Start line:  
End line:  

Snippet Preview

Snippet HTML Code

Stack Overflow Questions
Copyright 2005-2013 The Kuali Foundation Licensed under the Educational Community License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.opensource.org/licenses/ecl2.php Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
 
 package org.kuali.rice.kew.doctype.service.impl;
 
 
 import java.util.*;

Base class which implements default KIM permission checks for various workflow document actions. This implementation can be used as a base class for a DocumentTypePermissionService or DocumentTypeAuthorizer implementation

 
     private static final org.apache.log4j.Logger LOG = org.apache.log4j.Logger.getLogger(DocumentActionsPermissionBase.class);

    
 
     public boolean canInitiate(String principalIdDocumentType documentType) {
         validatePrincipalId(principalId);
         validateDocumentType(documentType);
 
         Map<StringStringpermissionDetails = buildDocumentTypePermissionDetails(documentTypenullnullnull);
                     .permissionDetailsnew HashMap<StringString>());
         }
         return true;
     }

    
 
     public boolean canRoute(String principalIdDocumentRouteHeaderValue document) {
         validatePrincipalId(principalId);
         validateDocument(document);
         String documentId = document.getDocumentId();
         DocumentType documentType = document.getDocumentType();
         String documentStatus = document.getDocRouteStatus();
         String initiatorPrincipalId = document.getInitiatorWorkflowId();
         validateDocumentType(documentType);
         validateDocumentStatus(documentStatus);
         validatePrincipalId(initiatorPrincipalId);
 
             Map<StringStringpermissionDetails = buildDocumentTypePermissionDetails(documentTypedocumentStatusnullnull);
             Map<StringStringroleQualifiers = buildDocumentRoleQualifiers(documentpermissionDetails.get(.));
 
             if (.isDebugEnabled()) {
                 .debug("Permission details values: " + permissionDetails);
                 .debug("Role qualifiers values: " + roleQualifiers);
             }
             if (useKimPermission(..permissionDetailstrue)) {
                 return getPermissionService().isAuthorizedByTemplate(principalId.,
                         .permissionDetailsroleQualifiers);
             }
         }
 
         if (documentType.getInitiatorMustRoutePolicy().getPolicyValue()) {
             return executeInitiatorPolicyCheck(principalIdinitiatorPrincipalIddocumentStatus);
         }
         return true;
     }

    
    protected boolean canSuperUserApproveSingleActionRequest(String principalIdDocumentType documentType,
                                                             Collection<StringrouteNodeNamesString routeStatusCode) {
        validatePrincipalId(principalId);
        validateDocumentType(documentType);
        List<Map<StringString>> permissionDetailList = buildDocumentTypePermissionDetailsForNodes(documentTyperouteNodeNamesrouteStatusCodenull);
        // loop over permission details, only one of them needs to be authorized
        PermissionService permissionService = getPermissionService();
        for (Map<StringStringpermissionDetails : permissionDetailList) {
            if (permissionService.isAuthorizedByTemplate(principalId.,
                    .permissionDetailsnew HashMap<StringString>())) {
                return true;
            }
        }
        return false;
    }

    
    protected boolean canSuperUserApproveDocument(String principalIdDocumentType documentType,
                                                  Collection<StringrouteNodeNamesString routeStatusCode) {
        validatePrincipalId(principalId);
        validateDocumentType(documentType);
        List<Map<StringString>> permissionDetailList = buildDocumentTypePermissionDetailsForNodes(documentTyperouteNodeNamesrouteStatusCodenull);
        // loop over permission details, only one of them needs to be authorized
        PermissionService permissionService = getPermissionService();
        for (Map<StringStringpermissionDetails : permissionDetailList) {
            if (permissionService.isAuthorizedByTemplate(principalId.,
                    .permissionDetailsnew HashMap<StringString>())) {
                return true;
            }
        }
        return false;
    }

    
    protected boolean canSuperUserDisapproveDocument(String principalIdDocumentType documentType,
                                                     Collection<StringrouteNodeNames,String routeStatusCode) {
        validatePrincipalId(principalId);
        validateDocumentType(documentType);
        List<Map<StringString>> permissionDetailList = buildDocumentTypePermissionDetailsForNodes(documentTyperouteNodeNamesrouteStatusCodenull);
        // loop over permission details, only one of them needs to be authorized
        PermissionService permissionService = getPermissionService();
        for (Map<StringStringpermissionDetails : permissionDetailList) {
            if (permissionService.isAuthorizedByTemplate(principalId.,
                    .permissionDetailsnew HashMap<StringString>())) {
                return true;
            }
        }
        return false;
    }

