001
014
015 package com.liferay.portal.security.permission;
016
017 import com.liferay.portal.kernel.dao.orm.QueryUtil;
018 import com.liferay.portal.kernel.exception.PortalException;
019 import com.liferay.portal.kernel.log.Log;
020 import com.liferay.portal.kernel.log.LogFactoryUtil;
021 import com.liferay.portal.kernel.security.permission.ActionKeys;
022 import com.liferay.portal.kernel.security.permission.PermissionChecker;
023 import com.liferay.portal.kernel.security.permission.ResourceActionsUtil;
024 import com.liferay.portal.kernel.security.permission.ResourceBlockIdsBag;
025 import com.liferay.portal.kernel.security.permission.UserBag;
026 import com.liferay.portal.kernel.security.permission.UserBagFactoryUtil;
027 import com.liferay.portal.kernel.util.ArrayUtil;
028 import com.liferay.portal.kernel.util.CharPool;
029 import com.liferay.portal.kernel.util.GetterUtil;
030 import com.liferay.portal.kernel.util.ListUtil;
031 import com.liferay.portal.kernel.util.SetUtil;
032 import com.liferay.portal.kernel.util.Validator;
033 import com.liferay.portal.model.Group;
034 import com.liferay.portal.model.GroupConstants;
035 import com.liferay.portal.model.GroupedModel;
036 import com.liferay.portal.model.Layout;
037 import com.liferay.portal.model.Organization;
038 import com.liferay.portal.model.OrganizationConstants;
039 import com.liferay.portal.model.PermissionedModel;
040 import com.liferay.portal.model.PortletConstants;
041 import com.liferay.portal.model.Resource;
042 import com.liferay.portal.model.ResourceBlockConstants;
043 import com.liferay.portal.model.ResourceConstants;
044 import com.liferay.portal.model.Role;
045 import com.liferay.portal.model.RoleConstants;
046 import com.liferay.portal.model.Team;
047 import com.liferay.portal.model.User;
048 import com.liferay.portal.service.GroupLocalServiceUtil;
049 import com.liferay.portal.service.LayoutLocalServiceUtil;
050 import com.liferay.portal.service.OrganizationLocalServiceUtil;
051 import com.liferay.portal.service.ResourceBlockLocalServiceUtil;
052 import com.liferay.portal.service.ResourceLocalServiceUtil;
053 import com.liferay.portal.service.ResourcePermissionLocalServiceUtil;
054 import com.liferay.portal.service.RoleLocalServiceUtil;
055 import com.liferay.portal.service.TeamLocalServiceUtil;
056 import com.liferay.portal.service.UserGroupRoleLocalServiceUtil;
057 import com.liferay.portal.service.UserLocalServiceUtil;
058 import com.liferay.portal.service.permission.LayoutPrototypePermissionUtil;
059 import com.liferay.portal.service.permission.LayoutSetPrototypePermissionUtil;
060 import com.liferay.portal.service.permission.PortletPermissionUtil;
061
062 import java.util.ArrayList;
063 import java.util.Arrays;
064 import java.util.Collections;
065 import java.util.LinkedHashMap;
066 import java.util.List;
067 import java.util.Set;
068
069 import org.apache.commons.lang.time.StopWatch;
070
071
078 public class AdvancedPermissionChecker extends BasePermissionChecker {
079
080 @Override
081 public AdvancedPermissionChecker clone() {
082 return new AdvancedPermissionChecker();
083 }
084
085 public ResourceBlockIdsBag getGuestResourceBlockIdsBag(
086 long companyId, long groupId, String name)
087 throws Exception {
088
089 ResourceBlockIdsBag resourceBlockIdsBag =
090 PermissionCacheUtil.getResourceBlockIdsBag(
091 companyId, groupId, defaultUserId, name);
092
093 if (resourceBlockIdsBag != null) {
094 return resourceBlockIdsBag;
095 }
096
097 try {
098 resourceBlockIdsBag =
099 ResourceBlockLocalServiceUtil.getResourceBlockIdsBag(
100 getCompanyId(), groupId, name, getGuestUserRoleIds());
101
102 PermissionCacheUtil.putResourceBlockIdsBag(
103 companyId, groupId, defaultUserId, name, resourceBlockIdsBag);
104
105 return resourceBlockIdsBag;
106 }
107 catch (Exception e) {
108 PermissionCacheUtil.removeResourceBlockIdsBag(
109 getCompanyId(), groupId, defaultUserId, name);
110
111 throw e;
112 }
113 }
114
115
121 public long[] getGuestUserRoleIds() throws Exception {
122 Group guestGroup = GroupLocalServiceUtil.getGroup(
123 getCompanyId(), GroupConstants.GUEST);
124
125 long[] roleIds = PermissionCacheUtil.getUserGroupRoleIds(
126 defaultUserId, guestGroup.getGroupId());
127
128 if (roleIds != null) {
129 return roleIds;
130 }
131
132 try {
133 List<Role> roles = RoleLocalServiceUtil.getUserRelatedRoles(
134 defaultUserId, Collections.singletonList(guestGroup));
135
136
137
138
139
140
141 roleIds = ListUtil.toLongArray(roles, Role.ROLE_ID_ACCESSOR);
142
143 Arrays.sort(roleIds);
144
