001    /**
002     * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.service.permission;
016    
017    import com.liferay.portal.kernel.exception.PortalException;
018    import com.liferay.portal.kernel.spring.osgi.OSGiBeanProperties;
019    import com.liferay.portal.model.Group;
020    import com.liferay.portal.model.User;
021    import com.liferay.portal.security.auth.PrincipalException;
022    import com.liferay.portal.security.permission.ActionKeys;
023    import com.liferay.portal.security.permission.BaseModelPermissionChecker;
024    import com.liferay.portal.security.permission.PermissionChecker;
025    import com.liferay.portal.service.GroupLocalServiceUtil;
026    import com.liferay.portal.service.UserLocalServiceUtil;
027    
/**
 * Authorization checks for {@link Group} resources.
 *
 * <p>
 * The {@code check} methods throw when permission is missing; the
 * {@code contains} methods answer with a boolean. All of them delegate the
 * primitive decision to the supplied {@link PermissionChecker}. Two defaults
 * are visible in this class and matter to anyone reviewing access control:
 * </p>
 *
 * <ul>
 * <li>
 * A group id that is not positive is denied without any lookup.
 * </li>
 * <li>
 * <code>MANAGE_SUBGROUPS</code> on any ancestor group grants every action on
 * its descendants.
 * </li>
 * </ul>
 *
 * @author Brian Wing Shun Chan
 * @author Raymond Augé
 */
@OSGiBeanProperties(
    property = {"model.class.name=com.liferay.portal.model.Group"}
)
public class GroupPermissionImpl
    implements BaseModelPermissionChecker, GroupPermission {

    /**
     * Requires that the checker holds the action on the given group.
     *
     * @param  permissionChecker the checker for the acting user
     * @param  group the group being accessed
     * @param  actionId the action being attempted
     * @throws PortalException a
     *         {@link PrincipalException.MustHavePermission} when
     *         {@link #contains(PermissionChecker, Group, String)} is
     *         <code>false</code>, or whatever that method itself throws
     */
    @Override
    public void check(
            PermissionChecker permissionChecker, Group group, String actionId)
        throws PortalException {

        if (contains(permissionChecker, group, actionId)) {
            return;
        }

        throw new PrincipalException.MustHavePermission(
            permissionChecker, Group.class.getName(), group.getGroupId(),
            actionId);
    }

    /**
     * Requires that the checker holds the action on the group with the given
     * id.
     *
     * @param  permissionChecker the checker for the acting user
     * @param  groupId the primary key of the group being accessed
     * @param  actionId the action being attempted
     * @throws PortalException a
     *         {@link PrincipalException.MustHavePermission} when
     *         {@link #contains(PermissionChecker, long, String)} is
     *         <code>false</code>, or whatever that method itself throws
     */
    @Override
    public void check(
            PermissionChecker permissionChecker, long groupId, String actionId)
        throws PortalException {

        if (contains(permissionChecker, groupId, actionId)) {
            return;
        }

        throw new PrincipalException.MustHavePermission(
            permissionChecker, Group.class.getName(), groupId, actionId);
    }

    /**
     * Requires that the checker holds the action on the group model resource
     * itself, with no specific group (group id and primary key are both
     * zero).
     *
     * @param  permissionChecker the checker for the acting user
     * @param  actionId the action being attempted
     * @throws PortalException a
     *         {@link PrincipalException.MustHavePermission} when
     *         {@link #contains(PermissionChecker, String)} is
     *         <code>false</code>
     */
    @Override
    public void check(PermissionChecker permissionChecker, String actionId)
        throws PortalException {

        if (contains(permissionChecker, actionId)) {
            return;
        }

        throw new PrincipalException.MustHavePermission(
            permissionChecker, Group.class.getName(), Long.valueOf(0),
            actionId);
    }

