You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@isis.apache.org by da...@apache.org on 2022/12/08 11:15:04 UTC
[isis] 01/01: ISIS-3303: reworks UserMemento#isSystem to instead be a check for SudoService#ACCESS_ALL_ROLE
This is an automated email from the ASF dual-hosted git repository.
danhaywood pushed a commit to branch ISIS-3303
in repository https://gitbox.apache.org/repos/asf/isis.git
commit 9cce8147b08c20321018d13c497446ae752344ca
Author: Dan Haywood <da...@haywood-associates.co.uk>
AuthorDate: Thu Dec 8 11:14:54 2022 +0000
ISIS-3303: reworks UserMemento#isSystem to instead be a check for SudoService#ACCESS_ALL_ROLE
---
.../causeway/applib/services/user/UserMemento.java | 9 ++--
.../causeway/applib/services/user/UserService.java | 4 +-
.../facets/TenantedAuthorizationFacetDefault.java | 51 +++++++++-------------
3 files changed, 28 insertions(+), 36 deletions(-)
diff --git a/api/applib/src/main/java/org/apache/causeway/applib/services/user/UserMemento.java b/api/applib/src/main/java/org/apache/causeway/applib/services/user/UserMemento.java
index caa631138d..0e25168845 100644
--- a/api/applib/src/main/java/org/apache/causeway/applib/services/user/UserMemento.java
+++ b/api/applib/src/main/java/org/apache/causeway/applib/services/user/UserMemento.java
@@ -24,11 +24,11 @@ import java.io.Serializable;
import java.net.URL;
import java.util.List;
import java.util.Locale;
-import java.util.Objects;
import java.util.stream.Stream;
import javax.inject.Named;
+import org.apache.causeway.applib.services.sudo.SudoService;
import org.springframework.context.event.EventListener;
import org.springframework.core.annotation.Order;
import org.springframework.lang.Nullable;
@@ -304,11 +304,12 @@ implements Serializable {
}
/**
- * Whether this {@link UserMemento} represent the <i>system user</i>.
+ * Whether this {@link UserMemento}'s {@link UserMemento#getRoles() roles} contains the {@link SudoService}'s
+ * {@link SudoService#ACCESS_ALL_ROLE ACCESS_ALL_ROLE} role (meaning that security checks are disabled).
*/
@Programmatic
- public boolean isSystem() {
- return Objects.equals(SYSTEM_USER, this);
+ public boolean hasSudoAccessAllRole() {
+ return roles.contains(SudoService.ACCESS_ALL_ROLE);
}
// -- UTILITY
diff --git a/api/applib/src/main/java/org/apache/causeway/applib/services/user/UserService.java b/api/applib/src/main/java/org/apache/causeway/applib/services/user/UserService.java
index ff01139c70..7b07fc65f4 100644
--- a/api/applib/src/main/java/org/apache/causeway/applib/services/user/UserService.java
+++ b/api/applib/src/main/java/org/apache/causeway/applib/services/user/UserService.java
@@ -106,9 +106,9 @@ public class UserService {
* Whether the current user is the <i>system user</i> (as obtained from the
* {@link InteractionContext} of the current thread).
