001    /**
002     * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.service.permission;
016    
017    import com.liferay.portal.kernel.exception.PortalException;
018    import com.liferay.portal.kernel.spring.osgi.OSGiBeanProperties;
019    import com.liferay.portal.model.Group;
020    import com.liferay.portal.model.User;
021    import com.liferay.portal.security.auth.PrincipalException;
022    import com.liferay.portal.security.permission.ActionKeys;
023    import com.liferay.portal.security.permission.BaseModelPermissionChecker;
024    import com.liferay.portal.security.permission.PermissionChecker;
025    import com.liferay.portal.service.GroupLocalServiceUtil;
026    import com.liferay.portal.service.UserLocalServiceUtil;
027    
/**
 * Decides whether a {@link PermissionChecker} may perform an action on a
 * {@link Group}.
 *
 * <p>
 * Every <code>check</code> method delegates to the matching
 * <code>contains</code> method and throws a {@link PrincipalException} when
 * the answer is <code>false</code>. The group-level decision in
 * {@link #contains(PermissionChecker, Group, String)} is order dependent: a
 * deny rule runs first, followed by several grants that are broader than the
 * requested action ID. Review those grants whenever a new action key is
 * protected through this class.
 * </p>
 *
 * @author Brian Wing Shun Chan
 * @author Raymond Augé
 */
@OSGiBeanProperties(
	property = {"model.class.name=com.liferay.portal.model.Group"}
)
public class GroupPermissionImpl
	implements BaseModelPermissionChecker, GroupPermission {

	/**
	 * Requires that the permission checker may perform the action on the
	 * group.
	 *
	 * @param  permissionChecker the permission checker
	 * @param  group the group the action targets
	 * @param  actionId the action ID
	 * @throws PortalException a {@link PrincipalException} if
	 *         {@link #contains(PermissionChecker, Group, String)} returns
	 *         <code>false</code>, or whatever that method itself throws
	 */
	@Override
	public void check(
			PermissionChecker permissionChecker, Group group, String actionId)
		throws PortalException {

		boolean permitted = contains(permissionChecker, group, actionId);

		if (permitted) {
			return;
		}

		throw new PrincipalException();
	}

	/**
	 * Requires that the permission checker may perform the action on the
	 * group with the given ID.
	 *
	 * @param  permissionChecker the permission checker
	 * @param  groupId the primary key of the group
	 * @param  actionId the action ID
	 * @throws PortalException a {@link PrincipalException} if
	 *         {@link #contains(PermissionChecker, long, String)} returns
	 *         <code>false</code>, or whatever that method itself throws
	 */
	@Override
	public void check(
			PermissionChecker permissionChecker, long groupId, String actionId)
		throws PortalException {

		boolean permitted = contains(permissionChecker, groupId, actionId);

		if (permitted) {
			return;
		}

		throw new PrincipalException();
	}

	/**
	 * Requires that the permission checker holds the action without
	 * reference to a specific group.
	 *
	 * @param  permissionChecker the permission checker
	 * @param  actionId the action ID
	 * @throws PortalException a {@link PrincipalException} if
	 *         {@link #contains(PermissionChecker, String)} returns
	 *         <code>false</code>
	 */
	@Override
	public void check(PermissionChecker permissionChecker, String actionId)
		throws PortalException {

		boolean permitted = contains(permissionChecker, actionId);

		if (permitted) {
			return;
		}

		throw new PrincipalException();
	}

	/**
	 * Runs the group check for a generic base model request.
	 *
	 * <p>
	 * The <code>groupId</code> argument is not consulted. The model is the
	 * group itself, so <code>primaryKey</code> is used as the group ID.
	 * </p>
	 *
	 * @param  permissionChecker the permission checker
	 * @param  groupId ignored by this implementation
	 * @param  primaryKey the primary key of the group to check
	 * @param  actionId the action ID
	 * @throws PortalException if the permission is not held or the check
	 *         itself fails
	 */
	@Override
	public void checkBaseModel(
			PermissionChecker permissionChecker, long groupId, long primaryKey,
			String actionId)
		throws PortalException {

