View Javadoc
1   /**
2    * Copyright 2005-2015 The Kuali Foundation
3    *
4    * Licensed under the Educational Community License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    * http://www.opensource.org/licenses/ecl2.php
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  package org.kuali.rice.kns.util;
17  
18  import java.io.ByteArrayOutputStream;
19  import java.io.IOException;
20  import java.io.InputStream;
21  import java.io.OutputStream;
22  import java.util.Arrays;
23  import java.util.Collection;
24  import java.util.Enumeration;
25  import java.util.HashMap;
26  import java.util.Hashtable;
27  import java.util.Iterator;
28  import java.util.LinkedHashMap;
29  import java.util.List;
30  import java.util.Map;
31  import java.util.Set;
32  import java.util.regex.Matcher;
33  import java.util.regex.Pattern;
34  
35  import javax.servlet.ServletException;
36  import javax.servlet.http.HttpServletRequest;
37  import javax.servlet.http.HttpServletResponse;
38  import javax.servlet.http.HttpSession;
39  import javax.servlet.jsp.PageContext;
40  
41  import org.apache.commons.lang.StringEscapeUtils;
42  import org.apache.commons.lang.StringUtils;
43  import org.apache.log4j.Level;
44  import org.apache.log4j.Logger;
45  import org.apache.struts.Globals;
46  import org.apache.struts.action.ActionForm;
47  import org.apache.struts.action.ActionMapping;
48  import org.apache.struts.action.ActionServletWrapper;
49  import org.apache.struts.upload.CommonsMultipartRequestHandler;
50  import org.apache.struts.upload.FormFile;
51  import org.apache.struts.upload.MultipartRequestHandler;
52  import org.apache.struts.upload.MultipartRequestWrapper;
53  import org.kuali.rice.core.api.CoreApiServiceLocator;
54  import org.kuali.rice.core.api.config.property.ConfigContext;
55  import org.kuali.rice.core.api.config.property.ConfigurationService;
56  import org.kuali.rice.core.api.util.RiceKeyConstants;
57  import org.kuali.rice.kew.api.action.ActionRequest;
58  import org.kuali.rice.kew.api.action.RecipientType;
59  import org.kuali.rice.kim.api.role.Role;
60  import org.kuali.rice.kim.api.services.KimApiServiceLocator;
61  import org.kuali.rice.kns.datadictionary.KNSDocumentEntry;
62  import org.kuali.rice.kns.datadictionary.MaintenanceDocumentEntry;
63  import org.kuali.rice.kns.document.authorization.DocumentAuthorizer;
64  import org.kuali.rice.kns.service.KNSServiceLocator;
65  import org.kuali.rice.kns.web.struts.action.KualiMultipartRequestHandler;
66  import org.kuali.rice.kns.web.struts.form.KualiDocumentFormBase;
67  import org.kuali.rice.kns.web.struts.form.KualiForm;
68  import org.kuali.rice.kns.web.struts.form.KualiMaintenanceForm;
69  import org.kuali.rice.kns.web.struts.form.pojo.PojoFormBase;
70  import org.kuali.rice.kns.web.ui.Field;
71  import org.kuali.rice.kns.web.ui.Row;
72  import org.kuali.rice.kns.web.ui.Section;
73  import org.kuali.rice.krad.datadictionary.AttributeDefinition;
74  import org.kuali.rice.krad.datadictionary.AttributeSecurity;
75  import org.kuali.rice.krad.datadictionary.DataDictionary;
76  import org.kuali.rice.krad.datadictionary.DataDictionaryEntryBase;
77  import org.kuali.rice.krad.datadictionary.mask.MaskFormatter;
78  import org.kuali.rice.krad.document.Document;
79  import org.kuali.rice.krad.exception.ValidationException;
80  import org.kuali.rice.krad.service.KRADServiceLocatorWeb;
81  import org.kuali.rice.krad.util.GlobalVariables;
82  import org.kuali.rice.krad.util.KRADConstants;
83  import org.kuali.rice.krad.util.MessageMap;
84  import org.kuali.rice.krad.util.ObjectUtils;
85  
86  /**
87   * General helper methods for handling requests.
88   *
89   * @deprecated Only used in KNS classes, use KRAD.
90   */
91  @Deprecated
92  public class WebUtils {
93  	private static final Logger LOG = Logger.getLogger(WebUtils.class);
94  
95  	private static final String IMAGE_COORDINATE_CLICKED_X_EXTENSION = ".x";
96  	private static final String IMAGE_COORDINATE_CLICKED_Y_EXTENSION = ".y";
97  
98  	private static final String APPLICATION_IMAGE_URL_PROPERTY_PREFIX = "application.custom.image.url";
99  	private static final String DEFAULT_IMAGE_URL_PROPERTY_NAME = "kr.externalizable.images.url";
100 
101     /**
102      * Prefixes indicating an absolute url
103      */
104     private static final String[] SCHEMES = { "http://", "https://" };
105 
106 	/**
107 	 * A request attribute name that indicates that a
108 	 * {@link org.kuali.rice.kns.exception.FileUploadLimitExceededException} has already been thrown for the
109 	 * request.
110 	 */
111 	public static final String FILE_UPLOAD_LIMIT_EXCEEDED_EXCEPTION_ALREADY_THROWN = "fileUploadLimitExceededExceptionAlreadyThrown";
112 
113 	private static ConfigurationService configurationService;
114 
115 	/**
116 	 * Checks for methodToCall parameter, and picks off the value using set dot
117 	 * notation. Handles the problem of image submits.
