View Javadoc
1   /**
2    * Copyright 2005-2016 The Kuali Foundation
3    *
4    * Licensed under the Educational Community License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    * http://www.opensource.org/licenses/ecl2.php
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  package org.kuali.rice.kns.util;
17  
18  import org.apache.commons.lang.StringEscapeUtils;
19  import org.apache.commons.lang.StringUtils;
20  import org.apache.log4j.Level;
21  import org.apache.log4j.Logger;
22  import org.apache.struts.Globals;
23  import org.apache.struts.action.ActionForm;
24  import org.apache.struts.action.ActionMapping;
25  import org.apache.struts.action.ActionServletWrapper;
26  import org.apache.struts.upload.CommonsMultipartRequestHandler;
27  import org.apache.struts.upload.FormFile;
28  import org.apache.struts.upload.MultipartRequestHandler;
29  import org.apache.struts.upload.MultipartRequestWrapper;
30  import org.kuali.rice.core.api.CoreApiServiceLocator;
31  import org.kuali.rice.core.api.config.property.ConfigContext;
32  import org.kuali.rice.core.api.config.property.ConfigurationService;
33  import org.kuali.rice.core.api.util.RiceKeyConstants;
34  import org.kuali.rice.kew.api.action.ActionRequest;
35  import org.kuali.rice.kew.api.action.RecipientType;
36  import org.kuali.rice.kim.api.role.Role;
37  import org.kuali.rice.kim.api.services.KimApiServiceLocator;
38  import org.kuali.rice.kns.datadictionary.KNSDocumentEntry;
39  import org.kuali.rice.kns.datadictionary.MaintenanceDocumentEntry;
40  import org.kuali.rice.kns.document.authorization.DocumentAuthorizer;
41  import org.kuali.rice.kns.service.KNSServiceLocator;
42  import org.kuali.rice.kns.web.struts.action.KualiMultipartRequestHandler;
43  import org.kuali.rice.kns.web.struts.form.KualiDocumentFormBase;
44  import org.kuali.rice.kns.web.struts.form.KualiForm;
45  import org.kuali.rice.kns.web.struts.form.KualiMaintenanceForm;
46  import org.kuali.rice.kns.web.struts.form.pojo.PojoFormBase;
47  import org.kuali.rice.kns.web.ui.Field;
48  import org.kuali.rice.kns.web.ui.Row;
49  import org.kuali.rice.kns.web.ui.Section;
50  import org.kuali.rice.krad.datadictionary.AttributeDefinition;
51  import org.kuali.rice.krad.datadictionary.AttributeSecurity;
52  import org.kuali.rice.krad.datadictionary.DataDictionary;
53  import org.kuali.rice.krad.datadictionary.DataDictionaryEntryBase;
54  import org.kuali.rice.krad.datadictionary.mask.MaskFormatter;
55  import org.kuali.rice.krad.document.Document;
56  import org.kuali.rice.krad.exception.ValidationException;
57  import org.kuali.rice.krad.service.KRADServiceLocatorWeb;
58  import org.kuali.rice.krad.util.GlobalVariables;
59  import org.kuali.rice.krad.util.KRADConstants;
60  import org.kuali.rice.krad.util.MessageMap;
61  import org.kuali.rice.krad.util.ObjectUtils;
62  
63  import javax.servlet.ServletException;
64  import javax.servlet.http.HttpServletRequest;
65  import javax.servlet.http.HttpServletResponse;
66  import javax.servlet.http.HttpSession;
67  import javax.servlet.jsp.PageContext;
68  import java.io.ByteArrayOutputStream;
69  import java.io.IOException;
70  import java.io.InputStream;
71  import java.io.OutputStream;
72  import java.net.URI;
73  import java.net.URISyntaxException;
74  import java.util.Arrays;
75  import java.util.Collection;
76  import java.util.Enumeration;
77  import java.util.HashMap;
78  import java.util.Hashtable;
79  import java.util.Iterator;
80  import java.util.LinkedHashMap;
81  import java.util.List;
82  import java.util.Map;
83  import java.util.Set;
84  import java.util.regex.Matcher;
85  import java.util.regex.Pattern;
86  
87  /**
88   * General helper methods for handling requests.
89   *
90   * @deprecated Only used in KNS classes, use KRAD.
91   */
92  @Deprecated
93  public class WebUtils {
94  	private static final Logger LOG = Logger.getLogger(WebUtils.class);
95  
96  	private static final String IMAGE_COORDINATE_CLICKED_X_EXTENSION = ".x";
97  	private static final String IMAGE_COORDINATE_CLICKED_Y_EXTENSION = ".y";
98  
99  	private static final String APPLICATION_IMAGE_URL_PROPERTY_PREFIX = "application.custom.image.url";
100 	private static final String DEFAULT_IMAGE_URL_PROPERTY_NAME = "kr.externalizable.images.url";
101 
102     /**
103      * Prefixes indicating an absolute url
104      */
105     private static final String[] SCHEMES = { "http://", "https://" };
106 
107 	/**
108 	 * A request attribute name that indicates that a
109 	 * {@link org.kuali.rice.kns.exception.FileUploadLimitExceededException} has already been thrown for the
110 	 * request.
111 	 */
112 	public static final String FILE_UPLOAD_LIMIT_EXCEEDED_EXCEPTION_ALREADY_THROWN = "fileUploadLimitExceededExceptionAlreadyThrown";
113 
114 	private static ConfigurationService configurationService;
115 
116 	/**
117 	 * Checks for methodToCall parameter, and picks off the value using set dot
118 	 * notation. Handles the problem of image submits.