		check(permissionChecker, primaryKey, actionId);
	}

	/**
	 * Returns <code>true</code> if the permission checker may perform the
	 * action on the group.
	 *
	 * <p>
	 * The rules are evaluated in this order and the first one that matches
	 * decides the result:
	 * </p>
	 *
	 * <ol>
	 * <li>
	 * Deny <code>ADD_LAYOUT</code> and <code>MANAGE_LAYOUTS</code> when the
	 * group has a local or remote staging group or is a layout prototype.
	 * This happens before any grant is consulted.
	 * </li>
	 * <li>
	 * For a user's personal group, grant when the checker is a different
	 * user who holds <code>UPDATE</code> on the owner. This grant does not
	 * depend on <code>actionId</code>.
	 * </li>
	 * <li>
	 * Grant when a related permission implies the requested one (see the
	 * inline comments).
	 * </li>
	 * <li>
	 * Grant when the checker holds <code>actionId</code> on the group
	 * directly.
	 * </li>
	 * <li>
	 * Grant when the checker passes this same check for
	 * <code>MANAGE_SUBGROUPS</code> on any ancestor group. This grant also
	 * does not depend on <code>actionId</code>.
	 * </li>
	 * </ol>
	 *
	 * <p>
	 * Permission lookups use the ID of the group that was passed in. When
	 * that group is a staging group, the personal-group test and the
	 * ancestor walk use its live group instead.
	 * </p>
	 *
	 * @param  permissionChecker the permission checker
	 * @param  group the group the action targets
	 * @param  actionId the action ID; must not be <code>null</code>
	 * @return <code>true</code> if one of the grants applies;
	 *         <code>false</code> otherwise
	 * @throws PortalException if a user or group lookup made during the
	 *         evaluation fails
	 */
	@Override
	public boolean contains(
			PermissionChecker permissionChecker, Group group, String actionId)
		throws PortalException {

		// Deny rule, evaluated ahead of every grant below

		boolean layoutAction =
			actionId.equals(ActionKeys.ADD_LAYOUT) ||
			actionId.equals(ActionKeys.MANAGE_LAYOUTS);

		if (layoutAction &&
			(group.hasLocalOrRemoteStagingGroup() ||
			 group.isLayoutPrototype())) {

			return false;
		}

		// Captured before the staging group is swapped for its live group,
		// so permission lookups keep using the ID of the group passed in

		final long groupId = group.getGroupId();

		Group effectiveGroup = group;

		if (group.isStagingGroup()) {
			effectiveGroup = group.getLiveGroup();
		}

		if (effectiveGroup.isUser()) {

			// Per the original author, the owner of a personal site does not
			// normally get here because he already administers his own
			// layouts. The case handled is someone who manages organizations
			// and edits the pages of a user he manages. Note that the grant
			// is keyed on UPDATE over the owner, not on actionId.

			User owner = UserLocalServiceUtil.getUserById(
				effectiveGroup.getClassPK());

			boolean checkerIsNotOwner =
				permissionChecker.getUserId() != owner.getUserId();

			if (checkerIsNotOwner &&
				UserPermissionUtil.contains(
					permissionChecker, owner.getUserId(),
					owner.getOrganizationIds(), ActionKeys.UPDATE)) {

				return true;
			}
		}

		// ADD_COMMUNITY is implied by MANAGE_SUBGROUPS on this group or by
		// the portal level ADD_COMMUNITY permission

		if (actionId.equals(ActionKeys.ADD_COMMUNITY) &&
			(hasGroupScopedPermission(
				permissionChecker, groupId, ActionKeys.MANAGE_SUBGROUPS) ||
			 PortalPermissionUtil.contains(
				 permissionChecker, ActionKeys.ADD_COMMUNITY))) {

			return true;
		}

		// ADD_LAYOUT is implied by MANAGE_LAYOUTS

		if (actionId.equals(ActionKeys.ADD_LAYOUT) &&
			hasGroupScopedPermission(
				permissionChecker, groupId, ActionKeys.MANAGE_LAYOUTS)) {