118 	 * 
119 	 * @param request
120 	 * @return methodToCall String
121 	 */
122 	public static String parseMethodToCall(ActionForm form, HttpServletRequest request) {
123 		String methodToCall = null;
124 
125 		// check if is specified cleanly
126 		if (StringUtils.isNotBlank(request.getParameter(KRADConstants.DISPATCH_REQUEST_PARAMETER))) {
127 			if (form instanceof KualiForm
128 					&& !((KualiForm) form).shouldMethodToCallParameterBeUsed(KRADConstants.DISPATCH_REQUEST_PARAMETER,
129 							request.getParameter(KRADConstants.DISPATCH_REQUEST_PARAMETER), request)) {
130 				throw new RuntimeException("Cannot verify that the methodToCall should be "
131 						+ request.getParameter(KRADConstants.DISPATCH_REQUEST_PARAMETER));
132 			}
133 			methodToCall = request.getParameter(KRADConstants.DISPATCH_REQUEST_PARAMETER);
134 			// include .x at the end of the parameter to make it consistent w/
135 			// other parameters
136 			request.setAttribute(KRADConstants.METHOD_TO_CALL_ATTRIBUTE, KRADConstants.DISPATCH_REQUEST_PARAMETER + "."
137 					+ methodToCall + IMAGE_COORDINATE_CLICKED_X_EXTENSION);
138 		}
139 
140 		/**
141 		 * The reason why we are checking for a ".x" at the end of the parameter
142 		 * name: It is for the image names that in addition to sending the form
143 		 * data, the web browser sends the x,y coordinate of where the user
144 		 * clicked on the image. If the image input is not given a name then the
145 		 * browser sends the x and y coordinates as the "x" and "y" input
146 		 * fields. If the input image does have a name, the x and y coordinates
147 		 * are sent using the format name.x and name.y.
148 		 */
149 		if (methodToCall == null) {
150 			// iterate through parameters looking for methodToCall
151 			for (Enumeration i = request.getParameterNames(); i.hasMoreElements();) {
152 				String parameterName = (String) i.nextElement();
153 
154 				// check if the parameter name is a specifying the methodToCall
155 				if (isMethodToCall(parameterName)) {
156 					methodToCall = getMethodToCallSettingAttribute(form, request, parameterName);
157 					break;
158 				}
159 				else {
160 					// KULRICE-1218: Check if the parameter's values match (not
161 					// just the name)
162 					for (String value : request.getParameterValues(parameterName)) {
163 						// adding period to startsWith check - don't want to get
164 						// confused with methodToCallFoobar
165 						if (isMethodToCall(value)) {
166 							methodToCall = getMethodToCallSettingAttribute(form, request, value);
167 							// why is there not a break outer loop here?
168 						}
169 					}
170 				}
171 			}
172 		}
173 
174 		return methodToCall;
175 	}
176 
177     /**
178 	 * Checks if a string signifies a methodToCall string
179 	 * 
180 	 * @param string
181 	 *            the string to check
182 	 * @return true if is a methodToCall
183 	 */
184 	private static boolean isMethodToCall(String string) {
185 		// adding period to startsWith check - don't want to get confused with
186 		// methodToCallFoobar
187 		return string.startsWith(KRADConstants.DISPATCH_REQUEST_PARAMETER + ".");
188 	}
189 
190 	/**
191 	 * Parses out the methodToCall command and also sets the request attribute
192 	 * for the methodToCall.
193 	 * 
194 	 * @param form
195 	 *            the ActionForm
196 	 * @param request
197 	 *            the request to set the attribute on
198 	 * @param string
199 	 *            the methodToCall string
200 	 * @return the methodToCall command
201 	 */
202 	private static String getMethodToCallSettingAttribute(ActionForm form, HttpServletRequest request, String string) {
203 
204 		if (form instanceof KualiForm
205 				&& !((KualiForm) form).shouldMethodToCallParameterBeUsed(string, request.getParameter(string), request)) {
206 			throw new RuntimeException("Cannot verify that the methodToCall should be " + string);
207 		}
208 		// always adding a coordinate even if not an image
209 		final String attributeValue = endsWithCoordinates(string) ? string : string
210 				+ IMAGE_COORDINATE_CLICKED_X_EXTENSION;
211 		final String methodToCall = StringUtils.substringBetween(attributeValue,
212 				KRADConstants.DISPATCH_REQUEST_PARAMETER + ".", ".");
213 		request.setAttribute(KRADConstants.METHOD_TO_CALL_ATTRIBUTE, attributeValue);
214 		return methodToCall;
215 	}
216 
217 	/**
218 	 * Iterates through and logs (at the given level) all attributes and
219 	 * parameters of the given request onto the given Logger
220 	 * 
221 	 * @param request
222 	 * @param logger
223 	 */
224 	public static void logRequestContents(Logger logger, Level level, HttpServletRequest request) {
225 		if (logger.isEnabledFor(level)) {
226 			logger.log(level, "--------------------");
227 			logger.log(level, "HttpRequest attributes:");
228 			for (Enumeration e = request.getAttributeNames(); e.hasMoreElements();) {
229 				String attrName = (String) e.nextElement();
230 				Object attrValue = request.getAttribute(attrName);
231 
232 				if (attrValue.getClass().isArray()) {
233 					logCollection(logger, level, attrName, Arrays.asList((Object[]) attrValue));
234 				}
235 				else if (attrValue instanceof Collection) {
236 					logCollection(logger, level, attrName, (Collection) attrValue);
