use of org.apereo.portal.services.AuthorizationService in project uPortal by Jasig.
the class PortletRendererImpl method enforceConfigPermission.
/**
* Enforces config mode access control. If requesting user does not have CONFIG permission, and
* the PortletWindow specifies config mode, throws AuthorizationException. Otherwise does
* nothing.
*
* @param httpServletRequest the non-null current HttpServletRequest (for determining requesting
* user)
* @param portletWindow a non-null portlet window that might be in config mode
* @throws AuthorizationException if the user is not permitted to access config mode yet portlet
* window specifies config mode
* @throws java.lang.IllegalArgumentException if the request or window are null
* @since 4.0.13.1, 4.0.14, 4.1.
*/
protected void enforceConfigPermission(final HttpServletRequest httpServletRequest, final IPortletWindow portletWindow) {
Validate.notNull(httpServletRequest, "Servlet request must not be null to determine remote user.");
Validate.notNull(portletWindow, "Portlet window must not be null to determine its mode.");
final PortletMode portletMode = portletWindow.getPortletMode();
if (portletMode != null) {
if (IPortletRenderer.CONFIG.equals(portletMode)) {
final IPerson person = this.personManager.getPerson(httpServletRequest);
final EntityIdentifier ei = person.getEntityIdentifier();
final AuthorizationService authorizationService = AuthorizationService.instance();
final IAuthorizationPrincipal ap = authorizationService.newPrincipal(ei.getKey(), ei.getType());
final IPortletEntity portletEntity = portletWindow.getPortletEntity();
final IPortletDefinition portletDefinition = portletEntity.getPortletDefinition();
if (!ap.canConfigure(portletDefinition.getPortletDefinitionId().getStringId())) {
logger.error("User {} attempted to use portlet {} in {} but lacks permission to use that mode. " + "THIS MAY BE AN ATTEMPT TO EXPLOIT A HISTORICAL SECURITY FLAW. " + "You should probably figure out who this user is and why they are trying to access " + "unauthorized portlet modes.", person.getUserName(), portletDefinition.getFName(), portletMode);
throw new AuthorizationException(person.getUserName() + " does not have permission to render '" + portletDefinition.getFName() + "' in " + portletMode + " PortletMode.");
}
}
}
}
use of org.apereo.portal.services.AuthorizationService in project uPortal by Jasig.
the class GroupListHelperImpl method getPrincipalForEntity.
public IAuthorizationPrincipal getPrincipalForEntity(JsonEntityBean entity) {
// attempt to determine the entity type class for this principal
Class entityType;
EntityEnum jsonType = entity.getEntityType();
if (jsonType.isGroup()) {
entityType = IEntityGroup.class;
} else {
entityType = jsonType.getClazz();
}
// construct an authorization principal for this JsonEntityBean
AuthorizationService authService = AuthorizationService.instance();
IAuthorizationPrincipal p = authService.newPrincipal(entity.getId(), entityType);
return p;
}
use of org.apereo.portal.services.AuthorizationService in project uPortal by Jasig.
the class EntityService method getPrincipalForEntity.
public IAuthorizationPrincipal getPrincipalForEntity(Entity entity) {
// attempt to determine the entity type class for this principal
Class entityType;
if (entity.getEntityType().equals(EntityEnum.GROUP.toString())) {
entityType = IEntityGroup.class;
} else {
entityType = EntityEnum.getEntityEnum(entity.getEntityType()).getClazz();
}
// construct an authorization principal for this JsonEntityBean
AuthorizationService authService = AuthorizationService.instance();
IAuthorizationPrincipal p = authService.newPrincipal(entity.getId(), entityType);
return p;
}
use of org.apereo.portal.services.AuthorizationService in project uPortal by Jasig.
the class SubscribableTabsRESTController method getSubscriptionList.
@RequestMapping(value = "/subscribableTabs.json", method = RequestMethod.GET)
public ModelAndView getSubscriptionList(HttpServletRequest request) {
Map<String, Object> model = new HashMap<String, Object>();
/** Retrieve the IPerson and IAuthorizationPrincipal for the currently authenticated user */
IUserInstance userInstance = userInstanceManager.getUserInstance(request);
IPerson person = userInstance.getPerson();
AuthorizationService authService = AuthorizationService.instance();
IAuthorizationPrincipal principal = authService.newPrincipal(person.getUserName(), IPerson.class);
/**
* Build a collection of owner IDs for the fragments to which the authenticated user is
* subscribed
*/
// get the list of current subscriptions for this user
List<IUserFragmentSubscription> subscriptions = userFragmentSubscriptionDao.getUserFragmentInfo(person);
// transform it into the set of owners
Set<String> subscribedOwners = new HashSet<String>();
for (IUserFragmentSubscription subscription : subscriptions) {
if (subscription.isActive()) {
subscribedOwners.add(subscription.getFragmentOwner());
}
}
/**
* Iterate through the list of all currently defined DLM fragments and determine if the
* current user has permissions to subscribe to each. Any subscribable fragments will be
* transformed into a JSON-friendly bean and added to the model.
