001    /**
002     * Copyright (c) 2000-2012 Liferay, Inc. All rights reserved.
003     *
004     * The contents of this file are subject to the terms of the Liferay Enterprise
005     * Subscription License ("License"). You may not use this file except in
006     * compliance with the License. You can obtain a copy of the License by
007     * contacting Liferay, Inc. See the License for the specific language governing
008     * permissions and limitations under the License, including but not limited to
009     * distribution rights of the Software.
010     *
011     *
012     *
013     */
014    
015    package com.liferay.portal.security.permission;
016    
017    import com.liferay.portal.NoSuchResourceException;
018    import com.liferay.portal.kernel.dao.orm.QueryUtil;
019    import com.liferay.portal.kernel.exception.SystemException;
020    import com.liferay.portal.kernel.log.Log;
021    import com.liferay.portal.kernel.log.LogFactoryUtil;
022    import com.liferay.portal.kernel.util.ArrayUtil;
023    import com.liferay.portal.kernel.util.CharPool;
024    import com.liferay.portal.kernel.util.GetterUtil;
025    import com.liferay.portal.kernel.util.SetUtil;
026    import com.liferay.portal.kernel.util.UniqueList;
027    import com.liferay.portal.kernel.util.Validator;
028    import com.liferay.portal.model.Group;
029    import com.liferay.portal.model.GroupConstants;
030    import com.liferay.portal.model.GroupedModel;
031    import com.liferay.portal.model.Layout;
032    import com.liferay.portal.model.Organization;
033    import com.liferay.portal.model.Permission;
034    import com.liferay.portal.model.PermissionedModel;
035    import com.liferay.portal.model.PortletConstants;
036    import com.liferay.portal.model.Resource;
037    import com.liferay.portal.model.ResourceBlockConstants;
038    import com.liferay.portal.model.ResourceConstants;
039    import com.liferay.portal.model.Role;
040    import com.liferay.portal.model.RoleConstants;
041    import com.liferay.portal.model.Team;
042    import com.liferay.portal.model.UserGroup;
043    import com.liferay.portal.security.permission.comparator.PermissionActionIdComparator;
044    import com.liferay.portal.service.GroupLocalServiceUtil;
045    import com.liferay.portal.service.LayoutLocalServiceUtil;
046    import com.liferay.portal.service.OrganizationLocalServiceUtil;
047    import com.liferay.portal.service.PermissionLocalServiceUtil;
048    import com.liferay.portal.service.ResourceBlockLocalServiceUtil;
049    import com.liferay.portal.service.ResourceLocalServiceUtil;
050    import com.liferay.portal.service.ResourcePermissionLocalServiceUtil;
051    import com.liferay.portal.service.RoleLocalServiceUtil;
052    import com.liferay.portal.service.TeamLocalServiceUtil;
053    import com.liferay.portal.service.UserGroupLocalServiceUtil;
054    import com.liferay.portal.service.permission.PortletPermissionUtil;
055    import com.liferay.portal.util.PropsValues;
056    
057    import java.util.ArrayList;
058    import java.util.Collections;
059    import java.util.HashMap;
060    import java.util.LinkedHashMap;
061    import java.util.List;
062    import java.util.Map;
063    import java.util.Set;
064    
065    import org.apache.commons.lang.time.StopWatch;
066    
067    /**
068     * @author Charles May
069     * @author Brian Wing Shun Chan
070     * @author Raymond Augé
071     * @author Wesley Gong
072     * @author Connor McKay
073     */
074    public class AdvancedPermissionChecker extends BasePermissionChecker {
075    
076            @Override
077            public AdvancedPermissionChecker clone() {
078                    return new AdvancedPermissionChecker();
079            }
080    
081            @Override
082            public List<Long> getGuestResourceBlockIds(
083                    long companyId, long groupId, String name, String actionId) {
084    
085                    try {
086                            ResourceBlockIdsBag resourceBlockIdsBag =
087                                    getGuestResourceBlockIdsBag(companyId, groupId, name);
088    
089                            return ResourceBlockLocalServiceUtil.getResourceBlockIds(
090                                    resourceBlockIdsBag, name, actionId);
091                    }
092                    catch (Exception e) {
093                    }
094    
095                    return Collections.emptyList();
096            }
097    
098            public ResourceBlockIdsBag getGuestResourceBlockIdsBag(
099                            long companyId, long groupId, String name)
100                    throws Exception {
101    
102                    // checkGuest is irrelevant for the guest role, so it is assumed true
103    
104                    ResourceBlockIdsBag resourceBlockIdsBag =
105                            PermissionCacheUtil.getResourceBlockIdsBag(
106                                    companyId, groupId, defaultUserId, name, true);
107    
108                    if (resourceBlockIdsBag != null) {
109                            return resourceBlockIdsBag;
110                    }
111    
112                    try {
113                            PermissionCheckerBag bag = getGuestUserBag();
114    
115                            long[] roleIds = bag.getRoleIds();
116    
117                            resourceBlockIdsBag =
118                                    ResourceBlockLocalServiceUtil.getResourceBlockIdsBag(
119                                            getCompanyId(), groupId, name, roleIds);
120    
121                            PermissionCacheUtil.putResourceBlockIdsBag(
122                                    companyId, groupId, defaultUserId, name, true,
123                                    resourceBlockIdsBag);
124    
125                            return resourceBlockIdsBag;
126                    }
127                    finally {
128                            if (resourceBlockIdsBag == null) {
129                                    resourceBlockIdsBag = new ResourceBlockIdsBag();
130                            }
131    
132                            PermissionCacheUtil.putResourceBlockIdsBag(
133                                    companyId, defaultUserId, groupId, name, true,
134                                    resourceBlockIdsBag);
135                    }
136            }
137    
138            /**
139             * Returns the permission checker bag for the guest user.
