org.sakaiproject.authz.impl

Class BaseAuthzGroupService

java.lang.Object

org.sakaiproject.authz.impl.BaseAuthzGroupService

All Implemented Interfaces:

AuthzGroupService, EntityProducer

Direct Known Subclasses:

DbAuthzGroupService

public abstract class BaseAuthzGroupService
extends Object
implements AuthzGroupService

BaseAuthzGroupService is a Sakai azGroup service implementation.

To support the public view feature, an AuthzGroup named TEMPLATE_PUBVIEW must exist, with a role named ROLE_PUBVIEW - all the abilities in this role become the public view abilities for any resource.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
protected static interface	BaseAuthzGroupService.Storage Storage

Field Summary

Fields

Modifier and Type	Field and Description
protected List<AuthzGroupAdvisor>	authzGroupAdvisors
protected GroupProvider	m_provider A provider of additional Abilities for a userId.
protected String	m_relativeAccessPoint The initial portion of a relative access point URL.
protected RoleProvider	m_roleProvider A provider of additional roles for a userId.
protected BaseAuthzGroupService.Storage	m_storage Storage manager for this service.
protected SiteService	siteService

Fields inherited from interface org.sakaiproject.authz.api.AuthzGroupService

ANON_ROLE, APPLICATION_ID, AUTH_ROLE, REFERENCE_ROOT, SECURE_ADD_AUTHZ_GROUP, SECURE_JOIN_AUTHZ_GROUP, SECURE_REMOVE_AUTHZ_GROUP, SECURE_UNJOIN_AUTHZ_GROUP, SECURE_UPDATE_AUTHZ_GROUP, SECURE_UPDATE_OWN_AUTHZ_GROUP, SECURE_VIEW_ALL_AUTHZ_GROUPS

Constructor Summary

Constructors

Constructor and Description
BaseAuthzGroupService()

