001
014
015 package com.liferay.portal.service.permission;
016
017 import com.liferay.portal.kernel.exception.PortalException;
018 import com.liferay.portal.kernel.exception.SystemException;
019 import com.liferay.portal.kernel.log.Log;
020 import com.liferay.portal.kernel.log.LogFactoryUtil;
021 import com.liferay.portal.model.Contact;
022 import com.liferay.portal.model.Group;
023 import com.liferay.portal.model.Organization;
024 import com.liferay.portal.model.ResourceConstants;
025 import com.liferay.portal.model.Role;
026 import com.liferay.portal.model.RoleConstants;
027 import com.liferay.portal.model.User;
028 import com.liferay.portal.security.auth.PrincipalException;
029 import com.liferay.portal.security.permission.ActionKeys;
030 import com.liferay.portal.security.permission.PermissionChecker;
031 import com.liferay.portal.service.OrganizationLocalServiceUtil;
032 import com.liferay.portal.service.RoleLocalServiceUtil;
033 import com.liferay.portal.service.UserGroupRoleLocalServiceUtil;
034 import com.liferay.portal.service.UserLocalServiceUtil;
035 import com.liferay.portal.util.PortalUtil;
036 import com.liferay.portal.util.PropsValues;
037
038
042 public class UserPermissionImpl implements UserPermission {
043
044
048 @Override
049 public void check(
050 PermissionChecker permissionChecker, long userId,
051 long organizationId, long locationId, String actionId)
052 throws PrincipalException {
053
054 check(
055 permissionChecker, userId, new long[] {organizationId, locationId},
056 actionId);
057 }
058
059 @Override
060 public void check(
061 PermissionChecker permissionChecker, long userId,
062 long[] organizationIds, String actionId)
063 throws PrincipalException {
064
065 if (!contains(permissionChecker, userId, organizationIds, actionId)) {
066 throw new PrincipalException();
067 }
068 }
069
070 @Override
071 public void check(
072 PermissionChecker permissionChecker, long userId, String actionId)
073 throws PrincipalException {
074
075 if (!contains(permissionChecker, userId, actionId)) {
076 throw new PrincipalException();
077 }
078 }
079
080
084 @Override
085 public boolean contains(
086 PermissionChecker permissionChecker, long userId, long organizationId,
087 long locationId, String actionId) {
088
089 return contains(
090 permissionChecker, userId, new long[] {organizationId, locationId},
091 actionId);
092 }
093
094 @Override
095 public boolean contains(
096 PermissionChecker permissionChecker, long userId,
097 long[] organizationIds, String actionId) {
098
099 if ((actionId.equals(ActionKeys.DELETE) ||
100 actionId.equals(ActionKeys.IMPERSONATE) ||
101 actionId.equals(ActionKeys.PERMISSIONS) ||
102 actionId.equals(ActionKeys.UPDATE)) &&
103 PortalUtil.isOmniadmin(userId) &&
104 !permissionChecker.isOmniadmin()) {
105
106 return false;
107 }
108
109 try {
110 User user = null;
111
112 if (userId != ResourceConstants.PRIMKEY_DNE) {
113 user = UserLocalServiceUtil.getUserById(userId);
114
115 Contact contact = user.getContact();
116
117 if ((((PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 5) ||
118 (PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 6)) &&
119 permissionChecker.hasOwnerPermission(
120 permissionChecker.getCompanyId(), User.class.getName(),
121 userId, contact.getUserId(), actionId)) ||
122 (permissionChecker.getUserId() == userId)) {
123
124 return true;
125 }
126 }
127
128 if (permissionChecker.hasPermission(
129 0, User.class.getName(), userId, actionId)) {
130
131 return true;
132 }
133
134 if (user == null) {
135 return false;
136 }
137
138 if (organizationIds == null) {
139 organizationIds = user.getOrganizationIds();
140 }
141
142 for (long organizationId : organizationIds) {
143 if (OrganizationPermissionUtil.contains(
144 permissionChecker, organizationId,
145 ActionKeys.MANAGE_USERS)) {
146
147 if (permissionChecker.getUserId() == user.getUserId()) {
148 return true;
149 }
150
151 Organization organization =
152 OrganizationLocalServiceUtil.getOrganization(
153 organizationId);
154
155 Group organizationGroup = organization.getGroup();
156
157
158
159
160 if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
161 user.getUserId(), organizationGroup.getGroupId(),
162 RoleConstants.ORGANIZATION_OWNER, true)) {
163
164 continue;
165 }
