001/* 002 * (C) Copyright 2013 Nuxeo SA (http://nuxeo.com/) and others. 003 * 004 * Licensed under the Apache License, Version 2.0 (the "License"); 005 * you may not use this file except in compliance with the License. 006 * You may obtain a copy of the License at 007 * 008 * http://www.apache.org/licenses/LICENSE-2.0 009 * 010 * Unless required by applicable law or agreed to in writing, software 011 * distributed under the License is distributed on an "AS IS" BASIS, 012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 013 * See the License for the specific language governing permissions and 014 * limitations under the License. 015 * 016 * Contributors: 017 * dmetzler 018 */ 019package org.nuxeo.ecm.restapi.server.jaxrs.usermanager; 020 021import javax.ws.rs.DELETE; 022import javax.ws.rs.GET; 023import javax.ws.rs.PUT; 024import javax.ws.rs.core.Response; 025import javax.ws.rs.core.Response.Status; 026 027import org.nuxeo.ecm.core.api.NuxeoGroup; 028import org.nuxeo.ecm.core.api.NuxeoPrincipal; 029import org.nuxeo.ecm.platform.usermanager.UserManager; 030import org.nuxeo.ecm.webengine.model.exceptions.WebSecurityException; 031import org.nuxeo.ecm.webengine.model.impl.DefaultObject; 032import org.nuxeo.runtime.api.Framework; 033 034/** 035 * Abstract WebObject class that handle retrieve, deletion and update of {@link NuxeoPrincipal} or {@link NuxeoGroup}. 036 * 037 * @since 5.7.3 038 */ 039public abstract class AbstractUMObject<T> extends DefaultObject { 040 041 protected T currentArtifact; 042 043 protected UserManager um; 044 045 @SuppressWarnings("unchecked") 046 @Override 047 protected void initialize(Object... args) { 048 if (args.length < 1) { 049 throw new IllegalArgumentException("UserObject takes at least one parameter"); 050 } 051 um = Framework.getService(UserManager.class); 052 currentArtifact = (T) args[0]; 053 } 054 055 @GET 056 public T doGetArtifact() { 057 return currentArtifact; 058 } 059 060 @PUT 061 public T doUpdateArtifact(T principal) { 062 checkUpdateGuardPreconditions(); 063 return updateArtifact(principal); 064 } 065 066 @DELETE 067 public Response doDeleteArtifact() { 068 checkUpdateGuardPreconditions(); 069 deleteArtifact(); 070 return Response.status(Status.NO_CONTENT).build(); 071 } 072 073 protected void checkUpdateGuardPreconditions() { 074 NuxeoPrincipal principal = (NuxeoPrincipal) getContext().getCoreSession().getPrincipal(); 075 if (!principal.isAdministrator()) { 076 if ((!principal.isMemberOf("powerusers")) || !isAPowerUserEditableArtifact()) { 077 throw new WebSecurityException("User is not allowed to edit users"); 078 } 079 } 080 } 081 082 /** 083 * Check that the current artifact is editable by a power user. Basically this means not an admin user or not an 084 * admin group. 085 * 086 * @return 087 */ 088 protected abstract boolean isAPowerUserEditableArtifact(); 089 090 /** 091 * Updates the current artifact by the one given in parameters in the underlying persistence system. 092 * 093 * @param artifact the artifact that has been retrieved from request. 094 * @return the updated artifact. 095 */ 096 protected abstract T updateArtifact(T artifact); 097 098 /** 099 * Deletes the current artifact in the underlying persistence system. 100 */ 101 protected abstract void deleteArtifact(); 102 103}