Method Summary

Modifier and Type	Method and Description
AuthzGroup	addAuthzGroup(String id) Add a new AuthzGroup
AuthzGroup	addAuthzGroup(String id, AuthzGroup other, String userId) Add a new AuthzGroup, as a copy of another AuthzGroup (except for id), and give a user "maintain" access based on the other's definition of "maintain".
void	addAuthzGroupAdvisor(AuthzGroupAdvisor advisor) Registers a AuthzGroupAdvisor with the AuthzGroupService.
protected void	addLiveProperties(BaseAuthzGroup azGroup) Create the live properties for the azGroup.
protected void	addLiveUpdateProperties(BaseAuthzGroup azGroup) Update the live properties for an AuthzGroup for when modified.
protected void	addMemberToGroup(AuthzGroup azGroup, String userId, String roleId, int maxSize) Add member to a group, once id and security checks have been cleared.
boolean	allowAdd(String id) Check permissions for adding an AuthzGroup.
boolean	allowJoinGroup(String authzGroupId) Check permissions for the current user joining a group.
boolean	allowRemove(String id) Check permissions for removing an AuthzGroup.
boolean	allowUnjoinGroup(String authzGroupId) Check permissions for the current user unjoining a group.
boolean	allowUpdate(String id) Check permissions for updating an AuthzGroup.
String	archive(String siteId, Document doc, Stack stack, String archivePath, List attachments) Archive the resources for the given site.
protected String	authzGroupId(String ref) Access the azGroup id extracted from an AuthzGroup reference.
String	authzGroupReference(String id) Access the internal reference which can be used to access the AuthzGroup from within the system.
protected void	completeSave(AuthzGroup azGroup) Complete the saving of the group, once id and security checks have been cleared.
int	countAuthzGroups(String criteria) Count the AuthzGroups that meet specified criteria.
String	decodeRoleFromDummyUser(String dummyUserId) Decodes the dummy user id to provide the original roleId as encoded by encodeDummyUserForRole(String)
void	destroy() Returns to uninitialized state.
String	encodeDummyUserForRole(String roleId) Encode the role id to form the dummy user id that will be used to perform role checks.
protected abstract EntityManager	entityManager()
protected abstract EventTrackingService	eventTrackingService()
protected String	extractEntityId(String reference) Get the realm ID from a reference string.
protected abstract FunctionManager	functionManager()
protected String	getAccessPoint(boolean relative) Access the partial URL that forms the root of resource URLs.
Set<String>	getAdditionalRoles() Gets a set of additional roles that can be added to an authz group.
Set	getAllowedFunctions(String role, Collection azGroups) Get the set of functions that users with this role in these AuthzGroups are allowed to perform.
AuthzGroup	getAuthzGroup(String id) Access an AuthzGroup.
List<AuthzGroupAdvisor>	getAuthzGroupAdvisors() List of the current AuthzGroupAdvisors registered with the AuthzGroupService
Set	getAuthzGroupIds(String providerId) Gets the IDs of the AuthzGroups with the given provider ID.
List	getAuthzGroups(String criteria, PagingPosition page) Access a list of AuthzGroups that meet specified criteria, naturally sorted.
Set	getAuthzGroupsIsAllowed(String userId, String function, Collection azGroups) Get the set of AuthzGroup ids in which this user is allowed to perform this function.
List	getAuthzUserGroupIds(ArrayList authzGroupIds, String userid) Access a list of AuthzGroups which contain a specified userid NOTE: This call is backed by a cache.
Collection<String>	getAuthzUsersInGroups(Set<String> groupIds) Get list of users who are in a set of groups
Entity	getEntity(Reference ref) Access the referenced Entity - the entity will belong to the service.
Collection	getEntityAuthzGroups(Reference ref, String userId) Access a collection of authorization group ids for security on the for the referenced entity - the entity will belong to the service.
String	getEntityDescription(Reference ref) Create an entity description for the entity referenced - the entity will belong to the service.
ResourceProperties	getEntityResourceProperties(Reference ref) Access the resource properties for the referenced entity - the entity will belong to the service.
String	getEntityUrl(Reference ref) Access a URL for the referenced entity - the entity will belong to the service.
HttpAccess	getHttpAccess() Get the HttpAccess object that supports entity access via the access servlet for my entities.
String	getLabel()
Set	getMaintainRoles() Set of all maintain roles
Set	getProviderIds(String authzGroupId) Gets the provider IDs associated with an AuthzGroup.
Map<String,List<String>>	getProviderIDsForRealms(List<String> realmIDs) Get all provider IDs for the realms given.
String	getRoleGroupName(String roleGroupId) Get a nice display name for role group.
String	getRoleName(String roleId) Get a nice display name for role.
Map<String,Integer>	getUserCountIsAllowed(String function, Collection<String> azGroups) Get the number of users per group who are allowed to perform the function in the given AuthzGroups.
String	getUserRole(String userId, String azGroupId) Get the role name for this user in this AuthzGroup, if the user has membership (the membership gives the user a single role).
Map<String,String>	getUserRoles(String userId, Collection<String> azGroupIds) Get all role names for a given user in a set of AuthzGroups.
Set<String>	getUsersIsAllowed(String function, Collection<String> azGroups) Get the set of user ids of users who are allowed to perform the function in the named AuthzGroups.
Set<String[]>	getUsersIsAllowedByGroup(String function, Collection<String> azGroups) Get the set of user ids per group of users who are allowed to perform the function in the named AuthzGroups.
Map	getUsersRole(Collection userIds, String azGroupId) Get the role name for each user in the userIds Collection in this AuthzGroup, for each of these users who have membership (membership gives the user a single role).
void	init() Final initialization, once all dependencies are set.
boolean	isAllowed(String user, String function, Collection azGroups) Test if this user is allowed to perform the function in the named AuthzGroups.
boolean	isAllowed(String user, String function, String azGroupId) Test if this user is allowed to perform the function in the named AuthzGroup.
protected boolean	isAllowedAnon() Is the current user allowed to grant .anon access to the site?
protected boolean	isAllowedAuth() Is the current user allowed to grant .auth access to the site?
boolean	isRoleAssignable(String roleId) Check if the supplied role can be assigned to a user.
void	joinGroup(String authzGroupId, String roleId) Cause the current user to join the given AuthzGroup with this role, using SECURE_UPDATE_OWN_AUTHZ_GROUP security.
void	joinGroup(String authzGroupId, String roleId, int maxSize) Cause the current user to join the given AuthzGroup with this role, using SECURE_UPDATE_OWN_AUTHZ_GROUP security, provided that adding this user would not cause the group to exceed the specified size.
String	merge(String siteId, Element root, String archivePath, String fromSiteId, Map attachmentNames, Map userIdTrans, Set userListAllowImport) Merge the resources from the archive into the given site.
AuthzGroup	newAuthzGroup(String id, AuthzGroup other, String userId) Create a new AuthzGroup, as a copy of another AuthzGroup (except for id), and give a user "maintain" access based on the other's definition of "maintain", but do not store - it can be saved with a save() call
protected abstract BaseAuthzGroupService.Storage	newStorage() Construct storage for this service.
boolean	parseEntityReference(String reference, Reference ref) If the service recognizes the reference as its own, parse it and fill in the Reference
void	refreshUser(String userId) Refresh this user's AuthzGroup external definitions.
void	removeAuthzGroup(AuthzGroup azGroup) Remove this AuthzGroup.
void	removeAuthzGroup(String azGroupId) Remove the AuthzGroup with this id, if it exists (fails quietly if not).
boolean	removeAuthzGroupAdvisor(AuthzGroupAdvisor advisor) Removes an AuthzGroupAdvisor
protected void	removeMemberFromGroup(AuthzGroup azGroup, String userId) Remove member from a group, once id and security checks have been cleared.
protected void	removeSiteSecurity(AuthzGroup azGroup) Update the site security when an AuthzGroup is deleted, if it is a site AuthzGroup.
void	save(AuthzGroup azGroup) Save the changes made to the AuthzGroup.
protected abstract SecurityService	securityService()
protected abstract ServerConfigurationService	serverConfigurationService()
protected abstract SessionManager	sessionManager()
void	setProvider(GroupProvider provider) Configuration: set the azGroup provider helper service.
void	setRoleProvider(RoleProvider provider) Configuration: set the az role provider helper service.
void	setSiteService(SiteService siteService)
protected abstract TimeService	timeService()
void	unjoinGroup(String authzGroupId) Cause the current user to unjoin the given AuthzGroup, using SECURE_UPDATE_OWN_AUTHZ_GROUP security.
protected void	unlock(String lock, String resource) Check security permission.
protected boolean	unlockCheck(String lock, String resource) Check security permission.
protected void	updateSiteSecurity(AuthzGroup azGroup) Update the site security based on the values in the AuthzGroup, if it is a site AuthzGroup.
protected abstract UserDirectoryService	userDirectoryService()
boolean	willArchiveMerge()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