119 	 * 
120 	 * @param request
121 	 * @return methodToCall String
122 	 */
123 	public static String parseMethodToCall(ActionForm form, HttpServletRequest request) {
124 		String methodToCall = null;
125 
126 		// check if is specified cleanly
127 		if (StringUtils.isNotBlank(request.getParameter(KRADConstants.DISPATCH_REQUEST_PARAMETER))) {
128 			if (form instanceof KualiForm
129 					&& !((KualiForm) form).shouldMethodToCallParameterBeUsed(KRADConstants.DISPATCH_REQUEST_PARAMETER,
130 							request.getParameter(KRADConstants.DISPATCH_REQUEST_PARAMETER), request)) {
131 				throw new RuntimeException("Cannot verify that the methodToCall should be "
132 						+ request.getParameter(KRADConstants.DISPATCH_REQUEST_PARAMETER));
133 			}
134 			methodToCall = request.getParameter(KRADConstants.DISPATCH_REQUEST_PARAMETER);
135 			// include .x at the end of the parameter to make it consistent w/
136 			// other parameters
137 			request.setAttribute(KRADConstants.METHOD_TO_CALL_ATTRIBUTE, KRADConstants.DISPATCH_REQUEST_PARAMETER + "."
138 					+ methodToCall + IMAGE_COORDINATE_CLICKED_X_EXTENSION);
139 		}
140 
141 		/**
142 		 * The reason why we are checking for a ".x" at the end of the parameter
143 		 * name: It is for the image names that in addition to sending the form
144 		 * data, the web browser sends the x,y coordinate of where the user
145 		 * clicked on the image. If the image input is not given a name then the
146 		 * browser sends the x and y coordinates as the "x" and "y" input
147 		 * fields. If the input image does have a name, the x and y coordinates
148 		 * are sent using the format name.x and name.y.
149 		 */
150 		if (methodToCall == null) {
151 			// iterate through parameters looking for methodToCall
152 			for (Enumeration i = request.getParameterNames(); i.hasMoreElements();) {
153 				String parameterName = (String) i.nextElement();
154 
155 				// check if the parameter name is a specifying the methodToCall
156 				if (isMethodToCall(parameterName)) {
157 					methodToCall = getMethodToCallSettingAttribute(form, request, parameterName);
158 					break;
159 				}
160 				else {
161 					// KULRICE-1218: Check if the parameter's values match (not
162 					// just the name)
163 					for (String value : request.getParameterValues(parameterName)) {
164 						// adding period to startsWith check - don't want to get
165 						// confused with methodToCallFoobar
166 						if (isMethodToCall(value)) {
167 							methodToCall = getMethodToCallSettingAttribute(form, request, value);
168 							// why is there not a break outer loop here?
169 						}
170 					}
171 				}
172 			}
173 		}
174 
175 		return methodToCall;
176 	}
177 
178     /**
179 	 * Checks if a string signifies a methodToCall string
180 	 * 
181 	 * @param string
182 	 *            the string to check
183 	 * @return true if is a methodToCall
184 	 */
185 	private static boolean isMethodToCall(String string) {
186 		// adding period to startsWith check - don't want to get confused with
187 		// methodToCallFoobar
188 		return string.startsWith(KRADConstants.DISPATCH_REQUEST_PARAMETER + ".");
189 	}
190 
191 	/**
192 	 * Parses out the methodToCall command and also sets the request attribute
193 	 * for the methodToCall.
194 	 * 
195 	 * @param form
196 	 *            the ActionForm
197 	 * @param request
198 	 *            the request to set the attribute on
199 	 * @param string
200 	 *            the methodToCall string
201 	 * @return the methodToCall command
202 	 */
203 	private static String getMethodToCallSettingAttribute(ActionForm form, HttpServletRequest request, String string) {
204 
205 		if (form instanceof KualiForm
206 				&& !((KualiForm) form).shouldMethodToCallParameterBeUsed(string, request.getParameter(string), request)) {
207 			throw new RuntimeException("Cannot verify that the methodToCall should be " + string);
208 		}
209 		// always adding a coordinate even if not an image
210 		final String attributeValue = endsWithCoordinates(string) ? string : string
211 				+ IMAGE_COORDINATE_CLICKED_X_EXTENSION;
212 		final String methodToCall = StringUtils.substringBetween(attributeValue,
213 				KRADConstants.DISPATCH_REQUEST_PARAMETER + ".", ".");
214 		request.setAttribute(KRADConstants.METHOD_TO_CALL_ATTRIBUTE, attributeValue);
215 		return methodToCall;
216 	}
217 
218 	/**
219 	 * Iterates through and logs (at the given level) all attributes and
220 	 * parameters of the given request onto the given Logger
221 	 * 
222 	 * @param request
223 	 * @param logger
224 	 */
225 	public static void logRequestContents(Logger logger, Level level, HttpServletRequest request) {
226 		if (logger.isEnabledFor(level)) {
227 			logger.log(level, "--------------------");
228 			logger.log(level, "HttpRequest attributes:");
229 			for (Enumeration e = request.getAttributeNames(); e.hasMoreElements();) {
230 				String attrName = (String) e.nextElement();
231 				Object attrValue = request.getAttribute(attrName);
232 
233 				if (attrValue.getClass().isArray()) {
234 					logCollection(logger, level, attrName, Arrays.asList((Object[]) attrValue));
235 				}
236 				else if (attrValue instanceof Collection) {
237 					logCollection(logger, level, attrName, (Collection) attrValue);
