You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@rave.apache.org by se...@apache.org on 2011/11/28 22:12:34 UTC
svn commit: r1207613 - in
/incubator/rave/trunk/rave-components/rave-core/src:
main/java/org/apache/rave/portal/security/impl/
main/java/org/apache/rave/portal/service/
test/java/org/apache/rave/portal/security/impl/
Author: secooper
Date: Mon Nov 28 21:12:33 2011
New Revision: 1207613
URL: http://svn.apache.org/viewvc?rev=1207613&view=rev
Log:
RAVE-341 patch to add security features to WidgetComments
Added:
incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/DefaultWidgetCommentPermissionEvaluator.java
incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/DefaultWidgetCommentPermissionEvaluatorTest.java
Modified:
incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/WidgetCommentService.java
Added: incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/DefaultWidgetCommentPermissionEvaluator.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/DefaultWidgetCommentPermissionEvaluator.java?rev=1207613&view=auto
==============================================================================
--- incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/DefaultWidgetCommentPermissionEvaluator.java (added)
+++ incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/DefaultWidgetCommentPermissionEvaluator.java Mon Nov 28 21:12:33 2011
@@ -0,0 +1,199 @@
+/*
+ * Copyright 2011 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.rave.portal.security.impl;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.List;
+import org.apache.rave.portal.model.User;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.apache.rave.portal.model.WidgetComment;
+import org.apache.rave.portal.repository.WidgetCommentRepository;
+import org.apache.rave.portal.security.ModelPermissionEvaluator.Permission;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.Authentication;
+import org.springframework.stereotype.Component;
+
+/**
+ */
+@Component
+public class DefaultWidgetCommentPermissionEvaluator extends AbstractModelPermissionEvaluator<WidgetComment> {
+
+ private Logger log = LoggerFactory.getLogger(getClass());
+ private WidgetCommentRepository widgetCommentRepository;
+
+ @Autowired
+ public DefaultWidgetCommentPermissionEvaluator(WidgetCommentRepository widgetCommentRepository) {
+ this.widgetCommentRepository = widgetCommentRepository;
+ }
+
+ @Override
+ public Class<WidgetComment> getType() {
+ return WidgetComment.class;
+ }
+
+ /**
+ * Checks to see if the Authentication object has the supplied Permission
+ * on the supplied Page object. This method invokes the private hasPermission
+ * function with the trustedDomainObject parameter set to false since we don't
+ * know if the model being passed in was modified in any way from the
+ * actual entity in the database.
+ *
+ * @param authentication the current Authentication object
+ * @param widgetComment the WidgetComment model object
+ * @param permission the Permission to check
+ * @return true if the Authentication has the proper permission, false otherwise
+ */
+ @Override
+ public boolean hasPermission(Authentication authentication, WidgetComment widgetComment, Permission permission) {
+ return hasPermission(authentication, widgetComment, permission, false);
+ }
+
+ /**
+ * Checks to see if the Authentication object has the supplied Permission
+ * for the Entity represented by the targetId(entityId) and targetType(model class name).
+ * This method invokes the private hasPermission function with the
+ * trustedDomainObject parameter set to true since we must pull the entity
+ * from the database and are guaranteed a trusted domain object,
+ * before performing our permission checks.
