diff --git a/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UserAccessWithSameOrganisationPrivilege.java b/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UserAccessWithSameOrganisationPrivilege.java
index b6677ffba..74edf1748 100644
--- a/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UserAccessWithSameOrganisationPrivilege.java
+++ b/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UserAccessWithSameOrganisationPrivilege.java
@@ -16,6 +16,7 @@ package li.strolch.privilege.policy;
 import static java.util.stream.Collectors.toSet;
+import static li.strolch.privilege.base.PrivilegeConstants.ROLE_STROLCH_ADMIN;
 import static li.strolch.privilege.policy.PrivilegePolicyHelper.preValidate;
 import static li.strolch.utils.helper.StringHelper.isEmpty;
@@ -53,6 +54,11 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
 return validateAction(ctx, privilege, restrictable, false);
 }
+ protected boolean isStrolchAdminAndIgnoreOrganisation(PrivilegeContext ctx) {
+ return ctx.hasRole(ROLE_STROLCH_ADMIN);
+ }
+
+ @Override
 protected boolean validateAction(PrivilegeContext ctx, IPrivilege privilege, Restrictable restrictable,
 boolean assertHasPrivilege) throws AccessDeniedException {
@@ -63,8 +69,8 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
 // RoleAccessPrivilege policy expects the privilege value to be a role
 if (!(object instanceof Tuple)) {
- String msg = Restrictable.class.getName() + PrivilegeMessages
- .getString("Privilege.illegalArgument.nontuple"); //$NON-NLS-1$
+ String msg = Restrictable.class.getName() + PrivilegeMessages.getString(
+ "Privilege.illegalArgument.nontuple"); //$NON-NLS-1$
 msg = MessageFormat.format(msg, restrictable.getClass().getSimpleName());
 throw new PrivilegeException(msg);
 }
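Review bot: The new `isStrolchAdminAndIgnoreOrganisation(PrivilegeContext)` hook in the `@@ -53` hunk is an authorization bypass point and carries no Javadoc; since it is protected and overridable, its contract should be written down. Proposed, above the method: `/** Returns true when the calling context may act on users of any organisation; by default this is the case when it holds {@link PrivilegeConstants#ROLE_STROLCH_ADMIN}. Subclasses may override to tighten or widen this exemption. */`. The sibling `UsernameFromCertificateWithSameOrganisationPrivilege` adds a method of the same name taking a `Certificate` instead, so the two cannot share a base-class hook; documenting each makes that divergence visible to the next maintainer.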
@@ -78,6 +84,9 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
 case PrivilegeHandler.PRIVILEGE_SET_USER_PASSWORD:
 case PrivilegeHandler.PRIVILEGE_REMOVE_USER: {
+ if (isStrolchAdminAndIgnoreOrganisation(ctx))
+ break;
+
 // make sure old user has same organisation
 User oldUser = tuple.getFirst();
 if (oldUser != null) {
@@ -97,6 +106,9 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
 case PrivilegeHandler.PRIVILEGE_ADD_ROLE_TO_USER:
 case PrivilegeHandler.PRIVILEGE_REMOVE_ROLE_FROM_USER: {
+ if (isStrolchAdminAndIgnoreOrganisation(ctx))
+ break;
+
 User user = tuple.getFirst();
 DBC.INTERIM.assertNotNull("For " + privilegeName + " first must not be null!", user);
 if (!assertUserInSameOrganisation(ctx, user, assertHasPrivilege))
@@ -106,8 +118,8 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
 }
 default:
- String msg = Restrictable.class.getName() + PrivilegeMessages
- .getString("Privilege.userAccessPrivilege.unknownPrivilege"); //$NON-NLS-1$
+ String msg = Restrictable.class.getName() + PrivilegeMessages.getString(
+ "Privilege.userAccessPrivilege.unknownPrivilege"); //$NON-NLS-1$
 msg = MessageFormat.format(msg, privilegeName);
 throw new PrivilegeException(msg);
 }
diff --git a/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UsernameFromCertificateWithSameOrganisationPrivilege.java b/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UsernameFromCertificateWithSameOrganisationPrivilege.java
index 846d990bb..224f36e61 100644
--- a/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UsernameFromCertificateWithSameOrganisationPrivilege.java
+++ b/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UsernameFromCertificateWithSameOrganisationPrivilege.java
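Review bot: The `break` added at the top of the `PRIVILEGE_SET_USER_PASSWORD`/`PRIVILEGE_REMOVE_USER` case skips the entire case body for a strolch admin, not only the organisation comparison; the same applies in the `@@ -97` hunk, where `DBC.INTERIM.assertNotNull("For " + privilegeName + " first must not be null!", user)` now runs only for non-admin callers. If the intent is just to waive the organisation restriction, guard that assertion alone, e.g. in the second hunk `if (!isStrolchAdminAndIgnoreOrganisation(ctx) && !assertUserInSameOrganisation(ctx, user, assertHasPrivilege))`, which also mirrors how the certificate variant applies the exemption. Whether the privilege validation that follows the switch still runs for admins after the `break` cannot be seen here; the enclosing `validateAction` continues past the hunk.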
@@ -16,6 +16,7 @@ package li.strolch.privilege.policy;
 import static java.util.stream.Collectors.toSet;
+import static li.strolch.privilege.base.PrivilegeConstants.ROLE_STROLCH_ADMIN;
 import static li.strolch.privilege.policy.PrivilegePolicyHelper.preValidate;
 import static li.strolch.utils.helper.StringHelper.isEmpty;
@@ -58,6 +59,7 @@ public class UsernameFromCertificateWithSameOrganisationPrivilege extends Userna
 return validateAction(ctx, privilege, restrictable, false);
 }
+ @Override
 protected boolean validateAction(PrivilegeContext ctx, IPrivilege privilege, Restrictable restrictable,
 boolean assertHasPrivilege) throws AccessDeniedException {
@@ -68,8 +70,8 @@ public class UsernameFromCertificateWithSameOrganisationPrivilege extends Userna
 // RoleAccessPrivilege policy expects the privilege value to be a role
 if (!(object instanceof Certificate)) {
- String msg = Restrictable.class.getName() + PrivilegeMessages
- .getString("Privilege.illegalArgument.noncertificate"); //$NON-NLS-1$
+ String msg = Restrictable.class.getName() + PrivilegeMessages.getString(
+ "Privilege.illegalArgument.noncertificate"); //$NON-NLS-1$
 msg = MessageFormat.format(msg, restrictable.getClass().getSimpleName());
 throw new PrivilegeException(msg);
 }
@@ -78,13 +80,17 @@ public class UsernameFromCertificateWithSameOrganisationPrivilege extends Userna
 Certificate cert = (Certificate) object;
 // first validate same organisation
- if (!assertUserInSameOrganisation(ctx, cert, assertHasPrivilege))
+ if (!isStrolchAdminAndIgnoreOrganisation(cert) && !assertUserInSameOrganisation(ctx, cert, assertHasPrivilege))
 return false;
 // now delegate the rest of the validation to the super class
 return super.validateAction(ctx, privilege, restrictable, assertHasPrivilege);
 }
+ protected boolean isStrolchAdminAndIgnoreOrganisation(Certificate cert) {
+ return cert.hasRole(ROLE_STROLCH_ADMIN);
+ }
+
 protected boolean assertUserInSameOrganisation(PrivilegeContext ctx, Certificate cert, boolean assertHasPrivilege) {
 Set userOrgs = getUserOrganisations(ctx.getCertificate());
 Set orgs = getUserOrganisations(cert);
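Review bot: `isStrolchAdminAndIgnoreOrganisation(cert)` on the changed `if` line evaluates the role on the target certificate being validated, not on the caller, whereas the sibling `UserAccessWithSameOrganisationPrivilege` in this commit checks `ctx.hasRole(ROLE_STROLCH_ADMIN)` on the calling context. As written, the organisation check is waived whenever the target certificate holds `ROLE_STROLCH_ADMIN`, so a caller from a different organisation passes this policy for exactly those certificates; if that is not the intent, change the condition to `if (!isStrolchAdminAndIgnoreOrganisation(ctx.getCertificate()) && !assertUserInSameOrganisation(ctx, cert, assertHasPrivilege))`. If the target-side check is deliberate, a one-line comment stating why admin certificates are exempt from the organisation match would stop the next reader from "fixing" it. The new helper itself also lacks Javadoc; a sentence naming which side of the check it examines would settle the ambiguity at the declaration.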