inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-10-08 14:51:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merged WEBAPP-API (5.2.1) to 5.2.N (5.2.1)

Browse Source 
136412 cpopa: APPSREPO-66: Capture and transmit permission changes to the client
      - Added AuthorityServicePolicies policies which are invoked when a group is deleted, an authority is added or removed from a group
      - Added PermissionServicePolicies policies which are invoked when a local permissions is granted/removed, permission inheritance is enabled/disabled


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.2.N/root@136420 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Constantin Popa
2017-04-25 14:03:02 +00:00
parent 3094a66ea5
commit ab81943a66
9 changed files with 524 additions and 107 deletions
Download Patch File Download Diff File Expand all files Collapse all files

106
source/java/org/alfresco/repo/security/permissions/PermissionServicePolicies.java Normal file
View File

@@ -0,0 +1,106 @@
/*
* #%L
* Alfresco Repository
* %%
* Copyright (C) 2005 - 2017 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%
*/
package org.alfresco.repo.security.permissions;
import org.alfresco.repo.policy.ClassPolicy;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.namespace.NamespaceService;
import org.alfresco.service.namespace.QName;
/**
* Policies for PermissionService
*
* @author cpopa
*
*/
public interface PermissionServicePolicies
{
/**
* Policy invoked when a permission is granted to an authority for a specific node
*/
public interface OnGrantLocalPermission extends ClassPolicy
{
public static final QName QNAME = QName.createQName(NamespaceService.ALFRESCO_URI, "onGrantLocalPermission");
/**
* A permission was granted to an authority for a specific node
*
* @param nodeRef the node on which the permission is granted
* @param authority the authority being granted the permission
* @param permission the permission at question
*/
public void onGrantLocalPermission(NodeRef nodeRef, String authority, String permission);
}
/**
* Policy invoked when a permission is revoked from an authority for a specific node
*/
public interface OnRevokeLocalPermission extends ClassPolicy
{
public static final QName QNAME = QName.createQName(NamespaceService.ALFRESCO_URI, "onRevokeLocalPermission");
/**
* A permission was revoked from an authority for a specific node
*
* @param nodeRef the node from which the permission is revoked
* @param authority the authority being revoked the permission
* @param permission the permission at question
*/
public void onRevokeLocalPermission(NodeRef nodeRef, String authority, String permission);
}
/**
* Policy invoked when permission inheritance is enabled for a specific node
*/
public interface OnInheritPermissionsEnabled extends ClassPolicy
{
public static final QName QNAME = QName.createQName(NamespaceService.ALFRESCO_URI, "onInheritPermissionsEnabled");
/**
* Permission inheritance was enabled
*
* @param nodeRef the node for which the inheritance is enabled
*/
public void onInheritPermissionsEnabled(NodeRef nodeRef);
}
/**
* Policy invoked when permission inheritance is disabled for a specific node (sync or async mode)
*/
public interface OnInheritPermissionsDisabled extends ClassPolicy
{
public static final QName QNAME = QName.createQName(NamespaceService.ALFRESCO_URI, "onInheritPermissionsDisabled");
/**
* Permission inheritance was disabled
*
* @param nodeRef the node for which the inheritance is disabled
* @param async whether the operation has been done in asynchronous mode, thus it may not be finished yet
*/
public void onInheritPermissionsDisabled(NodeRef nodeRef, boolean async);
}
}

219
source/java/org/alfresco/repo/security/permissions/impl/PermissionServiceImpl.java
View File

@@ -25,70 +25,77 @@
*/
package org.alfresco.repo.security.permissions.impl;
import java.io.Serializable;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.GrantedAuthority;
import net.sf.acegisecurity.providers.dao.User;
import org.alfresco.model.ContentModel;
import org.alfresco.repo.cache.SimpleCache;
import org.alfresco.repo.domain.permissions.AclDAO;
