r
// NOTE(review): politic == 2 is treated as "intranet" here; the meaning of
// the value is defined by CommunityInfos and is not visible in this file.
382 CommunityInfos ci = CommunityInfosLocalServiceUtil.getCommunityInfosByGroupId(groupId);
\r
383 if (ci.getPolitic()==2) {
\r
384 // It is an intranet group and the user is not a direct member, so we add it and also hack
\r
385 // the CommunityVisitor role
\r
386 hackIntranetGrp = true;
\r
// NOTE(review): adding a non-member's group to userGroups makes the
// SITE_MEMBER and addTeamRoles checks below treat the user as a member,
// not only the COMMUNITY_VISITOR branch. If the intent is visitor access
// only, track this group separately instead of putting it in userGroups.
387 userGroups.add(group);
\r
// NOTE(review): any failure here (e.g. no CommunityInfos row for the group)
// is swallowed without a log. The outcome fails closed -- the group is simply
// not added -- but genuine lookup errors become invisible; log at least at
// debug level.
390 catch(Exception exc) {
\r
391 //_log.error("Guest group i hope");
\r
// Indirect memberships via organizations and user groups.
397 List<Organization> userOrgs = getUserOrgs(userId);
\r
399 List<Group> userOrgGroups =
\r
400 GroupLocalServiceUtil.getOrganizationsGroups(userOrgs);
\r
402 List<UserGroup> userUserGroups =
\r
403 UserGroupLocalServiceUtil.getUserUserGroups(userId);
\r
405 List<Group> userUserGroupGroups =
\r
406 GroupLocalServiceUtil.getUserGroupsGroups(userUserGroups);
\r
// Every group the user reaches directly or indirectly, used for role lookup.
408 List<Group> groups = new ArrayList<Group>(
\r
409 userGroups.size() + userOrgGroups.size() +
\r
410 userUserGroupGroups.size());
\r
412 groups.addAll(userGroups);
\r
413 groups.addAll(userOrgGroups);
\r
414 groups.addAll(userUserGroupGroups);
\r
// UniqueList keeps a role added from several sources only once.
416 List<Role> roles = new UniqueList<Role>();
\r
// Roles are resolved only for the role-based algorithm values; the other
// branch (presumably the else, line 482 below) stores an empty role list.
418 if ((PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 3) ||
\r
419 (PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 4) ||
\r
420 (PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 5) ||
\r
421 (PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 6)) {
\r
423 if (groups.size() > 0) {
\r
424 List<Role> userRelatedRoles=
\r
425 RoleLocalServiceUtil.getUserRelatedRoles(
\r
428 roles.addAll(userRelatedRoles);
\r
431 roles.addAll(RoleLocalServiceUtil.getUserRoles(userId));
\r
434 List<Role> userGroupRoles =
\r
435 RoleLocalServiceUtil.getUserGroupRoles(userId, groupId);
\r
437 roles.addAll(userGroupRoles);
\r
439 List<Role> userGroupGroupRoles =
\r
440 RoleLocalServiceUtil.getUserGroupGroupRoles(
\r
443 roles.addAll(userGroupGroupRoles);
\r
// Implied roles for the group being checked.
445 if (group != null) {
\r
446 if (group.isOrganization() &&
\r
447 userOrgGroups.contains(group)) {
\r
449 Role organizationUserRole =
\r
450 RoleLocalServiceUtil.getRole(
\r
451 group.getCompanyId(),
\r
452 RoleConstants.ORGANIZATION_USER);
\r
454 roles.add(organizationUserRole);
\r
// NOTE(review): for a group added by the intranet modification above,
// userGroups.contains(group) holds, so a non-member also receives
// SITE_MEMBER here (a regular site is presumably also isSite()).
