015 package com.liferay.portal.service.permission;
016
017 import com.liferay.portal.kernel.exception.PortalException;
018 import com.liferay.portal.kernel.log.Log;
019 import com.liferay.portal.kernel.log.LogFactoryUtil;
020 import com.liferay.portal.kernel.model.Contact;
021 import com.liferay.portal.kernel.model.Group;
022 import com.liferay.portal.kernel.model.Organization;
023 import com.liferay.portal.kernel.model.ResourceConstants;
024 import com.liferay.portal.kernel.model.RoleConstants;
025 import com.liferay.portal.kernel.model.User;
026 import com.liferay.portal.kernel.security.auth.PrincipalException;
027 import com.liferay.portal.kernel.security.permission.ActionKeys;
028 import com.liferay.portal.kernel.security.permission.BaseModelPermissionChecker;
029 import com.liferay.portal.kernel.security.permission.PermissionChecker;
030 import com.liferay.portal.kernel.service.OrganizationLocalServiceUtil;
031 import com.liferay.portal.kernel.service.UserGroupRoleLocalServiceUtil;
032 import com.liferay.portal.kernel.service.UserLocalServiceUtil;
033 import com.liferay.portal.kernel.service.permission.OrganizationPermissionUtil;
034 import com.liferay.portal.kernel.service.permission.UserPermission;
035 import com.liferay.portal.kernel.spring.osgi.OSGiBeanProperties;
036 import com.liferay.portal.kernel.util.PortalUtil;
037
038 import java.util.List;
039
040
/**
 * Authorization logic for the portal's {@code User} model: decides whether
 * the principal behind a {@link PermissionChecker} may perform an action on a
 * given user, either directly or through organization membership.
 *
 * <p>
 * The {@code check} methods throw when access is denied; the {@code contains}
 * methods return the decision as a boolean. Every decision funnels through
 * {@link #contains(PermissionChecker, long, long[], String)}.
 * </p>
 */
@OSGiBeanProperties(
    property = {"model.class.name=com.liferay.portal.kernel.model.User"}
)
public class UserPermissionImpl
    implements BaseModelPermissionChecker, UserPermission {

    /**
     * Requires that the checker may perform {@code actionId} on the user,
     * evaluating organization-based rights against {@code organizationIds}.
     *
     * @param  permissionChecker the checker representing the acting principal
     * @param  userId the primary key of the target user
     * @param  organizationIds the organizations to evaluate, or
     *         {@code null} to use the target user's own organizations
     * @param  actionId the action being attempted
     * @throws PrincipalException if the four-argument {@code contains}
     *         returns {@code false}
     */
    @Override
    public void check(
            PermissionChecker permissionChecker, long userId,
            long[] organizationIds, String actionId)
        throws PrincipalException {

        if (contains(permissionChecker, userId, organizationIds, actionId)) {
            return;
        }

        throw new PrincipalException.MustHavePermission(
            permissionChecker, User.class.getName(), userId, actionId);
    }

    /**
     * Requires that the checker may perform {@code actionId} on the user.
     *
     * @param  permissionChecker the checker representing the acting principal
     * @param  userId the primary key of the target user
     * @param  actionId the action being attempted
     * @throws PrincipalException if the three-argument {@code contains}
     *         returns {@code false}
     */
    @Override
    public void check(
            PermissionChecker permissionChecker, long userId, String actionId)
        throws PrincipalException {

        if (contains(permissionChecker, userId, actionId)) {
            return;
        }

        throw new PrincipalException.MustHavePermission(
            permissionChecker, User.class.getName(), userId, actionId);
    }

    /**
     * Generic-model entry point: looks up the organizations of the user
     * identified by {@code primaryKey} and delegates to the four-argument
     * {@code check}. The organization ids are therefore derived from stored
     * data, not from the caller.
     *
     * @param  permissionChecker the checker representing the acting principal
     * @param  groupId not used by this implementation
     * @param  primaryKey the primary key of the target user
     * @param  actionId the action being attempted
     * @throws PortalException if the organization lookup fails or the
     *         permission check denies access
     */
    @Override
    public void checkBaseModel(
            PermissionChecker permissionChecker, long groupId, long primaryKey,
            String actionId)
        throws PortalException {

        List<Organization> userOrganizations =
            OrganizationLocalServiceUtil.getUserOrganizations(primaryKey);

        long[] organizationIds = new long[userOrganizations.size()];
        int index = 0;

        for (Organization userOrganization : userOrganizations) {
            organizationIds[index++] = userOrganization.getOrganizationId();
        }

