/**
 * Decides whether the current caller may load (read) an object of the given type.
 *
 * <p>The decision itself is made by the SecurityFilter, because that is where the logic for the
 * {@link #enableReadFilter(Object) read filter} is defined. This method only gathers the
 * inputs from the current event context.
 *
 * <p>The load is allowed without consulting the filter when no {@link Details} are supplied,
 * when the class is a system type, or when the details place the object in the system group
 * or the user group.
 *
 * <p>Whether a share is active is passed to the filter for completeness, but a different
 * {@link ACLVoter} implementation will almost certainly be active for share use.
 *
 * @param klass type of the object being loaded; must not be null
 * @param d details (owner, group, permissions) of the object; may be null
 * @param id identifier of the object; ignored for the moment
 * @return {@code true} if the load is permitted, {@code false} otherwise
 */
public boolean allowLoad(Class<? extends IObject> klass, Details d, long id) {
    Assert.notNull(klass);

    // NOTE(review): missing details result in "allow", not "deny". This is safe only if
    // null details occur solely for objects that carry no permissions; confirm with callers.
    if (d == null) {
        return true;
    }
    // The remaining short-circuit cases are checked in the same order as before.
    if (sysTypes.isSystemType(klass)) {
        return true;
    }
    if (sysTypes.isInSystemGroup(d)) {
        return true;
    }
    if (sysTypes.isInUserGroup(d)) {
        return true;
    }

    final BasicEventContext ctx = currentUser.current();

    // The current group is "non-private" when it grants READ to group members or to the world.
    final boolean groupIsReadable =
            ctx.getCurrentGroupPermissions().isGranted(Role.GROUP, Right.READ)
                    || ctx.getCurrentGroupPermissions().isGranted(Role.WORLD, Right.READ);

    final boolean shareActive = ctx.getCurrentShareId() != null;

    // Administrators and leaders of the current group are reported to the filter as one flag.
    final boolean privilegedReader =
            ctx.isCurrentUserAdmin()
                    || ctx.getLeaderOfGroupsList().contains(ctx.getCurrentGroupId());

    return securityFilter.passesFilter(
            d,
            ctx.getGroup().getId(),
            ctx.getOwner().getId(),
            groupIsReadable,
            privilegedReader,
            shareActive);
}
/**
 * Shared write-access decision for update and delete requests.
 *
 * <p>The checks run in a fixed order and the first one that matches decides the outcome:
 *
 * <ol>
 *   <li>a privileged token held for the object allows the change;
 *   <li>an update of a non-system object while the current user is "graph critical" is allowed
 *       only if the object belongs to the current user (this check comes before the admin
 *       check, so it also applies to administrators);
 *   <li>an administrator is allowed;
 *   <li>a system type, or an object in the system group, is refused;
 *   <li>missing trusted details allow the change;
 *   <li>a leader of the object's group is allowed;
 *   <li>WORLD-WRITE permission allows the change;
 *   <li>USER-WRITE permission allows the change when the object's owner id equals the id of
 *       the owner in the current event context;
 *   <li>anything else is refused.
 * </ol>
 *
 * @param iObject object being modified; must not be null
 * @param trustedDetails details used for the owner, group and permission checks instead of
 *     the details currently attached to {@code iObject}; may be null
 * @param update {@code true} for an update; only the graph-critical branch depends on it
 * @return {@code true} if the change is permitted, {@code false} otherwise
 * @throws InternalException if the trusted details carry no permissions
 */
private boolean allowUpdateOrDelete(IObject iObject, Details trustedDetails, boolean update) {
    Assert.notNull(iObject);

    BasicEventContext c = currentUser.current();
    Long uid = c.getCurrentUserId();

    // NOTE(review): this flag is derived from iObject.getDetails(), not from trustedDetails,
    // although the comment further down treats the details on iObject as possibly modified.
    // Confirm that relying on the in-flight details here is intended.
    boolean sysType =
            sysTypes.isSystemType(iObject.getClass())
                    || sysTypes.isInSystemGroup(iObject.getDetails());

    // needs no details info
    // The order of this chain is the policy: token, then graph-critical ownership,
    // then admin, then the system-type refusal for everyone else.
    if (tokenHolder.hasPrivilegedToken(iObject)) {
        return true; // ticket:1794, allow move to "user"
    } else if (update && !sysType && currentUser.isGraphCritical()) { // ticket:1769
        return objectBelongsToUser(iObject, uid);
    } else if (c.isCurrentUserAdmin()) {
        return true;
    } else if (sysType) {
        return false;
    }

    // previously we were taking the details directly from iObject
    // iObject, however, is in a critical state. Values such as
    // Permissions, owner, and group may have been changed.
    Details d = trustedDetails;

    // this can now only happen if a table doesn't have permissions
    // and there aren't any of those. so let it be updated.
    // NOTE(review): this is an "allow" on missing data; it stays safe only as long as
    // callers never pass null trusted details for an object that does carry permissions.
    if (d == null) {
        return true;
    }

    // the owner and group information might be null if the type
    // is intended to be a system-type but isn't marked as one
    // via SecuritySystem.isSystemType(). A NPE here might imply
    // that that information is out of sync.
    Long o = d.getOwner() == null ? null : d.getOwner().getId();
    Long g = d.getGroup() == null ? null : d.getGroup().getId();

    // needs no permissions info
    // A leader of the object's group may write regardless of the permission bits.
    if (g != null && c.getLeaderOfGroupsList().contains(g)) {
        return true;
    }

    Permissions p = d.getPermissions();

    // this should never occur.
    // Fail closed: without permissions no decision can be made, so abort instead of guessing.
    if (p == null) {
        throw new InternalException(
                "Permissions null! Security system "
                        + "failure -- refusing to continue. The Permissions should "
                        + "be set to a default value.");
    }

    // standard
    if (p.isGranted(WORLD, WRITE)) {
        return true;
    }
    // A null owner id never matches, so an object without an owner is not writable here.
    if (p.isGranted(USER, WRITE) && o != null && o.equals(c.getOwner().getId())) {
        return true;
    }
    /* ticket:1992 - removing concept of GROUP-WRITE
    if (p.isGranted(GROUP, WRITE) && g != null
            && c.getMemberOfGroupsList().contains(g)) {
        return true;
    }
    */

    // Default deny.
    return false;
}