Package org.rhq.enterprise.server.authz

Examples of org.rhq.enterprise.server.authz.PermissionException


     */
    public Subject updateSubject(Subject whoami, Subject subjectToModify) {
        // let a user change his own details
        Set<Permission> globalPermissions = authorizationManager.getExplicitGlobalPermissions(whoami);
        if (!whoami.equals(subjectToModify) && !globalPermissions.contains(Permission.MANAGE_SECURITY)) {
            throw new PermissionException("You [" + whoami.getName() + "] do not have permission to update user ["
                + subjectToModify.getName() + "].");
        }
        if (authorizationManager.isSystemSuperuser(subjectToModify) && !subjectToModify.getFactive()) {
            throw new PermissionException("You cannot disable system user [" + subjectToModify.getName()
                + "] - it must always be active.");
        }

        // Reset the roles, LDAP roles, and owned groups according to the current settings as this method will not
        // update them. To update assigned roles, use the 3-param createSubject() or use RoleManagerLocal.


    public Subject updateSubject(Subject whoami, Subject subjectToModify, String newPassword) {
        // let a user change his own details
        Set<Permission> globalPermissions = authorizationManager.getExplicitGlobalPermissions(whoami);
        boolean isSecurityManager = globalPermissions.contains(Permission.MANAGE_SECURITY);
        if (!whoami.equals(subjectToModify) && !isSecurityManager) {
            throw new PermissionException("You [" + whoami.getName() + "] do not have permission to update user ["
                + subjectToModify.getName() + "].");
        }

        boolean subjectToModifyIsSystemSuperuser = authorizationManager.isSystemSuperuser(subjectToModify);
        if (!subjectToModify.getFactive() && subjectToModifyIsSystemSuperuser) {
            throw new PermissionException("You cannot disable the system user [" + subjectToModify.getName() + "].");
        }

        Subject attachedSubject = getSubjectById(subjectToModify.getId());
        if (attachedSubject == null) {
            throw new IllegalArgumentException("No user exists with id [" + subjectToModify.getId() + "].");
        }
        if (!attachedSubject.getName().equals(subjectToModify.getName())) {
            throw new IllegalArgumentException("You cannot change a user's username.");
        }

        Set<Role> newRoles = subjectToModify.getRoles();
        if (newRoles != null) {
            Set<Role> currentRoles = new HashSet<Role>(roleManager.findRolesBySubject(subjectToModify.getId(),
                PageControl.getUnlimitedInstance()));
            boolean rolesChanged = !(newRoles.containsAll(currentRoles) && currentRoles.containsAll(newRoles));
            if (rolesChanged) {
                int[] newRoleIds = new int[newRoles.size()];
                int i = 0;
                for (Role role : newRoles) {
                    newRoleIds[i++] = role.getId();
                }
                roleManager.setAssignedSubjectRoles(whoami, subjectToModify.getId(), newRoleIds);
            }
        }

        boolean ldapRolesModified = false;
        Set<Role> newLdapRoles = subjectToModify.getLdapRoles();
        if (newLdapRoles == null) {
            newLdapRoles = Collections.emptySet();
        }
        if (newLdapRoles != null) {
            RoleCriteria subjectLdapRolesCriteria = new RoleCriteria();
            subjectLdapRolesCriteria.addFilterLdapSubjectId(subjectToModify.getId());
            subjectLdapRolesCriteria.clearPaging();//disable paging as the code assumes all the results will be returned.