238 				}
239 				else if (attrValue instanceof Map) {
240 					logMap(logger, level, attrName, (Map) attrValue);
241 				}
242 				else {
243 					logObject(logger, level, attrName, attrValue);
244 				}
245 			}
246 
247 			logger.log(level, "--------------------");
248 			logger.log(level, "HttpRequest parameters:");
249 			for (Enumeration i = request.getParameterNames(); i.hasMoreElements();) {
250 				String paramName = (String) i.nextElement();
251 				String[] paramValues = (String[]) request.getParameterValues(paramName);
252 
253 				logArray(logger, level, paramName, paramValues);
254 			}
255 
256 			logger.log(level, "--------------------");
257 		}
258 	}
259 
260 	private static void logArray(Logger logger, Level level, String arrayName, Object[] array) {
261 		StringBuffer value = new StringBuffer("[");
262 		for (int i = 0; i < array.length; ++i) {
263 			if (i > 0) {
264 				value.append(",");
265 			}
266 			value.append(array[i]);
267 		}
268 		value.append("]");
269 
270 		logThing(logger, level, arrayName, value);
271 	}
272 
273 	private static void logCollection(Logger logger, Level level, String collectionName, Collection c) {
274 		StringBuffer value = new StringBuffer("{");
275 		for (Iterator i = c.iterator(); i.hasNext();) {
276 			value.append(i.next());
277 			if (i.hasNext()) {
278 				value.append(",");
279 			}
280 		}
281 		value.append("}");
282 
283 		logThing(logger, level, collectionName, value);
284 	}
285 
286 	private static void logMap(Logger logger, Level level, String mapName, Map m) {
287 		StringBuffer value = new StringBuffer("{");
288 		for (Iterator i = m.entrySet().iterator(); i.hasNext();) {
289 			Map.Entry e = (Map.Entry) i.next();
290 			value.append("('" + e.getKey() + "','" + e.getValue() + "')");
291 		}
292 		value.append("}");
293 
294 		logThing(logger, level, mapName, value);
295 	}
296 
297 	private static void logObject(Logger logger, Level level, String objectName, Object o) {
298 		logThing(logger, level, objectName, "'" + o + "'");
299 	}
300 
301 	private static void logThing(Logger logger, Level level, String thingName, Object thing) {
302 		logger.log(level, "    '" + thingName + "' => " + thing);
303 	}
304 
305 	/**
306 	 * A file that is not of type text/plain or text/html can be output through
307 	 * the response using this method.
308 	 * 
309 	 * @param response
310 	 * @param contentType
311 	 * @param byteArrayOutputStream
312 	 * @param fileName
313 	 */
314 	public static void saveMimeOutputStreamAsFile(HttpServletResponse response, String contentType,
315 			ByteArrayOutputStream byteArrayOutputStream, String fileName) throws IOException {
316 
317         // If there are quotes in the name, we should replace them to avoid issues.
318         // The filename will be wrapped with quotes below when it is set in the header
319         String updateFileName;
320         if(fileName.contains("\"")) {
321             updateFileName = fileName.replaceAll("\"", "");
322         } else {
323             updateFileName =  fileName;
324         }
325 
326 		// set response
327 		response.setContentType(contentType);
328         response.setHeader("Content-disposition", "attachment; filename=\"" + updateFileName + "\"");
329         response.setHeader("Expires", "0");
330 		response.setHeader("Cache-Control", "must-revalidate, post-check=0, pre-check=0");
331 		response.setHeader("Pragma", "public");
332 		response.setContentLength(byteArrayOutputStream.size());
333 
334 		// write to output
335 		OutputStream outputStream = response.getOutputStream();
336 		byteArrayOutputStream.writeTo(response.getOutputStream());
337 		outputStream.flush();
338 		outputStream.close();
339 	}
340 
341 	/**
342 	 * A file that is not of type text/plain or text/html can be output through
343 	 * the response using this method.
344 	 * 
345 	 * @param response
346 	 * @param contentType
347 	 * @param inStream
348 	 * @param fileName
349 	 */
350 	public static void saveMimeInputStreamAsFile(HttpServletResponse response, String contentType,
351 			InputStream inStream, String fileName, int fileSize) throws IOException {
352 
353         // If there are quotes in the name, we should replace them to avoid issues.
354         // The filename will be wrapped with quotes below when it is set in the header
355         String updateFileName;
356         if(fileName.contains("\"")) {
357             updateFileName = fileName.replaceAll("\"", "");
358         } else {
359             updateFileName =  fileName;
360         }
361 
362 		// set response
363 		response.setContentType(contentType);
364         response.setHeader("Content-disposition", "attachment; filename=\"" + updateFileName + "\"");
365         response.setHeader("Expires", "0");
366 		response.setHeader("Cache-Control", "must-revalidate, post-check=0, pre-check=0");
367 		response.setHeader("Pragma", "public");
368 		response.setContentLength(fileSize);
369 
370 		// write to output
371 		OutputStream out = response.getOutputStream();
372 		while (inStream.available() > 0) {
373 			out.write(inStream.read());
374 		}
375 		out.flush();
376 	}
377 
378 	/**
379 	 * JSTL function to return the tab state of the tab from the form.