import org.alfresco.repo.node.db.traitextender.NodeServiceTrait;
import org.alfresco.repo.domain.permissions.FixedAclUpdater;
import org.alfresco.repo.policy.JavaBehaviour;
import org.alfresco.repo.policy.PolicyComponent;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
import org.alfresco.repo.security.authority.AuthorityServiceImpl;
import org.alfresco.repo.security.permissions.ACLType;
import org.alfresco.repo.security.permissions.AccessControlEntry;
import org.alfresco.repo.security.permissions.AccessControlList;
import org.alfresco.repo.security.permissions.AccessControlListProperties;
import org.alfresco.repo.security.permissions.DynamicAuthority;
import org.alfresco.repo.security.permissions.NodePermissionEntry;
import org.alfresco.repo.security.permissions.PermissionEntry;
import org.alfresco.repo.security.permissions.PermissionReference;
import org.alfresco.repo.security.permissions.PermissionServiceSPI;
import org.alfresco.repo.security.permissions.impl.traitextender.PermissionServiceExtension;
import org.alfresco.repo.security.permissions.impl.traitextender.PermissionServiceTrait;
import org.alfresco.repo.tenant.TenantService;
import org.alfresco.repo.transaction.AlfrescoTransactionSupport;
import org.alfresco.repo.version.Version2Model;
import org.alfresco.repo.version.VersionModel;
import org.alfresco.repo.version.common.VersionUtil;
import org.alfresco.service.cmr.dictionary.DictionaryService;
import org.alfresco.service.cmr.repository.ChildAssociationRef;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.repository.StoreRef;
import org.alfresco.service.cmr.security.AccessPermission;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.cmr.security.OwnableService;
import org.alfresco.service.cmr.security.PermissionContext;
import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.service.namespace.NamespaceService;
import org.alfresco.service.namespace.QName;
import org.alfresco.traitextender.AJExtender;
import org.alfresco.traitextender.Extend;
import org.alfresco.traitextender.ExtendedTrait;
import org.alfresco.traitextender.Extensible;
import org.alfresco.traitextender.AJProxyTrait;
import org.alfresco.traitextender.Trait;
import org.alfresco.util.EqualsHelper;
import org.alfresco.util.Pair;
import org.alfresco.util.PropertyCheck;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.context.ApplicationEvent;
import org.springframework.extensions.surf.util.AbstractLifecycleBean;
import static org.apache.commons.lang3.BooleanUtils.toBoolean;
import java.io.Serializable;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.GrantedAuthority;
import net.sf.acegisecurity.providers.dao.User;
import org.alfresco.model.ContentModel;
import org.alfresco.repo.cache.SimpleCache;
import org.alfresco.repo.domain.permissions.AclDAO;
import org.alfresco.repo.domain.permissions.FixedAclUpdater;
import org.alfresco.repo.policy.ClassPolicyDelegate;
import org.alfresco.repo.policy.JavaBehaviour;
import org.alfresco.repo.policy.PolicyComponent;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
import org.alfresco.repo.security.authority.AuthorityServiceImpl;
import org.alfresco.repo.security.permissions.ACLType;
import org.alfresco.repo.security.permissions.AccessControlEntry;
import org.alfresco.repo.security.permissions.AccessControlList;
import org.alfresco.repo.security.permissions.AccessControlListProperties;
import org.alfresco.repo.security.permissions.DynamicAuthority;
import org.alfresco.repo.security.permissions.NodePermissionEntry;
import org.alfresco.repo.security.permissions.PermissionEntry;
import org.alfresco.repo.security.permissions.PermissionReference;
import org.alfresco.repo.security.permissions.PermissionServicePolicies;
import org.alfresco.repo.security.permissions.PermissionServicePolicies.OnGrantLocalPermission;
import org.alfresco.repo.security.permissions.PermissionServicePolicies.OnInheritPermissionsDisabled;
import org.alfresco.repo.security.permissions.PermissionServicePolicies.OnInheritPermissionsEnabled;
import org.alfresco.repo.security.permissions.PermissionServicePolicies.OnRevokeLocalPermission;
