001/* 002 * (C) Copyright 2013 Nuxeo SA (http://nuxeo.com/) and others. 003 * 004 * Licensed under the Apache License, Version 2.0 (the "License"); 005 * you may not use this file except in compliance with the License. 006 * You may obtain a copy of the License at 007 * 008 * http://www.apache.org/licenses/LICENSE-2.0 009 * 010 * Unless required by applicable law or agreed to in writing, software 011 * distributed under the License is distributed on an "AS IS" BASIS, 012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 013 * See the License for the specific language governing permissions and 014 * limitations under the License. 015 * 016 * Contributors: 017 * dmetzler 018 */ 019package org.nuxeo.ecm.restapi.server.jaxrs.usermanager; 020 021import javax.ws.rs.DELETE; 022import javax.ws.rs.GET; 023import javax.ws.rs.PUT; 024import javax.ws.rs.core.Response; 025import javax.ws.rs.core.Response.Status; 026 027import org.nuxeo.ecm.core.api.NuxeoGroup; 028import org.nuxeo.ecm.core.api.NuxeoPrincipal; 029import org.nuxeo.ecm.platform.usermanager.UserManager; 030import org.nuxeo.ecm.webengine.model.exceptions.WebSecurityException; 031import org.nuxeo.ecm.webengine.model.impl.DefaultObject; 032import org.nuxeo.runtime.api.Framework; 033 034/** 035 * Abstract WebObject class that handle retrieve, deletion and update of {@link NuxeoPrincipal} or {@link NuxeoGroup}. 036 * 037 * @since 5.7.3 038 */ 039public abstract class AbstractUMObject<T> extends DefaultObject { 040 041 protected T currentArtifact; 042 043 protected UserManager um; 044 045 @SuppressWarnings("unchecked") 046 @Override 047 protected void initialize(Object... args) { 048 if (args.length < 1) { 049 throw new IllegalArgumentException("UserObject takes at least one parameter"); 050 } 051 um = Framework.getService(UserManager.class); 052 currentArtifact = (T) args[0]; 053 } 054 055 @GET 056 public T doGetArtifact() { 057 return currentArtifact; 058 } 059 060 @PUT 061 public T doUpdateArtifact(T artifact) { 062 // check that the current artifact can be updated 063 checkUpdateGuardPreconditions(); 064 // check that the new artifact can be updated 065 checkUpdateGuardPreconditions(artifact); 066 return updateArtifact(artifact); 067 } 068 069 @DELETE 070 public Response doDeleteArtifact() { 071 checkUpdateGuardPreconditions(); 072 deleteArtifact(); 073 return Response.status(Status.NO_CONTENT).build(); 074 } 075 076 protected void checkUpdateGuardPreconditions() { 077 checkUpdateGuardPreconditions(currentArtifact); 078 } 079 080 protected void checkUpdateGuardPreconditions(T artifact) { 081 NuxeoPrincipal principal = getContext().getCoreSession().getPrincipal(); 082 if (!principal.isAdministrator()) { 083 if ((!principal.isMemberOf("powerusers")) || !isAPowerUserEditableArtifact(artifact)) { 084 throw new WebSecurityException("User is not allowed to edit users"); 085 } 086 } 087 } 088 089 /** 090 * Check that the current artifact is editable by a power user. Basically this means not an admin user or not an 091 * admin group. 092 * 093 * @deprecated since 11.1, use {@link #isAPowerUserEditableArtifact(Object)} instead. 094 */ 095 @Deprecated 096 protected boolean isAPowerUserEditableArtifact() { 097 return isAPowerUserEditableArtifact(currentArtifact); 098 } 099 100 /** 101 * Check the given artifact is editable by a power user. Basically this means not an admin user or not an admin 102 * group. 103 */ 104 protected boolean isAPowerUserEditableArtifact(T artifact) { 105 throw new UnsupportedOperationException(); 106 } 107 108 /** 109 * Updates the current artifact by the one given in parameters in the underlying persistence system. 110 * 111 * @param artifact the artifact that has been retrieved from request. 112 * @return the updated artifact. 113 */ 114 protected abstract T updateArtifact(T artifact); 115 116 /** 117 * Deletes the current artifact in the underlying persistence system. 118 */ 119 protected abstract void deleteArtifact(); 120 121}