Using the AuthzGroup Service

Information

This explains basic usage of the Sakai AuthzGroup Service. This service is used to find out things about Authz (permission) groups and the users who have those permissions.

Accessing the AuthzGroupService

  • You can use Spring Framework to inject the service or use the cover
  1. Using Spring to get the service for your class (e.g. YourAppClass) (recommended)
    1. Add the AuthzGroupService bean to the bean for YourAppClass
      <bean id="org.sakaiproject.yourapp.logic.YourAppClass"
      		class="org.sakaiproject.yourapp.logic.impl.YourAppClassImpl">
      	<property name="authzGroupService"
      		ref="org.sakaiproject.authz.api.AuthzGroupService" />
      </bean>
      
    2. Add a variable and setter to YourAppClass to use the service in like so:
      private AuthzGroupService authzGroupService;
      public void setAuthzGroupService(AuthzGroupService authzGroupService) {
      	this.authzGroupService = authzGroupService;
      }
      
  2. Using the Component Manager to get the service
    • Note: This is not the recommended method, you should be using Spring to inject the service
    1. Use the CM cover to get the service
      import org.sakaiproject.component.cover.ComponentManager;
      import org.sakaiproject.authz.api.AuthzGroupService;
      ...
        private AuthzGroupService authzGroupService;
      ...
          authzGroupService = (AuthzGroupService) ComponentManager.get(AuthzGroupService.class);
      

Getting the users associated with a site which have a specific permission

  • Use this to tie data to a specific use of a tool in an area (probably a site or a section)
  1. Use the ToolManager service to get the current context
    • Note: You could also retrieve the context in other ways, this is just the common one
  2. Use the SiteService to get the site reference from the context
    • Note: This could also be a group reference instead of a site reference (in theory)
  3. Create a Collection of the references and pass that to the AuthzGroupService to get the Set of userIds
    • Note: In this case, tool.permission is the permission you registered earlier with the FunctionManager
String currentContext = toolManager.getCurrentPlacement().getContext(); // (1)
String siteRef = siteService.siteReference(context); // (2)
java.util.List azGroups = new java.util.ArrayList(); // (3)
azGroups.add(siteRef);
java.util.Set userIds = authzGroupService.getUsersIsAllowed("tool.permission", azGroups);

Getting the list of sites that a user has a specific permission in

  1. Use the AuthzGroupService to get the set of Ids related to a permission (tool.permission)
  2. Iterate through the Set of Ids
  3. Use the EntityManager to convert the authzGroupIds to Reference objects and then test if the type of object is a site
  4. Get the siteId or context from the Reference or use the SiteService to convert the siteId into a Site object
  5. Get the groupId from the Reference or use the SiteService to get the Group object
java.util.Set authzGroupIds = authzGroupService.getAuthzGroupsIsAllowed(userId, "tool.permission", null); // (1)
java.util.Iterator it = authzGroupIds.iterator(); // (2)
while (it.hasNext()) {
   String authzGroupId = (String) it.next();
   Reference r = entityManager.newReference(authzGroupId); // (3)
   if(r.isKnownType()) {
      if(r.getType().equals(SiteService.APPLICATION_ID)) { // (4)
         // do something since this is a site
         String siteId = r.getId();
         String context = r.getId();
         try {
            Site site = siteService.getSite(siteId);
         } catch (IdUnusedException e) {
            // invalid site Id returned
            throw new RuntimeException("Could not get site from siteId:" + siteId);
         }
      } else if (r.getType().equals(SiteService.GROUP_SUBTYPE)) { // (5)
         // do something since this is a site group
         String groupId = r.getId();
         String context = r.getId();
         Group group = siteService.findGroup(groupId);
         if (group != null) {
            // found a valid group so do something
         }
      }
   }
}
  • Note: The Group is a subgroup within a Site

Setting the permissions for the !site.template (or any template)

  • Note: You have to be careful with this because it will overwrite the current permissions that the user has setup
  1. Setup a constant for the site template string
  2. Use the AuthzGroupService to get the AuthzGroup for SITE_TEMPLATE
  3. Use the AuthzGroupService to check if ag can be updated
  4. Use the AuthzGroup to set the maintain role to have the permission for the tool and the AuthzGroupService to save the group
  5. Log warnings and handle exceptions
private final static String SITE_TEMPLATE = "!site.template"; // (1)
try {
   AuthzGroup ag = authzGroupService.getAuthzGroup(SITE_TEMPLATE); // (2)
   if (authzGroupService.allowUpdate(ag.getId())) { // (3)
      Role r = ag.getRole(ag.getMaintainRole()); // (4)
      r.allowFunction("tool.permission");
      authzGroupService.save(ag);
      log.info("Added Permissions to group:" + SITE_TEMPLATE);
   } else { // (5)
      log.warn("Cannot update authz group: " + SITE_TEMPLATE);
   }
} catch (GroupNotDefinedException e) {
   log.error("Could not find group: " + SITE_TEMPLATE + ", default perms will not be assigned");
} catch (AuthzPermissionException e) {
   log.error("Could not save group: " + SITE_TEMPLATE);
}