380 	 * 
381 	 * @param form
382 	 * @param tabKey
383 	 * @return
384 	 */
385 	public static String getTabState(KualiForm form, String tabKey) {
386 		return form.getTabState(tabKey);
387 	}
388 
389 	public static void incrementTabIndex(KualiForm form, String tabKey) {
390 		form.incrementTabIndex();
391 	}
392 
393     /**
394      * Attempts to reopen sub tabs which would have been closed for inactive records
395      *
396      * @param sections the list of Sections whose rows and fields to set the open tab state on
397      * @param tabStates the map of tabKey->tabState.  This map will be modified to set entries to "OPEN"
398      * @param collectionName the name of the collection reopening
399      */
400     public static void reopenInactiveRecords(List<Section> sections, Map<String, String> tabStates, String collectionName) {
401         for (Section section : sections) {
402             for (Row row: section.getRows()) {
403                 for (Field field : row.getFields()) {
404                     if (field != null) {
405                         if (Field.CONTAINER.equals(field.getFieldType()) && StringUtils.startsWith(field.getContainerName(), collectionName)) {
406                             final String tabKey = WebUtils.generateTabKey(FieldUtils.generateCollectionSubTabName(field));
407                             tabStates.put(tabKey, KualiForm.TabState.OPEN.name());
408                         }
409                     }
410                 }
411             }
412         }
413     }
414 
415 	/**
416 	 * Generates a String from the title that can be used as a Map key.
417 	 * 
418 	 * @param tabTitle
419 	 * @return
420 	 */
421 	public static String generateTabKey(String tabTitle) {
422 		String key = "";
423 		if (!StringUtils.isBlank(tabTitle)) {
424 			key = tabTitle.replaceAll("\\W", "");
425 			// if (key.length() > 25) {
426 			// key = key.substring(0, 24);
427 			// }
428 		}
429 
430 		return key;
431 	}
432 
433 	public static void getMultipartParameters(HttpServletRequest request, ActionServletWrapper servletWrapper,
434 			ActionForm form, ActionMapping mapping) {
435 		Map params = new HashMap();
436 
437 		// Get the ActionServletWrapper from the form bean
438 		// ActionServletWrapper servletWrapper = getServletWrapper();
439 
440 		try {
441 			CommonsMultipartRequestHandler multipartHandler = new CommonsMultipartRequestHandler();
442 			if (multipartHandler != null) {
443 				// Set servlet and mapping info
444 				if (servletWrapper != null) {
445 					// from pojoformbase
446 					// servlet only affects tempdir on local disk
447 					servletWrapper.setServletFor(multipartHandler);
448 				}
449 				multipartHandler.setMapping((ActionMapping) request.getAttribute(Globals.MAPPING_KEY));
450 				// Initialize multipart request class handler
451 				multipartHandler.handleRequest(request);
452 
453 				Collection<FormFile> files = multipartHandler.getFileElements().values();
454 				Enumeration keys = multipartHandler.getFileElements().keys();
455 
456 				while (keys.hasMoreElements()) {
457 					Object key = keys.nextElement();
458 					FormFile file = (FormFile) multipartHandler.getFileElements().get(key);
459 					long maxSize = WebUtils.getMaxUploadSize(form);
460 					if (LOG.isDebugEnabled()) {
461 						LOG.debug(file.getFileSize());
462 					}
463 					if (maxSize > 0 && Long.parseLong(file.getFileSize() + "") > maxSize) {
464 
465 						GlobalVariables.getMessageMap().putError(key.toString(),
466 								RiceKeyConstants.ERROR_UPLOADFILE_SIZE,
467 								new String[] { file.getFileName(), Long.toString(maxSize) });
468 
469 					}
470 				}
471 
472 				// get file elements for kualirequestprocessor
473 				if (servletWrapper == null) {
474 					request.setAttribute(KRADConstants.UPLOADED_FILE_REQUEST_ATTRIBUTE_KEY,
475 							getFileParametersForMultipartRequest(request, multipartHandler));
476 				}
477 			}
478 		}
479 		catch (ServletException e) {
480 			throw new ValidationException("unable to handle multipart request " + e.getMessage(), e);
481 		}
482 	}
483 
484 	public static long getMaxUploadSize(ActionForm form) {
485 		long max = 0L;
486 		KualiMultipartRequestHandler multipartHandler = new KualiMultipartRequestHandler();
487 		if (form instanceof PojoFormBase) {
488 			max = multipartHandler.calculateMaxUploadSizeToMaxOfList(((PojoFormBase) form).getMaxUploadSizes());
489 		}
490 		if (LOG.isDebugEnabled()) {
491 			LOG.debug("Max File Upload Size: " + max);
492 		}
493 		return max;
494 	}
495 
496 	private static Map getFileParametersForMultipartRequest(HttpServletRequest request,
497 			MultipartRequestHandler multipartHandler) {
498 		Map parameters = new HashMap();
499 		Hashtable elements = multipartHandler.getFileElements();
500 		Enumeration e = elements.keys();
501 		while (e.hasMoreElements()) {
502 			String key = (String) e.nextElement();
503 			parameters.put(key, elements.get(key));
504 		}
505 
506 		if (request instanceof MultipartRequestWrapper) {
507 			request = (HttpServletRequest) ((MultipartRequestWrapper) request).getRequest();
508 			e = request.getParameterNames();
509 			while (e.hasMoreElements()) {
510 				String key = (String) e.nextElement();
511 				parameters.put(key, request.getParameterValues(key));
512 			}
513 		}
514 		else {
