CCM NG: PermissionChecking for ItemListComponentRenderer and fixed PartyAddForm
git-svn-id: https://svn.libreccm.org/ccm/ccm_ng@5323 8810af33-2d31-482b-a856-94f89814c4dfccm-docs
parent
3046dc9490
commit
6e3a25f4c5
@ -49,8 +49,8 @@ import java.util.TooManyListenersException;
|
|||
/**
|
||||
* Form for adding multiple parties to a role.
|
||||
*
|
||||
* @author <a href="mailto:yannick.buelter@yabue.de">Yannick Bülter</a>
|
||||
* @author Scott Seago (scott@arsdigita.com)
|
||||
* @author <a href="mailto:yannick.buelter@yabue.de">Yannick Bülter</a>
|
||||
*/
|
||||
public abstract class PartyAddForm extends SimpleContainer
|
||||
implements FormInitListener, FormProcessListener {
@ -23,9 +23,11 @@ import com.arsdigita.kernel.KernelConfig;
|
|||
|
||||
import org.libreccm.configuration.ConfigurationManager;
|
||||
import org.libreccm.security.Party;
|
||||
import org.libreccm.security.PartyRepository;
|
||||
import org.libreccm.security.Permission;
|
||||
import org.libreccm.security.PermissionManager;
|
||||
import org.libreccm.security.Role;
|
||||
import org.libreccm.security.RoleManager;
|
||||
import org.libreccm.security.RoleRepository;
|
||||
import org.librecms.contentsection.ContentSection;
|
||||
import org.librecms.contentsection.ContentSectionManager;
|
||||
|
|
@ -51,22 +53,28 @@ import javax.transaction.Transactional;
|
|||
* @author <a href="mailto:jens.pelzetter@googlemail.com">Jens Pelzetter</a>
|
||||
*/
|
||||
@RequestScoped
|
||||
public class RoleAdminPaneController {
|
||||
class RoleAdminPaneController {
|
||||
|
||||
@Inject
|
||||
private ConfigurationManager confManager;
|
||||
|
||||
@Inject
|
||||
private PartyRepository partyRepo;
|
||||
|
||||
@Inject
|
||||
private PermissionManager permissionManager;
|
||||
|
||||
@Inject
|
||||
private ContentSectionRepository sectionRepo;
|
||||
|
||||
@Inject
|
||||
private ContentSectionManager sectionManager;
|
||||
private RoleManager roleManager;
|
||||
|
||||
@Inject
|
||||
private RoleRepository roleRepo;
|
||||
|
||||
@Inject
|
||||
private ConfigurationManager confManager;
|
||||
private ContentSectionManager sectionManager;
|
||||
|
||||
@Inject
|
||||
private ContentSectionRepository sectionRepo;
|
||||
|
||||
@Transactional(Transactional.TxType.REQUIRED)
|
||||
public List<Role> findRolesForContentSection(final ContentSection section) {
@ -358,4 +366,21 @@ public class RoleAdminPaneController {
|
|||
return role;
|
||||
}
|
||||
|
||||
@Transactional(Transactional.TxType.REQUIRED)
|
||||
public void assignRoleToParty(final long roleId, final long partyId) {
|
||||
|
||||
final Role role = roleRepo
|
||||
.findById(roleId)
|
||||
.orElseThrow(() -> new IllegalArgumentException(String
|
||||
.format("No role with ID %d in the database.",
|
||||
roleId)));
|
||||
final Party party = partyRepo
|
||||
.findById(partyId)
|
||||
.orElseThrow(() -> new IllegalArgumentException(String
|
||||
.format("No party with ID %d in the database.",
|
||||
partyId)));
|
||||
|
||||
roleManager.assignRoleToParty(role, party);
|
||||
}
|
||||
|
||||
}
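Review bot: assignRoleToParty performs a privileged operation with no authorisation of its own, so the only guard is whatever the calling form installs (in this commit, RolePartyAddForm's FormSecurityListener); the contract should at least be stated on the method, e.g. `/** Assigns the role to the party. Performs no permission check itself: callers must already have verified {@code AdminPrivileges.ADMINISTER_ROLES}. @throws IllegalArgumentException if either ID is unknown */`. If the injected `permissionManager` offers a permission check, performing it inside the method would keep the guard with the operation rather than with each UI caller. The earlier hunk in this file appears to change `public class RoleAdminPaneController` to package-private `class`, which limits the bean to callers in the same package; worth confirming that the container still proxies the request-scoped bean correctly for a package-private class.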
@ -32,8 +32,13 @@ import com.arsdigita.util.Assert;
|
|||
import org.apache.logging.log4j.LogManager;
|
||||
import org.apache.logging.log4j.Logger;
|
||||
import org.libreccm.cdi.utils.CdiUtil;
|
||||
import org.libreccm.security.*;
|
||||
import org.librecms.CmsConstants;
|
||||
|
||||
import org.libreccm.security.Party;
|
||||
import org.libreccm.security.PartyRepository;
|
||||
import org.libreccm.security.Role;
|
||||
import org.libreccm.security.RoleManager;
|
||||
import org.libreccm.security.RoleRepository;
|
||||
import org.libreccm.security.User;
|
||||
import org.librecms.contentsection.privileges.AdminPrivileges;
|
||||
|
||||
import java.util.Arrays;
@ -54,64 +59,72 @@ import java.util.List;
|
|||
*/
|
||||
class RolePartyAddForm extends PartyAddForm {
|
||||
|
||||
private static Logger LOGGER = LogManager.getLogger(RolePartyAddForm.class);
|
||||
private static final Logger LOGGER = LogManager
|
||||
.getLogger(RolePartyAddForm.class);
|
||||
|
||||
private SingleSelectionModel m_roles;
|
||||
private final SingleSelectionModel<String> roleSelectionModel;
|
||||
|
||||
RolePartyAddForm(final SingleSelectionModel<String> roleSelectionModel,
|
||||
final TextField search) {
|
||||
|
||||
RolePartyAddForm(SingleSelectionModel roles, TextField search) {
|
||||
super(search);
|
||||
|
||||
m_roles = roles;
|
||||
this.roleSelectionModel = roleSelectionModel;
|
||||
|
||||
getForm().addSubmissionListener(new FormSecurityListener(
|
||||
AdminPrivileges.ADMINISTER_ROLES));
|
||||
super
|
||||
.getForm()
|
||||
.addSubmissionListener(
|
||||
new FormSecurityListener(AdminPrivileges.ADMINISTER_ROLES));
|
||||
}
|
||||
|
||||
@Override
|
||||
protected List<Party> makeQuery(PageState s) {
|
||||
Assert.isTrue(m_roles.isSelected(s));
|
||||
protected List<Party> makeQuery(final PageState state) {
|
||||
|
||||
final CdiUtil cdiUtil = CdiUtil.createCdiUtil();
|
||||
final PartyRepository partyRepository = cdiUtil.findBean(
|
||||
PartyRepository.class);
|
||||
|
||||
final String searchQuery = (String) getSearchWidget().getValue(s);
|
||||
final String searchQuery = (String) getSearchWidget().getValue(state);
|
||||
|
||||
return partyRepository.searchByName(searchQuery);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void process(FormSectionEvent event) throws FormProcessException {
|
||||
FormData data = event.getFormData();
|
||||
PageState state = event.getPageState();
|
||||
Assert.isTrue(m_roles.isSelected(state));
|
||||
|
||||
String[] parties = (String[]) data.get("parties");
|
||||
final FormData data = event.getFormData();
|
||||
final PageState state = event.getPageState();
|
||||
|
||||
final String[] parties = (String[]) data.get("parties");
|
||||
LOGGER.debug("PARTIES = " + Arrays.toString(parties));
|
||||
if (parties == null) {
|
||||
throw new FormProcessException(GlobalizationUtil.globalize(
|
||||
"cms.ui.role.no_party_selected"));
|
||||
}
|
||||
|
||||
final Long roleId = new Long((String) m_roles.getSelectedKey(state));
|
||||
final Long roleId = Long
|
||||
.parseLong(roleSelectionModel.getSelectedKey(state));
|
||||
|
||||
final CdiUtil cdiUtil = CdiUtil.createCdiUtil();
|
||||
final RoleRepository roleRepository = cdiUtil.findBean(
|
||||
RoleRepository.class);
|
||||
final PartyRepository partyRepository = cdiUtil.findBean(
|
||||
PartyRepository.class);
|
||||
final RoleManager roleManager = cdiUtil.findBean(RoleManager.class);
|
||||
// final RoleRepository roleRepository = cdiUtil.findBean(
|
||||
// RoleRepository.class);
|
||||
// final PartyRepository partyRepository = cdiUtil.findBean(
|
||||
// PartyRepository.class);
|
||||
// final RoleManager roleManager = cdiUtil.findBean(RoleManager.class);
|
||||
final RoleAdminPaneController controller = cdiUtil
|
||||
.findBean(RoleAdminPaneController.class);
|
||||
|
||||
final Role role = roleRepository.findById(roleId).get();
|
||||
// final Role role = roleRepository.findById(roleId).get();
|
||||
|
||||
// Add each checked party to the role
|
||||
Party party;
|
||||
// Party party;
|
||||
for (int i = 0; i < parties.length; i++) {
|
||||
if (LOGGER.isDebugEnabled()) {
|
||||
LOGGER.debug("parties[" + i + "] = " + parties[i]);
|
||||
}
|
||||
party = partyRepository.findByName(parties[i]).get();
|
||||
roleManager.assignRoleToParty(role, party);
|
||||
// party = partyRepository.findById(Long.parseLong(parties[i])).get();
|
||||
// roleManager.assignRoleToParty(role, party);
|
||||
controller.assignRoleToParty(roleId, Long.parseLong(parties[i]));
|
||||
}
|
||||
}
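Review bot: In process(), each submitted value is now parsed with `Long.parseLong(parties[i])` and handed to the controller, but nothing handles a non-numeric value or an unknown ID: NumberFormatException and the controller's IllegalArgumentException propagate out of the listener instead of becoming a FormProcessException, and the removed `Assert.isTrue(m_roles.isSelected(state))` guard has no replacement, so an unselected role reaches `Long.parseLong(null)` the same way. Converting these failures to FormProcessException keeps bad input a form error; the rewritten lines are below, with the message keys marked as placeholders to be taken from the existing bundle. `final Long roleId` boxes the primitive returned by `Long.parseLong`, and `final long roleId` is what the controller takes. The commented-out cdiUtil/roleRepository/partyRepository lines should be deleted rather than kept as comments. The class continues past the end of the hunk.

```java
final long roleId;
try {
    roleId = Long.parseLong(roleSelectionModel.getSelectedKey(state));
} catch (NumberFormatException ex) {
    // Also covers a missing selection: getSelectedKey() returns null then.
    throw new FormProcessException(GlobalizationUtil.globalize(
        "PLACEHOLDER_KEY_no_role_selected"));
}
// … unchanged: CdiUtil lookup of RoleAdminPaneController …
for (int i = 0; i < parties.length; i++) {
    // … unchanged: debug logging …
    try {
        controller.assignRoleToParty(roleId, Long.parseLong(parties[i]));
    } catch (IllegalArgumentException ex) {
        // NumberFormatException is a subclass, so this covers malformed
        // values as well as unknown IDs rejected by the controller.
        LOGGER.warn("Rejected party value {}", parties[i], ex);
        throw new FormProcessException(GlobalizationUtil.globalize(
            "PLACEHOLDER_KEY_invalid_party"));
    }
}
```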
@ -54,7 +54,20 @@ import javax.servlet.http.HttpServletRequest;
|
|||
import static org.librecms.pages.PagesConstants.*;
|
||||
|
||||
import org.libreccm.pagemodel.RendersComponent;
|
||||
import org.libreccm.security.Permission;
|
||||
import org.libreccm.security.PermissionChecker;
|
||||
import org.libreccm.security.Role;
|
||||
import org.libreccm.security.RoleManager;
|
||||
import org.libreccm.security.Shiro;
|
||||
import org.libreccm.security.User;
|
||||
import org.libreccm.security.UserRepository;
|
||||
import org.librecms.contentsection.ContentItemVersion;
|
||||
import org.librecms.contentsection.privileges.ItemPrivileges;
|
||||
|
||||
import java.util.Optional;
|
||||
|
||||
import javax.persistence.criteria.JoinType;
|
||||
import javax.persistence.criteria.Predicate;
|
||||
|
||||
/**
|
||||
* Renderer for the {@link ItemListComponent}.
@ -78,6 +91,18 @@ public class ItemListComponentRenderer
|
|||
@Inject
|
||||
private HttpServletRequest request;
|
||||
|
||||
@Inject
|
||||
private PermissionChecker permissionChecker;
|
||||
|
||||
@Inject
|
||||
private RoleManager roleManager;
|
||||
|
||||
@Inject
|
||||
private Shiro shiro;
|
||||
|
||||
@Inject
|
||||
private UserRepository userRepository;
|
||||
|
||||
@Override
|
||||
public Map<String, Object> renderComponent(
|
||||
final ItemListComponent componentModel,
@ -164,17 +189,113 @@ public class ItemListComponentRenderer
|
|||
.from(limitToType);
|
||||
final Join<? extends ContentItem, Categorization> catJoin = from
|
||||
.join("categories");
|
||||
final Join<? extends ContentItem, Permission> permissionsJoin = from
|
||||
.join("permissions", JoinType.LEFT);
|
||||
|
||||
criteriaQuery.where(criteriaBuilder
|
||||
final Optional<User> user = shiro.getUser();
|
||||
final List<Role> roles;
|
||||
if (user.isPresent()) {
|
||||
final User theUser = userRepository
|
||||
.findById(user.get().getPartyId())
|
||||
.orElseThrow(() -> new IllegalArgumentException(String
|
||||
.format(
|
||||
"No user with id %d in the database. "
|
||||
+ "Where did that ID come from?",
|
||||
user.get().getPartyId())));
|
||||
roles = roleManager.findAllRolesForUser(theUser);
|
||||
} else {
|
||||
|
||||
final Optional<User> publicUser;
|
||||
|
||||
final KernelConfig kernelConfig = confManager
|
||||
.findConfiguration(KernelConfig.class);
|
||||
final String principal = (String) shiro
|
||||
.getPublicUser()
|
||||
.getPrincipal();
|
||||
if (kernelConfig.emailIsPrimaryIdentifier()) {
|
||||
publicUser = userRepository.findByEmailAddress(principal);
|
||||
} else {
|
||||
publicUser = userRepository.findByName(principal);
|
||||
}
|
||||
|
||||
if (publicUser.isPresent()) {
|
||||
roles = roleManager.findAllRolesForUser(publicUser.get());
|
||||
} else {
|
||||
roles = Collections.emptyList();
|
||||
}
|
||||
}
|
||||
|
||||
final boolean isSystemUser = shiro.isSystemUser();
|
||||
final boolean isAdmin = permissionChecker.isPermitted("*");
|
||||
|
||||
final Predicate permissionsCheck;
|
||||
if (roles.isEmpty()) {
|
||||
permissionsCheck = criteriaBuilder
|
||||
.or(
|
||||
criteriaBuilder.equal(criteriaBuilder.literal(true),
|
||||
isSystemUser),
|
||||
criteriaBuilder.equal(criteriaBuilder.literal(true),
|
||||
isAdmin)
|
||||
);
|
||||
} else {
|
||||
permissionsCheck = criteriaBuilder
|
||||
.or(
|
||||
criteriaBuilder
|
||||
.and(
|
||||
criteriaBuilder.in(permissionsJoin.get("grantee"))
|
||||
.value(roles),
|
||||
criteriaBuilder
|
||||
.equal(
|
||||
permissionsJoin.get("grantedPrivilege"),
|
||||
criteriaBuilder.selectCase()
|
||||
.when(
|
||||
criteriaBuilder.equal(
|
||||
from.get("version"),
|
||||
ContentItemVersion.DRAFT),
|
||||
ItemPrivileges.PREVIEW)
|
||||
.otherwise(
|
||||
ItemPrivileges.VIEW_PUBLISHED))
|
||||
),
|
||||
criteriaBuilder
|
||||
.equal(criteriaBuilder.literal(true),
|
||||
isSystemUser),
|
||||
criteriaBuilder
|
||||
.equal(criteriaBuilder.literal(true),
|
||||
isAdmin)
|
||||
);
|
||||
}
|
||||
|
||||
criteriaQuery.distinct(true).where(criteriaBuilder
|
||||
.and(catJoin.get("category").in(categories),
|
||||
criteriaBuilder.equal(catJoin.get("indexObject"), false),
|
||||
criteriaBuilder.equal(catJoin.get("type"), ""),
|
||||
criteriaBuilder.equal(from.get("version"),
|
||||
ContentItemVersion.LIVE)));
|
||||
// criteriaQuery
|
||||
// .where(criteriaBuilder
|
||||
// .and(catJoin.get("category").in(categories),
|
||||
// criteriaBuilder.equal(catJoin.get("index"), false)));
|
||||
ContentItemVersion.LIVE),
|
||||
permissionsCheck
|
||||
// criteriaBuilder.or(
|
||||
// criteriaBuilder.and(
|
||||
// criteriaBuilder
|
||||
// .in(permissionsJoin.get("grantee"))
|
||||
// .value(roles),
|
||||
// criteriaBuilder.equal(
|
||||
// permissionsJoin.get("grantedPrivilege"),
|
||||
// criteriaBuilder.selectCase()
|
||||
// .when(
|
||||
// criteriaBuilder
|
||||
// .equal(from.get("version"),
|
||||
// ContentItemVersion.DRAFT),
|
||||
// ItemPrivileges.PREVIEW)
|
||||
// .otherwise(ItemPrivileges.VIEW_PUBLISHED))
|
||||
// ),
|
||||
// criteriaBuilder
|
||||
// .equal(criteriaBuilder.literal(true),
|
||||
// isSystemUser),
|
||||
// criteriaBuilder
|
||||
// .equal(criteriaBuilder.literal(true),
|
||||
// isAdmin)
|
||||
// )
|
||||
)
|
||||
);
|
||||
|
||||
criteriaQuery
|
||||
.orderBy(listOrder
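Review bot: The permission filter encodes the Java-side booleans `isSystemUser` and `isAdmin` into the query as `TRUE = :param` predicates, and when either is true the rest of the clause is redundant; deciding in Java and using `criteriaBuilder.conjunction()`/`disjunction()` yields a simpler query and makes the deny case for a caller without roles explicit (rewritten lines below). Two further points in the same predicate: `criteriaBuilder.in(permissionsJoin.get("grantee")).value(roles)` hands a List to `In.value(T)`, which takes one value, whereas `permissionsJoin.get("grantee").in(roles)` is the form the categories filter in this same where() already uses; and the `selectCase()` on `version` is dead, because the outer where() pins `version` to `ContentItemVersion.LIVE`, so only `ItemPrivileges.VIEW_PUBLISHED` can ever match. Presumably view permissions may also be granted on a parent object (section or folder) rather than on each item; if so, joining only the item's own `permissions` collection would filter out items the caller is entitled to see — confirm against how PermissionChecker resolves inherited grants. The commented-out copy of the predicate inside the where() should be deleted. renderComponent continues past the end of the hunk.

```java
final Predicate permissionsCheck;
if (isSystemUser || isAdmin) {
    // Privileged callers see everything; no SQL-side check needed.
    permissionsCheck = criteriaBuilder.conjunction();
} else if (roles.isEmpty()) {
    // Nothing can have been granted to a caller without roles: deny.
    permissionsCheck = criteriaBuilder.disjunction();
} else {
    permissionsCheck = criteriaBuilder.and(
        permissionsJoin.get("grantee").in(roles),
        // The outer where() restricts version to LIVE, so the DRAFT/PREVIEW
        // branch of the former selectCase() could never apply.
        criteriaBuilder.equal(permissionsJoin.get("grantedPrivilege"),
                              ItemPrivileges.VIEW_PUBLISHED));
}
// … unchanged: criteriaQuery.distinct(true).where(...) with permissionsCheck, minus the commented-out block …
```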