+ *
+ * @param authentication the current Authentication object
+ * @param targetId the entityId of the model to check, or a RaveSecurityContext object
+ * @param targetType the class of the model to check
+ * @param permission the Permission to check
+ * @return true if the Authentication has the proper permission, false otherwise
+ */
+ @Override
+ public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Permission permission) {
+ boolean hasPermission = false;
+ if (targetId instanceof RaveSecurityContext) {
+ hasPermission = verifyRaveSecurityContext(authentication, (RaveSecurityContext)targetId, permission);
+ } else {
+ hasPermission = hasPermission(authentication, widgetCommentRepository.get((Long)targetId), permission, true);
+ }
+ return hasPermission;
+ }
+
+ private boolean hasPermission(Authentication authentication, WidgetComment widgetComment, Permission permission, boolean trustedDomainObject) {
+ // this is our container of trusted page objects that can be re-used
+ // in this method so that the same trusted page object doesn't have to
+ // be looked up in the repository multiple times
+ List<WidgetComment> trustedWidgetCommentContainer = new ArrayList<WidgetComment>();
+
+ // first execute the AbstractModelPermissionEvaluator's hasPermission function
+ // to see if it allows permission via it's "higher authority" logic
+ if (super.hasPermission(authentication, widgetComment, permission)) {
+ return true;
+ }
+
+ // perform the security logic depending on the Permission type
+ boolean hasPermission = false;
+ switch (permission) {
+ case ADMINISTER:
+ // if you are here, you are not an administrator, so you can't administer pages
+ break;
+ case READ:
+ hasPermission = true;
+ break;
+ case CREATE:
+ hasPermission = isWidgetCommentOwnerById(authentication, widgetComment.getUser().getEntityId());
+ break;
+ case DELETE:
+ case UPDATE:
+ // anyone can create, delete, read, or update a page that they own
+ hasPermission = isWidgetCommentOwner(authentication, widgetComment, trustedWidgetCommentContainer, trustedDomainObject);
+ break;
+ default:
+ log.warn("unknown permission: " + permission);
+ break;
+ }
+
+ return hasPermission;
+ }
+
+ private boolean verifyRaveSecurityContext(Authentication authentication, RaveSecurityContext raveSecurityContext, Permission permission) {
+ Class<?> clazz = null;
+ try {
+ clazz = Class.forName(raveSecurityContext.getType());
+ } catch (ClassNotFoundException ex) {
+ throw new IllegalArgumentException("unknown class specified in RaveSecurityContext: ", ex);
+ }
+
+ // perform the permissions check based on the class supplied to the RaveSecurityContext object
+ if (WidgetComment.class == clazz) {
+
+ // perform the security logic depending on the Permission type
+ boolean hasPermission = false;
+ switch (permission) {
+ case ADMINISTER:
+ // if you are here, you are not an administrator, so you can't administer pages
+ break;
+ case READ:
+ hasPermission = true;
+ break;
+ case CREATE:
+ case DELETE:
+ case UPDATE:
+ // anyone can create, delete, read, or update a page that they own
+ hasPermission = isWidgetCommentOwnerById(authentication, (Long)raveSecurityContext.getId());
+ break;
+ default:
+ log.warn("unknown permission: " + permission);
+ break;
+ }
+
+ return hasPermission;
+ } else {
+ throw new IllegalArgumentException("unknown RaveSecurityContext type: " + raveSecurityContext.getType());
+ }
+ }
+
+
+ // checks to see if the Authentication object principal is the owner of the supplied widgetComment object
+ // if trustedDomainObject is false, pull the entity from the database first to ensure
+ // the model object is trusted and hasn't been modified
+ private boolean isWidgetCommentOwner(Authentication authentication, WidgetComment widgetComment, List<WidgetComment> trustedPageContainer, boolean trustedDomainObject) {
+ WidgetComment trustedWidgetComment = null;
+ if (trustedDomainObject) {
+ trustedWidgetComment = widgetComment;
+ } else {
+ trustedWidgetComment = getTrustedWidgetComment(widgetComment.getEntityId(), trustedPageContainer);
+ }
+
+ return isWidgetCommentOwnerByUsername(authentication, trustedWidgetComment.getUser().getUsername());
+ }
+
+ // returns a trusted Page object, either from the PageRepository, or the
+ // cached container list
+ private WidgetComment getTrustedWidgetComment(long widgetCommentId, List<WidgetComment> trustedWidgetCommentContainer) {
+ WidgetComment p = null;
