private boolean checkAllowed()

in core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilter.java [103:137]


    /**
     * Decides whether the current request may pass the CMS security filter.
     *
     * <p>
     * A request is treated as public, and allowed without looking at the user,
     * when either of the following holds:
     * <ul>
     * <li>the request URI is accepted by {@code securityConfig.isUriAllowed}</li>
     * <li>the publishable parent of the requested resource adapts to
     * {@link PublishableResource} and reports itself as published</li>
     * </ul>
     * Both public checks are always evaluated, even when the first one already
     * passes.
     *
     * <p>
     * Otherwise the decision depends on the user: if the configuration names a
     * group, the result of {@code checkGroupMembership} is returned; if no group
     * is configured, any user whose id is not the literal {@code "anonymous"} is
     * allowed.
     *
     * <p>
     * NOTE(review): the allow-pattern check receives the value of
     * {@code getRequestURI()}, which the Servlet API returns without decoding.
     * Confirm that {@code isUriAllowed} anchors its patterns and accounts for
     * encoded characters and path parameters, since a match here skips every
     * user check.
     *
     * @param securityConfig the security configuration applied to this request
     * @param slingRequest   the request being filtered
     * @return {@code true} if the request is public or the user passes the
     *         configured check, {@code false} otherwise
     */
    private boolean checkAllowed(CMSSecurityConfigInstance securityConfig, SlingHttpServletRequest slingRequest) {
        log.trace("Filtering requests to host {}", slingRequest.getServerName());
        final String requestUri = slingRequest.getRequestURI();

        final boolean matchesAllowPattern = securityConfig.isUriAllowed(requestUri);
        if (matchesAllowPattern) {
            log.trace("Allowing request to uri {} based on allow patterns", requestUri);
        }

        // A missing publishable parent, or one that does not adapt to
        // PublishableResource, counts as "not published".
        final boolean published = Optional
                .ofNullable(CMSUtils.findPublishableParent(slingRequest.getResource()))
                .map(r -> r.adaptTo(PublishableResource.class))
                .filter(PublishableResource::isPublished)
                .isPresent();
        if (published) {
            log.trace("Resource is published");
        }

        if (matchesAllowPattern || published) {
            log.trace("Request to {} allowed", requestUri);
            return true;
        }

        // Not public: fall back to a decision based on the requesting user.
        log.trace("Request to {} not public, checking user permissions", requestUri);
        if (StringUtils.isNotBlank(securityConfig.getGroupName())) {
            // a group is configured, so membership decides
            return checkGroupMembership(securityConfig, slingRequest);
        }

        // No group configured: being logged in is enough.
        // NOTE(review): this compares against the literal id "anonymous". A null
        // user id, or an anonymous account configured under another name, is
        // treated as logged in by this expression - confirm that is intended.
        return !"anonymous".equals(slingRequest.getResourceResolver().getUserID());
    }