001
014
015 package com.liferay.portal.security.permission;
016
017 import com.liferay.portal.kernel.dao.orm.QueryUtil;
018 import com.liferay.portal.kernel.exception.NoSuchResourcePermissionException;
019 import com.liferay.portal.kernel.exception.PortalException;
020 import com.liferay.portal.kernel.log.Log;
021 import com.liferay.portal.kernel.log.LogFactoryUtil;
022 import com.liferay.portal.kernel.model.Company;
023 import com.liferay.portal.kernel.model.Group;
024 import com.liferay.portal.kernel.model.GroupConstants;
025 import com.liferay.portal.kernel.model.GroupedModel;
026 import com.liferay.portal.kernel.model.Layout;
027 import com.liferay.portal.kernel.model.Organization;
028 import com.liferay.portal.kernel.model.OrganizationConstants;
029 import com.liferay.portal.kernel.model.PermissionedModel;
030 import com.liferay.portal.kernel.model.PortletConstants;
031 import com.liferay.portal.kernel.model.Resource;
032 import com.liferay.portal.kernel.model.ResourceBlockConstants;
033 import com.liferay.portal.kernel.model.ResourceConstants;
034 import com.liferay.portal.kernel.model.Role;
035 import com.liferay.portal.kernel.model.RoleConstants;
036 import com.liferay.portal.kernel.model.Team;
037 import com.liferay.portal.kernel.security.permission.ActionKeys;
038 import com.liferay.portal.kernel.security.permission.PermissionChecker;
039 import com.liferay.portal.kernel.security.permission.ResourceActionsUtil;
040 import com.liferay.portal.kernel.security.permission.ResourceBlockIdsBag;
041 import com.liferay.portal.kernel.security.permission.UserBag;
042 import com.liferay.portal.kernel.security.permission.UserBagFactoryUtil;
043 import com.liferay.portal.kernel.service.GroupLocalServiceUtil;
044 import com.liferay.portal.kernel.service.LayoutLocalServiceUtil;
045 import com.liferay.portal.kernel.service.OrganizationLocalServiceUtil;
046 import com.liferay.portal.kernel.service.ResourceBlockLocalServiceUtil;
047 import com.liferay.portal.kernel.service.ResourceLocalServiceUtil;
048 import com.liferay.portal.kernel.service.ResourcePermissionLocalServiceUtil;
049 import com.liferay.portal.kernel.service.RoleLocalServiceUtil;
050 import com.liferay.portal.kernel.service.TeamLocalServiceUtil;
051 import com.liferay.portal.kernel.service.UserGroupRoleLocalServiceUtil;
052 import com.liferay.portal.kernel.service.permission.LayoutPrototypePermissionUtil;
053 import com.liferay.portal.kernel.service.permission.LayoutSetPrototypePermissionUtil;
054 import com.liferay.portal.kernel.service.permission.PortletPermissionUtil;
055 import com.liferay.portal.kernel.util.ArrayUtil;
056 import com.liferay.portal.kernel.util.CharPool;
057 import com.liferay.portal.kernel.util.GetterUtil;
058 import com.liferay.portal.kernel.util.ListUtil;
059 import com.liferay.portal.kernel.util.SetUtil;
060 import com.liferay.portal.kernel.util.StringBundler;
061 import com.liferay.portal.kernel.util.Validator;
062
063 import java.util.ArrayList;
064 import java.util.Arrays;
065 import java.util.Collections;
066 import java.util.LinkedHashMap;
067 import java.util.List;
068 import java.util.Set;
069
070 import org.apache.commons.lang.time.StopWatch;
071
072
079 public class AdvancedPermissionChecker extends BasePermissionChecker {
080
081 @Override
082 public AdvancedPermissionChecker clone() {
083 return new AdvancedPermissionChecker();
084 }
085
086 public ResourceBlockIdsBag getGuestResourceBlockIdsBag(
087 long companyId, long groupId, String name)
088 throws Exception {
089
090 ResourceBlockIdsBag resourceBlockIdsBag =
091 PermissionCacheUtil.getResourceBlockIdsBag(
092 companyId, groupId, defaultUserId, name);
093
094 if (resourceBlockIdsBag != null) {
095 return resourceBlockIdsBag;
096 }
097
098 try {
099 resourceBlockIdsBag =
100 ResourceBlockLocalServiceUtil.getResourceBlockIdsBag(
101 getCompanyId(), groupId, name, getGuestUserRoleIds());
102
103 PermissionCacheUtil.putResourceBlockIdsBag(
104 companyId, groupId, defaultUserId, name, resourceBlockIdsBag);
105
106 return resourceBlockIdsBag;
107 }
108 catch (Exception e) {
109 PermissionCacheUtil.removeResourceBlockIdsBag(
110 getCompanyId(), groupId, defaultUserId, name);
111
112 throw e;
113 }
114 }
115
116
122 public long[] getGuestUserRoleIds() throws Exception {
123 Group guestGroup = GroupLocalServiceUtil.getGroup(
124 getCompanyId(), GroupConstants.GUEST);
125
126 long[] roleIds = PermissionCacheUtil.getUserGroupRoleIds(
