Class DefaultAccountRoleContextValidator<P extends AccountRole>
- java.lang.Object
-
- com.broadleafcommerce.customer.service.validation.DefaultAccountRoleContextValidator<P>
-
- All Implemented Interfaces:
AccountRoleContextValidator<P>
public class DefaultAccountRoleContextValidator<P extends AccountRole> extends Object implements AccountRoleContextValidator<P>
Default validator for use onAccountRole
creation/modification/deletion. Verifies the following:- the current context is able to create/modify the role
- the permissions specified for a role exist and are accessible from the role's context - a global role can assign only global permissions, while a account-level role can assign global permissions or permissions from the same account
- the account ID of a role can never be changed
- the name of a role is non-empty and unique within its context
- the direct parent of a role exists and is accessible from the role's context - a global role can only assign a global parent, while a account-level role can assign a global parent or parents from the same account
- Author:
- Samarth Dhruva (samarthd), Chris Kittrell (ckittrell)
-
-
Constructor Summary
Constructors Constructor Description DefaultAccountRoleContextValidator()
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description protected AccountPermissionService<AccountPermission>
getAccountPermissionService()
protected AccountRoleService<P>
getAccountRoleService()
protected org.springframework.core.convert.converter.Converter<org.springframework.security.core.Authentication,Map<String,Object>>
getAuthenticationAttributesConverter()
protected String
getCurrentlyAuthenticatedUser()
protected org.springframework.validation.Errors
getErrors(P role)
protected boolean
isParentRoleAccessible(P role, com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo)
Given a role that has a non-emptyAccountRole.getParentRoleId()
, validates that the parent exists and is accessible from the child's context.protected String
prefixWithEntityValidationMessageKey(@NonNull String errorCode)
void
setAccountPermissionService(AccountPermissionService<AccountPermission> accountPermissionService)
Lazy injection since this validator is itself a service component.void
setAccountRoleService(AccountRoleService<P> accountRoleService)
Lazy injection since this validator is itself a service component.void
setAuthenticationAttributesConverter(org.springframework.core.convert.converter.Converter<org.springframework.security.core.Authentication,Map<String,Object>> authenticationAttributesConverter)
void
validateCreate(P role, @NonNull org.springframework.validation.Errors errors, com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo)
Validates a create operation is allowed in the current context.org.springframework.validation.Errors
validateCreate(P role, com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo)
Validates a create operation is allowed in the current context.void
validateDelete(P role, @NonNull org.springframework.validation.Errors errors, com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo)
Validates a delete operation is allowed in the current context.org.springframework.validation.Errors
validateDelete(P role, com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo)
Validates a delete operation is allowed in the current context.protected void
validateNameUniqueInContext(String id, P role, @NonNull org.springframework.validation.Errors errors, com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo)
While it is perfectly valid for two account-level roles in different accounts to have the same name, we want to avoid having duplicate names from the perspective of a particular account context (to prevent confusion).protected void
validateParentRole(P role, @NonNull org.springframework.validation.Errors errors, com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo)
If theAccountRole.getParentRoleId()
is supplied, verifies that it exists and is accessible from the child's context.protected void
validatePermissions(P role, @NonNull org.springframework.validation.Errors errors, com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo)
protected void
validatePermissionsAssignableToRoleInContext(P role, @NonNull org.springframework.validation.Errors errors, com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo)
Validates that all of the role's assigned permission IDs belong to permissions that are accessible from the role's context.void
validateUpdate(@NonNull String id, P role, @NonNull org.springframework.validation.Errors errors, com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo)
Validates an update operation is allowed in the current context.org.springframework.validation.Errors
validateUpdate(@NonNull String id, P role, com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo)
Validates an update operation is allowed in the current context.
-
-
-
Method Detail
-
setAccountRoleService
@Autowired @Lazy public void setAccountRoleService(AccountRoleService<P> accountRoleService)
Lazy injection since this validator is itself a service component. This avoids circular dependency exceptions- Parameters:
accountRoleService
- the role service
-
setAccountPermissionService
@Autowired @Lazy public void setAccountPermissionService(AccountPermissionService<AccountPermission> accountPermissionService)
Lazy injection since this validator is itself a service component. This avoids circular dependency exceptions- Parameters:
accountPermissionService
- the permission service
-
setAuthenticationAttributesConverter
@Autowired @Qualifier("authenticationAttributesConverter") public void setAuthenticationAttributesConverter(@Nullable org.springframework.core.convert.converter.Converter<org.springframework.security.core.Authentication,Map<String,Object>> authenticationAttributesConverter)
-
validateCreate
public org.springframework.validation.Errors validateCreate(@NonNull P role, @Nullable com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo)
Description copied from interface:AccountRoleContextValidator
Validates a create operation is allowed in the current context.- Specified by:
validateCreate
in interfaceAccountRoleContextValidator<P extends AccountRole>
- Parameters:
role
- The role to validatecontextInfo
- The current context- Returns:
- An
Errors
object bound to a {code role} - See Also:
AccountRoleContextValidator.validateCreate(AccountRole, Errors, ContextInfo)
-
getErrors
protected org.springframework.validation.Errors getErrors(@NonNull P role)
-
validateUpdate
public org.springframework.validation.Errors validateUpdate(@NonNull @NonNull String id, @NonNull P role, @Nullable com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo)
Description copied from interface:AccountRoleContextValidator
Validates an update operation is allowed in the current context.- Specified by:
validateUpdate
in interfaceAccountRoleContextValidator<P extends AccountRole>
- Parameters:
id
- the id of the role being updated, explicitly provided such that it can be used to find the existing record even ifAccountRole.getId()