m_storage

protected BaseAuthzGroupService.Storage m_storage

Storage manager for this service.

m_relativeAccessPoint

protected String m_relativeAccessPoint

The initial portion of a relative access point URL.

m_provider

protected GroupProvider m_provider

A provider of additional Abilities for a userId.

m_roleProvider

protected RoleProvider m_roleProvider

A provider of additional roles for a userId.

authzGroupAdvisors

protected List<AuthzGroupAdvisor> authzGroupAdvisors

siteService

protected SiteService siteService

Constructor Detail

BaseAuthzGroupService

public BaseAuthzGroupService()

Method Detail

newStorage

protected abstract BaseAuthzGroupService.Storage newStorage()

Construct storage for this service.

getAccessPoint

protected String getAccessPoint(boolean relative)

Access the partial URL that forms the root of resource URLs.

Parameters:

relative - if true, form within the access path only (i.e. starting with /content)

Returns:

the partial URL that forms the root of resource URLs.

authzGroupId

protected String authzGroupId(String ref)

Access the azGroup id extracted from an AuthzGroup reference.

Parameters:

ref - The azGroup reference string.

Returns:

The the azGroup id extracted from an AuthzGroup reference.

unlockCheck

protected boolean unlockCheck(String lock,
                              String resource)

Check security permission.

Parameters:

lock - The lock id string.

resource - The resource reference string, or null if no resource is involved.

Returns:

true if allowd, false if not

unlock

protected void unlock(String lock,
                      String resource)
               throws AuthzPermissionException

Check security permission.

Parameters:

lock - The lock id string.

resource - The resource reference string, or null if no resource is involved.

Throws:

PermissionException - Thrown if the azGroup does not have access

AuthzPermissionException

addLiveProperties

protected void addLiveProperties(BaseAuthzGroup azGroup)

Create the live properties for the azGroup.

addLiveUpdateProperties

protected void addLiveUpdateProperties(BaseAuthzGroup azGroup)

Update the live properties for an AuthzGroup for when modified.

setProvider

public void setProvider(GroupProvider provider)

Configuration: set the azGroup provider helper service.

Parameters:

provider - the azGroup provider helper service.

setRoleProvider

public void setRoleProvider(RoleProvider provider)

Configuration: set the az role provider helper service.

Parameters:

provider - the az role provider helper service.

serverConfigurationService

protected abstract ServerConfigurationService serverConfigurationService()

Returns:

the ServerConfigurationService collaborator.

entityManager

protected abstract EntityManager entityManager()

Returns:

the EntityManager collaborator.

functionManager

protected abstract FunctionManager functionManager()

Returns:

the FunctionManager collaborator.

securityService

protected abstract SecurityService securityService()

Returns:

the SecurityService collaborator.

timeService

protected abstract TimeService timeService()

Returns:

the TimeService collaborator.

sessionManager

protected abstract SessionManager sessionManager()

Returns:

the SessionManager collaborator.

eventTrackingService

protected abstract EventTrackingService eventTrackingService()

Returns:

the EventTrackingService collaborator.

userDirectoryService

protected abstract UserDirectoryService userDirectoryService()

Returns:

the ServerConfigurationService collaborator.

setSiteService

public void setSiteService(SiteService siteService)

init

public void init()

Final initialization, once all dependencies are set.

destroy

public void destroy()

Returns to uninitialized state.

getProviderIDsForRealms

public Map<String,List<String>> getProviderIDsForRealms(List<String> realmIDs)

Get all provider IDs for the realms given.

Specified by:

getProviderIDsForRealms in interface AuthzGroupService

Parameters:

realmIDs - a List of the realms you want the provider IDs for.

