001    /**
002     * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.service.permission;
016    
017    import com.liferay.portal.kernel.exception.PortalException;
018    import com.liferay.portal.kernel.log.Log;
019    import com.liferay.portal.kernel.log.LogFactoryUtil;
020    import com.liferay.portal.kernel.spring.osgi.OSGiBeanProperties;
021    import com.liferay.portal.model.Contact;
022    import com.liferay.portal.model.Group;
023    import com.liferay.portal.model.Organization;
024    import com.liferay.portal.model.ResourceConstants;
025    import com.liferay.portal.model.RoleConstants;
026    import com.liferay.portal.model.User;
027    import com.liferay.portal.security.auth.PrincipalException;
028    import com.liferay.portal.security.permission.ActionKeys;
029    import com.liferay.portal.security.permission.BaseModelPermissionChecker;
030    import com.liferay.portal.security.permission.PermissionChecker;
031    import com.liferay.portal.service.OrganizationLocalServiceUtil;
032    import com.liferay.portal.service.UserGroupRoleLocalServiceUtil;
033    import com.liferay.portal.service.UserLocalServiceUtil;
034    import com.liferay.portal.util.PortalUtil;
035    
036    import java.util.List;
037    
/**
 * Decides whether the user behind a {@link PermissionChecker} may perform an
 * action on a {@link User}. The class is registered for the model class name
 * <code>com.liferay.portal.model.User</code>.
 *
 * <p>
 * Every <code>check</code> method delegates to a <code>contains</code> method
 * and throws {@link PrincipalException.MustHavePermission} when it returns
 * <code>false</code>. All decision logic lives in {@link
 * #contains(PermissionChecker, long, long[], String)}, which fails closed:
 * any exception raised while evaluating is logged and reported as "no
 * permission".
 * </p>
 *
 * @author Charles May
 * @author Jorge Ferrer
 */
@OSGiBeanProperties(
        property = {"model.class.name=com.liferay.portal.model.User"}
)
public class UserPermissionImpl
        implements BaseModelPermissionChecker, UserPermission {

        /**
         * Checks the action against a single organization/location pair by
         * wrapping both IDs in a two-element array and delegating.
         *
         * <p>
         * Both IDs are always placed in the array, whatever their value.
         * </p>
         *
         * @param      permissionChecker the checker for the acting user
         * @param      userId the primary key of the user being acted on
         * @param      organizationId the first organization ID to evaluate
         * @param      locationId the second organization ID to evaluate
         * @param      actionId the action key being requested
         * @throws     PrincipalException if the permission is not granted
         * @deprecated As of 6.2.0, replaced by {@link #check(PermissionChecker,
         *             long, long[], String)}
         */
        @Deprecated
        @Override
        public void check(
                        PermissionChecker permissionChecker, long userId,
                        long organizationId, long locationId, String actionId)
                throws PrincipalException {

                check(
                        permissionChecker, userId, new long[] {organizationId, locationId},
                        actionId);
        }

        /**
         * Throws unless {@link #contains(PermissionChecker, long, long[],
         * String)} grants the action.
         *
         * @param  permissionChecker the checker for the acting user
         * @param  userId the primary key of the user being acted on
         * @param  organizationIds the organizations to evaluate; see the caveat
         *         on <code>contains</code> about where these IDs come from
         * @param  actionId the action key being requested
         * @throws PrincipalException (as <code>MustHavePermission</code>) if
         *         <code>contains</code> returns <code>false</code>, which
         *         includes the case where evaluation itself failed
         */
        @Override
        public void check(
                        PermissionChecker permissionChecker, long userId,
                        long[] organizationIds, String actionId)
                throws PrincipalException {

                if (!contains(permissionChecker, userId, organizationIds, actionId)) {
                        throw new PrincipalException.MustHavePermission(
                                permissionChecker, User.class.getName(), userId, actionId);
                }
        }

        /**
         * Throws unless {@link #contains(PermissionChecker, long, String)}
         * grants the action. No organization IDs are supplied, so the target
         * user's own organization IDs are used for the organization step.
         *
         * @param  permissionChecker the checker for the acting user
         * @param  userId the primary key of the user being acted on
         * @param  actionId the action key being requested
         * @throws PrincipalException (as <code>MustHavePermission</code>) if
         *         the permission is not granted
         */
        @Override
        public void check(
                        PermissionChecker permissionChecker, long userId, String actionId)
                throws PrincipalException {

                if (!contains(permissionChecker, userId, actionId)) {
                        throw new PrincipalException.MustHavePermission(
                                permissionChecker, User.class.getName(), userId, actionId);
                }
        }

