@Override
public void initialize(
Subject subject,
CallbackHandler callbackHandler,
Map<String, ?> sharedState,
Map<String, ?> options) {
if (adminId == null || SecurityConstants.ADMIN_ID.equals(adminId)) {
try {
adminId = getSecurityHelper().getSuperAdminId();
} catch (RepositoryException e) {
e.printStackTrace();
}
}
super.initialize(subject, callbackHandler, sharedState, options);
}
/*
* (non-Javadoc)
*
* @seeorg.apache.sling.jackrabbit.usermanager.post.AbstractAuthorizablePostServlet#
* handleOperation(org.apache.sling.api.SlingHttpServletRequest,
* org.apache.sling.api.servlets.HtmlResponse, java.util.List)
*/
@Override
@edu.umd.cs.findbugs.annotations.SuppressWarnings(
justification = "If there is an exception, the user is certainly not admin",
value = {"REC_CATCH_EXCEPTION"})
protected void handleOperation(
SlingHttpServletRequest request, HtmlResponse response, List<Modification> changes)
throws RepositoryException {
// KERN-432 dont allow anon users to access create group.
if (SecurityConstants.ANONYMOUS_ID.equals(request.getRemoteUser())) {
response.setStatus(403, "AccessDenied");
}
// check that the submitted parameter values have valid values.
final String principalName = request.getParameter(SlingPostConstants.RP_NODE_NAME);
if (principalName == null) {
throw new RepositoryException("Group name was not submitted");
}
NameSanitizer san = new NameSanitizer(principalName, false);
san.validate();
// check for allow create Group
boolean allowCreateGroup = false;
User currentUser = null;
try {
Session currentSession = request.getResourceResolver().adaptTo(Session.class);
UserManager um = AccessControlUtil.getUserManager(currentSession);
currentUser = (User) um.getAuthorizable(currentSession.getUserID());
if (currentUser.isAdmin()) {
LOGGER.debug("User is an admin ");
allowCreateGroup = true;
} else {
LOGGER.debug("Checking for membership of one of {} ", Arrays.toString(authorizedGroups));
PrincipalManager principalManager = AccessControlUtil.getPrincipalManager(currentSession);
PrincipalIterator pi =
principalManager.getGroupMembership(
principalManager.getPrincipal(currentSession.getUserID()));
Set<String> groups = new HashSet<String>();
for (; pi.hasNext(); ) {
groups.add(pi.nextPrincipal().getName());
}
for (String groupName : authorizedGroups) {
if (groups.contains(groupName)) {
allowCreateGroup = true;
break;
}
// TODO: move this nasty hack into the PrincipalManager dynamic groups need to
// be in the principal manager for this to work.
if ("authenticated".equals(groupName)
&& !SecurityConstants.ADMIN_ID.equals(currentUser.getID())) {
allowCreateGroup = true;
break;
}
// just check via the user manager for dynamic resolution.
Group group = (Group) um.getAuthorizable(groupName);
LOGGER.debug("Checking for group {} {} ", groupName, group);
if (group != null && group.isMember(currentUser)) {
allowCreateGroup = true;
LOGGER.debug("User is a member of {} {} ", groupName, group);
break;
}
}
}
} catch (Exception ex) {
LOGGER.warn(
"Failed to determin if the user is an admin, assuming not. Cause: " + ex.getMessage());
allowCreateGroup = false;
}
if (!allowCreateGroup) {
LOGGER.debug("User is not allowed to create groups ");
response.setStatus(HttpServletResponse.SC_FORBIDDEN, "User is not allowed to create groups");
return;
}
Session session = getSession();
try {
UserManager userManager = AccessControlUtil.getUserManager(session);
Authorizable authorizable = userManager.getAuthorizable(principalName);
if (authorizable != null) {
// principal already exists!
throw new RepositoryException(
"A principal already exists with the requested name: " + principalName);
} else {
Group group =
userManager.createGroup(
new Principal() {
public String getName() {
return principalName;
}
});
String groupPath =
AuthorizableResourceProvider.SYSTEM_USER_MANAGER_GROUP_PREFIX + group.getID();
Map<String, RequestProperty> reqProperties = collectContent(request, response, groupPath);
response.setPath(groupPath);
response.setLocation(externalizePath(request, groupPath));
response.setParentLocation(
externalizePath(request, AuthorizableResourceProvider.SYSTEM_USER_MANAGER_GROUP_PATH));
changes.add(Modification.onCreated(groupPath));
// It is not allowed to touch the rep:group-managers property directly.
String key = SYSTEM_USER_MANAGER_GROUP_PREFIX + principalName + "/";
reqProperties.remove(key + PROP_GROUP_MANAGERS);
reqProperties.remove(key + PROP_GROUP_VIEWERS);
// write content from form
writeContent(session, group, reqProperties, changes);
// update the group memberships, although this uses session from the request, it
// only
// does so for finding authorizables, so its ok that we are using an admin session
// here.
updateGroupMembership(request, group, changes);
updateOwnership(request, group, new String[] {currentUser.getID()}, changes);
sakaiAuthorizableService.postprocess(group, session);
// Launch an OSGi event for creating a group.
try {
Dictionary<String, String> properties = new Hashtable<String, String>();
properties.put(UserConstants.EVENT_PROP_USERID, principalName);
EventUtils.sendOsgiEvent(properties, UserConstants.TOPIC_GROUP_CREATED, eventAdmin);
} catch (Exception e) {
// Trap all exception so we don't disrupt the normal behaviour.
LOGGER.error("Failed to launch an OSGi event for creating a user.", e);
}
}
} catch (RepositoryException re) {
throw new RepositoryException("Failed to create new group.", re);
} finally {
ungetSession(session);
}
}