001    /**
002     * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.model.impl;
016    
017    import com.liferay.portal.kernel.exception.PortalException;
018    import com.liferay.portal.kernel.portlet.PortletModeFactory;
019    import com.liferay.portal.kernel.util.ArrayUtil;
020    import com.liferay.portal.kernel.util.GetterUtil;
021    import com.liferay.portal.kernel.util.ParamUtil;
022    import com.liferay.portal.kernel.util.PropsKeys;
023    import com.liferay.portal.kernel.util.PropsUtil;
024    import com.liferay.portal.kernel.util.StringUtil;
025    import com.liferay.portal.kernel.util.Validator;
026    import com.liferay.portal.kernel.util.WebKeys;
027    import com.liferay.portal.model.Layout;
028    import com.liferay.portal.model.LayoutTypeAccessPolicy;
029    import com.liferay.portal.model.LayoutTypePortlet;
030    import com.liferay.portal.model.Portlet;
031    import com.liferay.portal.security.auth.AuthTokenUtil;
032    import com.liferay.portal.security.auth.PrincipalException;
033    import com.liferay.portal.security.permission.ActionKeys;
034    import com.liferay.portal.security.permission.PermissionChecker;
035    import com.liferay.portal.security.permission.PermissionThreadLocal;
036    import com.liferay.portal.service.permission.LayoutPermissionUtil;
037    import com.liferay.portal.service.permission.PortletPermissionUtil;
038    import com.liferay.portal.theme.ThemeDisplay;
039    import com.liferay.portal.util.PortalUtil;
040    
041    import javax.portlet.PortletMode;
042    
043    import javax.servlet.http.HttpServletRequest;
044    
/**
 * Default {@link LayoutTypeAccessPolicy} implementation.
 *
 * <p>
 * Layout-level questions (add, customize, delete, update, view) are delegated
 * to {@link LayoutPermissionUtil} with the matching {@link ActionKeys} value.
 * Portlet access is decided in two stages by
 * {@link #checkAccessAllowedToPortlet}: first the request must be allowed to
 * reach the portlet on this layout at all
 * ({@link #isAccessAllowedToLayoutPortlet}), then the current permission
 * checker must hold the access permission ({@link #hasAccessPermission}).
 * Both stages must pass; otherwise a
 * {@link PrincipalException.MustHavePermission} is thrown.
 * </p>
 *
 * @author Adolfo Pérez
 */
public class DefaultLayoutTypeAccessPolicyImpl
	implements LayoutTypeAccessPolicy {

	/**
	 * Returns the shared policy instance held in {@code _instance}; no new
	 * object is created per call.
	 *
	 * @return the singleton access policy
	 */
	public static LayoutTypeAccessPolicy create() {
		return _instance;
	}

	/**
	 * Verifies that the request may access the portlet on the layout and
	 * throws if it may not.
	 *
	 * @param  request the current servlet request
	 * @param  layout the layout the portlet is being accessed on
	 * @param  portlet the portlet being accessed
	 * @throws PortalException in particular
	 *         {@link PrincipalException.MustHavePermission} when either the
	 *         layout/portlet gate or the permission check fails
	 */
	@Override
	public void checkAccessAllowedToPortlet(
			HttpServletRequest request, Layout layout, Portlet portlet)
		throws PortalException {

		boolean accessAllowed = false;

		if (isAccessAllowedToLayoutPortlet(request, layout, portlet)) {

			// The default resource is registered only after the first gate
			// has passed and before the permission check runs; keep this
			// order, the permission check follows it directly.

			PortalUtil.addPortletDefaultResource(request, portlet);

			accessAllowed = hasAccessPermission(request, layout, portlet);
		}

		if (!accessAllowed) {
			throw new PrincipalException.MustHavePermission(
				PortalUtil.getUserId(request), portlet.getDisplayName(),
				portlet.getPortletId(), ActionKeys.ACCESS);
		}
	}

	/**
	 * Tells whether the permission checker holds
	 * {@link ActionKeys#ADD_LAYOUT} on the layout.
	 *
	 * @param  permissionChecker the permission checker to consult
	 * @param  layout the layout being checked
	 * @return the result of the {@link LayoutPermissionUtil} lookup
	 * @throws PortalException if the permission lookup fails
	 */
	@Override
	public boolean isAddLayoutAllowed(
			PermissionChecker permissionChecker, Layout layout)
		throws PortalException {

		boolean allowed = LayoutPermissionUtil.contains(
			permissionChecker, layout, ActionKeys.ADD_LAYOUT);

		return allowed;
	}

	/**
	 * Tells whether the permission checker holds
	 * {@link ActionKeys#CUSTOMIZE} on the layout.
	 *
	 * @param  permissionChecker the permission checker to consult
	 * @param  layout the layout being checked
	 * @return the result of the {@link LayoutPermissionUtil} lookup
	 * @throws PortalException if the permission lookup fails
	 */
	@Override
	public boolean isCustomizeLayoutAllowed(
			PermissionChecker permissionChecker, Layout layout)
		throws PortalException {

