001 /**
002 * Copyright 2004-2013 The Kuali Foundation
003 *
004 * Licensed under the Educational Community License, Version 2.0 (the "License");
005 * you may not use this file except in compliance with the License.
006 * You may obtain a copy of the License at
007 *
008 * http://www.opensource.org/licenses/ecl2.php
009 *
010 * Unless required by applicable law or agreed to in writing, software
011 * distributed under the License is distributed on an "AS IS" BASIS,
012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013 * See the License for the specific language governing permissions and
014 * limitations under the License.
015 */
016 package org.kuali.hr.time.authorization;
017
018 import java.util.HashMap;
019 import java.util.HashSet;
020 import java.util.Map;
021 import java.util.Set;
022
023 import org.kuali.hr.time.roles.TkUserRoles;
024 import org.kuali.hr.time.roles.UserRoles;
025 import org.kuali.hr.time.util.TKContext;
026 import org.kuali.hr.time.util.TKUser;
027 import org.kuali.rice.kim.api.identity.Person;
028 import org.kuali.rice.kns.document.authorization.DocumentAuthorizer;
029 import org.kuali.rice.kns.document.authorization.MaintenanceDocumentAuthorizer;
030 import org.kuali.rice.krad.bo.BusinessObject;
031 import org.kuali.rice.krad.document.Document;
032 import org.kuali.rice.krad.maintenance.MaintenanceDocument;
033 import org.kuali.rice.krad.util.GlobalVariables;
034 import org.kuali.rice.krad.util.KRADConstants;
035
036 /**
037 * Base class for the implementation of Authorization in KPME Time and Attendance.
038 *
039 * Role Security Grid Documentation:
040 * https://wiki.kuali.org/display/KPME/Role+Security+Grid
041 */
042 public abstract class TkMaintenanceDocumentAuthorizerBase implements MaintenanceDocumentAuthorizer, DocumentAuthorizer {
043
044 // Methods from BusinessObjectAuthorizer
045
046 @Override
047 public boolean isAuthorized(BusinessObject businessObject, String namespaceCode, String permissionName, String principalId) {
048 return true;
049 }
050
051 @Override
052 public boolean isAuthorizedByTemplate(BusinessObject businessObject, String namespaceCode, String permissionTemplateName, String principalId) {
053 return true;
054 }
055
056 @Override
057 public boolean isAuthorized(BusinessObject businessObject, String namespaceCode, String permissionName, String principalId, Map<String, String> additionalPermissionDetails, Map<String, String> additionalRoleQualifiers) {
058 return true;
059 }
060
061 @Override
062 public boolean isAuthorizedByTemplate(Object dataObject, String namespaceCode, String permissionTemplateName, String principalId, Map<String, String> additionalPermissionDetails, Map<String, String> additionalRoleQualifiers) {
063 return true;
064 }
065
066 @Override
067 public Map<String, String> getCollectionItemRoleQualifications(BusinessObject collectionItemBusinessObject) {
068 return new HashMap<String,String>();
069 }
070
071 @Override
072 public Map<String, String> getCollectionItemPermissionDetails(BusinessObject collectionItemBusinessObject) {
073 return new HashMap<String,String>();
074 }
075
076 // Methods from MaintenanceDocumentAuthorizer
077
078 @Override
079 public boolean canCreate(Class boClass, Person user) {
080 return this.rolesIndicateGeneralWriteAccess();
081 }
082
083 @Override
084 /**
085 * In lookup, called for each Business object if the user can edit or not.
