KickJava   Java API By Example, From Geeks To Geeks.

Java > Open Source Codes > com > jcorporate > expresso > core > dbobj > SecuredDBObject


1 /* ====================================================================
2  * The Jcorporate Apache Style Software License, Version 1.2 05-07-2002
3  *
4  * Copyright (c) 1995-2002 Jcorporate Ltd. All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  * notice, this list of conditions and the following disclaimer.
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright
14  * notice, this list of conditions and the following disclaimer in
15  * the documentation and/or other materials provided with the
16  * distribution.
17  *
18  * 3. The end-user documentation included with the redistribution,
19  * if any, must include the following acknowledgment:
20  * "This product includes software developed by Jcorporate Ltd.
21  * (http://www.jcorporate.com/)."
22  * Alternately, this acknowledgment may appear in the software itself,
23  * if and wherever such third-party acknowledgments normally appear.
24  *
25  * 4. "Jcorporate" and product names such as "Expresso" must
26  * not be used to endorse or promote products derived from this
27  * software without prior written permission. For written permission,
28  * please contact info@jcorporate.com.
29  *
30  * 5. Products derived from this software may not be called "Expresso",
31  * or other Jcorporate product names; nor may "Expresso" or other
32  * Jcorporate product names appear in their name, without prior
33  * written permission of Jcorporate Ltd.
34  *
35  * 6. No product derived from this software may compete in the same
36  * market space, i.e. framework, without prior written permission
37  * of Jcorporate Ltd. For written permission, please contact
38  * partners@jcorporate.com.
39  *
40  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
41  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
42  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
43  * DISCLAIMED. IN NO EVENT SHALL JCORPORATE LTD OR ITS CONTRIBUTORS
44  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
45  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
46  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
47  * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
48  * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
49  * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
50  * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * ====================================================================
53  *
54  * This software consists of voluntary contributions made by many
55  * individuals on behalf of the Jcorporate Ltd. Contributions back
56  * to the project(s) are encouraged when you make modifications.
57  * Please send them to support@jcorporate.com. For more information
58  * on Jcorporate Ltd. and its products, please see
59  * <http://www.jcorporate.com/>.
60  *
61  * Portions of this software are based upon other open source
62  * products and are subject to their respective licenses.
63  */
64
65 package com.jcorporate.expresso.core.dbobj;
66
67 import com.jcorporate.expresso.core.cache.CacheException;
68 import com.jcorporate.expresso.core.cache.CacheManager;
69 import com.jcorporate.expresso.core.cache.CacheSystem;
70 import com.jcorporate.expresso.core.controller.ControllerRequest;
71 import com.jcorporate.expresso.core.dataobjects.Securable;
72 import com.jcorporate.expresso.core.db.DBConnection;
73 import com.jcorporate.expresso.core.db.DBException;
74 import com.jcorporate.expresso.core.i18n.Messages;
75 import com.jcorporate.expresso.core.misc.StringUtil;
76 import com.jcorporate.expresso.core.security.User;
77 import com.jcorporate.expresso.kernel.util.ClassLocator;
78 import com.jcorporate.expresso.kernel.util.FastStringBuffer;
79 import com.jcorporate.expresso.services.dbobj.DBObjSecurity;
80 import com.jcorporate.expresso.services.dbobj.DefaultUserInfo;
81 import com.jcorporate.expresso.services.dbobj.GroupMembers;
82 import com.jcorporate.expresso.services.dbobj.UserGroup;
83 import org.apache.log4j.Logger;
84
85 import java.util.ArrayList JavaDoc;
86 import java.util.Enumeration JavaDoc;
87 import java.util.Iterator JavaDoc;
88 import java.util.Vector JavaDoc;
89
90
91 /**
92  * A database object can be stored in a table (or tables),
93  * can be retrieved, and various other operations
94  * Specific database objects extend this object
95  *
96  * @author Michael Nash
97  */
98 public abstract class SecuredDBObject
99         extends DBObject implements Securable {
100
101     /**
102      * Used in the constructor. If you use the SYSTEM_ACCOUNT, there are no
103      * security checks performed before a Database Object is used. BE CAREFUL
104      * ON USING THIS as it effectively bypasses security!