Returns:

a Map, where the key is the realm ID, and the value is a List of Strings of provider IDs for that realm

getAuthzGroups

public List getAuthzGroups(String criteria,
                           PagingPosition page)

Access a list of AuthzGroups that meet specified criteria, naturally sorted. NOTE: The group objects returned will not have the associated roles loaded. if you need to save the realm retrieve it with AuthzGroupService.getAuthzGroup(String)

Specified by:

getAuthzGroups in interface AuthzGroupService

Parameters:

criteria - Selection criteria: AuthzGroups returned will match this string somewhere in their id, or provider group id.

page - The PagePosition subset of items to return.

Returns:

The List (AuthzGroup) that meet specified criteria.

getAuthzUserGroupIds

public List getAuthzUserGroupIds(ArrayList authzGroupIds,
                                 String userid)

Access a list of AuthzGroups which contain a specified userid NOTE: This call is backed by a cache.

Specified by:

getAuthzUserGroupIds in interface AuthzGroupService

Parameters:

authzGroupIds - AuthzGroup selection criteria (list of AuthzGroup ids)

userid - Return only groups with userid as a member

Returns:

The List (AuthzGroup) that contain the specified userid

getAuthzUsersInGroups

public Collection<String> getAuthzUsersInGroups(Set<String> groupIds)

Get list of users who are in a set of groups

Specified by:

getAuthzUsersInGroups in interface AuthzGroupService

Parameters:

groupIds - IDs of authZ groups (AuthzGroup selection criteria)

Returns:

list of user IDs who are in a set of groups

countAuthzGroups

public int countAuthzGroups(String criteria)

Count the AuthzGroups that meet specified criteria.

Specified by:

countAuthzGroups in interface AuthzGroupService

Parameters:

criteria - Selection criteria: AuthzGroups returned will match this string somewhere in their id, or provider group id.

Returns:

The count of AuthzGroups that meet specified criteria.

getAuthzGroupIds

public Set getAuthzGroupIds(String providerId)

Gets the IDs of the AuthzGroups with the given provider ID.

Specified by:

getAuthzGroupIds in interface AuthzGroupService

Returns:

The Set of Strings representing authzGroup IDs (such as /site/1234 or /site/1234/group/5678) for all authzGroups with the given providerId.

getProviderIds

public Set getProviderIds(String authzGroupId)

Gets the provider IDs associated with an AuthzGroup.

Specified by:

getProviderIds in interface AuthzGroupService

Returns:

The Set of Strings representing external group IDs, as recognized by the GroupProvider implementation, that are associated with the given groupId. These strings must not be "compound IDs", as defined by the GroupProvider's String[] unpackId(String id) method.

getAuthzGroup

public AuthzGroup getAuthzGroup(String id)
                         throws GroupNotDefinedException

Access an AuthzGroup.

Specified by:

getAuthzGroup in interface AuthzGroupService

Parameters:

id - The id string.

Returns:

The AuthzGroup.

Throws:

GroupNotDefinedException - if not found.

joinGroup

public void joinGroup(String authzGroupId,
                      String roleId)
               throws GroupNotDefinedException,
                      AuthzPermissionException

Cause the current user to join the given AuthzGroup with this role, using SECURE_UPDATE_OWN_AUTHZ_GROUP security.

Specified by:

joinGroup in interface AuthzGroupService

Parameters:

authzGroupId - the id of the AuthzGroup.

roleId - the name of the Role.

Throws:

GroupNotDefinedException - if the authzGroupId or role are not defined.

AuthzPermissionException - if the current user does not have permission to join this AuthzGroup.

joinGroup

public void joinGroup(String authzGroupId,
                      String roleId,
                      int maxSize)
               throws GroupNotDefinedException,
                      AuthzPermissionException,
                      GroupFullException

Cause the current user to join the given AuthzGroup with this role, using SECURE_UPDATE_OWN_AUTHZ_GROUP security, provided that adding this user would not cause the group to exceed the specified size.

Specified by:

joinGroup in interface AuthzGroupService

Parameters:

authzGroupId - the id of the AuthzGroup.

roleId - the name of the Role.

maxSize - the maximum permitted size of the AuthzGroup.

Throws:

GroupNotDefinedException - if the authzGroupId or role are not defined.

AuthzPermissionException - if the current user does not have permission to join this AuthzGroup.

GroupFullException - if adding the current user would cause the AuthzGroup to become larger than maxSize.

unjoinGroup

public void unjoinGroup(String authzGroupId)
                 throws GroupNotDefinedException,
                        AuthzPermissionException

Cause the current user to unjoin the given AuthzGroup, using SECURE_UPDATE_OWN_AUTHZ_GROUP security.

Specified by:

unjoinGroup in interface AuthzGroupService

Parameters:

authzGroupId - the id of the AuthzGroup.

Throws:

GroupNotDefinedException - if the authzGroupId or role are not defined.

AuthzPermissionException - if the current user does not have permission to unjoin this site.

allowJoinGroup

public boolean allowJoinGroup(String authzGroupId)

Check permissions for the current user joining a group.

Specified by:

allowJoinGroup in interface AuthzGroupService

Parameters:

authzGroupId - The AuthzGroup id.

