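/*
 * Copyright 2020 Anyware Services
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.ametys.plugins.workspaces.project.rights.accesscontroller;

import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import org.apache.avalon.framework.service.ServiceException;
import org.apache.avalon.framework.service.ServiceManager;
import org.apache.avalon.framework.service.Serviceable;
import org.apache.commons.lang3.ArrayUtils;

import org.ametys.core.group.GroupIdentity;
import org.ametys.core.right.AccessController;
import org.ametys.core.user.UserIdentity;
import org.ametys.plugins.frontedition.AmetysFrontEditionHelper;
import org.ametys.plugins.workspaces.members.JCRProjectMember.MemberType;
import org.ametys.plugins.workspaces.members.ProjectMemberManager;
import org.ametys.plugins.workspaces.members.ProjectMemberManager.ProjectMember;
import org.ametys.plugins.workspaces.project.ProjectConstants;
import org.ametys.plugins.workspaces.project.objects.Project;

/**
 * {@link AccessController} for a {@link Project}.
 * The projects' managers have some rights on their projects.
 * The projects' members can read their projects.
 * <p>
 * This controller only ever grants ({@code USER_ALLOWED} / {@code GROUP_ALLOWED}) or abstains
 * ({@code UNKNOWN}); no method in this class returns a denial.
 */
public class ProjectAccessController implements AccessController, Serviceable
{
    /** The project members */
    protected ProjectMemberManager _projectMembers;
    /** The rights to give for managers */
    protected Set<String> _managerRights = Set.of(ProjectConstants.RIGHT_PROJECT_EDIT, ProjectConstants.RIGHT_PROJECT_DELETE, AmetysFrontEditionHelper.FRONT_EDITION_RIGHT_ID);
    /** The rights to give for members */
    protected Set<String> _memberRights = Set.of(AmetysFrontEditionHelper.FRONT_EDITION_RIGHT_ID); // Needed to allow front-edition access on home page (to create news or alerts)

    /**
     * Looks up the {@link ProjectMemberManager} used to resolve project membership.
     * @param manager the service manager
     * @throws ServiceException if the lookup fails
     */
    public void service(ServiceManager manager) throws ServiceException
    {
        _projectMembers = (ProjectMemberManager) manager.lookup(ProjectMemberManager.ROLE);
    }

    /**
     * Tells whether this controller handles the given context.
     * @param object the context object
     * @return true only when the object is a {@link Project}
     */
    public boolean isSupported(Object object)
    {
        return object instanceof Project;
    }

    /**
     * Computes the permission of a user on a project for one right.
     * A manager is allowed on every right of {@link #_managerRights}; a member (directly or through
     * one of the given groups) is allowed on every right of {@link #_memberRights}.
     * @param user the user
     * @param userGroups the groups of the user
     * @param rightId the id of the right
     * @param object the project; the unchecked cast throws {@link ClassCastException} for any other
     *        non-null type, so callers are presumably expected to check {@link #isSupported(Object)} first
     * @return USER_ALLOWED, GROUP_ALLOWED, or UNKNOWN when this controller has nothing to say
     */
    public AccessResult getPermission(UserIdentity user, Set<GroupIdentity> userGroups, String rightId, Object object)
    {
        Project project = (Project) object;

        if (_managerRights.contains(rightId) && _isManager(project, user))
        {
            return AccessResult.USER_ALLOWED;
        }
        else if (_memberRights.contains(rightId))
        {
            ProjectMember projectMember = _projectMembers.getProjectMember(project, user, userGroups);
            if (projectMember != null)
            {
                return _memberAccess(projectMember);
            }
        }

        return AccessResult.UNKNOWN;
    }

    /**
     * Computes the read access of a user on a project: managers and members can read.
     * @param user the user
     * @param userGroups the groups of the user
     * @param object the project
     * @return USER_ALLOWED for a manager or a direct member, GROUP_ALLOWED for a member through a group, UNKNOWN otherwise
     */
    public AccessResult getReadAccessPermission(UserIdentity user, Set<GroupIdentity> userGroups, Object object)
    {
        Project project = (Project) object;

        if (_isManager(project, user))
        {
            return AccessResult.USER_ALLOWED;
        }

        ProjectMember projectMember = _projectMembers.getProjectMember(project, user, userGroups);
        return projectMember != null ? _memberAccess(projectMember) : AccessResult.UNKNOWN;
    }

    /**
     * Lists, right by right, what this controller grants to a user on a project.
     * A manager receives the manager rights only (membership is not looked up for managers);
     * any other member receives the member rights.
     * @param user the user
     * @param userGroups the groups of the user
     * @param object the project
     * @return a mutable map of right id to result; empty when the user is neither manager nor member
     */
    public Map<String, AccessResult> getPermissionByRight(UserIdentity user, Set<GroupIdentity> userGroups, Object object)
    {
        Map<String, AccessResult> permissionByRight = new HashMap<>();

        Project project = (Project) object;
        if (_isManager(project, user))
        {
            for (String managerRight : _managerRights)
            {
                permissionByRight.put(managerRight, AccessResult.USER_ALLOWED);
            }
        }
        else
        {
            ProjectMember projectMember = _projectMembers.getProjectMember(project, user, userGroups);
            if (projectMember != null)
            {
                AccessResult memberAccess = _memberAccess(projectMember);
                for (String memberRight : _memberRights)
                {
                    permissionByRight.put(memberRight, memberAccess);
                }
            }
        }

        return permissionByRight;
    }

    /**
     * This controller grants nothing to anonymous visitors.
     * @param rightId the id of the right
     * @param object the project
     * @return always UNKNOWN
     */
    public AccessResult getPermissionForAnonymous(String rightId, Object object)
    {
        return AccessResult.UNKNOWN;
    }

    /**
     * This controller grants no read access to anonymous visitors.
     * @param object the project
     * @return always UNKNOWN
     */
    public AccessResult getReadAccessPermissionForAnonymous(Object object)
    {
        return AccessResult.UNKNOWN;
    }

    /**
     * This controller grants nothing to "any connected user".
     * @param rightId the id of the right
     * @param object the project
     * @return always UNKNOWN
     */
    public AccessResult getPermissionForAnyConnectedUser(String rightId, Object object)
    {
        return AccessResult.UNKNOWN;
    }

    /**
     * This controller grants no read access to "any connected user".
     * @param object the project
     * @return always UNKNOWN
     */
    public AccessResult getReadAccessPermissionForAnyConnectedUser(Object object)
    {
        return AccessResult.UNKNOWN;
    }

    /**
     * Lists the users this controller reports as holding a right on a project.
     * Only the managers are listed, and only for a right of {@link #_managerRights}.
     * @param rightId the id of the right
     * @param object the project
     * @return a mutable map of user to result, possibly empty
     */
    public Map<UserIdentity, AccessResult> getPermissionByUser(String rightId, Object object)
    {
        // NOTE(review): getPermission also grants the rights of _memberRights to project members,
        // but members are not listed here. A rights listing built on this method may therefore
        // under-report who holds the front-edition right - confirm whether this is intentional.
        Map<UserIdentity, AccessResult> permissionByUser = new HashMap<>();

        if (_managerRights.contains(rightId))
        {
            Project project = (Project) object;

            for (UserIdentity manager : project.getManagers())
            {
                permissionByUser.put(manager, AccessResult.USER_ALLOWED);
            }
        }

        return permissionByUser;
    }

    /**
     * Lists the users who can read a project: its managers and its members of type USER.
     * @param object the project
     * @return a mutable map of user to USER_ALLOWED
     */
    public Map<UserIdentity, AccessResult> getReadAccessPermissionByUser(Object object)
    {
        Map<UserIdentity, AccessResult> permissionByUser = new HashMap<>();

        Project project = (Project) object;

        for (UserIdentity manager : project.getManagers())
        {
            permissionByUser.put(manager, AccessResult.USER_ALLOWED);
        }
        for (ProjectMember member : _projectMembers.getProjectMembers(project, false, false))
        {
            if (member.getType() == MemberType.USER)
            {
                permissionByUser.put(member.getUser().getIdentity(), AccessResult.USER_ALLOWED);
            }
        }

        return permissionByUser;
    }

    /**
     * Lists the groups this controller reports as holding a right on a project.
     * @param rightId the id of the right
     * @param object the project
     * @return always an empty immutable map
     */
    public Map<GroupIdentity, AccessResult> getPermissionByGroup(String rightId, Object object)
    {
        // NOTE(review): getPermission returns GROUP_ALLOWED on the rights of _memberRights for a
        // user who is a member through a group, yet no group is listed here - confirm whether
        // this is intentional.
        return Map.of();
    }

    /**
     * Lists the groups that can read a project: its members of type GROUP.
     * @param object the project
     * @return a mutable map of group to GROUP_ALLOWED
     */
    public Map<GroupIdentity, AccessResult> getReadAccessPermissionByGroup(Object object)
    {
        Map<GroupIdentity, AccessResult> permissionByGroup = new HashMap<>();

        Project project = (Project) object;

        for (ProjectMember member : _projectMembers.getProjectMembers(project, false, false))
        {
            if (member.getType() == MemberType.GROUP)
            {
                // A grant that comes from a group is reported as GROUP_ALLOWED, the value
                // getReadAccessPermission returns for the same membership. Labelling it
                // USER_ALLOWED would misstate the origin of the grant; if results are ranked by
                // origin when merged with other controllers (not visible from this file), it
                // could also outweigh a group-level denial.
                permissionByGroup.put(member.getGroup().getIdentity(), AccessResult.GROUP_ALLOWED);
            }
        }

        return permissionByGroup;
    }

    /**
     * Workspace-wide check, not answered by this controller.
     * @param workspacesContexts the workspace contexts
     * @param user the user
     * @param userGroups the groups of the user
     * @param rightId the id of the right
     * @return always false
     */
    public boolean hasUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups, String rightId)
    {
        return false;
    }

    /**
     * Workspace-wide read check, not answered by this controller.
     * @param workspacesContexts the workspace contexts
     * @param user the user
     * @param userGroups the groups of the user
     * @return always false
     */
    public boolean hasUserAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups)
    {
        return false;
    }

    /**
     * Workspace-wide check for anonymous visitors, not answered by this controller.
     * @param workspacesContexts the workspace contexts
     * @param rightId the id of the right
     * @return always false
     */
    public boolean hasAnonymousAnyPermissionOnWorkspace(Set<Object> workspacesContexts, String rightId)
    {
        return false;
    }

    /**
     * Workspace-wide read check for anonymous visitors, not answered by this controller.
     * @param workspacesContexts the workspace contexts
     * @return always false
     */
    public boolean hasAnonymousAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts)
    {
        return false;
    }

    /**
     * Workspace-wide check for "any connected user", not answered by this controller.
     * @param workspacesContexts the workspace contexts
     * @param rightId the id of the right
     * @return always false
     */
    public boolean hasAnyConnectedUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, String rightId)
    {
        return false;
    }

    /**
     * Workspace-wide read check for "any connected user", not answered by this controller.
     * @param workspacesContexts the workspace contexts
     * @return always false
     */
    public boolean hasAnyConnectedUserAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts)
    {
        return false;
    }

    /**
     * Tells whether the user is one of the project's managers.
     * @param project the project
     * @param user the user
     * @return true if the managers array contains the user
     */
    private boolean _isManager(Project project, UserIdentity user)
    {
        return ArrayUtils.contains(project.getManagers(), user);
    }

    /**
     * Maps a membership to the result that names its origin.
     * @param member the membership found for a user
     * @return USER_ALLOWED for a membership of type USER, GROUP_ALLOWED otherwise
     */
    private AccessResult _memberAccess(ProjectMember member)
    {
        return MemberType.USER == member.getType() ? AccessResult.USER_ALLOWED : AccessResult.GROUP_ALLOWED;
    }
}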