140             *
141             * @return the permission checker bag for the guest user
142             * @throws Exception if an exception occurred
143             */
144            public PermissionCheckerBag getGuestUserBag() throws Exception {
145                    Group guestGroup = GroupLocalServiceUtil.getGroup(
146                            getCompanyId(), GroupConstants.GUEST);
147    
148                    PermissionCheckerBag bag = PermissionCacheUtil.getBag(
149                            defaultUserId, guestGroup.getGroupId());
150    
151                    if (bag == null) {
152                            try {
153                                    List<Group> groups = new ArrayList<Group>();
154    
155                                    groups.add(guestGroup);
156    
157                                    List<Role> roles = RoleLocalServiceUtil.getUserRelatedRoles(
158                                            defaultUserId, groups);
159    
160                                    bag = new PermissionCheckerBagImpl(
161                                            defaultUserId, new ArrayList<Group>(),
162                                            new ArrayList<Organization>(), new ArrayList<Group>(),
163                                            new ArrayList<Group>(), groups, roles);
164                            }
165                            finally {
166                                    if (bag == null) {
167                                            bag = new PermissionCheckerBagImpl(
168                                                    defaultUserId, new ArrayList<Group>(),
169                                                    new ArrayList<Organization>(), new ArrayList<Group>(),
170                                                    new ArrayList<Group>(), new ArrayList<Group>(),
171                                                    new ArrayList<Role>());
172                                    }
173    
174                                    PermissionCacheUtil.putBag(
175                                            defaultUserId, guestGroup.getGroupId(), bag);
176                            }
177                    }
178    
179                    return bag;
180            }
181    
182            @Override
183            public List<Long> getOwnerResourceBlockIds(
184                    long companyId, long groupId, String name, String actionId) {
185    
186                    try {
187                            ResourceBlockIdsBag resourceBlockIdsBag =
188                                    getOwnerResourceBlockIdsBag(companyId, groupId, name);
189    
190                            return ResourceBlockLocalServiceUtil.getResourceBlockIds(
191                                    resourceBlockIdsBag, name, actionId);
192                    }
193                    catch (Exception e) {
194                    }
195    
196                    return Collections.emptyList();
197            }
198    
199            public ResourceBlockIdsBag getOwnerResourceBlockIdsBag(
200                            long companyId, long groupId, String name)
201                    throws SystemException {
202    
203                    // checkGuest is irrelevant for the owner role, so it is assumed true
204    
205                    ResourceBlockIdsBag resourceBlockIdsBag =
206                            PermissionCacheUtil.getResourceBlockIdsBag(
207                                    companyId, groupId, ResourceBlockConstants.OWNER_USER_ID, name,
208                                    true);
209    
210                    if (resourceBlockIdsBag != null) {
211                            return resourceBlockIdsBag;
212                    }
213    
214                    try {
215                            long[] roleIds = {getOwnerRoleId()};
216    
217                            resourceBlockIdsBag =
218                                    ResourceBlockLocalServiceUtil.getResourceBlockIdsBag(
219                                            getCompanyId(), groupId, name, roleIds);
220    
221                            PermissionCacheUtil.putResourceBlockIdsBag(
222                                    companyId, groupId, ResourceBlockConstants.OWNER_USER_ID, name,
223                                    true, resourceBlockIdsBag);
224    
225                            return resourceBlockIdsBag;
226                    }
227                    finally {
228                            if (resourceBlockIdsBag == null) {
229                                    resourceBlockIdsBag = new ResourceBlockIdsBag();
230                            }
231    
232                            PermissionCacheUtil.putResourceBlockIdsBag(
233                                    companyId, ResourceBlockConstants.OWNER_USER_ID, groupId, name,
234                                    true, resourceBlockIdsBag);
235                    }
236            }
237    
238            @Override
239            public List<Long> getResourceBlockIds(
240                    long companyId, long groupId, long userId, String name,
241                    String actionId) {
242    
243                    try {
244                            ResourceBlockIdsBag resourceBlockIdsBag = getResourceBlockIdsBag(
245                                    companyId, groupId, userId, name);
246    
247                            return ResourceBlockLocalServiceUtil.getResourceBlockIds(
248                                    resourceBlockIdsBag, name, actionId);
249                    }
250                    catch (Exception e) {
251                    }
252    
253                    return Collections.emptyList();
254            }
255    
256            public ResourceBlockIdsBag getResourceBlockIdsBag(
257                            long companyId, long groupId, long userId, String name)
258                    throws Exception {
259    
260                    ResourceBlockIdsBag resourceBlockIdsBag =
261                            PermissionCacheUtil.getResourceBlockIdsBag(
262                                    companyId, groupId, userId, name, checkGuest);
263    
264                    if (resourceBlockIdsBag != null) {
265                            return resourceBlockIdsBag;
266                    }
267    
268                    try {
269                            long[] roleIds = getRoleIds(userId, groupId);
270    
271                            resourceBlockIdsBag =
272                                    ResourceBlockLocalServiceUtil.getResourceBlockIdsBag(
273                                            getCompanyId(), groupId, name, roleIds);
274    
275                            PermissionCacheUtil.putResourceBlockIdsBag(
276                                    companyId, groupId, userId, name, checkGuest,
277                                    resourceBlockIdsBag);
278    
279                            return resourceBlockIdsBag;
280                    }
