View Javadoc

1   /**
2    * Copyright 2004-2013 The Kuali Foundation
3    *
4    * Licensed under the Educational Community License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    * http://www.opensource.org/licenses/ecl2.php
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  package org.kuali.hr.time.authorization;
17  
18  import java.util.HashMap;
19  import java.util.HashSet;
20  import java.util.Map;
21  import java.util.Set;
22  
23  import org.apache.commons.lang.StringUtils;
24  import org.kuali.hr.time.roles.TkUserRoles;
25  import org.kuali.hr.time.roles.UserRoles;
26  import org.kuali.hr.time.util.TKContext;
27  import org.kuali.hr.time.util.TKUser;
28  import org.kuali.rice.kim.api.identity.Person;
29  import org.kuali.rice.kns.document.authorization.DocumentAuthorizer;
30  import org.kuali.rice.kns.document.authorization.MaintenanceDocumentAuthorizer;
31  import org.kuali.rice.krad.bo.BusinessObject;
32  import org.kuali.rice.krad.document.Document;
33  import org.kuali.rice.krad.maintenance.MaintenanceDocument;
34  import org.kuali.rice.krad.util.GlobalVariables;
35  import org.kuali.rice.krad.util.KRADConstants;
36  
37  /**
38   * Base class for the implementation of Authorization in KPME Time and Attendance.
39   *
40   * Role Security Grid Documentation:
41   * https://wiki.kuali.org/display/KPME/Role+Security+Grid
42   */
43  public abstract class TkMaintenanceDocumentAuthorizerBase implements MaintenanceDocumentAuthorizer, DocumentAuthorizer {
44  
45      // Methods from BusinessObjectAuthorizer
46  
47      @Override
48      public boolean isAuthorized(BusinessObject businessObject, String namespaceCode, String permissionName, String principalId) {
49          return true;
50      }
51  
52      @Override
53      public boolean isAuthorizedByTemplate(BusinessObject businessObject, String namespaceCode, String permissionTemplateName, String principalId) {
54          return true;
55      }
56  
57      @Override
58      public boolean isAuthorized(BusinessObject businessObject, String namespaceCode, String permissionName, String principalId, Map<String, String> additionalPermissionDetails, Map<String, String> additionalRoleQualifiers) {
59          return true;
60      }
61      
62      @Override
63      public boolean isAuthorizedByTemplate(Object dataObject, String namespaceCode, String permissionTemplateName, String principalId, Map<String, String> additionalPermissionDetails, Map<String, String> additionalRoleQualifiers) {
64      	return true;
65      }
66  
67      @Override
68      public Map<String, String> getCollectionItemRoleQualifications(BusinessObject collectionItemBusinessObject) {
69          return new HashMap<String,String>();
70      }
71  
72      @Override
73      public Map<String, String> getCollectionItemPermissionDetails(BusinessObject collectionItemBusinessObject) {
74          return new HashMap<String,String>();
75      }
76  
77      // Methods from MaintenanceDocumentAuthorizer
78  
79      @Override
80      public boolean canCreate(Class boClass, Person user) {
81          return this.rolesIndicateGeneralWriteAccess();
82      }
83  
84      @Override
85      /**
86       * In lookup, called for each Business object if the user can edit or not.