		boolean allowed = LayoutPermissionUtil.contains(
			permissionChecker, layout, ActionKeys.CUSTOMIZE);

		return allowed;
	}

	/**
	 * Tells whether the permission checker holds {@link ActionKeys#DELETE}
	 * on the layout.
	 *
	 * @param  permissionChecker the permission checker to consult
	 * @param  layout the layout being checked
	 * @return the result of the {@link LayoutPermissionUtil} lookup
	 * @throws PortalException if the permission lookup fails
	 */
	@Override
	public boolean isDeleteLayoutAllowed(
			PermissionChecker permissionChecker, Layout layout)
		throws PortalException {

		boolean allowed = LayoutPermissionUtil.contains(
			permissionChecker, layout, ActionKeys.DELETE);

		return allowed;
	}

	/**
	 * Tells whether the permission checker holds {@link ActionKeys#UPDATE}
	 * on the layout.
	 *
	 * @param  permissionChecker the permission checker to consult
	 * @param  layout the layout being checked
	 * @return the result of the {@link LayoutPermissionUtil} lookup
	 * @throws PortalException if the permission lookup fails
	 */
	@Override
	public boolean isUpdateLayoutAllowed(
			PermissionChecker permissionChecker, Layout layout)
		throws PortalException {

		boolean allowed = LayoutPermissionUtil.contains(
			permissionChecker, layout, ActionKeys.UPDATE);

		return allowed;
	}

	/**
	 * Tells whether the permission checker holds {@link ActionKeys#VIEW} on
	 * the layout.
	 *
	 * @param  permissionChecker the permission checker to consult
	 * @param  layout the layout being checked
	 * @return the result of the {@link LayoutPermissionUtil} lookup
	 * @throws PortalException if the permission lookup fails
	 */
	@Override
	public boolean isViewLayoutAllowed(
			PermissionChecker permissionChecker, Layout layout)
		throws PortalException {

		boolean allowed = LayoutPermissionUtil.contains(
			permissionChecker, layout, ActionKeys.VIEW);

		return allowed;
	}

	/**
	 * Asks {@link PortletPermissionUtil} whether the thread's permission
	 * checker may access the portlet on the layout in the effective portlet
	 * mode.
	 *
	 * <p>
	 * The mode defaults to {@link PortletMode#VIEW}. It is taken from the
	 * {@code p_p_mode} request parameter only when {@code p_p_id} names this
	 * very portlet. Both parameters come from the request, so the mode
	 * checked here is chosen by the caller.
	 * </p>
	 *
	 * @param  request the current servlet request
	 * @param  layout the layout the portlet is being accessed on
	 * @param  portlet the portlet being accessed
	 * @return the result of
	 *         {@code PortletPermissionUtil.hasAccessPermission}
	 * @throws PortalException if the permission lookup fails
	 */
	protected boolean hasAccessPermission(
			HttpServletRequest request, Layout layout, Portlet portlet)
		throws PortalException {

		PermissionChecker permissionChecker =
			PermissionThreadLocal.getPermissionChecker();

		// NOTE(review): the attribute is dereferenced below without a null
		// check; a request without THEME_DISPLAY ends in a
		// NullPointerException rather than a PrincipalException.

		ThemeDisplay themeDisplay = (ThemeDisplay)request.getAttribute(
			WebKeys.THEME_DISPLAY);

		String portletId = portlet.getPortletId();
		String ppid = request.getParameter("p_p_id");
		String ppmode = request.getParameter("p_p_mode");

		boolean modeRequestedForThisPortlet =
			portletId.equals(ppid) && (ppmode != null);

		PortletMode portletMode = PortletMode.VIEW;

		if (modeRequestedForThisPortlet) {
			portletMode = PortletModeFactory.getPortletMode(ppmode);
		}

		long scopeGroupId = themeDisplay.getScopeGroupId();

		return PortletPermissionUtil.hasAccessPermission(
			permissionChecker, scopeGroupId, layout, portlet, portletMode);
	}

	/**
	 * First gate of the portlet access decision: access is allowed when any
	 * one of the three grants applies. They are evaluated in this order and
	 * evaluation stops at the first that succeeds: runtime portlet, portlet
	 * present on the page, valid portlet authentication token.
	 *
	 * @param  request the current servlet request
	 * @param  layout the layout the portlet is being accessed on
	 * @param  portlet the portlet being accessed
	 * @return <code>true</code> if at least one grant applies
	 */
	protected boolean isAccessAllowedToLayoutPortlet(
		HttpServletRequest request, Layout layout, Portlet portlet) {

		return isAccessGrantedByRuntimePortlet(request) ||
			   isAccessGrantedByPortletOnPage(layout, portlet) ||
			   isAccessGrantedByPortletAuthenticationToken(
				   request, layout, portlet);
	}

