Posted to commits@isis.apache.org by da...@apache.org on 2022/12/08 11:15:03 UTC

[isis] branch ISIS-3303 created (now 9cce8147b0)

This is an automated email from the ASF dual-hosted git repository.

danhaywood pushed a change to branch ISIS-3303
in repository https://gitbox.apache.org/repos/asf/isis.git


      at 9cce8147b0 ISIS-3303: reworks UserMemento#isSystem to instead be a check for SudoService#ACCESS_ALL_ROLE

This branch includes the following new commits:

     new 9cce8147b0 ISIS-3303: reworks UserMemento#isSystem to instead be a check for SudoService#ACCESS_ALL_ROLE

The 1 revision listed above as "new" is entirely new to this
repository and will be described in a separate email.  Any revisions
listed as "add" were already present in the repository and have only
been added to this reference.



[isis] 01/01: ISIS-3303: reworks UserMemento#isSystem to instead be a check for SudoService#ACCESS_ALL_ROLE

Posted by da...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

danhaywood pushed a commit to branch ISIS-3303
in repository https://gitbox.apache.org/repos/asf/isis.git

commit 9cce8147b08c20321018d13c497446ae752344ca
Author: Dan Haywood <da...@haywood-associates.co.uk>
AuthorDate: Thu Dec 8 11:14:54 2022 +0000

    ISIS-3303: reworks UserMemento#isSystem to instead be a check for SudoService#ACCESS_ALL_ROLE
---
 .../causeway/applib/services/user/UserMemento.java |  9 ++--
 .../causeway/applib/services/user/UserService.java |  4 +-
 .../facets/TenantedAuthorizationFacetDefault.java  | 51 +++++++++-------------
 3 files changed, 28 insertions(+), 36 deletions(-)

diff --git a/api/applib/src/main/java/org/apache/causeway/applib/services/user/UserMemento.java b/api/applib/src/main/java/org/apache/causeway/applib/services/user/UserMemento.java
index caa631138d..0e25168845 100644
--- a/api/applib/src/main/java/org/apache/causeway/applib/services/user/UserMemento.java
+++ b/api/applib/src/main/java/org/apache/causeway/applib/services/user/UserMemento.java
@@ -24,11 +24,11 @@ import java.io.Serializable;
 import java.net.URL;
 import java.util.List;
 import java.util.Locale;
-import java.util.Objects;
 import java.util.stream.Stream;
 
 import javax.inject.Named;
 
+import org.apache.causeway.applib.services.sudo.SudoService;
 import org.springframework.context.event.EventListener;
 import org.springframework.core.annotation.Order;
 import org.springframework.lang.Nullable;
@@ -304,11 +304,12 @@ implements Serializable {
     }
 
     /**
-     * Whether this {@link UserMemento} represent the <i>system user</i>.
+     * Whether this {@link UserMemento}'s {@link UserMemento#getRoles() roles} contains the {@link SudoService}'s
+     * {@link SudoService#ACCESS_ALL_ROLE ACCESS_ALL_ROLE} role (meaning that security checks are disabled).
      */
     @Programmatic
-    public boolean isSystem() {
-        return Objects.equals(SYSTEM_USER, this);
+    public boolean hasSudoAccessAllRole() {
+        return roles.contains(SudoService.ACCESS_ALL_ROLE);
     }
 
     // -- UTILITY
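Review bot: The new `hasSudoAccessAllRole()` dereferences `roles` directly, and this hunk does not show how that field is initialised; if a memento can be constructed with a null role list, the old `Objects.equals` comparison would never have thrown but this one will. It is also a semantic change rather than a rename: callers that relied on `isSystem()` being true for `SYSTEM_USER` now get true only if that constant's roles actually include `SudoService#ACCESS_ALL_ROLE`, which is not visible here and is worth confirming. The Javadoc should make clear that this is the only thing consulted, e.g. `* Note that this is purely a lookup against this memento's own role list; it does not consult the system user or any other authority.` Since `isSystem()` is public applib API removed without a `@Deprecated` bridge, a short migration sentence on the replacement would help downstream users.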
diff --git a/api/applib/src/main/java/org/apache/causeway/applib/services/user/UserService.java b/api/applib/src/main/java/org/apache/causeway/applib/services/user/UserService.java
index ff01139c70..7b07fc65f4 100644
--- a/api/applib/src/main/java/org/apache/causeway/applib/services/user/UserService.java
+++ b/api/applib/src/main/java/org/apache/causeway/applib/services/user/UserService.java
@@ -106,9 +106,9 @@ public class UserService {
      * Whether the current user is the <i>system user</i> (as obtained from the
      * {@link InteractionContext} of the current thread).
      */
-    public boolean isCurrentUserWithSystemPrivileges() {
+    public boolean isCurrentUserWithSudoAccessAllRole() {
         return currentUser()
-                .map(UserMemento::isSystem)
+                .map(UserMemento::hasSudoAccessAllRole)
                 .orElse(false);
     }
 
diff --git a/extensions/security/secman/integration/src/main/java/org/apache/causeway/extensions/secman/integration/facets/TenantedAuthorizationFacetDefault.java b/extensions/security/secman/integration/src/main/java/org/apache/causeway/extensions/secman/integration/facets/TenantedAuthorizationFacetDefault.java
index 511f61fbc4..fd3ebf15f6 100644
--- a/extensions/security/secman/integration/src/main/java/org/apache/causeway/extensions/secman/integration/facets/TenantedAuthorizationFacetDefault.java
+++ b/extensions/security/secman/integration/src/main/java/org/apache/causeway/extensions/secman/integration/facets/TenantedAuthorizationFacetDefault.java
@@ -18,6 +18,8 @@
  */
 package org.apache.causeway.extensions.secman.integration.facets;
 
+import lombok.val;
+
 import java.util.List;
 
 import javax.inject.Provider;
@@ -27,11 +29,13 @@ import org.apache.causeway.applib.services.user.UserService;
 import org.apache.causeway.core.metamodel.facetapi.Facet;
 import org.apache.causeway.core.metamodel.facetapi.FacetAbstract;
 import org.apache.causeway.core.metamodel.facetapi.FacetHolder;
+import org.apache.causeway.core.metamodel.interactions.InteractionHead;
 import org.apache.causeway.core.metamodel.interactions.UsabilityContext;
 import org.apache.causeway.core.metamodel.interactions.VisibilityContext;
 import org.apache.causeway.extensions.secman.applib.tenancy.spi.ApplicationTenancyEvaluator;
 import org.apache.causeway.extensions.secman.applib.user.dom.ApplicationUser;
 import org.apache.causeway.extensions.secman.applib.user.dom.ApplicationUserRepository;
+import org.springframework.lang.Nullable;
 
 public class TenantedAuthorizationFacetDefault
 extends FacetAbstract
@@ -61,52 +65,33 @@ implements TenantedAuthorizationFacet {
 
     @Override
     public String hides(final VisibilityContext ic) {
-
-        if(evaluators == null
-                || evaluators.isEmpty()
-                || userService.isCurrentUserWithSystemPrivileges()) {
-            return null;
-        }
-
-        final Object domainObject = ic.getHead().getOwner().getPojo();
-        final String userName = userService.currentUserNameElseNobody();
-
-        final ApplicationUser applicationUser = findApplicationUser(userName);
-        if (applicationUser == null) {
-            // not expected, but best to be safe...
-            return "Could not locate application user for " + userName;
-        }
-
-        for (ApplicationTenancyEvaluator evaluator : evaluators) {
-            final String reason = evaluator.hides(domainObject, applicationUser);
-            if(reason != null) {
-                return reason;
-            }
-        }
-        return null;
+        return evaluate(ApplicationTenancyEvaluator::hides, ic.getHead());
     }
 
-
     @Override
     public String disables(final UsabilityContext ic) {
+        return evaluate(ApplicationTenancyEvaluator::disables, ic.getHead());
+    }
 
+    @Nullable
+    private String evaluate(EvaluationDispatcher evaluationDispatcher, InteractionHead head) {
         if(evaluators == null
                 || evaluators.isEmpty()
-                || userService.isCurrentUserWithSystemPrivileges()) {
+                || userService.isCurrentUserWithSudoAccessAllRole()) {
             return null;
         }
 
-        final Object domainObject = ic.getHead().getOwner().getPojo();
-        final String userName = userService.currentUserNameElseNobody();
+        val domainObject = head.getOwner().getPojo();
+        val userName = userService.currentUserNameElseNobody();
 
-        final ApplicationUser applicationUser = findApplicationUser(userName);
+        val applicationUser = findApplicationUser(userName);
         if (applicationUser == null) {
             // not expected, but best to be safe...
             return "Could not locate application user for " + userName;
         }
 
-        for (ApplicationTenancyEvaluator evaluator : evaluators) {
-            final String reason = evaluator.disables(domainObject, applicationUser);
+        for (val evaluator : evaluators) {
+            final String reason = evaluationDispatcher.dispatch(evaluator, domainObject, applicationUser);
             if(reason != null) {
                 return reason;
             }
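Review bot: `evaluate` is now the single place where tenancy vetoes are decided, including the bypass on the line `|| userService.isCurrentUserWithSudoAccessAllRole()`, yet it has no Javadoc and its parameters are not `final`, unlike the `hides`/`disables` signatures around it. A short Javadoc should state the contract: returns null (no veto) when no evaluators are configured or the current user carries `SudoService#ACCESS_ALL_ROLE`, returns a veto reason when the application user cannot be resolved, and otherwise returns the first non-null reason an evaluator gives. Suggested signature: `private String evaluate(final EvaluationDispatcher evaluationDispatcher, final InteractionHead head) {`. The body of `evaluate` continues past the end of this hunk.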
@@ -114,6 +99,10 @@ implements TenantedAuthorizationFacet {
         return null;
     }
 
+    interface EvaluationDispatcher {
+        String dispatch(ApplicationTenancyEvaluator evaluator, Object domainObject, ApplicationUser applicationUser);
+    }
+
 
     /**
      * Per {@link #findApplicationUserNoCache(String)},
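Review bot: `EvaluationDispatcher` is package-private and undocumented although its only use is the private `evaluate` method in this class; declaring it `@FunctionalInterface private interface EvaluationDispatcher {` keeps its visibility minimal and lets the compiler reject a second abstract method. A one-line Javadoc such as `/** Selects which {@link ApplicationTenancyEvaluator} callback (hides or disables) to apply. */` would explain the method references passed from `hides` and `disables`.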
@@ -132,4 +121,6 @@ implements TenantedAuthorizationFacet {
         return applicationUserRepository.findByUsername(userName).orElse(null);
     }
 
+
+
 }