87       */
88      public boolean canMaintain(Object dataObject, Person user) {
89          return this.rolesIndicateWriteAccess((BusinessObject) dataObject);
90      }
91  
92      @Override
93      /**
94       * Called when submit is clicked from maintenance doc
95       */
96      public boolean canCreateOrMaintain(MaintenanceDocument maintenanceDocument, Person user){
97          return this.rolesIndicateWriteAccess((BusinessObject) maintenanceDocument.getNewMaintainableObject().getDataObject());
98      }
99  
100     @Override
101     public Set<String> getSecurePotentiallyReadOnlySectionIds() {
102         return new HashSet<String>();
103     }
104 
105     // Methods from DocumentAuthorizer
106     
107 
108     /**
109      * Copied from DocumentAuthorizerBase
110      */
111 	@Override
112 	public Set<String> getDocumentActions(Document document, Person user, Set<String> documentActions) {
113         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_EDIT) && !canEdit(document, user)) {
114             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_EDIT);
115         }
116 
117         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_COPY) && !canCopy(document, user)) {
118             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_COPY);
119         }
120 
121         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_CLOSE) && !canClose(document, user)) {
122             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_CLOSE);
123         }
124 
125         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_RELOAD) && !canReload(document, user)) {
126             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_RELOAD);
127         }
128 
129         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_BLANKET_APPROVE) && !canBlanketApprove(document, user)) {
130             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_BLANKET_APPROVE);
131         }
132 
133         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_CANCEL) && !canCancel(document, user)) {
134             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_CANCEL);
135         }
136 
137         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_RECALL) && !canRecall(document, user)) {
138             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_RECALL);
139         }
140 
141         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_SAVE) && !canSave(document, user)) {
142             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_SAVE);
143         }
144 
145         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_ROUTE) && !canRoute(document, user)) {
146             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_ROUTE);
147         }
148 
149         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_ACKNOWLEDGE) && !canAcknowledge(document, user)) {
150             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_ACKNOWLEDGE);
151         }
152 
153         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_FYI) && !canFyi(document, user)) {
154             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_FYI);
155         }
156 
157         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_APPROVE) && !canApprove(document, user)) {
158             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_APPROVE);
159         }
160 
161         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_DISAPPROVE) && !canDisapprove(document, user)) {
162             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_DISAPPROVE);
163         }
164 
165         if (!canSendAnyTypeAdHocRequests(document, user)) {
166             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_ADD_ADHOC_REQUESTS);
167             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_SEND_ADHOC_REQUESTS);
168             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_SEND_NOTE_FYI);
169         }
170 
171         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_SEND_NOTE_FYI) && !canSendNoteFyi(document, user)) {
172             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_SEND_NOTE_FYI);
173         }
174 
175         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_ANNOTATE) && !canAnnotate(document, user)) {
176             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_ANNOTATE);
177         }
178 
179         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_EDIT_DOCUMENT_OVERVIEW) && !canEditDocumentOverview(
180                 document, user)) {
181             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_EDIT_DOCUMENT_OVERVIEW);
182         }
183 
184         if (documentActions.contains(KRADConstants.KUALI_ACTION_PERFORM_ROUTE_REPORT) && !canPerformRouteReport(document,
185                 user)) {
186             documentActions.remove(KRADConstants.KUALI_ACTION_PERFORM_ROUTE_REPORT);
187         }
188         // looking at the document status
189         String documentStatus = document.getDocumentHeader().getWorkflowDocument().getStatus().name();
190 
191         if (StringUtils.equals(documentStatus, "FINAL")) {
192             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_APPROVE);
193             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_DISAPPROVE);
194         }
195 
196         return documentActions;
197 	}
198 
199     @Override
200     /**
201      * TODO: What is this used for? It's called often.
202      */
203     public boolean canInitiate(String documentTypeName, Person user) {
204         return this.rolesIndicateGeneralReadAccess();
205     }
206 
207     @Override
208     /**
209      * 
210      * One Reference in KualiDocumentActionBase:366
211      */
212     public boolean canOpen(Document document, Person user) {
213     	return this.rolesIndicateGeneralReadAccess();
214     }
215     
216     @Override
217     public boolean canEdit(Document document, Person user) {
218     	return this.rolesIndicateGeneralWriteAccess();
219     }
220     
221     @Override
222     public boolean canAnnotate(Document document, Person user) {
223     	return true;