*/
- public boolean isCurrentUserWithSystemPrivileges() {
+ public boolean isCurrentUserWithSudoAccessAllRole() {
return currentUser()
- .map(UserMemento::isSystem)
+ .map(UserMemento::hasSudoAccessAllRole)
.orElse(false);
}
diff --git a/extensions/security/secman/integration/src/main/java/org/apache/causeway/extensions/secman/integration/facets/TenantedAuthorizationFacetDefault.java b/extensions/security/secman/integration/src/main/java/org/apache/causeway/extensions/secman/integration/facets/TenantedAuthorizationFacetDefault.java
index 511f61fbc4..fd3ebf15f6 100644
--- a/extensions/security/secman/integration/src/main/java/org/apache/causeway/extensions/secman/integration/facets/TenantedAuthorizationFacetDefault.java
+++ b/extensions/security/secman/integration/src/main/java/org/apache/causeway/extensions/secman/integration/facets/TenantedAuthorizationFacetDefault.java
@@ -18,6 +18,8 @@
*/
package org.apache.causeway.extensions.secman.integration.facets;
+import lombok.val;
+
import java.util.List;
import javax.inject.Provider;
@@ -27,11 +29,13 @@ import org.apache.causeway.applib.services.user.UserService;
import org.apache.causeway.core.metamodel.facetapi.Facet;
import org.apache.causeway.core.metamodel.facetapi.FacetAbstract;
import org.apache.causeway.core.metamodel.facetapi.FacetHolder;
+import org.apache.causeway.core.metamodel.interactions.InteractionHead;
import org.apache.causeway.core.metamodel.interactions.UsabilityContext;
import org.apache.causeway.core.metamodel.interactions.VisibilityContext;
import org.apache.causeway.extensions.secman.applib.tenancy.spi.ApplicationTenancyEvaluator;
import org.apache.causeway.extensions.secman.applib.user.dom.ApplicationUser;
import org.apache.causeway.extensions.secman.applib.user.dom.ApplicationUserRepository;
+import org.springframework.lang.Nullable;
public class TenantedAuthorizationFacetDefault
extends FacetAbstract
@@ -61,52 +65,33 @@ implements TenantedAuthorizationFacet {
@Override
public String hides(final VisibilityContext ic) {
-
- if(evaluators == null
- || evaluators.isEmpty()
- || userService.isCurrentUserWithSystemPrivileges()) {
- return null;
- }
-
- final Object domainObject = ic.getHead().getOwner().getPojo();
- final String userName = userService.currentUserNameElseNobody();
-
- final ApplicationUser applicationUser = findApplicationUser(userName);
- if (applicationUser == null) {
- // not expected, but best to be safe...
- return "Could not locate application user for " + userName;
- }
-
- for (ApplicationTenancyEvaluator evaluator : evaluators) {
- final String reason = evaluator.hides(domainObject, applicationUser);
- if(reason != null) {
- return reason;
- }
- }
- return null;
+ return evaluate(ApplicationTenancyEvaluator::hides, ic.getHead());
}
-
@Override
public String disables(final UsabilityContext ic) {
+ return evaluate(ApplicationTenancyEvaluator::disables, ic.getHead());
+ }
+ @Nullable
+ private String evaluate(EvaluationDispatcher evaluationDispatcher, InteractionHead head) {
if(evaluators == null
|| evaluators.isEmpty()
- || userService.isCurrentUserWithSystemPrivileges()) {
+ || userService.isCurrentUserWithSudoAccessAllRole()) {
return null;
}
- final Object domainObject = ic.getHead().getOwner().getPojo();
- final String userName = userService.currentUserNameElseNobody();
+ val domainObject = head.getOwner().getPojo();
+ val userName = userService.currentUserNameElseNobody();
- final ApplicationUser applicationUser = findApplicationUser(userName);
+ val applicationUser = findApplicationUser(userName);
if (applicationUser == null) {
// not expected, but best to be safe...
return "Could not locate application user for " + userName;
}
- for (ApplicationTenancyEvaluator evaluator : evaluators) {
- final String reason = evaluator.disables(domainObject, applicationUser);
+ for (val evaluator : evaluators) {
+ final String reason = evaluationDispatcher.dispatch(evaluator, domainObject, applicationUser);
if(reason != null) {
return reason;
}
@@ -114,6 +99,10 @@ implements TenantedAuthorizationFacet {
return null;
}
+ interface EvaluationDispatcher {
+ String dispatch(ApplicationTenancyEvaluator evaluator, Object domainObject, ApplicationUser applicationUser);
+ }
+
/**
* Per {@link #findApplicationUserNoCache(String)},
@@ -132,4 +121,6 @@ implements TenantedAuthorizationFacet {
return applicationUserRepository.findByUsername(userName).orElse(null);
}
+
+
}