    /**
     * Checks a base model permission by treating the primary key as the group
     * id.
     *
     * <p>
     * The <code>groupId</code> argument is not consulted; only
     * <code>primaryKey</code> decides which group is checked.
     * </p>
     *
     * @param  permissionChecker the checker for the acting user
     * @param  groupId unused by this implementation
     * @param  primaryKey the primary key of the group being accessed
     * @param  actionId the action being attempted
     * @throws PortalException if the permission is missing or the lookup
     *         fails
     */
    @Override
    public void checkBaseModel(
            PermissionChecker permissionChecker, long groupId, long primaryKey,
            String actionId)
        throws PortalException {

        check(permissionChecker, primaryKey, actionId);
    }

    /**
     * Decides whether the checker may perform the action on the group.
     *
     * <p>
     * The decision is made in this order, and the first rule that applies
     * wins:
     * </p>
     *
     * <ol>
     * <li>
     * <code>ADD_LAYOUT</code> and <code>MANAGE_LAYOUTS</code> are denied
     * outright on a group that has a local or remote staging group, or that
     * is a layout prototype.
     * </li>
     * <li>
     * On a user group, someone other than that user who holds
     * <code>UPDATE</code> on the user is granted the action.
     * </li>
     * <li>
     * Certain actions are implied by a broader permission on the same group.
     * </li>
     * <li>
     * The action itself is checked on the group.
     * </li>
     * <li>
     * <code>MANAGE_SUBGROUPS</code> on any ancestor grants the action.
     * </li>
     * </ol>
     *
     * <p>
     * Permission lookups use the id of the group that was passed in, while
     * the user-group and ancestor rules use the live group when a staging
     * group was passed in.
     * </p>
     *
     * @param  permissionChecker the checker for the acting user
     * @param  group the group being accessed
     * @param  actionId the action being attempted
     * @return <code>true</code> if any rule grants the action;
     *         <code>false</code> otherwise
     * @throws PortalException if a group or user lookup fails
     */
    @Override
    public boolean contains(
            PermissionChecker permissionChecker, Group group, String actionId)
        throws PortalException {

        // NOTE(review): actionId is dereferenced without a null check, so a
        // null action fails with a NullPointerException rather than a denial
        // -- confirm callers never pass null.

        boolean layoutAction =
            actionId.equals(ActionKeys.ADD_LAYOUT) ||
            actionId.equals(ActionKeys.MANAGE_LAYOUTS);

        // Hard deny, evaluated before any grant can be reached

        if (layoutAction &&
            (group.hasLocalOrRemoteStagingGroup() ||
             group.isLayoutPrototype())) {

            return false;
        }

        // Captured before the staging swap below, so every hasPermission
        // lookup is keyed on the group that was actually passed in

        final long groupId = group.getGroupId();

        Group currentGroup = group;

        if (group.isStagingGroup()) {
            currentGroup = group.getLiveGroup();
        }

        if (currentGroup.isUser()) {

            // Per the original author's note, the owner is not expected to
            // get this far because owners administer their own layouts. The
            // branch exists for someone who manages organizations and edits
            // the pages of a user they manage. The grant is independent of
            // the requested action.

            User user = UserLocalServiceUtil.getUserById(
                currentGroup.getClassPK());

            boolean owner = permissionChecker.getUserId() == user.getUserId();

            if (!owner &&
                UserPermissionUtil.contains(
                    permissionChecker, user.getUserId(),
                    user.getOrganizationIds(), ActionKeys.UPDATE)) {

                return true;
            }
        }

        // Implied permissions: each action below is also granted by the
        // broader permission(s) listed with it

        if (actionId.equals(ActionKeys.ADD_COMMUNITY)) {
            if (_hasGroupPermission(
                    permissionChecker, groupId, ActionKeys.MANAGE_SUBGROUPS) ||
                PortalPermissionUtil.contains(
                    permissionChecker, ActionKeys.ADD_COMMUNITY)) {

