This is an automated email from the ASF dual-hosted git repository. danhaywood pushed a commit to branch ISIS-3303 in repository https://gitbox.apache.org/repos/asf/isis.git
commit 9cce8147b08c20321018d13c497446ae752344ca Author: Dan Haywood <d...@haywood-associates.co.uk> AuthorDate: Thu Dec 8 11:14:54 2022 +0000 ISIS-3303: reworks UserMemento#isSystem to instead be a check for SudoService#ACCESS_ALL_ROLE --- .../causeway/applib/services/user/UserMemento.java | 9 ++-- .../causeway/applib/services/user/UserService.java | 4 +- .../facets/TenantedAuthorizationFacetDefault.java | 51 +++++++++------------- 3 files changed, 28 insertions(+), 36 deletions(-) diff --git a/api/applib/src/main/java/org/apache/causeway/applib/services/user/UserMemento.java b/api/applib/src/main/java/org/apache/causeway/applib/services/user/UserMemento.java index caa631138d..0e25168845 100644 --- a/api/applib/src/main/java/org/apache/causeway/applib/services/user/UserMemento.java +++ b/api/applib/src/main/java/org/apache/causeway/applib/services/user/UserMemento.java @@ -24,11 +24,11 @@ import java.io.Serializable; import java.net.URL; import java.util.List; import java.util.Locale; -import java.util.Objects; import java.util.stream.Stream; import javax.inject.Named; +import org.apache.causeway.applib.services.sudo.SudoService; import org.springframework.context.event.EventListener; import org.springframework.core.annotation.Order; import org.springframework.lang.Nullable; @@ -304,11 +304,12 @@ implements Serializable { } /** - * Whether this {@link UserMemento} represent the <i>system user</i>. + * Whether this {@link UserMemento}'s {@link UserMemento#getRoles() roles} contains the {@link SudoService}'s + * {@link SudoService#ACCESS_ALL_ROLE ACCESS_ALL_ROLE} role (meaning that security checks are disabled). */ @Programmatic - public boolean isSystem() { - return Objects.equals(SYSTEM_USER, this); + public boolean hasSudoAccessAllRole() { + return roles.contains(SudoService.ACCESS_ALL_ROLE); } // -- UTILITY diff --git a/api/applib/src/main/java/org/apache/causeway/applib/services/user/UserService.java b/api/applib/src/main/java/org/apache/causeway/applib/services/user/UserService.java index ff01139c70..7b07fc65f4 100644 --- a/api/applib/src/main/java/org/apache/causeway/applib/services/user/UserService.java +++ b/api/applib/src/main/java/org/apache/causeway/applib/services/user/UserService.java @@ -106,9 +106,9 @@ public class UserService { * Whether the current user is the <i>system user</i> (as obtained from the * {@link InteractionContext} of the current thread). */ - public boolean isCurrentUserWithSystemPrivileges() { + public boolean isCurrentUserWithSudoAccessAllRole() { return currentUser() - .map(UserMemento::isSystem) + .map(UserMemento::hasSudoAccessAllRole) .orElse(false); } diff --git a/extensions/security/secman/integration/src/main/java/org/apache/causeway/extensions/secman/integration/facets/TenantedAuthorizationFacetDefault.java b/extensions/security/secman/integration/src/main/java/org/apache/causeway/extensions/secman/integration/facets/TenantedAuthorizationFacetDefault.java index 511f61fbc4..fd3ebf15f6 100644 --- a/extensions/security/secman/integration/src/main/java/org/apache/causeway/extensions/secman/integration/facets/TenantedAuthorizationFacetDefault.java +++ b/extensions/security/secman/integration/src/main/java/org/apache/causeway/extensions/secman/integration/facets/TenantedAuthorizationFacetDefault.java @@ -18,6 +18,8 @@ */ package org.apache.causeway.extensions.secman.integration.facets; +import lombok.val; + import java.util.List; import javax.inject.Provider; @@ -27,11 +29,13 @@ import org.apache.causeway.applib.services.user.UserService; import org.apache.causeway.core.metamodel.facetapi.Facet; import org.apache.causeway.core.metamodel.facetapi.FacetAbstract; import org.apache.causeway.core.metamodel.facetapi.FacetHolder; +import org.apache.causeway.core.metamodel.interactions.InteractionHead; import org.apache.causeway.core.metamodel.interactions.UsabilityContext; import org.apache.causeway.core.metamodel.interactions.VisibilityContext; import org.apache.causeway.extensions.secman.applib.tenancy.spi.ApplicationTenancyEvaluator; import org.apache.causeway.extensions.secman.applib.user.dom.ApplicationUser; import org.apache.causeway.extensions.secman.applib.user.dom.ApplicationUserRepository; +import org.springframework.lang.Nullable; public class TenantedAuthorizationFacetDefault extends FacetAbstract @@ -61,52 +65,33 @@ implements TenantedAuthorizationFacet { @Override public String hides(final VisibilityContext ic) { - - if(evaluators == null - || evaluators.isEmpty() - || userService.isCurrentUserWithSystemPrivileges()) { - return null; - } - - final Object domainObject = ic.getHead().getOwner().getPojo(); - final String userName = userService.currentUserNameElseNobody(); - - final ApplicationUser applicationUser = findApplicationUser(userName); - if (applicationUser == null) { - // not expected, but best to be safe... - return "Could not locate application user for " + userName; - } - - for (ApplicationTenancyEvaluator evaluator : evaluators) { - final String reason = evaluator.hides(domainObject, applicationUser); - if(reason != null) { - return reason; - } - } - return null; + return evaluate(ApplicationTenancyEvaluator::hides, ic.getHead()); } - @Override public String disables(final UsabilityContext ic) { + return evaluate(ApplicationTenancyEvaluator::disables, ic.getHead()); + } + @Nullable + private String evaluate(EvaluationDispatcher evaluationDispatcher, InteractionHead head) { if(evaluators == null || evaluators.isEmpty() - || userService.isCurrentUserWithSystemPrivileges()) { + || userService.isCurrentUserWithSudoAccessAllRole()) { return null; } - final Object domainObject = ic.getHead().getOwner().getPojo(); - final String userName = userService.currentUserNameElseNobody(); + val domainObject = head.getOwner().getPojo(); + val userName = userService.currentUserNameElseNobody(); - final ApplicationUser applicationUser = findApplicationUser(userName); + val applicationUser = findApplicationUser(userName); if (applicationUser == null) { // not expected, but best to be safe... return "Could not locate application user for " + userName; } - for (ApplicationTenancyEvaluator evaluator : evaluators) { - final String reason = evaluator.disables(domainObject, applicationUser); + for (val evaluator : evaluators) { + final String reason = evaluationDispatcher.dispatch(evaluator, domainObject, applicationUser); if(reason != null) { return reason; } @@ -114,6 +99,10 @@ implements TenantedAuthorizationFacet { return null; } + interface EvaluationDispatcher { + String dispatch(ApplicationTenancyEvaluator evaluator, Object domainObject, ApplicationUser applicationUser); + } + /** * Per {@link #findApplicationUserNoCache(String)}, @@ -132,4 +121,6 @@ implements TenantedAuthorizationFacet { return applicationUserRepository.findByUsername(userName).orElse(null); } + + }