457 if (group.isSite() &&
\r
458 (userGroups.contains(group) ||
\r
459 userOrgGroups.contains(group))) {
\r
461 Role siteMemberRole = RoleLocalServiceUtil.getRole(
\r
462 group.getCompanyId(), RoleConstants.SITE_MEMBER);
\r
464 roles.add(siteMemberRole);
\r
467 if(hackIntranetGrp) {
\r
// NOTE(review): uses user.getCompanyId() where the sibling lookups use
// group.getCompanyId(); the role is presumably added to roles on a line
// not shown here.
468 Role role = RoleLocalServiceUtil.getRole(
\r
469 user.getCompanyId(), ENTRolesConstants.COMMUNITY_VISITOR);
\r
// NOTE(review): the same userGroups.contains(group) test also grants a
// non-member added by the intranet modification the group's team roles.
473 if ((group.isOrganization() &&
\r
474 userOrgGroups.contains(group)) ||
\r
475 (group.isSite() && userGroups.contains(group))) {
\r
477 addTeamRoles(userId, group, roles);
\r
482 roles = new ArrayList<Role>();
\r
485 bag = new PermissionCheckerBagImpl(
\r
486 userId, userGroups, userOrgs, userOrgGroups,
\r
487 userUserGroupGroups, groups, roles);
\r
// Fallback (presumably the catch path): an empty bag, so the user gets no
// roles rather than an exception.
493 bag = new PermissionCheckerBagImpl(
\r
494 userId, new ArrayList<Group>(),
\r
495 new ArrayList<Organization>(), new ArrayList<Group>(),
\r
496 new ArrayList<Group>(), new ArrayList<Group>(),
\r
497 new ArrayList<Role>());
\r
// The bag, including any roles granted by the intranet modification, is
// cached per user and group.
500 PermissionCacheUtil.putBag(userId, groupId, bag);
\r
504 public boolean hasOwnerPermission(
\r
505 long companyId, String name, String primKey, long ownerId,
\r
508 if (ownerId != getUserId()) {
\r
512 if (ownerId == defaultUserId) {
\r
513 if (actionId.equals(ActionKeys.VIEW)) {
\r
522 if (PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 6) {
\r
523 if (ResourceBlockLocalServiceUtil.isSupported(name)) {
\r
524 PermissionedModel permissionedModel =
\r
525 ResourceBlockLocalServiceUtil.getPermissionedModel(
\r
526 name, GetterUtil.getLong(primKey));
\r
530 if (permissionedModel instanceof GroupedModel) {
\r
531 GroupedModel groupedModel =
\r
532 (GroupedModel)permissionedModel;
\r
534 groupId = groupedModel.getGroupId();
\r
537 ResourceBlockIdsBag resourceBlockIdsBag =
\r
538 getOwnerResourceBlockIdsBag(companyId, groupId, name);
\r
540 return ResourceBlockLocalServiceUtil.hasPermission(
\r
541 name, permissionedModel, actionId, resourceBlockIdsBag);
\r
544 return ResourcePermissionLocalServiceUtil.hasResourcePermission(
\r
545 companyId, name, ResourceConstants.SCOPE_INDIVIDUAL,
\r
546 primKey, getOwnerRoleId(), actionId);
\r
549 ResourceActionsUtil.checkAction(name, actionId);
\r
551 Resource resource = ResourceLocalServiceUtil.getResource(
\r
552 companyId, name, ResourceConstants.SCOPE_INDIVIDUAL, primKey);
\r
554 List<Permission> permissions =
\r
555 PermissionLocalServiceUtil.getRolePermissions(
\r
556 getOwnerRoleId(), resource.getResourceId());
\r
558 int pos = Collections.binarySearch(
\r
559 permissions, actionId, new PermissionActionIdComparator());
\r
565 catch (Exception e) {
\r
566 if (_log.isDebugEnabled()) {
\r
574 public boolean hasPermission(
\r
575 long groupId, String name, String primKey, String actionId) {
\r
577 StopWatch stopWatch = null;
\r
579 if (_log.isDebugEnabled()) {
\r
580 stopWatch = new StopWatch();
\r
585 Group group = null;
\r
587 // If the current group is a staging group, check the live group. If the
