
Example 1 with WikiPermission

use of org.apache.wiki.auth.permissions.WikiPermission in project jspwiki by apache.

the class PermissionTag method checkPermission.

/**
 *  Checks a single permission.
 *
 *  @param permission the name of the permission to check
 *  @return true if granted, false if not
 */
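private boolean checkPermission(String permission) {
    // Maps a permission name onto the matching Permission object and asks the
    // AuthorizationManager whether the current session holds it. Every path that
    // cannot build a Permission returns false, so missing context never grants access.
    WikiSession session = m_wikiContext.getWikiSession();
    WikiPage page = m_wikiContext.getPage();
    AuthorizationManager mgr = m_wikiContext.getEngine().getAuthorizationManager();

    // Wiki-wide permissions: scoped to the wiki the current page belongs to.
    if (CREATE_GROUPS.equals(permission) || CREATE_PAGES.equals(permission) || EDIT_PREFERENCES.equals(permission) || EDIT_PROFILE.equals(permission) || LOGIN.equals(permission)) {
        // The page-permission path below already treats a null page as possible.
        // Here it used to be dereferenced unconditionally; deny instead of throwing.
        if (page == null) {
            return false;
        }
        return mgr.checkPermission(session, new WikiPermission(page.getWiki(), permission));
    }

    // Group permissions: only meaningful when the current command targets a group.
    if (VIEW_GROUP.equals(permission) || EDIT_GROUP.equals(permission) || DELETE_GROUP.equals(permission)) {
        Command command = m_wikiContext.getCommand();
        if (!(command instanceof GroupCommand) || command.getTarget() == null) {
            return false;
        }
        // NOTE(review): assumes a GroupCommand's target is always a GroupPrincipal - confirm.
        GroupPrincipal group = (GroupPrincipal) command.getTarget();
        String action = "view";
        if (EDIT_GROUP.equals(permission)) {
            action = "edit";
        } else if (DELETE_GROUP.equals(permission)) {
            action = "delete";
        }
        return mgr.checkPermission(session, new GroupPermission(group.getName(), action));
    }

    if (ALL_PERMISSION.equals(permission)) {
        return mgr.checkPermission(session, new AllPermission(m_wikiContext.getEngine().getApplicationName()));
    }

    // Anything else is treated as a page permission and needs a page to check against.
    if (page == null) {
        return false;
    }
    if (EDIT.equals(permission)) {
        // Editing is refused unless the page in the context is the latest version.
        // If the engine cannot return the page at all, the version cannot be
        // confirmed, so the request is denied rather than dereferencing null.
        WikiPage latest = m_wikiContext.getEngine().getPage(page.getName());
        if (page.getVersion() != WikiProvider.LATEST_VERSION && (latest == null || latest.getVersion() != page.getVersion())) {
            return false;
        }
    }
    Permission p = PermissionFactory.getPagePermission(page, permission);
    return mgr.checkPermission(session, p);
}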
Also used : WikiSession(org.apache.wiki.WikiSession) GroupCommand(org.apache.wiki.ui.GroupCommand) Command(org.apache.wiki.ui.Command) GroupCommand(org.apache.wiki.ui.GroupCommand) GroupPrincipal(org.apache.wiki.auth.GroupPrincipal) WikiPage(org.apache.wiki.WikiPage) WikiPermission(org.apache.wiki.auth.permissions.WikiPermission) AllPermission(org.apache.wiki.auth.permissions.AllPermission) Permission(java.security.Permission) GroupPermission(org.apache.wiki.auth.permissions.GroupPermission) AllPermission(org.apache.wiki.auth.permissions.AllPermission) GroupPermission(org.apache.wiki.auth.permissions.GroupPermission) AuthorizationManager(org.apache.wiki.auth.AuthorizationManager) WikiPermission(org.apache.wiki.auth.permissions.WikiPermission)

Example 2 with WikiPermission

use of org.apache.wiki.auth.permissions.WikiPermission in project jspwiki by apache.

the class SecurityVerifier method policyRoleTable.

/**
 * Formats and returns an HTML table containing sample permissions and what
 * roles are allowed to have them. This method will throw an
 * {@link IllegalStateException} if the authorizer is not of type
 * {@link org.apache.wiki.auth.authorize.WebContainerAuthorizer}
 * @return the formatted HTML table containing the result of the tests
 */
public String policyRoleTable() {
    // Builds an HTML table with one row per sample permission and, for every
    // policy principal, one cell per action holding the printPermissionTest() result.
    // NOTE(review): the Javadoc mentions an IllegalStateException, but no throw is
    // visible in this method - confirm whether that sentence belongs here.
    // NOTE(review): role names, role class names and the application name are written
    // into the markup without HTML escaping; they come from m_policyPrincipals and the
    // engine, presumably administrator-controlled - confirm before reusing this
    // pattern with other data.
    final Principal[] policyRoles = m_policyPrincipals;
    final String wikiName = m_engine.getApplicationName();
    final String[] samplePages = { "Main", "Index", "GroupTest", "GroupAdmin" };
    final String[] pageActions = { "view", "edit", "modify", "rename", "delete" };
    final String[] sampleGroups = { "Admin", "TestGroup", "Foo" };
    // Positionally aligned with pageActions; null marks an action with no group test.
    final String[] groupActions = { "view", "edit", null, null, "delete" };
    final String[] wikiActions = { "createGroups", "createPages", "login", "editPreferences", "editProfile" };

    // The first column takes 33%; the test columns share the remaining 67%.
    final int testColumns = pageActions.length * policyRoles.length;
    final String colWidth = (pageActions.length > 0 && policyRoles.length > 0)
            ? (67f / testColumns) + "%"
            : "67%";

    final StringBuilder html = new StringBuilder();

    // Table header: one spanning cell per role
    html.append("<table class=\"wikitable\" border=\"1\">\n")
        .append("  <colgroup span=\"1\" width=\"33%\"/>\n")
        .append("  <colgroup span=\"").append(testColumns)
        .append("\" width=\"").append(colWidth).append("\" align=\"center\"/>\n")
        .append("  <tr>\n")
        .append("    <th rowspan=\"2\" valign=\"bottom\">Permission</th>\n");
    for (Principal role : policyRoles) {
        html.append("    <th colspan=\"").append(pageActions.length)
            .append("\" title=\"").append(role.getClass().getName())
            .append("\">").append(role.getName()).append("</th>\n");
    }
    html.append("  </tr>\n");

    // Second header row: the first letter of each action, repeated for every role
    html.append("  <tr>\n");
    for (int roleIndex = 0; roleIndex < policyRoles.length; roleIndex++) {
        for (String pageAction : pageActions) {
            final String initial = pageAction.substring(0, 1);
            html.append("    <th title=\"").append(pageAction).append("\">").append(initial).append("</th>\n");
        }
    }
    html.append("  </tr>\n");

    // Page permission rows
    for (String pageName : samplePages) {
        final String qualifiedPage = wikiName + ":" + pageName;
        html.append("  <tr>\n");
        html.append("    <td>PagePermission \"").append(qualifiedPage).append("\"</td>\n");
        for (Principal role : policyRoles) {
            for (String pageAction : pageActions) {
                final Permission pagePermission = PermissionFactory.getPagePermission(qualifiedPage, pageAction);
                html.append(printPermissionTest(pagePermission, role, 1));
            }
        }
        html.append("  </tr>\n");
    }

    // Group permission rows
    for (String groupName : sampleGroups) {
        final String qualifiedGroup = wikiName + ":" + groupName;
        html.append("  <tr>\n");
        html.append("    <td>GroupPermission \"").append(qualifiedGroup).append("\"</td>\n");
        for (Principal role : policyRoles) {
            for (String groupAction : groupActions) {
                // A null action still produces a cell; printPermissionTest receives null.
                final Permission groupPermission =
                        (groupAction == null) ? null : new GroupPermission(qualifiedGroup, groupAction);
                html.append(printPermissionTest(groupPermission, role, 1));
            }
        }
        html.append("  </tr>\n");
    }

    // Wiki-wide permission rows: one cell per role, spanning all action columns
    for (String wikiAction : wikiActions) {
        html.append("  <tr>\n");
        html.append("    <td>WikiPermission \"").append(wikiName).append("\",\"").append(wikiAction).append("\"</td>\n");
        for (Principal role : policyRoles) {
            final Permission wikiPermission = new WikiPermission(wikiName, wikiAction);
            html.append(printPermissionTest(wikiPermission, role, pageActions.length));
        }
        html.append("  </tr>\n");
    }

    // AllPermission row
    html.append("  <tr>\n");
    html.append("    <td>AllPermission \"").append(wikiName).append("\"</td>\n");
    for (Principal role : policyRoles) {
        final Permission allPermission = new AllPermission(wikiName);
        html.append(printPermissionTest(allPermission, role, pageActions.length));
    }
    html.append("  </tr>\n");

    html.append("</table>");
    return html.toString();
}
Also used : WikiPermission(org.apache.wiki.auth.permissions.WikiPermission) AllPermission(org.apache.wiki.auth.permissions.AllPermission) Permission(java.security.Permission) GroupPermission(org.apache.wiki.auth.permissions.GroupPermission) AllPermission(org.apache.wiki.auth.permissions.AllPermission) GroupPermission(org.apache.wiki.auth.permissions.GroupPermission) WikiPermission(org.apache.wiki.auth.permissions.WikiPermission) Principal(java.security.Principal)

Example 3 with WikiPermission

use of org.apache.wiki.auth.permissions.WikiPermission in project jspwiki by apache.

the class WikiCommandTest method testTargetedCommand.

@Test
public void testTargetedCommand() {
    // CREATE_GROUP: targeting the wiki must yield a distinct command that keeps the
    // static properties and requires the "createGroups" wiki permission.
    final Command createGroup = WikiCommand.CREATE_GROUP;
    final Command targetedCreateGroup = createGroup.targetedCommand(wiki);
    Assert.assertNotSame(createGroup, targetedCreateGroup);
    Assert.assertEquals(createGroup.getRequestContext(), targetedCreateGroup.getRequestContext());
    Assert.assertEquals(createGroup.getJSP(), targetedCreateGroup.getJSP());
    Assert.assertEquals(createGroup.getURLPattern(), targetedCreateGroup.getURLPattern());
    Assert.assertEquals(createGroup.getContentTemplate(), targetedCreateGroup.getContentTemplate());
    Assert.assertNotNull(targetedCreateGroup.getTarget());
    Assert.assertNotNull(targetedCreateGroup.requiredPermission());
    Assert.assertEquals(new WikiPermission(wiki, "createGroups"), targetedCreateGroup.requiredPermission());
    Assert.assertEquals(wiki, targetedCreateGroup.getTarget());

    // Commands that carry no required permission once targeted
    for (Command unguarded : new Command[] { WikiCommand.ERROR, WikiCommand.FIND, WikiCommand.INSTALL }) {
        final Command targeted = unguarded.targetedCommand(wiki);
        Assert.assertNotSame(unguarded, targeted);
        Assert.assertNotNull(targeted.getTarget());
        Assert.assertNull(targeted.requiredPermission());
        Assert.assertEquals(wiki, targeted.getTarget());
    }

    // Commands guarded by a wiki-wide permission; expectedActions is aligned by index
    final Command[] guarded = { WikiCommand.LOGIN, WikiCommand.LOGOUT, WikiCommand.PREFS };
    final String[] expectedActions = { "login", "login", "editProfile" };
    for (int i = 0; i < guarded.length; i++) {
        final Command targeted = guarded[i].targetedCommand(wiki);
        Assert.assertNotSame(guarded[i], targeted);
        Assert.assertNotNull(targeted.getTarget());
        Assert.assertNotNull(targeted.requiredPermission());
        Assert.assertEquals(new WikiPermission(wiki, expectedActions[i]), targeted.requiredPermission());
        Assert.assertEquals(wiki, targeted.getTarget());
    }
}
Also used : WikiPermission(org.apache.wiki.auth.permissions.WikiPermission) Test(org.junit.Test)

Example 4 with WikiPermission

use of org.apache.wiki.auth.permissions.WikiPermission in project jspwiki by apache.

the class UserManager method setUserProfile.

/**
 * <p>
 * Saves the {@link org.apache.wiki.auth.user.UserProfile} for the user in
 * a wiki session. This method verifies that a user profile to be saved
 * doesn't collide with existing profiles; that is, that its login name
 * or full name is not already used by another profile. If the profile
 * collides, a <code>DuplicateUserException</code> is thrown. After saving
 * the profile, the user database changes are committed, and the user's
 * credential set is refreshed; if custom authentication is used, this means
 * the user will automatically be logged in.
 * </p>
 * <p>
 * When the user's profile is saved successfully, this method fires a
 * {@link WikiSecurityEvent#PROFILE_SAVE} event with the WikiSession as the
 * source and the UserProfile as target. For existing profiles, if the
 * user's full name changes, this method also fires a "name changed"
 * event ({@link WikiSecurityEvent#PROFILE_NAME_CHANGED}) with the
 * WikiSession as the source and an array containing the old and new
 * UserProfiles, respectively. The <code>NAME_CHANGED</code> event allows
 * the GroupManager and PageManager to change group memberships and
 * ACLs if needed.
 * </p>
 * <p>
 * Note that WikiSessions normally attach event listeners to the
 * UserManager, so changes to the profile will automatically cause the
 * correct Principals to be reloaded into the current WikiSession's Subject.
 * </p>
 * @param session the wiki session, which may not be <code>null</code>
 * @param profile the user profile, which may not be <code>null</code>
 * @throws DuplicateUserException if the proposed profile's login name or full name collides with another
 * @throws WikiException if the save fails for some reason. If the current user does not have
 * permission to save the profile, this will be a {@link org.apache.wiki.auth.WikiSecurityException};
 * if the user profile must be approved before it can be saved, it will be a
 * {@link org.apache.wiki.workflow.DecisionRequiredException}. All other WikiExceptions
 * indicate a condition that is not normal and is probably due to mis-configuration
 */
public void setUserProfile(WikiSession session, UserProfile profile) throws DuplicateUserException, WikiException {
    // Flow: authorize -> detect name change -> reject login/full-name collisions ->
    // either start the approval workflow (new profile) or rename/save directly (existing profile).

    // Verify user is allowed to save profile!
    // Authorization gate: the session must hold the wiki-wide EDIT_PROFILE_ACTION
    // permission; nothing is read from or written to the user database before this check.
    final Permission p = new WikiPermission(m_engine.getApplicationName(), WikiPermission.EDIT_PROFILE_ACTION);
    if (!m_engine.getAuthorizationManager().checkPermission(session, p)) {
        throw new WikiSecurityException("You are not allowed to save wiki profiles.");
    }
    // Check if profile is new, and see if container allows creation
    final boolean newProfile = profile.isNew();
    // Check if another user profile already has the fullname or loginname
    // oldProfile is whatever getUserProfile(session) returns for this session.
    final UserProfile oldProfile = getUserProfile(session);
    // nameChanged is false when there is no old profile or it has no full name;
    // otherwise it is true when the full name or the login name differs.
    // NOTE(review): oldProfile.getLoginName() is dereferenced without a null check - confirm it cannot be null here.
    final boolean nameChanged = (oldProfile == null || oldProfile.getFullname() == null) ? false : !(oldProfile.getFullname().equals(profile.getFullname()) && oldProfile.getLoginName().equals(profile.getLoginName()));
    UserProfile otherProfile;
    // Collision check 1: a different profile already using the proposed login name.
    try {
        otherProfile = getUserDatabase().findByLoginName(profile.getLoginName());
        if (otherProfile != null && !otherProfile.equals(oldProfile)) {
            throw new DuplicateUserException("security.error.login.taken", profile.getLoginName());
        }
    } catch (final NoSuchPrincipalException e) {
        // Deliberately ignored: the lookup found no profile with this login name, so there is nothing to collide with.
    }
    // Collision check 2: a different profile already using the proposed full name.
    try {
        otherProfile = getUserDatabase().findByFullName(profile.getFullname());
        if (otherProfile != null && !otherProfile.equals(oldProfile)) {
            throw new DuplicateUserException("security.error.fullname.taken", profile.getFullname());
        }
    } catch (final NoSuchPrincipalException e) {
        // Deliberately ignored: the lookup found no profile with this full name.
    }
    // For new accounts, create approval workflow for user profile save.
    // Taken only when the submitted profile is new and the session's current profile exists and is also new.
    if (newProfile && oldProfile != null && oldProfile.isNew()) {
        final WorkflowBuilder builder = WorkflowBuilder.getBuilder(m_engine);
        final Principal submitter = session.getUserPrincipal();
        // No direct getUserDatabase().save() call appears in this branch; presumably
        // SaveUserProfileTask performs the save when the workflow completes - verify.
        final Task completionTask = new SaveUserProfileTask(m_engine, session.getLocale());
        // Add user profile attribute as Facts for the approver (if required)
        // Full name, login name and submitter are always passed; e-mail only when set.
        final boolean hasEmail = profile.getEmail() != null;
        final Fact[] facts = new Fact[hasEmail ? 4 : 3];
        facts[0] = new Fact(PREFS_FULL_NAME, profile.getFullname());
        facts[1] = new Fact(PREFS_LOGIN_NAME, profile.getLoginName());
        facts[2] = new Fact(FACT_SUBMITTER, submitter.getName());
        if (hasEmail) {
            facts[3] = new Fact(PREFS_EMAIL, profile.getEmail());
        }
        final Workflow workflow = builder.buildApprovalWorkflow(submitter, SAVE_APPROVER, null, SAVE_DECISION_MESSAGE_KEY, facts, completionTask, null);
        // NOTE(review): the whole profile object, which exposes getPassword() (used below),
        // is attached to the workflow; confirm how workflow attributes are stored while
        // an approval is pending.
        workflow.setAttribute(SAVED_PROFILE, profile);
        m_engine.getWorkflowManager().start(workflow);
        // After start(), a current step of type Decision means the workflow is waiting for an approver.
        final boolean approvalRequired = workflow.getCurrentStep() instanceof Decision;
        // If the profile requires approval, redirect user to message page
        if (approvalRequired) {
            throw new DecisionRequiredException("This profile must be approved before it becomes active");
        }
        try {
            // Unless authentication is handled by the container, log the user in with the
            // login name and password carried by the profile. newProfile is always true here.
            final AuthenticationManager mgr = m_engine.getAuthenticationManager();
            if (newProfile && !mgr.isContainerAuthenticated()) {
                mgr.login(session, null, profile.getLoginName(), profile.getPassword());
            }
        } catch (final WikiException e) {
            // Login failures are rethrown as WikiSecurityException with the original exception as cause.
            throw new WikiSecurityException(e.getMessage(), e);
        }
        // Alert all listeners that the profile changed...
        // ...this will cause credentials to be reloaded in the wiki session
        fireEvent(WikiSecurityEvent.PROFILE_SAVE, session, profile);
    } else // For existing accounts, just save the profile
    {
        // If login name changed, rename it first
        if (nameChanged && oldProfile != null && !oldProfile.getLoginName().equals(profile.getLoginName())) {
            getUserDatabase().rename(oldProfile.getLoginName(), profile.getLoginName());
        }
        // Now, save the profile (userdatabase will take care of timestamps for us)
        getUserDatabase().save(profile);
        if (nameChanged) {
            // Fire an event if the login name or full name changed
            // The event target is the pair { old profile, new profile }.
            final UserProfile[] profiles = new UserProfile[] { oldProfile, profile };
            fireEvent(WikiSecurityEvent.PROFILE_NAME_CHANGED, session, profiles);
        } else {
            // Fire an event that says we have a new profile (new principals)
            fireEvent(WikiSecurityEvent.PROFILE_SAVE, session, profile);
        }
    }
}
Also used : Task(org.apache.wiki.workflow.Task) WikiException(org.apache.wiki.api.exceptions.WikiException) UserProfile(org.apache.wiki.auth.user.UserProfile) DecisionRequiredException(org.apache.wiki.workflow.DecisionRequiredException) Workflow(org.apache.wiki.workflow.Workflow) DuplicateUserException(org.apache.wiki.auth.user.DuplicateUserException) Fact(org.apache.wiki.workflow.Fact) Decision(org.apache.wiki.workflow.Decision) WikiPermission(org.apache.wiki.auth.permissions.WikiPermission) Permission(java.security.Permission) AllPermission(org.apache.wiki.auth.permissions.AllPermission) WorkflowBuilder(org.apache.wiki.workflow.WorkflowBuilder) WikiPermission(org.apache.wiki.auth.permissions.WikiPermission) Principal(java.security.Principal)

Aggregations

WikiPermission (org.apache.wiki.auth.permissions.WikiPermission)4 Permission (java.security.Permission)3 AllPermission (org.apache.wiki.auth.permissions.AllPermission)3 Principal (java.security.Principal)2 GroupPermission (org.apache.wiki.auth.permissions.GroupPermission)2 WikiPage (org.apache.wiki.WikiPage)1 WikiSession (org.apache.wiki.WikiSession)1 WikiException (org.apache.wiki.api.exceptions.WikiException)1 AuthorizationManager (org.apache.wiki.auth.AuthorizationManager)1 GroupPrincipal (org.apache.wiki.auth.GroupPrincipal)1 DuplicateUserException (org.apache.wiki.auth.user.DuplicateUserException)1 UserProfile (org.apache.wiki.auth.user.UserProfile)1 Command (org.apache.wiki.ui.Command)1 GroupCommand (org.apache.wiki.ui.GroupCommand)1 Decision (org.apache.wiki.workflow.Decision)1 DecisionRequiredException (org.apache.wiki.workflow.DecisionRequiredException)1 Fact (org.apache.wiki.workflow.Fact)1 Task (org.apache.wiki.workflow.Task)1 Workflow (org.apache.wiki.workflow.Workflow)1 WorkflowBuilder (org.apache.wiki.workflow.WorkflowBuilder)1