001 /*
002 * Copyright 2011 The Kuali Foundation.
003 *
004 * Licensed under the Educational Community License, Version 2.0 (the "License");
005 * you may not use this file except in compliance with the License.
006 * You may obtain a copy of the License at
007 *
008 * http://www.opensource.org/licenses/ecl2.php
009 *
010 * Unless required by applicable law or agreed to in writing, software
011 * distributed under the License is distributed on an "AS IS" BASIS,
012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013 * See the License for the specific language governing permissions and
014 * limitations under the License.
015 */
016 package org.kuali.kfs.sec.document.authorization;
017
018 import java.util.Iterator;
019 import java.util.Map;
020 import java.util.Set;
021
022 import org.kuali.kfs.sec.SecConstants;
023 import org.kuali.kfs.sec.SecKeyConstants;
024 import org.kuali.kfs.sec.businessobject.AccessSecurityRestrictionInfo;
025 import org.kuali.kfs.sec.service.AccessSecurityService;
026 import org.kuali.kfs.sys.KFSConstants;
027 import org.kuali.kfs.sys.businessobject.AccountingLine;
028 import org.kuali.kfs.sys.context.SpringContext;
029 import org.kuali.kfs.sys.document.AccountingDocument;
030 import org.kuali.rice.kim.bo.Person;
031 import org.kuali.rice.kns.bo.BusinessObject;
032 import org.kuali.rice.kns.document.Document;
033 import org.kuali.rice.kns.document.authorization.TransactionalDocumentAuthorizer;
034 import org.kuali.rice.kns.service.ParameterService;
035 import org.kuali.rice.kns.util.GlobalVariables;
036 import org.kuali.rice.kns.util.KNSConstants;
037
038
039 /**
040 * TransactionDocumentAuthorizer that wraps access security checks around another TransactionDocumentAuthorizer configured for the document type
041 */
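/**
 * TransactionalDocumentAuthorizer that wraps access security checks around another TransactionalDocumentAuthorizer
 * configured for the document type.
 *
 * <p>Every decision is first delegated to {@link #documentAuthorizer}; the access security layer only ever narrows a
 * positive answer (open, view notes/attachments, copy, error correct), it never grants something the delegate denied.
 * Methods that consult {@link AccessSecurityService} cast the document to {@link AccountingDocument}, so this
 * authorizer must only be configured for accounting document types; for any other type the cast fails with a
 * {@code ClassCastException} rather than a security decision.
 *
 * <p>{@link #documentAuthorizer} is injected through {@link #setDocumentAuthorizer(TransactionalDocumentAuthorizer)};
 * every method dereferences it, so an un-configured instance fails with a {@code NullPointerException}.
 */
public class SecTransactionalDocumentAuthorizer implements TransactionalDocumentAuthorizer {
    // authorizer for the document type whose decisions are narrowed here; set by the Spring configuration
    protected TransactionalDocumentAuthorizer documentAuthorizer;

    @Override
    public Set<String> getEditModes(Document document, Person user, Set<String> editModes) {
        return documentAuthorizer.getEditModes(document, user, editModes);
    }

    @Override
    public boolean canAddNoteAttachment(Document document, String attachmentTypeCode, Person user) {
        return documentAuthorizer.canAddNoteAttachment(document, attachmentTypeCode, user);
    }

    @Override
    public boolean canDeleteNoteAttachment(Document document, String attachmentTypeCode, String createdBySelfOnly, Person user) {
        return documentAuthorizer.canDeleteNoteAttachment(document, attachmentTypeCode, createdBySelfOnly, user);
    }

    @Override
    public boolean canInitiate(String documentTypeName, Person user) {
        return documentAuthorizer.canInitiate(documentTypeName, user);
    }

    /**
     * If the user has open permission then does further checks to verify there is no access security restriction set up
     * that prevents the user from opening the document.
     *
     * <p>When access security denies the open, the populated {@link AccessSecurityRestrictionInfo} is stored in the user
     * session under {@link SecConstants#OPEN_DOCUMENT_SECURITY_ACCESS_DENIED_ERROR_KEY} so the caller can report why.
     *
     * @param document the document to open; must be an {@link AccountingDocument}
     * @param user the user requesting access
     * @return true only if both the wrapped authorizer and the access security service allow the open
     * @see org.kuali.rice.kns.document.authorization.DocumentAuthorizer#canOpen(org.kuali.rice.kns.document.Document, org.kuali.rice.kim.bo.Person)
     */
    @Override
    public boolean canOpen(Document document, Person user) {
        AccessSecurityService securityService = SpringContext.getBean(AccessSecurityService.class);

        boolean canOpen = documentAuthorizer.canOpen(document, user);
        if (canOpen) {
            AccessSecurityRestrictionInfo restrictionInfo = new AccessSecurityRestrictionInfo();
            canOpen = securityService.canViewDocument((AccountingDocument) document, user, restrictionInfo);
            if (!canOpen) {
                // keep the restriction details for the denied-access page; the boolean alone says nothing about why
                GlobalVariables.getUserSession().addObject(SecConstants.OPEN_DOCUMENT_SECURITY_ACCESS_DENIED_ERROR_KEY, restrictionInfo);
            }
        }

        return canOpen;
    }

    @Override
    public boolean canReceiveAdHoc(Document document, Person user, String actionRequestCode) {
        return documentAuthorizer.canReceiveAdHoc(document, user, actionRequestCode);
    }

    @Override
    public boolean canSendAdHocRequests(Document document, String actionRequestCd, Person user) {
        return documentAuthorizer.canSendAdHocRequests(document, actionRequestCd, user);
    }

    /**
     * If the user has permission to view notes/attachments then does further checks to verify there is no access
     * security restriction set up that prevents the user from viewing the notes/attachments.
     *
     * <p>A denial adds an informational message under {@link KFSConstants#GLOBAL_ERRORS}; it does not throw.
     *
     * @param document the document whose notes/attachments are requested; must be an {@link AccountingDocument}
     * @param attachmentTypeCode attachment type passed through to the wrapped authorizer
     * @param user the user requesting access
     * @return true only if both the wrapped authorizer and the access security service allow viewing
     * @see org.kuali.rice.kns.document.authorization.DocumentAuthorizer#canViewNoteAttachment(org.kuali.rice.kns.document.Document, java.lang.String, org.kuali.rice.kim.bo.Person)
     */
    @Override
    public boolean canViewNoteAttachment(Document document, String attachmentTypeCode, Person user) {
        AccessSecurityService securityService = SpringContext.getBean(AccessSecurityService.class);

        boolean canView = documentAuthorizer.canViewNoteAttachment(document, attachmentTypeCode, user);
        if (canView) {
            canView = securityService.canViewDocumentNotesAttachments((AccountingDocument) document, user);
            if (!canView) {
                GlobalVariables.getMessageMap().putInfo(KFSConstants.GLOBAL_ERRORS, SecKeyConstants.MESSAGE_DOCUMENT_NOTES_RESTRICTED, (String) null);
            }
        }

        return canView;
    }

    /**
     * If there are line restrictions and the initiator override flag is turned on, the copy and error correct actions
     * are removed, since those would create documents displaying the restricted lines to their new initiator.
     *
     * <p>The set returned by the wrapped authorizer is modified in place and returned; each removed action adds an
     * informational message under {@link KFSConstants#GLOBAL_ERRORS}. The target lines are only examined when no
     * source line is restricted.
     *
     * @param document the document; must be an {@link AccountingDocument} when the initiator override flag is on
     * @param user the user whose actions are being determined
     * @param documentActions candidate actions passed through to the wrapped authorizer
     * @return the wrapped authorizer's actions, minus copy/error correct when a view-restricted line exists
     * @see org.kuali.rice.kns.document.authorization.DocumentAuthorizer#getDocumentActions(org.kuali.rice.kns.document.Document, org.kuali.rice.kim.bo.Person, java.util.Set)
     */
    @Override
    public Set<String> getDocumentActions(Document document, Person user, Set<String> documentActions) {
        Set<String> documentActionsToReturn = documentAuthorizer.getDocumentActions(document, user, documentActions);

        AccessSecurityService securityService = SpringContext.getBean(AccessSecurityService.class);

        boolean alwaysAllowInitiatorAccess = SpringContext.getBean(ParameterService.class).getIndicatorParameter(SecConstants.ACCESS_SECURITY_NAMESPACE_CODE, SecConstants.ALL_PARAMETER_DETAIL_COMPONENT, SecConstants.SecurityParameterNames.ALWAYS_ALLOW_INITIATOR_LINE_ACCESS_IND);
        if (alwaysAllowInitiatorAccess) {
            AccountingDocument accountingDocument = (AccountingDocument) document;

            // short-circuit: target lines are checked only when no source line is restricted
            boolean hasViewRestrictions = hasViewRestrictedLine(accountingDocument, accountingDocument.getSourceAccountingLines(), user, securityService)
                    || hasViewRestrictedLine(accountingDocument, accountingDocument.getTargetAccountingLines(), user, securityService);

            // if we have restrictions then disable copy and error correction
            if (hasViewRestrictions) {
                removeRestrictedAction(documentActionsToReturn, KNSConstants.KUALI_ACTION_CAN_COPY, SecKeyConstants.MESSAGE_DOCUMENT_COPY_RESTRICTED);
                removeRestrictedAction(documentActionsToReturn, KFSConstants.KFS_ACTION_CAN_ERROR_CORRECT, SecKeyConstants.MESSAGE_DOCUMENT_ERROR_CORRECT_RESTRICTED);
            }
        }

        return documentActionsToReturn;
    }

    /**
     * Determines whether any of the given accounting lines is view restricted for the user.
     *
     * @param accountingDocument document owning the lines
     * @param lines the lines to check; each element is cast to {@link AccountingLine}
     * @param user the user whose access is checked
     * @param securityService service consulted per line
     * @return true as soon as one line cannot be viewed by the user, false if all lines are viewable
     */
    protected boolean hasViewRestrictedLine(AccountingDocument accountingDocument, Iterable<?> lines, Person user, AccessSecurityService securityService) {
        for (Object lineObject : lines) {
            AccountingLine line = (AccountingLine) lineObject;
            if (!securityService.canViewDocumentAccountingLine(accountingDocument, line, user)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Removes the given action from the set, if present, and records an informational message explaining the removal.
     *
     * @param documentActions the action set to modify in place
     * @param actionKey the action to remove
     * @param messageKey message key added under {@link KFSConstants#GLOBAL_ERRORS} when the action was present
     */
    protected void removeRestrictedAction(Set<String> documentActions, String actionKey, String messageKey) {
        if (documentActions.contains(actionKey)) {
            documentActions.remove(actionKey);
            GlobalVariables.getMessageMap().putInfo(KFSConstants.GLOBAL_ERRORS, messageKey, (String) null);
        }
    }

    @Override
    public Map<String, String> getCollectionItemPermissionDetails(BusinessObject collectionItemBusinessObject) {
        return documentAuthorizer.getCollectionItemPermissionDetails(collectionItemBusinessObject);
    }

    @Override
    public Map<String, String> getCollectionItemRoleQualifications(BusinessObject collectionItemBusinessObject) {
        return documentAuthorizer.getCollectionItemRoleQualifications(collectionItemBusinessObject);
    }

    @Override
    public boolean isAuthorized(BusinessObject businessObject, String namespaceCode, String permissionName, String principalId) {
        return documentAuthorizer.isAuthorized(businessObject, namespaceCode, permissionName, principalId);
    }

    @Override
    public boolean isAuthorized(BusinessObject businessObject, String namespaceCode, String permissionName, String principalId, Map<String, String> additionalPermissionDetails, Map<String, String> additionalRoleQualifiers) {
        return documentAuthorizer.isAuthorized(businessObject, namespaceCode, permissionName, principalId, additionalPermissionDetails, additionalRoleQualifiers);
    }

    @Override
    public boolean isAuthorizedByTemplate(BusinessObject businessObject, String namespaceCode, String permissionTemplateName, String principalId) {
        return documentAuthorizer.isAuthorizedByTemplate(businessObject, namespaceCode, permissionTemplateName, principalId);
    }

    @Override
    public boolean isAuthorizedByTemplate(BusinessObject businessObject, String namespaceCode, String permissionTemplateName, String principalId, Map<String, String> additionalPermissionDetails, Map<String, String> additionalRoleQualifiers) {
        return documentAuthorizer.isAuthorizedByTemplate(businessObject, namespaceCode, permissionTemplateName, principalId, additionalPermissionDetails, additionalRoleQualifiers);
    }

    /**
     * Sets the documentAuthorizer attribute value.
     *
     * @param documentAuthorizer The documentAuthorizer to set.
     */
    public void setDocumentAuthorizer(TransactionalDocumentAuthorizer documentAuthorizer) {
        this.documentAuthorizer = documentAuthorizer;
    }

}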