086 */
087 public boolean canMaintain(Object dataObject, Person user) {
088 return this.rolesIndicateWriteAccess((BusinessObject) dataObject);
089 }
090
091 @Override
092 /**
093 * Called when submit is clicked from maintenance doc
094 */
095 public boolean canCreateOrMaintain(MaintenanceDocument maintenanceDocument, Person user){
096 return this.rolesIndicateWriteAccess((BusinessObject) maintenanceDocument.getNewMaintainableObject().getDataObject());
097 }
098
099 @Override
100 public Set<String> getSecurePotentiallyReadOnlySectionIds() {
101 return new HashSet<String>();
102 }
103
104 // Methods from DocumentAuthorizer
105
106
107 /**
108 * Copied from DocumentAuthorizerBase
109 */
110 @Override
111 public Set<String> getDocumentActions(Document document, Person user, Set<String> documentActions) {
112 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_EDIT) && !canEdit(document, user)) {
113 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_EDIT);
114 }
115
116 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_COPY) && !canCopy(document, user)) {
117 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_COPY);
118 }
119
120 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_CLOSE) && !canClose(document, user)) {
121 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_CLOSE);
122 }
123
124 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_RELOAD) && !canReload(document, user)) {
125 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_RELOAD);
126 }
127
128 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_BLANKET_APPROVE) && !canBlanketApprove(document, user)) {
129 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_BLANKET_APPROVE);
130 }
131
132 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_CANCEL) && !canCancel(document, user)) {
133 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_CANCEL);
134 }
135
136 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_RECALL) && !canRecall(document, user)) {
137 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_RECALL);
138 }
139
140 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_SAVE) && !canSave(document, user)) {
141 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_SAVE);
142 }
143
144 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_ROUTE) && !canRoute(document, user)) {
145 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_ROUTE);
146 }
147
148 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_ACKNOWLEDGE) && !canAcknowledge(document, user)) {
149 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_ACKNOWLEDGE);
150 }
151
152 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_FYI) && !canFyi(document, user)) {
153 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_FYI);
154 }
155
156 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_APPROVE) && !canApprove(document, user)) {
157 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_APPROVE);
158 }
159
160 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_DISAPPROVE) && !canDisapprove(document, user)) {
161 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_DISAPPROVE);
162 }
163
164 if (!canSendAnyTypeAdHocRequests(document, user)) {
165 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_ADD_ADHOC_REQUESTS);
166 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_SEND_ADHOC_REQUESTS);
167 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_SEND_NOTE_FYI);
168 }
169
170 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_SEND_NOTE_FYI) && !canSendNoteFyi(document, user)) {
171 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_SEND_NOTE_FYI);
172 }
173
174 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_ANNOTATE) && !canAnnotate(document, user)) {
175 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_ANNOTATE);
176 }
177
178 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_EDIT_DOCUMENT_OVERVIEW) && !canEditDocumentOverview(
179 document, user)) {
180 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_EDIT_DOCUMENT_OVERVIEW);
181 }
182
183 if (documentActions.contains(KRADConstants.KUALI_ACTION_PERFORM_ROUTE_REPORT) && !canPerformRouteReport(document,
184 user)) {
185 documentActions.remove(KRADConstants.KUALI_ACTION_PERFORM_ROUTE_REPORT);
186 }
187
188 return documentActions;
189 }
190
191 @Override
192 /**
193 * TODO: What is this used for? It's called often.
194 */
195 public boolean canInitiate(String documentTypeName, Person user) {
196 return this.rolesIndicateGeneralReadAccess();
197 }
198
199 @Override
200 /**
201 *
202 * One Reference in KualiDocumentActionBase:366
203 */
204 public boolean canOpen(Document document, Person user) {
205 return this.rolesIndicateGeneralReadAccess();
206 }
207
208 @Override
209 public boolean canEdit(Document document, Person user) {
210 return this.rolesIndicateGeneralWriteAccess();
211 }
212
213 @Override
214 public boolean canAnnotate(Document document, Person user) {
215 return true;
216 }
217
218 @Override
219 public boolean canReload(Document document, Person user) {
220 return true;
221 }
222
223 @Override
224 public boolean canClose(Document document, Person user) {
225 return true;
226 }