105      */
106     public static final int SYSTEM_ACCOUNT = -1;
107
108     /**
109      * Used in the deprecated constructor. If you use this, there are no
110      * security checks performed before a Database Object is used. BE CAREFUL
111      * ON USING THIS as it effectively bypasses security!
112      */
113     public static final String JavaDoc SYSTEM_ACCOUNT_NAME = "SYSTEM";
114
115     /**
116      * Cache name for the system security
117      */
118     protected static final String JavaDoc CACHE_NAME = SecuredDBObject.class.getName()
119             + ".securityCache";
120
121     /**
122      * Cache Default Expiration Default value of 30 minutes.
123      */
124     protected static final long CACHE_TTY = 60 * 1000 * 30;
125
126     /**
127      * Field constants for add update search and delete functionality.
128      * Designates an add operation
129      */
130     public static final String JavaDoc ADD = "A";
131
132     /**
133      * Designates a Delete Operation
134      */
135     public static final String JavaDoc DELETE = "D";
136
137     /**
138      * Desginates an Search Operation
139      */
140     public static final String JavaDoc SEARCH = "S";
141
142     /**
143      * Designates an Update Operation
144      */
145     public static final String JavaDoc UPDATE = "U";
146
147     /**
148      * all possible manipution functions
149      */
150     public static final String JavaDoc[] ALL_FUNCTIONS = {ADD, DELETE, SEARCH, UPDATE};
151
152     private static Logger log = Logger.getLogger(SecuredDBObject.class);
153
154     //////////////////////////////////////////////
155 // instance data members
156 ///////////////////////////////////////////////////
157
158     /* The uid gives us the Expresso user's id number for the user */
159     /* accessing this DBObject. -1 indicates "SYSTEM" access, e.g. no */
160     /* limitations on security access at all, and should be used only within */
161     /* applications where security is being handled separately */
162     private int uid = SYSTEM_ACCOUNT;
163
164
165     /**
166      * Constructor
167      */
168     public SecuredDBObject()
169             throws DBException {
170         super();
171
172     } /* SecuredDBObject() */
173
174     /**
175      * Constructor that sets the connection on create
176      *
177      * @param newConnection The dbConnection object to associate with this
178      * object
179      */
180     public SecuredDBObject(DBConnection newConnection)
181             throws DBException {
182         this(newConnection, newConnection.getDataContext());
183     } /* SecuredDBObject(DBConnection) */
184
185     /**
186      * <p/>
187      * Constructor that sets a connection as the object is created - typically
188      * this is used when a particular DBConnection is required for the purposes of
189      * maintaining a database transaction. If a specific connection is not used,
190      * there is no way to use commit() and rollback() in the event of failure, as a
191      * different DBConnection might be used for each phase of the transaction.
192      * Critial sections should therefore explicity request a DBConnection from the
193      * connection pool and pass it to each of the DB objects in that section.
194      * </p>
195      * <p>This constructor is neceesary to work with otherDBMap and transaction
196      * capabilities</p>
197      *
198      * @param newConnection The DBConnection to utilize
199      * @param setupTablesContext The data context that contains the setup (and
200      * security) tables for this object
201      * @since Expresso 5.0.1
202      */
203     public SecuredDBObject(DBConnection newConnection, String JavaDoc setupTablesContext)
204             throws DBException {
205         super(newConnection, setupTablesContext);
206     } /* DBObject(DBConnection) */
207
208
209     /**
210      * Constructor that sets user ID and data context from request
211      *
212      * @param request the request from which to set user, context
213      * @throws DBException upon construction error
214      */
215     public SecuredDBObject(ControllerRequest request)
216             throws DBException {
217         this(request.getUid());
218         setDataContext(request.getDataContext());
219     }
220
221
222     /**
223      * New version of "setUser()" to to speak.
224      *
225      * @param newUid Sets the UID for this DBObject. Used for security checks.
