Index: site-manage-participant-helper/src/java/org/sakaiproject/site/tool/helper/participant/impl/SiteAddParticipantHandler.java
===================================================================
--- site-manage-participant-helper/src/java/org/sakaiproject/site/tool/helper/participant/impl/SiteAddParticipantHandler.java	(revision 130261)
+++ site-manage-participant-helper/src/java/org/sakaiproject/site/tool/helper/participant/impl/SiteAddParticipantHandler.java	(working copy)
@@ -13,7 +13,6 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.commons.validator.EmailValidator;
-import org.apache.commons.lang.ArrayUtils;
 import org.apache.commons.lang.StringUtils;
 import org.sakaiproject.accountvalidator.logic.ValidationLogic;
@@ -30,6 +29,7 @@
 import org.sakaiproject.site.api.SiteService;
 import org.sakaiproject.site.util.Participant;
 import org.sakaiproject.site.util.SiteTypeUtil;
+import org.sakaiproject.site.util.SiteParticipantHelper;
 import org.sakaiproject.sitemanage.api.SiteHelper;
 import org.sakaiproject.sitemanage.api.UserNotificationProvider;
 import org.sakaiproject.tool.api.SessionManager;
@@ -110,10 +110,6 @@
 		this.securityService = securityService;
 	}
-	private boolean isAdmin = false;
-	private boolean propertiesNotFound = false;
-	private List allowedRoles = new ArrayList();
 	private UserDirectoryService userDirectoryService;
 	public void setUserDirectoryService(UserDirectoryService userDirectoryService) {
 		this.userDirectoryService = userDirectoryService;
@@ -269,20 +265,10 @@
 		try {
 			site = siteService.getSite(siteId);
 			realm = authzGroupService.getAuthzGroup(siteService.siteReference(siteId));
+
+			// bjones86 - SAK-23257
+			roles = SiteParticipantHelper.getAllowedRoles( site.getType(), realm.getRoles() );
-			// SAK-23257
-			isAdmin = securityService.isSuperUser();
-			propertiesNotFound = false;
-			allowedRoles = Arrays.asList(
-					ArrayUtils.nullToEmpty( serverConfigurationService.getStrings( "sitemanage.addParticipants.allowedRoles" ) ) );
-			if( allowedRoles.isEmpty() )
-				propertiesNotFound = true;
-			if( propertiesNotFound )
-				for( Iterator itr = realm.getRoles().iterator(); itr.hasNext(); )
-					roles.add( (Role) itr.next() );
-			else
-				roles = getAllowedRoles();
-
 		} catch (IdUnusedException e) {
 			// The siteId we were given was bogus
 			e.printStackTrace();
@@ -295,38 +281,6 @@
 	}
 	/**
-	 * Get a list of the 'allowed roles' as defined in sakai.properties.
-	 * If the properties are not found, just return all the roles.
-	 * If the user is an admin, return all the roles
-	 *
-	 * @author bjones86 - SAK-23257
-	 *
-	 * @param state
-	 * @return A list of 'allowed' role objects
-	 */
-	private List getAllowedRoles()
-	{
-		List retVal = new ArrayList();
-
-		for( Iterator i = realm.getRoles().iterator(); i.hasNext(); )
-		{
-			Role r = (Role) i.next();
-
-			// If the user is an admin, or if the properties weren't found, just add the role to the list
-			if( isAdmin || propertiesNotFound )
-				retVal.add( r );
-
-			// Otherwise, only add the role if it's in the list of allowed roles
-			else
-				for( String role : allowedRoles )
-					if( role.equalsIgnoreCase( r.getId() ) )
-						retVal.add( r );
-		}
-
-		return retVal;
-	}
-
-	/**
 	 * get the site title
 	 * @return
 	 */
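Review bot: The added comment `// bjones86 - SAK-23257` records an author and a ticket but not what the line beneath it does; replace it with a comment that states the behaviour, e.g. `// SAK-23257: offer only the roles not restricted for this site type (super-users see every role; no property set means no restriction)`. The enclosing method starts and ends outside the hunk, so I cannot see how `roles` is declared: it used to be filled in place with `roles.add(...)` and is now reassigned to a fresh list, which only matters if some other reference to the original list is kept, but that is worth a glance.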
@@ -601,16 +555,13 @@
 				okRoles.add(role);
 			}
-			// SAK-23257
-			if( !propertiesNotFound )
+			// SAK-23257 - display an error message if the new role is in the restricted role list
+			String siteType = site.getType();
+			Role r = realmEdit.getRole( role );
+			if( !SiteParticipantHelper.getAllowedRoles( siteType, realm.getRoles() ).contains( r ) )
 			{
-				Role r = realmEdit.getRole( role );
-				if( !getAllowedRoles().contains( r ) )
-				{
-					targettedMessageList.addMessage( new TargettedMessage( "java.roleperm", new Object[] { role },
-							TargettedMessage.SEVERITY_ERROR ) );
-					continue;
-				}
+				targettedMessageList.addMessage( new TargettedMessage( "java.roleperm", new Object[] { role }, TargettedMessage.SEVERITY_ERROR ) );
+				continue;
 			}
 			try {
Index: site-manage-tool/tool/src/java/org/sakaiproject/site/tool/SiteAction.java
===================================================================
--- site-manage-tool/tool/src/java/org/sakaiproject/site/tool/SiteAction.java	(revision 130261)
+++ site-manage-tool/tool/src/java/org/sakaiproject/site/tool/SiteAction.java	(working copy)
@@ -51,7 +51,6 @@
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.io.filefilter.WildcardFileFilter;
-import org.apache.commons.lang.ArrayUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
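Review bot: `SiteParticipantHelper.getAllowedRoles( siteType, realm.getRoles() )` is evaluated on every pass of the surrounding loop (the `continue` shows this sits inside one), so the two configuration properties are re-read and the allowed list rebuilt once per participant; compute it once before the loop, as the corresponding SiteAction hunk in this change already does, e.g. `List allowedRoles = SiteParticipantHelper.getAllowedRoles( site.getType(), realm.getRoles() );` above the loop and `if( !allowedRoles.contains( r ) )` here. This check is the one that matters for enforcement, since the drop-down filtering in SiteAction only shapes the UI, so keeping it server-side for every submitted role id is correct. The enclosing method starts and ends outside the hunk.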
@@ -187,8 +186,6 @@
 	private org.sakaiproject.user.api.UserDirectoryService userDirectoryService = (org.sakaiproject.user.api.UserDirectoryService) ComponentManager.get( org.sakaiproject.user.api.UserDirectoryService.class );
-	private org.sakaiproject.authz.api.SecurityService securityService = (org.sakaiproject.authz.api.SecurityService) ComponentManager.get(
-			org.sakaiproject.authz.api.SecurityService.class );
 	private org.sakaiproject.coursemanagement.api.CourseManagementService cms = (org.sakaiproject.coursemanagement.api.CourseManagementService) ComponentManager .get(org.sakaiproject.coursemanagement.api.CourseManagementService.class);
@@ -736,11 +733,7 @@
 	private List prefLocales = new ArrayList();
-	private boolean isAdmin = false;
-	private boolean propertiesNotFound = false;
-	private List allowedRoles = new ArrayList();
-	private static final String VM_ALLOWED_ROLES_DROP_DOWN = "allowedRoles";
-	private static final String SAK_PROP_ALLOWED_ROLES_FOR_ADD = "sitemanage.addParticipants.allowedRoles";
+	private static final String VM_ALLOWED_ROLES_DROP_DOWN = "allowedRoles";
 	// state variable for whether any multiple instance tool has been selected
 	private String STATE_MULTIPLE_TOOL_INSTANCE_SELECTED = "state_multiple_tool_instance_selected";
@@ -2195,7 +2188,8 @@
 		roles = getRoles(state);
 		context.put("roles", roles);
-		context.put( VM_ALLOWED_ROLES_DROP_DOWN, getAllowedRoles( state ) );
+		// SAK-23257 - add the allowed roles to the context for UI rendering
+		context.put( VM_ALLOWED_ROLES_DROP_DOWN, SiteParticipantHelper.getAllowedRoles( site.getType(), roles ) );
 		// will have the choice to active/inactive user or not
 		String activeInactiveUser = ServerConfigurationService.getString(
@@ -7569,14 +7563,6 @@
 			int siteTitleMaxLength = ServerConfigurationService.getInt("site.title.maxlength", 25);
 			state.setAttribute(STATE_SITE_TITLE_MAX, siteTitleMaxLength);
 		}
-
-		// SAK-23257
-		isAdmin = securityService.isSuperUser();
-		propertiesNotFound = false;
-		allowedRoles = Arrays.asList(
-				ArrayUtils.nullToEmpty( ServerConfigurationService.getStrings( SAK_PROP_ALLOWED_ROLES_FOR_ADD ) ) );
-		if( allowedRoles.isEmpty() )
-			propertiesNotFound = true;
 	} // init
@@ -7774,17 +7760,16 @@
 			roles.add(oldRoleId);
 		}
-		// SAK-23257
-		if( !propertiesNotFound )
+		// SAK-23257 - display an error message if the new role is in the restricted role list
+		String siteType = s.getType();
+		List allowedRoles = SiteParticipantHelper.getAllowedRoles( siteType, getRoles( state ) );
+		for( String roleName : roles )
 		{
-			for( String roleName : roles )
+			Role r = realmEdit.getRole( roleName );
+			if( !allowedRoles.contains( r ) )
 			{
-				Role role = realmEdit.getRole( roleName );
-				if( !getAllowedRoles( state ).contains( role ) )
-				{
-					addAlert( state, rb.getFormattedMessage( "java.roleperm", new Object[] { roleName } ) );
-					return;
-				}
+				addAlert( state, rb.getFormattedMessage( "java.roleperm", new Object[] { roleName } ) );
+				return;
 			}
 		}
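Review bot: In the second hunk, `Role r = realmEdit.getRole( roleName )` is null when the submitted id is not defined in the realm (assuming `getRole` returns null rather than throwing for an unknown id); `allowedRoles.contains( null )` is then false and the alert fires, which is the safe outcome, but nothing says that is intended. Add `// an id the realm does not define yields null, which is never in allowedRoles, so it is rejected as well` above the `if` so the next maintainer does not "fix" it with an early null return. `List allowedRoles` and the helper it calls are raw types; declaring them `List<Role>` would remove the unchecked iteration. The enclosing method starts and ends outside the hunk.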
@@ -9644,41 +9629,6 @@
 	} // getRoles
 	/**
-	 * Get a list of the 'allowed roles' as defined in sakai.properties.
-	 * If the properties are not found, just return all the roles.
-	 * If the user is an admin, return all the roles
-	 *
-	 * @author bjones86 - SAK-23257
-	 *
-	 * @param state
-	 * @return A list of 'allowed' role objects
-	 */
-	private List getAllowedRoles( SessionState state )
-	{
-		// Get all the roles available
-		List roles = getRoles( state );
-		List retVal = new ArrayList();
-
-		// Loop through them
-		for( Object obj : roles )
-		{
-			Role r = (Role) obj;
-
-			// If the user is an admin, or if the sakai.properties were not found, just add the role to the list
-			if( isAdmin || propertiesNotFound )
-				retVal.add( r );
-
-			// Otherwise, only add the role if it's in the list of allowed roles
-			else
-				for( String role : allowedRoles )
-					if( role.equalsIgnoreCase( r.getId() ) )
-						retVal.add( r );
-		}
-
-		return retVal;
-	}
-
-	/**
 	 * getRoles
 	 *
 	 */
Index: site-manage-util/util/src/java/org/sakaiproject/site/util/SiteParticipantHelper.java
===================================================================
--- site-manage-util/util/src/java/org/sakaiproject/site/util/SiteParticipantHelper.java	(revision 130261)
+++ site-manage-util/util/src/java/org/sakaiproject/site/util/SiteParticipantHelper.java	(working copy)
@@ -1,5 +1,7 @@
 package org.sakaiproject.site.util;
+import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -10,11 +12,13 @@
 import java.util.Vector;
 import java.util.concurrent.ConcurrentHashMap;
+import org.apache.commons.lang.ArrayUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.sakaiproject.authz.api.AuthzGroup;
 import org.sakaiproject.authz.api.GroupNotDefinedException;
 import org.sakaiproject.authz.api.Member;
+import org.sakaiproject.authz.api.Role;
 import org.sakaiproject.authz.cover.AuthzGroupService;
 import org.sakaiproject.component.cover.ComponentManager;
 import org.sakaiproject.coursemanagement.api.CourseOffering;
@@ -46,6 +50,15 @@
 	private static org.sakaiproject.user.api.ContextualUserDisplayService cus = (org.sakaiproject.user.api.ContextualUserDisplayService) ComponentManager .get(org.sakaiproject.user.api.ContextualUserDisplayService.class);
+
+	private static org.sakaiproject.authz.api.SecurityService securityService = (org.sakaiproject.authz.api.SecurityService) ComponentManager
+			.get(org.sakaiproject.authz.api.SecurityService.class );
+
+	private static org.sakaiproject.component.api.ServerConfigurationService scs = (org.sakaiproject.component.api.ServerConfigurationService) ComponentManager
+			.get(org.sakaiproject.component.api.ServerConfigurationService.class);
+
+	// SAK-23257: restrict the roles available for participants
+	private static final String SAK_PROP_RESTRICTED_ROLES = "sitemanage.addParticipants.restrictedRoles";
 	/**
 	 * Add participant from provider-defined enrollment set
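Review bot: The comment on `SAK_PROP_RESTRICTED_ROLES` in the second hunk should document both forms the property takes, because the lookup in getAllowedRoles (later in this diff) appends `"." + siteType` to it: `// SAK-23257: role ids listed in sitemanage.addParticipants.restrictedRoles (every site type) or sitemanage.addParticipants.restrictedRoles.<siteType> are hidden from non-super-users; leaving both unset means no restriction`. The fail-open default is the part an administrator is most likely to trip over, so it belongs next to the constant rather than only in the helper's Javadoc. The static `ComponentManager.get(...)` fields mirror the existing `cus` field, but if either component is not registered when this class loads the field stays null and the first call into getAllowedRoles will throw NullPointerException; I cannot tell from the hunk whether that ordering can occur.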
@@ -517,4 +530,55 @@
 			}
 		}
 	}
+
+	/**
+	 * Get a list of the 'allowed roles', taking into account the current site type
+	 * and the list of restricted roles defined in sakai.properties.
+	 * If the properties are not found, just return all the roles.
+	 * If the user is an admin, return all the roles.
+	 *
+	 * @author bjones86 - SAK-23257
+	 *
+	 * @param siteType
+	 *            the current site's type
+	 * @return A list of 'allowed' role objects for the given site type
+	 */
+	public static List getAllowedRoles( String siteType, List allRolesForSiteType )
+	{
+		List retVal = new ArrayList();
+
+		// Get all the restricted roles for this site type, as well as all restricted roles at the top level (restricted for all site types)
+		Set restrictedRoles = new HashSet();
+		restrictedRoles.addAll( Arrays.asList( ArrayUtils.nullToEmpty( scs.getStrings( SAK_PROP_RESTRICTED_ROLES + "." + siteType ) ) ) );
+		restrictedRoles.addAll( Arrays.asList( ArrayUtils.nullToEmpty( scs.getStrings( SAK_PROP_RESTRICTED_ROLES ) ) ) );
+
+		// Loop through all the roles for this site type
+		for( Role role : allRolesForSiteType )
+		{
+			// If the user is an admin, or if the properties weren't found (empty set), just add the role to the list
+			if( securityService.isSuperUser() || restrictedRoles.isEmpty() )
+			{
+				retVal.add( role );
+			}
+
+			// Otherwise, only add the role to the list of 'allowed' roles if it's not present in the set of 'restricted' roles
+			else
+			{
+				if( !restrictedRoles.contains( role.getId() ) && !restrictedRoles.contains( role.getId().toLowerCase() ) )
+				{
+					retVal.add( role );
+				}
+			}
+		}
+
+		return retVal;
+	}
+
+	public static List getAllowedRoles( String siteType, Set allRolesForSiteType )
+	{
+		List list = new ArrayList(allRolesForSiteType.size());
+		list.addAll(allRolesForSiteType);
+		return getAllowedRoles( siteType, list );
+	}
+
 }
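Review bot: The restriction check in the `else` branch is only half case-insensitive: `restrictedRoles` holds the raw property values, so an entry such as `Instructor` (or one with a stray space around it) matches neither `contains( role.getId() )` nor `contains( role.getId().toLowerCase() )` for a role id `instructor`, and that role is silently offered even though it is configured as restricted — the `equalsIgnoreCase` loop this replaces did not have that gap. Normalise the configured ids once while building the set (trim and `toLowerCase( Locale.ROOT )`, which needs `import java.util.Locale;`) and compare the role id normalised the same way, as below. Separately, `for( Role role : allRolesForSiteType )` over a raw `List` does not compile because the element type is `Object`, so the parameters should be `List<Role>` / `Set<Role>`, and `securityService.isSuperUser()` need only be evaluated once before the loop. The Javadoc also lacks `@param allRolesForSiteType`, and the `Set` overload has no Javadoc at all.
```java
	public static List<Role> getAllowedRoles( String siteType, List<Role> allRolesForSiteType )
	{
		List<Role> retVal = new ArrayList<Role>();

		// Normalise the configured ids once (trim, lower-case) so the comparison below cannot miss a
		// restricted role because of letter case or surrounding whitespace in sakai.properties
		Set<String> restrictedRoles = new HashSet<String>();
		for( String[] configured : new String[][] {
				ArrayUtils.nullToEmpty( scs.getStrings( SAK_PROP_RESTRICTED_ROLES + "." + siteType ) ),
				ArrayUtils.nullToEmpty( scs.getStrings( SAK_PROP_RESTRICTED_ROLES ) ) } )
		{
			for( String id : configured )
			{
				if( id != null && id.trim().length() > 0 )
				{
					restrictedRoles.add( id.trim().toLowerCase( Locale.ROOT ) );
				}
			}
		}

		// Evaluate once rather than on every iteration
		boolean superUser = securityService.isSuperUser();

		// … unchanged: loop header and the superUser / restrictedRoles.isEmpty() short-circuit …
				if( !restrictedRoles.contains( role.getId().toLowerCase( Locale.ROOT ) ) )
				{
					retVal.add( role );
				}
		// … unchanged: end of loop, return retVal …
```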