001    /**
002     * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.service.permission;
016    
017    import com.liferay.portal.kernel.exception.PortalException;
018    import com.liferay.portal.kernel.log.Log;
019    import com.liferay.portal.kernel.log.LogFactoryUtil;
020    import com.liferay.portal.kernel.spring.osgi.OSGiBeanProperties;
021    import com.liferay.portal.model.Contact;
022    import com.liferay.portal.model.Group;
023    import com.liferay.portal.model.Organization;
024    import com.liferay.portal.model.ResourceConstants;
025    import com.liferay.portal.model.RoleConstants;
026    import com.liferay.portal.model.User;
027    import com.liferay.portal.security.auth.PrincipalException;
028    import com.liferay.portal.security.permission.ActionKeys;
029    import com.liferay.portal.security.permission.BaseModelPermissionChecker;
030    import com.liferay.portal.security.permission.PermissionChecker;
031    import com.liferay.portal.service.OrganizationLocalServiceUtil;
032    import com.liferay.portal.service.UserGroupRoleLocalServiceUtil;
033    import com.liferay.portal.service.UserLocalServiceUtil;
034    import com.liferay.portal.util.PortalUtil;
035    
036    import java.util.List;
037    
038    /**
039     * @author Charles May
040     * @author Jorge Ferrer
041     */
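@OSGiBeanProperties(
	property = {"model.class.name=com.liferay.portal.model.User"}
)
public class UserPermissionImpl
	implements BaseModelPermissionChecker, UserPermission {

	/**
	 * @deprecated As of 6.2.0, replaced by {@link #check(PermissionChecker,
	 *             long, long[], String)}
	 */
	@Deprecated
	@Override
	public void check(
			PermissionChecker permissionChecker, long userId,
			long organizationId, long locationId, String actionId)
		throws PrincipalException {

		// The legacy organization/location pair is forwarded as a plain
		// two-element array of organization IDs
		long[] organizationIds = {organizationId, locationId};

		check(permissionChecker, userId, organizationIds, actionId);
	}

	/**
	 * Throws unless the caller may perform {@code actionId} on the user.
	 *
	 * @param  permissionChecker the caller's permission checker
	 * @param  userId the primary key of the target user
	 * @param  organizationIds the organizations consulted for
	 *         organization-level management rights, or {@code null} to fall
	 *         back to the target user's own organizations
	 * @param  actionId the action key being checked
	 * @throws PrincipalException if {@link #contains(PermissionChecker, long,
	 *         long[], String)} denies the action
	 */
	@Override
	public void check(
			PermissionChecker permissionChecker, long userId,
			long[] organizationIds, String actionId)
		throws PrincipalException {

		boolean allowed = contains(
			permissionChecker, userId, organizationIds, actionId);

		if (!allowed) {
			throw new PrincipalException();
		}
	}

	/**
	 * Throws unless the caller may perform {@code actionId} on the user,
	 * using the target user's own organizations as the organization scope.
	 *
	 * @param  permissionChecker the caller's permission checker
	 * @param  userId the primary key of the target user
	 * @param  actionId the action key being checked
	 * @throws PrincipalException if {@link #contains(PermissionChecker, long,
	 *         String)} denies the action
	 */
	@Override
	public void check(
			PermissionChecker permissionChecker, long userId, String actionId)
		throws PrincipalException {

		boolean allowed = contains(permissionChecker, userId, actionId);

		if (!allowed) {
			throw new PrincipalException();
		}
	}

	/**
	 * Checks {@code actionId} against the user whose primary key is {@code
	 * primaryKey}, scoping the organization checks to every organization the
	 * user belongs to. {@code groupId} is not consulted.
	 *
	 * @param  permissionChecker the caller's permission checker
	 * @param  groupId unused
	 * @param  primaryKey the primary key of the target user
	 * @param  actionId the action key being checked
	 * @throws PortalException if the user's organizations cannot be loaded
	 *         or the check fails
	 */
	@Override
	public void checkBaseModel(
			PermissionChecker permissionChecker, long groupId, long primaryKey,
			String actionId)
		throws PortalException {

		List<Organization> organizations =
			OrganizationLocalServiceUtil.getUserOrganizations(primaryKey);

		long[] organizationIds = new long[organizations.size()];

		int index = 0;

		for (Organization organization : organizations) {
			organizationIds[index++] = organization.getOrganizationId();
		}

		check(permissionChecker, primaryKey, organizationIds, actionId);
	}

	/**
	 * @deprecated As of 6.2.0, replaced by {@link #contains(PermissionChecker,
	 *             long, long[], String)}
	 */
	@Deprecated
	@Override
	public boolean contains(
		PermissionChecker permissionChecker, long userId, long organizationId,
		long locationId, String actionId) {

		long[] organizationIds = {organizationId, locationId};

		return contains(permissionChecker, userId, organizationIds, actionId);
	}

	/**
	 * Returns whether the caller may perform {@code actionId} on the user.
	 *
	 * <p>
	 * The decision is made in this order:
	 * </p>
	 *
	 * <ol>
	 * <li>When {@code userId} is not {@link ResourceConstants#PRIMKEY_DNE}, the
	 * user is loaded. A non-omniadmin caller is denied DELETE, IMPERSONATE,
	 * PERMISSIONS, UPDATE and VIEW on an omniadmin, and a non-company-admin
	 * caller is denied those actions on a company admin. Owner permission on
	 * the user, or the caller being that very user, grants.</li>
	 * <li>An explicit permission on the User resource grants.</li>
	 * <li>Without a loaded user the action is denied.</li>
	 * <li>Otherwise each organization in {@code organizationIds} (or, when
	 * {@code null}, the user's own organizations) is consulted for
	 * MANAGE_USERS, subject to the owner/administrator rules in
	 * {@link #_canManageThroughOrganization}.</li>
	 * </ol>
	 *
	 * <p>
	 * Any exception raised while resolving users, organizations or roles is
	 * logged and the check fails closed.
	 * </p>
	 *
	 * @param  permissionChecker the caller's permission checker
	 * @param  userId the primary key of the target user
	 * @param  organizationIds the organizations to consult, or {@code null}
	 * @param  actionId the action key being checked
	 * @return {@code true} if the action is permitted; {@code false}
	 *         otherwise, including on any internal error
	 */
	@Override
	public boolean contains(
		PermissionChecker permissionChecker, long userId,
		long[] organizationIds, String actionId) {

		try {
			User user = null;

			if (userId != ResourceConstants.PRIMKEY_DNE) {
				user = UserLocalServiceUtil.getUserById(userId);

				// A caller may never reach "upwards": non-omniadmins cannot
				// touch omniadmins and non-company-admins cannot touch
				// company admins for the sensitive actions
				if (_isShieldedTarget(permissionChecker, user, actionId)) {
					return false;
				}

				Contact contact = user.getContact();

				boolean owner = permissionChecker.hasOwnerPermission(
					permissionChecker.getCompanyId(), User.class.getName(),
					userId, contact.getUserId(), actionId);

				if (owner || (permissionChecker.getUserId() == userId)) {
					return true;
				}
			}

			// Explicit permission granted on the User resource itself
			if (permissionChecker.hasPermission(
					0, User.class.getName(), userId, actionId)) {

				return true;
			}

			if (user == null) {
				return false;
			}

			long[] candidateIds = organizationIds;

			if (candidateIds == null) {
				candidateIds = user.getOrganizationIds();
			}

			for (long organizationId : candidateIds) {
				if (_canManageThroughOrganization(
						permissionChecker, user, organizationId)) {

					return true;
				}
			}
		}
		catch (Exception e) {

			// Fail closed: a lookup failure must never turn into a grant
			_log.error(e, e);
		}

		return false;
	}

	/**
	 * Returns whether the caller may perform {@code actionId} on the user,
	 * consulting the target user's own organizations.
	 *
	 * @param  permissionChecker the caller's permission checker
	 * @param  userId the primary key of the target user
	 * @param  actionId the action key being checked
	 * @return {@code true} if the action is permitted; {@code false} otherwise
	 */
	@Override
	public boolean contains(
		PermissionChecker permissionChecker, long userId, String actionId) {

		return contains(permissionChecker, userId, null, actionId);
	}

	/**
	 * Returns whether the caller may manage {@code user} by holding
	 * {@link ActionKeys#MANAGE_USERS} on the organization.
	 *
	 * <p>
	 * Organization administrators can only manage normal users. Owners can
	 * only manage normal users and administrators. A user may always manage
	 * themselves through an organization they can manage.
	 * </p>
	 *
	 * @param  permissionChecker the caller's permission checker
	 * @param  user the target user
	 * @param  organizationId the organization to consult
	 * @return {@code true} if this organization grants management of the
	 *         user; {@code false} if it does not (other organizations may)
	 * @throws PortalException if the organization, its group or the role
	 *         memberships cannot be loaded
	 */
	private static boolean _canManageThroughOrganization(
			PermissionChecker permissionChecker, User user, long organizationId)
		throws PortalException {

		Organization organization =
			OrganizationLocalServiceUtil.getOrganization(organizationId);

		if (!OrganizationPermissionUtil.contains(
				permissionChecker, organization, ActionKeys.MANAGE_USERS)) {

			return false;
		}

		if (permissionChecker.getUserId() == user.getUserId()) {
			return true;
		}

		Group organizationGroup = organization.getGroup();

		long groupId = organizationGroup.getGroupId();

		// Owners of the organization are out of reach for everyone here
		if (_hasOrganizationRole(
				user.getUserId(), groupId, RoleConstants.ORGANIZATION_OWNER)) {

			return false;
		}

		boolean targetIsAdministrator = _hasOrganizationRole(
			user.getUserId(), groupId,
			RoleConstants.ORGANIZATION_ADMINISTRATOR);

		// Administrators may only be managed by an owner
		if (targetIsAdministrator &&
			!_hasOrganizationRole(
				permissionChecker.getUserId(), groupId,
				RoleConstants.ORGANIZATION_OWNER)) {

			return false;
		}

		return true;
	}

	/**
	 * Returns whether {@code userId} holds the named role in the group.
	 *
	 * @param  userId the user to look up
	 * @param  groupId the organization's group
	 * @param  roleName the role name constant
	 * @return {@code true} if the role is held
	 * @throws PortalException if the lookup fails
	 */
	private static boolean _hasOrganizationRole(
			long userId, long groupId, String roleName)
		throws PortalException {

		// Trailing flag presumably enables inherited-role lookup (it is
		// always passed as true here) -- confirm against the service
		return UserGroupRoleLocalServiceUtil.hasUserGroupRole(
			userId, groupId, roleName, true);
	}

	/**
	 * Returns whether {@code actionId} is one of the actions that must not
	 * be performed on an administrator who outranks the caller.
	 *
	 * @param  actionId the action key being checked
	 * @return {@code true} for DELETE, IMPERSONATE, PERMISSIONS, UPDATE and
	 *         VIEW
	 */
	private static boolean _isSensitiveAction(String actionId) {
		return actionId.equals(ActionKeys.DELETE) ||
			actionId.equals(ActionKeys.IMPERSONATE) ||
			actionId.equals(ActionKeys.PERMISSIONS) ||
			actionId.equals(ActionKeys.UPDATE) ||
			actionId.equals(ActionKeys.VIEW);
	}

	/**
	 * Returns whether {@code user} outranks the caller for a sensitive
	 * action: an omniadmin target shields against any non-omniadmin caller,
	 * and a company-admin target shields against any non-company-admin
	 * caller. Omniadmin callers are never shielded.
	 *
	 * @param  permissionChecker the caller's permission checker
	 * @param  user the target user
	 * @param  actionId the action key being checked
	 * @return {@code true} if the action must be denied regardless of other
	 *         permissions
	 * @throws Exception if the admin status of the target cannot be
	 *         determined; the caller's catch-all treats this as a denial
	 */
	private static boolean _isShieldedTarget(
			PermissionChecker permissionChecker, User user, String actionId)
		throws Exception {

		if (!_isSensitiveAction(actionId) || permissionChecker.isOmniadmin()) {
			return false;
		}

		if (PortalUtil.isOmniadmin(user)) {
			return true;
		}

		return !permissionChecker.isCompanyAdmin() &&
			PortalUtil.isCompanyAdmin(user);
	}

	// Final so the logger reference cannot be reassigned after class init
	private static final Log _log = LogFactoryUtil.getLog(
		UserPermissionImpl.class);

}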