001
014
015 package com.liferay.portal.security.permission;
016
017 import com.liferay.portal.kernel.dao.orm.QueryUtil;
018 import com.liferay.portal.kernel.exception.PortalException;
019 import com.liferay.portal.kernel.log.Log;
020 import com.liferay.portal.kernel.log.LogFactoryUtil;
021 import com.liferay.portal.kernel.security.permission.ActionKeys;
022 import com.liferay.portal.kernel.security.permission.PermissionChecker;
023 import com.liferay.portal.kernel.security.permission.ResourceActionsUtil;
024 import com.liferay.portal.kernel.security.permission.ResourceBlockIdsBag;
025 import com.liferay.portal.kernel.security.permission.UserBag;
026 import com.liferay.portal.kernel.security.permission.UserBagFactoryUtil;
027 import com.liferay.portal.kernel.util.ArrayUtil;
028 import com.liferay.portal.kernel.util.CharPool;
029 import com.liferay.portal.kernel.util.GetterUtil;
030 import com.liferay.portal.kernel.util.ListUtil;
031 import com.liferay.portal.kernel.util.SetUtil;
032 import com.liferay.portal.kernel.util.Validator;
033 import com.liferay.portal.model.Group;
034 import com.liferay.portal.model.GroupConstants;
035 import com.liferay.portal.model.GroupedModel;
036 import com.liferay.portal.model.Layout;
037 import com.liferay.portal.model.Organization;
038 import com.liferay.portal.model.OrganizationConstants;
039 import com.liferay.portal.model.PermissionedModel;
040 import com.liferay.portal.model.PortletConstants;
041 import com.liferay.portal.model.Resource;
042 import com.liferay.portal.model.ResourceBlockConstants;
043 import com.liferay.portal.model.ResourceConstants;
044 import com.liferay.portal.model.Role;
045 import com.liferay.portal.model.RoleConstants;
046 import com.liferay.portal.model.Team;
047 import com.liferay.portal.model.User;
048 import com.liferay.portal.service.GroupLocalServiceUtil;
049 import com.liferay.portal.service.LayoutLocalServiceUtil;
050 import com.liferay.portal.service.OrganizationLocalServiceUtil;
051 import com.liferay.portal.service.ResourceBlockLocalServiceUtil;
052 import com.liferay.portal.service.ResourceLocalServiceUtil;
053 import com.liferay.portal.service.ResourcePermissionLocalServiceUtil;
054 import com.liferay.portal.service.RoleLocalServiceUtil;
055 import com.liferay.portal.service.TeamLocalServiceUtil;
056 import com.liferay.portal.service.UserGroupRoleLocalServiceUtil;
057 import com.liferay.portal.service.UserLocalServiceUtil;
058 import com.liferay.portal.service.permission.LayoutPrototypePermissionUtil;
059 import com.liferay.portal.service.permission.LayoutSetPrototypePermissionUtil;
060 import com.liferay.portal.service.permission.PortletPermissionUtil;
061
062 import java.util.ArrayList;
063 import java.util.Arrays;
064 import java.util.Collections;
065 import java.util.LinkedHashMap;
066 import java.util.List;
067 import java.util.Set;
068
069 import org.apache.commons.lang.time.StopWatch;
070
071
078 public class AdvancedPermissionChecker extends BasePermissionChecker {
079
080 @Override
081 public AdvancedPermissionChecker clone() {
082 return new AdvancedPermissionChecker();
083 }
084
085 public ResourceBlockIdsBag getGuestResourceBlockIdsBag(
086 long companyId, long groupId, String name)
087 throws Exception {
088
089 ResourceBlockIdsBag resourceBlockIdsBag =
090 PermissionCacheUtil.getResourceBlockIdsBag(
091 companyId, groupId, defaultUserId, name);
092
093 if (resourceBlockIdsBag != null) {
094 return resourceBlockIdsBag;
095 }
096
097 try {
098 resourceBlockIdsBag =
099 ResourceBlockLocalServiceUtil.getResourceBlockIdsBag(
100 getCompanyId(), groupId, name, getGuestUserRoleIds());
101
102 PermissionCacheUtil.putResourceBlockIdsBag(
103 companyId, groupId, defaultUserId, name, resourceBlockIdsBag);
104
105 return resourceBlockIdsBag;
106 }
107 catch (Exception e) {
108 PermissionCacheUtil.removeResourceBlockIdsBag(
109 getCompanyId(), groupId, defaultUserId, name);
110
111 throw e;
112 }
113 }
114
115
121 public long[] getGuestUserRoleIds() throws Exception {
122 Group guestGroup = GroupLocalServiceUtil.getGroup(
123 getCompanyId(), GroupConstants.GUEST);
124
125 long[] roleIds = PermissionCacheUtil.getUserGroupRoleIds(
126 defaultUserId, guestGroup.getGroupId());
127
128 if (roleIds != null) {
129 return roleIds;
130 }
131
132 try {
133 List<Role> roles = RoleLocalServiceUtil.getUserRelatedRoles(
134 defaultUserId, Collections.singletonList(guestGroup));
135
136
137
138
139
140
141 roleIds = ListUtil.toLongArray(roles, Role.ROLE_ID_ACCESSOR);
142
143 Arrays.sort(roleIds);
144
145 PermissionCacheUtil.putUserGroupRoleIds(