237 				}
238 				else if (attrValue instanceof Map) {
239 					logMap(logger, level, attrName, (Map) attrValue);
240 				}
241 				else {
242 					logObject(logger, level, attrName, attrValue);
243 				}
244 			}
245 
246 			logger.log(level, "--------------------");
247 			logger.log(level, "HttpRequest parameters:");
248 			for (Enumeration i = request.getParameterNames(); i.hasMoreElements();) {
249 				String paramName = (String) i.nextElement();
250 				String[] paramValues = (String[]) request.getParameterValues(paramName);
251 
252 				logArray(logger, level, paramName, paramValues);
253 			}
254 
255 			logger.log(level, "--------------------");
256 		}
257 	}
258 
259 	private static void logArray(Logger logger, Level level, String arrayName, Object[] array) {
260 		StringBuffer value = new StringBuffer("[");
261 		for (int i = 0; i < array.length; ++i) {
262 			if (i > 0) {
263 				value.append(",");
264 			}
265 			value.append(array[i]);
266 		}
267 		value.append("]");
268 
269 		logThing(logger, level, arrayName, value);
270 	}
271 
272 	private static void logCollection(Logger logger, Level level, String collectionName, Collection c) {
273 		StringBuffer value = new StringBuffer("{");
274 		for (Iterator i = c.iterator(); i.hasNext();) {
275 			value.append(i.next());
276 			if (i.hasNext()) {
277 				value.append(",");
278 			}
279 		}
280 		value.append("}");
281 
282 		logThing(logger, level, collectionName, value);
283 	}
284 
285 	private static void logMap(Logger logger, Level level, String mapName, Map m) {
286 		StringBuffer value = new StringBuffer("{");
287 		for (Iterator i = m.entrySet().iterator(); i.hasNext();) {
288 			Map.Entry e = (Map.Entry) i.next();
289 			value.append("('" + e.getKey() + "','" + e.getValue() + "')");
290 		}
291 		value.append("}");
292 
293 		logThing(logger, level, mapName, value);
294 	}
295 
296 	private static void logObject(Logger logger, Level level, String objectName, Object o) {
297 		logThing(logger, level, objectName, "'" + o + "'");
298 	}
299 
300 	private static void logThing(Logger logger, Level level, String thingName, Object thing) {
301 		logger.log(level, "    '" + thingName + "' => " + thing);
302 	}
303 
304 	/**
305 	 * A file that is not of type text/plain or text/html can be output through
306 	 * the response using this method.
307 	 * 
308 	 * @param response
309 	 * @param contentType
310 	 * @param byteArrayOutputStream
311 	 * @param fileName
312 	 */
313 	public static void saveMimeOutputStreamAsFile(HttpServletResponse response, String contentType,
314 			ByteArrayOutputStream byteArrayOutputStream, String fileName) throws IOException {
315 
316         // If there are quotes in the name, we should replace them to avoid issues.
317         // The filename will be wrapped with quotes below when it is set in the header
318         String updateFileName;
319         if(fileName.contains("\"")) {
320             updateFileName = fileName.replaceAll("\"", "");
321         } else {
322             updateFileName =  fileName;
323         }
324 
325 		// set response
326 		response.setContentType(contentType);
327         response.setHeader("Content-disposition", "attachment; filename=\"" + updateFileName + "\"");
328         response.setHeader("Expires", "0");
329 		response.setHeader("Cache-Control", "must-revalidate, post-check=0, pre-check=0");
330 		response.setHeader("Pragma", "public");
331 		response.setContentLength(byteArrayOutputStream.size());
332 
333 		// write to output
334 		OutputStream outputStream = response.getOutputStream();
335 		byteArrayOutputStream.writeTo(response.getOutputStream());
336 		outputStream.flush();
337 		outputStream.close();
338 	}
339 
340 	/**
341 	 * A file that is not of type text/plain or text/html can be output through
342 	 * the response using this method.
343 	 * 
344 	 * @param response
345 	 * @param contentType
346 	 * @param inStream
347 	 * @param fileName
348 	 */
349 	public static void saveMimeInputStreamAsFile(HttpServletResponse response, String contentType,
350 			InputStream inStream, String fileName, int fileSize) throws IOException {
351 
352         // If there are quotes in the name, we should replace them to avoid issues.
353         // The filename will be wrapped with quotes below when it is set in the header
354         String updateFileName;
355         if(fileName.contains("\"")) {
356             updateFileName = fileName.replaceAll("\"", "");
357         } else {
358             updateFileName =  fileName;
359         }
360 
361 		// set response
362 		response.setContentType(contentType);
363         response.setHeader("Content-disposition", "attachment; filename=\"" + updateFileName + "\"");
364         response.setHeader("Expires", "0");
365 		response.setHeader("Cache-Control", "must-revalidate, post-check=0, pre-check=0");
366 		response.setHeader("Pragma", "public");
367 		response.setContentLength(fileSize);
368 
369 		// write to output
370 		OutputStream out = response.getOutputStream();
371 		while (inStream.available() > 0) {
372 			out.write(inStream.read());
373 		}
374 		out.flush();
375 	}
376 
377 	/**
378 	 * JSTL function to return the tab state of the tab from the form.