\r
588 // current group is a scope group for a layout, check the original
\r
593 group = GroupLocalServiceUtil.getGroup(groupId);
\r
595 if (group.isUser() && (group.getClassPK() == getUserId())) {
\r
596 group = GroupLocalServiceUtil.getGroup(
\r
597 getCompanyId(), GroupConstants.USER_PERSONAL_SITE);
\r
599 groupId = group.getGroupId();
\r
602 if (group.isLayout()) {
\r
603 Layout layout = LayoutLocalServiceUtil.getLayout(
\r
604 group.getClassPK());
\r
606 groupId = layout.getGroupId();
\r
608 group = GroupLocalServiceUtil.getGroup(groupId);
\r
611 if (group.isStagingGroup()) {
\r
612 if (primKey.equals(String.valueOf(groupId))) {
\r
613 primKey = String.valueOf(group.getLiveGroupId());
\r
616 groupId = group.getLiveGroupId();
\r
617 group = group.getLiveGroup();
\r
621 catch (Exception e) {
\r
625 Boolean value = PermissionCacheUtil.getPermission(
\r
626 user.getUserId(), signedIn, checkGuest, groupId, name, primKey,
\r
629 if (value == null) {
\r
631 value = Boolean.valueOf(
\r
632 hasPermissionImpl(groupId, name, primKey, actionId));
\r
634 if (_log.isDebugEnabled()) {
\r
636 "Checking permission for " + groupId + " " + name +
\r
637 " " + primKey + " " + actionId + " takes " +
\r
638 stopWatch.getTime() + " ms");
\r
642 if (value == null) {
\r
643 value = Boolean.FALSE;
\r
646 PermissionCacheUtil.putPermission(
\r
647 user.getUserId(), signedIn, checkGuest, groupId, name,
\r
648 primKey, actionId, value);
\r
652 return value.booleanValue();
\r
655 public boolean hasUserPermission(
\r
656 long groupId, String name, String primKey, String actionId,
\r
657 boolean checkAdmin) {
\r
660 return hasUserPermissionImpl(
\r
661 groupId, name, primKey, actionId, checkAdmin);
\r
663 catch (Exception e) {
\r
670 public boolean isCompanyAdmin() {
\r
672 return isCompanyAdminImpl();
\r
674 catch (Exception e) {
\r
681 public boolean isCompanyAdmin(long companyId) {
\r
683 return isCompanyAdminImpl(companyId);
\r
685 catch (Exception e) {
\r
692 public boolean isGroupAdmin(long groupId) {
\r
694 return isGroupAdminImpl(groupId);
\r
696 catch (Exception e) {
\r
703 public boolean isGroupMember(long groupId) {
\r
705 return isGroupMemberImpl(groupId);
\r
707 catch (Exception e) {
\r
714 public boolean isGroupOwner(long groupId) {
\r
716 return isGroupOwnerImpl(groupId);
\r
718 catch (Exception e) {
\r
725 public boolean isOrganizationAdmin(long organizationId) {
\r
727 return isOrganizationAdminImpl(organizationId);
\r
729 catch (Exception e) {
\r
736 protected void addTeamRoles(long userId, Group group, List<Role> roles)
\r
739 if ((PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 5) ||
\r
740 (PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 6)) {
\r
742 List<Team> userTeams = TeamLocalServiceUtil.getUserTeams(
\r
743 userId, group.getGroupId());
\r
745 for (Team team : userTeams) {
\r
746 Role role = RoleLocalServiceUtil.getTeamRole(
\r
747 team.getCompanyId(), team.getTeamId());
\r
752 LinkedHashMap<String, Object> teamParams =
\r
753 new LinkedHashMap<String, Object>();
\r
755 teamParams.put("usersUserGroups", userId);
\r
757 List<Team> userGroupTeams = TeamLocalServiceUtil.search(
\r
758 group.getGroupId(), null, null, teamParams, QueryUtil.ALL_POS,
\r
759 QueryUtil.ALL_POS, null);
\r
761 for (Team team : userGroupTeams) {
\r
762 Role role = RoleLocalServiceUtil.getTeamRole(
\r
763 team.getCompanyId(), team.getTeamId());
\r
771 * Returns representations of the resource at each scope level.
