package com.zimbra.cs.account.accesscontrol;

import com.zimbra.common.service.ServiceException;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.Account;
import com.zimbra.cs.account.AuthToken;
import com.zimbra.cs.account.DomainAccessManager;
import com.zimbra.cs.account.Entry;
import com.zimbra.cs.account.GuestAccount;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.account.accesscontrol.Rights;

/* loaded from: input_file:com/zimbra/cs/account/accesscontrol/DomainACLAccessManager.class */
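/**
 * Access manager that extends the domain-admin checks of {@link DomainAccessManager}
 * with ACL-based right checks.
 *
 * <p>Account access is granted when the superclass grants it, or when the grantee
 * holds {@code Rights.User.R_loginAs} on the target account. Every {@code canDo}
 * overload is fail-closed: a {@link ServiceException} raised while resolving the
 * grantee or evaluating the right is logged and answered with {@code false}.
 */
public class DomainACLAccessManager extends DomainAccessManager {
    /**
     * Creates the access manager.
     *
     * @throws ServiceException if {@code RightManager.getInstance()} fails
     */
    public DomainACLAccessManager() throws ServiceException {
        // The instance is discarded; presumably this only forces the right
        // definitions to load up front so a failure surfaces here - TODO confirm.
        RightManager.getInstance();
    }

    /**
     * Decides whether the holder of {@code authToken} may access {@code account}.
     *
     * @param authToken credential of the requester
     * @param account target account
     * @param z forwarded unchanged to the superclass check and to {@code canDo};
     *          presumably an "as admin" flag - verify against the superclass
     * @return {@code true} if the superclass allows access or the requester holds
     *         {@code R_loginAs} on the target
     * @throws ServiceException if the superclass check fails
     */
    @Override
    public boolean canAccessAccount(AuthToken authToken, Account account, boolean z) throws ServiceException {
        if (super.canAccessAccount(authToken, account, z)) {
            return true;
        }
        // No admin-style access: fall back to the loginAs right, denying when
        // neither an ACL result nor a configured default exists (last argument).
        return canDo(authToken, (Entry) account, (Right) Rights.User.R_loginAs, z, false);
    }

    /**
     * Same as {@link #canAccessAccount(AuthToken, Account, boolean)} with the flag
     * set to {@code true}.
     */
    @Override
    public boolean canAccessAccount(AuthToken authToken, Account account) throws ServiceException {
        return canAccessAccount(authToken, account, true);
    }

    /**
     * Decides whether {@code account} may access {@code account2}.
     *
     * @param account requesting account
     * @param account2 target account
     * @param z forwarded unchanged to the superclass check and to {@code canDo};
     *          presumably an "as admin" flag - verify against the superclass
     * @return {@code true} if the superclass allows access or the requester holds
     *         {@code R_loginAs} on the target
     * @throws ServiceException if the superclass check fails
     */
    @Override
    public boolean canAccessAccount(Account account, Account account2, boolean z) throws ServiceException {
        if (super.canAccessAccount(account, account2, z)) {
            return true;
        }
        return canDo(account, (Entry) account2, (Right) Rights.User.R_loginAs, z, false);
    }

    /**
     * Same as {@link #canAccessAccount(Account, Account, boolean)} with the flag
     * set to {@code true}.
     */
    @Override
    public boolean canAccessAccount(Account account, Account account2) throws ServiceException {
        return canAccessAccount(account, account2, true);
    }

    /**
     * Evaluates whether {@code account} holds {@code right} on {@code entry}.
     *
     * <p>Order of evaluation: a {@code null} grantee is replaced by the anonymous
     * guest account; an account is always allowed on itself; for any right other
     * than {@code R_loginAs}, account access to the target is sufficient; then the
     * ACL check decides; then the right's configured default; finally {@code z2}.
     *
     * @param account grantee, or {@code null} for the anonymous guest
     * @param entry target of the right
     * @param right right being requested
     * @param z forwarded to {@code canAccessAccount}
     * @param z2 answer to return when there is neither an ACL result nor a
     *           configured default for the right
     * @return {@code true} if the right is granted; {@code false} if it is denied
     *         or if the evaluation fails with a {@link ServiceException}
     */
    public boolean canDo(Account account, Entry entry, Right right, boolean z, boolean z2) {
        // The try block spans every check: canAccessAccount declares
        // ServiceException, and a failure anywhere in the evaluation must end in
        // a logged denial, never in an uncaught exception or an implicit allow.
        try {
            if (account == null) {
                account = GuestAccount.ANONYMOUS_ACCT;
            }
            // An account is always allowed on itself, whatever the right.
            if ((entry instanceof Account) && ((Account) entry).getId().equals(account.getId())) {
                return true;
            }
            // canAccessAccount itself asks canDo for R_loginAs, so that right is
            // excluded here to keep the two methods from calling each other forever.
            if (right != Rights.User.R_loginAs && (entry instanceof Account) && canAccessAccount(account, (Account) entry, z)) {
                return true;
            }
            Boolean check = CheckPresetRight.check(account, entry, right, false, null);
            if (check != null) {
                return check.booleanValue();
            }
            // No ACL result: use the right's configured default, else the caller's.
            Boolean bool = right.getDefault();
            return bool != null ? bool.booleanValue() : z2;
        } catch (ServiceException e) {
            ZimbraLog.account.warn("ACL checking failed: grantee=" + account.getName() + ", target=" + entry.getLabel() + ", right=" + right.getName() + " => denied", e);
            return false;
        }
    }

    /**
     * Resolves the grantee from {@code authToken} and delegates to
     * {@link #canDo(Account, Entry, Right, boolean, boolean)}.
     *
     * <p>A {@code null} token is evaluated as the anonymous guest, a token for which
     * {@code isZimbraUser()} is true is resolved by account id, and any other token
     * is wrapped in a {@link GuestAccount}. If the id lookup returns {@code null},
     * the delegate evaluates the request as the anonymous guest.
     *
     * @return {@code true} if the right is granted; {@code false} if it is denied
     *         or the grantee cannot be resolved
     */
    public boolean canDo(AuthToken authToken, Entry entry, Right right, boolean z, boolean z2) {
        try {
            Account grantee;
            if (authToken == null) {
                grantee = GuestAccount.ANONYMOUS_ACCT;
            } else if (authToken.isZimbraUser()) {
                grantee = Provisioning.getInstance().get(Provisioning.AccountBy.id, authToken.getAccountId());
            } else {
                grantee = new GuestAccount(authToken);
            }
            return canDo(grantee, entry, right, z, z2);
        } catch (ServiceException e) {
            ZimbraLog.account.warn("ACL checking failed: grantee=" + authToken.getAccountId() + ", target=" + entry.getLabel() + ", right=" + right.getName() + " => denied", e);
            return false;
        }
    }

    /**
     * Resolves the grantee by account name and delegates to
     * {@link #canDo(Account, Entry, Right, boolean, boolean)}.
     *
     * <p>A {@code null} name, or a name for which the lookup returns {@code null},
     * is evaluated as the anonymous guest rather than denied outright.
     *
     * @param str grantee account name, or {@code null}
     * @return {@code true} if the right is granted; {@code false} if it is denied
     *         or the lookup fails with a {@link ServiceException}
     */
    public boolean canDo(String str, Entry entry, Right right, boolean z, boolean z2) {
        Account account = null;
        if (str != null) {
            try {
                account = Provisioning.getInstance().get(Provisioning.AccountBy.name, str);
            } catch (ServiceException e) {
                ZimbraLog.account.warn("ACL checking failed: grantee=" + str + ", target=" + entry.getLabel() + ", right=" + right.getName() + " => denied", e);
                return false;
            }
        }
        if (account == null) {
            account = GuestAccount.ANONYMOUS_ACCT;
        }
        return canDo(account, entry, right, z, z2);
    }
}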
