@Transactional(readOnly=true) public class AdminImpl extends AbstractLevel2Service implements LocalAdmin, org.springframework.context.ApplicationContextAware
SecuritySystem
,
Permissions
Modifier and Type | Field and Description |
---|---|
protected ACLVoter |
aclVoter |
protected ChmodStrategy |
chmod |
protected OmeroContext |
context |
protected ChecksumProviderFactory |
cpf |
protected LdapImpl |
ldapUtil |
protected org.springframework.mail.MailSender |
mailSender |
protected static String |
NSEXPERIMENTERPHOTO |
protected SessionFactory |
osf |
protected PasswordProvider |
passwordProvider |
protected PasswordUtil |
passwordUtil |
protected RoleProvider |
roleProvider |
protected SqlAction |
sql |
protected org.springframework.mail.SimpleMailMessage |
templateMessage |
iQuery, iUpdate, metadata, queryFactory, sec
Constructor and Description |
---|
AdminImpl(SqlAction sql,
SessionFactory osf,
org.springframework.mail.MailSender mailSender,
org.springframework.mail.SimpleMailMessage templateMessage,
ACLVoter aclVoter,
PasswordProvider passwordProvider,
RoleProvider roleProvider,
LdapImpl ldapUtil,
PasswordUtil passwordUtil,
ChmodStrategy chmod,
ChecksumProviderFactory cpf) |
Modifier and Type | Method and Description |
---|---|
void |
addGroupOwners(ExperimenterGroup group,
Experimenter... owner)
adds the given users to the owner list for this group.
|
void |
addGroups(Experimenter user,
ExperimenterGroup... groups)
adds a user to the given groups.
|
protected void |
assertManaged(IObject o) |
boolean |
canAnnotate(IObject obj)
Companion to
IAdmin.canUpdate(IObject) but not yet remotely
accessible. |
boolean |
canUpdate(IObject obj)
Returns true if the currently logged in user can modify the given
IObject . |
void |
changeExpiredCredentials(String name,
String oldCred,
String newCred)
Used after an
ExpiredCredentialException instance is thrown. |
void |
changeGroup(IObject iObject,
String groupName)
call
details.setGroup()
on this instance. |
void |
changeOwner(IObject iObject,
String omeName)
call
details.setOwner()
on this instance. |
void |
changePassword(String newPassword)
change the password for the current user.
|
void |
changePasswordWithOldPassword(String oldPassword,
String newPassword)
change the password for the current user by passing the old password.
|
void |
changePermissions(IObject iObject,
Permissions perms)
the implementation of this method is somewhat tricky in that
Permissions changes must be allowed even when other updates are
not. |
void |
changeUserPassword(String user,
String newPassword)
change the password for the a given user.
|
boolean |
checkPassword(String name,
String password,
boolean readOnly)
If ldap plugin turned, creates Ldap accounts and authentication by LDAP
available.
|
Experimenter[] |
containedExperimenters(long groupId)
fetch all
users contained in this group. |
ExperimenterGroup[] |
containedGroups(long experimenterId)
fetch all
groups of which the given user is a
member. |
long |
createExperimenter(Experimenter experimenter,
ExperimenterGroup defaultGroup,
ExperimenterGroup... otherGroups)
create and return a new user in the given groups.
|
long |
createExperimenterWithPassword(Experimenter experimenter,
String password,
ExperimenterGroup defaultGroup,
ExperimenterGroup... otherGroups)
create and return a new user in the given groups with password.
|
long |
createGroup(ExperimenterGroup group)
create and return a new group.
|
long |
createSystemUser(Experimenter newSystemUser)
create and return a new system user.
|
long |
createUser(Experimenter newUser,
String defaultGroup)
create and return a new user.
