MID-4814 OrgTree autz "move" and "make root"

# Conflicts:
#	gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/util/WebComponentUtil.java

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/orgs/AbstractOrgTabPanel.java

@@ -18,6 +18,7 @@
 import java.util.ArrayList;
 import java.util.List;
 
+import com.evolveum.midpoint.prism.query.ObjectFilter;
 import com.evolveum.midpoint.web.component.util.SelectableBean;
 import org.apache.wicket.ajax.AjaxEventBehavior;
 import org.apache.wicket.ajax.AjaxRequestTarget;
@@ -56,6 +57,7 @@ public abstract class AbstractOrgTabPanel extends BasePanel {
 
     private static final String DOT_CLASS = OrgTreeAssignablePanel.class.getName() + ".";
     private static final String OPERATION_LOAD_ORG_UNIT = DOT_CLASS + "loadOrgUnit";
+    private static final String OPERATION_LOAD_ASSIGNABLE_ITEMS = DOT_CLASS + "loadAssignableOrgs";
 
     private String ID_TABS = "tabs";
     private List<PrismObject<OrgType>> roots;
@@ -169,6 +171,10 @@ private List<PrismObject<OrgType>> loadOrgRoots() {
         List<PrismObject<OrgType>> list = new ArrayList<>();
         try {
             ObjectQuery query = ObjectQueryUtil.createRootOrgQuery(getPageBase().getPrismContext());
+            ObjectFilter assignableItemsFilter = getAssignableItemsFilter();
+            if (assignableItemsFilter != null){
+                query.addFilter(assignableItemsFilter);
+            }
             list = getPageBase().getModelService().searchObjects(OrgType.class, query, null, task, result);
             // Sort org roots by displayOrder, if not set push the org to the end
             list.sort((o1, o2) -> (o1.getRealValue().getDisplayOrder() == null ? Integer.MAX_VALUE : o1.getRealValue().getDisplayOrder())
@@ -190,6 +196,10 @@ private List<PrismObject<OrgType>> loadOrgRoots() {
         return list;
     }
 
+    protected ObjectFilter getAssignableItemsFilter(){
+        return null;
+    }
+
     protected boolean isWarnMessageVisible(){
         return true;
     }

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/orgs/OrgTreeAssignablePanel.java

@@ -18,6 +18,11 @@
 import java.util.ArrayList;
 import java.util.List;
 
+import com.evolveum.midpoint.gui.api.util.WebComponentUtil;
+import com.evolveum.midpoint.prism.query.ObjectFilter;
+import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.task.api.Task;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
 import org.apache.wicket.Component;
 import org.apache.wicket.ajax.AjaxRequestTarget;
 import org.apache.wicket.markup.html.panel.Panel;
@@ -43,6 +48,7 @@ public class OrgTreeAssignablePanel extends BasePanel<OrgType> implements Popupa
 	public static final String PARAM_ORG_RETURN = "org";
 
 	private static final String DOT_CLASS = OrgTreeAssignablePanel.class.getName() + ".";
+	private static final String OPERATION_LOAD_ASSIGNABLE_ITEMS = DOT_CLASS + "loadAssignableOrgs";
 
 	private static final String ID_ORG_TABS = "orgTabs";
 	private static final String ID_ASSIGN = "assign";
@@ -71,6 +77,11 @@ protected void selectTreeItemPerformed(SelectableBean<OrgType> selected,
 							AjaxRequestTarget target) {
 						onItemSelect(selected, target);
 					}
+
+					@Override
+					protected ObjectFilter getCustomFilter(){
+						return getAssignableItemsFilter();
+					}
 				};
 
 				panel.setOutputMarkupId(true);
@@ -82,6 +93,10 @@ protected boolean isWarnMessageVisible(){
 				return false;
 			}
 
+			@Override
+			protected ObjectFilter getAssignableItemsFilter(){
+				return OrgTreeAssignablePanel.this.getAssignableItemsFilter();
+			}
 		};
 
 		tabbedPanel.setOutputMarkupId(true);
@@ -125,6 +140,20 @@ protected void onItemSelect(SelectableBean<OrgType> selected, AjaxRequestTarget
 
 	}
 
+	private ObjectFilter getAssignableItemsFilter(){
+		if (getAssignmentOwnerObject() == null){
+			return null;
+		}
+		Task task = getPageBase().createSimpleTask(OPERATION_LOAD_ASSIGNABLE_ITEMS);
+		OperationResult result = task.getResult();
+		return WebComponentUtil.getAssignableRolesFilter(getAssignmentOwnerObject().asPrismObject(), OrgType.class,
+				result, task, getPageBase());
+	}
+
+	protected <F extends FocusType> F getAssignmentOwnerObject(){
+		return null;
+	}
+
 	@Override
 	public int getWidth() {
 		return 900;

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/orgs/OrgTreePanel.java

@@ -18,6 +18,7 @@
 import java.io.Serializable;
 import java.util.*;
 
