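/**
 * Copyright 2005-2018 The Kuali Foundation
 *
 * Licensed under the Educational Community License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.opensource.org/licenses/ecl2.php
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.kuali.rice.krad.inquiry;

import org.kuali.rice.kim.api.KimConstants;
import org.kuali.rice.kim.api.identity.Person;
import org.kuali.rice.krad.uif.view.View;
import org.kuali.rice.krad.uif.view.ViewAuthorizerBase;
import org.kuali.rice.krad.uif.view.ViewModel;
import org.kuali.rice.krad.util.GlobalVariables;
import org.kuali.rice.krad.util.KRADConstants;
import org.kuali.rice.krad.web.form.InquiryForm;

/**
 * Implementation of {@link org.kuali.rice.krad.uif.view.ViewAuthorizer} for
 * {@link org.kuali.rice.krad.uif.view.InquiryView} instances
 *
 * @author Kuali Rice Team (rice.collab@kuali.org)
 */
public class InquiryViewAuthorizerBase extends ViewAuthorizerBase {
    private static final long serialVersionUID = 5853518191618440332L;

    /**
     * Augments the base Open View check with an additional check against the KR-NS / Inquire Into Records
     * permission template.
     *
     * <p>Access is denied if the user is rejected by <em>either</em> the base Open View check or the
     * Inquire Into Records check. The second check is only enforced when the model is an
     * {@link InquiryForm} carrying a non-null data object <em>and</em> a permission for that data object
     * exists under the template. When no such permission exists the result of the view check stands, so
     * a data object without an Inquire Into Records permission is readable by anyone who can open the
     * view.</p>
     *
     * <p>Both checks are evaluated for the same principal: the {@code user} argument. The session
     * principal is consulted only when no user was supplied.</p>
     *
     * @param view the view being opened
     * @param model the form backing the view; the inquiry check applies only to {@link InquiryForm}
     * @param user the person the decision is made for
     * @return {@code false} if either check denies access, {@code true} otherwise
     * @see org.kuali.rice.krad.uif.view.ViewAuthorizerBase#canOpenView(org.kuali.rice.krad.uif.view.View, org.kuali.rice.krad.uif.view.ViewModel, org.kuali.rice.kim.api.identity.Person)
     */
    @Override
    public boolean canOpenView(View view, ViewModel model, Person user) {
        // A denial from the view-level (view ID) check is final; nothing below can widen access.
        if (!super.canOpenView(view, model, user)) {
            return false;
        }

        // The inquiry permission is keyed on the data object, so there is nothing further to check
        // for other model types or for a form that carries no data object.
        if (!(model instanceof InquiryForm)) {
            return true;
        }
        InquiryForm inquiryForm = (InquiryForm) model;
        if (inquiryForm.getDataObject() == null) {
            return true;
        }

        // Only block when a permission that handles this data object exists at some level.
        if (!permissionExistsByTemplate(inquiryForm.getDataObject(),
                KRADConstants.KNS_NAMESPACE,
                KimConstants.PermissionTemplateNames.INQUIRE_INTO_RECORDS)) {
            return true;
        }

        // Decide for the principal the view check above was evaluated for. Reading the principal
        // from the session here would let the two checks disagree about whose access is being
        // decided whenever the caller passes a user other than the session user. The session is
        // kept as a fallback only for callers that pass no user.
        String principalId = (user != null)
                ? user.getPrincipalId()
                : GlobalVariables.getUserSession().getPrincipalId();

        return isAuthorizedByTemplate(inquiryForm.getDataObject(),
                KRADConstants.KNS_NAMESPACE,
                KimConstants.PermissionTemplateNames.INQUIRE_INTO_RECORDS,
                principalId);
    }
}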