use of org.apereo.portal.security.IAuthorizationPrincipal in project uPortal by Jasig.
the class PortalPermissionEvaluator method hasPermission.
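/**
 * Decides whether the authenticated caller may perform {@code permission} on the target
 * identified by {@code targetId}.
 *
 * <p>{@code permission} may be an {@link AuthorizableActivity}, which is used as is, or a
 * {@code String} activity name, which is resolved through {@code getViewActivity} when
 * {@code targetId} is also a {@code String}. Any other combination resolves to no activity and
 * access is denied.
 *
 * @param authentication the caller's authentication, used to obtain the authorization principal
 * @param targetId identifier of the permission target; a {@code null} value denies access
 * @param targetType not consulted by this implementation
 * @param permission an {@link AuthorizableActivity} or a {@code String} activity name
 * @return {@code true} only when the principal holds the resolved activity on the target
 */
@Override
public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
    // NOTE(review): unsynchronized lazy initialisation of a shared field; harmless only if
    // AuthorizationServiceFacade.instance() always hands back the same object -- confirm.
    if (authorizationServiceFacade == null) {
        authorizationServiceFacade = AuthorizationServiceFacade.instance();
    }
    final IAuthorizationPrincipal principal = getAuthorizationPrincipal(authentication);

    // An AuthorizableActivity is used directly; a String activity name is translated into an
    // activity relevant to the provided (String) target.
    AuthorizableActivity activity = null;
    if (permission instanceof AuthorizableActivity) {
        activity = (AuthorizableActivity) permission;
    } else if (permission instanceof String && targetId instanceof String) {
        activity = getViewActivity((String) permission, (String) targetId);
    }

    // Fail closed: with no resolvable activity or no target there is nothing to authorize.
    // Previously an AuthorizableActivity combined with a null targetId reached
    // targetId.toString() and surfaced as a NullPointerException instead of a denial.
    if (activity == null || targetId == null) {
        return false;
    }
    return principal.hasPermission(activity.getOwnerFname(), activity.getActivityFname(), targetId.toString());
}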
use of org.apereo.portal.security.IAuthorizationPrincipal in project uPortal by Jasig.
the class PortalPermissionEvaluator method hasPermission.
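/**
 * Decides whether the authenticated caller may perform {@code permission} on
 * {@code targetDomainObject}.
 *
 * <p>The permission target id is the object itself when it is a {@code String}, or
 * {@code getTargetString()} when it is a {@link JsonEntityBean}; for any other type it stays
 * {@code null}. {@code permission} may be an {@link AuthorizableActivity}, used as is, or a
 * {@code String} activity name, which is resolved through {@code getViewActivity} and therefore
 * needs a {@link JsonEntityBean} target.
 *
 * @param authentication the caller's authentication, used to obtain the authorization principal
 * @param targetDomainObject a {@code String} target id or a {@link JsonEntityBean}
 * @param permission an {@link AuthorizableActivity} or a {@code String} activity name
 * @return {@code true} only when the principal holds the resolved activity on the target;
 *     {@code false} when no activity could be resolved
 * @throws RuntimeException if {@code permission} is neither an {@link AuthorizableActivity}
 *     nor a {@code String}
 */
@Override
public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
    // NOTE(review): unsynchronized lazy initialisation of a shared field; harmless only if
    // AuthorizationServiceFacade.instance() always hands back the same object -- confirm.
    if (authorizationServiceFacade == null) {
        authorizationServiceFacade = AuthorizationServiceFacade.instance();
    }
    final IAuthorizationPrincipal principal = getAuthorizationPrincipal(authentication);

    String targetId = null;
    if (targetDomainObject instanceof String) {
        // Assume it already represents a valid uPortal permission target
        targetId = (String) targetDomainObject;
    } else if (targetDomainObject instanceof JsonEntityBean) {
        // JsonEntityBean objects carry their permission target in targetString
        targetId = ((JsonEntityBean) targetDomainObject).getTargetString();
    }

    AuthorizableActivity activity = null;
    if (permission instanceof AuthorizableActivity) {
        // Already an activity: use it as is
        activity = (AuthorizableActivity) permission;
    } else if (permission instanceof String) {
        // Translating an activity name needs the entity bean. The previous unconditional cast
        // failed with ClassCastException for a String target; such requests are now denied.
        if (targetDomainObject instanceof JsonEntityBean) {
            activity = getViewActivity((String) permission, (JsonEntityBean) targetDomainObject);
        } else {
            logger.warn("Denying permission check: cannot resolve an activity name against target type [{}]", targetDomainObject == null ? null : targetDomainObject.getClass());
        }
    } else {
        // Null-safe: a null target used to turn this into a NullPointerException.
        final Object targetClass = targetDomainObject == null ? null : targetDomainObject.getClass();
        throw new RuntimeException("Unable to determine permission target id for type " + targetClass);
    }

    // Fail closed before touching the activity; the trace line used to dereference it ahead of
    // the null check, so an unresolved activity raised NullPointerException instead of denying.
    if (activity == null) {
        return false;
    }

    logger.trace("In hasPermission() - principal=[{}], owner=[{}], activity=[{}], targetId=[{}] ", principal, activity.getOwnerFname(), activity.getActivityFname(), targetId);
    // NOTE(review): targetId is still null here when the target is neither a String nor a
    // JsonEntityBean and the permission was an AuthorizableActivity -- confirm that
    // principal.hasPermission denies on a null target.
    return principal.hasPermission(activity.getOwnerFname(), activity.getActivityFname(), targetId);
}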
use of org.apereo.portal.security.IAuthorizationPrincipal in project uPortal by Jasig.
the class MarketplaceService method loadMarketplaceEntriesFor.
/**
* Load the list of marketplace entries for a user. Will load entries async. This method is
* primarily intended for seeding data. Most impls should call browseableMarketplaceEntriesFor()
* instead.
*
* <p>Note: Set is immutable since it is potentially shared between threads. If the set needs
* mutability, be sure to consider the thread safety implications. No protections have been
* provided against modifying the MarketplaceEntry itself, so be careful when modifying the
* entities contained in the list.
*
* @param user The non-null user
* @param categories Restricts the output to entries within the specified categories if
* non-empty
* @return a Future that will resolve to a set of MarketplaceEntry objects the requested user
* has browse access to.
* @throws java.lang.IllegalArgumentException if user is null
* @since 4.2
*/
@Async
public Future<ImmutableSet<MarketplaceEntry>> loadMarketplaceEntriesFor(final IPerson user, final Set<PortletCategory> categories) {
    // Every browse decision below is evaluated against the principal derived from this user.
    final IAuthorizationPrincipal principal = AuthorizationPrincipalHelper.principalFromUser(user);

    List<IPortletDefinition> candidates = this.portletDefinitionRegistry.getAllPortletDefinitions();

    if (!categories.isEmpty()) {
        // A non-empty category set narrows the candidates to portlets belonging to one of the
        // specified categories or their descendants. The narrowed list is cached under the
        // category set itself and is computed before any per-user permission check.
        Element cachedForCategories = marketplaceCategoryCache.get(categories);
        if (cachedForCategories == null) {
            // Cache miss: expand the requested categories to include all descendants.
            final Set<PortletCategory> allowedCategories = new HashSet<>();
            for (PortletCategory requested : categories) {
                collectSpecifiedAndDescendantCategories(requested, allowedCategories);
            }

            // Keep every portlet that has at least one parent category in the allowed set.
            final Set<IPortletDefinition> matching = new HashSet<>();
            for (final IPortletDefinition candidate : candidates) {
                final Set<PortletCategory> parents = portletCategoryRegistry.getParentCategories(candidate);
                if (parents.stream().anyMatch(allowedCategories::contains)) {
                    matching.add(candidate);
                }
            }

            cachedForCategories = new Element(categories, new ArrayList<>(matching));
            marketplaceCategoryCache.put(cachedForCategories);
        }
        candidates = (List<IPortletDefinition>) cachedForCategories.getObjectValue();
    }

    // Per-user filter: only portlets this principal may browse become entries.
    final Set<MarketplaceEntry> browseableEntries = new HashSet<>();
    for (final IPortletDefinition candidate : candidates) {
        if (!mayBrowsePortlet(principal, candidate)) {
            continue;
        }
        final MarketplacePortletDefinition marketplaceDefinition = getOrCreateMarketplacePortletDefinition(candidate);
        final MarketplaceEntry entry = new MarketplaceEntry(marketplaceDefinition, user);
        // Record on the entry whether this user can also add the portlet.
        entry.setCanAdd(mayAddPortlet(user, candidate));
        browseableEntries.add(entry);
    }

    logger.trace("These portlet definitions {} are browseable by {}.", browseableEntries, user);

    // The immutable snapshot holds this user's authorization results and is cached under the
    // user name before being returned.
    final Future<ImmutableSet<MarketplaceEntry>> result = new AsyncResult<>(ImmutableSet.copyOf(browseableEntries));
    marketplaceUserPortletDefinitionCache.put(new Element(user.getUserName(), result));
    return result;
}
use of org.apereo.portal.security.IAuthorizationPrincipal in project uPortal by Jasig.
the class PortletRendererImpl method enforceConfigPermission.
/**
* Enforces config mode access control. If requesting user does not have CONFIG permission, and
* the PortletWindow specifies config mode, throws AuthorizationException. Otherwise does
* nothing.
*
* @param httpServletRequest the non-null current HttpServletRequest (for determining requesting
* user)
* @param portletWindow a non-null portlet window that might be in config mode
* @throws AuthorizationException if the user is not permitted to access config mode yet portlet
* window specifies config mode
* @throws java.lang.IllegalArgumentException if the request or window are null
* @since 4.0.13.1, 4.0.14, 4.1.
*/
protected void enforceConfigPermission(final HttpServletRequest httpServletRequest, final IPortletWindow portletWindow) {
    Validate.notNull(httpServletRequest, "Servlet request must not be null to determine remote user.");
    Validate.notNull(portletWindow, "Portlet window must not be null to determine its mode.");

    // Only a window that is actually in CONFIG mode needs the permission check.
    final PortletMode requestedMode = portletWindow.getPortletMode();
    if (requestedMode == null || !IPortletRenderer.CONFIG.equals(requestedMode)) {
        return;
    }

    // Resolve the requesting user from the servlet request and build their principal.
    final IPerson person = this.personManager.getPerson(httpServletRequest);
    final EntityIdentifier identity = person.getEntityIdentifier();
    final AuthorizationServiceFacade facade = AuthorizationServiceFacade.instance();
    final IAuthorizationPrincipal requester = facade.newPrincipal(identity.getKey(), identity.getType());

    final IPortletEntity portletEntity = portletWindow.getPortletEntity();
    final IPortletDefinition portletDefinition = portletEntity.getPortletDefinition();
    if (requester.canConfigure(portletDefinition.getPortletDefinitionId().getStringId())) {
        return;
    }

    // Denied: log who asked for which portlet and mode, then refuse by throwing.
    logger.error(
            "User {} attempted to use portlet {} in {} but lacks permission to use that mode. "
                    + "THIS MAY BE AN ATTEMPT TO EXPLOIT A HISTORICAL SECURITY FLAW. "
                    + "You should probably figure out who this user is and why they are trying to access "
                    + "unauthorized portlet modes.",
            person.getUserName(), portletDefinition.getFName(), requestedMode);
    throw new AuthorizationException(person.getUserName() + " does not have permission to render '" + portletDefinition.getFName() + "' in " + requestedMode + " PortletMode.");
}
use of org.apereo.portal.security.IAuthorizationPrincipal in project uPortal by Jasig.
the class PortletErrorController method hasAdminPrivileges.
/**
* @return true if the userInstance argument has administrative privileges regarding viewing
* error details
*/
protected boolean hasAdminPrivileges(IUserInstance userInstance) {
    // Build an authorization principal from the entity identifier of the instance's person.
    final EntityIdentifier identity = userInstance.getPerson().getEntityIdentifier();
    final AuthorizationServiceFacade facade = AuthorizationServiceFacade.instance();
    final IAuthorizationPrincipal principal = facade.newPrincipal(identity.getKey(), identity.getType());

    // Error details are shown only to principals holding VIEW on the error portlet's DETAILS target.
    final boolean mayViewDetails = principal.hasPermission(IPermission.ERROR_PORTLET, IPermission.VIEW_ACTIVITY, IPermission.DETAILS_TARGET);
    return mayViewDetails;
}