001/* 002 * Copyright 2009 The Kuali Foundation. 003 * 004 * Licensed under the Educational Community License, Version 1.0 (the "License"); 005 * you may not use this file except in compliance with the License. 006 * You may obtain a copy of the License at 007 * 008 * http://www.opensource.org/licenses/ecl1.php 009 * 010 * Unless required by applicable law or agreed to in writing, software 011 * distributed under the License is distributed on an "AS IS" BASIS, 012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 013 * See the License for the specific language governing permissions and 014 * limitations under the License. 015 */ 016package org.kuali.ole.sec.document.authorization; 017 018import java.util.Iterator; 019import java.util.Map; 020import java.util.Set; 021 022import org.kuali.ole.sec.SecConstants; 023import org.kuali.ole.sec.SecKeyConstants; 024import org.kuali.ole.sec.businessobject.AccessSecurityRestrictionInfo; 025import org.kuali.ole.sec.service.AccessSecurityService; 026import org.kuali.ole.sys.OLEConstants; 027import org.kuali.ole.sys.businessobject.AccountingLine; 028import org.kuali.ole.sys.context.SpringContext; 029import org.kuali.ole.sys.document.AccountingDocument; 030import org.kuali.rice.coreservice.framework.parameter.ParameterService; 031import org.kuali.rice.kim.api.identity.Person; 032import org.kuali.rice.kns.document.authorization.TransactionalDocumentAuthorizer; 033import org.kuali.rice.krad.bo.BusinessObject; 034import org.kuali.rice.krad.document.Document; 035import org.kuali.rice.krad.util.GlobalVariables; 036import org.kuali.rice.krad.util.KRADConstants; 037 038 039/** 040 * TransactionDocumentAuthorizer that wraps access security checks around another TransactionDocumentAuthorizer configured for the document type 041 */ 042public class SecTransactionalDocumentAuthorizer implements TransactionalDocumentAuthorizer { 043 protected TransactionalDocumentAuthorizer documentAuthorizer; 044 045 private static AccessSecurityService accessSecurityService; 046 047 protected AccessSecurityService getAccessSecurityService() { 048 if ( accessSecurityService == null ) { 049 accessSecurityService = SpringContext.getBean(AccessSecurityService.class); 050 } 051 return accessSecurityService; 052 } 053 054 public Set<String> getEditModes(Document document, Person user, Set<String> editModes) { 055 return documentAuthorizer.getEditModes(document, user, editModes); 056 } 057 058 public boolean canAddNoteAttachment(Document document, String attachmentTypeCode, Person user) { 059 return documentAuthorizer.canAddNoteAttachment(document, attachmentTypeCode, user); 060 } 061 062 public boolean canDeleteNoteAttachment(Document document, String attachmentTypeCode, String createdBySelfOnly, Person user) { 063 return documentAuthorizer.canDeleteNoteAttachment(document, attachmentTypeCode, createdBySelfOnly, user); 064 } 065 066 public boolean canInitiate(String documentTypeName, Person user) { 067 return documentAuthorizer.canInitiate(documentTypeName, user); 068 } 069 070 /** 071 * If user has open permission then does further checks to verify there are no access security restriction setup that prevents the user from opening the document 072 * 073 * @see org.kuali.rice.krad.document.authorization.DocumentAuthorizer#canOpen(org.kuali.rice.krad.document.Document, org.kuali.rice.kim.api.identity.Person) 074 */ 075 public boolean canOpen(Document document, Person user) { 076 boolean canOpen = documentAuthorizer.canOpen(document, user); 077 if (canOpen) { 078 AccessSecurityRestrictionInfo restrictionInfo = new AccessSecurityRestrictionInfo(); 079 canOpen = getAccessSecurityService().canViewDocument((AccountingDocument) document, user, restrictionInfo); 080 if (!canOpen) { 081 GlobalVariables.getUserSession().addObject(SecConstants.OPEN_DOCUMENT_SECURITY_ACCESS_DENIED_ERROR_KEY, restrictionInfo); 082 } 083 } 084 085 return canOpen; 086 } 087 088 public boolean canReceiveAdHoc(Document document, Person user, String actionRequestCode) { 089 return documentAuthorizer.canReceiveAdHoc(document, user, actionRequestCode); 090 } 091 092 public boolean canSendAdHocRequests(Document document, String actionRequestCd, Person user) { 093 return documentAuthorizer.canSendAdHocRequests(document, actionRequestCd, user); 094 } 095 096 /** 097 * If user has permission to view notes/attachments then does further checks to verify there are no access security restriction setup that prevents the user from viewing the 098 * notes/attachments 099 * 100 * @see org.kuali.rice.krad.document.authorization.DocumentAuthorizer#canViewNoteAttachment(org.kuali.rice.krad.document.Document, java.lang.String, org.kuali.rice.kim.api.identity.Person) 