SettingResource.java

package org.exoplatform.settings.rest;

import io.swagger.annotations.*;
import org.apache.commons.lang.StringUtils;
import org.exoplatform.commons.api.settings.SettingService;
import org.exoplatform.commons.api.settings.SettingValue;
import org.exoplatform.commons.api.settings.data.Context;
import org.exoplatform.commons.api.settings.data.Scope;
import org.exoplatform.portal.config.UserACL;
import org.exoplatform.services.rest.resource.ResourceContainer;
import org.exoplatform.services.security.ConversationState;

import javax.annotation.security.RolesAllowed;
import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@Path("/v1/settings")
@Api(tags = "/v1/settings", value = "/v1/settings", description = "Managing settings")
public class SettingResource implements ResourceContainer {

  private SettingService settingService;

  private UserACL userACL;

  public SettingResource(SettingService settingService, UserACL userACL) {
    this.settingService = settingService;
    this.userACL = userACL;
  }

  @Path("/{context}/{scope}/{settingKey}")
  @GET
  @Produces(MediaType.APPLICATION_JSON)
  @RolesAllowed("users")
  @ApiOperation(value = "Gets a specific setting value",
          httpMethod = "GET",
          response = Response.class,
          notes = "This returns the requested setting value in the following cases: <br/><ul><li>the authenticated user is the super user</li><li>the requested setting is a setting of the authenticated user (Context=USER)</li></ul>")
  @ApiResponses(value = {
          @ApiResponse(code = 200, message = "Request fulfilled"),
          @ApiResponse (code = 400, message = "Invalid query input"),
          @ApiResponse (code = 401, message = "User does not have permissions to get it"),
          @ApiResponse (code = 404, message = "Setting does not exist"),
          @ApiResponse (code = 500, message = "Internal server error")})
  public Response getSetting(@ApiParam(value = "Context - Format 'contextName,contextId' where 'contextId' is optional. Example: GLOBAL or USER,john", required = true) @PathParam("context") String contextParams,
                             @ApiParam(value = "Scope - Format 'scopeName,scopeId' where 'scopeId' is optional. Example: GLOBAL or APPLICATION,wiki or SPACE,marketing", required = true) @PathParam("scope") String scopeParams,
                             @ApiParam(value = "Setting key", required = true) @PathParam("settingKey") String settingKey) {
    if(StringUtils.isEmpty(contextParams) || StringUtils.isEmpty(scopeParams) || StringUtils.isEmpty(settingKey)) {
      return Response.status(Response.Status.BAD_REQUEST).entity("Context, scope and setting key are mandatory").build();
    }

    Context context = extractContext(contextParams);

    // only the user can get its own settings
    if (!hasPermissions(context)) {
      return Response.status(Response.Status.UNAUTHORIZED).build();
    }

    Scope scope = extractScope(scopeParams);

    SettingValue<?> settingValue = settingService.get(context, scope, settingKey);

    if(settingValue == null) {
      return Response.status(Response.Status.NOT_FOUND).build();
    }

    SettingEntity settingEntity = new SettingEntity(context, scope, settingKey, settingValue.getValue().toString());

    return Response.ok(settingEntity, MediaType.APPLICATION_JSON).build();
  }

  @Path("/{context}/{scope}/{settingKey}")
  @PUT
  @Consumes(MediaType.APPLICATION_JSON)
  @RolesAllowed("users")
  @ApiOperation(value = "Sets a specific setting value",
          httpMethod = "PUT",
          response = Response.class,
          notes = "This creates or updates the given setting value in the following cases: <br/><ul><li>the authenticated user is the super user</li><li>the given setting is a setting of the authenticated user (Context=USER)</li></ul>")
  @ApiResponses(value = {
          @ApiResponse(code = 200, message = "Request fulfilled"),
          @ApiResponse (code = 400, message = "Invalid query input"),
          @ApiResponse (code = 401, message = "User does not have permissions to update it"),
          @ApiResponse (code = 500, message = "Internal server error")})
  public Response setSetting(@ApiParam(value = "Context - Format 'contextName,contextId' where 'contextId' is optional. Example: GLOBAL or USER,john", required = true) @PathParam("context") String contextParams,
                             @ApiParam(value = "Scope - Format 'scopeName,scopeId' where 'scopeId' is optional. Example: GLOBAL or APPLICATION,wiki or SPACE,marketing", required = true) @PathParam("scope") String scopeParams,
                             @ApiParam(value = "Setting key", required = true) @PathParam("settingKey") String settingKey,
                             @ApiParam(value = "Setting value", required = true) SettingValueEntity settingValue) {
    if(StringUtils.isEmpty(contextParams) || StringUtils.isEmpty(scopeParams) || StringUtils.isEmpty(settingKey) || settingValue == null) {
      return Response.status(Response.Status.BAD_REQUEST).entity("Context, scope and setting key and value are mandatory").build();
    }

    Context context = extractContext(contextParams);

    // only the user can update its own settings
    if (!hasPermissions(context)) {
      return Response.status(Response.Status.UNAUTHORIZED).build();
    }

    Scope scope = extractScope(scopeParams);

    settingService.set(context, scope, settingKey, SettingValue.create(settingValue.getValue()));

    return Response.ok().build();
  }

  /**
   * Check if user has permissions to read/write settings.
   * An user can read/write its own settings only.
   * The super user can do anything.
   * @param context The context of the setting
   * @return true if the operation is authorized for the current user
   */
  private boolean hasPermissions(Context context) {
    String currentUser = ConversationState.getCurrent().getIdentity().getUserId();
    if(currentUser != null) {
      return (context.getName().toUpperCase().equals(Context.USER.getName())
              && (context.getId() == null || currentUser.equals(context.getId())))
                || (currentUser.equals(userACL.getSuperUser()));
    }
    return false;
  }

  /**
   * Extract Scope object from REST input param. The input param has the following pattern : {scopeName},{scopeId}
   * The scopeId is optional.
   * Examples :
   * * APPLICATION,wiki
   * * SPACE,marketing
   * * GLOBAL
   * @param scopeParams REST input param for scope
   * @return The Scope object
   */
  private Scope extractScope(String scopeParams) {
    String scopeName = scopeParams;
    String scopeId = null;
    int scopeIndex = scopeParams.indexOf(",");
    if(scopeIndex > 0) {
      scopeName = scopeParams.substring(0, scopeIndex);
      scopeId = scopeParams.substring(scopeIndex + 1);
    }
    return new Scope(scopeName, scopeId);
  }

  /**
   * Extract Context object from REST input param. The input param has the following pattern : {contextName},{contextId}
   * The contextId is optional.
   * Examples :
   * * USER,john
   * * GLOBAL
   * @param contextParams REST input param for context
   * @return The Context object
   */
  private Context extractContext(String contextParams) {
    String contextName = contextParams;
    String contextId = null;
    int contextIndex = contextParams.indexOf(",");
    if(contextIndex > 0) {
      contextName = contextParams.substring(0, contextIndex);
      contextId = contextParams.substring(contextIndex + 1);
    }
    if(contextName.equals("GLOBAL")) {
      return Context.GLOBAL;
    }
    return new Context(contextName, contextId);
  }
}