/**
   * Apply the 'search by role' filter to the lucene query string.
   *
   * @param parametersMap
   * @param filters
   */
  protected void buildSearchByRoleQuery(Map<String, String> parametersMap, List<String> filters) {
    SearchableRole role =
        SearchableRole.valueOf(getSearchParam(parametersMap, REQUEST_PARAMETERS.role.toString()));
    String userid = getSearchParam(parametersMap, REQUEST_PARAMETERS.userid.toString());
    AuthorizableManager authorizableManager = null;
    Session adminSession = null;
    try {
      adminSession = repository.loginAdministrative();
      authorizableManager = adminSession.getAuthorizableManager();
      Authorizable au = authorizableManager.findAuthorizable(userid);
      List<Authorizable> groups = AuthorizableUtil.getUserFacingGroups(au, authorizableManager);
      groups.add(au);

      List<String> groupStrs = new ArrayList<String>(groups.size());
      for (Authorizable memberAuthz : groups) {
        groupStrs.add(ClientUtils.escapeQueryChars(memberAuthz.getId()));
      }

      filters.add(String.format(ROLE_TEMPLATE, role.toString(), JOINER_OR.join(groupStrs)));
      adminSession.logout();
    } catch (ClientPoolException e) {
      throw new RuntimeException(e);
    } catch (StorageClientException e) {
      throw new RuntimeException(e);
    } catch (AccessDeniedException e) {
      throw new RuntimeException(e);
    } finally {
      SparseUtils.logoutQuietly(adminSession);
    }
  }
  /**
   * {@inheritDoc}
   *
   * @see
   *     org.sakaiproject.nakamura.api.solr.IndexingHandler#getDocuments(org.sakaiproject.nakamura.api.solr.RepositorySession,
   *     org.osgi.service.event.Event)
   */
  public Collection<SolrInputDocument> getDocuments(
      RepositorySession repositorySession, Event event) {
    String path = (String) event.getProperty(FIELD_PATH);

    logger.info("Indexing connections at path {}", path);
    List<SolrInputDocument> documents = Lists.newArrayList();
    if (!StringUtils.isBlank(path)) {
      try {
        Session session = repositorySession.adaptTo(Session.class);
        ContentManager cm = session.getContentManager();
        Content content = cm.get(path);

        int lastSlash = path.lastIndexOf('/');
        String contactName = path.substring(lastSlash + 1);
        AuthorizableManager am = session.getAuthorizableManager();
        Authorizable contactAuth = am.findAuthorizable(contactName);

        if (content != null && contactAuth != null) {
          SolrInputDocument doc = new SolrInputDocument();
          for (Entry<String, String> prop : WHITELISTED_PROPS.entrySet()) {
            String key = prop.getKey();
            Object value = content.getProperty(key);
            if (value != null) {
              doc.addField(WHITELISTED_PROPS.get(key), value);
            }
          }

          // flatten out the contact so we can search it
          Map<String, Object> contactProps = contactAuth.getSafeProperties();
          if (contactAuth != null) {
            for (String prop : FLATTENED_PROPS) {
              Object value = contactProps.get(prop);
              if (value != null) {
                doc.addField(prop, value);
              }
            }
          }

