001    /**
002     * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.security.permission;
016    
017    import com.liferay.portal.kernel.dao.orm.QueryUtil;
018    import com.liferay.portal.kernel.exception.NoSuchResourcePermissionException;
019    import com.liferay.portal.kernel.exception.PortalException;
020    import com.liferay.portal.kernel.log.Log;
021    import com.liferay.portal.kernel.log.LogFactoryUtil;
022    import com.liferay.portal.kernel.model.Company;
023    import com.liferay.portal.kernel.model.Group;
024    import com.liferay.portal.kernel.model.GroupConstants;
025    import com.liferay.portal.kernel.model.GroupedModel;
026    import com.liferay.portal.kernel.model.Layout;
027    import com.liferay.portal.kernel.model.Organization;
028    import com.liferay.portal.kernel.model.OrganizationConstants;
029    import com.liferay.portal.kernel.model.PermissionedModel;
030    import com.liferay.portal.kernel.model.PortletConstants;
031    import com.liferay.portal.kernel.model.Resource;
032    import com.liferay.portal.kernel.model.ResourceBlockConstants;
033    import com.liferay.portal.kernel.model.ResourceConstants;
034    import com.liferay.portal.kernel.model.Role;
035    import com.liferay.portal.kernel.model.RoleConstants;
036    import com.liferay.portal.kernel.model.Team;
037    import com.liferay.portal.kernel.security.permission.ActionKeys;
038    import com.liferay.portal.kernel.security.permission.PermissionChecker;
039    import com.liferay.portal.kernel.security.permission.ResourceActionsUtil;
040    import com.liferay.portal.kernel.security.permission.ResourceBlockIdsBag;
041    import com.liferay.portal.kernel.security.permission.UserBag;
042    import com.liferay.portal.kernel.security.permission.UserBagFactoryUtil;
043    import com.liferay.portal.kernel.service.GroupLocalServiceUtil;
044    import com.liferay.portal.kernel.service.LayoutLocalServiceUtil;
045    import com.liferay.portal.kernel.service.OrganizationLocalServiceUtil;
046    import com.liferay.portal.kernel.service.ResourceBlockLocalServiceUtil;
047    import com.liferay.portal.kernel.service.ResourceLocalServiceUtil;
048    import com.liferay.portal.kernel.service.ResourcePermissionLocalServiceUtil;
049    import com.liferay.portal.kernel.service.RoleLocalServiceUtil;
050    import com.liferay.portal.kernel.service.TeamLocalServiceUtil;
051    import com.liferay.portal.kernel.service.UserGroupRoleLocalServiceUtil;
052    import com.liferay.portal.kernel.service.permission.LayoutPrototypePermissionUtil;
053    import com.liferay.portal.kernel.service.permission.LayoutSetPrototypePermissionUtil;
054    import com.liferay.portal.kernel.service.permission.PortletPermissionUtil;
055    import com.liferay.portal.kernel.util.ArrayUtil;
056    import com.liferay.portal.kernel.util.CharPool;
057    import com.liferay.portal.kernel.util.GetterUtil;
058    import com.liferay.portal.kernel.util.ListUtil;
059    import com.liferay.portal.kernel.util.SetUtil;
060    import com.liferay.portal.kernel.util.StringBundler;
061    import com.liferay.portal.kernel.util.Validator;
062    
063    import java.util.ArrayList;
064    import java.util.Arrays;
065    import java.util.Collections;
066    import java.util.LinkedHashMap;
067    import java.util.List;
068    import java.util.Set;
069    
070    import org.apache.commons.lang.time.StopWatch;
071    
072    /**
073     * @author Charles May
074     * @author Brian Wing Shun Chan
075     * @author Raymond Aug??
076     * @author Wesley Gong
077     * @author Connor McKay
078     */
079    public class AdvancedPermissionChecker extends BasePermissionChecker {
080    
081            @Override
082            public AdvancedPermissionChecker clone() {
083                    return new AdvancedPermissionChecker();
084            }
085    
086            public ResourceBlockIdsBag getGuestResourceBlockIdsBag(
087                            long companyId, long groupId, String name)
088                    throws Exception {
089    
090                    ResourceBlockIdsBag resourceBlockIdsBag =
091                            PermissionCacheUtil.getResourceBlockIdsBag(
092                                    companyId, groupId, defaultUserId, name);
093    
094                    if (resourceBlockIdsBag != null) {
095                            return resourceBlockIdsBag;
096                    }
097    
098                    try {
099                            resourceBlockIdsBag =
100                                    ResourceBlockLocalServiceUtil.getResourceBlockIdsBag(
101                                            getCompanyId(), groupId, name, getGuestUserRoleIds());
102    
103                            PermissionCacheUtil.putResourceBlockIdsBag(
104                                    companyId, groupId, defaultUserId, name, resourceBlockIdsBag);
105    
106                            return resourceBlockIdsBag;
107                    }
108                    catch (Exception e) {
109                            PermissionCacheUtil.removeResourceBlockIdsBag(
110                                    getCompanyId(), groupId, defaultUserId, name);
111    
112                            throw e;
113                    }
114            }
115    
116            /**
117             * Returns the permission checker bag for the guest user.
118             *
119             * @return the permission checker bag for the guest user
120             * @throws Exception if an exception occurred
121             */
122            public long[] getGuestUserRoleIds() throws Exception {
123                    Group guestGroup = GroupLocalServiceUtil.getGroup(
124                            getCompanyId(), GroupConstants.GUEST);
125    
126                    long[] roleIds = PermissionCacheUtil.getUserGroupRoleIds(
127                            defaultUserId, guestGroup.getGroupId());
128    
129                    if (roleIds != null) {
130                            return roleIds;
131                    }
132    
133                    try {
134                            List<Role> roles = RoleLocalServiceUtil.getUserRelatedRoles(
135                                    defaultUserId, Collections.singletonList(guestGroup));
136    
137                            // Only use the guest group for deriving the roles for
138                            // unauthenticated users. Do not add the group to the permission bag
139                            // as this implies group membership which is incorrect in the case
140                            // of unauthenticated users.
