001 /**
002 * Copyright 2004-2013 The Kuali Foundation
003 *
004 * Licensed under the Educational Community License, Version 2.0 (the "License");
005 * you may not use this file except in compliance with the License.
006 * You may obtain a copy of the License at
007 *
008 * http://www.opensource.org/licenses/ecl2.php
009 *
010 * Unless required by applicable law or agreed to in writing, software
011 * distributed under the License is distributed on an "AS IS" BASIS,
012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013 * See the License for the specific language governing permissions and
014 * limitations under the License.
015 */
016 package org.kuali.hr.time.authorization;
017
018 import java.util.HashMap;
019 import java.util.HashSet;
020 import java.util.Map;
021 import java.util.Set;
022
023 import org.apache.commons.lang.StringUtils;
024 import org.kuali.hr.time.roles.TkUserRoles;
025 import org.kuali.hr.time.roles.UserRoles;
026 import org.kuali.hr.time.util.TKContext;
027 import org.kuali.hr.time.util.TKUser;
028 import org.kuali.rice.kim.api.identity.Person;
029 import org.kuali.rice.kns.document.authorization.DocumentAuthorizer;
030 import org.kuali.rice.kns.document.authorization.MaintenanceDocumentAuthorizer;
031 import org.kuali.rice.krad.bo.BusinessObject;
032 import org.kuali.rice.krad.document.Document;
033 import org.kuali.rice.krad.maintenance.MaintenanceDocument;
034 import org.kuali.rice.krad.util.GlobalVariables;
035 import org.kuali.rice.krad.util.KRADConstants;
036
037 /**
038 * Base class for the implementation of Authorization in KPME Time and Attendance.
039 *
040 * Role Security Grid Documentation:
041 * https://wiki.kuali.org/display/KPME/Role+Security+Grid
042 */
043 public abstract class TkMaintenanceDocumentAuthorizerBase implements MaintenanceDocumentAuthorizer, DocumentAuthorizer {
044
045 // Methods from BusinessObjectAuthorizer
046
047 @Override
048 public boolean isAuthorized(BusinessObject businessObject, String namespaceCode, String permissionName, String principalId) {
049 return true;
050 }
051
052 @Override
053 public boolean isAuthorizedByTemplate(BusinessObject businessObject, String namespaceCode, String permissionTemplateName, String principalId) {
054 return true;
055 }
056
057 @Override
058 public boolean isAuthorized(BusinessObject businessObject, String namespaceCode, String permissionName, String principalId, Map<String, String> additionalPermissionDetails, Map<String, String> additionalRoleQualifiers) {
059 return true;
060 }
061
062 @Override
063 public boolean isAuthorizedByTemplate(Object dataObject, String namespaceCode, String permissionTemplateName, String principalId, Map<String, String> additionalPermissionDetails, Map<String, String> additionalRoleQualifiers) {
064 return true;
065 }
066
067 @Override
068 public Map<String, String> getCollectionItemRoleQualifications(BusinessObject collectionItemBusinessObject) {
069 return new HashMap<String,String>();
070 }
071
072 @Override
073 public Map<String, String> getCollectionItemPermissionDetails(BusinessObject collectionItemBusinessObject) {
074 return new HashMap<String,String>();
075 }
076
077 // Methods from MaintenanceDocumentAuthorizer
078
079 @Override
080 public boolean canCreate(Class boClass, Person user) {
081 return this.rolesIndicateGeneralWriteAccess();
082 }
083
084 @Override
085 /**
086 * In lookup, called for each Business object if the user can edit or not.
