MNT-16852: back port code fix for add children permission support

David Webster
2016-09-26 21:55:35 +01:00
parent 18e4c800ad
commit 5c90f386f4


@@ -1,266 +1,267 @@
/* /*
* Copyright (C) 2005-2014 Alfresco Software Limited. * Copyright (C) 2005-2014 Alfresco Software Limited.
* *
* This file is part of Alfresco * This file is part of Alfresco
* *
* Alfresco is free software: you can redistribute it and/or modify * Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by * it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or * the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version. * (at your option) any later version.
* *
* Alfresco is distributed in the hope that it will be useful, * Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of * but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details. * GNU Lesser General Public License for more details.
* *
* You should have received a copy of the GNU Lesser General Public License * You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>. * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/ */
package org.alfresco.repo.security.permissions.impl; package org.alfresco.repo.security.permissions.impl;
import java.io.Serializable; import java.io.Serializable;
import java.util.Collections; import java.util.Collections;
import java.util.HashSet; import java.util.HashSet;
import java.util.Set; import java.util.Set;
import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel; import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel;
import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel; import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel;
import org.alfresco.repo.cache.SimpleCache; import org.alfresco.repo.cache.SimpleCache;
import org.alfresco.repo.security.permissions.AccessControlEntry; import org.alfresco.repo.security.permissions.AccessControlEntry;
import org.alfresco.repo.security.permissions.AccessControlList; import org.alfresco.repo.security.permissions.AccessControlList;
import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.AccessStatus; import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.PermissionService; import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.util.PropertyCheck; import org.alfresco.util.PropertyCheck;
import org.springframework.context.ApplicationEvent; import org.springframework.context.ApplicationEvent;
/** /**
* Extends the core permission service implementation allowing the consideration of the read records * Extends the core permission service implementation allowing the consideration of the read records
* permission. * permission.
* <p> * <p>
* This is required for SOLR support. * This is required for SOLR support.
* *
* @author Roy Wetherall * @author Roy Wetherall
*/ */
public class RMPermissionServiceImpl extends PermissionServiceImpl public class RMPermissionServiceImpl extends PermissionServiceImpl
implements ExtendedPermissionService implements ExtendedPermissionService
{ {
/** Writers simple cache */ /** Writers simple cache */
protected SimpleCache<Serializable, Set<String>> writersCache; protected SimpleCache<Serializable, Set<String>> writersCache;
/** /**
* @see org.alfresco.repo.security.permissions.impl.PermissionServiceImpl#setAnyDenyDenies(boolean) * @see org.alfresco.repo.security.permissions.impl.PermissionServiceImpl#setAnyDenyDenies(boolean)
*/ */
@Override @Override
public void setAnyDenyDenies(boolean anyDenyDenies) public void setAnyDenyDenies(boolean anyDenyDenies)
{ {
super.setAnyDenyDenies(anyDenyDenies); super.setAnyDenyDenies(anyDenyDenies);
writersCache.clear(); writersCache.clear();
} }
/** /**
* @param writersCache the writersCache to set * @param writersCache the writersCache to set
*/ */
public void setWritersCache(SimpleCache<Serializable, Set<String>> writersCache) public void setWritersCache(SimpleCache<Serializable, Set<String>> writersCache)
{ {
this.writersCache = writersCache; this.writersCache = writersCache;
} }
/** /**
* @see org.alfresco.repo.security.permissions.impl.PermissionServiceImpl#onBootstrap(org.springframework.context.ApplicationEvent) * @see org.alfresco.repo.security.permissions.impl.PermissionServiceImpl#onBootstrap(org.springframework.context.ApplicationEvent)
*/ */
@Override @Override
protected void onBootstrap(ApplicationEvent event) protected void onBootstrap(ApplicationEvent event)
{ {
super.onBootstrap(event); super.onBootstrap(event);
PropertyCheck.mandatory(this, "writersCache", writersCache); PropertyCheck.mandatory(this, "writersCache", writersCache);
} }
/** /**
* Override to deal with the possibility of hard coded permission checks in core code. * Override to deal with the possibility of hard coded permission checks in core code.
* *
* Note: Eventually we need to merge the RM permission model into the core to make this more rebust. * Note: Eventually we need to merge the RM permission model into the core to make this more rebust.
* *
* @see org.alfresco.repo.security.permissions.impl.ExtendedPermissionService#hasPermission(org.alfresco.service.cmr.repository.NodeRef, java.lang.String) * @see org.alfresco.repo.security.permissions.impl.ExtendedPermissionService#hasPermission(org.alfresco.service.cmr.repository.NodeRef, java.lang.String)
*/ */
@Override @Override
public AccessStatus hasPermission(NodeRef nodeRef, String perm) public AccessStatus hasPermission(NodeRef nodeRef, String perm)
{ {
AccessStatus acs = super.hasPermission(nodeRef, perm); AccessStatus acs = super.hasPermission(nodeRef, perm);
if (AccessStatus.DENIED.equals(acs) && if (AccessStatus.DENIED.equals(acs) &&
PermissionService.READ.equals(perm) && PermissionService.READ.equals(perm) &&
nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT)) nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT))
{ {
return super.hasPermission(nodeRef, RMPermissionModel.READ_RECORDS); return super.hasPermission(nodeRef, RMPermissionModel.READ_RECORDS);
} }
else if (AccessStatus.DENIED.equals(acs) && // Added ADD_CHILDREN check in for MNT-16852.
PermissionService.WRITE.equals(perm) && else if (AccessStatus.DENIED.equals(acs) &&
nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT)) (PermissionService.WRITE.equals(perm) || PermissionService.ADD_CHILDREN.equals(perm)) &&
{ nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT))
return super.hasPermission(nodeRef, RMPermissionModel.FILE_RECORDS); {
} return super.hasPermission(nodeRef, RMPermissionModel.FILE_RECORDS);
}
return acs;
} return acs;
}
/**
* @see org.alfresco.repo.security.permissions.impl.PermissionServiceImpl#canRead(java.lang.Long) /**
*/ * @see org.alfresco.repo.security.permissions.impl.PermissionServiceImpl#canRead(java.lang.Long)
@Override */
protected AccessStatus canRead(Long aclId) @Override
{ protected AccessStatus canRead(Long aclId)
Set<String> authorities = getAuthorisations(); {
Set<String> authorities = getAuthorisations();
// test denied
// test denied
if(anyDenyDenies)
{ if(anyDenyDenies)
{
Set<String> aclReadersDenied = getReadersDenied(aclId);
Set<String> aclReadersDenied = getReadersDenied(aclId);
for(String auth : aclReadersDenied)
{ for(String auth : aclReadersDenied)
if(authorities.contains(auth)) {
{ if(authorities.contains(auth))
return AccessStatus.DENIED; {
} return AccessStatus.DENIED;
} }
}
}
}
// test acl readers
Set<String> aclReaders = getReaders(aclId); // test acl readers
Set<String> aclReaders = getReaders(aclId);
for(String auth : aclReaders)
{ for(String auth : aclReaders)
if(authorities.contains(auth)) {
{ if(authorities.contains(auth))
return AccessStatus.ALLOWED; {
} return AccessStatus.ALLOWED;
} }
}
return AccessStatus.DENIED;
} return AccessStatus.DENIED;
}
/**
* @see org.alfresco.repo.security.permissions.impl.PermissionServiceImpl#getReaders(java.lang.Long) /**
*/ * @see org.alfresco.repo.security.permissions.impl.PermissionServiceImpl#getReaders(java.lang.Long)
@Override */
public Set<String> getReaders(Long aclId) @Override
{ public Set<String> getReaders(Long aclId)
AccessControlList acl = aclDaoComponent.getAccessControlList(aclId); {
if (acl == null) AccessControlList acl = aclDaoComponent.getAccessControlList(aclId);
{ if (acl == null)
return Collections.emptySet(); {
} return Collections.emptySet();
}
Set<String> aclReaders = readersCache.get((Serializable)acl.getProperties());
if (aclReaders != null) Set<String> aclReaders = readersCache.get((Serializable)acl.getProperties());
{ if (aclReaders != null)
return aclReaders; {
} return aclReaders;
}
HashSet<String> assigned = new HashSet<String>();
HashSet<String> readers = new HashSet<String>(); HashSet<String> assigned = new HashSet<String>();
HashSet<String> readers = new HashSet<String>();
for (AccessControlEntry ace : acl.getEntries())
{ for (AccessControlEntry ace : acl.getEntries())
assigned.add(ace.getAuthority()); {
} assigned.add(ace.getAuthority());
}
for (String authority : assigned)
{ for (String authority : assigned)
UnconditionalAclTest test = new UnconditionalAclTest(getPermissionReference(PermissionService.READ)); {
UnconditionalAclTest rmTest = new UnconditionalAclTest(getPermissionReference(RMPermissionModel.READ_RECORDS)); UnconditionalAclTest test = new UnconditionalAclTest(getPermissionReference(PermissionService.READ));
if (test.evaluate(authority, aclId) || rmTest.evaluate(authority, aclId)) UnconditionalAclTest rmTest = new UnconditionalAclTest(getPermissionReference(RMPermissionModel.READ_RECORDS));
{ if (test.evaluate(authority, aclId) || rmTest.evaluate(authority, aclId))
readers.add(authority); {
} readers.add(authority);
} }
}
aclReaders = Collections.unmodifiableSet(readers);
readersCache.put((Serializable)acl.getProperties(), aclReaders); aclReaders = Collections.unmodifiableSet(readers);
return aclReaders; readersCache.put((Serializable)acl.getProperties(), aclReaders);
} return aclReaders;
}
/**
* Override with check for RM read /**
* * Override with check for RM read
* @param aclId *
* @return * @param aclId
*/ * @return
private Set<String> getReadersDenied(Long aclId) */
{ private Set<String> getReadersDenied(Long aclId)
AccessControlList acl = aclDaoComponent.getAccessControlList(aclId); {
AccessControlList acl = aclDaoComponent.getAccessControlList(aclId);
if (acl == null)
{ if (acl == null)
return Collections.emptySet(); {
} return Collections.emptySet();
Set<String> denied = readersDeniedCache.get(aclId); }
if (denied != null) Set<String> denied = readersDeniedCache.get(aclId);
{ if (denied != null)
return denied; {
} return denied;
denied = new HashSet<String>(); }
Set<String> assigned = new HashSet<String>(); denied = new HashSet<String>();
Set<String> assigned = new HashSet<String>();
for (AccessControlEntry ace : acl.getEntries())
{ for (AccessControlEntry ace : acl.getEntries())
assigned.add(ace.getAuthority()); {
} assigned.add(ace.getAuthority());
}
for(String authority : assigned)
{ for(String authority : assigned)
UnconditionalDeniedAclTest test = new UnconditionalDeniedAclTest(getPermissionReference(PermissionService.READ)); {
UnconditionalDeniedAclTest rmTest = new UnconditionalDeniedAclTest(getPermissionReference(RMPermissionModel.READ_RECORDS)); UnconditionalDeniedAclTest test = new UnconditionalDeniedAclTest(getPermissionReference(PermissionService.READ));
if(test.evaluate(authority, aclId) || rmTest.evaluate(authority, aclId)) UnconditionalDeniedAclTest rmTest = new UnconditionalDeniedAclTest(getPermissionReference(RMPermissionModel.READ_RECORDS));
{ if(test.evaluate(authority, aclId) || rmTest.evaluate(authority, aclId))
denied.add(authority); {
} denied.add(authority);
} }
}
readersDeniedCache.put((Serializable)acl.getProperties(), denied);
readersDeniedCache.put((Serializable)acl.getProperties(), denied);
return denied;
} return denied;
}
/**
* @see org.alfresco.repo.security.permissions.impl.ExtendedPermissionService#getWriters(java.lang.Long) /**
*/ * @see org.alfresco.repo.security.permissions.impl.ExtendedPermissionService#getWriters(java.lang.Long)
public Set<String> getWriters(Long aclId) */
{ public Set<String> getWriters(Long aclId)
AccessControlList acl = aclDaoComponent.getAccessControlList(aclId); {
if (acl == null) AccessControlList acl = aclDaoComponent.getAccessControlList(aclId);
{ if (acl == null)
return Collections.emptySet(); {
} return Collections.emptySet();
}
Set<String> aclWriters = writersCache.get((Serializable)acl.getProperties());
if (aclWriters != null) Set<String> aclWriters = writersCache.get((Serializable)acl.getProperties());
{ if (aclWriters != null)
return aclWriters; {
} return aclWriters;
}
HashSet<String> assigned = new HashSet<String>();
HashSet<String> readers = new HashSet<String>(); HashSet<String> assigned = new HashSet<String>();
HashSet<String> readers = new HashSet<String>();
for (AccessControlEntry ace : acl.getEntries())
{ for (AccessControlEntry ace : acl.getEntries())
assigned.add(ace.getAuthority()); {
} assigned.add(ace.getAuthority());
}
for (String authority : assigned)
{ for (String authority : assigned)
UnconditionalAclTest test = new UnconditionalAclTest(getPermissionReference(PermissionService.WRITE)); {
if (test.evaluate(authority, aclId)) UnconditionalAclTest test = new UnconditionalAclTest(getPermissionReference(PermissionService.WRITE));
{ if (test.evaluate(authority, aclId))
readers.add(authority); {
} readers.add(authority);
} }
}
aclWriters = Collections.unmodifiableSet(readers);
writersCache.put((Serializable)acl.getProperties(), aclWriters); aclWriters = Collections.unmodifiableSet(readers);
return aclWriters; writersCache.put((Serializable)acl.getProperties(), aclWriters);
} return aclWriters;
} }
}
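Review bot: In `hasPermission`, the widened `else if` now lets a core `DENIED` for `PermissionService.ADD_CHILDREN` be replaced by the result of the `RMPermissionModel.FILE_RECORDS` check on any node carrying `ASPECT_FILE_PLAN_COMPONENT`, and `acs` does not tell an explicit deny entry apart from a missing grant. If `super.hasPermission` returns `DENIED` for an explicit AddChildren deny (its behaviour is not visible on this page), a `FILE_RECORDS` grant would override that deny, so this should be confirmed against `anyDenyDenies` and covered by a test for both the explicit-deny and the no-grant case. The added comment records only the ticket; something like `// ADD_CHILDREN denied by core on a file plan component: fall back to FILE_RECORDS, as for WRITE (MNT-16852).` would tell the next reader what the branch decides. `getWriters` further down still evaluates only `PermissionService.WRITE` and was not changed, so callers relying on it will not see authorities that pass only through this fallback.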