|
void |
deleteExperimenter(Experimenter user)
removes a user by removing the password information for that user as well
as all
GroupExperimenterMap instances. |
void |
deleteGroup(ExperimenterGroup group)
removes a group by first removing all users in the group, and then
deleting the actual
ExperimenterGroup instance. |
ExperimenterGroup |
getDefaultGroup(long experimenterId)
retrieve the default
group for the given user
id. |
EventContext |
getEventContext()
returns an implementation of
EventContext loaded with the
security for the current user and thread. |
EventContext |
getEventContextQuiet()
Like
IAdmin.getEventContext() but will not reload the context. |
Experimenter |
getExperimenter(long id)
fetch an
Experimenter and all related
groups . |
ExperimenterGroup |
getGroup(long id)
fetch an
ExperimenterGroup and all contained
users . |
List<Long> |
getLeaderOfGroupIds(Experimenter e)
Finds the ids for all groups for which the given
Experimenter is
owner/leader. |
Map<String,Long> |
getLockingIds(Class<IObject> type,
long id,
Long groupId)
|
Map<String,Long> |
getLockingIds(IObject object) |
List<Long> |
getMemberOfGroupIds(Experimenter e)
Finds the ids for all groups for which the given
Experimenter is
a member. |
List<OriginalFile> |
getMyUserPhotos()
Retrieve the
OriginalFile object attached to this
user as specified by IAdmin.uploadMyUserPhoto(String, String, byte[]) . |
Roles |
getSecurityRoles()
returns the active
Roles in use by the server. |
Class<? extends ServiceInterface> |
getServiceInterface() |
List<String> |
getUserRoles(Experimenter e)
Finds the group names for all groups for which the given
Experimenter is
a member. |
ExperimenterGroup |
groupProxy(Long id)
returns a possibly uninitialized proxy for the given
group id . |
ExperimenterGroup |
groupProxy(String groupName)
returns a possibly uninitialized proxy for the given
group name . |
void |
internalMoveToCommonSpace(IObject obj)
Helpers which unconditionally moves the object to the common space.
|
Experimenter |
lookupExperimenter(String omeName)
look up an
Experimenter and all related
groups by name. |
List<Experimenter> |
lookupExperimenters()
Looks up all
experimenters present and all related
groups . |
ExperimenterGroup |
lookupGroup(String groupName)
look up an
ExperimenterGroup and all contained
users by name. |
List<ExperimenterGroup> |
lookupGroups()
Looks up all
groups present and all related
experimenters . |
String |
lookupLdapAuthExperimenter(long id)
Looks up
experimenters who uses LDAP authentication
(has set dn on password table). |
List<Map<String,Object>> |
lookupLdapAuthExperimenters()
Looks up all id of
experimenters who uses LDAP
authentication (has set dn on password table). |
void |
moveToCommonSpace(IObject... iObjects)
Moves the given objects into the "user" group to make them visible
and linkable from all security contexts.
|
void |
removeGroupOwners(ExperimenterGroup group,
Experimenter... owner)
removes the given users from the owner list for this group.
|
void |
removeGroups(Experimenter user,
ExperimenterGroup... groups)
Removes an experimenter from the given groups.
|
void |
reportForgottenPassword(String name,
String email)
Can be used after repeated
AuthenticationException instances are
thrown, to request that an email with a temporary password be sent. |
void |
setApplicationContext(org.springframework.context.ApplicationContext ctx) |
void |
setDefaultGroup(Experimenter user,
ExperimenterGroup group)
sets the default group for a given user.
|
void |
setGroupOwner(ExperimenterGroup group,
Experimenter owner)
adds the user to the owner list for this group.
|
void |
synchronizeLoginCache()
uses JMX to refresh the login cache if supported.
|
void |
unsetGroupOwner(ExperimenterGroup group,
Experimenter owner)
removes the user from the owner list for this group.
|
void |
updateExperimenter(Experimenter experimenter)
Updates an experimenter if admin or owner of group.
|
void |
updateExperimenterWithPassword(Experimenter experimenter,
String password)
Updates an experimenter if admin or owner of group.
|
void |
updateGroup(ExperimenterGroup group)
Updates an experimenter group if admin or owner of group.
|
void |
updateSelf(Experimenter e)
Allows a user to update his/her own information.
|
long |
uploadMyUserPhoto(String filename,
String mimetype,
byte[] data)
Uploads a photo for the user which will be displayed on his/her profile.