379 	 * 
380 	 * @param form
381 	 * @param tabKey
382 	 * @return
383 	 */
384 	public static String getTabState(KualiForm form, String tabKey) {
385 		return form.getTabState(tabKey);
386 	}
387 
388 	public static void incrementTabIndex(KualiForm form, String tabKey) {
389 		form.incrementTabIndex();
390 	}
391 
392     /**
393      * Attempts to reopen sub tabs which would have been closed for inactive records
394      *
395      * @param sections the list of Sections whose rows and fields to set the open tab state on
396      * @param tabStates the map of tabKey->tabState.  This map will be modified to set entries to "OPEN"
397      * @param collectionName the name of the collection reopening
398      */
399     public static void reopenInactiveRecords(List<Section> sections, Map<String, String> tabStates, String collectionName) {
400         for (Section section : sections) {
401             for (Row row: section.getRows()) {
402                 for (Field field : row.getFields()) {
403                     if (field != null) {
404                         if (Field.CONTAINER.equals(field.getFieldType()) && StringUtils.startsWith(field.getContainerName(), collectionName)) {
405                             final String tabKey = WebUtils.generateTabKey(FieldUtils.generateCollectionSubTabName(field));
406                             tabStates.put(tabKey, KualiForm.TabState.OPEN.name());
407                         }
408                     }
409                 }
410             }
411         }
412     }
413 
414 	/**
415 	 * Generates a String from the title that can be used as a Map key.
416 	 * 
417 	 * @param tabTitle
418 	 * @return
419 	 */
420 	public static String generateTabKey(String tabTitle) {
421 		String key = "";
422 		if (!StringUtils.isBlank(tabTitle)) {
423 			key = tabTitle.replaceAll("\\W", "");
424 			// if (key.length() > 25) {
425 			// key = key.substring(0, 24);
426 			// }
427 		}
428 
429 		return key;
430 	}
431 
432 	public static void getMultipartParameters(HttpServletRequest request, ActionServletWrapper servletWrapper,
433 			ActionForm form, ActionMapping mapping) {
434 		Map params = new HashMap();
435 
436 		// Get the ActionServletWrapper from the form bean
437 		// ActionServletWrapper servletWrapper = getServletWrapper();
438 
439 		try {
440 			CommonsMultipartRequestHandler multipartHandler = new CommonsMultipartRequestHandler();
441 			if (multipartHandler != null) {
442 				// Set servlet and mapping info
443 				if (servletWrapper != null) {
444 					// from pojoformbase
445 					// servlet only affects tempdir on local disk
446 					servletWrapper.setServletFor(multipartHandler);
447 				}
448 				multipartHandler.setMapping((ActionMapping) request.getAttribute(Globals.MAPPING_KEY));
449 				// Initialize multipart request class handler
450 				multipartHandler.handleRequest(request);
451 
452 				Collection<FormFile> files = multipartHandler.getFileElements().values();
453 				Enumeration keys = multipartHandler.getFileElements().keys();
454 
455 				while (keys.hasMoreElements()) {
456 					Object key = keys.nextElement();
457 					FormFile file = (FormFile) multipartHandler.getFileElements().get(key);
458 					long maxSize = WebUtils.getMaxUploadSize(form);
459 					if (LOG.isDebugEnabled()) {
460 						LOG.debug(file.getFileSize());
461 					}
462 					if (maxSize > 0 && Long.parseLong(file.getFileSize() + "") > maxSize) {
463 
464 						GlobalVariables.getMessageMap().putError(key.toString(),
465 								RiceKeyConstants.ERROR_UPLOADFILE_SIZE,
466 								new String[] { file.getFileName(), Long.toString(maxSize) });
467 
468 					}
469 				}
470 
471 				// get file elements for kualirequestprocessor
472 				if (servletWrapper == null) {
473 					request.setAttribute(KRADConstants.UPLOADED_FILE_REQUEST_ATTRIBUTE_KEY,
474 							getFileParametersForMultipartRequest(request, multipartHandler));
475 				}
476 			}
477 		}
478 		catch (ServletException e) {
479 			throw new ValidationException("unable to handle multipart request " + e.getMessage(), e);
480 		}
481 	}
482 
483 	public static long getMaxUploadSize(ActionForm form) {
484 		long max = 0L;
485 		KualiMultipartRequestHandler multipartHandler = new KualiMultipartRequestHandler();
486 		if (form instanceof PojoFormBase) {
487 			max = multipartHandler.calculateMaxUploadSizeToMaxOfList(((PojoFormBase) form).getMaxUploadSizes());
488 		}
489 		if (LOG.isDebugEnabled()) {
490 			LOG.debug("Max File Upload Size: " + max);
491 		}
492 		return max;
493 	}
494 
495 	private static Map getFileParametersForMultipartRequest(HttpServletRequest request,
496 			MultipartRequestHandler multipartHandler) {
497 		Map parameters = new HashMap();
498 		Hashtable elements = multipartHandler.getFileElements();
499 		Enumeration e = elements.keys();
500 		while (e.hasMoreElements()) {
501 			String key = (String) e.nextElement();
502 			parameters.put(key, elements.get(key));
503 		}
504 
505 		if (request instanceof MultipartRequestWrapper) {
506 			request = (HttpServletRequest) ((MultipartRequestWrapper) request).getRequest();
507 			e = request.getParameterNames();
508 			while (e.hasMoreElements()) {
509 				String key = (String) e.nextElement();