\r
774 * For example, if the class name and primary key of a blog entry were
\r
775 * passed to this method, it would return a resource for the blog entry
\r
776 * itself (individual scope), a resource representing all blog entries
\r
777 * within its group (group scope), a resource standing for all blog entries
\r
778 * within a group the user has a suitable role in (group-template scope),
\r
779 * and a resource signifying all blog entries within the company (company
\r
783 * @param companyId the primary key of the company
\r
784 * @param groupId the primary key of the group containing the resource
\r
785 * @param name the resource's name, which can be either a class name or a
\r
787 * @param primKey the primary key of the resource
\r
788 * @param actionId unused
\r
789 * @return representations of the resource at each scope level
\r
790 * @throws Exception if an exception occurred
\r
792 protected List<Resource> getResources(
\r
793 long companyId, long groupId, String name, String primKey,
\r
799 List<Resource> resources = new ArrayList<Resource>(4);
\r
802 Resource resource = ResourceLocalServiceUtil.getResource(
\r
803 companyId, name, ResourceConstants.SCOPE_INDIVIDUAL, primKey);
\r
805 resources.add(resource);
\r
807 catch (NoSuchResourceException nsre) {
\r
808 if (_log.isWarnEnabled()) {
\r
810 "Resource " + companyId + " " + name + " " +
\r
811 ResourceConstants.SCOPE_INDIVIDUAL + " " + primKey +
\r
812 " does not exist");
\r
820 Resource resource = ResourceLocalServiceUtil.getResource(
\r
821 companyId, name, ResourceConstants.SCOPE_GROUP,
\r
822 String.valueOf(groupId));
\r
824 resources.add(resource);
\r
827 catch (NoSuchResourceException nsre) {
\r
828 if (_log.isWarnEnabled()) {
\r
830 "Resource " + companyId + " " + name + " " +
\r
831 ResourceConstants.SCOPE_GROUP + " " + groupId +
\r
832 " does not exist");
\r
839 if (signedIn && (groupId > 0)) {
\r
840 Resource resource = ResourceLocalServiceUtil.getResource(
\r
841 companyId, name, ResourceConstants.SCOPE_GROUP_TEMPLATE,
\r
842 String.valueOf(GroupConstants.DEFAULT_PARENT_GROUP_ID));
\r
844 resources.add(resource);
\r
847 catch (NoSuchResourceException nsre) {
\r
848 if (_log.isWarnEnabled()) {
\r
850 "Resource " + companyId + " " + name + " " +
\r
851 ResourceConstants.SCOPE_GROUP_TEMPLATE + " " +
\r
852 GroupConstants.DEFAULT_PARENT_GROUP_ID +
\r
853 " does not exist");
\r
860 Resource resource = ResourceLocalServiceUtil.getResource(
\r
861 companyId, name, ResourceConstants.SCOPE_COMPANY,
\r
862 String.valueOf(companyId));
\r
864 resources.add(resource);
\r
866 catch (NoSuchResourceException nsre) {
\r
867 if (_log.isWarnEnabled()) {
\r
869 "Resource " + companyId + " " + name + " " +
\r
870 ResourceConstants.SCOPE_COMPANY + " " + companyId +
\r
871 " does not exist");
\r
879 * Returns all of the organizations that the user is a member of, including
\r
880 * their parent organizations.