          doc.addField(_DOC_SOURCE_OBJECT, content);
          documents.add(doc);
        } else {
          logger.warn(
              "Did not index {}: Content == {}; Contact Auth == {}",
              new Object[] {path, content, contactAuth});
        }
      } catch (StorageClientException e) {
        logger.error(e.getMessage(), e);
      } catch (AccessDeniedException e) {
        logger.error(e.getMessage(), e);
      }
    }
    logger.debug("Got documents {} ", documents);
    return documents;
  }
 public CreateContentPoolServletTest()
     throws ClientPoolException, StorageClientException, AccessDeniedException,
         ClassNotFoundException {
   MockitoAnnotations.initMocks(this);
   BaseMemoryRepository baseMemoryRepository = new BaseMemoryRepository();
   repository = baseMemoryRepository.getRepository();
   Session session = repository.loginAdministrative();
   AuthorizableManager authorizableManager = session.getAuthorizableManager();
   authorizableManager.createUser("ieb", "Ian Boston", "test", ImmutableMap.of("x", (Object) "y"));
   org.sakaiproject.nakamura.api.lite.authorizable.Authorizable authorizable =
       authorizableManager.findAuthorizable("ieb");
   System.err.println("Got ieb as " + authorizable);
   session.logout();
 }
 private void writeProfileMap(
     javax.jcr.Session jcrSession,
     AuthorizableManager um,
     ExtendedJSONWriter writer,
     String user,
     boolean detailed)
     throws JSONException, AccessDeniedException, StorageClientException, RepositoryException {
   Authorizable au = um.findAuthorizable(user);
   if (au != null) {
     ValueMap profileMap;
     if (detailed) {
       profileMap = profileService.getProfileMap(au, jcrSession);
     } else {
       profileMap = new ValueMapDecorator(basicUserInfoService.getProperties(au));
     }
     if (profileMap != null) {
       writer.valueMap(profileMap);
     }
   } else {
     writer.object();
     writer.key("userid");
     writer.value(user);
     writer.endObject();
   }
 }
 private Group getPeerGroupOf(
     Group group, AuthorizableManager authorizableManager, Map<String, Object> toSave)
     throws AccessDeniedException, StorageClientException {
   Group peerGroup = null;
   if (group.hasProperty(UserConstants.PROP_MANAGERS_GROUP)) {
     String managersGroupId = (String) group.getProperty(UserConstants.PROP_MANAGERS_GROUP);
     if (group.getId().equals(managersGroupId)) {
       return group;
     }
     peerGroup = (Group) toSave.get(managersGroupId);
     if (peerGroup == null) {
       if (LOGGER.isDebugEnabled()) {
         LOGGER.debug(
             "For {} Not in toSave List loading Managers Group from store {} ",
             group.getId(),
             managersGroupId);
       }
       peerGroup = (Group) authorizableManager.findAuthorizable(managersGroupId);
     } else {
       if (LOGGER.isDebugEnabled()) {
         LOGGER.debug(
             "For {} got Managers Group from save list {} ", group.getId(), managersGroupId);
       }
     }
   } else if (group.hasProperty(UserConstants.PROP_MANAGED_GROUP)) {
     String managedGroupId = (String) group.getProperty(UserConstants.PROP_MANAGED_GROUP);
     if (group.getId().equals(managedGroupId)) {
       return group;
     }
     peerGroup = (Group) toSave.get(managedGroupId);
     if (peerGroup == null) {
       if (LOGGER.isDebugEnabled()) {
         LOGGER.debug(
             "For {} Not in toSave List loading Managed Group from store {} ",
             group.getId(),
             managedGroupId);
       }
       peerGroup = (Group) authorizableManager.findAuthorizable(managedGroupId);
     } else {
       if (LOGGER.isDebugEnabled()) {
         LOGGER.debug(
             "For {} got Managed Group from save list {} ", group.getId(), managedGroupId);
       }
     }
   }
   return peerGroup;
 }
  @POST
  @Path("{type:user|group}/{userid}")
  public Response doUpdateAuthorizable(
      @Context HttpServletRequest request,
      @Context HttpServletResponse response,
      @PathParam(value = "type") String authorizableType,
      @PathParam(value = "userid") String authorizableId) {
    try {
      AuthorizableManager authorizableManager = getAuthorizableManager(request, response);
      Authorizable authorizable = authorizableManager.findAuthorizable(authorizableId);
      Response checkType = checkType(authorizable, authorizableType);
      if (checkType != null) {
        return checkType;
      }

      // process the post request.
      AuthorizableHelper authorizableHelper = new AuthorizableHelper(authorizableManager);
      ModificationRequest modificationRequest = new ModificationRequest();
      modificationRequest.processRequest(request);
      authorizableHelper.applyProperties(authorizable, modificationRequest);
      authorizableHelper.save();
      final List<String> feedback = modificationRequest.getFeedback();

      return Response.ok(
              new StreamingOutput() {
                @Override
                public void write(OutputStream output) throws IOException, WebApplicationException {
                  ResponseUtils.writeFeedback(feedback, output);
                }
              })
          .type(MediaType.APPLICATION_JSON_TYPE.toString() + "; charset=utf-8")
          .lastModified(new Date())
          .build();

    } catch (StorageClientException e) {
      return ResponseUtils.getResponse(
          HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
    } catch (AccessDeniedException e) {
      return ResponseUtils.getResponse(HttpServletResponse.SC_FORBIDDEN, e.getMessage());
    } catch (IOException e) {
      return ResponseUtils.getResponse(
          HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
    } catch (FileUploadException e) {
      return ResponseUtils.getResponse(
          HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
    }
  }
예제 #7
0
  /**
   * {@inheritDoc}
   *
   * @see
   *     org.sakaiproject.nakamura.meservice.LiteAbstractMyGroupsServlet#getGroups(org.apache.jackrabbit.api.security.user.Authorizable,
   *     org.apache.jackrabbit.api.security.user.UserManager)
   */
  @Override
  protected TreeMap<String, Group> getGroups(
      Authorizable member, AuthorizableManager userManager, final SlingHttpServletRequest request)
      throws StorageClientException, AccessDeniedException {
    TreeMap<String, Group> groups = new TreeMap<String, Group>();
    String[] principals = member.getPrincipals();
    for (String principal : principals) {
      Authorizable group = userManager.findAuthorizable(principal);
      if (group == null || !(group instanceof Group) || group.getId().equals(Group.EVERYONE)) {
        // we don't want the "everyone" group in this feed
        continue;
      }
      if (group.getProperty(UserConstants.PROP_MANAGED_GROUP) != null) {
        // fetch the group that the manager group manages
        group =
            userManager.findAuthorizable(
                (String) group.getProperty(UserConstants.PROP_MANAGED_GROUP));
        if (group == null
            || !(group instanceof Group)
            || group.getProperty("sakai:group-title") == null) {
          continue;
        }
      }

      if (isPseudoGroup((Group) group) && !isManagerGroup((Group) group, userManager)) {
        // The group we want is the child of the pseudo group
        group =
            userManager.findAuthorizable(
                (String) group.getProperty(UserConstants.PROP_PSEUDO_GROUP_PARENT));
      }