510 				parameters.put(key, request.getParameterValues(key));
511 			}
512 		}
513 		else {
514 			LOG.debug("Gathering multipart parameters for unwrapped request");
515 		}
516 		return parameters;
517 	}
518 
519 	// end multipart
520 
521 	public static void registerEditableProperty(PojoFormBase form, String editablePropertyName) {
522 		form.registerEditableProperty(editablePropertyName);
523 	}
524 
525 	public static boolean isDocumentSession(Document document, PojoFormBase docForm) {
526 		boolean sessionDoc = document instanceof org.kuali.rice.krad.document.SessionDocument;
527 		boolean dataDictionarySessionDoc = false;
528 		if (!sessionDoc) {
529 			DataDictionary dataDictionary = KRADServiceLocatorWeb.getDataDictionaryService().getDataDictionary();
530 			if (docForm instanceof KualiMaintenanceForm) {
531 				KualiMaintenanceForm maintenanceForm = (KualiMaintenanceForm) docForm;
532 				if (dataDictionary != null) {
533 					if (maintenanceForm.getDocTypeName() != null) {
534                         MaintenanceDocumentEntry maintenanceDocumentEntry = (MaintenanceDocumentEntry) dataDictionary.getDocumentEntry(maintenanceForm.getDocTypeName());
535 						dataDictionarySessionDoc = maintenanceDocumentEntry.isSessionDocument();
536 					}
537 				}
538 			}
539 			else {
540 				if (document != null && dataDictionary != null) {
541 					KNSDocumentEntry documentEntry = (KNSDocumentEntry) dataDictionary.getDocumentEntry(document.getClass().getName());
542 					dataDictionarySessionDoc = documentEntry.isSessionDocument();
543 				}
544 			}
545 		}
546 		return sessionDoc || dataDictionarySessionDoc;
547 	}
548 
549 	public static boolean isFormSessionDocument(PojoFormBase form) {
550 		Document document = null;
551 		if (KualiDocumentFormBase.class.isAssignableFrom(form.getClass())) {
552 			KualiDocumentFormBase docForm = (KualiDocumentFormBase) form;
553 			document = docForm.getDocument();
554 		}
555 		return isDocumentSession(document, form);
556 	}
557 
558 	public static String KEY_KUALI_FORM_IN_SESSION = "KualiForm";
559 
560 	public static ActionForm getKualiForm(PageContext pageContext) {
561 		return getKualiForm((HttpServletRequest) pageContext.getRequest());
562 	}
563 
564 	public static ActionForm getKualiForm(HttpServletRequest request) {
565 		if (request.getAttribute(KEY_KUALI_FORM_IN_SESSION) != null) {
566 			return (ActionForm) request.getAttribute(KEY_KUALI_FORM_IN_SESSION);
567 		}
568 		else {
569 			final HttpSession session = request.getSession(false);
570 			return session != null ? (ActionForm) session.getAttribute(KEY_KUALI_FORM_IN_SESSION) : null;
571 		}
572 	}
573 
574 	public static boolean isPropertyEditable(Set<String> editableProperties, String propertyName) {
575 		if (LOG.isDebugEnabled()) {
576 			LOG.debug("isPropertyEditable(" + propertyName + ")");
577 		}
578 
579 		boolean returnVal = editableProperties == null
580 				|| editableProperties.contains(propertyName)
581 				|| (getIndexOfCoordinateExtension(propertyName) == -1 ? false : editableProperties
582 						.contains(propertyName.substring(0, getIndexOfCoordinateExtension(propertyName))));
583 		if (!returnVal) {
584 			if (LOG.isDebugEnabled()) {
585 				LOG.debug("isPropertyEditable(" + propertyName + ") == false / editableProperties: "
586 						+ editableProperties);
587 			}
588 		}
589 		return returnVal;
590 	}
591 
592 	public static boolean endsWithCoordinates(String parameter) {
593 		return parameter.endsWith(WebUtils.IMAGE_COORDINATE_CLICKED_X_EXTENSION)
594 				|| parameter.endsWith(WebUtils.IMAGE_COORDINATE_CLICKED_Y_EXTENSION);
595 	}
596 
597 	public static int getIndexOfCoordinateExtension(String parameter) {
598 		int indexOfCoordinateExtension = parameter.lastIndexOf(WebUtils.IMAGE_COORDINATE_CLICKED_X_EXTENSION);
599         if (indexOfCoordinateExtension == -1) {
600             indexOfCoordinateExtension = parameter.lastIndexOf(WebUtils.IMAGE_COORDINATE_CLICKED_Y_EXTENSION);
601         }
602 		return indexOfCoordinateExtension;
603 	}
604 
605     public static boolean isInquiryHiddenField(String className, String fieldName, Object formObject, String propertyName) {
606     	boolean isHidden = false;
607     	String hiddenInquiryFields = getKualiConfigurationService().getPropertyValueAsString(className + ".hidden");
608     	if (StringUtils.isEmpty(hiddenInquiryFields)) {
609     		return isHidden;
610     	}
611     	List hiddenFields = Arrays.asList(hiddenInquiryFields.replaceAll(" ", "").split(","));
612     	if (hiddenFields.contains(fieldName.trim())) {
613     		isHidden = true;
614     	}
615     	return isHidden;
616     }
617 
618     public static boolean isHiddenKimObjectType(String type, String configParameter) {
619     	boolean hideType = false;
620     	String hiddenTypes = getKualiConfigurationService().getPropertyValueAsString(configParameter);
621     	if (StringUtils.isEmpty(hiddenTypes)) {
622     		return hideType;
623     	}
624     	List hiddenTypeValues = Arrays.asList(hiddenTypes.replaceAll(" ", "").split(","));
625     	if (hiddenTypeValues.contains(type.trim())) {
626     		hideType = true;
627     	}
628     	return hideType;
629     }
630 
631 	public static String getFullyMaskedValue(String className, String fieldName, Object formObject, String propertyName) {
