Source code

001/**
002 * Copyright 2005-2018 The Kuali Foundation
003 *
004 * Licensed under the Educational Community License, Version 2.0 (the "License");
005 * you may not use this file except in compliance with the License.
006 * You may obtain a copy of the License at
007 *
008 * http://www.opensource.org/licenses/ecl2.php
009 *
010 * Unless required by applicable law or agreed to in writing, software
011 * distributed under the License is distributed on an "AS IS" BASIS,
012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013 * See the License for the specific language governing permissions and
014 * limitations under the License.
015 */
016package org.kuali.rice.krad.uif.view;
017
018import org.kuali.rice.kim.api.identity.Person;
019import org.kuali.rice.krad.uif.container.CollectionGroup;
020import org.kuali.rice.krad.uif.container.Group;
021import org.kuali.rice.krad.uif.element.Action;
022import org.kuali.rice.krad.uif.field.DataField;
023import org.kuali.rice.krad.uif.field.Field;
024import org.kuali.rice.krad.uif.widget.Widget;
025
026import java.util.Set;
027
028/**
029 * Performs user based authorization for actions and components contained in a {@link View}
030 *
031 * <p>
032 * Note only user authorization is done by the authorizer class. For non-user based logic, use the
033 * {@link ViewPresentationController}
034 * </p>
035 *
036 * @author Kuali Rice Team (rice.collab@kuali.org)
037 */
038public interface ViewAuthorizer {
039
040    /**
041     * Returns the set of action flags that are authorized for the given user
042     *
043     * <p>
044     * Action flags are created for views to indicate some action or feature should be enabled. These flags can be
045     * used within expressions for configuring the view content.
046     *
047     * For example:
048     * <bean parent="Action" p:methodToCall="save" p:actionLabel="save"
049     * p:render="@{#actionFlags[#Constants.KUALI_ACTION_CAN_SAVE]}"/>
050     * </p>
051     *
052     * <p>
053     * For each action flag, KIM is consulted to determine if a permission exist for the template associated with
054     * the action flag. If so, a check is then made to determine if the user has that permission. If the permission
055     * fails for the user, the action flag is removed from the returned set.
056     * </p>
057     *
058     * <p>
059     * The Set of available action flags should first be exported by the
060     * {@link ViewPresentationController#getActionFlags(View, org.kuali.rice.krad.web.form.UifFormBase)} method. The
061     * set returned from this method will be passed as the method argument here by the framework.
062     * </p>
063     *
064     * @param view - view instance the action flags apply to
065     * @param model - object containing the view data
066     * @param user - user we are authorizing the actions for
067     * @param actions - set of action flags to authorize
068     * @return Set<String> set of action flags that have been authorized, this will be equal to or a subset of the
069     *         actions passed in
070     */
071    public Set<String> getActionFlags(View view, ViewModel model, Person user, Set<String> actions);
072
073    /**
074     * Returns the set of edit modes that are authorized for the given user
075     *
076     * <p>
077     * An edit mode is a string that identifies a set of editable fields within the view. These are generally used
078     * when the entire view is not editable, but only certain fields. A field can be associated with an edit mode in
079     * two ways. The first is by using the edit mode in an expression when setting the field readOnly property.
080     *
081     * For example:
082     * <property name="readOnly" value="@{!#editModes['specialEdit'] and !fullEdit}" />
083     *
084     * The second way is with the
085     * {@link ViewPresentationController#canEditField(View, ViewModel, org.kuali.rice.krad.uif.field.Field, String)}
086     * method which can look at the edit modes map on the view to determine if the given field should be editable.
087     * </p>
088     *
089     * <p>
090     * For each edit mode, KIM is consulted to determine if a permission exist for the 'Use View' template and
091     * the edit mode detail. If so, a check is then made to determine if the user has that permission. If the
092     * permission
093     * fails for the user, the edit mode is removed from the returned set.
094     * </p>
095     *
096     * <p>
097     * The Set of available edit modes should first be exported by the
098     * {@link ViewPresentationController#getEditModes(View, org.kuali.rice.krad.web.form.UifFormBase)} method. The
099     * set returned from this method will be passed as the method argument here by the framework.
