001    /**
002     * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.service.permission;
016    
017    import com.liferay.portal.kernel.exception.PortalException;
018    import com.liferay.portal.kernel.model.Group;
019    import com.liferay.portal.kernel.model.User;
020    import com.liferay.portal.kernel.security.auth.PrincipalException;
021    import com.liferay.portal.kernel.security.permission.ActionKeys;
022    import com.liferay.portal.kernel.security.permission.BaseModelPermissionChecker;
023    import com.liferay.portal.kernel.security.permission.PermissionChecker;
024    import com.liferay.portal.kernel.service.GroupLocalServiceUtil;
025    import com.liferay.portal.kernel.service.UserLocalServiceUtil;
026    import com.liferay.portal.kernel.service.permission.GroupPermission;
027    import com.liferay.portal.kernel.service.permission.PortalPermissionUtil;
028    import com.liferay.portal.kernel.service.permission.UserPermissionUtil;
029    import com.liferay.portal.kernel.spring.osgi.OSGiBeanProperties;
030    
031    /**
        * Answers permission questions about {@link Group} resources.
        *
        * <p>
        * The {@code check} methods throw
        * {@code PrincipalException.MustHavePermission} on a denial, and the
        * {@code contains} methods report the same decision as a boolean. The
        * {@code OSGiBeanProperties} annotation registers this checker for the model
        * class {@code com.liferay.portal.kernel.model.Group}.
        * </p>
        *
        * <p>
        * The decision for a concrete group is made in
        * {@link #contains(PermissionChecker, Group, String)}. Besides the direct
        * permission lookup it applies one unconditional denial, several implied
        * permissions, a grant based on {@code UPDATE} permission over the owner of
        * a user group, and inheritance of {@code MANAGE_SUBGROUPS} from ancestor
        * groups. The order of those steps decides the result.
        * </p>
        *
032     * @author Brian Wing Shun Chan
033     * @author Raymond Augé
034     */
035    @OSGiBeanProperties(
036            property = {"model.class.name=com.liferay.portal.kernel.model.Group"}
037    )
038    public class GroupPermissionImpl
039            implements BaseModelPermissionChecker, GroupPermission {
040    
               /**
                * Requires that the caller may perform the action on the group.
                *
                * @param  permissionChecker the permission checker of the caller
                * @param  group the group being accessed
                * @param  actionId the action to authorize
                * @throws PortalException a
                *         {@code PrincipalException.MustHavePermission} if
                *         {@link #contains(PermissionChecker, Group, String)} returns
                *         <code>false</code>, or whatever that method throws
                */
041            @Override
042            public void check(
043                            PermissionChecker permissionChecker, Group group, String actionId)
044                    throws PortalException {
045    
046                    if (!contains(permissionChecker, group, actionId)) {
047                            throw new PrincipalException.MustHavePermission(
048                                    permissionChecker, Group.class.getName(), group.getGroupId(),
049                                    actionId);
050                    }
051            }
052    
               /**
                * Requires that the caller may perform the action on the group with the
                * given ID.
                *
                * <p>
                * {@link #contains(PermissionChecker, long, String)} returns
                * <code>false</code> for an ID that is not positive, so such an ID ends
                * in the exception.
                * </p>
                *
                * @param  permissionChecker the permission checker of the caller
                * @param  groupId the primary key of the group being accessed
                * @param  actionId the action to authorize
                * @throws PortalException a
                *         {@code PrincipalException.MustHavePermission} on a denial,
                *         or whatever the lookup in <code>contains</code> throws
                */
053            @Override
054            public void check(
055                            PermissionChecker permissionChecker, long groupId, String actionId)
056                    throws PortalException {
057    
058                    if (!contains(permissionChecker, groupId, actionId)) {
059                            throw new PrincipalException.MustHavePermission(
060                                    permissionChecker, Group.class.getName(), groupId, actionId);
061                    }
062            }
063    
               /**
                * Requires that the caller holds the action on the group model when no
                * particular group is named.
                *
                * <p>
                * The exception raised on a denial reports <code>0</code> as the
                * primary key.
                * </p>
                *
                * @param  permissionChecker the permission checker of the caller
                * @param  actionId the action to authorize
                * @throws PortalException a
                *         {@code PrincipalException.MustHavePermission} if
                *         {@link #contains(PermissionChecker, String)} returns
                *         <code>false</code>
                */
064            @Override
065            public void check(PermissionChecker permissionChecker, String actionId)
066                    throws PortalException {
067    
068                    if (!contains(permissionChecker, actionId)) {
069                            throw new PrincipalException.MustHavePermission(
070                                    permissionChecker, Group.class.getName(), Long.valueOf(0),
071                                    actionId);
072                    }
073            }
074    
               /**
                * Runs the group check for the generic base model entry point.