281                    finally {
282                            if (resourceBlockIdsBag == null) {
283                                    resourceBlockIdsBag = new ResourceBlockIdsBag();
284                            }
285    
286                            PermissionCacheUtil.putResourceBlockIdsBag(
287                                    companyId, userId, groupId, name, checkGuest,
288                                    resourceBlockIdsBag);
289                    }
290            }
291    
292            @Override
293            public long[] getRoleIds(long userId, long groupId) {
294                    PermissionCheckerBag bag = null;
295    
296                    try {
297                            bag = getUserBag(userId, groupId);
298                    }
299                    catch (Exception e) {
300                    }
301    
302                    if (bag != null) {
303                            if (checkGuest) {
304                                    Set<Long> roleIds = SetUtil.fromArray(bag.getRoleIds());
305    
306                                    try {
307                                            PermissionCheckerBag guestBag = getGuestUserBag();
308    
309                                            if (guestBag != null) {
310                                                    for (long roleId : guestBag.getRoleIds()) {
311                                                            roleIds.add(roleId);
312                                                    }
313                                            }
314                                    }
315                                    catch (Exception e) {
316                                    }
317    
318                                    return ArrayUtil.toArray(
319                                            roleIds.toArray(new Long[roleIds.size()]));
320                            }
321                            else {
322                                    return bag.getRoleIds();
323                            }
324                    }
325    
326                    return PermissionChecker.DEFAULT_ROLE_IDS;
327            }
328    
329            /**
330             * Returns the permission checker bag for the user and group. Users can have
331             * different roles and permissions in different groups.
332             *
333             * @param  userId the primary key of the user
334             * @param  groupId the primary key of the group
335             * @return the permission checker bag for the user and group
336             * @throws Exception if a user or group with the primary key could not be
337             *         found
338             */
339            public PermissionCheckerBag getUserBag(long userId, long groupId)
340                    throws Exception {
341    
342                    PermissionCheckerBag bag = PermissionCacheUtil.getBag(userId, groupId);
343    
344                    if (bag != null) {
345                            return bag;
346                    }
347    
348                    try {
349                            Group group = null;
350    
351                            if (groupId > 0) {
352                                    group = GroupLocalServiceUtil.getGroup(groupId);
353    
354                                    if (group.isLayout()) {
355                                            long parentGroupId = group.getParentGroupId();
356    
357                                            if (parentGroupId > 0) {
358                                                    group = GroupLocalServiceUtil.getGroup(parentGroupId);
359                                            }
360                                    }
361                            }
362    
363                            List<Group> userGroups = GroupLocalServiceUtil.getUserGroups(
364                                    userId, true);
365    
366                            List<Organization> userOrgs = getUserOrgs(userId);
367    
368                            List<Group> userOrgGroups =
369                                    GroupLocalServiceUtil.getOrganizationsGroups(userOrgs);
370    
371                            List<UserGroup> userUserGroups =
372                                    UserGroupLocalServiceUtil.getUserUserGroups(userId);
373    
374                            List<Group> userUserGroupGroups =
375                                    GroupLocalServiceUtil.getUserGroupsGroups(userUserGroups);
376    
377                            List<Group> groups = new ArrayList<Group>(
378                                    userGroups.size() + userOrgGroups.size() +
379                                            userUserGroupGroups.size());
380    
381                            groups.addAll(userGroups);
382                            groups.addAll(userOrgGroups);
383                            groups.addAll(userUserGroupGroups);
384    
385                            List<Role> roles = new UniqueList<Role>();
386    
387                            if ((PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 3) ||
388                                    (PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 4) ||
389                                    (PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 5) ||
390                                    (PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 6)) {
391    
392                                    if (groups.size() > 0) {
393                                            List<Role> userRelatedRoles=
394                                                    RoleLocalServiceUtil.getUserRelatedRoles(
395                                                            userId, groups);
396    
397                                            roles.addAll(userRelatedRoles);
398                                    }
399                                    else {
400                                            roles.addAll(RoleLocalServiceUtil.getUserRoles(userId));
401                                    }
402    
403                                    List<Role> userGroupRoles =
404                                            RoleLocalServiceUtil.getUserGroupRoles(userId, groupId);
405    
406                                    roles.addAll(userGroupRoles);
407    
408                                    List<Role> userGroupGroupRoles =
409                                            RoleLocalServiceUtil.getUserGroupGroupRoles(
410                                                    userId, groupId);
411    
412                                    roles.addAll(userGroupGroupRoles);
413    
414                                    if (group != null) {
415                                            if (group.isOrganization() &&
416                                                    userOrgGroups.contains(group)) {
417    
418                                                    Role organizationUserRole =
