001    /**
002     * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.model.impl;
016    
017    import com.liferay.portal.kernel.exception.PortalException;
018    import com.liferay.portal.kernel.portlet.PortletModeFactory;
019    import com.liferay.portal.kernel.util.ArrayUtil;
020    import com.liferay.portal.kernel.util.GetterUtil;
021    import com.liferay.portal.kernel.util.ParamUtil;
022    import com.liferay.portal.kernel.util.PropsKeys;
023    import com.liferay.portal.kernel.util.PropsUtil;
024    import com.liferay.portal.kernel.util.StringUtil;
025    import com.liferay.portal.kernel.util.Validator;
026    import com.liferay.portal.kernel.util.WebKeys;
027    import com.liferay.portal.model.Layout;
028    import com.liferay.portal.model.LayoutTypeAccessPolicy;
029    import com.liferay.portal.model.LayoutTypePortlet;
030    import com.liferay.portal.model.Portlet;
031    import com.liferay.portal.security.auth.AuthTokenUtil;
032    import com.liferay.portal.security.auth.PrincipalException;
033    import com.liferay.portal.security.permission.ActionKeys;
034    import com.liferay.portal.security.permission.PermissionChecker;
035    import com.liferay.portal.security.permission.PermissionThreadLocal;
036    import com.liferay.portal.service.permission.LayoutPermissionUtil;
037    import com.liferay.portal.service.permission.PortletPermissionUtil;
038    import com.liferay.portal.theme.ThemeDisplay;
039    import com.liferay.portal.util.PortalUtil;
040    
041    import javax.portlet.PortletMode;
042    
043    import javax.servlet.http.HttpServletRequest;
044    
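/**
 * Default {@link LayoutTypeAccessPolicy} implementation. It decides whether a
 * request may invoke a portlet on a layout and whether the layout-level
 * actions (add, customize, delete, update, view) are permitted.
 *
 * <p>
 * Control Panel layouts are treated separately: every layout-level action is
 * refused for them, and portlet access is decided by
 * {@link #isAccessAllowedToControlPanelPortlet}.
 * </p>
 *
 * @author Adolfo Pérez
 */
public class DefaultLayoutTypeAccessPolicyImpl
	implements LayoutTypeAccessPolicy {

	/**
	 * Returns the shared policy instance.
	 *
	 * @return the singleton held in {@code _instance}
	 */
	public static LayoutTypeAccessPolicy create() {
		return _instance;
	}

	/**
	 * Verifies that the current request may access the portlet on the layout.
	 * Returns normally when access is allowed and throws otherwise.
	 *
	 * <p>
	 * On regular layouts access needs two things: one of the grants in
	 * {@link #isAccessAllowedToLayoutPortlet} and a positive result from
	 * {@link #hasAccessPermission}. Note that
	 * {@code PortalUtil.addPortletDefaultResource} runs after the grant but
	 * before the permission check, so it is also executed for requests that
	 * are then rejected.
	 * </p>
	 *
	 * @param  request the current servlet request
	 * @param  layout the layout the portlet is being accessed on
	 * @param  portlet the portlet being accessed
	 * @throws PortalException a {@link PrincipalException} if access is
	 *         denied, or whatever the underlying permission services throw
	 */
	@Override
	public void checkAccessAllowedToPortlet(
			HttpServletRequest request, Layout layout, Portlet portlet)
		throws PortalException {

		if (layout.isTypeControlPanel()) {

			// Despite its "is" prefix this helper returns nothing; it signals
			// denial by throwing PrincipalException.

			isAccessAllowedToControlPanelPortlet(request, layout, portlet);

			return;
		}

		if (isAccessAllowedToLayoutPortlet(request, layout, portlet)) {
			PortalUtil.addPortletDefaultResource(request, portlet);

			if (hasAccessPermission(request, layout, portlet)) {
				return;
			}
		}

		throw new PrincipalException(
			"User does not have permission to access portlet " +
				portlet.getPortletId());
	}

	/**
	 * Returns whether a layout may be added under the given layout.
	 *
	 * @param  permissionChecker the permission checker of the acting user
	 * @param  layout the layout being checked
	 * @return {@code false} for Control Panel layouts, otherwise the result of
	 *         the {@code ActionKeys.ADD_LAYOUT} check
	 * @throws PortalException if the permission lookup fails
	 */
	@Override
	public boolean isAddLayoutAllowed(
			PermissionChecker permissionChecker, Layout layout)
		throws PortalException {

		return hasLayoutPermission(
			permissionChecker, layout, ActionKeys.ADD_LAYOUT);
	}

	/**
	 * Returns whether the layout may be customized.
	 *
	 * @param  permissionChecker the permission checker of the acting user
	 * @param  layout the layout being checked
	 * @return {@code false} for Control Panel layouts, otherwise the result of
	 *         the {@code ActionKeys.CUSTOMIZE} check
	 * @throws PortalException if the permission lookup fails
	 */
	@Override
	public boolean isCustomizeLayoutAllowed(
			PermissionChecker permissionChecker, Layout layout)
		throws PortalException {

		return hasLayoutPermission(
			permissionChecker, layout, ActionKeys.CUSTOMIZE);
	}

	/**
	 * Returns whether the layout may be deleted.
	 *
	 * @param  permissionChecker the permission checker of the acting user
	 * @param  layout the layout being checked
	 * @return {@code false} for Control Panel layouts, otherwise the result of
	 *         the {@code ActionKeys.DELETE} check
	 * @throws PortalException if the permission lookup fails
	 */
	@Override
	public boolean isDeleteLayoutAllowed(
			PermissionChecker permissionChecker, Layout layout)
		throws PortalException {

		return hasLayoutPermission(
			permissionChecker, layout, ActionKeys.DELETE);
	}

	/**
	 * Returns whether the layout may be updated.
	 *
	 * @param  permissionChecker the permission checker of the acting user
	 * @param  layout the layout being checked
	 * @return {@code false} for Control Panel layouts, otherwise the result of
	 *         the {@code ActionKeys.UPDATE} check
	 * @throws PortalException if the permission lookup fails
	 */
	@Override
	public boolean isUpdateLayoutAllowed(
			PermissionChecker permissionChecker, Layout layout)
		throws PortalException {

		return hasLayoutPermission(
			permissionChecker, layout, ActionKeys.UPDATE);
	}

	/**
	 * Returns whether the layout may be viewed.
	 *
	 * @param  permissionChecker the permission checker of the acting user
	 * @param  layout the layout being checked
	 * @return {@code false} for Control Panel layouts, otherwise the result of
	 *         the {@code ActionKeys.VIEW} check
	 * @throws PortalException if the permission lookup fails
	 */
	@Override
	public boolean isViewLayoutAllowed(
			PermissionChecker permissionChecker, Layout layout)
		throws PortalException {

		return hasLayoutPermission(permissionChecker, layout, ActionKeys.VIEW);
	}

	/**
	 * Runs the portlet permission check for the portlet mode the request asks
	 * for.
	 *
	 * <p>
	 * The mode defaults to {@code PortletMode.VIEW}. The client-supplied
	 * {@code p_p_mode} parameter is honoured only when {@code p_p_id} names
	 * this very portlet, so a mode aimed at another portlet on the page does
	 * not change which permission is evaluated here.
	 * </p>
	 *
	 * @param  request the current servlet request
	 * @param  layout the layout the portlet is being accessed on
	 * @param  portlet the portlet being accessed
	 * @return the result of
	 *         {@code PortletPermissionUtil.hasAccessPermission}
	 * @throws PortalException a {@link PrincipalException} if the request
	 *         carries no theme display, or whatever the permission service
	 *         throws
	 */
	protected boolean hasAccessPermission(
			HttpServletRequest request, Layout layout, Portlet portlet)
		throws PortalException {

		PermissionChecker permissionChecker =
			PermissionThreadLocal.getPermissionChecker();

		ThemeDisplay themeDisplay = requireThemeDisplay(request);

		PortletMode portletMode = PortletMode.VIEW;

		String portletId = portlet.getPortletId();
		String ppid = request.getParameter("p_p_id");
		String ppmode = request.getParameter("p_p_mode");

		if (portletId.equals(ppid) && (ppmode != null)) {

			// ppmode is untrusted input; it only selects which mode the
			// permission check below is evaluated for.

			portletMode = PortletModeFactory.getPortletMode(ppmode);
		}

		return PortletPermissionUtil.hasAccessPermission(
			permissionChecker, themeDisplay.getScopeGroupId(), layout, portlet,
			portletMode);
	}

	/**
	 * Enforces access to a portlet shown on a Control Panel layout. Returns
	 * normally when access is granted; despite the {@code is} prefix there is
	 * no return value.
	 *
	 * <p>
	 * Access is granted by the first of: the Control Panel permission check,
	 * the runtime portlet flag, or a valid portlet authentication token. The
	 * two fallbacks admit the request without any further permission check in
	 * this method.
	 * </p>
	 *
	 * @param  request the current servlet request
	 * @param  layout the Control Panel layout
	 * @param  portlet the portlet being accessed
	 * @throws PortalException a {@link PrincipalException} if none of the
	 *         grants applies or the request carries no theme display
	 */
	protected void isAccessAllowedToControlPanelPortlet(
			HttpServletRequest request, Layout layout, Portlet portlet)
		throws PortalException {

		PermissionChecker permissionChecker =
			PermissionThreadLocal.getPermissionChecker();

		ThemeDisplay themeDisplay = requireThemeDisplay(request);

		if (PortletPermissionUtil.hasControlPanelAccessPermission(
				permissionChecker, themeDisplay.getScopeGroupId(), portlet)) {

			return;
		}

		if (isAccessGrantedByRuntimePortlet(request)) {
			return;
		}

		if (isAccessGrantedByPortletAuthenticationToken(
				request, layout, portlet)) {

			return;
		}

		throw new PrincipalException(
			"User does not have permission to access Control Panel portlet " +
				portlet.getPortletId());
	}

	/**
	 * Returns whether any of the grants for a regular layout applies: the
	 * runtime portlet flag, the portlet being placed on the page, or a valid
	 * portlet authentication token.
	 *
	 * @param  request the current servlet request
	 * @param  layout the layout the portlet is being accessed on
	 * @param  portlet the portlet being accessed
	 * @return {@code true} if at least one grant applies
	 * @throws PortalException if the on-page lookup fails
	 */
	protected boolean isAccessAllowedToLayoutPortlet(
			HttpServletRequest request, Layout layout, Portlet portlet)
		throws PortalException {

		if (isAccessGrantedByRuntimePortlet(request)) {
			return true;
		}

		if (isAccessGrantedByPortletOnPage(layout, portlet)) {
			return true;
		}

		return isAccessGrantedByPortletAuthenticationToken(
			request, layout, portlet);
	}

	/**
	 * Returns whether the request is admitted because the portlet is flagged
	 * "add default resource" and carries a valid {@code p_p_auth} token.
	 *
	 * <p>
	 * When {@code PropsKeys.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_ENABLED}
	 * resolves to {@code false}, the token is not validated at all and every
	 * portlet with the flag is admitted. Deployments that rely on the token
	 * should keep that property enabled.
	 * </p>
	 *
	 * @param  request the current servlet request
	 * @param  layout the layout the portlet is being accessed on
	 * @param  portlet the portlet being accessed
	 * @return {@code true} if the grant applies
	 */
	protected boolean isAccessGrantedByPortletAuthenticationToken(
		HttpServletRequest request, Layout layout, Portlet portlet) {

		if (!portlet.isAddDefaultResource()) {
			return false;
		}

		if (!_PORTLET_ADD_DEFAULT_RESOURCE_CHECK_ENABLED) {
			return true;
		}

		String portletId = portlet.getPortletId();

		String namespace = PortalUtil.getPortletNamespace(portletId);

		// Prefer the namespaced struts_action and fall back to the plain one

		String strutsAction = ParamUtil.getString(
			request, namespace + "struts_action");

		if (Validator.isNull(strutsAction)) {
			strutsAction = ParamUtil.getString(request, "struts_action");
		}

		// The token arrives as a request parameter. If the current request
		// lacks it, the original servlet request is consulted.

		String requestPortletAuthenticationToken = ParamUtil.getString(
			request, "p_p_auth");

		if (Validator.isNull(requestPortletAuthenticationToken)) {
			HttpServletRequest originalRequest =
				PortalUtil.getOriginalServletRequest(request);

			requestPortletAuthenticationToken = ParamUtil.getString(
				originalRequest, "p_p_auth");
		}

		return AuthTokenUtil.isValidPortletInvocationToken(
			request, layout.getPlid(), portletId, strutsAction,
			requestPortletAuthenticationToken);
	}

	/**
	 * Returns whether the portlet is actually placed on the layout: either
	 * listed among a panel layout's selected portlets or reported by the
	 * layout's {@link LayoutTypePortlet}.
	 *
	 * @param  layout the layout being inspected
	 * @param  portlet the portlet being accessed
	 * @return {@code true} if the portlet is on the page; {@code false} also
	 *         when the layout type is missing or is not a
	 *         {@link LayoutTypePortlet}
	 * @throws PortalException if the layout type lookup fails
	 */
	protected boolean isAccessGrantedByPortletOnPage(
			Layout layout, Portlet portlet)
		throws PortalException {

		String portletId = portlet.getPortletId();

		if (layout.isTypePanel() && isPanelSelectedPortlet(layout, portletId)) {
			return true;
		}

		// Check the type before casting so that an unexpected layout type
		// means "not on the page" instead of a ClassCastException.

		Object layoutType = layout.getLayoutType();

		if (layoutType instanceof LayoutTypePortlet) {
			LayoutTypePortlet layoutTypePortlet = (LayoutTypePortlet)layoutType;

			return layoutTypePortlet.hasPortletId(portletId);
		}

		return false;
	}

	/**
	 * Returns whether the request is marked as rendering a runtime portlet.
	 *
	 * <p>
	 * The flag is a request attribute, not a request parameter, so it comes
	 * from server-side code. This grant is only as trustworthy as whatever
	 * component sets {@code WebKeys.RENDER_PORTLET_RESOURCE}.
	 * </p>
	 *
	 * @param  request the current servlet request
	 * @return the attribute's value, or {@code false} if it is absent
	 */
	protected boolean isAccessGrantedByRuntimePortlet(
		HttpServletRequest request) {

		Boolean renderPortletResource = (Boolean)request.getAttribute(
			WebKeys.RENDER_PORTLET_RESOURCE);

		return (renderPortletResource != null) &&
			renderPortletResource.booleanValue();
	}

	/**
	 * Returns whether the portlet ID is listed in the layout's
	 * {@code panelSelectedPortlets} type setting.
	 *
	 * @param  layout the layout whose type settings are read
	 * @param  portletId the portlet ID to look for
	 * @return {@code true} if the setting is present and contains the ID
	 */
	protected boolean isPanelSelectedPortlet(Layout layout, String portletId) {
		String panelSelectedPortlets = layout.getTypeSettingsProperty(
			"panelSelectedPortlets");

		if (Validator.isNull(panelSelectedPortlets)) {
			return false;
		}

		String[] panelSelectedPortletsArray = StringUtil.split(
			panelSelectedPortlets);

		return ArrayUtil.contains(panelSelectedPortletsArray, portletId);
	}

	/**
	 * Shared rule for the layout-level checks: Control Panel layouts are
	 * always refused, every other layout is delegated to
	 * {@code LayoutPermissionUtil}.
	 */
	private static boolean hasLayoutPermission(
			PermissionChecker permissionChecker, Layout layout, String actionId)
		throws PortalException {

		if (layout.isTypeControlPanel()) {
			return false;
		}

		return LayoutPermissionUtil.contains(
			permissionChecker, layout, actionId);
	}

	/**
	 * Reads the theme display from the request, failing closed with a
	 * {@link PrincipalException} instead of a later
	 * {@code NullPointerException} when the attribute is absent.
	 */
	private static ThemeDisplay requireThemeDisplay(HttpServletRequest request)
		throws PrincipalException {

		ThemeDisplay themeDisplay = (ThemeDisplay)request.getAttribute(
			WebKeys.THEME_DISPLAY);

		if (themeDisplay == null) {
			throw new PrincipalException(
				"Unable to check portlet access without a theme display");
		}

		return themeDisplay;
	}

	// NOTE(review): if the property is unset and GetterUtil.getBoolean falls
	// back to false, token validation is skipped for every "add default
	// resource" portlet. Confirm that the shipped default enables the check.

	private static final boolean _PORTLET_ADD_DEFAULT_RESOURCE_CHECK_ENABLED =
		GetterUtil.getBoolean(
			PropsUtil.get(
				PropsKeys.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_ENABLED));

	private static final LayoutTypeAccessPolicy _instance =
		new DefaultLayoutTypeAccessPolicyImpl();

}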