inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-07-31 17:39:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'feature/MNT-16881_PermissionHierarchyCheck' into 'master'

Browse Source 
MNT-16881 Check permission hierarchy using PermissionModel.

See merge request !28
This commit is contained in:
Tom Page
2017-01-25 15:17:34 +00:00
parent 827da44cb3 43f7864d70
commit 3ac2ffc1ae
4 changed files with 131 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

110
rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/permission/RecordsManagementPermissionPostProcessor.java
View File

@@ -31,6 +31,8 @@ import java.util.List;
import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel;
import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel;
import org.alfresco.repo.security.permissions.PermissionReference;
import org.alfresco.repo.security.permissions.impl.model.PermissionModel;
import org.alfresco.repo.security.permissions.processor.impl.PermissionPostProcessorBaseImpl;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
@@ -39,47 +41,81 @@ import org.alfresco.service.cmr.security.PermissionService;
/**
* Records management permission post processor.
*
*
* @author Roy Wetherall
* @since 2.4.a
*/
public class RecordsManagementPermissionPostProcessor extends PermissionPostProcessorBaseImpl
public class RecordsManagementPermissionPostProcessor extends PermissionPostProcessorBaseImpl
{
/** node service */
private NodeService nodeService;
public void setNodeService(NodeService nodeService) {this.nodeService=nodeService;}
/** permission service */
private PermissionService permissionService;
public void setPermissionService(PermissionService permissionService) {this.permissionService=permissionService;}
/**
* @see org.alfresco.repo.security.permissions.processor.PermissionPostProcessor#process(org.alfresco.service.cmr.security.AccessStatus, org.alfresco.service.cmr.repository.NodeRef, java.lang.String)
*/
@Override
public AccessStatus process(AccessStatus accessStatus, NodeRef nodeRef, String perm,
List configuredReadPermissions, List configuredFilePermissions)
{
AccessStatus result = accessStatus;
if (AccessStatus.DENIED.equals(accessStatus) &&
/** node service */
private NodeService nodeService;
public void setNodeService(NodeService nodeService) {this.nodeService=nodeService;}
/** permission service */
private PermissionService permissionService;
public void setPermissionService(PermissionService permissionService) {this.permissionService=permissionService;}
/** The permission model DAO. */
private PermissionModel permissionModel;
public void setPermissionModel(PermissionModel permissionModel) {this.permissionModel=permissionModel;}
/**
* @see org.alfresco.repo.security.permissions.processor.PermissionPostProcessor#process(org.alfresco.service.cmr.security.AccessStatus, org.alfresco.service.cmr.repository.NodeRef, java.lang.String)
*/
@Override
public AccessStatus process(AccessStatus accessStatus, NodeRef nodeRef, String perm,
List<String> configuredReadPermissions, List<String> configuredFilePermissions)
{
AccessStatus result = accessStatus;
if (AccessStatus.DENIED.equals(accessStatus) &&
nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT))
{
// if read denied on rm artifact
if (PermissionService.READ.equals(perm) || configuredReadPermissions.contains(perm))
{
// check for read record
result = permissionService.hasPermission(nodeRef, RMPermissionModel.READ_RECORDS);
}
// if write deinied on rm artificat
else if (PermissionService.WRITE.equals(perm) || configuredFilePermissions.contains(perm))
{
// check for file record
result = permissionService.hasPermission(nodeRef, RMPermissionModel.FILE_RECORDS);
}
}
return result;
}
{
// if read denied on rm artifact
if (PermissionService.READ.equals(perm) || isPermissionContained(perm, configuredReadPermissions))
{
// check for read record
result = permissionService.hasPermission(nodeRef, RMPermissionModel.READ_RECORDS);
}
// if write denied on rm artifact
else if (PermissionService.WRITE.equals(perm) || isPermissionContained(perm, configuredFilePermissions))
{
// check for file record
result = permissionService.hasPermission(nodeRef, RMPermissionModel.FILE_RECORDS);
}
}
return result;
}
/**
* Check if a given permission is implied by a list of permission groups.
*
* @param perm The name of the permission in question.
* @param configuredPermissions The list of permission group names.
* @return true if the permission is contained or implied by the list of permissions.
*/
private boolean isPermissionContained(String perm, List<String> configuredPermissions)
{
// Check if the permission is explicitly in the list
if (configuredPermissions.contains(perm))
{
return true;
}
// Check if the permission is implied by one from the list.
for (String configuredPermission : configuredPermissions)
{
// TODO: Here we are assuming the permission name is unique across all contexts (but I think we're doing that in the properties file anyway).
PermissionReference permissionReference = permissionModel.getPermissionReference(null, configuredPermission);
for (PermissionReference granteePermission : permissionModel.getGranteePermissions(permissionReference))
{
if (granteePermission.getName().equals(perm))
{
return true;
}
}
}
return false;
}
}

2
rm-community/rm-community-repo/source/java/org/alfresco/repo/security/permissions/processor/PermissionPostProcessor.java
View File

@@ -52,5 +52,5 @@ public interface PermissionPostProcessor
* @return {@link AccessStatus}
*/
AccessStatus process(AccessStatus accessStatus, NodeRef nodeRef, String perm,
List configuredReadPermissions, List configuredFilePermissions);
List<String> configuredReadPermissions, List<String> configuredFilePermissions);
}