/*
* Copyright 2000-2013 Enonic AS
* http://www.enonic.com/license
*/
package com.enonic.cms.core.security;
import java.util.HashMap;
import java.util.Map;
import com.enonic.cms.core.security.group.GroupEntity;
import com.enonic.cms.core.security.user.UserEntity;
import com.enonic.cms.core.security.userstore.UserStoreEntity;
import com.enonic.cms.core.security.userstore.UserStoreKey;
import com.enonic.cms.store.dao.GroupDao;
/**
 * Base class for access resolvers. Decides whether a user holds a given access type on an entity
 * by consulting the built-in groups (anonymous, authenticated users, enterprise administrators),
 * the user's own group, and the subclass' {@link #hasAccess} implementation.
 *
 * <p>Built-in groups are fetched through the {@link GroupDao} on first use and then kept in
 * instance fields. Nothing in this class invalidates those cached references or synchronizes
 * access to them.
 * NOTE(review): if a resolver instance is shared between threads, or outlives a change to the
 * built-in groups, confirm that the unsynchronized, never-refreshed cache is acceptable.
 *
 * @param <TEntity>     type of the entity access is resolved for
 * @param <TAccessType> type describing the kind of access being asked for
 */
public abstract class AbstractAccessResolver<TEntity, TAccessType>
{
    private final GroupDao groupDao;

    // Lazily resolved built-in groups; null until first requested.
    private GroupEntity anonymousGroup;

    private GroupEntity enterpriseAdminsGroup;

    // One "authenticated users" group per user store, filled on demand. Plain HashMap: no synchronization.
    private final Map<UserStoreKey, GroupEntity> authenticatedUsersGroupByUserStoreKey = new HashMap<UserStoreKey, GroupEntity>();

    /**
     * @param groupDao DAO used to look up the built-in groups; stored as given, not null-checked
     */
    protected AbstractAccessResolver( GroupDao groupDao )
    {
        this.groupDao = groupDao;
    }

    /**
     * Returns the built-in anonymous group, asking the DAO only while no non-null result has
     * been stored yet.
     *
     * @return the cached group, or whatever the DAO returned on this call
     */
    protected GroupEntity getAnonymousGroup()
    {
        if ( anonymousGroup != null )
        {
            return anonymousGroup;
        }
        anonymousGroup = groupDao.findBuiltInAnonymous();
        return anonymousGroup;
    }

    /**
     * Returns the built-in enterprise administrators group, asking the DAO only while no
     * non-null result has been stored yet.
     *
     * @return the cached group, or whatever the DAO returned on this call
     */
    protected GroupEntity getEnterpriseAdminsGroup()
    {
        if ( enterpriseAdminsGroup != null )
        {
            return enterpriseAdminsGroup;
        }
        enterpriseAdminsGroup = groupDao.findBuiltInEnterpriseAdministrator();
        return enterpriseAdminsGroup;
    }

    /**
     * Returns the built-in "authenticated users" group of the given user store, using the
     * per-user-store cache when it already holds a non-null entry.
     *
     * <p>A null DAO result is written to the map but is treated as a miss on the next call, so it
     * is looked up again. The null is also handed back to the caller, which means
     * {@link #doHasAccess} can pass a null group on to {@link #hasAccess}.
     *
     * @param userstore user store whose group is wanted; must not be null (its key is read)
     * @return the cached or freshly loaded group, possibly null if the DAO found none
     */
    protected GroupEntity getAuthenticatedUsersGroup( UserStoreEntity userstore )
    {
        final GroupEntity cached = authenticatedUsersGroupByUserStoreKey.get( userstore.getKey() );
        if ( cached != null )
        {
            return cached;
        }

        final GroupEntity loaded = groupDao.findBuiltInAuthenticatedUsers( userstore.getKey() );
        authenticatedUsersGroupByUserStoreKey.put( userstore.getKey(), loaded );
        return loaded;
    }

    /**
     * Resolves whether {@code user} has {@code accessType} on {@code entity}.
     *
     * <p>Checks run in this order and the first one that decides wins:
     * <ol>
     * <li>access granted to the anonymous group (asked with {@code checkMemberships = false})
     * grants access to every user;</li>
     * <li>an anonymous user is denied at this point;</li>
     * <li>access granted to the user's own group, when the user has one;</li>
     * <li>access granted to the "authenticated users" group of the user's user store, when the
     * user has one;</li>
     * <li>membership of the enterprise administrators group, or being root, grants access
     * without consulting {@code entity} or {@code accessType} at all.</li>
     * </ol>
     *
     * <p>{@code entity} and {@code accessType} are not validated here; they are passed to
     * {@link #hasAccess} as given.
     *
     * @param user       user to resolve access for
     * @param entity     entity access is asked on
     * @param accessType kind of access asked for
     * @return {@code true} if any of the checks above grants access, otherwise {@code false}
     * @throws IllegalArgumentException if {@code user} is null
     */
    protected boolean doHasAccess( final UserEntity user, final TEntity entity, final TAccessType accessType )
    {
        if ( user == null )
        {
            throw new IllegalArgumentException( "Given user cannot be null" );
        }

        // Whatever the anonymous group may do, everybody may do.
        if ( hasAccess( entity, getAnonymousGroup(), accessType, false ) )
        {
            return true;
        }

        // The anonymous group was the only source of rights for an anonymous user.
        if ( user.isAnonymous() )
        {
            return false;
        }

        // The user's own group, asked with checkMemberships = true.
        // NOTE(review): presumably "true" makes the subclass follow group memberships - confirm in implementations.
        if ( user.getUserGroup() != null && hasAccess( entity, user.getUserGroup(), accessType, true ) )
        {
            return true;
        }

        // Every user of a user store is treated as an implicit member of its "authenticated users" group.
        if ( user.getUserStore() != null &&
            hasAccess( entity, getAuthenticatedUsersGroup( user.getUserStore() ), accessType, true ) )
        {
            return true;
        }

        // Enterprise administrators and root are granted access regardless of the entity's own rights.
        return user.isMemberOf( getEnterpriseAdminsGroup(), true ) || user.isRoot();
    }

    /**
     * Tells whether {@code group} has been granted {@code accessType} on {@code entity}.
     *
     * <p>Implementations should be prepared for a null {@code group}: the lookups in this class
     * hand on whatever the DAO returned.
     *
     * @param entity           entity access is asked on
     * @param group            group to check
     * @param accessType       kind of access asked for
     * @param checkMemberships {@code false} for the anonymous-group check, {@code true} for the
     *                         user-group and authenticated-users checks made by {@link #doHasAccess}
     * @return {@code true} if the group has the access
     */
    protected abstract boolean hasAccess( TEntity entity, GroupEntity group, TAccessType accessType, boolean checkMemberships );
}