\r
882 * @param userId the primary key of the user
\r
883 * @return all of the organizations that the user is a member of, including
\r
884 * their parent organizations
\r
885 * @throws Exception if a user with the primary key could not be found
\r
887 protected List<Organization> getUserOrgs(long userId) throws Exception {
\r
888 List<Organization> userOrgs =
\r
889 OrganizationLocalServiceUtil.getUserOrganizations(userId);
\r
891 if (userOrgs.size() == 0) {
\r
895 List<Organization> organizations = new UniqueList<Organization>();
\r
897 for (Organization organization : userOrgs) {
\r
898 if (!organizations.contains(organization)) {
\r
899 organizations.add(organization);
\r
901 List<Organization> ancestorOrganizations =
\r
902 OrganizationLocalServiceUtil.getParentOrganizations(
\r
903 organization.getOrganizationId());
\r
905 organizations.addAll(ancestorOrganizations);
\r
909 return organizations;
\r
912 protected boolean hasGuestPermission(
\r
913 long groupId, String name, String primKey, String actionId)
\r
916 ResourceActionsUtil.checkAction(name, actionId);
\r
918 if (name.indexOf(CharPool.PERIOD) != -1) {
\r
920 // Check unsupported model actions
\r
922 List<String> actions = ResourceActionsUtil.
\r
923 getModelResourceGuestUnsupportedActions(name);
\r
925 if (actions.contains(actionId)) {
\r
931 // Check unsupported portlet actions
\r
933 List<String> actions = ResourceActionsUtil.
\r
934 getPortletResourceGuestUnsupportedActions(name);
\r
936 if (actions.contains(actionId)) {
\r
941 long companyId = user.getCompanyId();
\r
943 List<Resource> resources = getResources(
\r
944 companyId, groupId, name, primKey, actionId);
\r
946 PermissionCheckerBag bag = getGuestUserBag();
\r
949 if ((PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 6) &&
\r
950 ResourceBlockLocalServiceUtil.isSupported(name)) {
\r
952 ResourceBlockIdsBag resourceBlockIdsBag =
\r
953 getGuestResourceBlockIdsBag(companyId, groupId, name);
\r
955 return ResourceBlockLocalServiceUtil.hasPermission(
\r
956 name, GetterUtil.getLong(primKey), actionId,
\r
957 resourceBlockIdsBag);
\r
960 return PermissionLocalServiceUtil.hasUserPermissions(
\r
961 defaultUserId, groupId, resources, actionId, bag);
\r
963 catch (Exception e) {
\r
970 protected boolean hasPermissionImpl(
\r
971 long groupId, String name, String primKey, String actionId) {
\r
975 return hasGuestPermission(groupId, name, primKey, actionId);
\r
978 if ((PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 6) &&
\r
979 ResourceBlockLocalServiceUtil.isSupported(name)) {
\r
981 // It is not necessary to check guest permissions separately,
\r
982 // as the user's resource block IDs bag will already have the
\r
983 // guest permissions in it if checkGuest is true.
\r
985 return hasUserPermission(
\r
986 groupId, name, primKey, actionId, true);
\r
989 boolean value = false;
\r
992 value = hasGuestPermission(groupId, name, primKey, actionId);
\r
996 value = hasUserPermission(
\r
997 groupId, name, primKey, actionId, true);
\r
1002 catch (Exception e) {
\r
/**
 * Performs the user permission check behind {@link #hasUserPermission}.
 * Administrator shortcuts are evaluated first (company admin, organization
 * admin for Organization resources, group admin gated by the layout manager
 * check); otherwise the check falls through to resource blocks (algorithm 6)
 * or to the scoped resources and the user's bag.
