示例#1
0
  private void throwSecurityViolationIfNotAllowed(final IObject i) {

    final String type = i.getClass().getName();
    final Details d = i.getDetails();
    final long user = d.getOwner().getId();
    final long group = d.getGroup().getId();

    final EventContext ec = getSecuritySystem().getEventContext();
    final boolean root = ec.isCurrentUserAdmin();
    final List<Long> leaderof = ec.getLeaderOfGroupsList();
    final boolean pi = leaderof.contains(group);
    final boolean own = ec.getCurrentUserId().equals(user);

    if (!own && !root && !pi) {
      if (log.isWarnEnabled()) {
        log.warn(
            String.format(
                "User %d attempted to delete " + type + " %d belonging to User %d",
                ec.getCurrentUserId(),
                i.getId(),
                user));
      }
      throw new SecurityViolation(
          String.format("User %s cannot delete %s %d ", ec.getCurrentUserName(), type, i.getId()));
    }
  }
示例#2
0
  public boolean doLogin(boolean readOnly, boolean isClose) {

    try {
      secSys.loadEventContext(readOnly, isClose);
    } catch (SessionTimeoutException ste) {
      // If this is a CloseOnNoSessionContext then we skip all handling
      // since almost any action by the close() method will try to load
      // the context and will fail. This assumes that EventHandler is
      // the most inner handler. If this changes, then this logic may
      // need to be pushed down further.
      if (ste.sessionContext instanceof BasicSecurityWiring.CloseOnNoSessionContext) {
        log.debug("CloseOnNoSessionContext. Skipping");
        return false;
      }
      throw ste;
    }

    // now the user can be considered to be logged in.
    EventContext ec = secSys.getEventContext();
    if (!readOnly) {
      sql.prepareSession(ec.getCurrentEventId(), ec.getCurrentUserId(), ec.getCurrentGroupId());
    }
    if (log.isInfoEnabled()) {
      StringBuilder sb = new StringBuilder();
      sb.append(" Auth:\tuser="******",group=");
      sb.append(ec.getCurrentGroupId());
      sb.append(",event=");
      sb.append(ec.getCurrentEventId());
      sb.append("(");
      sb.append(ec.getCurrentEventType());
      sb.append("),sess=");
      sb.append(ec.getCurrentSessionUuid());
      Long shareId = ec.getCurrentShareId();
      if (shareId != null) {
        sb.append(",share=");
        sb.append(shareId);
      }
      log.info(sb.toString());
    }
    return true;
  }
示例#3
0
  public boolean isOwnerOrSupervisor(IObject object) {
    if (object == null) {
      throw new ApiUsageException("Object can't be null");
    }
    final Long o = HibernateUtils.nullSafeOwnerId(object);
    final Long g = HibernateUtils.nullSafeGroupId(object);

    final EventContext ec = getCurrentEventContext();
    final boolean isAdmin = ec.isCurrentUserAdmin();
    final boolean isPI = ec.getLeaderOfGroupsList().contains(g);
    final boolean isOwner = ec.getCurrentUserId().equals(o);

    if (isAdmin || isPI || isOwner) {
      return true;
    }
    return false;
  }