use of org.apereo.portal.portlet.om.IPortletDefinition in project uPortal by Jasig.
the class PortletRendererImpl method enforceConfigPermission.
/**
 * Rejects rendering of a portlet window in CONFIG mode for users who lack CONFIG permission.
 *
 * <p>When the window reports no mode, or any mode other than CONFIG, this method returns without
 * consulting the authorization service. When the window is in CONFIG mode, the requesting user
 * is resolved from the request and checked against the id of the window's portlet definition; a
 * denial is logged at ERROR level and then thrown.
 *
 * @param httpServletRequest the non-null current HttpServletRequest (used to determine the
 *     requesting user)
 * @param portletWindow a non-null portlet window that might be in config mode
 * @throws AuthorizationException if the window specifies config mode and the user is not
 *     permitted to configure the portlet
 * @throws java.lang.IllegalArgumentException if the request or window are null
 * @since 4.0.13.1, 4.0.14, 4.1.
 */
protected void enforceConfigPermission(
        final HttpServletRequest httpServletRequest, final IPortletWindow portletWindow) {
    Validate.notNull(httpServletRequest, "Servlet request must not be null to determine remote user.");
    Validate.notNull(portletWindow, "Portlet window must not be null to determine its mode.");

    // Only CONFIG mode is gated here; every other mode (or no mode) passes straight through.
    final PortletMode requestedMode = portletWindow.getPortletMode();
    if (requestedMode == null || !IPortletRenderer.CONFIG.equals(requestedMode)) {
        return;
    }

    // Build the authorization principal from the person bound to this request.
    final IPerson requester = this.personManager.getPerson(httpServletRequest);
    final EntityIdentifier requesterId = requester.getEntityIdentifier();
    final IAuthorizationPrincipal principal =
            AuthorizationService.instance().newPrincipal(requesterId.getKey(), requesterId.getType());

    // The permission is evaluated against the portlet definition behind the window.
    final IPortletDefinition definition = portletWindow.getPortletEntity().getPortletDefinition();
    final String definitionId = definition.getPortletDefinitionId().getStringId();
    if (principal.canConfigure(definitionId)) {
        return;
    }

    // The denial is logged before the exception is thrown, so it is recorded regardless of how
    // callers handle the AuthorizationException.
    logger.error(
            "User {} attempted to use portlet {} in {} but lacks permission to use that mode. "
                    + "THIS MAY BE AN ATTEMPT TO EXPLOIT A HISTORICAL SECURITY FLAW. "
                    + "You should probably figure out who this user is and why they are trying to access "
                    + "unauthorized portlet modes.",
            requester.getUserName(),
            definition.getFName(),
            requestedMode);
    throw new AuthorizationException(
            requester.getUserName()
                    + " does not have permission to render '"
                    + definition.getFName()
                    + "' in "
                    + requestedMode
                    + " PortletMode.");
}
use of org.apereo.portal.portlet.om.IPortletDefinition in project uPortal by Jasig.
the class PortletWorkerFactoryImpl method getPortletFname.
/**
 * Looks up the fname of the portlet definition behind a portlet window.
 *
 * @param request the current request, passed to the window registry lookup
 * @param portletWindowId id of the window to resolve
 * @return the fname reported by the window's portlet definition
 */
protected String getPortletFname(HttpServletRequest request, IPortletWindowId portletWindowId) {
    // NOTE(review): none of the intermediate results is null-checked. If the registry can return
    // null for an unknown window id, this chain throws NullPointerException — confirm against the
    // registry contract.
    return this.portletWindowRegistry
            .getPortletWindow(request, portletWindowId)
            .getPortletEntity()
            .getPortletDefinition()
            .getFName();
}
use of org.apereo.portal.portlet.om.IPortletDefinition in project uPortal by Jasig.
the class PortletAdministrationHelper method removePortletRegistration.
/**
 * Deletes the portlet identified by the given form, after checking that the person holds the
 * lifecycle permission for it.
 *
 * @param person the person removing the portlet
 * @param form supplies the portlet id to remove, plus the lifecycle state and categories that
 *     the permission check is evaluated against
 * @throws SecurityException if the lifecycle permission check fails
 */
public void removePortletRegistration(IPerson person, PortletDefinitionForm form) {
    // NOTE(review): the permission decision uses the lifecycle state and categories carried on
    // the form, while the definition that gets removed is looked up separately by form.getId().
    // Confirm the form is populated server-side, or evaluate the check against the persisted
    // definition, so the two cannot disagree.
    final boolean mayManage =
            hasLifecyclePermission(person, form.getLifecycleState(), form.getCategories());
    if (!mayManage) {
        // User name and fname are concatenated into the log line as-is.
        logger.warn(
                "User '"
                        + person.getUserName()
                        + "' attempted to remove portlet '"
                        + form.getFname()
                        + "' without the proper MANAGE permission");
        throw new SecurityException("Not Authorized");
    }