141    
142                            roleIds = ListUtil.toLongArray(roles, Role.ROLE_ID_ACCESSOR);
143    
144                            Arrays.sort(roleIds);
145    
146                            PermissionCacheUtil.putUserGroupRoleIds(
147                                    defaultUserId, guestGroup.getGroupId(), roleIds);
148                    }
149                    catch (Exception e) {
150                            PermissionCacheUtil.removeUserGroupRoleIds(
151                                    defaultUserId, guestGroup.getGroupId());
152    
153                            throw e;
154                    }
155    
156                    return roleIds;
157            }
158    
159            @Override
160            public List<Long> getOwnerResourceBlockIds(
161                    long companyId, long groupId, String name, String actionId) {
162    
163                    try {
164                            ResourceBlockIdsBag resourceBlockIdsBag =
165                                    getOwnerResourceBlockIdsBag(companyId, groupId, name);
166    
167                            return ResourceBlockLocalServiceUtil.getResourceBlockIds(
168                                    resourceBlockIdsBag, name, actionId);
169                    }
170                    catch (Exception e) {
171                            if (_log.isDebugEnabled()) {
172                                    _log.debug(e, e);
173                            }
174                    }
175    
176                    return Collections.emptyList();
177            }
178    
179            public ResourceBlockIdsBag getOwnerResourceBlockIdsBag(
180                    long companyId, long groupId, String name) {
181    
182                    ResourceBlockIdsBag resourceBlockIdsBag =
183                            PermissionCacheUtil.getResourceBlockIdsBag(
184                                    companyId, groupId, ResourceBlockConstants.OWNER_USER_ID, name);
185    
186                    if (resourceBlockIdsBag != null) {
187                            return resourceBlockIdsBag;
188                    }
189    
190                    try {
191                            long[] roleIds = {getOwnerRoleId()};
192    
193                            resourceBlockIdsBag =
194                                    ResourceBlockLocalServiceUtil.getResourceBlockIdsBag(
195                                            getCompanyId(), groupId, name, roleIds);
196    
197                            PermissionCacheUtil.putResourceBlockIdsBag(
198                                    companyId, groupId, ResourceBlockConstants.OWNER_USER_ID, name,
199                                    resourceBlockIdsBag);
200    
201                            return resourceBlockIdsBag;
202                    }
203                    catch (Exception e) {
204                            PermissionCacheUtil.removeResourceBlockIdsBag(
205                                    companyId, groupId, ResourceBlockConstants.OWNER_USER_ID, name);
206    
207                            throw e;
208                    }
209            }
210    
211            @Override
212            public List<Long> getResourceBlockIds(
213                    long companyId, long groupId, long userId, String name,
214                    String actionId) {
215    
216                    try {
217                            ResourceBlockIdsBag resourceBlockIdsBag = getResourceBlockIdsBag(
218                                    companyId, groupId, name, getRoleIds(getUserId(), groupId));
219    
220                            return ResourceBlockLocalServiceUtil.getResourceBlockIds(
221                                    resourceBlockIdsBag, name, actionId);
222                    }
223                    catch (Exception e) {
224                            if (_log.isDebugEnabled()) {
225                                    _log.debug(e, e);
226                            }
227                    }
228    
229                    return Collections.emptyList();
230            }
231    
232            public ResourceBlockIdsBag getResourceBlockIdsBag(
233                            long companyId, long groupId, String name, long[] roleIds)
234                    throws Exception {
235    
236                    ResourceBlockIdsBag resourceBlockIdsBag =
237                            PermissionCacheUtil.getResourceBlockIdsBag(
238                                    companyId, groupId, getUserId(), name);
239    
240                    if (resourceBlockIdsBag != null) {
241                            return resourceBlockIdsBag;
242                    }
243    
244                    try {
245                            resourceBlockIdsBag =
246                                    ResourceBlockLocalServiceUtil.getResourceBlockIdsBag(
247                                            getCompanyId(), groupId, name, roleIds);
248    
249                            PermissionCacheUtil.putResourceBlockIdsBag(
250                                    companyId, groupId, getUserId(), name, resourceBlockIdsBag);
251    
252                            return resourceBlockIdsBag;
253                    }
254                    catch (Exception e) {
255                            PermissionCacheUtil.removeResourceBlockIdsBag(
256                                    companyId, groupId, getUserId(), name);
257    
258                            throw e;
259                    }
260            }
261    
262            @Override
263            public long[] getRoleIds(long userId, long groupId) {
264                    try {
265                            return doGetRoleIds(userId, groupId);
266                    }
267                    catch (Exception e) {
268                            if (_log.isDebugEnabled()) {
269                                    _log.debug(e, e);
270                            }
271    
272                            return PermissionChecker.DEFAULT_ROLE_IDS;
273                    }
274            }
275    
276            @Override
277            public UserBag getUserBag() throws PortalException {
278                    return UserBagFactoryUtil.create(getUserId());
279            }
280    
281            @Override
282            public boolean hasOwnerPermission(
283                    long companyId, String name, String primKey, long ownerId,
284                    String actionId) {
285    
286                    if (ownerId != getUserId()) {
287                            return false;
288                    }
289    
290                    boolean ownerIsDefaultUser = false;
291    
292                    if (ownerId == defaultUserId) {
293                            ownerIsDefaultUser = true;
294                    }
295    
296                    if (ownerIsDefaultUser) {
297                            List<String> guestUnsupportedActions;
298    
299                            if (name.indexOf(CharPool.PERIOD) != -1) {
300                                    guestUnsupportedActions =
301                                            ResourceActionsUtil.getModelResourceGuestUnsupportedActions(
302                                                    name);
303                            }
304                            else {
305                                    guestUnsupportedActions =
306                                            ResourceActionsUtil.
307                                                    getPortletResourceGuestUnsupportedActions(name);
308                            }
309    
310                            if (guestUnsupportedActions.contains(actionId)) {
311                                    return false;
312                            }
313                    }
314    
315                    try {
316                            if (ResourceBlockLocalServiceUtil.isSupported(name)) {
317                                    PermissionedModel permissionedModel =
318                                            ResourceBlockLocalServiceUtil.getPermissionedModel(
319                                                    name, GetterUtil.getLong(primKey));
320    
321                                    long groupId = 0;
322    
323                                    if (permissionedModel instanceof GroupedModel) {
324                                            GroupedModel groupedModel = (GroupedModel)permissionedModel;
325    
326                                            groupId = groupedModel.getGroupId();
327                                    }
328    
329                                    ResourceBlockIdsBag resourceBlockIdsBag = null;
330    
331                                    if (ownerIsDefaultUser) {
332                                            resourceBlockIdsBag = getGuestResourceBlockIdsBag(
333                                                    companyId, groupId, name);
334                                    }
335                                    else {
336                                            resourceBlockIdsBag = getOwnerResourceBlockIdsBag(
337                                                    companyId, groupId, name);
338                                    }
339    
340                                    return ResourceBlockLocalServiceUtil.hasPermission(
341                                            name, permissionedModel, actionId, resourceBlockIdsBag);
342                            }
343    
344                            long ownerRoleId = getOwnerRoleId();
345    
346                            if (ownerIsDefaultUser) {
347                                    Role guestRole = RoleLocalServiceUtil.getRole(
348                                            companyId, RoleConstants.GUEST);
349    
350                                    ownerRoleId = guestRole.getRoleId();
351                            }
352    
353                            return ResourcePermissionLocalServiceUtil.hasResourcePermission(
354                                    companyId, name, ResourceConstants.SCOPE_INDIVIDUAL, primKey,
355                                    ownerRoleId, actionId);
356                    }
357                    catch (Exception e) {
358                            if (_log.isDebugEnabled()) {
359                                    _log.debug(e, e);
360                            }
361                    }
362    
363                    return false;
364            }
365    
366            @Override
367            public boolean hasPermission(
368                    long groupId, String name, String primKey, String actionId) {
369    
370                    StopWatch stopWatch = new StopWatch();
371    
372                    stopWatch.start();
373    
374                    boolean checkOwnerPermission = false;
375                    Group group = null;
376    
377                    try {
378                            if (groupId > 0) {
379                                    group = GroupLocalServiceUtil.getGroup(groupId);
380    
381                                    // If the group is a scope group for a layout, check the
382                                    // original group.
