1 /**
2 * Copyright 2004-2014 The Kuali Foundation
3 *
4 * Licensed under the Educational Community License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.opensource.org/licenses/ecl2.php
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16 package org.kuali.kpme.tklm.common;
17
18 import org.apache.log4j.Logger;
19 import org.joda.time.DateTime;
20 import org.joda.time.LocalDate;
21 import org.kuali.kpme.core.KPMENamespace;
22 import org.kuali.kpme.core.authorization.DepartmentalRule;
23 import org.kuali.kpme.core.department.Department;
24 import org.kuali.kpme.core.role.KPMERole;
25 import org.kuali.kpme.core.service.HrServiceLocator;
26 import org.kuali.kpme.core.util.HrConstants;
27 import org.kuali.kpme.core.util.HrContext;
28 import org.kuali.kpme.tklm.time.util.TkContext;
29 import org.kuali.rice.krad.util.GlobalVariables;
30
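/**
 * Static authorization checks for {@link DepartmentalRule} business objects, evaluated for the
 * principal of the current user session.
 *
 * <p>Every check starts from "deny": a {@code null} rule, a wildcard department where a concrete
 * one is required, or an unsupported wildcard combination all leave the result {@code false}
 * unless the user is a system administrator (or, for reads, a global view-only user).
 *
 * <p>The department/location administrator test used by the write, wildcard and read paths lives
 * in a single private helper so the paths cannot drift apart when roles are added or removed.
 */
public class AuthorizationValidationUtils {

    private static final Logger LOG = Logger.getLogger(AuthorizationValidationUtils.class);

    /**
     * Indicates whether or not the current user can wildcard the work area
     * of the specified DepartmentalRule.
     *
     * @param departmentalRule The DepartmentalRule we are investigating.
     *
     * @return true if you can wildcard the WorkArea, false otherwise.
     */
    public static boolean canWildcardWorkArea(DepartmentalRule departmentalRule) {
        return isAdminForDefinedDepartment(departmentalRule);
    }

    /**
     * Can the current user use a wildcard for the department?
     *
     * @param departmentalRule The DepartmentalRule we are examining. Not consulted: only system
     *                         administrators may wildcard the department.
     *
     * @return true if so, false otherwise.
     */
    public static boolean canWildcardDepartment(DepartmentalRule departmentalRule) {
        return HrContext.isSystemAdmin();
    }

    /**
     * Indicates whether the current user may modify the specified DepartmentalRule.
     *
     * <p>System administrators always may. Everyone else needs a department or location
     * administrator role (time or leave) for the rule's department, and the department must be
     * concrete: a rule with a wildcard department is writable by system administrators only.
     *
     * @param departmentalRule The business object under investigation; {@code null} is denied
     *                         for non-system-administrators.
     *
     * @return true if writable by the current context user, false otherwise.
     */
    public static boolean hasAccessToWrite(DepartmentalRule departmentalRule) {
        return isAdminForDefinedDepartment(departmentalRule);
    }

    /**
     * Static helper method to provide a single point of access for both Kuali
     * Rice maintenance page hooks as well as Lookupable filtering.
     *
     * @param departmentalRule The business object under investigation.
     *
     * @return true if readable by current context user, false otherwise.
     */
    public static boolean hasAccessToRead(DepartmentalRule departmentalRule) {
        if (HrContext.isSystemAdmin() || HrContext.isGlobalViewOnly()) {
            return true;
        }

        if (departmentalRule == null) {
            return false;
        }

        //    dept     | workArea   | meaning
        //    ---------|------------|
        // 1: %        , -1         , any dept/work area valid roles
        //*2: %        , <defined>  , must have work area <-- *
        // 3: <defined>, -1         , must have dept, any work area
        // 4: <defined>, <defined>  , must have work area or department defined
        //
        // * Not permitted.

        // NOTE(review): getUserSession() is dereferenced without a null check, as in every
        // method of this class - confirm callers always run inside an established session.
        String principalId = GlobalVariables.getUserSession().getPrincipalId();
        Long workArea = departmentalRule.getWorkArea();
        String department = departmentalRule.getDept();

        boolean wildcardDepartment = HrConstants.WILDCARD_CHARACTER.equals(department);
        boolean wildcardWorkArea = HrConstants.WILDCARD_LONG.equals(workArea);

        if (wildcardDepartment && wildcardWorkArea) {
            // case 1
            return HrContext.isAnyApprover() || TkContext.isDepartmentAdmin() || TkContext.isLocationAdmin();
        }

        if (wildcardDepartment) {
            // case 2 *
            // Should not encounter this case. Deny rather than guess at the intended scope.
            LOG.error("Invalid case encountered while scanning business objects: Wildcard Department & Defined workArea.");
            return false;
        }

        // One date for every check in this call, so a request that straddles midnight is not
        // evaluated against two different effective dates.
        LocalDate today = LocalDate.now();

        if (wildcardWorkArea) {
            // case 3
            return isDepartmentOrLocationAdmin(principalId, department, today);
        }

        // case 4
        DateTime date = today.toDateTimeAtStartOfDay();
        return HrServiceLocator.getKPMERoleService().principalHasRoleInWorkArea(principalId, KPMENamespace.KPME_HR.getNamespaceCode(), KPMERole.APPROVER_DELEGATE.getRoleName(), workArea, date)
                || HrServiceLocator.getKPMERoleService().principalHasRoleInWorkArea(principalId, KPMENamespace.KPME_HR.getNamespaceCode(), KPMERole.APPROVER.getRoleName(), workArea, date)
                || isDepartmentOrLocationAdmin(principalId, department, today);
    }

    /**
     * Shared decision behind {@link #canWildcardWorkArea} and {@link #hasAccessToWrite}: system
     * administrators pass; otherwise the rule must name a concrete department for which the
     * current principal is a department or location administrator.
     */
    private static boolean isAdminForDefinedDepartment(DepartmentalRule departmentalRule) {
        if (HrContext.isSystemAdmin()) {
            return true;
        }

        if (departmentalRule == null) {
            return false;
        }

        String principalId = GlobalVariables.getUserSession().getPrincipalId();
        String department = departmentalRule.getDept();

        // A wildcard department is never granted here, so skip the department lookup entirely.
        if (HrConstants.WILDCARD_CHARACTER.equals(department)) {
            return false;
        }

        return isDepartmentOrLocationAdmin(principalId, department, LocalDate.now());
    }

    /**
     * Tests whether the principal holds a time or leave administrator role for the given
     * department, or for the location the department record resolves to, as of the given date.
     */
    private static boolean isDepartmentOrLocationAdmin(String principalId, String department, LocalDate asOfDate) {
        DateTime asOf = asOfDate.toDateTimeAtStartOfDay();

        Department departmentObj = HrServiceLocator.getDepartmentService().getDepartmentWithoutRoles(department, asOfDate);
        // NOTE(review): location is null when the department cannot be resolved, and that null
        // is handed to principalHasRoleInLocation as the qualifier. Confirm the role service
        // treats a null location as "no match" and not as an unqualified/any-location match.
        String location = departmentObj != null ? departmentObj.getLocation() : null;

        return HrServiceLocator.getKPMERoleService().principalHasRoleInDepartment(principalId, KPMENamespace.KPME_TK.getNamespaceCode(), KPMERole.TIME_DEPARTMENT_ADMINISTRATOR.getRoleName(), department, asOf)
                || HrServiceLocator.getKPMERoleService().principalHasRoleInDepartment(principalId, KPMENamespace.KPME_LM.getNamespaceCode(), KPMERole.LEAVE_DEPARTMENT_ADMINISTRATOR.getRoleName(), department, asOf)
                || HrServiceLocator.getKPMERoleService().principalHasRoleInLocation(principalId, KPMENamespace.KPME_TK.getNamespaceCode(), KPMERole.TIME_LOCATION_ADMINISTRATOR.getRoleName(), location, asOf)
                || HrServiceLocator.getKPMERoleService().principalHasRoleInLocation(principalId, KPMENamespace.KPME_LM.getNamespaceCode(), KPMERole.LEAVE_LOCATION_ADMINISTRATOR.getRoleName(), location, asOf);
    }
}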