Returns:

true if the user is allowed to join the group, false if not.

allowUnjoinGroup

public boolean allowUnjoinGroup(String authzGroupId)

Check permissions for the current user unjoining a group.

Specified by:

allowUnjoinGroup in interface AuthzGroupService

Parameters:

authzGroupId - The AuthzGroup id.

Returns:

true if the user is allowed to unjoin the group, false if not.

allowUpdate

public boolean allowUpdate(String id)

Check permissions for updating an AuthzGroup.

Specified by:

allowUpdate in interface AuthzGroupService

Parameters:

id - The id.

Returns:

true if the user is allowed to update the AuthzGroup, false if not.

save

public void save(AuthzGroup azGroup)
          throws GroupNotDefinedException,
                 AuthzPermissionException

Save the changes made to the AuthzGroup. The AuthzGroup must already exist, and the user must have permission to update. A side-effect of this call is to refresh current memberships based on the state of the group's associated provider, if any. (For example, to update site memberships based on course enrollment records.) Since there is no other public method that refreshes group memberships, this method may be useful even to clients who don't edit the AuthzGroup directly.

Specified by:

save in interface AuthzGroupService

Parameters:

azGroup - The AuthzGroup to save.

Throws:

GroupNotDefinedException - if the AuthzGroup id is not defined.

AuthzPermissionException - if the current user does not have permission to update the AuthzGroup.

completeSave

protected void completeSave(AuthzGroup azGroup)

Complete the saving of the group, once id and security checks have been cleared.

Parameters:

azGroup -

addMemberToGroup

protected void addMemberToGroup(AuthzGroup azGroup,
                                String userId,
                                String roleId,
                                int maxSize)
                         throws GroupFullException

Add member to a group, once id and security checks have been cleared.

Parameters:

azGroup -

Throws:

GroupFullException

removeMemberFromGroup

protected void removeMemberFromGroup(AuthzGroup azGroup,
                                     String userId)

Remove member from a group, once id and security checks have been cleared.

Parameters:

azGroup -

allowAdd

public boolean allowAdd(String id)

Check permissions for adding an AuthzGroup.

Specified by:

allowAdd in interface AuthzGroupService

Parameters:

id - The authzGroup id.

Returns:

true if the current user is allowed add the AuthzGroup, false if not.

addAuthzGroup

public AuthzGroup addAuthzGroup(String id)
                         throws GroupIdInvalidException,
                                GroupAlreadyDefinedException,
                                AuthzPermissionException

Add a new AuthzGroup

Specified by:

addAuthzGroup in interface AuthzGroupService

Parameters:

id - The AuthzGroup id.

Returns:

The new AuthzGroup.

Throws:

GroupIdInvalidException - if the id is invalid.

GroupAlreadyDefinedException - if the id is already used.

AuthzPermissionException - if the current user does not have permission to add the AuthzGroup.

addAuthzGroup

public AuthzGroup addAuthzGroup(String id,
                                AuthzGroup other,
                                String userId)
                         throws GroupIdInvalidException,
                                GroupAlreadyDefinedException,
                                AuthzPermissionException

Add a new AuthzGroup, as a copy of another AuthzGroup (except for id), and give a user "maintain" access based on the other's definition of "maintain".

Specified by:

addAuthzGroup in interface AuthzGroupService

Parameters:

id - The id.

other - The AuthzGroup to copy into this new AuthzGroup.

userId - Optional user id to get "maintain" access, or null if none.

Returns:

The new AuthzGroup object.

Throws:

GroupIdInvalidException - if the id is invalid.

GroupAlreadyDefinedException - if the id is already used.

AuthzPermissionException - if the current user does not have permission to add the AuthzGroup.

newAuthzGroup

public AuthzGroup newAuthzGroup(String id,
                                AuthzGroup other,
                                String userId)
                         throws GroupAlreadyDefinedException

Create a new AuthzGroup, as a copy of another AuthzGroup (except for id), and give a user "maintain" access based on the other's definition of "maintain", but do not store - it can be saved with a save() call

Specified by:

newAuthzGroup in interface AuthzGroupService

Parameters:

id - The id.

other - The AuthzGroup to copy into this new AuthzGroup (or null if none).

userId - Optional user id to get "maintain" access, or null if none.

Returns:

The new AuthzGroup object.

Throws:

GroupAlreadyDefinedException - if the id is already used.

allowRemove

public boolean allowRemove(String id)

Check permissions for removing an AuthzGroup.

Specified by:

allowRemove in interface AuthzGroupService

Parameters:

id - The AuthzGroup id.

Returns:

true if the user is allowed to remove the AuthzGroup, false if not.

removeAuthzGroup

public void removeAuthzGroup(AuthzGroup azGroup)
                      throws AuthzPermissionException

Remove this AuthzGroup.

Specified by:

removeAuthzGroup in interface AuthzGroupService

Parameters:

azGroup - The AuthzGroup to remove.

