
Example 21 with IPortletDefinition

use of org.apereo.portal.portlet.om.IPortletDefinition in project uPortal by Jasig.

the class PortletRendererImpl method enforceConfigPermission.

/**
 * Guards config mode: a portlet window that is in CONFIG mode is only allowed through when the
 * requesting user's authorization principal may configure the window's portlet definition.
 * A window with no mode, or in any other mode, is left alone.
 *
 * <p>A denial is logged at ERROR level and then reported by exception. Both the log entry and
 * the exception message carry the user name, the portlet fname and the requested mode.
 *
 * @param httpServletRequest the non-null current HttpServletRequest, used to resolve the
 *     requesting user
 * @param portletWindow a non-null portlet window that might be in config mode
 * @throws AuthorizationException if the window specifies config mode and the user is not
 *     permitted to configure the portlet
 * @throws java.lang.IllegalArgumentException if the request or window are null
 * @since 4.0.13.1, 4.0.14, 4.1.
 */
protected void enforceConfigPermission(
        final HttpServletRequest httpServletRequest, final IPortletWindow portletWindow) {
    Validate.notNull(httpServletRequest, "Servlet request must not be null to determine remote user.");
    Validate.notNull(portletWindow, "Portlet window must not be null to determine its mode.");

    // Only config mode is access-controlled here; everything else returns immediately.
    final PortletMode requestedMode = portletWindow.getPortletMode();
    if (requestedMode == null || !IPortletRenderer.CONFIG.equals(requestedMode)) {
        return;
    }

    // Build the principal from the person resolved for this request, so the decision is made
    // for the requesting user.
    final IPerson requester = this.personManager.getPerson(httpServletRequest);
    final EntityIdentifier identifier = requester.getEntityIdentifier();
    final IAuthorizationPrincipal principal =
            AuthorizationService.instance().newPrincipal(identifier.getKey(), identifier.getType());

    final IPortletDefinition definition = portletWindow.getPortletEntity().getPortletDefinition();
    final String definitionId = definition.getPortletDefinitionId().getStringId();
    if (principal.canConfigure(definitionId)) {
        return;
    }

    // Denied: leave an audit trail before refusing the render.
    logger.error(
            "User {} attempted to use portlet {} in {} but lacks permission to use that mode.  "
                    + "THIS MAY BE AN ATTEMPT TO EXPLOIT A HISTORICAL SECURITY FLAW.  "
                    + "You should probably figure out who this user is and why they are trying to access "
                    + "unauthorized portlet modes.",
            requester.getUserName(),
            definition.getFName(),
            requestedMode);
    throw new AuthorizationException(
            requester.getUserName()
                    + " does not have permission to render '"
                    + definition.getFName()
                    + "' in "
                    + requestedMode
                    + " PortletMode.");
}
Also used : IPerson(org.apereo.portal.security.IPerson) AuthorizationService(org.apereo.portal.services.AuthorizationService) IPortletEntity(org.apereo.portal.portlet.om.IPortletEntity) AuthorizationException(org.apereo.portal.AuthorizationException) IAuthorizationPrincipal(org.apereo.portal.security.IAuthorizationPrincipal) EntityIdentifier(org.apereo.portal.EntityIdentifier) PortletMode(javax.portlet.PortletMode) IPortletDefinition(org.apereo.portal.portlet.om.IPortletDefinition)

Example 22 with IPortletDefinition

use of org.apereo.portal.portlet.om.IPortletDefinition in project uPortal by Jasig.

the class PortletWorkerFactoryImpl method getPortletFname.

/**
 * Resolves the fname of the portlet definition behind a portlet window.
 *
 * @param request the current request, passed to the portlet window registry lookup
 * @param portletWindowId id of the portlet window to look up
 * @return the fname of the portlet definition reached through the window's portlet entity
 */
protected String getPortletFname(HttpServletRequest request, IPortletWindowId portletWindowId) {
    // NOTE(review): each step of the chain is dereferenced without a null check; confirm the
    // registry cannot return null for the ids that reach this method.
    return this.portletWindowRegistry
            .getPortletWindow(request, portletWindowId)
            .getPortletEntity()
            .getPortletDefinition()
            .getFName();
}
Also used : IPortletEntity(org.apereo.portal.portlet.om.IPortletEntity) IPortletWindow(org.apereo.portal.portlet.om.IPortletWindow) IPortletDefinition(org.apereo.portal.portlet.om.IPortletDefinition)

Example 23 with IPortletDefinition

use of org.apereo.portal.portlet.om.IPortletDefinition in project uPortal by Jasig.

the class PortletAdministrationHelper method removePortletRegistration.

