
dhis2-devs team mailing list archive

[Branch ~dhis2-devs-core/dhis2/trunk] Rev 19514: add method for checking if current user have access to any of a given list of authorities (+ ALL)...

 

------------------------------------------------------------
revno: 19514
committer: Morten Olav Hansen <mortenoh@xxxxxxxxx>
branch nick: dhis2
timestamp: Thu 2015-06-25 10:11:32 +0700
message:
  add method for checking if current user have access to any of a given list of authorities (+ ALL) to SecurityService, used when exposed as  in struts actions
modified:
  dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java
  dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/SecurityService.java


--
lp:dhis2
https://code.launchpad.net/~dhis2-devs-core/dhis2/trunk

=== modified file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java	2015-05-28 18:00:11 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java	2015-06-25 03:11:32 +0000
@@ -28,15 +28,6 @@
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-import java.util.Arrays;
-import java.util.Date;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Locale;
-import java.util.Map;
-import java.util.Set;
-import java.util.regex.Pattern;
-
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.hisp.dhis.acl.AclService;
@@ -60,6 +51,15 @@
 import org.joda.time.DateTime;
 import org.springframework.beans.factory.annotation.Autowired;
 
+import java.util.Arrays;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Set;
+import java.util.regex.Pattern;
+
 /**
  * @author Lars Helge Overland
  */
@@ -119,7 +119,7 @@
 
     @Autowired
     private CurrentUserService currentUserService;
-    
+
     @Autowired
     private UserSettingService userSettingService;
 
@@ -154,7 +154,7 @@
 
         return true;
     }
-    
+
     @Override
     public String validateRestore( UserCredentials credentials )
     {
@@ -192,16 +192,16 @@
             log.warn( "Could not send invite message as user does is null" );
             return "no_user_credentials";
         }
-        
+
         if ( credentials.getUsername() != null && userService.getUserCredentialsByUsername( credentials.getUsername() ) != null )
         {
             log.warn( "Could not send invite message as username is already taken: " + credentials );
             return "username_taken";
         }
-        
+
         return validateRestore( credentials );
     }
-    
+
     @Override
     public boolean sendRestoreMessage( UserCredentials credentials, String rootPath, RestoreOptions restoreOptions )
     {
@@ -214,7 +214,7 @@
         {
             return false;
         }
-        
+
         RestoreType restoreType = restoreOptions.getRestoreType();
 
         String applicationTitle = (String) systemSettingManager.getSystemSetting( SystemSettingManager.KEY_APPLICATION_TITLE );
@@ -240,7 +240,7 @@
         Locale locale = (Locale) userSettingService.getUserSettingValue( user, UserSettingService.KEY_UI_LOCALE, LocaleManager.DHIS_STANDARD_LOCALE );
 
         I18n i18n = i18nManager.getI18n( locale );
-        vars.put( "i18n" , i18n );
+        vars.put( "i18n", i18n );
 
         rootPath = rootPath.replace( "http://";, "" ).replace( "https://";, "" );
 
@@ -251,10 +251,10 @@
         VelocityManager vm = new VelocityManager();
 
         String text1 = vm.render( vars, restoreType.getEmailTemplate() + "1" ),
-               text2 = vm.render( vars, restoreType.getEmailTemplate() + "2" );
+            text2 = vm.render( vars, restoreType.getEmailTemplate() + "2" );
 
         String subject1 = i18n.getString( restoreType.getEmailSubject() ) + " " + rootPath + " (" + i18n.getString( "message" ).toLowerCase() + " 1 / 2)",
-               subject2 = i18n.getString( restoreType.getEmailSubject() ) + " " + rootPath + " (" + i18n.getString( "message" ).toLowerCase() + " 2 / 2)";
+            subject2 = i18n.getString( restoreType.getEmailSubject() ) + " " + rootPath + " (" + i18n.getString( "message" ).toLowerCase() + " 2 / 2)";
 
         // -------------------------------------------------------------------------
         // Send emails
@@ -285,7 +285,7 @@
 
         userService.updateUserCredentials( credentials );
 
-        return new String[] { token, code };
+        return new String[]{ token, code };
     }
 
     @Override
@@ -335,9 +335,10 @@
      * Verifies all parameters needed for account restore and checks validity of the
      * user supplied token and code. If the restore cannot be verified a descriptive
      * error string is returned.
+     *
      * @param credentials the user credentials.
-     * @param token the user supplied token.
-     * @param code the user supplied code.
+     * @param token       the user supplied token.
+     * @param code        the user supplied code.
      * @param restoreType the restore type.
      * @return null if restore is valid, a descriptive error string otherwise.
      */
@@ -378,15 +379,16 @@
     /**
      * Verifies a user supplied restore code against the stored restore code.
      * If the code cannot be verified a descriptive error string is returned.
+     *
      * @param credentials the user credentials.
-     * @param code the user supplied code.
+     * @param code        the user supplied code.
      * @return null on success, a descriptive error string otherwise.
      */
     private String verifyRestoreCode( UserCredentials credentials, String code )
     {
         String restoreCode = credentials.getRestoreCode();
 
-        if( code == null )
+        if ( code == null )
         {
             return "code_parameter_is_null";
         }
@@ -398,26 +400,26 @@
 
         boolean validCode = passwordManager.legacyOrCurrentMatches( code, restoreCode, credentials.getUsername() );
 
-        return validCode ? null : "code_does_not_match_restoreCode - code: '"+ code + "' restoreCode: '" + restoreCode + "'" ;
+        return validCode ? null : "code_does_not_match_restoreCode - code: '" + code + "' restoreCode: '" + restoreCode + "'";
     }
 
     /**
      * Verify the token given for a user invite or password restore operation.
-     * <p>
+     * <p/>
      * If error, returns one of the following strings:
-     *
+     * <p/>
      * <ul>
-     *     <li>credentials_parameter_is_null</li>
-     *     <li>token_parameter_is_null</li>
-     *     <li>restore_type_parameter_is_null</li>
-     *     <li>cannot_parse_restore_options</li>
-     *     <li>wrong_prefix_for_restore_type</li>
-     *     <li>could_not_verify_token</li>
-     *     <li>restore_token_does_not_match_supplied_token</li>
+     * <li>credentials_parameter_is_null</li>
+     * <li>token_parameter_is_null</li>
+     * <li>restore_type_parameter_is_null</li>
+     * <li>cannot_parse_restore_options</li>
+     * <li>wrong_prefix_for_restore_type</li>
+     * <li>could_not_verify_token</li>
+     * <li>restore_token_does_not_match_supplied_token</li>
      * </ul>
      *
      * @param credentials the user credentials.
-     * @param token the token.
+     * @param token       the token.
      * @param restoreType type of restore operation.
      * @return null if success, otherwise error string.
      */
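Review bot: The failure string returned at the end of verifyRestoreCode embeds both the user-supplied `code` and `credentials.getRestoreCode()`, and this commit only re-spaces that line, so both values still reach whatever logs or displays the error. The stored value is presumably a hash, since it is compared through `passwordManager.legacyOrCurrentMatches`, and a hash of a short restore code in a log or response body is enough for offline guessing. Returning a fixed identifier would match the other error strings: `return validCode ? null : "code_does_not_match_restoreCode";`. The method starts in the preceding hunk and its callers are not visible here, so where the string ends up should be confirmed.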
@@ -470,7 +472,7 @@
         {
             return true;
         }
-        
+
         return INVITE_USERNAME_PATTERN.matcher( username ).matches();
     }
 
@@ -501,8 +503,8 @@
     public boolean canView( String type )
     {
         boolean requireAddToView = (Boolean) systemSettingManager.getSystemSetting( SystemSettingManager.KEY_REQUIRE_ADD_TO_VIEW, false );
-        
-        return !requireAddToView || ( canCreatePrivate( type ) || canCreatePublic( type ) );
+
+        return !requireAddToView || (canCreatePrivate( type ) || canCreatePublic( type ));
     }
 
     @Override
@@ -548,4 +550,25 @@
         return !aclService.isShareable( identifiableObject.getClass() )
             || aclService.canManage( currentUserService.getCurrentUser(), identifiableObject );
     }
+
+    @Override
+    public boolean hasAnyAuthority( String... authorities )
+    {
+        UserCredentials userCredentials = currentUserService.getCurrentUser().getUserCredentials();
+
+        if ( userCredentials.isAuthorized( "ALL" ) )
+        {
+            return true;
+        }
+
+        for ( String authority : authorities )
+        {
+            if ( userCredentials.isAuthorized( authority ) )
+            {
+                return true;
+            }
+        }
+
+        return false;
+    }
 }
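Review bot: hasAnyAuthority dereferences `currentUserService.getCurrentUser().getUserCredentials()` without a null check, so if no user is bound to the request the authorization query ends in a NullPointerException instead of a denial (whether getCurrentUser() can return null is not visible in this hunk). Since the commit message says the method is exposed to struts actions, it is safer to fail closed: `User user = currentUserService.getCurrentUser();` followed by `if ( user == null || user.getUserCredentials() == null ) { return false; }`. A null `authorities` array would likewise throw in the for loop. The literal `"ALL"` would be easier to audit as a shared named constant, if the codebase already defines one, so that every superuser bypass can be found with a single search.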

=== modified file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/SecurityService.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/SecurityService.java	2015-03-18 18:51:30 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/SecurityService.java	2015-06-25 03:11:32 +0000
@@ -45,32 +45,32 @@
      * @return true if the invitation was sent, otherwise false.
      */
     boolean prepareUserForInvite( User user );
-    
+
     /**
      * Indicates whether a restore/invite is allowed for the given user. The
      * requirements are:</p>
-     * 
+     * <p/>
      * <ul>
      * <li>email_not_configured_for_system</li>
      * <li>no_user_credentials</li>
      * <li>user_does_not_have_valid_email</li>
      * <li>user_has_critical_authorities</li>
      * </ul>
-     * 
+     *
      * @param credentials the user credentials.
      * @return a string if restore cannot be performed, null otherwise.
      */
     String validateRestore( UserCredentials credentials );
-    
+
     /**
      * Indicates whether an invite is allowed for the given user. Delegates to
      * validateRestore( UserCredentials ). The requirements are.
-     * 
+     * <p/>
      * <ul>
      * <li>no_user_credentials</li>
      * <li>username_taken</li>
      * </ul>
-     * 
+     *
      * @param credentials the user credentials.
      * @return a string if invite cannot be performed, null otherwise.
      */
@@ -79,16 +79,16 @@
     /**
      * Invokes the initRestore method and dispatches email messages with
      * restore information to the user.
-     * <p>
+     * <p/>
      * In the case of inviting a user to finish setting up an account,
      * the user account must already be configured with the profile desired
      * for the user (e.g., locale, organisation unit(s), role(s), etc.)
      *
-     * @param credentials the credentials for the user to send restore message.
-     * @param rootPath the root path of the request.
+     * @param credentials    the credentials for the user to send restore message.
+     * @param rootPath       the root path of the request.
      * @param restoreOptions restore options, including type of restore.
      * @return false if any of the arguments are null or if the user credentials
-     *         identified by the user name does not exist, true otherwise.
+     * identified by the user name does not exist, true otherwise.
      */
     boolean sendRestoreMessage( UserCredentials credentials, String rootPath, RestoreOptions restoreOptions );
 
@@ -98,10 +98,10 @@
      * restoreExpiry property with a date time some interval from now depending
      * on the restore type. Changes are persisted.
      *
-     * @param credentials the user credentials.
+     * @param credentials    the user credentials.
      * @param restoreOptions restore options, including type of restore.
      * @return an array where index 0 is the clear-text token and index 1 the
-     *         clear-text code.
+     * clear-text code.
      */
     String[] initRestore( UserCredentials credentials, RestoreOptions restoreOptions );
 
@@ -121,8 +121,8 @@
      * the expiry date time of the credentials.
      *
      * @param credentials the user credentials.
-     * @param token the token.
-     * @param code the code.
+     * @param token       the token.
+     * @param code        the code.
      * @param newPassword the proposed new password.
      * @param restoreType type of restore operation (e.g. pw recovery, invite).
      * @return true or false.
@@ -136,8 +136,8 @@
      * the credentials.
      *
      * @param credentials the user credentials.
-     * @param token the token.
-     * @param code the code.
+     * @param token       the token.
+     * @param code        the code.
      * @param restoreType type of restore operation (e.g. pw recovery, invite).
      * @return true or false.
      */
@@ -149,10 +149,10 @@
      * user credentials identified by the given user name.
      *
      * @param credentials the user credentials.
-     * @param token the token.
+     * @param token       the token.
      * @return error message if any of the arguments are null or if the user
-     *         credentials identified by the user name does not exist, null if
-     *         the arguments are valid.
+     * credentials identified by the user name does not exist, null if
+     * the arguments are valid.
      */
     String verifyToken( UserCredentials credentials, String token, RestoreType restoreType );
 
@@ -160,12 +160,12 @@
      * Indicates whether the given username is an invite. The username is
      * considered an invite if it is null or matches the invite username pattern
      * of invite-<email>-<uid>.
-     * 
+     *
      * @param username the username.
      * @return true if the username represents an account invitation.
      */
     boolean isInviteUsername( String username );
-    
+
     /**
      * Checks whether current user has read access to object.
      *
@@ -246,4 +246,6 @@
      * @return true of false depending on outcome of manage check
      */
     boolean canManage( IdentifiableObject identifiableObject );
+
+    boolean hasAnyAuthority( String... authorities );
 }
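Review bot: `hasAnyAuthority` is added without Javadoc, while the other methods visible in this interface are documented. Its contract has a rule a caller cannot guess from the signature: the implementation in DefaultSecurityService returns true for any user holding `ALL`, whatever list is passed, including an empty one. I would add a Javadoc saying that it checks the current user and that `ALL` always satisfies it, with `@param authorities the authorities to check for.` and `@return true if the current user has the ALL authority or at least one of the given authorities, false otherwise.`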