rave-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From secoo...@apache.org
Subject svn commit: r1207613 - in /incubator/rave/trunk/rave-components/rave-core/src: main/java/org/apache/rave/portal/security/impl/ main/java/org/apache/rave/portal/service/ test/java/org/apache/rave/portal/security/impl/
Date Mon, 28 Nov 2011 21:12:34 GMT
Author: secooper
Date: Mon Nov 28 21:12:33 2011
New Revision: 1207613

URL: http://svn.apache.org/viewvc?rev=1207613&view=rev
Log:
RAVE-341 patch to add security features to WidgetComments

Added:
    incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/DefaultWidgetCommentPermissionEvaluator.java
    incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/DefaultWidgetCommentPermissionEvaluatorTest.java
Modified:
    incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/WidgetCommentService.java

Added: incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/DefaultWidgetCommentPermissionEvaluator.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/DefaultWidgetCommentPermissionEvaluator.java?rev=1207613&view=auto
==============================================================================
--- incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/DefaultWidgetCommentPermissionEvaluator.java
(added)
+++ incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/DefaultWidgetCommentPermissionEvaluator.java
Mon Nov 28 21:12:33 2011
@@ -0,0 +1,199 @@
+/*
+ * Copyright 2011 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.rave.portal.security.impl;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.List;
+import org.apache.rave.portal.model.User;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.apache.rave.portal.model.WidgetComment;
+import org.apache.rave.portal.repository.WidgetCommentRepository;
+import org.apache.rave.portal.security.ModelPermissionEvaluator.Permission;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.Authentication;
+import org.springframework.stereotype.Component;
+
+/**
+ */
+@Component
+public class DefaultWidgetCommentPermissionEvaluator extends AbstractModelPermissionEvaluator<WidgetComment>
{
+
+    private Logger log = LoggerFactory.getLogger(getClass());
+    private WidgetCommentRepository widgetCommentRepository;
+    
+    @Autowired
+    public DefaultWidgetCommentPermissionEvaluator(WidgetCommentRepository widgetCommentRepository)
{
+        this.widgetCommentRepository = widgetCommentRepository;
+    }
+    
+    @Override
+    public Class<WidgetComment> getType() {
+        return WidgetComment.class;
+    }
+
+    /**
+     * Checks to see if the Authentication object has the supplied Permission
+     * on the supplied Page object.  This method invokes the private hasPermission
+     * function with the trustedDomainObject parameter set to false since we don't
+     * know if the model being passed in was modified in any way from the 
+     * actual entity in the database.
+     * 
+     * @param authentication the current Authentication object
+     * @param widgetComment the WidgetComment model object
+     * @param permission the Permission to check
+     * @return true if the Authentication has the proper permission, false otherwise
+     */
+    @Override
+    public boolean hasPermission(Authentication authentication, WidgetComment widgetComment,
Permission permission) {      
+        return hasPermission(authentication, widgetComment, permission, false);
+    }    
+
+    /**
+     * Checks to see if the Authentication object has the supplied Permission 
+     * for the Entity represented by the targetId(entityId) and targetType(model class name).
+     * This method invokes the private hasPermission function with the 
+     * trustedDomainObject parameter set to true since we must pull the entity
+     * from the database and are guaranteed a trusted domain object,
+     * before performing our permission checks.
+     * 
+     * @param authentication the current Authentication object
+     * @param targetId the entityId of the model to check, or a RaveSecurityContext object
+     * @param targetType the class of the model to check
+     * @param permission the Permission to check
+     * @return true if the Authentication has the proper permission, false otherwise
+     */
+    @Override
+    public boolean hasPermission(Authentication authentication, Serializable targetId, String
targetType, Permission permission) {
+        boolean hasPermission = false;
+        if (targetId instanceof RaveSecurityContext) {
+            hasPermission = verifyRaveSecurityContext(authentication, (RaveSecurityContext)targetId,
permission);           
+        } else {
+            hasPermission = hasPermission(authentication, widgetCommentRepository.get((Long)targetId),
permission, true);
+        }
+        return hasPermission;
+    }  
+    
+    private boolean hasPermission(Authentication authentication, WidgetComment widgetComment,
Permission permission, boolean trustedDomainObject) {       
+        // this is our container of trusted page objects that can be re-used 
+        // in this method so that the same trusted page object doesn't have to
+        // be looked up in the repository multiple times
+        List<WidgetComment> trustedWidgetCommentContainer = new ArrayList<WidgetComment>();
                          