      // KERN-1600 Group's without a title should only be system groups for things like
      // managing contacts. The UI requires a title.
      if (group.getProperty("sakai:group-title") != null) {
        final String category = stringRequestParameter(request, "category", null);
        if (category == null) { // no filtering
          groups.put(group.getId(), (Group) group);
        } else { // KERN-1865 category filter
          if (category.equals(group.getProperty("sakai:category"))) {
            groups.put(group.getId(), (Group) group);
          }
        }
      }
    }
    return groups;
  }
 /**
  * Same as writeResults logic, but counts number of results iterated over.
  *
  * @param request
  * @param write
  * @param iterator
  * @return Set containing all unique paths processed.
  * @throws JSONException
  */
 public Set<String> writeResultsInternal(
     SlingHttpServletRequest request, JSONWriter write, Iterator<Result> iterator)
     throws JSONException {
   final Set<String> uniquePaths = new HashSet<String>();
   final Integer iDepth = (Integer) request.getAttribute("depth");
   int depth = 0;
   if (iDepth != null) {
     depth = iDepth.intValue();
   }
   try {
     javax.jcr.Session jcrSession = request.getResourceResolver().adaptTo(javax.jcr.Session.class);
     final Session session = StorageClientUtils.adaptToSession(jcrSession);
     while (iterator.hasNext()) {
       final Result result = iterator.next();
       uniquePaths.add(result.getPath());
       try {
         if ("authorizable".equals(result.getFirstValue("resourceType"))) {
           AuthorizableManager authManager = session.getAuthorizableManager();
           Authorizable auth = authManager.findAuthorizable((String) result.getFirstValue("id"));
           if (auth != null) {
             write.object();
             ValueMap map = profileService.getProfileMap(auth, jcrSession);
             ExtendedJSONWriter.writeValueMapInternals(write, map);
             write.endObject();
           }
         } else {
           String contentPath = result.getPath();
           final Content content = session.getContentManager().get(contentPath);
           if (content != null) {
             handleContent(content, session, write, depth);
           } else {
             LOGGER.debug("Found null content item while writing results [{}]", contentPath);
           }
         }
       } catch (AccessDeniedException e) {
         // do nothing
       } catch (RepositoryException e) {
         throw new JSONException(e);
       }
     }
   } catch (StorageClientException e) {
     throw new JSONException(e);
   }
   return uniquePaths;
 }
  @Override
  protected TreeMap<String, Group> getGroups(
      Authorizable member, AuthorizableManager userManager, SlingHttpServletRequest request)
      throws StorageClientException, AccessDeniedException {
    TreeMap<String, Group> managedGroups = new TreeMap<String, Group>();
    Iterator<Group> allGroupsIter = member.memberOf(userManager);
    for (String principal : member.getPrincipals()) {
      Group group = (Group) userManager.findAuthorizable(principal);
      if (group != null && !group.getId().equals(Group.EVERYONE)) {

        boolean isManager = false;

        if (isPseudoGroup(group) && isManagerGroup(group, userManager)) {
          // The group we want is the child of the pseudo group
          isManager = true;
          group =
              (Group)
                  userManager.findAuthorizable(
                      (String) group.getProperty(UserConstants.PROP_PSEUDO_GROUP_PARENT));
        } else {
          for (String managerId :
              StorageClientUtils.nonNullStringArray(
                  (String[]) group.getProperty(UserConstants.PROP_GROUP_MANAGERS))) {
            if (member.getId().equals(managerId)) {
              isManager = true;
              break;
            }
          }
        }

        if (isManager) {
          final String category = stringRequestParameter(request, "category", null);
          if (category == null) { // no filtering
            managedGroups.put(group.getId(), group);
          } else { // KERN-1865 category filter
            if (category.equals(group.getProperty("sakai:category"))) {
              managedGroups.put(group.getId(), group);
            }
          }
        }
      }
    }

    return managedGroups;
  }
  @GET
  @Path("{type:user|group}/{userid}.{format}")
  public Response getUser(
      @Context HttpServletRequest request,
      @Context HttpServletResponse response,
      @PathParam(value = "type") String authorizableType,
      @PathParam(value = "userid") String authorizableId,
      @PathParam(value = "format") final String outputFormat) {
    try {

      AuthorizableManager authorizableManager = getAuthorizableManager(request, response);
      final Authorizable authorizable = authorizableManager.findAuthorizable(authorizableId);
      Response checkType = checkType(authorizable, authorizableType);
      if (checkType != null) {
        return checkType;
      }
      Date lastModified = new Date();
      Long lm = (Long) authorizable.getProperty(Authorizable.LASTMODIFIED_FIELD);
      if (lm == null) {
        lm = (Long) authorizable.getProperty(Authorizable.CREATED_FIELD);
      }
      if (lm != null) {
        lastModified = new Date(lm);
      }
      return Response.ok(
              new StreamingOutput() {
                @Override
                public void write(OutputStream output) throws IOException, WebApplicationException {
                  ResponseUtils.writeTree(authorizable, outputFormat, output);
                }
              })
          .type(MediaType.APPLICATION_JSON_TYPE.toString() + "; charset=utf-8")
          .lastModified(lastModified)
          .build();