is unsupplied inrole
.role
- The role to validatecontextInfo
- The current context- Returns:
- An
Errors
object bound to a {code role} - See Also:
AccountRoleContextValidator.validateUpdate(String, AccountRole, Errors, ContextInfo)
-
validateDelete
public org.springframework.validation.Errors validateDelete(@NonNull P role, @Nullable com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo)
Description copied from interface:AccountRoleContextValidator
Validates a delete operation is allowed in the current context.- Specified by:
validateDelete
in interfaceAccountRoleContextValidator<P extends AccountRole>
- Parameters:
role
- the role being deleted to validatecontextInfo
- The current context- Returns:
- An
Errors
object bound to a {code role} - See Also:
AccountRoleContextValidator.validateDelete(AccountRole, Errors, ContextInfo)
-
validateCreate
public void validateCreate(@NonNull P role, @NonNull @NonNull org.springframework.validation.Errors errors, @Nullable com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo)
Description copied from interface:AccountRoleContextValidator
Validates a create operation is allowed in the current context.- Specified by:
validateCreate
in interfaceAccountRoleContextValidator<P extends AccountRole>
- Parameters:
role
- The role to validateerrors
- An errors object bound to therole
to be validatedcontextInfo
- The current context
-
getCurrentlyAuthenticatedUser
protected String getCurrentlyAuthenticatedUser()
-
validateNameUniqueInContext
protected void validateNameUniqueInContext(@Nullable String id, @NonNull P role, @NonNull @NonNull org.springframework.validation.Errors errors, @Nullable com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo)
While it is perfectly valid for two account-level roles in different accounts to have the same name, we want to avoid having duplicate names from the perspective of a particular account context (to prevent confusion).This means that:
- a account-level role's name must be unique among roles with the same account id and global roles (which would be accessible from any account-context)
- a global role's name must be unique among all roles in all contexts
- Parameters:
id
- the id of therole
, explicitly provided as it may be null on therole
. May be null as in the case of a create.role
- the role whose name should be validated for uniqueness in its contexterrors
- the errors object bound to the givenrole
on which errors can becontextInfo
-
-
validatePermissions
protected void validatePermissions(@NonNull P role, @NonNull @NonNull org.springframework.validation.Errors errors, @Nullable com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo)
-
validatePermissionsAssignableToRoleInContext
protected void validatePermissionsAssignableToRoleInContext(@NonNull P role, @NonNull @NonNull org.springframework.validation.Errors errors, @Nullable com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo)
Validates that all of the role's assigned permission IDs belong to permissions that are accessible from the role's context.This is important, because the create/update/delete operation itself may be occurring in a context different from that of the role itself and thus its context cannot be used. For example, if a role is being created in a specific account from a global context, the permissions accessible from the global context (ex: permissions from other tenants) do not reflect the permissions accessible by the role itself.
A key element to note is that while a account-level role can be assigned either global permissions or permissions from that account, a global role can only be assigned global permissions. This is to avoid a situation where a account-user is assigned a global role and ends up getting access to permissions from other tenants.
- Parameters:
role
- the role whose permissions need to be checked for context accessibility. TheAccountRole.getPermissions()
should be pre-validated to not contain any null elements or empty IDs.errors
- the errors object bound to the givenrole
on which errors can becontextInfo
- The context of the user's request
-
validateParentRole
protected void validateParentRole(@NonNull P role, @NonNull @NonNull org.springframework.validation.Errors errors, @Nullable com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo)
If theAccountRole.getParentRoleId()
is supplied, verifies that it exists and is accessible from the child's context.Validations on the full ancestry (ex: cycle validation) are done by
AccountRoleValidator
.- Parameters:
role
- the role whoseAccountRole.getParentRoleId()
needs to be validatederrors
- the errors object bound to the givenrole
on which errors can becontextInfo
- The context of the user's request
-
isParentRoleAccessible
protected boolean isParentRoleAccessible(@NonNull P role, @Nullable com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo)
Given a role that has a non-emptyAccountRole.getParentRoleId()
, validates that the parent exists and is accessible from the child's context.- Parameters:
role
- the role whoseAccountRole.getParentRoleId()
needs to be validatedcontextInfo
- The context of the user's request- Returns:
true
if the parent role exists and is accessible by the child,false
otherwise
-
validateUpdate
public void validateUpdate(@NonNull @NonNull String id, @NonNull P role, @NonNull @NonNull org.springframework.validation.Errors errors, @Nullable com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo)
Description copied from interface:AccountRoleContextValidator
Validates an update operation is allowed in the current context.- Specified by:
validateUpdate
in interfaceAccountRoleContextValidator<P extends AccountRole>
- Parameters:
id
- the id of the role being updated, explicitly provided such that it can be used to find the existing record even ifAccountRole.getId()
is unsupplied inrole
.role
- The role to validateerrors
- An errors object bound to therole
to be validatedcontextInfo
- The current context
-
validateDelete
public void validateDelete(@NonNull P role, @NonNull @NonNull org.springframework.validation.Errors errors, @Nullable com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo)
Description copied from interface:AccountRoleContextValidator
Validates a delete operation is allowed in the current context.- Specified by:
validateDelete
in interfaceAccountRoleContextValidator<P extends AccountRole>
- Parameters:
role
- The role being deleted to validateerrors
- An errors object bound to therole
to be validatedcontextInfo
- The current context
-
prefixWithEntityValidationMessageKey
protected String prefixWithEntityValidationMessageKey(@NonNull @NonNull String errorCode)
-
getAuthenticationAttributesConverter
@Nullable protected org.springframework.core.convert.converter.Converter<org.springframework.security.core.Authentication,Map<String,Object>> getAuthenticationAttributesConverter()
-
getAccountRoleService
protected AccountRoleService<P> getAccountRoleService()
-
getAccountPermissionService
protected AccountPermissionService<AccountPermission> getAccountPermissionService()
-
-