private void throwSecurityViolationIfNotAllowed(final IObject i) {
final String type = i.getClass().getName();
final Details d = i.getDetails();
final long user = d.getOwner().getId();
final long group = d.getGroup().getId();
final EventContext ec = getSecuritySystem().getEventContext();
final boolean root = ec.isCurrentUserAdmin();
final List<Long> leaderof = ec.getLeaderOfGroupsList();
final boolean pi = leaderof.contains(group);
final boolean own = ec.getCurrentUserId().equals(user);
if (!own && !root && !pi) {
if (log.isWarnEnabled()) {
log.warn(
String.format(
"User %d attempted to delete " + type + " %d belonging to User %d",
ec.getCurrentUserId(),
i.getId(),
user));
}
throw new SecurityViolation(
String.format("User %s cannot delete %s %d ", ec.getCurrentUserName(), type, i.getId()));
}
}
public boolean doLogin(boolean readOnly, boolean isClose) {
try {
secSys.loadEventContext(readOnly, isClose);
} catch (SessionTimeoutException ste) {
// If this is a CloseOnNoSessionContext then we skip all handling
// since almost any action by the close() method will try to load
// the context and will fail. This assumes that EventHandler is
// the most inner handler. If this changes, then this logic may
// need to be pushed down further.
if (ste.sessionContext instanceof BasicSecurityWiring.CloseOnNoSessionContext) {
log.debug("CloseOnNoSessionContext. Skipping");
return false;
}
throw ste;
}
// now the user can be considered to be logged in.
EventContext ec = secSys.getEventContext();
if (!readOnly) {
sql.prepareSession(ec.getCurrentEventId(), ec.getCurrentUserId(), ec.getCurrentGroupId());
}
if (log.isInfoEnabled()) {
StringBuilder sb = new StringBuilder();
sb.append(" Auth:\tuser="******",group=");
sb.append(ec.getCurrentGroupId());
sb.append(",event=");
sb.append(ec.getCurrentEventId());
sb.append("(");
sb.append(ec.getCurrentEventType());
sb.append("),sess=");
sb.append(ec.getCurrentSessionUuid());
Long shareId = ec.getCurrentShareId();
if (shareId != null) {
sb.append(",share=");
sb.append(shareId);
}
log.info(sb.toString());
}
return true;
}
public boolean isOwnerOrSupervisor(IObject object) {
if (object == null) {
throw new ApiUsageException("Object can't be null");
}
final Long o = HibernateUtils.nullSafeOwnerId(object);
final Long g = HibernateUtils.nullSafeGroupId(object);
final EventContext ec = getCurrentEventContext();
final boolean isAdmin = ec.isCurrentUserAdmin();
final boolean isPI = ec.getLeaderOfGroupsList().contains(g);
final boolean isOwner = ec.getCurrentUserId().equals(o);
if (isAdmin || isPI || isOwner) {
return true;
}
return false;
}