+        
+        // first execute the AbstractModelPermissionEvaluator's hasPermission function
+        // to see if it allows permission via it's "higher authority" logic             
  
+        if (super.hasPermission(authentication, widgetComment, permission)) {
+            return true;
+        }
+        
+        // perform the security logic depending on the Permission type
+        boolean hasPermission = false;                       
+        switch (permission) { 
+            case ADMINISTER:
+                // if you are here, you are not an administrator, so you can't administer
pages              
+                break;
+            case READ:
+                hasPermission =  true;
+                break;
+            case CREATE:
+                hasPermission = isWidgetCommentOwnerById(authentication, widgetComment.getUser().getEntityId());
+                break;
+            case DELETE:
+            case UPDATE:
+                // anyone can create, delete, read, or update a page that they own      
           
+                hasPermission = isWidgetCommentOwner(authentication, widgetComment, trustedWidgetCommentContainer,
trustedDomainObject);     
+                break;   
+            default:
+                log.warn("unknown permission: " + permission);
+                break;
+        }
+        
+        return hasPermission;
+    }
+    
+    private boolean verifyRaveSecurityContext(Authentication authentication, RaveSecurityContext
raveSecurityContext, Permission permission) {
+        Class<?> clazz = null;
+        try {
+           clazz = Class.forName(raveSecurityContext.getType());
+        } catch (ClassNotFoundException ex) {
+            throw new IllegalArgumentException("unknown class specified in RaveSecurityContext:
", ex);
+        }
+
+        // perform the permissions check based on the class supplied to the RaveSecurityContext
object
+        if (WidgetComment.class == clazz) {
+            
+        // perform the security logic depending on the Permission type
+        boolean hasPermission = false;                       
+        switch (permission) { 
+            case ADMINISTER:
+                // if you are here, you are not an administrator, so you can't administer
pages              
+                break;
+            case READ:
+                hasPermission = true;
+                break;
+            case CREATE:
+            case DELETE:
+            case UPDATE:
+                // anyone can create, delete, read, or update a page that they own      
           
+                hasPermission = isWidgetCommentOwnerById(authentication, (Long)raveSecurityContext.getId());
+                break;   
+            default:
+                log.warn("unknown permission: " + permission);
+                break;
+            }
+
+            return hasPermission;
+        } else {
+            throw new IllegalArgumentException("unknown RaveSecurityContext type: " + raveSecurityContext.getType());
+        }
+    } 
+    
+    
+    // checks to see if the Authentication object principal is the owner of the supplied
widgetComment object 
+    // if trustedDomainObject is false, pull the entity from the database first to ensure
+    // the model object is trusted and hasn't been modified
+    private boolean isWidgetCommentOwner(Authentication authentication, WidgetComment widgetComment,
List<WidgetComment> trustedPageContainer, boolean trustedDomainObject) {        
+        WidgetComment trustedWidgetComment = null;
+        if (trustedDomainObject) {
+            trustedWidgetComment = widgetComment;
+        } else {
+            trustedWidgetComment = getTrustedWidgetComment(widgetComment.getEntityId(), trustedPageContainer);
+        }                  
+        
+        return isWidgetCommentOwnerByUsername(authentication, trustedWidgetComment.getUser().getUsername());
+    }            
+    
+    // returns a trusted Page object, either from the PageRepository, or the
+    // cached container list
+    private WidgetComment getTrustedWidgetComment(long widgetCommentId, List<WidgetComment>
trustedWidgetCommentContainer) {       
+        WidgetComment p = null;
+        if (trustedWidgetCommentContainer.isEmpty()) {           
+            p = widgetCommentRepository.get(widgetCommentId);
+            trustedWidgetCommentContainer.add(p);
+        } else {
+            p = trustedWidgetCommentContainer.get(0);
+        }
+        return p;       
+    }     
+
+    private boolean isWidgetCommentOwnerByUsername(Authentication authentication, String
username) {
+        return ((User)authentication.getPrincipal()).getUsername().equals(username);
+    }
+    private boolean isWidgetCommentOwnerById(Authentication authentication, Long userId)
{
+        return ((User)authentication.getPrincipal()).getEntityId().equals(userId);
+    }
+}