226      * @since Expresso 4.0
227      */
228     public void setRequestingUid(int newUid) {
229         uid = newUid;
230     }
231
232     /**
233      * New version of "setUser()", returns the integer UID of the
234      * permissions this dbobject is operating under
235      *
236      * @return The User's UID for which the DBObject is set to. [-1 if it's
237      * the system account]
238      * @since Expresso 4.0
239      */
240     public int getRequestingUid() {
241         return uid;
242     }
243
244
245     /**
246      * Constructor: Specify a DB connection AND user
247      *
248      * @param newUid User ID attempting to use this object.
249      * If this is SecuredDBObject.SYSTEM_ACCOUNT, then
250      * full permissions are granted. Note that you cannot log in
251      * as SecuredDBObject.SYSTEM_ACCOUNT,
252      * t can only be used from within a method.
253      * @throws DBException If the object cannot be created
254      */
255     public SecuredDBObject(int newUid)
256             throws DBException {
257         super();
258         setRequestingUid(newUid);
259     }
260
261
262     /**
263      * Constructor: Specify a DB connection AND user id
264      *
265      * @param theConnection A DBConnection that this object should
266      * use to connect to the database
267      * @param theUser User name attempting to use this object.
268      * If this is "SYSTEM", then
269      * full permissions are granted. Note that you cannot log in
270      * as "SYSTEM", it can only be used from within a method.
271      * @throws DBException If the object cannot be created
272      */
273     public SecuredDBObject(DBConnection theConnection, int theUser)
274             throws DBException {
275         super(theConnection);
276         setRequestingUid(theUser);
277     } /* SecuredDBObject(DBConnection, int) */
278
279
280     /**
281      * For using DBObjects within Controllers. Initializes based
282      * upon the current login user id, locale, and the requested
283      * db context.
284      *
285      * @param request - The controller request handed to you by the framework.
286      * @throws DBException if there's an error constructing the SecuredDBObject
287      */
288     public SecuredDBObject(RequestContext request)
289             throws DBException {
290         // The next line does not work because the expresso DB object makes
291 // class initialisations base on the static subclass type
292 // *PP* Wed Jan 01 19:51:39 GMT 2003
293 // super( request )
294 setRequestingUid(request.getUid());
295         setDataContext(request.getDBName());
296         setLocale(request.getLocale());
297     }
298
299
300     /**
301      * Alternate form of constructor, specifying the db name/context and the
302      * user at once
303      *
304      * @param dbKey db/Context key for the context being requested
305      * @param theUser User id of the user requesting access
306      */
307     public SecuredDBObject(String JavaDoc dbKey, int theUser)
308             throws DBException {
309         super(dbKey);
310         setRequestingUid(theUser);
311     } /* SecuredDBObject(String, int) */
312
313     /**
314      * If the user is allowed to add, invoke the superclass add
315      *
316      * @throws DBException If the user is not permitted to add
317      * or if the add fails
318      */
319     public void add()
320             throws DBException {
321         isAllowed(ADD);
322         super.add();
323     } /* add() */
324
325
326     /**
327      * See if the current user has permission to perform the permissions
328      *
329      * @param requestedFunction (A)dd, (U)pdate, (D)elete, (S)earch
330      * @return boolean: true if the operation is allowed, or false if it is not
331      * @see #isAllowed
332      */
333     public boolean checkAllowed(String JavaDoc requestedFunction)
334             throws DBException {
335         try {
336             isAllowed(requestedFunction);
337         } catch (SecurityException JavaDoc de) {
338             log.debug(de);
339
340             return false;
341         }
342
343         return true;
344     } /* checkAllowed(String) */
345
346
347     /**
348      * Delete a record from the target table
349      *
350      * @throws DBException if delete is not allowed for the current user
351      */
352     public void delete()
353             throws DBException {
354         isAllowed(DELETE);
355         super.delete();
356     } /* delete() */
357
358
359     /**
360      * Just like retrieve, but works with any fields, not just the key field.
361      * Finds only first record matching the criteria
362      *
363      * @return boolean If a matching record is found, else false
364      * @throws DBException if search is not allowed
365      */
366     public boolean find()
367             throws DBException {
368         isAllowed(SEARCH);
369
370         return super.find();
371     } /* find() */
372
373
374     /**
375      * Creates the security caches
376      * Synchronized to provide thread safety since
377      * this is accessing a system-wide object.
