View Javadoc

1   /**
2    * Copyright 2004-2013 The Kuali Foundation
3    *
4    * Licensed under the Educational Community License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    * http://www.opensource.org/licenses/ecl2.php
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  package org.kuali.hr.time.authorization;
17  
18  import java.util.HashMap;
19  import java.util.HashSet;
20  import java.util.Map;
21  import java.util.Set;
22  
23  import org.kuali.hr.time.roles.TkUserRoles;
24  import org.kuali.hr.time.roles.UserRoles;
25  import org.kuali.hr.time.util.TKContext;
26  import org.kuali.hr.time.util.TKUser;
27  import org.kuali.rice.kim.api.identity.Person;
28  import org.kuali.rice.kns.document.authorization.DocumentAuthorizer;
29  import org.kuali.rice.kns.document.authorization.MaintenanceDocumentAuthorizer;
30  import org.kuali.rice.krad.bo.BusinessObject;
31  import org.kuali.rice.krad.document.Document;
32  import org.kuali.rice.krad.maintenance.MaintenanceDocument;
33  import org.kuali.rice.krad.util.GlobalVariables;
34  import org.kuali.rice.krad.util.KRADConstants;
35  
36  /**
37   * Base class for the implementation of Authorization in KPME Time and Attendance.
38   *
39   * Role Security Grid Documentation:
40   * https://wiki.kuali.org/display/KPME/Role+Security+Grid
41   */
42  public abstract class TkMaintenanceDocumentAuthorizerBase implements MaintenanceDocumentAuthorizer, DocumentAuthorizer {
43  
44      // Methods from BusinessObjectAuthorizer
45  
46      @Override
47      public boolean isAuthorized(BusinessObject businessObject, String namespaceCode, String permissionName, String principalId) {
48          return true;
49      }
50  
51      @Override
52      public boolean isAuthorizedByTemplate(BusinessObject businessObject, String namespaceCode, String permissionTemplateName, String principalId) {
53          return true;
54      }
55  
56      @Override
57      public boolean isAuthorized(BusinessObject businessObject, String namespaceCode, String permissionName, String principalId, Map<String, String> additionalPermissionDetails, Map<String, String> additionalRoleQualifiers) {
58          return true;
59      }
60      
61      @Override
62      public boolean isAuthorizedByTemplate(Object dataObject, String namespaceCode, String permissionTemplateName, String principalId, Map<String, String> additionalPermissionDetails, Map<String, String> additionalRoleQualifiers) {
63      	return true;
64      }
65  
66      @Override
67      public Map<String, String> getCollectionItemRoleQualifications(BusinessObject collectionItemBusinessObject) {
68          return new HashMap<String,String>();
69      }
70  
71      @Override
72      public Map<String, String> getCollectionItemPermissionDetails(BusinessObject collectionItemBusinessObject) {
73          return new HashMap<String,String>();
74      }
75  
76      // Methods from MaintenanceDocumentAuthorizer
77  
78      @Override
79      public boolean canCreate(Class boClass, Person user) {
80          return this.rolesIndicateGeneralWriteAccess();
81      }
82  
83      @Override
84      /**
85       * In lookup, called for each Business object if the user can edit or not.