    } catch (StorageClientException e) {
      return ResponseUtils.getResponse(
          HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
    } catch (AccessDeniedException e) {
      return ResponseUtils.getResponse(HttpServletResponse.SC_FORBIDDEN, e.getMessage());
    }
  }
  /**
   * Process a query string to search using Solr.
   *
   * @param request
   * @param query
   * @param asAnon
   * @param rs
   * @return
   * @throws SolrSearchException
   */
  private SolrSearchResultSet processSolrQuery(
      SlingHttpServletRequest request, Query query, boolean asAnon)
      throws StorageClientException, AccessDeniedException, SolrServerException {
    String queryString = query.getQueryString();
    // apply readers restrictions.
    if (asAnon) {
      queryString = "(" + queryString + ")  AND readers:" + User.ANON_USER;
    } else {
      Session session =
          StorageClientUtils.adaptToSession(
              request.getResourceResolver().adaptTo(javax.jcr.Session.class));
      if (!User.ADMIN_USER.equals(session.getUserId())) {
        AuthorizableManager am = session.getAuthorizableManager();
        Authorizable user = am.findAuthorizable(session.getUserId());
        Set<String> readers = Sets.newHashSet();
        for (Iterator<Group> gi = user.memberOf(am); gi.hasNext(); ) {
          readers.add(gi.next().getId());
        }
        readers.add(session.getUserId());
        queryString =
            "(" + queryString + ") AND readers:(" + StringUtils.join(readers, " OR ") + ")";
      }
    }

    SolrQuery solrQuery = buildQuery(request, queryString, query.getOptions());

    SolrServer solrServer = solrSearchService.getServer();
    try {
      LOGGER.info("Performing Query {} ", URLDecoder.decode(solrQuery.toString(), "UTF-8"));
    } catch (UnsupportedEncodingException e) {
    }
    QueryResponse response = solrServer.query(solrQuery);
    SolrDocumentList resultList = response.getResults();
    LOGGER.info("Got {} hits in {} ms", resultList.size(), response.getElapsedTime());
    return new SolrSearchResultSetImpl(response);
  }
  @Before
  public void setUp() throws Exception {
    provider = new MyRelatedGroupsPropertyProvider(searchServiceFactory);
    when(request.getRemoteUser()).thenReturn("user1");

    when(repo.loginAdministrative()).thenReturn(session);
    when(session.getAuthorizableManager()).thenReturn(authMgr);
    when(authMgr.findAuthorizable("user1")).thenReturn(auth1);

    Group group1 = mock(Group.class);
    when(group1.getId()).thenReturn("group1");
    when(group1.getProperty(GROUP_TITLE_PROPERTY)).thenReturn("Group 1 Test");
    when(group1.getProperty("sakai:tag-uuid")).thenReturn(new String[] {"123-456"});

    when(auth1.memberOf(authMgr)).thenReturn(Sets.newHashSet(group1).iterator());

    when(searchServiceFactory.getSearchResultSet(eq(request), any(Query.class))).thenReturn(rs);
  }
  /**
   * Retrieves the list of members.
   *
   * <p>{@inheritDoc}
   *
   * @see
   *     org.apache.sling.api.servlets.SlingSafeMethodsServlet#doGet(org.apache.sling.api.SlingHttpServletRequest,
   *     org.apache.sling.api.SlingHttpServletResponse)
   */
  @Override
  protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
      throws ServletException, IOException {
    try {
      // Get hold of the actual file.
      Resource resource = request.getResource();
      javax.jcr.Session jcrSession = request.getResourceResolver().adaptTo(javax.jcr.Session.class);
      Session session = resource.adaptTo(Session.class);

      AuthorizableManager am = session.getAuthorizableManager();
      AccessControlManager acm = session.getAccessControlManager();
      Content node = resource.adaptTo(Content.class);
      Authorizable thisUser = am.findAuthorizable(session.getUserId());

      if (!acm.can(thisUser, Security.ZONE_CONTENT, resource.getPath(), Permissions.CAN_READ)) {
        response.sendError(HttpServletResponse.SC_NOT_FOUND);
        return;
      }

      Map<String, Object> properties = node.getProperties();
      String[] managers = (String[]) properties.get(POOLED_CONTENT_USER_MANAGER);
      String[] editors = (String[]) properties.get(POOLED_CONTENT_USER_EDITOR);
      String[] viewers = (String[]) properties.get(POOLED_CONTENT_USER_VIEWER);

      boolean detailed = false;
      boolean tidy = false;
      for (String selector : request.getRequestPathInfo().getSelectors()) {
        if ("detailed".equals(selector)) {
          detailed = true;
        } else if ("tidy".equals(selector)) {
          tidy = true;
        }
      }