/**
 * Deletes the portlet identified by the given form, after checking that the person is allowed
 * to manage it.
 *
 * @param person the person removing the portlet
 * @param form the form describing the portlet; its id, fname, lifecycle state and categories
 *     are read here
 * @throws SecurityException if hasLifecyclePermission rejects the person for the form's
 *     lifecycle state and categories
 */
public void removePortletRegistration(IPerson person, PortletDefinitionForm form) {
    // Authorize before touching the registry.
    // NOTE(review): the decision uses the lifecycle state and categories carried on the form,
    // not those of the definition looked up by form.getId() below -- confirm the form values
    // cannot diverge from the stored portlet.
    final boolean permitted =
            hasLifecyclePermission(person, form.getLifecycleState(), form.getCategories());
    if (!permitted) {
        logger.warn(
                "User '"
                        + person.getUserName()
                        + "' attempted to remove portlet '"
                        + form.getFname()
                        + "' without the proper MANAGE permission");
        throw new SecurityException("Not Authorized");
    }

    // NOTE(review): the lookup result is handed on without a null check.
    final IPortletDefinition definition = portletDefinitionRegistry.getPortletDefinition(form.getId());

    /*
     * It's very important to remove portlets via the portletPublishingService
     * because that API cleans up details like category memberships and permissions.
     */
    portletPublishingService.removePortletDefinition(definition, person);
}
Also used : IPortletDefinition(org.apereo.portal.portlet.om.IPortletDefinition)

Example 24 with IPortletDefinition

use of org.apereo.portal.portlet.om.IPortletDefinition in project uPortal by Jasig.

the class MarketplacePortletDefinition method initRelatedPortlets.

/**
 * Populates {@code relatedPortlets} with a MarketplacePortletDefinition for every portlet that
 * getAllChildPortlets returns for each parent category of this portlet, minus this portlet.
 *
 * <p>This must be called lazily: each related entry is itself a MarketplacePortletDefinition,
 * and eager initialization would have every one of them instantiate its own related
 * definitions, ad infinitum.
 */
private void initRelatedPortlets() {
    final Set<MarketplacePortletDefinition> related = new HashSet<>();
    for (PortletCategory category : this.portletCategoryRegistry.getParentCategories(this)) {
        for (IPortletDefinition sibling : this.portletCategoryRegistry.getAllChildPortlets(category)) {
            related.add(
                    new MarketplacePortletDefinition(
                            sibling, this.marketplaceService, this.portletCategoryRegistry));
        }
    }
    // Drop this portlet from its own related set.
    // NOTE(review): presumably relies on MarketplacePortletDefinition equals/hashCode to match
    // the wrapper built above for this portlet -- verify.
    related.remove(this);
    this.relatedPortlets = related;
}
Also used : HashSet(java.util.HashSet) PortletCategory(org.apereo.portal.portlet.om.PortletCategory) IPortletDefinition(org.apereo.portal.portlet.om.IPortletDefinition)

Example 25 with IPortletDefinition

use of org.apereo.portal.portlet.om.IPortletDefinition in project uPortal by Jasig.

the class AuthorizationImpl method canPrincipalConfigure.

/**
 * Decides whether the principal may use config mode on the given portlet definition.
 *
 * <p>The question is delegated to doesPrincipalHavePermission with owner
 * {@code IPermission.PORTAL_PUBLISH}, activity {@code IPermission.PORTLET_MODE_CONFIG} and
 * target {@code IPermission.PORTLET_PREFIX + portletDefinitionId}.
 *
 * @param principal the principal whose permission is being checked
 * @param portletDefinitionId id of the portlet definition to be configured
 * @return the result of doesPrincipalHavePermission for that owner, activity and target
 * @throws AuthorizationException if the registry has no portlet definition for the id
 */
@Override
@RequestCache
public boolean canPrincipalConfigure(IAuthorizationPrincipal principal, String portletDefinitionId) throws AuthorizationException {
    // An id the registry cannot resolve is rejected by exception rather than evaluated.
    // The definition itself is only needed for this existence check.
    if (this.portletDefinitionRegistry.getPortletDefinition(portletDefinitionId) == null) {
        throw new AuthorizationException("Unable to locate portlet " + portletDefinitionId);
    }
    return doesPrincipalHavePermission(
            principal,
            IPermission.PORTAL_PUBLISH,
            IPermission.PORTLET_MODE_CONFIG,
            IPermission.PORTLET_PREFIX + portletDefinitionId);
}
Also used : AuthorizationException(org.apereo.portal.AuthorizationException) IPortletDefinition(org.apereo.portal.portlet.om.IPortletDefinition) RequestCache(org.apereo.portal.concurrency.caching.RequestCache)

Aggregations

IPortletDefinition (org.apereo.portal.portlet.om.IPortletDefinition)103 IPortletEntity (org.apereo.portal.portlet.om.IPortletEntity)24 IPortletWindow (org.apereo.portal.portlet.om.IPortletWindow)23 IAuthorizationPrincipal (org.apereo.portal.security.IAuthorizationPrincipal)17 ArrayList (java.util.ArrayList)14 IPortletDefinitionId (org.apereo.portal.portlet.om.IPortletDefinitionId)14 HashSet (java.util.HashSet)13 IPerson (org.apereo.portal.security.IPerson)13 RequestMapping (org.springframework.web.bind.annotation.RequestMapping)13 PortletCategory (org.apereo.portal.portlet.om.PortletCategory)12 EntityIdentifier (org.apereo.portal.EntityIdentifier)10 IUserLayoutManager (org.apereo.portal.layout.IUserLayoutManager)9 IPortletWindowId (org.apereo.portal.portlet.om.IPortletWindowId)9 HashMap (java.util.HashMap)8 HttpServletRequest (javax.servlet.http.HttpServletRequest)8 IUserInstance (org.apereo.portal.user.IUserInstance)7 Locale (java.util.Locale)6 PortletDefinition (org.apache.pluto.container.om.portlet.PortletDefinition)6 PortalException (org.apereo.portal.PortalException)6 IPortletPreference (org.apereo.portal.portlet.om.IPortletPreference)6