+import com.evolveum.midpoint.prism.query.ObjectFilter;
 import com.evolveum.midpoint.web.page.admin.users.PageOrgTree;
 import com.evolveum.midpoint.web.session.OrgTreeStateStorage;
 import org.apache.commons.lang3.StringUtils;
@@ -145,6 +146,11 @@ private void initLayout(ModelServiceLocator serviceLocator) {
 			protected List<InlineMenuItem> createInlineMenuItems(OrgType org) {
 				return createTreeChildrenMenu(org);
 			}
+
+			@Override
+			protected ObjectFilter getCustomFilter(){
+				return OrgTreePanel.this.getCustomFilter();
+			}
 		};
 		List<IColumn<SelectableBean<OrgType>, String>> columns = new ArrayList<>();
 
@@ -261,6 +267,10 @@ protected void onModelChanged() {
 		treeContainer.add(tree);
 	}
 
+	protected ObjectFilter getCustomFilter(){
+		return null;
+	}
+
 	private static class TreeStateModel extends AbstractReadOnlyModel<Set<SelectableBean<OrgType>>> {
 		private static final long serialVersionUID = 1L;
 

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/users/component/OrgTreeProvider.java

@@ -21,6 +21,7 @@
 import com.evolveum.midpoint.gui.api.util.WebModelServiceUtils;
 import com.evolveum.midpoint.model.api.ModelService;
 import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.prism.query.ObjectFilter;
 import com.evolveum.midpoint.prism.query.ObjectQuery;
 import com.evolveum.midpoint.prism.query.builder.QueryBuilder;
 import com.evolveum.midpoint.schema.result.OperationResult;
@@ -112,6 +113,10 @@ public Iterator<? extends SelectableBean<OrgType>> getChildren(SelectableBean<Or
                         .isDirectChildOf(nodeOid)
                         .asc(ObjectType.F_NAME)
                         .build();
+                ObjectFilter customFilter = getCustomFilter();
+                if (customFilter != null){
+                    query.addFilter(customFilter);
+                }
                 Task task = getPageBase().createSimpleTask(LOAD_ORG_UNITS);
                 List<PrismObject<OrgType>> orgs = getModelService().searchObjects(OrgType.class, query, null, task, result);
                 LOGGER.debug("Found {} sub-orgs.", orgs.size());
@@ -138,6 +143,10 @@ public Iterator<? extends SelectableBean<OrgType>> getChildren(SelectableBean<Or
         return children.iterator();
     }
 
+    protected ObjectFilter getCustomFilter(){
+        return null;
+    }
+
     private SelectableBean<OrgType> createObjectWrapper(SelectableBean<OrgType> parent, PrismObject<OrgType> unit) {
         if (unit == null) {
             return null;

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/users/component/TreeTablePanel.java

@@ -146,20 +146,14 @@ private List<InlineMenuItem> createTreeMenu() {
 	private List<InlineMenuItem> createTreeChildrenMenu(OrgType org) {
 		List<InlineMenuItem> items = new ArrayList<>();
 		try {
-			boolean allowModify = org == null ||
-					// TODO: the modify authorization here is probably wrong.
-					// It is a model autz. UI autz should be here instead?
-					parentPage.isAuthorized(ModelAuthorizationAction.MODIFY.getUrl(),
-							AuthorizationPhaseType.REQUEST, org.asPrismObject(),
-							null, null, null);
 			boolean allowRead = org == null ||
 					// TODO: the authorization URI here is probably wrong.
 					// It is a model autz. UI autz should be here instead?
 					parentPage.isAuthorized(ModelAuthorizationAction.READ.getUrl(),
 							AuthorizationPhaseType.REQUEST, org.asPrismObject(),
 							null, null, null);
 			InlineMenuItem item;
-			if (allowModify) {
+			if (WebComponentUtil.isAuthorized(AuthorizationConstants.AUTZ_UI_ADMIN_ORG_MOVE_ACTION_URI)) {
 				item = new InlineMenuItem(createStringResource("TreeTablePanel.move"),
 						new ColumnMenuAction<SelectableBean<OrgType>>() {
 							private static final long serialVersionUID = 1L;
@@ -170,7 +164,8 @@ public void onClick(AjaxRequestTarget target) {
 							}
 						});
 				items.add(item);
-
+			}
+			if (WebComponentUtil.isAuthorized(AuthorizationConstants.AUTZ_UI_ADMIN_ORG_MAKE_ROOT_ACTION_URI)) {
 				item = new InlineMenuItem(createStringResource("TreeTablePanel.makeRoot"),
 						new ColumnMenuAction<SelectableBean<OrgType>>() {
 							private static final long serialVersionUID = 1L;
@@ -201,6 +196,12 @@ public void onClick(AjaxRequestTarget target) {
 						});
 				items.add(item);
 			}
+			boolean allowModify = org == null ||
+					// TODO: the modify authorization here is probably wrong.
+					// It is a model autz. UI autz should be here instead?
+					parentPage.isAuthorized(ModelAuthorizationAction.MODIFY.getUrl(),
+							AuthorizationPhaseType.REQUEST, org.asPrismObject(),
+							null, null, null);
 			if (allowModify) {
 				item = new InlineMenuItem(createStringResource("TreeTablePanel.recompute"),
 						new ColumnMenuAction<SelectableBean<OrgType>>() {
@@ -306,10 +307,6 @@ private void selectTreeItemPerformed(SelectableBean<OrgType> selected, AjaxReque
 	}
 
 	private void moveRootPerformed(SelectableBean<OrgType> root, AjaxRequestTarget target) {
-		if (root == null) {
-			root = getTreePanel().getRootFromProvider();
-		}
-
 		final SelectableBean<OrgType> orgToMove = root;
 