419                                                            RoleLocalServiceUtil.getRole(
420                                                                    group.getCompanyId(),
421                                                                    RoleConstants.ORGANIZATION_USER);
422    
423                                                    roles.add(organizationUserRole);
424                                            }
425    
426                                            if (group.isSite() &&
427                                                    (userGroups.contains(group) ||
428                                                     userOrgGroups.contains(group))) {
429    
430                                                    Role siteMemberRole = RoleLocalServiceUtil.getRole(
431                                                            group.getCompanyId(), RoleConstants.SITE_MEMBER);
432    
433                                                    roles.add(siteMemberRole);
434                                            }
435    
436                                            if ((group.isOrganization() &&
437                                                     userOrgGroups.contains(group)) ||
438                                                    (group.isSite() && userGroups.contains(group))) {
439    
440                                                    addTeamRoles(userId, group, roles);
441                                            }
442                                    }
443                            }
444                            else {
445                                    roles = new ArrayList<Role>();
446                            }
447    
448                            bag = new PermissionCheckerBagImpl(
449                                    userId, userGroups, userOrgs, userOrgGroups,
450                                    userUserGroupGroups, groups, roles);
451    
452                            return bag;
453                    }
454                    finally {
455                            if (bag == null) {
456                                    bag = new PermissionCheckerBagImpl(
457                                            userId, new ArrayList<Group>(),
458                                            new ArrayList<Organization>(), new ArrayList<Group>(),
459                                            new ArrayList<Group>(), new ArrayList<Group>(),
460                                            new ArrayList<Role>());
461                            }
462    
463                            PermissionCacheUtil.putBag(userId, groupId, bag);
464                    }
465            }
466    
467            public boolean hasOwnerPermission(
468                    long companyId, String name, String primKey, long ownerId,
469                    String actionId) {
470    
471                    if (ownerId != getUserId()) {
472                            return false;
473                    }
474    
475                    if (ownerId == defaultUserId) {
476                            if (actionId.equals(ActionKeys.VIEW)) {
477                                    return true;
478                            }
479                            else {
480                                    return false;
481                            }
482                    }
483    
484                    try {
485                            if (PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 6) {
486                                    if (ResourceBlockLocalServiceUtil.isSupported(name)) {
487                                            PermissionedModel permissionedModel =
488                                                    ResourceBlockLocalServiceUtil.getPermissionedModel(
489                                                            name, GetterUtil.getLong(primKey));
490    
491                                            long groupId = 0;
492    
493                                            if (permissionedModel instanceof GroupedModel) {
494                                                    GroupedModel groupedModel =
495                                                            (GroupedModel)permissionedModel;
496    
497                                                    groupId = groupedModel.getGroupId();
498                                            }
499    
500                                            ResourceBlockIdsBag resourceBlockIdsBag =
501                                                    getOwnerResourceBlockIdsBag(companyId, groupId, name);
502    
503                                            return ResourceBlockLocalServiceUtil.hasPermission(
504                                                    name, permissionedModel, actionId, resourceBlockIdsBag);
505                                    }
506    
507                                    return ResourcePermissionLocalServiceUtil.hasResourcePermission(
508                                            companyId, name, ResourceConstants.SCOPE_INDIVIDUAL,
509                                            primKey, getOwnerRoleId(), actionId);
510                            }
511    
512                            ResourceActionsUtil.checkAction(name, actionId);
513    
514                            Resource resource = ResourceLocalServiceUtil.getResource(
515                                    companyId, name, ResourceConstants.SCOPE_INDIVIDUAL, primKey);
516    
517                            List<Permission> permissions =
518                                    PermissionLocalServiceUtil.getRolePermissions(
519                                            getOwnerRoleId(), resource.getResourceId());
520    
521                            int pos = Collections.binarySearch(
522                                    permissions, actionId, new PermissionActionIdComparator());
523    
524                            if (pos >= 0) {
525                                    return true;
526                            }
527                    }
528                    catch (Exception e) {
529                            if (_log.isDebugEnabled()) {
530                                    _log.debug(e, e);
531                            }
532                    }
533    
534                    return false;
535            }
536    
537            public boolean hasPermission(
538                    long groupId, String name, String primKey, String actionId) {
539    
540                    StopWatch stopWatch = null;
541    
542                    if (_log.isDebugEnabled()) {
543                            stopWatch = new StopWatch();
544    
545                            stopWatch.start();
546                    }
547    
548                    Group group = null;
549    
550                    // If the current group is a staging group, check the live group. If the
551                    // current group is a scope group for a layout, check the original
552                    // group.
