/*
 * (C) Copyright 2013 Nuxeo SA (http://nuxeo.com/) and contributors.
 *
 * All rights reserved. This program and the accompanying materials
 * are made available under the terms of the GNU Lesser General Public License
 * (LGPL) version 2.1 which accompanies this distribution, and is available at
 * http://www.gnu.org/licenses/lgpl-2.1.html
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * Contributors:
 *     dmetzler
 */
package org.nuxeo.ecm.restapi.server.jaxrs.usermanager;

import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.PUT;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;

import org.nuxeo.ecm.core.api.NuxeoException;
import org.nuxeo.ecm.core.api.NuxeoGroup;
import org.nuxeo.ecm.core.api.NuxeoPrincipal;
import org.nuxeo.ecm.platform.usermanager.UserManager;
import org.nuxeo.ecm.webengine.WebException;
import org.nuxeo.ecm.webengine.model.exceptions.WebSecurityException;
import org.nuxeo.ecm.webengine.model.impl.DefaultObject;
import org.nuxeo.runtime.api.Framework;

/**
 * Abstract WebObject base class that handles retrieval, update and deletion of a {@link NuxeoPrincipal} or a
 * {@link NuxeoGroup}.
 * <p>
 * The write endpoints ({@code PUT}, {@code DELETE}) run {@link #checkUpdateGuardPreconditions()} before delegating to
 * the subclass; the {@code GET} endpoint does not run any check in this class.
 *
 * @param <T> type of the artifact exposed by the resource
 * @since 5.7.3
 */
public abstract class AbstractUMObject<T> extends DefaultObject {

    /** Artifact this resource operates on; set from the first argument given to {@link #initialize(Object...)}. */
    protected T currentArtifact;

    /** User manager service looked up in {@link #initialize(Object...)}. */
    protected UserManager um;

    /**
     * Stores the artifact passed as first argument and looks up the {@link UserManager} service.
     *
     * @param args initialization arguments; the first one becomes {@link #currentArtifact}
     * @throws IllegalArgumentException if no argument is given
     */
    @SuppressWarnings("unchecked")
    @Override
    protected void initialize(Object... args) {
        if (args.length == 0) {
            throw new IllegalArgumentException("UserObject takes at least one parameter");
        }
        um = Framework.getLocalService(UserManager.class);
        // Unchecked cast: because of type erasure nothing verifies here that args[0] really is a T; a wrong type
        // only surfaces later, where the value is used as T.
        currentArtifact = (T) args[0];
    }

    /**
     * Returns the current artifact.
     * <p>
     * No guard is evaluated on this path in this class.
     * NOTE(review): read access control and filtering of sensitive attributes in the returned representation
     * must therefore happen elsewhere (resource resolution, serialization) - confirm against the callers.
     *
     * @return the artifact stored at initialization
     */
    @GET
    public T doGetArtifact() {
        return currentArtifact;
    }

    /**
     * Updates the current artifact with the one received in the request, after the update guard has passed.
     * <p>
     * NOTE(review): the guard only considers the caller and the current artifact; the submitted payload is not
     * inspected in this class. Implementations of {@link #updateArtifact(Object)} should verify that the payload
     * designates the same artifact and does not grant rights the caller is not entitled to give - confirm in
     * subclasses.
     *
     * @param principal the artifact received from the request
     * @return the updated artifact
     * @throws WebException wrapping any {@link NuxeoException} raised by the guard or the update
     */
    @PUT
    public T doUpdateArtifact(T principal) {
        final T updated;
        try {
            checkUpdateGuardPreconditions();
            updated = updateArtifact(principal);
        } catch (NuxeoException e) {
            throw WebException.wrap(e);
        }
        return updated;
    }

    /**
     * Deletes the current artifact, after the update guard has passed.
     *
     * @return an empty response with status {@code 204 No Content}
     * @throws WebException wrapping any {@link NuxeoException} raised by the guard or the deletion
     */
    @DELETE
    public Response doDeleteArtifact() {
        try {
            checkUpdateGuardPreconditions();
            deleteArtifact();
        } catch (NuxeoException e) {
            throw WebException.wrap(e);
        }
        return Response.status(Status.NO_CONTENT).build();
    }

    /**
     * Authorization guard for the write endpoints.
     * <p>
     * Administrators always pass. Any other caller passes only when it is a member of the {@code powerusers} group
     * and {@link #isAPowerUserEditableArtifact()} returns {@code true} for the current artifact.
     * <p>
     * NOTE(review): the group name is a literal here; if a deployment can rename that group, this check has to
     * follow - confirm. The principal is dereferenced without a null check - presumably the session always
     * carries one; verify.
     *
     * @throws WebSecurityException if the caller is not allowed to modify the current artifact (the message
     *             mentions users, but the same guard is used for every artifact type handled by subclasses)
     */
    protected void checkUpdateGuardPreconditions() {
        NuxeoPrincipal caller = (NuxeoPrincipal) getContext().getCoreSession().getPrincipal();
        if (caller.isAdministrator()) {
            return;
        }
        // Short-circuit on purpose: the artifact is only examined once power-user membership is established.
        boolean allowed = caller.isMemberOf("powerusers") && isAPowerUserEditableArtifact();
        if (!allowed) {
            throw new WebSecurityException("User is not allowed to edit users");
        }
    }

    /**
     * Checks that the current artifact is editable by a power user. Basically this means that it is neither an
     * admin user nor an admin group.
     *
     * @return {@code true} if a power user may edit the current artifact
     */
    protected abstract boolean isAPowerUserEditableArtifact();

    /**
     * Replaces the current artifact with the one given as parameter in the underlying persistence system.
     *
     * @param artifact the artifact that has been retrieved from the request
     * @return the updated artifact
     */
    protected abstract T updateArtifact(T artifact);

    /**
     * Deletes the current artifact in the underlying persistence system.
     */
    protected abstract void deleteArtifact();

}