/**
* Checks if the current {@link Thread} has non-null {@link Experimenter}, {@link Event}, and
* {@linkExperimenterGroup}, required for proper functioning of the security system.
*/
public boolean isReady() {
BasicEventContext c = current();
if (c.getEvent() != null && c.getGroup() != null && c.getOwner() != null) {
return true;
}
return false;
}
/**
* Creates a {@link Details} object for the current security context.
*
* <p>The {@link Permissions} on the instance are calculated from the current group as well as the
* user's umask.
*
* @return
* @see <a href="https://trac.openmicroscopy.org.uk/trac/omero/ticket:1434">ticket:1434</a>
*/
public Details createDetails() {
BasicEventContext c = current();
Details d = Details.create();
d.setCreationEvent(c.getEvent());
d.setUpdateEvent(c.getEvent());
d.setOwner(c.getOwner());
d.setGroup(c.getGroup());
// ticket:1434
Permissions groupPerms = c.getCurrentGroupPermissions();
Permissions userUmask = c.getCurrentUmask();
Permissions p = new Permissions(groupPerms);
p.revokeAll(userUmask);
d.setPermissions(p);
return d;
}
public Event newEvent(Session session, EventType type, TokenHolder tokenHolder) {
BasicEventContext c = current();
Event e = new Event();
e.setType(type);
e.setTime(new Timestamp(System.currentTimeMillis()));
tokenHolder.setToken(e.getGraphHolder());
e.getDetails().setPermissions(Permissions.READ_ONLY);
// Proxied if necessary
e.setExperimenter(c.getOwner());
e.setExperimenterGroup(c.getGroup());
e.setSession(session);
c.setEvent(e);
return e;
}
/**
* delegates to SecurityFilter because that is where the logic is defined for the {@link
* #enableReadFilter(Object) read filter}
*
* <p>Ignores the id for the moment.
*
* <p>Though we pass in whether or not a share is active for completeness, a different {@link
* ACLVoter} implementation will almost certainly be active for share use.
*/
public boolean allowLoad(Class<? extends IObject> klass, Details d, long id) {
Assert.notNull(klass);
if (d == null
|| sysTypes.isSystemType(klass)
|| sysTypes.isInSystemGroup(d)
|| sysTypes.isInUserGroup(d)) {
return true;
}
final BasicEventContext c = currentUser.current();
final boolean nonPrivate =
c.getCurrentGroupPermissions().isGranted(Role.GROUP, Right.READ)
|| c.getCurrentGroupPermissions().isGranted(Role.WORLD, Right.READ);
final boolean isShare = c.getCurrentShareId() != null;
final boolean adminOrPi =
c.isCurrentUserAdmin() || c.getLeaderOfGroupsList().contains(c.getCurrentGroupId());
return securityFilter.passesFilter(
d, c.getGroup().getId(), c.getOwner().getId(), nonPrivate, adminOrPi, isShare);
}
private boolean allowUpdateOrDelete(IObject iObject, Details trustedDetails, boolean update) {
Assert.notNull(iObject);
BasicEventContext c = currentUser.current();
Long uid = c.getCurrentUserId();
boolean sysType =
sysTypes.isSystemType(iObject.getClass()) || sysTypes.isInSystemGroup(iObject.getDetails());
// needs no details info
if (tokenHolder.hasPrivilegedToken(iObject)) {
return true; // ticket:1794, allow move to "user
} else if (update && !sysType && currentUser.isGraphCritical()) { // ticket:1769
return objectBelongsToUser(iObject, uid);
} else if (c.isCurrentUserAdmin()) {
return true;
} else if (sysType) {
return false;
}
// previously we were taking the details directly from iObject
// iObject, however, is in a critical state. Values such as
// Permissions, owner, and group may have been changed.
Details d = trustedDetails;
// this can now only happen if a table doesn't have permissions
// and there aren't any of those. so let it be updated.
if (d == null) {
return true;
}
// the owner and group information might be null if the type
// is intended to be a system-type but isn't marked as one
// via SecuritySystem.isSystemType(). A NPE here might imply
// that that information is out of sync.
Long o = d.getOwner() == null ? null : d.getOwner().getId();
Long g = d.getGroup() == null ? null : d.getGroup().getId();
// needs no permissions info
if (g != null && c.getLeaderOfGroupsList().contains(g)) {
return true;
}
Permissions p = d.getPermissions();
// this should never occur.
if (p == null) {
throw new InternalException(
"Permissions null! Security system "
+ "failure -- refusing to continue. The Permissions should "
+ "be set to a default value.");
}
// standard
if (p.isGranted(WORLD, WRITE)) {
return true;
}
if (p.isGranted(USER, WRITE) && o != null && o.equals(c.getOwner().getId())) {
return true;
}
/* ticket:1992 - removing concept of GROUP-WRITE
if (p.isGranted(GROUP, WRITE) && g != null
&& c.getMemberOfGroupsList().contains(g)) {
return true;
}
*/
return false;
}
