package org.openslx.bwlp.sat.permissions;
import java.sql.SQLException;
import org.openslx.bwlp.sat.database.mappers.DbImage;
import org.openslx.bwlp.sat.database.mappers.DbOrganization;
import org.openslx.bwlp.sat.database.models.LocalOrganization;
import org.openslx.bwlp.sat.database.models.LocalUser;
import org.openslx.bwlp.sat.permissions.PermCheck.Permission;
import org.openslx.bwlp.thrift.iface.AuthorizationError;
import org.openslx.bwlp.thrift.iface.ImageDetailsRead;
import org.openslx.bwlp.thrift.iface.ImageVersionDetails;
import org.openslx.bwlp.thrift.iface.Role;
import org.openslx.bwlp.thrift.iface.TAuthorizationException;
import org.openslx.bwlp.thrift.iface.TInternalServerError;
import org.openslx.bwlp.thrift.iface.TNotFoundException;
import org.openslx.bwlp.thrift.iface.UserInfo;
public class User {
public static boolean isTutor(UserInfo user) {
return user.role == Role.TUTOR;
}
public static boolean isStudent(UserInfo user) {
return user.role == Role.STUDENT;
}
/**
* Check if given user is a local super user.
*
* @param user
* @return
*/
public static boolean isSuperUser(UserInfo user) {
LocalUser localData = LocalData.getLocalUser(user);
return localData != null && localData.isSuperUser;
}
/**
* Check if given user is allowed to login to this satellite.
*
* @param user user to check login permission for
* @return true if user is allowed to login to this satellite
*/
public static boolean canLogin(UserInfo user) {
LocalUser localData = LocalData.getLocalUser(user);
if (localData != null)
return localData.canLogin; // User locally known, use user-specific permission
LocalOrganization local = LocalData.getLocalOrganization(user.organizationId);
// User unknown, check per-organization login permission
if (local == null)
return false;
if (local.canLogin)
return true;
// Special case: If user is not allowed to login, check if there are no allowed
// organizations yet. If so, automatically allow the organization of this user.
try {
if (DbOrganization.getLoginAllowedOrganizations().isEmpty()) {
DbOrganization.setCanLogin(user.organizationId, true);
return true;
}
} catch (SQLException e) {
// Ignore
}
return false;
}
/**
* Checks whether the given user is allowed to create new images.
* Throws {@link TAuthorizationException} if permission is not granted.
*
* @param user {@link UserInfo} instance representing the user in question
*/
public static void canCreateImageOrFail(UserInfo user) throws TAuthorizationException {
if (!isTutor(user))
throw new TAuthorizationException(AuthorizationError.NO_PERMISSION,
"No permission to create new image");
}
/**
* Is given user allowed to edit/update the image identified by the given
* image base id? Throws {@link TAuthorizationException} if permission is
* not granted.
*
* @param user
* @param imageBaseId
* @throws TNotFoundException
* @throws TInternalServerError
* @throws TAuthorizationException
*/
public static void canEditBaseImageOrFail(UserInfo user, String imageBaseId) throws TInternalServerError,
TNotFoundException, TAuthorizationException {
if (!isTutor(user) || !PermCheck.hasImageBasePermission(user, imageBaseId, Permission.EDIT)) {
throw new TAuthorizationException(AuthorizationError.NO_PERMISSION,
"No permission to edit this image");
}
}
/**
* Is given user allowed to edit/update the image identified by the given
* image version id? Throws {@link TAuthorizationException} if permission is
* not granted.
*
* @param user
* @param imageVersionId
* @throws TNotFoundException
* @throws TInternalServerError
* @throws TAuthorizationException
*/
public static void canEditImageVersionOrFail(UserInfo user, String imageVersionId)
throws TInternalServerError, TNotFoundException, TAuthorizationException {
try {
canEditBaseImageOrFail(user, DbImage.getBaseIdForVersionId(imageVersionId));
} catch (SQLException e) {
throw new TInternalServerError();
}
}
/**
* Is given user allowed to delete the image identified by the given
* image version id? Throws {@link TAuthorizationException} if permission is
* not granted.