    
    public boolean canCancel(String principalIdDocumentRouteHeaderValue document) {
        validatePrincipalId(principalId);
        validateDocument(document);
        String documentId = document.getDocumentId();
        DocumentType documentType = document.getDocumentType();
        String documentStatus = document.getDocRouteStatus();
        String initiatorPrincipalId = document.getInitiatorWorkflowId();
        List<StringrouteNodeNames = document.getCurrentNodeNames();
        validateDocumentType(documentType);
        validateRouteNodeNames(routeNodeNames);
        validateDocumentStatus(documentStatus);
        validatePrincipalId(initiatorPrincipalId);
            List<Map<StringString>> permissionDetailList = buildDocumentTypePermissionDetailsForNodes(documentTyperouteNodeNamesdocumentStatusnull);
            boolean foundAtLeastOnePermission = false;
            // loop over permission details, only one of them needs to be authorized
            for (Map<StringStringpermissionDetails : permissionDetailList) {
                Map<StringStringroleQualifiers = buildDocumentRoleQualifiers(documentpermissionDetails.get(.));
                if (useKimPermission(..permissionDetailstrue)) {
                    foundAtLeastOnePermission = true;
                    if (getPermissionService().isAuthorizedByTemplate(principalId.,
                            .permissionDetailsroleQualifiers)) {
                        return true;
                    }
                }
            }
            // if we found defined KIM permissions, but not of them have authorized this user, return false
            if (foundAtLeastOnePermission) {
                return false;
            }
        }
        if (documentType.getInitiatorMustCancelPolicy().getPolicyValue()) {
            return executeInitiatorPolicyCheck(principalIdinitiatorPrincipalIddocumentStatus);
        } else {
            return true;
        }
    }

    
    public boolean canRecall(String principalIdDocumentRouteHeaderValue document) {
        validatePrincipalId(principalId);
        validateDocument(document);
        String documentId = document.getDocumentId();
        DocumentType documentType = document.getDocumentType();
        String documentStatus = document.getDocRouteStatus();
        String appDocStatus = document.getAppDocStatus();
        String initiatorPrincipalId = document.getInitiatorWorkflowId();
        List<StringrouteNodeNames = document.getCurrentNodeNames();
        validateDocumentType(documentType);
        validateRouteNodeNames(routeNodeNames);
        validateDocumentStatus(documentStatus);
        // no need to validate appdocstatus, this is a free-form application defined value
        // add appDocStatus to the details
        List<Map<StringString>> permissionDetailList = buildDocumentTypePermissionDetailsForNodes(documentTyperouteNodeNamesdocumentStatusnull);
        if (!StringUtils.isBlank(appDocStatus)) {
            for (Map<StringStringdetailspermissionDetailList) {
                details.put(.appDocStatus);
            }
        }
        boolean foundAtLeastOnePermission = false;
        boolean authorizedByPermission = false;
        boolean principalIsInitiator = StringUtils.equals(initiatorPrincipalIdprincipalId);
        // loop over permission details, only one of them needs to be authorized
        for (Map<StringStringpermissionDetails : permissionDetailList) {
            Map<StringStringroleQualifiers = buildDocumentRoleQualifiers(documentpermissionDetails.get(.));
            if (useKimPermission(..permissionDetailsfalse)) {
                    foundAtLeastOnePermission = true;
                    if (getPermissionService().isAuthorizedByTemplate(principalId.,
                            .permissionDetailsroleQualifiers)) {
                        return true;
                    }
                }
            }
        }
        if (foundAtLeastOnePermission) {
            return false;
        }
        // alternative could be to only authorize initiator if the permission is omitted
        // (i.e. exclude initiator if the initiator does not have the recall permission)
        return authorizedByPermission;
    }

    
    public boolean canBlanketApprove(String principalIdDocumentRouteHeaderValue document) {
        validatePrincipalId(principalId);
        validateDocument(document);
        DocumentType documentType = document.getDocumentType();
        String initiatorPrincipalId = document.getInitiatorWorkflowId();
        String documentStatus = document.getDocRouteStatus();
        validateDocumentType(documentType);
        validateDocumentStatus(documentStatus);
        validatePrincipalId(initiatorPrincipalId);
        final Boolean result;
        if (documentType.isBlanketApproveGroupDefined()) {
            boolean initiatorAuthorized = true;
            if (documentType.getInitiatorMustBlanketApprovePolicy().getPolicyValue()) {
                initiatorAuthorized = executeInitiatorPolicyCheck(principalIdinitiatorPrincipalIddocumentStatus);
            }
            result = initiatorAuthorized && documentType.isBlanketApprover(principalId);
        } else {
            Map<StringStringpermissionDetails = buildDocumentTypePermissionDetails(documentTypedocumentStatusnullnull);
            result = getPermissionService().isAuthorizedByTemplate(principalId.,
                    .permissionDetailsnew HashMap<StringString>());
        }
        return result;
    }