      // Loop over the sets and output it.
      ExtendedJSONWriter writer = new ExtendedJSONWriter(response.getWriter());
      writer.setTidy(tidy);
      writer.object();
      writer.key("managers");
      writer.array();
      for (String manager : StorageClientUtils.nonNullStringArray(managers)) {
        try {
          writeProfileMap(jcrSession, am, writer, manager, detailed);
        } catch (AccessDeniedException e) {
          LOGGER.debug("Skipping private manager [{}]", manager);
        }
      }
      writer.endArray();
      writer.key("editors");
      writer.array();
      for (String editor : StorageClientUtils.nonNullStringArray(editors)) {
        try {
          writeProfileMap(jcrSession, am, writer, editor, detailed);
        } catch (AccessDeniedException e) {
          LOGGER.debug("Skipping private editor [{}]", editor);
        }
      }
      writer.endArray();
      writer.key("viewers");
      writer.array();
      for (String viewer : StorageClientUtils.nonNullStringArray(viewers)) {
        try {
          writeProfileMap(jcrSession, am, writer, viewer, detailed);
        } catch (AccessDeniedException e) {
          LOGGER.debug("Skipping private viewer [{}]", viewer);
        }
      }
      writer.endArray();
      writer.endObject();
    } catch (JSONException e) {
      response.sendError(SC_INTERNAL_SERVER_ERROR, "Failed to generate proper JSON.");
      LOGGER.error(e.getMessage(), e);
    } catch (StorageClientException e) {
      response.sendError(SC_INTERNAL_SERVER_ERROR, "Failed to generate proper JSON.");
      LOGGER.error(e.getMessage(), e);
    } catch (AccessDeniedException e) {
      response.sendError(SC_INTERNAL_SERVER_ERROR, "Failed to generate proper JSON.");
      LOGGER.error(e.getMessage(), e);
    } catch (RepositoryException e) {
      response.sendError(SC_INTERNAL_SERVER_ERROR, "Failed to generate proper JSON.");
      LOGGER.error(e.getMessage(), e);
    }
  }
  /**
   * Manipulate the member list for this file.
   *
   * <p>{@inheritDoc}
   *
   * @see
   *     org.apache.sling.api.servlets.SlingAllMethodsServlet#doPost(org.apache.sling.api.SlingHttpServletRequest,
   *     org.apache.sling.api.SlingHttpServletResponse)
   */
  @SuppressWarnings("unchecked")
  @Override
  protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
      throws ServletException, IOException {
    // fail if anonymous
    String remoteUser = request.getRemoteUser();
    if (User.ANON_USER.equals(remoteUser)) {
      response.sendError(SC_FORBIDDEN, "Anonymous users cannot update content members.");
      return;
    }
    Session session = null;
    boolean releaseSession = false;
    try {
      Resource resource = request.getResource();
      session = resource.adaptTo(Session.class);
      Content pooledContent = resource.adaptTo(Content.class);
      AccessControlManager accessControlManager = session.getAccessControlManager();
      AuthorizableManager authorizableManager = session.getAuthorizableManager();
      User thisUser = authorizableManager.getUser();
      if (!accessControlManager.can(
          thisUser, Security.ZONE_CONTENT, pooledContent.getPath(), Permissions.CAN_READ)) {
        response.sendError(SC_FORBIDDEN, "Insufficient permission to read this content.");
      }

      Map<String, Object> properties = pooledContent.getProperties();
      String[] managers =
          StorageClientUtils.nonNullStringArray(
              (String[]) properties.get(POOLED_CONTENT_USER_MANAGER));
      String[] editors =
          StorageClientUtils.nonNullStringArray(
              (String[]) properties.get(POOLED_CONTENT_USER_EDITOR));
      String[] viewers =
          StorageClientUtils.nonNullStringArray(
              (String[]) properties.get(POOLED_CONTENT_USER_VIEWER));

      Set<String> managerSet = Sets.newHashSet(managers);
      Set<String> editorSet = Sets.newHashSet(editors);
      Set<String> viewerSet = Sets.newHashSet(viewers);

      List<String> removeViewers =
          Arrays.asList(
              StorageClientUtils.nonNullStringArray(request.getParameterValues(":viewer@Delete")));
      List<String> removeManagers =
          Arrays.asList(
              StorageClientUtils.nonNullStringArray(request.getParameterValues(":manager@Delete")));
      List<String> removeEditors =
          Arrays.asList(
              StorageClientUtils.nonNullStringArray(request.getParameterValues(":editor@Delete")));
      List<String> addViewers =
          Arrays.asList(
              StorageClientUtils.nonNullStringArray(request.getParameterValues(":viewer")));
      List<String> addManagers =
          Arrays.asList(
              StorageClientUtils.nonNullStringArray(request.getParameterValues(":manager")));
      List<String> addEditors =
          Arrays.asList(
              StorageClientUtils.nonNullStringArray(request.getParameterValues(":editor")));

      if (!accessControlManager.can(
          thisUser, Security.ZONE_CONTENT, pooledContent.getPath(), Permissions.CAN_WRITE)) {
        if (!addManagers.isEmpty()) {
          response.sendError(SC_FORBIDDEN, "Non-managers may not add managers to content.");
          return;
        }

        for (String name : removeManagers) {
          // asking to remove managers who don't exist is harmless
          if (managerSet.contains(name)) {
            response.sendError(SC_FORBIDDEN, "Non-managers may not remove managers from content.");
            return;
          }
        }

        if (addViewers.contains(User.ANON_USER) || addViewers.contains(Group.EVERYONE)) {
          response.sendError(
              SC_FORBIDDEN, "Non-managers may not add 'anonymous' or 'everyone' as viewers.");
          return;
        }

        if (addEditors.contains(User.ANON_USER) || addEditors.contains(Group.EVERYONE)) {
          response.sendError(
              SC_FORBIDDEN, "Non-managers may not add 'anonymous' or 'everyone' as editors.");
          return;
        }

        for (String name : removeViewers) {
          if (!thisUser.getId().equals(name)) {
            Authorizable viewer = authorizableManager.findAuthorizable(name);
            if (viewer != null
                && !accessControlManager.can(
                    thisUser, Security.ZONE_AUTHORIZABLES, name, Permissions.CAN_WRITE)) {
              response.sendError(
                  SC_FORBIDDEN,
                  "Non-managers may not remove any viewer other than themselves or a group which they manage.");
            }
          }
        }

