ome.logic

Class AdminImpl

java.lang.Object

ome.logic.AbstractLevel2Service

ome.logic.AdminImpl

All Implemented Interfaces:

IAdmin, LocalAdmin, ServiceInterface, SelfConfigurableService, org.springframework.context.ApplicationContextAware

@Transactional(readOnly=true)
public class AdminImpl
extends AbstractLevel2Service
implements LocalAdmin, org.springframework.context.ApplicationContextAware

Provides methods for administering user accounts, passwords, as well as methods which require special privileges. Developer note: As can be expected, to perform these privileged the Admin service has access to several resources that should not be generally used while developing services. Misuse could circumvent security or auditing.

Since:

3.0-M3

Author:

Josh Moore, josh.moore at gmx.de

See Also:

SecuritySystem, Permissions

Field Summary

Fields

Modifier and Type	Field and Description
protected ACLVoter	aclVoter
protected LightAdminPrivileges	adminPrivileges
protected ChmodStrategy	chmod
protected OmeroContext	context
protected ChecksumProviderFactory	cpf
protected LdapImpl	ldapUtil
protected org.springframework.mail.MailSender	mailSender
protected static java.lang.String	NSEXPERIMENTERPHOTO
protected SessionFactory	osf
protected PasswordProvider	passwordProvider
protected PasswordUtil	passwordUtil
protected RoleProvider	roleProvider
protected SqlAction	sql
protected org.springframework.mail.SimpleMailMessage	templateMessage

Fields inherited from class ome.logic.AbstractLevel2Service

iQuery, iUpdate, metadata, queryFactory, sec

Constructor Summary

Constructors

Constructor and Description
AdminImpl(SqlAction sql, SessionFactory osf, org.springframework.mail.MailSender mailSender, org.springframework.mail.SimpleMailMessage templateMessage, ACLVoter aclVoter, PasswordProvider passwordProvider, RoleProvider roleProvider, LdapImpl ldapUtil, PasswordUtil passwordUtil, ChmodStrategy chmod, ChecksumProviderFactory cpf, LightAdminPrivileges adminPrivileges)