378      *
379      * @throws CacheException if there's an error creating the cache or
380      * adding the listeners.
381      */
382     protected synchronized void createSecurityCache() throws CacheException {
383
384 // retest existance of cache after getting sync lock--another thread
385 // might have just finished the job of cache creation
386 synchronized (SecuredDBObject.class) {
387             CacheSystem cs = CacheManager.getCacheSystem(getDataContext());
388             if (cs == null) {
389                 //If cs == null this data context does not have caching installed.
390 return;
391             }
392
393             if (!cs.existsCache(CACHE_NAME)) {
394                 if (log.isDebugEnabled()) {
395                     log.debug("Cache did not exist - creating");
396                 }
397
398                 cs.createCache(CACHE_NAME, false, 1000);
399                 cs.addListener(CACHE_NAME, GroupMembers.class.getName());
400                 cs.addListener(CACHE_NAME, DBObjSecurity.class.getName());
401                 cs.addListener(CACHE_NAME, DefaultUserInfo.class.getName());
402                 cs.addListener(CACHE_NAME, UserGroup.class.getName());
403             }
404         }
405     }
406
407     /**
408      * See if the current user of this DB object is allowed to perform the
409      * requested function, given the function's code.
410      *
411      * @param requestedFunction The code of the requested function. The codes are:
412      * <ol><li>A: Add<li>
413      * <li>S: Search<li>
414      * <li>U: Update<li>
415      * <li>D: Delete<li>
416      * </ol>
417      * @throws DBException If the requested operation is not permitted to this user
418      */
419     public void isAllowed(String JavaDoc requestedFunction)
420             throws SecurityException JavaDoc, DBException {
421         if (log.isDebugEnabled()) {
422             log.debug("Checking permission for function '" +
423                     requestedFunction + "' for user " + uid);
424         }
425         if (uid == 0) {
426             throw new DBException("User not specified. Must have a " +
427                     "valid user id to access database object '" +
428                     getMetaData().getDescription() + "'");
429         }
430         /* User 'SYSTEM' or 'Admin' is always allowed permissions */
431         if (uid == -1 || User.getAdminId(getDataContext()) == uid) {
432             if (log.isDebugEnabled()) {
433                 log.debug("User was SYSTEM - permission granted");
434             }
435
436             return;
437         }
438         try {
439             CacheSystem cs = CacheManager.getCacheSystem(getDataContext());
440             if (cs != null) {
441                 if (!cs.existsCache(CACHE_NAME)) {
442                     createSecurityCache();
443                 }
444             }
445
446             ValidValue sec = null;
447             if (cs != null) {
448                 sec = (ValidValue) cs.getItem(CACHE_NAME,
449                         uid + "|" +
450                         getClass().getName());
451             }
452
453             if (sec == null) {
454                 User u = new User();
455
456                 u.setDataContext(StringUtil.notNull(getDataContext()));
457                 u.setUid(uid);
458                 u.retrieve();
459
460                 Vector JavaDoc groups = u.getGroups();
461
462                 if (log.isDebugEnabled()) {
463                     log.debug("User '" + u.getLoginName() +
464                             "' in db/context '" + getDataContext() +
465                             "' who requested function '" +
466                             requestedFunction + "' on database object '" +
467                             getClass().getName() + "' is in " +
468                             groups.size() + " groups.");
469                 }
470
471                 DBObjSecurity dbSec = new DBObjSecurity();
472                 dbSec.setDataContext(StringUtil.notNull(getDataContext()));
473
474                 if (log.isDebugEnabled()) {
475                     log.debug("User '" + u.getLoginName() +
476                             "' in db/context '" + this.getMappedDataContext() +
477                             "' requested function '" + requestedFunction +
478                             "' on database object '" + getClass().getName() +
479                             "' which is in original db '" +
480                             this.getDataContext() + "'");
481                 }
482
483                 DBObjSecurity oneSec = null;
484                 String JavaDoc oneGroupName = null;
485
486                 FastStringBuffer currentSecurity = new FastStringBuffer(6);
487                 for (Enumeration JavaDoc e = groups.elements(); e.hasMoreElements();) {
488                     oneGroupName = (String JavaDoc) e.nextElement();
489
490                     if (log.isDebugEnabled()) {
491                         log.debug("User '" + u.getLoginName() +