146 defaultUserId, guestGroup.getGroupId(), roleIds);
147 }
148 catch (Exception e) {
149 PermissionCacheUtil.removeUserGroupRoleIds(
150 defaultUserId, guestGroup.getGroupId());
151
152 throw e;
153 }
154
155 return roleIds;
156 }
157
158 @Override
159 public List<Long> getOwnerResourceBlockIds(
160 long companyId, long groupId, String name, String actionId) {
161
162 try {
163 ResourceBlockIdsBag resourceBlockIdsBag =
164 getOwnerResourceBlockIdsBag(companyId, groupId, name);
165
166 return ResourceBlockLocalServiceUtil.getResourceBlockIds(
167 resourceBlockIdsBag, name, actionId);
168 }
169 catch (Exception e) {
170 if (_log.isDebugEnabled()) {
171 _log.debug(e, e);
172 }
173 }
174
175 return Collections.emptyList();
176 }
177
178 public ResourceBlockIdsBag getOwnerResourceBlockIdsBag(
179 long companyId, long groupId, String name) {
180
181 ResourceBlockIdsBag resourceBlockIdsBag =
182 PermissionCacheUtil.getResourceBlockIdsBag(
183 companyId, groupId, ResourceBlockConstants.OWNER_USER_ID, name);
184
185 if (resourceBlockIdsBag != null) {
186 return resourceBlockIdsBag;
187 }
188
189 try {
190 long[] roleIds = {getOwnerRoleId()};
191
192 resourceBlockIdsBag =
193 ResourceBlockLocalServiceUtil.getResourceBlockIdsBag(
194 getCompanyId(), groupId, name, roleIds);
195
196 PermissionCacheUtil.putResourceBlockIdsBag(
197 companyId, groupId, ResourceBlockConstants.OWNER_USER_ID, name,
198 resourceBlockIdsBag);
199
200 return resourceBlockIdsBag;
201 }
202 catch (Exception e) {
203 PermissionCacheUtil.removeResourceBlockIdsBag(
204 companyId, groupId, ResourceBlockConstants.OWNER_USER_ID, name);
205
206 throw e;
207 }
208 }
209
210 @Override
211 public List<Long> getResourceBlockIds(
212 long companyId, long groupId, long userId, String name,
213 String actionId) {
214
215 try {
216 ResourceBlockIdsBag resourceBlockIdsBag = getResourceBlockIdsBag(
217 companyId, groupId, userId, name);
218
219 return ResourceBlockLocalServiceUtil.getResourceBlockIds(
220 resourceBlockIdsBag, name, actionId);
221 }
222 catch (Exception e) {
223 if (_log.isDebugEnabled()) {
224 _log.debug(e, e);
225 }
226 }
227
228 return Collections.emptyList();
229 }
230
231 public ResourceBlockIdsBag getResourceBlockIdsBag(
232 long companyId, long groupId, long userId, String name)
233 throws Exception {
234
235 ResourceBlockIdsBag resourceBlockIdsBag =
236 PermissionCacheUtil.getResourceBlockIdsBag(
237 companyId, groupId, userId, name);
238
239 if (resourceBlockIdsBag != null) {
240 return resourceBlockIdsBag;
241 }
242
243 try {
244 long[] roleIds = getRoleIds(userId, groupId);
245
246 resourceBlockIdsBag =
247 ResourceBlockLocalServiceUtil.getResourceBlockIdsBag(
248 getCompanyId(), groupId, name, roleIds);
249
250 PermissionCacheUtil.putResourceBlockIdsBag(
251 companyId, groupId, userId, name, resourceBlockIdsBag);
252
253 return resourceBlockIdsBag;
254 }
255 catch (Exception e) {
256 PermissionCacheUtil.removeResourceBlockIdsBag(
257 companyId, groupId, userId, name);
258
259 throw e;
260 }
261 }
262
263 @Override
264 public long[] getRoleIds(long userId, long groupId) {
265 long[] roleIds = null;
266
267 try {
268 roleIds = doGetRoleIds(userId, groupId);
269 }
270 catch (Exception e) {
271 if (_log.isDebugEnabled()) {
272 _log.debug(e, e);
273 }
274
275 return PermissionChecker.DEFAULT_ROLE_IDS;
276 }
277
278 if (!checkGuest) {
279 return roleIds;
280 }
281
282 Set<Long> roleIdsSet = SetUtil.fromArray(roleIds);
283
284 try {
285 for (long roleId : getGuestUserRoleIds()) {
286 roleIdsSet.add(roleId);
287 }
288 }
289 catch (Exception e) {
290 if (_log.isDebugEnabled()) {
291 _log.debug(e, e);
292 }
293 }
294
295 return ArrayUtil.toArray(
296 roleIdsSet.toArray(new Long[roleIdsSet.size()]));
297 }
298
299 @Override
300 public UserBag getUserBag() throws PortalException {
301 return UserBagFactoryUtil.create(getUserId());
302 }
303
304 @Override
305 public boolean hasOwnerPermission(
306 long companyId, String name, String primKey, long ownerId,
307 String actionId) {
308
309 if (ownerId != getUserId()) {
310 return false;
311 }
312
313 if (ownerId == defaultUserId) {
314 if (actionId.equals(ActionKeys.VIEW)) {
315 return true;
316 }
317 else {
318 return false;
319 }
320 }
321
322 try {
323 if (ResourceBlockLocalServiceUtil.isSupported(name)) {
324 PermissionedModel permissionedModel =
325 ResourceBlockLocalServiceUtil.getPermissionedModel(
326 name, GetterUtil.getLong(primKey));
327
328 long groupId = 0;
329
330 if (permissionedModel instanceof GroupedModel) {
331 GroupedModel groupedModel = (GroupedModel)permissionedModel;
332
333 groupId = groupedModel.getGroupId();
