Can check string-based roles
[lgpl/argeo-commons.git] / org.argeo.cms / src / org / argeo / cms / auth / SystemRole.java
index 9c686a6c6016b2b0328b0b34156fc1063e4f66ee..5d62d9803f08a3eb033cd929949c505bab92f679 100644 (file)
@@ -5,22 +5,31 @@ import java.util.Set;
 import javax.security.auth.Subject;
 import javax.xml.namespace.QName;
 
+import org.argeo.api.cms.CmsConstants;
 import org.argeo.cms.internal.auth.ImpliedByPrincipal;
 
 public interface SystemRole {
        QName getName();
 
        default boolean implied(Subject subject, String context) {
+               return implied(getName(), subject, context);
+       }
+
+       static boolean implied(QName name, Subject subject, String context) {
                Set<ImpliedByPrincipal> roles = subject.getPrincipals(ImpliedByPrincipal.class);
                for (ImpliedByPrincipal role : roles) {
                        if (role.isSystemRole()) {
-                               if (role.getRoleName().equals(getName())) {
-                                       if (role.getContext().equalsIgnoreCase(context))
+                               if (role.getRoleName().equals(name)) {
+                                       // !! if context is not specified, it is considered irrelevant
+                                       if (context == null)
+                                               return true;
+                                       if (role.getContext().equalsIgnoreCase(context)
+                                                       || role.getContext().equals(CmsConstants.NODE_BASEDN))
                                                return true;
                                }
                        }
                }
                return false;
-       }
 
+       }
 }
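Review bot: The `if (context == null) return true;` branch in the new static `implied(QName, Subject, String)` fails open. A caller whose context lookup unintentionally yields null is now granted the role in every context, whereas the removed code returned false for that input, since `equalsIgnoreCase(null)` is false. Consider keeping `implied` strict and exposing the any-context check as a separately named method, or at minimum state the contract in Javadoc on both methods, e.g. `@param context the context to match; {@code null} matches the role in any context`. The added `role.getContext().equals(CmsConstants.NODE_BASEDN)` is also case-sensitive while the comparison next to it uses `equalsIgnoreCase`. If contexts are meant to compare case-insensitively (the value of `NODE_BASEDN` is not visible here), `role.getContext().equalsIgnoreCase(CmsConstants.NODE_BASEDN)` would be consistent, and a short comment should explain why a role held in that context implies the role everywhere.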