145 PermissionCacheUtil.putUserGroupRoleIds(
146 defaultUserId, guestGroup.getGroupId(), roleIds);
147 }
148 catch (Exception e) {
149 PermissionCacheUtil.removeUserGroupRoleIds(
150 defaultUserId, guestGroup.getGroupId());
151
152 throw e;
153 }
154
155 return roleIds;
156 }
157
158 @Override
159 public List<Long> getOwnerResourceBlockIds(
160 long companyId, long groupId, String name, String actionId) {
161
162 try {
163 ResourceBlockIdsBag resourceBlockIdsBag =
164 getOwnerResourceBlockIdsBag(companyId, groupId, name);
165
166 return ResourceBlockLocalServiceUtil.getResourceBlockIds(
167 resourceBlockIdsBag, name, actionId);
168 }
169 catch (Exception e) {
170 if (_log.isDebugEnabled()) {
171 _log.debug(e, e);
172 }
173 }
174
175 return Collections.emptyList();
176 }
177
178 public ResourceBlockIdsBag getOwnerResourceBlockIdsBag(
179 long companyId, long groupId, String name) {
180
181 ResourceBlockIdsBag resourceBlockIdsBag =
182 PermissionCacheUtil.getResourceBlockIdsBag(
183 companyId, groupId, ResourceBlockConstants.OWNER_USER_ID, name);
184
185 if (resourceBlockIdsBag != null) {
186 return resourceBlockIdsBag;
187 }
188
189 try {
190 long[] roleIds = {getOwnerRoleId()};
191
192 resourceBlockIdsBag =
193 ResourceBlockLocalServiceUtil.getResourceBlockIdsBag(
194 getCompanyId(), groupId, name, roleIds);
195
196 PermissionCacheUtil.putResourceBlockIdsBag(
197 companyId, groupId, ResourceBlockConstants.OWNER_USER_ID, name,
198 resourceBlockIdsBag);
199
200 return resourceBlockIdsBag;
201 }
202 catch (Exception e) {
203 PermissionCacheUtil.removeResourceBlockIdsBag(
204 companyId, groupId, ResourceBlockConstants.OWNER_USER_ID, name);
205
206 throw e;
207 }
208 }
209
210 @Override
211 public List<Long> getResourceBlockIds(
212 long companyId, long groupId, long userId, String name,
213 String actionId) {
214
215 try {
216 ResourceBlockIdsBag resourceBlockIdsBag = getResourceBlockIdsBag(
217 companyId, groupId, name, getRoleIds(getUserId(), groupId));
218
219 return ResourceBlockLocalServiceUtil.getResourceBlockIds(
220 resourceBlockIdsBag, name, actionId);
221 }
222 catch (Exception e) {
223 if (_log.isDebugEnabled()) {
224 _log.debug(e, e);
225 }
226 }
227
228 return Collections.emptyList();
229 }
230
231 public ResourceBlockIdsBag getResourceBlockIdsBag(
232 long companyId, long groupId, String name, long[] roleIds)
233 throws Exception {
234
235 ResourceBlockIdsBag resourceBlockIdsBag =
236 PermissionCacheUtil.getResourceBlockIdsBag(
237 companyId, groupId, getUserId(), name);
238
239 if (resourceBlockIdsBag != null) {
240 return resourceBlockIdsBag;
241 }
242
243 try {
244 resourceBlockIdsBag =
245 ResourceBlockLocalServiceUtil.getResourceBlockIdsBag(
246 getCompanyId(), groupId, name, roleIds);
247
248 PermissionCacheUtil.putResourceBlockIdsBag(
249 companyId, groupId, getUserId(), name, resourceBlockIdsBag);
250
251 return resourceBlockIdsBag;
252 }
253 catch (Exception e) {
254 PermissionCacheUtil.removeResourceBlockIdsBag(
255 companyId, groupId, getUserId(), name);
256
257 throw e;
258 }
259 }
260
261 @Override
262 public long[] getRoleIds(long userId, long groupId) {
263 try {
264 return doGetRoleIds(userId, groupId);
265 }
266 catch (Exception e) {
267 if (_log.isDebugEnabled()) {
268 _log.debug(e, e);
269 }
270
271 return PermissionChecker.DEFAULT_ROLE_IDS;
272 }
273 }
274
275 @Override
276 public UserBag getUserBag() throws PortalException {
277 return UserBagFactoryUtil.create(getUserId());
278 }
279
280 @Override
281 public boolean hasOwnerPermission(
282 long companyId, String name, String primKey, long ownerId,
283 String actionId) {
284
285 if (ownerId != getUserId()) {
286 return false;
287 }
288
289 if (ownerId == defaultUserId) {
290 if (actionId.equals(ActionKeys.VIEW)) {
291 return true;
292 }
293 else {
294 return false;
295 }
296 }
297
298 try {
299 if (ResourceBlockLocalServiceUtil.isSupported(name)) {
300 PermissionedModel permissionedModel =
301 ResourceBlockLocalServiceUtil.getPermissionedModel(
302 name, GetterUtil.getLong(primKey));
303
304 long groupId = 0;
305
306 if (permissionedModel instanceof GroupedModel) {
307 GroupedModel groupedModel = (GroupedModel)permissionedModel;
308
309 groupId = groupedModel.getGroupId();
310 }
311
312 ResourceBlockIdsBag resourceBlockIdsBag =
313 getOwnerResourceBlockIdsBag(companyId, groupId, name);
314
315 return ResourceBlockLocalServiceUtil.hasPermission(
316 name, permissionedModel, actionId, resourceBlockIdsBag);
317 }
318
319 return ResourcePermissionLocalServiceUtil.hasResourcePermission(