553    
554                    try {
555                            if (groupId > 0) {
556                                    group = GroupLocalServiceUtil.getGroup(groupId);
557    
558                                    if (group.isUser() && (group.getClassPK() == getUserId())) {
559                                            group = GroupLocalServiceUtil.getGroup(
560                                                    getCompanyId(), GroupConstants.USER_PERSONAL_SITE);
561    
562                                            groupId = group.getGroupId();
563                                    }
564    
565                                    if (group.isLayout()) {
566                                            Layout layout = LayoutLocalServiceUtil.getLayout(
567                                                    group.getClassPK());
568    
569                                            groupId = layout.getGroupId();
570    
571                                            group = GroupLocalServiceUtil.getGroup(groupId);
572                                    }
573    
574                                    if (group.isStagingGroup()) {
575                                            if (primKey.equals(String.valueOf(groupId))) {
576                                                    primKey = String.valueOf(group.getLiveGroupId());
577                                            }
578    
579                                            groupId = group.getLiveGroupId();
580                                            group = group.getLiveGroup();
581                                    }
582                            }
583                    }
584                    catch (Exception e) {
585                            _log.error(e, e);
586                    }
587    
588                    Boolean value = PermissionCacheUtil.getPermission(
589                            user.getUserId(), signedIn, checkGuest, groupId, name, primKey,
590                            actionId);
591    
592                    if (value == null) {
593                            try {
594                                    value = Boolean.valueOf(
595                                            hasPermissionImpl(groupId, name, primKey, actionId));
596    
597                                    if (_log.isDebugEnabled()) {
598                                            _log.debug(
599                                                    "Checking permission for " + groupId + " " + name +
600                                                            " " + primKey + " " + actionId + " takes " +
601                                                                    stopWatch.getTime() + " ms");
602                                    }
603                            }
604                            finally {
605                                    if (value == null) {
606                                            value = Boolean.FALSE;
607                                    }
608    
609                                    PermissionCacheUtil.putPermission(
610                                            user.getUserId(), signedIn, checkGuest, groupId, name,
611                                            primKey, actionId, value);
612                            }
613                    }
614    
615                    return value.booleanValue();
616            }
617    
618            public boolean hasUserPermission(
619                    long groupId, String name, String primKey, String actionId,
620                    boolean checkAdmin) {
621    
622                    try {
623                            return hasUserPermissionImpl(
624                                    groupId, name, primKey, actionId, checkAdmin);
625                    }
626                    catch (Exception e) {
627                            _log.error(e, e);
628    
629                            return false;
630                    }
631            }
632    
633            public boolean isCompanyAdmin() {
634                    try {
635                            return isCompanyAdminImpl();
636                    }
637                    catch (Exception e) {
638                            _log.error(e, e);
639    
640                            return false;
641                    }
642            }
643    
644            public boolean isCompanyAdmin(long companyId) {
645                    try {
646                            return isCompanyAdminImpl(companyId);
647                    }
648                    catch (Exception e) {
649                            _log.error(e, e);
650    
651                            return false;
652                    }
653            }
654    
655            public boolean isGroupAdmin(long groupId) {
656                    try {
657                            return isGroupAdminImpl(groupId);
658                    }
659                    catch (Exception e) {
660                            _log.error(e, e);
661    
662                            return false;
663                    }
664            }
665    
666            public boolean isGroupMember(long groupId) {
667                    try {
668                            return isGroupMemberImpl(groupId);
669                    }
670                    catch (Exception e) {
671                            _log.error(e, e);
672    
673                            return false;
674                    }
675            }
676    
677            public boolean isGroupOwner(long groupId) {
678                    try {
679                            return isGroupOwnerImpl(groupId);
680                    }
681                    catch (Exception e) {
682                            _log.error(e, e);
683    
684                            return false;
685                    }
686            }
687    
688            public boolean isOrganizationAdmin(long organizationId) {
689                    try {
690                            return isOrganizationAdminImpl(organizationId);
691                    }
692                    catch (Exception e) {
693                            _log.error(e, e);
694    
695                            return false;
696                    }
697            }
698    
699            protected void addTeamRoles(long userId, Group group, List<Role> roles)
700                    throws Exception {
701    
702                    if ((PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 5) ||
703                            (PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 6)) {
704    
705                            List<Team> userTeams = TeamLocalServiceUtil.getUserTeams(
706                                    userId, group.getGroupId());
707    
708                            for (Team team : userTeams) {
709                                    Role role = RoleLocalServiceUtil.getTeamRole(
710                                            team.getCompanyId(), team.getTeamId());
711    
712                                    roles.add(role);
713                            }
714    
715                            LinkedHashMap<String, Object> teamParams =
716                                    new LinkedHashMap<String, Object>();
717    
718                            teamParams.put("usersUserGroups", userId);
719    
720                            List<Team> userGroupTeams = TeamLocalServiceUtil.search(
721                                    group.getGroupId(), null, null, teamParams, QueryUtil.ALL_POS,
722                                    QueryUtil.ALL_POS, null);
723    
724                            for (Team team : userGroupTeams) {
725                                    Role role = RoleLocalServiceUtil.getTeamRole(
726                                            team.getCompanyId(), team.getTeamId());
727    
728                                    roles.add(role);
729                            }
730                    }
731            }
732    
733            /**
734             * Returns representations of the resource at each scope level.
735             *
736             * <p>
737             * For example, if the class name and primary key of a blog entry were
738             * passed to this method, it would return a resource for the blog entry
739             * itself (individual scope), a resource representing all blog entries
740             * within its group (group scope), a resource standing for all blog entries
741             * within a group the user has a suitable role in (group-template scope),
742             * and a resource signifying all blog entries within the company (company
743             * scope).
