CourseManagementAdministrationAuthzAdvisor.java

/**********************************************************************************
 * $URL: https://source.sakaiproject.org/svn/edu-services/trunk/cm-service/cm-impl/hibernate-impl/impl/src/java/org/sakaiproject/coursemanagement/impl/aop/CourseManagementAdministrationAuthzAdvisor.java $
 * $Id: CourseManagementAdministrationAuthzAdvisor.java 105077 2012-02-24 22:54:29Z ottenhoff@longsight.com $
 ***********************************************************************************
 *
 * Copyright (c) 2006, 2008 The Sakai Foundation
 *
 * Licensed under the Educational Community License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *       http://www.opensource.org/licenses/ECL-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 **********************************************************************************/
package org.sakaiproject.coursemanagement.impl.aop;

import java.lang.reflect.Method;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.sakaiproject.authz.api.SecurityService;
import org.sakaiproject.coursemanagement.impl.exception.PermissionException;
import org.springframework.aop.MethodBeforeAdvice;

public class CourseManagementAdministrationAuthzAdvisor implements MethodBeforeAdvice {
	private static final Log log = LogFactory.getLog(CourseManagementAdministrationAuthzAdvisor.class);
	
	SecurityService securityService;
	
	public void setSecurityService(SecurityService securityService) {
		this.securityService = securityService;
	}

	public void before(Method method, Object[] oa, Object obj) throws Throwable {
		if(log.isDebugEnabled()) log.debug("Checking authorization for CM Administration actions");

		// We can't check the standard site- or group- or resource-based authorization for modifying CM data,
		// since CM isn't scoped by sakai references.  So we allow only the super user.
		if(!securityService.isSuperUser()) {
			if(log.isDebugEnabled()) log.debug("Denying access to CM Administration on method " + method);
			throw new PermissionException("Only Sakai super-users (admins) can modify CM data");
		}

		if(log.isDebugEnabled()) log.debug("This user is permitted to use the CM Admin service");
	}
}