320 companyId, name, ResourceConstants.SCOPE_INDIVIDUAL, primKey,
321 getOwnerRoleId(), actionId);
322 }
323 catch (Exception e) {
324 if (_log.isDebugEnabled()) {
325 _log.debug(e, e);
326 }
327 }
328
329 return false;
330 }
331
332 @Override
333 public boolean hasPermission(
334 long groupId, String name, String primKey, String actionId) {
335
336 StopWatch stopWatch = new StopWatch();
337
338 stopWatch.start();
339
340 boolean checkOwnerPermission = false;
341 Group group = null;
342
343 try {
344 if (groupId > 0) {
345 group = GroupLocalServiceUtil.getGroup(groupId);
346
347
348
349
350 if (group.isLayout() &&
351 !ResourceBlockLocalServiceUtil.isSupported(name)) {
352
353 Layout layout = LayoutLocalServiceUtil.getLayout(
354 group.getClassPK());
355
356 groupId = layout.getGroupId();
357
358 group = GroupLocalServiceUtil.getGroup(groupId);
359 }
360
361
362
363
364 if (group.isUser() && (group.getClassPK() == getUserId())) {
365 checkOwnerPermission = true;
366
367 group = GroupLocalServiceUtil.getGroup(
368 getCompanyId(), GroupConstants.USER_PERSONAL_SITE);
369
370 groupId = group.getGroupId();
371 }
372 }
373 }
374 catch (Exception e) {
375 _log.error(e, e);
376 }
377
378 long[] roleIds = getRoleIds(getUserId(), groupId);
379
380 Boolean value = PermissionCacheUtil.getPermission(
381 groupId, name, primKey, roleIds, actionId);
382
383 if (value != null) {
384 return value;
385 }
386
387 try {
388 if (checkOwnerPermission) {
389 value = hasOwnerPermission(
390 getCompanyId(), name, primKey, getUserId(), actionId);
391 }
392
393 if ((value == null) || !value) {
394 value = hasPermissionImpl(
395 groupId, name, primKey, roleIds, actionId);
396 }
397
398 if (_log.isDebugEnabled()) {
399 _log.debug(
400 "Checking permission for " + groupId + " " + name +
401 " " + primKey + " " + actionId + " takes " +
402 stopWatch.getTime() + " ms");
403 }
404
405 PermissionCacheUtil.putPermission(
406 groupId, name, primKey, roleIds, actionId, value);
407 }
408 catch (Exception e) {
409 PermissionCacheUtil.removePermission(
410 groupId, name, primKey, roleIds, actionId);
411
412 throw e;
413 }
414
415 return value;
416 }
417
418 @Override
419 public boolean isCompanyAdmin() {
420 try {
421 return isCompanyAdminImpl(user.getCompanyId());
422 }
423 catch (Exception e) {
424 _log.error(e, e);
425
426 return false;
427 }
428 }
429
430 @Override
431 public boolean isCompanyAdmin(long companyId) {
432 try {
433 return isCompanyAdminImpl(companyId);
434 }
435 catch (Exception e) {
436 _log.error(e, e);
437
438 return false;
439 }
440 }
441
442 @Override
443 public boolean isContentReviewer(long companyId, long groupId) {
444 try {
445 return isContentReviewerImpl(companyId, groupId);
446 }
447 catch (Exception e) {
448 _log.error(e, e);
449 }
450
451 return false;
452 }
453
454 @Override
455 public boolean isGroupAdmin(long groupId) {
456 try {
457 return isGroupAdminImpl(groupId);
458 }
459 catch (Exception e) {
460 _log.error(e, e);
461
462 return false;
463 }
464 }
465
466 @Override
467 public boolean isGroupMember(long groupId) {
468 try {
469 return isGroupMemberImpl(groupId);
470 }
471 catch (Exception e) {
472 _log.error(e, e);
473
474 return false;
475 }
476 }
477
478 @Override
479 public boolean isGroupOwner(long groupId) {
480 try {
481 return isGroupOwnerImpl(groupId);
482 }
483 catch (Exception e) {
484 _log.error(e, e);
485
486 return false;
487 }
488 }
489
490 @Override
491 public boolean isOrganizationAdmin(long organizationId) {
492 try {
493 return isOrganizationAdminImpl(organizationId);
494 }
495 catch (Exception e) {
496 _log.error(e, e);
497
498 return false;
499 }
500 }
501
502 @Override
503 public boolean isOrganizationOwner(long organizationId) {
504 try {
505 return isOrganizationOwnerImpl(organizationId);
506 }
507 catch (Exception e) {
508 _log.error(e, e);
509
510 return false;
511 }
512 }
513
514 protected void addTeamRoles(long userId, Group group, Set<Long> roleIds)
515 throws Exception {
516
517 List<Team> userTeams = TeamLocalServiceUtil.getUserTeams(
518 userId, group.getGroupId());
519
520 for (Team team : userTeams) {
521 Role role = RoleLocalServiceUtil.getTeamRole(
522 team.getCompanyId(), team.getTeamId());
523
524 roleIds.add(role.getRoleId());
525 }
526
527 LinkedHashMap<String, Object> teamParams = new LinkedHashMap<>();
528
529 teamParams.put("usersUserGroups", userId);
530
531 List<Team> userGroupTeams = TeamLocalServiceUtil.search(
532 group.getGroupId(), null, null, teamParams, QueryUtil.ALL_POS,
533 QueryUtil.ALL_POS, null);
