示例#1
  /**
   * Resolves the grantee described by a request element to a directory entry.
   *
   * <p>The grantee type is validated before anything is read from the element: a type for which
   * {@code allowedForAdminRights()} returns false is rejected and no lookup is attempted.
   *
   * @param prov provisioning instance passed through to the lookup
   * @param eGrantee element whose {@code AdminConstants.A_BY} attribute says how the grantee is
   *     identified and whose text is the grantee key
   * @param granteeType type of the grantee to resolve
   * @return the entry returned by {@code GranteeType.lookupGrantee}
   * @throws ServiceException {@code INVALID_REQUEST} when the grantee type is not allowed for
   *     admin rights; anything thrown while reading the element or performing the lookup is
   *     propagated unchanged
   */
  NamedEntry getGranteeEntry(Provisioning prov, Element eGrantee, GranteeType granteeType)
      throws ServiceException {
    // Reject unsupported grantee types up front, before touching request data.
    boolean typePermitted = granteeType.allowedForAdminRights();
    if (!typePermitted) {
      String reason = "unsupported grantee type: " + granteeType.getCode();
      throw ServiceException.INVALID_REQUEST(reason, null);
    }

    // Both the "by" selector and the key are taken from the request element as-is;
    // this method only resolves the entry and performs no right check itself.
    GranteeBy lookupBy = GranteeBy.fromString(eGrantee.getAttribute(AdminConstants.A_BY));
    String lookupKey = eGrantee.getText();
    return GranteeType.lookupGrantee(prov, granteeType, lookupBy, lookupKey);
  }
示例#2
  /**
   * Checks that the authenticated admin holds the checkRight right on the user or group whose
   * rights are being inspected.
   *
   * <p>The grantee is looked up first. When it resolves to an entry, that entry is the
   * <em>target</em> of the {@code R_checkRightUsr} / {@code R_checkRightGrp} check. When it does
   * not resolve, the outcome depends on {@code granteeCanBeExternalEmailAddr}.
   *
   * <p>A {@code false} return means no right check was performed at all. It is not a "denied"
   * result and must not be read as an authorization decision by the caller.
   *
   * @param zsc SOAP context of the request, passed to {@code checkRight}
   * @param granteeType type of the grantee; only {@code GT_USER} and {@code GT_GROUP} are accepted
   *     once the grantee has been resolved
   * @param granteeBy how {@code grantee} identifies the entry
   * @param grantee key of the grantee to look up
   * @param granteeCanBeExternalEmailAddr whether an unresolvable grantee is tolerated (returns
   *     {@code false}) instead of being rejected with {@code PERM_DENIED}
   * @return {@code true} when the grantee was resolved and {@code checkRight} returned without
   *     throwing; {@code false} when the grantee could not be resolved and
   *     {@code granteeCanBeExternalEmailAddr} is set
   * @throws ServiceException {@code PERM_DENIED} for a resolved grantee of any other type, or for
   *     an unresolved grantee when external addresses are not tolerated; anything thrown by
   *     {@code checkRight} is propagated
   */
  protected boolean checkCheckRightRight(
      ZimbraSoapContext zsc,
      GranteeType granteeType,
      GranteeBy granteeBy,
      String grantee,
      boolean granteeCanBeExternalEmailAddr)
      throws ServiceException {

    NamedEntry resolved;
    try {
      resolved =
          GranteeType.lookupGrantee(Provisioning.getInstance(), granteeType, granteeBy, grantee);
    } catch (ServiceException lookupFailure) {
      // The grantee being checked may be an external email address, so a failed lookup is
      // tolerated here.
      // NOTE(review): every ServiceException is treated as "not found", including any that
      // signal a different failure; such cases are only visible in the debug-level ACL log.
      ZimbraLog.acl.debug("unable to find grantee", lookupFailure);
      resolved = null;
    }

    if (resolved == null) {
      // Nothing to check the right against: either report "not checked" or refuse outright.
      if (!granteeCanBeExternalEmailAddr) {
        throw ServiceException.PERM_DENIED("unable to check checkRight right for " + grantee);
      }
      return false;
    }

    // checkRight is used rather than checkAccountRight because this SOAP request has no
    // backward compatibility concern.
    //
    // Note: the resolved grantee is the target of the R_checkRight{Usr}/{Grp} right here.
    // NOTE(review): checkRight presumably throws when the right is missing - confirm.
    if (granteeType == GranteeType.GT_USER) {
      checkRight(zsc, resolved, Admin.R_checkRightUsr);
    } else if (granteeType == GranteeType.GT_GROUP) {
      checkRight(zsc, resolved, Admin.R_checkRightGrp);
    } else {
      throw ServiceException.PERM_DENIED(
          "invalid grantee type for check right:" + granteeType.getCode());
    }
    return true;
  }