001    /**
002     * Copyright (c) 2000-2013 Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.service.permission;
016    
017    import com.liferay.portal.kernel.log.Log;
018    import com.liferay.portal.kernel.log.LogFactoryUtil;
019    import com.liferay.portal.model.Contact;
020    import com.liferay.portal.model.Group;
021    import com.liferay.portal.model.Organization;
022    import com.liferay.portal.model.ResourceConstants;
023    import com.liferay.portal.model.RoleConstants;
024    import com.liferay.portal.model.User;
025    import com.liferay.portal.security.auth.PrincipalException;
026    import com.liferay.portal.security.permission.ActionKeys;
027    import com.liferay.portal.security.permission.PermissionChecker;
028    import com.liferay.portal.service.OrganizationLocalServiceUtil;
029    import com.liferay.portal.service.UserGroupRoleLocalServiceUtil;
030    import com.liferay.portal.service.UserLocalServiceUtil;
031    import com.liferay.portal.util.PortalUtil;
032    
033    /**
034     * @author Charles May
035     * @author Jorge Ferrer
036     */
public class UserPermissionImpl implements UserPermission {

	/**
	 * Legacy entry point that folds the organization and location ids into a
	 * single array and defers to
	 * {@link #check(PermissionChecker, long, long[], String)}.
	 *
	 * @deprecated As of 6.2.0, replaced by {@link #check(PermissionChecker,
	 *             long, long[], String)}
	 */
	@Override
	public void check(
			PermissionChecker permissionChecker, long userId,
			long organizationId, long locationId, String actionId)
		throws PrincipalException {

		check(
			permissionChecker, userId, new long[] {organizationId, locationId},
			actionId);
	}

	/**
	 * Enforcing variant of
	 * {@link #contains(PermissionChecker, long, long[], String)}.
	 *
	 * @throws PrincipalException if the action is not permitted. The exception
	 *         carries no message; a denial caused by a lookup failure is only
	 *         visible in the log written by <code>contains</code>
	 */
	@Override
	public void check(
			PermissionChecker permissionChecker, long userId,
			long[] organizationIds, String actionId)
		throws PrincipalException {

		if (!contains(permissionChecker, userId, organizationIds, actionId)) {
			throw new PrincipalException();
		}
	}

	/**
	 * Enforcing variant of
	 * {@link #contains(PermissionChecker, long, String)}, i.e. the
	 * organization step is evaluated against the target user's own
	 * organizations.
	 *
	 * @throws PrincipalException if the action is not permitted
	 */
	@Override
	public void check(
			PermissionChecker permissionChecker, long userId, String actionId)
		throws PrincipalException {

		if (!contains(permissionChecker, userId, actionId)) {
			throw new PrincipalException();
		}
	}

	/**
	 * Legacy entry point that folds the organization and location ids into a
	 * single array and defers to
	 * {@link #contains(PermissionChecker, long, long[], String)}.
	 *
	 * @deprecated As of 6.2.0, replaced by {@link #contains(PermissionChecker,
	 *             long, long[], String)}
	 */
	@Override
	public boolean contains(
		PermissionChecker permissionChecker, long userId, long organizationId,
		long locationId, String actionId) {

		return contains(
			permissionChecker, userId, new long[] {organizationId, locationId},
			actionId);
	}

	/**
	 * Decides whether <code>permissionChecker</code> may perform
	 * <code>actionId</code> on the user identified by <code>userId</code>.
	 *
	 * <p>
	 * Evaluation order, first match wins:
	 * </p>
	 *
	 * <ol>
	 * <li>DELETE, IMPERSONATE, PERMISSIONS and UPDATE on an omniadmin account
	 * are denied unless the principal is an omniadmin too.</li>
	 * <li>For a stored user: owner permission on the user resource, or the
	 * principal acting on its own account, grants.</li>
	 * <li>A regular resource permission on the user resource grants.</li>
	 * <li>MANAGE_USERS on one of <code>organizationIds</code> grants, subject
	 * to the owner/administrator rules in the loop below.</li>
	 * </ol>
	 *
	 * <p>
	 * Any exception raised while evaluating steps 2 to 4 is logged and the
	 * result is a denial (fail closed).
	 * </p>
	 *
	 * @param  permissionChecker the principal whose rights are being tested
	 * @param  userId the target user, or {@link ResourceConstants#PRIMKEY_DNE}
	 *         for a user without a primary key (steps 2 and 4 are then
	 *         skipped, so only step 1 and step 3 can decide)
	 * @param  organizationIds the organizations whose MANAGE_USERS grant may
	 *         satisfy the request, or <code>null</code> to use the target
	 *         user's own organizations. NOTE(review): a non-null list is
	 *         taken as supplied; the target's membership in the listed
	 *         organizations is not verified here, so callers must pass only
	 *         organizations relevant to the target user
	 * @param  actionId the action key being requested; must not be
	 *         <code>null</code> (it is dereferenced before any other check)
	 * @return <code>true</code> if the action is permitted,
	 *         <code>false</code> otherwise or if a lookup failed
	 */
	@Override
	public boolean contains(
		PermissionChecker permissionChecker, long userId,
		long[] organizationIds, String actionId) {