492                                 "' in db/context '" + getDataContext() +
493                                 "' who requested function '" +
494                                 requestedFunction +
495                                 "' on database object '" +
496                                 getClass().getName() + "' is in group '" +
497                                 oneGroupName + "'");
498                     }
499
500                     dbSec.clear();
501                     dbSec.setField("GroupName", oneGroupName);
502                     dbSec.setField("DBObjectName", getClass().getName());
503
504                     String JavaDoc newSec = null;
505
506                     for (Iterator JavaDoc esec = dbSec.searchAndRetrieveList().iterator();
507                          esec.hasNext();) {
508                         oneSec = (DBObjSecurity) esec.next();
509                         newSec = oneSec.getField("MethodCode");
510
511                         /* if we already have the permission, don't add it again */
512                         if (currentSecurity.toString().indexOf(newSec) < 0) {
513                             currentSecurity.append(newSec);
514                             if ( currentSecurity.length() >= 4 ) {
515                                 // we have all possible privileges; no need to loop further
516 break;
517                             }
518                         }
519                     }
520                 } /* for each group this user belongs to */
521
522
523                 sec = new ValidValue(uid + "|" + getClass().getName(),
524                         currentSecurity.toString());
525
526                 if (cs != null) {
527                     cs.addItem(CACHE_NAME, sec, CACHE_TTY);
528                 }
529
530                 if (log.isDebugEnabled()) {
531                     log.debug("User '" + u.getLoginName() +
532                             "' in db/context '" + getDataContext() +
533                             "' who requested function '" +
534                             requestedFunction + "' on database object '" +
535                             getClass().getName() +
536                             "'. Security string created from database is '" +
537                             sec.getDescription() + "'");
538                 }
539             } else {
540                 if (log.isDebugEnabled()) {
541                     log.debug("User '" + uid + "' in db/context '" +
542                             getDataContext() + "' who requested function '" +
543                             requestedFunction + "' on database object '" +
544                             getClass().getName() +
545                             "'. Security string from cache is '" +
546                             sec.getDescription() + "'");
547                 }
548             }
549             /* if the appropriate permission character is found, we're done */
550             if (sec.getDescription().indexOf(requestedFunction) != -1) {
551                 return;
552             }
553             if (log.isDebugEnabled()) {
554                 log.debug("User '" + uid + "' in db/context '" + getDataContext() +
555                         "' is denied permission to perform function '" +
556                         requestedFunction + "' on database object '" +
557                         getClass().getName() + "'. Security string is '" +
558                         sec.getDescription() + "', which did not contain '" +
559                         requestedFunction + "'");
560             }
561
562             String JavaDoc permString = null;
563
564             if (requestedFunction.equalsIgnoreCase(ADD)) {
565                 permString = ("Add");
566             } else if (requestedFunction.equalsIgnoreCase(SEARCH)) {
567                 permString = ("Search");
568             } else if (requestedFunction.equalsIgnoreCase(UPDATE)) {
569                 permString = ("Update");
570             } else if (requestedFunction.equalsIgnoreCase(DELETE)) {
571                 permString = ("Delete");
572             } else {
573                 permString = ("perform operation '" +
574                         requestedFunction + "'");
575             }
576
577             String JavaDoc[] args = new String JavaDoc[4];
578             args[0] = "'" + User.getLoginFromId(getRequestingUid(), getDataContext()) + " (" + getRequestingUid() + ")'";
579             args[1] = "'" + permString + "'";
580             args[2] = "'" + getMetaData().getDescription() + "'";
581             args[3] = "'" + getDataContext() + "'";
582
583             throw new SecurityException JavaDoc(Messages.getString("knownUserSecException", args));
584         } catch (CacheException ce) {
585             throw new DBException(ce);
586         }
587     } /* isAllowed(String) */
588
589
590     /**
591      * Retrieve the uid of the 'System Account'
592      *
593      * @return usually -1. May vary depending on the implementation.