        /**
         * Generic model entry point: treats <code>primaryKey</code> as a user
         * ID, loads that user's organizations, and runs the array-based check
         * against their IDs.
         *
         * @param  permissionChecker the checker for the acting user
         * @param  groupId not read by this implementation
         * @param  primaryKey the primary key of the user being acted on
         * @param  actionId the action key being requested
         * @throws PortalException propagated from the organization lookup or
         *         from the check; a denial surfaces as
         *         <code>PrincipalException.MustHavePermission</code>
         */
        @Override
        public void checkBaseModel(
                        PermissionChecker permissionChecker, long groupId, long primaryKey,
                        String actionId)
                throws PortalException {

                // The organization IDs come from the service layer, not the caller.

                List<Organization> organizations =
                        OrganizationLocalServiceUtil.getUserOrganizations(primaryKey);

                long[] organizationsIds = new long[organizations.size()];

                for (int i = 0; i < organizations.size(); i++) {
                        Organization organization = organizations.get(i);

                        organizationsIds[i] = organization.getOrganizationId();
                }

                check(permissionChecker, primaryKey, organizationsIds, actionId);
        }

        /**
         * Evaluates the action against a single organization/location pair by
         * wrapping both IDs in a two-element array and delegating.
         *
         * @param      permissionChecker the checker for the acting user
         * @param      userId the primary key of the user being acted on
         * @param      organizationId the first organization ID to evaluate
         * @param      locationId the second organization ID to evaluate
         * @param      actionId the action key being requested
         * @return     <code>true</code> if the action is granted
         * @deprecated As of 6.2.0, replaced by {@link #contains(PermissionChecker,
         *             long, long[], String)}
         */
        @Deprecated
        @Override
        public boolean contains(
                PermissionChecker permissionChecker, long userId, long organizationId,
                long locationId, String actionId) {

                return contains(
                        permissionChecker, userId, new long[] {organizationId, locationId},
                        actionId);
        }

        /**
         * Returns whether the acting user may perform <code>actionId</code> on
         * the user identified by <code>userId</code>. The steps run in this
         * order, and the first one that decides wins:
         *
         * <ol>
         * <li>
         * If <code>userId</code> is not {@link ResourceConstants#PRIMKEY_DNE},
         * the target user is loaded. For <code>DELETE</code>,
         * <code>IMPERSONATE</code>, <code>PERMISSIONS</code>,
         * <code>UPDATE</code> and <code>VIEW</code> the action is denied when
         * the checker is not an omniadmin and the target either is an omniadmin
         * or is a company administrator while the checker is not. Other action
         * IDs skip this guard.
         * </li>
         * <li>
         * Still for a real <code>userId</code>: the action is granted if the
         * checker reports owner permission, or if the checker's user ID equals
         * <code>userId</code>. The self match does not look at
         * <code>actionId</code>.
         * </li>
         * <li>
         * The action is granted if the checker reports a direct permission on
         * the user resource.
         * </li>
         * <li>
         * If no target user was loaded, the action is denied.
         * </li>
         * <li>
         * For each organization ID: if the checker has
         * <code>MANAGE_USERS</code> on that organization, the action is granted
         * unless the role rules say to skip the organization (target is an
         * organization owner there, or target is an organization administrator
         * there and the checker is not an organization owner there).
         * </li>
         * <li>
         * Otherwise the action is denied.
         * </li>
         * </ol>
         *
         * <p>
         * <b>Security notes.</b> The organization IDs are used as given. The
         * loop does not verify that the target user belongs to them, so a
         * caller that forwards IDs from request input lets the requester pick
         * the organizations the decision is based on. Pass <code>null</code>
         * (the user's own organization IDs are then used) or IDs read from
         * stored membership. The role rules are applied per organization, and
         * the first organization that passes grants the action.
         * </p>
         *
         * <p>
         * Any exception, including a <code>NullPointerException</code> from a
         * <code>null</code> <code>actionId</code> or a failed lookup for one
         * organization ID, is logged at error level and ends evaluation with
         * <code>false</code>. Remaining organizations are not evaluated.
         * </p>
         *
         * @param  permissionChecker the checker for the acting user
         * @param  userId the primary key of the user being acted on, or
         *         {@link ResourceConstants#PRIMKEY_DNE}
         * @param  organizationIds the organizations to evaluate, or
         *         <code>null</code> to use the target user's organization IDs
         * @param  actionId the action key being requested
         * @return <code>true</code> if the action is granted; <code>false</code>
         *         if it is denied or evaluation failed
         */
        @Override
        public boolean contains(
                PermissionChecker permissionChecker, long userId,
                long[] organizationIds, String actionId) {

                try {
                        User user = null;

                        if (userId != ResourceConstants.PRIMKEY_DNE) {
                                user = UserLocalServiceUtil.getUserById(userId);

                                // Privilege guard, evaluated before any grant below: a
                                // less-privileged checker is denied the five listed
                                // actions on an omniadmin or company administrator.

