001    /**
002     * Copyright (c) 2000-2012 Liferay, Inc. All rights reserved.
003     *
004     * The contents of this file are subject to the terms of the Liferay Enterprise
005     * Subscription License ("License"). You may not use this file except in
006     * compliance with the License. You can obtain a copy of the License by
007     * contacting Liferay, Inc. See the License for the specific language governing
008     * permissions and limitations under the License, including but not limited to
009     * distribution rights of the Software.
010     *
011     *
012     *
013     */
014    
015    package com.liferay.portal.service.permission;
016    
017    import com.liferay.portal.kernel.log.Log;
018    import com.liferay.portal.kernel.log.LogFactoryUtil;
019    import com.liferay.portal.model.Contact;
020    import com.liferay.portal.model.Group;
021    import com.liferay.portal.model.Organization;
022    import com.liferay.portal.model.ResourceConstants;
023    import com.liferay.portal.model.RoleConstants;
024    import com.liferay.portal.model.User;
025    import com.liferay.portal.security.auth.PrincipalException;
026    import com.liferay.portal.security.permission.ActionKeys;
027    import com.liferay.portal.security.permission.PermissionChecker;
028    import com.liferay.portal.service.OrganizationLocalServiceUtil;
029    import com.liferay.portal.service.UserGroupRoleLocalServiceUtil;
030    import com.liferay.portal.service.UserLocalServiceUtil;
031    import com.liferay.portal.util.PortalUtil;
032    import com.liferay.portal.util.PropsValues;
033    
034    /**
035     * @author Charles May
036     * @author Jorge Ferrer
037     */
public class UserPermissionImpl implements UserPermission {

    /**
     * Throws unless the organization-scoped check passes for the two given
     * organization ids.
     *
     * @deprecated Replaced by {@link #check(PermissionChecker, long, long[],
     *             String)}
     */
    public void check(
            PermissionChecker permissionChecker, long userId,
            long organizationId, long locationId, String actionId)
        throws PrincipalException {

        long[] organizationIds = new long[] {organizationId, locationId};

        check(permissionChecker, userId, organizationIds, actionId);
    }

    /**
     * Enforcing form of {@link #contains(PermissionChecker, long, long[],
     * String)}: returns normally when the action is permitted and throws
     * otherwise.
     *
     * @throws PrincipalException if the permission check returns
     *         <code>false</code>, which includes the case where the check
     *         itself failed with an exception
     */
    public void check(
            PermissionChecker permissionChecker, long userId,
            long[] organizationIds, String actionId)
        throws PrincipalException {

        boolean permitted = contains(
            permissionChecker, userId, organizationIds, actionId);

        if (permitted) {
            return;
        }

        throw new PrincipalException();
    }

    /**
     * Enforcing form of {@link #contains(PermissionChecker, long, String)}.
     *
     * @throws PrincipalException if the permission check returns
     *         <code>false</code>
     */
    public void check(
            PermissionChecker permissionChecker, long userId, String actionId)
        throws PrincipalException {

        boolean permitted = contains(permissionChecker, userId, actionId);

        if (permitted) {
            return;
        }

        throw new PrincipalException();
    }

    /**
     * Runs the organization-scoped check against the two given organization
     * ids.
     *
     * @deprecated Replaced by {@link #contains(PermissionChecker, long, long[],
     *             String)}
     */
    public boolean contains(
        PermissionChecker permissionChecker, long userId, long organizationId,
        long locationId, String actionId) {

        long[] organizationIds = new long[] {organizationId, locationId};

        return contains(permissionChecker, userId, organizationIds, actionId);
    }

    /**
     * Decides whether the caller behind <code>permissionChecker</code> may
     * perform <code>actionId</code> on the user <code>userId</code>.
     *
     * <p>
     * Decision order, first match wins:
     * </p>
     *
     * <ol>
     * <li>
     * Denied when the action is {@link ActionKeys#IMPERSONATE}, the target is
     * an omniadmin and the caller is not.
     * </li>
     * <li>
     * Granted when the user check algorithm is 5 or 6 and the checker reports
     * owner permission, or when the caller is the target user. The self match
     * does not look at <code>actionId</code>, so it grants every action that
     * got past step 1.
     * </li>
     * <li>
     * Granted when the checker reports the permission for group id 0.
     * </li>
     * <li>
     * Granted when the caller holds {@link ActionKeys#MANAGE_USERS} on one of
     * the organizations and the role rule in the loop does not exclude the
     * target. <code>actionId</code> is not consulted in this step.
     * </li>
     * </ol>
     *
     * <p>
     * Any exception raised inside the lookup is logged and the result is
     * <code>false</code>, so a failing backend denies rather than grants. The
     * method does not itself verify that the target user belongs to the
     * supplied organizations. NOTE(review): confirm that call sites only pass
     * organization ids they have resolved themselves.
     * </p>
     *
     * @param  permissionChecker the checker for the calling user
     * @param  userId the primary key of the target user, or {@link
     *         ResourceConstants#PRIMKEY_DNE} when no user is loaded
     * @param  organizationIds the organizations to test; when
     *         <code>null</code> the target user's own organization ids are
     *         used
     * @param  actionId the action key; must not be <code>null</code>, it is
     *         dereferenced before the try block
     * @return <code>true</code> if the action is permitted
     */
    public boolean contains(
        PermissionChecker permissionChecker, long userId,
        long[] organizationIds, String actionId) {

