001    /**
002     * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.service.permission;
016    
017    import com.liferay.portal.kernel.exception.PortalException;
018    import com.liferay.portal.kernel.log.Log;
019    import com.liferay.portal.kernel.log.LogFactoryUtil;
020    import com.liferay.portal.kernel.model.Contact;
021    import com.liferay.portal.kernel.model.Group;
022    import com.liferay.portal.kernel.model.Organization;
023    import com.liferay.portal.kernel.model.ResourceConstants;
024    import com.liferay.portal.kernel.model.RoleConstants;
025    import com.liferay.portal.kernel.model.User;
026    import com.liferay.portal.kernel.security.auth.PrincipalException;
027    import com.liferay.portal.kernel.security.permission.ActionKeys;
028    import com.liferay.portal.kernel.security.permission.BaseModelPermissionChecker;
029    import com.liferay.portal.kernel.security.permission.PermissionChecker;
030    import com.liferay.portal.kernel.service.OrganizationLocalServiceUtil;
031    import com.liferay.portal.kernel.service.UserGroupRoleLocalServiceUtil;
032    import com.liferay.portal.kernel.service.UserLocalServiceUtil;
033    import com.liferay.portal.kernel.service.permission.OrganizationPermissionUtil;
034    import com.liferay.portal.kernel.service.permission.UserPermission;
035    import com.liferay.portal.kernel.spring.osgi.OSGiBeanProperties;
036    import com.liferay.portal.kernel.util.PortalUtil;
037    
038    import java.util.List;
039    
/**
 * Permission checker for {@link User} model resources.
 *
 * <p>Decides whether a {@link PermissionChecker} may perform an action on a
 * given user. The {@code contains} methods answer the question; the
 * {@code check} methods throw {@link PrincipalException.MustHavePermission}
 * when the answer is negative. The decision takes into account the relative
 * omniadmin / company-admin rank of checker and target, resource ownership,
 * explicit resource permissions on the {@code User} class, and organization
 * level user-management roles.</p>
 *
 * @author Charles May
 * @author Jorge Ferrer
 */
@OSGiBeanProperties(
        // Registers this checker for the User model class name
        property = {"model.class.name=com.liferay.portal.kernel.model.User"}
)
public class UserPermissionImpl
        implements BaseModelPermissionChecker, UserPermission {

        /**
         * Checks the permission using the two given ids as the candidate
         * organization ids; delegates to the array-based {@code check}.
         *
         * @param  permissionChecker the checker acting on the user
         * @param  userId the primary key of the target user
         * @param  organizationId an organization id to consider
         * @param  locationId a second organization id to consider
         * @param  actionId the action key being checked
         * @throws PrincipalException if the checker lacks the permission
         * @deprecated As of 6.2.0, replaced by {@link #check(PermissionChecker,
         *             long, long[], String)}
         */
        @Deprecated
        @Override
        public void check(
                        PermissionChecker permissionChecker, long userId,
                        long organizationId, long locationId, String actionId)
                throws PrincipalException {

                check(
                        permissionChecker, userId, new long[] {organizationId, locationId},
                        actionId);
        }

        /**
         * Throws if the checker may not perform the action on the user, as
         * decided by {@link #contains(PermissionChecker, long, long[], String)}.
         *
         * @param  permissionChecker the checker acting on the user
         * @param  userId the primary key of the target user
         * @param  organizationIds the organizations through which a
         *         MANAGE_USERS role may grant the action; {@code null} means
         *         the target user's own organizations
         * @param  actionId the action key being checked
         * @throws PrincipalException if the checker lacks the permission
         */
        @Override
        public void check(
                        PermissionChecker permissionChecker, long userId,
                        long[] organizationIds, String actionId)
                throws PrincipalException {

                if (!contains(permissionChecker, userId, organizationIds, actionId)) {
                        throw new PrincipalException.MustHavePermission(
                                permissionChecker, User.class.getName(), userId, actionId);
                }
        }