100     * </p>
101     *
102     * @param view - view instance the edit modes apply to
103     * @param model - object containing the view data
104     * @param user - user we are authorizing the actions for
105     * @param editModes - set of edit modes to authorize
106     * @return Set<String> set of edit modes that have been authorized, this will be equal to or a subset of the
107     *         edit mode set passed in
108     */
109    public Set<String> getEditModes(View view, ViewModel model, Person user, Set<String> editModes);
110
111    /**
112     * Determines if the given user is authorized to open the given view
113     *
114     * @param view - view instance to check authorization for
115     * @param model - object containing the view data
116     * @param user - user to authorize
117     * @return boolean true if the user is authorized to open the view, false otherwise
118     */
119    public boolean canOpenView(View view, ViewModel model, Person user);
120
121    /**
122     * Determines if the given user is authorized to edit the given view
123     *
124     * @param view - view instance to check authorization for
125     * @param model - object containing the view data
126     * @param user - user to authorize
127     * @return boolean true if the user is authorized to edit the view, false otherwise
128     */
129    public boolean canEditView(View view, ViewModel model, Person user);
130
131    /**
132     * Checks whether the mask authorization exists for the given property and if so whether the given user has the
133     * ability to unmask the value
134     *
135     * @param view - view instance the field belongs to
136     * @param model - object containing the view data
137     * @param field - field associated for the property and from which the
138     * {@link org.kuali.rice.krad.uif.component.ComponentSecurity} will be retrieved
139     * @param propertyName - name of the property associated with the field
140     * @param user - user we are authorizing
141     * @return boolean true if the value can be unmasked, false if it should be masked
142     */
143    public boolean canUnmaskField(View view, ViewModel model, DataField field, String propertyName, Person user);
144
145    /**
146     * Checks whether the partial mask authorization exists for the given property and if so whether the given user
147     * has the ability to unmask the value
148     *
149     * @param view - view instance the field belongs to
150     * @param model - object containing the view data
151     * @param field - field associated for the property and from which the
152     * {@link org.kuali.rice.krad.uif.component.ComponentSecurity} will be retrieved
153     * @param propertyName - name of the property associated with the field
154     * @param user - user we are authorizing
155     * @return boolean true if the value can be unmasked, false if it should be partially masked
156     */
157    public boolean canPartialUnmaskField(View view, ViewModel model, DataField field, String propertyName, Person user);
158
159    public boolean canEditField(View view, ViewModel model, Field field, String propertyName, Person user);
160
161    public boolean canViewField(View view, ViewModel model, Field field, String propertyName, Person user);
162
163    public boolean canEditGroup(View view, ViewModel model, Group group, String groupId, Person user);
164
165    public boolean canViewGroup(View view, ViewModel model, Group group, String groupId, Person user);
166
167    public boolean canEditWidget(View view, ViewModel model, Widget widget, String widgetId, Person user);
168
169    public boolean canViewWidget(View view, ViewModel model, Widget widget, String widgetId, Person user);
170
171    public boolean canPerformAction(View view, ViewModel model, Action action, String actionEvent,
172            String actionId, Person user);
173
174    public boolean canEditLine(View view, ViewModel model, CollectionGroup collectionGroup,
175            String collectionPropertyName, Object line, Person user);
176
177    public boolean canViewLine(View view, ViewModel model, CollectionGroup collectionGroup,
178            String collectionPropertyName, Object line, Person user);
179
180    public boolean canEditLineField(View view, ViewModel model, CollectionGroup collectionGroup,
181            String collectionPropertyName, Object line, Field field, String propertyName, Person user);
182
183    public boolean canViewLineField(View view, ViewModel model, CollectionGroup collectionGroup,
184            String collectionPropertyName, Object line, Field field, String propertyName, Person user);
185
186    public boolean canPerformLineAction(View view, ViewModel model, CollectionGroup collectionGroup,
187            String collectionPropertyName, Object line, Action action, String actionEvent, String actionId,
188            Person user);
189
190    void setRequestAuthorizationCache(RequestAuthorizationCache requestAuthorizationCache);
191
192}