Throws:

AuthzPermissionException - if the current user does not have permission to remove this AuthzGroup.

removeAuthzGroup

public void removeAuthzGroup(String azGroupId)
                      throws AuthzPermissionException

Remove the AuthzGroup with this id, if it exists (fails quietly if not).

Specified by:

removeAuthzGroup in interface AuthzGroupService

Parameters:

azGroupId - The AuthzGroup id.

Throws:

AuthzPermissionException - if the current user does not have permission to remove this AthzGroup.

authzGroupReference

public String authzGroupReference(String id)

Access the internal reference which can be used to access the AuthzGroup from within the system.

Specified by:

authzGroupReference in interface AuthzGroupService

Parameters:

id - The AuthzGroup id.

Returns:

The the internal reference which can be used to access the AuthzGroup from within the system.

isAllowed

public boolean isAllowed(String user,
                         String function,
                         String azGroupId)

Test if this user is allowed to perform the function in the named AuthzGroup.

Specified by:

isAllowed in interface AuthzGroupService

Parameters:

user - The user id.

function - The function to open.

azGroupId - The AuthzGroup id to consult, if it exists.

Returns:

true if this user is allowed to perform the function in the named AuthzGroup, false if not.

isAllowed

public boolean isAllowed(String user,
                         String function,
                         Collection azGroups)

Test if this user is allowed to perform the function in the named AuthzGroups.

Specified by:

isAllowed in interface AuthzGroupService

Parameters:

user - The user id.

function - The function to open.

azGroups - A collection of AuthzGroup ids to consult.

Returns:

true if this user is allowed to perform the function in the named AuthzGroups, false if not.

getUsersIsAllowed

public Set<String> getUsersIsAllowed(String function,
                                     Collection<String> azGroups)

Get the set of user ids of users who are allowed to perform the function in the named AuthzGroups.

Specified by:

getUsersIsAllowed in interface AuthzGroupService

Parameters:

function - The function to check.

azGroups - A collection of the ids of AuthzGroups to consult.

Returns:

the Set (String) of user ids of users who are allowed to perform the function in the named AuthzGroups.

See Also:

For details on deleted users.

getUsersIsAllowedByGroup

public Set<String[]> getUsersIsAllowedByGroup(String function,
                                              Collection<String> azGroups)

Get the set of user ids per group of users who are allowed to perform the function in the named AuthzGroups. Use this method to get permission-related membership information from a set of groups efficiently, rather than iterating through each group.

Specified by:

getUsersIsAllowedByGroup in interface AuthzGroupService

Parameters:

function - The function to check.

azGroups - A collection of the ids of AuthzGroups to consult; if null, search them all (use with care).

Returns:

A Set of String arrays (userid, realm) with user ids per group who are allowed to perform the function.

See Also:

For details on deleted users.

getUserCountIsAllowed

public Map<String,Integer> getUserCountIsAllowed(String function,
                                                 Collection<String> azGroups)

Get the number of users per group who are allowed to perform the function in the given AuthzGroups. Use this method to get permission-related size information from a set of groups efficiently, rather than iterating through each group.

Specified by:

getUserCountIsAllowed in interface AuthzGroupService

Parameters:

function - The function to check.

azGroups - A collection of the ids of AuthzGroups to search; if null, search them all (use with care).

Returns:

A Map (authzgroupid (String) -> user count (Integer) ) of the number of users who are allowed to perform the function.

See Also:

For details on deleted users.

getAllowedFunctions

public Set getAllowedFunctions(String role,
                               Collection azGroups)

Get the set of functions that users with this role in these AuthzGroups are allowed to perform.

Specified by:

getAllowedFunctions in interface AuthzGroupService

Parameters:

role - The role name.

azGroups - A collection of AuthzGroup ids to consult.

Returns:

the Set (String) of functions that users with this role in these AuthzGroups are allowed to perform

getAuthzGroupsIsAllowed

public Set getAuthzGroupsIsAllowed(String userId,
                                   String function,
                                   Collection azGroups)

Get the set of AuthzGroup ids in which this user is allowed to perform this function.

Specified by:

getAuthzGroupsIsAllowed in interface AuthzGroupService

Parameters:

userId - The user id.

function - The function to check.

azGroups - The Collection of AuthzGroup ids to search; if null, search them all.

Returns:

the Set (String) of AuthzGroup ids in which this user is allowed to perform this function.

getUserRole

public String getUserRole(String userId,
                          String azGroupId)

Get the role name for this user in this AuthzGroup, if the user has membership (the membership gives the user a single role).

Specified by:

getUserRole in interface AuthzGroupService

Parameters:

userId - The user id.

azGroupId - The AuthzGroup id to consult, if it exists.

Returns:

the role name for this user in this AuthzGroup, if the user has active membership, or null if not.

getUserRoles

public Map<String,String> getUserRoles(String userId,
                                       Collection<String> azGroupIds)

Get all role names for a given user in a set of AuthzGroups.