Method Summary

Modifier and Type	Method and Description
void	addGroupOwners(ExperimenterGroup group, Experimenter... owner) adds the given users to the owner list for this group.
void	addGroups(Experimenter user, ExperimenterGroup... groups) adds a user to the given groups.
protected void	assertManaged(IObject o)
boolean	canAnnotate(IObject obj) Companion to IAdmin.canUpdate(IObject) but not yet remotely accessible.
boolean	canUpdate(IObject obj) Returns true if the currently logged in user can modify the given IObject.
void	changeExpiredCredentials(java.lang.String name, java.lang.String oldCred, java.lang.String newCred) Used after an ExpiredCredentialException instance is thrown.
void	changeGroup(IObject iObject, java.lang.String groupName) call details.setGroup() on this instance.
void	changeOwner(IObject iObject, java.lang.String omeName) call details.setOwner() on this instance.
void	changePassword(java.lang.String newPassword) change the password for the current user.
void	changePasswordWithOldPassword(java.lang.String oldPassword, java.lang.String newPassword) change the password for the current user by passing the old password.
void	changePermissions(IObject iObject, Permissions perms) the implementation of this method is somewhat tricky in that Permissions changes must be allowed even when other updates are not.
void	changeUserPassword(java.lang.String user, java.lang.String newPassword) change the password for the a given user.
boolean	checkPassword(java.lang.String name, java.lang.String password, boolean readOnly) If ldap plugin turned, creates Ldap accounts and authentication by LDAP available.
Experimenter[]	containedExperimenters(long groupId) fetch all users contained in this group.
ExperimenterGroup[]	containedGroups(long experimenterId) fetch all groups of which the given user is a member.
long	createExperimenter(Experimenter experimenter, ExperimenterGroup defaultGroup, ExperimenterGroup... otherGroups) create and return a new user in the given groups.
long	createExperimenterWithPassword(Experimenter experimenter, java.lang.String password, ExperimenterGroup defaultGroup, ExperimenterGroup... otherGroups) create and return a new user in the given groups with password.
long	createGroup(ExperimenterGroup group) create and return a new group.
long	createRestrictedSystemUser(Experimenter newSystemUser, java.util.List<AdminPrivilege> privileges) Create and return a new system user.
long	createRestrictedSystemUserWithPassword(Experimenter newSystemUser, java.util.List<AdminPrivilege> privileges, java.lang.String password) Create and return a new system user.
long	createSystemUser(Experimenter newSystemUser) create and return a new system user.
long	createUser(Experimenter newUser, java.lang.String defaultGroup) create and return a new user.
void	deleteExperimenter(Experimenter user) removes a user by removing the password information for that user as well as all GroupExperimenterMap instances.
void	deleteGroup(ExperimenterGroup group) removes a group by first removing all users in the group, and then deleting the actual ExperimenterGroup instance.
java.util.List<AdminPrivilege>	getAdminPrivileges(Experimenter user) Gets the light administrator privileges for the given user.
java.util.List<Experimenter>	getAdminsWithPrivileges(java.util.List<AdminPrivilege> privileges) Gets the administrators who have all the given privileges.
java.util.List<AdminPrivilege>	getCurrentAdminPrivileges() Gets the light administrator privileges for the current user.
ExperimenterGroup	getDefaultGroup(long experimenterId) retrieve the default group for the given user id.
EventContext	getEventContext() returns an implementation of EventContext loaded with the security for the current user and thread.
EventContext	getEventContextQuiet() Like IAdmin.getEventContext() but will not reload the context.
Experimenter	getExperimenter(long id) fetch an Experimenter and all related groups.
ExperimenterGroup	getGroup(long id) fetch an ExperimenterGroup and all contained users.
java.util.List<java.lang.Long>	getLeaderOfGroupIds(Experimenter e) Finds the ids for all groups for which the given Experimenter is owner/leader.
java.util.Map<java.lang.String,java.lang.Long>	getLockingIds(java.lang.Class<IObject> type, long id, java.lang.Long groupId) Returns a map from Class (as string) to a count for all entities which point to the given IObject.
java.util.Map<java.lang.String,java.lang.Long>	getLockingIds(IObject object)
java.util.List<java.lang.Long>	getMemberOfGroupIds(Experimenter e) Finds the ids for all groups for which the given Experimenter is a member.
java.util.List<OriginalFile>	getMyUserPhotos() Retrieve the OriginalFile object attached to this user as specified by IAdmin.uploadMyUserPhoto(String, String, byte[]).
Roles	getSecurityRoles() returns the active Roles in use by the server.
java.lang.Class<? extends ServiceInterface>	getServiceInterface()
java.util.List<java.lang.String>	getUserRoles(Experimenter e) Finds the group names for all groups for which the given Experimenter is a member.
ExperimenterGroup	groupProxy(java.lang.Long id) returns a possibly uninitialized proxy for the given group id.
ExperimenterGroup	groupProxy(java.lang.String groupName) returns a possibly uninitialized proxy for the given group name.
void	internalMoveToCommonSpace(IObject obj) Helpers which unconditionally moves the object to the common space.
Experimenter	lookupExperimenter(java.lang.String omeName) look up an Experimenter and all related groups by name.
java.util.List<Experimenter>	lookupExperimenters() Looks up all experimenters present and all related groups.
ExperimenterGroup	lookupGroup(java.lang.String groupName) look up an ExperimenterGroup and all contained users by name.
java.util.List<ExperimenterGroup>	lookupGroups() Looks up all groups present and all related experimenters.
java.lang.String	lookupLdapAuthExperimenter(long id) Looks up experimenters who uses LDAP authentication (has set dn on password table).
java.util.List<java.util.Map<java.lang.String,java.lang.Object>>	lookupLdapAuthExperimenters() Looks up all id of experimenters who uses LDAP authentication (has set dn on password table).
void	moveToCommonSpace(IObject... iObjects) Moves the given objects into the "user" group to make them visible and linkable from all security contexts.
void	removeGroupOwners(ExperimenterGroup group, Experimenter... owner) removes the given users from the owner list for this group.
void	removeGroups(Experimenter user, ExperimenterGroup... groups) Removes an experimenter from the given groups.
void	reportForgottenPassword(java.lang.String name, java.lang.String email) Can be used after repeated AuthenticationException instances are thrown, to request that an email with a temporary password be sent.
void	setAdminPrivileges(Experimenter user, java.util.List<AdminPrivilege> privileges) Sets the set of light administrator privileges for the given user.
void	setApplicationContext(org.springframework.context.ApplicationContext ctx)
void	setDefaultGroup(Experimenter user, ExperimenterGroup group) sets the default group for a given user.
void	setGroupOwner(ExperimenterGroup group, Experimenter owner) adds the user to the owner list for this group.
void	synchronizeLoginCache() uses JMX to refresh the login cache if supported.
void	unsetGroupOwner(ExperimenterGroup group, Experimenter owner) removes the user from the owner list for this group.
void	updateExperimenter(Experimenter experimenter) Updates an experimenter if admin or owner of group.
void	updateExperimenterWithPassword(Experimenter experimenter, java.lang.String password) Updates an experimenter if admin or owner of group.
void	updateGroup(ExperimenterGroup group) Updates an experimenter group if admin or owner of group.
void	updateSelf(Experimenter e) Allows a user to update his/her own information.
long	uploadMyUserPhoto(java.lang.String filename, java.lang.String mimetype, byte[] data) Uploads a photo for the user which will be displayed on his/her profile.
Experimenter	userProxy(java.lang.Long id) returns a possibly uninitialized proxy for the given user id.
Experimenter	userProxy(java.lang.String omeName) returns a possibly uninitialized proxy for the given user name.