101 */ 102 public boolean canViewNoteAttachment(Document document, String attachmentTypeCode, Person user) { 103 boolean canView = documentAuthorizer.canViewNoteAttachment(document, attachmentTypeCode, user); 104 if (canView) { 105 canView = getAccessSecurityService().canViewDocumentNotesAttachments((AccountingDocument) document, user); 106 107 if (!canView) { 108 GlobalVariables.getMessageMap().putInfo(OLEConstants.GLOBAL_ERRORS, SecKeyConstants.MESSAGE_DOCUMENT_NOTES_RESTRICTED, (String) null); 109 } 110 } 111 112 return canView; 113 } 114 115 /** 116 * If there are line restrictions and the initiator override flag is turned on, we need to disable the copy and error correct buttons since those would result in documents 117 * displaying the restricted lines 118 * 119 * @see org.kuali.rice.krad.document.authorization.DocumentAuthorizer#getDocumentActions(org.kuali.rice.krad.document.Document, org.kuali.rice.kim.api.identity.Person, java.util.Set) 120 */ 121 public Set<String> getDocumentActions(Document document, Person user, Set<String> documentActions) { 122 Set<String> documentActionsToReturn = documentAuthorizer.getDocumentActions(document, user, documentActions); 123 124 boolean alwaysAllowInitiatorAccess = SpringContext.getBean(ParameterService.class).getParameterValueAsBoolean(SecConstants.ACCESS_SECURITY_NAMESPACE_CODE, SecConstants.ALL_PARAMETER_DETAIL_COMPONENT, SecConstants.SecurityParameterNames.ALWAYS_ALLOW_INITIATOR_LINE_ACCESS_IND); 125 if (alwaysAllowInitiatorAccess) { 126 // determine if any lines are view restricted 127 boolean hasViewRestrictions = false; 128 129 AccountingDocument accountingDocument = (AccountingDocument) document; 130 for (Iterator iterator = accountingDocument.getSourceAccountingLines().iterator(); iterator.hasNext();) { 131 AccountingLine line = (AccountingLine) iterator.next(); 132 if (!getAccessSecurityService().canViewDocumentAccountingLine(accountingDocument, line, user)) { 133 hasViewRestrictions = true; 134 break; 135 } 136 } 137 138 if (!hasViewRestrictions) { 139 for (Iterator iterator = accountingDocument.getTargetAccountingLines().iterator(); iterator.hasNext();) { 140 AccountingLine line = (AccountingLine) iterator.next(); 141 if (!getAccessSecurityService().canViewDocumentAccountingLine(accountingDocument, line, user)) { 142 hasViewRestrictions = true; 143 break; 144 } 145 } 146 } 147 148 // if we have restrictions then disable copy and error correction 149 if (hasViewRestrictions) { 150 if (documentActionsToReturn.contains(KRADConstants.KUALI_ACTION_CAN_COPY)) { 151 documentActionsToReturn.remove(KRADConstants.KUALI_ACTION_CAN_COPY); 152 GlobalVariables.getMessageMap().putInfo(OLEConstants.GLOBAL_ERRORS, SecKeyConstants.MESSAGE_DOCUMENT_COPY_RESTRICTED, (String) null); 153 } 154 155 if (documentActionsToReturn.contains(OLEConstants.KFS_ACTION_CAN_ERROR_CORRECT)) { 156 documentActionsToReturn.remove(OLEConstants.KFS_ACTION_CAN_ERROR_CORRECT); 157 GlobalVariables.getMessageMap().putInfo(OLEConstants.GLOBAL_ERRORS, SecKeyConstants.MESSAGE_DOCUMENT_ERROR_CORRECT_RESTRICTED, (String) null); 158 } 159 } 160 } 161 162 return documentActionsToReturn; 163 } 164 165 public Map<String, String> getCollectionItemPermissionDetails(BusinessObject collectionItemBusinessObject) { 166 return documentAuthorizer.getCollectionItemPermissionDetails(collectionItemBusinessObject); 167 } 168 169 public Map<String, String> getCollectionItemRoleQualifications(BusinessObject collectionItemBusinessObject) { 170 return documentAuthorizer.getCollectionItemRoleQualifications(collectionItemBusinessObject); 171 } 172 173 public boolean isAuthorized(BusinessObject businessObject, String namespaceCode, String permissionName, String principalId) { 174 return documentAuthorizer.isAuthorized(businessObject, namespaceCode, permissionName, principalId); 175 } 176 177 public boolean isAuthorized(BusinessObject businessObject, String namespaceCode, String permissionName, String principalId, Map<String, String> additionalPermissionDetails, Map<String, String> additionalRoleQualifiers) { 178 return documentAuthorizer.isAuthorized(businessObject, namespaceCode, permissionName, principalId, additionalPermissionDetails, additionalRoleQualifiers); 179 } 180 181 public boolean isAuthorizedByTemplate(BusinessObject businessObject, String namespaceCode, String permissionTemplateName, String principalId) { 182 return documentAuthorizer.isAuthorizedByTemplate(businessObject, namespaceCode, permissionTemplateName, principalId); 183 } 184 185 public boolean isAuthorizedByTemplate(BusinessObject businessObject, String namespaceCode, String permissionTemplateName, String