in src/main/java/org/apache/directory/fortress/core/impl/DelAccessMgrImpl.java [429:497]
/**
 * Decides whether one of the session's administrative roles grants authority over
 * both the supplied {@code role} and the organizational unit of {@code perm}'s object.
 *
 * <p>Evaluation order, per admin role in {@code session.getAdminRoles()}:
 * <ol>
 *   <li>{@code SUPER_ADMIN} grants immediately.</li>
 *   <li>The admin role's OS-P set (plus every PSO descendant) must contain the permission
 *       object's OU; otherwise the admin role is skipped.</li>
 *   <li>{@code REST_ADMIN} then grants; a begin/end role range grants when the target role
 *       lies within the ascendant range; a bare begin-range grants when it names the target role.</li>
 * </ol>
 *
 * @param session the caller's session; its admin roles are the authority being evaluated
 * @param role    the role the caller is attempting to act upon
 * @param perm    the permission whose object name is resolved to a {@link PermObj} and OU
 * @return {@code true} when some admin role in the session has authority; {@code false} otherwise,
 *         including when the session holds no admin roles
 * @throws SecurityException propagated from the permission lookup or hierarchy utilities
 */
private boolean checkRolePermission(Session session, Role role, Permission perm)
    throws SecurityException
{
    List<UserAdminRole> adminRoles = session.getAdminRoles();
    if (!CollectionUtils.isNotEmpty(adminRoles))
    {
        return false;
    }

    // Resolve the permission object up front; its OU is what the OS-P check compares against.
    PermObj lookup = new PermObj(perm.getObjName());
    lookup.setContextId(contextId);
    PermObj target = permP.read(lookup);

    for (UserAdminRole adminRole : adminRoles)
    {
        String adminRoleName = adminRole.getName();
        if (adminRoleName.equalsIgnoreCase(SUPER_ADMIN))
        {
            return true;
        }

        Set<String> osPs = adminRole.getOsPSet();
        if (!CollectionUtils.isNotEmpty(osPs))
        {
            continue;
        }

        // Case-insensitive view of the admin role's OS-P entries together with all of their descendants.
        Set<String> authorizedOus = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        for (String osP : osPs)
        {
            authorizedOus.add(osP);
            authorizedOus.addAll(PsoUtil.getInstance().getDescendants(osP, this.contextId));
        }
        // Admin role has no authority over this permission object's OU -> try the next admin role.
        if (!authorizedOus.contains(target.getOu()))
        {
            continue;
        }

        if (adminRoleName.equalsIgnoreCase(REST_ADMIN))
        {
            return true;
        }

        String beginRange = adminRole.getBeginRange();
        String endRange = adminRole.getEndRange();
        if (beginRange != null && endRange != null && !beginRange.equalsIgnoreCase(endRange))
        {
            // Explicit role range: ascendants between begin and end, with begin added when inclusive.
            // NOTE(review): assumes getAscendants never returns null, since add() runs before the emptiness check — confirm.
            Set<String> range = RoleUtil.getInstance().getAscendants(
                beginRange, endRange, adminRole.isEndInclusive(), this.contextId);
            if (adminRole.isBeginInclusive())
            {
                range.add(beginRange);
            }
            // NOTE(review): contains() uses the returned set's own equality, unlike the
            // equalsIgnoreCase checks elsewhere in this method — confirm role names are normalized.
            if (CollectionUtils.isNotEmpty(range) && range.contains(role.getName()))
            {
                return true;
            }
        }
        else if (beginRange != null && beginRange.equalsIgnoreCase(role.getName()))
        {
            // Degenerate range (begin only, or begin == end): authority over exactly that role.
            return true;
        }
    }
    return false;
}