Methods inherited from class ome.logic.AbstractLevel2Service

getBeanHelper, getExtendedMetadata, getQueryFactory, getSecuritySystem, selfConfigure, setExtendedMetadata, setQueryFactory, setQueryService, setSecuritySystem, setUpdateService

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

sql

protected final SqlAction sql

osf

protected final SessionFactory osf

mailSender

protected final org.springframework.mail.MailSender mailSender

templateMessage

protected final org.springframework.mail.SimpleMailMessage templateMessage

aclVoter

protected final ACLVoter aclVoter

passwordProvider

protected final PasswordProvider passwordProvider

roleProvider

protected final RoleProvider roleProvider

passwordUtil

protected final PasswordUtil passwordUtil

ldapUtil

protected final LdapImpl ldapUtil

chmod

protected final ChmodStrategy chmod

cpf

protected final ChecksumProviderFactory cpf

adminPrivileges

protected final LightAdminPrivileges adminPrivileges

context

protected OmeroContext context

NSEXPERIMENTERPHOTO

protected static final java.lang.String NSEXPERIMENTERPHOTO

See Also:

Constant Field Values

Constructor Detail

AdminImpl

public AdminImpl(SqlAction sql,
                 SessionFactory osf,
                 org.springframework.mail.MailSender mailSender,
                 org.springframework.mail.SimpleMailMessage templateMessage,
                 ACLVoter aclVoter,
                 PasswordProvider passwordProvider,
                 RoleProvider roleProvider,
                 LdapImpl ldapUtil,
                 PasswordUtil passwordUtil,
                 ChmodStrategy chmod,
                 ChecksumProviderFactory cpf,
                 LightAdminPrivileges adminPrivileges)

Method Detail

setApplicationContext

public void setApplicationContext(org.springframework.context.ApplicationContext ctx)
                           throws org.springframework.beans.BeansException

Specified by:

setApplicationContext in interface org.springframework.context.ApplicationContextAware

Throws:

org.springframework.beans.BeansException

getServiceInterface

public java.lang.Class<? extends ServiceInterface> getServiceInterface()

Specified by:

getServiceInterface in interface SelfConfigurableService

userProxy

public Experimenter userProxy(java.lang.Long id)

Description copied from interface: LocalAdmin

returns a possibly uninitialized proxy for the given user id. Use of the Experimenter instance will initialize its values.

Specified by:

userProxy in interface LocalAdmin

Parameters:

id - the ID of a user

Returns:

the user (may be uninitialized)

userProxy

public Experimenter userProxy(java.lang.String omeName)

Description copied from interface: LocalAdmin

returns a possibly uninitialized proxy for the given user name. Use of the Experimenter instance will initialize its values.

Specified by:

userProxy in interface LocalAdmin

Parameters:

omeName - the name of a user

Returns:

the user (may be uninitialized)

groupProxy

public ExperimenterGroup groupProxy(java.lang.Long id)

Description copied from interface: LocalAdmin

returns a possibly uninitialized proxy for the given group id. Use of the Experimenter instance will initialize its values.

Specified by:

groupProxy in interface LocalAdmin

Parameters:

id - the ID of a group

Returns:

the group (may be uninitialized)

groupProxy

public ExperimenterGroup groupProxy(java.lang.String groupName)

Description copied from interface: LocalAdmin

returns a possibly uninitialized proxy for the given group name. Use of the Experimenter instance will initialize its values.

Specified by:

groupProxy in interface LocalAdmin

Parameters:

groupName - the name of a group

Returns:

the group (may be uninitialized)

getLeaderOfGroupIds

public java.util.List<java.lang.Long> getLeaderOfGroupIds(Experimenter e)

Description copied from interface: IAdmin

Finds the ids for all groups for which the given Experimenter is owner/leader.

Specified by:

getLeaderOfGroupIds in interface IAdmin

Parameters:

e - Non-null, managed (i.e. with id) Experimenter

See Also:

ExperimenterGroup.getDetails(), Details.getOwner()

getMemberOfGroupIds

public java.util.List<java.lang.Long> getMemberOfGroupIds(Experimenter e)

Description copied from interface: IAdmin

Finds the ids for all groups for which the given Experimenter is a member.

Specified by:

getMemberOfGroupIds in interface IAdmin

Parameters:

e - Non-null, managed (i.e. with id) Experimenter

See Also:

ExperimenterGroup.getDetails(), Details.getOwner()

getUserRoles

public java.util.List<java.lang.String> getUserRoles(Experimenter e)

Description copied from interface: LocalAdmin

Finds the group names for all groups for which the given Experimenter is a member.

