@Override public Role findRole(Long id) { if (id == null || id < 1L) { logger.trace(String.format("Role ID is invalid [%s]", id)); return null; } RoleVO role = roleDao.findById(id); if (role == null) { logger.trace(String.format("Role not found [id=%s]", id)); return null; } Account account = getCurrentAccount(); if (!accountManager.isRootAdmin(account.getId()) && RoleType.Admin == role.getRoleType()) { logger.debug(String.format("Role [id=%s, name=%s] is of 'Admin' type and is only visible to 'Root admins'.", id, role.getName())); return null; } return role; }
@Override public List<Role> findRolesByType(RoleType roleType) { if (roleType == null || RoleType.Admin == roleType && !accountManager.isRootAdmin(getCurrentAccount().getId())) { return Collections.emptyList(); } List<? extends Role> roles = roleDao.findAllByRoleType(roleType); return ListUtils.toListOfInterface(roles); }
/** * Removes roles of the given list that have the type '{@link RoleType#Admin}' if the user calling the method is not a 'root admin'. * The actual removal is executed via {@link #removeRootAdminRoles(List)}. Therefore, if the method is called by a 'root admin', we do nothing here. */ protected void removeRootAdminRolesIfNeeded(List<? extends Role> roles) { Account account = getCurrentAccount(); if (!accountManager.isRootAdmin(account.getId())) { removeRootAdminRoles(roles); } }
private void checkCallerAccess() { if (!isEnabled()) { throw new PermissionDeniedException("Dynamic api checker is not enabled, aborting role operation"); } Account caller = getCurrentAccount(); if (caller == null || caller.getRoleId() == null) { throw new PermissionDeniedException("Restricted API called by an invalid user account"); } Role callerRole = findRole(caller.getRoleId()); if (callerRole == null || callerRole.getRoleType() != RoleType.Admin) { throw new PermissionDeniedException("Restricted API called by an user account of non-Admin role type"); } }