		// Sensitive actions on an omniadmin account are only ever granted to
		// another omniadmin, regardless of any resource or organization
		// permission evaluated below. This guard sits outside the try block,
		// so a failure in PortalUtil.isOmniadmin propagates to the caller
		// instead of being logged and turned into a denial.

		if ((actionId.equals(ActionKeys.DELETE) ||
			 actionId.equals(ActionKeys.IMPERSONATE) ||
			 actionId.equals(ActionKeys.PERMISSIONS) ||
			 actionId.equals(ActionKeys.UPDATE)) &&
			PortalUtil.isOmniadmin(userId) &&
			!permissionChecker.isOmniadmin()) {

			return false;
		}

		try {
			User user = null;

			// PRIMKEY_DNE (presumably "does not exist") denotes a user without
			// a primary key; the owner and self checks need a stored user.

			if (userId != ResourceConstants.PRIMKEY_DNE) {
				user = UserLocalServiceUtil.getUserById(userId);

				Contact contact = user.getContact();

				// Owner check on the user resource, keyed on the principal's
				// company id, or the principal acting on its own account. The
				// self branch grants any actionId, including DELETE and
				// IMPERSONATE; the omniadmin guard above is the only
				// restriction applied before it.

				if (permissionChecker.hasOwnerPermission(
						permissionChecker.getCompanyId(), User.class.getName(),
						userId, contact.getUserId(), actionId) ||
					(permissionChecker.getUserId() == userId)) {

					return true;
				}
			}

			// Regular resource permission on the User resource. A group id of
			// 0 is passed, presumably meaning no site scope; confirm against
			// PermissionChecker.hasPermission.

			if (permissionChecker.hasPermission(
					0, User.class.getName(), userId, actionId)) {

				return true;
			}

			// The organization rules below need the user record.

			if (user == null) {
				return false;
			}

			// null means "the target user's own organizations".

			if (organizationIds == null) {
				organizationIds = user.getOrganizationIds();
			}

			// NOTE(review): a non-null organizationIds is taken as supplied.
			// The loop verifies that the principal may MANAGE_USERS in each
			// listed organization, but never that the target user belongs to
			// it; whichever organization the caller names is the one whose
			// grant is consulted. Call sites should only pass organizations
			// that are relevant to the target user.

			for (long organizationId : organizationIds) {
				if (OrganizationPermissionUtil.contains(
						permissionChecker, organizationId,
						ActionKeys.MANAGE_USERS)) {

					// Redundant with the self check above: user was loaded by
					// userId, so when the ids match that branch has already
					// returned true (assuming getUserById returns the user with
					// that primary key).

					if (permissionChecker.getUserId() == user.getUserId()) {
						return true;
					}

					Organization organization =
						OrganizationLocalServiceUtil.getOrganization(
							organizationId);

					Group organizationGroup = organization.getGroup();

					// Organization administrators can only manage normal users.
					// Owners can only manage normal users and administrators.
					//
					// First branch: a target who owns this organization is never
					// manageable via MANAGE_USERS, not even by another owner.
					// Second branch: a target who administers this organization
					// is manageable only by an owner of the same organization.
					// Either way "continue" only skips this organization;
					// another one in the list may still grant.
					//
					// The trailing boolean on hasUserGroupRole is always true
					// here; presumably an "inherit" flag, confirm against
					// UserGroupRoleLocalService.

					if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
							user.getUserId(), organizationGroup.getGroupId(),
							RoleConstants.ORGANIZATION_OWNER, true)) {

						continue;
					}
					else if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
								user.getUserId(),
								organizationGroup.getGroupId(),
								RoleConstants.ORGANIZATION_ADMINISTRATOR,
								true) &&
							 !UserGroupRoleLocalServiceUtil.hasUserGroupRole(
								permissionChecker.getUserId(),
								organizationGroup.getGroupId(),
								RoleConstants.ORGANIZATION_OWNER, true)) {

						continue;
					}

					// The principal has MANAGE_USERS here and the target is a
					// normal member as far as this organization's roles go.

					return true;
				}
			}
		}
		catch (Exception e) {

			// Fail closed: a missing user, contact or organization, or any
			// service error, is logged (the exception is passed as the
			// throwable argument) and treated as a denial rather than
			// surfaced to the caller.

			_log.error(e, e);
		}

		return false;
	}

	/**
	 * Convenience overload: passes <code>null</code> for the organization
	 * list, so the organization step of
	 * {@link #contains(PermissionChecker, long, long[], String)} is evaluated
	 * against the target user's own organizations.
	 */
	@Override
	public boolean contains(
		PermissionChecker permissionChecker, long userId, String actionId) {

		return contains(permissionChecker, userId, null, actionId);
	}

	// Receives every exception swallowed by contains(); it is the only place
	// the cause of a fail-closed denial is recorded.

	private static Log _log = LogFactoryUtil.getLog(UserPermissionImpl.class);

}