594      */
595     public int getSystemUid() {
596         return SecuredDBObject.SYSTEM_ACCOUNT;
597     }
598
599     /**
600      * Get a particular record from the database into this object's fields
601      * Assumes that the key fields are set to the key of the object to
602      * be retrieved
603      *
604      * @throws DBException if search is not allowed or if no record is found
605      */
606     public void retrieve()
607             throws DBException {
608         isAllowed(SEARCH);
609         super.retrieve();
610     } /* retrieve() */
611
612
613     /**
614      * Find a set of keys of all of the objects that match the current
615      * search critieria in the fields
616      * Assumes that the fields are populated with search criteria instead
617      * of data
618      * NOTE: Criteria in 'text' type colums is ignored (SQL Server limitation)
619      *
620      * @throws DBException if search is not allowed for the current user
621      */
622     public synchronized void search()
623             throws DBException {
624         isAllowed(SEARCH);
625         super.search();
626     } /* search() */
627
628
629     /**
630      * Find a set of records of all of the objects that match the current
631      * search critieria in the fields
632      * and retrieve the list of all records that match this criteria
633      * NOTE: Criteria in 'text' type colums is ignored (SQL Server limitation)
634      *
635      * @return An ArrayList containing all of the objects matching the criteria
636      * @throws DBException if search is not allowed for the current user
637      * @since Expresso 4.0
638      */
639     public synchronized ArrayList JavaDoc searchAndRetrieveList()
640             throws DBException {
641         isAllowed(SEARCH);
642         return super.searchAndRetrieveList();
643     }
644
645
646     /**
647      * Find a set of records of all of the objects that match the current
648      * search critieria in the fields
649      * and retrieve the list of all records that match this criteria
650      * NOTE: Criteria in 'text' type colums is ignored (SQL Server limitation)
651      *
652      * @param sortKeys A list of field names, seperated by pipes,
653      * that determine the order
654      * in which the records retrieved are sorted
655      * @return java.util.ArrayList of DBObjects found.
656      * @throws DBException if search is not allowed for the current user
657      * @since Expreso 4.0
658      */
659     public synchronized ArrayList JavaDoc searchAndRetrieveList(String JavaDoc sortKeys)
660             throws DBException {
661         isAllowed(SEARCH);
662         return super.searchAndRetrieveList(sortKeys);
663     } /* searchAndRetrieve(String) */
664
665     /**
666      * Update the database with the new info
667      *
668      * @throws DBException if update is not allowed for the current user
669      */
670     public void update()
671             throws DBException {
672         isAllowed(UPDATE);
673         super.update();
674     } /* update() */
675
676
677     /**
678      * Convenience method to get a local language string from within any
679      * SecuredDBObject by using the user's language perferences automatically
680      *
681      * @param stringCode The string code in the MessagesBundle to retrieve
682      * @param args The i18n formatting arguments which equals the standard arguments
683      * for a normal Java i18n APi
684      * @return The properly formatted string.
685      * @throws DBException if there's an error recovering the message string.
686      */
687     protected String JavaDoc getString(String JavaDoc stringCode, Object JavaDoc[] args)
688             throws DBException {
689         return Messages.getString(getJDBCMetaData().getSchema(), getLocale(), stringCode, args);
690     } /* getString(String, Object[]) */
691
692
693     /**
694      * Convenience factory method to create a SecuredDBObject object from it's name
695      *
696      * @param className The classname to instantiate of this DBObject.
697      * @return The fully constructed SecuredDBObject
698      * @throws DBException if there's an error constructing the DBOBject
699      */
700     public static SecuredDBObject instantiate(String JavaDoc className)
701             throws DBException {
702         StringUtil.assertNotBlank(className,
703                 "DBObject class name may not be blank or null here");
704
705         try {
706             Class JavaDoc c = ClassLocator.loadClass(className);
707
708             return (SecuredDBObject) c.newInstance();
709         } catch (ClassNotFoundException JavaDoc cn) {
710             throw new DBException("DBObject object '" + className +
711                     "' not found", cn);
712         } catch (InstantiationException JavaDoc ie) {
713             throw new DBException("DBObject object '" + className +
714                     "' cannot be instantiated", ie);
715         } catch (IllegalAccessException JavaDoc iae) {
716             throw new DBException("llegal access loading " +
717                     "DBObject object '" + className +
718                     "' doesn't have a public default constructor",
719                     iae);
720         }
721     } /* instantiate(String) */
722
723     /**
724      * Convenience method of the above with no arguments
725      *
726      * @param stringCode The string code to retrieve from the MessagesBundle.