334 }
335
336 ResourceBlockIdsBag resourceBlockIdsBag =
337 getOwnerResourceBlockIdsBag(companyId, groupId, name);
338
339 return ResourceBlockLocalServiceUtil.hasPermission(
340 name, permissionedModel, actionId, resourceBlockIdsBag);
341 }
342
343 return ResourcePermissionLocalServiceUtil.hasResourcePermission(
344 companyId, name, ResourceConstants.SCOPE_INDIVIDUAL, primKey,
345 getOwnerRoleId(), actionId);
346 }
347 catch (Exception e) {
348 if (_log.isDebugEnabled()) {
349 _log.debug(e, e);
350 }
351 }
352
353 return false;
354 }
355
356 @Override
357 public boolean hasPermission(
358 long groupId, String name, String primKey, String actionId) {
359
360 StopWatch stopWatch = new StopWatch();
361
362 stopWatch.start();
363
364 Group group = null;
365
366 try {
367 if (groupId > 0) {
368 group = GroupLocalServiceUtil.getGroup(groupId);
369
370
371
372
373 if (group.isLayout() &&
374 !ResourceBlockLocalServiceUtil.isSupported(name)) {
375
376 Layout layout = LayoutLocalServiceUtil.getLayout(
377 group.getClassPK());
378
379 groupId = layout.getGroupId();
380
381 group = GroupLocalServiceUtil.getGroup(groupId);
382 }
383
384
385
386
387 if (group.isUser() && (group.getClassPK() == getUserId())) {
388 group = GroupLocalServiceUtil.getGroup(
389 getCompanyId(), GroupConstants.USER_PERSONAL_SITE);
390
391 groupId = group.getGroupId();
392 }
393 }
394 }
395 catch (Exception e) {
396 _log.error(e, e);
397 }
398
399 Boolean value = PermissionCacheUtil.getPermission(
400 user.getUserId(), signedIn, groupId, name, primKey, actionId);
401
402 if (value != null) {
403 return value;
404 }
405
406 try {
407 value = hasPermissionImpl(groupId, name, primKey, actionId);
408
409 if (_log.isDebugEnabled()) {
410 _log.debug(
411 "Checking permission for " + groupId + " " + name +
412 " " + primKey + " " + actionId + " takes " +
413 stopWatch.getTime() + " ms");
414 }
415
416 PermissionCacheUtil.putPermission(
417 user.getUserId(), signedIn, groupId, name, primKey, actionId,
418 value);
419 }
420 catch (Exception e) {
421 PermissionCacheUtil.removePermission(
422 user.getUserId(), signedIn, groupId, name, primKey, actionId);
423
424 throw e;
425 }
426
427 return value;
428 }
429
430 @Override
431 public boolean hasUserPermission(
432 long groupId, String name, String primKey, String actionId,
433 boolean checkAdmin) {
434
435 try {
436 return hasUserPermissionImpl(
437 groupId, name, primKey, actionId, checkAdmin);
438 }
439 catch (Exception e) {
440 _log.error(e, e);
441
442 return false;
443 }
444 }
445
446 @Override
447 public boolean isCompanyAdmin() {
448 try {
449 return isCompanyAdminImpl(user.getCompanyId());
450 }
451 catch (Exception e) {
452 _log.error(e, e);
453
454 return false;
455 }
456 }
457
458 @Override
459 public boolean isCompanyAdmin(long companyId) {
460 try {
461 return isCompanyAdminImpl(companyId);
462 }
463 catch (Exception e) {
464 _log.error(e, e);
465
466 return false;
467 }
468 }
469
470 @Override
471 public boolean isContentReviewer(long companyId, long groupId) {
472 try {
473 return isContentReviewerImpl(companyId, groupId);
474 }
475 catch (Exception e) {
476 _log.error(e, e);
477 }
478
479 return false;
480 }
481
482 @Override
483 public boolean isGroupAdmin(long groupId) {
484 try {
485 return isGroupAdminImpl(groupId);
486 }
487 catch (Exception e) {
488 _log.error(e, e);
489
490 return false;
491 }
492 }
493
494 @Override
495 public boolean isGroupMember(long groupId) {
496 try {
497 return isGroupMemberImpl(groupId);
498 }
499 catch (Exception e) {
500 _log.error(e, e);
501
502 return false;
503 }
504 }
505
506 @Override
507 public boolean isGroupOwner(long groupId) {
508 try {
509 return isGroupOwnerImpl(groupId);
510 }
511 catch (Exception e) {
512 _log.error(e, e);
513
514 return false;
515 }
516 }
517
518 @Override
519 public boolean isOrganizationAdmin(long organizationId) {
520 try {
521 return isOrganizationAdminImpl(organizationId);
522 }
523 catch (Exception e) {
524 _log.error(e, e);
525
526 return false;
527 }
528 }
529
530 @Override
531 public boolean isOrganizationOwner(long organizationId) {
532 try {
533 return isOrganizationOwnerImpl(organizationId);
534 }
535 catch (Exception e) {
536 _log.error(e, e);
537
538 return false;
539 }
540 }
541
542 protected void addTeamRoles(long userId, Group group, Set<Long> roleIds)
543 throws Exception {
544
545 List<Team> userTeams = TeamLocalServiceUtil.getUserTeams(
546 userId, group.getGroupId());
547
548 for (Team team : userTeams) {
549 Role role = RoleLocalServiceUtil.getTeamRole(
550 team.getCompanyId(), team.getTeamId());
551