86       */
87      public boolean canMaintain(Object dataObject, Person user) {
88          return this.rolesIndicateWriteAccess((BusinessObject) dataObject);
89      }
90  
91      @Override
92      /**
93       * Called when submit is clicked from maintenance doc
94       */
95      public boolean canCreateOrMaintain(MaintenanceDocument maintenanceDocument, Person user){
96          return this.rolesIndicateWriteAccess((BusinessObject) maintenanceDocument.getNewMaintainableObject().getDataObject());
97      }
98  
99      @Override
100     public Set<String> getSecurePotentiallyReadOnlySectionIds() {
101         return new HashSet<String>();
102     }
103 
104     // Methods from DocumentAuthorizer
105     
106 
107     /**
108      * Copied from DocumentAuthorizerBase
109      */
110 	@Override
111 	public Set<String> getDocumentActions(Document document, Person user, Set<String> documentActions) {
112         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_EDIT) && !canEdit(document, user)) {
113             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_EDIT);
114         }
115 
116         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_COPY) && !canCopy(document, user)) {
117             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_COPY);
118         }
119 
120         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_CLOSE) && !canClose(document, user)) {
121             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_CLOSE);
122         }
123 
124         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_RELOAD) && !canReload(document, user)) {
125             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_RELOAD);
126         }
127 
128         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_BLANKET_APPROVE) && !canBlanketApprove(document, user)) {
129             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_BLANKET_APPROVE);
130         }
131 
132         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_CANCEL) && !canCancel(document, user)) {
133             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_CANCEL);
134         }
135 
136         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_RECALL) && !canRecall(document, user)) {
137             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_RECALL);
138         }
139 
140         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_SAVE) && !canSave(document, user)) {
141             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_SAVE);
142         }
143 
144         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_ROUTE) && !canRoute(document, user)) {
145             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_ROUTE);
146         }
147 
148         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_ACKNOWLEDGE) && !canAcknowledge(document, user)) {
149             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_ACKNOWLEDGE);
150         }
151 
152         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_FYI) && !canFyi(document, user)) {
153             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_FYI);
154         }
155 
156         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_APPROVE) && !canApprove(document, user)) {
157             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_APPROVE);
158         }
159 
160         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_DISAPPROVE) && !canDisapprove(document, user)) {
161             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_DISAPPROVE);
162         }
163 
164         if (!canSendAnyTypeAdHocRequests(document, user)) {
165             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_ADD_ADHOC_REQUESTS);
166             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_SEND_ADHOC_REQUESTS);
167             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_SEND_NOTE_FYI);
168         }
169 
170         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_SEND_NOTE_FYI) && !canSendNoteFyi(document, user)) {
171             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_SEND_NOTE_FYI);
172         }
173 
174         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_ANNOTATE) && !canAnnotate(document, user)) {
175             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_ANNOTATE);
176         }
177 
178         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_EDIT_DOCUMENT_OVERVIEW) && !canEditDocumentOverview(
179                 document, user)) {
180             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_EDIT_DOCUMENT_OVERVIEW);
181         }
182 
183         if (documentActions.contains(KRADConstants.KUALI_ACTION_PERFORM_ROUTE_REPORT) && !canPerformRouteReport(document,
184                 user)) {
185             documentActions.remove(KRADConstants.KUALI_ACTION_PERFORM_ROUTE_REPORT);
186         }
187 
188         return documentActions;
189 	}
190 
191     @Override
192     /**
193      * TODO: What is this used for? It's called often.
194      */
195     public boolean canInitiate(String documentTypeName, Person user) {
196         return this.rolesIndicateGeneralReadAccess();
197     }
198 
199     @Override
200     /**
201      * 
202      * One Reference in KualiDocumentActionBase:366
203      */
204     public boolean canOpen(Document document, Person user) {
205     	return this.rolesIndicateGeneralReadAccess();
206     }
207     
208     @Override
209     public boolean canEdit(Document document, Person user) {
210     	return this.rolesIndicateGeneralWriteAccess();
211     }
212     
213     @Override
214     public boolean canAnnotate(Document document, Person user) {
215     	return true;
216     }
217 
218     @Override
219     public boolean canReload(Document document, Person user) {
220     	return true;
221     }
222 
223     @Override
224     public boolean canClose(Document document, Person user) {
