001    /**
002     * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.service.permission;
016    
017    import com.liferay.portal.kernel.exception.PortalException;
018    import com.liferay.portal.kernel.log.Log;
019    import com.liferay.portal.kernel.log.LogFactoryUtil;
020    import com.liferay.portal.kernel.model.Contact;
021    import com.liferay.portal.kernel.model.Group;
022    import com.liferay.portal.kernel.model.Organization;
023    import com.liferay.portal.kernel.model.ResourceConstants;
024    import com.liferay.portal.kernel.model.RoleConstants;
025    import com.liferay.portal.kernel.model.User;
026    import com.liferay.portal.kernel.security.auth.PrincipalException;
027    import com.liferay.portal.kernel.security.permission.ActionKeys;
028    import com.liferay.portal.kernel.security.permission.BaseModelPermissionChecker;
029    import com.liferay.portal.kernel.security.permission.PermissionChecker;
030    import com.liferay.portal.kernel.service.OrganizationLocalServiceUtil;
031    import com.liferay.portal.kernel.service.UserGroupRoleLocalServiceUtil;
032    import com.liferay.portal.kernel.service.UserLocalServiceUtil;
033    import com.liferay.portal.kernel.service.permission.OrganizationPermissionUtil;
034    import com.liferay.portal.kernel.service.permission.UserPermission;
035    import com.liferay.portal.kernel.spring.osgi.OSGiBeanProperties;
036    import com.liferay.portal.kernel.util.PortalUtil;
037    
038    import java.util.List;
039    
/**
 * Permission checker for {@link User} resources.
 *
 * <p>
 * A request is evaluated in three stages, in this order: a guard that refuses
 * sensitive actions (delete, impersonate, permissions, update, view) on
 * omniadmin or company-admin targets when the caller is less privileged; a
 * direct check (record owner, the user himself, or an explicit permission on
 * the user instance); and, last, delegation through organization membership,
 * where a caller holding {@code MANAGE_USERS} on one of the target's
 * organizations may act on ordinary members and, only if the caller is an
 * organization owner there, on organization administrators. Organization
 * owners are never reachable through that last stage.
 * </p>
 *
 * <p>
 * Any exception raised while evaluating
 * {@link #contains(PermissionChecker, long, long[], String)} is logged and
 * reported as a denial, so the checker fails closed.
 * </p>
 *
 * @author Charles May
 * @author Jorge Ferrer
 */
@OSGiBeanProperties(
	property = {"model.class.name=com.liferay.portal.kernel.model.User"}
)
public class UserPermissionImpl
	implements BaseModelPermissionChecker, UserPermission {

	/**
	 * Verifies that the caller may perform {@code actionId} on the user,
	 * restricting the organization stage to {@code organizationIds}.
	 *
	 * @param  permissionChecker the caller's permission checker
	 * @param  userId the primary key of the target user
	 * @param  organizationIds the organizations to consider for delegated
	 *         access, or {@code null} for every organization the target
	 *         belongs to
	 * @param  actionId the action being attempted
	 * @throws PrincipalException if the caller does not have the permission
	 */
	@Override
	public void check(
			PermissionChecker permissionChecker, long userId,
			long[] organizationIds, String actionId)
		throws PrincipalException {

		boolean allowed = contains(
			permissionChecker, userId, organizationIds, actionId);

		if (allowed) {
			return;
		}

		throw new PrincipalException.MustHavePermission(
			permissionChecker, User.class.getName(), userId, actionId);
	}

	/**
	 * Verifies that the caller may perform {@code actionId} on the user,
	 * considering every organization the user belongs to.
	 *
	 * @param  permissionChecker the caller's permission checker
	 * @param  userId the primary key of the target user
	 * @param  actionId the action being attempted
	 * @throws PrincipalException if the caller does not have the permission
	 */
	@Override
	public void check(
			PermissionChecker permissionChecker, long userId, String actionId)
		throws PrincipalException {

		boolean allowed = contains(permissionChecker, userId, actionId);

		if (allowed) {
			return;
		}

		throw new PrincipalException.MustHavePermission(
			permissionChecker, User.class.getName(), userId, actionId);
	}