744             * </p>
745             *
746             * @param  companyId the primary key of the company
747             * @param  groupId the primary key of the group containing the resource
748             * @param  name the resource's name, which can be either a class name or a
749             *         portlet ID
750             * @param  primKey the primary key of the resource
751             * @param  actionId unused
752             * @return representations of the resource at each scope level
753             * @throws Exception if an exception occurred
754             */
755            protected List<Resource> getResources(
756                            long companyId, long groupId, String name, String primKey,
757                            String actionId)
758                    throws Exception {
759    
760                    // Individual
761    
762                    List<Resource> resources = new ArrayList<Resource>(4);
763    
764                    try {
765                            Resource resource = ResourceLocalServiceUtil.getResource(
766                                    companyId, name, ResourceConstants.SCOPE_INDIVIDUAL, primKey);
767    
768                            resources.add(resource);
769                    }
770                    catch (NoSuchResourceException nsre) {
771                            if (_log.isWarnEnabled()) {
772                                    _log.warn(
773                                            "Resource " + companyId + " " + name + " " +
774                                                    ResourceConstants.SCOPE_INDIVIDUAL + " " + primKey +
775                                                            " does not exist");
776                            }
777                    }
778    
779                    // Group
780    
781                    try {
782                            if (groupId > 0) {
783                                    Resource resource = ResourceLocalServiceUtil.getResource(
784                                            companyId, name, ResourceConstants.SCOPE_GROUP,
785                                            String.valueOf(groupId));
786    
787                                    resources.add(resource);
788                            }
789                    }
790                    catch (NoSuchResourceException nsre) {
791                            if (_log.isWarnEnabled()) {
792                                    _log.warn(
793                                            "Resource " + companyId + " " + name + " " +
794                                                    ResourceConstants.SCOPE_GROUP + " " + groupId +
795                                                            " does not exist");
796                            }
797                    }
798    
799                    // Group template
800    
801                    try {
802                            if (signedIn && (groupId > 0)) {
803                                    Resource resource = ResourceLocalServiceUtil.getResource(
804                                            companyId, name, ResourceConstants.SCOPE_GROUP_TEMPLATE,
805                                            String.valueOf(GroupConstants.DEFAULT_PARENT_GROUP_ID));
806    
807                                    resources.add(resource);
808                            }
809                    }
810                    catch (NoSuchResourceException nsre) {
811                            if (_log.isWarnEnabled()) {
812                                    _log.warn(
813                                            "Resource " + companyId + " " + name + " " +
814                                                    ResourceConstants.SCOPE_GROUP_TEMPLATE + " " +
815                                                            GroupConstants.DEFAULT_PARENT_GROUP_ID +
816                                                                    " does not exist");
817                            }
818                    }
819    
820                    // Company
821    
822                    try {
823                            Resource resource = ResourceLocalServiceUtil.getResource(
824                                    companyId, name, ResourceConstants.SCOPE_COMPANY,
825                                    String.valueOf(companyId));
826    
827                            resources.add(resource);
828                    }
829                    catch (NoSuchResourceException nsre) {
830                            if (_log.isWarnEnabled()) {
831                                    _log.warn(
832                                            "Resource " + companyId + " " + name + " " +
833                                                    ResourceConstants.SCOPE_COMPANY + " " + companyId +
834                                                            " does not exist");
835                            }
836                    }
837    
838                    return resources;
839            }
840    
841            /**
842             * Returns all of the organizations that the user is a member of, including
843             * their parent organizations.
844             *
845             * @param  userId the primary key of the user
846             * @return all of the organizations that the user is a member of, including
847             *         their parent organizations
848             * @throws Exception if a user with the primary key could not be found
849             */
850            protected List<Organization> getUserOrgs(long userId) throws Exception {
851                    List<Organization> userOrgs =
852                            OrganizationLocalServiceUtil.getUserOrganizations(userId);
853    
854                    if (userOrgs.size() == 0) {
855                            return userOrgs;
856                    }
857    
858                    List<Organization> organizations = new UniqueList<Organization>();
859    
860                    for (Organization organization : userOrgs) {
861                            if (!organizations.contains(organization)) {
862                                    organizations.add(organization);
863    
864                                    List<Organization> ancestorOrganizations =
865                                            OrganizationLocalServiceUtil.getParentOrganizations(
866                                                    organization.getOrganizationId());
867    
868                                    organizations.addAll(ancestorOrganizations);
869                            }
870                    }
871    
872                    return organizations;
873            }
874    
875            protected boolean hasGuestPermission(
876                            long groupId, String name, String primKey, String actionId)
877                    throws Exception {
878    
879                    ResourceActionsUtil.checkAction(name, actionId);
880    
881                    if (name.indexOf(CharPool.PERIOD) != -1) {
882    
883                            // Check unsupported model actions
884    
885                            List<String> actions = ResourceActionsUtil.
886                                    getModelResourceGuestUnsupportedActions(name);
887    
888                            if (actions.contains(actionId)) {
889                                    return false;