534
535 for (Team team : userGroupTeams) {
536 Role role = RoleLocalServiceUtil.getTeamRole(
537 team.getCompanyId(), team.getTeamId());
538
539 roleIds.add(role.getRoleId());
540 }
541 }
542
543 protected boolean doCheckPermission(
544 long companyId, long groupId, String name, String primKey,
545 long[] roleIds, String actionId, StopWatch stopWatch)
546 throws Exception {
547
548 logHasUserPermission(groupId, name, primKey, actionId, stopWatch, 1);
549
550 if (ResourceBlockLocalServiceUtil.isSupported(name)) {
551 ResourceBlockIdsBag resourceBlockIdsBag = getResourceBlockIdsBag(
552 companyId, groupId, name, roleIds);
553
554 boolean value = ResourceBlockLocalServiceUtil.hasPermission(
555 name, GetterUtil.getLong(primKey), actionId,
556 resourceBlockIdsBag);
557
558 logHasUserPermission(
559 groupId, name, primKey, actionId, stopWatch, 2);
560
561 return value;
562 }
563
564 List<Resource> resources = getResources(
565 companyId, groupId, name, primKey, actionId);
566
567 logHasUserPermission(groupId, name, primKey, actionId, stopWatch, 3);
568
569
570
571
572
573
574 boolean value = ResourceLocalServiceUtil.hasUserPermissions(
575 user.getUserId(), groupId, resources, actionId, roleIds);
576
577 logHasUserPermission(groupId, name, primKey, actionId, stopWatch, 4);
578
579 return value;
580 }
581
582 protected long[] doGetRoleIds(long userId, long groupId) throws Exception {
583 if (!signedIn) {
584 return getGuestUserRoleIds();
585 }
586
587 long[] roleIds = PermissionCacheUtil.getUserGroupRoleIds(
588 userId, groupId);
589
590 if (roleIds != null) {
591 return roleIds;
592 }
593
594 try {
595 Group group = null;
596
597 long parentGroupId = 0;
598
599 if (groupId > 0) {
600 group = GroupLocalServiceUtil.getGroup(groupId);
601
602 if (group.isLayout()) {
603 parentGroupId = group.getParentGroupId();
604
605 if (parentGroupId > 0) {
606 group = GroupLocalServiceUtil.getGroup(parentGroupId);
607 }
608 }
609 }
610
611 UserBag userBag = getUserBag();
612
613 Set<Long> roleIdsSet = SetUtil.fromArray(userBag.getRoleIds());
614
615 List<Role> userGroupRoles = RoleLocalServiceUtil.getUserGroupRoles(
616 userId, groupId);
617
618 for (Role userGroupRole : userGroupRoles) {
619 roleIdsSet.add(userGroupRole.getRoleId());
620 }
621
622 if (parentGroupId > 0) {
623 userGroupRoles = RoleLocalServiceUtil.getUserGroupRoles(
624 userId, parentGroupId);
625
626 for (Role userGroupRole : userGroupRoles) {
627 roleIdsSet.add(userGroupRole.getRoleId());
628 }
629 }
630
631 List<Role> userGroupGroupRoles =
632 RoleLocalServiceUtil.getUserGroupGroupRoles(userId, groupId);
633
634 for (Role userGroupGroupRole : userGroupGroupRoles) {
635 roleIdsSet.add(userGroupGroupRole.getRoleId());
636 }
637
638 if (parentGroupId > 0) {
639 userGroupGroupRoles =
640 RoleLocalServiceUtil.getUserGroupGroupRoles(
641 userId, parentGroupId);
642
643 for (Role userGroupGroupRole : userGroupGroupRoles) {
644 roleIdsSet.add(userGroupGroupRole.getRoleId());
645 }
646 }
647
648 if (group != null) {
649 if (group.isOrganization() && userBag.hasUserOrgGroup(group)) {
650 Role organizationUserRole = RoleLocalServiceUtil.getRole(
651 group.getCompanyId(), RoleConstants.ORGANIZATION_USER);
652
653 roleIdsSet.add(organizationUserRole.getRoleId());
654 }
655
656 if ((group.isSite() &&
657 (userBag.hasUserGroup(group) ||
658 userBag.hasUserOrgGroup(group))) ||
659 group.isUserPersonalSite()) {
660
661 Role siteMemberRole = RoleLocalServiceUtil.getRole(
662 group.getCompanyId(), RoleConstants.SITE_MEMBER);
663
664 roleIdsSet.add(siteMemberRole.getRoleId());
665 }
666
667 if ((group.isOrganization() &&
668 userBag.hasUserOrgGroup(group)) ||
669 (group.isSite() && userBag.hasUserGroup(group))) {
670
671 addTeamRoles(userId, group, roleIdsSet);
672 }
673 }
674
675 if (checkGuest) {
676 for (long roleId : getGuestUserRoleIds()) {
677 roleIdsSet.add(roleId);
678 }
679 }
680
681 roleIds = ArrayUtil.toLongArray(roleIdsSet);
682
683 Arrays.sort(roleIds);
684
685 PermissionCacheUtil.putUserGroupRoleIds(userId, groupId, roleIds);
686
687 return roleIds;
688 }
689 catch (Exception e) {
690 PermissionCacheUtil.removeUserGroupRoleIds(userId, groupId);
691
692 throw e;
693 }
694 }
695
696
718 protected List<Resource> getResources(
719 long companyId, long groupId, String name, String primKey,
720 String actionId)
721 throws Exception {
722
723
724
725 List<Resource> resources = new ArrayList<>(4);
726
727 Resource individualResource = ResourceLocalServiceUtil.getResource(
728 companyId, name, ResourceConstants.SCOPE_INDIVIDUAL, primKey);