552 roleIds.add(role.getRoleId());
553 }
554
555 LinkedHashMap<String, Object> teamParams = new LinkedHashMap<>();
556
557 teamParams.put("usersUserGroups", userId);
558
559 List<Team> userGroupTeams = TeamLocalServiceUtil.search(
560 group.getGroupId(), null, null, teamParams, QueryUtil.ALL_POS,
561 QueryUtil.ALL_POS, null);
562
563 for (Team team : userGroupTeams) {
564 Role role = RoleLocalServiceUtil.getTeamRole(
565 team.getCompanyId(), team.getTeamId());
566
567 roleIds.add(role.getRoleId());
568 }
569 }
570
571 protected boolean doCheckPermission(
572 long companyId, long groupId, String name, String primKey,
573 String actionId, StopWatch stopWatch)
574 throws Exception {
575
576 logHasUserPermission(groupId, name, primKey, actionId, stopWatch, 1);
577
578 if (ResourceBlockLocalServiceUtil.isSupported(name)) {
579 ResourceBlockIdsBag resourceBlockIdsBag = getResourceBlockIdsBag(
580 companyId, groupId, getUserId(), name);
581
582 boolean value = ResourceBlockLocalServiceUtil.hasPermission(
583 name, GetterUtil.getLong(primKey), actionId,
584 resourceBlockIdsBag);
585
586 logHasUserPermission(
587 groupId, name, primKey, actionId, stopWatch, 2);
588
589 return value;
590 }
591
592 List<Resource> resources = getResources(
593 companyId, groupId, name, primKey, actionId);
594
595 logHasUserPermission(groupId, name, primKey, actionId, stopWatch, 3);
596
597
598
599
600
601
602 boolean value = ResourceLocalServiceUtil.hasUserPermissions(
603 user.getUserId(), groupId, resources, actionId,
604 doGetRoleIds(user.getUserId(), groupId));
605
606 logHasUserPermission(groupId, name, primKey, actionId, stopWatch, 4);
607
608 return value;
609 }
610
611 protected long[] doGetRoleIds(long userId, long groupId) throws Exception {
612 long[] roleIds = PermissionCacheUtil.getUserGroupRoleIds(
613 userId, groupId);
614
615 if (roleIds != null) {
616 return roleIds;
617 }
618
619 try {
620 Group group = null;
621
622 long parentGroupId = 0;
623
624 if (groupId > 0) {
625 group = GroupLocalServiceUtil.getGroup(groupId);
626
627 if (group.isLayout()) {
628 parentGroupId = group.getParentGroupId();
629
630 if (parentGroupId > 0) {
631 group = GroupLocalServiceUtil.getGroup(parentGroupId);
632 }
633 }
634 }
635
636 UserBag userBag = getUserBag();
637
638 Set<Long> roleIdsSet = SetUtil.fromArray(userBag.getRoleIds());
639
640 List<Role> userGroupRoles = RoleLocalServiceUtil.getUserGroupRoles(
641 userId, groupId);
642
643 for (Role userGroupRole : userGroupRoles) {
644 roleIdsSet.add(userGroupRole.getRoleId());
645 }
646
647 if (parentGroupId > 0) {
648 userGroupRoles = RoleLocalServiceUtil.getUserGroupRoles(
649 userId, parentGroupId);
650
651 for (Role userGroupRole : userGroupRoles) {
652 roleIdsSet.add(userGroupRole.getRoleId());
653 }
654 }
655
656 List<Role> userGroupGroupRoles =
657 RoleLocalServiceUtil.getUserGroupGroupRoles(userId, groupId);
658
659 for (Role userGroupGroupRole : userGroupGroupRoles) {
660 roleIdsSet.add(userGroupGroupRole.getRoleId());
661 }
662
663 if (parentGroupId > 0) {
664 userGroupGroupRoles =
665 RoleLocalServiceUtil.getUserGroupGroupRoles(
666 userId, parentGroupId);
667
668 for (Role userGroupGroupRole : userGroupGroupRoles) {
669 roleIdsSet.add(userGroupGroupRole.getRoleId());
670 }
671 }
672
673 if (group != null) {
674 if (group.isOrganization() && userBag.hasUserOrgGroup(group)) {
675 Role organizationUserRole = RoleLocalServiceUtil.getRole(
676 group.getCompanyId(), RoleConstants.ORGANIZATION_USER);
677
678 roleIdsSet.add(organizationUserRole.getRoleId());
679 }
680
681 if ((group.isSite() &&
682 (userBag.hasUserGroup(group) ||
683 userBag.hasUserOrgGroup(group))) ||
684 group.isUserPersonalSite()) {
685
686 Role siteMemberRole = RoleLocalServiceUtil.getRole(
687 group.getCompanyId(), RoleConstants.SITE_MEMBER);
688
689 roleIdsSet.add(siteMemberRole.getRoleId());
690 }
691
692 if ((group.isOrganization() &&
693 userBag.hasUserOrgGroup(group)) ||
694 (group.isSite() && userBag.hasUserGroup(group))) {
695
696 addTeamRoles(userId, group, roleIdsSet);
697 }
698 }
699
700 roleIds = ArrayUtil.toLongArray(roleIdsSet);
701
702 Arrays.sort(roleIds);
703
704 PermissionCacheUtil.putUserGroupRoleIds(userId, groupId, roleIds);
705
706 return roleIds;
707 }
708 catch (Exception e) {
709 PermissionCacheUtil.removeUserGroupRoleIds(userId, groupId);
710
711 throw e;
712 }
713 }
714
715
737 protected List<Resource> getResources(
738 long companyId, long groupId, String name, String primKey,
739 String actionId)
740 throws Exception {
741
742
743
744 List<Resource> resources = new ArrayList<>(4);
745