import org.alfresco.repo.security.permissions.PermissionServiceSPI;
import org.alfresco.repo.security.permissions.impl.traitextender.PermissionServiceExtension;
import org.alfresco.repo.security.permissions.impl.traitextender.PermissionServiceTrait;
import org.alfresco.repo.tenant.TenantService;
import org.alfresco.repo.transaction.AlfrescoTransactionSupport;
import org.alfresco.repo.version.Version2Model;
import org.alfresco.repo.version.VersionModel;
import org.alfresco.repo.version.common.VersionUtil;
import org.alfresco.service.cmr.dictionary.DictionaryService;
import org.alfresco.service.cmr.repository.ChildAssociationRef;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.repository.StoreRef;
import org.alfresco.service.cmr.security.AccessPermission;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.cmr.security.OwnableService;
import org.alfresco.service.cmr.security.PermissionContext;
import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.service.namespace.NamespaceService;
import org.alfresco.service.namespace.QName;
import org.alfresco.traitextender.AJProxyTrait;
import org.alfresco.traitextender.Extend;
import org.alfresco.traitextender.ExtendedTrait;
import org.alfresco.traitextender.Extensible;
import org.alfresco.traitextender.Trait;
import org.alfresco.util.EqualsHelper;
import org.alfresco.util.Pair;
import org.alfresco.util.PolicyIgnoreUtil;
import org.alfresco.util.PropertyCheck;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.context.ApplicationEvent;
import org.springframework.extensions.surf.util.AbstractLifecycleBean;
/**
* The Alfresco implementation of a permissions service against our APIs for the permissions model and permissions
@@ -161,7 +168,14 @@ public class PermissionServiceImpl extends AbstractLifecycleBean implements Perm
protected boolean anyDenyDenies = false;
private final ExtendedTrait<PermissionServiceTrait> permissionServiceTrait;
private final ExtendedTrait<PermissionServiceTrait> permissionServiceTrait;
private ClassPolicyDelegate<OnGrantLocalPermission> onGrantLocalPermissionDelegate;
private ClassPolicyDelegate<OnRevokeLocalPermission> onRevokeLocalPermissionDelegate;
private ClassPolicyDelegate<OnInheritPermissionsEnabled> onInheritPermissionsEnabledDelegate;
private ClassPolicyDelegate<OnInheritPermissionsDisabled> onInheritPermissionsDisabledDelegate;
private PolicyIgnoreUtil policyIgnoreUtil;
/**
* Standard spring construction.
@@ -322,6 +336,11 @@ public class PermissionServiceImpl extends AbstractLifecycleBean implements Perm
public void setPolicyComponent(PolicyComponent policyComponent)
{
this.policyComponent = policyComponent;
}
public void setPolicyIgnoreUtil(PolicyIgnoreUtil policyIgnoreUtil)
{
this.policyIgnoreUtil = policyIgnoreUtil;
}
/**
@@ -385,7 +404,12 @@ public class PermissionServiceImpl extends AbstractLifecycleBean implements Perm
policyComponent.bindClassBehaviour(QName.createQName(NamespaceService.ALFRESCO_URI, "onMoveNode"), ContentModel.TYPE_BASE, new JavaBehaviour(this, "onMoveNode"));
policyComponent.bindClassBehaviour(QName.createQName(NamespaceService.ALFRESCO_URI, "onCreateChildAssociation"), ContentModel.TYPE_AUTHORITY_CONTAINER, new JavaBehaviour(this, "onCreateChildAssociation"));
policyComponent.bindClassBehaviour(QName.createQName(NamespaceService.ALFRESCO_URI, "beforeDeleteChildAssociation"), ContentModel.TYPE_AUTHORITY_CONTAINER, new JavaBehaviour(this, "beforeDeleteChildAssociation"));
policyComponent.bindClassBehaviour(QName.createQName(NamespaceService.ALFRESCO_URI, "beforeDeleteChildAssociation"), ContentModel.TYPE_AUTHORITY_CONTAINER, new JavaBehaviour(this, "beforeDeleteChildAssociation"));
onGrantLocalPermissionDelegate = policyComponent.registerClassPolicy(PermissionServicePolicies.OnGrantLocalPermission.class);
onRevokeLocalPermissionDelegate = policyComponent.registerClassPolicy(PermissionServicePolicies.OnRevokeLocalPermission.class);
onInheritPermissionsEnabledDelegate = policyComponent.registerClassPolicy(PermissionServicePolicies.OnInheritPermissionsEnabled.class);