227
228 @Override
229 public boolean canSave(Document document, Person user) {
230 return this.rolesIndicateGeneralWriteAccess();
231 }
232
233 @Override
234 public boolean canRoute(Document document, Person user) {
235 return true;
236 }
237
238 @Override
239 public boolean canCancel(Document document, Person user) {
240 return true;
241 }
242
243 @Override
244 public boolean canCopy(Document document, Person user) {
245 return this.rolesIndicateGeneralWriteAccess();
246 }
247
248 @Override
249 public boolean canPerformRouteReport(Document document, Person user) {
250 return true;
251 }
252
253 @Override
254 public boolean canBlanketApprove(Document document, Person user) {
255 return true;
256 }
257
258 @Override
259 public boolean canApprove(Document document, Person user) {
260 return true;
261 }
262
263 @Override
264 public boolean canDisapprove(Document document, Person user) {
265 return true;
266 }
267
268 @Override
269 public boolean canSendNoteFyi(Document document, Person user) {
270 return true;
271 }
272
273 @Override
274 public boolean canEditDocumentOverview(Document document, Person user) {
275 return true;
276 }
277
278 @Override
279 public boolean canFyi(Document document, Person user) {
280 return true;
281 }
282
283 @Override
284 public boolean canAcknowledge(Document document, Person user) {
285 return true;
286 }
287
288 @Override
289 public boolean canReceiveAdHoc(Document document, Person user, String actionRequestCode) {
290 return true;
291 }
292
293 @Override
294 public boolean canAddNoteAttachment(Document document, String attachmentTypeCode, Person user) {
295 return true;
296 }
297
298 @Override
299 public boolean canDeleteNoteAttachment(Document document, String attachmentTypeCode, String createdBySelfOnly, Person user) {
300 return true;
301 }
302
303 @Override
304 public boolean canViewNoteAttachment(Document document,String attachmentTypeCode, Person user) {
305 return true;
306 }
307
308 @Override
309 public boolean canViewNoteAttachment(Document document, String attachmentTypeCode, String authorUniversalIdentifier, Person user) {
310 return true;
311 }
312
313 @Override
314 public boolean canSendAdHocRequests(Document document, String actionRequestCd, Person user) {
315 return true;
316 }
317
318 @Override
319 public boolean canSendAnyTypeAdHocRequests(Document document, Person user) {
320 return true;
321 }
322
323 @Override
324 public boolean canTakeRequestedAction(Document document, String actionRequestCode, Person user) {
325 return true;
326 }
327
328 @Override
329 public boolean canRecall(Document document, Person user) {
330 return true;
331 }
332
333 // Methods from DataObjectAuthorizer
334
335 @Override
336 public boolean isAuthorized(Object dataObject, String namespaceCode, String permissionName, String principalId) {
337 return true;
338 }
339
340 @Override
341 public boolean isAuthorizedByTemplate(Object dataObject, String namespaceCode, String permissionTemplateName, String principalId) {
342 return true;
343 }
344
345 @Override
346 public boolean isAuthorized(Object dataObject, String namespaceCode, String permissionName, String principalId,
347 Map<String, String> additionalPermissionDetails, Map<String, String> additionalRoleQualifiers) {
348 return true;
349 }
350
351
352 // Methods from InquiryOrMaintenanceDocumentAuthorizer
353
354 @Override
355 /**
356 * Can't return null.
357 */
358 public Set<String> getSecurePotentiallyHiddenSectionIds() {
359 return new HashSet<String>();
360 }
361
362 // Override this if necessary:
363
364 /**
365 * Returns the UserRoles object for the CURRENT user. This will take into
366 * account target/backdoor user status. Subclasses can override this if
367 * necessary.
368 *
369 * @return The UserRoles object for the current user.
370 */
371 public UserRoles getRoles() {
372 return TkUserRoles.getUserRoles(GlobalVariables.getUserSession().getPrincipalId());
373 }
374
375 // Subclasses will implement these methods
376
377 /**
378 * Method to indicate whether or not the Context current user can read
379 * objects if the current maintenance type.
380 *
381 * @return true if readable, false otherwise.
382 */
383 abstract public boolean rolesIndicateGeneralReadAccess();
384
385 /**
386 * Method to indicate whether or not the Context current user can create/edit
387 * objects if the current maintenance type.
388 *
389 * @return true if create/editable, false otherwise.
390 */
391 abstract public boolean rolesIndicateGeneralWriteAccess();
392
393 /**
394 * Indicates whether or not the current Context user has create/edit rights
395 * to the provided BusinessObject.
396 *
397 * @param bo The BusinessObject under investigation.
398 *
399 * @return true if editable, false otherwise.
400 */
401 abstract public boolean rolesIndicateWriteAccess(BusinessObject bo);
402
403 /**
404 * Indicates whether or not the current Context user has view rights to the
405 * provided BusinessObject.
406 *
407 * @param bo The BusinessObject under investigation.
408 *
409 * @return true if editable, false otherwise.
410 */
411 abstract public boolean rolesIndicateReadAccess(BusinessObject bo);
412 }