Modified: incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/WidgetCommentService.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/WidgetCommentService.java?rev=1207613&r1=1207612&r2=1207613&view=diff
==============================================================================
--- incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/WidgetCommentService.java
(original)
+++ incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/WidgetCommentService.java
Mon Nov 28 21:12:33 2011
@@ -16,13 +16,18 @@
 package org.apache.rave.portal.service;
 
 import org.apache.rave.portal.model.WidgetComment;
+import org.springframework.security.access.prepost.PostAuthorize;
+import org.springframework.security.access.prepost.PreAuthorize;
 
 public interface WidgetCommentService {
     
+    @PostAuthorize("hasPermission(returnObject, 'read')")
     WidgetComment getWidgetComment(Long id);
     
+    @PreAuthorize("hasPermission(#widgetComment, 'create_or_update')")
     void saveWidgetComment(WidgetComment widgetComment);
     
+    @PreAuthorize("hasPermission(#id, 'org.apache.rave.portal.model.WidgetComment', 'delete')")

     void removeWidgetComment(Long id);
 
 }

Added: incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/DefaultWidgetCommentPermissionEvaluatorTest.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/DefaultWidgetCommentPermissionEvaluatorTest.java?rev=1207613&view=auto
==============================================================================
--- incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/DefaultWidgetCommentPermissionEvaluatorTest.java
(added)
+++ incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/DefaultWidgetCommentPermissionEvaluatorTest.java
Mon Nov 28 21:12:33 2011
@@ -0,0 +1,231 @@
+/*
+ * Copyright 2011 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.rave.portal.security.impl;
+
+import org.apache.rave.portal.security.util.AuthenticationUtils;
+import org.apache.rave.portal.model.WidgetComment;
+import org.springframework.security.core.authority.GrantedAuthorityImpl;
+import java.util.ArrayList;
+import org.springframework.security.core.GrantedAuthority;
+import java.util.List;
+import org.apache.rave.portal.model.User;
+import org.springframework.security.core.Authentication;
+import org.apache.rave.portal.repository.WidgetCommentRepository;
+import org.apache.rave.portal.security.ModelPermissionEvaluator.Permission;
+import org.junit.Test;
+import org.junit.Before;
+import static org.junit.Assert.*;
+import static org.easymock.EasyMock.*;
+import static org.hamcrest.CoreMatchers.*;
+
+/**
+ *
+ */
+public class DefaultWidgetCommentPermissionEvaluatorTest {
+    
+    private DefaultWidgetCommentPermissionEvaluator defaultWidgetCommentPermissionEvaluator;
+    private WidgetCommentRepository mockWidgetCommentRepository;
+    private Authentication mockAuthentication;
+    private WidgetComment widgetComment;
+    private User user, user2;    
+    private List<GrantedAuthority> grantedAuthoritiesList;
+    
+    private final Long VALID_COMMENT_ID = 3L;
+    private final Long VALID_USER_ID = 99L;
+    private final Long INVALID_USER_ID = VALID_USER_ID + 1;
+    private final String VALID_USERNAME = "john.doe";
+    private final String VALID_USERNAME2 = "jane.doe";
+    @Before
+    public void setUp() {               
+        mockWidgetCommentRepository = createMock(WidgetCommentRepository.class);
+        mockAuthentication = createMock(Authentication.class);
+        defaultWidgetCommentPermissionEvaluator = new DefaultWidgetCommentPermissionEvaluator(mockWidgetCommentRepository);
+        
+        user = new User();
+        user.setUsername(VALID_USERNAME);
+        user.setEntityId(VALID_USER_ID);
+        user2 = new User();
+        user2.setUsername(VALID_USERNAME2);
+        user2.setEntityId(INVALID_USER_ID);
+        widgetComment = new WidgetComment();
+        widgetComment.setEntityId(VALID_COMMENT_ID);
+        widgetComment.setUser(user);
+        grantedAuthoritiesList = new ArrayList<GrantedAuthority>();
+        grantedAuthoritiesList.add(new GrantedAuthorityImpl("ROLE_USER"));
+    }
+    
+    @Test
+    public void testGetType() throws ClassNotFoundException {            
+        assertThat(defaultWidgetCommentPermissionEvaluator.getType().getName(), is(WidgetComment.class.getName()));
+    }
+    
+    @Test
+    public void verifyNotAdministrator() {
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        replay(mockAuthentication);
+        