	/**
	 * Grants access to a portlet that is flagged add-default-resource when
	 * the request carries a valid portlet invocation token.
	 *
	 * <p>
	 * Portlets without the add-default-resource flag are never granted by
	 * this path. When the property behind
	 * {@link PropsKeys#PORTLET_ADD_DEFAULT_RESOURCE_CHECK_ENABLED} is
	 * <code>false</code>, the token is not examined at all and every
	 * add-default-resource portlet is granted, so that setting removes the
	 * token requirement for this path.
	 * </p>
	 *
	 * @param  request the current servlet request
	 * @param  layout the layout whose plid the token is validated against
	 * @param  portlet the portlet being accessed
	 * @return <code>true</code> if the grant applies
	 */
	protected boolean isAccessGrantedByPortletAuthenticationToken(
		HttpServletRequest request, Layout layout, Portlet portlet) {

		String portletId = portlet.getPortletId();

		if (!portlet.isAddDefaultResource()) {
			return false;
		}

		if (!_PORTLET_ADD_DEFAULT_RESOURCE_CHECK_ENABLED) {

			// Check disabled by configuration: granted without any token

			return true;
		}

		// The namespaced struts_action parameter wins; the bare one is only
		// a fallback.

		String strutsAction = ParamUtil.getString(
			request, PortalUtil.getPortletNamespace(portletId) + "struts_action");

		if (Validator.isNull(strutsAction)) {
			strutsAction = ParamUtil.getString(request, "struts_action");
		}

		// The token is looked up on this request first and on the original
		// servlet request when it is missing here.

		String requestPortletAuthenticationToken = ParamUtil.getString(
			request, "p_p_auth");

		if (Validator.isNull(requestPortletAuthenticationToken)) {
			requestPortletAuthenticationToken = ParamUtil.getString(
				PortalUtil.getOriginalServletRequest(request), "p_p_auth");
		}

		return AuthTokenUtil.isValidPortletInvocationToken(
			request, layout.getPlid(), portletId, strutsAction,
			requestPortletAuthenticationToken);
	}

	/**
	 * Grants access when the portlet belongs to the layout: either the
	 * layout is a panel and lists the portlet among its selected portlets,
	 * or the layout type reports that it has the portlet ID.
	 *
	 * @param  layout the layout being accessed
	 * @param  portlet the portlet being accessed
	 * @return <code>true</code> if the portlet is on the page
	 */
	protected boolean isAccessGrantedByPortletOnPage(
		Layout layout, Portlet portlet) {

		String portletId = portlet.getPortletId();

		if (layout.isTypePanel() && isPanelSelectedPortlet(layout, portletId)) {
			return true;
		}

		// NOTE(review): the cast assumes every layout type reaching this
		// point is a LayoutTypePortlet; confirm against the callers.

		LayoutTypePortlet layoutTypePortlet =
			(LayoutTypePortlet)layout.getLayoutType();

		return (layoutTypePortlet != null) &&
			   layoutTypePortlet.hasPortletId(portletId);
	}

	/**
	 * Grants access when the {@link WebKeys#RENDER_PORTLET_RESOURCE} request
	 * attribute is set to <code>true</code>. The value is read from a
	 * request attribute, not from a request parameter; an absent attribute
	 * counts as <code>false</code>.
	 *
	 * @param  request the current servlet request
	 * @return the attribute value, or <code>false</code> if it is not set
	 */
	protected boolean isAccessGrantedByRuntimePortlet(
		HttpServletRequest request) {

		Boolean renderPortletResource = (Boolean)request.getAttribute(
			WebKeys.RENDER_PORTLET_RESOURCE);

		return (renderPortletResource != null) &&
			   renderPortletResource.booleanValue();
	}

	/**
	 * Tells whether the portlet ID appears in the layout's
	 * {@code panelSelectedPortlets} type setting, which is split into an
	 * array with {@link StringUtil#split(String)}.
	 *
	 * @param  layout the panel layout
	 * @param  portletId the portlet ID to look for
	 * @return <code>true</code> if the setting is present and contains the
	 *         portlet ID
	 */
	protected boolean isPanelSelectedPortlet(Layout layout, String portletId) {
		String panelSelectedPortlets = layout.getTypeSettingsProperty(
			"panelSelectedPortlets");

		if (Validator.isNull(panelSelectedPortlets)) {
			return false;
		}

		return ArrayUtil.contains(
			StringUtil.split(panelSelectedPortlets), portletId);
	}

	// Read once at class initialization. When false, the p_p_auth token
	// check for add-default-resource portlets is skipped.

	private static final boolean _PORTLET_ADD_DEFAULT_RESOURCE_CHECK_ENABLED =
		GetterUtil.getBoolean(
			PropsUtil.get(
				PropsKeys.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_ENABLED));

	// Shared instance handed out by create()

	private static final LayoutTypeAccessPolicy _instance =
		new DefaultLayoutTypeAccessPolicyImpl();

}