/**
* @throws SDataException
* @throws RepositoryException
*/
public CHSNodeMap(ContentEntity n, int depth, ResourceDefinition rp) throws SDataException {
String lock = ContentHostingService.AUTH_RESOURCE_HIDDEN;
sessionManager = Kernel.sessionManager();
entityManager = Kernel.entityManager();
String userId = sessionManager.getCurrentSessionUserId();
String reference = n.getReference();
Reference referenceObj = entityManager.newReference(reference);
Collection<?> groups = referenceObj.getAuthzGroups();
boolean canSeeHidden = Kernel.securityService().unlock(userId, lock, reference, groups);
if (!canSeeHidden && !n.isAvailable()) {
throw new SDataAccessException(403, "Permission denied on item");
}
contentHostingService = Kernel.contentHostingService();
authZGroupService = Kernel.authzGroupService();
depth--;
put("mixinNodeType", getMixinTypes(n));
put("properties", getProperties(n));
put("name", getName(n));
if (rp != null) {
put("path", rp.getExternalPath(n.getId()));
}
put("permissions", getPermissions(n));
if (n instanceof ContentResource) {
put("primaryNodeType", "nt:file");
addFile((ContentResource) n);
} else {
put("primaryNodeType", "nt:folder");
addFolder((ContentCollection) n, rp, depth);
}
}
private Map<String, String> getPermissions(ContentEntity n) throws SDataException {
Map<String, String> map = new HashMap<String, String>();
if (n instanceof ContentCollection) {
map.put("read", String.valueOf(contentHostingService.allowGetCollection(n.getId())));
map.put("remove", String.valueOf(contentHostingService.allowRemoveCollection(n.getId())));
map.put("write", String.valueOf(contentHostingService.allowUpdateCollection(n.getId())));
String ref = n.getReference();
Reference reference = entityManager.newReference(n.getReference());
if (log.isDebugEnabled()) {
log.debug("Got Reference " + reference + " for " + n.getReference());
}
Collection<?> groups = reference.getAuthzGroups();
String user = sessionManager.getCurrentSessionUserId();
map.put(
"admin",
String.valueOf(
authZGroupService.isAllowed(
sessionManager.getCurrentSessionUserId(),
AuthzGroupService.SECURE_UPDATE_AUTHZ_GROUP,
groups)));
} else {
map.put("read", String.valueOf(contentHostingService.allowGetResource(n.getId())));
map.put("remove", String.valueOf(contentHostingService.allowRemoveResource(n.getId())));
map.put("write", String.valueOf(contentHostingService.allowUpdateResource(n.getId())));
}
return map;
}
/** {@inheritDoc} */
public Collection getEntityAuthzGroups(Reference ref, String userId) {
// double check that it's mine
if (APPLICATION_ID != ref.getType()) return null;
Collection rv = new Vector();
// if the reference is an AuthzGroup, and not a special one
// get the list of realms for the azGroup-referenced resource
if ((ref.getId() != null) && (ref.getId().length() > 0) && (!ref.getId().startsWith("!"))) {
// add the current user's azGroup (for what azGroup stuff everyone can do, i.e. add)
ref.addUserAuthzGroup(rv, sessionManager().getCurrentSessionUserId());
// make a new reference on the azGroup's id
Reference refnew = entityManager().newReference(ref.getId());
rv.addAll(refnew.getAuthzGroups(userId));
}
return rv;
}
/**
* build the context.
*
* @return The name of the template to use.
*/
public static String buildHelperContext(
VelocityPortlet portlet, Context context, RunData rundata, SessionState state) {
// in state is the realm id
context.put("thelp", rb);
String realmId = (String) state.getAttribute(STATE_REALM_ID);
// in state is the realm to use for roles - if not, use realmId
String realmRolesId = (String) state.getAttribute(STATE_REALM_ROLES_ID);
context.put("viewRealmId", realmRolesId);
// get the realm locked for editing
AuthzGroup edit = (AuthzGroup) state.getAttribute(STATE_REALM_EDIT);
if (edit == null) {
if (AuthzGroupService.allowUpdate(realmId)) {
try {
edit = AuthzGroupService.getAuthzGroup(realmId);
state.setAttribute(STATE_REALM_EDIT, edit);
} catch (GroupNotDefinedException e) {
try {
// we can create the realm
edit = AuthzGroupService.addAuthzGroup(realmId);
state.setAttribute(STATE_REALM_EDIT, edit);
} catch (GroupIdInvalidException ee) {
M_log.warn("PermissionsAction.buildHelperContext: addRealm: " + ee);
cleanupState(state);
return null;
} catch (GroupAlreadyDefinedException ee) {
M_log.warn("PermissionsAction.buildHelperContext: addRealm: " + ee);
cleanupState(state);
return null;
} catch (AuthzPermissionException ee) {
M_log.warn("PermissionsAction.buildHelperContext: addRealm: " + ee);
cleanupState(state);
return null;
}
}
}
// no permission
else {
M_log.warn("PermissionsAction.buildHelperContext: no permission: " + realmId);
cleanupState(state);
return null;
}
}
AuthzGroup viewEdit = null;
// check wither the current realm id is of site group type
if (realmId.indexOf(SiteService.REFERENCE_ROOT) != -1) {
