/********************************************************************************** * * $Id: AuthzSakai2Impl.java 105077 2012-02-24 22:54:29Z ottenhoff@longsight.com $ * *********************************************************************************** * * Copyright (c) 2005, 2006, 2008 The Sakai Foundation, The MIT Corporation * * Licensed under the Educational Community License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.opensource.org/licenses/ECL-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * **********************************************************************************/ package org.sakaiproject.tool.gradebook.facades.sakai2impl; import java.util.Collection; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.sakaiproject.authz.cover.FunctionManager; import org.sakaiproject.authz.cover.SecurityService; import org.sakaiproject.site.cover.SiteService; import org.sakaiproject.section.api.facade.Role; import org.sakaiproject.tool.gradebook.facades.Authz; import org.sakaiproject.tool.gradebook.facades.sections.AuthzSectionsImpl; import org.sakaiproject.user.api.User; import org.sakaiproject.user.api.UserNotDefinedException; import org.sakaiproject.user.cover.UserDirectoryService; /** * An implementation of Gradebook-specific authorization needs based * on a combination of fine-grained site-scoped Sakai permissions and the * shared Section Awareness API. This is a transtional stage between * coarse-grained site-and-role-based authz and our hoped-for fine-grained * role-determined group-scoped authz. 
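*/
public class AuthzSakai2Impl extends AuthzSectionsImpl implements Authz {
    private static final Log log = LogFactory.getLog(AuthzSakai2Impl.class);

    /** Site-scoped Sakai function consulted by {@link #isUserAbleToGradeAll(String)} and {@link #isUserAbleToGrade(String)}. */
    public static final String PERMISSION_GRADE_ALL = "gradebook.gradeAll";
    /** Site-scoped Sakai function consulted by {@link #isUserAbleToGrade(String)} only. */
    public static final String PERMISSION_GRADE_SECTION = "gradebook.gradeSection";
    /** Site-scoped Sakai function consulted by {@link #isUserAbleToEditAssessments(String)}. */
    public static final String PERMISSION_EDIT_ASSIGNMENTS = "gradebook.editAssignments";
    /** Site-scoped Sakai function consulted by {@link #isUserAbleToViewOwnGrades(String)}. */
    public static final String PERMISSION_VIEW_OWN_GRADES = "gradebook.viewOwnGrades";

    /**
     * Every function this facade checks, in registration order. {@link #init()} registers
     * each one with the FunctionManager unless it is already known.
     */
    private static final String[] GRADEBOOK_FUNCTIONS = {
        PERMISSION_GRADE_ALL,
        PERMISSION_GRADE_SECTION,
        PERMISSION_EDIT_ASSIGNMENTS,
        PERMISSION_VIEW_OWN_GRADES
    };

    /**
     * Perform authorization-specific framework initializations for the Gradebook.
     * Registers each gradebook function with the Sakai FunctionManager so that it can
     * be granted to roles; functions already present among the registered functions
     * with the "gradebook" prefix are left alone.
     */
    public void init() {
        // Only contains(Object) is needed, so a wildcard element type avoids the raw type
        // without assuming what element type the cover API declares.
        Collection<?> registered = FunctionManager.getInstance().getRegisteredFunctions("gradebook");
        for (String function : GRADEBOOK_FUNCTIONS) {
            if (!registered.contains(function)) {
                FunctionManager.registerFunction(function);
            }
        }
    }

    /**
     * Whether the current user may grade in the given gradebook, either site-wide
     * ({@link #PERMISSION_GRADE_ALL}) or per section ({@link #PERMISSION_GRADE_SECTION}).
     *
     * @param gradebookUid gradebook UID, used as the site id for the permission check
     * @return {@code true} if the current user holds either grading function on the site
     */
    public boolean isUserAbleToGrade(String gradebookUid) {
        return hasPermission(gradebookUid, PERMISSION_GRADE_ALL)
            || hasPermission(gradebookUid, PERMISSION_GRADE_SECTION);
    }

    /**
     * Same check as {@link #isUserAbleToGrade(String)}, but for an explicit user rather
     * than the current session's user.
     *
     * @param gradebookUid gradebook UID, used as the site id for the permission check
     * @param userUid id of the user to check
     * @return {@code true} if the user holds either grading function; {@code false} when
     *         the user cannot be resolved (the failed lookup is logged and treated as a denial)
     */
    public boolean isUserAbleToGrade(String gradebookUid, String userUid) {
        User user = resolveUser(userUid);
        return user != null
            && (hasPermission(user, gradebookUid, PERMISSION_GRADE_ALL)
                || hasPermission(user, gradebookUid, PERMISSION_GRADE_SECTION));
    }

    /**
     * Whether the current user may grade every student in the given gradebook.
     *
     * @param gradebookUid gradebook UID, used as the site id for the permission check
     * @return {@code true} if the current user holds {@link #PERMISSION_GRADE_ALL} on the site
     */
    public boolean isUserAbleToGradeAll(String gradebookUid) {
        return hasPermission(gradebookUid, PERMISSION_GRADE_ALL);
    }

    /**
     * Same check as {@link #isUserAbleToGradeAll(String)}, but for an explicit user.
     *
     * @param gradebookUid gradebook UID, used as the site id for the permission check
     * @param userUid id of the user to check
     * @return {@code true} if the user holds {@link #PERMISSION_GRADE_ALL}; {@code false}
     *         when the user cannot be resolved (logged, treated as a denial)
     */
    public boolean isUserAbleToGradeAll(String gradebookUid, String userUid) {
        User user = resolveUser(userUid);
        return user != null && hasPermission(user, gradebookUid, PERMISSION_GRADE_ALL);
    }

    /**
     * When group-scoped permissions are available, this is where they will go.
     * My current assumption is that the call will look like:
     *
     * return hasPermission(sectionUid, PERMISSION_GRADE_ALL);
     *
     * Until then this consults only the Section Awareness API: the current user must be a
     * member of the section in the {@code TA} role. {@link #PERMISSION_GRADE_ALL} is not
     * examined here, so a site-wide grader who is not a section TA gets {@code false}.
     *
     * @param sectionUid UID of the section
     * @return {@code true} if the current user is a TA member of the section
     */
    public boolean isUserAbleToGradeSection(String sectionUid) {
        return getSectionAwareness().isSectionMemberInRole(sectionUid, getAuthn().getUserUid(), Role.TA);
    }

    /**
     * Whether the current user may edit the gradebook's assignments.
     *
     * @param gradebookUid gradebook UID, used as the site id for the permission check
     * @return {@code true} if the current user holds {@link #PERMISSION_EDIT_ASSIGNMENTS} on the site
     */
    public boolean isUserAbleToEditAssessments(String gradebookUid) {
        return hasPermission(gradebookUid, PERMISSION_EDIT_ASSIGNMENTS);
    }

    /**
     * Whether the current user may view their own grades in the gradebook.
     *
     * @param gradebookUid gradebook UID, used as the site id for the permission check
     * @return {@code true} if the current user holds {@link #PERMISSION_VIEW_OWN_GRADES} on the site
     */
    public boolean isUserAbleToViewOwnGrades(String gradebookUid) {
        return hasPermission(gradebookUid, PERMISSION_VIEW_OWN_GRADES);
    }

    /**
     * Looks up a user by id, converting an unknown id into {@code null} so that callers
     * fail closed (deny) instead of propagating the checked exception.
     *
     * @param userUid id to resolve
     * @return the user, or {@code null} if the user directory does not know the id
     */
    private User resolveUser(String userUid) {
        try {
            return UserDirectoryService.getUser(userUid);
        } catch (UserNotDefinedException unde) {
            log.warn("User not found for userUid: " + userUid);
            return null;
        }
    }

    /**
     * Asks SecurityService whether the current user (as SecurityService determines it)
     * holds {@code permission} on the site whose id is {@code gradebookUid}.
     * NOTE(review): this treats the gradebook UID as the site id; confirm that the two
     * always coincide, otherwise the check is scoped to the wrong site.
     *
     * @param gradebookUid gradebook UID / site id
     * @param permission function name to check
     * @return the SecurityService decision
     */
    private boolean hasPermission(String gradebookUid, String permission) {
        return SecurityService.unlock(permission, SiteService.siteReference(gradebookUid));
    }

    /**
     * Asks SecurityService whether {@code user} holds {@code permission} on the site whose
     * id is {@code gradebookUid}. Same site-id assumption as {@link #hasPermission(String, String)}.
     *
     * @param user the user to check
     * @param gradebookUid gradebook UID / site id
     * @param permission function name to check
     * @return the SecurityService decision
     */
    private boolean hasPermission(User user, String gradebookUid, String permission) {
        return SecurityService.unlock(user, permission, SiteService.siteReference(gradebookUid));
    }
}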