001    /**
002     * Copyright (c) 2000-2013 Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.service.permission;
016    
017    import com.liferay.portal.kernel.exception.PortalException;
018    import com.liferay.portal.kernel.exception.SystemException;
019    import com.liferay.portal.kernel.log.Log;
020    import com.liferay.portal.kernel.log.LogFactoryUtil;
021    import com.liferay.portal.model.Contact;
022    import com.liferay.portal.model.Group;
023    import com.liferay.portal.model.Organization;
024    import com.liferay.portal.model.ResourceConstants;
025    import com.liferay.portal.model.Role;
026    import com.liferay.portal.model.RoleConstants;
027    import com.liferay.portal.model.User;
028    import com.liferay.portal.security.auth.PrincipalException;
029    import com.liferay.portal.security.permission.ActionKeys;
030    import com.liferay.portal.security.permission.PermissionChecker;
031    import com.liferay.portal.service.OrganizationLocalServiceUtil;
032    import com.liferay.portal.service.RoleLocalServiceUtil;
033    import com.liferay.portal.service.UserGroupRoleLocalServiceUtil;
034    import com.liferay.portal.service.UserLocalServiceUtil;
035    import com.liferay.portal.util.PortalUtil;
036    import com.liferay.portal.util.PropsValues;
037    
038    /**
039     * @author Charles May
040     * @author Jorge Ferrer
041     */
042    public class UserPermissionImpl implements UserPermission {
043    
044            /**
045             * @deprecated Replaced by {@link #check(PermissionChecker, long, long[],
046             *             String)}
047             */
048            @Override
049            public void check(
050                            PermissionChecker permissionChecker, long userId,
051                            long organizationId, long locationId, String actionId)
052                    throws PrincipalException {
053    
054                    check(
055                            permissionChecker, userId, new long[] {organizationId, locationId},
056                            actionId);
057            }
058    
059            @Override
060            public void check(
061                            PermissionChecker permissionChecker, long userId,
062                            long[] organizationIds, String actionId)
063                    throws PrincipalException {
064    
065                    if (!contains(permissionChecker, userId, organizationIds, actionId)) {
066                            throw new PrincipalException();
067                    }
068            }
069    
070            @Override
071            public void check(
072                            PermissionChecker permissionChecker, long userId, String actionId)
073                    throws PrincipalException {
074    
075                    if (!contains(permissionChecker, userId, actionId)) {
076                            throw new PrincipalException();
077                    }
078            }
079    
080            /**
081             * @deprecated Replaced by {@link #contains(PermissionChecker, long, long[],
082             *             String)}
083             */
084            @Override
085            public boolean contains(
086                    PermissionChecker permissionChecker, long userId, long organizationId,
087                    long locationId, String actionId) {
088    
089                    return contains(
090                            permissionChecker, userId, new long[] {organizationId, locationId},
091                            actionId);
092            }
093    
094            @Override
095            public boolean contains(
096                    PermissionChecker permissionChecker, long userId,
097                    long[] organizationIds, String actionId) {
098    
099                    if ((actionId.equals(ActionKeys.DELETE) ||
100                             actionId.equals(ActionKeys.IMPERSONATE) ||
101                             actionId.equals(ActionKeys.PERMISSIONS) ||
102                             actionId.equals(ActionKeys.UPDATE)) &&
103                            PortalUtil.isOmniadmin(userId) &&
104                            !permissionChecker.isOmniadmin()) {
105    
106                            return false;
107                    }
108    
109                    try {
110                            User user = null;
111    
112                            if (userId != ResourceConstants.PRIMKEY_DNE) {
113                                    user = UserLocalServiceUtil.getUserById(userId);
114    
115                                    Contact contact = user.getContact();
116    
117                                    if ((((PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 5) ||
118                                              (PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 6)) &&
119                                             permissionChecker.hasOwnerPermission(
120                                                     permissionChecker.getCompanyId(), User.class.getName(),
121                                                     userId, contact.getUserId(), actionId)) ||
122                                            (permissionChecker.getUserId() == userId)) {
123    
124                                            return true;
125                                    }
126                            }
127    
128                            if (permissionChecker.hasPermission(
129                                            0, User.class.getName(), userId, actionId)) {
130    
131                                    return true;
132                            }
133    
134                            if (user == null) {
135                                    return false;
136                            }
137    
138                            if (organizationIds == null) {
139                                    organizationIds = user.getOrganizationIds();
140                            }
141    
142                            for (long organizationId : organizationIds) {
143                                    if (OrganizationPermissionUtil.contains(
144                                                    permissionChecker, organizationId,
145                                                    ActionKeys.MANAGE_USERS)) {
146    
147                                            if (permissionChecker.getUserId() == user.getUserId()) {
148                                                    return true;
149                                            }
150    
151                                            Organization organization =
152                                                    OrganizationLocalServiceUtil.getOrganization(
153                                                            organizationId);
154    
155                                            Group organizationGroup = organization.getGroup();
156    
157                                            // Organization administrators can only manage normal users.
158                                            // Owners can only manage normal users and administrators.