String siteId = realmId.replaceAll(SiteService.REFERENCE_ROOT + "/", "");
context.put("siteRef", realmId);
if (state.getAttribute(STATE_GROUP_AWARE) != null
&& ((Boolean) state.getAttribute(STATE_GROUP_AWARE)).booleanValue()) {
// only show groups for group-aware tools
try {
Site site = SiteService.getSite(siteId);
Collection groups = site.getGroups();
if (groups != null && !groups.isEmpty()) {
Iterator iGroups = groups.iterator();
for (; iGroups.hasNext(); ) {
Group group = (Group) iGroups.next();
// need to either have realm update permission on the group level or better at the
// site level
if (!AuthzGroupService.allowUpdate(group.getReference())) {
iGroups.remove();
}
}
context.put("groups", groups);
}
} catch (Exception siteException) {
M_log.warn(
"PermissionsAction.buildHelperContext: getsite of realm id = "
+ realmId
+ siteException);
}
}
// get the realm locked for editing
viewEdit = (AuthzGroup) state.getAttribute(STATE_VIEW_REALM_EDIT);
if (viewEdit == null) {
if (AuthzGroupService.allowUpdate(realmRolesId)
|| AuthzGroupService.allowUpdate(SiteService.siteReference(siteId))) {
try {
viewEdit = AuthzGroupService.getAuthzGroup(realmRolesId);
state.setAttribute(STATE_VIEW_REALM_EDIT, viewEdit);
} catch (GroupNotDefinedException e) {
M_log.warn(
"PermissionsAction.buildHelperContext: getRealm with id= "
+ realmRolesId
+ " : "
+ e);
cleanupState(state);
return null;
}
}
// no permission
else {
M_log.warn("PermissionsAction.buildHelperContext: no permission: " + realmId);
cleanupState(state);
return null;
}
}
}
// in state is the prefix for abilities to present
String prefix = (String) state.getAttribute(STATE_PREFIX);
// in state is the list of abilities we will present
List functions = (List) state.getAttribute(STATE_ABILITIES);
if (functions == null) {
// get all functions prefixed with our prefix
functions = FunctionManager.getRegisteredFunctions(prefix);
}
if (functions != null && !functions.isEmpty()) {
List<String> nFunctions = new Vector<String>();
if (!realmRolesId.equals(realmId)) {
// editing groups within site, need to filter out those permissions only applicable to site
// level
for (Iterator iFunctions = functions.iterator(); iFunctions.hasNext(); ) {
String function = (String) iFunctions.next();
if (function.indexOf("all.groups") == -1) {
nFunctions.add(function);
}
}
} else {
nFunctions.addAll(functions);
}
state.setAttribute(STATE_ABILITIES, nFunctions);
context.put("abilities", nFunctions);
// get function description from passed in HashMap
// output permission descriptions
Map<String, String> functionDescriptions =
(Map<String, String>) state.getAttribute(STATE_PERMISSION_DESCRIPTIONS);
if (functionDescriptions != null) {
Set keySet = functionDescriptions.keySet();
for (Object function : functions) {
String desc = (String) function;
String descKey = PermissionsHelper.PREFIX_PERMISSION_DESCRIPTION + function;
if (keySet.contains(descKey)) {
// use function description
desc = (String) functionDescriptions.get(descKey);
}
functionDescriptions.put((String) function, desc);
}
context.put("functionDescriptions", functionDescriptions);
}
}
// in state is the description of the edit
String description = (String) state.getAttribute(STATE_DESCRIPTION);
// the list of roles
List roles = (List) state.getAttribute(STATE_ROLES);
if (roles == null) {
// get the roles from the edit, unless another is specified
AuthzGroup roleRealm = viewEdit != null ? viewEdit : edit;
if (realmRolesId != null) {
try {
roleRealm = AuthzGroupService.getAuthzGroup(realmRolesId);
} catch (Exception e) {
M_log.warn(
"PermissionsHelperAction.buildHelperContext: getRolesRealm: "
+ realmRolesId
+ " : "
+ e);
}
}
roles = new Vector();
roles.addAll(roleRealm.getRoles());
Collections.sort(roles);
state.setAttribute(STATE_ROLES, roles);
}
// the abilities not including this realm for each role
Map rolesAbilities = (Map) state.getAttribute(STATE_ROLE_ABILITIES);
if (rolesAbilities == null) {
rolesAbilities = new Hashtable();
state.setAttribute(STATE_ROLE_ABILITIES, rolesAbilities);
// get this resource's role Realms,those that refine the role definitions, but not it's own
Reference ref =
EntityManager.newReference(viewEdit != null ? viewEdit.getId() : edit.getId());
Collection realms = ref.getAuthzGroups();
realms.remove(ref.getReference());
for (Iterator iRoles = roles.iterator(); iRoles.hasNext(); ) {
Role role = (Role) iRoles.next();
Set locks = AuthzGroupService.getAllowedFunctions(role.getId(), realms);
rolesAbilities.put(role.getId(), locks);
}
}
context.put("realm", viewEdit != null ? viewEdit : edit);
context.put("prefix", prefix);
context.put("description", description);
if (roles.size() > 0) {
context.put("roles", roles);
}
context.put("rolesAbilities", rolesAbilities);
// make sure observers are disabled
VelocityPortletPaneledAction.disableObservers(state);
return TEMPLATE_MAIN;
}