127 defaultUserId, guestGroup.getGroupId());
128
129 if (roleIds != null) {
130 return roleIds;
131 }
132
133 try {
134 List<Role> roles = RoleLocalServiceUtil.getUserRelatedRoles(
135 defaultUserId, Collections.singletonList(guestGroup));
136
137
138
139
140
141
142 roleIds = ListUtil.toLongArray(roles, Role.ROLE_ID_ACCESSOR);
143
144 Arrays.sort(roleIds);
145
146 PermissionCacheUtil.putUserGroupRoleIds(
147 defaultUserId, guestGroup.getGroupId(), roleIds);
148 }
149 catch (Exception e) {
150 PermissionCacheUtil.removeUserGroupRoleIds(
151 defaultUserId, guestGroup.getGroupId());
152
153 throw e;
154 }
155
156 return roleIds;
157 }
158
159 @Override
160 public List<Long> getOwnerResourceBlockIds(
161 long companyId, long groupId, String name, String actionId) {
162
163 try {
164 ResourceBlockIdsBag resourceBlockIdsBag =
165 getOwnerResourceBlockIdsBag(companyId, groupId, name);
166
167 return ResourceBlockLocalServiceUtil.getResourceBlockIds(
168 resourceBlockIdsBag, name, actionId);
169 }
170 catch (Exception e) {
171 if (_log.isDebugEnabled()) {
172 _log.debug(e, e);
173 }
174 }
175
176 return Collections.emptyList();
177 }
178
179 public ResourceBlockIdsBag getOwnerResourceBlockIdsBag(
180 long companyId, long groupId, String name) {
181
182 ResourceBlockIdsBag resourceBlockIdsBag =
183 PermissionCacheUtil.getResourceBlockIdsBag(
184 companyId, groupId, ResourceBlockConstants.OWNER_USER_ID, name);
185
186 if (resourceBlockIdsBag != null) {
187 return resourceBlockIdsBag;
188 }
189
190 try {
191 long[] roleIds = {getOwnerRoleId()};
192
193 resourceBlockIdsBag =
194 ResourceBlockLocalServiceUtil.getResourceBlockIdsBag(
195 getCompanyId(), groupId, name, roleIds);
196
197 PermissionCacheUtil.putResourceBlockIdsBag(
198 companyId, groupId, ResourceBlockConstants.OWNER_USER_ID, name,
199 resourceBlockIdsBag);
200
201 return resourceBlockIdsBag;
202 }
203 catch (Exception e) {
204 PermissionCacheUtil.removeResourceBlockIdsBag(
205 companyId, groupId, ResourceBlockConstants.OWNER_USER_ID, name);
206
207 throw e;
208 }
209 }
210
211 @Override
212 public List<Long> getResourceBlockIds(
213 long companyId, long groupId, long userId, String name,
214 String actionId) {
215
216 try {
217 ResourceBlockIdsBag resourceBlockIdsBag = getResourceBlockIdsBag(
218 companyId, groupId, name, getRoleIds(getUserId(), groupId));
219
220 return ResourceBlockLocalServiceUtil.getResourceBlockIds(
221 resourceBlockIdsBag, name, actionId);
222 }
223 catch (Exception e) {
224 if (_log.isDebugEnabled()) {
225 _log.debug(e, e);
226 }
227 }
228
229 return Collections.emptyList();
230 }
231
232 public ResourceBlockIdsBag getResourceBlockIdsBag(
233 long companyId, long groupId, String name, long[] roleIds)
234 throws Exception {
235
236 ResourceBlockIdsBag resourceBlockIdsBag =
237 PermissionCacheUtil.getResourceBlockIdsBag(
238 companyId, groupId, getUserId(), name);
239
240 if (resourceBlockIdsBag != null) {
241 return resourceBlockIdsBag;
242 }
243
244 try {
245 resourceBlockIdsBag =
246 ResourceBlockLocalServiceUtil.getResourceBlockIdsBag(
247 getCompanyId(), groupId, name, roleIds);
248
249 PermissionCacheUtil.putResourceBlockIdsBag(
250 companyId, groupId, getUserId(), name, resourceBlockIdsBag);
251
252 return resourceBlockIdsBag;
253 }
254 catch (Exception e) {
255 PermissionCacheUtil.removeResourceBlockIdsBag(
256 companyId, groupId, getUserId(), name);
257
258 throw e;
259 }
260 }
261
262 @Override
263 public long[] getRoleIds(long userId, long groupId) {
264 try {
265 return doGetRoleIds(userId, groupId);
266 }
267 catch (Exception e) {
268 if (_log.isDebugEnabled()) {
269 _log.debug(e, e);
270 }
271
272 return PermissionChecker.DEFAULT_ROLE_IDS;
273 }
274 }
275
276 @Override
277 public UserBag getUserBag() throws PortalException {
278 return UserBagFactoryUtil.create(getUserId());
279 }
280
281 @Override
282 public boolean hasOwnerPermission(
283 long companyId, String name, String primKey, long ownerId,
284 String actionId) {
285
286 if (ownerId != getUserId()) {
287 return false;
288 }
289
290 boolean ownerIsDefaultUser = false;
291
292 if (ownerId == defaultUserId) {
293 ownerIsDefaultUser = true;
294 }
295
296 if (ownerIsDefaultUser) {
297 List<String> guestUnsupportedActions;
298
299 if (name.indexOf(CharPool.PERIOD) != -1) {
300 guestUnsupportedActions =
301 ResourceActionsUtil.getModelResourceGuestUnsupportedActions(
302 name);
