Format code

Mihai Cozma
2016-07-06 11:28:12 +03:00
parent d0e3daba66
commit b35a942fbb


@@ -55,17 +55,15 @@ import org.alfresco.util.PropertyCheck;
import org.springframework.context.ApplicationEvent; import org.springframework.context.ApplicationEvent;
/** /**
* Extends the core permission service implementation allowing the consideration of the read records * Extends the core permission service implementation allowing the consideration of the read records permission.
* permission.
* <p> * <p>
* This is required for SOLR support. * This is required for SOLR support.
* *
* @author Roy Wetherall * @author Roy Wetherall
*/ */
public class ExtendedPermissionServiceImpl extends PermissionServiceImpl public class ExtendedPermissionServiceImpl extends PermissionServiceImpl implements ExtendedPermissionService
implements ExtendedPermissionService
{ {
/** Writers simple cache */ /** Writers simple cache */
protected SimpleCache<Serializable, Set<String>> writersCache; protected SimpleCache<Serializable, Set<String>> writersCache;
/** File plan service */ /** File plan service */
@@ -97,12 +95,12 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl
/** /**
* Sets the permission processor registry * Sets the permission processor registry
* *
* @param permissionProcessorRegistry the permissions processor registry * @param permissionProcessorRegistry the permissions processor registry
*/ */
public void setPermissionProcessorRegistry(PermissionProcessorRegistry permissionProcessorRegistry) public void setPermissionProcessorRegistry(PermissionProcessorRegistry permissionProcessorRegistry)
{ {
this.permissionProcessorRegistry = permissionProcessorRegistry; this.permissionProcessorRegistry = permissionProcessorRegistry;
} }
/** /**
* @see org.alfresco.repo.security.permissions.impl.PermissionServiceImpl#setAnyDenyDenies(boolean) * @see org.alfresco.repo.security.permissions.impl.PermissionServiceImpl#setAnyDenyDenies(boolean)
@@ -113,7 +111,7 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl
super.setAnyDenyDenies(anyDenyDenies); super.setAnyDenyDenies(anyDenyDenies);
if (writersCache != null) if (writersCache != null)
{ {
writersCache.clear(); writersCache.clear();
} }
} }
@@ -136,43 +134,40 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl
} }
/** /**
* Override to deal with the possibility of hard coded permission checks in core code. * Override to deal with the possibility of hard coded permission checks in core code. Note: Eventually we need to
* merge the RM permission model into the core to make this more robust.
* *
* Note: Eventually we need to merge the RM permission model into the core to make this more rebust. * @see org.alfresco.repo.security.permissions.impl.ExtendedPermissionService#hasPermission(org.alfresco.service.cmr.repository.NodeRef,
* * java.lang.String)
* @see org.alfresco.repo.security.permissions.impl.ExtendedPermissionService#hasPermission(org.alfresco.service.cmr.repository.NodeRef, java.lang.String)
*/ */
@Override @Override
public AccessStatus hasPermission(NodeRef nodeRef, String perm) public AccessStatus hasPermission(NodeRef nodeRef, String perm)
{ {
AccessStatus result = AccessStatus.UNDETERMINED; AccessStatus result = AccessStatus.UNDETERMINED;
if (nodeService.exists(nodeRef)) if (nodeService.exists(nodeRef))
{
// permission pre-processors
List<PermissionPreProcessor> preProcessors = permissionProcessorRegistry.getPermissionPreProcessors();
for (PermissionPreProcessor preProcessor : preProcessors)
{ {
// pre process permission
result = preProcessor.process(nodeRef, perm);
// permission pre-processors // veto if denied
List<PermissionPreProcessor> preProcessors = permissionProcessorRegistry.getPermissionPreProcessors(); if (AccessStatus.DENIED.equals(result)) { return result; }
for (PermissionPreProcessor preProcessor : preProcessors) }
{
// pre process permission
result = preProcessor.process(nodeRef, perm);
// veto if denied // evaluate permission
if (AccessStatus.DENIED.equals(result))
{
return result;
}
}
// evaluate permission
result = hasPermissionImpl(nodeRef, perm); result = hasPermissionImpl(nodeRef, perm);
// permission post-processors // permission post-processors
List<PermissionPostProcessor> postProcessors = permissionProcessorRegistry.getPermissionPostProcessors(); List<PermissionPostProcessor> postProcessors = permissionProcessorRegistry.getPermissionPostProcessors();
for (PermissionPostProcessor postProcessor : postProcessors) for (PermissionPostProcessor postProcessor : postProcessors)
{ {
// post process permission // post process permission
result = postProcessor.process(result, nodeRef, perm); result = postProcessor.process(result, nodeRef, perm);
} }
} }
return result; return result;
} }
@@ -182,13 +177,13 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl
* <p> * <p>
* Separation also convenient for unit testing. * Separation also convenient for unit testing.