        check(permissionChecker, primaryKey, organizationIds, actionId);
    }

    /**
     * Returns whether the checker may perform {@code actionId} on the user.
     *
     * <p>
     * The checks run in this order, and the first one that decides wins:
     * </p>
     *
     * <ol>
     * <li>
     * When {@code userId} is {@code ResourceConstants.PRIMKEY_DNE}, only the
     * model-level permission on the {@code User} class name is consulted;
     * the result is {@code true} if it is held and {@code false} otherwise.
     * </li>
     * <li>
     * For DELETE, IMPERSONATE, PERMISSIONS, UPDATE and VIEW, a checker that
     * is not an omniadmin is denied when the target is an omniadmin, and a
     * checker that is not a company administrator is denied when the target
     * is a company administrator.
     * </li>
     * <li>
     * Access is granted on owner permission, when the checker's user id is
     * {@code userId}, or on a direct permission for that user.
     * </li>
     * <li>
     * Otherwise each organization is examined: MANAGE_USERS on the
     * organization grants access unless the target's organization role
     * outranks the checker (see the comments in the loop).
     * </li>
     * </ol>
     *
     * <p>
     * Any exception raised along the way is logged and reported as a denial.
     * </p>
     *
     * @param  permissionChecker the checker representing the acting principal
     * @param  userId the primary key of the target user, or
     *         {@code ResourceConstants.PRIMKEY_DNE}
     * @param  organizationIds the organizations to evaluate, or
     *         {@code null} to use the target user's own organizations
     * @param  actionId the action being attempted
     * @return {@code true} if access is granted; {@code false} if it is
     *         denied or an exception occurred
     */
    @Override
    public boolean contains(
        PermissionChecker permissionChecker, long userId,
        long[] organizationIds, String actionId) {

        try {
            User targetUser = null;

            if (userId == ResourceConstants.PRIMKEY_DNE) {
                if (permissionChecker.hasPermission(
                        0, User.class.getName(), User.class.getName(),
                        actionId)) {

                    return true;
                }
            }
            else {
                targetUser = UserLocalServiceUtil.getUserById(userId);

                boolean guardedAction =
                    actionId.equals(ActionKeys.DELETE) ||
                    actionId.equals(ActionKeys.IMPERSONATE) ||
                    actionId.equals(ActionKeys.PERMISSIONS) ||
                    actionId.equals(ActionKeys.UPDATE) ||
                    actionId.equals(ActionKeys.VIEW);

                // Administrator protection runs before any grant below, so a
                // lower-privileged checker cannot act on a higher-privileged
                // account even if it holds a permission on that user.

                if (guardedAction && !permissionChecker.isOmniadmin()) {
                    if (PortalUtil.isOmniadmin(targetUser)) {
                        return false;
                    }

                    if (!permissionChecker.isCompanyAdmin() &&
                        PortalUtil.isCompanyAdmin(targetUser)) {

                        return false;
                    }
                }

                Contact contact = targetUser.getContact();

                if (permissionChecker.hasOwnerPermission(
                        permissionChecker.getCompanyId(),
                        User.class.getName(), userId, contact.getUserId(),
                        actionId)) {

                    return true;
                }

                // Acting on one's own account is allowed for every action
                // id, not only the five guarded ones.
                // NOTE(review): confirm this is intended for callers that
                // pass sensitive action ids.

                if (permissionChecker.getUserId() == userId) {
                    return true;
                }

                if (permissionChecker.hasPermission(
                        0, User.class.getName(), userId, actionId)) {

                    return true;
                }
            }

            if (targetUser == null) {
                return false;
            }

            // NOTE(review): ids supplied by the caller are used as given;
            // nothing here confirms that the target user belongs to those
            // organizations. Callers should derive them from stored data, as
            // checkBaseModel does, rather than from request input.

            long[] candidateOrganizationIds =
                (organizationIds != null) ? organizationIds :
                    targetUser.getOrganizationIds();

            for (long candidateOrganizationId : candidateOrganizationIds) {
                Organization organization =
                    OrganizationLocalServiceUtil.getOrganization(
                        candidateOrganizationId);

                if (!OrganizationPermissionUtil.contains(
                        permissionChecker, organization,
                        ActionKeys.MANAGE_USERS)) {

                    continue;
                }

                if (permissionChecker.getUserId() == targetUser.getUserId()) {
                    return true;
                }

                long organizationGroupId =
                    organization.getGroup().getGroupId();

                // A target who holds the organization owner role here is
                // never manageable through this organization.

                if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
                        targetUser.getUserId(), organizationGroupId,
                        RoleConstants.ORGANIZATION_OWNER, true)) {

                    continue;
                }

                // A target who holds the organization administrator role is
                // manageable only by a checker who is an organization owner.

                if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
                        targetUser.getUserId(), organizationGroupId,
                        RoleConstants.ORGANIZATION_ADMINISTRATOR, true) &&
                    !UserGroupRoleLocalServiceUtil.hasUserGroupRole(
                        permissionChecker.getUserId(), organizationGroupId,
                        RoleConstants.ORGANIZATION_OWNER, true)) {

                    continue;
                }

                return true;
            }
        }
        catch (Exception e) {

            // Fail closed: a failed lookup or any other error is recorded
            // and falls through to the denial below, so an error never
            // widens access.

            _log.error(e, e);
        }

        return false;
    }

    /**
     * Returns whether the checker may perform {@code actionId} on the user,
     * evaluating organization-based rights against the user's own
     * organizations.
     *
     * @param  permissionChecker the checker representing the acting principal
     * @param  userId the primary key of the target user
     * @param  actionId the action being attempted
     * @return the result of the four-argument {@code contains} called with
     *         {@code null} organization ids
     */
    @Override
    public boolean contains(
        PermissionChecker permissionChecker, long userId, String actionId) {

        return contains(permissionChecker, userId, null, actionId);
    }

    private static final Log _log = LogFactoryUtil.getLog(
        UserPermissionImpl.class);

}