303 }
304 else {
305 guestUnsupportedActions =
306 ResourceActionsUtil.
307 getPortletResourceGuestUnsupportedActions(name);
308 }
309
310 if (guestUnsupportedActions.contains(actionId)) {
311 return false;
312 }
313 }
314
315 try {
316 if (ResourceBlockLocalServiceUtil.isSupported(name)) {
317 PermissionedModel permissionedModel =
318 ResourceBlockLocalServiceUtil.getPermissionedModel(
319 name, GetterUtil.getLong(primKey));
320
321 long groupId = 0;
322
323 if (permissionedModel instanceof GroupedModel) {
324 GroupedModel groupedModel = (GroupedModel)permissionedModel;
325
326 groupId = groupedModel.getGroupId();
327 }
328
329 ResourceBlockIdsBag resourceBlockIdsBag = null;
330
331 if (ownerIsDefaultUser) {
332 resourceBlockIdsBag = getGuestResourceBlockIdsBag(
333 companyId, groupId, name);
334 }
335 else {
336 resourceBlockIdsBag = getOwnerResourceBlockIdsBag(
337 companyId, groupId, name);
338 }
339
340 return ResourceBlockLocalServiceUtil.hasPermission(
341 name, permissionedModel, actionId, resourceBlockIdsBag);
342 }
343
344 long ownerRoleId = getOwnerRoleId();
345
346 if (ownerIsDefaultUser) {
347 Role guestRole = RoleLocalServiceUtil.getRole(
348 companyId, RoleConstants.GUEST);
349
350 ownerRoleId = guestRole.getRoleId();
351 }
352
353 return ResourcePermissionLocalServiceUtil.hasResourcePermission(
354 companyId, name, ResourceConstants.SCOPE_INDIVIDUAL, primKey,
355 ownerRoleId, actionId);
356 }
357 catch (Exception e) {
358 if (_log.isDebugEnabled()) {
359 _log.debug(e, e);
360 }
361 }
362
363 return false;
364 }
365
366 @Override
367 public boolean hasPermission(
368 long groupId, String name, String primKey, String actionId) {
369
370 StopWatch stopWatch = new StopWatch();
371
372 stopWatch.start();
373
374 boolean checkOwnerPermission = false;
375 Group group = null;
376
377 try {
378 if (groupId > 0) {
379 group = GroupLocalServiceUtil.getGroup(groupId);
380
381
382
383
384 if (group.isLayout() &&
385 !ResourceBlockLocalServiceUtil.isSupported(name)) {
386
387 Layout layout = LayoutLocalServiceUtil.getLayout(
388 group.getClassPK());
389
390 groupId = layout.getGroupId();
391
392 group = GroupLocalServiceUtil.getGroup(groupId);
393 }
394 else if (group.isUserPersonalSite()) {
395 return false;
396 }
397
398
399
400
401 if (group.isUser() && (group.getClassPK() == getUserId())) {
402 checkOwnerPermission = true;
403
404 group = GroupLocalServiceUtil.getGroup(
405 getCompanyId(), GroupConstants.USER_PERSONAL_SITE);
406
407 groupId = group.getGroupId();
408 }
409 }
410 }
411 catch (Exception e) {
412 _log.error(e, e);
413 }
414
415 long[] roleIds = getRoleIds(getUserId(), groupId);
416
417 Boolean value = PermissionCacheUtil.getPermission(
418 groupId, name, primKey, roleIds, actionId);
419
420 if (value != null) {
421 return value;
422 }
423
424 try {
425 if (checkOwnerPermission) {
426 value = hasOwnerPermission(
427 getCompanyId(), name, primKey, getUserId(), actionId);
428 }
429
430 if ((value == null) || !value) {
431 value = hasPermissionImpl(
432 groupId, name, primKey, roleIds, actionId);
433 }
434
435 if (_log.isDebugEnabled()) {
436 _log.debug(
437 "Checking permission for " + groupId + " " + name + " " +
438 primKey + " " + actionId + " takes " +
439 stopWatch.getTime() + " ms");
440 }
441
442 PermissionCacheUtil.putPermission(
443 groupId, name, primKey, roleIds, actionId, value);
444 }
445 catch (Exception e) {
446 PermissionCacheUtil.removePermission(
447 groupId, name, primKey, roleIds, actionId);
448
449 throw e;
450 }
451
452 return value;
453 }
454
455 @Override
456 public boolean isCompanyAdmin() {
457 try {
458 return isCompanyAdminImpl(user.getCompanyId());
459 }
460 catch (Exception e) {
461 _log.error(e, e);
462
463 return false;
464 }
465 }
466
467 @Override
468 public boolean isCompanyAdmin(long companyId) {
469 try {
470 return isCompanyAdminImpl(companyId);
471 }
472 catch (Exception e) {
473 _log.error(e, e);
474
475 return false;
476 }
477 }
478
479 @Override
480 public boolean isContentReviewer(long companyId, long groupId) {
481 try {
482 return isContentReviewerImpl(companyId, groupId);
483 }
484 catch (Exception e) {
485 _log.error(e, e);
486 }
487
488 return false;
489 }
490
491 @Override
492 public boolean isGroupAdmin(long groupId) {
493 try {
494 return isGroupAdminImpl(groupId);
495 }
496 catch (Exception e) {
497 _log.error(e, e);
498
499 return false;
500 }
501 }
502
503 @Override
504 public boolean isGroupMember(long groupId) {
505 try {
506 return isGroupMemberImpl(groupId);
507 }
508 catch (Exception e) {
509 _log.error(e, e);
510
511 return false;
512 }
513 }
514
515 @Override
516 public boolean isGroupOwner(long groupId) {
517 try {
518 return isGroupOwnerImpl(groupId);
519 }
520 catch (Exception e) {
521 _log.error(e, e);
522
523 return false;
524 }
525 }
526
527 @Override
528 public boolean isOrganizationAdmin(long organizationId) {
529 try {
530 return isOrganizationAdminImpl(organizationId);
531 }
532 catch (Exception e) {
533 _log.error(e, e);
534
535 return false;
536 }
537 }
538
539 @Override
540 public boolean isOrganizationOwner(long organizationId) {
541 try {
542 return isOrganizationOwnerImpl(organizationId);
543 }
544 catch (Exception e) {
545 _log.error(e, e);
546
547 return false;
548 }
549 }
550