+ if (trustedWidgetCommentContainer.isEmpty()) {
+ p = widgetCommentRepository.get(widgetCommentId);
+ trustedWidgetCommentContainer.add(p);
+ } else {
+ p = trustedWidgetCommentContainer.get(0);
+ }
+ return p;
+ }
+
+ private boolean isWidgetCommentOwnerByUsername(Authentication authentication, String username) {
+ return ((User)authentication.getPrincipal()).getUsername().equals(username);
+ }
+ private boolean isWidgetCommentOwnerById(Authentication authentication, Long userId) {
+ return ((User)authentication.getPrincipal()).getEntityId().equals(userId);
+ }
+}
Modified: incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/WidgetCommentService.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/WidgetCommentService.java?rev=1207613&r1=1207612&r2=1207613&view=diff
==============================================================================
--- incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/WidgetCommentService.java (original)
+++ incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/WidgetCommentService.java Mon Nov 28 21:12:33 2011
@@ -16,13 +16,18 @@
package org.apache.rave.portal.service;
import org.apache.rave.portal.model.WidgetComment;
+import org.springframework.security.access.prepost.PostAuthorize;
+import org.springframework.security.access.prepost.PreAuthorize;
public interface WidgetCommentService {
+ @PostAuthorize("hasPermission(returnObject, 'read')")
WidgetComment getWidgetComment(Long id);
+ @PreAuthorize("hasPermission(#widgetComment, 'create_or_update')")
void saveWidgetComment(WidgetComment widgetComment);
+ @PreAuthorize("hasPermission(#id, 'org.apache.rave.portal.model.WidgetComment', 'delete')")
void removeWidgetComment(Long id);
}
Added: incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/DefaultWidgetCommentPermissionEvaluatorTest.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/DefaultWidgetCommentPermissionEvaluatorTest.java?rev=1207613&view=auto
==============================================================================
--- incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/DefaultWidgetCommentPermissionEvaluatorTest.java (added)
+++ incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/DefaultWidgetCommentPermissionEvaluatorTest.java Mon Nov 28 21:12:33 2011
@@ -0,0 +1,231 @@
+/*
+ * Copyright 2011 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.rave.portal.security.impl;
+
+import org.apache.rave.portal.security.util.AuthenticationUtils;
+import org.apache.rave.portal.model.WidgetComment;
+import org.springframework.security.core.authority.GrantedAuthorityImpl;
+import java.util.ArrayList;
+import org.springframework.security.core.GrantedAuthority;
+import java.util.List;
+import org.apache.rave.portal.model.User;
+import org.springframework.security.core.Authentication;
+import org.apache.rave.portal.repository.WidgetCommentRepository;
+import org.apache.rave.portal.security.ModelPermissionEvaluator.Permission;
+import org.junit.Test;
+import org.junit.Before;
+import static org.junit.Assert.*;
+import static org.easymock.EasyMock.*;
+import static org.hamcrest.CoreMatchers.*;
+
+/**
+ *
+ */
+public class DefaultWidgetCommentPermissionEvaluatorTest {
+
+ private DefaultWidgetCommentPermissionEvaluator defaultWidgetCommentPermissionEvaluator;
+ private WidgetCommentRepository mockWidgetCommentRepository;
+ private Authentication mockAuthentication;
+ private WidgetComment widgetComment;
+ private User user, user2;
+ private List<GrantedAuthority> grantedAuthoritiesList;
+
+ private final Long VALID_COMMENT_ID = 3L;
+ private final Long VALID_USER_ID = 99L;
+ private final Long INVALID_USER_ID = VALID_USER_ID + 1;
+ private final String VALID_USERNAME = "john.doe";
+ private final String VALID_USERNAME2 = "jane.doe";
+ @Before
+ public void setUp() {
+ mockWidgetCommentRepository = createMock(WidgetCommentRepository.class);
+ mockAuthentication = createMock(Authentication.class);
+ defaultWidgetCommentPermissionEvaluator = new DefaultWidgetCommentPermissionEvaluator(mockWidgetCommentRepository);
+
+ user = new User();
+ user.setUsername(VALID_USERNAME);
+ user.setEntityId(VALID_USER_ID);
+ user2 = new User();
+ user2.setUsername(VALID_USERNAME2);
+ user2.setEntityId(INVALID_USER_ID);
+ widgetComment = new WidgetComment();
+ widgetComment.setEntityId(VALID_COMMENT_ID);
+ widgetComment.setUser(user);
+ grantedAuthoritiesList = new ArrayList<GrantedAuthority>();
