001    /**
002     * Copyright 2004-2013 The Kuali Foundation
003     *
004     * Licensed under the Educational Community License, Version 2.0 (the "License");
005     * you may not use this file except in compliance with the License.
006     * You may obtain a copy of the License at
007     *
008     * http://www.opensource.org/licenses/ecl2.php
009     *
010     * Unless required by applicable law or agreed to in writing, software
011     * distributed under the License is distributed on an "AS IS" BASIS,
012     * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013     * See the License for the specific language governing permissions and
014     * limitations under the License.
015     */
016    package org.kuali.hr.time.authorization;
017    
import java.util.Objects;

import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.kuali.hr.time.roles.UserRoles;
import org.kuali.hr.time.util.TKContext;
import org.kuali.hr.time.util.TKUser;
import org.kuali.hr.time.util.TkConstants;
import org.kuali.rice.krad.bo.BusinessObject;
025    
026    /**
027     * Implements Authorization logic for the "Departmental Rules":
028     *
029     * ClockLocationRule
030     * TimeCollectionRule
031     * DeptLunchRule
032     * WorkArea
033     *
034     * See:
035     * https://wiki.kuali.org/display/KPME/Role+Security+Grid
036     */
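public class DepartmentalRuleAuthorizer extends TkMaintenanceDocumentAuthorizerBase {

    private static final Logger LOG = Logger.getLogger(DepartmentalRuleAuthorizer.class);

    /**
     * Whether the current user's roles grant general (not object-specific) read
     * access to departmental rules.
     *
     * @return true for system administrators, global view-only users, org admins of
     *         any chart or department, department view-only users, or users with
     *         any active approver role; false otherwise.
     */
    @Override
    public boolean rolesIndicateGeneralReadAccess() {
        UserRoles roles = getRoles();
        return roles.isSystemAdmin()
                || roles.isGlobalViewOnly()
                || !roles.getOrgAdminCharts().isEmpty()
                || !roles.getOrgAdminDepartments().isEmpty()
                || !roles.getDepartmentViewOnlyDepartments().isEmpty()
                || roles.isAnyApproverActive();
    }

    /**
     * Whether the current user's roles grant general (not object-specific) write
     * access to departmental rules.
     *
     * @return true for system administrators and org admins of any chart or
     *         department; false otherwise.
     */
    @Override
    public boolean rolesIndicateGeneralWriteAccess() {
        UserRoles roles = getRoles();
        return roles.isSystemAdmin()
                || !roles.getOrgAdminCharts().isEmpty()
                || !roles.getOrgAdminDepartments().isEmpty();
    }

    /**
     * Object-level write check. Any object that is not a {@link DepartmentalRule}
     * is denied.
     *
     * @param bo the business object being written
     * @return true if {@code bo} is a DepartmentalRule the current context user
     *         may write (see {@link #hasAccessToWrite(DepartmentalRule)})
     */
    @Override
    public boolean rolesIndicateWriteAccess(BusinessObject bo) {
        return bo instanceof DepartmentalRule && hasAccessToWrite((DepartmentalRule) bo);
    }

    /**
     * Object-level read check. Any object that is not a {@link DepartmentalRule}
     * is denied.
     *
     * @param bo the business object being read
     * @return true if {@code bo} is a DepartmentalRule the current context user
     *         may read (see {@link #hasAccessToRead(DepartmentalRule)})
     */
    @Override
    public boolean rolesIndicateReadAccess(BusinessObject bo) {
        return bo instanceof DepartmentalRule && hasAccessToRead((DepartmentalRule) bo);
    }

    /**
     * Static helper method to provide a single point of access for write
     * authorization, shared by the Kuali Rice maintenance page hooks and
     * Lookupable filtering. Every path that does not positively grant access
     * denies it.
     *
     * @param dr The business object under investigation; null is denied.
     *
     * @return true if writable by current context user, false otherwise.
     */
    public static boolean hasAccessToWrite(DepartmentalRule dr) {
        if (TKUser.isSystemAdmin()) {
            return true;
        }
        if (dr == null || TKUser.getDepartmentAdminAreas().isEmpty()) {
            return false;
        }

        String dept = dr.getDept();
        if (StringUtils.equals(dept, TkConstants.WILDCARD_CHARACTER)) {
            // Wildcard department: only a system administrator (handled above)
            // may write such a rule.
            return false;
        }
        // Otherwise the user must be a department admin for the rule's own department.
        return TKUser.getDepartmentAdminAreas().contains(dept);
    }

    /**
     * Static helper method to provide a single point of access for both Kuali
     * Rice maintenance page hooks as well as Lookupable filtering.
     *
     * <p>System administrators and global view-only users may read any rule. For
     * everyone else the decision depends on whether the rule's department and work
     * area are wildcards (see the case table in the body). Every path that does not
     * positively grant access denies it.
     *
     * @param dr The business object under investigation; null is denied.
     *
     * @return true if readable by current context user, false otherwise.
     */
    public static boolean hasAccessToRead(DepartmentalRule dr) {
        if (TKUser.isSystemAdmin() || TKUser.isGlobalViewOnly()) {
            return true;
        }
        if (dr == null) {
            return false;
        }

        //    dept     | workArea   | meaning
        //    ---------|------------|
        // 1: %        ,  -1        , any dept/work area valid roles
        //*2: %        ,  <defined> , must have work area <-- *
        // 3: <defined>, -1         , must have dept, any work area
        // 4: <defined>, <defined>  , must have work area or department defined
        //
        // * Not permitted.

        String dept = dr.getDept();
        boolean wildcardDept = StringUtils.equals(dept, TkConstants.WILDCARD_CHARACTER);
        // Objects.equals is null-safe: a rule whose work area is unset is treated as a
        // defined (non-wildcard) work area instead of throwing NullPointerException.
        boolean wildcardWorkArea = Objects.equals(dr.getWorkArea(), TkConstants.WILDCARD_LONG);

        if (wildcardDept && wildcardWorkArea) {
            // case 1
            return !TKUser.getApproverWorkAreas().isEmpty()
                    || !TKUser.getLocationAdminAreas().isEmpty()
                    || !TKUser.getDepartmentAdminAreas().isEmpty();
        }
        if (wildcardDept) {
            // case 2 *
            // Should not encounter this case; log it and deny.
            LOG.error("Invalid case encountered while scanning business objects: Wildcard Department & Defined workArea.");
            return false;
        }
        if (wildcardWorkArea) {
            // case 3
            return TKUser.getDepartmentAdminAreas().contains(dept);
        }
        // case 4
        return TKUser.getApproverWorkAreas().contains(dr.getWorkArea())
                || TKUser.getDepartmentAdminAreas().contains(dept);
    }

}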