729
730 resources.add(individualResource);
731
732
733
734 if (groupId > 0) {
735 Resource groupResource = ResourceLocalServiceUtil.getResource(
736 companyId, name, ResourceConstants.SCOPE_GROUP,
737 String.valueOf(groupId));
738
739 resources.add(groupResource);
740 }
741
742
743
744 if (signedIn && (groupId > 0)) {
745 Resource groupTemplateResource =
746 ResourceLocalServiceUtil.getResource(
747 companyId, name, ResourceConstants.SCOPE_GROUP_TEMPLATE,
748 String.valueOf(GroupConstants.DEFAULT_PARENT_GROUP_ID));
749
750 resources.add(groupTemplateResource);
751 }
752
753
754
755 Resource companyResource = ResourceLocalServiceUtil.getResource(
756 companyId, name, ResourceConstants.SCOPE_COMPANY,
757 String.valueOf(companyId));
758
759 resources.add(companyResource);
760
761 return resources;
762 }
763
764 protected boolean hasGuestPermission(
765 long groupId, String name, String primKey, String actionId)
766 throws Exception {
767
768 List<String> resourceActions = ResourceActionsUtil.getResourceActions(
769 name);
770
771 if (!resourceActions.contains(actionId)) {
772 return false;
773 }
774
775 if (name.indexOf(CharPool.PERIOD) != -1) {
776
777
778
779 List<String> actions =
780 ResourceActionsUtil.getModelResourceGuestUnsupportedActions(
781 name);
782
783 if (actions.contains(actionId)) {
784 return false;
785 }
786 }
787 else {
788
789
790
791 List<String> actions =
792 ResourceActionsUtil.getPortletResourceGuestUnsupportedActions(
793 name);
794
795 if (actions.contains(actionId)) {
796 return false;
797 }
798 }
799
800 long companyId = user.getCompanyId();
801
802 List<Resource> resources = getResources(
803 companyId, groupId, name, primKey, actionId);
804
805 try {
806 if (ResourceBlockLocalServiceUtil.isSupported(name)) {
807 ResourceBlockIdsBag resourceBlockIdsBag =
808 getGuestResourceBlockIdsBag(companyId, groupId, name);
809
810 return ResourceBlockLocalServiceUtil.hasPermission(
811 name, GetterUtil.getLong(primKey), actionId,
812 resourceBlockIdsBag);
813 }
814
815 return ResourceLocalServiceUtil.hasUserPermissions(
816 defaultUserId, groupId, resources, actionId,
817 getGuestUserRoleIds());
818 }
819 catch (Exception e) {
820 _log.error(e, e);
821
822 return false;
823 }
824 }
825
826 protected boolean hasPermissionImpl(
827 long groupId, String name, String primKey, long[] roleIds,
828 String actionId) {
829
830 try {
831 if (!signedIn) {
832 return hasGuestPermission(groupId, name, primKey, actionId);
833 }
834
835 if (ResourceBlockLocalServiceUtil.isSupported(name)) {
836 return hasUserPermissionImpl(
837 groupId, name, primKey, roleIds, actionId);
838 }
839
840 return hasUserPermissionImpl(
841 groupId, name, primKey, roleIds, actionId);
842 }
843 catch (Exception e) {
844 _log.error(e, e);
845
846 return false;
847 }
848 }
849
850 protected boolean hasUserPermissionImpl(
851 long groupId, String name, String primKey, long[] roleIds,
852 String actionId)
853 throws Exception {
854
855 StopWatch stopWatch = new StopWatch();
856
857 stopWatch.start();
858
859 long companyId = user.getCompanyId();
860
861 if (groupId > 0) {
862 Group group = GroupLocalServiceUtil.getGroup(groupId);
863
864 companyId = group.getCompanyId();
865 }
866 else if (name.equals(User.class.getName())) {
867 User user = UserLocalServiceUtil.fetchUser(
868 GetterUtil.getLong(primKey));
869
870 if (user != null) {
871 companyId = user.getCompanyId();
872 }
873 }
874
875 boolean hasLayoutManagerPermission = true;
876
877
878
879
880 if (Validator.isNotNull(name) && Validator.isNotNull(primKey) &&
881 primKey.contains(PortletConstants.LAYOUT_SEPARATOR)) {
882
883 hasLayoutManagerPermission =
884 PortletPermissionUtil.hasLayoutManagerPermission(
885 name, actionId);
886 }
887
888 if (isCompanyAdminImpl(companyId)) {
889 return true;
890 }
891
892 if (name.equals(Organization.class.getName())) {
893 if (isOrganizationAdminImpl(GetterUtil.getLong(primKey))) {
894 return true;
895 }
896 }
897 else if (isGroupAdminImpl(groupId) && hasLayoutManagerPermission) {
898 return true;
899 }
900
901 return doCheckPermission(
902 companyId, groupId, name, primKey, roleIds, actionId, stopWatch);
903 }
904
905 protected boolean isCompanyAdminImpl(long companyId) throws Exception {
906 if (!signedIn) {
907 return false;
908 }
909
910 if (isOmniadmin()) {
911 return true;
912 }
913
914 Boolean value = PermissionCacheUtil.getUserPrimaryKeyRole(
915 getUserId(), companyId, RoleConstants.ADMINISTRATOR);
916
917 try {
918 if (value == null) {
919 value = RoleLocalServiceUtil.hasUserRole(
