ProjectPermitsFilter.java

/*******************************************************************************
 * Copyright (c) 2010-2014 SAP AG and others.
 * All rights reserved. This program and the accompanying materials
 * are made available under the terms of the Eclipse Public License v1.0
 * which accompanies this distribution, and is available at
 * http://www.eclipse.org/legal/epl-v10.html
 *
 * Contributors:
 *     SAP AG - initial API and implementation
 *******************************************************************************/
package org.eclipse.skalli.view.internal.filter;

import java.io.IOException;
import java.security.AccessControlException;
import java.text.MessageFormat;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.commons.lang.BooleanUtils;
import org.apache.commons.lang.StringUtils;
import org.eclipse.skalli.model.Project;
import org.eclipse.skalli.services.permit.Permit;
import org.eclipse.skalli.services.permit.Permits;
import org.eclipse.skalli.view.Consts;

/**
 * Filter that checks project related permits, e.g. that only project members or users with explicit PUT permit
 * are allowed to edit a project.
 * <p>
 * This filter reads the following attributes:
 * <ul>
 * <li>"{@value Consts#ATTRIBUTE_USERID}" - the identifier of the logged in user; if not defined: anonymous user.</li>
 * <li>"{@value Consts#ATTRIBUTE_PROJECT}" - the project, or <code>null</code> in case the project is to be created.</li>
 * </ul>
 * Furthermore, it reads the "{@value Consts#PARAM_ACTION}" query parameter.
 * <p>
 * This filter sets the following attributes:
 * <ul>
 * <li>"{@value Consts#ATTRIBUTE_PROJECTADMIN}" - <code>true</code>, if the logged in user is project administrator,
 * <code>false</code> otherwise.</li>
 * </ul>
 */
public class ProjectPermitsFilter implements Filter {

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {

        HttpServletRequest httpRequest = (HttpServletRequest) request;

        // retrieve userId and project instance from previous filters in chain
        String userId = (String) request.getAttribute(Consts.ATTRIBUTE_USERID);
        Project project = (Project) request.getAttribute(Consts.ATTRIBUTE_PROJECT);
        boolean isAnonymousUser = BooleanUtils.toBoolean((Boolean)request.getAttribute(Consts.ATTRIBUTE_ANONYMOUS_USER));
        boolean isProjectAdmin = BooleanUtils.toBoolean((Boolean)request.getAttribute(Consts.ATTRIBUTE_PROJECTADMIN));

        String servletPath = httpRequest.getServletPath();
        String pathInfo = httpRequest.getPathInfo();

        if (servletPath.startsWith(Consts.URL_PROJECTS)) {
            // handle access to project detail page
            if (project != null && !Permits.hasProjectPermit(Permit.ALLOW, Permit.ACTION_GET, project)) {
                AccessControlException e = new AccessControlException(MessageFormat.format(
                        "User ''{0}'' is not authorized to view project ''{1}''", userId,
                        project.getProjectId()));
                FilterUtil.handleACException(httpRequest, response, e);
                return;
            }
            // handle URL starting with /projects
            String actionValue = request.getParameter(Consts.PARAM_ACTION);
            if (project != null && Consts.PARAM_VALUE_EDIT.equals(actionValue)) {
                // handle /projects/{projectId}?action=edit
                if (!isProjectAdmin) {
                    AccessControlException e = new AccessControlException(MessageFormat.format(
                            "User ''{0}'' is not authorized to edit project ''{1}''", userId,
                            project.getProjectId()));
                    FilterUtil.handleACException(httpRequest, response, e);
                    return;
                }
            } else if (project == null && StringUtils.isNotBlank(pathInfo)) {
                // handle /projects/{projectId} with unknown projectId => project creation dialog
                if (isAnonymousUser) {
                    AccessControlException e = new AccessControlException(
                            "Anonymous users are not authorized to create new projects");
                    FilterUtil.handleACException(httpRequest, response, e);
                    return;
                }
            }
        } else {
            // handle all other URLs not starting with /projects
            if (isAnonymousUser) {
                AccessControlException e = new AccessControlException(
                        "Anonymous users are not authorized to view this page");
                FilterUtil.handleACException(request, response, e);
                return;
            }
            if (StringUtils.isNotBlank(pathInfo)) {
                if (project == null) {
                    FilterException e = new FilterException(MessageFormat.format(
                            "No project instance available although servlet path is {0}.",
                            servletPath));
                    FilterUtil.handleException(request, response, e);
                    return;
                } else if (!isProjectAdmin) {
                    AccessControlException e = new AccessControlException(
                            "User is not authorized to view this page");
                    FilterUtil.handleACException(request, response, e);
                    return;
                }
            }
        }

        // proceed along the chain
        chain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig arg0) throws ServletException {
    }

}