View Javadoc

1   /**
2    * Copyright 2004-2013 The Kuali Foundation
3    *
4    * Licensed under the Educational Community License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    * http://www.opensource.org/licenses/ecl2.php
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  package org.kuali.hr.time.authorization;
17  
18  import java.util.HashMap;
19  import java.util.HashSet;
20  import java.util.Map;
21  import java.util.Set;
22  
23  import org.kuali.hr.time.roles.TkUserRoles;
24  import org.kuali.hr.time.roles.UserRoles;
25  import org.kuali.rice.kew.api.document.DocumentStatus;
26  import org.kuali.rice.kim.api.identity.Person;
27  import org.kuali.rice.kns.document.authorization.DocumentAuthorizer;
28  import org.kuali.rice.kns.document.authorization.MaintenanceDocumentAuthorizer;
29  import org.kuali.rice.krad.bo.BusinessObject;
30  import org.kuali.rice.krad.document.Document;
31  import org.kuali.rice.krad.maintenance.MaintenanceDocument;
32  import org.kuali.rice.krad.util.GlobalVariables;
33  import org.kuali.rice.krad.util.KRADConstants;
34  
35  /**
36   * Base class for the implementation of Authorization in KPME Time and Attendance.
37   *
38   * Role Security Grid Documentation:
39   * https://wiki.kuali.org/display/KPME/Role+Security+Grid
40   */
41  public abstract class TkMaintenanceDocumentAuthorizerBase implements MaintenanceDocumentAuthorizer, DocumentAuthorizer {
42  
43      // Methods from BusinessObjectAuthorizer
44  
45      @Override
46      public boolean isAuthorized(BusinessObject businessObject, String namespaceCode, String permissionName, String principalId) {
47          return true;
48      }
49  
50      @Override
51      public boolean isAuthorizedByTemplate(BusinessObject businessObject, String namespaceCode, String permissionTemplateName, String principalId) {
52          return true;
53      }
54  
55      @Override
56      public boolean isAuthorized(BusinessObject businessObject, String namespaceCode, String permissionName, String principalId, Map<String, String> additionalPermissionDetails, Map<String, String> additionalRoleQualifiers) {
57          return true;
58      }
59      
60      @Override
61      public boolean isAuthorizedByTemplate(Object dataObject, String namespaceCode, String permissionTemplateName, String principalId, Map<String, String> additionalPermissionDetails, Map<String, String> additionalRoleQualifiers) {
62      	return true;
63      }
64  
65      @Override
66      public Map<String, String> getCollectionItemRoleQualifications(BusinessObject collectionItemBusinessObject) {
67          return new HashMap<String,String>();
68      }
69  
70      @Override
71      public Map<String, String> getCollectionItemPermissionDetails(BusinessObject collectionItemBusinessObject) {
72          return new HashMap<String,String>();
73      }
74  
75      // Methods from MaintenanceDocumentAuthorizer
76  
77      @Override
78      public boolean canCreate(Class boClass, Person user) {
79          return this.rolesIndicateGeneralWriteAccess();
80      }
81  
82      @Override
83      /**
84       * In lookup, called for each Business object if the user can edit or not.
