Examples with IAuthorizationPrincipal org.apereo.portal.security.IAuthorizationPrincipal used on opensource projects

Example 26 with IAuthorizationPrincipal

use of org.apereo.portal.security.IAuthorizationPrincipal in project uPortal by Jasig.

the class UserAccountHelper method updateAccount.

public void updateAccount(IPerson currentUser, PersonForm form) {
    ILocalAccountPerson account;
    // username
    if (form.getId() < 0) {
        account = accountDao.getPerson(form.getUsername());
        if (account == null) {
            /*
                 * Should there be a permissions check to verify
                 * the user is allowed to create new users?
                 */
            account = accountDao.createPerson(form.getUsername());
        }
    } else // otherwise, get the existing account from the database
    {
        account = accountDao.getPerson(form.getId());
    }
    /*
         * SANITY CHECK #1:  Is the user permitted to modify this account?
         * (Presumably this check was already made when the page was rendered,
         * but re-checking alleviates danger from cleverly-crafted HTTP
         * requests.)
         */
    if (!canEditUser(currentUser, account.getName())) {
        throw new RuntimeException("Current user " + currentUser.getName() + " does not have permissions to update person " + account.getName());
    }
    // Used w/ check #2
    EntityIdentifier ei = currentUser.getEntityIdentifier();
    IAuthorizationPrincipal ap = AuthorizationService.instance().newPrincipal(ei.getKey(), ei.getType());
    // update the account attributes to match those specified in the form
    List<Preference> editableAttributes = getEditableUserAttributes(currentUser);
    for (Preference editableAttribute : editableAttributes) {
        String attributeName = editableAttribute.getName();
        /*
             * SANITY CHECK #2:  Should never fail since getEditableUserAttributes should return only
             * editable attribute names, but do this anyway just in case.
             */
        if (!ap.hasPermission("UP_USERS", "EDIT_USER_ATTRIBUTE", attributeName)) {
            throw new RuntimeException("Current user " + currentUser.getName() + " does not have permissions to edit attribute " + attributeName);
        }
        if (form.getAttributes().get(attributeName) == null || form.getAttributes().get(attributeName).isBlank()) {
            account.removeAttribute(attributeName);
        } else {
            account.setAttribute(attributeName, form.getAttributes().get(attributeName).getValue());
        }
    }
    // if a new password has been specified, update the account password
    if (StringUtils.isNotBlank(form.getPassword())) {
        account.setPassword(passwordService.encryptPassword(form.getPassword()));
        account.setLastPasswordChange(new Date());
        account.removeAttribute("loginToken");
    }
    accountDao.updateAccount(account);
    log.info("Account " + account.getName() + " successfully updated");
}

Example 27 with IAuthorizationPrincipal

use of org.apereo.portal.security.IAuthorizationPrincipal in project uPortal by Jasig.

the class UpdatePreferencesServlet method addTab.

/**
     * Add a new tab to the layout. The new tab will be appended to the end of the list and named
     * with the BLANK_TAB_NAME variable.
     *
     * @param request
     * @throws IOException
     */
@RequestMapping(method = RequestMethod.POST, params = "action=addTab")
public ModelAndView addTab(HttpServletRequest request, HttpServletResponse response, @RequestParam("widths[]") String[] widths) throws IOException {
    IUserInstance ui = userInstanceManager.getUserInstance(request);
    IPerson per = getPerson(ui, response);
    UserPreferencesManager upm = (UserPreferencesManager) ui.getPreferencesManager();
    IUserLayoutManager ulm = upm.getUserLayoutManager();
    // Verify that the user has permission to add this tab
    final IAuthorizationPrincipal authPrincipal = this.getUserPrincipal(per.getUserName());
    if (!authPrincipal.hasPermission(IPermission.PORTAL_SYSTEM, IPermission.ADD_TAB_ACTIVITY, IPermission.ALL_TARGET)) {
        logger.warn("Attempt to add a tab through the REST API by unauthorized user '" + per.getUserName() + "'");
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return new ModelAndView("jsonView", Collections.singletonMap("error", "Add tab disabled"));
    }
    // construct a brand new tab
    String id = "tbd";
    String tabName = request.getParameter("tabName");
    if (StringUtils.isBlank(tabName))
        tabName = DEFAULT_TAB_NAME;
    IUserLayoutFolderDescription newTab = new UserLayoutFolderDescription();
    newTab.setName(tabName);
    newTab.setId(id);
    newTab.setFolderType(IUserLayoutFolderDescription.REGULAR_TYPE);
    newTab.setHidden(false);
    newTab.setUnremovable(false);
    newTab.setImmutable(false);
    // add the tab to the layout
    ulm.addNode(newTab, ulm.getRootFolderId(), null);
    try {
        // save the user's layout
        ulm.saveUserLayout();
    } catch (PortalException e) {
        return handlePersistError(request, response, e);
    }
    // get the id of the newly added tab
    String tabId = newTab.getId();
    for (String width : widths) {
        // create new column element
        IUserLayoutFolderDescription newColumn = new UserLayoutFolderDescription();
        newColumn.setName("Column");
        newColumn.setId("tbd");
        newColumn.setFolderType(IUserLayoutFolderDescription.REGULAR_TYPE);
        newColumn.setHidden(false);
        newColumn.setUnremovable(false);
        newColumn.setImmutable(false);
        // add the column to our layout
        ulm.addNode(newColumn, tabId, null);
        this.stylesheetUserPreferencesService.setLayoutAttribute(request, PreferencesScope.STRUCTURE, newColumn.getId(), "width", width + "%");
        try {
            // This sets the column attribute in memory but doesn't persist it.  Comment says saves changes "prior to persisting"
            Element folder = ulm.getUserLayoutDOM().getElementById(newColumn.getId());
            UserPrefsHandler.setUserPreference(folder, "width", per);
        } catch (Exception e) {
            logger.error("Error saving new column widths", e);
        }
    }
    // this new tab;  use the currently active tabGroup.
    if (request.getParameter(TAB_GROUP_PARAMETER) != null) {
        String tabGroup = request.getParameter(TAB_GROUP_PARAMETER).trim();
        if (logger.isDebugEnabled()) {
            logger.debug(TAB_GROUP_PARAMETER + "=" + tabGroup);
        }
        if (!TAB_GROUP_DEFAULT.equals(tabGroup) && tabGroup.length() != 0) {
            // Persists SSUP values to the database
            this.stylesheetUserPreferencesService.setLayoutAttribute(request, PreferencesScope.STRUCTURE, tabId, TAB_GROUP_PARAMETER, tabGroup);
        }
    }
    try {
        // save the user's layout
        ulm.saveUserLayout();
    } catch (PortalException e) {
        return handlePersistError(request, response, e);
    }
    return new ModelAndView("jsonView", Collections.singletonMap("tabId", tabId));
}