|
Experimenter |
userProxy(Long id)
returns a possibly uninitialized proxy for the given
user id . |
Experimenter |
userProxy(String omeName)
returns a possibly uninitialized proxy for the given
user name . |
getBeanHelper, getExtendedMetadata, getQueryFactory, getSecuritySystem, selfConfigure, setExtendedMetadata, setQueryFactory, setQueryService, setSecuritySystem, setUpdateService
protected final SqlAction sql
protected final SessionFactory osf
protected final org.springframework.mail.MailSender mailSender
protected final org.springframework.mail.SimpleMailMessage templateMessage
protected final ACLVoter aclVoter
protected final PasswordProvider passwordProvider
protected final RoleProvider roleProvider
protected final PasswordUtil passwordUtil
protected final LdapImpl ldapUtil
protected final ChmodStrategy chmod
protected final ChecksumProviderFactory cpf
protected OmeroContext context
protected static final String NSEXPERIMENTERPHOTO
public AdminImpl(SqlAction sql, SessionFactory osf, org.springframework.mail.MailSender mailSender, org.springframework.mail.SimpleMailMessage templateMessage, ACLVoter aclVoter, PasswordProvider passwordProvider, RoleProvider roleProvider, LdapImpl ldapUtil, PasswordUtil passwordUtil, ChmodStrategy chmod, ChecksumProviderFactory cpf)
public void setApplicationContext(org.springframework.context.ApplicationContext ctx) throws org.springframework.beans.BeansException
setApplicationContext
in interface org.springframework.context.ApplicationContextAware
org.springframework.beans.BeansException
public Class<? extends ServiceInterface> getServiceInterface()
getServiceInterface
in interface SelfConfigurableService
public Experimenter userProxy(Long id)
LocalAdmin
user id
. Use of the Experimenter
instance will initialize its values.userProxy
in interface LocalAdmin
id
- the ID of a userpublic Experimenter userProxy(String omeName)
LocalAdmin
user name
. Use of the
Experimenter
instance will initialize its values.userProxy
in interface LocalAdmin
omeName
- the name of a userpublic ExperimenterGroup groupProxy(Long id)
LocalAdmin
group id
. Use of the
Experimenter
instance will initialize its values.groupProxy
in interface LocalAdmin
id
- the ID of a grouppublic ExperimenterGroup groupProxy(String groupName)
LocalAdmin
group name
. Use of the
Experimenter
instance will initialize its values.groupProxy
in interface LocalAdmin
groupName
- the name of a grouppublic List<Long> getLeaderOfGroupIds(Experimenter e)
IAdmin
Experimenter
is
owner/leader.getLeaderOfGroupIds
in interface IAdmin
e
- Non-null, managed (i.e. with id) Experimenter
ExperimenterGroup.getDetails()
,
Details.getOwner()
public List<Long> getMemberOfGroupIds(Experimenter e)
IAdmin
Experimenter
is
a member.getMemberOfGroupIds
in interface IAdmin
e
- Non-null, managed (i.e. with id) Experimenter
ExperimenterGroup.getDetails()
,
Details.getOwner()
public List<String> getUserRoles(Experimenter e)
LocalAdmin
Experimenter
is
a member.getUserRoles
in interface LocalAdmin
e
- Non-null, managed (i.e. with id) Experimenter
ExperimenterGroup.getDetails()
,
Details.getOwner()
public boolean canAnnotate(IObject obj)
LocalAdmin
IAdmin.canUpdate(IObject)
but not yet remotely
accessible.canAnnotate
in interface LocalAdmin
obj
- Not null.public boolean canUpdate(IObject obj)
IAdmin
IObject
. This uses the same logic that would be applied during
a Hibernate flush to the database.public Experimenter getExperimenter(long id)
IAdmin
Experimenter
and all related
groups
.getExperimenter
in interface IAdmin
id
- id of the Experimenterpublic Experimenter lookupExperimenter(String omeName)
IAdmin
Experimenter
and all related
groups
by name.lookupExperimenter
in interface IAdmin
omeName
- Name of the Experimenterpublic List<Experimenter> lookupExperimenters()
IAdmin
experimenters
present and all related
groups
.lookupExperimenters
in interface IAdmin
public List<Map<String,Object>> lookupLdapAuthExperimenters()
IAdmin
experimenters
who uses LDAP
authentication (has set dn on password table).lookupLdapAuthExperimenters
in interface IAdmin
public String lookupLdapAuthExperimenter(long id)
IAdmin
experimenters
who uses LDAP authentication
(has set dn on password table).lookupLdapAuthExperimenter
in interface IAdmin
public ExperimenterGroup getGroup(long id)
IAdmin
ExperimenterGroup
and all contained
users
.public ExperimenterGroup lookupGroup(String groupName)
IAdmin
ExperimenterGroup
and all contained
users
by name.lookupGroup
in interface IAdmin
groupName
- Name of the ExperimenterGrouppublic List<ExperimenterGroup> lookupGroups()
IAdmin
groups
present and all related
experimenters