551 protected void addTeamRoles(long userId, Group group, Set<Long> roleIds)
552 throws Exception {
553
554 List<Team> userTeams = TeamLocalServiceUtil.getUserTeams(
555 userId, group.getGroupId());
556
557 for (Team team : userTeams) {
558 Role role = RoleLocalServiceUtil.getTeamRole(
559 team.getCompanyId(), team.getTeamId());
560
561 roleIds.add(role.getRoleId());
562 }
563
564 LinkedHashMap<String, Object> teamParams = new LinkedHashMap<>();
565
566 teamParams.put("usersUserGroups", userId);
567
568 List<Team> userGroupTeams = TeamLocalServiceUtil.search(
569 group.getGroupId(), null, null, teamParams, QueryUtil.ALL_POS,
570 QueryUtil.ALL_POS, null);
571
572 for (Team team : userGroupTeams) {
573 Role role = RoleLocalServiceUtil.getTeamRole(
574 team.getCompanyId(), team.getTeamId());
575
576 roleIds.add(role.getRoleId());
577 }
578 }
579
580 protected boolean doCheckPermission(
581 long companyId, long groupId, String name, String primKey,
582 long[] roleIds, String actionId, StopWatch stopWatch)
583 throws Exception {
584
585 logHasUserPermission(groupId, name, primKey, actionId, stopWatch, 1);
586
587 if (ResourceBlockLocalServiceUtil.isSupported(name)) {
588 ResourceBlockIdsBag resourceBlockIdsBag = getResourceBlockIdsBag(
589 companyId, groupId, name, roleIds);
590
591 boolean value = ResourceBlockLocalServiceUtil.hasPermission(
592 name, GetterUtil.getLong(primKey), actionId,
593 resourceBlockIdsBag);
594
595 logHasUserPermission(
596 groupId, name, primKey, actionId, stopWatch, 2);
597
598 return value;
599 }
600
601 List<Resource> resources = getResources(
602 companyId, groupId, name, primKey, actionId);
603
604 resources = fixMissingResources(
605 companyId, groupId, name, primKey, actionId, resources);
606
607 logHasUserPermission(groupId, name, primKey, actionId, stopWatch, 3);
608
609
610
611
612
613
614 boolean value = ResourceLocalServiceUtil.hasUserPermissions(
615 user.getUserId(), groupId, resources, actionId, roleIds);
616
617 logHasUserPermission(groupId, name, primKey, actionId, stopWatch, 4);
618
619 return value;
620 }
621
622 protected long[] doGetRoleIds(long userId, long groupId) throws Exception {
623 if (!signedIn) {
624 return getGuestUserRoleIds();
625 }
626
627 long[] roleIds = PermissionCacheUtil.getUserGroupRoleIds(
628 userId, groupId);
629
630 if (roleIds != null) {
631 return roleIds;
632 }
633
634 try {
635 Group group = null;
636
637 long parentGroupId = 0;
638
639 if (groupId > 0) {
640 group = GroupLocalServiceUtil.getGroup(groupId);
641
642 if (group.isLayout()) {
643 parentGroupId = group.getParentGroupId();
644
645 if (parentGroupId > 0) {
646 group = GroupLocalServiceUtil.getGroup(parentGroupId);
647 }
648 }
649 }
650
651 UserBag userBag = getUserBag();
652
653 Set<Long> roleIdsSet = SetUtil.fromArray(userBag.getRoleIds());
654
655 List<Role> userGroupRoles = RoleLocalServiceUtil.getUserGroupRoles(
656 userId, groupId);
657
658 for (Role userGroupRole : userGroupRoles) {
659 roleIdsSet.add(userGroupRole.getRoleId());
660 }
661
662 if (parentGroupId > 0) {
663 userGroupRoles = RoleLocalServiceUtil.getUserGroupRoles(
664 userId, parentGroupId);
665
666 for (Role userGroupRole : userGroupRoles) {
667 roleIdsSet.add(userGroupRole.getRoleId());
668 }
669 }
670
671 List<Role> userGroupGroupRoles =
672 RoleLocalServiceUtil.getUserGroupGroupRoles(userId, groupId);
673
674 for (Role userGroupGroupRole : userGroupGroupRoles) {
675 roleIdsSet.add(userGroupGroupRole.getRoleId());
676 }
677
678 if (parentGroupId > 0) {
679 userGroupGroupRoles =
680 RoleLocalServiceUtil.getUserGroupGroupRoles(
681 userId, parentGroupId);
682
683 for (Role userGroupGroupRole : userGroupGroupRoles) {
684 roleIdsSet.add(userGroupGroupRole.getRoleId());
685 }
686 }
687
688 if (group != null) {
689 if (group.isOrganization() && userBag.hasUserOrgGroup(group)) {
690 Role organizationUserRole = RoleLocalServiceUtil.getRole(
691 group.getCompanyId(), RoleConstants.ORGANIZATION_USER);
692
693 roleIdsSet.add(organizationUserRole.getRoleId());
694 }
695
696 if ((group.isSite() &&
697 (userBag.hasUserGroup(group) ||
698 userBag.hasUserOrgGroup(group))) ||
699 group.isUserPersonalSite()) {
700
701 Role siteMemberRole = RoleLocalServiceUtil.getRole(
702 group.getCompanyId(), RoleConstants.SITE_MEMBER);
703
704 roleIdsSet.add(siteMemberRole.getRoleId());
705 }
706
707 if ((group.isOrganization() &&
708 userBag.hasUserOrgGroup(group)) ||
709 (group.isSite() && userBag.hasUserGroup(group))) {
710
711 addTeamRoles(userId, group, roleIdsSet);
712 }
713 }
714
715 if (checkGuest) {
716 for (long roleId : getGuestUserRoleIds()) {
717 roleIdsSet.add(roleId);
718 }
719 }
720
721 roleIds = ArrayUtil.toLongArray(roleIdsSet);
722
723 Arrays.sort(roleIds);
724
725 PermissionCacheUtil.putUserGroupRoleIds(userId, groupId, roleIds);
726
727 return roleIds;
728 }
729 catch (Exception e) {
730 PermissionCacheUtil.removeUserGroupRoleIds(userId, groupId);
731
732 throw e;
733 }
734 }
735
736 protected List<Resource> fixMissingResources(
737 long companyId, long groupId, String name, String primKey,
738 String actionId, List<Resource> resources)
739 throws Exception {
740
741 int count =
742 ResourcePermissionLocalServiceUtil.getResourcePermissionsCount(
743 companyId, name, ResourceConstants.SCOPE_INDIVIDUAL, primKey);
744
745 if (count > 0) {