            PageList<Role> currentLdapRoles = roleManager.findRolesByCriteria(whoami, subjectLdapRolesCriteria);

            ldapRolesModified = !(currentLdapRoles.containsAll(newLdapRoles) && newLdapRoles
                .containsAll(currentLdapRoles));
        }

        boolean isUserWithPrincipal = isUserWithPrincipal(subjectToModify.getName());
        if (ldapRolesModified) {
            if (!isSecurityManager) {
                throw new PermissionException("You cannot change the LDAP roles assigned to ["
                    + subjectToModify.getName() + "] - only a user with the MANAGE_SECURITY permission can do so.");
            } else if (isUserWithPrincipal) {
                throw new PermissionException("You cannot set LDAP roles on non-LDAP user ["
                    + subjectToModify.getName() + "].");
            }

            // TODO: Update LDAP roles.
        }

     */
    public void changePassword(Subject whoami, String username, String password) {
        // a user can change his/her own password, as can a user with the appropriate permission
        if (!whoami.getName().equals(username)
            && !authorizationManager.hasGlobalPermission(whoami, Permission.MANAGE_SECURITY)) {
            throw new PermissionException("You do not have permission to change the password for user [" + username
                + "]");
        }

        changePasswordInternal(username, password);


    public void deleteUsers(Subject subject, int[] subjectIds) {
        for (Integer doomedSubjectId : subjectIds) {
            Subject doomedSubject = getSubjectById(doomedSubjectId);

            if (subject.getName().equals(doomedSubject.getName())) {
                throw new PermissionException("You cannot remove yourself: " + doomedSubject.getName());
            }

            if (authorizationManager.isSystemSuperuser(doomedSubject)) {
                throw new PermissionException("You cannot delete a system root user - they must always exist");
            }

            Set<Role> roles = doomedSubject.getRoles();
            doomedSubject.setRoles(new HashSet<Role>()); // clean out roles

     *
     * @throws PermissionException if the caller tried to delete a system superuser
     */
    private void deletePrincipal(Subject subject) throws PermissionException {
        if (authorizationManager.isSystemSuperuser(subject)) {
            throw new PermissionException("You cannot delete the principal for the root user [" + subject.getName()
                + "]");
        }

        Query q = entityManager.createNamedQuery(Principal.QUERY_FIND_BY_USERNAME);
        q.setParameter("principal", subject.getName());

                results = ldapManager.findAvailableGroups();
            } else {
                String message = "User '" + getSessionSubject().getName()
                    + "' does not have sufficient permissions to query available LDAP groups.";
                log.debug(message);
                throw new PermissionException(message);
            }
            return SerialUtility.prepare(results, "findAvailableGroups");
        } catch (Throwable t) {
            throw getExceptionToThrowToClient(t);
        }

                results = ldapManager.findAvailableGroupsStatus();
            } else {
                String message = "User '" + getSessionSubject().getName()
                    + "' does not have sufficient permissions to query the status of available LDAP groups request.";
                log.debug(message);
                throw new PermissionException(message);
            }
            return SerialUtility.prepare(results, "findAvailableGroups");
        } catch (Throwable t) {
            throw getExceptionToThrowToClient(t);
        }

                nowGroups = ldapManager.findLdapGroupsByRole(roleId, PageControl.getUnlimitedInstance());
            } else {
                String message = "User '" + getSessionSubject().getName()
                    + "' does not have sufficient permissions to modify LDAP group assignments for roles.";
                log.debug(message);
                throw new PermissionException(message);
            }

        } catch (Throwable t) {
            throw getExceptionToThrowToClient(t);
        }

                allAssignedLdapGroups = ldapManager.findLdapGroupsByRole(roleId, PageControl.getUnlimitedInstance());
            } else {
                String message = "User '" + getSessionSubject().getName()
                    + "' does not have permissions to query LDAP group by role.";
                log.debug(message);
                throw new PermissionException(message);
            }
            return SerialUtility.prepare(allAssignedLdapGroups, "findLdapGroupsAssignedToRole");
        } catch (Throwable t) {
            throw getExceptionToThrowToClient(t);
        }

        try {
            boolean isAllowed = LookupUtil.getAuthorizationManager().hasGlobalPermission(subject,
                Permission.MANAGE_SETTINGS);
            if (!isAllowed) {
                log.error("An unauthorized user [" + subject + "] attempted to upload a plugin");
                throw new PermissionException("You are not authorized to do this");
            }

            // note that this assumes 1 and only 1 file is uploaded
            File file = files.values().iterator().next();
            String newPluginFilename = fileNames.values().iterator().next();