920 user.getUserId(), companyId, RoleConstants.ADMINISTRATOR,
921 true);
922
923 PermissionCacheUtil.putUserPrimaryKeyRole(
924 getUserId(), companyId, RoleConstants.ADMINISTRATOR, value);
925 }
926 }
927 catch (Exception e) {
928 PermissionCacheUtil.removeUserPrimaryKeyRole(
929 getUserId(), companyId, RoleConstants.ADMINISTRATOR);
930
931 throw e;
932 }
933
934 return value;
935 }
936
937 protected boolean isContentReviewerImpl(long groupId)
938 throws PortalException {
939
940 if (isCompanyAdmin() || isGroupAdmin(groupId)) {
941 return true;
942 }
943
944 Group group = GroupLocalServiceUtil.getGroup(groupId);
945
946 if (RoleLocalServiceUtil.hasUserRole(
947 getUserId(), group.getCompanyId(),
948 RoleConstants.PORTAL_CONTENT_REVIEWER, true)) {
949
950 return true;
951 }
952
953 if (group.isSite()) {
954 if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
955 getUserId(), groupId, RoleConstants.SITE_CONTENT_REVIEWER,
956 true)) {
957
958 return true;
959 }
960 }
961
962 return false;
963 }
964
965 protected boolean isContentReviewerImpl(long companyId, long groupId)
966 throws Exception {
967
968 if (!signedIn) {
969 return false;
970 }
971
972 if (isOmniadmin()) {
973 return true;
974 }
975
976 if (isCompanyAdmin(companyId)) {
977 return true;
978 }
979
980 if (groupId <= 0) {
981 return false;
982 }
983
984 if (isGroupAdmin(groupId)) {
985 return true;
986 }
987
988 Boolean value = PermissionCacheUtil.getUserPrimaryKeyRole(
989 getUserId(), groupId, RoleConstants.SITE_CONTENT_REVIEWER);
990
991 try {
992 if (value == null) {
993 value = isContentReviewerImpl(groupId);
994
995 PermissionCacheUtil.putUserPrimaryKeyRole(
996 getUserId(), groupId, RoleConstants.SITE_CONTENT_REVIEWER,
997 value);
998 }
999 }
1000 catch (Exception e) {
1001 PermissionCacheUtil.removeUserPrimaryKeyRole(
1002 getUserId(), groupId, RoleConstants.SITE_CONTENT_REVIEWER);
1003
1004 throw e;
1005 }
1006
1007 return value;
1008 }
1009
1010 protected boolean isGroupAdminImpl(Group group) throws Exception {
1011 if (group.isLayout()) {
1012 long parentGroupId = group.getParentGroupId();
1013
1014 if (parentGroupId == GroupConstants.DEFAULT_PARENT_GROUP_ID) {
1015 return false;
1016 }
1017
1018 group = GroupLocalServiceUtil.getGroup(parentGroupId);
1019 }
1020
1021 if (group.isSite()) {
1022 if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1023 getUserId(), group.getGroupId(),
1024 RoleConstants.SITE_ADMINISTRATOR, true) ||
1025 UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1026 getUserId(), group.getGroupId(), RoleConstants.SITE_OWNER,
1027 true)) {
1028
1029 return true;
1030 }
1031
1032 StopWatch stopWatch = new StopWatch();
1033
1034 stopWatch.start();
1035
1036 while (!group.isRoot()) {
1037 Group parentGroup = group.getParentGroup();
1038
1039 long[] roleIds = getRoleIds(
1040 getUserId(), parentGroup.getGroupId());
1041
1042 if (doCheckPermission(
1043 parentGroup.getCompanyId(), parentGroup.getGroupId(),
1044 Group.class.getName(),
1045 String.valueOf(parentGroup.getGroupId()), roleIds,
1046 ActionKeys.MANAGE_SUBGROUPS, stopWatch)) {
1047
1048 return true;
1049 }
1050
1051 group = parentGroup;
1052 }
1053 }
1054
1055 if (group.isCompany()) {
1056 if (isCompanyAdmin()) {
1057 return true;
1058 }
1059 else {
1060 return false;
1061 }
1062 }
1063 else if (group.isLayoutPrototype()) {
1064 if (LayoutPrototypePermissionUtil.contains(
1065 this, group.getClassPK(), ActionKeys.UPDATE)) {
1066
1067 return true;
1068 }
1069 else {
1070 return false;
1071 }
1072 }
1073 else if (group.isLayoutSetPrototype()) {
1074 if (LayoutSetPrototypePermissionUtil.contains(
1075 this, group.getClassPK(), ActionKeys.UPDATE)) {
1076
1077 return true;
1078 }
1079 else {
1080 return false;
1081 }
1082 }
1083 else if (group.isOrganization()) {
1084 long organizationId = group.getOrganizationId();
1085
1086 while (organizationId !=
1087 OrganizationConstants.DEFAULT_PARENT_ORGANIZATION_ID) {
1088
1089 Organization organization =
1090 OrganizationLocalServiceUtil.getOrganization(
1091 organizationId);
1092
1093 long organizationGroupId = organization.getGroupId();
1094
1095 if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1096 getUserId(), organizationGroupId,
1097 RoleConstants.ORGANIZATION_ADMINISTRATOR, true) ||
1098 UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1099 getUserId(), organizationGroupId,
1100 RoleConstants.ORGANIZATION_OWNER, true)) {
1101
1102 return true;
1103 }
1104
1105 organizationId = organization.getParentOrganizationId();
1106 }
1107
