| /******************************************************************************* |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, |
| * software distributed under the License is distributed on an |
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| * KIND, either express or implied. See the License for the |
| * specific language governing permissions and limitations |
| * under the License. |
| *******************************************************************************/ |
| package org.ofbiz.service; |
| |
| import java.io.Serializable; |
| import java.util.List; |
| import java.util.Map; |
| |
| import org.ofbiz.base.util.Debug; |
| import org.ofbiz.base.util.UtilValidate; |
| import org.ofbiz.entity.GenericValue; |
| import org.ofbiz.entity.util.EntityUtil; |
| import org.ofbiz.security.Security; |
| import org.ofbiz.security.authz.Authorization; |
| |
| /** |
| * Service Permission Model Class |
| */ |
| @SuppressWarnings("serial") |
| public class ModelPermission implements Serializable { |
| |
| public static final String module = ModelPermission.class.getName(); |
| |
| public static final int PERMISSION = 1; |
| public static final int ENTITY_PERMISSION = 2; |
| public static final int ROLE_MEMBER = 3; |
| public static final int PERMISSION_SERVICE = 4; |
| |
| public ModelService serviceModel = null; |
| public int permissionType = 0; |
| public String nameOrRole = null; |
| public String action = null; |
| public String permissionServiceName = null; |
| public String permissionResourceDesc = null; |
| public Boolean auth; |
| public String clazz = null; |
| |
| public boolean evalPermission(DispatchContext dctx, Map<String, ? extends Object> context) { |
| GenericValue userLogin = (GenericValue) context.get("userLogin"); |
| Authorization authz = dctx.getAuthorization(); |
| Security security = dctx.getSecurity(); |
| if (userLogin == null) { |
| Debug.logInfo("Secure service requested with no userLogin object", module); |
| return false; |
| } |
| switch (permissionType) { |
| case PERMISSION: |
| return evalAuthzPermission(authz, userLogin, context); |
| case ENTITY_PERMISSION: |
| return evalEntityPermission(security, userLogin); |
| case ROLE_MEMBER: |
| return evalRoleMember(userLogin); |
| case PERMISSION_SERVICE: |
| return evalPermissionService(serviceModel, dctx, context); |
| default: |
| Debug.logWarning("Invalid permission type [" + permissionType + "] for permission named : " + nameOrRole + " on service : " + serviceModel.name, module); |
| return false; |
| } |
| } |
| |
| private boolean evalAuthzPermission(Authorization authz, GenericValue userLogin, Map<String, ? extends Object> context) { |
| if (nameOrRole == null) { |
| Debug.logWarning("Null permission name passed for evaluation", module); |
| return false; |
| } |
| return authz.hasPermission(userLogin.getString("userLoginId"), nameOrRole, context); |
| } |
| |
| private boolean evalEntityPermission(Security security, GenericValue userLogin) { |
| if (nameOrRole == null) { |
| Debug.logWarning("Null permission name passed for evaluation", module); |
| return false; |
| } |
| if (action == null) { |
| Debug.logWarning("Null action passed for evaluation", module); |
| } |
| return security.hasEntityPermission(nameOrRole, action, userLogin); |
| } |
| |
| private boolean evalRoleMember(GenericValue userLogin) { |
| if (nameOrRole == null) { |
| Debug.logWarning("Null role type name passed for evaluation", module); |
| return false; |
| } |
| List<GenericValue> partyRoles = null; |
| /** (jaz) THIS IS NOT SECURE AT ALL |
| try { |
| partyRoles = delegator.findByAnd("PartyRole", "roleTypeId", nameOrRole, "partyId", userLogin.get("partyId")); |
| } catch (GenericEntityException e) { |
| Debug.logError(e, "Unable to lookup PartyRole records", module); |
| } |
| **/ |
| |
| if (UtilValidate.isNotEmpty(partyRoles)) { |
| partyRoles = EntityUtil.filterByDate(partyRoles); |
| if (UtilValidate.isNotEmpty(partyRoles)) { |
| return true; |
| } |
| } |
| return false; |
| } |
| |
| private boolean evalPermissionService(ModelService origService, DispatchContext dctx, Map<String, ? extends Object> context) { |
| ModelService permission; |
| if (permissionServiceName == null) { |
| Debug.logWarning("No ModelService found; no service name specified!", module); |
| return false; |
| } |
| try { |
| permission = dctx.getModelService(permissionServiceName); |
| } catch (GenericServiceException e) { |
| Debug.logError(e, "Failed to get ModelService: " + e.toString(), module); |
| return false; |
| } |
| if (permission == null) { |
| Debug.logError("No ModelService found with the name [" + permissionServiceName + "]", module); |
| return false; |
| } |
| permission.auth = true; |
| Map<String, Object> ctx = permission.makeValid(context, ModelService.IN_PARAM); |
| if (UtilValidate.isNotEmpty(action)) { |
| ctx.put("mainAction", action); |
| } |
| if (UtilValidate.isNotEmpty(permissionResourceDesc)) { |
| ctx.put("resourceDescription", permissionResourceDesc); |
| } else if (origService != null) { |
| ctx.put("resourceDescription", origService.name); |
| } |
| LocalDispatcher dispatcher = dctx.getDispatcher(); |
| Map<String, Object> resp; |
| String failMessage = null; |
| try { |
| resp = dispatcher.runSync(permission.name, ctx, 300, true); |
| failMessage = (String) resp.get("failMessage"); |
| } catch (GenericServiceException e) { |
| Debug.logError(failMessage + e.getMessage(), module); |
| return false; |
| } |
| if (ServiceUtil.isError(resp) || ServiceUtil.isFailure(resp)) { |
| Debug.logError(failMessage, module); |
| return false; |
| } |
| return ((Boolean) resp.get("hasPermission")).booleanValue(); |
| } |
| } |