85       */
86      public boolean canMaintain(Object dataObject, Person user) {
87          return this.rolesIndicateWriteAccess((BusinessObject) dataObject);
88      }
89  
90      @Override
91      /**
92       * Called when submit is clicked from maintenance doc
93       */
94      public boolean canCreateOrMaintain(MaintenanceDocument maintenanceDocument, Person user){
95          return this.rolesIndicateWriteAccess((BusinessObject) maintenanceDocument.getNewMaintainableObject().getDataObject());
96      }
97  
98      @Override
99      public Set<String> getSecurePotentiallyReadOnlySectionIds() {
100         return new HashSet<String>();
101     }
102 
103     // Methods from DocumentAuthorizer
104     
105 
106     /**
107      * Copied from DocumentAuthorizerBase
108      */
109 	@Override
110 	public Set<String> getDocumentActions(Document document, Person user, Set<String> documentActions) {
111         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_EDIT) && !canEdit(document, user)) {
112             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_EDIT);
113         }
114 
115         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_COPY) && !canCopy(document, user)) {
116             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_COPY);
117         }
118 
119         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_CLOSE) && !canClose(document, user)) {
120             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_CLOSE);
121         }
122 
123         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_RELOAD) && !canReload(document, user)) {
124             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_RELOAD);
125         }
126 
127         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_BLANKET_APPROVE) && !canBlanketApprove(document, user)) {
128             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_BLANKET_APPROVE);
129         }
130 
131         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_CANCEL) && !canCancel(document, user)) {
132             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_CANCEL);
133         }
134 
135         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_RECALL) && !canRecall(document, user)) {
136             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_RECALL);
137         }
138 
139         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_SAVE) && !canSave(document, user)) {
140             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_SAVE);
141         }
142 
143         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_ROUTE) && !canRoute(document, user)) {
144             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_ROUTE);
145         }
146 
147         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_ACKNOWLEDGE) && !canAcknowledge(document, user)) {
148             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_ACKNOWLEDGE);
149         }
150 
151         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_FYI) && !canFyi(document, user)) {
152             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_FYI);
153         }
154 
155         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_APPROVE) && !canApprove(document, user)) {
156             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_APPROVE);
157         }
158 
159         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_DISAPPROVE) && !canDisapprove(document, user)) {
160             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_DISAPPROVE);
161         }
162 
163         if (!canSendAnyTypeAdHocRequests(document, user)) {
164             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_ADD_ADHOC_REQUESTS);
165             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_SEND_ADHOC_REQUESTS);
166             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_SEND_NOTE_FYI);
167         }
168 
169         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_SEND_NOTE_FYI) && !canSendNoteFyi(document, user)) {
170             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_SEND_NOTE_FYI);
171         }
172 
173         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_ANNOTATE) && !canAnnotate(document, user)) {
174             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_ANNOTATE);
175         }
176 
177         if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_EDIT_DOCUMENT_OVERVIEW) && !canEditDocumentOverview(
178                 document, user)) {
179             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_EDIT_DOCUMENT_OVERVIEW);
180         }
181 
182         if (documentActions.contains(KRADConstants.KUALI_ACTION_PERFORM_ROUTE_REPORT) && !canPerformRouteReport(document,
183                 user)) {
184             documentActions.remove(KRADConstants.KUALI_ACTION_PERFORM_ROUTE_REPORT);
185         }
186 
187         DocumentStatus documentStatus = document.getDocumentHeader().getWorkflowDocument().getStatus();
188 
189         if (DocumentStatus.INITIATED.equals(documentStatus) || DocumentStatus.SAVED.equals(documentStatus)) {
190             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_APPROVE);
191             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_DISAPPROVE);
192         } else if (DocumentStatus.FINAL.equals(documentStatus)) {
193             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_APPROVE);
194             documentActions.remove(KRADConstants.KUALI_ACTION_CAN_DISAPPROVE);
195         }
196 
197         return documentActions;
198 	}
199 
200     @Override
201     /**
202      * TODO: What is this used for? It's called often.
203      */
204     public boolean canInitiate(String documentTypeName, Person user) {
205         return this.rolesIndicateGeneralReadAccess();
206     }
207 
208     @Override
209     /**
210      * 
211      * One Reference in KualiDocumentActionBase:366
212      */
213     public boolean canOpen(Document document, Person user) {
214     	return this.rolesIndicateGeneralReadAccess();
215     }
216     
217     @Override
218     public boolean canEdit(Document document, Person user) {
219     	return this.rolesIndicateGeneralWriteAccess();
