001/* 002 Licensed to the Apache Software Foundation (ASF) under one 003 or more contributor license agreements. See the NOTICE file 004 distributed with this work for additional information 005 regarding copyright ownership. The ASF licenses this file 006 to you under the Apache License, Version 2.0 (the 007 "License"); you may not use this file except in compliance 008 with the License. You may obtain a copy of the License at 009 010 http://www.apache.org/licenses/LICENSE-2.0 011 012 Unless required by applicable law or agreed to in writing, 013 software distributed under the License is distributed on an 014 "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 015 KIND, either express or implied. See the License for the 016 specific language governing permissions and limitations 017 under the License. 018 */ 019package org.apache.wiki.tags; 020 021import org.apache.commons.lang3.StringUtils; 022import org.apache.wiki.api.core.Command; 023import org.apache.wiki.api.core.Page; 024import org.apache.wiki.api.core.Session; 025import org.apache.wiki.api.providers.WikiProvider; 026import org.apache.wiki.auth.AuthorizationManager; 027import org.apache.wiki.auth.GroupPrincipal; 028import org.apache.wiki.auth.permissions.AllPermission; 029import org.apache.wiki.auth.permissions.GroupPermission; 030import org.apache.wiki.auth.permissions.PermissionFactory; 031import org.apache.wiki.auth.permissions.WikiPermission; 032import org.apache.wiki.pages.PageManager; 033import org.apache.wiki.ui.GroupCommand; 034 035import java.security.Permission; 036 037/** 038 * Tells whether the user in the current wiki context possesses a particular 039 * permission. The permission is typically a PagePermission (e.g., "edit", "view", 040 * "delete", "comment", "upload"). It may also be a wiki-wide WikiPermission 041 * ("createPages", "createGroups", "editProfile", "editPreferences", "login") 042 * or the administrator permission ("allPermission"). GroupPermissions 043 * (e.g., "viewGroup", "editGroup", "deleteGroup"). 044 * <p> 045 * Since 2.6, it is possible to list several permissions or use negative permissions, 046 * e.g. 047 * <pre> 048 * <wiki:Permission permission="edit|rename|view"> 049 * You have edit, rename, or view permissions! 050 * </wiki:Permission> 051 * </pre> 052 * 053 * or 054 * 055 * <pre> 056 * <wiki:Permission permission="!upload"> 057 * You do not have permission to upload! 058 * </wiki:Permission> 059 * </pre> 060 * 061 * @since 2.0 062 */ 063public class PermissionTag extends WikiTagBase { 064 065 private static final String ALL_PERMISSION = "allPermission"; 066 private static final String CREATE_GROUPS = "createGroups"; 067 private static final String CREATE_PAGES = "createPages"; 068 private static final String DELETE_GROUP = "deleteGroup"; 069 private static final String EDIT = "edit"; 070 private static final String EDIT_GROUP = "editGroup"; 071 private static final String EDIT_PREFERENCES = "editPreferences"; 072 private static final String EDIT_PROFILE = "editProfile"; 073 private static final String LOGIN = "login"; 074 private static final String VIEW_GROUP = "viewGroup"; 075 076 private static final long serialVersionUID = 3761412993048982325L; 077 078 private String[] m_permissionList; 079 080 /** 081 * Initializes the tag. 082 */ 083 @Override 084 public void initTag() { 085 super.initTag(); 086 m_permissionList = null; 087 } 088 089 /** 090 * Sets the permissions to look for (case sensitive). See above for the format. 091 * 092 * @param permission A list of permissions 093 */ 094 public void setPermission( final String permission ) 095 { 096 m_permissionList = StringUtils.split(permission,'|'); 097 } 098 099 /** 100 * Checks a single permission. 101 * 102 * @param permission permission to check for 103 * @return true if granted, false if not 104 */ 105 private boolean checkPermission( final String permission ) { 106 final Session session = m_wikiContext.getWikiSession(); 107 final Page page = m_wikiContext.getPage(); 108 final AuthorizationManager mgr = m_wikiContext.getEngine().getManager( AuthorizationManager.class ); 109 boolean gotPermission = false; 110 111 if ( CREATE_GROUPS.equals( permission ) || CREATE_PAGES.equals( permission ) || EDIT_PREFERENCES.equals( permission ) || EDIT_PROFILE.equals( permission ) || LOGIN.equals( permission ) ) { 112 gotPermission = mgr.checkPermission( session, new WikiPermission( page.getWiki(), permission ) ); 113 } else if ( VIEW_GROUP.equals( permission ) || EDIT_GROUP.equals( permission ) || DELETE_GROUP.equals( permission ) ) { 114 final Command command = m_wikiContext.getCommand(); 115 gotPermission = false; 116 if ( command instanceof GroupCommand && command.getTarget() != null ) { 117 final GroupPrincipal group = (GroupPrincipal)command.getTarget(); 118 final String groupName = group.getName(); 119 String action = "view"; 120 if( EDIT_GROUP.equals( permission ) ) { 121 action = "edit"; 122 } else if ( DELETE_GROUP.equals( permission ) ) { 123 action = "delete"; 124 } 125 gotPermission = mgr.checkPermission( session, new GroupPermission( groupName, action ) ); 126 } 127 } else if ( ALL_PERMISSION.equals( permission ) ) { 128 gotPermission = mgr.checkPermission( session, new AllPermission( m_wikiContext.getEngine().getApplicationName() ) ); 129 } else if ( page != null ) { 130 // 131 // Edit tag also checks that we're not trying to edit an old version: they cannot be edited. 132 // 133 if( EDIT.equals(permission) ) { 134 final Page latest = m_wikiContext.getEngine().getManager( PageManager.class ).getPage( page.getName() ); 135 if( page.getVersion() != WikiProvider.LATEST_VERSION && latest.getVersion() != page.getVersion() ) { 136 return false; 137 } 138 } 139 140 final Permission p = PermissionFactory.getPagePermission( page, permission ); 141 gotPermission = mgr.checkPermission( session, p ); 142 } 143 144 return gotPermission; 145 } 146 147 /** 148 * Initializes the tag. 149 * @return the result of the tag: SKIP_BODY or EVAL_BODY_CONTINUE 150 */ 151 @Override 152 public final int doWikiStartTag() { 153 for( final String perm : m_permissionList ) { 154 final boolean hasPermission; 155 if( perm.charAt( 0 ) == '!' ) { 156 hasPermission = !checkPermission( perm.substring( 1 ) ); 157 } else { 158 hasPermission = checkPermission( perm ); 159 } 160 161 if( hasPermission ) { 162 return EVAL_BODY_INCLUDE; 163 } 164 } 165 166 return SKIP_BODY; 167 } 168}