 		OrgTreeAssignablePanel orgAssignablePanel = new OrgTreeAssignablePanel(
@@ -320,6 +317,12 @@ private void moveRootPerformed(SelectableBean<OrgType> root, AjaxRequestTarget t
 			protected void onItemSelect(SelectableBean<OrgType> selected, AjaxRequestTarget target) {
 				moveConfirmPerformed(orgToMove, selected, target);
 			}
+
+			@Override
+			protected OrgType getAssignmentOwnerObject(){
+				return root.getValue();
+			}
+
 		};
 
 		parentPage.showMainPopup(orgAssignablePanel, target);

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/self/PageAssignmentShoppingKart.java

@@ -16,10 +16,12 @@
 package com.evolveum.midpoint.web.page.self;
 
 import com.evolveum.midpoint.gui.api.model.LoadableModel;
+import com.evolveum.midpoint.gui.api.util.WebComponentUtil;
 import com.evolveum.midpoint.model.api.ModelInteractionService;
 import com.evolveum.midpoint.model.api.RoleSelectionSpecification;
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.prism.query.*;
+import com.evolveum.midpoint.schema.constants.ObjectTypes;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.ObjectQueryUtil;
 import com.evolveum.midpoint.security.api.AuthorizationConstants;
@@ -513,25 +515,10 @@ private void addViewTypeFilter(ObjectQuery query) {
     }
 
     private ObjectFilter getAssignableRolesFilter() {
-        ObjectFilter filter = null;
-        LOGGER.debug("Loading roles which the current user has right to assign");
         Task task = createSimpleTask(OPERATION_LOAD_ASSIGNABLE_ROLES);
         OperationResult result = task.getResult();
-        try {
-            ModelInteractionService mis = getModelInteractionService();
-            RoleSelectionSpecification roleSpec =
-                    mis.getAssignableRoleSpecification(getTargetUser().asPrismObject(), task, result);
-            filter = roleSpec.getFilter();
-        } catch (Exception ex) {
-            LoggingUtils.logUnexpectedException(LOGGER, "Couldn't load available roles", ex);
-            result.recordFatalError("Couldn't load available roles", ex);
-        } finally {
-            result.recomputeStatus();
-        }
-        if (!result.isSuccess() && !result.isHandledError()) {
-            showResult(result);
-        }
-        return filter;
+        return WebComponentUtil.getAssignableRolesFilter(getTargetUser().asPrismObject(), AbstractRoleType.class,
+                result, task, PageAssignmentShoppingKart.this);
     }
 
     private ObjectQuery addOrgMembersFilter(String oid, ObjectQuery query) {

repo/security-api/src/main/java/com/evolveum/midpoint/security/api/AuthorizationConstants.java

@@ -437,7 +437,13 @@ public class AuthorizationConstants {
 	//ui authorization for CSV export button (will be applied everywhere over mp)
 	public static final QName AUTZ_UI_ADMIN_CSV_EXPORT_ACTION_QNAME = new QName(NS_AUTHORIZATION_UI, "adminCSVexport");
 	public static final String AUTZ_UI_ADMIN_CSV_EXPORT_ACTION_URI = QNameUtil.qNameToUri(AUTZ_UI_ADMIN_CSV_EXPORT_ACTION_QNAME);
-
+
+	public static final QName AUTZ_UI_ADMIN_ORG_MAKE_ROOT_ACTION_QNAME = new QName(NS_AUTHORIZATION_UI, "adminOrgMakeRoot");
+	public static final String AUTZ_UI_ADMIN_ORG_MAKE_ROOT_ACTION_URI = QNameUtil.qNameToUri(AUTZ_UI_ADMIN_ORG_MAKE_ROOT_ACTION_QNAME);
+
+	public static final QName AUTZ_UI_ADMIN_ORG_MOVE_ACTION_QNAME = new QName(NS_AUTHORIZATION_UI, "adminOrgMove");
+	public static final String AUTZ_UI_ADMIN_ORG_MOVE_ACTION_URI = QNameUtil.qNameToUri(AUTZ_UI_ADMIN_ORG_MOVE_ACTION_QNAME);
+
 	/**
 	 * Those are the items that midPoint logic controls directly. They have exception from execution-phase
 	 * authorization enforcement. Their modification in execution phase is always allowed. If it was not