 *
 * @param groupId the primary key of the group
 * @param name the resource name (a class or portlet name)
 * @param primKey the resource's primary key
 * @param actionId the action being checked
 * @param checkAdmin whether the administrator shortcuts apply; the guard
 *        that reads it is presumably on a line not shown here
 * @return whether the user may perform the action
 * @throws Exception if a lookup fails
 */
1009 protected boolean hasUserPermissionImpl(
\r
1010 long groupId, String name, String primKey, String actionId,
\r
1011 boolean checkAdmin)
\r
1012 throws Exception {
\r
// Timing is only collected when debug logging is on (see logHasUserPermission).
1014 StopWatch stopWatch = null;
\r
1016 if (_log.isDebugEnabled()) {
\r
1017 stopWatch = new StopWatch();
\r
1019 stopWatch.start();
\r
1022 long companyId = user.getCompanyId();
\r
1024 boolean hasLayoutManagerPermission = true;
\r
1026 // Check if the layout manager has permission to do this action for the
\r
1027 // current portlet
\r
// A portlet primKey (one containing the layout separator) additionally
// requires layout manager permission before the group-admin shortcut applies.
1029 if (Validator.isNotNull(name) && Validator.isNotNull(primKey) &&
\r
1030 (primKey.indexOf(PortletConstants.LAYOUT_SEPARATOR) != -1)) {
\r
1032 hasLayoutManagerPermission =
\r
1033 PortletPermissionUtil.hasLayoutManagerPermission(
\r
// Admin shortcuts; the value returned on each path is not shown in this
// listing.
1038 if (isCompanyAdminImpl(companyId)) {
\r
1042 if (name.equals(Organization.class.getName())) {
\r
// NOTE(review): primKey is parsed with getInteger although organization ids
// are longs (getLong is used for the same value further down). An id beyond
// the int range would not resolve to the intended organization, so the
// shortcut would be evaluated against the wrong id -- this fails closed, but
// getLong is the consistent choice.
1043 long organizationId = GetterUtil.getInteger(primKey);
\r
1045 if (isOrganizationAdminImpl(organizationId)) {
\r
1049 else if (isGroupAdminImpl(groupId) && hasLayoutManagerPermission) {
\r
1054 logHasUserPermission(groupId, name, primKey, actionId, stopWatch, 1);
\r
// Resource-block path. Per the comment in hasPermissionImpl, the user's
// block IDs bag already includes guest permissions when checkGuest is set.
1056 if ((PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 6) &&
\r
1057 ResourceBlockLocalServiceUtil.isSupported(name)) {
\r
1059 ResourceBlockIdsBag resourceBlockIdsBag = getResourceBlockIdsBag(
\r
1060 companyId, groupId, getUserId(), name);
\r
1062 boolean value = ResourceBlockLocalServiceUtil.hasPermission(
\r
1063 name, GetterUtil.getLong(primKey), actionId,
\r
1064 resourceBlockIdsBag);
\r
1066 logHasUserPermission(
\r
1067 groupId, name, primKey, actionId, stopWatch, 2);
\r
// Scoped-resource path (individual, group, group-template, company).
1072 List<Resource> resources = getResources(
\r
1073 companyId, groupId, name, primKey, actionId);
\r
1075 logHasUserPermission(groupId, name, primKey, actionId, stopWatch, 3);
\r
1077 // Check if user has access to perform the action on the given
\r
1078 // resource scopes. The resources are scoped to check first for an
\r
1079 // individual class, then for the group that the class may belong
\r
1080 // to, and then for the company that the class belongs to.
\r
// NOTE(review): the bag comes from getUserBag, so any roles granted by its
// intranet modification (COMMUNITY_VISITOR, SITE_MEMBER, team roles for a
// non-member) take effect in this check.