+ grantedAuthoritiesList.add(new GrantedAuthorityImpl("ROLE_USER"));
+ }
+
+ @Test
+ public void testGetType() throws ClassNotFoundException {
+ assertThat(defaultWidgetCommentPermissionEvaluator.getType().getName(), is(WidgetComment.class.getName()));
+ }
+
+ @Test
+ public void verifyNotAdministrator() {
+ expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+ replay(mockAuthentication);
+
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, null, Permission.ADMINISTER), is(false));
+ verify(mockAuthentication);
+ }
+
+
+ @Test
+ public void verifyAdministrator() {
+ List myGrantedAuthoritiesList = new ArrayList();
+ myGrantedAuthoritiesList.addAll(grantedAuthoritiesList);
+ myGrantedAuthoritiesList.add(new GrantedAuthorityImpl(AuthenticationUtils.ROLE_ADMIN));
+
+ expect(mockAuthentication.getAuthorities()).andReturn(myGrantedAuthoritiesList);
+ replay(mockAuthentication);
+
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, null, Permission.ADMINISTER), is(true));
+ verify(mockAuthentication);
+ }
+
+ @Test
+ public void testOwnerPermissions() {
+ expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList).anyTimes();
+ expect(mockAuthentication.getPrincipal()).andReturn(user).anyTimes();
+ replay(mockAuthentication);
+ expect(mockWidgetCommentRepository.get(VALID_COMMENT_ID)).andReturn(widgetComment).anyTimes();
+ replay(mockWidgetCommentRepository);
+
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, widgetComment, Permission.ADMINISTER), is(false));
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, widgetComment, Permission.CREATE), is(true));
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, widgetComment, Permission.READ), is(true));
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, widgetComment, Permission.DELETE), is(true));
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, widgetComment, Permission.UPDATE), is(true));
+
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, widgetComment, Permission.CREATE_OR_UPDATE), is(false));
+ verify(mockAuthentication);
+ verify(mockWidgetCommentRepository);
+ }
+
+ @Test
+ public void testNonOwnerPermissions() {
+ expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList).anyTimes();
+ expect(mockAuthentication.getPrincipal()).andReturn(user2).anyTimes();
+ replay(mockAuthentication);
+ expect(mockWidgetCommentRepository.get(VALID_COMMENT_ID)).andReturn(widgetComment).anyTimes();
+ replay(mockWidgetCommentRepository);
+
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, widgetComment, Permission.ADMINISTER), is(false));
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, widgetComment, Permission.CREATE), is(false));
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, widgetComment, Permission.READ), is(true));
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, widgetComment, Permission.DELETE), is(false));
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, widgetComment, Permission.UPDATE), is(false));
+
+
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, widgetComment, Permission.CREATE_OR_UPDATE), is(false));
+ verify(mockAuthentication);
+ verify(mockWidgetCommentRepository);
+ }
+
+ @Test
+ public void testOwnerPermissionsById() {
+ expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList).anyTimes();
+ expect(mockAuthentication.getPrincipal()).andReturn(user).anyTimes();
+ replay(mockAuthentication);
+ expect(mockWidgetCommentRepository.get(VALID_COMMENT_ID)).andReturn(widgetComment).anyTimes();
+ replay(mockWidgetCommentRepository);
+
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, VALID_COMMENT_ID, WidgetComment.class.getName(), Permission.ADMINISTER), is(false));
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, VALID_COMMENT_ID, WidgetComment.class.getName(), Permission.CREATE), is(true));
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, VALID_COMMENT_ID, WidgetComment.class.getName(), Permission.READ), is(true));
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, VALID_COMMENT_ID, WidgetComment.class.getName(), Permission.DELETE), is(true));
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, VALID_COMMENT_ID, WidgetComment.class.getName(), Permission.UPDATE), is(true));
+
+
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, VALID_COMMENT_ID, WidgetComment.class.getName(), Permission.CREATE_OR_UPDATE), is(false));
+ verify(mockAuthentication);
+ verify(mockWidgetCommentRepository);
