static boolean checkCrossDomain(
Provisioning prov, Domain granteeDomain, Domain targetDomain, Group grantedOn)
throws ServiceException {
// sanity check, should not happen
// if we get here, the target can inherit rights from a group,
// and it must be a domain-ed entry and have a domain
if (targetDomain == null) return true; // let it through, or throw?
Domain grantedOnTargetInDomain = grantedOn.getDomain();
if (grantedOnTargetInDomain == null) {
// really an error, can't find the domain for the DL
// return false so ACL granted on this inherited DL target
// will be ignored
ZimbraLog.acl.warn(
"cannot get domain for dl " + grantedOn.getName() + " for checking cross doamin right");
return false;
}
// check if the authed admin is in the same domain of the target.
// If it is, no issue
if (targetDomain.getId().equals(granteeDomain.getId())) return true;
// check if this inherited target is in the same domain as the
// doamin fo the actual target entry. If it is, no issue.
if (targetDomain.getId().equals(grantedOnTargetInDomain.getId())) return true;
return checkCrossDomainAdminRight(prov, granteeDomain, targetDomain, false);
}
static boolean crossDomainOK(
Provisioning prov,
MailTarget grantee,
Domain granteeDomain,
Domain targetDomain,
Group grantedOn)
throws ServiceException {
if (!CrossDomain.checkCrossDomain(prov, granteeDomain, targetDomain, grantedOn)) {
sLog.info(
"No cross domain right for %s on domain %s, skipping positive grants on dl %s",
grantee.getName(), targetDomain.getName(), grantedOn.getName());
return false;
}
return true;
}