Example 28 with IAuthorizationPrincipal

use of org.apereo.portal.security.IAuthorizationPrincipal in project uPortal by Jasig.

the class PersonLookupHelperImpl method searchForPeople.

/* (non-Javadoc)
     * @see org.apereo.portal.portlets.lookup.IPersonLookupHelper#searchForPeople(org.apereo.portal.security.IPerson, java.util.Map)
     */
public List<IPersonAttributes> searchForPeople(final IPerson searcher, final Map<String, Object> query) {
    // get the IAuthorizationPrincipal for the searching user
    final IAuthorizationPrincipal principal = getPrincipalForUser(searcher);
    // build a set of all possible user attributes the current user has
    // permission to view
    final Set<String> permittedAttributes = getPermittedAttributes(principal);
    // remove any query attributes that the user does not have permission
    // to view
    final Map<String, Object> inUseQuery = new HashMap<>();
    for (Map.Entry<String, Object> queryEntry : query.entrySet()) {
        final String attr = queryEntry.getKey();
        if (permittedAttributes.contains(attr)) {
            inUseQuery.put(attr, queryEntry.getValue());
        } else {
            this.logger.warn("User '" + searcher.getName() + "' attempted searching on attribute '" + attr + "' which is not allowed in the current configuration. The attribute will be ignored.");
        }
    }
    // ensure the query has at least one search attribute defined
    if (inUseQuery.keySet().size() == 0) {
        throw new IllegalArgumentException("Search query is empty");
    }
    // get the set of people matching the search query
    final Set<IPersonAttributes> people = this.personAttributeDao.getPeople(inUseQuery);
    if (people == null) {
        return Collections.emptyList();
    }
    // To improve efficiency and not do as many permission checks or person directory searches,
    // if we have too many results and all people in the returned set of personAttributes have
    // a displayName, pre-sort the set and limit it to maxResults. The typical use case is that
    // LDAP returns results that have the displayName populated.  Note that a disadvantage of this
    // approach is that the smaller result set may have entries that permissions prevent the
    // current users from viewing the person and thus reduce the number of final results, but
    // that is rare (typical use case is users can't view administrative internal accounts or the
    // system account, none of which tend to be in LDAP).  We could retain a few more than maxResults
    // to offset that chance, but IMHO not worth the cost of extra external queries.
    List<IPersonAttributes> peopleList = new ArrayList<>(people);
    if (peopleList.size() > maxResults && allListItemsHaveDisplayName(peopleList)) {
        logger.debug("All items contained displayName; pre-sorting list of size {} and truncating to", peopleList.size(), maxResults);
        // sort the list by display name
        Collections.sort(peopleList, new DisplayNameComparator());
        peopleList = peopleList.subList(0, maxResults);
    }
    // Construct a new representation of the persons limited to attributes the searcher
    // has permissions to view.  Will change order of the list.
    List<IPersonAttributes> list = getVisiblePersons(principal, permittedAttributes, peopleList);
    // Sort the list by display name
    Collections.sort(list, new DisplayNameComparator());
    // limit the list to a maximum number of returned results
    if (list.size() > maxResults) {
        list = list.subList(0, maxResults);
    }
    return list;
}

Example 29 with IAuthorizationPrincipal

use of org.apereo.portal.security.IAuthorizationPrincipal in project uPortal by Jasig.

the class GroupAdministrationHelper method canEditGroup.

public boolean canEditGroup(IPerson currentUser, String target) {
    EntityIdentifier ei = currentUser.getEntityIdentifier();
    IAuthorizationPrincipal ap = AuthorizationService.instance().newPrincipal(ei.getKey(), ei.getType());
    return (ap.hasPermission(IPermission.PORTAL_GROUPS, IPermission.EDIT_GROUP_ACTIVITY, target));
}

Example 30 with IAuthorizationPrincipal

use of org.apereo.portal.security.IAuthorizationPrincipal in project uPortal by Jasig.

the class EntityService method getPrincipalForEntity.

public IAuthorizationPrincipal getPrincipalForEntity(Entity entity) {
    // attempt to determine the entity type class for this principal
    Class entityType;
    if (entity.getEntityType().equals(EntityEnum.GROUP.toString())) {
        entityType = IEntityGroup.class;
    } else {
        entityType = EntityEnum.getEntityEnum(entity.getEntityType()).getClazz();
    }
    // construct an authorization principal for this JsonEntityBean
    AuthorizationService authService = AuthorizationService.instance();
    IAuthorizationPrincipal p = authService.newPrincipal(entity.getId(), entityType);
    return p;
}