onInheritPermissionsDisabledDelegate = policyComponent.registerClassPolicy(PermissionServicePolicies.OnInheritPermissionsDisabled.class);
}
//
@@ -978,7 +1002,9 @@ public class PermissionServiceImpl extends AbstractLifecycleBean implements Perm
public void deletePermissions(NodeRef nodeRef)
{
permissionsDaoComponent.deletePermissions(tenantService.getName(nodeRef));
accessCache.clear();
accessCache.clear();
invokeUpdateLocalPermissionsPolicy(nodeRef, null, null, false);
}
@Override
@@ -1005,7 +1031,26 @@ public class PermissionServiceImpl extends AbstractLifecycleBean implements Perm
protected void deletePermission(NodeRef nodeRef, String authority, PermissionReference perm)
{
permissionsDaoComponent.deletePermission(tenantService.getName(nodeRef), authority, perm);
accessCache.clear();
accessCache.clear();
invokeUpdateLocalPermissionsPolicy(nodeRef, authority, perm.getName(), false);
}
private void invokeUpdateLocalPermissionsPolicy(NodeRef nodeRef, String authority, String permission, boolean grantPermission)
{
if (!policyIgnoreUtil.ignorePolicy(nodeRef))
{
if (grantPermission)
{
OnGrantLocalPermission grantPermPolicy = onGrantLocalPermissionDelegate.get(nodeService.getType(nodeRef));
grantPermPolicy.onGrantLocalPermission(nodeRef, authority, permission);
}
else
{
OnRevokeLocalPermission revokePermPolicy = onRevokeLocalPermissionDelegate.get(nodeService.getType(nodeRef));
revokePermPolicy.onRevokeLocalPermission(nodeRef, authority, permission);
}
}
}
@Override
@@ -1019,7 +1064,9 @@ public class PermissionServiceImpl extends AbstractLifecycleBean implements Perm
protected void setPermission(NodeRef nodeRef, String authority, PermissionReference perm, boolean allow)
{
permissionsDaoComponent.setPermission(tenantService.getName(nodeRef), authority, perm, allow);
accessCache.clear();
accessCache.clear();
invokeUpdateLocalPermissionsPolicy(nodeRef, authority, perm.getName(), allow);
}
@Override
@@ -1046,7 +1093,9 @@ public class PermissionServiceImpl extends AbstractLifecycleBean implements Perm
{
NodeRef actualRef = tenantService.getName(nodeRef);
permissionsDaoComponent.setInheritParentPermissions(actualRef, inheritParentPermissions);
accessCache.clear();
accessCache.clear();
invokeOnPermissionsInheritedPolicy(nodeRef, inheritParentPermissions, false);
}
@Override
@@ -1060,20 +1109,40 @@ public class PermissionServiceImpl extends AbstractLifecycleBean implements Perm
AlfrescoTransactionSupport.bindResource(FixedAclUpdater.FIXED_ACL_ASYNC_CALL_KEY, true);
permissionsDaoComponent.setInheritParentPermissions(actualRef, inheritParentPermissions);
//check if asynchronous call was required
Boolean asyncCallRequired = (Boolean) AlfrescoTransactionSupport.getResource(FixedAclUpdater.FIXED_ACL_ASYNC_REQUIRED_KEY);
if (asyncCallRequired != null && asyncCallRequired)
boolean asyncCallRequired = toBoolean((Boolean) AlfrescoTransactionSupport.getResource(FixedAclUpdater.FIXED_ACL_ASYNC_REQUIRED_KEY));
if (asyncCallRequired)
{
//after transaction is committed FixedAclUpdater will be started in a new thread to process pending nodes
AlfrescoTransactionSupport.bindListener(fixedAclUpdater);
}
AlfrescoTransactionSupport.bindListener(fixedAclUpdater);
}
invokeOnPermissionsInheritedPolicy(nodeRef, inheritParentPermissions, asyncCallRequired);
}
else
{
//regular method call
permissionsDaoComponent.setInheritParentPermissions(actualRef, inheritParentPermissions);
permissionsDaoComponent.setInheritParentPermissions(actualRef, inheritParentPermissions);
invokeOnPermissionsInheritedPolicy(nodeRef, inheritParentPermissions, false);
}
accessCache.clear();
}
private void invokeOnPermissionsInheritedPolicy(NodeRef nodeRef, final boolean inheritParentPermissions, boolean async)
{
if (!policyIgnoreUtil.ignorePolicy(nodeRef))
{
if (inheritParentPermissions)
{
OnInheritPermissionsEnabled onInheritEnabledPolicy = onInheritPermissionsEnabledDelegate.get(ContentModel.TYPE_BASE);
onInheritEnabledPolicy.onInheritPermissionsEnabled(nodeRef);
}
else
{
OnInheritPermissionsDisabled onInheritDisabledPolicy = onInheritPermissionsDisabledDelegate.get(ContentModel.TYPE_BASE);
onInheritDisabledPolicy.onInheritPermissionsDisabled(nodeRef, async);
}
}
}
/**