public boolean allowCreation(IObject iObject) { Assert.notNull(iObject); Class<?> cls = iObject.getClass(); boolean sysType = sysTypes.isSystemType(cls) || sysTypes.isInSystemGroup(iObject.getDetails()); if (!sysType && currentUser.isGraphCritical()) { // ticket:1769 Long uid = currentUser.getOwner().getId(); return objectBelongsToUser(iObject, uid); } else if (tokenHolder.hasPrivilegedToken(iObject) || currentUser.getCurrentEventContext().isCurrentUserAdmin()) { return true; } else if (sysType) { return false; } return true; }
private boolean allowUpdateOrDelete(IObject iObject, Details trustedDetails, boolean update) { Assert.notNull(iObject); BasicEventContext c = currentUser.current(); Long uid = c.getCurrentUserId(); boolean sysType = sysTypes.isSystemType(iObject.getClass()) || sysTypes.isInSystemGroup(iObject.getDetails()); // needs no details info if (tokenHolder.hasPrivilegedToken(iObject)) { return true; // ticket:1794, allow move to "user } else if (update && !sysType && currentUser.isGraphCritical()) { // ticket:1769 return objectBelongsToUser(iObject, uid); } else if (c.isCurrentUserAdmin()) { return true; } else if (sysType) { return false; } // previously we were taking the details directly from iObject // iObject, however, is in a critical state. Values such as // Permissions, owner, and group may have been changed. Details d = trustedDetails; // this can now only happen if a table doesn't have permissions // and there aren't any of those. so let it be updated. if (d == null) { return true; } // the owner and group information might be null if the type // is intended to be a system-type but isn't marked as one // via SecuritySystem.isSystemType(). A NPE here might imply // that that information is out of sync. Long o = d.getOwner() == null ? null : d.getOwner().getId(); Long g = d.getGroup() == null ? null : d.getGroup().getId(); // needs no permissions info if (g != null && c.getLeaderOfGroupsList().contains(g)) { return true; } Permissions p = d.getPermissions(); // this should never occur. if (p == null) { throw new InternalException( "Permissions null! Security system " + "failure -- refusing to continue. The Permissions should " + "be set to a default value."); } // standard if (p.isGranted(WORLD, WRITE)) { return true; } if (p.isGranted(USER, WRITE) && o != null && o.equals(c.getOwner().getId())) { return true; } /* ticket:1992 - removing concept of GROUP-WRITE if (p.isGranted(GROUP, WRITE) && g != null && c.getMemberOfGroupsList().contains(g)) { return true; } */ return false; }