727      * @return The formatted message string
728      * @throws DBException if there's an error retrieving the text
729      */
730     protected String JavaDoc getString(String JavaDoc stringCode)
731             throws DBException {
732         Object JavaDoc[] args = {};
733
734         return getString(stringCode, args);
735     } /* getString(String) */
736
737
738     /**
739      * Convenience method of the above without array arguments
740      *
741      * @param arg1 Formatting Argument #1
742      * @param stringCode The string code to retrieve from the MessagesBundle.
743      * @return The formatted message string
744      * @throws DBException if there's an error retrieving the text
745      */
746     protected String JavaDoc getString(String JavaDoc stringCode, String JavaDoc arg1)
747             throws DBException {
748         Object JavaDoc[] args = {arg1};
749
750         return getString(stringCode, args);
751     }
752
753     /**
754      * Convenience method of the above without array arguments
755      *
756      * @param stringCode The string code to retrieve from the MessagesBundle.
757      * @param arg1 Formatting Argument #1
758      * @param arg2 Formatting Argument #2
759      * @return The formatted message string
760      * @throws DBException if there's an error retrieving the text
761      */
762     protected String JavaDoc getString(String JavaDoc stringCode, String JavaDoc arg1, String JavaDoc arg2)
763             throws DBException {
764         Object JavaDoc[] args = {arg1, arg2};
765
766         return getString(stringCode, args);
767     }
768
769     /**
770      * Convenience method of the above without array arguments
771      *
772      * @param stringCode The string code to retrieve from the MessagesBundle.
773      * @param arg1 Formatting Argument #1
774      * @param arg2 Formatting Argument #2
775      * @param arg3 Formatting Argument #3
776      * @return The formatted message string
777      * @throws DBException if there's an error retrieving the text
778      */
779     protected String JavaDoc getString(String JavaDoc stringCode, String JavaDoc arg1, String JavaDoc arg2,
780                                String JavaDoc arg3)
781             throws DBException {
782         Object JavaDoc[] args = {arg1, arg2, arg3};
783
784         return getString(stringCode, args);
785     }
786
787     /**
788      * Convenience method of the above without array arguments
789      *
790      * @param stringCode The string code to retrieve from the MessagesBundle.
791      * @param arg1 Formatting Argument #1
792      * @param arg2 Formatting Argument #2
793      * @param arg3 Formatting Argument #3
794      * @param arg4 Formatting Argument #4
795      * @return The formatted message string
796      * @throws DBException if there's an error retrieving the text
797      */
798     protected String JavaDoc getString(String JavaDoc stringCode, String JavaDoc arg1, String JavaDoc arg2,
799                                String JavaDoc arg3, String JavaDoc arg4)
800             throws DBException {
801         Object JavaDoc[] args = {arg1, arg2, arg3, arg4};
802
803         return getString(stringCode, args);
804     }
805
806     /**
807      * this method should make sure that the 'returnObj'
808      * object is properly initialized with copied UID and data context as this (parent) object
809      *
810      * @param returnObj the object to copy the attributes into.