515 			LOG.debug("Gathering multipart parameters for unwrapped request");
516 		}
517 		return parameters;
518 	}
519 
520 	// end multipart
521 
522 	public static void registerEditableProperty(PojoFormBase form, String editablePropertyName) {
523 		form.registerEditableProperty(editablePropertyName);
524 	}
525 
526 	public static boolean isDocumentSession(Document document, PojoFormBase docForm) {
527 		boolean sessionDoc = document instanceof org.kuali.rice.krad.document.SessionDocument;
528 		boolean dataDictionarySessionDoc = false;
529 		if (!sessionDoc) {
530 			DataDictionary dataDictionary = KRADServiceLocatorWeb.getDataDictionaryService().getDataDictionary();
531 			if (docForm instanceof KualiMaintenanceForm) {
532 				KualiMaintenanceForm maintenanceForm = (KualiMaintenanceForm) docForm;
533 				if (dataDictionary != null) {
534 					if (maintenanceForm.getDocTypeName() != null) {
535                         MaintenanceDocumentEntry maintenanceDocumentEntry = (MaintenanceDocumentEntry) dataDictionary.getDocumentEntry(maintenanceForm.getDocTypeName());
536 						dataDictionarySessionDoc = maintenanceDocumentEntry.isSessionDocument();
537 					}
538 				}
539 			}
540 			else {
541 				if (document != null && dataDictionary != null) {
542 					KNSDocumentEntry documentEntry = (KNSDocumentEntry) dataDictionary.getDocumentEntry(document.getClass().getName());
543 					dataDictionarySessionDoc = documentEntry.isSessionDocument();
544 				}
545 			}
546 		}
547 		return sessionDoc || dataDictionarySessionDoc;
548 	}
549 
550 	public static boolean isFormSessionDocument(PojoFormBase form) {
551 		Document document = null;
552 		if (KualiDocumentFormBase.class.isAssignableFrom(form.getClass())) {
553 			KualiDocumentFormBase docForm = (KualiDocumentFormBase) form;
554 			document = docForm.getDocument();
555 		}
556 		return isDocumentSession(document, form);
557 	}
558 
559 	public static String KEY_KUALI_FORM_IN_SESSION = "KualiForm";
560 
561 	public static ActionForm getKualiForm(PageContext pageContext) {
562 		return getKualiForm((HttpServletRequest) pageContext.getRequest());
563 	}
564 
565 	public static ActionForm getKualiForm(HttpServletRequest request) {
566 		if (request.getAttribute(KEY_KUALI_FORM_IN_SESSION) != null) {
567 			return (ActionForm) request.getAttribute(KEY_KUALI_FORM_IN_SESSION);
568 		}
569 		else {
570 			final HttpSession session = request.getSession(false);
571 			return session != null ? (ActionForm) session.getAttribute(KEY_KUALI_FORM_IN_SESSION) : null;
572 		}
573 	}
574 
575 	public static boolean isPropertyEditable(Set<String> editableProperties, String propertyName) {
576 		if (LOG.isDebugEnabled()) {
577 			LOG.debug("isPropertyEditable(" + propertyName + ")");
578 		}
579 
580 		boolean returnVal = editableProperties == null
581 				|| editableProperties.contains(propertyName)
582 				|| (getIndexOfCoordinateExtension(propertyName) == -1 ? false : editableProperties
583 						.contains(propertyName.substring(0, getIndexOfCoordinateExtension(propertyName))));
584 		if (!returnVal) {
585 			if (LOG.isDebugEnabled()) {
586 				LOG.debug("isPropertyEditable(" + propertyName + ") == false / editableProperties: "
587 						+ editableProperties);
588 			}
589 		}
590 		return returnVal;
591 	}
592 
593 	public static boolean endsWithCoordinates(String parameter) {
594 		return parameter.endsWith(WebUtils.IMAGE_COORDINATE_CLICKED_X_EXTENSION)
595 				|| parameter.endsWith(WebUtils.IMAGE_COORDINATE_CLICKED_Y_EXTENSION);
596 	}
597 
598 	public static int getIndexOfCoordinateExtension(String parameter) {
599 		int indexOfCoordinateExtension = parameter.lastIndexOf(WebUtils.IMAGE_COORDINATE_CLICKED_X_EXTENSION);
600         if (indexOfCoordinateExtension == -1) {
601             indexOfCoordinateExtension = parameter.lastIndexOf(WebUtils.IMAGE_COORDINATE_CLICKED_Y_EXTENSION);
602         }
603 		return indexOfCoordinateExtension;
604 	}
605 
606     public static boolean isInquiryHiddenField(String className, String fieldName, Object formObject, String propertyName) {
607     	boolean isHidden = false;
608     	String hiddenInquiryFields = getKualiConfigurationService().getPropertyValueAsString(className + ".hidden");
609     	if (StringUtils.isEmpty(hiddenInquiryFields)) {
610     		return isHidden;
611     	}
612     	List hiddenFields = Arrays.asList(hiddenInquiryFields.replaceAll(" ", "").split(","));
613     	if (hiddenFields.contains(fieldName.trim())) {
614     		isHidden = true;
615     	}
616     	return isHidden;
617     }
618 
619     public static boolean isHiddenKimObjectType(String type, String configParameter) {
620     	boolean hideType = false;
621     	String hiddenTypes = getKualiConfigurationService().getPropertyValueAsString(configParameter);
622     	if (StringUtils.isEmpty(hiddenTypes)) {
623     		return hideType;
624     	}
625     	List hiddenTypeValues = Arrays.asList(hiddenTypes.replaceAll(" ", "").split(","));
626     	if (hiddenTypeValues.contains(type.trim())) {
627     		hideType = true;
628     	}
629     	return hideType;
630     }
631 
632 	public static String getFullyMaskedValue(String className, String fieldName, Object formObject, String propertyName) {
633 		String displayMaskValue = null;
634 		Object propertyValue = ObjectUtils.getPropertyValue(formObject, propertyName);
