1   /**
2    * Copyright 2004-2014 The Kuali Foundation
3    *
4    * Licensed under the Educational Community License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    * http://www.opensource.org/licenses/ecl2.php
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  package org.kuali.kpme.tklm.common;
17  
18  import org.apache.commons.lang.StringUtils;
19  import org.apache.log4j.Logger;
20  import org.joda.time.DateTime;
21  import org.joda.time.LocalDate;
22  import org.kuali.kpme.core.api.department.Department;
23  import org.kuali.kpme.core.api.namespace.KPMENamespace;
24  import org.kuali.kpme.core.role.KPMERole;
25  import org.kuali.kpme.core.service.HrServiceLocator;
26  import org.kuali.kpme.core.util.HrConstants;
27  import org.kuali.kpme.core.util.HrContext;
28  import org.kuali.kpme.tklm.time.rules.clocklocation.ClockLocationRule;
29  import org.kuali.kpme.tklm.time.util.TkContext;
30  import org.kuali.rice.krad.util.GlobalVariables;
31  
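public class AuthorizationValidationUtils {

    private static final Logger LOG = Logger.getLogger(AuthorizationValidationUtils.class);

    /**
     * Indicates whether or not the current user can wildcard the work area
     * of the specified ClockLocationRule.
     *
     * <p>System administrators are always allowed. Any other user must hold a
     * time/leave department administrator role for the rule's department, or
     * a time/leave location administrator role for that department's
     * location. A {@code null} rule or a wildcard department is denied.
     *
     * @param clockLocationRule The ClockLocationRule we are investigating.
     *
     * @return true if you can wildcard the WorkArea, false otherwise.
     */
    public static boolean canWildcardWorkArea(ClockLocationRule clockLocationRule) {
        if (HrContext.isSystemAdmin()) {
            return true;
        }

        return isDepartmentOrLocationAdminFor(clockLocationRule);
    }

    /**
     * Can the current user use a wildcard for the department?
     *
     * <p>Only system administrators may do so; the rule itself is not
     * consulted.
     *
     * @param clockLocationRule The ClockLocationRule we are examining.
     *
     * @return true if so, false otherwise.
     */
    public static boolean canWildcardDepartment(ClockLocationRule clockLocationRule) {
        return HrContext.isSystemAdmin();
    }

    /**
     * Static helper method to provide a single point of access for both Kuali
     * Rice maintenance page hooks as well as Lookupable filtering.
     *
     * <p>Applies the same decision as {@link #canWildcardWorkArea}: system
     * administrators may write; otherwise a department or location
     * administrator role scoped to the rule's department is required.
     *
     * @param clockLocationRule The business object under investigation.
     * @return true if writable by current context user, false otherwise.
     * @deprecated - doesn't seem to be used anywhere
     */
    public static boolean hasAccessToWrite(ClockLocationRule clockLocationRule) {
        if (HrContext.isSystemAdmin()) {
            return true;
        }

        return isDepartmentOrLocationAdminFor(clockLocationRule);
    }

    /**
     * Static helper method to provide a single point of access for both Kuali
     * Rice maintenance page hooks as well as Lookupable filtering.
     *
     * <p>System administrators and global view-only users may always read.
     * For everyone else the result depends on which of the rule's department
     * and work area are wildcards (see the table in the method body). Every
     * path that does not explicitly grant access returns false.
     *
     * @param clockLocationRule The business object under investigation.
     * @return true if readable by current context user, false otherwise.
     * @deprecated - doesn't seem to be used anywhere
     */
    public static boolean hasAccessToRead(ClockLocationRule clockLocationRule) {
        if (HrContext.isSystemAdmin() || HrContext.isGlobalViewOnly()) {
            return true;
        }

        // Deny by default; only the branches below can grant access.
        boolean hasAccessToRead = false;

        if (clockLocationRule != null) {
            //    dept     | workArea   | meaning
            //    ---------|------------|
            // 1: %        ,  -1        , any dept/work area valid roles
            //*2: %        ,  <defined> , must have work area <-- *
            // 3: <defined>, -1         , must have dept, any work area
            // 4: <defined>, <defined>  , must have work area or department defined
            //
            // * Not permitted.

            String principalId = GlobalVariables.getUserSession().getPrincipalId();
            Long workArea = clockLocationRule.getWorkArea();
            String department = clockLocationRule.getDept();
            String groupKeyCode = clockLocationRule.getGroupKeyCode();
            // Take "today" once so the department lookup and every role check
            // are evaluated against the same effective date.
            LocalDate today = LocalDate.now();
            String location = resolveLocationId(department, groupKeyCode, today);
            DateTime date = today.toDateTimeAtStartOfDay();

            boolean wildcardDepartment = HrConstants.WILDCARD_CHARACTER.equals(department);
            boolean wildcardWorkArea = HrConstants.WILDCARD_LONG.equals(workArea);

            if (wildcardDepartment && wildcardWorkArea) {
                // case 1: the rule is not scoped, so the check is not scoped
                // either; any approver or department/location admin may read.
                hasAccessToRead = HrContext.isAnyApprover() || TkContext.isDepartmentAdmin() || TkContext.isLocationAdmin();
            } else if (wildcardDepartment) {
                // case 2 *
                // Should not encounter this case. Access stays denied.
                LOG.error("Invalid case encountered while scanning business objects: Wildcard Department & Defined workArea.");
            } else if (wildcardWorkArea) {
                // case 3
                hasAccessToRead = hasDepartmentOrLocationAdminRole(principalId, department, groupKeyCode, location, date);
            } else {
                // case 4: approver (or delegate) on the work area, or an
                // administrator of the owning department/location.
                hasAccessToRead = HrServiceLocator.getKPMERoleService().principalHasRoleInWorkArea(principalId, KPMENamespace.KPME_HR.getNamespaceCode(), KPMERole.APPROVER_DELEGATE.getRoleName(), workArea, date)
                        || HrServiceLocator.getKPMERoleService().principalHasRoleInWorkArea(principalId, KPMENamespace.KPME_HR.getNamespaceCode(), KPMERole.APPROVER.getRoleName(), workArea, date)
                        || hasDepartmentOrLocationAdminRole(principalId, department, groupKeyCode, location, date);
            }
        }

        return hasAccessToRead;
    }

    /**
     * For ClockLocationRule object, if a work area is defined, you can not
     * leave the department field with a wildcard. Permission for wildcarding
     * will be checked with other methods.
     *
     * <p>A wildcard department combined with a {@code null} work area is
     * reported as invalid rather than raising a NullPointerException.
     *
     * @param clr The ClockLocationRule to examine; must not be null.
     * @return true if valid, false otherwise.
     */
    public static boolean validateWorkAreaDeptWildcarding(ClockLocationRule clr) {
        if (!StringUtils.equals(clr.getDept(), HrConstants.WILDCARD_CHARACTER)) {
            return true;
        }

        // Compare from the constant side (as hasAccessToRead does) so an unset
        // work area is rejected instead of dereferenced.
        return HrConstants.WILDCARD_LONG.equals(clr.getWorkArea());
    }

    /**
     * Decides whether the current session user administers the department or
     * location that the given rule belongs to.
     *
     * @param clockLocationRule the rule whose department scopes the check; may be null.
     * @return false for a null rule or a wildcard department, otherwise the
     *         result of the department/location administrator role checks.
     */
    private static boolean isDepartmentOrLocationAdminFor(ClockLocationRule clockLocationRule) {
        if (clockLocationRule == null) {
            return false;
        }

        String principalId = GlobalVariables.getUserSession().getPrincipalId();
        String department = clockLocationRule.getDept();
        String groupKeyCode = clockLocationRule.getGroupKeyCode();
        // One effective date for both the department lookup and the role checks.
        LocalDate today = LocalDate.now();
        String location = resolveLocationId(department, groupKeyCode, today);

        // A wildcard department cannot be matched against a department-scoped
        // role, so it is denied here; only system admins get past the callers.
        if (HrConstants.WILDCARD_CHARACTER.equals(department)) {
            return false;
        }

        return hasDepartmentOrLocationAdminRole(principalId, department, groupKeyCode, location, today.toDateTimeAtStartOfDay());
    }

    /**
     * Looks up the department effective on the given date and returns the
     * location id of its group key.
     *
     * @return the location id, or null when no department is found.
     */
    private static String resolveLocationId(String department, String groupKeyCode, LocalDate asOfDate) {
        Department departmentObj = HrServiceLocator.getDepartmentService().getDepartment(department, groupKeyCode, asOfDate);
        // NOTE(review): a null location is handed on to principalHasRoleInLocation;
        // confirm that the role service treats null as "no match" and not as
        // "any location", otherwise an unknown department could widen access.
        return departmentObj != null ? departmentObj.getGroupKey().getLocationId() : null;
    }

    /**
     * Checks, in order, the time and leave department administrator roles for
     * the department and the time and leave location administrator roles for
     * the location, all as of the given date.
     *
     * @return true as soon as one of the four role checks succeeds.
     */
    private static boolean hasDepartmentOrLocationAdminRole(String principalId, String department, String groupKeyCode, String location, DateTime date) {
        return HrServiceLocator.getKPMERoleService().principalHasRoleInDepartment(principalId, KPMENamespace.KPME_TK.getNamespaceCode(), KPMERole.TIME_DEPARTMENT_ADMINISTRATOR.getRoleName(), department, groupKeyCode, date)
                || HrServiceLocator.getKPMERoleService().principalHasRoleInDepartment(principalId, KPMENamespace.KPME_LM.getNamespaceCode(), KPMERole.LEAVE_DEPARTMENT_ADMINISTRATOR.getRoleName(), department, groupKeyCode, date)
                || HrServiceLocator.getKPMERoleService().principalHasRoleInLocation(principalId, KPMENamespace.KPME_TK.getNamespaceCode(), KPMERole.TIME_LOCATION_ADMINISTRATOR.getRoleName(), location, date)
                || HrServiceLocator.getKPMERoleService().principalHasRoleInLocation(principalId, KPMENamespace.KPME_LM.getNamespaceCode(), KPMERole.LEAVE_LOCATION_ADMINISTRATOR.getRoleName(), location, date);
    }
}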