811      * @throws DBException upon error
812      */
813     public void copyAttributes(DBObject returnObj) throws DBException {
814         super.copyAttributes(returnObj);
815         if (returnObj instanceof SecuredDBObject) {
816             ((SecuredDBObject) returnObj).setRequestingUid(getRequestingUid());
817         }
818     }
819
820     /**
821      * Security check on count
822      *
823      * @return the count
824      * @throws com.jcorporate.expresso.core.db.DBException
825      * or security exception
826      * if search permissions is not allowed
827      */
828     public synchronized int count() throws com.jcorporate.expresso.core.db.DBException {
829         isAllowed(SEARCH);
830         return super.count();
831     }
832
833     /**
834      * Security check on deleteAll
835      */
836     public synchronized void deleteAll() throws com.jcorporate.expresso.core.db.DBException {
837         isAllowed(DELETE);
838         super.deleteAll();
839     }
840
841     /**
842      * determine if getRequestingUid has rights to read this kind of object
843      * (not just this particular object, but ALL INSTANCES of this kind of object)
844      *
845      * @return true if getRequestingUid has rights to read this row
846      * @throws DBException upon database communication error
847      */
848     public boolean canRequesterRead() throws DBException {
849         boolean result = false;
850
851         int userId = this.getRequestingUid();
852
853         if (userId == SYSTEM_ACCOUNT) {
854             return true;
855         }
856
857         User user = new User();
858         user.setUid(userId);
859         user.setDataContext(this.getDataContext());
860
861         if (!user.find()) {
862             throw new DBException("cannot find requesting user with ID: " + getRequestingUid());
863         }
864
865         if (user.isAdmin()) {
866             return true;
867         }
868
869         try {
870             this.isAllowed(SEARCH);
871             result = true;
872         } catch (Exception JavaDoc e) {
873             result = false;
874         }
875
876         return result;
877     }
878
879     /**
880      * determine if getRequestingUid has rights to add this kind of object
881      * (not just this particular object, but ALL INSTANCES of this kind of object)
882      *
883      * @return true if requesting id has permission to add
884      * @throws DBException upon database communication error
885      */
886     public boolean canRequesterAdd() throws DBException {
887         boolean result = false;
888
889         int userId = this.getRequestingUid();
890
891         if (userId == SYSTEM_ACCOUNT) {
892             return true;
893         }
894
895         User user = new User();
896         user.setUid(userId);
897         user.setDataContext(this.getDataContext());
898
899         if (!user.find()) {
900             throw new DBException("cannot find requesting user with ID: " + getRequestingUid());
901         }
902
903         if (user.getLoginName().equals(User.ADMIN_USER)) {
904             return true;
905         }
906
907         try {
908             this.isAllowed(ADD);
909             result = true;
910         } catch (Exception JavaDoc e) {
911             result = false;
912         }
913
914         return result;
915     }
916
917     /**
918      * determine if getRequestingUid has rights to delete this kind of object
919      * (not just this particular object, but ALL INSTANCES of this kind of object)
920      *
921      * @return true if requesting id has permission to delete
922      * @throws DBException upon database communication error
923      */
924     public boolean canRequesterDelete() throws DBException {
925         boolean result = false;
926
927         int userId = this.getRequestingUid();
928
929         if (userId == SYSTEM_ACCOUNT) {
930             return true;
931         }
932
933         User user = new User();
934         user.setUid(userId);
935         user.setDataContext(this.getDataContext());
936
937         if (!user.find()) {
938             throw new DBException("cannot find requesting user with ID: " + getRequestingUid());
939         }
940
941         if (user.getLoginName().equals(User.ADMIN_USER)) {
942             return true;
943         }
944
945         try {
946             this.isAllowed(DELETE);
947             result = true;
948         } catch (Exception JavaDoc e) {
949             result = false;
950         }
951
952         return result;
953     }
954
955     /**
956      * determine if getRequestingUid has rights to update this kind of object
957      * (not just this particular object, but ALL INSTANCES of this kind of object)
958      *
959      * @return true if requesting id has permission to update
960      * @throws DBException upon database communication error
961      */
962     public boolean canRequesterUpdate() throws DBException {
963         boolean result = false;
964
965         int userId = this.getRequestingUid();
966
967         if (userId == SYSTEM_ACCOUNT) {
968             return true;
969         }
970
971         User user = new User();
972         user.setUid(userId);
973         user.setDataContext(this.getDataContext());
974
975         if (!user.find()) {
976             throw new DBException("cannot find requesting user with ID: " + getRequestingUid());
977         }
978
979         if (user.getLoginName().equals(User.ADMIN_USER)) {
980             return true;
981         }
982
983         try {
984             this.isAllowed(UPDATE);
985             result = true;
986         } catch (Exception JavaDoc e) {
987             result = false;
988         }
989
990         return result;
991     }
992
993 } /* SecuredDBObject */
994
Popular Tags