746 Resource individualResource = ResourceLocalServiceUtil.getResource(
747 companyId, name, ResourceConstants.SCOPE_INDIVIDUAL, primKey);
748
749 resources.add(individualResource);
750
751
752
753 if (groupId > 0) {
754 Resource groupResource = ResourceLocalServiceUtil.getResource(
755 companyId, name, ResourceConstants.SCOPE_GROUP,
756 String.valueOf(groupId));
757
758 resources.add(groupResource);
759 }
760
761
762
763 if (signedIn && (groupId > 0)) {
764 Resource groupTemplateResource =
765 ResourceLocalServiceUtil.getResource(
766 companyId, name, ResourceConstants.SCOPE_GROUP_TEMPLATE,
767 String.valueOf(GroupConstants.DEFAULT_PARENT_GROUP_ID));
768
769 resources.add(groupTemplateResource);
770 }
771
772
773
774 Resource companyResource = ResourceLocalServiceUtil.getResource(
775 companyId, name, ResourceConstants.SCOPE_COMPANY,
776 String.valueOf(companyId));
777
778 resources.add(companyResource);
779
780 return resources;
781 }
782
783 protected boolean hasGuestPermission(
784 long groupId, String name, String primKey, String actionId)
785 throws Exception {
786
787 try {
788 ResourceActionsUtil.checkAction(name, actionId);
789 }
790 catch (Exception e) {
791 if (_log.isDebugEnabled()) {
792 _log.debug(
793 "Guest does not have permission to " + actionId + " on " +
794 name + " with primary key " + primKey);
795 }
796
797 return false;
798 }
799
800 if (name.indexOf(CharPool.PERIOD) != -1) {
801
802
803
804 List<String> actions =
805 ResourceActionsUtil.getModelResourceGuestUnsupportedActions(
806 name);
807
808 if (actions.contains(actionId)) {
809 return false;
810 }
811 }
812 else {
813
814
815
816 List<String> actions =
817 ResourceActionsUtil.getPortletResourceGuestUnsupportedActions(
818 name);
819
820 if (actions.contains(actionId)) {
821 return false;
822 }
823 }
824
825 long companyId = user.getCompanyId();
826
827 List<Resource> resources = getResources(
828 companyId, groupId, name, primKey, actionId);
829
830 try {
831 if (ResourceBlockLocalServiceUtil.isSupported(name)) {
832 ResourceBlockIdsBag resourceBlockIdsBag =
833 getGuestResourceBlockIdsBag(companyId, groupId, name);
834
835 return ResourceBlockLocalServiceUtil.hasPermission(
836 name, GetterUtil.getLong(primKey), actionId,
837 resourceBlockIdsBag);
838 }
839
840 return ResourceLocalServiceUtil.hasUserPermissions(
841 defaultUserId, groupId, resources, actionId,
842 getGuestUserRoleIds());
843 }
844 catch (Exception e) {
845 _log.error(e, e);
846
847 return false;
848 }
849 }
850
851 protected boolean hasPermissionImpl(
852 long groupId, String name, String primKey, String actionId) {
853
854 try {
855 if (!signedIn) {
856 return hasGuestPermission(groupId, name, primKey, actionId);
857 }
858
859 if (ResourceBlockLocalServiceUtil.isSupported(name)) {
860
861
862
863
864
865 return hasUserPermission(
866 groupId, name, primKey, actionId, true);
867 }
868
869 boolean value = false;
870
871 if (checkGuest) {
872 value = hasGuestPermission(groupId, name, primKey, actionId);
873 }
874
875 if (!value) {
876 value = hasUserPermission(
877 groupId, name, primKey, actionId, true);
878 }
879
880 return value;
881 }
882 catch (Exception e) {
883 _log.error(e, e);
884
885 return false;
886 }
887 }
888
889 protected boolean hasUserPermissionImpl(
890 long groupId, String name, String primKey, String actionId,
891 boolean checkAdmin)
892 throws Exception {
893
894 StopWatch stopWatch = new StopWatch();
895
896 stopWatch.start();
897
898 long companyId = user.getCompanyId();
899
900 if (groupId > 0) {
901 Group group = GroupLocalServiceUtil.getGroup(groupId);
902
903 companyId = group.getCompanyId();
904 }
905 else if (name.equals(User.class.getName())) {
906 User user = UserLocalServiceUtil.fetchUser(
907 GetterUtil.getLong(primKey));
908
909 if (user != null) {
910 companyId = user.getCompanyId();
911 }
912 }
913
914 boolean hasLayoutManagerPermission = true;
915
916
917
918
919 if (Validator.isNotNull(name) && Validator.isNotNull(primKey) &&
920 primKey.contains(PortletConstants.LAYOUT_SEPARATOR)) {
921
922 hasLayoutManagerPermission =
923 PortletPermissionUtil.hasLayoutManagerPermission(
924 name, actionId);
925 }
926
927 if (checkAdmin) {
928 if (isCompanyAdminImpl(companyId)) {
929 return true;
930 }
931
932 if (name.equals(Organization.class.getName())) {
933 if (isOrganizationAdminImpl(GetterUtil.getLong(primKey))) {
934 return true;
935 }
936 }
937 else if (isGroupAdminImpl(groupId) && hasLayoutManagerPermission) {
938 return true;
939 }
940 }
941
942 return doCheckPermission(
943 companyId, groupId, name, primKey, actionId, stopWatch);
944 }
945