635 
636 		DataDictionaryEntryBase entry = (DataDictionaryEntryBase) KRADServiceLocatorWeb.getDataDictionaryService()
637 				.getDataDictionary().getDictionaryObjectEntry(className);
638 		AttributeDefinition a = entry.getAttributeDefinition(fieldName);
639 
640 		AttributeSecurity attributeSecurity = a.getAttributeSecurity();
641 		if (attributeSecurity != null && attributeSecurity.isMask()) {
642 			MaskFormatter maskFormatter = attributeSecurity.getMaskFormatter();
643 			displayMaskValue = maskFormatter.maskValue(propertyValue);
644 
645 		}
646 		return displayMaskValue;
647 	}
648 
649 	public static String getPartiallyMaskedValue(String className, String fieldName, Object formObject,
650 			String propertyName) {
651 		String displayMaskValue = null;
652 		Object propertyValue = ObjectUtils.getPropertyValue(formObject, propertyName);
653 
654 		DataDictionaryEntryBase entry = (DataDictionaryEntryBase) KRADServiceLocatorWeb.getDataDictionaryService()
655 				.getDataDictionary().getDictionaryObjectEntry(className);
656 		AttributeDefinition a = entry.getAttributeDefinition(fieldName);
657 
658 		AttributeSecurity attributeSecurity = a.getAttributeSecurity();
659 		if (attributeSecurity != null && attributeSecurity.isPartialMask()) {
660 			MaskFormatter partialMaskFormatter = attributeSecurity.getPartialMaskFormatter();
661 			displayMaskValue = partialMaskFormatter.maskValue(propertyValue);
662 
663 		}
664 		return displayMaskValue;
665 	}
666 
667 	public static boolean canFullyUnmaskField(String businessObjectClassName, String fieldName, KualiForm form) {
668 		Class businessObjClass = null;
669 		try {
670 			businessObjClass = Class.forName(businessObjectClassName);
671 		}
672 		catch (Exception e) {
673 			throw new RuntimeException("Unable to resolve class name: " + businessObjectClassName);
674 		}
675 		if (form instanceof KualiDocumentFormBase) {
676 			return KNSServiceLocator.getBusinessObjectAuthorizationService().canFullyUnmaskField(
677 					GlobalVariables.getUserSession().getPerson(), businessObjClass, fieldName,
678 					((KualiDocumentFormBase) form).getDocument());
679 		}
680 		else {
681 			return KNSServiceLocator.getBusinessObjectAuthorizationService().canFullyUnmaskField(
682 					GlobalVariables.getUserSession().getPerson(), businessObjClass, fieldName, null);
683 		}
684 	}
685 
686 	public static boolean canPartiallyUnmaskField(String businessObjectClassName, String fieldName, KualiForm form) {
687 		Class businessObjClass = null;
688 		try {
689 			businessObjClass = Class.forName(businessObjectClassName);
690 		}
691 		catch (Exception e) {
692 			throw new RuntimeException("Unable to resolve class name: " + businessObjectClassName);
693 		}
694 		if (form instanceof KualiDocumentFormBase) {
695 			return KNSServiceLocator.getBusinessObjectAuthorizationService().canPartiallyUnmaskField(
696 					GlobalVariables.getUserSession().getPerson(), businessObjClass, fieldName,
697 					((KualiDocumentFormBase) form).getDocument());
698 		}
699 		else {
700 			return KNSServiceLocator.getBusinessObjectAuthorizationService().canPartiallyUnmaskField(
701 					GlobalVariables.getUserSession().getPerson(), businessObjClass, fieldName, null);
702 		}
703 	}
704 
705 	public static boolean canAddNoteAttachment(Document document) {
706 		boolean canViewNoteAttachment = false;
707 		DocumentAuthorizer documentAuthorizer = KNSServiceLocator.getDocumentHelperService().getDocumentAuthorizer(
708 				document);
709 		canViewNoteAttachment = documentAuthorizer.canAddNoteAttachment(document, null, GlobalVariables
710 				.getUserSession().getPerson());
711 		return canViewNoteAttachment;
712 	}
713 
714 	public static boolean canViewNoteAttachment(Document document, String attachmentTypeCode) {
715 		boolean canViewNoteAttachment = false;
716 		DocumentAuthorizer documentAuthorizer = KNSServiceLocator.getDocumentHelperService().getDocumentAuthorizer(
717 				document);
718 		canViewNoteAttachment = documentAuthorizer.canViewNoteAttachment(document, attachmentTypeCode, GlobalVariables
719 				.getUserSession().getPerson());
720 		return canViewNoteAttachment;
721 	}
722 
723 	public static boolean canDeleteNoteAttachment(Document document, String attachmentTypeCode,
724 			String authorUniversalIdentifier) {
725 		boolean canDeleteNoteAttachment = false;
726 		DocumentAuthorizer documentAuthorizer = KNSServiceLocator.getDocumentHelperService().getDocumentAuthorizer(
727 				document);
728 		canDeleteNoteAttachment = documentAuthorizer.canDeleteNoteAttachment(document, attachmentTypeCode, "false",
729 				GlobalVariables.getUserSession().getPerson());
730 		if (canDeleteNoteAttachment) {
731 			return canDeleteNoteAttachment;
732 		}
733 		else {
734 			canDeleteNoteAttachment = documentAuthorizer.canDeleteNoteAttachment(document, attachmentTypeCode, "true",
735 					GlobalVariables.getUserSession().getPerson());
736 			if (canDeleteNoteAttachment
737 					&& !authorUniversalIdentifier.equals(GlobalVariables.getUserSession().getPerson().getPrincipalId())) {
738 				canDeleteNoteAttachment = false;
739 			}
740 		}
741 		return canDeleteNoteAttachment;
742 	}
743 
744 	public static void reuseErrorMapFromPreviousRequest(KualiDocumentFormBase kualiDocumentFormBase) {
