/**
 * Returns whether {@code user} may view {@code avatar}.
 *
 * <p>The decision is delegated entirely to {@code avatarManager}, which is asked about the
 * avatar's type and owner; system avatars (no owner) are viewable by anyone. A denied
 * request is logged at DEBUG level (user and avatar id only) so that refused access can be
 * traced without flooding the log.
 *
 * @param user   the user requesting the avatar; passed through to the manager as-is, so how
 *               a null (anonymous) user is treated is up to the manager's own rules
 * @param avatar the avatar being requested; must not be null
 * @return {@code true} if the manager grants view permission, {@code false} otherwise
 */
protected boolean canViewAvatar(ApplicationUser user, Avatar avatar) {
    final boolean allowed =
            avatarManager.hasPermissionToView(user, avatar.getAvatarType(), avatar.getOwner());
    if (allowed) {
        return true;
    }
    LOGGER.debug("User '{}' is not allowed to view avatar {}", user, avatar.getId());
    return false;
}
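/**
 * Resolves which avatar to serve for a project avatar request, writing an HTTP error to
 * {@code response} when the request must be rejected.
 *
 * <p>Resolution order:
 * <ol>
 *   <li>no project id &rarr; the default project avatar id;</li>
 *   <li>project id not numeric, or matching no project &rarr; 404 "Unknown project";</li>
 *   <li>current user lacks view permission on the project &rarr; 403 "Unknown project";</li>
 *   <li>no explicit avatar id &rarr; the project's current avatar id;</li>
 *   <li>otherwise the requested avatar id, returned unchanged (this method does not check
 *       that it belongs to the project).</li>
 * </ol>
 *
 * @param projectId the project id from the request; may be blank or non-numeric
 * @param avatarId  the explicitly requested avatar id, or null for the project's own avatar
 * @param response  the response to write an error status to when the request is rejected
 * @return the avatar id to serve, or null if an error has already been sent on {@code response}
 * @throws IOException if writing the error to the response fails
 */
@Override
protected Long validateInput(String projectId, Long avatarId, final HttpServletResponse response)
        throws IOException {
    if (StringUtils.isBlank(projectId)) {
        // No project id: fall back to the system-wide default project avatar.
        return getAvatarManager().getDefaultAvatarId(Avatar.Type.PROJECT);
    }

    // projectId is request input; a malformed id is a client error, not a server fault,
    // so it is answered exactly like an id that matches no project instead of letting
    // NumberFormatException escape as a 500.
    final long parsedProjectId;
    try {
        parsedProjectId = Long.parseLong(projectId);
    } catch (NumberFormatException e) {
        response.sendError(HttpServletResponse.SC_NOT_FOUND, "Unknown project");
        return null;
    }

    final Project project = getProjectManager().getProjectObj(parsedProjectId);
    if (project == null) {
        response.sendError(HttpServletResponse.SC_NOT_FOUND, "Unknown project");
        return null;
    }
    if (!getAvatarManager().hasPermissionToView(getAuthenticationContext().getUser(), project)) {
        // Caller may not see any avatar of this project. The message mirrors the
        // not-found case; only the status code differs.
        response.sendError(HttpServletResponse.SC_FORBIDDEN, "Unknown project");
        return null;
    }
    if (avatarId == null) {
        return project.getAvatar().getId();
    }
    return avatarId;
}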
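/**
 * Redirects the response to the externally hosted avatar of the user identified by
 * {@code ownerId}, after checking that the current user may view it.
 *
 * <p>The owner and the logged-in user are each resolved once and the same instances are used
 * for both the permission check and the URL lookup, so the check and the redirect cannot
 * disagree about who is involved. A failed check answers a bare 404, which, unlike a 403,
 * does not by itself confirm that the owner exists.
 *
 * @param response the response to redirect, or to send an error on
 * @param ownerId  the user key of the avatar's owner, as taken from the request
 * @param size     the requested image size
 * @throws IOException if the redirect or the error cannot be written to the response
 */
private void redirectToExternalAvatar(HttpServletResponse response, String ownerId,
                                      AvatarManager.ImageSize size) throws IOException {
    final AvatarService avatarService = ComponentAccessor.getAvatarService();
    final ApplicationUser loggedInUser = getAuthenticationContext().getUser();
    // Resolved once; what getUserByKey returns for an unknown key is not visible here,
    // so the permission check below is the only guard against an unknown owner.
    final ApplicationUser owner = getUserUtil().getUserByKey(ownerId);

    if (!getAvatarManager().hasPermissionToView(loggedInUser, owner)) {
        response.sendError(HttpServletResponse.SC_NOT_FOUND);
        return;
    }

    // The redirect target is produced by the avatar service, not taken from request input.
    final URI externalUrl = avatarService.getAvatarURL(loggedInUser, owner, size.getSize());
    response.sendRedirect(externalUrl.toString());
}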
if (!getAvatarManager().hasPermissionToView(getAuthenticationContext().getUser(), user))