. The experimenters' groups are also
loaded.lookupGroups
in interface IAdmin
public Experimenter[] containedExperimenters(long groupId)
IAdmin
users
contained in this group. The
returned users will have all fields filled in and all collections
unloaded.containedExperimenters
in interface IAdmin
groupId
- id of the ExperimenterGroupusers
in this group.public ExperimenterGroup[] containedGroups(long experimenterId)
IAdmin
groups
of which the given user is a
member. The returned groups will have all fields filled in and all
collections unloaded.containedGroups
in interface IAdmin
experimenterId
- id of the Experimenter. Not null.groups
for this
user.@Transactional(readOnly=false) public void synchronizeLoginCache()
IAdmin
synchronizeLoginCache
in interface IAdmin
@Transactional(readOnly=false) public void updateSelf(Experimenter e)
IAdmin
IAdmin.setDefaultGroup(Experimenter, ExperimenterGroup)
updateSelf
in interface IAdmin
e
- A data transfer object. Only the fields: firstName,
middleName, lastName, email, and institution are checked. Not
null.IAdmin.setDefaultGroup(Experimenter, ExperimenterGroup)
public List<OriginalFile> getMyUserPhotos()
IAdmin
OriginalFile
object attached to this
user as specified by IAdmin.uploadMyUserPhoto(String, String, byte[])
.
The return value is order by the most recently modified file first.getMyUserPhotos
in interface IAdmin
@Transactional(readOnly=false) public long uploadMyUserPhoto(String filename, String mimetype, byte[] data)
IAdmin
OriginalFile
object
with the given format, and attached to the user's Experimenter
object via an FileAnnotation
with
the namespace: "openmicroscopy.org/omero/experimenter/photo" (NSEXPERIMENTERPHOTO).
If such an OriginalFile
instance already exists,
it will be overwritten. If more than one photo is present, the oldest
version will be modified (i.e. the highest updateEvent id).
Note: as outlined in ticket:1794, this photo will be placed in the "user"
group and therefore will be visible to everyone on the system.uploadMyUserPhoto
in interface IAdmin
filename
- Not null. String name which will be used.mimetype
- Not null. Format.value string. 'image/jpeg' and 'image/png' are common values.data
- Not null. Data from the image. This will be written to disk.@Transactional(readOnly=false) public void updateExperimenter(Experimenter experimenter)
IAdmin
IAdmin.updateSelf(Experimenter)
if the current user
matches the given experimenter.updateExperimenter
in interface IAdmin
experimenter
- the Experimenter to update.@Transactional(readOnly=false) public void updateExperimenterWithPassword(Experimenter experimenter, String password)
IAdmin
updateExperimenterWithPassword
in interface IAdmin
experimenter
- the Experimenter to update.password
- Not-null. Must pass validation in the security sub-system.@Transactional(readOnly=false) public void updateGroup(ExperimenterGroup group)
IAdmin
updateGroup
in interface IAdmin
group
- the ExperimenterGroup to update.@Transactional(readOnly=false) public long createUser(Experimenter newUser, String defaultGroup)
IAdmin
createUser
in interface IAdmin
newUser
- a new Experimenter
instancedefaultGroup
- group name of the default group for this userExperimenter
@Transactional(readOnly=false) public long createSystemUser(Experimenter newSystemUser)
IAdmin
createSystemUser
in interface IAdmin
newSystemUser
- a new Experimenter
instanceExperimenter
@Transactional(readOnly=false) public long createExperimenter(Experimenter experimenter, ExperimenterGroup defaultGroup, ExperimenterGroup... otherGroups)
IAdmin
createExperimenter
in interface IAdmin
experimenter
- A new Experimenter
instance. Not null.defaultGroup
- Instance of ExperimenterGroup
. Not null.otherGroups
- Array of ExperimenterGroup
instances. Can be null.Experimenter
Not null.@Transactional(readOnly=false) public long createExperimenterWithPassword(Experimenter experimenter, String password, ExperimenterGroup defaultGroup, ExperimenterGroup... otherGroups)
IAdmin
createExperimenterWithPassword
in interface IAdmin
experimenter
- A new Experimenter
instance. Not null.password
- Not-null. Must pass validation in the security sub-system.defaultGroup
- Instance of ExperimenterGroup
. Not null.otherGroups
- Array of ExperimenterGroup
instances. Can be null.Experimenter
Not null.@Transactional(readOnly=false) public long createGroup(ExperimenterGroup group)
IAdmin
Details.setPermissions(Permissions)
method should be called on the instance which is passed. The given
Permissions
will become the default for all objects created while
logged into this group, possibly modified by the user's umask settings.