745 		if (kualiDocumentFormBase.getMessageMapFromPreviousRequest() == null) {
746 			LOG.error("Error map from previous request is null!");
747 			return;
748 		}
749 		MessageMap errorMapFromGlobalVariables = GlobalVariables.getMessageMap();
750 		if (kualiDocumentFormBase.getMessageMapFromPreviousRequest() == errorMapFromGlobalVariables) {
751 			// if we've switched them already, then return early and do nothing
752 			return;
753 		}
754 		if (!errorMapFromGlobalVariables.hasNoErrors()) {
755 			throw new RuntimeException("Cannot replace error map because it is not empty");
756 		}
757 		GlobalVariables.setMessageMap(kualiDocumentFormBase.getMessageMapFromPreviousRequest());
758 		GlobalVariables.getMessageMap().clearErrorPath();
759 	}
760 
761 	/**
762 	 * Excapes out HTML to prevent XSS attacks, and replaces the following
763 	 * strings to allow for a limited set of HTML tags
764 	 * 
765 	 * <li>[X] and [/X], where X represents any 1 or 2 letter string may be used
766 	 * to specify the equivalent tag in HTML (i.e. &lt;X&gt; and &lt;/X&gt;) <li>
767 	 * [font COLOR], where COLOR represents any valid html color (i.e. color
768 	 * name or hexcode preceeded by #) will be filtered into &lt;font
769 	 * color="COLOR"/&gt; <li>[/font] will be filtered into &lt;/font&gt; <li>
770 	 * [table CLASS], where CLASS gives the style class to use, will be filter
771 	 * into &lt;table class="CLASS"/&gt; <li>[/table] will be filtered into
772 	 * &lt;/table&gt; <li>[td CLASS], where CLASS gives the style class to use,
773 	 * will be filter into &lt;td class="CLASS"/&gt;
774 	 * 
775 	 * @param inputString
776 	 * @return
777 	 */
778 	public static String filterHtmlAndReplaceRiceMarkup(String inputString) {
779 		String outputString = StringEscapeUtils.escapeHtml(inputString);
780 		// string has been escaped of all <, >, and & (and other characters)
781 
782         Map<String, String> findAndReplacePatterns = new LinkedHashMap<String, String>();
783 
784         // now replace our rice custom markup into html
785 
786         // DON'T ALLOW THE SCRIPT TAG OR ARBITRARY IMAGES/URLS/ETC. THROUGH
787 
788         //strip out instances where javascript precedes a URL
789         findAndReplacePatterns.put("\\[a ((javascript|JAVASCRIPT|JavaScript).+)\\]", "");
790         //turn passed a href value into appropriate tag
791         findAndReplacePatterns.put("\\[a (.+)\\]", "<a href=\"$1\">");
792         findAndReplacePatterns.put("\\[/a\\]", "</a>");
793         
794 		// filter any one character tags
795 		findAndReplacePatterns.put("\\[([A-Za-z])\\]", "<$1>");
796 		findAndReplacePatterns.put("\\[/([A-Za-z])\\]", "</$1>");
797 		// filter any two character tags
798 		findAndReplacePatterns.put("\\[([A-Za-z]{2})\\]", "<$1>");
799 		findAndReplacePatterns.put("\\[/([A-Za-z]{2})\\]", "</$1>");
800 		// filter the font tag
801 		findAndReplacePatterns.put("\\[font (#[0-9A-Fa-f]{1,6}|[A-Za-z]+)\\]", "<font color=\"$1\">");
802 		findAndReplacePatterns.put("\\[/font\\]", "</font>");
803 		// filter the table tag
804 		findAndReplacePatterns.put("\\[table\\]", "<table>");
805 		findAndReplacePatterns.put("\\[table ([A-Za-z]+)\\]", "<table class=\"$1\">");
806 		findAndReplacePatterns.put("\\[/table\\]", "</table>");
807 		// fiter td with class
808 		findAndReplacePatterns.put("\\[td ([A-Za-z]+)\\]", "<td class=\"$1\">");
809 
810 		for (String findPattern : findAndReplacePatterns.keySet()) {
811 			Pattern p = Pattern.compile(findPattern);
812 			Matcher m = p.matcher(outputString);
813 			if (m.find()) {
814 				String replacePattern = findAndReplacePatterns.get(findPattern);
815 				outputString = m.replaceAll(replacePattern);
816 			}
817 		}
818 
819 		return outputString;
820 	}
821 
822     /**
823 	 * Determines and returns the URL for question button images; looks first
824 	 * for a property "application.custom.image.url", and if that is missing,
825 	 * uses the image url returned by getDefaultButtonImageUrl()
826 	 * 
827 	 * @param imageName
828 	 *            the name of the image to find a button for
829 	 * @return the URL where question button images are located
830 	 */
831 	public static String getButtonImageUrl(String imageName) {
832 		String buttonImageUrl = getKualiConfigurationService().getPropertyValueAsString(
833                 WebUtils.APPLICATION_IMAGE_URL_PROPERTY_PREFIX + "." + imageName);
834 		if (StringUtils.isBlank(buttonImageUrl)) {
835 			buttonImageUrl = getDefaultButtonImageUrl(imageName);
836 		}
837 		return buttonImageUrl;
838 	}
839 
840     public static String getAttachmentImageForUrl(String contentType) {
841         String image = getKualiConfigurationService().getPropertyValueAsString(KRADConstants.ATTACHMENT_IMAGE_PREFIX + contentType);
842         if (StringUtils.isEmpty(image)) {
843             return getKualiConfigurationService().getPropertyValueAsString(KRADConstants.ATTACHMENT_IMAGE_DEFAULT);
844         }
845         return image;
846     }
847 
848 	/**
849 	 * Generates a default button image URL, in the form of:
850 	 * ${kr.externalizable.images.url}buttonsmall_${imageName}.gif
851 	 * 
852 	 * @param imageName
853 	 *            the image name to generate a default button name for
854 	 * @return the default button image url
855 	 */
856 	public static String getDefaultButtonImageUrl(String imageName) {