225     	return true;
226     }
227 
228     @Override
229     public boolean canSave(Document document, Person user) {
230     	return this.rolesIndicateGeneralWriteAccess();
231     }
232 
233     @Override
234     public boolean canRoute(Document document, Person user) {
235     	return true;
236     }
237 
238     @Override
239     public boolean canCancel(Document document, Person user) {
240     	return true;
241     }
242 
243     @Override
244     public boolean canCopy(Document document, Person user) {
245     	return this.rolesIndicateGeneralWriteAccess();
246     }
247 
248     @Override
249     public boolean canPerformRouteReport(Document document, Person user) {
250     	return true;
251     }
252 
253     @Override
254     public boolean canBlanketApprove(Document document, Person user) {
255     	return true;
256     }
257 
258     @Override
259     public boolean canApprove(Document document, Person user) {
260     	return true;
261     }
262 
263     @Override
264     public boolean canDisapprove(Document document, Person user) {
265     	return true;
266     }
267 
268     @Override
269     public boolean canSendNoteFyi(Document document, Person user) {
270     	return true;
271     }
272 
273     @Override
274     public boolean canEditDocumentOverview(Document document, Person user) {
275     	return true;
276     }
277 
278     @Override
279     public boolean canFyi(Document document, Person user) {
280     	return true;
281     }
282 
283     @Override
284     public boolean canAcknowledge(Document document, Person user) {
285     	return true;
286     }
287 
288     @Override
289     public boolean canReceiveAdHoc(Document document, Person user, String actionRequestCode) {
290         return true;
291     }
292 
293     @Override
294     public boolean canAddNoteAttachment(Document document, String attachmentTypeCode, Person user) {
295         return true;
296     }
297 
298     @Override
299     public boolean canDeleteNoteAttachment(Document document, String attachmentTypeCode, String createdBySelfOnly, Person user) {
300         return true;
301     }
302 
303 	@Override
304 	public boolean canViewNoteAttachment(Document document,String attachmentTypeCode, Person user) {
305 		return true;
306 	}
307 
308     @Override
309     public boolean canViewNoteAttachment(Document document, String attachmentTypeCode, String authorUniversalIdentifier, Person user) {
310         return true;
311     }
312 
313     @Override
314     public boolean canSendAdHocRequests(Document document, String actionRequestCd, Person user) {
315         return true;
316     }
317     
318     @Override
319     public boolean canSendAnyTypeAdHocRequests(Document document, Person user) {
320     	return true;
321     }
322 
323     @Override
324     public boolean canTakeRequestedAction(Document document, String actionRequestCode, Person user) {
325     	return true;
326     }
327     
328     @Override
329     public boolean canRecall(Document document, Person user) {
330     	return true;
331     }
332     
333     // Methods from DataObjectAuthorizer
334     
335     @Override
336     public boolean isAuthorized(Object dataObject, String namespaceCode, String permissionName, String principalId) {
337     	return true;
338     }
339 
340     @Override
341     public boolean isAuthorizedByTemplate(Object dataObject, String namespaceCode, String permissionTemplateName, String principalId) {
342     	return true;
343     }
344 
345     @Override
346     public boolean isAuthorized(Object dataObject, String namespaceCode, String permissionName, String principalId,
347             Map<String, String> additionalPermissionDetails, Map<String, String> additionalRoleQualifiers) {
348     	return true;
349     }
350 
351 
352     // Methods from InquiryOrMaintenanceDocumentAuthorizer
353 
354     @Override
355     /**
356      * Can't return null.
357      */
358     public Set<String> getSecurePotentiallyHiddenSectionIds() {
359         return new HashSet<String>();
360     }
361 
362     // Override this if necessary:
363 
364     /**
365      * Returns the UserRoles object for the CURRENT user. This will take into
366      * account target/backdoor user status. Subclasses can override this if
367      * necessary.
368      *
369      * @return The UserRoles object for the current user.
370      */
371     public UserRoles getRoles() {
372         return TkUserRoles.getUserRoles(GlobalVariables.getUserSession().getPrincipalId());
373     }
374 
375     // Subclasses will implement these methods
376 
377     /**
378      * Method to indicate whether or not the Context current user can read
379      * objects if the current maintenance type.
380      *
381      * @return true if readable, false otherwise.
382      */
383     abstract public boolean rolesIndicateGeneralReadAccess();
384 
385     /**
386      * Method to indicate whether or not the Context current user can create/edit
387      * objects if the current maintenance type.
388      *
389      * @return true if create/editable, false otherwise.
390      */
391     abstract public boolean rolesIndicateGeneralWriteAccess();
392 
393     /**
394      * Indicates whether or not the current Context user has create/edit rights
395      * to the provided BusinessObject.
396      *
397      * @param bo The BusinessObject under investigation.
398      *
399      * @return true if editable, false otherwise.
400      */
401     abstract public boolean rolesIndicateWriteAccess(BusinessObject bo);
402 
403     /**
404      * Indicates whether or not the current Context user has view rights to the
405      * provided BusinessObject.
406      *
407      * @param bo The BusinessObject under investigation.
408      *
409      * @return true if editable, false otherwise.
410      */
411     abstract public boolean rolesIndicateReadAccess(BusinessObject bo);
412 }