    // NOTE(review): the lookup result is passed on without a null check — confirm how the
    // publishing service treats an id that no longer resolves.
    final IPortletDefinition doomedDefinition =
            portletDefinitionRegistry.getPortletDefinition(form.getId());

    // Removal must go through portletPublishingService: that API also cleans up details such as
    // category memberships and permissions.
    portletPublishingService.removePortletDefinition(doomedDefinition, person);
}
use of org.apereo.portal.portlet.om.IPortletDefinition in project uPortal by Jasig.
the class MarketplacePortletDefinition method initRelatedPortlets.
/**
 * Populates {@code relatedPortlets} with every portlet that shares a parent category with this
 * one, excluding this portlet itself.
 *
 * <p>This must be called lazily: each related portlet is wrapped in a new
 * MarketplacePortletDefinition, and if those instances eagerly initialized their own related
 * portlets the construction would recurse ad infinitum.
 */
private void initRelatedPortlets() {
    final Set<MarketplacePortletDefinition> related = new HashSet<>();

    // Walk each category this portlet belongs to and collect all portlets found beneath it.
    for (PortletCategory category : this.portletCategoryRegistry.getParentCategories(this)) {
        for (IPortletDefinition sibling : this.portletCategoryRegistry.getAllChildPortlets(category)) {
            related.add(
                    new MarketplacePortletDefinition(
                            sibling, this.marketplaceService, this.portletCategoryRegistry));
        }
    }

    // A portlet is not related to itself.
    // NOTE(review): this relies on equals/hashCode matching the freshly wrapped instance for this
    // portlet — confirm against the class's equals implementation.
    related.remove(this);
    this.relatedPortlets = related;
}
use of org.apereo.portal.portlet.om.IPortletDefinition in project uPortal by Jasig.
the class AuthorizationImpl method canPrincipalConfigure.
/**
 * Answers whether the principal holds the CONFIG-mode permission for the given portlet.
 *
 * @param principal the principal whose permission is being checked
 * @param portletDefinitionId id of the portlet definition; appended to the portlet prefix to
 *     form the permission target
 * @return the result of the permission lookup for owner PORTAL_PUBLISH and activity
 *     PORTLET_MODE_CONFIG on that target
 * @throws AuthorizationException if no portlet definition exists for the id
 */
@Override
@RequestCache
public boolean canPrincipalConfigure(IAuthorizationPrincipal principal, String portletDefinitionId) throws AuthorizationException {
    // An id that does not resolve to a registered portlet is rejected with an exception before
    // any permission lookup takes place.
    final IPortletDefinition registered =
            this.portletDefinitionRegistry.getPortletDefinition(portletDefinitionId);
    if (registered == null) {
        throw new AuthorizationException("Unable to locate portlet " + portletDefinitionId);
    }

    final String permissionTarget = IPermission.PORTLET_PREFIX + portletDefinitionId;
    return doesPrincipalHavePermission(
            principal, IPermission.PORTAL_PUBLISH, IPermission.PORTLET_MODE_CONFIG, permissionTarget);
}