1108 StopWatch stopWatch = new StopWatch();
1109
1110 stopWatch.start();
1111
1112 Organization organization =
1113 OrganizationLocalServiceUtil.getOrganization(
1114 group.getOrganizationId());
1115
1116 while (!organization.isRoot()) {
1117 Organization parentOrganization =
1118 organization.getParentOrganization();
1119
1120 Group parentGroup = parentOrganization.getGroup();
1121
1122 long[] roleIds = getRoleIds(
1123 getUserId(), parentGroup.getGroupId());
1124
1125 if (doCheckPermission(
1126 parentGroup.getCompanyId(), parentGroup.getGroupId(),
1127 Organization.class.getName(),
1128 String.valueOf(parentOrganization.getOrganizationId()),
1129 roleIds, ActionKeys.MANAGE_SUBORGANIZATIONS,
1130 stopWatch)) {
1131
1132 return true;
1133 }
1134
1135 organization = parentOrganization;
1136 }
1137 }
1138
1139 return false;
1140 }
1141
1142 protected boolean isGroupAdminImpl(long groupId) throws Exception {
1143 if (!signedIn) {
1144 return false;
1145 }
1146
1147 if (isOmniadmin()) {
1148 return true;
1149 }
1150
1151 if (groupId <= 0) {
1152 return false;
1153 }
1154
1155 Group group = GroupLocalServiceUtil.getGroup(groupId);
1156
1157 if (isCompanyAdmin(group.getCompanyId())) {
1158 return true;
1159 }
1160
1161 Boolean value = PermissionCacheUtil.getUserPrimaryKeyRole(
1162 getUserId(), group.getGroupId(), RoleConstants.SITE_ADMINISTRATOR);
1163
1164 try {
1165 if (value == null) {
1166 value = isGroupAdminImpl(group);
1167
1168 PermissionCacheUtil.putUserPrimaryKeyRole(
1169 getUserId(), group.getGroupId(),
1170 RoleConstants.SITE_ADMINISTRATOR, value);
1171 }
1172 }
1173 catch (Exception e) {
1174 PermissionCacheUtil.removeUserPrimaryKeyRole(
1175 getUserId(), group.getGroupId(),
1176 RoleConstants.SITE_ADMINISTRATOR);
1177
1178 throw e;
1179 }
1180
1181 return value;
1182 }
1183
1184 protected boolean isGroupMemberImpl(long groupId) throws Exception {
1185 if (!signedIn) {
1186 return false;
1187 }
1188
1189 if (groupId <= 0) {
1190 return false;
1191 }
1192
1193 long[] roleIds = getRoleIds(getUserId(), groupId);
1194
1195 Group group = GroupLocalServiceUtil.getGroup(groupId);
1196
1197 Role role = RoleLocalServiceUtil.getRole(
1198 group.getCompanyId(), RoleConstants.SITE_MEMBER);
1199
1200 if (Arrays.binarySearch(roleIds, role.getRoleId()) >= 0) {
1201 return true;
1202 }
1203
1204 UserBag userBag = getUserBag();
1205
1206 return userBag.hasUserGroup(group);
1207 }
1208
1209 protected boolean isGroupOwnerImpl(Group group) throws PortalException {
1210 if (group.isSite()) {
1211 if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1212 getUserId(), group.getGroupId(), RoleConstants.SITE_OWNER,
1213 true)) {
1214
1215 return true;
1216 }
1217 }
1218
1219 if (group.isLayoutPrototype()) {
1220 if (LayoutPrototypePermissionUtil.contains(
1221 this, group.getClassPK(), ActionKeys.UPDATE)) {
1222
1223 return true;
1224 }
1225 else {
1226 return false;
1227 }
1228 }
1229 else if (group.isLayoutSetPrototype()) {
1230 if (LayoutSetPrototypePermissionUtil.contains(
1231 this, group.getClassPK(), ActionKeys.UPDATE)) {
1232
1233 return true;
1234 }
1235 else {
1236 return false;
1237 }
1238 }
1239 else if (group.isOrganization()) {
1240 long organizationId = group.getOrganizationId();
1241
1242 while (organizationId !=
1243 OrganizationConstants.DEFAULT_PARENT_ORGANIZATION_ID) {
1244
1245 Organization organization =
1246 OrganizationLocalServiceUtil.getOrganization(
1247 organizationId);
1248
1249 long organizationGroupId = organization.getGroupId();
1250
1251 if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1252 getUserId(), organizationGroupId,
1253 RoleConstants.ORGANIZATION_OWNER, true)) {
1254
1255 return true;
1256 }
1257
1258 organizationId = organization.getParentOrganizationId();
1259 }
1260 }
1261 else if (group.isUser()) {
1262 long groupUserId = group.getClassPK();
1263
1264 if (getUserId() == groupUserId) {
1265 return true;
1266 }
1267 }
1268
1269 return false;
1270 }
1271
1272 protected boolean isGroupOwnerImpl(long groupId) throws Exception {
1273 if (!signedIn) {
1274 return false;
1275 }
1276
1277 if (isOmniadmin()) {
1278 return true;
1279 }
1280
1281 if (groupId <= 0) {
1282 return false;
1283 }
1284
1285 Group group = GroupLocalServiceUtil.getGroup(groupId);
1286
1287 if (isCompanyAdmin(group.getCompanyId())) {
1288 return true;
1289 }
1290
1291 Boolean value = PermissionCacheUtil.getUserPrimaryKeyRole(
1292 getUserId(), group.getGroupId(), RoleConstants.SITE_OWNER);
1293
1294 try {
1295 if (value == null) {
1296 value = isGroupOwnerImpl(group);