Specified by:

getUserRoles in interface LocalAdmin

Parameters:

e - Non-null, managed (i.e. with id) Experimenter

Returns:

the groups of which the user is a member

See Also:

ExperimenterGroup.getDetails(), Details.getOwner()

canAnnotate

public boolean canAnnotate(IObject obj)

Description copied from interface: LocalAdmin

Companion to IAdmin.canUpdate(IObject) but not yet remotely accessible.

Specified by:

canAnnotate in interface LocalAdmin

Parameters:

obj - Not null.

Returns:

if the object can be annotated

canUpdate

public boolean canUpdate(IObject obj)

Description copied from interface: IAdmin

Returns true if the currently logged in user can modify the given IObject. This uses the same logic that would be applied during a Hibernate flush to the database.

Specified by:

canUpdate in interface IAdmin

getExperimenter

public Experimenter getExperimenter(long id)

Description copied from interface: IAdmin

fetch an Experimenter and all related groups.

Specified by:

getExperimenter in interface IAdmin

Parameters:

id - id of the Experimenter

Returns:

an Experimenter. Never null.

lookupExperimenter

public Experimenter lookupExperimenter(java.lang.String omeName)

Description copied from interface: IAdmin

look up an Experimenter and all related groups by name.

Specified by:

lookupExperimenter in interface IAdmin

Parameters:

omeName - Name of the Experimenter

Returns:

an Experimenter. Never null.

lookupExperimenters

public java.util.List<Experimenter> lookupExperimenters()

Description copied from interface: IAdmin

Looks up all experimenters present and all related groups.

Specified by:

lookupExperimenters in interface IAdmin

Returns:

all Experimenters. Never null.

lookupLdapAuthExperimenters

public java.util.List<java.util.Map<java.lang.String,java.lang.Object>> lookupLdapAuthExperimenters()

Description copied from interface: IAdmin

Looks up all id of experimenters who uses LDAP authentication (has set dn on password table).

Specified by:

lookupLdapAuthExperimenters in interface IAdmin

Returns:

list of Experimenters. Never null.

lookupLdapAuthExperimenter

public java.lang.String lookupLdapAuthExperimenter(long id)

Description copied from interface: IAdmin

Looks up experimenters who uses LDAP authentication (has set dn on password table).

Specified by:

lookupLdapAuthExperimenter in interface IAdmin

Returns:

Experimenter. Never null.

getGroup

public ExperimenterGroup getGroup(long id)

Description copied from interface: IAdmin

fetch an ExperimenterGroup and all contained users.

Specified by:

getGroup in interface IAdmin

Parameters:

id - id of the ExperimenterGroup

Returns:

an ExperimenterGroup. Never null.

lookupGroup

public ExperimenterGroup lookupGroup(java.lang.String groupName)

Description copied from interface: IAdmin

look up an ExperimenterGroup and all contained users by name.

Specified by:

lookupGroup in interface IAdmin

Parameters:

groupName - Name of the ExperimenterGroup

Returns:

an ExperimenterGroup. Never null.

lookupGroups

public java.util.List<ExperimenterGroup> lookupGroups()

Description copied from interface: IAdmin

Looks up all groups present and all related experimenters. The experimenters' groups are also loaded.

Specified by:

lookupGroups in interface IAdmin

Returns:

all Groups. Never null.

containedExperimenters

public Experimenter[] containedExperimenters(long groupId)

Description copied from interface: IAdmin

fetch all users contained in this group. The returned users will have all fields filled in and all collections unloaded.

Specified by:

containedExperimenters in interface IAdmin

Parameters:

groupId - id of the ExperimenterGroup

Returns:

non-null array of all users in this group.

containedGroups

public ExperimenterGroup[] containedGroups(long experimenterId)

Description copied from interface: IAdmin

fetch all groups of which the given user is a member. The returned groups will have all fields filled in and all collections unloaded.

Specified by:

containedGroups in interface IAdmin

Parameters:

experimenterId - id of the Experimenter. Not null.

Returns:

non-null array of all groups for this user.

synchronizeLoginCache

@Transactional(readOnly=false)
public void synchronizeLoginCache()

Description copied from interface: IAdmin

uses JMX to refresh the login cache if supported. Some backends may not provide refreshing. This may be called internally during some other administrative tasks. The exact implementation of this depends on the application server and the authentication/authorization backend.

Specified by:

synchronizeLoginCache in interface IAdmin

updateSelf

@Transactional(readOnly=false)
public void updateSelf(Experimenter e)

Description copied from interface: IAdmin

Allows a user to update his/her own information. This is limited to the fields on Experimenter, all other fields (groups, etc.) are ignored. The experimenter argument need not have the proper id nor the proper omeName (which is immutable). To change the users default group (which is the only other customizable option), use IAdmin.setDefaultGroup(Experimenter, ExperimenterGroup)

Specified by:

updateSelf in interface IAdmin

Parameters:

e - A data transfer object. Only the fields: firstName, middleName, lastName, email, and institution are checked. Not null.

