Merged WEBAPP-API (5.2.1) to 5.2.N (5.2.1)

136412 cpopa: APPSREPO-66: Capture and transmit permission changes to the client
      - Added AuthorityServicePolicies policies which are invoked when a group is deleted or an authority is added to or removed from a group
      - Added PermissionServicePolicies policies which are invoked when a local permission is granted/removed or permission inheritance is enabled/disabled


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.2.N/root@136420 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
Constantin Popa
2017-04-25 14:03:02 +00:00
parent 3094a66ea5
commit ab81943a66
9 changed files with 524 additions and 107 deletions


@@ -12,7 +12,7 @@
<!-- -->
<beans>
<bean id="authorityService" class="org.alfresco.repo.security.authority.AuthorityServiceImpl">
<bean id="authorityService" class="org.alfresco.repo.security.authority.AuthorityServiceImpl" init-method="init">
<property name="personService">
<ref bean="personService" />
</property>
@@ -46,6 +46,9 @@
<set>
</set>
</property>
<property name="policyComponent">
<ref bean="policyComponent"/>
</property>
</bean>
<!-- Authority DAO that stores group information along with user information, -->


@@ -68,4 +68,8 @@
<property name="jobLockService" ref="jobLockService"/>
</bean>
<bean id="policyIgnoreUtil" class="org.alfresco.util.PolicyIgnoreUtil">
<property name="tenantService" ref="tenantService"/>
<property name="storesToIgnorePolicies" ref="storesToIgnorePolicies"/>
</bean>
</beans>


@@ -105,9 +105,10 @@
<property name="fixedAclUpdater">
<ref bean="fixedAclUpdater"/>
</property>
<property name="policyIgnoreUtil" ref="policyIgnoreUtil"/>
</bean>
<bean id="fixedAclUpdater" class="org.alfresco.repo.domain.permissions.FixedAclUpdater">
<bean id="fixedAclUpdater" class="org.alfresco.repo.domain.permissions.FixedAclUpdater" init-method="init">
<property name="jobLockService" ref="jobLockService"/>
<property name="transactionService" ref="transactionService"/>
<property name="accessControlListDAO" ref="admNodeACLDAO"/>
@@ -115,6 +116,8 @@
<property name="maxItemBatchSize" value="${system.fixedACLsUpdater.maxItemBatchSize}"/>
<property name="numThreads" value="${system.fixedACLsUpdater.numThreads}"/>
<property name="lockTimeToLive" value="${system.fixedACLsUpdater.lockTTL}"/>
<property name="policyComponent" ref="policyComponent"/>
<property name="policyIgnoreUtil" ref="policyIgnoreUtil"/>
</bean>
<!-- =================== -->


@@ -25,6 +25,8 @@
*/
package org.alfresco.repo.domain.permissions;
import static org.apache.commons.lang3.BooleanUtils.toBoolean;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
@@ -41,8 +43,13 @@ import org.alfresco.repo.domain.node.NodeDAO.NodeRefQueryCallback;
import org.alfresco.repo.lock.JobLockService;
import org.alfresco.repo.lock.JobLockService.JobLockRefreshCallback;
import org.alfresco.repo.lock.LockAcquisitionException;
import org.alfresco.repo.policy.ClassPolicyDelegate;
import org.alfresco.repo.policy.PolicyComponent;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
import org.alfresco.repo.security.permissions.PermissionServicePolicies;
import org.alfresco.repo.security.permissions.PermissionServicePolicies.OnInheritPermissionsDisabled;
import org.alfresco.repo.transaction.AlfrescoTransactionSupport;
import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback;
import org.alfresco.repo.transaction.TransactionListenerAdapter;
import org.alfresco.service.cmr.repository.NodeRef;
@@ -50,6 +57,7 @@ import org.alfresco.service.namespace.NamespaceService;
import org.alfresco.service.namespace.QName;
import org.alfresco.service.transaction.TransactionService;
import org.alfresco.util.Pair;
import org.alfresco.util.PolicyIgnoreUtil;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.BeansException;
@@ -83,6 +91,10 @@ public class FixedAclUpdater extends TransactionListenerAdapter implements Appli
private int maxItemBatchSize = 100;
private int numThreads = 4;
private ClassPolicyDelegate<OnInheritPermissionsDisabled> onInheritPermissionsDisabledDelegate;
private PolicyComponent policyComponent;
private PolicyIgnoreUtil policyIgnoreUtil;
public void setNumThreads(int numThreads)
{
this.numThreads = numThreads;
@@ -123,6 +135,21 @@ public class FixedAclUpdater extends TransactionListenerAdapter implements Appli
{
this.lockTimeToLive = lockTimeToLive;
this.lockRefreshTime = lockTimeToLive / 2;
}
public void setPolicyComponent(PolicyComponent policyComponent)
{
this.policyComponent = policyComponent;
}
public void setPolicyIgnoreUtil(PolicyIgnoreUtil policyIgnoreUtil)
{
this.policyIgnoreUtil = policyIgnoreUtil;
}
public void init()
{
onInheritPermissionsDisabledDelegate = policyComponent.registerClassPolicy(PermissionServicePolicies.OnInheritPermissionsDisabled.class);
}
private class GetNodesWithAspects
@@ -249,6 +276,14 @@ public class FixedAclUpdater extends TransactionListenerAdapter implements Appli
nodeDAO.removeNodeAspects(nodeId, aspects);
nodeDAO.removeNodeProperties(nodeId, PENDING_FIX_ACL_ASPECT_PROPS);
if (!policyIgnoreUtil.ignorePolicy(nodeRef))
{
boolean transformedToAsyncOperation = toBoolean((Boolean) AlfrescoTransactionSupport.getResource(FixedAclUpdater.FIXED_ACL_ASYNC_REQUIRED_KEY));
OnInheritPermissionsDisabled onInheritPermissionsDisabledPolicy = onInheritPermissionsDisabledDelegate.get(ContentModel.TYPE_BASE);
onInheritPermissionsDisabledPolicy.onInheritPermissionsDisabled(nodeRef, transformedToAsyncOperation);
}
if (log.isDebugEnabled())
{
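Review bot: The worker fires `onInheritPermissionsDisabled` for every node whose pending-ACL aspect it clears, without checking which operation left the node pending. The async branch of `setInheritParentPermissions` in PermissionServiceImpl (same commit) passes `inheritParentPermissions` through unchanged, so if an asynchronous enable can also leave nodes pending, listeners would receive a "disabled" event for a node whose inheritance was just switched on. If only the disable path can reach this code, that assumption deserves a comment above the new block, e.g. `// pending-ACL nodes only originate from disabling inheritance; revisit if that changes`. Otherwise the direction has to be recorded with the pending state and the matching policy chosen here. The enclosing method begins and ends outside this hunk.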


@@ -25,32 +25,39 @@
*/
package org.alfresco.repo.security.authority;
import java.util.AbstractSet;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.query.PagingRequest;
import org.alfresco.query.PagingResults;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.permissions.PermissionServiceSPI;
import org.alfresco.repo.security.person.UserNameMatcher;
import org.alfresco.repo.tenant.TenantService;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.AuthenticationService;
import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.cmr.security.AuthorityType;
import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.service.cmr.security.PersonService;
import org.alfresco.util.Pair;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.extensions.surf.util.ParameterCheck;
import static org.alfresco.service.cmr.security.PermissionService.GROUP_PREFIX;
import java.util.AbstractSet;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import org.alfresco.model.ContentModel;
import org.alfresco.query.PagingRequest;
import org.alfresco.query.PagingResults;
import org.alfresco.repo.policy.ClassPolicyDelegate;
import org.alfresco.repo.policy.PolicyComponent;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authority.AuthorityServicePolicies.OnAuthorityAddedToGroup;
import org.alfresco.repo.security.authority.AuthorityServicePolicies.OnAuthorityRemovedFromGroup;
import org.alfresco.repo.security.authority.AuthorityServicePolicies.OnGroupDeleted;
import org.alfresco.repo.security.permissions.PermissionServiceSPI;
import org.alfresco.repo.security.person.UserNameMatcher;
import org.alfresco.repo.tenant.TenantService;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.AuthenticationService;
import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.cmr.security.AuthorityType;
import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.service.cmr.security.PersonService;
import org.alfresco.util.Pair;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.extensions.surf.util.ParameterCheck;
/**
* The default implementation of the authority service.
@@ -78,7 +85,12 @@ public class AuthorityServiceImpl implements AuthorityService, InitializingBean
private Set<String> guestSet = Collections.singleton(PermissionService.GUEST_AUTHORITY);
private Set<String> allSet = Collections.singleton(PermissionService.ALL_AUTHORITIES);
private Set<String> adminGroups = Collections.emptySet();
private Set<String> guestGroups = Collections.emptySet();
private Set<String> guestGroups = Collections.emptySet();
private ClassPolicyDelegate<OnAuthorityAddedToGroup> onAuthorityAddedToGroups;
private ClassPolicyDelegate<OnAuthorityRemovedFromGroup> onAuthorityRemovedFromGroup;
private ClassPolicyDelegate<OnGroupDeleted> onGroupDeletedDelegate;
private PolicyComponent policyComponent;
public AuthorityServiceImpl()
{
@@ -123,6 +135,18 @@ public class AuthorityServiceImpl implements AuthorityService, InitializingBean
public void setGuestGroups(Set<String> guestGroups)
{
this.guestGroups = guestGroups;
}
public void setPolicyComponent(PolicyComponent policyComponent)
{
this.policyComponent = policyComponent;
}
public void init()
{
onAuthorityAddedToGroups = policyComponent.registerClassPolicy(AuthorityServicePolicies.OnAuthorityAddedToGroup.class);
onAuthorityRemovedFromGroup = policyComponent.registerClassPolicy(AuthorityServicePolicies.OnAuthorityRemovedFromGroup.class);
onGroupDeletedDelegate = policyComponent.registerClassPolicy(AuthorityServicePolicies.OnGroupDeleted.class);
}
@Override
@@ -460,7 +484,13 @@ public class AuthorityServiceImpl implements AuthorityService, InitializingBean
*/
public void addAuthority(Collection<String> parentNames, String childName)
{
authorityDAO.addAuthority(parentNames, childName);
authorityDAO.addAuthority(parentNames, childName);
OnAuthorityAddedToGroup policy = onAuthorityAddedToGroups.get(ContentModel.TYPE_AUTHORITY);
for (String parentGroup : parentNames)
{
policy.onAuthorityAddedToGroup(parentGroup, childName);
}
}
private boolean containsMatch(Set<String> names, String name)
@@ -537,7 +567,18 @@ public class AuthorityServiceImpl implements AuthorityService, InitializingBean
}
}
authorityDAO.deleteAuthority(name);
permissionServiceSPI.deletePermissions(name);
permissionServiceSPI.deletePermissions(name);
if (isGroup(type))
{
OnGroupDeleted onGroupDelete = onGroupDeletedDelegate.get(ContentModel.TYPE_AUTHORITY);
onGroupDelete.onGroupDeleted(name, cascade);
}
}
private boolean isGroup(AuthorityType authorityType)
{
return AuthorityType.GROUP == authorityType || AuthorityType.EVERYONE == authorityType;
}
/**
@@ -583,7 +624,10 @@ public class AuthorityServiceImpl implements AuthorityService, InitializingBean
@Override
public void removeAuthority(String parentName, String childName)
{
authorityDAO.removeAuthority(parentName, childName);
authorityDAO.removeAuthority(parentName, childName);
OnAuthorityRemovedFromGroup policy = onAuthorityRemovedFromGroup.get(ContentModel.TYPE_AUTHORITY);
policy.onAuthorityRemovedFromGroup(parentName, childName);
}
/**
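Review bot: The three policy delegates are assigned only in the new `init()`, which runs solely because the bean definition now carries `init-method="init"`. Any other bean definition of this class, or a test that constructs it directly, leaves them null, and `addAuthority`, `removeAuthority` and `deleteAuthority` then throw a NullPointerException after the DAO call has already been made. The class already implements `InitializingBean`, so the registration could live in `afterPropertiesSet()` (not visible in these hunks). At the least `init()` should fail fast with `ParameterCheck.mandatory("policyComponent", policyComponent);` before registering. The field names are also inconsistent (`onAuthorityAddedToGroups`, `onAuthorityRemovedFromGroup`, `onGroupDeletedDelegate`); the `...Delegate` suffix used in PermissionServiceImpl would read better for all three.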


@@ -0,0 +1,87 @@
/*
* #%L
* Alfresco Repository
* %%
* Copyright (C) 2005 - 2017 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%
*/
package org.alfresco.repo.security.authority;
import org.alfresco.repo.policy.ClassPolicy;
import org.alfresco.service.namespace.NamespaceService;
import org.alfresco.service.namespace.QName;
/**
* Policies for AuthorityService
*
* @author cpopa
*
*/
public interface AuthorityServicePolicies
{
/**
* Policy invoked when an authority is added to a group
*/
public interface OnAuthorityAddedToGroup extends ClassPolicy
{
public static final QName QNAME = QName.createQName(NamespaceService.ALFRESCO_URI, "onAuthorityAddedToGroup");
/**
* An authority is added in a group
*
* @param parentGroup the group into which the authority is added
* @param childAuthority the authority being added to the groups
*/
public void onAuthorityAddedToGroup(String parentGroup, String childAuthority);
}
/**
* Policy invoked when an authority is removed from a group
*/
public interface OnAuthorityRemovedFromGroup extends ClassPolicy
{
public static final QName QNAME = QName.createQName(NamespaceService.ALFRESCO_URI, "onAuthorityRemovedFromGroup");
/**
* An authority was removed from a group
*
* @param parentGroup the group from which the authority is removed
* @param childAuthority the authority being removed from the group
*/
public void onAuthorityRemovedFromGroup(String parentGroup, String childAuthority);
}
/**
* Policy invoked when a group is deleted
*/
public interface OnGroupDeleted extends ClassPolicy
{
public static final QName QNAME = QName.createQName(NamespaceService.ALFRESCO_URI, "onGroupDeleted");
/**
* A group has been deleted
*
* @param groupName the group being deleted
* @param cascade whether the deletion is cascaded to child authorities
*/
public void onGroupDeleted(String groupName, boolean cascade);
}
}


@@ -0,0 +1,106 @@
/*
* #%L
* Alfresco Repository
* %%
* Copyright (C) 2005 - 2017 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%
*/
package org.alfresco.repo.security.permissions;
import org.alfresco.repo.policy.ClassPolicy;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.namespace.NamespaceService;
import org.alfresco.service.namespace.QName;
/**
* Policies for PermissionService
*
* @author cpopa
*
*/
public interface PermissionServicePolicies
{
/**
* Policy invoked when a permission is granted to an authority for a specific node
*/
public interface OnGrantLocalPermission extends ClassPolicy
{
public static final QName QNAME = QName.createQName(NamespaceService.ALFRESCO_URI, "onGrantLocalPermission");
/**
* A permission was granted to an authority for a specific node
*
* @param nodeRef the node on which the permission is granted
* @param authority the authority being granted the permission
* @param permission the permission at question
*/
public void onGrantLocalPermission(NodeRef nodeRef, String authority, String permission);
}
/**
* Policy invoked when a permission is revoked from an authority for a specific node
*/
public interface OnRevokeLocalPermission extends ClassPolicy
{
public static final QName QNAME = QName.createQName(NamespaceService.ALFRESCO_URI, "onRevokeLocalPermission");
/**
* A permission was revoked from an authority for a specific node
*
* @param nodeRef the node from which the permission is revoked
* @param authority the authority being revoked the permission
* @param permission the permission at question
*/
public void onRevokeLocalPermission(NodeRef nodeRef, String authority, String permission);
}
/**
* Policy invoked when permission inheritance is enabled for a specific node
*/
public interface OnInheritPermissionsEnabled extends ClassPolicy
{
public static final QName QNAME = QName.createQName(NamespaceService.ALFRESCO_URI, "onInheritPermissionsEnabled");
/**
* Permission inheritance was enabled
*
* @param nodeRef the node for which the inheritance is enabled
*/
public void onInheritPermissionsEnabled(NodeRef nodeRef);
}
/**
* Policy invoked when permission inheritance is disabled for a specific node (sync or async mode)
*/
public interface OnInheritPermissionsDisabled extends ClassPolicy
{
public static final QName QNAME = QName.createQName(NamespaceService.ALFRESCO_URI, "onInheritPermissionsDisabled");
/**
* Permission inheritance was disabled
*
* @param nodeRef the node for which the inheritance is disabled
* @param async whether the operation has been done in asynchronous mode, thus it may not be finished yet
*/
public void onInheritPermissionsDisabled(NodeRef nodeRef, boolean async);
}
}
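Review bot: The Javadoc for `onRevokeLocalPermission` does not say that `authority` and `permission` may be null, yet `PermissionServiceImpl.deletePermissions(NodeRef)` in this commit invokes the policy with `null, null` to signal that all local permissions on the node were removed. A behaviour written against the documented contract would dereference either argument. I would extend the two `@param` lines, for example `@param authority the authority losing the permission, or null when all local permissions on the node are deleted`, with the same wording for `permission`.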


@@ -25,70 +25,77 @@
*/
package org.alfresco.repo.security.permissions.impl;
import java.io.Serializable;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.GrantedAuthority;
import net.sf.acegisecurity.providers.dao.User;
import org.alfresco.model.ContentModel;
import org.alfresco.repo.cache.SimpleCache;
import org.alfresco.repo.domain.permissions.AclDAO;
import org.alfresco.repo.node.db.traitextender.NodeServiceTrait;
import org.alfresco.repo.domain.permissions.FixedAclUpdater;
import org.alfresco.repo.policy.JavaBehaviour;
import org.alfresco.repo.policy.PolicyComponent;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
import org.alfresco.repo.security.authority.AuthorityServiceImpl;
import org.alfresco.repo.security.permissions.ACLType;
import org.alfresco.repo.security.permissions.AccessControlEntry;
import org.alfresco.repo.security.permissions.AccessControlList;
import org.alfresco.repo.security.permissions.AccessControlListProperties;
import org.alfresco.repo.security.permissions.DynamicAuthority;
import org.alfresco.repo.security.permissions.NodePermissionEntry;
import org.alfresco.repo.security.permissions.PermissionEntry;
import org.alfresco.repo.security.permissions.PermissionReference;
import org.alfresco.repo.security.permissions.PermissionServiceSPI;
import org.alfresco.repo.security.permissions.impl.traitextender.PermissionServiceExtension;
import org.alfresco.repo.security.permissions.impl.traitextender.PermissionServiceTrait;
import org.alfresco.repo.tenant.TenantService;
import org.alfresco.repo.transaction.AlfrescoTransactionSupport;
import org.alfresco.repo.version.Version2Model;
import org.alfresco.repo.version.VersionModel;
import org.alfresco.repo.version.common.VersionUtil;
import org.alfresco.service.cmr.dictionary.DictionaryService;
import org.alfresco.service.cmr.repository.ChildAssociationRef;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.repository.StoreRef;
import org.alfresco.service.cmr.security.AccessPermission;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.cmr.security.OwnableService;
import org.alfresco.service.cmr.security.PermissionContext;
import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.service.namespace.NamespaceService;
import org.alfresco.service.namespace.QName;
import org.alfresco.traitextender.AJExtender;
import org.alfresco.traitextender.Extend;
import org.alfresco.traitextender.ExtendedTrait;
import org.alfresco.traitextender.Extensible;
import org.alfresco.traitextender.AJProxyTrait;
import org.alfresco.traitextender.Trait;
import org.alfresco.util.EqualsHelper;
import org.alfresco.util.Pair;
import org.alfresco.util.PropertyCheck;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.context.ApplicationEvent;
import org.springframework.extensions.surf.util.AbstractLifecycleBean;
import static org.apache.commons.lang3.BooleanUtils.toBoolean;
import java.io.Serializable;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.GrantedAuthority;
import net.sf.acegisecurity.providers.dao.User;
import org.alfresco.model.ContentModel;
import org.alfresco.repo.cache.SimpleCache;
import org.alfresco.repo.domain.permissions.AclDAO;
import org.alfresco.repo.domain.permissions.FixedAclUpdater;
import org.alfresco.repo.policy.ClassPolicyDelegate;
import org.alfresco.repo.policy.JavaBehaviour;
import org.alfresco.repo.policy.PolicyComponent;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
import org.alfresco.repo.security.authority.AuthorityServiceImpl;
import org.alfresco.repo.security.permissions.ACLType;
import org.alfresco.repo.security.permissions.AccessControlEntry;
import org.alfresco.repo.security.permissions.AccessControlList;
import org.alfresco.repo.security.permissions.AccessControlListProperties;
import org.alfresco.repo.security.permissions.DynamicAuthority;
import org.alfresco.repo.security.permissions.NodePermissionEntry;
import org.alfresco.repo.security.permissions.PermissionEntry;
import org.alfresco.repo.security.permissions.PermissionReference;
import org.alfresco.repo.security.permissions.PermissionServicePolicies;
import org.alfresco.repo.security.permissions.PermissionServicePolicies.OnGrantLocalPermission;
import org.alfresco.repo.security.permissions.PermissionServicePolicies.OnInheritPermissionsDisabled;
import org.alfresco.repo.security.permissions.PermissionServicePolicies.OnInheritPermissionsEnabled;
import org.alfresco.repo.security.permissions.PermissionServicePolicies.OnRevokeLocalPermission;
import org.alfresco.repo.security.permissions.PermissionServiceSPI;
import org.alfresco.repo.security.permissions.impl.traitextender.PermissionServiceExtension;
import org.alfresco.repo.security.permissions.impl.traitextender.PermissionServiceTrait;
import org.alfresco.repo.tenant.TenantService;
import org.alfresco.repo.transaction.AlfrescoTransactionSupport;
import org.alfresco.repo.version.Version2Model;
import org.alfresco.repo.version.VersionModel;
import org.alfresco.repo.version.common.VersionUtil;
import org.alfresco.service.cmr.dictionary.DictionaryService;
import org.alfresco.service.cmr.repository.ChildAssociationRef;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.repository.StoreRef;
import org.alfresco.service.cmr.security.AccessPermission;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.cmr.security.OwnableService;
import org.alfresco.service.cmr.security.PermissionContext;
import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.service.namespace.NamespaceService;
import org.alfresco.service.namespace.QName;
import org.alfresco.traitextender.AJProxyTrait;
import org.alfresco.traitextender.Extend;
import org.alfresco.traitextender.ExtendedTrait;
import org.alfresco.traitextender.Extensible;
import org.alfresco.traitextender.Trait;
import org.alfresco.util.EqualsHelper;
import org.alfresco.util.Pair;
import org.alfresco.util.PolicyIgnoreUtil;
import org.alfresco.util.PropertyCheck;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.context.ApplicationEvent;
import org.springframework.extensions.surf.util.AbstractLifecycleBean;
/**
* The Alfresco implementation of a permissions service against our APIs for the permissions model and permissions
@@ -161,7 +168,14 @@ public class PermissionServiceImpl extends AbstractLifecycleBean implements Perm
protected boolean anyDenyDenies = false;
private final ExtendedTrait<PermissionServiceTrait> permissionServiceTrait;
private final ExtendedTrait<PermissionServiceTrait> permissionServiceTrait;
private ClassPolicyDelegate<OnGrantLocalPermission> onGrantLocalPermissionDelegate;
private ClassPolicyDelegate<OnRevokeLocalPermission> onRevokeLocalPermissionDelegate;
private ClassPolicyDelegate<OnInheritPermissionsEnabled> onInheritPermissionsEnabledDelegate;
private ClassPolicyDelegate<OnInheritPermissionsDisabled> onInheritPermissionsDisabledDelegate;
private PolicyIgnoreUtil policyIgnoreUtil;
/**
* Standard spring construction.
@@ -322,6 +336,11 @@ public class PermissionServiceImpl extends AbstractLifecycleBean implements Perm
public void setPolicyComponent(PolicyComponent policyComponent)
{
this.policyComponent = policyComponent;
}
public void setPolicyIgnoreUtil(PolicyIgnoreUtil policyIgnoreUtil)
{
this.policyIgnoreUtil = policyIgnoreUtil;
}
/**
@@ -385,7 +404,12 @@ public class PermissionServiceImpl extends AbstractLifecycleBean implements Perm
policyComponent.bindClassBehaviour(QName.createQName(NamespaceService.ALFRESCO_URI, "onMoveNode"), ContentModel.TYPE_BASE, new JavaBehaviour(this, "onMoveNode"));
policyComponent.bindClassBehaviour(QName.createQName(NamespaceService.ALFRESCO_URI, "onCreateChildAssociation"), ContentModel.TYPE_AUTHORITY_CONTAINER, new JavaBehaviour(this, "onCreateChildAssociation"));
policyComponent.bindClassBehaviour(QName.createQName(NamespaceService.ALFRESCO_URI, "beforeDeleteChildAssociation"), ContentModel.TYPE_AUTHORITY_CONTAINER, new JavaBehaviour(this, "beforeDeleteChildAssociation"));
policyComponent.bindClassBehaviour(QName.createQName(NamespaceService.ALFRESCO_URI, "beforeDeleteChildAssociation"), ContentModel.TYPE_AUTHORITY_CONTAINER, new JavaBehaviour(this, "beforeDeleteChildAssociation"));
onGrantLocalPermissionDelegate = policyComponent.registerClassPolicy(PermissionServicePolicies.OnGrantLocalPermission.class);
onRevokeLocalPermissionDelegate = policyComponent.registerClassPolicy(PermissionServicePolicies.OnRevokeLocalPermission.class);
onInheritPermissionsEnabledDelegate = policyComponent.registerClassPolicy(PermissionServicePolicies.OnInheritPermissionsEnabled.class);
onInheritPermissionsDisabledDelegate = policyComponent.registerClassPolicy(PermissionServicePolicies.OnInheritPermissionsDisabled.class);
}
//
@@ -978,7 +1002,9 @@ public class PermissionServiceImpl extends AbstractLifecycleBean implements Perm
public void deletePermissions(NodeRef nodeRef)
{
permissionsDaoComponent.deletePermissions(tenantService.getName(nodeRef));
accessCache.clear();
accessCache.clear();
invokeUpdateLocalPermissionsPolicy(nodeRef, null, null, false);
}
@Override
@@ -1005,7 +1031,26 @@ public class PermissionServiceImpl extends AbstractLifecycleBean implements Perm
protected void deletePermission(NodeRef nodeRef, String authority, PermissionReference perm)
{
permissionsDaoComponent.deletePermission(tenantService.getName(nodeRef), authority, perm);
accessCache.clear();
accessCache.clear();
invokeUpdateLocalPermissionsPolicy(nodeRef, authority, perm.getName(), false);
}
private void invokeUpdateLocalPermissionsPolicy(NodeRef nodeRef, String authority, String permission, boolean grantPermission)
{
if (!policyIgnoreUtil.ignorePolicy(nodeRef))
{
if (grantPermission)
{
OnGrantLocalPermission grantPermPolicy = onGrantLocalPermissionDelegate.get(nodeService.getType(nodeRef));
grantPermPolicy.onGrantLocalPermission(nodeRef, authority, permission);
}
else
{
OnRevokeLocalPermission revokePermPolicy = onRevokeLocalPermissionDelegate.get(nodeService.getType(nodeRef));
revokePermPolicy.onRevokeLocalPermission(nodeRef, authority, permission);
}
}
}
@Override
@@ -1019,7 +1064,9 @@ public class PermissionServiceImpl extends AbstractLifecycleBean implements Perm
protected void setPermission(NodeRef nodeRef, String authority, PermissionReference perm, boolean allow)
{
permissionsDaoComponent.setPermission(tenantService.getName(nodeRef), authority, perm, allow);
accessCache.clear();
accessCache.clear();
invokeUpdateLocalPermissionsPolicy(nodeRef, authority, perm.getName(), allow);
}
@Override
@@ -1046,7 +1093,9 @@ public class PermissionServiceImpl extends AbstractLifecycleBean implements Perm
{
NodeRef actualRef = tenantService.getName(nodeRef);
permissionsDaoComponent.setInheritParentPermissions(actualRef, inheritParentPermissions);
accessCache.clear();
accessCache.clear();
invokeOnPermissionsInheritedPolicy(nodeRef, inheritParentPermissions, false);
}
@Override
@@ -1060,20 +1109,40 @@ public class PermissionServiceImpl extends AbstractLifecycleBean implements Perm
AlfrescoTransactionSupport.bindResource(FixedAclUpdater.FIXED_ACL_ASYNC_CALL_KEY, true);
permissionsDaoComponent.setInheritParentPermissions(actualRef, inheritParentPermissions);
//check if asynchronous call was required
Boolean asyncCallRequired = (Boolean) AlfrescoTransactionSupport.getResource(FixedAclUpdater.FIXED_ACL_ASYNC_REQUIRED_KEY);
if (asyncCallRequired != null && asyncCallRequired)
boolean asyncCallRequired = toBoolean((Boolean) AlfrescoTransactionSupport.getResource(FixedAclUpdater.FIXED_ACL_ASYNC_REQUIRED_KEY));
if (asyncCallRequired)
{
//after transaction is committed FixedAclUpdater will be started in a new thread to process pending nodes
AlfrescoTransactionSupport.bindListener(fixedAclUpdater);
}
AlfrescoTransactionSupport.bindListener(fixedAclUpdater);
}
invokeOnPermissionsInheritedPolicy(nodeRef, inheritParentPermissions, asyncCallRequired);
}
else
{
//regular method call
permissionsDaoComponent.setInheritParentPermissions(actualRef, inheritParentPermissions);
permissionsDaoComponent.setInheritParentPermissions(actualRef, inheritParentPermissions);
invokeOnPermissionsInheritedPolicy(nodeRef, inheritParentPermissions, false);
}
accessCache.clear();
}
private void invokeOnPermissionsInheritedPolicy(NodeRef nodeRef, final boolean inheritParentPermissions, boolean async)
{
if (!policyIgnoreUtil.ignorePolicy(nodeRef))
{
if (inheritParentPermissions)
{
OnInheritPermissionsEnabled onInheritEnabledPolicy = onInheritPermissionsEnabledDelegate.get(ContentModel.TYPE_BASE);
onInheritEnabledPolicy.onInheritPermissionsEnabled(nodeRef);
}
else
{
OnInheritPermissionsDisabled onInheritDisabledPolicy = onInheritPermissionsDisabledDelegate.get(ContentModel.TYPE_BASE);
onInheritDisabledPolicy.onInheritPermissionsDisabled(nodeRef, async);
}
}
}
/**
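Review bot: `setPermission(nodeRef, authority, perm, allow)` forwards `allow` as the `grantPermission` flag of `invokeUpdateLocalPermissionsPolicy`, so writing an entry with `allow == false` is reported through `OnRevokeLocalPermission`, the same callback used when an entry is deleted. A client that mirrors permissions from these events cannot tell an explicit deny from a removal, and could end up with a more permissive view than the repository holds. The deny case needs its own callback, or the allow/deny status has to be carried in the event. Until then the call site should say so: `// allow == false writes a DENY entry; listeners currently receive it as a revoke`. The method bodies involved start outside the hunks shown.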


@@ -0,0 +1,66 @@
/*
* #%L
* Alfresco Repository
* %%
* Copyright (C) 2005 - 2017 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%
*/
package org.alfresco.util;
import java.util.Collections;
import java.util.Set;
import org.alfresco.repo.tenant.TenantService;
import org.alfresco.service.cmr.repository.NodeRef;
/**
* Utility class which checks whether a node is in a store on which policies should not be applied(e.g. archive://SpacesStore)
*
* @author cpopa
*
*/
public class PolicyIgnoreUtil
{
private TenantService tenantService;
private Set<String> storesToIgnorePolicies = Collections.emptySet();
public void setStoresToIgnorePolicies(Set<String> storesToIgnorePolicies)
{
this.storesToIgnorePolicies = storesToIgnorePolicies;
}
public void setTenantService(TenantService tenantService)
{
this.tenantService = tenantService;
}
/**
* Checks whether the node is in a store on which policies should not be applied.
*
* @param nodeRef
* node to check if the policy can be run or not
* @return true if the nodeRef is part of a store which should be ignored when invoking policies(e.g. archive://SpacesStore)
*/
public boolean ignorePolicy(NodeRef nodeRef)
{
return (storesToIgnorePolicies.contains(tenantService.getBaseName(nodeRef.getStoreRef()).toString()));
}
}
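Review bot: `setStoresToIgnorePolicies` stores whatever it is given, so a null from configuration replaces the `Collections.emptySet()` default and `ignorePolicy` then throws on every permission change that reaches it. This class decides whether permission-change notifications are emitted at all, so it should stay usable under a missing property. The setter could read `this.storesToIgnorePolicies = (storesToIgnorePolicies == null) ? Collections.<String>emptySet() : storesToIgnorePolicies;`. The class Javadoc should also note that the match is an exact, case-sensitive comparison on the store reference string, because a near-miss entry in the configured set leaves policies firing for a store that was meant to be excluded.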