Use of com.zimbra.cs.account.AccessManager in the project zm-mailbox by Zimbra:
the class RightCommand, method validateGrant.
/**
 * Validates a grant or revoke of {@code right} to a grantee on a target before it is applied.
 *
 * <p>Checks are performed in this order, each failing with an exception:
 * <ol>
 *   <li>For admin rights, or user rights carrying the canDelegate modifier, the grantee must be
 *       a delegated admin account or admin group (skipped when revoking, since the grantee may
 *       already have lost admin privilege) and the grantee type must be allowed for admin rights.</li>
 *   <li>The right must be grantable on the target type, and group targets only for rights that
 *       support them.</li>
 *   <li>The subdomain / disinheritSubGroups modifiers are only accepted on domain / dl targets
 *       respectively, and only for rights that allow them.</li>
 *   <li>When {@code authedAcct} is non-null, the authed account must itself be able to perform
 *       the right on the target (only a global admin may grant to an external group), and the
 *       grant must not be partially denied on the target.</li>
 *   <li>A secret may only be supplied for grantee types that allow one.</li>
 * </ol>
 *
 * @param authedAcct    the account performing the operation; {@code null} means the caller is
 *                      LdapProvisioning or internal code and the grantor check is skipped
 * @param targetType    type of the target entry
 * @param targetEntry   the target entry the right is granted on
 * @param granteeType   type of the grantee
 * @param granteeEntry  the grantee entry (may be irrelevant for non-entry grantee types)
 * @param secret        optional secret (password) for the grantee, or {@code null}
 * @param right         the right being granted or revoked
 * @param rightModifier modifier on the grant, or {@code null}
 * @param revoking      {@code true} when the operation is a revoke rather than a grant
 * @throws ServiceException INVALID_REQUEST when the grant is malformed, PERM_DENIED when the
 *                          authed account lacks the right to delegate it
 */
private static void validateGrant(Account authedAcct, TargetType targetType, Entry targetEntry, GranteeType granteeType, NamedEntry granteeEntry, String secret, Right right, RightModifier rightModifier, boolean revoking) throws ServiceException {
    // Admin rights and delegatable user rights share the same grantee restrictions.
    final boolean adminStyleGrant =
            !right.isUserRight() || rightModifier == RightModifier.RM_CAN_DELEGATE;

    if (adminStyleGrant) {
        // Revokes pass through: the grantee may have been stripped of admin privilege since.
        if (!revoking) {
            boolean crossDomainAdminRight = CrossDomain.validateCrossDomainAdminGrant(right, granteeType);
            boolean validAdminGrantee = crossDomainAdminRight
                    || RightBearer.isValidGranteeForAdminRights(granteeType, granteeEntry);
            if (!validAdminGrantee) {
                throw ServiceException.INVALID_REQUEST(
                        "grantee for admin right or "
                        + "for user right with the canDelegate modifier must be a "
                        + "delegated admin account or admin group, it cannot be a "
                        + "global admin account or a regular user account.", null);
            }
        }

        if (!granteeType.allowedForAdminRights()) {
            throw ServiceException.INVALID_REQUEST(
                    "grantee type " + granteeType.getCode() + " is not allowed for admin right", null);
        }
    }

    // Target-type compatibility of the right itself.
    if (!right.grantableOnTargetType(targetType)) {
        throw ServiceException.INVALID_REQUEST(
                "right " + right.getName() + " cannot be granted on a " + targetType.getCode() + " entry. "
                + "It can only be granted on target types: " + right.reportGrantableTargetTypes(), null);
    }

    // Group targets are a special case not every right supports.
    if (targetType.isGroup() && !CheckRight.allowGroupTarget(right)) {
        throw ServiceException.INVALID_REQUEST(
                "group target is not supported for right: " + right.getName(), null);
    }

    // Modifier applicability: each modifier is tied to one target type and to rights opting in.
    if (rightModifier == RightModifier.RM_SUBDOMAIN) {
        if (targetType != TargetType.domain) {
            throw ServiceException.INVALID_REQUEST(
                    "right modifier " + rightModifier.getModifier()
                    + " can only be granted on domain targets", null);
        }
        if (!right.allowSubDomainModifier()) {
            throw ServiceException.INVALID_REQUEST(
                    "right modifier " + rightModifier.getModifier()
                    + " is not allowed for the right: " + right.getName(), null);
        }
    } else if (rightModifier == RightModifier.RM_DISINHERIT_SUB_GROUPS) {
        if (targetType != TargetType.dl) {
            throw ServiceException.INVALID_REQUEST(
                    "right modifier " + rightModifier.getModifier()
                    + " can only be granted on group targets", null);
        }
        if (!right.allowDisinheritSubGroupsModifier()) {
            throw ServiceException.INVALID_REQUEST(
                    "right modifier " + rightModifier.getModifier()
                    + " is not allowed for the right: " + right.getName(), null);
        }
    }

    /*
     * Grantor check: a grantor may only delegate (all or part of) rights that were granted to
     * him with the canDelegate modifier, on the same target or a subset of it. The same rule
     * applies to an admin granting a user right (e.g. granting invite on a domain requires an
     * effective +invite right on that domain). Only a global admin may grant or revoke rights
     * for external-group grantees.
     *
     * A null authedAcct means LdapProvisioning or internal code; treat as system admin.
     */
    if (authedAcct != null) {
        AccessManager accessManager = AccessManager.getInstance();

        if (granteeType == GranteeType.GT_EXT_GROUP) {
            if (!AccessControlUtil.isGlobalAdmin(authedAcct)) {
                throw ServiceException.PERM_DENIED("only global admins can grant to external group");
            }
        } else {
            boolean permitted = accessManager.canPerform(authedAcct, targetEntry, right, true, null, true, null);
            if (!permitted) {
                String action = revoking ? "revoke" : "grant";
                throw ServiceException.PERM_DENIED(
                        String.format("insufficient right to %s '%s' right", action, right.getName()));
            }
            ParticallyDenied.checkPartiallyDenied(authedAcct, targetType, targetEntry, right);
        }
    }

    // A secret only makes sense for grantee types that support one.
    if (secret != null && !granteeType.allowSecret()) {
        throw ServiceException.PERM_DENIED(
                "password is not allowed for grantee type " + granteeType.getCode());
    }
}