001    /**
002     * Copyright 2004-2013 The Kuali Foundation
003     *
004     * Licensed under the Educational Community License, Version 2.0 (the "License");
005     * you may not use this file except in compliance with the License.
006     * You may obtain a copy of the License at
007     *
008     * http://www.opensource.org/licenses/ecl2.php
009     *
010     * Unless required by applicable law or agreed to in writing, software
011     * distributed under the License is distributed on an "AS IS" BASIS,
012     * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013     * See the License for the specific language governing permissions and
014     * limitations under the License.
015     */
016    package org.kuali.hr.time.authorization;
017    
018    import org.apache.commons.lang.StringUtils;
019    import org.apache.log4j.Logger;
020    import org.kuali.hr.time.roles.UserRoles;
021    import org.kuali.hr.time.util.TKContext;
022    import org.kuali.hr.time.util.TkConstants;
023    import org.kuali.rice.krad.bo.BusinessObject;
024    
025    /**
026     * Implements Authorization logic for the "Departmental Rules":
027     *
028     * ClockLocationRule
029     * TimeCollectionRule
030     * DeptLunchRule
031     * WorkArea
032     *
033     * See:
034     * https://wiki.kuali.org/display/KPME/Role+Security+Grid
035     */
036    public class DepartmentalRuleAuthorizer extends TkMaintenanceDocumentAuthorizerBase {
037    
038          private static final Logger LOG = Logger.getLogger(DepartmentalRuleAuthorizer.class);
039    
040        @Override
041        public boolean rolesIndicateGeneralReadAccess() {
042            return getRoles().isSystemAdmin() ||
043                            getRoles().isGlobalViewOnly() ||
044                    getRoles().getOrgAdminCharts().size() > 0 ||
045                    getRoles().getOrgAdminDepartments().size() > 0 ||
046                    getRoles().getDepartmentViewOnlyDepartments().size() > 0 ||
047                    getRoles().isAnyApproverActive();
048        }
049    
050        @Override
051        public boolean rolesIndicateGeneralWriteAccess() {
052            return getRoles().isSystemAdmin() ||
053                    getRoles().getOrgAdminCharts().size() > 0 ||
054                    getRoles().getOrgAdminDepartments().size() > 0;
055        }
056    
057        @Override
058        public boolean rolesIndicateWriteAccess(BusinessObject bo) {
059            return bo instanceof DepartmentalRule && DepartmentalRuleAuthorizer.hasAccessToWrite((DepartmentalRule)bo);
060        }
061    
062        @Override
063        public boolean rolesIndicateReadAccess(BusinessObject bo) {
064            return bo instanceof DepartmentalRule && DepartmentalRuleAuthorizer.hasAccessToRead((DepartmentalRule)bo);
065        }
066    
067        public static boolean hasAccessToWrite(DepartmentalRule dr) {
068            boolean ret = false;
069            if (TKContext.getUser().isSystemAdmin())
070                return true;
071    
072            if (dr != null && TKContext.getUser().getDepartmentAdminAreas().size() > 0) {
073                String dept = dr.getDept();
074                if (StringUtils.equals(dept, TkConstants.WILDCARD_CHARACTER)) {
075                    // Must be system administrator
076                    ret = false;
077                } else {
078                    // Must have parent Department
079                    ret = TKContext.getUser().getDepartmentAdminAreas().contains(dr.getDept());
080                }
081            }
082    
083            return ret;
084        }
085    
086        /**
087         * Static helper method to provide a single point of access for both Kuali
088         * Rice maintenance page hooks as well as Lookupable filtering.
089         *
090         * @param dr The business object under investigation.
091         *
092         * @return true if readable by current context user, false otherwise.
093         */
094        public static boolean hasAccessToRead(DepartmentalRule dr) {
095            boolean ret = false;
096            if (TKContext.getUser().isSystemAdmin() || TKContext.getUser().isGlobalViewOnly())
097                return true;
098    
099            if (dr != null) {
100                //    dept     | workArea   | meaning
101                //    ---------|------------|
102                // 1: %        ,  -1        , any dept/work area valid roles
103                //*2: %        ,  <defined> , must have work area <-- *
104                // 3: <defined>, -1         , must have dept, any work area
105                // 4: <defined>, <defined>  , must have work area or department defined
106                //
107                // * Not permitted.
108    
109    
110                if (StringUtils.equals(dr.getDept(), TkConstants.WILDCARD_CHARACTER) &&
111                        dr.getWorkArea().equals(TkConstants.WILDCARD_LONG)) {
112                    // case 1
113                    ret = TKContext.getUser().getApproverWorkAreas().size() > 0 || TKContext.getUser().getLocationAdminAreas().size() > 0 ||
114                                    TKContext.getUser().getDepartmentAdminAreas().size() > 0;
115                } else if (StringUtils.equals(dr.getDept(), TkConstants.WILDCARD_CHARACTER)) {
116                    // case 2 *
117                    // Should not encounter this case.
118                    LOG.error("Invalid case encountered while scanning business objects: Wildcard Department & Defined workArea.");
119                } else if (dr.getWorkArea().equals(TkConstants.WILDCARD_LONG)) {
120                    // case 3
121                    ret = TKContext.getUser().getDepartmentAdminAreas().contains(dr.getDept());
122                } else {
123                    ret = TKContext.getUser().getApproverWorkAreas().contains(dr.getWorkArea()) ||
124                                    TKContext.getUser().getDepartmentAdminAreas().contains(dr.getDept());
125                }
126            }
127    
128            return ret;
129        }
130    
131    }