383    
384                                    if (group.isLayout() &&
385                                            !ResourceBlockLocalServiceUtil.isSupported(name)) {
386    
387                                            Layout layout = LayoutLocalServiceUtil.getLayout(
388                                                    group.getClassPK());
389    
390                                            groupId = layout.getGroupId();
391    
392                                            group = GroupLocalServiceUtil.getGroup(groupId);
393                                    }
394                                    else if (group.isUserPersonalSite()) {
395                                            return false;
396                                    }
397    
398                                    // If the group is a personal site, check the "User Personal
399                                    // Site" group.
400    
401                                    if (group.isUser() && (group.getClassPK() == getUserId())) {
402                                            checkOwnerPermission = true;
403    
404                                            group = GroupLocalServiceUtil.getGroup(
405                                                    getCompanyId(), GroupConstants.USER_PERSONAL_SITE);
406    
407                                            groupId = group.getGroupId();
408                                    }
409                            }
410                    }
411                    catch (Exception e) {
412                            _log.error(e, e);
413                    }
414    
415                    long[] roleIds = getRoleIds(getUserId(), groupId);
416    
417                    Boolean value = PermissionCacheUtil.getPermission(
418                            groupId, name, primKey, roleIds, actionId);
419    
420                    if (value != null) {
421                            return value;
422                    }
423    
424                    try {
425                            if (checkOwnerPermission) {
426                                    value = hasOwnerPermission(
427                                            getCompanyId(), name, primKey, getUserId(), actionId);
428                            }
429    
430                            if ((value == null) || !value) {
431                                    value = hasPermissionImpl(
432                                            groupId, name, primKey, roleIds, actionId);
433                            }
434    
435                            if (_log.isDebugEnabled()) {
436                                    _log.debug(
437                                            "Checking permission for " + groupId + " " + name + " " +
438                                                    primKey + " " + actionId + " takes " +
439                                                            stopWatch.getTime() + " ms");
440                            }
441    
442                            PermissionCacheUtil.putPermission(
443                                    groupId, name, primKey, roleIds, actionId, value);
444                    }
445                    catch (Exception e) {
446                            PermissionCacheUtil.removePermission(
447                                    groupId, name, primKey, roleIds, actionId);
448    
449                            throw e;
450                    }
451    
452                    return value;
453            }
454    
455            @Override
456            public boolean isCompanyAdmin() {
457                    try {
458                            return isCompanyAdminImpl(user.getCompanyId());
459                    }
460                    catch (Exception e) {
461                            _log.error(e, e);
462    
463                            return false;
464                    }
465            }
466    
467            @Override
468            public boolean isCompanyAdmin(long companyId) {
469                    try {
470                            return isCompanyAdminImpl(companyId);
471                    }
472                    catch (Exception e) {
473                            _log.error(e, e);
474    
475                            return false;
476                    }
477            }
478    
479            @Override
480            public boolean isContentReviewer(long companyId, long groupId) {
481                    try {
482                            return isContentReviewerImpl(companyId, groupId);
483                    }
484                    catch (Exception e) {
485                            _log.error(e, e);
486                    }
487    
488                    return false;
489            }
490    
491            @Override
492            public boolean isGroupAdmin(long groupId) {
493                    try {
494                            return isGroupAdminImpl(groupId);
495                    }
496                    catch (Exception e) {
497                            _log.error(e, e);
498    
499                            return false;
500                    }
501            }
502    
503            @Override
504            public boolean isGroupMember(long groupId) {
505                    try {
506                            return isGroupMemberImpl(groupId);
507                    }
508                    catch (Exception e) {
509                            _log.error(e, e);
510    
511                            return false;
512                    }
513            }
514    
515            @Override
516            public boolean isGroupOwner(long groupId) {
517                    try {
518                            return isGroupOwnerImpl(groupId);
519                    }
520                    catch (Exception e) {
521                            _log.error(e, e);
522    
523                            return false;
524                    }
525            }
526    
527            @Override
528            public boolean isOrganizationAdmin(long organizationId) {
529                    try {
530                            return isOrganizationAdminImpl(organizationId);
531                    }
532                    catch (Exception e) {
533                            _log.error(e, e);
534    
535                            return false;
536                    }
537            }
538    
539            @Override
540            public boolean isOrganizationOwner(long organizationId) {
541                    try {
542                            return isOrganizationOwnerImpl(organizationId);
543                    }
544                    catch (Exception e) {
545                            _log.error(e, e);
546    
547                            return false;
548                    }
549            }
550    
551            protected void addTeamRoles(long userId, Group group, Set<Long> roleIds)
552                    throws Exception {
553    
554                    List<Team> userTeams = TeamLocalServiceUtil.getUserTeams(
555                            userId, group.getGroupId());
556    
557                    for (Team team : userTeams) {
558                            Role role = RoleLocalServiceUtil.getTeamRole(
559                                    team.getCompanyId(), team.getTeamId());
560    
561                            roleIds.add(role.getRoleId());
562                    }
563    
564                    LinkedHashMap<String, Object> teamParams = new LinkedHashMap<>();
565    
566                    teamParams.put("usersUserGroups", userId);
567    
568                    List<Team> userGroupTeams = TeamLocalServiceUtil.search(
569                            group.getGroupId(), null, null, teamParams, QueryUtil.ALL_POS,
570                            QueryUtil.ALL_POS, null);
571    
572                    for (Team team : userGroupTeams) {
573                            Role role = RoleLocalServiceUtil.getTeamRole(
574                                    team.getCompanyId(), team.getTeamId());
575    
576                            roleIds.add(role.getRoleId());
577                    }
578            }
579    
580            protected boolean doCheckPermission(
581                            long companyId, long groupId, String name, String primKey,
582                            long[] roleIds, String actionId, StopWatch stopWatch)
583                    throws Exception {
584    
585                    logHasUserPermission(groupId, name, primKey, actionId, stopWatch, 1);
586    
587                    if (ResourceBlockLocalServiceUtil.isSupported(name)) {
588                            ResourceBlockIdsBag resourceBlockIdsBag = getResourceBlockIdsBag(
589                                    companyId, groupId, name, roleIds);
590    
591                            boolean value = ResourceBlockLocalServiceUtil.hasPermission(
592                                    name, GetterUtil.getLong(primKey), actionId,
593                                    resourceBlockIdsBag);
594    
595                            logHasUserPermission(
596                                    groupId, name, primKey, actionId, stopWatch, 2);
597    
598                            return value;
599                    }
600    
601                    List<Resource> resources = getResources(
602                            companyId, groupId, name, primKey, actionId);
603    
604                    resources = fixMissingResources(
605                            companyId, groupId, name, primKey, actionId, resources);
606    
607                    logHasUserPermission(groupId, name, primKey, actionId, stopWatch, 3);
608    
609                    // Check if user has access to perform the action on the given resource
610                    // scopes. The resources are scoped to check first for an individual
611                    // class, then for the group that the class may belong to, and then for
612                    // the company that the class belongs to.