See Also:

IAdmin.setDefaultGroup(Experimenter, ExperimenterGroup)

getMyUserPhotos

public java.util.List<OriginalFile> getMyUserPhotos()

Description copied from interface: IAdmin

Retrieve the OriginalFile object attached to this user as specified by IAdmin.uploadMyUserPhoto(String, String, byte[]). The return value is order by the most recently modified file first.

Specified by:

getMyUserPhotos in interface IAdmin

Returns:

file objects. Possibly empty.

uploadMyUserPhoto

@Transactional(readOnly=false)
public long uploadMyUserPhoto(java.lang.String filename,
                                                             java.lang.String mimetype,
                                                             byte[] data)

Description copied from interface: IAdmin

Uploads a photo for the user which will be displayed on his/her profile. This photo will be saved as an OriginalFile object with the given format, and attached to the user's Experimenter object via an FileAnnotation with the namespace: "openmicroscopy.org/omero/experimenter/photo" (NSEXPERIMENTERPHOTO). If such an OriginalFile instance already exists, it will be overwritten. If more than one photo is present, the oldest version will be modified (i.e. the highest updateEvent id). Note: as outlined in ticket:1794, this photo will be placed in the "user" group and therefore will be visible to everyone on the system.

Specified by:

uploadMyUserPhoto in interface IAdmin

Parameters:

filename - Not null. String name which will be used.

mimetype - Not null. Format.value string. 'image/jpeg' and 'image/png' are common values.

data - Not null. Data from the image. This will be written to disk.

Returns:

the id of the overwritten or newly created user photo OriginalFile object.

updateExperimenter

@Transactional(readOnly=false)
public void updateExperimenter(Experimenter experimenter)

Description copied from interface: IAdmin

Updates an experimenter if admin or owner of group. Only string fields on the object are taken into account. The root and guest experimenters may not be renamed. Before a SecurityViolation would be thrown, however, this method will pass to IAdmin.updateSelf(Experimenter) if the current user matches the given experimenter.

Specified by:

updateExperimenter in interface IAdmin

Parameters:

experimenter - the Experimenter to update.

updateExperimenterWithPassword

@Transactional(readOnly=false)
public void updateExperimenterWithPassword(Experimenter experimenter,
                                                                          java.lang.String password)

Description copied from interface: IAdmin

Updates an experimenter if admin or owner of group. Only string fields on the object are taken into account. The root and guest experimenters may not be renamed.

Specified by:

updateExperimenterWithPassword in interface IAdmin

Parameters:

experimenter - the Experimenter to update.

password - Not-null. Must pass validation in the security sub-system.

updateGroup

@Transactional(readOnly=false)
public void updateGroup(ExperimenterGroup group)

Description copied from interface: IAdmin

Updates an experimenter group if admin or owner of group. Only string fields on the object are taken into account. The root, system and guest groups may not be renamed, nor may the user's current group.

Specified by:

updateGroup in interface IAdmin

Parameters:

group - the ExperimenterGroup to update.

createUser

@Transactional(readOnly=false)
public long createUser(Experimenter newUser,
                                                      java.lang.String defaultGroup)

Description copied from interface: IAdmin

create and return a new user. This user will be created with the default group specified.

Specified by:

createUser in interface IAdmin

Parameters:

newUser - a new Experimenter instance

defaultGroup - group name of the default group for this user

Returns:

id of the newly created Experimenter

createSystemUser

@Transactional(readOnly=false)
public long createSystemUser(Experimenter newSystemUser)

Description copied from interface: IAdmin

create and return a new system user. This user will be created with the "System" (administration) group as default and will also be in the "user" group.

Specified by:

createSystemUser in interface IAdmin

Parameters:

newSystemUser - a new Experimenter instance

Returns:

id of the newly created Experimenter

createRestrictedSystemUser

@Transactional(readOnly=false)
public long createRestrictedSystemUser(Experimenter newSystemUser,
                                                                      java.util.List<AdminPrivilege> privileges)

Description copied from interface: IAdmin

Create and return a new system user. This user will be created with the "System" (administration) group as default and will also be in the "user" group.

Specified by:

createRestrictedSystemUser in interface IAdmin

Parameters:

newSystemUser - a new Experimenter instance

privileges - the privileges to set for the user

Returns:

id of the newly created Experimenter

createRestrictedSystemUserWithPassword

@Transactional(readOnly=false)
public long createRestrictedSystemUserWithPassword(Experimenter newSystemUser,
                                                                                  java.util.List<AdminPrivilege> privileges,
                                                                                  java.lang.String password)

Description copied from interface: IAdmin

Create and return a new system user. This user will be created with the "System" (administration) group as default and will also be in the "user" group.

