001    /**
002     * Copyright (c) 2000-2013 Liferay, Inc. All rights reserved.
003     *
004     * The contents of this file are subject to the terms of the Liferay Enterprise
005     * Subscription License ("License"). You may not use this file except in
006     * compliance with the License. You can obtain a copy of the License by
007     * contacting Liferay, Inc. See the License for the specific language governing
008     * permissions and limitations under the License, including but not limited to
009     * distribution rights of the Software.
010     *
011     *
012     *
013     */
014    
015    package com.liferay.portal.service.permission;
016    
017    import com.liferay.portal.kernel.log.Log;
018    import com.liferay.portal.kernel.log.LogFactoryUtil;
019    import com.liferay.portal.model.Contact;
020    import com.liferay.portal.model.Group;
021    import com.liferay.portal.model.Organization;
022    import com.liferay.portal.model.ResourceConstants;
023    import com.liferay.portal.model.RoleConstants;
024    import com.liferay.portal.model.User;
025    import com.liferay.portal.security.auth.PrincipalException;
026    import com.liferay.portal.security.permission.ActionKeys;
027    import com.liferay.portal.security.permission.PermissionChecker;
028    import com.liferay.portal.service.OrganizationLocalServiceUtil;
029    import com.liferay.portal.service.UserGroupRoleLocalServiceUtil;
030    import com.liferay.portal.service.UserLocalServiceUtil;
031    import com.liferay.portal.util.PortalUtil;
032    
/**
 * Permission checks for {@link User} resources. Each method decides whether
 * the caller represented by a {@link PermissionChecker} may perform
 * {@code actionId} on the user identified by {@code userId}. The {@code check}
 * variants throw a {@link PrincipalException} where the {@code contains}
 * variants would return {@code false}.
 *
 * @author Charles May
 * @author Jorge Ferrer
 */
public class UserPermissionImpl implements UserPermission {

	/**
	 * @deprecated As of 6.2.0, replaced by {@link #check(PermissionChecker,
	 *             long, long[], String)}
	 */
	@Override
	public void check(
			PermissionChecker permissionChecker, long userId,
			long organizationId, long locationId, String actionId)
		throws PrincipalException {

		long[] organizationIds = {organizationId, locationId};

		check(permissionChecker, userId, organizationIds, actionId);
	}

	/**
	 * Throws unless the caller may perform the action on the user, consulting
	 * the given organizations for organization-level management rights.
	 *
	 * @param  permissionChecker the caller's permission checker
	 * @param  userId the primary key of the target user, or {@link
	 *         ResourceConstants#PRIMKEY_DNE}
	 * @param  organizationIds the organizations to consult, or {@code null} to
	 *         use the target user's own organizations
	 * @param  actionId the action being attempted
	 * @throws PrincipalException if {@link #contains(PermissionChecker, long,
	 *         long[], String)} returns {@code false}
	 */
	@Override
	public void check(
			PermissionChecker permissionChecker, long userId,
			long[] organizationIds, String actionId)
		throws PrincipalException {

		boolean allowed = contains(
			permissionChecker, userId, organizationIds, actionId);

		if (!allowed) {
			throw new PrincipalException();
		}
	}

	/**
	 * Throws unless the caller may perform the action on the user, consulting
	 * the target user's own organizations.
	 *
	 * @param  permissionChecker the caller's permission checker
	 * @param  userId the primary key of the target user, or {@link
	 *         ResourceConstants#PRIMKEY_DNE}
	 * @param  actionId the action being attempted
	 * @throws PrincipalException if {@link #contains(PermissionChecker, long,
	 *         String)} returns {@code false}
	 */
	@Override
	public void check(
			PermissionChecker permissionChecker, long userId, String actionId)
		throws PrincipalException {

		boolean allowed = contains(permissionChecker, userId, actionId);

		if (!allowed) {
			throw new PrincipalException();
		}
	}

	/**
	 * @deprecated As of 6.2.0, replaced by {@link #contains(PermissionChecker,
	 *             long, long[], String)}
	 */
	@Override
	public boolean contains(
		PermissionChecker permissionChecker, long userId, long organizationId,
		long locationId, String actionId) {

		long[] organizationIds = {organizationId, locationId};

		return contains(permissionChecker, userId, organizationIds, actionId);
	}

	/**
	 * Returns whether the caller may perform the action on the user.
	 *
	 * <p>
	 * The decision is made in this order:
	 * </p>
	 *
	 * <ol>
	 * <li>When {@code userId} is a real key, the target user is loaded. For
	 * the actions {@code DELETE}, {@code IMPERSONATE}, {@code PERMISSIONS} and
	 * {@code UPDATE}, a caller who is not an omniadmin is refused outright when
	 * the target is an omniadmin, or when the target is a company admin and the
	 * caller is not.</li>
	 * <li>The caller is granted when it holds owner permission on the user
	 * resource, or when the caller is the target user.</li>
	 * <li>The caller is granted when it holds {@code actionId} on the user
	 * resource (checked without a group scope).</li>
	 * <li>When {@code userId} is {@link ResourceConstants#PRIMKEY_DNE}, no
	 * user was loaded and the answer is now {@code false}.</li>
	 * <li>Otherwise each organization in {@code organizationIds} (or the target
	 * user's own organizations when {@code null}) is consulted: a caller with
	 * {@code MANAGE_USERS} on the organization is granted, except that an
	 * organization owner cannot be managed through this path at all and an
	 * organization administrator can only be managed by an owner.</li>
	 * </ol>
	 *
	 * <p>
	 * Any exception raised while resolving the user, organizations or roles is
	 * logged and treated as a denial, so the check fails closed.
	 * </p>
	 *
	 * @param  permissionChecker the caller's permission checker
	 * @param  userId the primary key of the target user, or {@link
	 *         ResourceConstants#PRIMKEY_DNE}
	 * @param  organizationIds the organizations to consult, or {@code null} to
	 *         use the target user's own organizations
	 * @param  actionId the action being attempted
	 * @return {@code true} if the caller may perform the action on the user;
	 *         {@code false} otherwise
	 */
	@Override
	public boolean contains(
		PermissionChecker permissionChecker, long userId,
		long[] organizationIds, String actionId) {

