Using the AuthzGroup Service

Information

This explains basic usage of the Sakai AuthzGroup Service. This service is used to find out things about Authz (permission) groups and the users who have those permissions.

Trunk javadocs:
- AuthzGroupService : http://nightly2.sakaiproject.org/javadoc/org/sakaiproject/authz/api/AuthzGroupService.html
- AuthzGroup: http://nightly2.sakaiproject.org/javadoc/org/sakaiproject/authz/api/AuthzGroup.html
Trunk source location: https://source.sakaiproject.org/svn/authz/trunk/

Accessing the AuthzGroupService

You can use Spring Framework to inject the service or use the cover

Using Spring to get the service for your class (e.g. YourAppClass) (recommended)
1. Add the AuthzGroupService bean to the bean for YourAppClass
  <bean id="org.sakaiproject.yourapp.logic.YourAppClass" class="org.sakaiproject.yourapp.logic.impl.YourAppClassImpl"> <property name="authzGroupService" ref="org.sakaiproject.authz.api.AuthzGroupService" /> </bean>
2. Add a variable and setter to YourAppClass to use the service in like so:
  private AuthzGroupService authzGroupService; public void setAuthzGroupService(AuthzGroupService authzGroupService) { this.authzGroupService = authzGroupService; }
Using the Component Manager to get the service
- Note: This is not the recommended method, you should be using Spring to inject the service
1. Use the CM cover to get the service
  import org.sakaiproject.component.cover.ComponentManager; import org.sakaiproject.authz.api.AuthzGroupService; ... private AuthzGroupService authzGroupService; ... authzGroupService = (AuthzGroupService) ComponentManager.get(AuthzGroupService.class);

Getting the users associated with a site which have a specific permission

Use this to tie data to a specific use of a tool in an area (probably a site or a section)

Use the ToolManager service to get the current context
- Note: You could also retrieve the context in other ways, this is just the common one
Use the SiteService to get the site reference from the context
- Note: This could also be a group reference instead of a site reference (in theory)
Create a Collection of the references and pass that to the AuthzGroupService to get the Set of userIds
- Note: In this case, tool.permission is the permission you registered earlier with the FunctionManager


String currentContext = toolManager.getCurrentPlacement().getContext(); // (1)
String siteRef = siteService.siteReference(context); // (2)
java.util.List azGroups = new java.util.ArrayList(); // (3)
azGroups.add(siteRef);
java.util.Set userIds = authzGroupService.getUsersIsAllowed("tool.permission", azGroups);

Getting the list of sites that a user has a specific permission in

Use the AuthzGroupService to get the set of Ids related to a permission (tool.permission)
Iterate through the Set of Ids
Use the EntityManager to convert the authzGroupIds to Reference objects and then test if the type of object is a site
Get the siteId or context from the Reference or use the SiteService to convert the siteId into a Site object
Get the groupId from the Reference or use the SiteService to get the Group object


java.util.Set authzGroupIds = authzGroupService.getAuthzGroupsIsAllowed(userId, "tool.permission", null); // (1)
java.util.Iterator it = authzGroupIds.iterator(); // (2)
while (it.hasNext()) {
   String authzGroupId = (String) it.next();
   Reference r = entityManager.newReference(authzGroupId); // (3)
   if(r.isKnownType()) {
      if(r.getType().equals(SiteService.APPLICATION_ID)) { // (4)
         // do something since this is a site
         String siteId = r.getId();
         String context = r.getId();
         try {
            Site site = siteService.getSite(siteId);
         } catch (IdUnusedException e) {
            // invalid site Id returned
            throw new RuntimeException("Could not get site from siteId:" + siteId);
         }
      } else if (r.getType().equals(SiteService.GROUP_SUBTYPE)) { // (5)
         // do something since this is a site group
         String groupId = r.getId();
         String context = r.getId();
         Group group = siteService.findGroup(groupId);
         if (group != null) {
            // found a valid group so do something
         }
      }
   }
}

Note: The Group is a subgroup within a Site

Setting the permissions for the !site.template (or any template)

Note: You have to be careful with this because it will overwrite the current permissions that the user has setup

Setup a constant for the site template string
Use the AuthzGroupService to get the AuthzGroup for SITE_TEMPLATE
Use the AuthzGroupService to check if ag can be updated
Use the AuthzGroup to set the maintain role to have the permission for the tool and the AuthzGroupService to save the group
Log warnings and handle exceptions


private final static String SITE_TEMPLATE = "!site.template"; // (1)
try {
   AuthzGroup ag = authzGroupService.getAuthzGroup(SITE_TEMPLATE); // (2)
   if (authzGroupService.allowUpdate(ag.getId())) { // (3)
      Role r = ag.getRole(ag.getMaintainRole()); // (4)
      r.allowFunction("tool.permission");
      authzGroupService.save(ag);
      log.info("Added Permissions to group:" + SITE_TEMPLATE);
   } else { // (5)
      log.warn("Cannot update authz group: " + SITE_TEMPLATE);
   }
} catch (GroupNotDefinedException e) {
   log.error("Could not find group: " + SITE_TEMPLATE + ", default perms will not be assigned");
} catch (AuthzPermissionException e) {
   log.error("Could not save group: " + SITE_TEMPLATE);
}