/* CRMS, customer relationship management system Copyright (C) 2003 Service To Youth Council This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA For further information contact the SYC ICT department on GPL@syc.net.au 98 Kermode Street North Adelaide South Australia SA 5006 +61 (0)8 8367 0755 *//* * PermissionDAO.java * * Created on 15 May 2003, 11:37 */package crms.dao;import crms.util.*;import crms.vo.*;import org.apache.log4j.Logger;import java.util.*;import java.sql.*;/** Security and access control for objects within CRMS. * * The design allows for user, location and division security provisions. * Sample queries to determine access. Inputs are: * <ul> * <li>StaffMember user = <i>current logged on user attempting access</i> * <li>int power = user.getPower(); * <li>int location = user.getLocation(); * </ul> * * <code> // to determine rights switch (power) { case 5: case 4: // we don't care case 3: // consider divisions case 2: // consider location default: // compare the power levels } AND "Power" <= power * "Power" </code> * * The LDAP tree uses an ou=Sites and ou=Departments to determine possible sites and locations. Within these ou's are ou's that define the * locations. 
 *
 * @author dmurphy, tnichols
 */
public class PermissionDAO extends AbstractDAO {

    /** Class logger; kept public and non-final because other code may reference it directly. */
    public static Logger logger = Logger.getLogger(PermissionDAO.class);

    /** Creates a new instance of PermissionDAO. */
    public PermissionDAO() {
    }

    /**
     * Tests whether a row matching {@code p} is already present in the
     * {@code "Permissions"} table.
     *
     * <p>The WHERE clause is produced by {@code getWhereClause(p)}; escaping of
     * the values carried by {@code p} is that method's responsibility and is
     * not visible here.</p>
     *
     * @param p the permission to look up
     * @return {@code true} when {@code entityExists} reports a matching row
     * @throws RuntimeException wrapping any exception raised while running the
     *         query; the failing SQL is logged at error level first
     */
    public boolean exists(Permission p) {
        String query = "SELECT 1 from \"Permissions\"\n" + getWhereClause(p);
        boolean found;
        try {
            found = entityExists(query);
        } catch (Exception ex) {
            logger.error("Exception executing sql:\n" + query, ex);
            throw new RuntimeException(ex);
        }
        return found;
    }

    /**
     * Stores {@code p}: the existing row is rewritten when {@link #exists}
     * finds one, otherwise a new row is inserted.
     *
     * @param p the permission to persist
     */
    public void setPermission(Permission p) {
        if (!exists(p)) {
            insertPermission(p);
            return;
        }
        updatePermission(p);
    }

    /**
     * <p>Generates appropriate SQL for a sub-select that determines whether
     * entities queried have at least read access. (Otherwise they can not
     * be shown, even in summary lists).</p>
     *
     * <p>Use this method as follows:
     * <pre>
     * sql += "select * from \"Call\"";
     * sql += getPermissionForReadSQL("\"Call.CallID\"", EntityType.CALL, user);
     * </pre>
     * This SQL will return all calls that are at least readable by the user.
     * </p>
     *
     * @param entityID The SQL "Table"."Column Name" that corresponds to
     * the entity in the current row that would otherwise be selected. It is
     * spliced into the generated SQL verbatim, so it must be a column
     * reference written in code, never a value taken from a request.
     * @param type The type of entity being queried: eg: call, reminder etc.
     * @param user User ID of the logged in user. This is used to determine
     * whether read access to the entity can be allowed; it is quoted with
     * {@code quoteSingle} before being embedded.
     * @param filterExists Specifies whether appending query should start with
     * "AND ..." if filterExists = true or "WHERE ..." if filterExists = false.
     *
     * @return SQL String containing nested select query (empty for the super user).
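 */
    public String getPermissionForReadSQL(String entityID, EntityType type, String user, boolean filterExists) {
        // The super user is never filtered: return no clause at all.
        if (user.equals(AbstractDAO.SUPER_USER)) {
            return "";
        }
        LDAPDAO ldap = LDAPDAOFactory.getInstance().getLDAPDAO();
        StaffMember staff = ldap.getUser(user);

        StringBuffer sql = new StringBuffer();
        sql.append(filterExists ? "AND " : "WHERE ");
        sql.append("EXISTS (\n");
        sql.append("SELECT 1 from \"Permissions\"\n");
        // entityID is a column reference supplied by calling code (see javadoc)
        // and is embedded verbatim; it must never carry request-supplied data.
        sql.append(" WHERE \"EntityID\" = ").append(entityID).append("\n");
        sql.append(" AND \"EntityType\" = ").append(quoteSingle(type.getCode())).append("\n");
        sql.append(" AND \"Read\" = true\n");

        // A permission row grants read access either because it names this
        // user directly ...
        String userMatch = "(\"ID\" = " + quoteSingle(user) + ")\n";
        // ... or because the user's power (and, for lower powers, location /
        // division) satisfies it. Group- and all-user permission types are not
        // consulted by this query.
        sql.append(" AND (").append(userMatch);
        sql.append(" OR ").append(getPowerMatch(staff));
        sql.append(")\n");
        sql.append(")");
        return sql.toString();
    }

    /**
     * Builds the bracketed predicate that lets a permission row match on the
     * staff member's power level and, for the lower power levels, on location
     * and/or division as well.
     *
     * <p>Which extra restrictions apply depends on {@code sm.getPower()}:
     * powers 0 and 2 must match both location and division, powers 1 and 3
     * must match division only, and every other value (4, 5, or anything
     * else) is restricted by power alone.</p>
     *
     * @param sm the staff member whose access is being evaluated
     * @return SQL fragment starting with "(" and ending with ")\n", usable as
     *         one operand of an OR
     */
    protected String getPowerMatch(StaffMember sm) {
        int power = sm.getPower();
        boolean restrictByLocation = power == 0 || power == 2;
        boolean restrictByDivision = restrictByLocation || power == 1 || power == 3;

        StringBuffer match = new StringBuffer("(\n");
        if (restrictByLocation) {
            match.append("(\"Location\" = ").append(quoteSingle(sm.getLocation()));
            // NOTE(review): "Location" = null is never true in SQL (the comparison
            // yields UNKNOWN), so rows whose Location is SQL NULL only match via
            // the 'null' string. If NULL was meant to match as well this needs
            // IS NULL; confirm against the data before widening an access check.
            match.append(" OR \"Location\" = 'null' OR \"Location\" = null)\n AND ");
        }
        if (restrictByDivision) {
            match.append("(\"Division\" = ").append(quoteSingle(sm.getDepartment()));
            // NOTE(review): same "= null" caveat as for Location above.
            match.append(" OR \"Division\" = 'null' OR \"Division\" = null)\n AND ");
        }
        // Compare power levels: a row that names no user ("ID" = '') is readable
        // at equal power; a row tied to a user requires strictly greater power.
        match.append("( (\"ID\" = '' AND \"Power\" <= ").append(power).append(")\n");
        match.append(" OR (\"ID\" != '' AND \"Power\" < ").append(power).append(") )\n");
        match.append(")\n");
        return match.toString();
    }

    /**
     * Special company usage query that determines the users who have data
     * within a company, based on permissions.
     *
     * <p>Only contact permissions are consulted: every distinct "ID" that
     * holds a permission on a non-deleted contact of the company is returned.</p>
     *
     * @param companyID primary key of the company; being an {@code int} it can
     *        be embedded in the statement without quoting
     * @return raw {@code List} of user IDs ({@code String}), empty when none
     * @throws RuntimeException wrapping any failure of the query or of
     *         releasing the JDBC resources
     */
    public List getStaffListForCompany(int companyID) {
        String sql = "SELECT DISTINCT \"ID\" FROM \"Permissions\"\n"
                + "WHERE "
                + " (\n"
                + " (\"EntityType\" = 'contact' and \"EntityID\" IN (SELECT \"ContactID\" FROM \"Contacts\" WHERE \"CompanyID\" = "
                + companyID + " and \"Deleted\" = false))\n"
                + ")\n";
        logger.debug("getStaffListForCompany: " + sql);

        ArrayList results = new ArrayList();
        Connection con = null;
        Statement stmt = null;
        ResultSet rs = null;
        try {
            con = getFactory().getInstance().getConnection();
            stmt = con.createStatement();
            rs = stmt.executeQuery(sql);
            while (rs.next()) {
                results.add(rs.getString("ID"));
            }
        } catch (Exception ex) {
            // Report through the class logger, as exists() does, instead of stdout.
            logger.error("Exception executing sql:\n" + sql, ex);
            throw new RuntimeException(ex);
        } finally {
            // Attempt every close even when an earlier one fails, so a failing
            // rs.close() cannot leak the statement and the connection.
            SQLException closeFailure = null;
            if (rs != null) {
                try {
                    rs.close();
                } catch (SQLException ex) {
                    closeFailure = ex;
                }
            }
            if (stmt != null) {
                try {
                    stmt.close();
                } catch (SQLException ex) {
                    if (closeFailure == null) {
                        closeFailure = ex;
                    }
                }
            }
            if (con != null) {
                try {
                    con.close();
                } catch (SQLException ex) {
                    if (closeFailure == null) {
                        closeFailure = ex;
                    }
                }
            }
            if (closeFailure != null) {
                throw new RuntimeException(closeFailure);
            }
        }
        return results;
    }

    /**
     * Convenience overload of
     * {@link #getPermissionForReadSQL(String, EntityType, String, boolean)}
     * that assumes a WHERE clause is already present, i.e. emits "AND ...".
     *
     * @param entityID column reference for the entity being selected (embedded verbatim)
     * @param type the entity type being queried
     * @param user ID of the logged in user
     * @return SQL String containing the nested select query
     */
    public String getPermissionForReadSQL(String entityID, EntityType type, String user) {
        return getPermissionForReadSQL(entityID, type, user, true);
    }

    public List getPermissionsForEntity(int entityID, EntityType type, PermissionType permType) {
        String sql = "";
        Permission p = new Permission();
        p.setEntityID(entityID);
        p.setEntityType(type);
        //p.setPermissionType(permType);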