	/**
	 * Generic model entry point: resolves the target user's organizations and
	 * delegates to {@link #check(PermissionChecker, long, long[], String)}.
	 *
	 * @param  permissionChecker the caller's permission checker
	 * @param  groupId unused; the organization scope is derived from the
	 *         target user's memberships rather than from the calling group
	 * @param  primaryKey the primary key of the target user
	 * @param  actionId the action being attempted
	 * @throws PortalException if the caller does not have the permission or
	 *         the organizations cannot be loaded
	 */
	@Override
	public void checkBaseModel(
			PermissionChecker permissionChecker, long groupId, long primaryKey,
			String actionId)
		throws PortalException {

		List<Organization> organizations =
			OrganizationLocalServiceUtil.getUserOrganizations(primaryKey);

		long[] organizationIds = new long[organizations.size()];

		int index = 0;

		for (Organization organization : organizations) {
			organizationIds[index++] = organization.getOrganizationId();
		}

		check(permissionChecker, primaryKey, organizationIds, actionId);
	}

	/**
	 * Returns whether the caller may perform {@code actionId} on the user.
	 *
	 * <p>
	 * When {@code userId} is {@link ResourceConstants#PRIMKEY_DNE} there is no
	 * concrete target and only a model-level (class-wide) permission can grant
	 * the action. Otherwise the privileged-target guard, the direct check and
	 * the organization stage are applied in that order. Any exception is
	 * logged and yields {@code false}.
	 * </p>
	 *
	 * @param  permissionChecker the caller's permission checker
	 * @param  userId the primary key of the target user, or
	 *         {@link ResourceConstants#PRIMKEY_DNE}
	 * @param  organizationIds the organizations to consider for delegated
	 *         access, or {@code null} for every organization the target
	 *         belongs to
	 * @param  actionId the action being attempted
	 * @return <code>true</code> if the caller has the permission;
	 *         <code>false</code> otherwise
	 */
	@Override
	public boolean contains(
		PermissionChecker permissionChecker, long userId,
		long[] organizationIds, String actionId) {

		try {
			if (userId == ResourceConstants.PRIMKEY_DNE) {

				// No concrete user: only a class-wide grant applies

				return permissionChecker.hasPermission(
					0, User.class.getName(), User.class.getName(), actionId);
			}

			User user = UserLocalServiceUtil.getUserById(userId);

			if (_isShieldedTarget(permissionChecker, user, actionId)) {
				return false;
			}

			if (_hasDirectPermission(
					permissionChecker, user, userId, actionId)) {

				return true;
			}

			long[] scopeOrganizationIds = organizationIds;

			if (scopeOrganizationIds == null) {
				scopeOrganizationIds = user.getOrganizationIds();
			}

			return _hasOrganizationPermission(
				permissionChecker, user, scopeOrganizationIds);
		}
		catch (Exception e) {

			// Fail closed: an evaluation error never grants access

			_log.error(e, e);
		}

		return false;
	}

	/**
	 * Returns whether the caller may perform {@code actionId} on the user,
	 * considering every organization the user belongs to.
	 *
	 * @param  permissionChecker the caller's permission checker
	 * @param  userId the primary key of the target user
	 * @param  actionId the action being attempted
	 * @return <code>true</code> if the caller has the permission;
	 *         <code>false</code> otherwise
	 */
	@Override
	public boolean contains(
		PermissionChecker permissionChecker, long userId, String actionId) {