1082 PermissionCheckerBag bag = getUserBag(user.getUserId(), groupId);
\r
1084 boolean value = PermissionLocalServiceUtil.hasUserPermissions(
\r
1085 user.getUserId(), groupId, resources, actionId, bag);
\r
1087 logHasUserPermission(groupId, name, primKey, actionId, stopWatch, 4);
\r
1092 protected boolean isCompanyAdminImpl() throws Exception {
\r
1093 return isCompanyAdminImpl(user.getCompanyId());
\r
1096 protected boolean isCompanyAdminImpl(long companyId) throws Exception {
\r
1101 if (isOmniadmin()) {
\r
1105 Boolean value = companyAdmins.get(companyId);
\r
1107 if (value == null) {
\r
1108 boolean hasAdminRole = RoleLocalServiceUtil.hasUserRole(
\r
1109 user.getUserId(), companyId, RoleConstants.ADMINISTRATOR, true);
\r
1111 value = Boolean.valueOf(hasAdminRole);
\r
1113 companyAdmins.put(companyId, value);
\r
1116 return value.booleanValue();
\r
1119 protected boolean isGroupAdminImpl(long groupId) throws Exception {
\r
1124 if (isOmniadmin()) {
\r
1128 if (groupId <= 0) {
\r
1132 Group group = GroupLocalServiceUtil.getGroup(groupId);
\r
1134 if (isCompanyAdmin(group.getCompanyId())) {
\r
1138 PermissionCheckerBag bag = getUserBag(user.getUserId(), groupId);
\r
1140 if (bag == null) {
\r
1141 _log.error("Bag should never be null");
\r
1144 if (bag.isGroupAdmin(this, group)) {
\r
1152 protected boolean isGroupMemberImpl(long groupId) throws Exception {
\r
1157 if (groupId <= 0) {
\r
1161 Group group = GroupLocalServiceUtil.getGroup(groupId);
\r
1163 PermissionCheckerBag bag = getUserBag(user.getUserId(), groupId);
\r
1165 if (bag == null) {
\r
1166 _log.error("Bag should never be null");
\r
1169 if (bag.isGroupMember(this, group)) {
\r
1177 protected boolean isGroupOwnerImpl(long groupId) throws Exception {
\r
1182 if (isOmniadmin()) {
\r
1186 if (groupId <= 0) {
\r
1190 Group group = GroupLocalServiceUtil.getGroup(groupId);
\r
1192 if (isCompanyAdmin(group.getCompanyId())) {
\r
1196 PermissionCheckerBag bag = getUserBag(user.getUserId(), groupId);
\r
1198 if (bag == null) {
\r
1199 _log.error("Bag should never be null");
\r
1202 if (bag.isGroupOwner(this, group)) {
\r
1210 protected boolean isOrganizationAdminImpl(long organizationId)
\r
1211 throws Exception {
\r
1217 if (isOmniadmin()) {
\r
1221 if (organizationId <= 0) {
\r
1225 Organization organization =
\r
1226 OrganizationLocalServiceUtil.fetchOrganization(organizationId);
\r
1228 if (organization == null) {
\r
1232 if (isCompanyAdmin(organization.getCompanyId())) {
\r
1236 PermissionCheckerBag bag = getUserBag(
\r
1237 user.getUserId(), organization.getGroupId());
\r
1239 if (bag == null) {
\r
1240 _log.error("Bag should never be null");
\r
1243 if (bag.isOrganizationAdmin(this, organization)) {
\r
1251 protected void logHasUserPermission(
\r
1252 long groupId, String name, String primKey, String actionId,
\r
1253 StopWatch stopWatch, int block) {
\r
1255 if (!_log.isDebugEnabled()) {
\r
1260 "Checking user permission block " + block + " for " + groupId +
\r
1261 " " + name + " " + primKey + " " + actionId + " takes " +
\r
1262 stopWatch.getTime() + " ms");
\r
1268 protected static final String RESULTS_SEPARATOR = "_RESULTS_SEPARATOR_";
\r
1270 protected Map<Long, Boolean> companyAdmins = new HashMap<Long, Boolean>();
\r
1272 private static Log _log = LogFactoryUtil.getLog(
\r
1273 AdvancedPermissionChecker.class);
\r