        // the request has passed all the rules that govern non-manager users
        // so we'll grant an administrative session
        session = session.getRepository().loginAdministrative();
        releaseSession = true;
      }
      List<AclModification> aclModifications = Lists.newArrayList();

      for (String addManager : addManagers) {
        if ((addManager.length() > 0) && !managerSet.contains(addManager)) {
          managerSet.add(addManager);
          AclModification.addAcl(true, Permissions.CAN_MANAGE, addManager, aclModifications);
        }
      }

      for (String removeManager : removeManagers) {
        if ((removeManager.length() > 0) && managerSet.contains(removeManager)) {
          managerSet.remove(removeManager);
          AclModification.removeAcl(true, Permissions.CAN_MANAGE, removeManager, aclModifications);
        }
      }

      for (String addEditor : addEditors) {
        if ((addEditor.length() > 0) && !editorSet.contains(addEditor)) {
          editorSet.add(addEditor);
          AclModification.addAcl(true, PERMISSION_EDITOR, addEditor, aclModifications);
        }
      }

      for (String removeEditor : removeEditors) {
        if ((removeEditor.length() > 0) && editorSet.contains(removeEditor)) {
          editorSet.remove(removeEditor);
          AclModification.removeAcl(true, PERMISSION_EDITOR, removeEditor, aclModifications);
        }
      }

      for (String addViewer : addViewers) {
        if ((addViewer.length() > 0) && !viewerSet.contains(addViewer)) {
          viewerSet.add(addViewer);
          AclModification.addAcl(true, Permissions.CAN_READ, addViewer, aclModifications);
        }
      }

      for (String removeViewer : removeViewers) {
        removeViewer = removeViewer.trim();
        if ((removeViewer.length() > 0) && viewerSet.contains(removeViewer)) {
          viewerSet.remove(removeViewer);
          if (!managerSet.contains(removeViewer)) {
            AclModification.removeAcl(true, Permissions.CAN_READ, removeViewer, aclModifications);
          }
        }
      }

      updateContentMembers(session, pooledContent, viewerSet, managerSet, editorSet);
      updateContentAccess(session, pooledContent, aclModifications);

      this.authorizableCountChanger.notify(
          UserConstants.CONTENT_ITEMS_PROP,
          addViewers,
          addEditors,
          addManagers,
          removeViewers,
          removeEditors,
          removeManagers);

      response.setStatus(SC_OK);

    } catch (StorageClientException e) {
      LOGGER.error(e.getMessage());
      response.sendError(
          SC_INTERNAL_SERVER_ERROR, "StorageClientException: " + e.getLocalizedMessage());
    } catch (AccessDeniedException e) {
      response.sendError(
          SC_FORBIDDEN,
          "Insufficient permission to update content members at " + request.getRequestURI());
    } finally {
      if (session != null && releaseSession) {
        try {
          session.logout();
        } catch (ClientPoolException e) {
          LOGGER.error(e.getMessage());
        }
      }
    }
  }
  private SolrInputDocument handleMessageIndexing(Map<String, Object> props) throws Exception {
    String messagePath = "a:user1/messagePath";

    Content content = new Content(messagePath, props);
    Authorizable sender = mock(Authorizable.class);

    when(sender.getId()).thenReturn("sender");
    when(sender.isGroup()).thenReturn(Boolean.FALSE);
    when(sender.getProperty(eq("firstName"))).thenReturn("test");
    when(sender.getProperty(eq("lastName"))).thenReturn("user");

    Authorizable user1 = mock(Authorizable.class);
    when(user1.getId()).thenReturn("user1");
    when(user1.isGroup()).thenReturn(Boolean.FALSE);
    when(user1.getProperty(eq("firstName"))).thenReturn("user");
    when(user1.getProperty(eq("lastName"))).thenReturn("one");

    when(authorizableManager.findAuthorizable(anyString())).thenReturn(sender);
    when(repositorySession.adaptTo(Session.class)).thenReturn(session);
    when(session.getAuthorizableManager()).thenReturn(authorizableManager);
    when(session.getContentManager()).thenReturn(contentManager);
    when(contentManager.get(messagePath)).thenReturn(content);

    MessageIndexingHandler handler = new MessageIndexingHandler();
    handler.dateParser = this.dateParser;
    Event event = new Event("topic", buildEventProperties(messagePath));

    Collection<SolrInputDocument> documents = handler.getDocuments(repositorySession, event);

    assertNotNull(documents);
    assertTrue(!documents.isEmpty());

    Iterator<SolrInputDocument> docIt = documents.iterator();

    SolrInputDocument doc = docIt.next();