		try {
			User user = null;

			if (userId != ResourceConstants.PRIMKEY_DNE) {
				user = UserLocalServiceUtil.getUserById(userId);

				// A sensitive action on an omniadmin needs an omniadmin caller;
				// on a company admin it needs at least a company admin caller

				if (_isSensitiveAction(actionId) &&
					!permissionChecker.isOmniadmin() &&
					(PortalUtil.isOmniadmin(user) ||
					 (!permissionChecker.isCompanyAdmin() &&
					  PortalUtil.isCompanyAdmin(user)))) {

					return false;
				}

				Contact contact = user.getContact();

				boolean owner = permissionChecker.hasOwnerPermission(
					permissionChecker.getCompanyId(), User.class.getName(),
					userId, contact.getUserId(), actionId);

				if (owner || (permissionChecker.getUserId() == userId)) {
					return true;
				}
			}

			// Explicit permission on the user resource, without a group scope

			if (permissionChecker.hasPermission(
					0, User.class.getName(), userId, actionId)) {

				return true;
			}

			// No user was loaded (PRIMKEY_DNE), so there are no organizations
			// left to consult

			if (user == null) {
				return false;
			}

			long[] candidateOrganizationIds = organizationIds;

			if (candidateOrganizationIds == null) {
				candidateOrganizationIds = user.getOrganizationIds();
			}

			for (long organizationId : candidateOrganizationIds) {
				if (!OrganizationPermissionUtil.contains(
						permissionChecker, organizationId,
						ActionKeys.MANAGE_USERS)) {

					continue;
				}

				if (permissionChecker.getUserId() == user.getUserId()) {
					return true;
				}

				Organization organization =
					OrganizationLocalServiceUtil.getOrganization(organizationId);

				Group organizationGroup = organization.getGroup();

				long groupId = organizationGroup.getGroupId();

				// Organization administrators can only manage normal users.
				// Owners can only manage normal users and administrators.

				boolean targetIsOwner =
					UserGroupRoleLocalServiceUtil.hasUserGroupRole(
						user.getUserId(), groupId,
						RoleConstants.ORGANIZATION_OWNER, true);

				if (targetIsOwner) {
					continue;
				}

				boolean targetIsAdministrator =
					UserGroupRoleLocalServiceUtil.hasUserGroupRole(
						user.getUserId(), groupId,
						RoleConstants.ORGANIZATION_ADMINISTRATOR, true);

				if (targetIsAdministrator &&
					!UserGroupRoleLocalServiceUtil.hasUserGroupRole(
						permissionChecker.getUserId(), groupId,
						RoleConstants.ORGANIZATION_OWNER, true)) {

					continue;
				}

				return true;
			}
		}
		catch (Exception e) {

			// Fail closed: a failure while resolving the user, organization or
			// roles is logged and reported as a denial

			_log.error(e, e);
		}

		return false;
	}

	/**
	 * Returns whether the caller may perform the action on the user, consulting
	 * the target user's own organizations.
	 *
	 * @param  permissionChecker the caller's permission checker
	 * @param  userId the primary key of the target user, or {@link
	 *         ResourceConstants#PRIMKEY_DNE}
	 * @param  actionId the action being attempted
	 * @return {@code true} if the caller may perform the action on the user;
	 *         {@code false} otherwise
	 */
	@Override
	public boolean contains(
		PermissionChecker permissionChecker, long userId, String actionId) {

		long[] organizationIds = null;

		return contains(permissionChecker, userId, organizationIds, actionId);
	}

	/**
	 * Returns whether the action is one of those withheld from callers who
	 * rank below their target (see {@link #contains(PermissionChecker, long,
	 * long[], String)}).
	 *
	 * @param  actionId the action being attempted
	 * @return {@code true} for {@code DELETE}, {@code IMPERSONATE}, {@code
	 *         PERMISSIONS} and {@code UPDATE}; {@code false} otherwise
	 */
	private static boolean _isSensitiveAction(String actionId) {
		return actionId.equals(ActionKeys.DELETE) ||
			actionId.equals(ActionKeys.IMPERSONATE) ||
			actionId.equals(ActionKeys.PERMISSIONS) ||
			actionId.equals(ActionKeys.UPDATE);
	}

	private static final Log _log = LogFactoryUtil.getLog(
		UserPermissionImpl.class);

}