166 else if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
167 user.getUserId(),
168 organizationGroup.getGroupId(),
169 RoleConstants.ORGANIZATION_ADMINISTRATOR,
170 true) &&
171 !UserGroupRoleLocalServiceUtil.hasUserGroupRole(
172 permissionChecker.getUserId(),
173 organizationGroup.getGroupId(),
174 RoleConstants.ORGANIZATION_OWNER, true)) {
175
176 continue;
177 }
178
179 return true;
180 }
181 }
182 }
183 catch (Exception e) {
184 _log.error(e, e);
185 }
186
187 return false;
188 }
189
190 @Override
191 public boolean contains(
192 PermissionChecker permissionChecker, long userId, String actionId) {
193
194 return contains(permissionChecker, userId, null, actionId);
195 }
196
197 @Override
198 public boolean hasMembershipProtected(
199 PermissionChecker permissionChecker, Group group, Role role,
200 User user)
201 throws PortalException, SystemException {
202
203 if (role.getType() == RoleConstants.TYPE_ORGANIZATION) {
204 Organization organization =
205 OrganizationLocalServiceUtil.getOrganization(
206 group.getClassPK());
207
208 return hasMembershipProtected(
209 permissionChecker, organization, role, user);
210 }
211
212 if (permissionChecker.isGroupOwner(group.getGroupId())) {
213 return false;
214 }
215
216 String roleName = role.getName();
217
218 if (!roleName.equals(RoleConstants.SITE_ADMINISTRATOR) &&
219 !roleName.equals(RoleConstants.SITE_OWNER)) {
220
221 return false;
222 }
223
224 if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
225 user.getUserId(), group.getGroupId(), role.getRoleId())) {
226
227 return true;
228 }
229
230 return false;
231 }
232
233 @Override
234 public boolean hasMembershipProtected(
235 PermissionChecker permissionChecker, Group group, User user)
236 throws PortalException, SystemException {
237
238 if (permissionChecker.isGroupOwner(group.getGroupId())) {
239 return false;
240 }
241
242 Role siteAdministratorRole = RoleLocalServiceUtil.getRole(
243 permissionChecker.getCompanyId(), RoleConstants.SITE_ADMINISTRATOR);
244
245 if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
246 user.getUserId(), group.getGroupId(),
247 siteAdministratorRole.getRoleId())) {
248
249 return true;
250 }
251
252 Role siteOwnerRole = RoleLocalServiceUtil.getRole(
253 permissionChecker.getCompanyId(), RoleConstants.SITE_OWNER);
254
255 if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
256 user.getUserId(), group.getGroupId(),
257 siteOwnerRole.getRoleId())) {
258
259 return true;
260 }
261
262 return false;
263 }
264
265 @Override
266 public boolean hasMembershipProtected(
267 PermissionChecker permissionChecker, Organization organization,
268 Role role, User user)
269 throws SystemException {
270
271 Group group = organization.getGroup();
272
273 if (permissionChecker.isOrganizationOwner(group.getOrganizationId())) {
274 return false;
275 }
276
277 String roleName = role.getName();
278
279 if (!roleName.equals(RoleConstants.ORGANIZATION_ADMINISTRATOR) &&
280 !roleName.equals(RoleConstants.ORGANIZATION_OWNER)) {
281
282 return false;
283 }
284
285 if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
286 user.getUserId(), group.getGroupId(), role.getRoleId())) {
287
288 return true;
289 }
290
291 return false;
292 }
293
294 @Override
295 public boolean hasMembershipProtected(
296 PermissionChecker permissionChecker, Organization organization,
297 User user)
298 throws PortalException, SystemException {
299
300 Group group = organization.getGroup();
301
302 if (permissionChecker.isOrganizationOwner(group.getOrganizationId())) {
303 return false;
304 }
305
306 Role organizationAdministratorRole = RoleLocalServiceUtil.getRole(
307 permissionChecker.getCompanyId(),
308 RoleConstants.ORGANIZATION_ADMINISTRATOR);
309
310 if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
311 user.getUserId(), group.getGroupId(),
312 organizationAdministratorRole.getRoleId())) {
313
314 return true;
315 }
316
317 Role organizationOwnerRole = RoleLocalServiceUtil.getRole(
318 permissionChecker.getCompanyId(), RoleConstants.ORGANIZATION_OWNER);
319
320 if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
321 user.getUserId(), group.getGroupId(),
322 organizationOwnerRole.getRoleId())) {
323
324 return true;
325 }
326
327 return false;
328 }
329
330 private static Log _log = LogFactoryUtil.getLog(UserPermissionImpl.class);
331
332 }