    
    public boolean canSave(String principalIdDocumentRouteHeaderValue document) {
        validatePrincipalId(principalId);
        validateDocument(document);
        String documentId = document.getDocumentId();
        DocumentType documentType = document.getDocumentType();
        String documentStatus = document.getDocRouteStatus();
        String initiatorPrincipalId = document.getInitiatorWorkflowId();
        List<StringrouteNodeNames = document.getCurrentNodeNames();
        validateDocumentType(documentType);
        validateRouteNodeNames(routeNodeNames);
        validateDocumentStatus(documentStatus);
        validatePrincipalId(initiatorPrincipalId);
            List<Map<StringString>> permissionDetailList = buildDocumentTypePermissionDetailsForNodes(documentTyperouteNodeNamesdocumentStatusnull);
            boolean foundAtLeastOnePermission = false;
            // loop over permission details, only one of them needs to be authorized
            for (Map<StringStringpermissionDetails : permissionDetailList) {
                Map<StringStringroleQualifiers = buildDocumentRoleQualifiers(documentpermissionDetails.get(.));
                if (useKimPermission(..permissionDetailstrue)) {
                    foundAtLeastOnePermission = true;
                    if (getPermissionService().isAuthorizedByTemplate(principalId.,
                            .permissionDetailsroleQualifiers)) {
                        return true;
                    }
                }
            }
            // if we found defined KIM permissions, but not of them have authorized this user, return false
            if (foundAtLeastOnePermission) {
                return false;
            }
        }
        if (documentType.getInitiatorMustSavePolicy().getPolicyValue()) {
            return executeInitiatorPolicyCheck(principalIdinitiatorPrincipalIddocumentStatus);
        }
        return true;
    }

    
Generates permission details map for KIM permission checks. Details are derived from document type, status, action request code (if non-null) and routeNode name (if non-null). If the document status is not a routed state, "PreRoute" is used. Note that this has to match the required data defined in krim_typ_attr_t for the krim_typ_t with srvc_nm='documentTypeAndNodeOrStatePermissionTypeService'. TODO: See KULRICE-3490, make assembly of permission details dynamic based on db config

Parameters:
documentType the KEW DocumentType
documentStatus the document status
actionRequestCode action request code if applicable
routeNodeName routeNode name if applicable
Returns:
map of permission details for permission check
    protected Map<StringStringbuildDocumentTypePermissionDetails(DocumentType documentTypeString documentStatusString actionRequestCodeString routeNodeName) {
        Map<StringStringdetails = new HashMap<StringString>();
        if (documentType != null) {
            details.put(..documentType.getName());
        }
        if (!StringUtils.isBlank(documentStatus)) {
            details.put(..documentStatus);
        }
        if (..equals(documentStatus) ||
                ..equals(documentStatus)) {
        } else if (!StringUtils.isBlank(routeNodeName)) {
            details.put(.routeNodeName);
        }
        if (!StringUtils.isBlank(actionRequestCode)) {
            details.put(..actionRequestCode);
        }
        return details;
    }

    
This method generates the permission details for the given document with current active route nodes. This method simply invokes buildDocumentTypePermissionDetails(org.kuali.rice.kew.doctype.bo.DocumentType,java.lang.String,java.lang.String,java.lang.String) for each node (or once if no node names are provided).

Parameters:
documentType the DocumentType
routeNodeNames active route nodes for which to generate permission details
documentStatus document status
actionRequestCode action request code if applicable
Returns:
list of permission details maps, one for each route node inspected
                                                                                   Collection<StringrouteNodeNamesString documentStatusString actionRequestCode) {
        List<Map<StringString>> detailList = new ArrayList<Map<StringString>>();
        if (!routeNodeNames.isEmpty()) {
            for (String routeNodeName : routeNodeNames) {
                detailList.add(buildDocumentTypePermissionDetails(documentTypedocumentStatusactionRequestCoderouteNodeName));
            }
        } else {
            detailList.add(buildDocumentTypePermissionDetails(documentTypedocumentStatusactionRequestCodenull));
        }
        return detailList;
    }

    
Generates role qualifiers for authorization check. If the document status is a non-routed status, "PreRoute" is used. The namespaceCode attribute is derived from the KRAD DataDictionary if there is a mapping for the document type.

