Package com.broadleafcommerce.customer.service.validation

Class DefaultAccountRoleContextValidator<P extends AccountRole>

  • All Implemented Interfaces:
    AccountRoleContextValidator<P>
    public class DefaultAccountRoleContextValidator<P extends AccountRole>
extends Object
implements AccountRoleContextValidator<P>
    Default validator for use on AccountRole creation/modification/deletion. Verifies the following:
    1. the current context is able to create/modify the role
    2. the permissions specified for a role exist and are accessible from the role's context - a global role can assign only global permissions, while a account-level role can assign global permissions or permissions from the same account
    3. the account ID of a role can never be changed
    4. the name of a role is non-empty and unique within its context
    5. the direct parent of a role exists and is accessible from the role's context - a global role can only assign a global parent, while a account-level role can assign a global parent or parents from the same account
    Author:
    Samarth Dhruva (samarthd), Chris Kittrell (ckittrell)

    • Constructor Detail

      • DefaultAccountRoleContextValidator

        public DefaultAccountRoleContextValidator()

    • Method Detail

      • setAccountRoleService

        @Autowired
@Lazy
public void setAccountRoleService​(AccountRoleService<P> accountRoleService)
        Lazy injection since this validator is itself a service component. This avoids circular dependency exceptions
        Parameters:
        accountRoleService - the role service

      • setAccountPermissionService

        @Autowired
@Lazy
public void setAccountPermissionService​(AccountPermissionService<AccountPermission> accountPermissionService)
        Lazy injection since this validator is itself a service component. This avoids circular dependency exceptions
        Parameters:
        accountPermissionService - the permission service

      • setAuthenticationAttributesConverter

        @Autowired
@Qualifier("authenticationAttributesConverter")
public void setAuthenticationAttributesConverter​(@Nullable
                                                 org.springframework.core.convert.converter.Converter<org.springframework.security.core.Authentication,​Map<String,​Object>> authenticationAttributesConverter)

      • getErrors

        protected org.springframework.validation.Errors getErrors​(@NonNull
                                                          P role)

      • validateCreate

        public void validateCreate​(@NonNull
                           P role,
                           @NonNull
                           @NonNull org.springframework.validation.Errors errors,
                           @Nullable
                           com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo)
        Description copied from interface: AccountRoleContextValidator
        Validates a create operation is allowed in the current context.
        Specified by:
        validateCreate in interface AccountRoleContextValidator<P extends AccountRole>
        Parameters:
        role - The role to validate
        errors - An errors object bound to the role to be validated
        contextInfo - The current context

      • getCurrentlyAuthenticatedUser

        protected String getCurrentlyAuthenticatedUser()

      • validateNameUniqueInContext

        protected void validateNameUniqueInContext​(@Nullable
                                           String id,
                                           @NonNull
                                           P role,
                                           @NonNull
                                           @NonNull org.springframework.validation.Errors errors,
                                           @Nullable
                                           com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo)
        While it is perfectly valid for two account-level roles in different accounts to have the same name, we want to avoid having duplicate names from the perspective of a particular account context (to prevent confusion).

        This means that:

        • a account-level role's name must be unique among roles with the same account id and global roles (which would be accessible from any account-context)
        • a global role's name must be unique among all roles in all contexts
        This method first validates that the name is present, then validates its uniqueness.
        Parameters:
        id - the id of the role, explicitly provided as it may be null on the role. May be null as in the case of a create.
        role - the role whose name should be validated for uniqueness in its context
        errors - the errors object bound to the given role on which errors can be
        contextInfo -

      • validatePermissions

        protected void validatePermissions​(@NonNull
                                   P role,
                                   @NonNull
                                   @NonNull org.springframework.validation.Errors errors,
                                   @Nullable
                                   com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo)

      • validatePermissionsAssignableToRoleInContext

        protected void validatePermissionsAssignableToRoleInContext​(@NonNull
                                                            P role,
                                                            @NonNull
                                                            @NonNull org.springframework.validation.Errors errors,
                                                            @Nullable
                                                            com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo)
        Validates that all of the role's assigned permission IDs belong to permissions that are accessible from the role's context.

        This is important, because the create/update/delete operation itself may be occurring in a context different from that of the role itself and thus its context cannot be used. For example, if a role is being created in a specific account from a global context, the permissions accessible from the global context (ex: permissions from other tenants) do not reflect the permissions accessible by the role itself.

        A key element to note is that while a account-level role can be assigned either global permissions or permissions from that account, a global role can only be assigned global permissions. This is to avoid a situation where a account-user is assigned a global role and ends up getting access to permissions from other tenants.

        Parameters:
        role - the role whose permissions need to be checked for context accessibility. The AccountRole.getPermissions() should be pre-validated to not contain any null elements or empty IDs.
        errors - the errors object bound to the given role on which errors can be
        contextInfo - The context of the user's request

      • validateParentRole

        protected void validateParentRole​(@NonNull
                                  P role,
                                  @NonNull
                                  @NonNull org.springframework.validation.Errors errors,
                                  @Nullable
                                  com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo)
        If the AccountRole.getParentRoleId() is supplied, verifies that it exists and is accessible from the child's context.

        Validations on the full ancestry (ex: cycle validation) are done by AccountRoleValidator.

        Parameters:
        role - the role whose AccountRole.getParentRoleId() needs to be validated
        errors - the errors object bound to the given role on which errors can be
        contextInfo - The context of the user's request

      • isParentRoleAccessible

        protected boolean isParentRoleAccessible​(@NonNull
                                         P role,
                                         @Nullable
                                         com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo)
        Given a role that has a non-empty AccountRole.getParentRoleId(), validates that the parent exists and is accessible from the child's context.
        Parameters:
        role - the role whose AccountRole.getParentRoleId() needs to be validated
        contextInfo - The context of the user's request
        Returns:
        true if the parent role exists and is accessible by the child, false otherwise

      • validateUpdate

        public void validateUpdate​(@NonNull
                           @NonNull String id,
                           @NonNull
                           P role,
                           @NonNull
                           @NonNull org.springframework.validation.Errors errors,
                           @Nullable
                           com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo)
        Description copied from interface: AccountRoleContextValidator
        Validates an update operation is allowed in the current context.
        Specified by:
        validateUpdate in interface AccountRoleContextValidator<P extends AccountRole>
        Parameters:
        id - the id of the role being updated, explicitly provided such that it can be used to find the existing record even if AccountRole.getId() is unsupplied in role.
        role - The role to validate
        errors - An errors object bound to the role to be validated
        contextInfo - The current context

      • validateDelete

        public void validateDelete​(@NonNull
                           P role,
                           @NonNull
                           @NonNull org.springframework.validation.Errors errors,
                           @Nullable
                           com.broadleafcommerce.data.tracking.core.context.ContextInfo contextInfo)
        Description copied from interface: AccountRoleContextValidator
        Validates a delete operation is allowed in the current context.
        Specified by:
        validateDelete in interface AccountRoleContextValidator<P extends AccountRole>
        Parameters:
        role - The role being deleted to validate
        errors - An errors object bound to the role to be validated
        contextInfo - The current context

      • prefixWithEntityValidationMessageKey

        protected String prefixWithEntityValidationMessageKey​(@NonNull
                                                      @NonNull String errorCode)

      • getAuthenticationAttributesConverter

        @Nullable
protected org.springframework.core.convert.converter.Converter<org.springframework.security.core.Authentication,​Map<String,​Object>> getAuthenticationAttributesConverter()