746 return resources;
747 }
748
749 String newIndividualResourcePrimKey = null;
750
751 if (primKey.contains(PortletConstants.LAYOUT_SEPARATOR)) {
752
753
754
755
756 newIndividualResourcePrimKey = name;
757
758 if (_log.isDebugEnabled()) {
759 String message =
760 "Using defaults because custom permissions for " +
761 "portlet resource " + name + " are not defined";
762
763 _log.debug(message, new IllegalArgumentException(message));
764 }
765 }
766
767 else if ((groupId > 0) &&
768 ResourceActionsUtil.isRootModelResource(name)) {
769
770
771
772
773 newIndividualResourcePrimKey = name;
774
775 if (_log.isDebugEnabled()) {
776 String message =
777 "Using defaults because custom permissions for " +
778 "root model resource " + name + " are not defined";
779
780 _log.debug(message, new IllegalArgumentException(message));
781 }
782 }
783
784 else if (primKey.equals("0") ||
785 primKey.equals(String.valueOf(ResourceConstants.PRIMKEY_DNE))
786 ||
787 (primKey.equals(String.valueOf(companyId)) &&
788 !name.equals(Company.class.getName()))) {
789
790 newIndividualResourcePrimKey = name;
791
792 if (_log.isWarnEnabled()) {
793 StringBundler sb = new StringBundler(9);
794
795 sb.append("Using ");
796 sb.append(name);
797 sb.append(" as the primary key instead of the legacy primary ");
798 sb.append("key ");
799 sb.append(primKey);
800 sb.append(" that was used for permission checking of ");
801 sb.append(name);
802 sb.append(" in company ");
803 sb.append(companyId);
804
805 _log.warn(
806 sb.toString(), new IllegalArgumentException(sb.toString()));
807 }
808 }
809
810 if (newIndividualResourcePrimKey != null) {
811 Resource individualResource = resources.get(0);
812
813 if (individualResource.getScope() !=
814 ResourceConstants.SCOPE_INDIVIDUAL) {
815
816 throw new IllegalArgumentException(
817 "The first resource must be an individual scope");
818 }
819
820 individualResource.setPrimKey(name);
821 }
822
823 return resources;
824 }
825
826
848 protected List<Resource> getResources(
849 long companyId, long groupId, String name, String primKey,
850 String actionId)
851 throws Exception {
852
853
854
855 List<Resource> resources = new ArrayList<>(4);
856
857 Resource individualResource = ResourceLocalServiceUtil.getResource(
858 companyId, name, ResourceConstants.SCOPE_INDIVIDUAL, primKey);
859
860 resources.add(individualResource);
861
862
863
864 if (groupId > 0) {
865 Resource groupResource = ResourceLocalServiceUtil.getResource(
866 companyId, name, ResourceConstants.SCOPE_GROUP,
867 String.valueOf(groupId));
868
869 resources.add(groupResource);
870 }
871
872
873
874 if (signedIn && (groupId > 0)) {
875 Resource groupTemplateResource =
876 ResourceLocalServiceUtil.getResource(
877 companyId, name, ResourceConstants.SCOPE_GROUP_TEMPLATE,
878 String.valueOf(GroupConstants.DEFAULT_PARENT_GROUP_ID));
879
880 resources.add(groupTemplateResource);
881 }
882
883
884
885 Resource companyResource = ResourceLocalServiceUtil.getResource(
886 companyId, name, ResourceConstants.SCOPE_COMPANY,
887 String.valueOf(companyId));
888
889 resources.add(companyResource);
890
891 return resources;
892 }
893
894 protected boolean hasGuestPermission(
895 long groupId, String name, String primKey, String actionId)
896 throws Exception {
897
898 List<String> resourceActions = ResourceActionsUtil.getResourceActions(
899 name);
900
901 if (!resourceActions.contains(actionId)) {
902 return false;
903 }
904
905 if (name.indexOf(CharPool.PERIOD) != -1) {
906
907
908
909 List<String> actions =
910 ResourceActionsUtil.getModelResourceGuestUnsupportedActions(
911 name);
912
913 if (actions.contains(actionId)) {
914 return false;
915 }
916 }
917 else {
918
919
920
921 List<String> actions =
922 ResourceActionsUtil.getPortletResourceGuestUnsupportedActions(
923 name);
924
925 if (actions.contains(actionId)) {
926 return false;
927 }
928 }
929
930 long companyId = user.getCompanyId();
931
932 if (groupId > 0) {
933 Group group = GroupLocalServiceUtil.getGroup(groupId);
934
935 companyId = group.getCompanyId();
936 }
937
938 try {
939 if (ResourceBlockLocalServiceUtil.isSupported(name)) {
940 ResourceBlockIdsBag resourceBlockIdsBag =
941 getGuestResourceBlockIdsBag(companyId, groupId, name);
942
943 return ResourceBlockLocalServiceUtil.hasPermission(
944 name, GetterUtil.getLong(primKey), actionId,
945 resourceBlockIdsBag);
946 }
947
948 List<Resource> resources = getResources(
949 companyId, groupId, name, primKey, actionId);
950
951 resources = fixMissingResources(
952 companyId, groupId, name, primKey, actionId, resources);
953
954 return ResourceLocalServiceUtil.hasUserPermissions(
955 defaultUserId, groupId, resources, actionId,
956 getGuestUserRoleIds());
957 }
958 catch (NoSuchResourcePermissionException nsrpe) {
959 throw new IllegalArgumentException(
960 "Someone may be trying to circumvent the permission checker: " +
961 nsrpe.getMessage(),
962 nsrpe);
963 }
964 catch (Exception e) {
965 _log.error(e, e);
966
967 return false;
968 }
969 }
970
971 protected boolean hasPermissionImpl(
972 long groupId, String name, String primKey, long[] roleIds,
973 String actionId) {
974
975 try {
976 if (!signedIn) {
977 return hasGuestPermission(groupId, name, primKey, actionId);
978 }
979
980 return hasUserPermissionImpl(
