ScheduledPaymentServiceSecurity.java

/*
    This file is part of Cyclos (www.cyclos.org).
    A project of the Social Trade Organisation (www.socialtrade.org).

    Cyclos is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    Cyclos is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with Cyclos; if not, write to the Free Software
    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

 */
package nl.strohalm.cyclos.services.transactions;

import java.util.Collections;
import java.util.List;

import nl.strohalm.cyclos.access.AdminMemberPermission;
import nl.strohalm.cyclos.access.AdminSystemPermission;
import nl.strohalm.cyclos.access.BrokerPermission;
import nl.strohalm.cyclos.access.MemberPermission;
import nl.strohalm.cyclos.access.OperatorPermission;
import nl.strohalm.cyclos.entities.Relationship;
import nl.strohalm.cyclos.entities.accounts.Account;
import nl.strohalm.cyclos.entities.accounts.AccountOwner;
import nl.strohalm.cyclos.entities.accounts.AccountType;
import nl.strohalm.cyclos.entities.accounts.transactions.ScheduledPayment;
import nl.strohalm.cyclos.entities.accounts.transactions.ScheduledPaymentQuery;
import nl.strohalm.cyclos.entities.accounts.transactions.Transfer;
import nl.strohalm.cyclos.exceptions.PermissionDeniedException;
import nl.strohalm.cyclos.services.BaseServiceSecurity;
import nl.strohalm.cyclos.services.accounts.AccountDTO;
import nl.strohalm.cyclos.services.accounts.AccountServiceLocal;
import nl.strohalm.cyclos.utils.access.LoggedUser;
import nl.strohalm.cyclos.webservices.model.ScheduledPaymentVO;

/**
 * Security implementation for {@link ScheduledPaymentService}
 * 
 * @author jcomas
 */
public class ScheduledPaymentServiceSecurity extends BaseServiceSecurity implements ScheduledPaymentService {

    private ScheduledPaymentServiceLocal scheduledPaymentService;
    private PaymentServiceLocal          paymentService;
    private AccountServiceLocal          accountService;

    @Override
    public ScheduledPayment block(final ScheduledPayment scheduledPayment) {
        if (!canBlock(scheduledPayment)) {
            throw new PermissionDeniedException();
        }
        return scheduledPaymentService.block(scheduledPayment);
    }

    @Override
    public boolean canBlock(final ScheduledPayment scheduledPayment) {
        // Nothing to be checked, as only checks for an action for the logged user
        return scheduledPaymentService.canBlock(scheduledPayment);
    }

    @Override
    public boolean canCancel(final ScheduledPayment scheduledPayment) {
        // Nothing to be checked, as only checks for an action for the logged user
        return scheduledPaymentService.canCancel(scheduledPayment);
    }

    @Override
    public ScheduledPayment cancel(final ScheduledPayment scheduledPayment) {
        if (!canCancel(scheduledPayment)) {
            throw new PermissionDeniedException();
        }
        return scheduledPaymentService.cancel(scheduledPayment);
    }

    @Override
    public boolean canPayNow(final Transfer transfer) {
        // Nothing to check.
        return scheduledPaymentService.canPayNow(transfer);
    }

    @Override
    public boolean canUnblock(final ScheduledPayment scheduledPayment) {
        // Nothing to be checked, as only checks for an action for the logged user
        return scheduledPaymentService.canUnblock(scheduledPayment);
    }

    @Override
    public ScheduledPaymentVO getScheduledPaymentVO(final Long scheduledPaymentId) {
        ScheduledPayment scheduledPayment = load(scheduledPaymentId);
        checkView(scheduledPayment);
        return scheduledPaymentService.getScheduledPaymentVO(scheduledPaymentId);
    }

    @Override
    public ScheduledPayment load(final Long id, final Relationship... fetch) {
        ScheduledPayment scheduledPayment = scheduledPaymentService.load(id, fetch);

        checkView(scheduledPayment);
        return scheduledPayment;
    }

    @Override
    public Transfer processTransfer(final Transfer transfer) {
        if (!paymentService.canMakePayment(transfer.getFromOwner(), transfer.getToOwner(), transfer.getType())) {
            throw new PermissionDeniedException();
        }
        return scheduledPaymentService.processTransfer(transfer);
    }

    @Override
    public List<ScheduledPayment> search(final ScheduledPaymentQuery query) {
        if (!applyQueryRestrictions(query)) {
            return Collections.emptyList();
        }
        return scheduledPaymentService.search(query);
    }

    public void setAccountServiceLocal(final AccountServiceLocal accountService) {
        this.accountService = accountService;
    }

    public void setPaymentServiceLocal(final PaymentServiceLocal paymentService) {
        this.paymentService = paymentService;
    }

    public void setScheduledPaymentServiceLocal(final ScheduledPaymentServiceLocal scheduledPaymentService) {
        this.scheduledPaymentService = scheduledPaymentService;
    }

    @Override
    public ScheduledPayment unblock(final ScheduledPayment scheduledPayment) {
        if (!canUnblock(scheduledPayment)) {
            throw new PermissionDeniedException();
        }
        return scheduledPaymentService.unblock(scheduledPayment);
    }

    private boolean applyQueryRestrictions(final ScheduledPaymentQuery query) {

        if (!permissionService.permission().admin(AdminSystemPermission.ACCOUNTS_SCHEDULED_INFORMATION, AdminMemberPermission.ACCOUNTS_SCHEDULED_INFORMATION)
                .broker(BrokerPermission.ACCOUNTS_SCHEDULED_INFORMATION)
                .member(MemberPermission.ACCOUNT_SCHEDULED_INFORMATION)
                .operator(OperatorPermission.ACCOUNT_SCHEDULED_INFORMATION).hasPermission()) {
            return false;
        }

        if (!canAccessAccount(query.getOwner(), query.getAccountType())) {
            return false;
        }

        // Must only filter by a managed member
        if (query.getMember() != null) {
            if (LoggedUser.isAdministrator() || LoggedUser.isBroker()) {
                if (!permissionService.manages(query.getMember())) {
                    return false;
                }
            } else if ((LoggedUser.isMember() || LoggedUser.isOperator()) && !LoggedUser.member().equals(query.getOwner())) {
                return false;
            }
        }
        return true;
    }

    private boolean canAccessAccount(final AccountOwner owner, final AccountType type) {
        if (type == null && owner != null) {
            return accountService.canViewAccountsOf(owner);
        } else if (type != null && owner != null) {
            Account account = accountService.getAccount(new AccountDTO(owner, type));
            return accountService.canView(account);
        }
        return false;
    }

    private void checkView(final ScheduledPayment scheduledPayment) {
        permissionService.permission()
                .admin(AdminSystemPermission.ACCOUNTS_SCHEDULED_INFORMATION, AdminMemberPermission.ACCOUNTS_SCHEDULED_INFORMATION)
                .broker(BrokerPermission.ACCOUNTS_SCHEDULED_INFORMATION)
                .member(MemberPermission.ACCOUNT_SCHEDULED_INFORMATION)
                .operator(OperatorPermission.ACCOUNT_SCHEDULED_INFORMATION)
                .check();

        if (!paymentService.isVisible(scheduledPayment)) {
            throw new PermissionDeniedException();
        }
    }

}