*/
final List<SubscribableFragment> jsonFragments = new ArrayList<SubscribableFragment>();
// get the list of fragment definitions from DLM
final List<FragmentDefinition> fragmentDefinitions = configurationLoader.getFragments();
final Locale locale = RequestContextUtils.getLocale(request);
// iterate through the list
for (FragmentDefinition fragmentDefinition : fragmentDefinitions) {
if (isSubscribable(fragmentDefinition, principal)) {
String owner = fragmentDefinition.getOwnerId();
// this fragment
if (principal.hasPermission("UP_FRAGMENT", "FRAGMENT_SUBSCRIBE", owner)) {
// create a JSON fragment bean and add it to our list
boolean subscribed = subscribedOwners.contains(owner);
final String name = getMessage("fragment." + owner + ".name", fragmentDefinition.getName(), locale);
final String description = getMessage("fragment." + owner + ".description", fragmentDefinition.getDescription(), locale);
SubscribableFragment jsonFragment = new SubscribableFragment(name, description, owner, subscribed);
jsonFragments.add(jsonFragment);
}
}
}
model.put("fragments", jsonFragments);
return new ModelAndView("json", model);
}
use of org.apereo.portal.services.AuthorizationService in project uPortal by Jasig.
the class PortletDefinitionImporterExporter method savePortletDefinition.
/**
* Save a portlet definition.
*
* @param definition the portlet definition
* @param publisher the person publishing the portlet
* @param categories the list of categories for the portlet
* @param permissionMap a map of permission name -> list of groups who are granted that
* permission (Note: for now, only grant is supported and only for the FRAMEWORK_OWNER perm
* manager)
*/
private IPortletDefinition savePortletDefinition(IPortletDefinition definition, IPerson publisher, List<PortletCategory> categories, Map<ExternalPermissionDefinition, Set<IGroupMember>> permissionMap) {
boolean newChannel = (definition.getPortletDefinitionId() == null);
// save the channel
definition = portletDefinitionDao.savePortletDefinition(definition);
definition = portletDefinitionDao.getPortletDefinitionByFname(definition.getFName());
final String defId = definition.getPortletDefinitionId().getStringId();
final IEntity portletDefEntity = GroupService.getEntity(defId, IPortletDefinition.class);
//The groups service needs to deal with concurrent modification better.
synchronized (this.groupUpdateLock) {
// Delete existing category memberships for this channel
if (!newChannel) {
for (IEntityGroup group : portletDefEntity.getAncestorGroups()) {
group.removeChild(portletDefEntity);
group.update();
}
}
// For each category ID, add channel to category
for (PortletCategory category : categories) {
final IEntityGroup categoryGroup = GroupService.findGroup(category.getId());
categoryGroup.addChild(portletDefEntity);
categoryGroup.updateMembers();
}
// Set groups
final AuthorizationService authService = AuthorizationService.instance();
final String target = PermissionHelper.permissionTargetIdForPortletDefinition(definition);
// Loop over the affected permission managers...
Map<String, Collection<ExternalPermissionDefinition>> permissionsBySystem = getPermissionsBySystem(permissionMap.keySet());
for (String system : permissionsBySystem.keySet()) {
Collection<ExternalPermissionDefinition> systemPerms = permissionsBySystem.get(system);
// get the permission manager for this system...
final IUpdatingPermissionManager upm = authService.newUpdatingPermissionManager(system);
final List<IPermission> permissions = new ArrayList<>();
// add activity grants for each permission..
for (ExternalPermissionDefinition permissionDef : systemPerms) {
Set<IGroupMember> members = permissionMap.get(permissionDef);
for (final IGroupMember member : members) {
final IAuthorizationPrincipal authPrincipal = authService.newPrincipal(member);
final IPermission permEntity = upm.newPermission(authPrincipal);
permEntity.setType(IPermission.PERMISSION_TYPE_GRANT);
permEntity.setActivity(permissionDef.getActivity());
permEntity.setTarget(target);
permissions.add(permEntity);
}
}
// If modifying the channel, remove the existing permissions before adding the new ones
if (!newChannel) {
for (ExternalPermissionDefinition permissionName : permissionMap.keySet()) {
IPermission[] oldPermissions = upm.getPermissions(permissionName.getActivity(), target);
upm.removePermissions(oldPermissions);
}
}
upm.addPermissions(permissions.toArray(new IPermission[permissions.size()]));
}
}
if (logger.isDebugEnabled()) {
logger.debug("Portlet " + defId + " has been " + (newChannel ? "published" : "modified") + ".");
}
return definition;
}
Aggregations