    // test basic message properties
    assertEquals("test-messagestore", doc.getField("messagestore").getValue());
    assertEquals("test-messagebox", doc.getField("messagebox").getValue());
    assertEquals("test-type", doc.getField("type").getValue());
    assertEquals("test-category", doc.getField("category").getValue());
    assertEquals("test-from", doc.getField("from").getValue());
    assertEquals("test-to", doc.getField("to").getValue());
    assertEquals("test-read", doc.getField("read").getValue());
    assertEquals("test-marker", doc.getField("marker").getValue());
    assertEquals("test-sendstate", doc.getField("sendstate").getValue());
    assertEquals("test-initialpost", doc.getField("initialpost").getValue());
    assertEquals("test-title", doc.getField("title").getValue());
    assertEquals("test-content", doc.getField("content").getValue());

    // ensure unexpected value is skipped
    assertNull(doc.getField("notindexed"));

    // test sender name is set
    assertEquals("test", doc.getField("firstName").getValue());
    assertEquals("user", doc.getField("lastName").getValue());

    // an additional doc should have been added for authorizable searching:
    assertTrue(docIt.hasNext());
    SolrInputDocument authDoc = docIt.next();

    // test values set for user/group searching
    assertEquals("test-title", authDoc.getField("title").getValue());
    assertEquals("test-content", authDoc.getField("content").getValue());
    assertEquals("u", authDoc.getField("type").getValue());
    assertEquals(content, authDoc.getField(IndexingHandler._DOC_SOURCE_OBJECT).getValue());
    assertEquals("user1", authDoc.getField(IndexingHandler.FIELD_PATH).getValue());
    assertEquals(messagePath + "-auth", authDoc.getField(IndexingHandler.FIELD_ID).getValue());
    assertEquals("user1", authDoc.getField("returnpath").getValue());

    assertTrue(!docIt.hasNext());
    return doc;
  }
  protected void updateGroupMembership(
      SlingHttpServletRequest request,
      Session session,
      Authorizable authorizable,
      String paramName,
      List<Modification> changes,
      Map<String, Object> toSave)
      throws AccessDeniedException, StorageClientException {
    if (authorizable instanceof Group) {
      Group group = ((Group) authorizable);
      String groupPath =
          LiteAuthorizableResourceProvider.SYSTEM_USER_MANAGER_GROUP_PREFIX + group.getId();

      boolean changed = false;

      AuthorizableManager authorizableManager = session.getAuthorizableManager();

      // first remove any members posted as ":member@Delete"
      String[] membersToDelete =
          request.getParameterValues(paramName + SlingPostConstants.SUFFIX_DELETE);
      if (membersToDelete != null) {
        toSave.put(group.getId(), group);
        LOGGER.info("Members to delete {} ", membersToDelete);
        for (String member : membersToDelete) {
          String memberId = getAuthIdFromParameter(member);
          group.removeMember(memberId);
          changed = true;
        }
      }

      Joinable groupJoin = getJoinable(group);

      // second add any members posted as ":member"
      String[] membersToAdd = request.getParameterValues(paramName);
      if (membersToAdd != null) {
        LOGGER.info("Members to add {} ", membersToAdd);
        Group peerGroup = getPeerGroupOf(group, authorizableManager, toSave);
        List<Authorizable> membersToRemoveFromPeer = new ArrayList<Authorizable>();
        for (String member : membersToAdd) {
          String memberId = getAuthIdFromParameter(member);
          Authorizable memberAuthorizable = (Authorizable) toSave.get(memberId);
          if (memberAuthorizable == null) {
            memberAuthorizable = authorizableManager.findAuthorizable(memberId);
          }
          if (memberAuthorizable != null) {
            if (!User.ADMIN_USER.equals(session.getUserId())
                && !UserConstants.ANON_USERID.equals(session.getUserId())
                && Joinable.yes.equals(groupJoin)
                && memberAuthorizable.getId().equals(session.getUserId())) {
              LOGGER.debug("Is Joinable {} {} ", groupJoin, session.getUserId());
              // we can grab admin session since group allows all users to join
              Session adminSession = getSession();
              try {
                AuthorizableManager adminAuthorizableManager =
                    adminSession.getAuthorizableManager();
                Group adminAuthGroup =
                    (Group) adminAuthorizableManager.findAuthorizable(group.getId());
                if (adminAuthGroup != null) {
                  adminAuthGroup.addMember(memberAuthorizable.getId());
                  adminAuthorizableManager.updateAuthorizable(adminAuthGroup);
                  changed = true;
                }
              } finally {
                ungetSession(adminSession);
              }
            } else {
              LOGGER.info(
                  "Group {} is not Joinable: User {} adding {}  ",
                  new Object[] {
                    group.getId(), session.getUserId(), memberAuthorizable.getId(),
                  });
              // group is restricted, so use the current user's authorization
              // to add the member to the group:

