--- /dev/null
+/**\r
+ * Copyright (c) 2000-2012 Liferay, Inc. All rights reserved.\r
+ *\r
+ * This library is free software; you can redistribute it and/or modify it under\r
+ * the terms of the GNU Lesser General Public License as published by the Free\r
+ * Software Foundation; either version 2.1 of the License, or (at your option)\r
+ * any later version.\r
+ *\r
+ * This library is distributed in the hope that it will be useful, but WITHOUT\r
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS\r
+ * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more\r
+ * details.\r
+ */\r
+\r
+package com.liferay.portal.security.permission;\r
+\r
+import com.liferay.portal.NoSuchResourceException;\r
+import com.liferay.portal.kernel.dao.orm.QueryUtil;\r
+import com.liferay.portal.kernel.exception.SystemException;\r
+import com.liferay.portal.kernel.log.Log;\r
+import com.liferay.portal.kernel.log.LogFactoryUtil;\r
+import com.liferay.portal.kernel.util.ArrayUtil;\r
+import com.liferay.portal.kernel.util.CharPool;\r
+import com.liferay.portal.kernel.util.GetterUtil;\r
+import com.liferay.portal.kernel.util.SetUtil;\r
+import com.liferay.portal.kernel.util.UniqueList;\r
+import com.liferay.portal.kernel.util.Validator;\r
+import com.liferay.portal.model.Group;\r
+import com.liferay.portal.model.GroupConstants;\r
+import com.liferay.portal.model.GroupedModel;\r
+import com.liferay.portal.model.Layout;\r
+import com.liferay.portal.model.Organization;\r
+import com.liferay.portal.model.Permission;\r
+import com.liferay.portal.model.PermissionedModel;\r
+import com.liferay.portal.model.PortletConstants;\r
+import com.liferay.portal.model.Resource;\r
+import com.liferay.portal.model.ResourceBlockConstants;\r
+import com.liferay.portal.model.ResourceConstants;\r
+import com.liferay.portal.model.Role;\r
+import com.liferay.portal.model.RoleConstants;\r
+import com.liferay.portal.model.Team;\r
+import com.liferay.portal.model.UserGroup;\r
+import com.liferay.portal.security.permission.comparator.PermissionActionIdComparator;\r
+import com.liferay.portal.service.GroupLocalServiceUtil;\r
+import com.liferay.portal.service.LayoutLocalServiceUtil;\r
+import com.liferay.portal.service.OrganizationLocalServiceUtil;\r
+import com.liferay.portal.service.PermissionLocalServiceUtil;\r
+import com.liferay.portal.service.ResourceBlockLocalServiceUtil;\r
+import com.liferay.portal.service.ResourceLocalServiceUtil;\r
+import com.liferay.portal.service.ResourcePermissionLocalServiceUtil;\r
+import com.liferay.portal.service.RoleLocalServiceUtil;\r
+import com.liferay.portal.service.TeamLocalServiceUtil;\r
+import com.liferay.portal.service.UserGroupLocalServiceUtil;\r
+import com.liferay.portal.service.permission.PortletPermissionUtil;\r
+import com.liferay.portal.util.PropsValues;\r
+import com.pentila.entSavoie.ENTRolesConstants;\r
+import com.pentila.entSavoie.communityInfos.model.CommunityInfos;\r
+import com.pentila.entSavoie.communityInfos.service.CommunityInfosLocalServiceUtil;\r
+\r
+import java.util.ArrayList;\r
+import java.util.Collections;\r
+import java.util.HashMap;\r
+import java.util.LinkedHashMap;\r
+import java.util.List;\r
+import java.util.Map;\r
+import java.util.Set;\r
+\r
+import org.apache.commons.lang.time.StopWatch;\r
+\r
+/**\r
+ * @author Charles May\r
+ * @author Brian Wing Shun Chan\r
+ * @author Raymond Augé\r
+ * @author Wesley Gong\r
+ * @author Connor McKay\r
+ */\r
+public class AdvancedPermissionChecker extends BasePermissionChecker {\r
+\r
+ @Override\r
+ public AdvancedPermissionChecker clone() {\r
+ return new AdvancedPermissionChecker();\r
+ }\r
+\r
+ @Override\r
+ public List<Long> getGuestResourceBlockIds(\r
+ long companyId, long groupId, String name, String actionId) {\r
+\r
+ try {\r
+ ResourceBlockIdsBag resourceBlockIdsBag =\r
+ getGuestResourceBlockIdsBag(companyId, groupId, name);\r
+\r
+ return ResourceBlockLocalServiceUtil.getResourceBlockIds(\r
+ resourceBlockIdsBag, name, actionId);\r
+ }\r
+ catch (Exception e) {\r
+ }\r
+\r
+ return Collections.emptyList();\r
+ }\r
+\r
+ public ResourceBlockIdsBag getGuestResourceBlockIdsBag(\r
+ long companyId, long groupId, String name)\r
+ throws Exception {\r
+\r
+ // checkGuest is irrelevant for the guest role, so it is assumed true\r
+\r
+ ResourceBlockIdsBag resourceBlockIdsBag =\r
+ PermissionCacheUtil.getResourceBlockIdsBag(\r
+ companyId, groupId, defaultUserId, name, true);\r
+\r
+ if (resourceBlockIdsBag != null) {\r
+ return resourceBlockIdsBag;\r
+ }\r
+\r
+ try {\r
+ PermissionCheckerBag bag = getGuestUserBag();\r
+\r
+ long[] roleIds = bag.getRoleIds();\r
+\r
+ resourceBlockIdsBag =\r
+ ResourceBlockLocalServiceUtil.getResourceBlockIdsBag(\r
+ getCompanyId(), groupId, name, roleIds);\r
+\r
+ PermissionCacheUtil.putResourceBlockIdsBag(\r
+ companyId, groupId, defaultUserId, name, true,\r
+ resourceBlockIdsBag);\r
+\r
+ return resourceBlockIdsBag;\r
+ }\r
+ finally {\r
+ if (resourceBlockIdsBag == null) {\r
+ resourceBlockIdsBag = new ResourceBlockIdsBag();\r
+ }\r
+\r
+ PermissionCacheUtil.putResourceBlockIdsBag(\r
+ companyId, defaultUserId, groupId, name, true,\r
+ resourceBlockIdsBag);\r
+ }\r
+ }\r
+\r
+ /**\r
+ * Returns the permission checker bag for the guest user.\r
+ *\r
+ * @return the permission checker bag for the guest user\r
+ * @throws Exception if an exception occurred\r
+ */\r
+ public PermissionCheckerBag getGuestUserBag() throws Exception {\r
+ Group guestGroup = GroupLocalServiceUtil.getGroup(\r
+ getCompanyId(), GroupConstants.GUEST);\r
+\r
+ PermissionCheckerBag bag = PermissionCacheUtil.getBag(\r
+ defaultUserId, guestGroup.getGroupId());\r
+\r
+ if (bag == null) {\r
+ try {\r
+ List<Group> groups = new ArrayList<Group>();\r
+\r
+ groups.add(guestGroup);\r
+\r
+ List<Role> roles = RoleLocalServiceUtil.getUserRelatedRoles(\r
+ defaultUserId, groups);\r
+\r
+ bag = new PermissionCheckerBagImpl(\r
+ defaultUserId, new ArrayList<Group>(),\r
+ new ArrayList<Organization>(), new ArrayList<Group>(),\r
+ new ArrayList<Group>(), groups, roles);\r
+ }\r
+ finally {\r
+ if (bag == null) {\r
+ bag = new PermissionCheckerBagImpl(\r
+ defaultUserId, new ArrayList<Group>(),\r
+ new ArrayList<Organization>(), new ArrayList<Group>(),\r
+ new ArrayList<Group>(), new ArrayList<Group>(),\r
+ new ArrayList<Role>());\r
+ }\r
+\r
+ PermissionCacheUtil.putBag(\r
+ defaultUserId, guestGroup.getGroupId(), bag);\r
+ }\r
+ }\r
+\r
+ return bag;\r
+ }\r
+\r
+ @Override\r
+ public List<Long> getOwnerResourceBlockIds(\r
+ long companyId, long groupId, String name, String actionId) {\r
+\r
+ try {\r
+ ResourceBlockIdsBag resourceBlockIdsBag =\r
+ getOwnerResourceBlockIdsBag(companyId, groupId, name);\r
+\r
+ return ResourceBlockLocalServiceUtil.getResourceBlockIds(\r
+ resourceBlockIdsBag, name, actionId);\r
+ }\r
+ catch (Exception e) {\r
+ }\r
+\r
+ return Collections.emptyList();\r
+ }\r
+\r
+ public ResourceBlockIdsBag getOwnerResourceBlockIdsBag(\r
+ long companyId, long groupId, String name)\r
+ throws SystemException {\r
+\r
+ // checkGuest is irrelevant for the owner role, so it is assumed true\r
+\r
+ ResourceBlockIdsBag resourceBlockIdsBag =\r
+ PermissionCacheUtil.getResourceBlockIdsBag(\r
+ companyId, groupId, ResourceBlockConstants.OWNER_USER_ID, name,\r
+ true);\r
+\r
+ if (resourceBlockIdsBag != null) {\r
+ return resourceBlockIdsBag;\r
+ }\r
+\r
+ try {\r
+ long[] roleIds = {getOwnerRoleId()};\r
+\r
+ resourceBlockIdsBag =\r
+ ResourceBlockLocalServiceUtil.getResourceBlockIdsBag(\r
+ getCompanyId(), groupId, name, roleIds);\r
+\r
+ PermissionCacheUtil.putResourceBlockIdsBag(\r
+ companyId, groupId, ResourceBlockConstants.OWNER_USER_ID, name,\r
+ true, resourceBlockIdsBag);\r
+\r
+ return resourceBlockIdsBag;\r
+ }\r
+ finally {\r
+ if (resourceBlockIdsBag == null) {\r
+ resourceBlockIdsBag = new ResourceBlockIdsBag();\r
+ }\r
+\r
+ PermissionCacheUtil.putResourceBlockIdsBag(\r
+ companyId, ResourceBlockConstants.OWNER_USER_ID, groupId, name,\r
+ true, resourceBlockIdsBag);\r
+ }\r
+ }\r
+\r
+ @Override\r
+ public List<Long> getResourceBlockIds(\r
+ long companyId, long groupId, long userId, String name,\r
+ String actionId) {\r
+\r
+ try {\r
+ ResourceBlockIdsBag resourceBlockIdsBag = getResourceBlockIdsBag(\r
+ companyId, groupId, userId, name);\r
+\r
+ return ResourceBlockLocalServiceUtil.getResourceBlockIds(\r
+ resourceBlockIdsBag, name, actionId);\r
+ }\r
+ catch (Exception e) {\r
+ }\r
+\r
+ return Collections.emptyList();\r
+ }\r
+\r
+ public ResourceBlockIdsBag getResourceBlockIdsBag(\r
+ long companyId, long groupId, long userId, String name)\r
+ throws Exception {\r
+\r
+ ResourceBlockIdsBag resourceBlockIdsBag =\r
+ PermissionCacheUtil.getResourceBlockIdsBag(\r
+ companyId, groupId, userId, name, checkGuest);\r
+\r
+ if (resourceBlockIdsBag != null) {\r
+ return resourceBlockIdsBag;\r
+ }\r
+\r
+ try {\r
+ long[] roleIds = getRoleIds(userId, groupId);\r
+\r
+ resourceBlockIdsBag =\r
+ ResourceBlockLocalServiceUtil.getResourceBlockIdsBag(\r
+ getCompanyId(), groupId, name, roleIds);\r
+\r
+ PermissionCacheUtil.putResourceBlockIdsBag(\r
+ companyId, groupId, userId, name, checkGuest,\r
+ resourceBlockIdsBag);\r
+\r
+ return resourceBlockIdsBag;\r
+ }\r
+ finally {\r
+ if (resourceBlockIdsBag == null) {\r
+ resourceBlockIdsBag = new ResourceBlockIdsBag();\r
+ }\r
+\r
+ PermissionCacheUtil.putResourceBlockIdsBag(\r
+ companyId, userId, groupId, name, checkGuest,\r
+ resourceBlockIdsBag);\r
+ }\r
+ }\r
+\r
+ @Override\r
+ public long[] getRoleIds(long userId, long groupId) {\r
+ PermissionCheckerBag bag = null;\r
+\r
+ try {\r
+ bag = getUserBag(userId, groupId);\r
+ }\r
+ catch (Exception e) {\r
+ }\r
+\r
+ if (bag != null) {\r
+ if (checkGuest) {\r
+ Set<Long> roleIds = SetUtil.fromArray(bag.getRoleIds());\r
+\r
+ try {\r
+ PermissionCheckerBag guestBag = getGuestUserBag();\r
+\r
+ if (guestBag != null) {\r
+ for (long roleId : guestBag.getRoleIds()) {\r
+ roleIds.add(roleId);\r
+ }\r
+ }\r
+ }\r
+ catch (Exception e) {\r
+ }\r
+\r
+ return ArrayUtil.toArray(\r
+ roleIds.toArray(new Long[roleIds.size()]));\r
+ }\r
+ else {\r
+ return bag.getRoleIds();\r
+ }\r
+ }\r
+\r
+ return PermissionChecker.DEFAULT_ROLE_IDS;\r
+ }\r
+\r
+ /**\r
+ * Returns the permission checker bag for the user and group. Users can have\r
+ * different roles and permissions in different groups.\r
+ *\r
+ * @param userId the primary key of the user\r
+ * @param groupId the primary key of the group\r
+ * @return the permission checker bag for the user and group\r
+ * @throws Exception if a user or group with the primary key could not be\r
+ * found\r
+ */\r
+ public PermissionCheckerBag getUserBag(long userId, long groupId)\r
+ throws Exception {\r
+\r
+ PermissionCheckerBag bag = PermissionCacheUtil.getBag(userId, groupId);\r
+\r
+ if (bag != null) {\r
+ return bag;\r
+ }\r
+\r
+ try {\r
+ Group group = null;\r
+\r
+ if (groupId > 0) {\r
+ group = GroupLocalServiceUtil.getGroup(groupId);\r
+\r
+ if (group.isLayout()) {\r
+ long parentGroupId = group.getParentGroupId();\r
+\r
+ if (parentGroupId > 0) {\r
+ group = GroupLocalServiceUtil.getGroup(parentGroupId);\r
+ }\r
+ }\r
+ }\r
+\r
+ boolean hackIntranetGrp = false;\r
+ \r
+ List<Group> userGroups = new ArrayList<Group>();\r
+ if (groupId > 0) {\r
+ if (GroupLocalServiceUtil.hasUserGroup(userId, groupId)) {\r
+ group = GroupLocalServiceUtil.getGroup(groupId);\r
+ userGroups.add(group);\r
+ }\r
+ else {\r
+ /**************************\r
+ * MIGRATION MODIFICATION *\r
+ **************************/\r
+ // si il s agit d'un grp community/site open on l ajoute\r
+ group = GroupLocalServiceUtil.getGroup(groupId);\r
+ if (group.isRegularSite()) {\r
+ try {\r
+ CommunityInfos ci = CommunityInfosLocalServiceUtil.getCommunityInfosByGroupId(groupId);\r
+ if (ci.getPolitic()==2) {\r
+ // c est un grp intranet et il n est pas directement membre donc on l ajoute et on hack\r
+ // aussi pour le role CommunityVisitor\r
+ hackIntranetGrp = true;\r
+ userGroups.add(group);\r
+ }\r
+ }\r
+ catch(Exception exc) {\r
+ //_log.error("Guest group i hope");\r
+ }\r
+ }\r
+ }\r
+ }\r
+\r
+ List<Organization> userOrgs = getUserOrgs(userId);\r
+\r
+ List<Group> userOrgGroups =\r
+ GroupLocalServiceUtil.getOrganizationsGroups(userOrgs);\r
+\r
+ List<UserGroup> userUserGroups =\r
+ UserGroupLocalServiceUtil.getUserUserGroups(userId);\r
+\r
+ List<Group> userUserGroupGroups =\r
+ GroupLocalServiceUtil.getUserGroupsGroups(userUserGroups);\r
+\r
+ List<Group> groups = new ArrayList<Group>(\r
+ userGroups.size() + userOrgGroups.size() +\r
+ userUserGroupGroups.size());\r
+\r
+ groups.addAll(userGroups);\r
+ groups.addAll(userOrgGroups);\r
+ groups.addAll(userUserGroupGroups);\r
+\r
+ List<Role> roles = new UniqueList<Role>();\r
+\r
+ if ((PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 3) ||\r
+ (PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 4) ||\r
+ (PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 5) ||\r
+ (PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 6)) {\r
+\r
+ if (groups.size() > 0) {\r
+ List<Role> userRelatedRoles=\r
+ RoleLocalServiceUtil.getUserRelatedRoles(\r
+ userId, groups);\r
+\r
+ roles.addAll(userRelatedRoles);\r
+ }\r
+ else {\r
+ roles.addAll(RoleLocalServiceUtil.getUserRoles(userId));\r
+ }\r
+\r
+ List<Role> userGroupRoles =\r
+ RoleLocalServiceUtil.getUserGroupRoles(userId, groupId);\r
+\r
+ roles.addAll(userGroupRoles);\r
+\r
+ List<Role> userGroupGroupRoles =\r
+ RoleLocalServiceUtil.getUserGroupGroupRoles(\r
+ userId, groupId);\r
+\r
+ roles.addAll(userGroupGroupRoles);\r
+\r
+ if (group != null) {\r
+ if (group.isOrganization() &&\r
+ userOrgGroups.contains(group)) {\r
+\r
+ Role organizationUserRole =\r
+ RoleLocalServiceUtil.getRole(\r
+ group.getCompanyId(),\r
+ RoleConstants.ORGANIZATION_USER);\r
+\r
+ roles.add(organizationUserRole);\r
+ }\r
+\r
+ if (group.isSite() &&\r
+ (userGroups.contains(group) ||\r
+ userOrgGroups.contains(group))) {\r
+\r
+ Role siteMemberRole = RoleLocalServiceUtil.getRole(\r
+ group.getCompanyId(), RoleConstants.SITE_MEMBER);\r
+\r
+ roles.add(siteMemberRole);\r
+ }\r
+\r
+ if(hackIntranetGrp) {\r
+ Role role = RoleLocalServiceUtil.getRole(\r
+ user.getCompanyId(), ENTRolesConstants.COMMUNITY_VISITOR);\r
+ roles.add(role); \r
+ }\r
+ \r
+ if ((group.isOrganization() &&\r
+ userOrgGroups.contains(group)) ||\r
+ (group.isSite() && userGroups.contains(group))) {\r
+\r
+ addTeamRoles(userId, group, roles);\r
+ }\r
+ }\r
+ }\r
+ else {\r
+ roles = new ArrayList<Role>();\r
+ }\r
+\r
+ bag = new PermissionCheckerBagImpl(\r
+ userId, userGroups, userOrgs, userOrgGroups,\r
+ userUserGroupGroups, groups, roles);\r
+\r
+ return bag;\r
+ }\r
+ finally {\r
+ if (bag == null) {\r
+ bag = new PermissionCheckerBagImpl(\r
+ userId, new ArrayList<Group>(),\r
+ new ArrayList<Organization>(), new ArrayList<Group>(),\r
+ new ArrayList<Group>(), new ArrayList<Group>(),\r
+ new ArrayList<Role>());\r
+ }\r
+\r
+ PermissionCacheUtil.putBag(userId, groupId, bag);\r
+ }\r
+ }\r
+\r
+ public boolean hasOwnerPermission(\r
+ long companyId, String name, String primKey, long ownerId,\r
+ String actionId) {\r
+\r
+ if (ownerId != getUserId()) {\r
+ return false;\r
+ }\r
+\r
+ if (ownerId == defaultUserId) {\r
+ if (actionId.equals(ActionKeys.VIEW)) {\r
+ return true;\r
+ }\r
+ else {\r
+ return false;\r
+ }\r
+ }\r
+\r
+ try {\r
+ if (PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 6) {\r
+ if (ResourceBlockLocalServiceUtil.isSupported(name)) {\r
+ PermissionedModel permissionedModel =\r
+ ResourceBlockLocalServiceUtil.getPermissionedModel(\r
+ name, GetterUtil.getLong(primKey));\r
+\r
+ long groupId = 0;\r
+\r
+ if (permissionedModel instanceof GroupedModel) {\r
+ GroupedModel groupedModel =\r
+ (GroupedModel)permissionedModel;\r
+\r
+ groupId = groupedModel.getGroupId();\r
+ }\r
+\r
+ ResourceBlockIdsBag resourceBlockIdsBag =\r
+ getOwnerResourceBlockIdsBag(companyId, groupId, name);\r
+\r
+ return ResourceBlockLocalServiceUtil.hasPermission(\r
+ name, permissionedModel, actionId, resourceBlockIdsBag);\r
+ }\r
+\r
+ return ResourcePermissionLocalServiceUtil.hasResourcePermission(\r
+ companyId, name, ResourceConstants.SCOPE_INDIVIDUAL,\r
+ primKey, getOwnerRoleId(), actionId);\r
+ }\r
+\r
+ ResourceActionsUtil.checkAction(name, actionId);\r
+\r
+ Resource resource = ResourceLocalServiceUtil.getResource(\r
+ companyId, name, ResourceConstants.SCOPE_INDIVIDUAL, primKey);\r
+\r
+ List<Permission> permissions =\r
+ PermissionLocalServiceUtil.getRolePermissions(\r
+ getOwnerRoleId(), resource.getResourceId());\r
+\r
+ int pos = Collections.binarySearch(\r
+ permissions, actionId, new PermissionActionIdComparator());\r
+\r
+ if (pos >= 0) {\r
+ return true;\r
+ }\r
+ }\r
+ catch (Exception e) {\r
+ if (_log.isDebugEnabled()) {\r
+ _log.debug(e, e);\r
+ }\r
+ }\r
+\r
+ return false;\r
+ }\r
+\r
+ public boolean hasPermission(\r
+ long groupId, String name, String primKey, String actionId) {\r
+\r
+ StopWatch stopWatch = null;\r
+\r
+ if (_log.isDebugEnabled()) {\r
+ stopWatch = new StopWatch();\r
+\r
+ stopWatch.start();\r
+ }\r
+\r
+ Group group = null;\r
+\r
+ // If the current group is a staging group, check the live group. If the\r
+ // current group is a scope group for a layout, check the original\r
+ // group.\r
+\r
+ try {\r
+ if (groupId > 0) {\r
+ group = GroupLocalServiceUtil.getGroup(groupId);\r
+\r
+ if (group.isUser() && (group.getClassPK() == getUserId())) {\r
+ group = GroupLocalServiceUtil.getGroup(\r
+ getCompanyId(), GroupConstants.USER_PERSONAL_SITE);\r
+\r
+ groupId = group.getGroupId();\r
+ }\r
+\r
+ if (group.isLayout()) {\r
+ Layout layout = LayoutLocalServiceUtil.getLayout(\r
+ group.getClassPK());\r
+\r
+ groupId = layout.getGroupId();\r
+\r
+ group = GroupLocalServiceUtil.getGroup(groupId);\r
+ }\r
+\r
+ if (group.isStagingGroup()) {\r
+ if (primKey.equals(String.valueOf(groupId))) {\r
+ primKey = String.valueOf(group.getLiveGroupId());\r
+ }\r
+\r
+ groupId = group.getLiveGroupId();\r
+ group = group.getLiveGroup();\r
+ }\r
+ }\r
+ }\r
+ catch (Exception e) {\r
+ _log.error(e, e);\r
+ }\r
+\r
+ Boolean value = PermissionCacheUtil.getPermission(\r
+ user.getUserId(), signedIn, checkGuest, groupId, name, primKey,\r
+ actionId);\r
+\r
+ if (value == null) {\r
+ try {\r
+ value = Boolean.valueOf(\r
+ hasPermissionImpl(groupId, name, primKey, actionId));\r
+\r
+ if (_log.isDebugEnabled()) {\r
+ _log.debug(\r
+ "Checking permission for " + groupId + " " + name +\r
+ " " + primKey + " " + actionId + " takes " +\r
+ stopWatch.getTime() + " ms");\r
+ }\r
+ }\r
+ finally {\r
+ if (value == null) {\r
+ value = Boolean.FALSE;\r
+ }\r
+\r
+ PermissionCacheUtil.putPermission(\r
+ user.getUserId(), signedIn, checkGuest, groupId, name,\r
+ primKey, actionId, value);\r
+ }\r
+ }\r
+\r
+ return value.booleanValue();\r
+ }\r
+\r
+ public boolean hasUserPermission(\r
+ long groupId, String name, String primKey, String actionId,\r
+ boolean checkAdmin) {\r
+\r
+ try {\r
+ return hasUserPermissionImpl(\r
+ groupId, name, primKey, actionId, checkAdmin);\r
+ }\r
+ catch (Exception e) {\r
+ _log.error(e, e);\r
+\r
+ return false;\r
+ }\r
+ }\r
+\r
+ public boolean isCompanyAdmin() {\r
+ try {\r
+ return isCompanyAdminImpl();\r
+ }\r
+ catch (Exception e) {\r
+ _log.error(e, e);\r
+\r
+ return false;\r
+ }\r
+ }\r
+\r
+ public boolean isCompanyAdmin(long companyId) {\r
+ try {\r
+ return isCompanyAdminImpl(companyId);\r
+ }\r
+ catch (Exception e) {\r
+ _log.error(e, e);\r
+\r
+ return false;\r
+ }\r
+ }\r
+\r
+ public boolean isGroupAdmin(long groupId) {\r
+ try {\r
+ return isGroupAdminImpl(groupId);\r
+ }\r
+ catch (Exception e) {\r
+ _log.error(e, e);\r
+\r
+ return false;\r
+ }\r
+ }\r
+\r
+ public boolean isGroupMember(long groupId) {\r
+ try {\r
+ return isGroupMemberImpl(groupId);\r
+ }\r
+ catch (Exception e) {\r
+ _log.error(e, e);\r
+\r
+ return false;\r
+ }\r
+ }\r
+\r
+ public boolean isGroupOwner(long groupId) {\r
+ try {\r
+ return isGroupOwnerImpl(groupId);\r
+ }\r
+ catch (Exception e) {\r
+ _log.error(e, e);\r
+\r
+ return false;\r
+ }\r
+ }\r
+\r
+ public boolean isOrganizationAdmin(long organizationId) {\r
+ try {\r
+ return isOrganizationAdminImpl(organizationId);\r
+ }\r
+ catch (Exception e) {\r
+ _log.error(e, e);\r
+\r
+ return false;\r
+ }\r
+ }\r
+\r
+ protected void addTeamRoles(long userId, Group group, List<Role> roles)\r
+ throws Exception {\r
+\r
+ if ((PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 5) ||\r
+ (PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 6)) {\r
+\r
+ List<Team> userTeams = TeamLocalServiceUtil.getUserTeams(\r
+ userId, group.getGroupId());\r
+\r
+ for (Team team : userTeams) {\r
+ Role role = RoleLocalServiceUtil.getTeamRole(\r
+ team.getCompanyId(), team.getTeamId());\r
+\r
+ roles.add(role);\r
+ }\r
+\r
+ LinkedHashMap<String, Object> teamParams =\r
+ new LinkedHashMap<String, Object>();\r
+\r
+ teamParams.put("usersUserGroups", userId);\r
+\r
+ List<Team> userGroupTeams = TeamLocalServiceUtil.search(\r
+ group.getGroupId(), null, null, teamParams, QueryUtil.ALL_POS,\r
+ QueryUtil.ALL_POS, null);\r
+\r
+ for (Team team : userGroupTeams) {\r
+ Role role = RoleLocalServiceUtil.getTeamRole(\r
+ team.getCompanyId(), team.getTeamId());\r
+\r
+ roles.add(role);\r
+ }\r
+ }\r
+ }\r
+\r
+ /**\r
+ * Returns representations of the resource at each scope level.\r
+ *\r
+ * <p>\r
+ * For example, if the class name and primary key of a blog entry were\r
+ * passed to this method, it would return a resource for the blog entry\r
+ * itself (individual scope), a resource representing all blog entries\r
+ * within its group (group scope), a resource standing for all blog entries\r
+ * within a group the user has a suitable role in (group-template scope),\r
+ * and a resource signifying all blog entries within the company (company\r
+ * scope).\r
+ * </p>\r
+ *\r
+ * @param companyId the primary key of the company\r
+ * @param groupId the primary key of the group containing the resource\r
+ * @param name the resource's name, which can be either a class name or a\r
+ * portlet ID\r
+ * @param primKey the primary key of the resource\r
+ * @param actionId unused\r
+ * @return representations of the resource at each scope level\r
+ * @throws Exception if an exception occurred\r
+ */\r
+ protected List<Resource> getResources(\r
+ long companyId, long groupId, String name, String primKey,\r
+ String actionId)\r
+ throws Exception {\r
+\r
+ // Individual\r
+\r
+ List<Resource> resources = new ArrayList<Resource>(4);\r
+\r
+ try {\r
+ Resource resource = ResourceLocalServiceUtil.getResource(\r
+ companyId, name, ResourceConstants.SCOPE_INDIVIDUAL, primKey);\r
+\r
+ resources.add(resource);\r
+ }\r
+ catch (NoSuchResourceException nsre) {\r
+ if (_log.isWarnEnabled()) {\r
+ _log.warn(\r
+ "Resource " + companyId + " " + name + " " +\r
+ ResourceConstants.SCOPE_INDIVIDUAL + " " + primKey +\r
+ " does not exist");\r
+ }\r
+ }\r
+\r
+ // Group\r
+\r
+ try {\r
+ if (groupId > 0) {\r
+ Resource resource = ResourceLocalServiceUtil.getResource(\r
+ companyId, name, ResourceConstants.SCOPE_GROUP,\r
+ String.valueOf(groupId));\r
+\r
+ resources.add(resource);\r
+ }\r
+ }\r
+ catch (NoSuchResourceException nsre) {\r
+ if (_log.isWarnEnabled()) {\r
+ _log.warn(\r
+ "Resource " + companyId + " " + name + " " +\r
+ ResourceConstants.SCOPE_GROUP + " " + groupId +\r
+ " does not exist");\r
+ }\r
+ }\r
+\r
+ // Group template\r
+\r
+ try {\r
+ if (signedIn && (groupId > 0)) {\r
+ Resource resource = ResourceLocalServiceUtil.getResource(\r
+ companyId, name, ResourceConstants.SCOPE_GROUP_TEMPLATE,\r
+ String.valueOf(GroupConstants.DEFAULT_PARENT_GROUP_ID));\r
+\r
+ resources.add(resource);\r
+ }\r
+ }\r
+ catch (NoSuchResourceException nsre) {\r
+ if (_log.isWarnEnabled()) {\r
+ _log.warn(\r
+ "Resource " + companyId + " " + name + " " +\r
+ ResourceConstants.SCOPE_GROUP_TEMPLATE + " " +\r
+ GroupConstants.DEFAULT_PARENT_GROUP_ID +\r
+ " does not exist");\r
+ }\r
+ }\r
+\r
+ // Company\r
+\r
+ try {\r
+ Resource resource = ResourceLocalServiceUtil.getResource(\r
+ companyId, name, ResourceConstants.SCOPE_COMPANY,\r
+ String.valueOf(companyId));\r
+\r
+ resources.add(resource);\r
+ }\r
+ catch (NoSuchResourceException nsre) {\r
+ if (_log.isWarnEnabled()) {\r
+ _log.warn(\r
+ "Resource " + companyId + " " + name + " " +\r
+ ResourceConstants.SCOPE_COMPANY + " " + companyId +\r
+ " does not exist");\r
+ }\r
+ }\r
+\r
+ return resources;\r
+ }\r
+\r
+ /**\r
+ * Returns all of the organizations that the user is a member of, including\r
+ * their parent organizations.\r
+ *\r
+ * @param userId the primary key of the user\r
+ * @return all of the organizations that the user is a member of, including\r
+ * their parent organizations\r
+ * @throws Exception if a user with the primary key could not be found\r
+ */\r
+ protected List<Organization> getUserOrgs(long userId) throws Exception {\r
+ List<Organization> userOrgs =\r
+ OrganizationLocalServiceUtil.getUserOrganizations(userId);\r
+\r
+ if (userOrgs.size() == 0) {\r
+ return userOrgs;\r
+ }\r
+\r
+ List<Organization> organizations = new UniqueList<Organization>();\r
+\r
+ for (Organization organization : userOrgs) {\r
+ if (!organizations.contains(organization)) {\r
+ organizations.add(organization);\r
+\r
+ List<Organization> ancestorOrganizations =\r
+ OrganizationLocalServiceUtil.getParentOrganizations(\r
+ organization.getOrganizationId());\r
+\r
+ organizations.addAll(ancestorOrganizations);\r
+ }\r
+ }\r
+\r
+ return organizations;\r
+ }\r
+\r
+ protected boolean hasGuestPermission(\r
+ long groupId, String name, String primKey, String actionId)\r
+ throws Exception {\r
+\r
+ ResourceActionsUtil.checkAction(name, actionId);\r
+\r
+ if (name.indexOf(CharPool.PERIOD) != -1) {\r
+\r
+ // Check unsupported model actions\r
+\r
+ List<String> actions = ResourceActionsUtil.\r
+ getModelResourceGuestUnsupportedActions(name);\r
+\r
+ if (actions.contains(actionId)) {\r
+ return false;\r
+ }\r
+ }\r
+ else {\r
+\r
+ // Check unsupported portlet actions\r
+\r
+ List<String> actions = ResourceActionsUtil.\r
+ getPortletResourceGuestUnsupportedActions(name);\r
+\r
+ if (actions.contains(actionId)) {\r
+ return false;\r
+ }\r
+ }\r
+\r
+ long companyId = user.getCompanyId();\r
+\r
+ List<Resource> resources = getResources(\r
+ companyId, groupId, name, primKey, actionId);\r
+\r
+ PermissionCheckerBag bag = getGuestUserBag();\r
+\r
+ try {\r
+ if ((PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 6) &&\r
+ ResourceBlockLocalServiceUtil.isSupported(name)) {\r
+\r
+ ResourceBlockIdsBag resourceBlockIdsBag =\r
+ getGuestResourceBlockIdsBag(companyId, groupId, name);\r
+\r
+ return ResourceBlockLocalServiceUtil.hasPermission(\r
+ name, GetterUtil.getLong(primKey), actionId,\r
+ resourceBlockIdsBag);\r
+ }\r
+\r
+ return PermissionLocalServiceUtil.hasUserPermissions(\r
+ defaultUserId, groupId, resources, actionId, bag);\r
+ }\r
+ catch (Exception e) {\r
+ _log.error(e, e);\r
+\r
+ return false;\r
+ }\r
+ }\r
+\r
+ protected boolean hasPermissionImpl(\r
+ long groupId, String name, String primKey, String actionId) {\r
+\r
+ try {\r
+ if (!signedIn) {\r
+ return hasGuestPermission(groupId, name, primKey, actionId);\r
+ }\r
+\r
+ if ((PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 6) &&\r
+ ResourceBlockLocalServiceUtil.isSupported(name)) {\r
+\r
+ // It is not necessary to check guest permissions separately,\r
+ // as the user's resource block IDs bag will already have the\r
+ // guest permissions in it if checkGuest is true.\r
+\r
+ return hasUserPermission(\r
+ groupId, name, primKey, actionId, true);\r
+ }\r
+\r
+ boolean value = false;\r
+\r
+ if (checkGuest) {\r
+ value = hasGuestPermission(groupId, name, primKey, actionId);\r
+ }\r
+\r
+ if (!value) {\r
+ value = hasUserPermission(\r
+ groupId, name, primKey, actionId, true);\r
+ }\r
+\r
+ return value;\r
+ }\r
+ catch (Exception e) {\r
+ _log.error(e, e);\r
+\r
+ return false;\r
+ }\r
+ }\r
+\r
+ protected boolean hasUserPermissionImpl(\r
+ long groupId, String name, String primKey, String actionId,\r
+ boolean checkAdmin)\r
+ throws Exception {\r
+\r
+ StopWatch stopWatch = null;\r
+\r
+ if (_log.isDebugEnabled()) {\r
+ stopWatch = new StopWatch();\r
+\r
+ stopWatch.start();\r
+ }\r
+\r
+ long companyId = user.getCompanyId();\r
+\r
+ boolean hasLayoutManagerPermission = true;\r
+\r
+ // Check if the layout manager has permission to do this action for the\r
+ // current portlet\r
+\r
+ if (Validator.isNotNull(name) && Validator.isNotNull(primKey) &&\r
+ (primKey.indexOf(PortletConstants.LAYOUT_SEPARATOR) != -1)) {\r
+\r
+ hasLayoutManagerPermission =\r
+ PortletPermissionUtil.hasLayoutManagerPermission(\r
+ name, actionId);\r
+ }\r
+\r
+ if (checkAdmin) {\r
+ if (isCompanyAdminImpl(companyId)) {\r
+ return true;\r
+ }\r
+\r
+ if (name.equals(Organization.class.getName())) {\r
+ long organizationId = GetterUtil.getInteger(primKey);\r
+\r
+ if (isOrganizationAdminImpl(organizationId)) {\r
+ return true;\r
+ }\r
+ }\r
+ else if (isGroupAdminImpl(groupId) && hasLayoutManagerPermission) {\r
+ return true;\r
+ }\r
+ }\r
+\r
+ logHasUserPermission(groupId, name, primKey, actionId, stopWatch, 1);\r
+\r
+ if ((PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 6) &&\r
+ ResourceBlockLocalServiceUtil.isSupported(name)) {\r
+\r
+ ResourceBlockIdsBag resourceBlockIdsBag = getResourceBlockIdsBag(\r
+ companyId, groupId, getUserId(), name);\r
+\r
+ boolean value = ResourceBlockLocalServiceUtil.hasPermission(\r
+ name, GetterUtil.getLong(primKey), actionId,\r
+ resourceBlockIdsBag);\r
+\r
+ logHasUserPermission(\r
+ groupId, name, primKey, actionId, stopWatch, 2);\r
+\r
+ return value;\r
+ }\r
+\r
+ List<Resource> resources = getResources(\r
+ companyId, groupId, name, primKey, actionId);\r
+\r
+ logHasUserPermission(groupId, name, primKey, actionId, stopWatch, 3);\r
+\r
+ // Check if user has access to perform the action on the given\r
+ // resource scopes. The resources are scoped to check first for an\r
+ // individual class, then for the group that the class may belong\r
+ // to, and then for the company that the class belongs to.\r
+\r
+ PermissionCheckerBag bag = getUserBag(user.getUserId(), groupId);\r
+\r
+ boolean value = PermissionLocalServiceUtil.hasUserPermissions(\r
+ user.getUserId(), groupId, resources, actionId, bag);\r
+\r
+ logHasUserPermission(groupId, name, primKey, actionId, stopWatch, 4);\r
+\r
+ return value;\r
+ }\r
+\r
+ protected boolean isCompanyAdminImpl() throws Exception {\r
+ return isCompanyAdminImpl(user.getCompanyId());\r
+ }\r
+\r
+ protected boolean isCompanyAdminImpl(long companyId) throws Exception {\r
+ if (!signedIn) {\r
+ return false;\r
+ }\r
+\r
+ if (isOmniadmin()) {\r
+ return true;\r
+ }\r
+\r
+ Boolean value = companyAdmins.get(companyId);\r
+\r
+ if (value == null) {\r
+ boolean hasAdminRole = RoleLocalServiceUtil.hasUserRole(\r
+ user.getUserId(), companyId, RoleConstants.ADMINISTRATOR, true);\r
+\r
+ value = Boolean.valueOf(hasAdminRole);\r
+\r
+ companyAdmins.put(companyId, value);\r
+ }\r
+\r
+ return value.booleanValue();\r
+ }\r
+\r
+ protected boolean isGroupAdminImpl(long groupId) throws Exception {\r
+ if (!signedIn) {\r
+ return false;\r
+ }\r
+\r
+ if (isOmniadmin()) {\r
+ return true;\r
+ }\r
+\r
+ if (groupId <= 0) {\r
+ return false;\r
+ }\r
+\r
+ Group group = GroupLocalServiceUtil.getGroup(groupId);\r
+\r
+ if (isCompanyAdmin(group.getCompanyId())) {\r
+ return true;\r
+ }\r
+\r
+ PermissionCheckerBag bag = getUserBag(user.getUserId(), groupId);\r
+\r
+ if (bag == null) {\r
+ _log.error("Bag should never be null");\r
+ }\r
+\r
+ if (bag.isGroupAdmin(this, group)) {\r
+ return true;\r
+ }\r
+ else {\r
+ return false;\r
+ }\r
+ }\r
+\r
+ protected boolean isGroupMemberImpl(long groupId) throws Exception {\r
+ if (!signedIn) {\r
+ return false;\r
+ }\r
+\r
+ if (groupId <= 0) {\r
+ return false;\r
+ }\r
+\r
+ Group group = GroupLocalServiceUtil.getGroup(groupId);\r
+\r
+ PermissionCheckerBag bag = getUserBag(user.getUserId(), groupId);\r
+\r
+ if (bag == null) {\r
+ _log.error("Bag should never be null");\r
+ }\r
+\r
+ if (bag.isGroupMember(this, group)) {\r
+ return true;\r
+ }\r
+ else {\r
+ return false;\r
+ }\r
+ }\r
+\r
+ protected boolean isGroupOwnerImpl(long groupId) throws Exception {\r
+ if (!signedIn) {\r
+ return false;\r
+ }\r
+\r
+ if (isOmniadmin()) {\r
+ return true;\r
+ }\r
+\r
+ if (groupId <= 0) {\r
+ return false;\r
+ }\r
+\r
+ Group group = GroupLocalServiceUtil.getGroup(groupId);\r
+\r
+ if (isCompanyAdmin(group.getCompanyId())) {\r
+ return true;\r
+ }\r
+\r
+ PermissionCheckerBag bag = getUserBag(user.getUserId(), groupId);\r
+\r
+ if (bag == null) {\r
+ _log.error("Bag should never be null");\r
+ }\r
+\r
+ if (bag.isGroupOwner(this, group)) {\r
+ return true;\r
+ }\r
+ else {\r
+ return false;\r
+ }\r
+ }\r
+\r
+ protected boolean isOrganizationAdminImpl(long organizationId)\r
+ throws Exception {\r
+\r
+ if (!signedIn) {\r
+ return false;\r
+ }\r
+\r
+ if (isOmniadmin()) {\r
+ return true;\r
+ }\r
+\r
+ if (organizationId <= 0) {\r
+ return false;\r
+ }\r
+\r
+ Organization organization =\r
+ OrganizationLocalServiceUtil.fetchOrganization(organizationId);\r
+\r
+ if (organization == null) {\r
+ return false;\r
+ }\r
+\r
+ if (isCompanyAdmin(organization.getCompanyId())) {\r
+ return true;\r
+ }\r
+\r
+ PermissionCheckerBag bag = getUserBag(\r
+ user.getUserId(), organization.getGroupId());\r
+\r
+ if (bag == null) {\r
+ _log.error("Bag should never be null");\r
+ }\r
+\r
+ if (bag.isOrganizationAdmin(this, organization)) {\r
+ return true;\r
+ }\r
+ else {\r
+ return false;\r
+ }\r
+ }\r
+\r
+ protected void logHasUserPermission(\r
+ long groupId, String name, String primKey, String actionId,\r
+ StopWatch stopWatch, int block) {\r
+\r
+ if (!_log.isDebugEnabled()) {\r
+ return;\r
+ }\r
+\r
+ _log.debug(\r
+ "Checking user permission block " + block + " for " + groupId +\r
+ " " + name + " " + primKey + " " + actionId + " takes " +\r
+ stopWatch.getTime() + " ms");\r
+ }\r
+\r
+ /**\r
+ * @deprecated\r
+ */\r
+ protected static final String RESULTS_SEPARATOR = "_RESULTS_SEPARATOR_";\r
+\r
+ protected Map<Long, Boolean> companyAdmins = new HashMap<Long, Boolean>();\r
+\r
+ private static Log _log = LogFactoryUtil.getLog(\r
+ AdvancedPermissionChecker.class);\r
+\r
+}
\ No newline at end of file
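Review bot: The "MIGRATION MODIFICATION" block in getUserBag grants more than the COMMUNITY_VISITOR role it names: `userGroups.add(group);` places a site the user is not a member of into userGroups, so the later `group.isSite() && (userGroups.contains(group) || ...)` branch also adds SITE_MEMBER, `addTeamRoles(userId, group, roles)` runs for that site, and the bag built from userGroups will presumably report the user as a member to isGroupMemberImpl — confirm that widening is intended for politic==2 sites. If only the visitor role is wanted, leave userGroups alone and keep just the flag, i.e. replace the two lines with `hackIntranetGrp = true;` alone, or exclude the hacked group from the site-member test with `(userGroups.contains(group) && !hackIntranetGrp) || userOrgGroups.contains(group)`. The surrounding `catch (Exception exc)` with its commented-out log also swallows SystemException together with the expected not-found case; a `_log.debug(exc, exc)` keeps the best-effort lookup observable. Separately, the finally blocks of getGuestResourceBlockIdsBag, getOwnerResourceBlockIdsBag and getResourceBlockIdsBag pass the user id and groupId to putResourceBlockIdsBag in the opposite order from the put inside the try block, so the empty-bag fallback is cached under a different key than the one read at the top of each method.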