001/*
002 * (C) Copyright 2013 Nuxeo SA (http://nuxeo.com/) and contributors.
003 *
004 * All rights reserved. This program and the accompanying materials
005 * are made available under the terms of the GNU Lesser General Public License
006 * (LGPL) version 2.1 which accompanies this distribution, and is available at
007 * http://www.gnu.org/licenses/lgpl-2.1.html
008 *
009 * This library is distributed in the hope that it will be useful,
010 * but WITHOUT ANY WARRANTY; without even the implied warranty of
011 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
012 * Lesser General Public License for more details.
013 *
014 * Contributors:
015 *     dmetzler
016 */
017package org.nuxeo.ecm.restapi.server.jaxrs.usermanager;
018
019import javax.ws.rs.DELETE;
020import javax.ws.rs.GET;
021import javax.ws.rs.PUT;
022import javax.ws.rs.core.Response;
023import javax.ws.rs.core.Response.Status;
024
025import org.nuxeo.ecm.core.api.NuxeoException;
026import org.nuxeo.ecm.core.api.NuxeoGroup;
027import org.nuxeo.ecm.core.api.NuxeoPrincipal;
028import org.nuxeo.ecm.platform.usermanager.UserManager;
029import org.nuxeo.ecm.webengine.WebException;
030import org.nuxeo.ecm.webengine.model.exceptions.WebSecurityException;
031import org.nuxeo.ecm.webengine.model.impl.DefaultObject;
032import org.nuxeo.runtime.api.Framework;
033
034/**
035 * Abstract WebObject class that handle retrieve, deletion and update of {@link NuxeoPrincipal} or {@link NuxeoGroup}.
036 *
037 * @since 5.7.3
038 */
039public abstract class AbstractUMObject<T> extends DefaultObject {
040
041    protected T currentArtifact;
042
043    protected UserManager um;
044
045    @SuppressWarnings("unchecked")
046    @Override
047    protected void initialize(Object... args) {
048        if (args.length < 1) {
049            throw new IllegalArgumentException("UserObject takes at least one parameter");
050        }
051        um = Framework.getLocalService(UserManager.class);
052        currentArtifact = (T) args[0];
053    }
054
055    @GET
056    public T doGetArtifact() {
057        return currentArtifact;
058    }
059
060    @PUT
061    public T doUpdateArtifact(T principal) {
062        try {
063            checkUpdateGuardPreconditions();
064            return updateArtifact(principal);
065        } catch (NuxeoException e) {
066            throw WebException.wrap(e);
067        }
068    }
069
070    @DELETE
071    public Response doDeleteArtifact() {
072        try {
073            checkUpdateGuardPreconditions();
074            deleteArtifact();
075            return Response.status(Status.NO_CONTENT).build();
076        } catch (NuxeoException e) {
077            throw WebException.wrap(e);
078        }
079    }
080
081    protected void checkUpdateGuardPreconditions() {
082        NuxeoPrincipal principal = (NuxeoPrincipal) getContext().getCoreSession().getPrincipal();
083        if (!principal.isAdministrator()) {
084            if ((!principal.isMemberOf("powerusers")) || !isAPowerUserEditableArtifact()) {
085
086                throw new WebSecurityException("User is not allowed to edit users");
087            }
088        }
089    }
090
091    /**
092     * Check that the current artifact is editable by a power user. Basically this means not an admin user or not an
093     * admin group.
094     *
095     * @return
096     */
097    protected abstract boolean isAPowerUserEditableArtifact();
098
099    /**
100     * Updates the current artifact by the one given in parameters in the underlying persistence system.
101     *
102     * @param artifact the artifact that has been retrieved from request.
103     * @return the updated artifact.
104     */
105    protected abstract T updateArtifact(T artifact);
106
107    /**
108     * Deletes the current artifact in the underlying persistence system.
109     *
110     */
111    protected abstract void deleteArtifact();
112
113}