From 759a0716f3b0c11dc402150a593e47bafe1a32e9 Mon Sep 17 00:00:00 2001
From: jensp
Date: Fri, 2 Mar 2018 13:58:55 +0000
Subject: [PATCH] CCM NG: PermissionChecking for ItemListComponentRenderer and fixed PartyAddForm
git-svn-id: https://svn.libreccm.org/ccm/ccm_ng@5323 8810af33-2d31-482b-a856-94f89814c4df
Former-commit-id: dd8f95061fc794b9adfa46eecda90222439bc4a1
---
 .../com/arsdigita/cms/ui/PartyAddForm.java | 2 +-
 .../cms/ui/role/RoleAdminPaneController.java | 37 ++++-
 .../cms/ui/role/RolePartyAddForm.java | 63 ++++----
 .../pagemodel/ItemListComponentRenderer.java | 135 +++++++++++++++++-
 4 files changed, 198 insertions(+), 39 deletions(-)
diff --git a/ccm-cms/src/main/java/com/arsdigita/cms/ui/PartyAddForm.java b/ccm-cms/src/main/java/com/arsdigita/cms/ui/PartyAddForm.java
index 79d98c8b4..f8ffdbbcd 100755
--- a/ccm-cms/src/main/java/com/arsdigita/cms/ui/PartyAddForm.java
+++ b/ccm-cms/src/main/java/com/arsdigita/cms/ui/PartyAddForm.java
@@ -49,8 +49,8 @@ import java.util.TooManyListenersException;
 /**
  * Form for adding multiple parties to a role.
  *
- * @author Yannick Bülter
  * @author Scott Seago (scott@arsdigita.com)
+ * @author Yannick Bülter
  */
 public abstract class PartyAddForm extends SimpleContainer
     implements FormInitListener, FormProcessListener {
diff --git a/ccm-cms/src/main/java/com/arsdigita/cms/ui/role/RoleAdminPaneController.java b/ccm-cms/src/main/java/com/arsdigita/cms/ui/role/RoleAdminPaneController.java
index fa5f818b6..4a9f3f131 100644
--- a/ccm-cms/src/main/java/com/arsdigita/cms/ui/role/RoleAdminPaneController.java
+++ b/ccm-cms/src/main/java/com/arsdigita/cms/ui/role/RoleAdminPaneController.java
@@ -23,9 +23,11 @@ import com.arsdigita.kernel.KernelConfig; import org.libreccm.configuration.ConfigurationManager; import org.libreccm.security.Party; +import org.libreccm.security.PartyRepository; import org.libreccm.security.Permission; import org.libreccm.security.PermissionManager; import org.libreccm.security.Role; +import org.libreccm.security.RoleManager; import org.libreccm.security.RoleRepository; import org.librecms.contentsection.ContentSection; import org.librecms.contentsection.ContentSectionManager; @@ -51,22 +53,28 @@ import javax.transaction.Transactional; * @author Jens Pelzetter */ @RequestScoped -public class RoleAdminPaneController { +class RoleAdminPaneController { + + @Inject + private ConfigurationManager confManager; + + @Inject + private PartyRepository partyRepo; @Inject private PermissionManager permissionManager; @Inject - private ContentSectionRepository sectionRepo; + private RoleManager roleManager; + + @Inject + private RoleRepository roleRepo; @Inject private ContentSectionManager sectionManager; @Inject - private RoleRepository roleRepo; - - @Inject - private ConfigurationManager confManager; + private ContentSectionRepository sectionRepo; @Transactional(Transactional.TxType.REQUIRED) public List findRolesForContentSection(final ContentSection section) { @@ -358,4 +366,21 @@ public class RoleAdminPaneController { return role; } + @Transactional(Transactional.TxType.REQUIRED) + public void assignRoleToParty(final long roleId, final long partyId) { + + final Role role = roleRepo + .findById(roleId) + .orElseThrow(() -> new IllegalArgumentException(String + .format("No role with ID %d in the database.", + roleId))); + final Party party = partyRepo + .findById(partyId) + .orElseThrow(() -> new IllegalArgumentException(String + .format("No party with ID %d in the database.", + partyId))); + + roleManager.assignRoleToParty(role, party); + } + } 
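Review bot: `assignRoleToParty(roleId, partyId)` in the last hunk performs no authorization check of its own; it is a public method on a CDI bean that any caller can obtain via `CdiUtil.findBean`, and the only privilege gate visible in this patch is the `FormSecurityListener(AdminPrivileges.ADMINISTER_ROLES)` registered by `RolePartyAddForm`. Since this is the transactional entry point that actually mutates role membership, it would be safer to enforce `ADMINISTER_ROLES` here as well, before the two lookups, rather than relying on every UI caller to register the listener; the class already injects `PermissionManager`, and this same patch uses `PermissionChecker.isPermitted(...)` in the renderer, so one of those is presumably the right hook (confirm the API and the type of the privilege constant). The method also lacks Javadoc; a header stating its purpose plus `@throws IllegalArgumentException if no role or party with the given ID exists` would make the contract explicit. Narrowing the class to package-private in the second hunk reduces exposure but presumably does not stop `findBean` from another package, so it is not a substitute for the check.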
diff --git a/ccm-cms/src/main/java/com/arsdigita/cms/ui/role/RolePartyAddForm.java b/ccm-cms/src/main/java/com/arsdigita/cms/ui/role/RolePartyAddForm.java index 8ea8f15dd..372445bdf 100755 --- a/ccm-cms/src/main/java/com/arsdigita/cms/ui/role/RolePartyAddForm.java +++ b/ccm-cms/src/main/java/com/arsdigita/cms/ui/role/RolePartyAddForm.java @@ -32,8 +32,13 @@ import com.arsdigita.util.Assert; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.libreccm.cdi.utils.CdiUtil; -import org.libreccm.security.*; -import org.librecms.CmsConstants; + +import org.libreccm.security.Party; +import org.libreccm.security.PartyRepository; +import org.libreccm.security.Role; +import org.libreccm.security.RoleManager; +import org.libreccm.security.RoleRepository; +import org.libreccm.security.User; import org.librecms.contentsection.privileges.AdminPrivileges; import java.util.Arrays; 
@@ -54,64 +59,72 @@ import java.util.List; */ class RolePartyAddForm extends PartyAddForm { - private static Logger LOGGER = LogManager.getLogger(RolePartyAddForm.class); + private static final Logger LOGGER = LogManager + .getLogger(RolePartyAddForm.class); - private SingleSelectionModel m_roles; + private final SingleSelectionModel roleSelectionModel; - RolePartyAddForm(SingleSelectionModel roles, TextField search) { + RolePartyAddForm(final SingleSelectionModel roleSelectionModel, + final TextField search) { + super(search); - m_roles = roles; + this.roleSelectionModel = roleSelectionModel; - getForm().addSubmissionListener(new FormSecurityListener( - AdminPrivileges.ADMINISTER_ROLES)); + super + .getForm() + .addSubmissionListener( + new FormSecurityListener(AdminPrivileges.ADMINISTER_ROLES)); } @Override - protected List makeQuery(PageState s) { - Assert.isTrue(m_roles.isSelected(s)); + protected List makeQuery(final PageState state) { final CdiUtil cdiUtil = CdiUtil.createCdiUtil(); final PartyRepository partyRepository = cdiUtil.findBean( PartyRepository.class); - final String searchQuery = (String) getSearchWidget().getValue(s); + final String searchQuery = (String) getSearchWidget().getValue(state); return partyRepository.searchByName(searchQuery); } @Override public void process(FormSectionEvent event) throws FormProcessException { - FormData data = event.getFormData(); - PageState state = event.getPageState(); - Assert.isTrue(m_roles.isSelected(state)); + + final FormData data = event.getFormData(); + final PageState state = event.getPageState(); - String[] parties = (String[]) data.get("parties"); + final String[] parties = (String[]) data.get("parties"); LOGGER.debug("PARTIES = " + Arrays.toString(parties)); if (parties == null) { throw new FormProcessException(GlobalizationUtil.globalize( "cms.ui.role.no_party_selected")); } - final Long roleId = new Long((String) m_roles.getSelectedKey(state)); + final Long roleId = Long + 
.parseLong(roleSelectionModel.getSelectedKey(state)); final CdiUtil cdiUtil = CdiUtil.createCdiUtil(); - final RoleRepository roleRepository = cdiUtil.findBean( - RoleRepository.class); - final PartyRepository partyRepository = cdiUtil.findBean( - PartyRepository.class); - final RoleManager roleManager = cdiUtil.findBean(RoleManager.class); +// final RoleRepository roleRepository = cdiUtil.findBean( +// RoleRepository.class); +// final PartyRepository partyRepository = cdiUtil.findBean( +// PartyRepository.class); +// final RoleManager roleManager = cdiUtil.findBean(RoleManager.class); + final RoleAdminPaneController controller = cdiUtil + .findBean(RoleAdminPaneController.class); - final Role role = roleRepository.findById(roleId).get(); +// final Role role = roleRepository.findById(roleId).get(); // Add each checked party to the role - Party party; +// Party party; for (int i = 0; i < parties.length; i++) { if (LOGGER.isDebugEnabled()) { LOGGER.debug("parties[" + i + "] = " + parties[i]); } - party = partyRepository.findByName(parties[i]).get(); - roleManager.assignRoleToParty(role, party); +// party = partyRepository.findById(Long.parseLong(parties[i])).get(); +// roleManager.assignRoleToParty(role, party); + controller.assignRoleToParty(roleId, Long.parseLong(parties[i])); } } diff --git a/ccm-cms/src/main/java/org/librecms/pagemodel/ItemListComponentRenderer.java b/ccm-cms/src/main/java/org/librecms/pagemodel/ItemListComponentRenderer.java index 2429ca962..31cfa0bab 100644 --- a/ccm-cms/src/main/java/org/librecms/pagemodel/ItemListComponentRenderer.java +++ b/ccm-cms/src/main/java/org/librecms/pagemodel/ItemListComponentRenderer.java 
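Review bot: Both `makeQuery` and `process` dropped the `Assert.isTrue(m_roles.isSelected(...))` precondition, so with no role selected `roleSelectionModel.getSelectedKey(state)` presumably yields null and the new `Long.parseLong` call in `process` fails with a NumberFormatException instead of a clear error; restore the guard as `Assert.isTrue(roleSelectionModel.isSelected(state));` at the top of `process` (and of `makeQuery`), which also keeps the `com.arsdigita.util.Assert` import from this file's first hunk in use. The loop now parses `parties[i]` as a party ID where the old code looked the party up by name, and nothing in this patch changes the option values emitted by `PartyAddForm`, so confirm that the `"parties"` widget really submits IDs, otherwise every submission will throw NumberFormatException. The commented-out repository/manager lookups that replaced the old lines should be deleted rather than kept as `//` code, and `final Long roleId` could be a primitive `long` since it is only passed to `assignRoleToParty(long, long)`. The `User` import added in the first hunk is not referenced in the hunks shown; check that it is needed.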
@@ -54,7 +54,20 @@ import javax.servlet.http.HttpServletRequest; import static org.librecms.pages.PagesConstants.*; import org.libreccm.pagemodel.RendersComponent; +import org.libreccm.security.Permission; +import org.libreccm.security.PermissionChecker; +import org.libreccm.security.Role; +import org.libreccm.security.RoleManager; +import org.libreccm.security.Shiro; +import org.libreccm.security.User; +import org.libreccm.security.UserRepository; import org.librecms.contentsection.ContentItemVersion; +import org.librecms.contentsection.privileges.ItemPrivileges; + +import java.util.Optional; + +import javax.persistence.criteria.JoinType; +import javax.persistence.criteria.Predicate; /** * Renderer for the {@link ItemListComponent}. @@ -78,6 +91,18 @@ public class ItemListComponentRenderer @Inject private HttpServletRequest request; + @Inject + private PermissionChecker permissionChecker; + + @Inject + private RoleManager roleManager; + + @Inject + private Shiro shiro; + + @Inject + private UserRepository userRepository; + @Override public Map renderComponent( final ItemListComponent componentModel, @@ -114,7 +139,7 @@ public class ItemListComponentRenderer final List categories = new ArrayList<>(); if (componentModel.isDescending()) { categories.addAll(collectCategories(category)); - } + } categories.add(category); final Class limitToType = getLimitToType( 
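Review bot: The four new `@Inject` fields (`permissionChecker`, `roleManager`, `shiro`, `userRepository`) in the second hunk are undocumented, and the `confManager` field used alongside them further down is not added in this patch, so it presumably already exists on the class — worth confirming. Because this renderer now looks up the current Shiro subject and its roles to decide which items are returned (the filtering itself is in the following hunk, which runs past the end of the visible patch), a class-level Javadoc paragraph such as `Items are filtered by the permissions granted to the roles of the current user (or of the public user when nobody is logged in); system users and subjects holding the "*" permission see all items.` would let maintainers see that the output is subject-dependent and must not be cached or shared across requests without keying on the subject.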
@@ -164,17 +189,113 @@ public class ItemListComponentRenderer .from(limitToType); final Join catJoin = from .join("categories"); + final Join permissionsJoin = from + .join("permissions", JoinType.LEFT); - criteriaQuery.where(criteriaBuilder + final Optional user = shiro.getUser(); + final List roles; + if (user.isPresent()) { + final User theUser = userRepository + .findById(user.get().getPartyId()) + .orElseThrow(() -> new IllegalArgumentException(String + .format( + "No user with id %d in the database. " + + "Where did that ID come from?", + user.get().getPartyId()))); + roles = roleManager.findAllRolesForUser(theUser); + } else { + + final Optional publicUser; + + final KernelConfig kernelConfig = confManager + .findConfiguration(KernelConfig.class); + final String principal = (String) shiro + .getPublicUser() + .getPrincipal(); + if (kernelConfig.emailIsPrimaryIdentifier()) { + publicUser = userRepository.findByEmailAddress(principal); + } else { + publicUser = userRepository.findByName(principal); + } + + if (publicUser.isPresent()) { + roles = roleManager.findAllRolesForUser(publicUser.get()); + } else { + roles = Collections.emptyList(); + } + } + + final boolean isSystemUser = shiro.isSystemUser(); + final boolean isAdmin = permissionChecker.isPermitted("*"); + + final Predicate permissionsCheck; + if (roles.isEmpty()) { + permissionsCheck = criteriaBuilder + .or( + criteriaBuilder.equal(criteriaBuilder.literal(true), + isSystemUser), + criteriaBuilder.equal(criteriaBuilder.literal(true), + isAdmin) + ); + } else { + permissionsCheck = criteriaBuilder + .or( + criteriaBuilder + .and( + criteriaBuilder.in(permissionsJoin.get("grantee")) + .value(roles), + criteriaBuilder + .equal( + permissionsJoin.get("grantedPrivilege"), + criteriaBuilder.selectCase() + .when( + criteriaBuilder.equal( + from.get("version"), + ContentItemVersion.DRAFT), + ItemPrivileges.PREVIEW) + .otherwise( + ItemPrivileges.VIEW_PUBLISHED)) + ), + criteriaBuilder + 
.equal(criteriaBuilder.literal(true), + isSystemUser), + criteriaBuilder + .equal(criteriaBuilder.literal(true), + isAdmin) + ); + } + + criteriaQuery.distinct(true).where(criteriaBuilder .and(catJoin.get("category").in(categories), criteriaBuilder.equal(catJoin.get("indexObject"), false), criteriaBuilder.equal(catJoin.get("type"), ""), criteriaBuilder.equal(from.get("version"), - ContentItemVersion.LIVE))); -// criteriaQuery -// .where(criteriaBuilder -// .and(catJoin.get("category").in(categories), -// criteriaBuilder.equal(catJoin.get("index"), false))); + ContentItemVersion.LIVE), + permissionsCheck +// criteriaBuilder.or( +// criteriaBuilder.and( +// criteriaBuilder +// .in(permissionsJoin.get("grantee")) +// .value(roles), +// criteriaBuilder.equal( +// permissionsJoin.get("grantedPrivilege"), +// criteriaBuilder.selectCase() +// .when( +// criteriaBuilder +// .equal(from.get("version"), +// ContentItemVersion.DRAFT), +// ItemPrivileges.PREVIEW) +// .otherwise(ItemPrivileges.VIEW_PUBLISHED)) +// ), +// criteriaBuilder +// .equal(criteriaBuilder.literal(true), +// isSystemUser), +// criteriaBuilder +// .equal(criteriaBuilder.literal(true), +// isAdmin) +// ) + ) + ); criteriaQuery .orderBy(listOrder