                                if ((actionId.equals(ActionKeys.DELETE) ||
                                         actionId.equals(ActionKeys.IMPERSONATE) ||
                                         actionId.equals(ActionKeys.PERMISSIONS) ||
                                         actionId.equals(ActionKeys.UPDATE) ||
                                         actionId.equals(ActionKeys.VIEW)) &&
                                        !permissionChecker.isOmniadmin() &&
                                        (PortalUtil.isOmniadmin(user) ||
                                         (!permissionChecker.isCompanyAdmin() &&
                                          PortalUtil.isCompanyAdmin(user)))) {

                                        return false;
                                }

                                Contact contact = user.getContact();

                                // Owner permission or acting on one's own account. The
                                // self match grants whatever actionId was requested.
                                // NOTE(review): confirm that is intended for
                                // IMPERSONATE and PERMISSIONS.

                                if (permissionChecker.hasOwnerPermission(
                                                permissionChecker.getCompanyId(), User.class.getName(),
                                                userId, contact.getUserId(), actionId) ||
                                        (permissionChecker.getUserId() == userId)) {

                                        return true;
                                }
                        }

                        // Direct permission on the user resource. The leading 0 is
                        // presumably the group ID argument, meaning no group scope;
                        // confirm against PermissionChecker.

                        if (permissionChecker.hasPermission(
                                        0, User.class.getName(), userId, actionId)) {

                                return true;
                        }

                        // No concrete target user (PRIMKEY_DNE): nothing below applies.

                        if (user == null) {
                                return false;
                        }

                        // Only a null array falls back to the user's own memberships;
                        // a non-null array from the caller is trusted as is.

                        if (organizationIds == null) {
                                organizationIds = user.getOrganizationIds();
                        }

                        for (long organizationId : organizationIds) {
                                Organization organization =
                                        OrganizationLocalServiceUtil.getOrganization(
                                                organizationId);

                                // The organization step always tests MANAGE_USERS, not
                                // the requested actionId.

                                if (OrganizationPermissionUtil.contains(
                                                permissionChecker, organization,
                                                ActionKeys.MANAGE_USERS)) {

                                        if (permissionChecker.getUserId() == user.getUserId()) {
                                                return true;
                                        }

                                        Group organizationGroup = organization.getGroup();

                                        // Organization administrators can only manage normal users.
                                        // Owners can only manage normal users and administrators.
                                        // "continue" means this organization grants nothing;
                                        // a later organization can still grant the action.
                                        // The trailing "true" is presumably the inherit flag;
                                        // confirm against UserGroupRoleLocalServiceUtil.

                                        if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
                                                        user.getUserId(), organizationGroup.getGroupId(),
                                                        RoleConstants.ORGANIZATION_OWNER, true)) {

                                                continue;
                                        }
                                        else if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
                                                                user.getUserId(),
                                                                organizationGroup.getGroupId(),
                                                                RoleConstants.ORGANIZATION_ADMINISTRATOR,
                                                                true) &&
                                                         !UserGroupRoleLocalServiceUtil.hasUserGroupRole(
                                                                 permissionChecker.getUserId(),
                                                                organizationGroup.getGroupId(),
                                                                RoleConstants.ORGANIZATION_OWNER, true)) {

                                                continue;
                                        }

                                        return true;
                                }
                        }
                }
                catch (Exception e) {

                        // Fail closed: an error anywhere above is a denial. Callers
                        // cannot tell "denied" from "could not evaluate" except
                        // through this log entry.

                        _log.error(e, e);
                }

                return false;
        }

        /**
         * Returns whether the action is granted, using the target user's own
         * organization IDs for the organization step (passes <code>null</code>
         * as the organization IDs).
         *
         * @param  permissionChecker the checker for the acting user
         * @param  userId the primary key of the user being acted on
         * @param  actionId the action key being requested
         * @return <code>true</code> if the action is granted
         */
        @Override
        public boolean contains(
                PermissionChecker permissionChecker, long userId, String actionId) {

                return contains(permissionChecker, userId, null, actionId);
        }

        // Receives the exceptions swallowed by the array-based contains method.

        private static final Log _log = LogFactoryUtil.getLog(
                UserPermissionImpl.class);

}