946 protected boolean isCompanyAdminImpl(long companyId) throws Exception {
947 if (!signedIn) {
948 return false;
949 }
950
951 if (isOmniadmin()) {
952 return true;
953 }
954
955 Boolean value = PermissionCacheUtil.getUserPrimaryKeyRole(
956 getUserId(), companyId, RoleConstants.ADMINISTRATOR);
957
958 try {
959 if (value == null) {
960 value = RoleLocalServiceUtil.hasUserRole(
961 user.getUserId(), companyId, RoleConstants.ADMINISTRATOR,
962 true);
963
964 PermissionCacheUtil.putUserPrimaryKeyRole(
965 getUserId(), companyId, RoleConstants.ADMINISTRATOR, value);
966 }
967 }
968 catch (Exception e) {
969 PermissionCacheUtil.removeUserPrimaryKeyRole(
970 getUserId(), companyId, RoleConstants.ADMINISTRATOR);
971
972 throw e;
973 }
974
975 return value;
976 }
977
978 protected boolean isContentReviewerImpl(long groupId)
979 throws PortalException {
980
981 if (isCompanyAdmin() || isGroupAdmin(groupId)) {
982 return true;
983 }
984
985 Group group = GroupLocalServiceUtil.getGroup(groupId);
986
987 if (RoleLocalServiceUtil.hasUserRole(
988 getUserId(), group.getCompanyId(),
989 RoleConstants.PORTAL_CONTENT_REVIEWER, true)) {
990
991 return true;
992 }
993
994 if (group.isSite()) {
995 if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
996 getUserId(), groupId, RoleConstants.SITE_CONTENT_REVIEWER,
997 true)) {
998
999 return true;
1000 }
1001 }
1002
1003 return false;
1004 }
1005
1006 protected boolean isContentReviewerImpl(long companyId, long groupId)
1007 throws Exception {
1008
1009 if (!signedIn) {
1010 return false;
1011 }
1012
1013 if (isOmniadmin()) {
1014 return true;
1015 }
1016
1017 if (isCompanyAdmin(companyId)) {
1018 return true;
1019 }
1020
1021 if (groupId <= 0) {
1022 return false;
1023 }
1024
1025 if (isGroupAdmin(groupId)) {
1026 return true;
1027 }
1028
1029 Boolean value = PermissionCacheUtil.getUserPrimaryKeyRole(
1030 getUserId(), groupId, RoleConstants.SITE_CONTENT_REVIEWER);
1031
1032 try {
1033 if (value == null) {
1034 value = isContentReviewerImpl(groupId);
1035
1036 PermissionCacheUtil.putUserPrimaryKeyRole(
1037 getUserId(), groupId, RoleConstants.SITE_CONTENT_REVIEWER,
1038 value);
1039 }
1040 }
1041 catch (Exception e) {
1042 PermissionCacheUtil.removeUserPrimaryKeyRole(
1043 getUserId(), groupId, RoleConstants.SITE_CONTENT_REVIEWER);
1044
1045 throw e;
1046 }
1047
1048 return value;
1049 }
1050
1051 protected boolean isGroupAdminImpl(Group group) throws Exception {
1052 if (group.isLayout()) {
1053 long parentGroupId = group.getParentGroupId();
1054
1055 if (parentGroupId == GroupConstants.DEFAULT_PARENT_GROUP_ID) {
1056 return false;
1057 }
1058
1059 group = GroupLocalServiceUtil.getGroup(parentGroupId);
1060 }
1061
1062 if (group.isSite()) {
1063 if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1064 getUserId(), group.getGroupId(),
1065 RoleConstants.SITE_ADMINISTRATOR, true) ||
1066 UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1067 getUserId(), group.getGroupId(), RoleConstants.SITE_OWNER,
1068 true)) {
1069
1070 return true;
1071 }
1072
1073 StopWatch stopWatch = new StopWatch();
1074
1075 stopWatch.start();
1076
1077 while (!group.isRoot()) {
1078 Group parentGroup = group.getParentGroup();
1079
1080 if (doCheckPermission(
1081 parentGroup.getCompanyId(), parentGroup.getGroupId(),
1082 Group.class.getName(),
1083 String.valueOf(parentGroup.getGroupId()),
1084 ActionKeys.MANAGE_SUBGROUPS, stopWatch)) {
1085
1086 return true;
1087 }
1088
1089 group = parentGroup;
1090 }
1091 }
1092
1093 if (group.isCompany()) {
1094 if (isCompanyAdmin()) {
1095 return true;
1096 }
1097 else {
1098 return false;
1099 }
1100 }
1101 else if (group.isLayoutPrototype()) {
1102 if (LayoutPrototypePermissionUtil.contains(
1103 this, group.getClassPK(), ActionKeys.UPDATE)) {
1104
1105 return true;
1106 }
1107 else {
1108 return false;
1109 }
1110 }
1111 else if (group.isLayoutSetPrototype()) {
1112 if (LayoutSetPrototypePermissionUtil.contains(
1113 this, group.getClassPK(), ActionKeys.UPDATE)) {
1114
1115 return true;
1116 }
1117 else {
1118 return false;
1119 }
1120 }
1121 else if (group.isOrganization()) {
1122 long organizationId = group.getOrganizationId();
1123
1124 while (organizationId !=
1125 OrganizationConstants.DEFAULT_PARENT_ORGANIZATION_ID) {
1126
1127 Organization organization =
1128 OrganizationLocalServiceUtil.getOrganization(
1129 organizationId);
1130
1131 long organizationGroupId = organization.getGroupId();
1132
1133 if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1134 getUserId(), organizationGroupId,
1135 RoleConstants.ORGANIZATION_ADMINISTRATOR, true) ||