If no permissions is set, the default will be Permissions.USER_PRIVATE
,
i.e. a group in which no user can see the other group member's data.createGroup
in interface IAdmin
group
- a new ExperimenterGroup
instance. Not null.ExperimenterGroup
@Transactional(readOnly=false) public void addGroups(Experimenter user, ExperimenterGroup... groups)
IAdmin
@Transactional(readOnly=false) public void removeGroups(Experimenter user, ExperimenterGroup... groups)
IAdmin
removeGroups
in interface IAdmin
user
- A currently managed entity. Not null.groups
- Groups from which the user will be removed. Not null.@Transactional(readOnly=false) public void setDefaultGroup(Experimenter user, ExperimenterGroup group)
IAdmin
setDefaultGroup
in interface IAdmin
user
- A currently managed Experimenter
. Not null.group
- The group which should be set as default group for this user.
Not null.@Transactional(readOnly=false) public void setGroupOwner(ExperimenterGroup group, Experimenter owner)
IAdmin
setGroupOwner
in interface IAdmin
group
- A currently managed ExperimenterGroup
. Not null.owner
- A currently managed Experimenter
. Not null.@Transactional(readOnly=false) public void unsetGroupOwner(ExperimenterGroup group, Experimenter owner)
IAdmin
unsetGroupOwner
in interface IAdmin
group
- A currently managed ExperimenterGroup
. Not null.owner
- A currently managed Experimenter
. Not null.@Transactional(readOnly=false) public void addGroupOwners(ExperimenterGroup group, Experimenter... owner)
IAdmin
addGroupOwners
in interface IAdmin
group
- A currently managed ExperimenterGroup
. Not null.owner
- A set of currently managed Experimenter
s. Not null.@Transactional(readOnly=false) public void removeGroupOwners(ExperimenterGroup group, Experimenter... owner)
IAdmin
removeGroupOwners
in interface IAdmin
group
- A currently managed ExperimenterGroup
. Not null.owner
- A set of currently managed Experimenter
s. Not null.public ExperimenterGroup getDefaultGroup(long experimenterId)
IAdmin
group
for the given user
id.getDefaultGroup
in interface IAdmin
experimenterId
- of the Experimenter. Not null.ExperimenterGroup
. If no default group is
found, an exception will be thrown.@Transactional(readOnly=false) public void deleteExperimenter(Experimenter user)
IAdmin
GroupExperimenterMap
instances.deleteExperimenter
in interface IAdmin
user
- Experimenter to be deleted. Not null.@Transactional(readOnly=false) public void deleteGroup(ExperimenterGroup group)
IAdmin
ExperimenterGroup
instance.deleteGroup
in interface IAdmin
group
- ExperimenterGroup
to be deleted. Not null.@Transactional(readOnly=false) public void changeOwner(IObject iObject, String omeName)
IAdmin
details.setOwner()
on this instance. It is valid for the instance to be
unloaded
(or constructed with an
unloading-constructor.)changeOwner
in interface IAdmin
iObject
- An entity or an unloaded reference to an entity. Not null.omeName
- The user name who should gain ownership of this entity. Not
null.@Transactional(readOnly=false) public void changeGroup(IObject iObject, String groupName)
IAdmin
details.setGroup()
on this instance. It is valid for the instance to be
unloaded
(or constructed with an
unloading-constructor.)changeGroup
in interface IAdmin
iObject
- An entity or an unloaded reference to an entity. Not null.groupName
- The group name who should gain ownership of this entity. Not
null.@Transactional(readOnly=false) public void changePermissions(IObject iObject, Permissions perms)
Permissions
changes must be allowed even when other updates are
not. Therefore, we must manually check if the object belongs to this user
or is admin (before the call to
SecuritySystem.runAsAdmin(AdminAction)
This logic is duplicated in
BasicSecuritySystem.checkManagedDetails(IObject, ome.model.internal.Details)
.