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
null, Permission.ADMINISTER), is(false));
+        verify(mockAuthentication);
+    }
+    
+    
+    @Test
+    public void verifyAdministrator() {
+        List myGrantedAuthoritiesList = new ArrayList();
+        myGrantedAuthoritiesList.addAll(grantedAuthoritiesList);
+        myGrantedAuthoritiesList.add(new GrantedAuthorityImpl(AuthenticationUtils.ROLE_ADMIN));
+        
+        expect(mockAuthentication.getAuthorities()).andReturn(myGrantedAuthoritiesList);
+        replay(mockAuthentication);
+        
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
null, Permission.ADMINISTER), is(true));
+        verify(mockAuthentication);
+    }
+    
+    @Test 
+    public void testOwnerPermissions() {
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList).anyTimes();
+        expect(mockAuthentication.getPrincipal()).andReturn(user).anyTimes();
+        replay(mockAuthentication);
+        expect(mockWidgetCommentRepository.get(VALID_COMMENT_ID)).andReturn(widgetComment).anyTimes();
+        replay(mockWidgetCommentRepository);
+        
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
widgetComment, Permission.ADMINISTER), is(false));
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
widgetComment, Permission.CREATE), is(true));
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
widgetComment, Permission.READ), is(true));
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
widgetComment, Permission.DELETE), is(true));
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
widgetComment, Permission.UPDATE), is(true));
+        
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
widgetComment, Permission.CREATE_OR_UPDATE), is(false));
+        verify(mockAuthentication);
+        verify(mockWidgetCommentRepository);
+    }
+    
+    @Test
+    public void testNonOwnerPermissions() {
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList).anyTimes();
+        expect(mockAuthentication.getPrincipal()).andReturn(user2).anyTimes();
+        replay(mockAuthentication);
+        expect(mockWidgetCommentRepository.get(VALID_COMMENT_ID)).andReturn(widgetComment).anyTimes();
+        replay(mockWidgetCommentRepository);
+        
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
widgetComment, Permission.ADMINISTER), is(false));
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
widgetComment, Permission.CREATE), is(false));
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
widgetComment, Permission.READ), is(true));
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
widgetComment, Permission.DELETE), is(false));
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
widgetComment, Permission.UPDATE), is(false));
+        
+        
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
widgetComment, Permission.CREATE_OR_UPDATE), is(false));
+        verify(mockAuthentication);
+        verify(mockWidgetCommentRepository);
+    }
+    
+    @Test
+    public void testOwnerPermissionsById() {
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList).anyTimes();
+        expect(mockAuthentication.getPrincipal()).andReturn(user).anyTimes();
+        replay(mockAuthentication);
+        expect(mockWidgetCommentRepository.get(VALID_COMMENT_ID)).andReturn(widgetComment).anyTimes();
+        replay(mockWidgetCommentRepository);
+        
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
VALID_COMMENT_ID, WidgetComment.class.getName(), Permission.ADMINISTER), is(false));
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
VALID_COMMENT_ID, WidgetComment.class.getName(), Permission.CREATE), is(true));
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
VALID_COMMENT_ID, WidgetComment.class.getName(), Permission.READ), is(true));
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
VALID_COMMENT_ID, WidgetComment.class.getName(), Permission.DELETE), is(true));
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
VALID_COMMENT_ID, WidgetComment.class.getName(), Permission.UPDATE), is(true));
+        
+        
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
VALID_COMMENT_ID, WidgetComment.class.getName(), Permission.CREATE_OR_UPDATE), is(false));
+        verify(mockAuthentication);
+        verify(mockWidgetCommentRepository);
+    }
+    
+    @Test
+    public void testNonOwnerPermissionsById() {
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList).anyTimes();
+        expect(mockAuthentication.getPrincipal()).andReturn(user2).anyTimes();
+        replay(mockAuthentication);
