001 /**
002 * Copyright 2004-2013 The Kuali Foundation
003 *
004 * Licensed under the Educational Community License, Version 2.0 (the "License");
005 * you may not use this file except in compliance with the License.
006 * You may obtain a copy of the License at
007 *
008 * http://www.opensource.org/licenses/ecl2.php
009 *
010 * Unless required by applicable law or agreed to in writing, software
011 * distributed under the License is distributed on an "AS IS" BASIS,
012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013 * See the License for the specific language governing permissions and
014 * limitations under the License.
015 */
016 package org.kuali.hr.time.authorization;
017
018 import java.util.HashMap;
019 import java.util.HashSet;
020 import java.util.Map;
021 import java.util.Set;
022
023 import org.kuali.hr.time.roles.TkUserRoles;
024 import org.kuali.hr.time.roles.UserRoles;
025 import org.kuali.rice.kew.api.document.DocumentStatus;
026 import org.kuali.rice.kim.api.identity.Person;
027 import org.kuali.rice.kns.document.authorization.DocumentAuthorizer;
028 import org.kuali.rice.kns.document.authorization.MaintenanceDocumentAuthorizer;
029 import org.kuali.rice.krad.bo.BusinessObject;
030 import org.kuali.rice.krad.document.Document;
031 import org.kuali.rice.krad.maintenance.MaintenanceDocument;
032 import org.kuali.rice.krad.util.GlobalVariables;
033 import org.kuali.rice.krad.util.KRADConstants;
034
035 /**
036 * Base class for the implementation of Authorization in KPME Time and Attendance.
037 *
038 * Role Security Grid Documentation:
039 * https://wiki.kuali.org/display/KPME/Role+Security+Grid
040 */
041 public abstract class TkMaintenanceDocumentAuthorizerBase implements MaintenanceDocumentAuthorizer, DocumentAuthorizer {
042
043 // Methods from BusinessObjectAuthorizer
044
045 @Override
046 public boolean isAuthorized(BusinessObject businessObject, String namespaceCode, String permissionName, String principalId) {
047 return true;
048 }
049
050 @Override
051 public boolean isAuthorizedByTemplate(BusinessObject businessObject, String namespaceCode, String permissionTemplateName, String principalId) {
052 return true;
053 }
054
055 @Override
056 public boolean isAuthorized(BusinessObject businessObject, String namespaceCode, String permissionName, String principalId, Map<String, String> additionalPermissionDetails, Map<String, String> additionalRoleQualifiers) {
057 return true;
058 }
059
060 @Override
061 public boolean isAuthorizedByTemplate(Object dataObject, String namespaceCode, String permissionTemplateName, String principalId, Map<String, String> additionalPermissionDetails, Map<String, String> additionalRoleQualifiers) {
062 return true;
063 }
064
065 @Override
066 public Map<String, String> getCollectionItemRoleQualifications(BusinessObject collectionItemBusinessObject) {
067 return new HashMap<String,String>();
068 }
069
070 @Override
071 public Map<String, String> getCollectionItemPermissionDetails(BusinessObject collectionItemBusinessObject) {
072 return new HashMap<String,String>();
073 }
074
075 // Methods from MaintenanceDocumentAuthorizer
076
077 @Override
078 public boolean canCreate(Class boClass, Person user) {
079 return this.rolesIndicateGeneralWriteAccess();
080 }
081
082 @Override
083 /**
084 * In lookup, called for each Business object if the user can edit or not.
