Secure.java

package controllers;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

import javax.jcr.ItemNotFoundException;
import javax.jcr.RepositoryException;

import models.Recipe;
import models.User;

import org.jcrom.JcrMappingException;

import play.mvc.Before;
import play.mvc.Controller;

public class Secure extends Controller {

    private static final String CONNECTED = "connected";
    private static final String LOGGED = "logged";

    @Before
    static void checkSecure() throws JcrMappingException, ItemNotFoundException, RepositoryException {
        Authenticated authenticated = getActionAnnotation(Secure.Authenticated.class);
        Admin admin = getActionAnnotation(Secure.Admin.class);
        if (authenticated != null || admin != null) {
            if (session.contains(LOGGED)) {
                // The user is authenticated,
                // add User object to the renderArgs scope
                User user = User.findById(session.get(LOGGED));
                renderArgs.put(CONNECTED, user);
            } else {
                // The user is not authenticated,
                // redirect to the login form
                Application.login();
            }
        }

        if (admin != null) {
            // The action method is annotated with @Admin,
            // check the permission
            if (!renderArgs.get(CONNECTED, User.class).admin) {
                // The connected user is not admin;
                forbidden("You must be admin to see this page");
            }
        }

        renderArgs.put(CONNECTED, connectedUser());
    }

    @Target({ ElementType.METHOD, ElementType.TYPE })
    @Retention(RetentionPolicy.RUNTIME)
    public @interface Admin {
    }

    @Target({ ElementType.METHOD, ElementType.TYPE })
    @Retention(RetentionPolicy.RUNTIME)
    public @interface Authenticated {
    }

    // ~~~~~~~~~~~~ Some utils

    static void connect(User user) {
        session.put(LOGGED, user.uuid);
    }

    static User connectedUser() {
        String userId = session.get(LOGGED);
        User user = null;
        try {
            if (userId != null) {
                user = User.findById(userId);
            }
        } catch (Exception ex) {
            session.clear();
        }
        return user;
    }

    static boolean checkRecipeAccess(Recipe recipe) {
        User connected = connectedUser();
        return (recipe.isPublic() || (connected != null && (connected.admin || recipe.isOwner(connected.uuid))));
    }

}