Specified by:

createRestrictedSystemUserWithPassword in interface IAdmin

Parameters:

newSystemUser - a new Experimenter instance

privileges - the privileges to set for the user

password - the password to set for the user

Returns:

id of the newly created Experimenter

createExperimenter

@Transactional(readOnly=false)
public long createExperimenter(Experimenter experimenter,
                                                              ExperimenterGroup defaultGroup,
                                                              ExperimenterGroup... otherGroups)

Description copied from interface: IAdmin

create and return a new user in the given groups.

Specified by:

createExperimenter in interface IAdmin

Parameters:

experimenter - A new Experimenter instance. Not null.

defaultGroup - Instance of ExperimenterGroup. Not null.

otherGroups - Array of ExperimenterGroup instances. Can be null.

Returns:

id of the newly created Experimenter Not null.

createExperimenterWithPassword

@Transactional(readOnly=false)
public long createExperimenterWithPassword(Experimenter experimenter,
                                                                          java.lang.String password,
                                                                          ExperimenterGroup defaultGroup,
                                                                          ExperimenterGroup... otherGroups)

Description copied from interface: IAdmin

create and return a new user in the given groups with password.

Specified by:

createExperimenterWithPassword in interface IAdmin

Parameters:

experimenter - A new Experimenter instance. Not null.

password - Not-null. Must pass validation in the security sub-system.

defaultGroup - Instance of ExperimenterGroup. Not null.

otherGroups - Array of ExperimenterGroup instances. Can be null.

Returns:

id of the newly created Experimenter Not null.

createGroup

@Transactional(readOnly=false)
public long createGroup(ExperimenterGroup group)

Description copied from interface: IAdmin

create and return a new group. The Details.setPermissions(Permissions) method should be called on the instance which is passed. The given Permissions will become the default for all objects created while logged into this group, possibly modified by the user's umask settings. If no permissions is set, the default will be Permissions.USER_PRIVATE, i.e. a group in which no user can see the other group member's data.

Specified by:

createGroup in interface IAdmin

Parameters:

group - a new ExperimenterGroup instance. Not null.

Returns:

id of the newly created ExperimenterGroup

See Also:

ticket:1434"

addGroups

@Transactional(readOnly=false)
public void addGroups(Experimenter user,
                                                     ExperimenterGroup... groups)

Description copied from interface: IAdmin

adds a user to the given groups.

Specified by:

addGroups in interface IAdmin

Parameters:

user - A currently managed entity. Not null.

groups - Groups to which the user will be added. Not null.

removeGroups

@Transactional(readOnly=false)
public void removeGroups(Experimenter user,
                                                        ExperimenterGroup... groups)

Description copied from interface: IAdmin

Removes an experimenter from the given groups.

• The root experimenter is required to be in both the user and system groups.
• An experimenter may not remove themself from the user or system group.
• An experimenter may not be a member of only the user group, some other group is also required as the default group.
• An experimenter must remain a member of some group.

Specified by:

removeGroups in interface IAdmin

Parameters:

user - A currently managed entity. Not null.

groups - Groups from which the user will be removed. Not null.

setDefaultGroup

@Transactional(readOnly=false)
public void setDefaultGroup(Experimenter user,
                                                           ExperimenterGroup group)

Description copied from interface: IAdmin

sets the default group for a given user.

Specified by:

setDefaultGroup in interface IAdmin

Parameters:

user - A currently managed Experimenter. Not null.

group - The group which should be set as default group for this user. Not null.

setGroupOwner

@Transactional(readOnly=false)
public void setGroupOwner(ExperimenterGroup group,
                                                         Experimenter owner)

Description copied from interface: IAdmin

adds the user to the owner list for this group. Since Beta4.2 (ticket:1434) multiple users can be the "owner" of a group.

Specified by:

setGroupOwner in interface IAdmin

Parameters:

group - A currently managed ExperimenterGroup. Not null.

owner - A currently managed Experimenter. Not null.

unsetGroupOwner

@Transactional(readOnly=false)
public void unsetGroupOwner(ExperimenterGroup group,
                                                           Experimenter owner)

Description copied from interface: IAdmin

removes the user from the owner list for this group. Since Beta4.2 (ticket:1434) multiple users can be the "owner" of a group.

Specified by:

unsetGroupOwner in interface IAdmin

Parameters:

group - A currently managed ExperimenterGroup. Not null.

owner - A currently managed Experimenter. Not null.

addGroupOwners

@Transactional(readOnly=false)
public void addGroupOwners(ExperimenterGroup group,
                                                          Experimenter... owner)

Description copied from interface: IAdmin

adds the given users to the owner list for this group.

Specified by:

addGroupOwners in interface IAdmin

Parameters:

group - A currently managed ExperimenterGroup. Not null.

owner - A set of currently managed Experimenters. Not null.

removeGroupOwners

@Transactional(readOnly=false)
public void removeGroupOwners(ExperimenterGroup group,
                                                             Experimenter... owner)

Description copied from interface: IAdmin

removes the given users from the owner list for this group.