087 */
088 public boolean canMaintain(Object dataObject, Person user) {
089 return this.rolesIndicateWriteAccess((BusinessObject) dataObject);
090 }
091
092 @Override
093 /**
094 * Called when submit is clicked from maintenance doc
095 */
096 public boolean canCreateOrMaintain(MaintenanceDocument maintenanceDocument, Person user){
097 return this.rolesIndicateWriteAccess((BusinessObject) maintenanceDocument.getNewMaintainableObject().getDataObject());
098 }
099
100 @Override
101 public Set<String> getSecurePotentiallyReadOnlySectionIds() {
102 return new HashSet<String>();
103 }
104
105 // Methods from DocumentAuthorizer
106
107
108 /**
109 * Copied from DocumentAuthorizerBase
110 */
111 @Override
112 public Set<String> getDocumentActions(Document document, Person user, Set<String> documentActions) {
113 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_EDIT) && !canEdit(document, user)) {
114 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_EDIT);
115 }
116
117 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_COPY) && !canCopy(document, user)) {
118 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_COPY);
119 }
120
121 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_CLOSE) && !canClose(document, user)) {
122 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_CLOSE);
123 }
124
125 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_RELOAD) && !canReload(document, user)) {
126 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_RELOAD);
127 }
128
129 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_BLANKET_APPROVE) && !canBlanketApprove(document, user)) {
130 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_BLANKET_APPROVE);
131 }
132
133 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_CANCEL) && !canCancel(document, user)) {
134 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_CANCEL);
135 }
136
137 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_RECALL) && !canRecall(document, user)) {
138 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_RECALL);
139 }
140
141 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_SAVE) && !canSave(document, user)) {
142 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_SAVE);
143 }
144
145 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_ROUTE) && !canRoute(document, user)) {
146 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_ROUTE);
147 }
148
149 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_ACKNOWLEDGE) && !canAcknowledge(document, user)) {
150 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_ACKNOWLEDGE);
151 }
152
153 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_FYI) && !canFyi(document, user)) {
154 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_FYI);
155 }
156
157 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_APPROVE) && !canApprove(document, user)) {
158 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_APPROVE);
159 }
160
161 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_DISAPPROVE) && !canDisapprove(document, user)) {
162 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_DISAPPROVE);
163 }
164
165 if (!canSendAnyTypeAdHocRequests(document, user)) {
166 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_ADD_ADHOC_REQUESTS);
167 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_SEND_ADHOC_REQUESTS);
168 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_SEND_NOTE_FYI);
169 }
170
171 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_SEND_NOTE_FYI) && !canSendNoteFyi(document, user)) {
172 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_SEND_NOTE_FYI);
173 }
174
175 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_ANNOTATE) && !canAnnotate(document, user)) {
176 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_ANNOTATE);
177 }
178
179 if (documentActions.contains(KRADConstants.KUALI_ACTION_CAN_EDIT_DOCUMENT_OVERVIEW) && !canEditDocumentOverview(
180 document, user)) {
181 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_EDIT_DOCUMENT_OVERVIEW);
182 }
183
184 if (documentActions.contains(KRADConstants.KUALI_ACTION_PERFORM_ROUTE_REPORT) && !canPerformRouteReport(document,
185 user)) {
186 documentActions.remove(KRADConstants.KUALI_ACTION_PERFORM_ROUTE_REPORT);
187 }
188 // looking at the document status
189 String documentStatus = document.getDocumentHeader().getWorkflowDocument().getStatus().name();
190
191 if (StringUtils.equals(documentStatus, "FINAL")) {
192 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_APPROVE);
193 documentActions.remove(KRADConstants.KUALI_ACTION_CAN_DISAPPROVE);
194 }
195
196 return documentActions;
197 }
198
199 @Override
200 /**
201 * TODO: What is this used for? It's called often.
202 */
203 public boolean canInitiate(String documentTypeName, Person user) {
204 return this.rolesIndicateGeneralReadAccess();
205 }
206
207 @Override
208 /**
209 *
210 * One Reference in KualiDocumentActionBase:366
211 */
212 public boolean canOpen(Document document, Person user) {
213 return this.rolesIndicateGeneralReadAccess();
214 }
215
216 @Override
217 public boolean canEdit(Document document, Person user) {
218 return this.rolesIndicateGeneralWriteAccess();
219 }
220
221 @Override
222 public boolean canAnnotate(Document document, Person user) {
223 return true;
224 }
225
226 @Override