981 groupId, name, primKey, roleIds, actionId);
982 }
983 catch (IllegalArgumentException iae) {
984 throw iae;
985 }
986 catch (Exception e) {
987 _log.error(e, e);
988
989 return false;
990 }
991 }
992
993 protected boolean hasUserPermissionImpl(
994 long groupId, String name, String primKey, long[] roleIds,
995 String actionId)
996 throws Exception {
997
998 StopWatch stopWatch = new StopWatch();
999
1000 stopWatch.start();
1001
1002 long companyId = user.getCompanyId();
1003
1004 if (groupId > 0) {
1005 Group group = GroupLocalServiceUtil.getGroup(groupId);
1006
1007 companyId = group.getCompanyId();
1008 }
1009
1010 try {
1011 boolean hasPermission = doCheckPermission(
1012 companyId, groupId, name, primKey, roleIds, actionId,
1013 stopWatch);
1014
1015 if (hasPermission) {
1016 return true;
1017 }
1018 }
1019 catch (NoSuchResourcePermissionException nsrpe) {
1020 throw new IllegalArgumentException(
1021 "Someone may be trying to circumvent the permission checker: " +
1022 nsrpe.getMessage(),
1023 nsrpe);
1024 }
1025
1026 if (isOmniadmin()) {
1027 return true;
1028 }
1029
1030 if (name.equals(Organization.class.getName())) {
1031 if (isOrganizationAdminImpl(GetterUtil.getLong(primKey))) {
1032 return true;
1033 }
1034 }
1035
1036 if (isCompanyAdminImpl(companyId)) {
1037 return true;
1038 }
1039
1040 if (isGroupAdminImpl(groupId)) {
1041 boolean hasLayoutManagerPermission = true;
1042
1043
1044
1045
1046 if (Validator.isNotNull(name) && Validator.isNotNull(primKey) &&
1047 primKey.contains(PortletConstants.LAYOUT_SEPARATOR)) {
1048
1049 hasLayoutManagerPermission =
1050 PortletPermissionUtil.hasLayoutManagerPermission(
1051 name, actionId);
1052 }
1053
1054 if (hasLayoutManagerPermission) {
1055 return true;
1056 }
1057 }
1058
1059 return false;
1060 }
1061
1062 protected boolean isCompanyAdminImpl(long companyId) throws Exception {
1063 if (!signedIn) {
1064 return false;
1065 }
1066
1067 if (isOmniadmin()) {
1068 return true;
1069 }
1070
1071 Boolean value = PermissionCacheUtil.getUserPrimaryKeyRole(
1072 getUserId(), companyId, RoleConstants.ADMINISTRATOR);
1073
1074 try {
1075 if (value == null) {
1076 value = RoleLocalServiceUtil.hasUserRole(
1077 user.getUserId(), companyId, RoleConstants.ADMINISTRATOR,
1078 true);
1079
1080 PermissionCacheUtil.putUserPrimaryKeyRole(
1081 getUserId(), companyId, RoleConstants.ADMINISTRATOR, value);
1082 }
1083 }
1084 catch (Exception e) {
1085 PermissionCacheUtil.removeUserPrimaryKeyRole(
1086 getUserId(), companyId, RoleConstants.ADMINISTRATOR);
1087
1088 throw e;
1089 }
1090
1091 return value;
1092 }
1093
1094 protected boolean isContentReviewerImpl(long groupId)
1095 throws PortalException {
1096
1097 if (isCompanyAdmin() || isGroupAdmin(groupId)) {
1098 return true;
1099 }
1100
1101 Group group = GroupLocalServiceUtil.getGroup(groupId);
1102
1103 if (RoleLocalServiceUtil.hasUserRole(
1104 getUserId(), group.getCompanyId(),
1105 RoleConstants.PORTAL_CONTENT_REVIEWER, true)) {
1106
1107 return true;
1108 }
1109
1110 if (group.isSite()) {
1111 if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1112 getUserId(), groupId, RoleConstants.SITE_CONTENT_REVIEWER,
1113 true)) {
1114
1115 return true;
1116 }
1117 }
1118
1119 return false;
1120 }
1121
1122 protected boolean isContentReviewerImpl(long companyId, long groupId)
1123 throws Exception {
1124
1125 if (!signedIn) {
1126 return false;
1127 }
1128
1129 if (isOmniadmin()) {
1130 return true;
1131 }
1132
1133 if (isCompanyAdmin(companyId)) {
1134 return true;
1135 }
1136
1137 if (groupId <= 0) {
1138 return false;
1139 }
1140
1141 if (isGroupAdmin(groupId)) {
1142 return true;
1143 }
1144
1145 Boolean value = PermissionCacheUtil.getUserPrimaryKeyRole(
1146 getUserId(), groupId, RoleConstants.SITE_CONTENT_REVIEWER);
1147
1148 try {
1149 if (value == null) {
1150 value = isContentReviewerImpl(groupId);
1151
1152 PermissionCacheUtil.putUserPrimaryKeyRole(
1153 getUserId(), groupId, RoleConstants.SITE_CONTENT_REVIEWER,
1154 value);
1155 }
1156 }
1157 catch (Exception e) {
1158 PermissionCacheUtil.removeUserPrimaryKeyRole(
1159 getUserId(), groupId, RoleConstants.SITE_CONTENT_REVIEWER);
1160
1161 throw e;
1162 }
1163
1164 return value;
1165 }
1166
1167 protected boolean isGroupAdminImpl(Group group) throws Exception {
1168 if (group.isLayout()) {
1169 long parentGroupId = group.getParentGroupId();
1170
1171 if (parentGroupId == GroupConstants.DEFAULT_PARENT_GROUP_ID) {
1172 return false;
1173 }
1174
1175 group = GroupLocalServiceUtil.getGroup(parentGroupId);
1176 }
1177
1178 if (group.isSite()) {
1179 if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1180 getUserId(), group.getGroupId(),
1181 RoleConstants.SITE_ADMINISTRATOR, true) ||
1182 UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1183 getUserId(), group.getGroupId(), RoleConstants.SITE_OWNER,
1184 true)) {
1185
1186 return true;
1187 }
1188
1189 StopWatch stopWatch = new StopWatch();
1190
1191 stopWatch.start();
1192
1193 while (!group.isRoot()) {
1194 Group parentGroup = group.getParentGroup();
1195
1196 long[] roleIds = getRoleIds(
1197 getUserId(), parentGroup.getGroupId());
1198
1199 if (doCheckPermission(
1200 parentGroup.getCompanyId(), parentGroup.getGroupId(),
1201 Group.class.getName(),
1202 String.valueOf(parentGroup.getGroupId()), roleIds,
