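/**
 * Sets the {@code authorizableId} property on {@code node} from the request.
 *
 * <p>The candidate value is the {@link CollabUser#PROP_NAME} request parameter
 * ({@code userIdentifier}); the session user id comes from the request's profile. Nothing is
 * written when there is no session user or the session user is {@code anonymous}.
 *
 * <ul>
 *   <li>Author mode: the parameter is written only if that user exists and the request session
 *       can read its profile. A parameter naming a user other than the session user is still
 *       accepted; the mismatch is only logged at WARN.
 *   <li>Non-author mode: the session user id is written. A parameter naming a different user is
 *       rejected with a {@link CommentException}.
 * </ul>
 *
 * @param request the sling request
 * @param node the node where the {@code authorizableId} property is set
 * @throws RepositoryException if there is an error when saving to the repository
 * @throws CommentException if, outside author mode, the request parameter names a user other
 *     than the session user
 */
private void setAuthorizableId(final SlingHttpServletRequest request, final Node node)
        throws RepositoryException {
    final String userIdentifier = request.getParameter(CollabUser.PROP_NAME);
    final Profile sessionProfile = getSessionProfile(request);
    final String sessionUserId =
            sessionProfile == null ? null : sessionProfile.getAuthorizable().getID();

    // No session user, or the anonymous user: the property is not written at all.
    if (StringUtils.isBlank(sessionUserId) || "anonymous".equals(sessionUserId)) {
        return;
    }

    if (isAuthorMode()) {
        // node.getSession() is the admin session; the request session is the one whose
        // read access to the target user's profile is checked.
        final boolean userExists = userExists(userIdentifier, node.getSession());
        final boolean hasPermissions =
                hasPermissions(userIdentifier, getRequestSession(request), node.getSession());
        if (userExists && hasPermissions) {
            JcrUtil.setProperty(node, "authorizableId", userIdentifier);
            // Attribution to another existing, readable user is allowed here and only logged.
            if (!sessionUserId.equals(userIdentifier)) {
                log.warn(
                        "host {} posted a comment with different userIdentifier ({}) than sessionUserId ({})",
                        new Object[] {request.getRemoteAddr(), userIdentifier, sessionUserId});
            }
        } else {
            log.warn(
                    "host {} posted a comment with an unknown userIdentifier ({})",
                    request.getRemoteAddr(),
                    userIdentifier);
        }
        return;
    }

    // Non-author mode: the request may not attribute the comment to anyone but the session user.
    if (userIdentifier != null && !sessionUserId.equals(userIdentifier)) {
        final String message =
                "host "
                        + request.getRemoteAddr()
                        + " posted a comment with suspect userIdentifier ("
                        + userIdentifier
                        + "), sessionUserId ("
                        + sessionUserId
                        + ")";
        log.warn(message);
        throw new CommentException(message);
    }
    JcrUtil.setProperty(node, "authorizableId", sessionUserId);
}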
/**
 * Checks whether the request session may read the profile of the given user.
 *
 * <p>The user is resolved through a {@link UserManager} created on {@code adminSession}; the
 * check itself asks {@code requestSession} for {@link Session#ACTION_READ} on the profile path.
 * Every missing piece (blank id, no user manager, no profile, no request session) and any
 * {@link RepositoryException} or {@link NoSuchAuthorizableException} yields {@code false}, so
 * the check fails closed.
 *
 * @param userIdentifier the user id
 * @param requestSession the request {@link Session}, may be {@code null}
 * @param adminSession the administrator {@link Session} used to resolve the user
 * @return {@code true} only if the user's profile exists and the request session can read it
 */
private boolean hasPermissions(
        final String userIdentifier, final Session requestSession, final Session adminSession) {
    if (StringUtils.isBlank(userIdentifier)) {
        return false;
    }
    try {
        final UserManager userManager = userManagerFactory.createUserManager(adminSession);
        if (userManager == null) {
            return false;
        }
        final Profile profile = userManager.get(userIdentifier).getProfile();
        if (profile == null || requestSession == null) {
            return false;
        }
        return requestSession.hasPermission(profile.getPath(), Session.ACTION_READ);
    } catch (final RepositoryException e) {
        // Fail closed: a repository error never grants the permission.
        return false;
    } catch (final NoSuchAuthorizableException e) {
        // Unknown user: there is no profile to read.
        return false;
    }
}