220     }
221     
222     @Override
223     public boolean canAnnotate(Document document, Person user) {
224     	return true;
225     }
226 
227     @Override
228     public boolean canReload(Document document, Person user) {
229     	return true;
230     }
231 
232     @Override
233     public boolean canClose(Document document, Person user) {
234     	return true;
235     }
236 
237     @Override
238     public boolean canSave(Document document, Person user) {
239     	return this.rolesIndicateGeneralWriteAccess();
240     }
241 
242     @Override
243     public boolean canRoute(Document document, Person user) {
244     	return true;
245     }
246 
247     @Override
248     public boolean canCancel(Document document, Person user) {
249     	return true;
250     }
251 
252     @Override
253     public boolean canCopy(Document document, Person user) {
254     	return this.rolesIndicateGeneralWriteAccess();
255     }
256 
257     @Override
258     public boolean canPerformRouteReport(Document document, Person user) {
259     	return true;
260     }
261 
262     @Override
263     public boolean canBlanketApprove(Document document, Person user) {
264     	return true;
265     }
266 
267     @Override
268     public boolean canApprove(Document document, Person user) {
269     	return true;
270     }
271 
272     @Override
273     public boolean canDisapprove(Document document, Person user) {
274     	return true;
275     }
276 
277     @Override
278     public boolean canSendNoteFyi(Document document, Person user) {
279     	return true;
280     }
281 
282     @Override
283     public boolean canEditDocumentOverview(Document document, Person user) {
284     	return true;
285     }
286 
287     @Override
288     public boolean canFyi(Document document, Person user) {
289     	return true;
290     }
291 
292     @Override
293     public boolean canAcknowledge(Document document, Person user) {
294     	return true;
295     }
296 
297     @Override
298     public boolean canReceiveAdHoc(Document document, Person user, String actionRequestCode) {
299         return true;
300     }
301 
302     @Override
303     public boolean canAddNoteAttachment(Document document, String attachmentTypeCode, Person user) {
304         return true;
305     }
306 
307     @Override
308     public boolean canDeleteNoteAttachment(Document document, String attachmentTypeCode, String createdBySelfOnly, Person user) {
309         return true;
310     }
311 
312 	@Override
313 	public boolean canViewNoteAttachment(Document document,String attachmentTypeCode, Person user) {
314 		return true;
315 	}
316 
317     @Override
318     public boolean canViewNoteAttachment(Document document, String attachmentTypeCode, String authorUniversalIdentifier, Person user) {
319         return true;
320     }
321 
322     @Override
323     public boolean canSendAdHocRequests(Document document, String actionRequestCd, Person user) {
324         return true;
325     }
326     
327     @Override
328     public boolean canSendAnyTypeAdHocRequests(Document document, Person user) {
329     	return true;
330     }
331 
332     @Override
333     public boolean canTakeRequestedAction(Document document, String actionRequestCode, Person user) {
334     	return true;
335     }
336     
337     @Override
338     public boolean canRecall(Document document, Person user) {
339     	return true;
340     }
341     
342     // Methods from DataObjectAuthorizer
343     
344     @Override
345     public boolean isAuthorized(Object dataObject, String namespaceCode, String permissionName, String principalId) {
346     	return true;
347     }
348 
349     @Override
350     public boolean isAuthorizedByTemplate(Object dataObject, String namespaceCode, String permissionTemplateName, String principalId) {
351     	return true;
352     }
353 
354     @Override
355     public boolean isAuthorized(Object dataObject, String namespaceCode, String permissionName, String principalId,
356             Map<String, String> additionalPermissionDetails, Map<String, String> additionalRoleQualifiers) {
357     	return true;
358     }
359 
360 
361     // Methods from InquiryOrMaintenanceDocumentAuthorizer
362 
363     @Override
364     /**
365      * Can't return null.
366      */
367     public Set<String> getSecurePotentiallyHiddenSectionIds() {
368         return new HashSet<String>();
369     }
370 
371     // Override this if necessary:
372 
373     /**
374      * Returns the UserRoles object for the CURRENT user. This will take into
375      * account target/backdoor user status. Subclasses can override this if
376      * necessary.
377      *
378      * @return The UserRoles object for the current user.
379      */
380     public UserRoles getRoles() {
381         return TkUserRoles.getUserRoles(GlobalVariables.getUserSession().getPrincipalId());
382     }
383 
384     // Subclasses will implement these methods
385 
386     /**
387      * Method to indicate whether or not the Context current user can read
388      * objects if the current maintenance type.
389      *
390      * @return true if readable, false otherwise.
391      */
392     abstract public boolean rolesIndicateGeneralReadAccess();
393 
394     /**
395      * Method to indicate whether or not the Context current user can create/edit
396      * objects if the current maintenance type.
397      *
398      * @return true if create/editable, false otherwise.
399      */
400     abstract public boolean rolesIndicateGeneralWriteAccess();
401 
402     /**
403      * Indicates whether or not the current Context user has create/edit rights
404      * to the provided BusinessObject.
405      *
406      * @param bo The BusinessObject under investigation.
407      *
408      * @return true if editable, false otherwise.
409      */
410     abstract public boolean rolesIndicateWriteAccess(BusinessObject bo);
411 
412     /**
413      * Indicates whether or not the current Context user has view rights to the
414      * provided BusinessObject.
415      *
416      * @param bo The BusinessObject under investigation.
417      *
418      * @return true if editable, false otherwise.
419      */
420     abstract public boolean rolesIndicateReadAccess(BusinessObject bo);
421 }