085 */
086 public boolean canMaintain(Object dataObject, Person user) {
087 return this.rolesIndicateWriteAccess((BusinessObject) dataObject);
088 }
089
090 @Override
091 /**
092 * Called when submit is clicked from maintenance doc
093 */
094 public boolean canCreateOrMaintain(MaintenanceDocument maintenanceDocument, Person user){
095 return this.rolesIndicateWriteAccess((BusinessObject) maintenanceDocument.getNewMaintainableObject().getDataObject());
096 }
097
098 @Override
099 public Set<String> getSecurePotentiallyReadOnlySectionIds() {
100 return new HashSet<String>();
101 }
102
103 // Methods from DocumentAuthorizer
104
105
106 /**
107 * Copied from DocumentAuthorizerBase
108 */
109 @Override
110 public Set<String> getDocumentActions(Document document, Person user, Set<String> documentActions) {
111 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_EDIT) && !canEdit(document, user)) {
112 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_EDIT);
113 }
114
115 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_COPY) && !canCopy(document, user)) {
116 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_COPY);
117 }
118
119 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_CLOSE) && !canClose(document, user)) {
120 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_CLOSE);
121 }
122
123 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_RELOAD) && !canReload(document, user)) {
124 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_RELOAD);
125 }
126
127 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_BLANKET_APPROVE) && !canBlanketApprove(document, user)) {
128 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_BLANKET_APPROVE);
129 }
130
131 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_CANCEL) && !canCancel(document, user)) {
132 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_CANCEL);
133 }
134
135 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_RECALL) && !canRecall(document, user)) {
136 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_RECALL);
137 }
138
139 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_SAVE) && !canSave(document, user)) {
140 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_SAVE);
141 }
142
143 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_ROUTE) && !canRoute(document, user)) {
144 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_ROUTE);
145 }
146
147 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_ACKNOWLEDGE) && !canAcknowledge(document, user)) {
148 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_ACKNOWLEDGE);
149 }
150
151 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_FYI) && !canFyi(document, user)) {
152 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_FYI);
153 }
154
155 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_APPROVE) && !canApprove(document, user)) {
156 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_APPROVE);
157 }
158
159 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_DISAPPROVE) && !canDisapprove(document, user)) {
160 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_DISAPPROVE);
161 }
162
163 if (!canSendAnyTypeAdHocRequests(document, user)) {
164 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_ADD_ADHOC_REQUESTS);
165 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_SEND_ADHOC_REQUESTS);
166 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_SEND_NOTE_FYI);
167 }
168
169 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_SEND_NOTE_FYI) && !canSendNoteFyi(document, user)) {
170 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_SEND_NOTE_FYI);
171 }
172
173 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_ANNOTATE) && !canAnnotate(document, user)) {
174 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_ANNOTATE);
175 }
176
177 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_EDIT_DOCUMENT_OVERVIEW) && !canEditDocumentOverview(
178 document, user)) {
179 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_EDIT_DOCUMENT_OVERVIEW);
180 }
181
182 if (documentActions.contains(KRADConstants.KUALI_ACTION_PERFORM_ROUTE_REPORT) && !canPerformRouteReport(document,
183 user)) {
184 documentActions.remove(KRADConstants.KUALI_ACTION_PERFORM_ROUTE_REPORT);
185 }
186
187 DocumentStatus documentStatus = document.getDocumentHeader().getWorkflowDocument().getStatus();
188
189 if (DocumentStatus.INITIATED.equals(documentStatus) || DocumentStatus.SAVED.equals(documentStatus)) {
190 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_APPROVE);
191 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_DISAPPROVE);
192 } else if (DocumentStatus.FINAL.equals(documentStatus)) {
193 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_APPROVE);
194 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_DISAPPROVE);
195 }
196
197 return documentActions;
198 }
199
200 @Override
201 /**
202 * TODO: What is this used for? It's called often.
203 */
204 public boolean canInitiate(String documentTypeName, Person user) {
205 return this.rolesIndicateGeneralReadAccess();
206 }
207
208 @Override
209 /**
210 *
211 * One Reference in KualiDocumentActionBase:366
212 */
213 public boolean canOpen(Document document, Person user) {
214 return this.rolesIndicateGeneralReadAccess();
215 }
216
217 @Override
218 public boolean canEdit(Document document, Person user) {
219 return this.rolesIndicateGeneralWriteAccess();
220 }
221
222 @Override
