📄 crmsfasecurity.java
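/*
 * Copyright (C) 2006 Open Source Strategies, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
 */
/* Copyright (c) 2005-2006 Open Source Strategies, Inc. */
/*
 * $Id:$
 *
 * Copyright (c) 2001-2005 The Open For Business Project - www.ofbiz.org
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the "Software"),
 * to deal in the Software without restriction, including without limitation
 * the rights to use, copy, modify, merge, publish, distribute, sublicense,
 * and/or sell copies of the Software, and to permit persons to whom the
 * Software is furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
 * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
 * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
 * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT
 * OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
 * THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 */
package com.opensourcestrategies.crmsfa.security;

import java.util.Map;
import java.util.List;
import java.util.Iterator;
import java.sql.Timestamp;

import javolution.util.FastMap;

import org.ofbiz.base.util.Debug;
import org.ofbiz.base.util.UtilMisc;
import org.ofbiz.base.util.UtilDateTime;
import org.ofbiz.entity.GenericDelegator;
import org.ofbiz.entity.GenericEntityException;
import org.ofbiz.entity.GenericValue;
import org.ofbiz.entity.condition.EntityCondition;
import org.ofbiz.entity.condition.EntityConditionList;
import org.ofbiz.entity.condition.EntityExpr;
import org.ofbiz.entity.condition.EntityOperator;
import org.ofbiz.entity.util.EntityUtil;
import org.ofbiz.service.DispatchContext;
import org.ofbiz.service.GenericServiceException;
import org.ofbiz.service.LocalDispatcher;
import org.ofbiz.service.ServiceUtil;
import org.ofbiz.security.Security;

import com.opensourcestrategies.crmsfa.cases.UtilCase;
import com.opensourcestrategies.crmsfa.activities.UtilActivity;
import com.opensourcestrategies.crmsfa.opportunities.UtilOpportunity;
import com.opensourcestrategies.crmsfa.party.PartyHelper;

/**
 * Special security methods for the CRM/SFA Application
 *
 * @author <a href="mailto:leon@opensourcestrategies.com">Leon Torres</a>
 * @author <a href="mailto:sichen@opensourcestrategies.com">Si Chen</a>
 * @version $Rev: 106 $
 */
public class CrmsfaSecurity {

    public static final String module = CrmsfaSecurity.class.getName();

    /**
     * Supplements the standard OFBIZ security model with a security check specified in PartyRelationship.
     *
     * <p>The checks run in this order, and the first one that succeeds grants the permission:
     * <ol>
     * <li>the standard OFBIZ entity permissions securityModule+"_MANAGER" and securityModule+securityOperation;</li>
     * <li>a direct grant: an unexpired PartyRelationship where partyIdFrom=partyIdFor, partyIdTo=UserLogin.partyId,
     *     and whose securityGroupId contains securityModule+"_MANAGER" or securityModule+securityOperation;</li>
     * <li>an indirect grant: for any partyIdFrom for which such a permission exists, a current (unexpired)
     *     PartyRelationship where partyIdFrom=partyIdFor and partyIdTo={partyId for which the required permission exists}.</li>
     * </ol>
     *
     * <p>The method fails closed: a null security object, a null userLogin, a userLogin without a delegator,
     * a partyIdFor without a valid client role, and any entity operation error all result in false.
     *
     * @param security - Security object
     * @param securityModule - The module to check (e.g., "CRMSFA_ACCOUNT", "PARTYMGR")
     * @param securityOperation - What operation is being checked (e.g., "_VIEW", "_CREATE", "_UPDATE")
     * @param userLogin - The userLogin to check permission for
     * @param partyIdFor - What Account or Party the userLogin has permission to perform the operation on
     * @return true if any of the checks above grants the permission, false otherwise
     */
    public static boolean hasPartyRelationSecurity(Security security, String securityModule, String securityOperation, GenericValue userLogin, String partyIdFor) {
        if (security == null) {
            // deny instead of failing with a NullPointerException in the permission checks below
            Debug.logError("security is null, cannot check permissions", module);
            return false;
        }
        if ((userLogin == null) || (userLogin.getDelegator() == null)) {
            Debug.logError("userLogin is null or has no associated delegator", module);
            return false;
        }

        // Log messages identify the user by login id only. Concatenating the whole userLogin value
        // writes its string form to the log, which may include the other UserLogin fields
        // (credential-related ones among them).
        String userLoginId = userLogin.getString("userLoginId");

        // check ${securityModule}_MANAGER permission
        if (security.hasEntityPermission(securityModule, "_MANAGER", userLogin)) {
            return true;
        }

        // check ${securityModule}_${securityOperation} permission
        if (security.hasEntityPermission(securityModule, securityOperation, userLogin)) {
            return true;
        }

        // TODO: #3 and #4 in http://jira.undersunconsulting.com/browse/OFBIZ-638

        try {
            // now we'll need to do some searching so we should get a delegator from user login
            GenericDelegator delegator = userLogin.getDelegator();

            // validate that partyIdFor is in our system in a proper role
            String roleTypeIdFor = PartyHelper.getFirstValidRoleTypeId(partyIdFor, PartyHelper.CLIENT_PARTY_ROLES, delegator);
            if (roleTypeIdFor == null) {
                Debug.logError("Failed to check permission for partyId [" + partyIdFor + "] because that party does not have a valid role.  I.e., it is not an Account, Contact, Lead, etc.", module);
                return false;
            }

            // Now get a list of all the parties for whom the userLogin's partyId has the required securityModule+"_MANAGER" or securityModule+securityOperation permission
            // due to a grant by PartyRelationship.securityGroupId
            EntityCondition filterByDateCondition = EntityUtil.getFilterByDateExpr();
            EntityConditionList operationCondition = new EntityConditionList(
                    UtilMisc.toList(
                            new EntityExpr("permissionId", EntityOperator.EQUALS, securityModule + "_MANAGER"),
                            new EntityExpr("permissionId", EntityOperator.EQUALS, securityModule + securityOperation)),
                    EntityOperator.OR);
            EntityConditionList searchConditions = new EntityConditionList(
                    UtilMisc.toList(
                            new EntityExpr("partyIdTo", EntityOperator.EQUALS, userLogin.getString("partyId")),
                            operationCondition,
                            filterByDateCondition),
                    EntityOperator.AND);
            List permittedRelationships = delegator.findByCondition("PartyRelationshipAndPermission", searchConditions, null, null);

            // do any of these explicitly state a permission for partyIdFor? If so, then we're done
            List directPermittedRelationships = EntityUtil.filterByAnd(permittedRelationships, UtilMisc.toMap("partyIdFrom", partyIdFor));
            if ((directPermittedRelationships != null) && (directPermittedRelationships.size() > 0)) {
                if (Debug.verboseOn()) {
                    Debug.logVerbose("UserLogin [" + userLoginId + "] has direct permitted relationship for " + partyIdFor, module);
                }
                return true;
            }

            // if not, then there is one more thing to check: for all the permitted relationships, were there any which are in turn related
            // to the partyIdFor through another current (non-expired) PartyRelationship? Note that here we had to break with convention because
            // of the way PartyRelationship for CONTACT is written (ie, CONTACT_REL_INV is opposite of ASSIGNED_TO, etc.  See comments in CRMSFADemoData.xml
            //
            // NOTE(review): the lookup below matches on the two party ids and the date filter only; relationship type
            // and role are not part of the condition, so any current relationship from partyIdFor to a party the user
            // holds the permission on grants access - confirm that this is intended.
            for (Iterator pRi = permittedRelationships.iterator(); pRi.hasNext(); ) {
                GenericValue permittedRelationship = (GenericValue) pRi.next();
                EntityConditionList indirectConditions = new EntityConditionList(
                        UtilMisc.toList(
                                new EntityExpr("partyIdFrom", EntityOperator.EQUALS, partyIdFor),
                                new EntityExpr("partyIdTo", EntityOperator.EQUALS, permittedRelationship.getString("partyIdFrom")),
                                filterByDateCondition),
                        EntityOperator.AND);
                List indirectPermittedRelationships = delegator.findByCondition("PartyRelationship", indirectConditions, null, null);
                if ((indirectPermittedRelationships != null) && (indirectPermittedRelationships.size() > 0)) {
                    if (Debug.verboseOn()) {
                        Debug.logVerbose("UserLogin [" + userLoginId + "] has indirect permitted relationship for " + partyIdFor, module);
                    }
                    return true;
                }
            }
        } catch (GenericEntityException ex) {
            // an entity error denies the permission; the exception is passed to the logger so the stack trace is kept
            Debug.logError(ex, "Unable to determine security from party relationship due to error " + ex.getMessage(), module);
            return false;
        }

        // the denial is logged at warning level, with the login id rather than the whole userLogin value
        Debug.logWarning("Checked UserLogin [" + userLoginId + "] for permission to perform [" + securityModule + "] + [" + securityOperation + "] on partyId = [" + partyIdFor + "], but permission was denied", module);
        return false;
    }

    /**
     * Checks if a userLogin has permission to perform an operation on an opportunity.
     * The userLogin must pass CRMSFA_OPP_${securityOperation} for all associated accounts and contacts.
     */
    public static boolean hasOpportunityPermission(Security security, String securityOperation, GenericValue userLogin, String salesOpportunityId) {

        GenericDelegator delegator = userLogin.getDelegator();
        try {
            // check for existance first
            GenericValue opportunity = delegator.findByPrimaryKeyCache("SalesOpportunity", UtilMisc.toMap("salesOpportunityId", salesOpportunityId));
            if (opportunity == null) {
                return false;
            }

            // check for closed opportunities for actions that are not _VIEW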