890                            }
891                    }
892                    else {
893    
894                            // Check unsupported portlet actions
895    
896                            List<String> actions = ResourceActionsUtil.
897                                    getPortletResourceGuestUnsupportedActions(name);
898    
899                            if (actions.contains(actionId)) {
900                                    return false;
901                            }
902                    }
903    
904                    long companyId = user.getCompanyId();
905    
906                    List<Resource> resources = getResources(
907                            companyId, groupId, name, primKey, actionId);
908    
909                    PermissionCheckerBag bag = getGuestUserBag();
910    
911                    try {
912                            if ((PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 6) &&
913                                    ResourceBlockLocalServiceUtil.isSupported(name)) {
914    
915                                    ResourceBlockIdsBag resourceBlockIdsBag =
916                                            getGuestResourceBlockIdsBag(companyId, groupId, name);
917    
918                                    return ResourceBlockLocalServiceUtil.hasPermission(
919                                            name, GetterUtil.getLong(primKey), actionId,
920                                            resourceBlockIdsBag);
921                            }
922    
923                            return PermissionLocalServiceUtil.hasUserPermissions(
924                                    defaultUserId, groupId, resources, actionId, bag);
925                    }
926                    catch (Exception e) {
927                            _log.error(e, e);
928    
929                            return false;
930                    }
931            }
932    
933            protected boolean hasPermissionImpl(
934                    long groupId, String name, String primKey, String actionId) {
935    
936                    try {
937                            if (!signedIn) {
938                                    return hasGuestPermission(groupId, name, primKey, actionId);
939                            }
940    
941                            if ((PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 6) &&
942                                    ResourceBlockLocalServiceUtil.isSupported(name)) {
943    
944                                    // It is not necessary to check guest permissions separately,
945                                    // as the user's resource block IDs bag will already have the
946                                    // guest permissions in it if checkGuest is true.
947    
948                                    return hasUserPermission(
949                                            groupId, name, primKey, actionId, true);
950                            }
951    
952                            boolean value = false;
953    
954                            if (checkGuest) {
955                                    value = hasGuestPermission(groupId, name, primKey, actionId);
956                            }
957    
958                            if (!value) {
959                                    value = hasUserPermission(
960                                            groupId, name, primKey, actionId, true);
961                            }
962    
963                            return value;
964                    }
965                    catch (Exception e) {
966                            _log.error(e, e);
967    
968                            return false;
969                    }
970            }
971    
972            protected boolean hasUserPermissionImpl(
973                            long groupId, String name, String primKey, String actionId,
974                            boolean checkAdmin)
975                    throws Exception {
976    
977                    StopWatch stopWatch = null;
978    
979                    if (_log.isDebugEnabled()) {
980                            stopWatch = new StopWatch();
981    
982                            stopWatch.start();
983                    }
984    
985                    long companyId = user.getCompanyId();
986    
987                    boolean hasLayoutManagerPermission = true;
988    
989                    // Check if the layout manager has permission to do this action for the
990                    // current portlet
991    
992                    if (Validator.isNotNull(name) && Validator.isNotNull(primKey) &&
993                            (primKey.indexOf(PortletConstants.LAYOUT_SEPARATOR) != -1)) {
994    
995                            hasLayoutManagerPermission =
996                                    PortletPermissionUtil.hasLayoutManagerPermission(
997                                            name, actionId);
998                    }
999    
1000                    if (checkAdmin) {
1001                            if (isCompanyAdminImpl(companyId)) {
1002                                    return true;
1003                            }
1004    
1005                            if (name.equals(Organization.class.getName())) {
1006                                    long organizationId = GetterUtil.getInteger(primKey);
1007    
1008                                    if (isOrganizationAdminImpl(organizationId)) {
1009                                            return true;
1010                                    }
1011                            }
1012                            else if (isGroupAdminImpl(groupId) && hasLayoutManagerPermission) {
1013                                    return true;
1014                            }
1015                    }
1016    
1017                    logHasUserPermission(groupId, name, primKey, actionId, stopWatch, 1);
1018    
1019                    if ((PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 6) &&
1020                            ResourceBlockLocalServiceUtil.isSupported(name)) {
1021    
1022                            ResourceBlockIdsBag resourceBlockIdsBag = getResourceBlockIdsBag(
1023                                    companyId, groupId, getUserId(), name);
1024    
1025                            boolean value = ResourceBlockLocalServiceUtil.hasPermission(
1026                                    name, GetterUtil.getLong(primKey), actionId,
1027                                    resourceBlockIdsBag);
1028    
1029                            logHasUserPermission(
1030                                    groupId, name, primKey, actionId, stopWatch, 2);
1031    
1032                            return value;
1033                    }
1034    
1035                    List<Resource> resources = getResources(
1036                            companyId, groupId, name, primKey, actionId);
1037    
1038                    logHasUserPermission(groupId, name, primKey, actionId, stopWatch, 3);
1039    
1040                    // Check if user has access to perform the action on the given
1041                    // resource scopes. The resources are scoped to check first for an
1042                    // individual class, then for the group that the class may belong
1043                    // to, and then for the company that the class belongs to.
