use of org.apereo.portal.security.IAuthorizationPrincipal in project uPortal by Jasig.
the class UserAccountHelper method updateAccount.
public void updateAccount(IPerson currentUser, PersonForm form) {
ILocalAccountPerson account;
// username
if (form.getId() < 0) {
account = accountDao.getPerson(form.getUsername());
if (account == null) {
/*
* Should there be a permissions check to verify
* the user is allowed to create new users?
*/
account = accountDao.createPerson(form.getUsername());
}
} else // otherwise, get the existing account from the database
{
account = accountDao.getPerson(form.getId());
}
/*
* SANITY CHECK #1: Is the user permitted to modify this account?
* (Presumably this check was already made when the page was rendered,
* but re-checking alleviates danger from cleverly-crafted HTTP
* requests.)
*/
if (!canEditUser(currentUser, account.getName())) {
throw new RuntimeException("Current user " + currentUser.getName() + " does not have permissions to update person " + account.getName());
}
// Used w/ check #2
EntityIdentifier ei = currentUser.getEntityIdentifier();
IAuthorizationPrincipal ap = AuthorizationService.instance().newPrincipal(ei.getKey(), ei.getType());
// update the account attributes to match those specified in the form
List<Preference> editableAttributes = getEditableUserAttributes(currentUser);
for (Preference editableAttribute : editableAttributes) {
String attributeName = editableAttribute.getName();
/*
* SANITY CHECK #2: Should never fail since getEditableUserAttributes should return only
* editable attribute names, but do this anyway just in case.
*/
if (!ap.hasPermission("UP_USERS", "EDIT_USER_ATTRIBUTE", attributeName)) {
throw new RuntimeException("Current user " + currentUser.getName() + " does not have permissions to edit attribute " + attributeName);
}
if (form.getAttributes().get(attributeName) == null || form.getAttributes().get(attributeName).isBlank()) {
account.removeAttribute(attributeName);
} else {
account.setAttribute(attributeName, form.getAttributes().get(attributeName).getValue());
}
}
// if a new password has been specified, update the account password
if (StringUtils.isNotBlank(form.getPassword())) {
account.setPassword(passwordService.encryptPassword(form.getPassword()));
account.setLastPasswordChange(new Date());
account.removeAttribute("loginToken");
}
accountDao.updateAccount(account);
log.info("Account " + account.getName() + " successfully updated");
}
use of org.apereo.portal.security.IAuthorizationPrincipal in project uPortal by Jasig.
the class UpdatePreferencesServlet method addTab.
/**
* Add a new tab to the layout. The new tab will be appended to the end of the list and named
* with the BLANK_TAB_NAME variable.
*
* @param request
* @throws IOException
*/
@RequestMapping(method = RequestMethod.POST, params = "action=addTab")
public ModelAndView addTab(HttpServletRequest request, HttpServletResponse response, @RequestParam("widths[]") String[] widths) throws IOException {
IUserInstance ui = userInstanceManager.getUserInstance(request);
IPerson per = getPerson(ui, response);
UserPreferencesManager upm = (UserPreferencesManager) ui.getPreferencesManager();
IUserLayoutManager ulm = upm.getUserLayoutManager();
// Verify that the user has permission to add this tab
final IAuthorizationPrincipal authPrincipal = this.getUserPrincipal(per.getUserName());
if (!authPrincipal.hasPermission(IPermission.PORTAL_SYSTEM, IPermission.ADD_TAB_ACTIVITY, IPermission.ALL_TARGET)) {
logger.warn("Attempt to add a tab through the REST API by unauthorized user '" + per.getUserName() + "'");
response.sendError(HttpServletResponse.SC_FORBIDDEN);
return new ModelAndView("jsonView", Collections.singletonMap("error", "Add tab disabled"));
}
// construct a brand new tab
String id = "tbd";
String tabName = request.getParameter("tabName");
if (StringUtils.isBlank(tabName))
tabName = DEFAULT_TAB_NAME;
IUserLayoutFolderDescription newTab = new UserLayoutFolderDescription();
newTab.setName(tabName);
newTab.setId(id);
newTab.setFolderType(IUserLayoutFolderDescription.REGULAR_TYPE);
newTab.setHidden(false);
newTab.setUnremovable(false);
newTab.setImmutable(false);
// add the tab to the layout
ulm.addNode(newTab, ulm.getRootFolderId(), null);
try {
// save the user's layout
ulm.saveUserLayout();
} catch (PortalException e) {
return handlePersistError(request, response, e);
}
// get the id of the newly added tab
String tabId = newTab.getId();
for (String width : widths) {
// create new column element
IUserLayoutFolderDescription newColumn = new UserLayoutFolderDescription();
newColumn.setName("Column");
newColumn.setId("tbd");
newColumn.setFolderType(IUserLayoutFolderDescription.REGULAR_TYPE);
newColumn.setHidden(false);
newColumn.setUnremovable(false);
newColumn.setImmutable(false);
// add the column to our layout
ulm.addNode(newColumn, tabId, null);
this.stylesheetUserPreferencesService.setLayoutAttribute(request, PreferencesScope.STRUCTURE, newColumn.getId(), "width", width + "%");
try {
// This sets the column attribute in memory but doesn't persist it. Comment says saves changes "prior to persisting"
Element folder = ulm.getUserLayoutDOM().getElementById(newColumn.getId());
UserPrefsHandler.setUserPreference(folder, "width", per);
} catch (Exception e) {
logger.error("Error saving new column widths", e);
}
}
// this new tab; use the currently active tabGroup.