1203 ActionKeys.MANAGE_SUBGROUPS, stopWatch)) {
1204
1205 return true;
1206 }
1207
1208 group = parentGroup;
1209 }
1210 }
1211
1212 if (group.isCompany()) {
1213 if (isCompanyAdmin()) {
1214 return true;
1215 }
1216 else {
1217 return false;
1218 }
1219 }
1220 else if (group.isLayoutPrototype()) {
1221 if (LayoutPrototypePermissionUtil.contains(
1222 this, group.getClassPK(), ActionKeys.UPDATE)) {
1223
1224 return true;
1225 }
1226 else {
1227 return false;
1228 }
1229 }
1230 else if (group.isLayoutSetPrototype()) {
1231 if (LayoutSetPrototypePermissionUtil.contains(
1232 this, group.getClassPK(), ActionKeys.UPDATE)) {
1233
1234 return true;
1235 }
1236 else {
1237 return false;
1238 }
1239 }
1240 else if (group.isOrganization()) {
1241 long organizationId = group.getOrganizationId();
1242
1243 while (organizationId !=
1244 OrganizationConstants.DEFAULT_PARENT_ORGANIZATION_ID) {
1245
1246 Organization organization =
1247 OrganizationLocalServiceUtil.getOrganization(
1248 organizationId);
1249
1250 long organizationGroupId = organization.getGroupId();
1251
1252 if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1253 getUserId(), organizationGroupId,
1254 RoleConstants.ORGANIZATION_ADMINISTRATOR, true) ||
1255 UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1256 getUserId(), organizationGroupId,
1257 RoleConstants.ORGANIZATION_OWNER, true)) {
1258
1259 return true;
1260 }
1261
1262 organizationId = organization.getParentOrganizationId();
1263 }
1264
1265 StopWatch stopWatch = new StopWatch();
1266
1267 stopWatch.start();
1268
1269 Organization organization =
1270 OrganizationLocalServiceUtil.getOrganization(
1271 group.getOrganizationId());
1272
1273 while (!organization.isRoot()) {
1274 Organization parentOrganization =
1275 organization.getParentOrganization();
1276
1277 Group parentGroup = parentOrganization.getGroup();
1278
1279 long[] roleIds = getRoleIds(
1280 getUserId(), parentGroup.getGroupId());
1281
1282 if (doCheckPermission(
1283 parentGroup.getCompanyId(), parentGroup.getGroupId(),
1284 Organization.class.getName(),
1285 String.valueOf(parentOrganization.getOrganizationId()),
1286 roleIds, ActionKeys.MANAGE_SUBORGANIZATIONS,
1287 stopWatch)) {
1288
1289 return true;
1290 }
1291
1292 organization = parentOrganization;
1293 }
1294 }
1295
1296 return false;
1297 }
1298
1299 protected boolean isGroupAdminImpl(long groupId) throws Exception {
1300 if (!signedIn) {
1301 return false;
1302 }
1303
1304 if (isOmniadmin()) {
1305 return true;
1306 }
1307
1308 if (groupId <= 0) {
1309 return false;
1310 }
1311
1312 Group group = GroupLocalServiceUtil.getGroup(groupId);
1313
1314 if (isCompanyAdmin(group.getCompanyId())) {
1315 return true;
1316 }
1317
1318 Boolean value = PermissionCacheUtil.getUserPrimaryKeyRole(
1319 getUserId(), group.getGroupId(), RoleConstants.SITE_ADMINISTRATOR);
1320
1321 try {
1322 if (value == null) {
1323 value = isGroupAdminImpl(group);
1324
1325 PermissionCacheUtil.putUserPrimaryKeyRole(
1326 getUserId(), group.getGroupId(),
1327 RoleConstants.SITE_ADMINISTRATOR, value);
1328 }
1329 }
1330 catch (Exception e) {
1331 PermissionCacheUtil.removeUserPrimaryKeyRole(
1332 getUserId(), group.getGroupId(),
1333 RoleConstants.SITE_ADMINISTRATOR);
1334
1335 throw e;
1336 }
1337
1338 return value;
1339 }
1340
1341 protected boolean isGroupMemberImpl(long groupId) throws Exception {
1342 if (!signedIn) {
1343 return false;
1344 }
1345
1346 if (groupId <= 0) {
1347 return false;
1348 }
1349
1350 long[] roleIds = getRoleIds(getUserId(), groupId);
1351
1352 Group group = GroupLocalServiceUtil.getGroup(groupId);
1353
1354 Role role = RoleLocalServiceUtil.getRole(
1355 group.getCompanyId(), RoleConstants.SITE_MEMBER);
1356
1357 if (Arrays.binarySearch(roleIds, role.getRoleId()) >= 0) {
1358 return true;
1359 }
1360
1361 UserBag userBag = getUserBag();
1362
1363 return userBag.hasUserGroup(group);
1364 }
1365
1366 protected boolean isGroupOwnerImpl(Group group) throws PortalException {
1367 if (group.isSite()) {
1368 if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1369 getUserId(), group.getGroupId(), RoleConstants.SITE_OWNER,
1370 true)) {
1371
1372 return true;
1373 }
1374 }
1375
1376 if (group.isLayoutPrototype()) {
1377 if (LayoutPrototypePermissionUtil.contains(
1378 this, group.getClassPK(), ActionKeys.UPDATE)) {
1379
1380 return true;
1381 }
1382 else {
1383 return false;
1384 }
1385 }
1386 else if (group.isLayoutSetPrototype()) {
1387 if (LayoutSetPrototypePermissionUtil.contains(
1388 this, group.getClassPK(), ActionKeys.UPDATE)) {
1389
1390 return true;
1391 }
1392 else {
1393 return false;
1394 }
1395 }
1396 else if (group.isOrganization()) {
1397 long organizationId = group.getOrganizationId();
1398
1399 while (organizationId !=
1400 OrganizationConstants.DEFAULT_PARENT_ORGANIZATION_ID) {
1401
1402 Organization organization =
1403 OrganizationLocalServiceUtil.getOrganization(
1404 organizationId);
1405
1406 long organizationGroupId = organization.getGroupId();
1407
1408 if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1409 getUserId(), organizationGroupId,
1410 RoleConstants.ORGANIZATION_OWNER, true)) {
1411
1412 return true;
1413 }
1414
1415 organizationId = organization.getParentOrganizationId();
1416 }
1417 }
1418 else if (group.isUser()) {
