001    /**
002     * Copyright (c) 2000-2013 Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.service.permission;
016    
017    import com.liferay.portal.kernel.log.Log;
018    import com.liferay.portal.kernel.log.LogFactoryUtil;
019    import com.liferay.portal.model.Contact;
020    import com.liferay.portal.model.Group;
021    import com.liferay.portal.model.Organization;
022    import com.liferay.portal.model.ResourceConstants;
023    import com.liferay.portal.model.RoleConstants;
024    import com.liferay.portal.model.User;
025    import com.liferay.portal.security.auth.PrincipalException;
026    import com.liferay.portal.security.permission.ActionKeys;
027    import com.liferay.portal.security.permission.PermissionChecker;
028    import com.liferay.portal.service.OrganizationLocalServiceUtil;
029    import com.liferay.portal.service.UserGroupRoleLocalServiceUtil;
030    import com.liferay.portal.service.UserLocalServiceUtil;
031    import com.liferay.portal.util.PortalUtil;
032    
033    /**
034     * @author Charles May
035     * @author Jorge Ferrer
036     */
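public class UserPermissionImpl implements UserPermission {

	/**
	 * @deprecated As of 6.2.0, replaced by {@link #check(PermissionChecker,
	 *             long, long[], String)}
	 */
	@Deprecated
	public void check(
			PermissionChecker permissionChecker, long userId,
			long organizationId, long locationId, String actionId)
		throws PrincipalException {

		check(
			permissionChecker, userId, new long[] {organizationId, locationId},
			actionId);
	}

	/**
	 * Checks that the caller may perform the action on the user, failing with
	 * an exception when it may not.
	 *
	 * @param  permissionChecker the caller's permission checker
	 * @param  userId the primary key of the target user
	 * @param  organizationIds the organizations through which the caller may
	 *         hold the permission, or <code>null</code> to use the target
	 *         user's own organizations
	 * @param  actionId the action being checked
	 * @throws PrincipalException if {@link #contains(PermissionChecker, long,
	 *         long[], String)} denies the action
	 */
	public void check(
			PermissionChecker permissionChecker, long userId,
			long[] organizationIds, String actionId)
		throws PrincipalException {

		if (!contains(permissionChecker, userId, organizationIds, actionId)) {
			throw new PrincipalException();
		}
	}

	/**
	 * Checks that the caller may perform the action on the user, considering
	 * the target user's own organizations, failing with an exception when it
	 * may not.
	 *
	 * @param  permissionChecker the caller's permission checker
	 * @param  userId the primary key of the target user
	 * @param  actionId the action being checked
	 * @throws PrincipalException if {@link #contains(PermissionChecker, long,
	 *         String)} denies the action
	 */
	public void check(
			PermissionChecker permissionChecker, long userId, String actionId)
		throws PrincipalException {

		if (!contains(permissionChecker, userId, actionId)) {
			throw new PrincipalException();
		}
	}

	/**
	 * @deprecated As of 6.2.0, replaced by {@link #contains(PermissionChecker,
	 *             long, long[], String)}
	 */
	@Deprecated
	public boolean contains(
		PermissionChecker permissionChecker, long userId, long organizationId,
		long locationId, String actionId) {

		return contains(
			permissionChecker, userId, new long[] {organizationId, locationId},
			actionId);
	}

	/**
	 * Returns <code>true</code> if the caller may perform the action on the
	 * user.
	 *
	 * <p>
	 * The decision is made in order: an omniadmin target is protected from
	 * sensitive actions by non-omniadmin callers; the target's owner and the
	 * user acting on itself are allowed; a permission granted directly on the
	 * user resource is allowed; otherwise the caller must hold
	 * {@link ActionKeys#MANAGE_USERS} in one of the candidate organizations,
	 * subject to the organization role rules below. Any exception raised by
	 * the lookups is logged and treated as a denial, so the check fails
	 * closed.
	 * </p>
	 *
	 * @param  permissionChecker the caller's permission checker
	 * @param  userId the primary key of the target user, or {@link
	 *         ResourceConstants#PRIMKEY_DNE} when no such user exists
	 * @param  organizationIds the organizations through which the caller may
	 *         hold the permission, or <code>null</code> to use the target
	 *         user's own organizations
	 * @param  actionId the action being checked; must not be <code>null</code>
	 * @return <code>true</code> if the caller may perform the action on the
	 *         user; <code>false</code> otherwise
	 */
	public boolean contains(
		PermissionChecker permissionChecker, long userId,
		long[] organizationIds, String actionId) {

		// Only another omniadmin may delete, impersonate, update, or change the
		// permissions of an omniadmin, whatever other permissions the caller
		// holds

		if (_isProtectedOmniadminAction(permissionChecker, userId, actionId)) {
			return false;
		}

		try {
			User user = null;

			if (userId != ResourceConstants.PRIMKEY_DNE) {
				user = UserLocalServiceUtil.getUserById(userId);

				Contact contact = user.getContact();

				// The contact's user is the owner of the user resource; a user
				// may always act on itself

				if (permissionChecker.hasOwnerPermission(
						permissionChecker.getCompanyId(), User.class.getName(),
						userId, contact.getUserId(), actionId) ||
					(permissionChecker.getUserId() == userId)) {

					return true;
				}
			}

			// A permission granted directly on the user resource, outside any
			// group scope

			if (permissionChecker.hasPermission(
					0, User.class.getName(), userId, actionId)) {

				return true;
			}

			// The remaining checks are organization based and need the user

			if (user == null) {
				return false;
			}

			long[] candidateOrganizationIds = organizationIds;

			if (candidateOrganizationIds == null) {
				candidateOrganizationIds = user.getOrganizationIds();
			}

			for (long organizationId : candidateOrganizationIds) {
				if (!OrganizationPermissionUtil.contains(
						permissionChecker, organizationId,
						ActionKeys.MANAGE_USERS)) {

					continue;
				}

				if (permissionChecker.getUserId() == user.getUserId()) {
					return true;
				}

				Organization organization =
					OrganizationLocalServiceUtil.getOrganization(
						organizationId);

				Group organizationGroup = organization.getGroup();

				long organizationGroupId = organizationGroup.getGroupId();

				// Organization administrators can only manage normal users.
				// Owners can only manage normal users and administrators.

				if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
						user.getUserId(), organizationGroupId,
						RoleConstants.ORGANIZATION_OWNER, true)) {

					continue;
				}

				if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
						user.getUserId(), organizationGroupId,
						RoleConstants.ORGANIZATION_ADMINISTRATOR, true) &&
					!UserGroupRoleLocalServiceUtil.hasUserGroupRole(
						permissionChecker.getUserId(), organizationGroupId,
						RoleConstants.ORGANIZATION_OWNER, true)) {

					continue;
				}

				return true;
			}
		}
		catch (Exception e) {

			// Fail closed: a failed lookup must not grant the permission

			_log.error(e, e);
		}

		return false;
	}

	/**
	 * Returns <code>true</code> if the caller may perform the action on the
	 * user, using the target user's own organizations as the candidate
	 * organizations.
	 *
	 * @param  permissionChecker the caller's permission checker
	 * @param  userId the primary key of the target user
	 * @param  actionId the action being checked
	 * @return <code>true</code> if the caller may perform the action on the
	 *         user; <code>false</code> otherwise
	 */
	public boolean contains(
		PermissionChecker permissionChecker, long userId, String actionId) {

		return contains(permissionChecker, userId, null, actionId);
	}

	/**
	 * Returns <code>true</code> if the action is one of the sensitive actions
	 * (delete, impersonate, permissions, update), the target user is an
	 * omniadmin, and the caller is not.
	 */
	private boolean _isProtectedOmniadminAction(
		PermissionChecker permissionChecker, long userId, String actionId) {

		if (!actionId.equals(ActionKeys.DELETE) &&
			!actionId.equals(ActionKeys.IMPERSONATE) &&
			!actionId.equals(ActionKeys.PERMISSIONS) &&
			!actionId.equals(ActionKeys.UPDATE)) {

			return false;
		}

		return PortalUtil.isOmniadmin(userId) &&
			!permissionChecker.isOmniadmin();
	}

	private static final Log _log = LogFactoryUtil.getLog(
		UserPermissionImpl.class);

}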