                *
                * <p>
                * The <code>groupId</code> argument is not read. The check is made
                * against <code>primaryKey</code>, which is passed on as the ID of the
                * group.
                * </p>
                *
                * @param  permissionChecker the permission checker of the caller
                * @param  groupId ignored by this implementation
                * @param  primaryKey the primary key of the group being accessed
                * @param  actionId the action to authorize
                * @throws PortalException if
                *         {@link #check(PermissionChecker, long, String)} throws
                */
075            @Override
076            public void checkBaseModel(
077                            PermissionChecker permissionChecker, long groupId, long primaryKey,
078                            String actionId)
079                    throws PortalException {
080    
081                    check(permissionChecker, primaryKey, actionId);
082            }
083    
               /**
                * Returns <code>true</code> if the caller may perform the action on the
                * group.
                *
                * <p>
                * The steps run in this order, and the first one that decides wins:
                * </p>
                *
                * <ol>
                * <li>
                * <code>ADD_LAYOUT</code> and <code>MANAGE_LAYOUTS</code> are denied on
                * a group that has a local or remote staging group or is a layout
                * prototype.
                * </li>
                * <li>
                * For a user group, a caller other than the owner who holds
                * <code>UPDATE</code> on the owner is granted the action.
                * </li>
                * <li>
                * A broader permission on the group can stand in for the requested
                * action (see the chain in the body).
                * </li>
                * <li>
                * The requested action is looked up directly on the group.
                * </li>
                * <li>
                * <code>MANAGE_SUBGROUPS</code> on an ancestor grants the action.
                * </li>
                * </ol>
                *
                * <p>
                * <code>actionId</code> and <code>group</code> are dereferenced without
                * a null check.
                * </p>
                *
                * @param  permissionChecker the permission checker of the caller
                * @param  group the group being accessed; a staging group is replaced
                *         by its live group for the user group test and the ancestor
                *         walk
                * @param  actionId the action to authorize
                * @return <code>true</code> if one of the steps grants the action;
                *         <code>false</code> otherwise
                * @throws PortalException if a user or group lookup made along the way
                *         fails
                */
084            @Override
085            public boolean contains(
086                            PermissionChecker permissionChecker, Group group, String actionId)
087                    throws PortalException {
088    
                       // Layout creation and management are refused outright on a group
                       // that has a staging group or is a layout prototype. This returns
                       // before any permission lookup, so no grant below can override it.
089                    if ((actionId.equals(ActionKeys.ADD_LAYOUT) ||
090                             actionId.equals(ActionKeys.MANAGE_LAYOUTS)) &&
091                            (group.hasLocalOrRemoteStagingGroup() ||
092                             group.isLayoutPrototype())) {
093    
094                            return false;
095                    }
096    
                       // The ID is captured before the staging-to-live swap, so every
                       // hasPermission call below uses the ID of the group as passed in,
                       // while isUser() and the ancestor walk use the live group.
097                    long groupId = group.getGroupId();
098    
099                    if (group.isStagingGroup()) {
100                            group = group.getLiveGroup();
101                    }
102    
103                    if (group.isUser()) {
104    
105                            // An individual user would never reach this block because he would
106                            // be an administrator of his own layouts. However, a user who
107                            // manages a set of organizations may be modifying pages of a user
108                            // he manages.
                               //
                               // NOTE(review): this grant does not look at actionId. Any
                               // caller other than the owner who holds UPDATE on that user
                               // receives every action on the user's group. Confirm that
                               // this breadth is intended.
109    
110                            User user = UserLocalServiceUtil.getUserById(group.getClassPK());
111    
112                            if ((permissionChecker.getUserId() != user.getUserId()) &&
113                                    UserPermissionUtil.contains(
114                                            permissionChecker, user.getUserId(),
115                                            user.getOrganizationIds(), ActionKeys.UPDATE)) {
116    
117                                    return true;
118                            }
119                    }
120    
                       // Implied permissions: a broader permission on this group stands
                       // in for the requested action. ADD_COMMUNITY is also granted by
                       // the portal-level ADD_COMMUNITY permission. When the action
                       // matches a branch but the lookup fails, control falls through to
                       // the direct check below.