613    
614                    boolean value = ResourceLocalServiceUtil.hasUserPermissions(
615                            user.getUserId(), groupId, resources, actionId, roleIds);
616    
617                    logHasUserPermission(groupId, name, primKey, actionId, stopWatch, 4);
618    
619                    return value;
620            }
621    
622            protected long[] doGetRoleIds(long userId, long groupId) throws Exception {
623                    if (!signedIn) {
624                            return getGuestUserRoleIds();
625                    }
626    
627                    long[] roleIds = PermissionCacheUtil.getUserGroupRoleIds(
628                            userId, groupId);
629    
630                    if (roleIds != null) {
631                            return roleIds;
632                    }
633    
634                    try {
635                            Group group = null;
636    
637                            long parentGroupId = 0;
638    
639                            if (groupId > 0) {
640                                    group = GroupLocalServiceUtil.getGroup(groupId);
641    
642                                    if (group.isLayout()) {
643                                            parentGroupId = group.getParentGroupId();
644    
645                                            if (parentGroupId > 0) {
646                                                    group = GroupLocalServiceUtil.getGroup(parentGroupId);
647                                            }
648                                    }
649                            }
650    
651                            UserBag userBag = getUserBag();
652    
653                            Set<Long> roleIdsSet = SetUtil.fromArray(userBag.getRoleIds());
654    
655                            List<Role> userGroupRoles = RoleLocalServiceUtil.getUserGroupRoles(
656                                    userId, groupId);
657    
658                            for (Role userGroupRole : userGroupRoles) {
659                                    roleIdsSet.add(userGroupRole.getRoleId());
660                            }
661    
662                            if (parentGroupId > 0) {
663                                    userGroupRoles = RoleLocalServiceUtil.getUserGroupRoles(
664                                            userId, parentGroupId);
665    
666                                    for (Role userGroupRole : userGroupRoles) {
667                                            roleIdsSet.add(userGroupRole.getRoleId());
668                                    }
669                            }
670    
671                            List<Role> userGroupGroupRoles =
672                                    RoleLocalServiceUtil.getUserGroupGroupRoles(userId, groupId);
673    
674                            for (Role userGroupGroupRole : userGroupGroupRoles) {
675                                    roleIdsSet.add(userGroupGroupRole.getRoleId());
676                            }
677    
678                            if (parentGroupId > 0) {
679                                    userGroupGroupRoles =
680                                            RoleLocalServiceUtil.getUserGroupGroupRoles(
681                                                    userId, parentGroupId);
682    
683                                    for (Role userGroupGroupRole : userGroupGroupRoles) {
684                                            roleIdsSet.add(userGroupGroupRole.getRoleId());
685                                    }
686                            }
687    
688                            if (group != null) {
689                                    if (group.isOrganization() && userBag.hasUserOrgGroup(group)) {
690                                            Role organizationUserRole = RoleLocalServiceUtil.getRole(
691                                                    group.getCompanyId(), RoleConstants.ORGANIZATION_USER);
692    
693                                            roleIdsSet.add(organizationUserRole.getRoleId());
694                                    }
695    
696                                    if ((group.isSite() &&
697                                             (userBag.hasUserGroup(group) ||
698                                              userBag.hasUserOrgGroup(group))) ||
699                                            group.isUserPersonalSite()) {
700    
701                                            Role siteMemberRole = RoleLocalServiceUtil.getRole(
702                                                    group.getCompanyId(), RoleConstants.SITE_MEMBER);
703    
704                                            roleIdsSet.add(siteMemberRole.getRoleId());
705                                    }
706    
707                                    if ((group.isOrganization() &&
708                                             userBag.hasUserOrgGroup(group)) ||
709                                            (group.isSite() && userBag.hasUserGroup(group))) {
710    
711                                            addTeamRoles(userId, group, roleIdsSet);
712                                    }
713                            }
714    
715                            if (checkGuest) {
716                                    for (long roleId : getGuestUserRoleIds()) {
717                                            roleIdsSet.add(roleId);
718                                    }
719                            }
720    
721                            roleIds = ArrayUtil.toLongArray(roleIdsSet);
722    
723                            Arrays.sort(roleIds);
724    
725                            PermissionCacheUtil.putUserGroupRoleIds(userId, groupId, roleIds);
726    
727                            return roleIds;
728                    }
729                    catch (Exception e) {
730                            PermissionCacheUtil.removeUserGroupRoleIds(userId, groupId);
731    
732                            throw e;
733                    }
734            }
735    
736            protected List<Resource> fixMissingResources(
737                            long companyId, long groupId, String name, String primKey,
738                            String actionId, List<Resource> resources)
739                    throws Exception {
740    
741                    int count =
742                            ResourcePermissionLocalServiceUtil.getResourcePermissionsCount(
743                                    companyId, name, ResourceConstants.SCOPE_INDIVIDUAL, primKey);
744    
745                    if (count > 0) {
746                            return resources;
747                    }
748    
749                    String newIndividualResourcePrimKey = null;
750    
751                    if (primKey.contains(PortletConstants.LAYOUT_SEPARATOR)) {
752    
753                            // Using defaults because custom permissions defined for portlet
754                            // resource are not defined
755    
756                            newIndividualResourcePrimKey = name;
757    
758                            if (_log.isDebugEnabled()) {
759                                    String message =
760                                            "Using defaults because custom permissions for " +
761                                                    "portlet resource " + name + " are not defined";
762    
763                                    _log.debug(message, new IllegalArgumentException(message));
764                            }
765                    }
766    
767                    else if ((groupId > 0) &&
768                                     ResourceActionsUtil.isRootModelResource(name)) {
769    
770                            // Using defaults because custom permissions defined for root model
771                            // resource are not defined
772    
773                            newIndividualResourcePrimKey = name;
774    
775                            if (_log.isDebugEnabled()) {
776                                    String message =
777                                            "Using defaults because custom permissions for " +
778                                                    "root model resource " + name + " are not defined";
779    
780                                    _log.debug(message, new IllegalArgumentException(message));
781                            }
782                    }
783    
784                    else if (primKey.equals("0") ||
785                                     primKey.equals(String.valueOf(ResourceConstants.PRIMKEY_DNE))
786                                             ||
787                                     (primKey.equals(String.valueOf(companyId)) &&
788                                      !name.equals(Company.class.getName()))) {
789    
790                            newIndividualResourcePrimKey = name;
791    
792                            if (_log.isWarnEnabled()) {
793                                    StringBundler sb = new StringBundler(9);
794    
795                                    sb.append("Using ");
796                                    sb.append(name);
797                                    sb.append(" as the primary key instead of the legacy primary ");
798                                    sb.append("key ");
799                                    sb.append(primKey);
800                                    sb.append(" that was used for permission checking of ");
801                                    sb.append(name);
802                                    sb.append(" in company ");
803                                    sb.append(companyId);
804    
805                                    _log.warn(
806                                            sb.toString(), new IllegalArgumentException(sb.toString()));
807                            }
808                    }
809    
810                    if (newIndividualResourcePrimKey != null) {
811                            Resource individualResource = resources.get(0);
812    
813                            if (individualResource.getScope() !=
814                                            ResourceConstants.SCOPE_INDIVIDUAL) {
815    
816                                    throw new IllegalArgumentException(
817                                            "The first resource must be an individual scope");
818                            }
819    
820                            individualResource.setPrimKey(name);
821                    }
822    
823                    return resources;
824            }
825    
826            /**
827             * Returns representations of the resource at each scope level.