1136 UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1137 getUserId(), organizationGroupId,
1138 RoleConstants.ORGANIZATION_OWNER, true)) {
1139
1140 return true;
1141 }
1142
1143 organizationId = organization.getParentOrganizationId();
1144 }
1145
1146 StopWatch stopWatch = new StopWatch();
1147
1148 stopWatch.start();
1149
1150 Organization organization =
1151 OrganizationLocalServiceUtil.getOrganization(
1152 group.getOrganizationId());
1153
1154 while (!organization.isRoot()) {
1155 Organization parentOrganization =
1156 organization.getParentOrganization();
1157
1158 Group parentGroup = parentOrganization.getGroup();
1159
1160 if (doCheckPermission(
1161 parentGroup.getCompanyId(), parentGroup.getGroupId(),
1162 Organization.class.getName(),
1163 String.valueOf(parentOrganization.getOrganizationId()),
1164 ActionKeys.MANAGE_SUBORGANIZATIONS, stopWatch)) {
1165
1166 return true;
1167 }
1168
1169 organization = parentOrganization;
1170 }
1171 }
1172
1173 return false;
1174 }
1175
1176 protected boolean isGroupAdminImpl(long groupId) throws Exception {
1177 if (!signedIn) {
1178 return false;
1179 }
1180
1181 if (isOmniadmin()) {
1182 return true;
1183 }
1184
1185 if (groupId <= 0) {
1186 return false;
1187 }
1188
1189 Group group = GroupLocalServiceUtil.getGroup(groupId);
1190
1191 if (isCompanyAdmin(group.getCompanyId())) {
1192 return true;
1193 }
1194
1195 Boolean value = PermissionCacheUtil.getUserPrimaryKeyRole(
1196 getUserId(), group.getGroupId(), RoleConstants.SITE_ADMINISTRATOR);
1197
1198 try {
1199 if (value == null) {
1200 value = isGroupAdminImpl(group);
1201
1202 PermissionCacheUtil.putUserPrimaryKeyRole(
1203 getUserId(), group.getGroupId(),
1204 RoleConstants.SITE_ADMINISTRATOR, value);
1205 }
1206 }
1207 catch (Exception e) {
1208 PermissionCacheUtil.removeUserPrimaryKeyRole(
1209 getUserId(), group.getGroupId(),
1210 RoleConstants.SITE_ADMINISTRATOR);
1211
1212 throw e;
1213 }
1214
1215 return value;
1216 }
1217
1218 protected boolean isGroupMemberImpl(long groupId) throws Exception {
1219 if (!signedIn) {
1220 return false;
1221 }
1222
1223 if (groupId <= 0) {
1224 return false;
1225 }
1226
1227 long[] roleIds = doGetRoleIds(getUserId(), groupId);
1228
1229 Group group = GroupLocalServiceUtil.getGroup(groupId);
1230
1231 Role role = RoleLocalServiceUtil.getRole(
1232 group.getCompanyId(), RoleConstants.SITE_MEMBER);
1233
1234 if (Arrays.binarySearch(roleIds, role.getRoleId()) >= 0) {
1235 return true;
1236 }
1237
1238 UserBag userBag = getUserBag();
1239
1240 return userBag.hasUserGroup(group);
1241 }
1242
1243 protected boolean isGroupOwnerImpl(Group group) throws PortalException {
1244 if (group.isSite()) {
1245 if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1246 getUserId(), group.getGroupId(), RoleConstants.SITE_OWNER,
1247 true)) {
1248
1249 return true;
1250 }
1251 }
1252
1253 if (group.isLayoutPrototype()) {
1254 if (LayoutPrototypePermissionUtil.contains(
1255 this, group.getClassPK(), ActionKeys.UPDATE)) {
1256
1257 return true;
1258 }
1259 else {
1260 return false;
1261 }
1262 }
1263 else if (group.isLayoutSetPrototype()) {
1264 if (LayoutSetPrototypePermissionUtil.contains(
1265 this, group.getClassPK(), ActionKeys.UPDATE)) {
1266
1267 return true;
1268 }
1269 else {
1270 return false;
1271 }
1272 }
1273 else if (group.isOrganization()) {
1274 long organizationId = group.getOrganizationId();
1275
1276 while (organizationId !=
1277 OrganizationConstants.DEFAULT_PARENT_ORGANIZATION_ID) {
1278
1279 Organization organization =
1280 OrganizationLocalServiceUtil.getOrganization(
1281 organizationId);
1282
1283 long organizationGroupId = organization.getGroupId();
1284
1285 if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1286 getUserId(), organizationGroupId,
1287 RoleConstants.ORGANIZATION_OWNER, true)) {
1288
1289 return true;
1290 }
1291
1292 organizationId = organization.getParentOrganizationId();
1293 }
1294 }
1295 else if (group.isUser()) {
1296 long groupUserId = group.getClassPK();
1297
1298 if (getUserId() == groupUserId) {
1299 return true;
1300 }
1301 }
1302
1303 return false;
1304 }
1305
1306 protected boolean isGroupOwnerImpl(long groupId) throws Exception {
1307 if (!signedIn) {
1308 return false;
1309 }
1310
1311 if (isOmniadmin()) {
1312 return true;
1313 }
1314
1315 if (groupId <= 0) {
1316 return false;
1317 }
1318
1319 Group group = GroupLocalServiceUtil.getGroup(groupId);
1320
1321 if (isCompanyAdmin(group.getCompanyId())) {
1322 return true;
1323 }
1324
1325 Boolean value = PermissionCacheUtil.getUserPrimaryKeyRole(
1326 getUserId(), group.getGroupId(), RoleConstants.SITE_OWNER);
1327
1328 try {