As of OMERO 4.2 (ticket:1434), this method has special handling for an
instance of ExperimenterGroup
and limited capabilities
for changing any other object type (ticket:1776).
For groups, the permission changes will be propagated to all the
contained objects. For other objects, changes may not override group
settings.changePermissions
in interface IAdmin
iObject
- An entity or an unloaded reference to an entity. Not null.perms
- The permissions value for this entity. Not null.IAdmin.changePermissions(IObject, Permissions)
,
ticket:293,
ticket:1434@Transactional(readOnly=false) public void moveToCommonSpace(IObject... iObjects)
IAdmin
moveToCommonSpace
in interface IAdmin
public void internalMoveToCommonSpace(IObject obj)
uploadMyUserPhoto(String, String, byte[])
internalMoveToCommonSpace
in interface LocalAdmin
obj
- a model object, linked to the current session; never null
public Map<String,Long> getLockingIds(Class<IObject> type, long id, Long groupId)
LocalAdmin
Class
(as string) to a count for all entities
which point to the given IObject
. The String "*" is mapped to
the sum of all the locks.getLockingIds
in interface LocalAdmin
type
- the name of a model classid
- the ID of an instance of klass
groupId
- the ID of a group to omit from the results, may be null
@Transactional(readOnly=false) public void reportForgottenPassword(String name, String email) throws AuthenticationException
IAdmin
AuthenticationException
instances are
thrown, to request that an email with a temporary password be sent. The
given email must match the email for the user listed under the name
argument.
Does not require a session to be active.reportForgottenPassword
in interface IAdmin
AuthenticationException
- when name and email do not match@Transactional(readOnly=false) public void changeExpiredCredentials(String name, String oldCred, String newCred) throws AuthenticationException
IAdmin
ExpiredCredentialException
instance is thrown.
Does not requirechangeExpiredCredentials
in interface IAdmin
AuthenticationException
@Transactional(readOnly=false) public void changePassword(String newPassword)
IAdmin
Warning:This method requires the user to be authenticated
with a password and not with a one-time session id. To avoid this
problem, use IAdmin.changePasswordWithOldPassword(String, String)
.
changePassword
in interface IAdmin
newPassword
- Possibly null to allow logging in with no password.@Transactional(readOnly=false) public void changePasswordWithOldPassword(String oldPassword, String newPassword)
IAdmin
changePasswordWithOldPassword
in interface IAdmin
oldPassword
- Not-null. Must pass validation in the security sub-system.newPassword
- Possibly null to allow logging in with no password.@Transactional(readOnly=false) public void changeUserPassword(String user, String newPassword)
IAdmin
changeUserPassword
in interface IAdmin
newPassword
- Not-null. Might must pass validation in the security
sub-system.public boolean checkPassword(String name, String password, boolean readOnly)
checkPassword
in interface LocalAdmin
name
- the name of a userpassword
- the user's passwordreadOnly
- if the password check should be transactionally read-onlypublic Roles getSecurityRoles()
IAdmin
Roles
in use by the server.getSecurityRoles
in interface IAdmin
Roles
instance.public EventContext getEventContext()
IAdmin
EventContext
loaded with the
security for the current user and thread. If called remotely, not all
values of EventContext
will be sensible.getEventContext
in interface IAdmin
EventContext
instancepublic EventContext getEventContextQuiet()
LocalAdmin
IAdmin.getEventContext()
but will not reload the context.
This also has the result that values from the current call context
will be applied as simply the session context.getEventContextQuiet
in interface LocalAdmin
protected void assertManaged(IObject o)
Version: 5.2.4-ice35-b23
Copyright © 2016 The University of Dundee & Open Microscopy Environment. All Rights Reserved.