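/*
 * Copyright 2005 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.wamblee.photos.authorizationrules;

import java.util.Set;

import org.wamblee.persistence.AbstractPersistent;
import org.wamblee.photos.model.PhotoEntry;
import org.wamblee.security.authorization.AuthorizationResult;
import org.wamblee.security.authorization.AuthorizationRule;
import org.wamblee.security.authorization.Operation;
import org.wamblee.security.authorization.ReadOperation;
import org.wamblee.usermgt.Group;
import org.wamblee.usermgt.User;

/**
 * Authorization rule for photos. A user has access to all albums owned by his own group.
 *
 * <p>Ownership is derived from the entry path: an entry belongs to a group when its path is
 * exactly <code>/&lt;group name&gt;</code> or lies below <code>/&lt;group name&gt;/</code>.
 * The root entry <code>/</code> is readable by every user.
 */
public class PhotoAuthorizationRule extends AbstractPersistent implements AuthorizationRule {

    /**
     * Constructs the authorization rule.
     */
    public PhotoAuthorizationRule() {
        // Empty.
    }

    /**
     * Returns the resource types this rule can decide on, which is {@link PhotoEntry} only.
     *
     * @see org.wamblee.security.authorization.AuthorizationRule#getSupportedTypes()
     */
    public Class[] getSupportedTypes() {
        return new Class[] { PhotoEntry.class };
    }

    /**
     * Decides whether a user may perform an operation on a photo entry.
     *
     * @param aResource   Resource to check; anything other than a {@link PhotoEntry} is reported
     *                    as unsupported.
     * @param anOperation Operation being attempted. It only matters for the root entry, where
     *                    {@link ReadOperation}s are granted to everyone.
     * @param aUser       User whose group memberships are checked.
     * @return {@link AuthorizationResult#UNSUPPORTED_RESOURCE} for non-photo resources,
     *         {@link AuthorizationResult#GRANTED} for reads of the root entry and for any
     *         operation on an entry inside an album of one of the user's groups, and
     *         {@link AuthorizationResult#DENIED} otherwise.
     * @see org.wamblee.security.authorization.AuthorizationRule#isAllowed(java.lang.Object,
     *      org.wamblee.security.authorization.Operation, org.wamblee.usermgt.User)
     */
    public AuthorizationResult isAllowed(Object aResource, Operation anOperation, User aUser) {
        if (!(aResource instanceof PhotoEntry)) {
            return AuthorizationResult.UNSUPPORTED_RESOURCE;
        }

        // NOTE(review): the decision is purely path based, so it assumes PhotoEntry.getPath()
        // returns an absolute, normalized path (no ".." segments) -- confirm against PhotoEntry.
        String path = getResourcePath(aResource);
        if (path.equals("/") && anOperation instanceof ReadOperation) {
            return AuthorizationResult.GRANTED;
        }

        // Typed so the for-each below compiles; presumably getGroups() yields Group elements.
        Set<Group> groups = aUser.getGroups();
        for (Group group : groups) {
            if (isWithinGroupAlbum(path, group.getName())) {
                return AuthorizationResult.GRANTED;
            }
        }

        // Fail closed: no group of the user owns this path.
        return AuthorizationResult.DENIED;
    }

    /**
     * Checks whether a path is the album root of a group or lies below it.
     *
     * <p>The comparison is done on whole path segments. A plain prefix test on
     * <code>"/" + name</code> would also accept sibling albums whose name merely starts with the
     * group name (group <code>family</code> versus album <code>/family2</code>), and would
     * accept every path for a group with an empty name.
     */
    private static boolean isWithinGroupAlbum(String aPath, String aGroupName) {
        // An empty or missing name would otherwise yield the album root "/" (or "/null").
        if (aGroupName == null || aGroupName.length() == 0) {
            return false;
        }
        String albumRoot = "/" + aGroupName;
        return aPath.equals(albumRoot) || aPath.startsWith(albumRoot + "/");
    }

    /**
     * Gets the resource path for a photo entry.
     */
    private String getResourcePath(Object aResource) {
        return ((PhotoEntry) aResource).getPath();
    }

    /**
     * Returns a fixed textual representation of this rule.
     *
     * @see java.lang.Object#toString()
     */
    @Override
    public String toString() {
        return "PhotoAuthorizationRule()";
    }
}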