1044    
1045                    PermissionCheckerBag bag = getUserBag(user.getUserId(), groupId);
1046    
1047                    boolean value = PermissionLocalServiceUtil.hasUserPermissions(
1048                            user.getUserId(), groupId, resources, actionId, bag);
1049    
1050                    logHasUserPermission(groupId, name, primKey, actionId, stopWatch, 4);
1051    
1052                    return value;
1053            }
1054    
1055            protected boolean isCompanyAdminImpl() throws Exception {
1056                    return isCompanyAdminImpl(user.getCompanyId());
1057            }
1058    
1059            protected boolean isCompanyAdminImpl(long companyId) throws Exception {
1060                    if (!signedIn) {
1061                            return false;
1062                    }
1063    
1064                    if (isOmniadmin()) {
1065                            return true;
1066                    }
1067    
1068                    Boolean value = companyAdmins.get(companyId);
1069    
1070                    if (value == null) {
1071                            boolean hasAdminRole = RoleLocalServiceUtil.hasUserRole(
1072                                    user.getUserId(), companyId, RoleConstants.ADMINISTRATOR, true);
1073    
1074                            value = Boolean.valueOf(hasAdminRole);
1075    
1076                            companyAdmins.put(companyId, value);
1077                    }
1078    
1079                    return value.booleanValue();
1080            }
1081    
1082            protected boolean isGroupAdminImpl(long groupId) throws Exception {
1083                    if (!signedIn) {
1084                            return false;
1085                    }
1086    
1087                    if (isOmniadmin()) {
1088                            return true;
1089                    }
1090    
1091                    if (groupId <= 0) {
1092                            return false;
1093                    }
1094    
1095                    Group group = GroupLocalServiceUtil.getGroup(groupId);
1096    
1097                    if (isCompanyAdmin(group.getCompanyId())) {
1098                            return true;
1099                    }
1100    
1101                    PermissionCheckerBag bag = getUserBag(user.getUserId(), groupId);
1102    
1103                    if (bag == null) {
1104                            _log.error("Bag should never be null");
1105                    }
1106    
1107                    if (bag.isGroupAdmin(this, group)) {
1108                            return true;
1109                    }
1110                    else {
1111                            return false;
1112                    }
1113            }
1114    
1115            protected boolean isGroupMemberImpl(long groupId) throws Exception {
1116                    if (!signedIn) {
1117                            return false;
1118                    }
1119    
1120                    if (groupId <= 0) {
1121                            return false;
1122                    }
1123    
1124                    Group group = GroupLocalServiceUtil.getGroup(groupId);
1125    
1126                    PermissionCheckerBag bag = getUserBag(user.getUserId(), groupId);
1127    
1128                    if (bag == null) {
1129                            _log.error("Bag should never be null");
1130                    }
1131    
1132                    if (bag.isGroupMember(this, group)) {
1133                            return true;
1134                    }
1135                    else {
1136                            return false;
1137                    }
1138            }
1139    
1140            protected boolean isGroupOwnerImpl(long groupId) throws Exception {
1141                    if (!signedIn) {
1142                            return false;
1143                    }
1144    
1145                    if (isOmniadmin()) {
1146                            return true;
1147                    }
1148    
1149                    if (groupId <= 0) {
1150                            return false;
1151                    }
1152    
1153                    Group group = GroupLocalServiceUtil.getGroup(groupId);
1154    
1155                    if (isCompanyAdmin(group.getCompanyId())) {
1156                            return true;
1157                    }
1158    
1159                    PermissionCheckerBag bag = getUserBag(user.getUserId(), groupId);
1160    
1161                    if (bag == null) {
1162                            _log.error("Bag should never be null");
1163                    }
1164    
1165                    if (bag.isGroupOwner(this, group)) {
1166                            return true;
1167                    }
1168                    else {
1169                            return false;
1170                    }
1171            }
1172    
1173            protected boolean isOrganizationAdminImpl(long organizationId)
1174                    throws Exception {
1175    
1176                    if (!signedIn) {
1177                            return false;
1178                    }
1179    
1180                    if (isOmniadmin()) {
1181                            return true;
1182                    }
1183    
1184                    if (organizationId <= 0) {
1185                            return false;
1186                    }
1187    
1188                    Organization organization =
1189                            OrganizationLocalServiceUtil.fetchOrganization(organizationId);
1190    
1191                    if (organization == null) {
1192                            return false;
1193                    }
1194    
1195                    if (isCompanyAdmin(organization.getCompanyId())) {
1196                            return true;
1197                    }
1198    
1199                    PermissionCheckerBag bag = getUserBag(
1200                            user.getUserId(), organization.getGroupId());
1201    
1202                    if (bag == null) {
1203                            _log.error("Bag should never be null");
1204                    }
1205    
1206                    if (bag.isOrganizationAdmin(this, organization)) {
1207                            return true;
1208                    }
1209                    else {
1210                            return false;
1211                    }
1212            }
1213    
1214            protected void logHasUserPermission(
1215                    long groupId, String name, String primKey, String actionId,
1216                    StopWatch stopWatch, int block) {
1217    
1218                    if (!_log.isDebugEnabled()) {
1219                            return;
1220                    }
1221    
1222                    _log.debug(
1223                            "Checking user permission block " + block + " for " + groupId +
1224                                    " " + name + " " + primKey + " " + actionId + " takes " +
1225                                            stopWatch.getTime() + " ms");
1226            }
1227    
1228            /**
1229             * @deprecated
1230             */
1231            protected static final String RESULTS_SEPARATOR = "_RESULTS_SEPARATOR_";
1232    
1233            protected Map<Long, Boolean> companyAdmins = new HashMap<Long, Boolean>();
1234    
1235            private static Log _log = LogFactoryUtil.getLog(
1236                    AdvancedPermissionChecker.class);
1237    
1238    }