                return true;
            }
        }

        if (actionId.equals(ActionKeys.ADD_LAYOUT)) {
            if (_hasGroupPermission(
                    permissionChecker, groupId, ActionKeys.MANAGE_LAYOUTS)) {

                return true;
            }
        }

        if (actionId.equals(ActionKeys.EXPORT_IMPORT_LAYOUTS) ||
            actionId.equals(ActionKeys.EXPORT_IMPORT_PORTLET_INFO)) {

            if (_hasGroupPermission(
                    permissionChecker, groupId, ActionKeys.PUBLISH_STAGING)) {

                return true;
            }
        }

        if (actionId.equals(ActionKeys.VIEW)) {
            if (_hasGroupPermission(
                    permissionChecker, groupId, ActionKeys.ASSIGN_USER_ROLES) ||
                _hasGroupPermission(
                    permissionChecker, groupId, ActionKeys.MANAGE_LAYOUTS)) {

                return true;
            }
        }

        if (actionId.equals(ActionKeys.VIEW_STAGING)) {
            if (_hasGroupPermission(
                    permissionChecker, groupId, ActionKeys.MANAGE_LAYOUTS) ||
                _hasGroupPermission(
                    permissionChecker, groupId, ActionKeys.MANAGE_STAGING) ||
                _hasGroupPermission(
                    permissionChecker, groupId, ActionKeys.PUBLISH_STAGING) ||
                _hasGroupPermission(
                    permissionChecker, groupId, ActionKeys.UPDATE)) {

                return true;
            }
        }

        // The group id is passed so that users can modify their personal
        // pages

        if (_hasGroupPermission(permissionChecker, groupId, actionId)) {
            return true;
        }

        // Inheritance: MANAGE_SUBGROUPS on any ancestor grants the requested
        // action, whatever it is. NOTE(review): the nested contains call
        // walks the ancestors of the parent as well, so a denied check on a
        // deep hierarchy repeats lookups; the traversal is kept exactly as
        // written.

        for (Group cursor = currentGroup; !cursor.isRoot();
             cursor = cursor.getParentGroup()) {

            if (contains(
                    permissionChecker, cursor.getParentGroupId(),
                    ActionKeys.MANAGE_SUBGROUPS)) {

                return true;
            }
        }

        return false;
    }

    /**
     * Decides whether the checker may perform the action on the group with
     * the given id.
     *
     * @param  permissionChecker the checker for the acting user
     * @param  groupId the primary key of the group being accessed
     * @param  actionId the action being attempted
     * @return <code>false</code> when <code>groupId</code> is zero or
     *         negative; otherwise the result of
     *         {@link #contains(PermissionChecker, Group, String)} for the
     *         group that was looked up
     * @throws PortalException if the group lookup or the delegated check
     *         fails
     */
    @Override
    public boolean contains(
            PermissionChecker permissionChecker, long groupId, String actionId)
        throws PortalException {

        // Deny by default: a non-positive id never reaches the lookup

        if (groupId <= 0) {
            return false;
        }

        return contains(
            permissionChecker, GroupLocalServiceUtil.getGroup(groupId),
            actionId);
    }

    /**
     * Decides whether the checker holds the action on the group model
     * resource with group id and primary key both zero.
     *
     * @param  permissionChecker the checker for the acting user
     * @param  actionId the action being attempted
     * @return the checker's answer
     */
    @Override
    public boolean contains(
        PermissionChecker permissionChecker, String actionId) {

        return permissionChecker.hasPermission(
            0, Group.class.getName(), 0, actionId);
    }

    /**
     * Asks the checker for an action on a group, using the group id as both
     * the scope and the primary key of the {@link Group} resource.
     */
    private boolean _hasGroupPermission(
        PermissionChecker permissionChecker, long groupId, String actionId) {

        return permissionChecker.hasPermission(
            groupId, Group.class.getName(), groupId, actionId);
    }

}