CCM NG: PermissionChecking for ItemListComponentRenderer and fixed PartyAddForm

git-svn-id: https://svn.libreccm.org/ccm/ccm_ng@5323 8810af33-2d31-482b-a856-94f89814c4df
jensp 2018-03-02 13:58:55 +00:00
parent 4fe76adcfc
commit 311bb635bb
4 changed files with 198 additions and 39 deletions


@ -49,8 +49,8 @@ import java.util.TooManyListenersException;
/** /**
* Form for adding multiple parties to a role. * Form for adding multiple parties to a role.
* *
* @author <a href="mailto:yannick.buelter@yabue.de">Yannick Bülter</a>
* @author Scott Seago (scott@arsdigita.com) * @author Scott Seago (scott@arsdigita.com)
* @author <a href="mailto:yannick.buelter@yabue.de">Yannick Bülter</a>
*/ */
public abstract class PartyAddForm extends SimpleContainer public abstract class PartyAddForm extends SimpleContainer
implements FormInitListener, FormProcessListener { implements FormInitListener, FormProcessListener {


@ -23,9 +23,11 @@ import com.arsdigita.kernel.KernelConfig;
import org.libreccm.configuration.ConfigurationManager; import org.libreccm.configuration.ConfigurationManager;
import org.libreccm.security.Party; import org.libreccm.security.Party;
import org.libreccm.security.PartyRepository;
import org.libreccm.security.Permission; import org.libreccm.security.Permission;
import org.libreccm.security.PermissionManager; import org.libreccm.security.PermissionManager;
import org.libreccm.security.Role; import org.libreccm.security.Role;
import org.libreccm.security.RoleManager;
import org.libreccm.security.RoleRepository; import org.libreccm.security.RoleRepository;
import org.librecms.contentsection.ContentSection; import org.librecms.contentsection.ContentSection;
import org.librecms.contentsection.ContentSectionManager; import org.librecms.contentsection.ContentSectionManager;
@ -51,22 +53,28 @@ import javax.transaction.Transactional;
* @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a> * @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
*/ */
@RequestScoped @RequestScoped
public class RoleAdminPaneController { class RoleAdminPaneController {
@Inject
private ConfigurationManager confManager;
@Inject
private PartyRepository partyRepo;
@Inject @Inject
private PermissionManager permissionManager; private PermissionManager permissionManager;
@Inject @Inject
private ContentSectionRepository sectionRepo; private RoleManager roleManager;
@Inject
private RoleRepository roleRepo;
@Inject @Inject
private ContentSectionManager sectionManager; private ContentSectionManager sectionManager;
@Inject @Inject
private RoleRepository roleRepo; private ContentSectionRepository sectionRepo;
@Inject
private ConfigurationManager confManager;
@Transactional(Transactional.TxType.REQUIRED) @Transactional(Transactional.TxType.REQUIRED)
public List<Role> findRolesForContentSection(final ContentSection section) { public List<Role> findRolesForContentSection(final ContentSection section) {
@ -358,4 +366,21 @@ public class RoleAdminPaneController {
return role; return role;
} }
@Transactional(Transactional.TxType.REQUIRED)
public void assignRoleToParty(final long roleId, final long partyId) {
final Role role = roleRepo
.findById(roleId)
.orElseThrow(() -> new IllegalArgumentException(String
.format("No role with ID %d in the database.",
roleId)));
final Party party = partyRepo
.findById(partyId)
.orElseThrow(() -> new IllegalArgumentException(String
.format("No party with ID %d in the database.",
partyId)));
roleManager.assignRoleToParty(role, party);
}
} }
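Review bot: `assignRoleToParty(long roleId, long partyId)` grants role membership inside a REQUIRED transaction without any authorization check of its own; the only gate visible on this page is the `FormSecurityListener(AdminPrivileges.ADMINISTER_ROLES)` that RolePartyAddForm registers on form submission, so the decision now depends on every caller of this bean remembering to install that listener (the class is package-private, which narrows but does not remove that risk). Since the controller already injects a `PermissionManager`, enforce the same `AdminPrivileges.ADMINISTER_ROLES` privilege here before the `roleManager.assignRoleToParty(role, party)` call, so the transactional method is safe regardless of its entry point. The `IllegalArgumentException` messages echo caller-supplied IDs; that is fine for a log, but confirm they do not reach the browser unhandled.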


@ -32,8 +32,13 @@ import com.arsdigita.util.Assert;
import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.Logger;
import org.libreccm.cdi.utils.CdiUtil; import org.libreccm.cdi.utils.CdiUtil;
import org.libreccm.security.*;
import org.librecms.CmsConstants; import org.libreccm.security.Party;
import org.libreccm.security.PartyRepository;
import org.libreccm.security.Role;
import org.libreccm.security.RoleManager;
import org.libreccm.security.RoleRepository;
import org.libreccm.security.User;
import org.librecms.contentsection.privileges.AdminPrivileges; import org.librecms.contentsection.privileges.AdminPrivileges;
import java.util.Arrays; import java.util.Arrays;
@ -54,64 +59,72 @@ import java.util.List;
*/ */
class RolePartyAddForm extends PartyAddForm { class RolePartyAddForm extends PartyAddForm {
private static Logger LOGGER = LogManager.getLogger(RolePartyAddForm.class); private static final Logger LOGGER = LogManager
.getLogger(RolePartyAddForm.class);
private SingleSelectionModel m_roles; private final SingleSelectionModel<String> roleSelectionModel;
RolePartyAddForm(SingleSelectionModel roles, TextField search) { RolePartyAddForm(final SingleSelectionModel<String> roleSelectionModel,
final TextField search) {
super(search); super(search);
m_roles = roles; this.roleSelectionModel = roleSelectionModel;
getForm().addSubmissionListener(new FormSecurityListener( super
AdminPrivileges.ADMINISTER_ROLES)); .getForm()
.addSubmissionListener(
new FormSecurityListener(AdminPrivileges.ADMINISTER_ROLES));
} }
@Override @Override
protected List<Party> makeQuery(PageState s) { protected List<Party> makeQuery(final PageState state) {
Assert.isTrue(m_roles.isSelected(s));
final CdiUtil cdiUtil = CdiUtil.createCdiUtil(); final CdiUtil cdiUtil = CdiUtil.createCdiUtil();
final PartyRepository partyRepository = cdiUtil.findBean( final PartyRepository partyRepository = cdiUtil.findBean(
PartyRepository.class); PartyRepository.class);
final String searchQuery = (String) getSearchWidget().getValue(s); final String searchQuery = (String) getSearchWidget().getValue(state);
return partyRepository.searchByName(searchQuery); return partyRepository.searchByName(searchQuery);
} }
@Override @Override
public void process(FormSectionEvent event) throws FormProcessException { public void process(FormSectionEvent event) throws FormProcessException {
FormData data = event.getFormData();
PageState state = event.getPageState(); final FormData data = event.getFormData();
Assert.isTrue(m_roles.isSelected(state)); final PageState state = event.getPageState();
String[] parties = (String[]) data.get("parties"); final String[] parties = (String[]) data.get("parties");
LOGGER.debug("PARTIES = " + Arrays.toString(parties)); LOGGER.debug("PARTIES = " + Arrays.toString(parties));
if (parties == null) { if (parties == null) {
throw new FormProcessException(GlobalizationUtil.globalize( throw new FormProcessException(GlobalizationUtil.globalize(
"cms.ui.role.no_party_selected")); "cms.ui.role.no_party_selected"));
} }
final Long roleId = new Long((String) m_roles.getSelectedKey(state)); final Long roleId = Long
.parseLong(roleSelectionModel.getSelectedKey(state));
final CdiUtil cdiUtil = CdiUtil.createCdiUtil(); final CdiUtil cdiUtil = CdiUtil.createCdiUtil();
final RoleRepository roleRepository = cdiUtil.findBean( // final RoleRepository roleRepository = cdiUtil.findBean(
RoleRepository.class); // RoleRepository.class);
final PartyRepository partyRepository = cdiUtil.findBean( // final PartyRepository partyRepository = cdiUtil.findBean(
PartyRepository.class); // PartyRepository.class);
final RoleManager roleManager = cdiUtil.findBean(RoleManager.class); // final RoleManager roleManager = cdiUtil.findBean(RoleManager.class);
final RoleAdminPaneController controller = cdiUtil
.findBean(RoleAdminPaneController.class);
final Role role = roleRepository.findById(roleId).get(); // final Role role = roleRepository.findById(roleId).get();
// Add each checked party to the role // Add each checked party to the role
Party party; // Party party;
for (int i = 0; i < parties.length; i++) { for (int i = 0; i < parties.length; i++) {
if (LOGGER.isDebugEnabled()) { if (LOGGER.isDebugEnabled()) {
LOGGER.debug("parties[" + i + "] = " + parties[i]); LOGGER.debug("parties[" + i + "] = " + parties[i]);
} }
party = partyRepository.findByName(parties[i]).get(); // party = partyRepository.findById(Long.parseLong(parties[i])).get();
roleManager.assignRoleToParty(role, party); // roleManager.assignRoleToParty(role, party);
controller.assignRoleToParty(roleId, Long.parseLong(parties[i]));
} }
} }
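Review bot: `Long.parseLong(roleSelectionModel.getSelectedKey(state))` and `Long.parseLong(parties[i])` now parse selection and form input with no guard, because the `Assert.isTrue(m_roles.isSelected(...))` checks were dropped from both `makeQuery` and `process`: an unselected role yields a NullPointerException and a tampered `parties` value a NumberFormatException, both escaping as server errors instead of the `FormProcessException` the method already uses for the empty case. Restore the selection check as `if (!roleSelectionModel.isSelected(state)) { throw new FormProcessException(...); }` with an appropriate globalized message, and wrap each `Long.parseLong(parties[i])` in a `catch (NumberFormatException ex)` that rethrows a `FormProcessException`. The commented-out repository lookups and the now-unused `com.arsdigita.util.Assert` import should be deleted rather than kept as comments. The enclosing class continues past this hunk.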


@ -54,7 +54,20 @@ import javax.servlet.http.HttpServletRequest;
import static org.librecms.pages.PagesConstants.*; import static org.librecms.pages.PagesConstants.*;
import org.libreccm.pagemodel.RendersComponent; import org.libreccm.pagemodel.RendersComponent;
import org.libreccm.security.Permission;
import org.libreccm.security.PermissionChecker;
import org.libreccm.security.Role;
import org.libreccm.security.RoleManager;
import org.libreccm.security.Shiro;
import org.libreccm.security.User;
import org.libreccm.security.UserRepository;
import org.librecms.contentsection.ContentItemVersion; import org.librecms.contentsection.ContentItemVersion;
import org.librecms.contentsection.privileges.ItemPrivileges;
import java.util.Optional;
import javax.persistence.criteria.JoinType;
import javax.persistence.criteria.Predicate;
/** /**
* Renderer for the {@link ItemListComponent}. * Renderer for the {@link ItemListComponent}.
@ -78,6 +91,18 @@ public class ItemListComponentRenderer
@Inject @Inject
private HttpServletRequest request; private HttpServletRequest request;
@Inject
private PermissionChecker permissionChecker;
@Inject
private RoleManager roleManager;
@Inject
private Shiro shiro;
@Inject
private UserRepository userRepository;
@Override @Override
public Map<String, Object> renderComponent( public Map<String, Object> renderComponent(
final ItemListComponent componentModel, final ItemListComponent componentModel,
@ -114,7 +139,7 @@ public class ItemListComponentRenderer
final List<Category> categories = new ArrayList<>(); final List<Category> categories = new ArrayList<>();
if (componentModel.isDescending()) { if (componentModel.isDescending()) {
categories.addAll(collectCategories(category)); categories.addAll(collectCategories(category));
} }
categories.add(category); categories.add(category);
final Class<? extends ContentItem> limitToType = getLimitToType( final Class<? extends ContentItem> limitToType = getLimitToType(
@ -164,17 +189,113 @@ public class ItemListComponentRenderer
.from(limitToType); .from(limitToType);
final Join<? extends ContentItem, Categorization> catJoin = from final Join<? extends ContentItem, Categorization> catJoin = from
.join("categories"); .join("categories");
final Join<? extends ContentItem, Permission> permissionsJoin = from
.join("permissions", JoinType.LEFT);
criteriaQuery.where(criteriaBuilder final Optional<User> user = shiro.getUser();
final List<Role> roles;
if (user.isPresent()) {
final User theUser = userRepository
.findById(user.get().getPartyId())
.orElseThrow(() -> new IllegalArgumentException(String
.format(
"No user with id %d in the database. "
+ "Where did that ID come from?",
user.get().getPartyId())));
roles = roleManager.findAllRolesForUser(theUser);
} else {
final Optional<User> publicUser;
final KernelConfig kernelConfig = confManager
.findConfiguration(KernelConfig.class);
final String principal = (String) shiro
.getPublicUser()
.getPrincipal();
if (kernelConfig.emailIsPrimaryIdentifier()) {
publicUser = userRepository.findByEmailAddress(principal);
} else {
publicUser = userRepository.findByName(principal);
}
if (publicUser.isPresent()) {
roles = roleManager.findAllRolesForUser(publicUser.get());
} else {
roles = Collections.emptyList();
}
}
final boolean isSystemUser = shiro.isSystemUser();
final boolean isAdmin = permissionChecker.isPermitted("*");
final Predicate permissionsCheck;
if (roles.isEmpty()) {
permissionsCheck = criteriaBuilder
.or(
criteriaBuilder.equal(criteriaBuilder.literal(true),
isSystemUser),
criteriaBuilder.equal(criteriaBuilder.literal(true),
isAdmin)
);
} else {
permissionsCheck = criteriaBuilder
.or(
criteriaBuilder
.and(
criteriaBuilder.in(permissionsJoin.get("grantee"))
.value(roles),
criteriaBuilder
.equal(
permissionsJoin.get("grantedPrivilege"),
criteriaBuilder.selectCase()
.when(
criteriaBuilder.equal(
from.get("version"),
ContentItemVersion.DRAFT),
ItemPrivileges.PREVIEW)
.otherwise(
ItemPrivileges.VIEW_PUBLISHED))
),
criteriaBuilder
.equal(criteriaBuilder.literal(true),
isSystemUser),
criteriaBuilder
.equal(criteriaBuilder.literal(true),
isAdmin)
);
}
criteriaQuery.distinct(true).where(criteriaBuilder
.and(catJoin.get("category").in(categories), .and(catJoin.get("category").in(categories),
criteriaBuilder.equal(catJoin.get("indexObject"), false), criteriaBuilder.equal(catJoin.get("indexObject"), false),
criteriaBuilder.equal(catJoin.get("type"), ""), criteriaBuilder.equal(catJoin.get("type"), ""),
criteriaBuilder.equal(from.get("version"), criteriaBuilder.equal(from.get("version"),
ContentItemVersion.LIVE))); ContentItemVersion.LIVE),
// criteriaQuery permissionsCheck
// .where(criteriaBuilder // criteriaBuilder.or(
// .and(catJoin.get("category").in(categories), // criteriaBuilder.and(
// criteriaBuilder.equal(catJoin.get("index"), false))); // criteriaBuilder
// .in(permissionsJoin.get("grantee"))
// .value(roles),
// criteriaBuilder.equal(
// permissionsJoin.get("grantedPrivilege"),
// criteriaBuilder.selectCase()
// .when(
// criteriaBuilder
// .equal(from.get("version"),
// ContentItemVersion.DRAFT),
// ItemPrivileges.PREVIEW)
// .otherwise(ItemPrivileges.VIEW_PUBLISHED))
// ),
// criteriaBuilder
// .equal(criteriaBuilder.literal(true),
// isSystemUser),
// criteriaBuilder
// .equal(criteriaBuilder.literal(true),
// isAdmin)
// )
)
);
criteriaQuery criteriaQuery
.orderBy(listOrder .orderBy(listOrder