              group.addMember(memberAuthorizable.getId());
              if (LOGGER.isInfoEnabled()) {
                LOGGER.info(
                    "{} Membership now {} {} {}",
                    new Object[] {
                      group.getId(),
                      Arrays.toString(group.getMembers()),
                      Arrays.toString(group.getMembersAdded()),
                      Arrays.toString(group.getMembersRemoved())
                    });
              }
              toSave.put(group.getId(), group);
              Group gt = (Group) toSave.get(group.getId());
              if (LOGGER.isInfoEnabled()) {
                LOGGER.info(
                    "{} Membership now {} {} {}",
                    new Object[] {
                      group.getId(),
                      Arrays.toString(gt.getMembers()),
                      Arrays.toString(gt.getMembersAdded()),
                      Arrays.toString(gt.getMembersRemoved())
                    });
              }
              changed = true;
            }
            if (peerGroup != null && peerGroup.getId() != group.getId()) {
              Set<String> members = ImmutableSet.of(peerGroup.getMembers());
              if (members.contains(memberAuthorizable.getId())) {
                membersToRemoveFromPeer.add(memberAuthorizable);
              }
            }
          } else {
            LOGGER.warn("member not found {} ", memberId);
          }
        }
        if ((peerGroup != null) && (membersToRemoveFromPeer.size() > 0)) {
          for (Authorizable member : membersToRemoveFromPeer) {
            if (LOGGER.isInfoEnabled()) {
              LOGGER.info("Removing Member {} from {} ", member.getId(), peerGroup.getId());
            }
            peerGroup.removeMember(member.getId());
          }
          toSave.put(peerGroup.getId(), peerGroup);
          if (LOGGER.isInfoEnabled()) {
            LOGGER.info(
                "{} Just Updated Peer Group Membership now {} {} {}",
                new Object[] {
                  peerGroup.getId(),
                  Arrays.toString(peerGroup.getMembers()),
                  Arrays.toString(peerGroup.getMembersAdded()),
                  Arrays.toString(peerGroup.getMembersRemoved())
                });
          }
        }
      }

      if (changed) {
        // add an entry to the changes list to record the membership
        // change
        changes.add(Modification.onModified(groupPath + "/members"));
      }
    }
  }
  @SuppressWarnings("unchecked")
  public void onMessage(Message message) {
    log.debug("Receiving a message on {} : {}", SyncJMSMessageProducer.QUEUE_NAME, message);
    try {

      String topic = message.getJMSType();
      String groupId = (String) message.getStringProperty("path");

      String operation = "UNKNOWN";

      // A group was DELETED
      if ("org/sakaiproject/nakamura/lite/authorizables/DELETE".equals(topic)
          && config.getDeletesEnabled()) {
        Map<String, Object> attributes =
            (Map<String, Object>) message.getObjectProperty(StoreListener.BEFORE_EVENT_PROPERTY);
        grouperManager.deleteGroup(groupId, attributes);
        operation = "DELETED";
      }

      // A new group was ADDED or an existing group was UPDATED
      if ("org/sakaiproject/nakamura/lite/authorizables/ADDED".equals(topic)
          || "org/sakaiproject/nakamura/lite/authorizables/UPDATED".equals(topic)) {
        // These events should be under org/sakaiproject/nakamura/lite/authorizables/UPDATED
        // http://jira.sakaiproject.org/browse/KERN-1795
        String membersAdded =
            (String) message.getStringProperty(GrouperEventUtils.MEMBERS_ADDED_PROP);
        if (membersAdded != null) {
          // membership adds can be attached to the same event for the group add.
          grouperManager.createGroup(groupId, config.getGroupTypes());
          grouperManager.addMemberships(
              groupId, Arrays.asList(StringUtils.split(membersAdded, ",")));
          operation = "ADD_MEMBERS";
        }

        String membersRemoved =
            (String) message.getStringProperty(GrouperEventUtils.MEMBERS_REMOVED_PROP);
        if (membersRemoved != null) {
          grouperManager.removeMemberships(
              groupId, Arrays.asList(StringUtils.split(membersRemoved, ",")));
          operation = "REMOVE_MEMBERS";
        }

        if (membersAdded == null && membersRemoved == null) {
          org.sakaiproject.nakamura.api.lite.Session repositorySession =
              repository.loginAdministrative();
          AuthorizableManager am = repositorySession.getAuthorizableManager();
          Group group = (Group) am.findAuthorizable(groupId);
          repositorySession.logout();

          if (groupId.startsWith(ContactsGrouperNameProviderImpl.CONTACTS_GROUPID_PREFIX)) {
            // TODO Why are we not getting added and removed properties on the Message
            grouperManager.createGroup(groupId, null);
            grouperManager.addMemberships(groupId, Arrays.asList(group.getMembers()));
            operation = "UPDATE CONTACTS";
          } else {
            grouperManager.createGroup(groupId, config.getGroupTypes());
            grouperManager.addMemberships(groupId, Arrays.asList(group.getMembers()));
            operation = "CREATE";
          }
        }
      }

      // The message was processed successfully. No exceptions were thrown.
      // We acknowledge the message and its removed from the queue
      message.acknowledge();

      // We got a message that we didn't know what to do with.
      if (operation.equals("UNKNOWN")) {
        log.error(
            "I don't know what to do with this topic: {}. Turn on debug logs to see the message.",
            topic);
        log.debug(message.toString());
      } else {
        log.info("Successfully processed and acknowledged. {}, {}", operation, groupId);
        log.debug(message.toString());
      }

    } catch (JMSException jmse) {
      log.error("JMSException while processing message.", jmse);
    } catch (Exception e) {
      log.error("Exception while processing message.", e);
    }
  }