828             *
829             * <p>
830             * For example, if the class name and primary key of a blog entry were
831             * passed to this method, it would return a resource for the blog entry
832             * itself (individual scope), a resource representing all blog entries
833             * within its group (group scope), a resource standing for all blog entries
834             * within a group the user has a suitable role in (group-template scope),
835             * and a resource signifying all blog entries within the company (company
836             * scope).
837             * </p>
838             *
839             * @param  companyId the primary key of the company
840             * @param  groupId the primary key of the group containing the resource
841             * @param  name the resource's name, which can be either a class name or a
842             *         portlet ID
843             * @param  primKey the primary key of the resource
844             * @param  actionId unused
845             * @return representations of the resource at each scope level
846             * @throws Exception if an exception occurred
847             */
848            protected List<Resource> getResources(
849                            long companyId, long groupId, String name, String primKey,
850                            String actionId)
851                    throws Exception {
852    
853                    // Individual
854    
855                    List<Resource> resources = new ArrayList<>(4);
856    
857                    Resource individualResource = ResourceLocalServiceUtil.getResource(
858                            companyId, name, ResourceConstants.SCOPE_INDIVIDUAL, primKey);
859    
860                    resources.add(individualResource);
861    
862                    // Group
863    
864                    if (groupId > 0) {
865                            Resource groupResource = ResourceLocalServiceUtil.getResource(
866                                    companyId, name, ResourceConstants.SCOPE_GROUP,
867                                    String.valueOf(groupId));
868    
869                            resources.add(groupResource);
870                    }
871    
872                    // Group template
873    
874                    if (signedIn && (groupId > 0)) {
875                            Resource groupTemplateResource =
876                                    ResourceLocalServiceUtil.getResource(
877                                            companyId, name, ResourceConstants.SCOPE_GROUP_TEMPLATE,
878                                            String.valueOf(GroupConstants.DEFAULT_PARENT_GROUP_ID));
879    
880                            resources.add(groupTemplateResource);
881                    }
882    
883                    // Company
884    
885                    Resource companyResource = ResourceLocalServiceUtil.getResource(
886                            companyId, name, ResourceConstants.SCOPE_COMPANY,
887                            String.valueOf(companyId));
888    
889                    resources.add(companyResource);
890    
891                    return resources;
892            }
893    
894            protected boolean hasGuestPermission(
895                            long groupId, String name, String primKey, String actionId)
896                    throws Exception {
897    
898                    List<String> resourceActions = ResourceActionsUtil.getResourceActions(
899                            name);
900    
901                    if (!resourceActions.contains(actionId)) {
902                            return false;
903                    }
904    
905                    if (name.indexOf(CharPool.PERIOD) != -1) {
906    
907                            // Check unsupported model actions
908    
909                            List<String> actions =
910                                    ResourceActionsUtil.getModelResourceGuestUnsupportedActions(
911                                            name);
912    
913                            if (actions.contains(actionId)) {
914                                    return false;
915                            }
916                    }
917                    else {
918    
919                            // Check unsupported portlet actions
920    
921                            List<String> actions =
922                                    ResourceActionsUtil.getPortletResourceGuestUnsupportedActions(
923                                            name);
924    
925                            if (actions.contains(actionId)) {
926                                    return false;
927                            }
928                    }
929    
930                    long companyId = user.getCompanyId();
931    
932                    if (groupId > 0) {
933                            Group group = GroupLocalServiceUtil.getGroup(groupId);
934    
935                            companyId = group.getCompanyId();
936                    }
937    
938                    try {
939                            if (ResourceBlockLocalServiceUtil.isSupported(name)) {
940                                    ResourceBlockIdsBag resourceBlockIdsBag =
941                                            getGuestResourceBlockIdsBag(companyId, groupId, name);
942    
943                                    return ResourceBlockLocalServiceUtil.hasPermission(
944                                            name, GetterUtil.getLong(primKey), actionId,
945                                            resourceBlockIdsBag);
946                            }
947    
948                            List<Resource> resources = getResources(
949                                    companyId, groupId, name, primKey, actionId);
950    
951                            resources = fixMissingResources(
952                                    companyId, groupId, name, primKey, actionId, resources);
953    
954                            return ResourceLocalServiceUtil.hasUserPermissions(
955                                    defaultUserId, groupId, resources, actionId,
956                                    getGuestUserRoleIds());
957                    }
958                    catch (NoSuchResourcePermissionException nsrpe) {
959                            throw new IllegalArgumentException(
960                                    "Someone may be trying to circumvent the permission checker: " +
961                                            nsrpe.getMessage(),
962                                    nsrpe);
963                    }
964                    catch (Exception e) {
965                            _log.error(e, e);
966    
967                            return false;
968                    }
969            }
970    
971            protected boolean hasPermissionImpl(
972                    long groupId, String name, String primKey, long[] roleIds,
973                    String actionId) {
974    
975                    try {
976                            if (!signedIn) {
977                                    return hasGuestPermission(groupId, name, primKey, actionId);
978                            }
979    
980                            return hasUserPermissionImpl(
981                                    groupId, name, primKey, roleIds, actionId);
982                    }
983                    catch (IllegalArgumentException iae) {
984                            throw iae;
985                    }
986                    catch (Exception e) {
987                            _log.error(e, e);
988    
989                            return false;
990                    }
991            }
992    
993            protected boolean hasUserPermissionImpl(
994                            long groupId, String name, String primKey, long[] roleIds,
995                            String actionId)
996                    throws Exception {
997    
998                    StopWatch stopWatch = new StopWatch();
999    
1000                    stopWatch.start();
1001    
1002                    long companyId = user.getCompanyId();
1003    
1004                    if (groupId > 0) {
1005                            Group group = GroupLocalServiceUtil.getGroup(groupId);
1006    
1007                            companyId = group.getCompanyId();
1008                    }
1009    
1010                    try {
1011                            boolean hasPermission = doCheckPermission(
1012                                    companyId, groupId, name, primKey, roleIds, actionId,
1013                                    stopWatch);
1014    
1015                            if (hasPermission) {
1016                                    return true;
1017                            }
1018                    }
1019                    catch (NoSuchResourcePermissionException nsrpe) {
1020                            throw new IllegalArgumentException(
1021                                    "Someone may be trying to circumvent the permission checker: " +
1022                                            nsrpe.getMessage(),
1023                                    nsrpe);
1024                    }
1025    
1026                    if (isOmniadmin()) {
1027                            return true;
