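/*
 * Copyright 2005 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.wamblee.photos.security;

import java.util.List;

import javax.inject.Inject;
import javax.persistence.DiscriminatorValue;
import javax.persistence.Entity;
import javax.persistence.PostLoad;
import javax.persistence.Transient;

import org.wamblee.inject.InjectorBuilder;
import org.wamblee.photos.model.PhotoEntry;
import org.wamblee.security.authentication.UserAdministration;
import org.wamblee.security.authorization.AuthorizationResult;
import org.wamblee.security.authorization.Operation;
import org.wamblee.security.authorization.ReadOperation;
import org.wamblee.security.authorization.UrlAuthorizationRule;
import org.wamblee.security.authorization.UserCondition;

/**
 * Authorization rule for photos.
 * <p>
 * The album root <code>"/"</code> is readable by any caller. Every other path
 * is granted only to users that belong to a group owning that subtree: a
 * {@link PhotoEntry} whose path is <code>"/&lt;group&gt;"</code> or lies below
 * <code>"/&lt;group&gt;/"</code> is accessible (for any operation) to members
 * of <code>&lt;group&gt;</code>. Anything else is denied, and non-photo
 * resources are reported as unsupported so other rules can decide.
 * <p>
 * The {@link UserAdministration} used for the group lookup is injected after
 * the entity is loaded (see {@link #init()}); the rule fails closed with an
 * exception if it is missing.
 */
@Entity
@DiscriminatorValue("PHOTOS")
public class PhotoAuthorizationRule extends UrlAuthorizationRule {

    /** Separator between path segments of a photo entry path. */
    private static final String PATH_SEPARATOR = "/";

    /**
     * Source of group membership for the user being authorized. Transient
     * because it is a service, not persistent state; filled in by
     * {@link #init()}.
     */
    @Inject
    @Transient
    private UserAdministration userAdmin;

    /**
     * Constructs the authorization rule. Required by JPA.
     */
    public PhotoAuthorizationRule() {
        // Empty.
    }

    /**
     * Constructs the rule for a given user condition.
     *
     * @param aUserCondition Condition on the user this rule applies to.
     */
    public PhotoAuthorizationRule(UserCondition aUserCondition) {
        super(AuthorizationResult.GRANTED, aUserCondition, null,
            PhotoEntry.class, null);
    }

    /**
     * Performs dependency injection once JPA has loaded this entity, since
     * JPA instantiates entities without going through the injector.
     */
    @PostLoad
    public void init() {
        InjectorBuilder.getInjector().inject(this);
    }

    /*
     * (non-Javadoc)
     *
     * @see
     * org.wamblee.security.authorization.AuthorizationRule#getSupportedTypes()
     */
    public Class<?>[] getSupportedTypes() {
        return new Class<?>[] { PhotoEntry.class };
    }

    /*
     * (non-Javadoc)
     *
     * @see
     * org.wamblee.security.authorization.AuthorizationRule#isAllowed(java.lang
     * .Object, org.wamblee.security.authorization.Operation,
     * org.wamblee.usermgt.User)
     */
    public AuthorizationResult isAllowed(Object aResource,
        Operation anOperation, String aUser) {
        if (!(aResource instanceof PhotoEntry)) {
            return AuthorizationResult.UNSUPPORTED_RESOURCE;
        }

        String path = getResourcePath(aResource);
        if (path == null) {
            // An entry without a path cannot be matched against any group
            // subtree; deny instead of failing with a NullPointerException.
            return AuthorizationResult.DENIED;
        }

        // The album root is readable by everyone; any other operation on it
        // falls through to the group check.
        if (path.equals(PATH_SEPARATOR) && anOperation instanceof ReadOperation) {
            return AuthorizationResult.GRANTED;
        }

        if (userAdmin == null) {
            // Fail closed: without group information no access decision can be
            // made. This happens when the rule was constructed directly and
            // init() never ran.
            throw new IllegalStateException(
                "No UserAdministration injected into PhotoAuthorizationRule; "
                    + "was init() invoked?");
        }

        List<String> groups = userAdmin.getGroups(aUser);
        if (groups == null) {
            return AuthorizationResult.DENIED;
        }
        for (String group : groups) {
            if (isWithinGroupAlbum(path, group)) {
                return AuthorizationResult.GRANTED;
            }
        }
        return AuthorizationResult.DENIED;
    }

    /**
     * Checks whether a path lies inside the album subtree owned by a group,
     * i.e. it equals <code>"/group"</code> or starts with
     * <code>"/group/"</code>.
     * <p>
     * The match is done on whole path segments. A plain
     * <code>startsWith("/" + group)</code> would also accept
     * <code>"/groupfoo/..."</code>, letting members of <code>group</code>
     * reach the albums of any group whose name merely begins with theirs.
     * A group with an empty name would map to the root and is never matched.
     *
     * @param aPath Resource path, must not be null.
     * @param aGroup Group name; null or empty never matches.
     * @return True iff the path is within the group's album subtree.
     */
    private static boolean isWithinGroupAlbum(String aPath, String aGroup) {
        if (aGroup == null || aGroup.isEmpty()) {
            return false;
        }
        String groupRoot = PATH_SEPARATOR + aGroup;
        return aPath.equals(groupRoot)
            || aPath.startsWith(groupRoot + PATH_SEPARATOR);
    }

    /**
     * Gets the resource path for a photo entry.
     *
     * @param aResource Resource, must be a {@link PhotoEntry}.
     * @return Path of the entry as reported by {@link PhotoEntry#getPath()}.
     */
    protected String getResourcePath(Object aResource) {
        return ((PhotoEntry) aResource).getPath();
    }

    /*
     * (non-Javadoc)
     *
     * @see java.lang.Object#toString()
     */
    @Override
    public String toString() {
        return "PhotoAuthorizationRule()";
    }
}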