632 		String displayMaskValue = null;
633 		Object propertyValue = ObjectUtils.getPropertyValue(formObject, propertyName);
634 
635 		DataDictionaryEntryBase entry = (DataDictionaryEntryBase) KRADServiceLocatorWeb.getDataDictionaryService()
636 				.getDataDictionary().getDictionaryObjectEntry(className);
637 		AttributeDefinition a = entry.getAttributeDefinition(fieldName);
638 
639 		AttributeSecurity attributeSecurity = a.getAttributeSecurity();
640 		if (attributeSecurity != null && attributeSecurity.isMask()) {
641 			MaskFormatter maskFormatter = attributeSecurity.getMaskFormatter();
642 			displayMaskValue = maskFormatter.maskValue(propertyValue);
643 
644 		}
645 		return displayMaskValue;
646 	}
647 
648 	public static String getPartiallyMaskedValue(String className, String fieldName, Object formObject,
649 			String propertyName) {
650 		String displayMaskValue = null;
651 		Object propertyValue = ObjectUtils.getPropertyValue(formObject, propertyName);
652 
653 		DataDictionaryEntryBase entry = (DataDictionaryEntryBase) KRADServiceLocatorWeb.getDataDictionaryService()
654 				.getDataDictionary().getDictionaryObjectEntry(className);
655 		AttributeDefinition a = entry.getAttributeDefinition(fieldName);
656 
657 		AttributeSecurity attributeSecurity = a.getAttributeSecurity();
658 		if (attributeSecurity != null && attributeSecurity.isPartialMask()) {
659 			MaskFormatter partialMaskFormatter = attributeSecurity.getPartialMaskFormatter();
660 			displayMaskValue = partialMaskFormatter.maskValue(propertyValue);
661 
662 		}
663 		return displayMaskValue;
664 	}
665 
666 	public static boolean canFullyUnmaskField(String businessObjectClassName, String fieldName, KualiForm form) {
667 		Class businessObjClass = null;
668 		try {
669 			businessObjClass = Class.forName(businessObjectClassName);
670 		}
671 		catch (Exception e) {
672 			throw new RuntimeException("Unable to resolve class name: " + businessObjectClassName);
673 		}
674 		if (form instanceof KualiDocumentFormBase) {
675 			return KNSServiceLocator.getBusinessObjectAuthorizationService().canFullyUnmaskField(
676 					GlobalVariables.getUserSession().getPerson(), businessObjClass, fieldName,
677 					((KualiDocumentFormBase) form).getDocument());
678 		}
679 		else {
680 			return KNSServiceLocator.getBusinessObjectAuthorizationService().canFullyUnmaskField(
681 					GlobalVariables.getUserSession().getPerson(), businessObjClass, fieldName, null);
682 		}
683 	}
684 
685 	public static boolean canPartiallyUnmaskField(String businessObjectClassName, String fieldName, KualiForm form) {
686 		Class businessObjClass = null;
687 		try {
688 			businessObjClass = Class.forName(businessObjectClassName);
689 		}
690 		catch (Exception e) {
691 			throw new RuntimeException("Unable to resolve class name: " + businessObjectClassName);
692 		}
693 		if (form instanceof KualiDocumentFormBase) {
694 			return KNSServiceLocator.getBusinessObjectAuthorizationService().canPartiallyUnmaskField(
695 					GlobalVariables.getUserSession().getPerson(), businessObjClass, fieldName,
696 					((KualiDocumentFormBase) form).getDocument());
697 		}
698 		else {
699 			return KNSServiceLocator.getBusinessObjectAuthorizationService().canPartiallyUnmaskField(
700 					GlobalVariables.getUserSession().getPerson(), businessObjClass, fieldName, null);
701 		}
702 	}
703 
704 	public static boolean canAddNoteAttachment(Document document) {
705 		boolean canViewNoteAttachment = false;
706 		DocumentAuthorizer documentAuthorizer = KNSServiceLocator.getDocumentHelperService().getDocumentAuthorizer(
707 				document);
708 		canViewNoteAttachment = documentAuthorizer.canAddNoteAttachment(document, null, GlobalVariables
709 				.getUserSession().getPerson());
710 		return canViewNoteAttachment;
711 	}
712 
713 	public static boolean canViewNoteAttachment(Document document, String attachmentTypeCode) {
714 		boolean canViewNoteAttachment = false;
715 		DocumentAuthorizer documentAuthorizer = KNSServiceLocator.getDocumentHelperService().getDocumentAuthorizer(
716 				document);
717 		canViewNoteAttachment = documentAuthorizer.canViewNoteAttachment(document, attachmentTypeCode, GlobalVariables
718 				.getUserSession().getPerson());
719 		return canViewNoteAttachment;
720 	}
721 
722 	public static boolean canDeleteNoteAttachment(Document document, String attachmentTypeCode,
723 			String authorUniversalIdentifier) {
724 		boolean canDeleteNoteAttachment = false;
725 		DocumentAuthorizer documentAuthorizer = KNSServiceLocator.getDocumentHelperService().getDocumentAuthorizer(
726 				document);
727 		canDeleteNoteAttachment = documentAuthorizer.canDeleteNoteAttachment(document, attachmentTypeCode, "false",
728 				GlobalVariables.getUserSession().getPerson());
729 		if (canDeleteNoteAttachment) {
730 			return canDeleteNoteAttachment;
731 		}
732 		else {
733 			canDeleteNoteAttachment = documentAuthorizer.canDeleteNoteAttachment(document, attachmentTypeCode, "true",
734 					GlobalVariables.getUserSession().getPerson());
735 			if (canDeleteNoteAttachment
736 					&& !authorUniversalIdentifier.equals(GlobalVariables.getUserSession().getPerson().getPrincipalId())) {
737 				canDeleteNoteAttachment = false;
