View Javadoc

1   /**
2    * Copyright 2004-2013 The Kuali Foundation
3    *
4    * Licensed under the Educational Community License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    * http://www.opensource.org/licenses/ecl2.php
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  package org.kuali.hr.time.authorization;
17  
18  import org.apache.commons.lang.StringUtils;
19  import org.apache.log4j.Logger;
20  import org.kuali.hr.time.roles.UserRoles;
21  import org.kuali.hr.time.util.TKContext;
22  import org.kuali.hr.time.util.TKUser;
23  import org.kuali.hr.time.util.TkConstants;
24  import org.kuali.rice.krad.bo.BusinessObject;
25  
26  /**
27   * Implements Authorization logic for the "Departmental Rules":
28   *
29   * ClockLocationRule
30   * TimeCollectionRule
31   * DeptLunchRule
32   * WorkArea
33   *
34   * See:
35   * https://wiki.kuali.org/display/KPME/Role+Security+Grid
36   */
37  public class DepartmentalRuleAuthorizer extends TkMaintenanceDocumentAuthorizerBase {
38  
39        private static final Logger LOG = Logger.getLogger(DepartmentalRuleAuthorizer.class);
40  
41      @Override
42      public boolean rolesIndicateGeneralReadAccess() {
43          return getRoles().isSystemAdmin() ||
44          		getRoles().isGlobalViewOnly() ||
45                  getRoles().getOrgAdminCharts().size() > 0 ||
46                  getRoles().getOrgAdminDepartments().size() > 0 ||
47                  getRoles().getDepartmentViewOnlyDepartments().size() > 0 ||
48                  getRoles().isAnyApproverActive();
49      }
50  
51      @Override
52      public boolean rolesIndicateGeneralWriteAccess() {
53          return getRoles().isSystemAdmin() ||
54                  getRoles().getOrgAdminCharts().size() > 0 ||
55                  getRoles().getOrgAdminDepartments().size() > 0;
56      }
57  
58      @Override
59      public boolean rolesIndicateWriteAccess(BusinessObject bo) {
60          return bo instanceof DepartmentalRule && DepartmentalRuleAuthorizer.hasAccessToWrite((DepartmentalRule)bo);
61      }
62  
63      @Override
64      public boolean rolesIndicateReadAccess(BusinessObject bo) {
65          return bo instanceof DepartmentalRule && DepartmentalRuleAuthorizer.hasAccessToRead((DepartmentalRule)bo);
66      }
67  
68      public static boolean hasAccessToWrite(DepartmentalRule dr) {
69          boolean ret = false;
70          if (TKUser.isSystemAdmin())
71              return true;
72  
73          if (dr != null && TKUser.getDepartmentAdminAreas().size() > 0) {
74              String dept = dr.getDept();
75              if (StringUtils.equals(dept, TkConstants.WILDCARD_CHARACTER)) {
76                  // Must be system administrator
77                  ret = false;
78              } else {
79                  // Must have parent Department
80                  ret = TKUser.getDepartmentAdminAreas().contains(dr.getDept());
81              }
82          }
83  
84          return ret;
85      }
86  
87      /**
88       * Static helper method to provide a single point of access for both Kuali
89       * Rice maintenance page hooks as well as Lookupable filtering.
90       *
91       * @param dr The business object under investigation.
92       *
93       * @return true if readable by current context user, false otherwise.
94       */
95      public static boolean hasAccessToRead(DepartmentalRule dr) {
96          boolean ret = false;
97          if (TKUser.isSystemAdmin() || TKUser.isGlobalViewOnly())
98              return true;
99  
100         if (dr != null) {
101             //    dept     | workArea   | meaning
102             //    ---------|------------|
103             // 1: %        ,  -1        , any dept/work area valid roles
104             //*2: %        ,  <defined> , must have work area <-- *
105             // 3: <defined>, -1         , must have dept, any work area
106             // 4: <defined>, <defined>  , must have work area or department defined
107             //
108             // * Not permitted.
109 
110 
111             if (StringUtils.equals(dr.getDept(), TkConstants.WILDCARD_CHARACTER) &&
112                     dr.getWorkArea().equals(TkConstants.WILDCARD_LONG)) {
113                 // case 1
114                 ret = TKUser.getApproverWorkAreas().size() > 0 || TKUser.getLocationAdminAreas().size() > 0 ||
115                 		TKUser.getDepartmentAdminAreas().size() > 0;
116             } else if (StringUtils.equals(dr.getDept(), TkConstants.WILDCARD_CHARACTER)) {
117                 // case 2 *
118                 // Should not encounter this case.
119                 LOG.error("Invalid case encountered while scanning business objects: Wildcard Department & Defined workArea.");
120             } else if (dr.getWorkArea().equals(TkConstants.WILDCARD_LONG)) {
121                 // case 3
122                 ret = TKUser.getDepartmentAdminAreas().contains(dr.getDept());
123             } else {
124                 ret = TKUser.getApproverWorkAreas().contains(dr.getWorkArea()) ||
125                 		TKUser.getDepartmentAdminAreas().contains(dr.getDept());
126             }
127         }
128 
129         return ret;
130     }
131 
132 }