		// A null scope means "all organizations the target user belongs to"

		long[] allOrganizationIds = null;

		return contains(
			permissionChecker, userId, allOrganizationIds, actionId);
	}

	/**
	 * Returns whether the caller may manage the organization member through
	 * its {@code MANAGE_USERS} right on {@code organizationGroup}.
	 *
	 * <p>
	 * Organization owners are never manageable this way; organization
	 * administrators are manageable only by organization owners; everyone
	 * else is manageable.
	 * </p>
	 */
	private boolean _canManageOrganizationMember(
			PermissionChecker permissionChecker, User user,
			Group organizationGroup)
		throws PortalException {

		long groupId = organizationGroup.getGroupId();

		if (UserGroupRoleLocalServiceUtil.hasUserGroupRole(
				user.getUserId(), groupId, RoleConstants.ORGANIZATION_OWNER,
				true)) {

			return false;
		}

		if (!UserGroupRoleLocalServiceUtil.hasUserGroupRole(
				user.getUserId(), groupId,
				RoleConstants.ORGANIZATION_ADMINISTRATOR, true)) {

			return true;
		}

		// Target is an organization administrator: only an owner may proceed

		return UserGroupRoleLocalServiceUtil.hasUserGroupRole(
			permissionChecker.getUserId(), groupId,
			RoleConstants.ORGANIZATION_OWNER, true);
	}

	/**
	 * Returns whether the caller owns the user record, is the user himself,
	 * or holds an explicit permission on this user instance.
	 */
	private boolean _hasDirectPermission(
			PermissionChecker permissionChecker, User user, long userId,
			String actionId)
		throws PortalException {

		Contact contact = user.getContact();

		// The owner id of a user resource is taken from its contact record

		if (permissionChecker.hasOwnerPermission(
				permissionChecker.getCompanyId(), User.class.getName(), userId,
				contact.getUserId(), actionId)) {

			return true;
		}

		if (permissionChecker.getUserId() == userId) {
			return true;
		}

		return permissionChecker.hasPermission(
			0, User.class.getName(), userId, actionId);
	}

	/**
	 * Returns whether any organization in {@code organizationIds} lets the
	 * caller act on the user via {@code MANAGE_USERS}, subject to
	 * {@link #_canManageOrganizationMember(PermissionChecker, User, Group)}.
	 */
	private boolean _hasOrganizationPermission(
			PermissionChecker permissionChecker, User user,
			long[] organizationIds)
		throws PortalException {

		for (long organizationId : organizationIds) {
			Organization organization =
				OrganizationLocalServiceUtil.getOrganization(organizationId);

			if (!OrganizationPermissionUtil.contains(
					permissionChecker, organization, ActionKeys.MANAGE_USERS)) {

				continue;
			}

			if (permissionChecker.getUserId() == user.getUserId()) {
				return true;
			}

			if (_canManageOrganizationMember(
					permissionChecker, user, organization.getGroup())) {

				return true;
			}
		}

		return false;
	}

	/**
	 * Returns whether {@code actionId} is one of the actions that must not be
	 * performed on a more privileged user.
	 */
	private boolean _isSensitiveAction(String actionId) {
		for (String sensitiveActionId : _SENSITIVE_ACTION_IDS) {
			if (actionId.equals(sensitiveActionId)) {
				return true;
			}
		}

		return false;
	}

	/**
	 * Returns whether the target user is shielded from the caller: the action
	 * is sensitive, the caller is not an omniadmin, and the target is either
	 * an omniadmin or a company admin while the caller is not a company admin.
	 */
	private boolean _isShieldedTarget(
		PermissionChecker permissionChecker, User user, String actionId) {

		if (!_isSensitiveAction(actionId)) {
			return false;
		}

		if (permissionChecker.isOmniadmin()) {
			return false;
		}

		if (PortalUtil.isOmniadmin(user)) {
			return true;
		}

		if (permissionChecker.isCompanyAdmin()) {
			return false;
		}

		return PortalUtil.isCompanyAdmin(user);
	}

	private static final String[] _SENSITIVE_ACTION_IDS = {
		ActionKeys.DELETE, ActionKeys.IMPERSONATE, ActionKeys.PERMISSIONS,
		ActionKeys.UPDATE, ActionKeys.VIEW
	};

	private static final Log _log = LogFactoryUtil.getLog(
		UserPermissionImpl.class);

}