224     }
225 
226     @Override
227     public boolean canReload(Document document, Person user) {
228     	return true;
229     }
230 
231     @Override
232     public boolean canClose(Document document, Person user) {
233     	return true;
234     }
235 
236     @Override
237     public boolean canSave(Document document, Person user) {
238     	return this.rolesIndicateGeneralWriteAccess();
239     }
240 
241     @Override
242     public boolean canRoute(Document document, Person user) {
243     	return true;
244     }
245 
246     @Override
247     public boolean canCancel(Document document, Person user) {
248     	return true;
249     }
250 
251     @Override
252     public boolean canCopy(Document document, Person user) {
253     	return this.rolesIndicateGeneralWriteAccess();
254     }
255 
256     @Override
257     public boolean canPerformRouteReport(Document document, Person user) {
258     	return true;
259     }
260 
261     @Override
262     public boolean canBlanketApprove(Document document, Person user) {
263     	return true;
264     }
265 
266     @Override
267     public boolean canApprove(Document document, Person user) {
268     	return true;
269     }
270 
271     @Override
272     public boolean canDisapprove(Document document, Person user) {
273     	return true;
274     }
275 
276     @Override
277     public boolean canSendNoteFyi(Document document, Person user) {
278     	return true;
279     }
280 
281     @Override
282     public boolean canEditDocumentOverview(Document document, Person user) {
283     	return true;
284     }
285 
286     @Override
287     public boolean canFyi(Document document, Person user) {
288     	return true;
289     }
290 
291     @Override
292     public boolean canAcknowledge(Document document, Person user) {
293     	return true;
294     }
295 
296     @Override
297     public boolean canReceiveAdHoc(Document document, Person user, String actionRequestCode) {
298         return true;
299     }
300 
301     @Override
302     public boolean canAddNoteAttachment(Document document, String attachmentTypeCode, Person user) {
303         return true;
304     }
305 
306     @Override
307     public boolean canDeleteNoteAttachment(Document document, String attachmentTypeCode, String createdBySelfOnly, Person user) {
308         return true;
309     }
310 
311 	@Override
312 	public boolean canViewNoteAttachment(Document document,String attachmentTypeCode, Person user) {
313 		return true;
314 	}
315 
316     @Override
317     public boolean canViewNoteAttachment(Document document, String attachmentTypeCode, String authorUniversalIdentifier, Person user) {
318         return true;
319     }
320 
321     @Override
322     public boolean canSendAdHocRequests(Document document, String actionRequestCd, Person user) {
323         return true;
324     }
325     
326     @Override
327     public boolean canSendAnyTypeAdHocRequests(Document document, Person user) {
328     	return true;
329     }
330 
331     @Override
332     public boolean canTakeRequestedAction(Document document, String actionRequestCode, Person user) {
333     	return true;
334     }
335     
336     @Override
337     public boolean canRecall(Document document, Person user) {
338     	return true;
339     }
340     
341     // Methods from DataObjectAuthorizer
342     
343     @Override
344     public boolean isAuthorized(Object dataObject, String namespaceCode, String permissionName, String principalId) {
345     	return true;
346     }
347 
348     @Override
349     public boolean isAuthorizedByTemplate(Object dataObject, String namespaceCode, String permissionTemplateName, String principalId) {
350     	return true;
351     }
352 
353     @Override
354     public boolean isAuthorized(Object dataObject, String namespaceCode, String permissionName, String principalId,
355             Map<String, String> additionalPermissionDetails, Map<String, String> additionalRoleQualifiers) {
356     	return true;
357     }
358 
359 
360     // Methods from InquiryOrMaintenanceDocumentAuthorizer
361 
362     @Override
363     /**
364      * Can't return null.
365      */
366     public Set<String> getSecurePotentiallyHiddenSectionIds() {
367         return new HashSet<String>();
368     }
369 
370     // Override this if necessary:
371 
372     /**
373      * Returns the UserRoles object for the CURRENT user. This will take into
374      * account target/backdoor user status. Subclasses can override this if
375      * necessary.
376      *
377      * @return The UserRoles object for the current user.
378      */
379     public UserRoles getRoles() {
380         return TkUserRoles.getUserRoles(GlobalVariables.getUserSession().getPrincipalId());
381     }
382 
383     // Subclasses will implement these methods
384 
385     /**
386      * Method to indicate whether or not the Context current user can read
387      * objects if the current maintenance type.
388      *
389      * @return true if readable, false otherwise.
390      */
391     abstract public boolean rolesIndicateGeneralReadAccess();
392 
393     /**
394      * Method to indicate whether or not the Context current user can create/edit
395      * objects if the current maintenance type.
396      *
397      * @return true if create/editable, false otherwise.
398      */
399     abstract public boolean rolesIndicateGeneralWriteAccess();
400 
401     /**
402      * Indicates whether or not the current Context user has create/edit rights
403      * to the provided BusinessObject.
404      *
405      * @param bo The BusinessObject under investigation.
406      *
407      * @return true if editable, false otherwise.
408      */
409     abstract public boolean rolesIndicateWriteAccess(BusinessObject bo);
410 
411     /**
412      * Indicates whether or not the current Context user has view rights to the
413      * provided BusinessObject.
414      *
415      * @param bo The BusinessObject under investigation.
416      *
417      * @return true if editable, false otherwise.
418      */
419     abstract public boolean rolesIndicateReadAccess(BusinessObject bo);
420 }