1028                    }
1029    
1030                    if (name.equals(Organization.class.getName())) {
1031                            if (isOrganizationAdminImpl(GetterUtil.getLong(primKey))) {
1032                                    return true;
1033                            }
1034                    }
1035    
1036                    if (isCompanyAdminImpl(companyId)) {
1037                            return true;
1038                    }
1039    
1040                    if (isGroupAdminImpl(groupId)) {
1041                            boolean hasLayoutManagerPermission = true;
1042    
1043                            // Check if the layout manager has permission to do this action for
1044                            // the current portlet
1045    
1046                            if (Validator.isNotNull(name) && Validator.isNotNull(primKey) &&
1047                                    primKey.contains(PortletConstants.LAYOUT_SEPARATOR)) {
1048    
1049                                    hasLayoutManagerPermission =
1050                                            PortletPermissionUtil.hasLayoutManagerPermission(
1051                                                    name, actionId);
1052                            }
1053    
1054                            if (hasLayoutManagerPermission) {
1055                                    return true;
1056                            }
1057                    }
1058    
1059                    return false;
1060            }
1061    
1062            protected boolean isCompanyAdminImpl(long companyId) throws Exception {
1063                    if (!signedIn) {
1064                            return false;
1065                    }
1066    
1067                    if (isOmniadmin()) {
1068                            return true;
1069                    }
1070    
1071                    Boolean value = PermissionCacheUtil.getUserPrimaryKeyRole(
1072                            getUserId(), companyId, RoleConstants.ADMINISTRATOR);
1073    
1074                    try {
1075                            if (value == null) {
1076                                    value = RoleLocalServiceUtil.hasUserRole(
1077                                            user.getUserId(), companyId, RoleConstants.ADMINISTRATOR,
1078                                            true);
1079    
1080                                    PermissionCacheUtil.putUserPrimaryKeyRole(
1081                                            getUserId(), companyId, RoleConstants.ADMINISTRATOR, value);
1082                            }
1083                    }
1084                    catch (Exception e) {
1085                            PermissionCacheUtil.removeUserPrimaryKeyRole(
1086                                    getUserId(), companyId, RoleConstants.ADMINISTRATOR);
1087    
1088                            throw e;
1089                    }
1090    
1091                    return value;
1092            }
1093    
1094            protected boolean isContentReviewerImpl(long groupId)
1095                    throws PortalException {
1096    
1097                    if (isCompanyAdmin() || isGroupAdmin(groupId)) {
1098                            return true;
1099                    }
1100    
1101                    Group group = GroupLocalServiceUtil.getGroup(groupId);
1102    
1103                    if (RoleLocalServiceUtil.hasUserRole(
1104                                    getUserId(), group.getCompanyId(),
1105                                    RoleConstants.PORTAL_CONTENT_REVIEWER, true)) {
1106    
1107                            return true;
1108                    }
1109    
1110                    if (group.isSite()) {
1111                            if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1112                                            getUserId(), groupId, RoleConstants.SITE_CONTENT_REVIEWER,
1113                                            true)) {
1114    
1115                                    return true;
1116                            }
1117                    }
1118    
1119                    return false;
1120            }
1121    
1122            protected boolean isContentReviewerImpl(long companyId, long groupId)
1123                    throws Exception {
1124    
1125                    if (!signedIn) {
1126                            return false;
1127                    }
1128    
1129                    if (isOmniadmin()) {
1130                            return true;
1131                    }
1132    
1133                    if (isCompanyAdmin(companyId)) {
1134                            return true;
1135                    }
1136    
1137                    if (groupId <= 0) {
1138                            return false;
1139                    }
1140    
1141                    if (isGroupAdmin(groupId)) {
1142                            return true;
1143                    }
1144    
1145                    Boolean value = PermissionCacheUtil.getUserPrimaryKeyRole(
1146                            getUserId(), groupId, RoleConstants.SITE_CONTENT_REVIEWER);
1147    
1148                    try {
1149                            if (value == null) {
1150                                    value = isContentReviewerImpl(groupId);
1151    
1152                                    PermissionCacheUtil.putUserPrimaryKeyRole(
1153                                            getUserId(), groupId, RoleConstants.SITE_CONTENT_REVIEWER,
1154                                            value);
1155                            }
1156                    }
1157                    catch (Exception e) {
1158                            PermissionCacheUtil.removeUserPrimaryKeyRole(
1159                                    getUserId(), groupId, RoleConstants.SITE_CONTENT_REVIEWER);
1160    
1161                            throw e;
1162                    }
1163    
1164                    return value;
1165            }
1166    
1167            protected boolean isGroupAdminImpl(Group group) throws Exception {
1168                    if (group.isLayout()) {
1169                            long parentGroupId = group.getParentGroupId();
1170    
1171                            if (parentGroupId == GroupConstants.DEFAULT_PARENT_GROUP_ID) {
1172                                    return false;
1173                            }
1174    
1175                            group = GroupLocalServiceUtil.getGroup(parentGroupId);
1176                    }
1177    
1178                    if (group.isSite()) {
1179                            if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1180                                            getUserId(), group.getGroupId(),
1181                                            RoleConstants.SITE_ADMINISTRATOR, true) ||
1182                                    UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1183                                            getUserId(), group.getGroupId(), RoleConstants.SITE_OWNER,
1184                                            true)) {
1185    
1186                                    return true;
1187                            }
1188    
1189                            StopWatch stopWatch = new StopWatch();
1190    
1191                            stopWatch.start();
1192    
1193                            while (!group.isRoot()) {
1194                                    Group parentGroup = group.getParentGroup();
1195    
1196                                    long[] roleIds = getRoleIds(
1197                                            getUserId(), parentGroup.getGroupId());
1198    
1199                                    if (doCheckPermission(
1200                                                    parentGroup.getCompanyId(), parentGroup.getGroupId(),
1201                                                    Group.class.getName(),
1202                                                    String.valueOf(parentGroup.getGroupId()), roleIds,
1203                                                    ActionKeys.MANAGE_SUBGROUPS, stopWatch)) {
1204    
1205                                            return true;
1206                                    }
1207    
1208                                    group = parentGroup;
1209                            }
1210                    }
1211    
1212                    if (group.isCompany()) {
1213                            if (isCompanyAdmin()) {
1214                                    return true;
1215                            }
1216                            else {
1217                                    return false;
1218                            }
1219                    }
1220                    else if (group.isLayoutPrototype()) {
1221                            if (LayoutPrototypePermissionUtil.contains(
1222                                            this, group.getClassPK(), ActionKeys.UPDATE)) {
1223    
1224                                    return true;
1225                            }
1226                            else {
1227                                    return false;
1228                            }
1229                    }
1230                    else if (group.isLayoutSetPrototype()) {
1231                            if (LayoutSetPrototypePermissionUtil.contains(
