001: /*
002: * Copyright 2007 The Kuali Foundation.
003: *
004: * Licensed under the Educational Community License, Version 1.0 (the "License");
005: * you may not use this file except in compliance with the License.
006: * You may obtain a copy of the License at
007: *
008: * http://www.opensource.org/licenses/ecl1.php
009: *
010: * Unless required by applicable law or agreed to in writing, software
011: * distributed under the License is distributed on an "AS IS" BASIS,
012: * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013: * See the License for the specific language governing permissions and
014: * limitations under the License.
015: */
016: package org.kuali.core.document.authorization;
017:
018: import java.util.HashMap;
019: import java.util.List;
020: import java.util.Map;
021:
022: import org.apache.commons.lang.StringUtils;
023: import org.kuali.RiceConstants;
024: import org.kuali.core.authorization.AuthorizationConstants;
025: import org.kuali.core.bo.user.UniversalUser;
026: import org.kuali.core.datadictionary.MaintainableFieldDefinition;
027: import org.kuali.core.datadictionary.MaintainableItemDefinition;
028: import org.kuali.core.datadictionary.MaintainableSectionDefinition;
029: import org.kuali.core.document.Document;
030: import org.kuali.core.document.MaintenanceDocument;
031: import org.kuali.core.workflow.service.KualiWorkflowDocument;
032: import org.kuali.rice.KNSServiceLocator;
033:
034: public class MaintenanceDocumentAuthorizerBase extends
035: DocumentAuthorizerBase implements MaintenanceDocumentAuthorizer {
036:
037: /**
038: * @see org.kuali.core.authorization.MaintenanceDocumentAuthorizer#getFieldAuthorizations(org.kuali.core.document.MaintenanceDocument,
039: * org.kuali.core.bo.user.KualiUser)
040: */
041: public MaintenanceDocumentAuthorizations getFieldAuthorizations(
042: MaintenanceDocument document, UniversalUser user) {
043: // by default, there are no restrictions, only if this method is
044: // overridden by a subclass that adds restrictions
045: return new MaintenanceDocumentAuthorizations();
046: }
047:
048: /**
049: *
050: * @see org.kuali.core.authorization.DocumentAuthorizer#getDocumentActionFlags(org.kuali.core.document.Document,
051: * org.kuali.core.bo.user.KualiUser)
052: */
053: public DocumentActionFlags getDocumentActionFlags(
054: Document document, UniversalUser user) {
055:
056: // run the super, let the common flags be set
057: MaintenanceDocumentActionFlags docActionFlags = new MaintenanceDocumentActionFlags(
058: super .getDocumentActionFlags(document, user));
059:
060: // run the fieldAuthorizations
061: MaintenanceDocument maintDoc = (MaintenanceDocument) document;
062: MaintenanceDocumentAuthorizations docAuths = getFieldAuthorizations(
063: maintDoc, user);
064:
065: // if there are any field restrictions for this user, then we need to turn off the
066: // ability to BlanketApprove, as this person doesnt have access to all the fields, so
067: // they certainly cant blanket approve it.
068: if (docAuths.hasAnyFieldRestrictions()) {
069: docActionFlags.setCanBlanketApprove(false);
070: }
071:
072: KualiWorkflowDocument workflowDocument = document
073: .getDocumentHeader().getWorkflowDocument();
074:
075: // if a user can't initiate a document of this type then they can't copy one, either
076: if (!canCopy(workflowDocument.getDocumentType(), user)) {
077: docActionFlags.setCanCopy(false);
078: } else {
079: docActionFlags
080: .setCanCopy(document.getAllowsCopy()
081: && (!workflowDocument.stateIsInitiated()
082: && !workflowDocument
083: .stateIsEnroute()
084: && !workflowDocument
085: .stateIsException() && !workflowDocument
086: .stateIsSaved()));
087: }
088:
089: return docActionFlags;
090: }
091:
092: /**
093: * @see org.kuali.core.authorization.DocumentAuthorizer#getEditMode(org.kuali.core.document.Document,
094: * org.kuali.core.bo.user.KualiUser)
095: */
096: public Map getEditMode(Document document, UniversalUser user) {
097:
098: // if this is not a MaintenanceDocument, then fail loudly, something is badly wrong
099: if (!MaintenanceDocument.class.isAssignableFrom(document
100: .getClass())) {
101: throw new IllegalArgumentException(
102: "A document was passed into MaintenanceDocumentAuthorizerBase.getEditMode() "
103: + "that is not a MaintenanceDocument descendent. Processing cannot continue.");