        /**
         * Throws if the checker may not perform the action on the user, as
         * decided by {@link #contains(PermissionChecker, long, String)}.
         *
         * @param  permissionChecker the checker acting on the user
         * @param  userId the primary key of the target user
         * @param  actionId the action key being checked
         * @throws PrincipalException if the checker lacks the permission
         */
        @Override
        public void check(
                        PermissionChecker permissionChecker, long userId, String actionId)
                throws PrincipalException {

                if (!contains(permissionChecker, userId, actionId)) {
                        throw new PrincipalException.MustHavePermission(
                                permissionChecker, User.class.getName(), userId, actionId);
                }
        }

        /**
         * Base-model entry point: treats {@code primaryKey} as a user id, loads
         * that user's organizations and checks the action against all of them.
         *
         * @param  permissionChecker the checker acting on the user
         * @param  groupId unused by this implementation
         * @param  primaryKey the primary key of the target user
         * @param  actionId the action key being checked
         * @throws PortalException if the checker lacks the permission or the
         *         organizations cannot be loaded
         */
        @Override
        public void checkBaseModel(
                        PermissionChecker permissionChecker, long groupId, long primaryKey,
                        String actionId)
                throws PortalException {

                List<Organization> organizations =
                        OrganizationLocalServiceUtil.getUserOrganizations(primaryKey);

                long[] organizationsIds = new long[organizations.size()];

                for (int i = 0; i < organizations.size(); i++) {
                        Organization organization = organizations.get(i);

                        organizationsIds[i] = organization.getOrganizationId();
                }

                // An empty array (user without organizations) means only the
                // non-organization rules in contains() can grant the action
                check(permissionChecker, primaryKey, organizationsIds, actionId);
        }

        /**
         * Returns whether the checker may perform the action on the user, using
         * the two given ids as the candidate organization ids.
         *
         * @param  permissionChecker the checker acting on the user
         * @param  userId the primary key of the target user
         * @param  organizationId an organization id to consider
         * @param  locationId a second organization id to consider
         * @param  actionId the action key being checked
         * @return {@code true} if the action is permitted
         * @deprecated As of 6.2.0, replaced by {@link #contains(PermissionChecker,
         *             long, long[], String)}
         */
        @Deprecated
        @Override
        public boolean contains(
                PermissionChecker permissionChecker, long userId, long organizationId,
                long locationId, String actionId) {

                return contains(
                        permissionChecker, userId, new long[] {organizationId, locationId},
                        actionId);
        }

        /**
         * Returns whether the checker may perform the action on the user.
         *
         * <p>Rules are evaluated in this order:</p>
         *
         * <ol>
         * <li>Deny DELETE, IMPERSONATE, PERMISSIONS, UPDATE and VIEW when a
         *     non-omniadmin checker targets an omniadmin, or a non-company-admin
         *     checker targets a company admin (prevents acting on a
         *     higher-ranked account).</li>
         * <li>Allow if the checker owns the user resource or is the user.</li>
         * <li>Allow if the checker has the action on the {@code User} resource
         *     (checked with group id {@code 0}).</li>
         * <li>Otherwise, allow if the checker has MANAGE_USERS on one of the
         *     organizations and the target's organization role does not
         *     outrank the checker's (see the inline comments).</li>
         * </ol>
         *
         * <p>Any exception thrown while evaluating is logged and treated as a
         * denial.</p>
         *
         * @param  permissionChecker the checker acting on the user
         * @param  userId the primary key of the target user, or
         *         {@link ResourceConstants#PRIMKEY_DNE} when there is no
         *         concrete user (only rule 3 can then apply)
         * @param  organizationIds the organizations through which a
         *         MANAGE_USERS role may grant the action; {@code null} means
         *         the target user's own organizations
         * @param  actionId the action key being checked
         * @return {@code true} if the action is permitted, {@code false}
         *         otherwise or on any error
         */
        @Override
        public boolean contains(
                PermissionChecker permissionChecker, long userId,
                long[] organizationIds, String actionId) {

                try {
                        User user = null;

                        if (userId != ResourceConstants.PRIMKEY_DNE) {
                                user = UserLocalServiceUtil.getUserById(userId);