1232                                            this, group.getClassPK(), ActionKeys.UPDATE)) {
1233    
1234                                    return true;
1235                            }
1236                            else {
1237                                    return false;
1238                            }
1239                    }
1240                    else if (group.isOrganization()) {
1241                            long organizationId = group.getOrganizationId();
1242    
1243                            while (organizationId !=
1244                                                    OrganizationConstants.DEFAULT_PARENT_ORGANIZATION_ID) {
1245    
1246                                    Organization organization =
1247                                            OrganizationLocalServiceUtil.getOrganization(
1248                                                    organizationId);
1249    
1250                                    long organizationGroupId = organization.getGroupId();
1251    
1252                                    if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1253                                                    getUserId(), organizationGroupId,
1254                                                    RoleConstants.ORGANIZATION_ADMINISTRATOR, true) ||
1255                                            UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1256                                                    getUserId(), organizationGroupId,
1257                                                    RoleConstants.ORGANIZATION_OWNER, true)) {
1258    
1259                                            return true;
1260                                    }
1261    
1262                                    organizationId = organization.getParentOrganizationId();
1263                            }
1264    
1265                            StopWatch stopWatch = new StopWatch();
1266    
1267                            stopWatch.start();
1268    
1269                            Organization organization =
1270                                    OrganizationLocalServiceUtil.getOrganization(
1271                                            group.getOrganizationId());
1272    
1273                            while (!organization.isRoot()) {
1274                                    Organization parentOrganization =
1275                                            organization.getParentOrganization();
1276    
1277                                    Group parentGroup = parentOrganization.getGroup();
1278    
1279                                    long[] roleIds = getRoleIds(
1280                                            getUserId(), parentGroup.getGroupId());
1281    
1282                                    if (doCheckPermission(
1283                                                    parentGroup.getCompanyId(), parentGroup.getGroupId(),
1284                                                    Organization.class.getName(),
1285                                                    String.valueOf(parentOrganization.getOrganizationId()),
1286                                                    roleIds, ActionKeys.MANAGE_SUBORGANIZATIONS,
1287                                                    stopWatch)) {
1288    
1289                                            return true;
1290                                    }
1291    
1292                                    organization = parentOrganization;
1293                            }
1294                    }
1295    
1296                    return false;
1297            }
1298    
1299            protected boolean isGroupAdminImpl(long groupId) throws Exception {
1300                    if (!signedIn) {
1301                            return false;
1302                    }
1303    
1304                    if (isOmniadmin()) {
1305                            return true;
1306                    }
1307    
1308                    if (groupId <= 0) {
1309                            return false;
1310                    }
1311    
1312                    Group group = GroupLocalServiceUtil.getGroup(groupId);
1313    
1314                    if (isCompanyAdmin(group.getCompanyId())) {
1315                            return true;
1316                    }
1317    
1318                    Boolean value = PermissionCacheUtil.getUserPrimaryKeyRole(
1319                            getUserId(), group.getGroupId(), RoleConstants.SITE_ADMINISTRATOR);
1320    
1321                    try {
1322                            if (value == null) {
1323                                    value = isGroupAdminImpl(group);
1324    
1325                                    PermissionCacheUtil.putUserPrimaryKeyRole(
1326                                            getUserId(), group.getGroupId(),
1327                                            RoleConstants.SITE_ADMINISTRATOR, value);
1328                            }
1329                    }
1330                    catch (Exception e) {
1331                            PermissionCacheUtil.removeUserPrimaryKeyRole(
1332                                    getUserId(), group.getGroupId(),
1333                                    RoleConstants.SITE_ADMINISTRATOR);
1334    
1335                            throw e;
1336                    }
1337    
1338                    return value;
1339            }
1340    
1341            protected boolean isGroupMemberImpl(long groupId) throws Exception {
1342                    if (!signedIn) {
1343                            return false;
1344                    }
1345    
1346                    if (groupId <= 0) {
1347                            return false;
1348                    }
1349    
1350                    long[] roleIds = getRoleIds(getUserId(), groupId);
1351    
1352                    Group group = GroupLocalServiceUtil.getGroup(groupId);
1353    
1354                    Role role = RoleLocalServiceUtil.getRole(
1355                            group.getCompanyId(), RoleConstants.SITE_MEMBER);
1356    
1357                    if (Arrays.binarySearch(roleIds, role.getRoleId()) >= 0) {
1358                            return true;
1359                    }
1360    
1361                    UserBag userBag = getUserBag();
1362    
1363                    return userBag.hasUserGroup(group);
1364            }
1365    
1366            protected boolean isGroupOwnerImpl(Group group) throws PortalException {
1367                    if (group.isSite()) {
1368                            if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1369                                            getUserId(), group.getGroupId(), RoleConstants.SITE_OWNER,
1370                                            true)) {
1371    
1372                                    return true;
1373                            }
1374                    }
1375    
1376                    if (group.isLayoutPrototype()) {
1377                            if (LayoutPrototypePermissionUtil.contains(
1378                                            this, group.getClassPK(), ActionKeys.UPDATE)) {
1379    
1380                                    return true;
1381                            }
1382                            else {
1383                                    return false;
1384                            }
1385                    }
1386                    else if (group.isLayoutSetPrototype()) {
1387                            if (LayoutSetPrototypePermissionUtil.contains(
1388                                            this, group.getClassPK(), ActionKeys.UPDATE)) {
1389    
1390                                    return true;
1391                            }
1392                            else {
1393                                    return false;
1394                            }
1395                    }
1396                    else if (group.isOrganization()) {
1397                            long organizationId = group.getOrganizationId();
1398    
1399                            while (organizationId !=
1400                                                    OrganizationConstants.DEFAULT_PARENT_ORGANIZATION_ID) {
1401    
1402                                    Organization organization =
1403                                            OrganizationLocalServiceUtil.getOrganization(
1404                                                    organizationId);
1405    
1406                                    long organizationGroupId = organization.getGroupId();
1407    
1408                                    if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1409                                                    getUserId(), organizationGroupId,
1410                                                    RoleConstants.ORGANIZATION_OWNER, true)) {
1411    
1412                                            return true;
1413                                    }
1414    
1415                                    organizationId = organization.getParentOrganizationId();
1416                            }
1417                    }
1418                    else if (group.isUser()) {
1419                            long groupUserId = group.getClassPK();
1420    
1421                            if (getUserId() == groupUserId) {