227 public boolean canReload(Document document, Person user) {
228 return true;
229 }
230
231 @Override
232 public boolean canClose(Document document, Person user) {
233 return true;
234 }
235
236 @Override
237 public boolean canSave(Document document, Person user) {
238 return this.rolesIndicateGeneralWriteAccess();
239 }
240
241 @Override
242 public boolean canRoute(Document document, Person user) {
243 return true;
244 }
245
246 @Override
247 public boolean canCancel(Document document, Person user) {
248 return true;
249 }
250
251 @Override
252 public boolean canCopy(Document document, Person user) {
253 return this.rolesIndicateGeneralWriteAccess();
254 }
255
256 @Override
257 public boolean canPerformRouteReport(Document document, Person user) {
258 return true;
259 }
260
261 @Override
262 public boolean canBlanketApprove(Document document, Person user) {
263 return true;
264 }
265
266 @Override
267 public boolean canApprove(Document document, Person user) {
268 return true;
269 }
270
271 @Override
272 public boolean canDisapprove(Document document, Person user) {
273 return true;
274 }
275
276 @Override
277 public boolean canSendNoteFyi(Document document, Person user) {
278 return true;
279 }
280
281 @Override
282 public boolean canEditDocumentOverview(Document document, Person user) {
283 return true;
284 }
285
286 @Override
287 public boolean canFyi(Document document, Person user) {
288 return true;
289 }
290
291 @Override
292 public boolean canAcknowledge(Document document, Person user) {
293 return true;
294 }
295
296 @Override
297 public boolean canReceiveAdHoc(Document document, Person user, String actionRequestCode) {
298 return true;
299 }
300
301 @Override
302 public boolean canAddNoteAttachment(Document document, String attachmentTypeCode, Person user) {
303 return true;
304 }
305
306 @Override
307 public boolean canDeleteNoteAttachment(Document document, String attachmentTypeCode, String createdBySelfOnly, Person user) {
308 return true;
309 }
310
311 @Override
312 public boolean canViewNoteAttachment(Document document,String attachmentTypeCode, Person user) {
313 return true;
314 }
315
316 @Override
317 public boolean canViewNoteAttachment(Document document, String attachmentTypeCode, String authorUniversalIdentifier, Person user) {
318 return true;
319 }
320
321 @Override
322 public boolean canSendAdHocRequests(Document document, String actionRequestCd, Person user) {
323 return true;
324 }
325
326 @Override
327 public boolean canSendAnyTypeAdHocRequests(Document document, Person user) {
328 return true;
329 }
330
331 @Override
332 public boolean canTakeRequestedAction(Document document, String actionRequestCode, Person user) {
333 return true;
334 }
335
336 @Override
337 public boolean canRecall(Document document, Person user) {
338 return true;
339 }
340
341 // Methods from DataObjectAuthorizer
342
343 @Override
344 public boolean isAuthorized(Object dataObject, String namespaceCode, String permissionName, String principalId) {
345 return true;
346 }
347
348 @Override
349 public boolean isAuthorizedByTemplate(Object dataObject, String namespaceCode, String permissionTemplateName, String principalId) {
350 return true;
351 }
352
353 @Override
354 public boolean isAuthorized(Object dataObject, String namespaceCode, String permissionName, String principalId,
355 Map<String, String> additionalPermissionDetails, Map<String, String> additionalRoleQualifiers) {
356 return true;
357 }
358
359
360 // Methods from InquiryOrMaintenanceDocumentAuthorizer
361
362 @Override
363 /**
364 * Can't return null.
365 */
366 public Set<String> getSecurePotentiallyHiddenSectionIds() {
367 return new HashSet<String>();
368 }
369
370 // Override this if necessary:
371
372 /**
373 * Returns the UserRoles object for the CURRENT user. This will take into
374 * account target/backdoor user status. Subclasses can override this if
375 * necessary.
376 *
377 * @return The UserRoles object for the current user.
378 */
379 public UserRoles getRoles() {
380 return TkUserRoles.getUserRoles(GlobalVariables.getUserSession().getPrincipalId());
381 }
382
383 // Subclasses will implement these methods
384
385 /**
386 * Method to indicate whether or not the Context current user can read
387 * objects if the current maintenance type.
388 *
389 * @return true if readable, false otherwise.
390 */
391 abstract public boolean rolesIndicateGeneralReadAccess();
392
393 /**
394 * Method to indicate whether or not the Context current user can create/edit
395 * objects if the current maintenance type.
396 *
397 * @return true if create/editable, false otherwise.
398 */
399 abstract public boolean rolesIndicateGeneralWriteAccess();
400
401 /**
402 * Indicates whether or not the current Context user has create/edit rights
403 * to the provided BusinessObject.
404 *
405 * @param bo The BusinessObject under investigation.
406 *
407 * @return true if editable, false otherwise.
408 */
409 abstract public boolean rolesIndicateWriteAccess(BusinessObject bo);
410
411 /**
412 * Indicates whether or not the current Context user has view rights to the
413 * provided BusinessObject.
414 *
415 * @param bo The BusinessObject under investigation.
416 *
417 * @return true if editable, false otherwise.
418 */
419 abstract public boolean rolesIndicateReadAccess(BusinessObject bo);
420 }