001 /**
002 * Copyright 2004-2012 The Kuali Foundation
003 *
004 * Licensed under the Educational Community License, Version 2.0 (the "License");
005 * you may not use this file except in compliance with the License.
006 * You may obtain a copy of the License at
007 *
008 * http://www.opensource.org/licenses/ecl2.php
009 *
010 * Unless required by applicable law or agreed to in writing, software
011 * distributed under the License is distributed on an "AS IS" BASIS,
012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013 * See the License for the specific language governing permissions and
014 * limitations under the License.
015 */
016 package org.kuali.hr.time.authorization;
017
018 import java.util.HashMap;
019 import java.util.HashSet;
020 import java.util.Map;
021 import java.util.Set;
022
023 import org.kuali.hr.time.roles.TkUserRoles;
024 import org.kuali.hr.time.roles.UserRoles;
025 import org.kuali.hr.time.util.TKContext;
026 import org.kuali.hr.time.util.TKUser;
027 import org.kuali.rice.kim.api.identity.Person;
028 import org.kuali.rice.kns.document.authorization.DocumentAuthorizer;
029 import org.kuali.rice.kns.document.authorization.MaintenanceDocumentAuthorizer;
030 import org.kuali.rice.krad.bo.BusinessObject;
031 import org.kuali.rice.krad.document.Document;
032 import org.kuali.rice.krad.maintenance.MaintenanceDocument;
033 import org.kuali.rice.krad.util.GlobalVariables;
034 import org.kuali.rice.krad.util.KRADConstants;
035
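/**
 * Base class for the implementation of Authorization in KPME Time and Attendance.
 *
 * Role Security Grid Documentation:
 * https://wiki.kuali.org/display/KPME/Role+Security+Grid
 *
 * <p>Security posture of this base class, as implemented below:
 * <ul>
 * <li><b>Role-gated</b> through the abstract {@code rolesIndicate*} hooks:
 *     {@link #canCreate}, {@link #canMaintain}, {@link #canCreateOrMaintain},
 *     {@link #canInitiate}, {@link #canOpen}, {@link #canEdit}, {@link #canSave}
 *     and {@link #canCopy}.</li>
 * <li><b>Granted unconditionally</b> ({@code return true}): every
 *     {@code isAuthorized} / {@code isAuthorizedByTemplate} overload and all
 *     remaining {@code can*} document actions, including route, approve,
 *     blanket approve, disapprove, cancel, recall, ad hoc requests and note
 *     attachment add/delete/view. Any restriction on those actions has to come
 *     from a subclass override or from a layer not visible in this file.</li>
 * <li>The {@code Person user} and {@code principalId} arguments are never
 *     consulted here. The role-gated decisions are delegated to hooks that take
 *     no user argument and, per their documentation, evaluate the current
 *     context user.</li>
 * <li>{@link #rolesIndicateReadAccess(BusinessObject)} is declared for
 *     subclasses but nothing in this class calls it; read decisions here use
 *     {@link #rolesIndicateGeneralReadAccess()} only.</li>
 * </ul>
 */
public abstract class TkMaintenanceDocumentAuthorizerBase implements MaintenanceDocumentAuthorizer, DocumentAuthorizer {

    // Methods from BusinessObjectAuthorizer

    /** Always grants; no permission lookup is performed and all arguments are ignored. */
    @Override
    public boolean isAuthorized(BusinessObject businessObject, String namespaceCode, String permissionName, String principalId) {
        return true;
    }

    /** Always grants; no permission-template lookup is performed and all arguments are ignored. */
    @Override
    public boolean isAuthorizedByTemplate(BusinessObject businessObject, String namespaceCode, String permissionTemplateName, String principalId) {
        return true;
    }

    /** Always grants; the additional permission details and role qualifiers are ignored. */
    @Override
    public boolean isAuthorized(BusinessObject businessObject, String namespaceCode, String permissionName, String principalId, Map<String, String> additionalPermissionDetails, Map<String, String> additionalRoleQualifiers) {
        return true;
    }

    /** Always grants; the additional permission details and role qualifiers are ignored. */
    @Override
    public boolean isAuthorizedByTemplate(Object dataObject, String namespaceCode, String permissionTemplateName, String principalId, Map<String, String> additionalPermissionDetails, Map<String, String> additionalRoleQualifiers) {
        return true;
    }

    /** @return a new, empty, mutable map; no role qualifications are contributed. */
    @Override
    public Map<String, String> getCollectionItemRoleQualifications(BusinessObject collectionItemBusinessObject) {
        return new HashMap<String, String>();
    }

    /** @return a new, empty, mutable map; no permission details are contributed. */
    @Override
    public Map<String, String> getCollectionItemPermissionDetails(BusinessObject collectionItemBusinessObject) {
        return new HashMap<String, String>();
    }

    // Methods from MaintenanceDocumentAuthorizer

    /**
     * Grants creation when the subclass reports general write access.
     * Neither {@code boClass} nor {@code user} is consulted.
     */
    @Override
    public boolean canCreate(Class boClass, Person user) {
        return rolesIndicateGeneralWriteAccess();
    }

    /**
     * In lookup, called for each Business object if the user can edit or not.
     *
     * @param dataObject the object shown in the lookup row
     * @param user       not consulted; the decision is delegated to
     *                   {@link #rolesIndicateWriteAccess(BusinessObject)}
     * @return the subclass's write decision, or {@code false} when
     *         {@code dataObject} is non-null but not a {@link BusinessObject}
     */
    @Override
    public boolean canMaintain(Object dataObject, Person user) {
        return writeAccessFor(dataObject);
    }

    /**
     * Called when submit is clicked from maintenance doc.
     *
     * @param maintenanceDocument the document being submitted; its new
     *                            maintainable's data object is what gets checked
     * @param user                not consulted
     * @return the subclass's write decision, or {@code false} when the data
     *         object is non-null but not a {@link BusinessObject}
     */
    @Override
    public boolean canCreateOrMaintain(MaintenanceDocument maintenanceDocument, Person user) {
        // NOTE(review): the call chain is dereferenced without null checks, as in
        // the original; confirm the framework always supplies a new maintainable.
        return writeAccessFor(maintenanceDocument.getNewMaintainableObject().getDataObject());
    }

    /** @return a new, empty, mutable set; no sections are forced read-only. */
    @Override
    public Set<String> getSecurePotentiallyReadOnlySectionIds() {
        return new HashSet<String>();
    }

    // Methods from DocumentAuthorizer

    /**
     * Copied from DocumentAuthorizerBase.
     *
     * <p>Filters the supplied action set in place: each action that is present
     * is removed when the matching {@code can*} method denies it. The same set
     * instance is returned. Because most {@code can*} methods in this class
     * return {@code true}, only edit, copy and save are actually filtered
     * unless a subclass overrides the others.
     *
     * @param document        the document the actions apply to
     * @param user            passed through to the {@code can*} methods
     * @param documentActions candidate actions; mutated by this call
     * @return {@code documentActions}, after removal of denied actions
     */
    @Override
    public Set<String> getDocumentActions(Document document, Person user, Set<String> documentActions) {
        if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_EDIT) && !canEdit(document, user)) {
            documentActions.remove(KRADConstants.KUALI_ACTION_CAN_EDIT);
        }

        if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_COPY) && !canCopy(document, user)) {
            documentActions.remove(KRADConstants.KUALI_ACTION_CAN_COPY);
        }

        if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_CLOSE) && !canClose(document, user)) {
            documentActions.remove(KRADConstants.KUALI_ACTION_CAN_CLOSE);
        }

        if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_RELOAD) && !canReload(document, user)) {
            documentActions.remove(KRADConstants.KUALI_ACTION_CAN_RELOAD);
        }

        if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_BLANKET_APPROVE) && !canBlanketApprove(document, user)) {
            documentActions.remove(KRADConstants.KUALI_ACTION_CAN_BLANKET_APPROVE);
        }

        if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_CANCEL) && !canCancel(document, user)) {
            documentActions.remove(KRADConstants.KUALI_ACTION_CAN_CANCEL);
        }

        if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_RECALL) && !canRecall(document, user)) {
            documentActions.remove(KRADConstants.KUALI_ACTION_CAN_RECALL);
        }

        if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_SAVE) && !canSave(document, user)) {
            documentActions.remove(KRADConstants.KUALI_ACTION_CAN_SAVE);
        }

        if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_ROUTE) && !canRoute(document, user)) {
            documentActions.remove(KRADConstants.KUALI_ACTION_CAN_ROUTE);
        }

        if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_ACKNOWLEDGE) && !canAcknowledge(document, user)) {
            documentActions.remove(KRADConstants.KUALI_ACTION_CAN_ACKNOWLEDGE);
        }

        if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_FYI) && !canFyi(document, user)) {
            documentActions.remove(KRADConstants.KUALI_ACTION_CAN_FYI);
        }

        if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_APPROVE) && !canApprove(document, user)) {
            documentActions.remove(KRADConstants.KUALI_ACTION_CAN_APPROVE);
        }

        if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_DISAPPROVE) && !canDisapprove(document, user)) {
            documentActions.remove(KRADConstants.KUALI_ACTION_CAN_DISAPPROVE);
        }

        // When no ad hoc request type is allowed, all three ad hoc related
        // actions are removed without a prior membership check.
        if (!canSendAnyTypeAdHocRequests(document, user)) {
            documentActions.remove(KRADConstants.KUALI_ACTION_CAN_ADD_ADHOC_REQUESTS);
            documentActions.remove(KRADConstants.KUALI_ACTION_CAN_SEND_ADHOC_REQUESTS);
            documentActions.remove(KRADConstants.KUALI_ACTION_CAN_SEND_NOTE_FYI);
        }

        if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_SEND_NOTE_FYI) && !canSendNoteFyi(document, user)) {
            documentActions.remove(KRADConstants.KUALI_ACTION_CAN_SEND_NOTE_FYI);
        }

        if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_ANNOTATE) && !canAnnotate(document, user)) {
            documentActions.remove(KRADConstants.KUALI_ACTION_CAN_ANNOTATE);
        }

        if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_EDIT_DOCUMENT_OVERVIEW)
                && !canEditDocumentOverview(document, user)) {
            documentActions.remove(KRADConstants.KUALI_ACTION_CAN_EDIT_DOCUMENT_OVERVIEW);
        }

        if (documentActions.contains(KRADConstants.KUALI_ACTION_PERFORM_ROUTE_REPORT)
                && !canPerformRouteReport(document, user)) {
            documentActions.remove(KRADConstants.KUALI_ACTION_PERFORM_ROUTE_REPORT);
        }

        return documentActions;
    }

    /**
     * TODO: What is this used for? It's called often.
     *
     * <p>Grants when the subclass reports general read access;
     * {@code documentTypeName} and {@code user} are not consulted.
     */
    @Override
    public boolean canInitiate(String documentTypeName, Person user) {
        return rolesIndicateGeneralReadAccess();
    }

    /**
     * One Reference in KualiDocumentActionBase:366
     *
     * <p>Grants when the subclass reports general read access; the specific
     * {@code document} and {@code user} are not consulted.
     */
    @Override
    public boolean canOpen(Document document, Person user) {
        return rolesIndicateGeneralReadAccess();
    }

    /** Grants when the subclass reports general write access; arguments are not consulted. */
    @Override
    public boolean canEdit(Document document, Person user) {
        return rolesIndicateGeneralWriteAccess();
    }

    /** Always grants. */
    @Override
    public boolean canAnnotate(Document document, Person user) {
        return true;
    }

    /** Always grants. */
    @Override
    public boolean canReload(Document document, Person user) {
        return true;
    }

    /** Always grants. */
    @Override
    public boolean canClose(Document document, Person user) {
        return true;
    }

    /** Grants when the subclass reports general write access; arguments are not consulted. */
    @Override
    public boolean canSave(Document document, Person user) {
        return rolesIndicateGeneralWriteAccess();
    }

    /**
     * Always grants. Note that routing is not tied to the write-access hook
     * that gates {@link #canSave} and {@link #canEdit}.
     */
    @Override
    public boolean canRoute(Document document, Person user) {
        return true;
    }

    /** Always grants. */
    @Override
    public boolean canCancel(Document document, Person user) {
        return true;
    }

    /** Grants when the subclass reports general write access; arguments are not consulted. */
    @Override
    public boolean canCopy(Document document, Person user) {
        return rolesIndicateGeneralWriteAccess();
    }

    /** Always grants. */
    @Override
    public boolean canPerformRouteReport(Document document, Person user) {
        return true;
    }

    /** Always grants; no role check is applied to blanket approval in this class. */
    @Override
    public boolean canBlanketApprove(Document document, Person user) {
        return true;
    }

    /** Always grants; no role check is applied to approval in this class. */
    @Override
    public boolean canApprove(Document document, Person user) {
        return true;
    }

    /** Always grants; no role check is applied to disapproval in this class. */
    @Override
    public boolean canDisapprove(Document document, Person user) {
        return true;
    }

    /** Always grants. */
    @Override
    public boolean canSendNoteFyi(Document document, Person user) {
        return true;
    }

    /** Always grants. */
    @Override
    public boolean canEditDocumentOverview(Document document, Person user) {
        return true;
    }

    /** Always grants. */
    @Override
    public boolean canFyi(Document document, Person user) {
        return true;
    }

    /** Always grants. */
    @Override
    public boolean canAcknowledge(Document document, Person user) {
        return true;
    }

    /** Always grants; {@code actionRequestCode} is not consulted. */
    @Override
    public boolean canReceiveAdHoc(Document document, Person user, String actionRequestCode) {
        return true;
    }

    /** Always grants; {@code attachmentTypeCode} is not consulted. */
    @Override
    public boolean canAddNoteAttachment(Document document, String attachmentTypeCode, Person user) {
        return true;
    }

    /**
     * Always grants. {@code createdBySelfOnly} is ignored, so deletion is not
     * limited to the attachment's author by this class.
     */
    @Override
    public boolean canDeleteNoteAttachment(Document document, String attachmentTypeCode, String createdBySelfOnly, Person user) {
        return true;
    }

    /** Always grants; {@code attachmentTypeCode} is not consulted. */
    @Override
    public boolean canViewNoteAttachment(Document document, String attachmentTypeCode, Person user) {
        return true;
    }

    /** Always grants; {@code authorUniversalIdentifier} is not consulted. */
    @Override
    public boolean canViewNoteAttachment(Document document, String attachmentTypeCode, String authorUniversalIdentifier, Person user) {
        return true;
    }

    /** Always grants; {@code actionRequestCd} is not consulted. */
    @Override
    public boolean canSendAdHocRequests(Document document, String actionRequestCd, Person user) {
        return true;
    }

    /** Always grants, so {@link #getDocumentActions} keeps the ad hoc actions by default. */
    @Override
    public boolean canSendAnyTypeAdHocRequests(Document document, Person user) {
        return true;
    }

    /** Always grants; {@code actionRequestCode} is not consulted. */
    @Override
    public boolean canTakeRequestedAction(Document document, String actionRequestCode, Person user) {
        return true;
    }

    /** Always grants. */
    @Override
    public boolean canRecall(Document document, Person user) {
        return true;
    }

    // Methods from DataObjectAuthorizer

    /** Always grants; no permission lookup is performed and all arguments are ignored. */
    @Override
    public boolean isAuthorized(Object dataObject, String namespaceCode, String permissionName, String principalId) {
        return true;
    }

    /** Always grants; no permission-template lookup is performed and all arguments are ignored. */
    @Override
    public boolean isAuthorizedByTemplate(Object dataObject, String namespaceCode, String permissionTemplateName, String principalId) {
        return true;
    }

    /** Always grants; the additional permission details and role qualifiers are ignored. */
    @Override
    public boolean isAuthorized(Object dataObject, String namespaceCode, String permissionName, String principalId,
            Map<String, String> additionalPermissionDetails, Map<String, String> additionalRoleQualifiers) {
        return true;
    }

    // Methods from InquiryOrMaintenanceDocumentAuthorizer

    /**
     * Can't return null.
     *
     * @return a new, empty, mutable set; no sections are hidden.
     */
    @Override
    public Set<String> getSecurePotentiallyHiddenSectionIds() {
        return new HashSet<String>();
    }

    // Override this if necessary:

    /**
     * Returns the UserRoles object for the CURRENT user. This will take into
     * account target/backdoor user status. Subclasses can override this if
     * necessary.
     *
     * <p>NOTE(review): the implementation reads only the principal id of the
     * current {@code UserSession}; confirm that this id reflects the
     * target/backdoor user as stated above. The session is dereferenced
     * without a null check, so confirm a session always exists on the call
     * paths that reach an authorizer.
     *
     * @return The UserRoles object for the current user.
     */
    public UserRoles getRoles() {
        return TkUserRoles.getUserRoles(GlobalVariables.getUserSession().getPrincipalId());
    }

    /**
     * Shared write check for objects handed over by the framework as plain
     * {@code Object}. A non-null value of an unexpected type is denied instead
     * of failing with a {@code ClassCastException}; {@code null} is passed on
     * to the subclass hook unchanged.
     */
    private boolean writeAccessFor(Object dataObject) {
        if (dataObject != null && !(dataObject instanceof BusinessObject)) {
            return false;
        }
        return rolesIndicateWriteAccess((BusinessObject) dataObject);
    }

    // Subclasses will implement these methods

    /**
     * Method to indicate whether or not the Context current user can read
     * objects of the current maintenance type.
     *
     * @return true if readable, false otherwise.
     */
    public abstract boolean rolesIndicateGeneralReadAccess();

    /**
     * Method to indicate whether or not the Context current user can create/edit
     * objects of the current maintenance type.
     *
     * @return true if create/editable, false otherwise.
     */
    public abstract boolean rolesIndicateGeneralWriteAccess();

    /**
     * Indicates whether or not the current Context user has create/edit rights
     * to the provided BusinessObject.
     *
     * @param bo The BusinessObject under investigation.
     *
     * @return true if editable, false otherwise.
     */
    public abstract boolean rolesIndicateWriteAccess(BusinessObject bo);

    /**
     * Indicates whether or not the current Context user has view rights to the
     * provided BusinessObject. Not called from within this base class.
     *
     * @param bo The BusinessObject under investigation.
     *
     * @return true if viewable, false otherwise.
     */
    public abstract boolean rolesIndicateReadAccess(BusinessObject bo);
}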