NamedEntry getGranteeEntry(Provisioning prov, Element eGrantee, GranteeType granteeType)
throws ServiceException {
if (!granteeType.allowedForAdminRights())
throw ServiceException.INVALID_REQUEST(
"unsupported grantee type: " + granteeType.getCode(), null);
GranteeBy granteeBy = GranteeBy.fromString(eGrantee.getAttribute(AdminConstants.A_BY));
String grantee = eGrantee.getText();
return GranteeType.lookupGrantee(prov, granteeType, granteeBy, grantee);
}
/**
* check the checkRight right
*
* <p>check if the authed admin has the checkRight right on the user/group it is checking right
* for.
*
* @param zsc
* @param granteeType
* @param granteeBy
* @param grantee
* @return whether the checkRight right is checked
* @throws ServiceException
*/
protected boolean checkCheckRightRight(
ZimbraSoapContext zsc,
GranteeType granteeType,
GranteeBy granteeBy,
String grantee,
boolean granteeCanBeExternalEmailAddr)
throws ServiceException {
NamedEntry granteeEntry = null;
try {
granteeEntry =
GranteeType.lookupGrantee(Provisioning.getInstance(), granteeType, granteeBy, grantee);
} catch (ServiceException e) {
// grantee to check could be an external email address
ZimbraLog.acl.debug("unable to find grantee", e);
}
if (granteeEntry != null) {
// call checkRight instead of checkAccountRight because there is no
// backward compatibility issue for this SOAP.
//
// Note: granteeEntry is the target for the R_checkRight{Usr}/{Grp} right here
if (granteeType == GranteeType.GT_USER) checkRight(zsc, granteeEntry, Admin.R_checkRightUsr);
else if (granteeType == GranteeType.GT_GROUP)
checkRight(zsc, granteeEntry, Admin.R_checkRightGrp);
else
throw ServiceException.PERM_DENIED(
"invalid grantee type for check right:" + granteeType.getCode());
return true;
} else {
if (granteeCanBeExternalEmailAddr) return false;
else throw ServiceException.PERM_DENIED("unable to check checkRight right for " + grantee);
}
}