1329 if (value == null) {
1330 value = isGroupOwnerImpl(group);
1331
1332 PermissionCacheUtil.putUserPrimaryKeyRole(
1333 getUserId(), group.getGroupId(), RoleConstants.SITE_OWNER,
1334 value);
1335 }
1336 }
1337 catch (Exception e) {
1338 PermissionCacheUtil.removeUserPrimaryKeyRole(
1339 getUserId(), group.getGroupId(), RoleConstants.SITE_OWNER);
1340
1341 throw e;
1342 }
1343
1344 return value;
1345 }
1346
1347 protected boolean isOrganizationAdminImpl(long organizationId)
1348 throws Exception {
1349
1350 if (!signedIn) {
1351 return false;
1352 }
1353
1354 if (isOmniadmin()) {
1355 return true;
1356 }
1357
1358 if (organizationId <= 0) {
1359 return false;
1360 }
1361
1362 Organization organization =
1363 OrganizationLocalServiceUtil.fetchOrganization(organizationId);
1364
1365 if (organization == null) {
1366 return false;
1367 }
1368
1369 if (isCompanyAdmin(organization.getCompanyId())) {
1370 return true;
1371 }
1372
1373 Boolean value = PermissionCacheUtil.getUserPrimaryKeyRole(
1374 getUserId(), organization.getOrganizationId(),
1375 RoleConstants.ORGANIZATION_ADMINISTRATOR);
1376
1377 try {
1378 if (value == null) {
1379 value = isOrganizationAdminImpl(organization);
1380
1381 PermissionCacheUtil.putUserPrimaryKeyRole(
1382 getUserId(), organization.getOrganizationId(),
1383 RoleConstants.ORGANIZATION_ADMINISTRATOR, value);
1384 }
1385 }
1386 catch (Exception e) {
1387 PermissionCacheUtil.removeUserPrimaryKeyRole(
1388 getUserId(), organization.getOrganizationId(),
1389 RoleConstants.ORGANIZATION_ADMINISTRATOR);
1390
1391 throw e;
1392 }
1393
1394 return value;
1395 }
1396
1397 protected boolean isOrganizationAdminImpl(Organization organization)
1398 throws PortalException {
1399
1400 while (organization != null) {
1401 long organizationGroupId = organization.getGroupId();
1402
1403 long userId = getUserId();
1404
1405 if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1406 userId, organizationGroupId,
1407 RoleConstants.ORGANIZATION_ADMINISTRATOR, true) ||
1408 UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1409 userId, organizationGroupId,
1410 RoleConstants.ORGANIZATION_OWNER, true)) {
1411
1412 return true;
1413 }
1414
1415 organization = organization.getParentOrganization();
1416 }
1417
1418 return false;
1419 }
1420
1421 protected boolean isOrganizationOwnerImpl(long organizationId)
1422 throws Exception {
1423
1424 if (!signedIn) {
1425 return false;
1426 }
1427
1428 if (isOmniadmin()) {
1429 return true;
1430 }
1431
1432 if (organizationId <= 0) {
1433 return false;
1434 }
1435
1436 Organization organization =
1437 OrganizationLocalServiceUtil.fetchOrganization(organizationId);
1438
1439 if (organization == null) {
1440 return false;
1441 }
1442
1443 if (isCompanyAdmin(organization.getCompanyId())) {
1444 return true;
1445 }
1446
1447 Boolean value = PermissionCacheUtil.getUserPrimaryKeyRole(
1448 getUserId(), organization.getOrganizationId(),
1449 RoleConstants.ORGANIZATION_OWNER);
1450
1451 try {
1452 if (value == null) {
1453 value = isOrganizationOwnerImpl(organization);
1454
1455 PermissionCacheUtil.putUserPrimaryKeyRole(
1456 getUserId(), organization.getOrganizationId(),
1457 RoleConstants.ORGANIZATION_OWNER, value);
1458 }
1459 }
1460 catch (Exception e) {
1461 PermissionCacheUtil.removeUserPrimaryKeyRole(
1462 getUserId(), organization.getOrganizationId(),
1463 RoleConstants.ORGANIZATION_OWNER);
1464
1465 throw e;
1466 }
1467
1468 return value;
1469 }
1470
1471 protected boolean isOrganizationOwnerImpl(Organization organization)
1472 throws PortalException {
1473
1474 while (organization != null) {
1475 long organizationGroupId = organization.getGroupId();
1476
1477 long userId = getUserId();
1478
1479 if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1480 userId, organizationGroupId,
1481 RoleConstants.ORGANIZATION_OWNER, true)) {
1482
1483 return true;
1484 }
1485
1486 organization = organization.getParentOrganization();
1487 }
1488
1489 return false;
1490 }
1491
1492 protected void logHasUserPermission(
1493 long groupId, String name, String primKey, String actionId,
1494 StopWatch stopWatch, int block) {
1495
1496 if (!_log.isDebugEnabled()) {
1497 return;
1498 }
1499
1500 _log.debug(
1501 "Checking user permission block " + block + " for " + groupId +
1502 " " + name + " " + primKey + " " + actionId + " takes " +
1503 stopWatch.getTime() + " ms");
1504 }
1505
1506
1509 @Deprecated
1510 protected static final String RESULTS_SEPARATOR = "_RESULTS_SEPARATOR_";
1511
1512 private static final Log _log = LogFactoryUtil.getLog(
1513 AdvancedPermissionChecker.class);
1514
1515 }