Search in sources :

Example 26 with IAuthorizationPrincipal

use of org.apereo.portal.security.IAuthorizationPrincipal in project uPortal by Jasig.

the class UserAccountHelper method updateAccount.

public void updateAccount(IPerson currentUser, PersonForm form) {
    ILocalAccountPerson account;
    // username
    if (form.getId() < 0) {
        account = accountDao.getPerson(form.getUsername());
        if (account == null) {
            /*
                 * Should there be a permissions check to verify
                 * the user is allowed to create new users?
                 */
            account = accountDao.createPerson(form.getUsername());
        }
    } else // otherwise, get the existing account from the database
    {
        account = accountDao.getPerson(form.getId());
    }
    /*
         * SANITY CHECK #1:  Is the user permitted to modify this account?
         * (Presumably this check was already made when the page was rendered,
         * but re-checking alleviates danger from cleverly-crafted HTTP
         * requests.)
         */
    if (!canEditUser(currentUser, account.getName())) {
        throw new RuntimeException("Current user " + currentUser.getName() + " does not have permissions to update person " + account.getName());
    }
    // Used w/ check #2
    EntityIdentifier ei = currentUser.getEntityIdentifier();
    IAuthorizationPrincipal ap = AuthorizationService.instance().newPrincipal(ei.getKey(), ei.getType());
    // update the account attributes to match those specified in the form
    List<Preference> editableAttributes = getEditableUserAttributes(currentUser);
    for (Preference editableAttribute : editableAttributes) {
        String attributeName = editableAttribute.getName();
        /*
             * SANITY CHECK #2:  Should never fail since getEditableUserAttributes should return only
             * editable attribute names, but do this anyway just in case.
             */
        if (!ap.hasPermission("UP_USERS", "EDIT_USER_ATTRIBUTE", attributeName)) {
            throw new RuntimeException("Current user " + currentUser.getName() + " does not have permissions to edit attribute " + attributeName);
        }
        if (form.getAttributes().get(attributeName) == null || form.getAttributes().get(attributeName).isBlank()) {
            account.removeAttribute(attributeName);
        } else {
            account.setAttribute(attributeName, form.getAttributes().get(attributeName).getValue());
        }
    }
    // if a new password has been specified, update the account password
    if (StringUtils.isNotBlank(form.getPassword())) {
        account.setPassword(passwordService.encryptPassword(form.getPassword()));
        account.setLastPasswordChange(new Date());
        account.removeAttribute("loginToken");
    }
    accountDao.updateAccount(account);
    log.info("Account " + account.getName() + " successfully updated");
}
Also used : Preference(org.apereo.portal.portletpublishing.xml.Preference) IAuthorizationPrincipal(org.apereo.portal.security.IAuthorizationPrincipal) EntityIdentifier(org.apereo.portal.EntityIdentifier) ILocalAccountPerson(org.apereo.portal.persondir.ILocalAccountPerson) Date(java.util.Date)

Example 27 with IAuthorizationPrincipal

use of org.apereo.portal.security.IAuthorizationPrincipal in project uPortal by Jasig.

the class UpdatePreferencesServlet method addTab.