857 		return getKualiConfigurationService().getPropertyValueAsString(WebUtils.DEFAULT_IMAGE_URL_PROPERTY_NAME)
858 				+ "buttonsmall_" + imageName + ".gif";
859 	}
860 
861     /**
862 	 * @return an implementation of the KualiConfigurationService
863 	 */
864 	public static ConfigurationService getKualiConfigurationService() {
865 		if (configurationService == null) {
866 			configurationService = CoreApiServiceLocator.getKualiConfigurationService();
867 		}
868 		return configurationService;
869 	}
870 	
871     /**
872      * Takes a string an converts the whitespace which would be ignored in an
873      * HTML document into HTML elements so the whitespace is preserved
874      * 
875      * @param startingString The string to preserve whitespace in
876      * @return A string whose whitespace has been converted to HTML elements to preserve the whitespace in an HTML document
877      */
878     public static String preserveWhitespace(String startingString) {
879     	String convertedString = startingString.replaceAll("\n", "<br />");
880     	convertedString = convertedString.replaceAll("  ", "&nbsp;&nbsp;").replaceAll("(&nbsp; | &nbsp;)", "&nbsp;&nbsp;");
881     	return convertedString;
882     }
883     
884     public static String getKimGroupDisplayName(String groupId) {
885     	if(StringUtils.isBlank(groupId)) {
886     		throw new IllegalArgumentException("Group ID must have a value");
887     	}
888     	return KimApiServiceLocator.getGroupService().getGroup(groupId).getName();
889     }
890     
891     public static String getPrincipalDisplayName(String principalId) {
892     	if(StringUtils.isBlank(principalId)) {
893     		throw new IllegalArgumentException("Principal ID must have a value");
894     	}
895         if (KimApiServiceLocator.getIdentityService().getDefaultNamesForPrincipalId(principalId) == null){
896             return "";
897         }
898         else {
899     	    return KimApiServiceLocator.getIdentityService().getDefaultNamesForPrincipalId(principalId).getDefaultName().getCompositeName();
900         }
901     }
902 
903     /**
904      * Takes an {@link org.kuali.rice.kew.api.action.ActionRequest} with a recipient type of
905      * {@link org.kuali.rice.kew.api.action.RecipientType#ROLE} and returns the display name for the role.
906      *
907      * @param actionRequest the action request
908      * @return the display name for the role
909      * @throws IllegalArgumentException if the action request is null, or the recipient type is not ROLE
910      */
911     public static String getRoleDisplayName(ActionRequest actionRequest) {
912         String result;
913 
914         if(actionRequest == null) {
915             throw new IllegalArgumentException("actionRequest must be non-null");
916         }
917         if (RecipientType.ROLE != actionRequest.getRecipientType()) {
918             throw new IllegalArgumentException("actionRequest recipient must be a Role");
919         }
920 
921         Role role = KimApiServiceLocator.getRoleService().getRole(actionRequest.getRoleName());
922 
923         if (role != null) {
924             result = role.getName();
925         } else if (!StringUtils.isBlank(actionRequest.getQualifiedRoleNameLabel())) {
926             result = actionRequest.getQualifiedRoleNameLabel();
927         } else {
928             result = actionRequest.getRoleName();
929         }
930 
931         return result;
932     }
933 
934     /**
935      * Returns an absolute URL which is a combination of a base part plus path,
936      * or in the case that the path is already an absolute URL, the path alone
937      * @param base the url base path
938      * @param path the path to append to base
939      * @return an absolute URL representing the combination of base+path, or path alone if it is already absolute
940      */
941     public static String toAbsoluteURL(String base, String path) {
942         boolean abs = false;
943         if (StringUtils.isBlank(path)) {
944             path = "";
945         } else {
946             for (String scheme: SCHEMES) {
947                 if (path.startsWith(scheme)) {
948                     abs = true;
949                     break;
950                 }
951             }
952         }
953         if (abs) {
954             return path;
955         }
956         return base + path;
957     }
958     
959     public static String sanitizeBackLocation(String backLocation) {
960         if(StringUtils.isBlank(backLocation)) {
961             return backLocation;
962         }
963 		// if it's a relative URL then we should be good regardless
964 		try {
965 			URI uri = new URI(backLocation);
966 			if (!uri.isAbsolute()) {
967 				return backLocation;
968 			}
969 		} catch (URISyntaxException e) {
970 			// move on to the other checks if it doesn't parse up as a URI for some reason
971 		}
972         Pattern pattern = Pattern.compile(ConfigContext.getCurrentContextConfig().getProperty(KRADConstants.BACK_LOCATION_ALLOWED_REGEX));
973         if(pattern.matcher(backLocation).matches()) {
974             return backLocation;
975         } else {
976             return ConfigContext.getCurrentContextConfig().getProperty(KRADConstants.BACK_LOCATION_DEFAULT_URL);
977         }
978     }
979 
980 }