in src/main/java/org/apache/directory/fortress/core/impl/DelAccessMgrImpl.java [352:419]
/**
 * ARBAC authority check: decides whether one of the administrative roles activated in
 * {@code session} is allowed to act on the assignment of {@code role} to {@code user}.
 * <p>
 * Evaluation order for each admin role in the session:
 * <ol>
 *   <li>{@code SUPER_ADMIN} (case-insensitive name match) grants authority unconditionally.</li>
 *   <li>Otherwise the admin role's user-OU set (each OU plus its descendants from
 *       {@code UsoUtil}) must contain the target user's OU; admin roles with no OU set never match.</li>
 *   <li>With OU authority established, {@code REST_ADMIN} grants authority; otherwise the admin
 *       role's begin/end role range is consulted: a real range (begin != end) is expanded through
 *       {@code RoleUtil.getAscendants} (begin added when begin-inclusive) and must contain the role
 *       name; a degenerate range grants authority only when begin equals the role name
 *       (case-insensitive).</li>
 * </ol>
 * All name comparisons are case-insensitive. A session without admin roles is denied.
 *
 * @param session the caller's session; only its activated admin roles are consulted
 * @param user    the target user; it is re-read from the directory to validate it and obtain its OU
 * @param role    the RBAC role whose assignment/deassignment is being authorised
 * @return {@code true} when at least one admin role in the session has authority, else {@code false}
 * @throws SecurityException propagated from {@code userP.read} (e.g. the target user does not exist)
 *                           or from the OU/role graph lookups
 */
private boolean checkUserRole(Session session, User user, Role role)
    throws SecurityException
{
    List<UserAdminRole> adminRoles = session.getAdminRoles();
    if (CollectionUtils.isEmpty(adminRoles))
    {
        // No administrative role activated: deny without touching the directory.
        return false;
    }

    // Validate the target user exists and fetch its OU; this read happens once, before any role is
    // examined, so a missing user surfaces as an exception even for a SUPER_ADMIN caller.
    User target = userP.read(user, false);

    for (UserAdminRole adminRole : adminRoles)
    {
        String adminRoleName = adminRole.getName();
        if (adminRoleName.equalsIgnoreCase(SUPER_ADMIN))
        {
            return true;
        }

        Set<String> assignedOus = adminRole.getOsUSet();
        if (CollectionUtils.isEmpty(assignedOus))
        {
            // An admin role with no user-OU scope has no authority over any user.
            continue;
        }

        // Expand each assigned OU with its descendants; the comparator makes membership
        // tests case-insensitive so OU spelling differences in the directory don't matter.
        Set<String> authorizedOus = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        for (String ou : assignedOus)
        {
            authorizedOus.add(ou);
            authorizedOus.addAll(UsoUtil.getInstance().getDescendants(ou, this.contextId));
        }

        // NOTE(review): a null OU on the target user would make contains() throw (comparator
        // rejects null) rather than return false — confirm userP.read always populates ou.
        if (!authorizedOus.contains(target.getOu()))
        {
            continue;
        }

        if (adminRoleName.equalsIgnoreCase(REST_ADMIN))
        {
            return true;
        }

        String beginRange = adminRole.getBeginRange();
        String endRange = adminRole.getEndRange();
        if (beginRange != null && endRange != null && !beginRange.equalsIgnoreCase(endRange))
        {
            // Real role range: expand it through the role hierarchy.
            Set<String> roleRange = RoleUtil.getInstance().getAscendants(
                beginRange, endRange, adminRole.isEndInclusive(), this.contextId);
            if (adminRole.isBeginInclusive())
            {
                roleRange.add(beginRange);
            }
            if (CollectionUtils.isNotEmpty(roleRange) && roleRange.contains(role.getName()))
            {
                return true;
            }
        }
        else if (beginRange != null && beginRange.equalsIgnoreCase(role.getName()))
        {
            // Degenerate range (begin == end, or no end): authority over exactly that one role.
            return true;
        }
    }

    return false;
}