Specified by:

getUserRoles in interface AuthzGroupService

Parameters:

userId - The user ID of the person to search for.

azGroupIds - A collection of AuthzGroup IDs to narrow the search (may be empty or null to search all).

Returns:

A Map (AuthzGroup ID -> role name) for every AuthzGroup where the user is a member, filtered to the set of AuthzGroups in azGroupIds (if non-null and non-empty).

getUsersRole

public Map getUsersRole(Collection userIds,
                        String azGroupId)

Get the role name for each user in the userIds Collection in this AuthzGroup, for each of these users who have membership (membership gives the user a single role).

Specified by:

getUsersRole in interface AuthzGroupService

Parameters:

userIds - The user ids as a Collection of String.

azGroupId - The AuthzGroup id to consult, if it exists.

Returns:

A Map (userId (String) -> role name (String)) of role names for each user who have active membership; if the user does not, it will not be in the Map.

encodeDummyUserForRole

public String encodeDummyUserForRole(String roleId)
                              throws IllegalArgumentException

Encode the role id to form the dummy user id that will be used to perform role checks. We check role access by performing an authz check against a dummy so that we don't have to load all of the roles and iterate through them and also to take advantage of caching.

Specified by:

encodeDummyUserForRole in interface AuthzGroupService

Parameters:

roleId - the string id of the role to encode

Returns:

a dummy user id which will pass authz checks for this role

Throws:

IllegalArgumentException - if no roleId is provided

decodeRoleFromDummyUser

public String decodeRoleFromDummyUser(String dummyUserId)
                               throws IllegalArgumentException

Decodes the dummy user id to provide the original roleId as encoded by encodeDummyUserForRole(String)

Specified by:

decodeRoleFromDummyUser in interface AuthzGroupService

Parameters:

dummyUserId - the string id of the dummy user to decode

Returns:

the decoded role, will return null if it could not be decoded.

Throws:

IllegalArgumentException - if no dummy user id is provided.

See Also:

AuthzGroupService.encodeDummyUserForRole(String)

refreshUser

public void refreshUser(String userId)

Refresh this user's AuthzGroup external definitions.

Specified by:

refreshUser in interface AuthzGroupService

Parameters:

userId - The user id.

updateSiteSecurity

protected void updateSiteSecurity(AuthzGroup azGroup)

Update the site security based on the values in the AuthzGroup, if it is a site AuthzGroup.

Parameters:

azGroup - The AuthzGroup.

removeSiteSecurity

protected void removeSiteSecurity(AuthzGroup azGroup)

Update the site security when an AuthzGroup is deleted, if it is a site AuthzGroup.

Parameters:

azGroup - The AuthzGroup.

getLabel

public String getLabel()

Specified by:

getLabel in interface EntityProducer

Returns:

a short string identifying the resources kept here, good for a file name or label.

willArchiveMerge

public boolean willArchiveMerge()

Specified by:

willArchiveMerge in interface EntityProducer

Returns:

true if the service wants to be part of archive / merge, false if not.

getHttpAccess

public HttpAccess getHttpAccess()

Get the HttpAccess object that supports entity access via the access servlet for my entities.

Specified by:

getHttpAccess in interface EntityProducer

Returns:

The HttpAccess object for my entities, or null if I do not support access.

parseEntityReference

public boolean parseEntityReference(String reference,
                                    Reference ref)

If the service recognizes the reference as its own, parse it and fill in the Reference

Specified by:

parseEntityReference in interface EntityProducer

Parameters:

reference - The reference string to examine.

ref - The Reference object to set with the results of the parse from a recognized reference.

Returns:

true if the reference belonged to the service, false if not.

extractEntityId

protected String extractEntityId(String reference)

Get the realm ID from a reference string.

Parameters:

reference - The reference to a realm. eg/realm//site/mercury

Returns:

The ID of the realm or null if it's not a realm reference.

getEntityDescription

public String getEntityDescription(Reference ref)

Create an entity description for the entity referenced - the entity will belong to the service.

Specified by:

getEntityDescription in interface EntityProducer

Parameters:

ref - The entity reference.

Returns:

The entity description, or null if one cannot be made.

getEntityResourceProperties

public ResourceProperties getEntityResourceProperties(Reference ref)

Access the resource properties for the referenced entity - the entity will belong to the service.

Specified by:

getEntityResourceProperties in interface EntityProducer

Parameters:

ref - The entity reference.

Returns:

The ResourceProperties object for the entity, or null if it has none.

getEntity

public Entity getEntity(Reference ref)

Access the referenced Entity - the entity will belong to the service.

Specified by:

getEntity in interface EntityProducer

Parameters:

ref - The entity reference.

Returns:

The Entity, or null if not found.

getEntityAuthzGroups

public Collection getEntityAuthzGroups(Reference ref,
                                       String userId)

Access a collection of authorization group ids for security on the for the referenced entity - the entity will belong to the service.

Specified by:

getEntityAuthzGroups in interface EntityProducer

Parameters:

ref - The entity reference.

userId - The userId for a user-specific set of groups, or null for the generic set.