                                // A checker may not perform these actions on an account of
                                // higher rank than its own: omniadmin targets require an
                                // omniadmin checker, company-admin targets at least a
                                // company-admin checker
                                if ((actionId.equals(ActionKeys.DELETE) ||
                                         actionId.equals(ActionKeys.IMPERSONATE) ||
                                         actionId.equals(ActionKeys.PERMISSIONS) ||
                                         actionId.equals(ActionKeys.UPDATE) ||
                                         actionId.equals(ActionKeys.VIEW)) &&
                                        !permissionChecker.isOmniadmin() &&
                                        (PortalUtil.isOmniadmin(user) ||
                                         (!permissionChecker.isCompanyAdmin() &&
                                          PortalUtil.isCompanyAdmin(user)))) {

                                        return false;
                                }

                                Contact contact = user.getContact();

                                // The contact's user id is what is treated as the resource
                                // owner here; the user may always act on itself
                                if (permissionChecker.hasOwnerPermission(
                                                permissionChecker.getCompanyId(), User.class.getName(),
                                                userId, contact.getUserId(), actionId) ||
                                        (permissionChecker.getUserId() == userId)) {

                                        return true;
                                }
                        }

                        // Explicit resource permission on the User class, group id 0
                        if (permissionChecker.hasPermission(
                                        0, User.class.getName(), userId, actionId)) {

                                return true;
                        }

                        // No concrete user: the organization rules below need one
                        if (user == null) {
                                return false;
                        }

                        if (organizationIds == null) {
                                organizationIds = user.getOrganizationIds();
                        }

                        for (long organizationId : organizationIds) {
                                // Presumably throws for an unknown id, which the catch below
                                // turns into a denial -- TODO confirm
                                Organization organization =
                                        OrganizationLocalServiceUtil.getOrganization(
                                                organizationId);

                                if (OrganizationPermissionUtil.contains(
                                                permissionChecker, organization,
                                                ActionKeys.MANAGE_USERS)) {

                                        if (permissionChecker.getUserId() == user.getUserId()) {
                                                return true;
                                        }

                                        Group organizationGroup = organization.getGroup();

                                        // Organization administrators can only manage normal users.
                                        // Owners can only manage normal users and administrators.

                                        // Target is an owner of this organization: MANAGE_USERS
                                        // here is not enough, try the next organization
                                        if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
                                                        user.getUserId(), organizationGroup.getGroupId(),
                                                        RoleConstants.ORGANIZATION_OWNER, true)) {

                                                continue;
                                        }
                                        // Target is an administrator of this organization and the
                                        // checker is not one of its owners: not enough either
                                        else if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
                                                                user.getUserId(),
                                                                organizationGroup.getGroupId(),
                                                                RoleConstants.ORGANIZATION_ADMINISTRATOR,
                                                                true) &&
                                                         !UserGroupRoleLocalServiceUtil.hasUserGroupRole(
                                                                 permissionChecker.getUserId(),
                                                                organizationGroup.getGroupId(),
                                                                RoleConstants.ORGANIZATION_OWNER, true)) {

                                                continue;
                                        }

                                        return true;
                                }
                        }
                }
                catch (Exception e) {
                        // Fail closed: any error during evaluation is logged and the
                        // action is denied by the return below
                        _log.error(e, e);
                }

                return false;
        }

        /**
         * Returns whether the checker may perform the action on the user,
         * considering the target user's own organizations for the
         * MANAGE_USERS rule.
         *
         * @param  permissionChecker the checker acting on the user
         * @param  userId the primary key of the target user
         * @param  actionId the action key being checked
         * @return {@code true} if the action is permitted
         */
        @Override
        public boolean contains(
                PermissionChecker permissionChecker, long userId, String actionId) {

                // null organization ids resolve to user.getOrganizationIds() in the
                // array-based overload
                return contains(permissionChecker, userId, null, actionId);
        }

        private static final Log _log = LogFactoryUtil.getLog(
                UserPermissionImpl.class);

}