*
* @param user
* @param imageVersionId
* @throws TAuthorizationException
* @throws TNotFoundException
* @throws TInternalServerError
*/
public static void canDeleteImageVersionOrFail(UserInfo user, String imageVersionId)
throws TInternalServerError, TNotFoundException, TAuthorizationException {
ImageDetailsRead imageDetails;
try {
imageDetails = DbImage.getImageDetails(user, DbImage.getBaseIdForVersionId(imageVersionId));
} catch (SQLException e) {
throw new TInternalServerError();
}
// User owns the base image - allow
if (imageDetails.ownerId.equals(user.userId))
return;
// User is image admin - allow
if (PermCheck.canActionImage(user, Permission.ADMIN, imageDetails.userPermissions,
imageDetails.defaultPermissions))
return;
// User uploaded the image version in question - allow
for (ImageVersionDetails version : imageDetails.versions) {
if (version.uploaderId.equals(user.userId))
return;
}
throw new TAuthorizationException(AuthorizationError.NO_PERMISSION,
"No permission to delete this image version");
}
/**
* Checks whether the given user is allowed to create new lectures.
* Throws {@link TAuthorizationException} if permission is not granted.
*
* @param user {@link UserInfo} instance representing the user in question
*/
public static void canCreateLectureOrFail(UserInfo user) throws TAuthorizationException {
if (!isTutor(user))
throw new TAuthorizationException(AuthorizationError.NO_PERMISSION,
"No permission to create new lecture");
}
/**
* Checks whether the given user can edit the image identified by the given
* image base id
*
* @param user
* @param imageBaseId
* @return
* @throws TInternalServerError
* @throws TNotFoundException
*/
public static boolean canEditImagePermissions(UserInfo user, String imageBaseId)
throws TInternalServerError, TNotFoundException {
return isTutor(user) && PermCheck.hasImageBasePermission(user, imageBaseId, Permission.ADMIN);
}
/**
* Checks whether the given user can edit the image identified by the given
* image base id.
* Throws {@link TAuthorizationException} if permission is not granted.
*
* @param user
* @param imageBaseId
* @throws TInternalServerError
* @throws TNotFoundException
*/
public static void canEditImagePermissionsOrFail(UserInfo user, String imageBaseId)
throws TAuthorizationException, TInternalServerError, TNotFoundException {
if (!canEditImagePermissions(user, imageBaseId))
throw new TAuthorizationException(AuthorizationError.NO_PERMISSION,
"No permission to edit this image's permissions");
}
public static void canChangeImageOwnerOrFail(UserInfo user, String imageBaseId)
throws TAuthorizationException, TInternalServerError, TNotFoundException {
// TODO: Who should be allowed to change the owner? Any admin, or just the owner?
// Currently it's every admin, but this is open for discussion
if (!isTutor(user) || PermCheck.hasImageBasePermission(user, imageBaseId, Permission.ADMIN)) {
throw new TAuthorizationException(AuthorizationError.NO_PERMISSION,
"No permission to change image owner");
}
}
public static void canEditLectureOrFail(UserInfo user, String lectureId) throws TInternalServerError,
TNotFoundException, TAuthorizationException {
if (!isTutor(user) || !PermCheck.hasLecturePermission(user, lectureId, Permission.EDIT)) {
throw new TAuthorizationException(AuthorizationError.NO_PERMISSION,
"No permission to edit this image");
}
}
public static void canListImagesOrFail(UserInfo user) throws TAuthorizationException {
if (!isTutor(user))
throw new TAuthorizationException(AuthorizationError.NO_PERMISSION,
"No permission to see list of images");
}
public static void canSeeImageDetailsOrFail(UserInfo user) throws TAuthorizationException {
if (!isTutor(user))
throw new TAuthorizationException(AuthorizationError.NO_PERMISSION,
"No permission to see image details");
}
public static void canSeeLectureDetailsOrFail(UserInfo user) throws TAuthorizationException {
if (!isTutor(user))
throw new TAuthorizationException(AuthorizationError.NO_PERMISSION,
"No permission to see lecture details");
}
public static void canDeleteLectureOrFail(UserInfo user, String lectureId)
throws TAuthorizationException, TInternalServerError, TNotFoundException {
if (!isTutor(user) || !PermCheck.hasLecturePermission(user, lectureId, Permission.ADMIN)) {
throw new TAuthorizationException(AuthorizationError.NO_PERMISSION,
"No permission to delete this lecture");
}
}
}