223 public boolean canAnnotate(Document document, Person user) {
224 return true;
225 }
226
227 @Override
228 public boolean canReload(Document document, Person user) {
229 return true;
230 }
231
232 @Override
233 public boolean canClose(Document document, Person user) {
234 return true;
235 }
236
237 @Override
238 public boolean canSave(Document document, Person user) {
239 return this.rolesIndicateGeneralWriteAccess();
240 }
241
242 @Override
243 public boolean canRoute(Document document, Person user) {
244 return true;
245 }
246
247 @Override
248 public boolean canCancel(Document document, Person user) {
249 return true;
250 }
251
252 @Override
253 public boolean canCopy(Document document, Person user) {
254 return this.rolesIndicateGeneralWriteAccess();
255 }
256
257 @Override
258 public boolean canPerformRouteReport(Document document, Person user) {
259 return true;
260 }
261
262 @Override
263 public boolean canBlanketApprove(Document document, Person user) {
264 return true;
265 }
266
267 @Override
268 public boolean canApprove(Document document, Person user) {
269 return true;
270 }
271
272 @Override
273 public boolean canDisapprove(Document document, Person user) {
274 return true;
275 }
276
277 @Override
278 public boolean canSendNoteFyi(Document document, Person user) {
279 return true;
280 }
281
282 @Override
283 public boolean canEditDocumentOverview(Document document, Person user) {
284 return true;
285 }
286
287 @Override
288 public boolean canFyi(Document document, Person user) {
289 return true;
290 }
291
292 @Override
293 public boolean canAcknowledge(Document document, Person user) {
294 return true;
295 }
296
297 @Override
298 public boolean canReceiveAdHoc(Document document, Person user, String actionRequestCode) {
299 return true;
300 }
301
302 @Override
303 public boolean canAddNoteAttachment(Document document, String attachmentTypeCode, Person user) {
304 return true;
305 }
306
307 @Override
308 public boolean canDeleteNoteAttachment(Document document, String attachmentTypeCode, String createdBySelfOnly, Person user) {
309 return true;
310 }
311
312 @Override
313 public boolean canViewNoteAttachment(Document document,String attachmentTypeCode, Person user) {
314 return true;
315 }
316
317 @Override
318 public boolean canViewNoteAttachment(Document document, String attachmentTypeCode, String authorUniversalIdentifier, Person user) {
319 return true;
320 }
321
322 @Override
323 public boolean canSendAdHocRequests(Document document, String actionRequestCd, Person user) {
324 return true;
325 }
326
327 @Override
328 public boolean canSendAnyTypeAdHocRequests(Document document, Person user) {
329 return true;
330 }
331
332 @Override
333 public boolean canTakeRequestedAction(Document document, String actionRequestCode, Person user) {
334 return true;
335 }
336
337 @Override
338 public boolean canRecall(Document document, Person user) {
339 return true;
340 }
341
342 // Methods from DataObjectAuthorizer
343
344 @Override
345 public boolean isAuthorized(Object dataObject, String namespaceCode, String permissionName, String principalId) {
346 return true;
347 }
348
349 @Override
350 public boolean isAuthorizedByTemplate(Object dataObject, String namespaceCode, String permissionTemplateName, String principalId) {
351 return true;
352 }
353
354 @Override
355 public boolean isAuthorized(Object dataObject, String namespaceCode, String permissionName, String principalId,
356 Map<String, String> additionalPermissionDetails, Map<String, String> additionalRoleQualifiers) {
357 return true;
358 }
359
360
361 // Methods from InquiryOrMaintenanceDocumentAuthorizer
362
363 @Override
364 /**
365 * Can't return null.
366 */
367 public Set<String> getSecurePotentiallyHiddenSectionIds() {
368 return new HashSet<String>();
369 }
370
371 // Override this if necessary:
372
373 /**
374 * Returns the UserRoles object for the CURRENT user. This will take into
375 * account target/backdoor user status. Subclasses can override this if
376 * necessary.
377 *
378 * @return The UserRoles object for the current user.
379 */
380 public UserRoles getRoles() {
381 return TkUserRoles.getUserRoles(GlobalVariables.getUserSession().getPrincipalId());
382 }
383
384 // Subclasses will implement these methods
385
386 /**
387 * Method to indicate whether or not the Context current user can read
388 * objects if the current maintenance type.
389 *
390 * @return true if readable, false otherwise.
391 */
392 abstract public boolean rolesIndicateGeneralReadAccess();
393
394 /**
395 * Method to indicate whether or not the Context current user can create/edit
396 * objects if the current maintenance type.
397 *
398 * @return true if create/editable, false otherwise.
399 */
400 abstract public boolean rolesIndicateGeneralWriteAccess();
401
402 /**
403 * Indicates whether or not the current Context user has create/edit rights
404 * to the provided BusinessObject.
405 *
406 * @param bo The BusinessObject under investigation.
407 *
408 * @return true if editable, false otherwise.
409 */
410 abstract public boolean rolesIndicateWriteAccess(BusinessObject bo);
411
412 /**
413 * Indicates whether or not the current Context user has view rights to the
414 * provided BusinessObject.
415 *
416 * @param bo The BusinessObject under investigation.
417 *
418 * @return true if editable, false otherwise.
419 */
420 abstract public boolean rolesIndicateReadAccess(BusinessObject bo);
421 }