Specified by:

removeGroupOwners in interface IAdmin

Parameters:

group - A currently managed ExperimenterGroup. Not null.

owner - A set of currently managed Experimenters. Not null.

getDefaultGroup

public ExperimenterGroup getDefaultGroup(long experimenterId)

Description copied from interface: IAdmin

retrieve the default group for the given user id.

Specified by:

getDefaultGroup in interface IAdmin

Parameters:

experimenterId - of the Experimenter. Not null.

Returns:

non-null ExperimenterGroup. If no default group is found, an exception will be thrown.

deleteExperimenter

@Transactional(readOnly=false)
public void deleteExperimenter(Experimenter user)

Description copied from interface: IAdmin

removes a user by removing the password information for that user as well as all GroupExperimenterMap instances.

Specified by:

deleteExperimenter in interface IAdmin

Parameters:

user - Experimenter to be deleted. Not null.

deleteGroup

@Transactional(readOnly=false)
public void deleteGroup(ExperimenterGroup group)

Description copied from interface: IAdmin

removes a group by first removing all users in the group, and then deleting the actual ExperimenterGroup instance.

Specified by:

deleteGroup in interface IAdmin

Parameters:

group - ExperimenterGroup to be deleted. Not null.

changeOwner

@Transactional(readOnly=false)
public void changeOwner(IObject iObject,
                                                       java.lang.String omeName)

Description copied from interface: IAdmin

call details.setOwner() on this instance. It is valid for the instance to be unloaded (or constructed with an unloading-constructor.)

Specified by:

changeOwner in interface IAdmin

Parameters:

iObject - An entity or an unloaded reference to an entity. Not null.

omeName - The user name who should gain ownership of this entity. Not null.

changeGroup

@Transactional(readOnly=false)
public void changeGroup(IObject iObject,
                                                       java.lang.String groupName)

Description copied from interface: IAdmin

call details.setGroup() on this instance. It is valid for the instance to be unloaded (or constructed with an unloading-constructor.)

Specified by:

changeGroup in interface IAdmin

Parameters:

iObject - An entity or an unloaded reference to an entity. Not null.

groupName - The group name who should gain ownership of this entity. Not null.

changePermissions

@Transactional(readOnly=false)
public void changePermissions(IObject iObject,
                                                             Permissions perms)

the implementation of this method is somewhat tricky in that Permissions changes must be allowed even when other updates are not. Therefore, we must manually check if the object belongs to this user or is admin (before the call to SecuritySystem.runAsAdmin(AdminAction) This logic is duplicated in BasicSecuritySystem.checkManagedDetails(IObject, ome.model.internal.Details). As of OMERO 4.2 (ticket:1434), this method has special handling for an instance of ExperimenterGroup and limited capabilities for changing any other object type (ticket:1776). For groups, the permission changes will be propagated to all the contained objects. For other objects, changes may not override group settings.

Specified by:

changePermissions in interface IAdmin

Parameters:

iObject - An entity or an unloaded reference to an entity. Not null.

perms - The permissions value for this entity. Not null.

See Also:

IAdmin.changePermissions(IObject, Permissions), ticket:293, ticket:1434

moveToCommonSpace

@Transactional(readOnly=false)
public void moveToCommonSpace(IObject... iObjects)

Description copied from interface: IAdmin

Moves the given objects into the "user" group to make them visible and linkable from all security contexts.

Specified by:

moveToCommonSpace in interface IAdmin

See Also:

ticket 1794

internalMoveToCommonSpace

public void internalMoveToCommonSpace(IObject obj)

Helpers which unconditionally moves the object to the common space. This can be used by other methods like uploadMyUserPhoto(String, String, byte[])

Specified by:

internalMoveToCommonSpace in interface LocalAdmin

Parameters:

obj - a model object, linked to the current session; never null

getLockingIds

public java.util.Map<java.lang.String,java.lang.Long> getLockingIds(IObject object)

getLockingIds

public java.util.Map<java.lang.String,java.lang.Long> getLockingIds(java.lang.Class<IObject> type,
                                                                    long id,
                                                                    java.lang.Long groupId)

Description copied from interface: LocalAdmin

Returns a map from Class (as string) to a count for all entities which point to the given IObject. The String "*" is mapped to the sum of all the locks.

Specified by:

getLockingIds in interface LocalAdmin

Parameters:

type - the name of a model class

id - the ID of an instance of klass

groupId - the ID of a group to omit from the results, may be null

Returns:

the classes and counts of the objects that point to the given object

reportForgottenPassword

@Transactional(readOnly=false)
public void reportForgottenPassword(java.lang.String name,
                                                                   java.lang.String email)
                                                            throws AuthenticationException

Description copied from interface: IAdmin

Can be used after repeated AuthenticationException instances are thrown, to request that an email with a temporary password be sent. The given email must match the email for the user listed under the name argument. Does not require a session to be active.