1422                                    return true;
1423                            }
1424                    }
1425    
1426                    return false;
1427            }
1428    
1429            protected boolean isGroupOwnerImpl(long groupId) throws Exception {
1430                    if (!signedIn) {
1431                            return false;
1432                    }
1433    
1434                    if (isOmniadmin()) {
1435                            return true;
1436                    }
1437    
1438                    if (groupId <= 0) {
1439                            return false;
1440                    }
1441    
1442                    Group group = GroupLocalServiceUtil.getGroup(groupId);
1443    
1444                    if (isCompanyAdmin(group.getCompanyId())) {
1445                            return true;
1446                    }
1447    
1448                    Boolean value = PermissionCacheUtil.getUserPrimaryKeyRole(
1449                            getUserId(), group.getGroupId(), RoleConstants.SITE_OWNER);
1450    
1451                    try {
1452                            if (value == null) {
1453                                    value = isGroupOwnerImpl(group);
1454    
1455                                    PermissionCacheUtil.putUserPrimaryKeyRole(
1456                                            getUserId(), group.getGroupId(), RoleConstants.SITE_OWNER,
1457                                            value);
1458                            }
1459                    }
1460                    catch (Exception e) {
1461                            PermissionCacheUtil.removeUserPrimaryKeyRole(
1462                                    getUserId(), group.getGroupId(), RoleConstants.SITE_OWNER);
1463    
1464                            throw e;
1465                    }
1466    
1467                    return value;
1468            }
1469    
1470            protected boolean isOrganizationAdminImpl(long organizationId)
1471                    throws Exception {
1472    
1473                    if (!signedIn) {
1474                            return false;
1475                    }
1476    
1477                    if (isOmniadmin()) {
1478                            return true;
1479                    }
1480    
1481                    if (organizationId <= 0) {
1482                            return false;
1483                    }
1484    
1485                    Organization organization =
1486                            OrganizationLocalServiceUtil.fetchOrganization(organizationId);
1487    
1488                    if (organization == null) {
1489                            return false;
1490                    }
1491    
1492                    if (isCompanyAdmin(organization.getCompanyId())) {
1493                            return true;
1494                    }
1495    
1496                    Boolean value = PermissionCacheUtil.getUserPrimaryKeyRole(
1497                            getUserId(), organization.getOrganizationId(),
1498                            RoleConstants.ORGANIZATION_ADMINISTRATOR);
1499    
1500                    try {
1501                            if (value == null) {
1502                                    value = isOrganizationAdminImpl(organization);
1503    
1504                                    PermissionCacheUtil.putUserPrimaryKeyRole(
1505                                            getUserId(), organization.getOrganizationId(),
1506                                            RoleConstants.ORGANIZATION_ADMINISTRATOR, value);
1507                            }
1508                    }
1509                    catch (Exception e) {
1510                            PermissionCacheUtil.removeUserPrimaryKeyRole(
1511                                    getUserId(), organization.getOrganizationId(),
1512                                    RoleConstants.ORGANIZATION_ADMINISTRATOR);
1513    
1514                            throw e;
1515                    }
1516    
1517                    return value;
1518            }
1519    
1520            protected boolean isOrganizationAdminImpl(Organization organization)
1521                    throws PortalException {
1522    
1523                    while (organization != null) {
1524                            long organizationGroupId = organization.getGroupId();
1525    
1526                            long userId = getUserId();
1527    
1528                            if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1529                                            userId, organizationGroupId,
1530                                            RoleConstants.ORGANIZATION_ADMINISTRATOR, true) ||
1531                                    UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1532                                            userId, organizationGroupId,
1533                                            RoleConstants.ORGANIZATION_OWNER, true)) {
1534    
1535                                    return true;
1536                            }
1537    
1538                            organization = organization.getParentOrganization();
1539                    }
1540    
1541                    return false;
1542            }
1543    
1544            protected boolean isOrganizationOwnerImpl(long organizationId)
1545                    throws Exception {
1546    
1547                    if (!signedIn) {
1548                            return false;
1549                    }
1550    
1551                    if (isOmniadmin()) {
1552                            return true;
1553                    }
1554    
1555                    if (organizationId <= 0) {
1556                            return false;
1557                    }
1558    
1559                    Organization organization =
1560                            OrganizationLocalServiceUtil.fetchOrganization(organizationId);
1561    
1562                    if (organization == null) {
1563                            return false;
1564                    }
1565    
1566                    if (isCompanyAdmin(organization.getCompanyId())) {
1567                            return true;
1568                    }
1569    
1570                    Boolean value = PermissionCacheUtil.getUserPrimaryKeyRole(
1571                            getUserId(), organization.getOrganizationId(),
1572                            RoleConstants.ORGANIZATION_OWNER);
1573    
1574                    try {
1575                            if (value == null) {
1576                                    value = isOrganizationOwnerImpl(organization);
1577    
1578                                    PermissionCacheUtil.putUserPrimaryKeyRole(
1579                                            getUserId(), organization.getOrganizationId(),
1580                                            RoleConstants.ORGANIZATION_OWNER, value);
1581                            }
1582                    }
1583                    catch (Exception e) {
1584                            PermissionCacheUtil.removeUserPrimaryKeyRole(
1585                                    getUserId(), organization.getOrganizationId(),
1586                                    RoleConstants.ORGANIZATION_OWNER);
1587    
1588                            throw e;
1589                    }
1590    
1591                    return value;
1592            }
1593    
1594            protected boolean isOrganizationOwnerImpl(Organization organization)
1595                    throws PortalException {
1596    
1597                    while (organization != null) {
1598                            long organizationGroupId = organization.getGroupId();
1599    
1600                            long userId = getUserId();
1601    
1602                            if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1603                                            userId, organizationGroupId,
1604                                            RoleConstants.ORGANIZATION_OWNER, true)) {
1605    
1606                                    return true;
1607                            }
1608    
1609                            organization = organization.getParentOrganization();
1610                    }
1611    
1612                    return false;
1613            }
1614    
1615            protected void logHasUserPermission(
1616                    long groupId, String name, String primKey, String actionId,
1617                    StopWatch stopWatch, int block) {
1618    
1619                    if (!_log.isDebugEnabled()) {
1620                            return;
1621                    }
1622    
1623                    _log.debug(
1624                            "Checking user permission block " + block + " for " + groupId +
1625                                    " " + name + " " + primKey + " " + actionId + " takes " +
1626                                            stopWatch.getTime() + " ms");
1627            }
1628    
1629            /**
1630             * @deprecated As of 6.1.0
1631             */
1632            @Deprecated
1633            protected static final String RESULTS_SEPARATOR = "_RESULTS_SEPARATOR_";
1634    
1635            private static final Log _log = LogFactoryUtil.getLog(
1636                    AdvancedPermissionChecker.class);
1637    
1638    }