CustomizedFileServiceSecurity.java

/*
    This file is part of Cyclos (www.cyclos.org).
    A project of the Social Trade Organisation (www.socialtrade.org).

    Cyclos is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    Cyclos is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with Cyclos; if not, write to the Free Software
    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

 */
package nl.strohalm.cyclos.services.customization;

import java.util.Collections;
import java.util.List;

import nl.strohalm.cyclos.access.AdminSystemPermission;
import nl.strohalm.cyclos.entities.Relationship;
import nl.strohalm.cyclos.entities.customization.files.CustomizedFile;
import nl.strohalm.cyclos.entities.customization.files.CustomizedFileQuery;
import nl.strohalm.cyclos.entities.groups.Group;
import nl.strohalm.cyclos.entities.groups.GroupFilter;
import nl.strohalm.cyclos.exceptions.PermissionDeniedException;
import nl.strohalm.cyclos.services.BaseServiceSecurity;
import nl.strohalm.cyclos.utils.validation.ValidationException;

/**
 * Security implementation for {@link CustomizedFileService}
 * 
 * @author jcomas
 */
public class CustomizedFileServiceSecurity extends BaseServiceSecurity implements CustomizedFileService {

    private CustomizedFileServiceLocal customizedFileService;

    @Override
    public boolean canViewOrManageInGroup(final Group group) {
        return customizedFileService.canViewOrManageInGroup(group);
    }

    @Override
    public boolean canViewOrManageInGroupFilters() {
        return customizedFileService.canViewOrManageInGroupFilters();
    }

    @Override
    public CustomizedFile load(final Long id, final Relationship... fetch) {
        CustomizedFile customizedFile = customizedFileService.load(id, fetch);
        if (!canView(customizedFile)) {
            throw new PermissionDeniedException();
        }
        return customizedFile;
    }

    @Override
    public CustomizedFile save(final CustomizedFile customizedFile) {
        if (!canManage(customizedFile)) {
            throw new PermissionDeniedException();
        }
        return customizedFileService.save(customizedFile);
    }

    @Override
    public CustomizedFile saveForTheme(final CustomizedFile customizedFile) {
        permissionService.permission().admin(AdminSystemPermission.THEMES_SELECT).check();
        return customizedFileService.saveForTheme(customizedFile);
    }

    @Override
    public List<CustomizedFile> search(final CustomizedFileQuery query) {
        if (!applyQueryRestrictions(query)) {
            return Collections.emptyList();
        }
        return customizedFileService.search(query);
    }

    public void setCustomizedFileServiceLocal(final CustomizedFileServiceLocal customizedFileService) {
        this.customizedFileService = customizedFileService;
    }

    @Override
    public void stopCustomizing(final CustomizedFile customizedFile) {
        if (!canManage(customizedFile)) {
            throw new PermissionDeniedException();
        }
        customizedFileService.stopCustomizing(customizedFile);
    }

    @Override
    public void validate(final CustomizedFile customizedFile) throws ValidationException {
        // No permissions required to validate.
        customizedFileService.validate(customizedFile);
    }

    private boolean applyQueryRestrictions(final CustomizedFileQuery query) {
        // Only system can query all customized files - and system shouldn't pass through the security layer
        query.setAll(false);

        if (query.getGroup() != null) {
            return canViewOrManageInGroup(query.getGroup());
        } else if (query.getGroupFilter() != null) {
            return canViewOrManageInGroupFilters();
        } else {
            return customizedFileService.canViewSystemCustomizedFiles();
        }
    }

    /**
     * Auxiliary method that returns true if the logged user can manage (or view) the customized file.
     * @param manage Flag to indicate if manage or view check is required.
     * @param customizedFile
     * @return
     */
    private boolean can(final boolean manage, final CustomizedFile customizedFile) {
        final Group group = fetchService.fetch(customizedFile.getGroup());
        GroupFilter groupFilter = fetchService.fetch(customizedFile.getGroupFilter());
        if (group != null) { // Group's customized file
            return canViewOrManageInGroup(group);
        } else if (groupFilter != null) { // Group filter's customized file
            return canViewOrManageInGroupFilters();
        } else { // System wide customized file
            if (manage) {
                return customizedFileService.canManageSystemCustomizedFiles();
            } else {
                return customizedFileService.canViewSystemCustomizedFiles();
            }
        }
    }

    /**
     * Returns true if the logged user can manage the customized file.
     * @param customizedFile
     * @return
     */
    private boolean canManage(final CustomizedFile customizedFile) {
        return can(true, customizedFile);
    }

    /**
     * Returns true if the logged user can view the customized file.
     * @param customizedFile
     * @return
     */
    private boolean canView(final CustomizedFile customizedFile) {
        return can(false, customizedFile);
    }

}