Returns:

The entity's collection of authorization group ids, or null if this cannot be done.

getEntityUrl

public String getEntityUrl(Reference ref)

Access a URL for the referenced entity - the entity will belong to the service.

Specified by:

getEntityUrl in interface EntityProducer

Parameters:

ref - The entity reference.

Returns:

The entity's URL, or null if it does not have one.

archive

public String archive(String siteId,
                      Document doc,
                      Stack stack,
                      String archivePath,
                      List attachments)

Archive the resources for the given site.

Specified by:

archive in interface EntityProducer

Parameters:

siteId - the id of the site.

doc - The document to contain the xml.

stack - The stack of elements, the top of which will be the containing element of the "service.name" element.

archivePath - The path to the folder where we are writing auxilary files.

attachments - This should be an empty List into which the implementation will put any attachments that are needed to support the archived content. Implementation will may use List.contains(Object) so choice of implementation should reflect this.

Returns:

A log of status messages from the archive.

merge

public String merge(String siteId,
                    Element root,
                    String archivePath,
                    String fromSiteId,
                    Map attachmentNames,
                    Map userIdTrans,
                    Set userListAllowImport)

Merge the resources from the archive into the given site.

Specified by:

merge in interface EntityProducer

Parameters:

siteId - The id of the site getting imported into.

root - The XML DOM tree of content to merge.

archivePath - The path to the folder where we are reading auxilary files.

fromSiteId - The site id from which these items were archived.

attachmentNames - An empty map should be supplied and during the merge and any attachments that are renamed will be put into this map the key is the old attachment name (as found in the DOM) and the value is the new attachment name.

userIdTrans - A map supplied by the called containing keys of old user IDs and values of new user IDs that the content should be attributed to.

userListAllowImport - A list of user IDs for which the content should be imported. An importer should ignore content if the user ID of the creator isn't in this set.

Returns:

A log of status messages from the merge.

addAuthzGroupAdvisor

public void addAuthzGroupAdvisor(AuthzGroupAdvisor advisor)

Description copied from interface: AuthzGroupService

Registers a AuthzGroupAdvisor with the AuthzGroupService. Each advisor will be called during save(AuthzGroup).

Specified by:

addAuthzGroupAdvisor in interface AuthzGroupService

Parameters:

advisor - The AuthzGroupAdvisor to add

removeAuthzGroupAdvisor

public boolean removeAuthzGroupAdvisor(AuthzGroupAdvisor advisor)

Description copied from interface: AuthzGroupService

Removes an AuthzGroupAdvisor

Specified by:

removeAuthzGroupAdvisor in interface AuthzGroupService

Parameters:

advisor - The AuthzGroupAdvisor to remove

Returns:

Whether a AuthzGroupAdvisor was previously registered and hence removed

getAuthzGroupAdvisors

public List<AuthzGroupAdvisor> getAuthzGroupAdvisors()

Description copied from interface: AuthzGroupService

List of the current AuthzGroupAdvisors registered with the AuthzGroupService

Specified by:

getAuthzGroupAdvisors in interface AuthzGroupService

Returns:

List containing the currently registered AuthzGroupAdvisors

getMaintainRoles

public Set getMaintainRoles()

Description copied from interface: AuthzGroupService

Set of all maintain roles

Specified by:

getMaintainRoles in interface AuthzGroupService

Returns:

String Set containing all maintain roles.

getAdditionalRoles

public Set<String> getAdditionalRoles()

Gets a set of additional roles that can be added to an authz group. These roles shouldn't be assigned to members but users are part of the role through some other means (eg being a member of staff).

Specified by:

getAdditionalRoles in interface AuthzGroupService

Returns:

The set of role IDs that can be used, if no additional roles can be granted it should return an empty set.

isRoleAssignable

public boolean isRoleAssignable(String roleId)

Check if the supplied role can be assigned to a user.

Specified by:

isRoleAssignable in interface AuthzGroupService

Parameters:

roleId - The role ID to check.

Returns:

true if the role can be assigned to a user.

getRoleName

public String getRoleName(String roleId)

Get a nice display name for role.

Specified by:

getRoleName in interface AuthzGroupService

Parameters:

roleId - The role ID to check (eg .auth)

Returns:

A display name for the role, if there is no better name the original roleId should be returned.

getRoleGroupName

public String getRoleGroupName(String roleGroupId)

Get a nice display name for role group.

Specified by:

getRoleGroupName in interface AuthzGroupService

Parameters:

roleGroupId - The role group ID to check. Empty for generic name.

Returns:

A display name for the role group, if there is no better name the original roleGroupId should be returned.

isAllowedAnon

protected boolean isAllowedAnon()

Is the current user allowed to grant .anon access to the site?

Returns:

true if .anon can be granted.

isAllowedAuth

protected boolean isAllowedAuth()

Is the current user allowed to grant .auth access to the site?

Returns:

true if .auth can be granted.