001/*
002 * (C) Copyright 2013 Nuxeo SA (http://nuxeo.com/) and contributors.
003 *
004 * All rights reserved. This program and the accompanying materials
005 * are made available under the terms of the GNU Lesser General Public License
006 * (LGPL) version 2.1 which accompanies this distribution, and is available at
007 * http://www.gnu.org/licenses/lgpl-2.1.html
008 *
009 * This library is distributed in the hope that it will be useful,
010 * but WITHOUT ANY WARRANTY; without even the implied warranty of
011 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
012 * Lesser General Public License for more details.
013 *
014 * Contributors:
015 *     dmetzler
016 */
017package org.nuxeo.ecm.restapi.server.jaxrs.usermanager;
018
019import java.util.List;
020
021import javax.ws.rs.DELETE;
022import javax.ws.rs.POST;
023import javax.ws.rs.core.Response;
024import javax.ws.rs.core.Response.Status;
025
026import org.nuxeo.ecm.core.api.NuxeoException;
027import org.nuxeo.ecm.core.api.NuxeoGroup;
028import org.nuxeo.ecm.core.api.NuxeoPrincipal;
029import org.nuxeo.ecm.platform.usermanager.UserManager;
030import org.nuxeo.ecm.webengine.WebException;
031import org.nuxeo.ecm.webengine.model.WebObject;
032import org.nuxeo.ecm.webengine.model.exceptions.WebSecurityException;
033import org.nuxeo.ecm.webengine.model.impl.DefaultObject;
034import org.nuxeo.runtime.api.Framework;
035
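/**
 * Web object binding one user to one group: {@code POST} adds the user to the group, {@code DELETE} removes it.
 * Both operations require the caller to be an administrator, or a member of {@value #POWER_USERS_GROUP} who is
 * allowed to edit both the target user and the target group.
 *
 * @since 5.7.3
 */
@WebObject(type = "userToGroup")
public class UserToGroupObject extends DefaultObject {

    /** Group whose members may edit user/group memberships without being administrators. */
    private static final String POWER_USERS_GROUP = "powerusers";

    /** Group the target user is added to or removed from (second initialization argument). */
    private NuxeoGroup group;

    /** User being edited (first initialization argument). */
    private NuxeoPrincipal principal;

    /**
     * Binds the target user and group.
     *
     * @param args exactly two values: the {@link NuxeoPrincipal} to edit, then the {@link NuxeoGroup}
     * @throws IllegalArgumentException if the argument count is not two
     */
    @Override
    protected void initialize(Object... args) {
        if (args.length != 2) {
            throw new IllegalArgumentException("UserToGroup object takes two parameters");
        }
        principal = (NuxeoPrincipal) args[0];
        group = (NuxeoGroup) args[1];
    }

    /**
     * Adds the target user to the target group and persists the user.
     *
     * @return {@code 201 Created} with the re-read principal as entity
     * @throws WebSecurityException if the caller may not edit this user/group pair
     */
    @POST
    public Response doAddUserToGroup() {
        try {
            UserManager um = Framework.getLocalService(UserManager.class);
            checkPrincipalCanAdministerGroupAndUser();

            List<String> groups = principal.getGroups();
            String groupName = group.getName();
            // Do not store the same group twice when the user already belongs to it.
            if (!groups.contains(groupName)) {
                groups.add(groupName);
            }
            principal.setGroups(groups);
            um.updateUser(principal.getModel());
            return Response.status(Status.CREATED).entity(um.getPrincipal(principal.getName())).build();
        } catch (NuxeoException e) {
            throw WebException.wrap(e);
        }
    }

    /**
     * Ensures the calling principal (taken from the current core session) may edit this user/group pair.
     * Administrators always pass. Any other caller must belong to {@value #POWER_USERS_GROUP}, and both the target
     * user and the target group must be editable by power users.
     * <p>
     * The {@value #POWER_USERS_GROUP} membership test is applied to the caller, not to the user being edited:
     * testing the target's groups would grant access based on the wrong identity.
     *
     * @throws WebSecurityException if the caller is not allowed to edit
     */
    private void checkPrincipalCanAdministerGroupAndUser() {
        NuxeoPrincipal currentPrincipal = (NuxeoPrincipal) getContext().getCoreSession().getPrincipal();
        if (currentPrincipal.isAdministrator()) {
            return;
        }
        boolean callerIsPowerUser = currentPrincipal.isMemberOf(POWER_USERS_GROUP);
        if (!callerIsPowerUser || !UserRootObject.isAPowerUserEditableUser(principal)
                || !GroupRootObject.isAPowerUserEditableGroup(group)) {
            throw new WebSecurityException("Cannot edit user");
        }
    }

    /**
     * Removes the target user from the target group and persists the user.
     *
     * @return {@code 200 OK} with the user name as entity
     * @throws WebSecurityException if the caller may not edit this user/group pair
     */
    @DELETE
    public Response doRemoveUserFromGroup() {
        try {
            UserManager um = Framework.getLocalService(UserManager.class);
            checkPrincipalCanAdministerGroupAndUser();
            List<String> groups = principal.getGroups();
            groups.remove(group.getName());
            principal.setGroups(groups);
            um.updateUser(principal.getModel());
            return Response.ok(principal.getName()).build();
        } catch (NuxeoException e) {
            throw WebException.wrap(e);
        }
    }
}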