104: }
105:
106: Map editMode = new HashMap();
107:
108: // cast the document as a MaintenanceDocument, and get a handle on the workflowDocument
109: MaintenanceDocument maintenanceDocument = (MaintenanceDocument) document;
110: KualiWorkflowDocument workflowDocument = maintenanceDocument
111: .getDocumentHeader().getWorkflowDocument();
112:
113: // default to view-only, as a safety precaution
114: String editModeKey = AuthorizationConstants.MaintenanceEditMode.VIEW_ONLY;
115:
116: // if the document is cancelled, then its view only
117: if (workflowDocument.stateIsCanceled()) {
118: editModeKey = AuthorizationConstants.MaintenanceEditMode.VIEW_ONLY;
119: }
120:
121: // if the document is being edited, then its full entry, or if the current user is
122: // the system supervisor
123: else if (workflowDocument.stateIsInitiated()
124: || workflowDocument.stateIsSaved()) {
125: if (workflowDocument.userIsInitiator(user)) {
126: editModeKey = AuthorizationConstants.MaintenanceEditMode.FULL_ENTRY;
127:
128: // initiators of documents for new records can view these fields for the documents while they're sitll under the control
129: // of the initiators. If they are always allowed access to the document, then they would be able to view the changes that
130: // were made during routing, which would be a bad idea, as the router may have edited sensitive information enroute
131: if (isDocumentForCreatingNewEntry(maintenanceDocument)) {
132: addAllMaintDocDefinedEditModesToMap(editMode,
133: maintenanceDocument);
134: }
135: }
136: }
137:
138: // if the document is in routing, then we have some special rules
139: else if (workflowDocument.stateIsEnroute()) {
140:
141: // the person who has the approval request in their Actiong List
142: // should be able to modify the document
143: if (workflowDocument.isApprovalRequested()) {
144: editModeKey = AuthorizationConstants.MaintenanceEditMode.APPROVER_EDIT_ENTRY;
145: }
146: }
147:
148: // save the editmode
149: editMode.put(editModeKey, "TRUE");
150: return editMode;
151: }
152:
153: protected void addAllMaintDocDefinedEditModesToMap(Map editModes,
154: MaintenanceDocument maintDoc) {
155: String docTypeName = maintDoc.getDocumentHeader()
156: .getWorkflowDocument().getDocumentType();
157: List<MaintainableSectionDefinition> sectionDefinitions = KNSServiceLocator
158: .getMaintenanceDocumentDictionaryService()
159: .getMaintainableSections(docTypeName);
160:
161: for (MaintainableSectionDefinition sectionDefinition : sectionDefinitions) {
162: for (MaintainableItemDefinition itemDefinition : sectionDefinition
163: .getMaintainableItems()) {
164: if (itemDefinition instanceof MaintainableFieldDefinition) {
165: String displayEditMode = ((MaintainableFieldDefinition) itemDefinition)
166: .getDisplayEditMode();
167: if (StringUtils.isNotBlank(displayEditMode)) {
168: editModes.put(displayEditMode, "TRUE");
169: }
170: }
171: // TODO: what about MaintainableCollectionDefinition?
172: }
173: }
174: }
175:
176: /**
177: * This method returns whether this document is creating a new entry in the maintenible/underlying table
178: *
179: * This method is useful to determine whether all the field-based edit modes should be enabled, which is
180: * useful in determining which fields are encrypted
181: *
182: * This method considers that Constants.MAINTENANCE_NEWWITHEXISTING_ACTION is not a new document because
183: * there is uncertainity how documents with this action will actually be implemented
184: *
185: * @param maintDoc
186: * @param user
187: * @return
188: */
189: protected boolean isDocumentForCreatingNewEntry(
190: MaintenanceDocument maintDoc) {
191: // the rule is as follows: if the maint doc represents a new record AND the user is the same user who initiated the maintenance doc
192: // if the user check is not added, then it would be pointless to do any encryption since I can just pull up a document to view the encrypted values
193:
194: // A maint doc is new when the new maintainable maintenance flag is set to either Constants.MAINTENANCE_NEW_ACTION or Constants.MAINTENANCE_COPY_ACTION
195: String maintAction = maintDoc.getNewMaintainableObject()
196: .getMaintenanceAction();
197: return (RiceConstants.MAINTENANCE_NEW_ACTION
198: .equals(maintAction) || RiceConstants.MAINTENANCE_COPY_ACTION
199: .equals(maintAction));
200: }
201: }
|