Parameters:
document the document instance
routeNodeName name of the applicable routenode
Returns:
map of role qualifiers
    protected Map<StringStringbuildDocumentRoleQualifiers(DocumentRouteHeaderValue documentString routeNodeName) {
        Map<StringStringqualifiers = new HashMap<StringString>();
        qualifiers.put(..document.getDocumentId());
        if (!StringUtils.isBlank(document.getDocRouteStatus())) {
            qualifiers.put(.document.getDocRouteStatus());
            }
            else {
                qualifiers.put(..routeNodeName);
            }
        }
        qualifiers.put(.document.getDocumentType().getName());
        DocumentEntry documentEntry = KRADServiceLocatorWeb.getDataDictionaryService().getDataDictionary().getDocumentEntry(document.getDocumentType().getName());
        if (documentEntry != null) {
            Class<? extends DocumentdocumentClass = documentEntry.getDocumentClass();
            String namespaceCode;
            if (MaintenanceDocument.class.isAssignableFrom(documentClass)) {
                MaintenanceDocumentEntry maintenanceDocumentEntry = (MaintenanceDocumentEntrydocumentEntry;
                namespaceCode = KRADUtils.getNamespaceCode(maintenanceDocumentEntry.getDataObjectClass());
            }
            else {
                namespaceCode = KRADUtils.getNamespaceCode(documentClass);
            }
            qualifiers.put(..namespaceCode);
        }
        return qualifiers;
    }

    
Returns whether to invoke KIM to perform permission checks. First consults the org.kuali.rice.kew.api.KewApiConstants.KIM_PRIORITY_ON_DOC_TYP_PERMS_IND system parameter to determine whether we should check for permission existence. If this parameter is unset or is true, we proceed to invoke org.kuali.rice.kim.api.permission.PermissionService.isPermissionDefinedByTemplate(java.lang.String,java.lang.String,java.util.Map) to determine whether the given permission is defined anywhere in the system.

Parameters:
namespace namespace of permission we are querying
permissionTemplateName template name of permissions we are querying
permissionDetails details of permissions we are querying
checkKimPriorityInd whether to consult the org.kuali.rice.kew.api.KewApiConstants.KIM_PRIORITY_ON_DOC_TYP_PERMS_IND parameter to determine whether the check for permission definition
Returns:
whether there are any permissions defined for the given permission template, or false if we are checking the kim priority indicator and the KewApiConstants@KIM_PRIORITY_ON_DOC_TYP_PERMS_IND system parameter is disabled.
    protected boolean useKimPermission(String namespaceString permissionTemplateNameMap<StringStringpermissionDetailsboolean checkKimPriorityInd) {
        Boolean b = true;
        if (checkKimPriorityInd) {
        }
        if (b == null || b) {
            return getPermissionService().isPermissionDefinedByTemplate(namespacepermissionTemplateName,
                    permissionDetails);
        }
        return false;
    }
    private boolean executeInitiatorPolicyCheck(String principalIdString initiatorPrincipalIdString documentStatus) {
        return principalId.equals(initiatorPrincipalId) || !(..equals(documentStatus) || ..equals(documentStatus));
    }

    
Validates principal id parameter

Parameters:
principalId the principal id
Throw:
IllegalArgumentException if the principal is not valid (null or empty)
    protected void validatePrincipalId(String principalId) {
        if (StringUtils.isBlank(principalId)) {
            throw new IllegalArgumentException("Invalid principal ID, value was empty");
        }
    }

    
Validates document parameter

Parameters:
document the document
Throw:
IllegalArgumentException if the document is null
    protected void validateDocument(DocumentRouteHeaderValue document) {
        if (document== null) {
            throw new IllegalArgumentException("document cannot be null");
        }
    }

    
Validates documenttype parameter

Parameters:
documentType the document type
Throw:
IllegalArgumentException if the documenttype is null
    protected void validateDocumentType(DocumentType documentType) {
        if (documentType == null) {
            throw new IllegalArgumentException("DocumentType cannot be null");
        }
    }

    
Validates routeNodeNames parameter

Parameters:
routeNodeNames the routeNode names
Throw:
IllegalArgumentException if any routeNode name is empty or null
    protected void validateRouteNodeNames(List<StringrouteNodeNames) {
        if (routeNodeNames.isEmpty()) {
            return;
            //throw new IllegalArgumentException("List of route node names was empty.");
        }
        for (String routeNodeName : routeNodeNames) {
            if (StringUtils.isBlank(routeNodeName)) {
                throw new IllegalArgumentException("List of route node names contained an invalid route node name, value was empty");
            }
        }
    }

    
Validates documentStatus parameter

Parameters:
documentStatus the document status
Throw:
IllegalArgumentException if document status is empty or null, or an invalid value
    protected void validateDocumentStatus(String documentStatus) {
        if (StringUtils.isBlank(documentStatus)) {
            throw new IllegalArgumentException("Invalid document status, value was empty");
        }
        if (!..containsKey(documentStatus)) {
            throw new IllegalArgumentException("Invalid document status was given, value was: " + documentStatus);
        }
    }
    // convenenience method to look up KIM PermissionService
        return KimApiServiceLocator.getPermissionService();
    }
New to GrepCode? Check out our FAQ X