File Source: UISecurityInterceptor.java

     1  /*
     2   * Licensed to the Apache Software Foundation (ASF) under one or more
     3   *  contributor license agreements.  The ASF licenses this file to You
     4   * under the Apache License, Version 2.0 (the "License"); you may not
     5   * use this file except in compliance with the License.
     6   * You may obtain a copy of the License at
     7   *
     8   *     http://www.apache.org/licenses/LICENSE-2.0
     9   *
    10   * Unless required by applicable law or agreed to in writing, software
    11   * distributed under the License is distributed on an "AS IS" BASIS,
    12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13   * See the License for the specific language governing permissions and
    14   * limitations under the License.  For additional information regarding
    15   * copyright in this work, please see the NOTICE file in the top level
    16   * directory of this distribution.
    17   */
    18  
    19  package org.apache.roller.weblogger.ui.struts2.util;
    20  
    21  import com.opensymphony.xwork2.ActionInvocation;
    22  import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
    23  import org.apache.commons.logging.Log;
    24  import org.apache.commons.logging.LogFactory;
    25  import org.apache.roller.weblogger.pojos.User;
    26  import org.apache.roller.weblogger.pojos.Weblog;
    27  
    28  
    29  /**
    30   * A struts2 interceptor that enforces the security requirements declared by weblogger ui actions.
         *
         * Only actions that implement UISecurityEnforced and are also a UIAction are
         * checked. Any other action falls through to invocation.invoke() with no check
         * at all, so the interceptor fails open for actions that do not opt in.
         *
         * A failed check short-circuits the invocation: the result name "access-denied"
         * is returned and invocation.invoke() is never called.
    31   */
         /* 
    P/P   *  Method: void org.apache.roller.weblogger.ui.struts2.util.UISecurityInterceptor()
          */
    32  public class UISecurityInterceptor extends AbstractInterceptor {
    33      
             /* 
    P/P       *  Method: org.apache.roller.weblogger.ui.struts2.util.UISecurityInterceptor__static_init
              * 
              *  Postconditions:
              *    init'ed(log)
              */
            // Class logger. Every denial in intercept() is written through log.debug only.
    34      private static Log log = LogFactory.getLog(UISecurityInterceptor.class);
    35      
    36      
            /**
             * Applies the action's declared access requirements before letting the
             * invocation proceed.
             *
             * Checks run in this order, each returning "access-denied" on failure:
             * an authenticated user exists; the user has requiredUserRole() when that
             * value is non-null; an action weblog exists when isWeblogRequired() is true;
             * the user has requiredWeblogPermissions() on that weblog when the value is
             * greater than -1. The role and weblog checks are nested inside the
             * isUserRequired() branch, so they are skipped when isUserRequired() is false.
             *
             * @param invocation the action invocation being intercepted
             * @return "access-denied" if a check fails, otherwise the value returned by
             *         invocation.invoke()
             * @throws Exception declared by the signature; presumably whatever
             *         invocation.invoke() throws (not visible in this file)
             */
    37      public String intercept(ActionInvocation invocation) throws Exception {
    38          
                 /* 
    P/P           *  Method: String intercept(ActionInvocation)
                  * 
                  *  Preconditions:
                  *    invocation != null
                  *    log != null
                  * 
                  *  Postconditions:
                  *    init'ed(return_value)
                  * 
                  *  Test Vectors:
                  *    org.apache.roller.weblogger.pojos.User:hasRole(...)@62: {1}, {0}
                  *    org.apache.roller.weblogger.pojos.Weblog:hasUserPermissions(...)@80: {1}, {0}
                  *    requiredWeblogPermissions(...)@78: {-2^15..-1}, {0..2^15-1}
                  *    theAction.actionWeblog@41: Inverse{null}, Addr_Set{null}
                  *    theAction.authenticatedUser@41: Inverse{null}, Addr_Set{null}
                  */
    39          log.debug("Entering UISecurityInterceptor");
    40          
    41          final Object action = invocation.getAction();
    42          
    43          // is this one of our own UIAction classes?
                // NOTE(review): an action that is not both UISecurityEnforced and UIAction
                // skips every check below and is invoked as-is; protection depends on each
                // sensitive action implementing both types.
    44          if (action instanceof UISecurityEnforced &&
    45                  action instanceof UIAction) {
    46              
    47              log.debug("action is UISecurityEnforced ... enforcing security rules");
    48              
    49              final UISecurityEnforced theAction = (UISecurityEnforced) action;
    50              
    51              // are we requiring an authenticated user?
                    // NOTE(review): when isUserRequired() is false, the role and weblog checks
                    // below do not run at all, even if isWeblogRequired() is true. Confirm no
                    // action relies on a weblog check without also requiring a user.
+   52              if(theAction.isUserRequired()) {
    53                  
    54                  User authenticatedUser = ((UIAction)theAction).getAuthenticatedUser();
    55                  if(authenticatedUser == null) {
                            // Denials are recorded at debug level only, so they are not
                            // logged unless debug logging is enabled for this class.
    56                      log.debug("DENIED: required user not found");
    57                      return "access-denied";
    58                  }
    59                  
    60                  // are we also enforcing a specific role?
                        // A null requiredUserRole() means no role check is applied.
                        // requiredUserRole() is called again for the check and the log
                        // message; this assumes it returns the same value on each call.
+   61                  if(theAction.requiredUserRole() != null) {
    62                      if(!authenticatedUser.hasRole(theAction.requiredUserRole())) {
    63                          log.debug("DENIED: user does not have role = "+theAction.requiredUserRole());
    64                          return "access-denied";
    65                      }
    66                  }
    67                  
    68                  // are we requiring a valid action weblog?
+   69                  if(theAction.isWeblogRequired()) {
    70                      
    71                      Weblog actionWeblog = ((UIAction)theAction).getActionWeblog();
    72                      if(actionWeblog == null) {
    73                          log.debug("DENIED: required action weblog not found");
    74                          return "access-denied";
    75                      }
    76                      
    77                      // are we also enforcing a specific weblog permission?
                            // A negative requiredWeblogPermissions() value disables the
                            // permission check; any value of 0 or more is enforced.
    78                      if(theAction.requiredWeblogPermissions() > -1) {
    79                          
    80                          if(!actionWeblog.hasUserPermissions(authenticatedUser,
    81                                  theAction.requiredWeblogPermissions())) {
    82                              log.debug("DENIED: user does not have required weblog permissions = "+
    83                                      theAction.requiredWeblogPermissions());
    84                              return "access-denied";
    85                          }
    86                      }
    87                  }
    88                  
    89              }
    90              
    91          }
    92          
                // Reached when every applicable check passed, or when none applied:
                // hand control to the rest of the invocation.
    93          return invocation.invoke();
    94      }
    95      
    96  }








SofCheck Inspector Build Version : 2.18479
UISecurityInterceptor.java 2009-Jan-02 14:24:44
UISecurityInterceptor.class 2009-Sep-04 03:12:45