/**
     * Add a new tab to the layout. The new tab will be appended to the end of the list and named
     * with the BLANK_TAB_NAME variable.
     *
     * @param request
     * @throws IOException
     */
@RequestMapping(method = RequestMethod.POST, params = "action=addTab")
public ModelAndView addTab(HttpServletRequest request, HttpServletResponse response, @RequestParam("widths[]") String[] widths) throws IOException {
    IUserInstance ui = userInstanceManager.getUserInstance(request);
    IPerson per = getPerson(ui, response);
    UserPreferencesManager upm = (UserPreferencesManager) ui.getPreferencesManager();
    IUserLayoutManager ulm = upm.getUserLayoutManager();
    // Verify that the user has permission to add this tab
    final IAuthorizationPrincipal authPrincipal = this.getUserPrincipal(per.getUserName());
    if (!authPrincipal.hasPermission(IPermission.PORTAL_SYSTEM, IPermission.ADD_TAB_ACTIVITY, IPermission.ALL_TARGET)) {
        logger.warn("Attempt to add a tab through the REST API by unauthorized user '" + per.getUserName() + "'");
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return new ModelAndView("jsonView", Collections.singletonMap("error", "Add tab disabled"));
    }
    // construct a brand new tab
    String id = "tbd";
    String tabName = request.getParameter("tabName");
    if (StringUtils.isBlank(tabName))
        tabName = DEFAULT_TAB_NAME;
    IUserLayoutFolderDescription newTab = new UserLayoutFolderDescription();
    newTab.setName(tabName);
    newTab.setId(id);
    newTab.setFolderType(IUserLayoutFolderDescription.REGULAR_TYPE);
    newTab.setHidden(false);
    newTab.setUnremovable(false);
    newTab.setImmutable(false);
    // add the tab to the layout
    ulm.addNode(newTab, ulm.getRootFolderId(), null);
    try {
        // save the user's layout
        ulm.saveUserLayout();
    } catch (PortalException e) {
        return handlePersistError(request, response, e);
    }
    // get the id of the newly added tab
    String tabId = newTab.getId();
    for (String width : widths) {
        // create new column element
        IUserLayoutFolderDescription newColumn = new UserLayoutFolderDescription();
        newColumn.setName("Column");
        newColumn.setId("tbd");
        newColumn.setFolderType(IUserLayoutFolderDescription.REGULAR_TYPE);
        newColumn.setHidden(false);
        newColumn.setUnremovable(false);
        newColumn.setImmutable(false);
        // add the column to our layout
        ulm.addNode(newColumn, tabId, null);
        this.stylesheetUserPreferencesService.setLayoutAttribute(request, PreferencesScope.STRUCTURE, newColumn.getId(), "width", width + "%");
        try {
            // This sets the column attribute in memory but doesn't persist it.  Comment says saves changes "prior to persisting"
            Element folder = ulm.getUserLayoutDOM().getElementById(newColumn.getId());
            UserPrefsHandler.setUserPreference(folder, "width", per);
        } catch (Exception e) {
            logger.error("Error saving new column widths", e);
        }
    }
    // this new tab;  use the currently active tabGroup.
    if (request.getParameter(TAB_GROUP_PARAMETER) != null) {
        String tabGroup = request.getParameter(TAB_GROUP_PARAMETER).trim();
        if (logger.isDebugEnabled()) {
            logger.debug(TAB_GROUP_PARAMETER + "=" + tabGroup);
        }
        if (!TAB_GROUP_DEFAULT.equals(tabGroup) && tabGroup.length() != 0) {
            // Persists SSUP values to the database
            this.stylesheetUserPreferencesService.setLayoutAttribute(request, PreferencesScope.STRUCTURE, tabId, TAB_GROUP_PARAMETER, tabGroup);
        }
    }
    try {
        // save the user's layout
        ulm.saveUserLayout();
    } catch (PortalException e) {
        return handlePersistError(request, response, e);
    }
    return new ModelAndView("jsonView", Collections.singletonMap("tabId", tabId));
}
Also used : IUserInstance(org.apereo.portal.user.IUserInstance) IPerson(org.apereo.portal.security.IPerson) Element(org.w3c.dom.Element) IAuthorizationPrincipal(org.apereo.portal.security.IAuthorizationPrincipal) ModelAndView(org.springframework.web.servlet.ModelAndView) IUserLayoutFolderDescription(org.apereo.portal.layout.node.IUserLayoutFolderDescription) UserLayoutFolderDescription(org.apereo.portal.layout.node.UserLayoutFolderDescription) PortalException(org.apereo.portal.PortalException) IUserLayoutManager(org.apereo.portal.layout.IUserLayoutManager) UserPreferencesManager(org.apereo.portal.UserPreferencesManager) IUserLayoutFolderDescription(org.apereo.portal.layout.node.IUserLayoutFolderDescription) XPathExpressionException(javax.xml.xpath.XPathExpressionException) InvocationTargetException(java.lang.reflect.InvocationTargetException) PortalException(org.apereo.portal.PortalException) IOException(java.io.IOException) RequestMapping(org.springframework.web.bind.annotation.RequestMapping)

Example 28 with IAuthorizationPrincipal

use of org.apereo.portal.security.IAuthorizationPrincipal in project uPortal by Jasig.

the class PersonLookupHelperImpl method searchForPeople.