1297
1298 PermissionCacheUtil.putUserPrimaryKeyRole(
1299 getUserId(), group.getGroupId(), RoleConstants.SITE_OWNER,
1300 value);
1301 }
1302 }
1303 catch (Exception e) {
1304 PermissionCacheUtil.removeUserPrimaryKeyRole(
1305 getUserId(), group.getGroupId(), RoleConstants.SITE_OWNER);
1306
1307 throw e;
1308 }
1309
1310 return value;
1311 }
1312
1313 protected boolean isOrganizationAdminImpl(long organizationId)
1314 throws Exception {
1315
1316 if (!signedIn) {
1317 return false;
1318 }
1319
1320 if (isOmniadmin()) {
1321 return true;
1322 }
1323
1324 if (organizationId <= 0) {
1325 return false;
1326 }
1327
1328 Organization organization =
1329 OrganizationLocalServiceUtil.fetchOrganization(organizationId);
1330
1331 if (organization == null) {
1332 return false;
1333 }
1334
1335 if (isCompanyAdmin(organization.getCompanyId())) {
1336 return true;
1337 }
1338
1339 Boolean value = PermissionCacheUtil.getUserPrimaryKeyRole(
1340 getUserId(), organization.getOrganizationId(),
1341 RoleConstants.ORGANIZATION_ADMINISTRATOR);
1342
1343 try {
1344 if (value == null) {
1345 value = isOrganizationAdminImpl(organization);
1346
1347 PermissionCacheUtil.putUserPrimaryKeyRole(
1348 getUserId(), organization.getOrganizationId(),
1349 RoleConstants.ORGANIZATION_ADMINISTRATOR, value);
1350 }
1351 }
1352 catch (Exception e) {
1353 PermissionCacheUtil.removeUserPrimaryKeyRole(
1354 getUserId(), organization.getOrganizationId(),
1355 RoleConstants.ORGANIZATION_ADMINISTRATOR);
1356
1357 throw e;
1358 }
1359
1360 return value;
1361 }
1362
1363 protected boolean isOrganizationAdminImpl(Organization organization)
1364 throws PortalException {
1365
1366 while (organization != null) {
1367 long organizationGroupId = organization.getGroupId();
1368
1369 long userId = getUserId();
1370
1371 if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1372 userId, organizationGroupId,
1373 RoleConstants.ORGANIZATION_ADMINISTRATOR, true) ||
1374 UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1375 userId, organizationGroupId,
1376 RoleConstants.ORGANIZATION_OWNER, true)) {
1377
1378 return true;
1379 }
1380
1381 organization = organization.getParentOrganization();
1382 }
1383
1384 return false;
1385 }
1386
1387 protected boolean isOrganizationOwnerImpl(long organizationId)
1388 throws Exception {
1389
1390 if (!signedIn) {
1391 return false;
1392 }
1393
1394 if (isOmniadmin()) {
1395 return true;
1396 }
1397
1398 if (organizationId <= 0) {
1399 return false;
1400 }
1401
1402 Organization organization =
1403 OrganizationLocalServiceUtil.fetchOrganization(organizationId);
1404
1405 if (organization == null) {
1406 return false;
1407 }
1408
1409 if (isCompanyAdmin(organization.getCompanyId())) {
1410 return true;
1411 }
1412
1413 Boolean value = PermissionCacheUtil.getUserPrimaryKeyRole(
1414 getUserId(), organization.getOrganizationId(),
1415 RoleConstants.ORGANIZATION_OWNER);
1416
1417 try {
1418 if (value == null) {
1419 value = isOrganizationOwnerImpl(organization);
1420
1421 PermissionCacheUtil.putUserPrimaryKeyRole(
1422 getUserId(), organization.getOrganizationId(),
1423 RoleConstants.ORGANIZATION_OWNER, value);
1424 }
1425 }
1426 catch (Exception e) {
1427 PermissionCacheUtil.removeUserPrimaryKeyRole(
1428 getUserId(), organization.getOrganizationId(),
1429 RoleConstants.ORGANIZATION_OWNER);
1430
1431 throw e;
1432 }
1433
1434 return value;
1435 }
1436
1437 protected boolean isOrganizationOwnerImpl(Organization organization)
1438 throws PortalException {
1439
1440 while (organization != null) {
1441 long organizationGroupId = organization.getGroupId();
1442
1443 long userId = getUserId();
1444
1445 if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1446 userId, organizationGroupId,
1447 RoleConstants.ORGANIZATION_OWNER, true)) {
1448
1449 return true;
1450 }
1451
1452 organization = organization.getParentOrganization();
1453 }
1454
1455 return false;
1456 }
1457
1458 protected void logHasUserPermission(
1459 long groupId, String name, String primKey, String actionId,
1460 StopWatch stopWatch, int block) {
1461
1462 if (!_log.isDebugEnabled()) {
1463 return;
1464 }
1465
1466 _log.debug(
1467 "Checking user permission block " + block + " for " + groupId +
1468 " " + name + " " + primKey + " " + actionId + " takes " +
1469 stopWatch.getTime() + " ms");
1470 }
1471
1472
1475 @Deprecated
1476 protected static final String RESULTS_SEPARATOR = "_RESULTS_SEPARATOR_";
1477
1478 private static final Log _log = LogFactoryUtil.getLog(
1479 AdvancedPermissionChecker.class);
1480
1481 }