Specified by:

reportForgottenPassword in interface IAdmin

Throws:

AuthenticationException - when name and email do not match

changeExpiredCredentials

@Transactional(readOnly=false)
public void changeExpiredCredentials(java.lang.String name,
                                                                    java.lang.String oldCred,
                                                                    java.lang.String newCred)
                                                             throws AuthenticationException

Description copied from interface: IAdmin

Used after an ExpiredCredentialException instance is thrown. Does not require

Specified by:

changeExpiredCredentials in interface IAdmin

Throws:

AuthenticationException

changePassword

@Transactional(readOnly=false)
public void changePassword(java.lang.String newPassword)

Description copied from interface: IAdmin

change the password for the current user.

Warning:This method requires the user to be authenticated with a password and not with a one-time session id. To avoid this problem, use IAdmin.changePasswordWithOldPassword(String, String).

Specified by:

changePassword in interface IAdmin

Parameters:

newPassword - Possibly null to allow logging in with no password.

See Also:

ticket:911, ticket:3201

changePasswordWithOldPassword

@Transactional(readOnly=false)
public void changePasswordWithOldPassword(java.lang.String oldPassword,
                                                                         java.lang.String newPassword)

Description copied from interface: IAdmin

change the password for the current user by passing the old password.

Specified by:

changePasswordWithOldPassword in interface IAdmin

Parameters:

oldPassword - Not-null. Must pass validation in the security sub-system.

newPassword - Possibly null to allow logging in with no password.

changeUserPassword

@Transactional(readOnly=false)
public void changeUserPassword(java.lang.String user,
                                                              java.lang.String newPassword)

Description copied from interface: IAdmin

change the password for the a given user.

Specified by:

changeUserPassword in interface IAdmin

newPassword - Not-null. Might must pass validation in the security sub-system.

checkPassword

public boolean checkPassword(java.lang.String name,
                             java.lang.String password,
                             boolean readOnly)

If ldap plugin turned, creates Ldap accounts and authentication by LDAP available.

Specified by:

checkPassword in interface LocalAdmin

Parameters:

name - the name of a user

password - the user's password

readOnly - if the password check should be transactionally read-only

Returns:

if the user's password is correct

See Also:

Trac ticket #4626

getAdminsWithPrivileges

public java.util.List<Experimenter> getAdminsWithPrivileges(java.util.List<AdminPrivilege> privileges)

Description copied from interface: IAdmin

Gets the administrators who have all the given privileges. Consistent with the results from IAdmin.getAdminPrivileges(Experimenter).

Specified by:

getAdminsWithPrivileges in interface IAdmin

Parameters:

privileges - the required privileges

Returns:

the light administrators who have those privileges

getCurrentAdminPrivileges

public java.util.List<AdminPrivilege> getCurrentAdminPrivileges()

Description copied from interface: IAdmin

Gets the light administrator privileges for the current user.

Specified by:

getCurrentAdminPrivileges in interface IAdmin

Returns:

the current user's light administrator privileges

getAdminPrivileges

public java.util.List<AdminPrivilege> getAdminPrivileges(Experimenter user)

Description copied from interface: IAdmin

Gets the light administrator privileges for the given user.

Specified by:

getAdminPrivileges in interface IAdmin

Parameters:

user - the user whose privileges are being queried

Returns:

the user's light administrator privileges

setAdminPrivileges

@Transactional(readOnly=false)
public void setAdminPrivileges(Experimenter user,
                                                              java.util.List<AdminPrivilege> privileges)

Description copied from interface: IAdmin

Sets the set of light administrator privileges for the given user.

Specified by:

setAdminPrivileges in interface IAdmin

Parameters:

user - the user whose privileges are to be set

privileges - the privileges to set for the user

getSecurityRoles

public Roles getSecurityRoles()

Description copied from interface: IAdmin

returns the active Roles in use by the server.

Specified by:

getSecurityRoles in interface IAdmin

Returns:

Non-null, immutable Roles instance.

getEventContext

public EventContext getEventContext()

Description copied from interface: IAdmin

returns an implementation of EventContext loaded with the security for the current user and thread. If called remotely, not all values of EventContext will be sensible.

Specified by:

getEventContext in interface IAdmin

Returns:

Non-null, immutable EventContext instance

getEventContextQuiet

public EventContext getEventContextQuiet()

Description copied from interface: LocalAdmin

Like IAdmin.getEventContext() but will not reload the context. This also has the result that values from the current call context will be applied as simply the session context.

Specified by:

getEventContextQuiet in interface LocalAdmin

Returns:

the current event context

assertManaged

protected void assertManaged(IObject o)