001/* 
002    Licensed to the Apache Software Foundation (ASF) under one
003    or more contributor license agreements.  See the NOTICE file
004    distributed with this work for additional information
005    regarding copyright ownership.  The ASF licenses this file
006    to you under the Apache License, Version 2.0 (the
007    "License"); you may not use this file except in compliance
008    with the License.  You may obtain a copy of the License at
009
010       http://www.apache.org/licenses/LICENSE-2.0
011
012    Unless required by applicable law or agreed to in writing,
013    software distributed under the License is distributed on an
014    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015    KIND, either express or implied.  See the License for the
016    specific language governing permissions and limitations
017    under the License.  
018 */
019package org.apache.wiki.tags;
020
021import org.apache.commons.lang3.StringUtils;
022import org.apache.wiki.api.core.Command;
023import org.apache.wiki.api.core.Page;
024import org.apache.wiki.api.core.Session;
025import org.apache.wiki.api.providers.WikiProvider;
026import org.apache.wiki.auth.AuthorizationManager;
027import org.apache.wiki.auth.GroupPrincipal;
028import org.apache.wiki.auth.permissions.AllPermission;
029import org.apache.wiki.auth.permissions.GroupPermission;
030import org.apache.wiki.auth.permissions.PermissionFactory;
031import org.apache.wiki.auth.permissions.WikiPermission;
032import org.apache.wiki.pages.PageManager;
033import org.apache.wiki.ui.GroupCommand;
034
035import java.security.Permission;
036
037/**
038 *  Tells whether the user in the current wiki context possesses a particular
039 *  permission. The permission is typically a PagePermission (e.g., "edit", "view",
040 *  "delete", "comment", "upload"). It may also be a wiki-wide WikiPermission
041 *  ("createPages", "createGroups", "editProfile", "editPreferences", "login")
042 *  or the administrator permission ("allPermission"). GroupPermissions 
043 *  (e.g., "viewGroup", "editGroup", "deleteGroup").
044 *  <p>
045 *  Since 2.6, it is possible to list several permissions or use negative permissions,
046 *  e.g.
047 *  <pre>
048 *     &lt;wiki:Permission permission="edit|rename|view"&gt;
049 *        You have edit, rename, or  view permissions!
050 *     &lt;/wiki:Permission&gt;
051 *  </pre>
052 *  
053 *  or
054 *
055 *  <pre>
056 *     &lt;wiki:Permission permission="!upload"&gt;
057 *        You do not have permission to upload!
058 *     &lt;/wiki:Permission&gt;
059 *  </pre>
060 *  
061 *  @since 2.0
062 */
063public class PermissionTag extends WikiTagBase {
064
065    private static final String ALL_PERMISSION   = "allPermission";
066    private static final String CREATE_GROUPS    = "createGroups";
067    private static final String CREATE_PAGES     = "createPages";
068    private static final String DELETE_GROUP     = "deleteGroup";
069    private static final String EDIT             = "edit";
070    private static final String EDIT_GROUP       = "editGroup";
071    private static final String EDIT_PREFERENCES = "editPreferences";
072    private static final String EDIT_PROFILE     = "editProfile";
073    private static final String LOGIN            = "login";
074    private static final String VIEW_GROUP       = "viewGroup";
075    
076    private static final long serialVersionUID = 3761412993048982325L;
077    
078    private String[] m_permissionList;
079
080    /**
081     * Initializes the tag.
082     */
083    @Override
084    public void initTag() {
085        super.initTag();
086        m_permissionList = null;
087    }
088
089    /**
090     * Sets the permissions to look for (case sensitive).  See above for the format.
091     * 
092     * @param permission A list of permissions
093     */
094    public void setPermission( final String permission )
095    {
096        m_permissionList = StringUtils.split(permission,'|');
097    }
098
099    /**
100     *  Checks a single permission.
101     *  
102     *  @param permission permission to check for
103     *  @return true if granted, false if not
104     */
105    private boolean checkPermission( final String permission ) {
106        final Session session          = m_wikiContext.getWikiSession();
107        final Page page                = m_wikiContext.getPage();
108        final AuthorizationManager mgr = m_wikiContext.getEngine().getManager( AuthorizationManager.class );
109        boolean gotPermission          = false;
110        
111        if ( CREATE_GROUPS.equals( permission ) || CREATE_PAGES.equals( permission ) || EDIT_PREFERENCES.equals( permission ) || EDIT_PROFILE.equals( permission ) || LOGIN.equals( permission ) ) {
112            gotPermission = mgr.checkPermission( session, new WikiPermission( page.getWiki(), permission ) );
113        } else if ( VIEW_GROUP.equals( permission ) || EDIT_GROUP.equals( permission ) || DELETE_GROUP.equals( permission ) )  {
114            final Command command = m_wikiContext.getCommand();
115            gotPermission = false;
116            if ( command instanceof GroupCommand && command.getTarget() != null ) {
117                final GroupPrincipal group = (GroupPrincipal)command.getTarget();
118                final String groupName = group.getName();
119                String action = "view";
120                if( EDIT_GROUP.equals( permission ) ) {
121                    action = "edit";
122                } else if ( DELETE_GROUP.equals( permission ) ) {
123                    action = "delete";
124                }
125                gotPermission = mgr.checkPermission( session, new GroupPermission( groupName, action ) );
126            }
127        } else if ( ALL_PERMISSION.equals( permission ) ) {
128            gotPermission = mgr.checkPermission( session, new AllPermission( m_wikiContext.getEngine().getApplicationName() ) );
129        } else if ( page != null ) {
130            //
131            //  Edit tag also checks that we're not trying to edit an old version: they cannot be edited.
132            //
133            if( EDIT.equals(permission) ) {
134                final Page latest = m_wikiContext.getEngine().getManager( PageManager.class ).getPage( page.getName() );
135                if( page.getVersion() != WikiProvider.LATEST_VERSION && latest.getVersion() != page.getVersion() ) {
136                    return false;
137                }
138            }
139
140            final Permission p = PermissionFactory.getPagePermission( page, permission );
141            gotPermission = mgr.checkPermission( session, p );
142        }
143        
144        return gotPermission;
145    }
146    
147    /**
148     * Initializes the tag.
149     * @return the result of the tag: SKIP_BODY or EVAL_BODY_CONTINUE
150     */
151    @Override
152    public final int doWikiStartTag() {
153        for( final String perm : m_permissionList ) {
154            final boolean hasPermission;
155            if( perm.charAt( 0 ) == '!' ) {
156                hasPermission = !checkPermission( perm.substring( 1 ) );
157            } else {
158                hasPermission = checkPermission( perm );
159            }
160
161            if( hasPermission ) {
162                return EVAL_BODY_INCLUDE;
163            }
164        }
165
166        return SKIP_BODY;
167    }
168}