+ }
+
+ @Test
+ public void testNonOwnerPermissionsById() {
+ expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList).anyTimes();
+ expect(mockAuthentication.getPrincipal()).andReturn(user2).anyTimes();
+ replay(mockAuthentication);
+ expect(mockWidgetCommentRepository.get(VALID_COMMENT_ID)).andReturn(widgetComment).anyTimes();
+ replay(mockWidgetCommentRepository);
+
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, VALID_COMMENT_ID, WidgetComment.class.getName(), Permission.ADMINISTER), is(false));
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, VALID_COMMENT_ID, WidgetComment.class.getName(), Permission.CREATE), is(false));
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, VALID_COMMENT_ID, WidgetComment.class.getName(), Permission.READ), is(true));
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, VALID_COMMENT_ID, WidgetComment.class.getName(), Permission.DELETE), is(false));
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, VALID_COMMENT_ID, WidgetComment.class.getName(), Permission.UPDATE), is(false));
+
+
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, VALID_COMMENT_ID, WidgetComment.class.getName(), Permission.CREATE_OR_UPDATE), is(false));
+ verify(mockAuthentication);
+ verify(mockWidgetCommentRepository);
+ }
+
+ @Test
+ public void testOwnerPremissionBySecurityContext() {
+ RaveSecurityContext raveSecurityContext = new RaveSecurityContext(VALID_USER_ID, WidgetComment.class.getName());
+
+ expect(mockAuthentication.getPrincipal()).andReturn(user).anyTimes();
+ replay(mockAuthentication);
+
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, raveSecurityContext, WidgetComment.class.getName(), Permission.ADMINISTER), is(false));
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, raveSecurityContext, WidgetComment.class.getName(), Permission.CREATE), is(true));
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, raveSecurityContext, WidgetComment.class.getName(), Permission.READ), is(true));
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, raveSecurityContext, WidgetComment.class.getName(), Permission.DELETE), is(true));
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, raveSecurityContext, WidgetComment.class.getName(), Permission.UPDATE), is(true));
+
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, raveSecurityContext, WidgetComment.class.getName(), Permission.CREATE_OR_UPDATE), is(false));
+ verify(mockAuthentication);
+ }
+
+ @Test
+ public void testNonOwnerPremissionBySecurityContext() {
+ RaveSecurityContext raveSecurityContext = new RaveSecurityContext(INVALID_USER_ID, WidgetComment.class.getName());
+
+ expect(mockAuthentication.getPrincipal()).andReturn(user).anyTimes();
+ replay(mockAuthentication);
+
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, raveSecurityContext, WidgetComment.class.getName(), Permission.ADMINISTER), is(false));
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, raveSecurityContext, WidgetComment.class.getName(), Permission.CREATE), is(false));
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, raveSecurityContext, WidgetComment.class.getName(), Permission.READ), is(true));
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, raveSecurityContext, WidgetComment.class.getName(), Permission.DELETE), is(false));
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, raveSecurityContext, WidgetComment.class.getName(), Permission.UPDATE), is(false));
+
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, raveSecurityContext, WidgetComment.class.getName(), Permission.CREATE_OR_UPDATE), is(false));
+ verify(mockAuthentication);
+ }
+
+ @Test
+ public void testCreationPremission() {
+ //Widget.entityId is not set in this case
+
+ expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList).anyTimes();
+ expect(mockAuthentication.getPrincipal()).andReturn(user).anyTimes();
+ replay(mockAuthentication);
+
+ WidgetComment localWidgetComment = new WidgetComment();
+ User localUser = new User();
+ localUser.setEntityId(VALID_USER_ID);
+ localWidgetComment.setUser(localUser);
+ expect(mockWidgetCommentRepository.get(VALID_COMMENT_ID)).andReturn(localWidgetComment).anyTimes();
+ replay(mockWidgetCommentRepository);
+
+ assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication, localWidgetComment, Permission.CREATE), is(true));
+
+ verify(mockAuthentication);
+ verify(mockWidgetCommentRepository);
+ }
+}
\ No newline at end of file