+        expect(mockWidgetCommentRepository.get(VALID_COMMENT_ID)).andReturn(widgetComment).anyTimes();
+        replay(mockWidgetCommentRepository);
+        
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
VALID_COMMENT_ID, WidgetComment.class.getName(), Permission.ADMINISTER), is(false));
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
VALID_COMMENT_ID, WidgetComment.class.getName(), Permission.CREATE), is(false));
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
VALID_COMMENT_ID, WidgetComment.class.getName(), Permission.READ), is(true));
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
VALID_COMMENT_ID, WidgetComment.class.getName(), Permission.DELETE), is(false));
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
VALID_COMMENT_ID, WidgetComment.class.getName(), Permission.UPDATE), is(false));
+        
+        
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
VALID_COMMENT_ID, WidgetComment.class.getName(), Permission.CREATE_OR_UPDATE), is(false));
+        verify(mockAuthentication);
+        verify(mockWidgetCommentRepository);
+    }
+    
+    @Test
+    public void testOwnerPremissionBySecurityContext() {
+        RaveSecurityContext raveSecurityContext = new RaveSecurityContext(VALID_USER_ID,
WidgetComment.class.getName());
+        
+        expect(mockAuthentication.getPrincipal()).andReturn(user).anyTimes();
+        replay(mockAuthentication);
+        
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
raveSecurityContext, WidgetComment.class.getName(), Permission.ADMINISTER), is(false));
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
raveSecurityContext, WidgetComment.class.getName(), Permission.CREATE), is(true));
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
raveSecurityContext, WidgetComment.class.getName(), Permission.READ), is(true));
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
raveSecurityContext, WidgetComment.class.getName(), Permission.DELETE), is(true));
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
raveSecurityContext, WidgetComment.class.getName(), Permission.UPDATE), is(true));
+        
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
raveSecurityContext, WidgetComment.class.getName(), Permission.CREATE_OR_UPDATE), is(false));
+        verify(mockAuthentication);
+    }
+    
+    @Test
+    public void testNonOwnerPremissionBySecurityContext() {
+        RaveSecurityContext raveSecurityContext = new RaveSecurityContext(INVALID_USER_ID,
WidgetComment.class.getName());
+        
+        expect(mockAuthentication.getPrincipal()).andReturn(user).anyTimes();
+        replay(mockAuthentication);
+        
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
raveSecurityContext, WidgetComment.class.getName(), Permission.ADMINISTER), is(false));
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
raveSecurityContext, WidgetComment.class.getName(), Permission.CREATE), is(false));
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
raveSecurityContext, WidgetComment.class.getName(), Permission.READ), is(true));
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
raveSecurityContext, WidgetComment.class.getName(), Permission.DELETE), is(false));
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
raveSecurityContext, WidgetComment.class.getName(), Permission.UPDATE), is(false));
+        
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
raveSecurityContext, WidgetComment.class.getName(), Permission.CREATE_OR_UPDATE), is(false));
+        verify(mockAuthentication);
+    }
+    
+    @Test
+    public void testCreationPremission() {
+        //Widget.entityId is not set in this case
+        
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList).anyTimes();
+        expect(mockAuthentication.getPrincipal()).andReturn(user).anyTimes();
+        replay(mockAuthentication);
+        
+        WidgetComment localWidgetComment = new WidgetComment();
+        User localUser = new User();
+        localUser.setEntityId(VALID_USER_ID);
+        localWidgetComment.setUser(localUser);
+        expect(mockWidgetCommentRepository.get(VALID_COMMENT_ID)).andReturn(localWidgetComment).anyTimes();
+        replay(mockWidgetCommentRepository);
+        
+        assertThat(defaultWidgetCommentPermissionEvaluator.hasPermission(mockAuthentication,
localWidgetComment, Permission.CREATE), is(true));
+        
+        verify(mockAuthentication);
+        verify(mockWidgetCommentRepository);
+    }
+}
\ No newline at end of file



Mime
View raw message