if (request.getParameter(TAB_GROUP_PARAMETER) != null) {
String tabGroup = request.getParameter(TAB_GROUP_PARAMETER).trim();
if (logger.isDebugEnabled()) {
logger.debug(TAB_GROUP_PARAMETER + "=" + tabGroup);
}
if (!TAB_GROUP_DEFAULT.equals(tabGroup) && tabGroup.length() != 0) {
// Persists SSUP values to the database
this.stylesheetUserPreferencesService.setLayoutAttribute(request, PreferencesScope.STRUCTURE, tabId, TAB_GROUP_PARAMETER, tabGroup);
}
}
try {
// save the user's layout
ulm.saveUserLayout();
} catch (PortalException e) {
return handlePersistError(request, response, e);
}
return new ModelAndView("jsonView", Collections.singletonMap("tabId", tabId));
}
use of org.apereo.portal.security.IAuthorizationPrincipal in project uPortal by Jasig.
the class PersonLookupHelperImpl method searchForPeople.
/* (non-Javadoc)
* @see org.apereo.portal.portlets.lookup.IPersonLookupHelper#searchForPeople(org.apereo.portal.security.IPerson, java.util.Map)
*/
public List<IPersonAttributes> searchForPeople(final IPerson searcher, final Map<String, Object> query) {
// get the IAuthorizationPrincipal for the searching user
final IAuthorizationPrincipal principal = getPrincipalForUser(searcher);
// build a set of all possible user attributes the current user has
// permission to view
final Set<String> permittedAttributes = getPermittedAttributes(principal);
// remove any query attributes that the user does not have permission
// to view
final Map<String, Object> inUseQuery = new HashMap<>();
for (Map.Entry<String, Object> queryEntry : query.entrySet()) {
final String attr = queryEntry.getKey();
if (permittedAttributes.contains(attr)) {
inUseQuery.put(attr, queryEntry.getValue());
} else {
this.logger.warn("User '" + searcher.getName() + "' attempted searching on attribute '" + attr + "' which is not allowed in the current configuration. The attribute will be ignored.");
}
}
// ensure the query has at least one search attribute defined
if (inUseQuery.keySet().size() == 0) {
throw new IllegalArgumentException("Search query is empty");
}
// get the set of people matching the search query
final Set<IPersonAttributes> people = this.personAttributeDao.getPeople(inUseQuery);
if (people == null) {
return Collections.emptyList();
}
// To improve efficiency and not do as many permission checks or person directory searches,
// if we have too many results and all people in the returned set of personAttributes have
// a displayName, pre-sort the set and limit it to maxResults. The typical use case is that
// LDAP returns results that have the displayName populated. Note that a disadvantage of this
// approach is that the smaller result set may have entries that permissions prevent the
// current users from viewing the person and thus reduce the number of final results, but
// that is rare (typical use case is users can't view administrative internal accounts or the
// system account, none of which tend to be in LDAP). We could retain a few more than maxResults
// to offset that chance, but IMHO not worth the cost of extra external queries.
List<IPersonAttributes> peopleList = new ArrayList<>(people);
if (peopleList.size() > maxResults && allListItemsHaveDisplayName(peopleList)) {
logger.debug("All items contained displayName; pre-sorting list of size {} and truncating to", peopleList.size(), maxResults);
// sort the list by display name
Collections.sort(peopleList, new DisplayNameComparator());
peopleList = peopleList.subList(0, maxResults);
}
// Construct a new representation of the persons limited to attributes the searcher
// has permissions to view. Will change order of the list.
List<IPersonAttributes> list = getVisiblePersons(principal, permittedAttributes, peopleList);
// Sort the list by display name
Collections.sort(list, new DisplayNameComparator());
// limit the list to a maximum number of returned results
if (list.size() > maxResults) {
list = list.subList(0, maxResults);
}
return list;
}
use of org.apereo.portal.security.IAuthorizationPrincipal in project uPortal by Jasig.
the class GroupAdministrationHelper method canEditGroup.
public boolean canEditGroup(IPerson currentUser, String target) {
EntityIdentifier ei = currentUser.getEntityIdentifier();
IAuthorizationPrincipal ap = AuthorizationService.instance().newPrincipal(ei.getKey(), ei.getType());
return (ap.hasPermission(IPermission.PORTAL_GROUPS, IPermission.EDIT_GROUP_ACTIVITY, target));
}
use of org.apereo.portal.security.IAuthorizationPrincipal in project uPortal by Jasig.
the class EntityService method getPrincipalForEntity.
public IAuthorizationPrincipal getPrincipalForEntity(Entity entity) {
// attempt to determine the entity type class for this principal
Class entityType;
if (entity.getEntityType().equals(EntityEnum.GROUP.toString())) {
entityType = IEntityGroup.class;
} else {
entityType = EntityEnum.getEntityEnum(entity.getEntityType()).getClazz();
}
// construct an authorization principal for this JsonEntityBean
AuthorizationService authService = AuthorizationService.instance();
IAuthorizationPrincipal p = authService.newPrincipal(entity.getId(), entityType);
return p;
}
Aggregations