			return true;
		}

		// Both export/import actions are implied by PUBLISH_STAGING

		if ((actionId.equals(ActionKeys.EXPORT_IMPORT_LAYOUTS) ||
			 actionId.equals(ActionKeys.EXPORT_IMPORT_PORTLET_INFO)) &&
			hasGroupScopedPermission(
				permissionChecker, groupId, ActionKeys.PUBLISH_STAGING)) {

			return true;
		}

		// VIEW is implied by ASSIGN_USER_ROLES or MANAGE_LAYOUTS

		if (actionId.equals(ActionKeys.VIEW) &&
			(hasGroupScopedPermission(
				permissionChecker, groupId, ActionKeys.ASSIGN_USER_ROLES) ||
			 hasGroupScopedPermission(
				 permissionChecker, groupId, ActionKeys.MANAGE_LAYOUTS))) {

			return true;
		}

		// VIEW_STAGING is implied by MANAGE_LAYOUTS, MANAGE_STAGING,
		// PUBLISH_STAGING, or UPDATE

		if (actionId.equals(ActionKeys.VIEW_STAGING) &&
			(hasGroupScopedPermission(
				permissionChecker, groupId, ActionKeys.MANAGE_LAYOUTS) ||
			 hasGroupScopedPermission(
				 permissionChecker, groupId, ActionKeys.MANAGE_STAGING) ||
			 hasGroupScopedPermission(
				 permissionChecker, groupId, ActionKeys.PUBLISH_STAGING) ||
			 hasGroupScopedPermission(
				 permissionChecker, groupId, ActionKeys.UPDATE))) {

			return true;
		}

		// Direct check. The group ID is passed as the scope as well as the
		// primary key so that users can modify their personal pages.

		if (hasGroupScopedPermission(permissionChecker, groupId, actionId)) {
			return true;
		}

		// Inherit from ancestors: MANAGE_SUBGROUPS on any ancestor grants
		// the requested action, whatever it is. Each call below resolves the
		// ancestor by ID and re-enters this method, so it walks that
		// ancestor's own chain as well.

		for (Group current = effectiveGroup; !current.isRoot();
			 current = current.getParentGroup()) {

			if (contains(
					permissionChecker, current.getParentGroupId(),
					ActionKeys.MANAGE_SUBGROUPS)) {

				return true;
			}
		}

		return false;
	}

	/**
	 * Returns <code>true</code> if the permission checker may perform the
	 * action on the group with the given ID.
	 *
	 * <p>
	 * IDs that are not positive are denied without loading a group.
	 * </p>
	 *
	 * @param  permissionChecker the permission checker
	 * @param  groupId the primary key of the group
	 * @param  actionId the action ID
	 * @return <code>true</code> if the group level check grants the action;
	 *         <code>false</code> otherwise
	 * @throws PortalException if the group cannot be loaded or the group
	 *         level check fails
	 */
	@Override
	public boolean contains(
			PermissionChecker permissionChecker, long groupId, String actionId)
		throws PortalException {

		if (groupId <= 0) {
			return false;
		}

		Group group = GroupLocalServiceUtil.getGroup(groupId);

		return contains(permissionChecker, group, actionId);
	}

	/**
	 * Returns <code>true</code> if the permission checker holds the action
	 * on the group model with both the group scope and the primary key set
	 * to <code>0</code>.
	 *
	 * @param  permissionChecker the permission checker
	 * @param  actionId the action ID
	 * @return the permission checker's answer, unchanged
	 */
	@Override
	public boolean contains(
		PermissionChecker permissionChecker, String actionId) {

		// NOTE(review): 0 presumably stands for "no specific group"; confirm
		// against PermissionChecker.hasPermission

		String modelName = Group.class.getName();

		return permissionChecker.hasPermission(0, modelName, 0, actionId);
	}

	/**
	 * Asks the permission checker about an action on the group model, using
	 * the group ID as both the scope and the primary key.
	 */
	private static boolean hasGroupScopedPermission(
		PermissionChecker permissionChecker, long groupId, String actionId) {

		return permissionChecker.hasPermission(
			groupId, Group.class.getName(), groupId, actionId);
	}

}