1 /**
2 * Copyright 2004-2013 The Kuali Foundation
3 *
4 * Licensed under the Educational Community License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.opensource.org/licenses/ecl2.php
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16 package org.kuali.hr.time.authorization;
17
18 import org.apache.commons.lang.StringUtils;
19 import org.apache.log4j.Logger;
20 import org.kuali.hr.time.roles.UserRoles;
21 import org.kuali.hr.time.util.TKContext;
22 import org.kuali.hr.time.util.TkConstants;
23 import org.kuali.rice.krad.bo.BusinessObject;
24
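/**
 * Implements authorization logic for the "Departmental Rules":
 *
 * <ul>
 *   <li>ClockLocationRule</li>
 *   <li>TimeCollectionRule</li>
 *   <li>DeptLunchRule</li>
 *   <li>WorkArea</li>
 * </ul>
 *
 * The role-level ("general") checks decide whether the current user may reach the
 * maintenance and lookup screens at all. The object-level checks decide access to one
 * specific {@link DepartmentalRule} by comparing its department and work area with the
 * areas the current context user administers or approves. Every check fails closed:
 * anything that is not recognised is denied.
 *
 * See:
 * https://wiki.kuali.org/display/KPME/Role+Security+Grid
 */
public class DepartmentalRuleAuthorizer extends TkMaintenanceDocumentAuthorizerBase {

    private static final Logger LOG = Logger.getLogger(DepartmentalRuleAuthorizer.class);

    /**
     * General read access. System administrators, global view-only users, organisation
     * administrators (by chart or by department), department view-only users and anyone
     * with an active approver role may read departmental rules.
     *
     * @return true if the current user's roles grant read access to the rule screens.
     */
    @Override
    public boolean rolesIndicateGeneralReadAccess() {
        return getRoles().isSystemAdmin()
                || getRoles().isGlobalViewOnly()
                || getRoles().getOrgAdminCharts().size() > 0
                || getRoles().getOrgAdminDepartments().size() > 0
                || getRoles().getDepartmentViewOnlyDepartments().size() > 0
                || getRoles().isAnyApproverActive();
    }

    /**
     * General write access. Only system administrators and organisation administrators
     * (by chart or by department) may maintain departmental rules; approver and
     * view-only roles are deliberately excluded.
     *
     * @return true if the current user's roles grant write access to the rule screens.
     */
    @Override
    public boolean rolesIndicateGeneralWriteAccess() {
        return getRoles().isSystemAdmin()
                || getRoles().getOrgAdminCharts().size() > 0
                || getRoles().getOrgAdminDepartments().size() > 0;
    }

    /**
     * Object-level write check. Objects that are not a {@link DepartmentalRule} are
     * denied; otherwise the decision is delegated to
     * {@link #hasAccessToWrite(DepartmentalRule)}.
     *
     * @param bo the business object being maintained.
     * @return true if the current context user may write {@code bo}.
     */
    @Override
    public boolean rolesIndicateWriteAccess(BusinessObject bo) {
        return bo instanceof DepartmentalRule && hasAccessToWrite((DepartmentalRule) bo);
    }

    /**
     * Object-level read check. Objects that are not a {@link DepartmentalRule} are
     * denied; otherwise the decision is delegated to
     * {@link #hasAccessToRead(DepartmentalRule)}.
     *
     * @param bo the business object being viewed.
     * @return true if the current context user may read {@code bo}.
     */
    @Override
    public boolean rolesIndicateReadAccess(BusinessObject bo) {
        return bo instanceof DepartmentalRule && hasAccessToRead((DepartmentalRule) bo);
    }

    /**
     * Static helper method to provide a single point of access for both Kuali Rice
     * maintenance page hooks as well as Lookupable filtering.
     *
     * Write access is decided on the department alone; the rule's work area is not
     * consulted. A rule for the wildcard department can only be written by a system
     * administrator.
     *
     * @param dr The business object under investigation; may be null, in which case only
     *           a system administrator is granted access.
     *
     * @return true if writable by current context user, false otherwise.
     */
    public static boolean hasAccessToWrite(DepartmentalRule dr) {
        if (TKContext.getUser().isSystemAdmin()) {
            return true;
        }
        if (dr == null || TKContext.getUser().getDepartmentAdminAreas().size() == 0) {
            return false;
        }

        String dept = dr.getDept();
        if (StringUtils.equals(dept, TkConstants.WILDCARD_CHARACTER)) {
            // Wildcard department: must be system administrator (already handled above).
            return false;
        }
        // Must administer the rule's parent department.
        return TKContext.getUser().getDepartmentAdminAreas().contains(dept);
    }

    /**
     * Static helper method to provide a single point of access for both Kuali Rice
     * maintenance page hooks as well as Lookupable filtering.
     *
     * @param dr The business object under investigation; may be null, in which case only
     *           system administrators and global view-only users are granted access.
     *
     * @return true if readable by current context user, false otherwise.
     */
    public static boolean hasAccessToRead(DepartmentalRule dr) {
        if (TKContext.getUser().isSystemAdmin() || TKContext.getUser().isGlobalViewOnly()) {
            return true;
        }
        if (dr == null) {
            return false;
        }

        //    dept      | workArea  | meaning
        //    ----------|-----------|-------------------------------------------------------
        // 1: %         | -1        | any dept / work-area role is sufficient
        // 2: %         | <defined> | not permitted; logged and denied
        // 3: <defined> | -1        | must administer the department, any work area
        // 4: <defined> | <defined> | must approve the work area or administer the department
        boolean wildcardDept = StringUtils.equals(dr.getDept(), TkConstants.WILDCARD_CHARACTER);
        boolean wildcardWorkArea = isWildcardWorkArea(dr);

        if (wildcardDept && wildcardWorkArea) {
            // case 1
            return TKContext.getUser().getApproverWorkAreas().size() > 0
                    || TKContext.getUser().getLocationAdminAreas().size() > 0
                    || TKContext.getUser().getDepartmentAdminAreas().size() > 0;
        }
        if (wildcardDept) {
            // case 2: should not exist in the data; record it and deny.
            LOG.error("Invalid case encountered while scanning business objects: Wildcard Department & Defined workArea.");
            return false;
        }
        if (wildcardWorkArea) {
            // case 3
            return TKContext.getUser().getDepartmentAdminAreas().contains(dr.getDept());
        }
        // case 4
        return TKContext.getUser().getApproverWorkAreas().contains(dr.getWorkArea())
                || TKContext.getUser().getDepartmentAdminAreas().contains(dr.getDept());
    }

    /**
     * Null-safe test for the wildcard work area.
     *
     * A rule whose work area is null is treated as having a defined (non-wildcard) work
     * area, so it falls through to the containment checks instead of throwing a
     * NullPointerException out of the authorizer; this can only narrow access, never
     * widen it.
     *
     * @param dr the rule to inspect; must not be null.
     * @return true if the rule's work area equals {@code TkConstants.WILDCARD_LONG}.
     */
    private static boolean isWildcardWorkArea(DepartmentalRule dr) {
        return dr.getWorkArea() != null && dr.getWorkArea().equals(TkConstants.WILDCARD_LONG);
    }

}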