159    
160                                            if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
161                                                            user.getUserId(), organizationGroup.getGroupId(),
162                                                            RoleConstants.ORGANIZATION_OWNER, true)) {
163    
164                                                    continue;
165                                            }
166                                            else if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
167                                                                    user.getUserId(),
168                                                                    organizationGroup.getGroupId(),
169                                                                    RoleConstants.ORGANIZATION_ADMINISTRATOR,
170                                                                    true) &&
171                                                             !UserGroupRoleLocalServiceUtil.hasUserGroupRole(
172                                                                    permissionChecker.getUserId(),
173                                                                    organizationGroup.getGroupId(),
174                                                                    RoleConstants.ORGANIZATION_OWNER, true)) {
175    
176                                                    continue;
177                                            }
178    
179                                            return true;
180                                    }
181                            }
182                    }
183                    catch (Exception e) {
184                            _log.error(e, e);
185                    }
186    
187                    return false;
188            }
189    
190            @Override
191            public boolean contains(
192                    PermissionChecker permissionChecker, long userId, String actionId) {
193    
194                    return contains(permissionChecker, userId, null, actionId);
195            }
196    
197            @Override
198            public boolean hasMembershipProtected(
199                            PermissionChecker permissionChecker, Group group, Role role,
200                            User user)
201                    throws PortalException, SystemException {
202    
203                    if (role.getType() == RoleConstants.TYPE_ORGANIZATION) {
204                            Organization organization =
205                                    OrganizationLocalServiceUtil.getOrganization(
206                                            group.getClassPK());
207    
208                            return hasMembershipProtected(
209                                    permissionChecker, organization, role, user);
210                    }
211    
212                    if (permissionChecker.isGroupOwner(group.getGroupId())) {
213                            return false;
214                    }
215    
216                    String roleName = role.getName();
217    
218                    if (!roleName.equals(RoleConstants.SITE_ADMINISTRATOR) &&
219                            !roleName.equals(RoleConstants.SITE_OWNER)) {
220    
221                            return false;
222                    }
223    
224                    if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
225                                    user.getUserId(), group.getGroupId(), role.getRoleId())) {
226    
227                            return true;
228                    }
229    
230                    return false;
231            }
232    
233            @Override
234            public boolean hasMembershipProtected(
235                            PermissionChecker permissionChecker, Group group, User user)
236                    throws PortalException, SystemException {
237    
238                    if (permissionChecker.isGroupOwner(group.getGroupId())) {
239                            return false;
240                    }
241    
242                    Role siteAdministratorRole = RoleLocalServiceUtil.getRole(
243                            permissionChecker.getCompanyId(), RoleConstants.SITE_ADMINISTRATOR);
244    
245                    if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
246                                    user.getUserId(), group.getGroupId(),
247                                    siteAdministratorRole.getRoleId())) {
248    
249                            return true;
250                    }
251    
252                    Role siteOwnerRole = RoleLocalServiceUtil.getRole(
253                            permissionChecker.getCompanyId(), RoleConstants.SITE_OWNER);
254    
255                    if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
256                                    user.getUserId(), group.getGroupId(),
257                                    siteOwnerRole.getRoleId())) {
258    
259                            return true;
260                    }
261    
262                    return false;
263            }
264    
265            @Override
266            public boolean hasMembershipProtected(
267                            PermissionChecker permissionChecker, Organization organization,
268                            Role role, User user)
269                    throws SystemException {
270    
271                    Group group = organization.getGroup();
272    
273                    if (permissionChecker.isOrganizationOwner(group.getOrganizationId())) {
274                            return false;
275                    }
276    
277                    String roleName = role.getName();
278    
279                    if (!roleName.equals(RoleConstants.ORGANIZATION_ADMINISTRATOR) &&
280                            !roleName.equals(RoleConstants.ORGANIZATION_OWNER)) {
281    
282                            return false;
283                    }
284    
285                    if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
286                                    user.getUserId(), group.getGroupId(), role.getRoleId())) {
287    
288                            return true;
289                    }
290    
291                    return false;
292            }
293    
294            @Override
295            public boolean hasMembershipProtected(
296                            PermissionChecker permissionChecker, Organization organization,
297                            User user)
298                    throws PortalException, SystemException {
299    
300                    Group group = organization.getGroup();
301    
302                    if (permissionChecker.isOrganizationOwner(group.getOrganizationId())) {
303                            return false;
304                    }
305    
306                    Role organizationAdministratorRole = RoleLocalServiceUtil.getRole(
307                            permissionChecker.getCompanyId(),
308                            RoleConstants.ORGANIZATION_ADMINISTRATOR);
309    
310                    if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
311                                    user.getUserId(), group.getGroupId(),
312                                    organizationAdministratorRole.getRoleId())) {
313    
314                            return true;
315                    }
316    
317                    Role organizationOwnerRole = RoleLocalServiceUtil.getRole(
318                            permissionChecker.getCompanyId(), RoleConstants.ORGANIZATION_OWNER);
319    
320                    if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
321                                    user.getUserId(), group.getGroupId(),
322                                    organizationOwnerRole.getRoleId())) {
323    
324                            return true;
325                    }
326    
327                    return false;
328            }
329    
330            private static Log _log = LogFactoryUtil.getLog(UserPermissionImpl.class);
331    
332    }