738 			}
739 		}
740 		return canDeleteNoteAttachment;
741 	}
742 
743 	public static void reuseErrorMapFromPreviousRequest(KualiDocumentFormBase kualiDocumentFormBase) {
744 		if (kualiDocumentFormBase.getMessageMapFromPreviousRequest() == null) {
745 			LOG.error("Error map from previous request is null!");
746 			return;
747 		}
748 		MessageMap errorMapFromGlobalVariables = GlobalVariables.getMessageMap();
749 		if (kualiDocumentFormBase.getMessageMapFromPreviousRequest() == errorMapFromGlobalVariables) {
750 			// if we've switched them already, then return early and do nothing
751 			return;
752 		}
753 		if (!errorMapFromGlobalVariables.hasNoErrors()) {
754 			throw new RuntimeException("Cannot replace error map because it is not empty");
755 		}
756 		GlobalVariables.setMessageMap(kualiDocumentFormBase.getMessageMapFromPreviousRequest());
757 		GlobalVariables.getMessageMap().clearErrorPath();
758 	}
759 
760 	/**
761 	 * Excapes out HTML to prevent XSS attacks, and replaces the following
762 	 * strings to allow for a limited set of HTML tags
763 	 * 
764 	 * <li>[X] and [/X], where X represents any 1 or 2 letter string may be used
765 	 * to specify the equivalent tag in HTML (i.e. &lt;X&gt; and &lt;/X&gt;) <li>
766 	 * [font COLOR], where COLOR represents any valid html color (i.e. color
767 	 * name or hexcode preceeded by #) will be filtered into &lt;font
768 	 * color="COLOR"/&gt; <li>[/font] will be filtered into &lt;/font&gt; <li>
769 	 * [table CLASS], where CLASS gives the style class to use, will be filter
770 	 * into &lt;table class="CLASS"/&gt; <li>[/table] will be filtered into
771 	 * &lt;/table&gt; <li>[td CLASS], where CLASS gives the style class to use,
772 	 * will be filter into &lt;td class="CLASS"/&gt;
773 	 * 
774 	 * @param inputString
775 	 * @return
776 	 */
777 	public static String filterHtmlAndReplaceRiceMarkup(String inputString) {
778 		String outputString = StringEscapeUtils.escapeHtml(inputString);
779 		// string has been escaped of all <, >, and & (and other characters)
780 
781         Map<String, String> findAndReplacePatterns = new LinkedHashMap<String, String>();
782 
783         // now replace our rice custom markup into html
784 
785         // DON'T ALLOW THE SCRIPT TAG OR ARBITRARY IMAGES/URLS/ETC. THROUGH
786 
787         //strip out instances where javascript precedes a URL
788         findAndReplacePatterns.put("\\[a ((javascript|JAVASCRIPT|JavaScript).+)\\]", "");
789         //turn passed a href value into appropriate tag
790         findAndReplacePatterns.put("\\[a (.+)\\]", "<a href=\"$1\">");
791         findAndReplacePatterns.put("\\[/a\\]", "</a>");
792         
793 		// filter any one character tags
794 		findAndReplacePatterns.put("\\[([A-Za-z])\\]", "<$1>");
795 		findAndReplacePatterns.put("\\[/([A-Za-z])\\]", "</$1>");
796 		// filter any two character tags
797 		findAndReplacePatterns.put("\\[([A-Za-z]{2})\\]", "<$1>");
798 		findAndReplacePatterns.put("\\[/([A-Za-z]{2})\\]", "</$1>");
799 		// filter the font tag
800 		findAndReplacePatterns.put("\\[font (#[0-9A-Fa-f]{1,6}|[A-Za-z]+)\\]", "<font color=\"$1\">");
801 		findAndReplacePatterns.put("\\[/font\\]", "</font>");
802 		// filter the table tag
803 		findAndReplacePatterns.put("\\[table\\]", "<table>");
804 		findAndReplacePatterns.put("\\[table ([A-Za-z]+)\\]", "<table class=\"$1\">");
805 		findAndReplacePatterns.put("\\[/table\\]", "</table>");
806 		// fiter td with class
807 		findAndReplacePatterns.put("\\[td ([A-Za-z]+)\\]", "<td class=\"$1\">");
808 
809 		for (String findPattern : findAndReplacePatterns.keySet()) {
810 			Pattern p = Pattern.compile(findPattern);
811 			Matcher m = p.matcher(outputString);
812 			if (m.find()) {
813 				String replacePattern = findAndReplacePatterns.get(findPattern);
814 				outputString = m.replaceAll(replacePattern);
815 			}
816 		}
817 
818 		return outputString;
819 	}
820 
821     /**
822 	 * Determines and returns the URL for question button images; looks first
823 	 * for a property "application.custom.image.url", and if that is missing,
824 	 * uses the image url returned by getDefaultButtonImageUrl()
825 	 * 
826 	 * @param imageName
827 	 *            the name of the image to find a button for
828 	 * @return the URL where question button images are located
829 	 */
830 	public static String getButtonImageUrl(String imageName) {
831 		String buttonImageUrl = getKualiConfigurationService().getPropertyValueAsString(
832                 WebUtils.APPLICATION_IMAGE_URL_PROPERTY_PREFIX + "." + imageName);
833 		if (StringUtils.isBlank(buttonImageUrl)) {
834 			buttonImageUrl = getDefaultButtonImageUrl(imageName);
835 		}
836 		return buttonImageUrl;
837 	}
838 
839     public static String getAttachmentImageForUrl(String contentType) {
840         String image = getKualiConfigurationService().getPropertyValueAsString(KRADConstants.ATTACHMENT_IMAGE_PREFIX + contentType);
841         if (StringUtils.isEmpty(image)) {
842             return getKualiConfigurationService().getPropertyValueAsString(KRADConstants.ATTACHMENT_IMAGE_DEFAULT);
843         }
844         return image;
845     }
846 
847 	/**
848 	 * Generates a default button image URL, in the form of:
