Class EntityAccessChecker

  • All Implemented Interfaces:
    OBNotSingleton, OBProvidable

    public class EntityAccessChecker
    extends Object
    implements OBNotSingleton
    This class is responsible for determining the allowed read/write access for a combination of user and Entity. It uses the window-role access information and the window-table relation to determine which tables are readable and writable for a user. If the user has read/write access to a Window, the related Table/Entity is also writable.

    In addition, this class implements the concept of derived readable. Any entity referred to from a readable/writable entity is a derived readable. A user may read (but not write) the following properties of a derived readable entity: the id and the identifier properties. Access to any other property, or changing a property, on a derived readable entity results in an OBSecurityException. Derived readable checks are done when a value is retrieved from an object (@see BaseOBObject#get(String)).

    This class is used from the SecurityChecker which combines all entity security checks.

    Author:
    mtaal
    See Also:
    Entity, Property, SecurityChecker
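    The rules described above, as an added self-contained Java sketch (not Openbravo's code): entities are modelled as plain strings, a stub exception stands in for OBSecurityException, and whether a property is the id or an identifier is passed in as a flag rather than read from a Property object.

```java
import java.util.*;

// Hypothetical model of the EntityAccessChecker rules: window-role access plus the
// window-table relation yield readable/writable entities; entities referred to from
// those become derived readable, where only id/identifier properties may be read.
public class DerivedReadableDemo {
    static class AccessDenied extends RuntimeException {   // stands in for OBSecurityException
        AccessDenied(String msg) { super(msg); }
    }

    final Set<String> readable = new HashSet<>();
    final Set<String> writable = new HashSet<>();
    final Set<String> derivedReadable = new HashSet<>();

    // windowAccess: window -> true if the role has read/write access, false if read-only
    // windowTables: window -> entities backing its tabs
    // references:   entity -> entities it refers to (foreign keys)
    void initialize(Map<String, Boolean> windowAccess, Map<String, List<String>> windowTables,
                    Map<String, List<String>> references) {
        for (Map.Entry<String, Boolean> w : windowAccess.entrySet()) {
            for (String entity : windowTables.getOrDefault(w.getKey(), List.of())) {
                readable.add(entity);
                if (w.getValue()) writable.add(entity);   // read/write on the window => writable
            }
        }
        for (String entity : readable) {                 // derived readable: referenced, not directly readable
            for (String target : references.getOrDefault(entity, List.of())) {
                if (!readable.contains(target)) derivedReadable.add(target);
            }
        }
    }

    // Mirrors the check done on value retrieval: a derived readable entity exposes only id/identifier.
    String get(String entity, String property, boolean isIdOrIdentifier) {
        if (readable.contains(entity)) return entity + "." + property + " readable";
        if (derivedReadable.contains(entity) && isIdOrIdentifier) return entity + "." + property + " derived readable";
        throw new AccessDenied("not readable: " + entity + "." + property);
    }

    void checkWritable(String entity) {
        if (!writable.contains(entity)) throw new AccessDenied("not writable: " + entity);
    }

    public static void main(String[] args) {
        DerivedReadableDemo c = new DerivedReadableDemo();   // constructed sample: one read-only window
        c.initialize(Map.of("SalesOrderWindow", false),
                     Map.of("SalesOrderWindow", List.of("Order", "OrderLine")),
                     Map.of("Order", List.of("BusinessPartner")));
        System.out.println(c.get("Order", "documentNo", false));
        System.out.println(c.get("BusinessPartner", "id", true));
        try { c.get("BusinessPartner", "creditLimit", false); } catch (AccessDenied e) { System.out.println(e.getMessage()); }
        try { c.checkWritable("Order"); } catch (AccessDenied e) { System.out.println(e.getMessage()); }
    }
}
```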
    • Constructor Detail

      • EntityAccessChecker

        public EntityAccessChecker()
    • Method Detail

      • calculateCachedElements

        public static void calculateCachedElements()
        This method calculates all the information that can be cached in order to improve the performance of the EntityAccessChecker process. The static block is only called once, when the class itself is initialized.
      • initialize

        public void initialize()
        Reads the windows from the database using the current role of the user. Then it iterates through the windows and tabs to determine which entities are readable/writable for that user. In addition, non-readable and derived-readable entities are computed. Derived entities from process definitions are computed as well.
        See Also:
        ModelProvider
      • hasCorrectAccessLevel

        public static boolean hasCorrectAccessLevel(String userLevel,
                                                    int accessLevel)
        Checks whether a certain user access level and a certain data access level match, i.e. whether a user with that user access level is allowed to view something with that data access level.
        Parameters:
        userLevel - the user level as defined in the role of the user
        accessLevel - the data access level defined in the table
        Returns:
        true if access is allowed, false otherwise
      • dump

        public void dump()
        Dumps the readable, writable, derived readable entities. For debugging purposes.
      • isDerivedReadable

        public boolean isDerivedReadable(Entity entity)
        Parameters:
        entity - the entity to check
        Returns:
        true if the entity is derived readable for this user, otherwise false is returned.
      • isWritable

        public boolean isWritable(Entity entity)
        Parameters:
        entity - the entity to check
        Returns:
        true if the entity is writable for this user, otherwise false is returned.
      • checkWritable

        public void checkWritable(Entity entity)
        Checks if an entity is writable for this user. If not, an OBSecurityException is thrown.
        Parameters:
        entity - the entity to check
        Throws:
        OBSecurityException
      • checkReadable

        public void checkReadable(Entity entity)
        Checks if an entity is readable for this user. If not, an OBSecurityException is thrown.
        Parameters:
        entity - the entity to check
        Throws:
        OBSecurityException
      • checkReadableAccess

        public void checkReadableAccess(Entity entity)
        Checks if an entity is readable for the current user. Admin mode is not taken into account.
        Parameters:
        entity - the entity to check
      • checkDerivedAccess

        public void checkDerivedAccess(Entity entity)
        Checks if an entity is derived readable for the current user. Admin mode is not taken into account.
        Parameters:
        entity - the entity to check
      • checkWritableAccess

        public void checkWritableAccess(Entity entity)
        Checks if an entity is writable for the current user. Admin mode is not taken into account.
        Parameters:
        entity - the entity to check
      • checkProcessAccess

        public boolean checkProcessAccess(String processId)
        Checks if a process is accessible for the current user. Admin mode is not taken into account.
      • getRoleId

        public String getRoleId()
      • setRoleId

        public void setRoleId(String roleId)
      • getObContext

        public OBContext getObContext()
      • setObContext

        public void setObContext(OBContext obContext)
      • getReadableEntities

        public Set<Entity> getReadableEntities()
      • getWritableEntities

        public Set<Entity> getWritableEntities()
      • getDerivedReadableEntities

        public Set<Entity> getDerivedReadableEntities()
      • getDerivedEntitiesFromProcess

        public Set<Entity> getDerivedEntitiesFromProcess()