/* (non-Javadoc)
     * @see org.apereo.portal.portlets.lookup.IPersonLookupHelper#searchForPeople(org.apereo.portal.security.IPerson, java.util.Map)
     */
public List<IPersonAttributes> searchForPeople(final IPerson searcher, final Map<String, Object> query) {
    // get the IAuthorizationPrincipal for the searching user
    final IAuthorizationPrincipal principal = getPrincipalForUser(searcher);
    // build a set of all possible user attributes the current user has
    // permission to view
    final Set<String> permittedAttributes = getPermittedAttributes(principal);
    // remove any query attributes that the user does not have permission
    // to view
    final Map<String, Object> inUseQuery = new HashMap<>();
    for (Map.Entry<String, Object> queryEntry : query.entrySet()) {
        final String attr = queryEntry.getKey();
        if (permittedAttributes.contains(attr)) {
            inUseQuery.put(attr, queryEntry.getValue());
        } else {
            this.logger.warn("User '" + searcher.getName() + "' attempted searching on attribute '" + attr + "' which is not allowed in the current configuration. The attribute will be ignored.");
        }
    }
    // ensure the query has at least one search attribute defined
    if (inUseQuery.keySet().size() == 0) {
        throw new IllegalArgumentException("Search query is empty");
    }
    // get the set of people matching the search query
    final Set<IPersonAttributes> people = this.personAttributeDao.getPeople(inUseQuery);
    if (people == null) {
        return Collections.emptyList();
    }
    // To improve efficiency and not do as many permission checks or person directory searches,
    // if we have too many results and all people in the returned set of personAttributes have
    // a displayName, pre-sort the set and limit it to maxResults. The typical use case is that
    // LDAP returns results that have the displayName populated.  Note that a disadvantage of this
    // approach is that the smaller result set may have entries that permissions prevent the
    // current users from viewing the person and thus reduce the number of final results, but
    // that is rare (typical use case is users can't view administrative internal accounts or the
    // system account, none of which tend to be in LDAP).  We could retain a few more than maxResults
    // to offset that chance, but IMHO not worth the cost of extra external queries.
    List<IPersonAttributes> peopleList = new ArrayList<>(people);
    if (peopleList.size() > maxResults && allListItemsHaveDisplayName(peopleList)) {
        logger.debug("All items contained displayName; pre-sorting list of size {} and truncating to", peopleList.size(), maxResults);
        // sort the list by display name
        Collections.sort(peopleList, new DisplayNameComparator());
        peopleList = peopleList.subList(0, maxResults);
    }
    // Construct a new representation of the persons limited to attributes the searcher
    // has permissions to view.  Will change order of the list.
    List<IPersonAttributes> list = getVisiblePersons(principal, permittedAttributes, peopleList);
    // Sort the list by display name
    Collections.sort(list, new DisplayNameComparator());
    // limit the list to a maximum number of returned results
    if (list.size() > maxResults) {
        list = list.subList(0, maxResults);
    }
    return list;
}
Also used : HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) DisplayNameComparator(org.apereo.portal.portlets.search.DisplayNameComparator) IPersonAttributes(org.jasig.services.persondir.IPersonAttributes) IAuthorizationPrincipal(org.apereo.portal.security.IAuthorizationPrincipal) HashMap(java.util.HashMap) Map(java.util.Map)

Example 29 with IAuthorizationPrincipal

use of org.apereo.portal.security.IAuthorizationPrincipal in project uPortal by Jasig.

the class GroupAdministrationHelper method canEditGroup.

public boolean canEditGroup(IPerson currentUser, String target) {
    EntityIdentifier ei = currentUser.getEntityIdentifier();
    IAuthorizationPrincipal ap = AuthorizationService.instance().newPrincipal(ei.getKey(), ei.getType());
    return (ap.hasPermission(IPermission.PORTAL_GROUPS, IPermission.EDIT_GROUP_ACTIVITY, target));
}
Also used : IAuthorizationPrincipal(org.apereo.portal.security.IAuthorizationPrincipal) EntityIdentifier(org.apereo.portal.EntityIdentifier)

Example 30 with IAuthorizationPrincipal

use of org.apereo.portal.security.IAuthorizationPrincipal in project uPortal by Jasig.

the class EntityService method getPrincipalForEntity.

public IAuthorizationPrincipal getPrincipalForEntity(Entity entity) {
    // attempt to determine the entity type class for this principal
    Class entityType;
    if (entity.getEntityType().equals(EntityEnum.GROUP.toString())) {
        entityType = IEntityGroup.class;
    } else {
        entityType = EntityEnum.getEntityEnum(entity.getEntityType()).getClazz();
    }
    // construct an authorization principal for this JsonEntityBean
    AuthorizationService authService = AuthorizationService.instance();
    IAuthorizationPrincipal p = authService.newPrincipal(entity.getId(), entityType);
    return p;
}
Also used : AuthorizationService(org.apereo.portal.services.AuthorizationService) IAuthorizationPrincipal(org.apereo.portal.security.IAuthorizationPrincipal)

Aggregations

IAuthorizationPrincipal (org.apereo.portal.security.IAuthorizationPrincipal)83 EntityIdentifier (org.apereo.portal.EntityIdentifier)31 IPerson (org.apereo.portal.security.IPerson)21 ArrayList (java.util.ArrayList)17 IPortletDefinition (org.apereo.portal.portlet.om.IPortletDefinition)17 RequestMapping (org.springframework.web.bind.annotation.RequestMapping)15 IEntityGroup (org.apereo.portal.groups.IEntityGroup)14 IPermission (org.apereo.portal.security.IPermission)13 IGroupMember (org.apereo.portal.groups.IGroupMember)12 HashSet (java.util.HashSet)11 AuthorizationService (org.apereo.portal.services.AuthorizationService)9 ModelAndView (org.springframework.web.servlet.ModelAndView)9 JsonEntityBean (org.apereo.portal.layout.dlm.remoting.JsonEntityBean)8 PortletCategory (org.apereo.portal.portlet.om.PortletCategory)7 EntityEnum (org.apereo.portal.portlets.groupselector.EntityEnum)7 HashMap (java.util.HashMap)5 Locale (java.util.Locale)4 HttpServletRequest (javax.servlet.http.HttpServletRequest)4 AuthorizationException (org.apereo.portal.AuthorizationException)4 MarketplaceEntry (org.apereo.portal.rest.layout.MarketplaceEntry)4