From dc7cf591c44af4f5b81c2d2eaa1f96f5358c0425 Mon Sep 17 00:00:00 2001
From: Brian Leathem
Date: Fri, 18 Mar 2011 19:47:21 -0700
Subject: [PATCH] SEAMFACES-33 Added a system event listener to enforce @ViewConfig view restrictions
---
.../security/ViewMetaRestrictEnforcer.java | 53 +++++++++++++++++++
1 file changed, 53 insertions(+)
create mode 100644 impl/src/main/java/org/jboss/seam/faces/security/ViewMetaRestrictEnforcer.java
diff --git a/impl/src/main/java/org/jboss/seam/faces/security/ViewMetaRestrictEnforcer.java b/impl/src/main/java/org/jboss/seam/faces/security/ViewMetaRestrictEnforcer.java
new file mode 100644
index 0000000..76e22f7
--- /dev/null
+++ b/impl/src/main/java/org/jboss/seam/faces/security/ViewMetaRestrictEnforcer.java
@@ -0,0 +1,53 @@
+/*
+ * To change this template, choose Tools | Templates
+ * and open the template in the editor.
+ */
+
+package org.jboss.seam.faces.security;
+
+import javax.enterprise.event.Observes;
+import javax.faces.event.AbortProcessingException;
+import javax.faces.event.PostConstructViewMapEvent;
+import javax.inject.Inject;
+import org.jboss.logging.Logger;
+import org.jboss.seam.faces.transaction.TransactionPhaseListener;
+import org.jboss.seam.faces.viewmeta.ViewMetaStore;
+import org.jboss.seam.solder.el.Expressions;
+
+/**
+ *
+ * @author bleathem
+ */
+public class ViewMetaRestrictEnforcer
+{
+ private static final Logger log = Logger.getLogger(TransactionPhaseListener.class);
+
+ @Inject
+ private ViewMetaStore metaStore;
+ @Inject
+ private Expressions expressions;
+
+ public void enforce (@Observes PostConstructViewMapEvent event)
+ {
+ log.info("PostConstructViewMapEvent");
+ Restrict annotation = metaStore.getDataForCurrentViewId(Restrict.class);
+ if (annotation == null)
+ {
+ log.info("Annotation is null");
+ return;
+ }
+ log.info("Evaluating Annotation");
+ String el = annotation.value();
+ Boolean allowed = expressions.evaluateMethodExpression(el, Boolean.class);
+ if (allowed)
+ {
+ log.info("Access allowed");
+ return;
+ }
+ else
+ {
+ log.info("Access denied");
+ throw new AbortProcessingException("Access denied");
+ }
+ }
+}
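Review bot: The deny branch at the end of `enforce` relies on `throw new AbortProcessingException("Access denied")`, but as I read the JSF contract for `Application.publishEvent`, an `AbortProcessingException` raised by a system-event listener is logged and only stops further listeners, so a denied view may still render (fail open); how the CDI bridge delivers the event is outside the hunk, so this needs confirming. `PostConstructViewMapEvent` is also published only when the view map is first created, so a view that never touches its view map would presumably skip the check altogether. I would have the deny path end the response explicitly (an error status or a redirect, followed by `FacesContext.responseComplete()`) and add a test asserting that a restricted view is not rendered. Separately, `if (allowed)` unboxes a possibly null `Boolean`, and `if (Boolean.TRUE.equals(allowed))` would turn a null result into an explicit deny. The logger should be `Logger.getLogger(ViewMetaRestrictEnforcer.class)`, with the denial logged at warn level together with the view id, so access denials are not filed under `TransactionPhaseListener` in the audit trail.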