@Override public boolean updateRolePermission(Role role, RolePermission rolePermission, RolePermission.Permission permission) { checkCallerAccess(); return role != null && rolePermissionsDao.update(role, rolePermission, permission); }
private void checkCallerAccess() { if (!isEnabled()) { throw new PermissionDeniedException("Dynamic api checker is not enabled, aborting role operation"); } Account caller = getCurrentAccount(); if (caller == null || caller.getRoleId() == null) { throw new PermissionDeniedException("Restricted API called by an invalid user account"); } Role callerRole = findRole(caller.getRoleId()); if (callerRole == null || callerRole.getRoleType() != RoleType.Admin) { throw new PermissionDeniedException("Restricted API called by an user account of non-Admin role type"); } }
/** * Removes roles of the given list that have the type '{@link RoleType#Admin}' if the user calling the method is not a 'root admin'. * The actual removal is executed via {@link #removeRootAdminRoles(List)}. Therefore, if the method is called by a 'root admin', we do nothing here. */ protected void removeRootAdminRolesIfNeeded(List<? extends Role> roles) { Account account = getCurrentAccount(); if (!accountManager.isRootAdmin(account.getId())) { removeRootAdminRoles(roles); } }
@Override public Role findRole(Long id) { if (id == null || id < 1L) { logger.trace(String.format("Role ID is invalid [%s]", id)); return null; } RoleVO role = roleDao.findById(id); if (role == null) { logger.trace(String.format("Role not found [id=%s]", id)); return null; } Account account = getCurrentAccount(); if (!accountManager.isRootAdmin(account.getId()) && RoleType.Admin == role.getRoleType()) { logger.debug(String.format("Role [id=%s, name=%s] is of 'Admin' type and is only visible to 'Root admins'.", id, role.getName())); return null; } return role; }
@Override public List<Role> findRolesByName(String name) { List<? extends Role> roles = null; if (StringUtils.isNotBlank(name)) { roles = roleDao.findAllByName(name); } removeRootAdminRolesIfNeeded(roles); return ListUtils.toListOfInterface(roles); }
@Override public List<Role> findRolesByType(RoleType roleType) { if (roleType == null || RoleType.Admin == roleType && !accountManager.isRootAdmin(getCurrentAccount().getId())) { return Collections.emptyList(); } List<? extends Role> roles = roleDao.findAllByRoleType(roleType); return ListUtils.toListOfInterface(roles); }
@Override public List<Role> listRoles() { List<? extends Role> roles = roleDao.listAll(); removeRootAdminRolesIfNeeded(roles); return ListUtils.toListOfInterface(roles); }
@Override @ActionEvent(eventType = EventTypes.EVENT_ROLE_PERMISSION_UPDATE, eventDescription = "updating Role Permission order") public boolean updateRolePermission(final Role role, final List<RolePermission> newOrder) { checkCallerAccess(); return role != null && newOrder != null && rolePermissionsDao.update(role, newOrder); }
@Override @ActionEvent(eventType = EventTypes.EVENT_ROLE_PERMISSION_CREATE, eventDescription = "creating Role Permission") public RolePermission createRolePermission(final Role role, final Rule rule, final RolePermission.Permission permission, final String description) { checkCallerAccess(); return Transaction.execute(new TransactionCallback<RolePermissionVO>() { @Override public RolePermissionVO doInTransaction(TransactionStatus status) { return rolePermissionsDao.persist(new RolePermissionVO(role.getId(), rule.toString(), permission, description)); } }); }
@Override @ActionEvent(eventType = EventTypes.EVENT_ROLE_PERMISSION_DELETE, eventDescription = "deleting Role Permission") public boolean deleteRolePermission(final RolePermission rolePermission) { checkCallerAccess(); return rolePermission != null && rolePermissionsDao.remove(rolePermission.getId()); }
@Override @ActionEvent(eventType = EventTypes.EVENT_ROLE_CREATE, eventDescription = "creating Role") public Role createRole(final String name, final RoleType roleType, final String description) { checkCallerAccess(); if (roleType == null || roleType == RoleType.Unknown) { throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Invalid role type provided"); } return Transaction.execute(new TransactionCallback<RoleVO>() { @Override public RoleVO doInTransaction(TransactionStatus status) { return roleDao.persist(new RoleVO(name, roleType, description)); } }); }
@Override @ActionEvent(eventType = EventTypes.EVENT_ROLE_UPDATE, eventDescription = "updating Role") public Role updateRole(final Role role, final String name, final RoleType roleType, final String description) { checkCallerAccess(); if (roleType != null && roleType == RoleType.Unknown) { throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Unknown is not a valid role type"); } RoleVO roleVO = (RoleVO)role; if (!Strings.isNullOrEmpty(name)) { roleVO.setName(name); } if (roleType != null) { if (role.getId() <= RoleType.User.getId()) { throw new PermissionDeniedException("The role type of default roles cannot be changed"); } List<? extends Account> accounts = accountDao.findAccountsByRole(role.getId()); if (accounts == null || accounts.isEmpty()) { roleVO.setRoleType(roleType); } else { throw new PermissionDeniedException("Found accounts that have role in use, won't allow to change role type"); } } if (!Strings.isNullOrEmpty(description)) { roleVO.setDescription(description); } roleDao.update(role.getId(), roleVO); return role; }
@Override @ActionEvent(eventType = EventTypes.EVENT_ROLE_DELETE, eventDescription = "deleting Role") public boolean deleteRole(final Role role) { checkCallerAccess(); if (role == null) { return false;