121                    if (actionId.equals(ActionKeys.ADD_COMMUNITY) &&
122                            (permissionChecker.hasPermission(
123                                    groupId, Group.class.getName(), groupId,
124                                    ActionKeys.MANAGE_SUBGROUPS) ||
125                             PortalPermissionUtil.contains(
126                                     permissionChecker, ActionKeys.ADD_COMMUNITY))) {
127    
128                            return true;
129                    }
130                    else if (actionId.equals(ActionKeys.ADD_LAYOUT) &&
131                                     permissionChecker.hasPermission(
132                                             groupId, Group.class.getName(), groupId,
133                                             ActionKeys.MANAGE_LAYOUTS)) {
134    
135                            return true;
136                    }
137                    else if ((actionId.equals(ActionKeys.EXPORT_IMPORT_LAYOUTS) ||
138                                      actionId.equals(ActionKeys.EXPORT_IMPORT_PORTLET_INFO)) &&
139                                     permissionChecker.hasPermission(
140                                             groupId, Group.class.getName(), groupId,
141                                             ActionKeys.PUBLISH_STAGING)) {
142    
143                            return true;
144                    }
145                    else if (actionId.equals(ActionKeys.VIEW) &&
146                                     (permissionChecker.hasPermission(
147                                             groupId, Group.class.getName(), groupId,
148                                             ActionKeys.ASSIGN_USER_ROLES) ||
149                                      permissionChecker.hasPermission(
150                                             groupId, Group.class.getName(), groupId,
151                                             ActionKeys.MANAGE_LAYOUTS))) {
152    
153                            return true;
154                    }
155                    else if (actionId.equals(ActionKeys.VIEW_STAGING) &&
156                                     (permissionChecker.hasPermission(
157                                             groupId, Group.class.getName(), groupId,
158                                             ActionKeys.MANAGE_LAYOUTS) ||
159                                      permissionChecker.hasPermission(
160                                             groupId, Group.class.getName(), groupId,
161                                             ActionKeys.MANAGE_STAGING) ||
162                                      permissionChecker.hasPermission(
163                                             groupId, Group.class.getName(), groupId,
164                                             ActionKeys.PUBLISH_STAGING) ||
165                                      permissionChecker.hasPermission(
166                                             groupId, Group.class.getName(), groupId,
167                                             ActionKeys.UPDATE))) {
168    
169                            return true;
170                    }
171    
172                    // Group id must be set so that users can modify their personal pages
173    
174                    if (permissionChecker.hasPermission(
175                                    groupId, Group.class.getName(), groupId, actionId)) {
176    
177                            return true;
178                    }
179    
                       // Inheritance: MANAGE_SUBGROUPS on an ancestor grants the requested
                       // action, whatever it is.
                       //
                       // NOTE(review): each call re-enters this method for the parent,
                       // which runs its own ancestor loop, so on a denial the same
                       // ancestors are evaluated repeatedly. Confirm the cost is
                       // acceptable for deeply nested groups.
180                    while (!group.isRoot()) {
181                            if (contains(
182                                            permissionChecker, group.getParentGroupId(),
183                                            ActionKeys.MANAGE_SUBGROUPS)) {
184    
185                                    return true;
186                            }
187    
188                            group = group.getParentGroup();
189                    }
190    
191                    return false;
192            }
193    
               /**
                * Returns <code>true</code> if the caller may perform the action on the
                * group with the given ID.
                *
                * <p>
                * An ID that is not positive is denied without a lookup. Otherwise the
                * group is loaded and the decision is delegated to
                * {@link #contains(PermissionChecker, Group, String)}.
                * </p>
                *
                * @param  permissionChecker the permission checker of the caller
                * @param  groupId the primary key of the group being accessed
                * @param  actionId the action to authorize
                * @return <code>true</code> if the action is granted;
                *         <code>false</code> otherwise
                * @throws PortalException if the group lookup or the delegated check
                *         throws (presumably when no group has that ID; confirm against
                *         <code>GroupLocalServiceUtil.getGroup</code>)
                */
194            @Override
195            public boolean contains(
196                            PermissionChecker permissionChecker, long groupId, String actionId)
197                    throws PortalException {
198    
199                    if (groupId > 0) {
200                            Group group = GroupLocalServiceUtil.getGroup(groupId);
201    
202                            return contains(permissionChecker, group, actionId);
203                    }
204                    else {
205                            return false;
206                    }
207            }
208    
               /**
                * Returns <code>true</code> if the caller holds the action on the group
                * model when no particular group is named.
                *
                * <p>
                * The lookup passes <code>0</code> both as the group ID and as the
                * primary key. None of the staging, user group or ancestor rules of
                * {@link #contains(PermissionChecker, Group, String)} apply here.
                * </p>
                *
                * @param  permissionChecker the permission checker of the caller
                * @param  actionId the action to authorize
                * @return the result of <code>permissionChecker.hasPermission</code>
                */
209            @Override
210            public boolean contains(
211                    PermissionChecker permissionChecker, String actionId) {
212    
213                    return permissionChecker.hasPermission(
214                            0, Group.class.getName(), 0, actionId);
215            }
216    
217    }