        // Impersonation guard: evaluated first and outside the try block, so
        // it cannot be bypassed by any of the grants below.

        boolean impersonating = actionId.equals(ActionKeys.IMPERSONATE);

        if (impersonating && PortalUtil.isOmniadmin(userId)) {
            if (!permissionChecker.isOmniadmin()) {
                return false;
            }
        }

        try {
            User user = null;

            if (userId != ResourceConstants.PRIMKEY_DNE) {
                user = UserLocalServiceUtil.getUserById(userId);

                Contact contact = user.getContact();

                boolean ownerAlgorithm =
                    (PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 5) ||
                    (PropsValues.PERMISSIONS_USER_CHECK_ALGORITHM == 6);

                // The owner id handed to the checker is the contact's user id.

                if (ownerAlgorithm &&
                    permissionChecker.hasOwnerPermission(
                        permissionChecker.getCompanyId(), User.class.getName(),
                        userId, contact.getUserId(), actionId)) {

                    return true;
                }

                // A caller acting on their own account is granted regardless
                // of the action requested.

                if (permissionChecker.getUserId() == userId) {
                    return true;
                }
            }

            boolean grantedDirectly = permissionChecker.hasPermission(
                0, User.class.getName(), userId, actionId);

            if (grantedDirectly) {
                return true;
            }

            // Without a loaded user there are no organizations or roles left
            // to evaluate.

            if (user == null) {
                return false;
            }

            long[] candidateIds = organizationIds;

            if (candidateIds == null) {
                candidateIds = user.getOrganizationIds();
            }

            for (long organizationId : candidateIds) {
                boolean managesUsers = OrganizationPermissionUtil.contains(
                    permissionChecker, organizationId,
                    ActionKeys.MANAGE_USERS);

                if (!managesUsers) {
                    continue;
                }

                long targetUserId = user.getUserId();

                // Presumably already covered by the self match above whenever
                // the lookup returned the requested user; kept as is.

                if (permissionChecker.getUserId() == targetUserId) {
                    return true;
                }

                Organization organization =
                    OrganizationLocalServiceUtil.getOrganization(
                        organizationId);

                Group organizationGroup = organization.getGroup();

                long groupId = organizationGroup.getGroupId();

                // Organization administrators can only manage normal users.
                // Owners can only manage normal users and administrators.

                boolean targetIsOwner =
                    UserGroupRoleLocalServiceUtil.hasUserGroupRole(
                        targetUserId, groupId,
                        RoleConstants.ORGANIZATION_OWNER, true);

                if (targetIsOwner) {
                    continue;
                }

                boolean targetIsAdministrator =
                    UserGroupRoleLocalServiceUtil.hasUserGroupRole(
                        targetUserId, groupId,
                        RoleConstants.ORGANIZATION_ADMINISTRATOR, true);

                if (targetIsAdministrator &&
                    !UserGroupRoleLocalServiceUtil.hasUserGroupRole(
                        permissionChecker.getUserId(), groupId,
                        RoleConstants.ORGANIZATION_OWNER, true)) {

                    continue;
                }

                return true;
            }
        }
        catch (Exception e) {

            // Fail closed: a lookup or service error falls through to the
            // final denial instead of propagating to the caller.

            _log.error(e, e);
        }

        return false;
    }

    /**
     * Runs the full check with no explicit organization list, so the target
     * user's own organizations are evaluated.
     *
     * @return <code>true</code> if the action is permitted
     */
    public boolean contains(
        PermissionChecker permissionChecker, long userId, String actionId) {

        long[] organizationIds = null;

        return contains(permissionChecker, userId, organizationIds, actionId);
    }

    private static Log _log = LogFactoryUtil.getLog(UserPermissionImpl.class);

}