| // Copyright (C) 2009 The Android Open Source Project |
| // |
| // Licensed under the Apache License, Version 2.0 (the "License"); |
| // you may not use this file except in compliance with the License. |
| // You may obtain a copy of the License at |
| // |
| // http://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, software |
| // distributed under the License is distributed on an "AS IS" BASIS, |
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| // See the License for the specific language governing permissions and |
| // limitations under the License. |
| |
| package com.google.gerrit.server.account; |
| |
| import com.google.gerrit.common.data.GroupDescription; |
| import com.google.gerrit.common.data.GroupDescriptions; |
| import com.google.gerrit.common.errors.NoSuchGroupException; |
| import com.google.gerrit.reviewdb.client.Account; |
| import com.google.gerrit.reviewdb.client.AccountGroup; |
| import com.google.gerrit.server.CurrentUser; |
| import com.google.gerrit.server.IdentifiedUser; |
| import com.google.gerrit.server.InternalUser; |
| import com.google.inject.Inject; |
| import com.google.inject.Provider; |
| import com.google.inject.Singleton; |
| |
| /** Access control management for a group of accounts managed in Gerrit. */ |
| public class GroupControl { |
| |
| @Singleton |
| public static class GenericFactory { |
| private final GroupBackend groupBackend; |
| |
| @Inject |
| GenericFactory(final GroupBackend gb) { |
| groupBackend = gb; |
| } |
| |
| public GroupControl controlFor(final CurrentUser who, |
| final AccountGroup.UUID groupId) |
| throws NoSuchGroupException { |
| final GroupDescription.Basic group = groupBackend.get(groupId); |
| if (group == null) { |
| throw new NoSuchGroupException(groupId); |
| } |
| return new GroupControl(who, group); |
| } |
| } |
| |
| public static class Factory { |
| private final GroupCache groupCache; |
| private final Provider<CurrentUser> user; |
| private final GroupBackend groupBackend; |
| |
| @Inject |
| Factory(final GroupCache gc, final Provider<CurrentUser> cu, |
| final GroupBackend gb) { |
| groupCache = gc; |
| user = cu; |
| groupBackend = gb; |
| } |
| |
| public GroupControl controlFor(final AccountGroup.Id groupId) |
| throws NoSuchGroupException { |
| final AccountGroup group = groupCache.get(groupId); |
| if (group == null) { |
| throw new NoSuchGroupException(groupId); |
| } |
| return controlFor(GroupDescriptions.forAccountGroup(group)); |
| } |
| |
| public GroupControl controlFor(final AccountGroup.UUID groupId) |
| throws NoSuchGroupException { |
| final GroupDescription.Basic group = groupBackend.get(groupId); |
| if (group == null) { |
| throw new NoSuchGroupException(groupId); |
| } |
| return controlFor(group); |
| } |
| |
| public GroupControl controlFor(AccountGroup group) { |
| return controlFor(GroupDescriptions.forAccountGroup(group)); |
| } |
| |
| public GroupControl controlFor(GroupDescription.Basic group) { |
| return new GroupControl(user.get(), group); |
| } |
| |
| public GroupControl validateFor(final AccountGroup.Id groupId) |
| throws NoSuchGroupException { |
| final GroupControl c = controlFor(groupId); |
| if (!c.isVisible()) { |
| throw new NoSuchGroupException(groupId); |
| } |
| return c; |
| } |
| |
| public GroupControl validateFor(final AccountGroup.UUID groupUUID) |
| throws NoSuchGroupException { |
| final GroupControl c = controlFor(groupUUID); |
| if (!c.isVisible()) { |
| throw new NoSuchGroupException(groupUUID); |
| } |
| return c; |
| } |
| } |
| |
| private final CurrentUser user; |
| private final GroupDescription.Basic group; |
| private Boolean isOwner; |
| |
| GroupControl(CurrentUser who, GroupDescription.Basic gd) { |
| user = who; |
| group = gd; |
| } |
| |
| public GroupDescription.Basic getGroup() { |
| return group; |
| } |
| |
| public CurrentUser getCurrentUser() { |
| return user; |
| } |
| |
| /** Can this user see this group exists? */ |
| public boolean isVisible() { |
| AccountGroup accountGroup = GroupDescriptions.toAccountGroup(group); |
| /* Check for canAdministrateServer may seem redundant, but allows |
| * for visibility of all groups that are not an internal group to |
| * server administrators. |
| */ |
| return (accountGroup != null && accountGroup.isVisibleToAll()) |
| || user instanceof InternalUser |
| || user.getEffectiveGroups().contains(group.getGroupUUID()) |
| || isOwner() |
| || user.getCapabilities().canAdministrateServer(); |
| } |
| |
| public boolean isOwner() { |
| AccountGroup accountGroup = GroupDescriptions.toAccountGroup(group); |
| if (accountGroup == null) { |
| isOwner = false; |
| } else if (isOwner == null) { |
| AccountGroup.UUID ownerUUID = accountGroup.getOwnerGroupUUID(); |
| isOwner = getCurrentUser().getEffectiveGroups().contains(ownerUUID) |
| || getCurrentUser().getCapabilities().canAdministrateServer(); |
| } |
| return isOwner; |
| } |
| |
| public boolean canAddMember(Account.Id id) { |
| return isOwner(); |
| } |
| |
| public boolean canRemoveMember(Account.Id id) { |
| return isOwner(); |
| } |
| |
| public boolean canSeeMember(Account.Id id) { |
| if (user.isIdentifiedUser() |
| && ((IdentifiedUser) user).getAccountId().equals(id)) { |
| return true; |
| } |
| return canSeeMembers(); |
| } |
| |
| public boolean canAddGroup(AccountGroup.UUID uuid) { |
| return isOwner(); |
| } |
| |
| public boolean canRemoveGroup(AccountGroup.UUID uuid) { |
| return isOwner(); |
| } |
| |
| public boolean canSeeGroup(AccountGroup.UUID uuid) { |
| return canSeeMembers(); |
| } |
| |
| private boolean canSeeMembers() { |
| AccountGroup accountGroup = GroupDescriptions.toAccountGroup(group); |
| return (accountGroup != null && accountGroup.isVisibleToAll()) |
| || isOwner(); |
| } |
| } |