principalId, Map<String, String> additionalPermissionDetails, Map<String, String> additionalRoleQualifiers) { 186 return documentAuthorizer.isAuthorizedByTemplate(businessObject, namespaceCode, permissionTemplateName, principalId, additionalPermissionDetails, additionalRoleQualifiers); 187 } 188 @Override 189 public boolean isAuthorizedByTemplate(Object dataObject, String namespaceCode, String permissionTemplateName, String principalId, Map<String, String> additionalPermissionDetails, Map<String, String> additionalRoleQualifiers) { 190 return documentAuthorizer.isAuthorizedByTemplate(dataObject, namespaceCode, permissionTemplateName, principalId, additionalPermissionDetails, additionalRoleQualifiers); 191 } 192 193 public void setDocumentAuthorizer(TransactionalDocumentAuthorizer documentAuthorizer) { 194 this.documentAuthorizer = documentAuthorizer; 195 } 196 197 public boolean isAuthorized(Object dataObject, String namespaceCode, String permissionName, String principalId) { 198 return documentAuthorizer.isAuthorized(dataObject, namespaceCode, permissionName, principalId); 199 } 200 201 public boolean isAuthorizedByTemplate(Object dataObject, String namespaceCode, String permissionTemplateName, String principalId) { 202 return documentAuthorizer.isAuthorizedByTemplate(dataObject, namespaceCode, permissionTemplateName, principalId); 203 } 204 205 public boolean canEdit(Document document, Person user) { 206 return documentAuthorizer.canEdit(document, user); 207 } 208 209 public boolean canAnnotate(Document document, Person user) { 210 return documentAuthorizer.canAnnotate(document, user); 211 } 212 213 public boolean canReload(Document document, Person user) { 214 return documentAuthorizer.canReload(document, user); 215 } 216 217 public boolean canClose(Document document, Person user) { 218 return documentAuthorizer.canClose(document, user); 219 } 220 221 public boolean canSave(Document document, Person user) { 222 return documentAuthorizer.canSave(document, user); 223 } 224 225 public boolean canRoute(Document document, Person user) { 226 return documentAuthorizer.canRoute(document, user); 227 } 228 229 public boolean canCancel(Document document, Person user) { 230 return documentAuthorizer.canCancel(document, user); 231 } 232 233 public boolean isAuthorized(Object dataObject, String namespaceCode, String permissionName, String principalId, Map<String, String> additionalPermissionDetails, Map<String, String> additionalRoleQualifiers) { 234 return documentAuthorizer.isAuthorized(dataObject, namespaceCode, permissionName, principalId, additionalPermissionDetails, additionalRoleQualifiers); 235 } 236 237 public boolean canCopy(Document document, Person user) { 238 return documentAuthorizer.canCopy(document, user); 239 } 240 241 public boolean canPerformRouteReport(Document document, Person user) { 242 return documentAuthorizer.canPerformRouteReport(document, user); 243 } 244 245 public boolean canBlanketApprove(Document document, Person user) { 246 return documentAuthorizer.canBlanketApprove(document, user); 247 } 248 249 public boolean canApprove(Document document, Person user) { 250 return documentAuthorizer.canApprove(document, user); 251 } 252 253 public boolean canDisapprove(Document document, Person user) { 254 return documentAuthorizer.canDisapprove(document, user); 255 } 256 257 public boolean canSendNoteFyi(Document document, Person user) { 258 return documentAuthorizer.canSendNoteFyi(document, user); 259 } 260 261 public boolean canEditDocumentOverview(Document document, Person user) { 262 return documentAuthorizer.canEditDocumentOverview(document, user); 263 } 264 265 public boolean canFyi(Document document, Person user) { 266 return documentAuthorizer.canFyi(document, user); 267 } 268 269 public boolean canAcknowledge(Document document, Person user) { 270 return documentAuthorizer.canAcknowledge(document, user); 271 } 272 273 public boolean canViewNoteAttachment(Document document, String attachmentTypeCode, String authorUniversalIdentifier, Person user) { 274 return documentAuthorizer.canViewNoteAttachment(document, attachmentTypeCode, authorUniversalIdentifier, user); 275 } 276 277 public boolean canSendAnyTypeAdHocRequests(Document document, Person user) { 278 return documentAuthorizer.canSendAnyTypeAdHocRequests(document, user); 279 } 280 281 public boolean canTakeRequestedAction(Document document, String actionRequestCode, Person user) { 282 return documentAuthorizer.canTakeRequestedAction(document, actionRequestCode, user); 283 } 284 285 @Override 286 public boolean canRecall(Document document, Person user) { 287 return documentAuthorizer.canRecall(document, user); 288 } 289 290}