849 	 * ${kr.externalizable.images.url}buttonsmall_${imageName}.gif
850 	 * 
851 	 * @param imageName
852 	 *            the image name to generate a default button name for
853 	 * @return the default button image url
854 	 */
855 	public static String getDefaultButtonImageUrl(String imageName) {
856 		return getKualiConfigurationService().getPropertyValueAsString(WebUtils.DEFAULT_IMAGE_URL_PROPERTY_NAME)
857 				+ "buttonsmall_" + imageName + ".gif";
858 	}
859 
860     /**
861 	 * @return an implementation of the KualiConfigurationService
862 	 */
863 	public static ConfigurationService getKualiConfigurationService() {
864 		if (configurationService == null) {
865 			configurationService = CoreApiServiceLocator.getKualiConfigurationService();
866 		}
867 		return configurationService;
868 	}
869 	
870     /**
871      * Takes a string an converts the whitespace which would be ignored in an
872      * HTML document into HTML elements so the whitespace is preserved
873      * 
874      * @param startingString The string to preserve whitespace in
875      * @return A string whose whitespace has been converted to HTML elements to preserve the whitespace in an HTML document
876      */
877     public static String preserveWhitespace(String startingString) {
878     	String convertedString = startingString.replaceAll("\n", "<br />");
879     	convertedString = convertedString.replaceAll("  ", "&nbsp;&nbsp;").replaceAll("(&nbsp; | &nbsp;)", "&nbsp;&nbsp;");
880     	return convertedString;
881     }
882     
883     public static String getKimGroupDisplayName(String groupId) {
884     	if(StringUtils.isBlank(groupId)) {
885     		throw new IllegalArgumentException("Group ID must have a value");
886     	}
887     	return KimApiServiceLocator.getGroupService().getGroup(groupId).getName();
888     }
889     
890     public static String getPrincipalDisplayName(String principalId) {
891     	if(StringUtils.isBlank(principalId)) {
892     		throw new IllegalArgumentException("Principal ID must have a value");
893     	}
894         if (KimApiServiceLocator.getIdentityService().getDefaultNamesForPrincipalId(principalId) == null){
895             return "";
896         }
897         else {
898     	    return KimApiServiceLocator.getIdentityService().getDefaultNamesForPrincipalId(principalId).getDefaultName().getCompositeName();
899         }
900     }
901 
902     /**
903      * Takes an {@link org.kuali.rice.kew.api.action.ActionRequest} with a recipient type of
904      * {@link org.kuali.rice.kew.api.action.RecipientType#ROLE} and returns the display name for the role.
905      *
906      * @param actionRequest the action request
907      * @return the display name for the role
908      * @throws IllegalArgumentException if the action request is null, or the recipient type is not ROLE
909      */
910     public static String getRoleDisplayName(ActionRequest actionRequest) {
911         String result;
912 
913         if(actionRequest == null) {
914             throw new IllegalArgumentException("actionRequest must be non-null");
915         }
916         if (RecipientType.ROLE != actionRequest.getRecipientType()) {
917             throw new IllegalArgumentException("actionRequest recipient must be a Role");
918         }
919 
920         Role role = KimApiServiceLocator.getRoleService().getRole(actionRequest.getRoleName());
921 
922         if (role != null) {
923             result = role.getName();
924         } else if (!StringUtils.isBlank(actionRequest.getQualifiedRoleNameLabel())) {
925             result = actionRequest.getQualifiedRoleNameLabel();
926         } else {
927             result = actionRequest.getRoleName();
928         }
929 
930         return result;
931     }
932 
933     /**
934      * Returns an absolute URL which is a combination of a base part plus path,
935      * or in the case that the path is already an absolute URL, the path alone
936      * @param base the url base path
937      * @param path the path to append to base
938      * @return an absolute URL representing the combination of base+path, or path alone if it is already absolute
939      */
940     public static String toAbsoluteURL(String base, String path) {
941         boolean abs = false;
942         if (StringUtils.isBlank(path)) {
943             path = "";
944         } else {
945             for (String scheme: SCHEMES) {
946                 if (path.startsWith(scheme)) {
947                     abs = true;
948                     break;
949                 }
950             }
951         }
952         if (abs) {
953             return path;
954         }
955         return base + path;
956     }
957     
958     public static String sanitizeBackLocation(String backLocation) {
959         if(StringUtils.isBlank(backLocation)) {
960             return backLocation;
961         }
962         Pattern pattern = Pattern.compile(ConfigContext.getCurrentContextConfig().getProperty(KRADConstants.BACK_LOCATION_ALLOWED_REGEX));
963         if(pattern.matcher(backLocation).matches()) {
964             return backLocation;
965         } else {
966             return ConfigContext.getCurrentContextConfig().getProperty(KRADConstants.BACK_LOCATION_DEFAULT_URL);
967         }
968     }
969 
970 }