1419 long groupUserId = group.getClassPK();
1420
1421 if (getUserId() == groupUserId) {
1422 return true;
1423 }
1424 }
1425
1426 return false;
1427 }
1428
1429 protected boolean isGroupOwnerImpl(long groupId) throws Exception {
1430 if (!signedIn) {
1431 return false;
1432 }
1433
1434 if (isOmniadmin()) {
1435 return true;
1436 }
1437
1438 if (groupId <= 0) {
1439 return false;
1440 }
1441
1442 Group group = GroupLocalServiceUtil.getGroup(groupId);
1443
1444 if (isCompanyAdmin(group.getCompanyId())) {
1445 return true;
1446 }
1447
1448 Boolean value = PermissionCacheUtil.getUserPrimaryKeyRole(
1449 getUserId(), group.getGroupId(), RoleConstants.SITE_OWNER);
1450
1451 try {
1452 if (value == null) {
1453 value = isGroupOwnerImpl(group);
1454
1455 PermissionCacheUtil.putUserPrimaryKeyRole(
1456 getUserId(), group.getGroupId(), RoleConstants.SITE_OWNER,
1457 value);
1458 }
1459 }
1460 catch (Exception e) {
1461 PermissionCacheUtil.removeUserPrimaryKeyRole(
1462 getUserId(), group.getGroupId(), RoleConstants.SITE_OWNER);
1463
1464 throw e;
1465 }
1466
1467 return value;
1468 }
1469
1470 protected boolean isOrganizationAdminImpl(long organizationId)
1471 throws Exception {
1472
1473 if (!signedIn) {
1474 return false;
1475 }
1476
1477 if (isOmniadmin()) {
1478 return true;
1479 }
1480
1481 if (organizationId <= 0) {
1482 return false;
1483 }
1484
1485 Organization organization =
1486 OrganizationLocalServiceUtil.fetchOrganization(organizationId);
1487
1488 if (organization == null) {
1489 return false;
1490 }
1491
1492 if (isCompanyAdmin(organization.getCompanyId())) {
1493 return true;
1494 }
1495
1496 Boolean value = PermissionCacheUtil.getUserPrimaryKeyRole(
1497 getUserId(), organization.getOrganizationId(),
1498 RoleConstants.ORGANIZATION_ADMINISTRATOR);
1499
1500 try {
1501 if (value == null) {
1502 value = isOrganizationAdminImpl(organization);
1503
1504 PermissionCacheUtil.putUserPrimaryKeyRole(
1505 getUserId(), organization.getOrganizationId(),
1506 RoleConstants.ORGANIZATION_ADMINISTRATOR, value);
1507 }
1508 }
1509 catch (Exception e) {
1510 PermissionCacheUtil.removeUserPrimaryKeyRole(
1511 getUserId(), organization.getOrganizationId(),
1512 RoleConstants.ORGANIZATION_ADMINISTRATOR);
1513
1514 throw e;
1515 }
1516
1517 return value;
1518 }
1519
1520 protected boolean isOrganizationAdminImpl(Organization organization)
1521 throws PortalException {
1522
1523 while (organization != null) {
1524 long organizationGroupId = organization.getGroupId();
1525
1526 long userId = getUserId();
1527
1528 if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1529 userId, organizationGroupId,
1530 RoleConstants.ORGANIZATION_ADMINISTRATOR, true) ||
1531 UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1532 userId, organizationGroupId,
1533 RoleConstants.ORGANIZATION_OWNER, true)) {
1534
1535 return true;
1536 }
1537
1538 organization = organization.getParentOrganization();
1539 }
1540
1541 return false;
1542 }
1543
1544 protected boolean isOrganizationOwnerImpl(long organizationId)
1545 throws Exception {
1546
1547 if (!signedIn) {
1548 return false;
1549 }
1550
1551 if (isOmniadmin()) {
1552 return true;
1553 }
1554
1555 if (organizationId <= 0) {
1556 return false;
1557 }
1558
1559 Organization organization =
1560 OrganizationLocalServiceUtil.fetchOrganization(organizationId);
1561
1562 if (organization == null) {
1563 return false;
1564 }
1565
1566 if (isCompanyAdmin(organization.getCompanyId())) {
1567 return true;
1568 }
1569
1570 Boolean value = PermissionCacheUtil.getUserPrimaryKeyRole(
1571 getUserId(), organization.getOrganizationId(),
1572 RoleConstants.ORGANIZATION_OWNER);
1573
1574 try {
1575 if (value == null) {
1576 value = isOrganizationOwnerImpl(organization);
1577
1578 PermissionCacheUtil.putUserPrimaryKeyRole(
1579 getUserId(), organization.getOrganizationId(),
1580 RoleConstants.ORGANIZATION_OWNER, value);
1581 }
1582 }
1583 catch (Exception e) {
1584 PermissionCacheUtil.removeUserPrimaryKeyRole(
1585 getUserId(), organization.getOrganizationId(),
1586 RoleConstants.ORGANIZATION_OWNER);
1587
1588 throw e;
1589 }
1590
1591 return value;
1592 }
1593
1594 protected boolean isOrganizationOwnerImpl(Organization organization)
1595 throws PortalException {
1596
1597 while (organization != null) {
1598 long organizationGroupId = organization.getGroupId();
1599
1600 long userId = getUserId();
1601
1602 if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
1603 userId, organizationGroupId,
1604 RoleConstants.ORGANIZATION_OWNER, true)) {
1605
1606 return true;
1607 }
1608
1609 organization = organization.getParentOrganization();
1610 }
1611
1612 return false;
1613 }
1614
1615 protected void logHasUserPermission(
1616 long groupId, String name, String primKey, String actionId,
1617 StopWatch stopWatch, int block) {
1618
1619 if (!_log.isDebugEnabled()) {
1620 return;
1621 }
1622
1623 _log.debug(
1624 "Checking user permission block " + block + " for " + groupId +
1625 " " + name + " " + primKey + " " + actionId + " takes " +
1626 stopWatch.getTime() + " ms");
1627 }
1628
1629
1632 @Deprecated
1633 protected static final String RESULTS_SEPARATOR = "_RESULTS_SEPARATOR_";
1634
1635 private static final Log _log = LogFactoryUtil.getLog(
1636 AdvancedPermissionChecker.class);
1637
1638 }