Author: tchemit Date: 2012-08-13 16:05:59 +0200 (Mon, 13 Aug 2012) New Revision: 3608 Url: http://chorem.org/repositories/revision/pollen/3608 Log: refs #746: Improve security model Modified: trunk/pollen-services/src/main/java/org/chorem/pollen/services/impl/SecurityService.java Modified: trunk/pollen-services/src/main/java/org/chorem/pollen/services/impl/SecurityService.java ===================================================================
--- trunk/pollen-services/src/main/java/org/chorem/pollen/services/impl/SecurityService.java 2012-08-13 14:05:40 UTC (rev 3607)
+++ trunk/pollen-services/src/main/java/org/chorem/pollen/services/impl/SecurityService.java 2012-08-13 14:05:59 UTC (rev 3608)
@@ -23,10 +23,10 @@ package org.chorem.pollen.services.impl;
 import com.google.common.base.Preconditions;
+import org.apache.commons.lang3.ObjectUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.chorem.pollen.PollenTechnicalException;
 import org.chorem.pollen.PollenUserSecurityContext;
-import org.chorem.pollen.bean.PollUri;
 import org.chorem.pollen.business.persistence.Comment;
 import org.chorem.pollen.business.persistence.Poll;
 import org.chorem.pollen.business.persistence.PollAccount;
@@ -40,6 +40,7 @@ import java.util.EnumSet;
 import java.util.Set;
+import static org.chorem.pollen.PollenUserSecurityContext.PollenUserSecurityRole;
 import static org.nuiton.i18n.I18n.n_;
 /**
@@ -66,81 +67,47 @@ Preconditions.checkNotNull(poll); - String pollId = poll.getPollId(); + EnumSet<PollenUserSecurityContext.PollenUserSecurityRole> result = + EnumSet.noneOf(PollenUserSecurityRole.class); - PollAccountDAO dao = getDAO(PollAccount.class); + if (StringUtils.isNotBlank(accountId) || userAccount != null) { - EnumSet<PollenUserSecurityContext.PollenUserSecurityRole> result = EnumSet.noneOf(PollenUserSecurityContext.PollenUserSecurityRole.class); + // there is an accountId or a connected user, can find so user roles - if (StringUtils.isNotBlank(accountId)) { + // try to find an admin/creator of this poll + boolean creator = isPollCreator(poll, accountId, userAccount); - // there is a accountId - if (accountId.equals(poll.getCreator().getAccountId())) { + if (creator) { - // user is creator of poll - result.add(PollenUserSecurityContext.PollenUserSecurityRole.CREATOR); + // user is adminstrator of Pollen, so can acts as creator of poll + // or user is creator of poll linked by his accountId or user + // account email + result.add(PollenUserSecurityRole.CREATOR); } - PollUri pollUri = PollUri.newPollUri(pollId, accountId); - if (poll.isPollFree()) { - // free poll, can only find a existing voter of this poll + // try to match a voter + boolean found = isVoterAccountId(poll, accountId, userAccount); - boolean found = isVoterAccountId(dao, pollUri); - if (found) { - // account is a voter - result.add(PollenUserSecurityContext.PollenUserSecurityRole.VOTER); + // found a voter match + result.add(PollenUserSecurityRole.VOTER); } } else { - boolean found = isRestrictAccountId(dao, pollUri); + // try to match a restricted voter + boolean found = isRestrictAccountId(poll, accountId, userAccount); if (found) { - // account is a participant - result.add(PollenUserSecurityContext.PollenUserSecurityRole.RESTRICTED_VOTER); + // find a restricted voter match + result.add(PollenUserSecurityRole.RESTRICTED_VOTER); } } } - if (userAccount != null) { - - if 
(userAccount.isAdministrator()) { - - // user is adminstrator of Pollen, so can acts as creator of poll - result.add(PollenUserSecurityContext.PollenUserSecurityRole.CREATOR); - } - - if (poll.isPollFree()) { - - if (!result.contains(PollenUserSecurityContext.PollenUserSecurityRole.VOTER)) { - - // try to find an existing voter from the userAccount - boolean found = isVoterAccountId(dao, pollId, userAccount); - if (found) { - - // account is a voter - result.add(PollenUserSecurityContext.PollenUserSecurityRole.VOTER); - } - - } - } else { - - if (!result.contains(PollenUserSecurityContext.PollenUserSecurityRole.RESTRICTED_VOTER)) { - - // try to find an existing voter from the userAccount - boolean found = isRestrictAccountId(dao, pollId, userAccount); - if (found) { - - // account is a voter - result.add(PollenUserSecurityContext.PollenUserSecurityRole.RESTRICTED_VOTER); - } - } - } - } return result; } @@ -183,8 +150,6 @@ Poll poll = securityContext.getPoll(); - String accountId = securityContext.getAccountId(); - if (securityContext.isCreator()) { // poll admin can always access vote page @@ -203,15 +168,8 @@ return null; } - boolean pollIsFree = poll.isPollFree(); + if (!poll.isPollFree() && !securityContext.isRestrictedVoter()) { - if (pollIsFree && poll.getCreator().getAccountId().equals(accountId)) { - - // on free poll, only the creator (using his creatorId as accountId) can not vote - return n_("pollen.security.error.poll.free.creatorId.can.not.vote"); - } - if (!pollIsFree && !securityContext.isRestrictedVoter()) { - // on none free poll, only restricted user can vote return n_("pollen.security.error.poll.not.free.and.access.not.granted"); } @@ -221,8 +179,6 @@ public boolean isCanVote(PollenUserSecurityContext securityContext) { Poll poll = securityContext.getPoll(); - String accountId = securityContext.getAccountId(); - UserAccount userAccount = securityContext.getUserAccount(); Date now = serviceContext.getCurrentTime(); 
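Review bot: The guard `StringUtils.isNotBlank(accountId) || userAccount != null` lets a connected user through with a blank `accountId`, yet the raw value is then passed unchanged to `isPollCreator`, `isVoterAccountId` and `isRestrictAccountId`. An empty or whitespace-only id therefore reaches the equality check and the DAO lookups as if it were a real identifier; whether any stored account could match it is not visible here. Normalising once before the guard keeps the three role checks consistent, for example `String id = StringUtils.trimToNull(accountId);` and passing `id` on. The enclosing method starts above this hunk, so its signature and Javadoc are not visible.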
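Review bot: The rule that the creator's account id cannot be used to vote on a free poll is deleted here and again in `isCanVote` (hunk `@@ -232,32 +188,9 @@`), and nothing visible in this commit replaces it. The creator id is what `isPollCreator` accepts as sufficient for the CREATOR role, so a vote recorded under it ties the poll's administration credential to a vote record; whether vote views ever expose an account id needs confirming outside this file. If the removal is intended, a comment such as `// since #746 the creator may vote with his creator id; vote views must never expose accountId` would record the decision. The message key `pollen.security.error.poll.free.creatorId.can.not.vote` also looks unused after this change. `isCanAccessVote` begins and ends outside this hunk.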
@@ -232,32 +188,9 @@ return false; } - boolean pollIsFree = poll.isPollFree(); + if (!poll.isPollFree() && !securityContext.isRestrictedVoter()) { - if (pollIsFree && poll.getCreator().getAccountId().equals(accountId)) { - - // on free poll, only the creator (using his creatorId as accountId) can not vote - return false; - } - if (!pollIsFree && !securityContext.isRestrictedVoter()) { - // on none free poll, only restricted user can vote - - if (userAccount != null) { - - // try to find restricted user by user account - PollAccountDAO dao = getDAO(PollAccount.class); - - boolean restrictPollAccountId = isRestrictAccountId( - dao, poll.getPollId(), userAccount); - - if (restrictPollAccountId) { - - // ok admin is also restricted user of this poll - return true; - } - - } return false; } 
@@ -420,437 +353,84 @@ return result; } - private boolean isVoterAccountId(PollAccountDAO dao, PollUri uri) { - try { + protected boolean isPollCreator(Poll poll, + String accountId, + UserAccount userAccount) { - PollAccount pollAccount = dao.findVoterPollAccountByAccountId( - uri.getPollId(), uri.getAccountId()); - return pollAccount != null; + Preconditions.checkNotNull(poll); + Preconditions.checkState(userAccount != null || + StringUtils.isNotBlank(accountId)); - } catch (TopiaException e) { - throw new PollenTechnicalException( - "Could not check pollAccount existence from poll '" + - uri.getPollId() + "' and account '" + uri.getAccountId() + "'", e); - } - } + boolean result; - private boolean isVoterAccountId(PollAccountDAO dao, String pollId, - UserAccount userAccount) { - try { + if (ObjectUtils.equals(poll.getCreator().getAccountId(), accountId)) { - PollAccount pollAccount = dao.findVoterPollAccountByUserAccount( - pollId, userAccount); - return pollAccount != null; + // creator found by account id + result = true; - } catch (TopiaException e) { - throw new PollenTechnicalException( - "Could not check pollAccount existence from poll '" + - pollId + "' and userAccount '" + userAccount + "'", e); + } else if (userAccount != null) { + + if (userAccount.isAdministrator()) { + + // use is admin of Pollen, so is also poll creator + result = true; + } else { + + // try to link bo user account email + result = ObjectUtils.equals(poll.getCreator().getEmail(), + userAccount.getEmail()); + } + } else { + + // no accountId, nor user connected, can not be a creator + result = false; } + return result; } - private boolean isRestrictAccountId(PollAccountDAO dao, PollUri uri) { - try { + protected boolean isVoterAccountId(Poll poll, + String accountId, + UserAccount userAccount) { - PollAccount result = - dao.findRestrictedPollAccountByAccountId(uri.getPollId(), - uri.getAccountId()); + String pollId = poll.getPollId(); - return result != null; + try { + PollAccountDAO 
dao = getDAO(PollAccount.class); + PollAccount pollAccount = + dao.findVoterPollAccount(pollId, + accountId, + userAccount); + return pollAccount != null; + } catch (TopiaException e) { throw new PollenTechnicalException( - "Could not check pollAccount existence from poll '" + - uri.getPollId() + "' and account '" + uri.getAccountId() + "'", e); + "Could not check voter pollAccount existence from poll '" + + pollId + "'", e); } } - private boolean isRestrictAccountId(PollAccountDAO dao, - String pollId, - UserAccount userAccount) { + protected boolean isRestrictAccountId(Poll poll, + String accountId, + UserAccount userAccount) { + + String pollId = poll.getPollId(); try { + PollAccountDAO dao = getDAO(PollAccount.class); + PollAccount result = - dao.findRestrictedPollAccountByEmail(pollId, userAccount.getEmail()); + dao.findRestrictedPollAccount(pollId, + accountId, + userAccount); return result != null; } catch (TopiaException e) { throw new PollenTechnicalException( - "Could not check pollAccount existence from poll '" + - pollId + "' and account '" + userAccount.getEmail() + "'", e); + "Could not check restricted voter pollAccount existence " + + "from poll '" + pollId + "'", e); } } -// public void removeAccountIdWhenConnected(PollUrl url, -// UserAccount userAccount) { -// if (userAccount != null) { -// -// // remove accountId from url -// url.getPollUri().setAccountId(null); -// } -// } -// -// public static final Set<PollenUserSecurityRole> NONE_FREE_ACCOUNT_ID_ROLES = Sets.newHashSet( -// PollenUserSecurityRole.RESTRICTED_VOTER, -// PollenUserSecurityRole.CREATOR -// ); -// -// public boolean isPollAdmin(Poll poll, UserAccount pollenUserAccount) { -// boolean result = pollenUserAccount != null && pollenUserAccount.isAdministrator() || -// isPollCreator(poll, null, pollenUserAccount); -// return result; -// } -// -// public boolean isPollCreator(Poll poll, String accountId, -// UserAccount pollenUserAccount) { -// -// PollAccount creator = 
poll.getCreator(); -// -// boolean result = creator.getAccountId().equals(accountId); -// if (!result) { -// -// if (pollenUserAccount != null) { -// -// // try to match userAccount -// result = pollenUserAccount.equals(creator.getUserAccount()); -// } -// } -// return result; -// } -// -// public boolean isCanClosePoll(Poll poll, PollenUserSecurityRole accountIdRole) { -// -// boolean result = !poll.isClosed(); -// -// if (result) { -// -// // poll can be closed, check user can do action -// result = accountIdRole == PollenUserSecurityRole.CREATOR; -// } -// -// return result; -// } -// -// public PollenUserSecurityRole getAccountIdRole(Poll poll, String accountId) { -// -// Preconditions.checkNotNull(poll); -// -// PollenUserSecurityRole result = PollenUserSecurityRole.UNDEFINED; -// -// if (StringUtils.isNotBlank(accountId)) { -// -// if (accountId.equals(poll.getCreator().getAccountId())) { -// -// result = PollenUserSecurityRole.CREATOR; -// } else { -// -// PollAccountDAO dao = getDAO(PollAccount.class); -// -// PollUri pollUri = PollUri.newPollUri(poll.getPollId(), accountId); -// -// if (poll.getPollType() == PollType.FREE) { -// -// // -// -// boolean found = isVoterAccountId(dao, pollUri); -// -// if (found) { -// result = PollenUserSecurityRole.VOTER; -// } -// } else { -// -// boolean found = isRestrictAccountId(dao, pollUri); -// -// if (found) { -// result = PollenUserSecurityRole.RESTRICTED_VOTER; -// } -// } -// } -// } -// return result; -// } - -// public boolean isCanAccessResult(Poll poll, -// String accountId, -// SecurityService.PollenUserSecurityRole accountIdRole, -// UserAccount userAccount) { -// -// if (isPollCreator(poll, accountId, userAccount)) { -// accountIdRole = PollenUserSecurityRole.CREATOR; -// } -// -// String errorMessage = isCanAccessResult(poll, accountIdRole); -// return errorMessage == null; -// } -// -// public String isCanAccessResult(Poll poll, -// SecurityService.PollenUserSecurityRole accountIdRole) { -// -// // check 
now poll results can be displayed -// -// boolean publicResults = poll.isPublicResults(); -// boolean continuousResults = poll.isContinuousResults(); -// -// if (!continuousResults && !poll.isClosed()) { -// -// // results are not continuous and poll is not closed -// return n_("pollen.security.error.poll.not.closed.and.results.not.continuous"); -// } -// -// if (!publicResults && -// accountIdRole != SecurityService.PollenUserSecurityRole.CREATOR) { -// -// // poll results are private, only poll admin can see results -// return n_("pollen.security.error.poll.result.private.and.access.not.granted"); -// } -// -// boolean pollIsFree = PollType.FREE == poll.getPollType(); -// -// if (publicResults && -// !pollIsFree && -// !SecurityService.NONE_FREE_ACCOUNT_ID_ROLES.contains(accountIdRole)) { -// -// // on none free poll, only creator or restricted user can have it -// return n_("pollen.security.error.poll.not.free.and.access.not.granted"); -// } -// return null; -// } -// -// public String isCanAccessResult(Poll poll) { -// -// // check now poll results can be displayed -// -// boolean publicResults = poll.isPublicResults(); -// boolean continuousResults = poll.isContinuousResults(); -// -// if (!continuousResults && !poll.isClosed()) { -// -// // results are not continuous and poll is not closed -// return n_("pollen.security.error.poll.not.closed.and.results.not.continuous"); -// } -// -// if (!publicResults) { -// -// // poll results are private, only poll admin can see results -// return n_("pollen.security.error.poll.result.private.and.access.not.granted"); -// } -// -// return null; -// } - -// public String isCanAccessVote(Poll poll, -// String accountId, -// PollenUserSecurityRole accountIdRole, -// UserAccount userAccount) { -// -// if (PollenUserSecurityRole.CREATOR == accountIdRole) { -// -// // poll admin can always access vote page -// return null; -// } -// -// if (userAccount != null && userAccount.isAdministrator()) { -// // pollen admin can always 
access vote page -// return null; -// } -// -// if (poll.isPublicResults()) { -// -// // with public results, everybody can access to vote page (but -// // can not vote for a non free poll) -// return null; -// } -// -// boolean pollIsFree = PollType.FREE == poll.getPollType(); -// -// if (pollIsFree && poll.getCreator().getAccountId().equals(accountId)) { -// -// // on free poll, only the creator (using his creatorId as accountId) can not vote -// return n_("pollen.security.error.poll.free.creatorId.can.not.vote"); -// } -// if (!pollIsFree && PollenUserSecurityRole.RESTRICTED_VOTER != accountIdRole) { -// -// // on none free poll, only restricted user can vote -// return n_("pollen.security.error.poll.not.free.and.access.not.granted"); -// } -// return null; -// } - -// public boolean isCanVote(Poll poll, -// String accountId, -// PollenUserSecurityRole accountIdRole, -// UserAccount userAccount) { -// -// Date now = serviceContext.getCurrentTime(); -// -// if (!poll.isRunning(now)) { -// -// // poll is not running, can not vote -// return false; -// } -// -// boolean pollIsFree = poll.isPollFree(); -// -// if (pollIsFree && poll.getCreator().getAccountId().equals(accountId)) { -// -// // on free poll, only the creator (using his creatorId as accountId) can not vote -// return false; -// } -// if (!pollIsFree && PollenUserSecurityRole.RESTRICTED_VOTER != accountIdRole) { -// -// // on none free poll, only restricted user can vote -// -// if (userAccount != null) { -// -// // try to find restricted user by user account -// PollAccountDAO dao = getDAO(PollAccount.class); -// -// boolean restrictPollAccountId = isRestrictAccountId(dao, poll.getPollId(), userAccount); -// -// if (restrictPollAccountId) { -// -// // ok admin is also restricted user of this poll -// return true; -// } -// -// } -// return false; -// } -// -// // ok can vote -// return true; -// } - -// public boolean isCanModifyVote(Poll poll, String voteId, -// String accountId, -// UserAccount 
userConnected) { -// -// Date now = serviceContext.getCurrentTime(); -// -// if (!poll.isRunning(now)) { -// -// // poll is not running can not modify anything -// return false; -// } -// -// if (poll.isAnonymous()) { -// -// // poll is anonymous, no vote can be modify -// return false; -// } -// -// Vote vote = poll.getVoteByTopiaId(voteId); -// -// if (vote == null) { -// -// // vote not found, can not modify it -// return false; -// } -// -// PollAccount votePollAccount = vote.getPollAccount(); -// -// if (votePollAccount.getAccountId().equals(accountId)) { -// -// // accountId is voteAccountId, can modifiy the vote -// return true; -// } -// -// if (userConnected != null) { -// -// if (userConnected.equals(votePollAccount.getUserAccount())) { -// -// // user conntected is the voter -// return true; -// } -// } -// -// // can not modify vote in other cases -// return false; -// } - -// public boolean isCanDeleteVote(Poll poll, -// String voteId, -// String accountId, -// PollenUserSecurityRole accountIdRole, -// UserAccount userConnected) { -// -// Date now = serviceContext.getCurrentTime(); -// -// if (!poll.isRunning(now)) { -// -// // poll is not running can not remove anything -// return false; -// } -// -// if (poll.isAnonymous()) { -// -// // poll is anonymous, no vote can be delete (?) 
FIXME Check this -// return false; -// } -// -// -// Vote vote = poll.getVoteByTopiaId(voteId); -// -// if (vote == null) { -// -// // vote not found, can not delete it -// return false; -// } -// -// if (accountIdRole == PollenUserSecurityRole.CREATOR) { -// -// // poll admin can delete any vote -// return true; -// } -// -// PollAccount votePollAccount = vote.getPollAccount(); -// -// if (votePollAccount.getAccountId().equals(accountId)) { -// -// // owner of vote (linked by accountId) can delete his own vote -// return true; -// } -// -// if (userConnected != null) { -// -// if (userConnected.equals(votePollAccount.getUserAccount())) { -// -// // owner of vote (linked by userAccount) can delete his own vote -// return true; -// } -// } -// -// // can not modify vote in other cases -// return false; -// } - -// public boolean isCanDeleteComment(Comment comment, -// String accountId, -// PollenUserSecurityRole accountIdRole, -// UserAccount userAccount) { -// -// if (accountIdRole == PollenUserSecurityRole.CREATOR) { -// -// // poll admin can always delete comments -// return true; -// } -// -// PollAccount commentAccount = comment.getPollAccount(); -// -// if (commentAccount.getAccountId().equals(accountId)) { -// -// // owner of comment (linked by accountId) can delete his comment -// return true; -// } -// -// if (userAccount != null) { -// -// if (userAccount.equals(commentAccount.getUserAccount())) { -// // owner of comment (linked by userAccount) can delete his comment -// return true; -// } -// } -// return false; -// } }
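Review bot: `isPollCreator` grants the CREATOR role through `ObjectUtils.equals`, which returns true when both arguments are null, so a poll whose creator has no email matches any connected user whose email is also null, and the same holds for the `accountId` comparison when a connected user arrives without an id. Both comparisons should require a non-null value first, e.g. `String email = userAccount.getEmail(); result = email != null && email.equals(poll.getCreator().getEmail());`. The email link is also only as trustworthy as the address-ownership check at registration, which is not visible in this file; if addresses are not verified, comparing against `poll.getCreator().getUserAccount()` (as the deleted commented-out version did) would be the safer link. Separately, the three helpers change from `private` to `protected` without Javadoc; a short comment on each stating that it is an authorization decision, and what a null `accountId` or `userAccount` means, would help anyone overriding them.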