rave-commits mailing list archives

From carlu...@apache.org
Subject svn commit: r1189329 - in /incubator/rave/trunk/rave-components/rave-core/src: main/java/org/apache/rave/portal/security/impl/ main/java/org/apache/rave/portal/service/ main/java/org/apache/rave/portal/service/impl/ test/java/org/apache/rave/portal/sec...
Date Wed, 26 Oct 2011 17:27:58 GMT
Author: carlucci
Date: Wed Oct 26 17:27:58 2011
New Revision: 1189329

URL: http://svn.apache.org/viewvc?rev=1189329&view=rev
Log:
RAVE-306: Region ModelPermissionEvaluator and Service Annotations

Applied patch supplied by Venkat Mahadevan

Added:
    incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/DefaultRegionPermissionEvaluator.java
    incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/DefaultRegionPermissionEvaluatorTest.java
Modified:
    incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/PageService.java
    incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/RegionService.java
    incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/impl/DefaultPageService.java

Added: incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/DefaultRegionPermissionEvaluator.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/DefaultRegionPermissionEvaluator.java?rev=1189329&view=auto
==============================================================================
--- incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/DefaultRegionPermissionEvaluator.java
(added)
+++ incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/DefaultRegionPermissionEvaluator.java
Wed Oct 26 17:27:58 2011
@@ -0,0 +1,174 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.rave.portal.security.impl;
+
+import org.apache.rave.portal.model.Region;
+import org.apache.rave.portal.model.User;
+import org.apache.rave.portal.repository.RegionRepository;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.Authentication;
+import org.springframework.stereotype.Component;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.List;
+
+@Component
+public class DefaultRegionPermissionEvaluator extends AbstractModelPermissionEvaluator<Region>{
+    private Logger log = LoggerFactory.getLogger(getClass());
+    private RegionRepository regionRepository;
+
+    @Autowired
+    public DefaultRegionPermissionEvaluator(RegionRepository regionRepository) {
+        this.regionRepository = regionRepository;
+    }
+
+    @Override
+    public Class<Region> getType() {
+        return Region.class;
+    }
+
+    /**
+     * Checks to see if the Authentication object has the supplied Permission
+     * on the supplied Region object.  This method invokes the private hasPermission
+     * function with the trustedDomainObject parameter set to false since we don't
+     * know if the model being passed in was modified in any way from the
+     * actual entity in the database.
+     *
+     * @param authentication the current Authentication object
+     * @param region   the Region model object
+     * @param permission     the Permission to check
+     * @return true if the Authentication has the proper permission, false otherwise
+     */
+    @Override
+    public boolean hasPermission(Authentication authentication, Region region, Permission
permission) {
+        return hasPermission(authentication, region, permission, false);
+    }
+
+    /**
+     * Checks to see if the Authentication object has the supplied Permission
+     * for the Entity represented by the targetId(entityId) and targetType(model class name).
+     * This method invokes the private hasPermission function with the
+     * trustedDomainObject parameter set to true since we must pull the entity
+     * from the database and are guaranteed a trusted domain object,
+     * before performing our permission checks.
+     *
+     * @param authentication the current Authentication object
+     * @param targetId       the entityId of the model to check, or a RaveSecurityContext
object
+     * @param targetType     the class of the model to check
+     * @param permission     the Permission to check
+     * @return true if the Authentication has the proper permission, false otherwise
+     */
+    @Override
+    public boolean hasPermission(Authentication authentication, Serializable targetId, String
targetType, Permission permission) {
+        boolean hasPermission = false;
+        if (targetId instanceof RaveSecurityContext) {
+            hasPermission = verifyRaveSecurityContext(authentication, (RaveSecurityContext)
targetId);
+        } else {
+            hasPermission = hasPermission(authentication, regionRepository.get((Long) targetId),
permission, true);
+        }
+        return hasPermission;
+    }
+
+    private boolean hasPermission(Authentication authentication, Region region, Permission
permission, boolean trustedDomainObject) {
+        // this is our container of trusted region objects that can be re-used
+        // in this method so that the same trusted region object doesn't have to
+        // be looked up in the repository multiple times
+        List<Region> trustedRegionContainer = new ArrayList<Region>();
+
+        // first execute the AbstractModelPermissionEvaluator's hasPermission function
+        // to see if it allows permission via it's "higher authority" logic
+        if (super.hasPermission(authentication, region, permission)) {
+            return true;
+        }
+
+        // perform the security logic depending on the Permission type
+        boolean hasPermission = false;
+
+        switch (permission) {
+            case ADMINISTER:
+                // if you are here, you are not an administrator, so you can't administer
Region
+                break;
+            case CREATE:
+            case DELETE:
+            case READ:
+            case UPDATE:
+                // anyone can create, delete, read, or update a region that they own
+                hasPermission = isRegionOwner(authentication, region, trustedRegionContainer,
trustedDomainObject);
+                break;
+            default:
+                log.warn("unknown permission: " + permission);
+                break;
+        }
+
+        return hasPermission;
+    }
+
+    // returns a trusted Region object, either from the RegionRepository, or the
+    // cached container list
+    private Region getTrustedRegion(long regionId, List<Region> trustedRegionContainer)
{
+        Region region = null;
+        if (trustedRegionContainer.isEmpty()) {
+            region = regionRepository.get(regionId);
+            trustedRegionContainer.add(region);
+        } else {
+            region = trustedRegionContainer.get(0);
+        }
+        return region;
+    }
+
+    // checks to see if the Authentication object principal is the owner of the supplied
region object
+    // if trustedDomainObject is false, pull the entity from the database first to ensure
+    // the model object is trusted and hasn't been modified
+    private boolean isRegionOwner(Authentication authentication, Region region, List<Region>
trustedRegionContainer, boolean trustedDomainObject) {
+        Region trustedRegion = null;
+        if (trustedDomainObject) {
+            trustedRegion = region;
+        } else {
+            trustedRegion = getTrustedRegion(region.getEntityId(), trustedRegionContainer);
+        }
+        return isRegionOwnerByUsername(authentication, trustedRegion.getPage().getOwner().getUsername());
+    }
+
+    private boolean isRegionOwnerByUsername(Authentication authentication, String username)
{
+        return ((User)authentication.getPrincipal()).getUsername().equals(username);
+    }
+
+    private boolean isRegionOwnerById(Authentication authentication, Long userId) {
+        return ((User)authentication.getPrincipal()).getEntityId().equals(userId);
+    }
+
+    private boolean verifyRaveSecurityContext(Authentication authentication, RaveSecurityContext
raveSecurityContext) {
+        Class<?> clazz = null;
+        try {
+           clazz = Class.forName(raveSecurityContext.getType());
+        } catch (ClassNotFoundException ex) {
+            throw new IllegalArgumentException("unknown class specified in RaveSecurityContext:
", ex);
+        }
+
+        // perform the permissions check based on the class supplied to the RaveSecurityContext
object
+        if (User.class == clazz) {
+            return isRegionOwnerById(authentication, (Long) raveSecurityContext.getId());
+        } else {
+            throw new IllegalArgumentException("unknown RaveSecurityContext type: " + raveSecurityContext.getType());
+        }
+    }
+}
\ No newline at end of file
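Review bot: `isRegionOwner` dereferences `trustedRegion.getPage().getOwner().getUsername()` without a null check, and both lookup paths (`regionRepository.get((Long) targetId)` in the four-argument `hasPermission`, and `getTrustedRegion`) hand the repository result straight to it. If the repository returns null for an unknown id (its behaviour is not visible here), the authorization decision ends in a NullPointerException rather than a clean denial. The evaluator should fail closed, e.g. `if (trustedRegion == null || trustedRegion.getPage() == null || trustedRegion.getPage().getOwner() == null) return false;` before the username comparison. Separately, `verifyRaveSecurityContext` calls `Class.forName(raveSecurityContext.getType())` only to compare the result with `User.class`. Comparing the string instead, `User.class.getName().equals(raveSecurityContext.getType())`, gives the same decision without loading and initializing a class named by the caller.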

Modified: incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/PageService.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/PageService.java?rev=1189329&r1=1189328&r2=1189329&view=diff
==============================================================================
--- incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/PageService.java
(original)
+++ incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/PageService.java
Wed Oct 26 17:27:58 2011
@@ -115,14 +115,14 @@ public interface PageService {
      *
      * @param regionWidgetId the id of the moved RegionWidget
      * @param newPosition the new index of the RegionWidget within the target region (0 based
index)
-     * @param toRegion the id of the Region to move the RegionWidget to
-     * @param fromRegion the id of the Region where the RegionWidget currently resides
+     * @param toRegionId the id of the Region to move the RegionWidget to
+     * @param fromRegionId the id of the Region where the RegionWidget currently resides
      * @return the updated RegionWidget
-     * 
-     * TODO: add a second hasPermission clause for toRegion once the RegionPermissionEvaluator
has been created
      */
-    @PreAuthorize("hasPermission(#regionWidgetId, 'org.apache.rave.portal.model.RegionWidget',
'update')")
-    RegionWidget moveRegionWidget(long regionWidgetId, int newPosition, long toRegion, long
fromRegion);
+    @PreAuthorize("hasPermission(#regionWidgetId, 'org.apache.rave.portal.model.RegionWidget',
'update') and " +
+                  "hasPermission(#toRegionId, 'org.apache.rave.portal.model.Region', 'update')
and " +
+                  "hasPermission(#fromRegionId, 'org.apache.rave.portal.model.Region', 'update')")
+    RegionWidget moveRegionWidget(long regionWidgetId, int newPosition, long toRegionId,
long fromRegionId);
 
     /**
      * Moves a RegionWidget from one page to another
@@ -173,7 +173,8 @@ public interface PageService {
      *                        -1 if you want this to be the first page
      * @return the updated Page object containing its new render sequence
      */
-    @PreAuthorize("hasPermission(#pageId, 'org.apache.rave.portal.model.Page', 'update')")

+    @PreAuthorize("hasPermission(#pageId, 'org.apache.rave.portal.model.Page', 'update')
and " +
+                  "hasPermission(#moveAfterPageId, 'org.apache.rave.portal.model.Page', 'update')")
     Page movePage(long pageId, long moveAfterPageId);
     
     /**
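Review bot: The added `hasPermission(#moveAfterPageId, ...)` clause on `movePage` is evaluated even when `moveAfterPageId` is -1, which the Javadoc directly above documents as the value for "make this the first page". No page carries that id, so the Page evaluator (not part of this commit) will presumably deny or fail on the lookup, and the documented move-to-first call would stop working for ordinary page owners. Guard the sentinel in the expression, e.g. `"(#moveAfterPageId == -1 or hasPermission(#moveAfterPageId, 'org.apache.rave.portal.model.Page', 'update'))"`, and add a service-level test for that case.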

Modified: incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/RegionService.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/RegionService.java?rev=1189329&r1=1189328&r2=1189329&view=diff
==============================================================================
--- incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/RegionService.java
(original)
+++ incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/RegionService.java
Wed Oct 26 17:27:58 2011
@@ -1,31 +1,32 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.rave.portal.service;
-
-import org.apache.rave.portal.model.Region;
-
-public interface RegionService {
-
-	 /**
-	  * Register a new region
-	  * @param region the region object to register
-	  */
-	 void registerNewRegion(Region region);
-	 
-}
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.rave.portal.service;
+
+import org.apache.rave.portal.model.Region;
+import org.springframework.security.access.prepost.PreAuthorize;
+
+public interface RegionService {
+
+     /**
+      * Register a new region
+      * @param region the region object to register
+      */
+     @PreAuthorize("hasPermission(#region.regionId, 'org.apache.rave.portal.model.Region',
'create')")
+     void registerNewRegion(Region region);
+}
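Review bot: The new `@PreAuthorize` on `registerNewRegion` reads `#region.regionId`, but everywhere else in this commit a Region's id is reached through `getEntityId()`/`setEntityId()`. Unless Region also exposes a `regionId` property (not visible here), the expression will fail to evaluate at call time. Even with the property name corrected, the id-based form makes DefaultRegionPermissionEvaluator load the region from the repository, and a region being registered for the first time is unlikely to exist there yet, so the ownership test has no trusted entity to compare against. For a create, consider authorizing against the owning page instead, for example `hasPermission(#region.page.entityId, 'org.apache.rave.portal.model.Page', 'update')`, and cover the annotation with a test that goes through the secured service.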

Modified: incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/impl/DefaultPageService.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/impl/DefaultPageService.java?rev=1189329&r1=1189328&r2=1189329&view=diff
==============================================================================
--- incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/impl/DefaultPageService.java
(original)
+++ incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/impl/DefaultPageService.java
Wed Oct 26 17:27:58 2011
@@ -120,12 +120,12 @@ public class DefaultPageService implemen
     
     @Override
     @Transactional
-    public RegionWidget moveRegionWidget(long regionWidgetId, int newPosition, long toRegion,
long fromRegion) {
-        Region target = getFromRepository(toRegion, regionRepository);
-        if (toRegion == fromRegion) {
+    public RegionWidget moveRegionWidget(long regionWidgetId, int newPosition, long toRegionId,
long fromRegionId) {
+        Region target = getFromRepository(toRegionId, regionRepository);
+        if (toRegionId == fromRegionId) {
             moveWithinRegion(regionWidgetId, newPosition, target);
         } else {
-            moveBetweenRegions(regionWidgetId, newPosition, fromRegion, target);
+            moveBetweenRegions(regionWidgetId, newPosition, fromRegionId, target);
         }
         target = regionRepository.save(target);
         return findRegionWidgetById(regionWidgetId, target.getRegionWidgets());

Added: incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/DefaultRegionPermissionEvaluatorTest.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/DefaultRegionPermissionEvaluatorTest.java?rev=1189329&view=auto
==============================================================================
--- incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/DefaultRegionPermissionEvaluatorTest.java
(added)
+++ incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/DefaultRegionPermissionEvaluatorTest.java
Wed Oct 26 17:27:58 2011
@@ -0,0 +1,328 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.rave.portal.security.impl;
+
+import org.apache.rave.portal.model.Page;
+import org.apache.rave.portal.model.Region;
+import org.apache.rave.portal.model.User;
+import org.apache.rave.portal.repository.RegionRepository;
+import org.apache.rave.portal.security.ModelPermissionEvaluator;
+import org.apache.rave.portal.security.util.AuthenticationUtils;
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.GrantedAuthorityImpl;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import static org.easymock.EasyMock.*;
+import static org.hamcrest.CoreMatchers.is;
+import static org.junit.Assert.assertThat;
+
+public class DefaultRegionPermissionEvaluatorTest {
+    private DefaultRegionPermissionEvaluator defaultRegionPermissionEvaluator;
+    private RegionRepository mockRegionRepository;
+    private Page page;
+    private Region region, region2;
+    private User user, user2;
+    private Authentication mockAuthentication;
+    private List<GrantedAuthority> grantedAuthoritiesList;
+
+    private final Long VALID_REGION_ID = 1L;
+    private final Long VALID_PAGE_ID = 3L;
+    private final Long VALID_USER_ID = 99L;
+    private final String VALID_USERNAME = "john.doe";
+    private final String VALID_USERNAME2 = "jane.doe";
+
+    @Before
+    public void setUp() {
+        mockRegionRepository = createMock(RegionRepository.class);
+        defaultRegionPermissionEvaluator = new DefaultRegionPermissionEvaluator(mockRegionRepository);
+        mockAuthentication = createMock(Authentication.class);
+
+        user = new User();
+        user.setUsername(VALID_USERNAME);
+        user.setEntityId(VALID_USER_ID);
+        user2 = new User();
+        user2.setUsername(VALID_USERNAME2);
+        page = new Page();
+        page.setEntityId(VALID_PAGE_ID);
+        page.setOwner(user);
+        region = new Region();
+        region.setEntityId(VALID_REGION_ID);
+        region.setPage(page);
+        grantedAuthoritiesList = new ArrayList<GrantedAuthority>();
+        grantedAuthoritiesList.add(new GrantedAuthorityImpl("ROLE_USER"));
+    }
+
+    @Test
+    public void testGetType() throws ClassNotFoundException {
+        assertThat(defaultRegionPermissionEvaluator.getType().getName(), is(Region.class.getName()));
+    }
+
+    @Test
+    public void testHasPermission_3args_administer() {
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        replay(mockAuthentication);
+        assertThat(defaultRegionPermissionEvaluator.hasPermission(mockAuthentication, region,
ModelPermissionEvaluator.Permission.ADMINISTER), is(false));
+        verify(mockAuthentication);
+    }
+
+    @Test
+    public void testHasPermission_3args_administer_hasAdminRole() {
+        grantedAuthoritiesList.add(new GrantedAuthorityImpl(AuthenticationUtils.ROLE_ADMIN));
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        replay(mockAuthentication);
+        assertThat(defaultRegionPermissionEvaluator.hasPermission(mockAuthentication, region,
ModelPermissionEvaluator.Permission.ADMINISTER), is(true));
+        verify(mockAuthentication);
+    }
+
+    @Test
+    public void testHasPermission_3args_create_isRegionOwner() {
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        expect(mockAuthentication.getPrincipal()).andReturn(user);
+        expect(mockRegionRepository.get(VALID_REGION_ID)).andReturn(region);
+        replay(mockAuthentication);
+        replay(mockRegionRepository);
+        assertThat(defaultRegionPermissionEvaluator.hasPermission(mockAuthentication, region,
ModelPermissionEvaluator.Permission.CREATE), is(true));
+        verify(mockAuthentication);
+        verify(mockRegionRepository);
+    }
+
+    @Test
+    public void testHasPermission_3args_create_isNotRegionOwner() {
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        expect(mockAuthentication.getPrincipal()).andReturn(user2);
+        expect(mockRegionRepository.get(VALID_REGION_ID)).andReturn(region);
+        replay(mockAuthentication);
+        replay(mockRegionRepository);
+        assertThat(defaultRegionPermissionEvaluator.hasPermission(mockAuthentication, region,
ModelPermissionEvaluator.Permission.CREATE), is(false));
+        verify(mockAuthentication);
+        verify(mockRegionRepository);
+    }
+
+    @Test
+    public void testHasPermission_3args_delete_isRegionOwner() {
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        expect(mockAuthentication.getPrincipal()).andReturn(user);
+        expect(mockRegionRepository.get(VALID_REGION_ID)).andReturn(region);
+        replay(mockAuthentication);
+        replay(mockRegionRepository);
+        assertThat(defaultRegionPermissionEvaluator.hasPermission(mockAuthentication, region,
ModelPermissionEvaluator.Permission.DELETE), is(true));
+        verify(mockAuthentication);
+        verify(mockRegionRepository);
+    }
+
+    @Test
+    public void testHasPermission_3args_delete_isNotRegionOwner() {
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        expect(mockAuthentication.getPrincipal()).andReturn(user2);
+        expect(mockRegionRepository.get(VALID_REGION_ID)).andReturn(region);
+        replay(mockAuthentication);
+        replay(mockRegionRepository);
+        assertThat(defaultRegionPermissionEvaluator.hasPermission(mockAuthentication, region,
ModelPermissionEvaluator.Permission.DELETE), is(false));
+        verify(mockAuthentication);
+        verify(mockRegionRepository);
+    }
+
+    @Test
+    public void testHasPermission_3args_update_isRegionOwner() {
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        expect(mockAuthentication.getPrincipal()).andReturn(user);
+        expect(mockRegionRepository.get(VALID_REGION_ID)).andReturn(region);
+        replay(mockAuthentication);
+        replay(mockRegionRepository);
+        assertThat(defaultRegionPermissionEvaluator.hasPermission(mockAuthentication, region,
ModelPermissionEvaluator.Permission.UPDATE), is(true));
+        verify(mockAuthentication);
+        verify(mockRegionRepository);
+    }
+
+    @Test
+    public void testHasPermission_3args_update_isNotRegionOwner() {
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        expect(mockAuthentication.getPrincipal()).andReturn(user2);
+        expect(mockRegionRepository.get(VALID_REGION_ID)).andReturn(region);
+        replay(mockAuthentication);
+        replay(mockRegionRepository);
+        assertThat(defaultRegionPermissionEvaluator.hasPermission(mockAuthentication, region,
ModelPermissionEvaluator.Permission.UPDATE), is(false));
+        verify(mockAuthentication);
+        verify(mockRegionRepository);
+    }
+
+    @Test
+    public void testHasPermission_3args_read_isRegionOwner() {
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        expect(mockAuthentication.getPrincipal()).andReturn(user);
+        expect(mockRegionRepository.get(VALID_REGION_ID)).andReturn(region);
+        replay(mockAuthentication);
+        replay(mockRegionRepository);
+        assertThat(defaultRegionPermissionEvaluator.hasPermission(mockAuthentication, region,
ModelPermissionEvaluator.Permission.READ), is(true));
+        verify(mockAuthentication);
+        verify(mockRegionRepository);
+    }
+
+    @Test
+    public void testHasPermission_3args_read_isNotRegionOwner() {
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        expect(mockAuthentication.getPrincipal()).andReturn(user2);
+        expect(mockRegionRepository.get(VALID_REGION_ID)).andReturn(region);
+        replay(mockAuthentication);
+        replay(mockRegionRepository);
+        assertThat(defaultRegionPermissionEvaluator.hasPermission(mockAuthentication, region,
ModelPermissionEvaluator.Permission.READ), is(false));
+        verify(mockAuthentication);
+        verify(mockRegionRepository);
+    }
+
+    @Test
+    public void testHasPermission_4args_administer() {
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        replay(mockAuthentication);
+        assertThat(defaultRegionPermissionEvaluator.hasPermission(mockAuthentication, VALID_REGION_ID,
Region.class.getName(), ModelPermissionEvaluator.Permission.ADMINISTER), is(false));
+        verify(mockAuthentication);
+    }
+
+    @Test
+    public void testHasPermission_4args_create_isRegionOwner() {
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        expect(mockAuthentication.getPrincipal()).andReturn(user);
+        expect(mockRegionRepository.get(VALID_REGION_ID)).andReturn(region);
+        replay(mockAuthentication);
+        replay(mockRegionRepository);
+        assertThat(defaultRegionPermissionEvaluator.hasPermission(mockAuthentication, VALID_REGION_ID,
Region.class.getName(), ModelPermissionEvaluator.Permission.CREATE), is(true));
+        verify(mockAuthentication);
+        verify(mockRegionRepository);
+    }
+
+    @Test
+    public void testHasPermission_4args_create_isNotRegionOwner() {
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        expect(mockAuthentication.getPrincipal()).andReturn(user2);
+        expect(mockRegionRepository.get(VALID_REGION_ID)).andReturn(region);
+        replay(mockAuthentication);
+        replay(mockRegionRepository);
+        assertThat(defaultRegionPermissionEvaluator.hasPermission(mockAuthentication, VALID_REGION_ID,
Region.class.getName(), ModelPermissionEvaluator.Permission.CREATE), is(false));
+        verify(mockAuthentication);
+        verify(mockRegionRepository);
+    }
+
+    @Test
+    public void testHasPermission_4args_delete_isRegionOwner() {
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        expect(mockAuthentication.getPrincipal()).andReturn(user);
+        expect(mockRegionRepository.get(VALID_REGION_ID)).andReturn(region);
+        replay(mockAuthentication);
+        replay(mockRegionRepository);
+        assertThat(defaultRegionPermissionEvaluator.hasPermission(mockAuthentication, VALID_REGION_ID,
Region.class.getName(), ModelPermissionEvaluator.Permission.CREATE), is(true));
+        verify(mockAuthentication);
+        verify(mockRegionRepository);
+    }
+
+    @Test
+    public void testHasPermission_4args_delete_isNotRegionOwner() {
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        expect(mockAuthentication.getPrincipal()).andReturn(user2);
+        expect(mockRegionRepository.get(VALID_REGION_ID)).andReturn(region);
+        replay(mockAuthentication);
+        replay(mockRegionRepository);
+        assertThat(defaultRegionPermissionEvaluator.hasPermission(mockAuthentication, VALID_REGION_ID,
Region.class.getName(), ModelPermissionEvaluator.Permission.CREATE), is(false));
+        verify(mockAuthentication);
+        verify(mockRegionRepository);
+    }
+
+    @Test
+    public void testHasPermission_4args_read_isRegionOwner() {
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        expect(mockAuthentication.getPrincipal()).andReturn(user);
+        expect(mockRegionRepository.get(VALID_REGION_ID)).andReturn(region);
+        replay(mockAuthentication);
+        replay(mockRegionRepository);
+        assertThat(defaultRegionPermissionEvaluator.hasPermission(mockAuthentication, VALID_REGION_ID,
Region.class.getName(), ModelPermissionEvaluator.Permission.CREATE), is(true));
+        verify(mockAuthentication);
+        verify(mockRegionRepository);
+    }
+
+    @Test
+    public void testHasPermission_4args_read_isNotRegionOwner() {
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        expect(mockAuthentication.getPrincipal()).andReturn(user2);
+        expect(mockRegionRepository.get(VALID_REGION_ID)).andReturn(region);
+        replay(mockAuthentication);
+        replay(mockRegionRepository);
+        assertThat(defaultRegionPermissionEvaluator.hasPermission(mockAuthentication, VALID_REGION_ID,
Region.class.getName(), ModelPermissionEvaluator.Permission.CREATE), is(false));
+        verify(mockAuthentication);
+        verify(mockRegionRepository);
+    }
+
+    @Test
+    public void testHasPermission_4args_update_isRegionOwner() {
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        expect(mockAuthentication.getPrincipal()).andReturn(user);
+        expect(mockRegionRepository.get(VALID_REGION_ID)).andReturn(region);
+        replay(mockAuthentication);
+        replay(mockRegionRepository);
+        assertThat(defaultRegionPermissionEvaluator.hasPermission(mockAuthentication, VALID_REGION_ID,
Region.class.getName(), ModelPermissionEvaluator.Permission.CREATE), is(true));
+        verify(mockAuthentication);
+        verify(mockRegionRepository);
+    }
+
+    @Test
+    public void testHasPermission_4args_update_isNotRegionOwner() {
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        expect(mockAuthentication.getPrincipal()).andReturn(user2);
+        expect(mockRegionRepository.get(VALID_REGION_ID)).andReturn(region);
+        replay(mockAuthentication);
+        replay(mockRegionRepository);
+        assertThat(defaultRegionPermissionEvaluator.hasPermission(mockAuthentication, VALID_REGION_ID,
Region.class.getName(), ModelPermissionEvaluator.Permission.CREATE), is(false));
+        verify(mockAuthentication);
+        verify(mockRegionRepository);
+    }
+
+    @Test
+    public void testHasPermission_4args_update_isRegionOwner_withRaveSecurityContextObject()
{
+        RaveSecurityContext raveSecurityContext = new RaveSecurityContext(VALID_USER_ID,
"org.apache.rave.portal.model.User");
+
+        expect(mockAuthentication.getPrincipal()).andReturn(user);
+        replay(mockAuthentication);
+        assertThat(defaultRegionPermissionEvaluator.hasPermission(mockAuthentication, raveSecurityContext,
Region.class.getName(), ModelPermissionEvaluator.Permission.UPDATE), is(true));
+        verify(mockAuthentication);
+    }
+
+    @Test(expected=IllegalArgumentException.class)
+    public void testHasPermission_4args_update_isRegionOwner_withInvalidRaveSecurityContextType()
{
+        RaveSecurityContext raveSecurityContext = new RaveSecurityContext(VALID_USER_ID,
"java.lang.String");
+
+        expect(mockAuthentication.getPrincipal()).andReturn(user);
+        replay(mockAuthentication);
+        defaultRegionPermissionEvaluator.hasPermission(mockAuthentication, raveSecurityContext,
Region.class.getName(), ModelPermissionEvaluator.Permission.UPDATE);
+        verify(mockAuthentication);
+    }
+
+    @Test(expected=IllegalArgumentException.class)
+    public void testHasPermission_4args_update_isRegionOwner_withUnknownRaveSecurityContextType()
{
+        RaveSecurityContext raveSecurityContext = new RaveSecurityContext(VALID_USER_ID,
"foo.bar.DummyClass");
+
+        expect(mockAuthentication.getPrincipal()).andReturn(user);
+        replay(mockAuthentication);
+        defaultRegionPermissionEvaluator.hasPermission(mockAuthentication, raveSecurityContext,
Region.class.getName(), ModelPermissionEvaluator.Permission.UPDATE);
+        verify(mockAuthentication);
+    }
+
+}
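Review bot: The four-argument tests named `delete`, `read` and `update` (`testHasPermission_4args_delete_isRegionOwner` through `testHasPermission_4args_update_isNotRegionOwner`) all pass `ModelPermissionEvaluator.Permission.CREATE`, so the id-based path is only ever exercised with CREATE. A regression in how DELETE, READ or UPDATE is handled on that path would go unnoticed, and this is the path the `@PreAuthorize` expressions in this commit actually use. Each test should pass the permission its name states, e.g. `ModelPermissionEvaluator.Permission.DELETE` in the two delete tests, and likewise `READ` and `UPDATE`. It would also be worth adding a case where `regionRepository.get` returns null, to pin the evaluator's behaviour for an unknown region id.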