* *
* @param nodeRef node reference * @param nodeRef node reference
* @param perm permission * @param perm permission
* @return {@link AccessStatus} access status result * @return {@link AccessStatus} access status result
*/ */
protected AccessStatus hasPermissionImpl(NodeRef nodeRef, String perm) protected AccessStatus hasPermissionImpl(NodeRef nodeRef, String perm)
{ {
return super.hasPermission(nodeRef, perm); return super.hasPermission(nodeRef, perm);
} }
/** /**
@@ -201,17 +196,14 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl
// test denied // test denied
if(anyDenyDenies) if (anyDenyDenies)
{ {
Set<String> aclReadersDenied = getReadersDenied(aclId); Set<String> aclReadersDenied = getReadersDenied(aclId);
for(String auth : aclReadersDenied) for (String auth : aclReadersDenied)
{ {
if(authorities.contains(auth)) if (authorities.contains(auth)) { return AccessStatus.DENIED; }
{
return AccessStatus.DENIED;
}
} }
} }
@@ -219,12 +211,9 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl
// test acl readers // test acl readers
Set<String> aclReaders = getReaders(aclId); Set<String> aclReaders = getReaders(aclId);
for(String auth : aclReaders) for (String auth : aclReaders)
{ {
if(authorities.contains(auth)) if (authorities.contains(auth)) { return AccessStatus.ALLOWED; }
{
return AccessStatus.ALLOWED;
}
} }
return AccessStatus.DENIED; return AccessStatus.DENIED;
@@ -237,16 +226,10 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl
public Set<String> getReaders(Long aclId) public Set<String> getReaders(Long aclId)
{ {
AccessControlList acl = aclDaoComponent.getAccessControlList(aclId); AccessControlList acl = aclDaoComponent.getAccessControlList(aclId);
if (acl == null) if (acl == null) { return Collections.emptySet(); }
{
return Collections.emptySet();
}
Set<String> aclReaders = readersCache.get((Serializable)acl.getProperties()); Set<String> aclReaders = readersCache.get((Serializable) acl.getProperties());
if (aclReaders != null) if (aclReaders != null) { return aclReaders; }
{
return aclReaders;
}
HashSet<String> assigned = new HashSet<String>(); HashSet<String> assigned = new HashSet<String>();
HashSet<String> readers = new HashSet<String>(); HashSet<String> readers = new HashSet<String>();
@@ -259,7 +242,8 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl
for (String authority : assigned) for (String authority : assigned)
{ {
UnconditionalAclTest test = new UnconditionalAclTest(getPermissionReference(PermissionService.READ)); UnconditionalAclTest test = new UnconditionalAclTest(getPermissionReference(PermissionService.READ));
UnconditionalAclTest rmTest = new UnconditionalAclTest(getPermissionReference(RMPermissionModel.READ_RECORDS)); UnconditionalAclTest rmTest = new UnconditionalAclTest(
getPermissionReference(RMPermissionModel.READ_RECORDS));
if (test.evaluate(authority, aclId) || rmTest.evaluate(authority, aclId)) if (test.evaluate(authority, aclId) || rmTest.evaluate(authority, aclId))
{ {
readers.add(authority); readers.add(authority);
@@ -267,7 +251,7 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl
} }
aclReaders = Collections.unmodifiableSet(readers); aclReaders = Collections.unmodifiableSet(readers);
readersCache.put((Serializable)acl.getProperties(), aclReaders); readersCache.put((Serializable) acl.getProperties(), aclReaders);
return aclReaders; return aclReaders;
} }
@@ -281,15 +265,9 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl
{ {
AccessControlList acl = aclDaoComponent.getAccessControlList(aclId); AccessControlList acl = aclDaoComponent.getAccessControlList(aclId);
if (acl == null) if (acl == null) { return Collections.emptySet(); }
{
return Collections.emptySet();
}
Set<String> denied = readersDeniedCache.get(aclId); Set<String> denied = readersDeniedCache.get(aclId);
if (denied != null) if (denied != null) { return denied; }
{
return denied;
}
denied = new HashSet<String>(); denied = new HashSet<String>();
Set<String> assigned = new HashSet<String>(); Set<String> assigned = new HashSet<String>();
@@ -298,17 +276,19 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl
assigned.add(ace.getAuthority()); assigned.add(ace.getAuthority());
} }
for(String authority : assigned) for (String authority : assigned)
{ {
UnconditionalDeniedAclTest test = new UnconditionalDeniedAclTest(getPermissionReference(PermissionService.READ)); UnconditionalDeniedAclTest test = new UnconditionalDeniedAclTest(
UnconditionalDeniedAclTest rmTest = new UnconditionalDeniedAclTest(getPermissionReference(RMPermissionModel.READ_RECORDS)); getPermissionReference(PermissionService.READ));
if(test.evaluate(authority, aclId) || rmTest.evaluate(authority, aclId)) UnconditionalDeniedAclTest rmTest = new UnconditionalDeniedAclTest(
getPermissionReference(RMPermissionModel.READ_RECORDS));
if (test.evaluate(authority, aclId) || rmTest.evaluate(authority, aclId))
{ {
denied.add(authority); denied.add(authority);
} }
} }
readersDeniedCache.put((Serializable)acl.getProperties(), denied); readersDeniedCache.put((Serializable) acl.getProperties(), denied);
return denied; return denied;
} }
@@ -319,16 +299,10 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl
public Set<String> getWriters(Long aclId) public Set<String> getWriters(Long aclId)
{ {
AccessControlList acl = aclDaoComponent.getAccessControlList(aclId); AccessControlList acl = aclDaoComponent.getAccessControlList(aclId);
if (acl == null) if (acl == null) { return Collections.emptySet(); }
{
return Collections.emptySet();
}
Set<String> aclWriters = writersCache.get((Serializable)acl.getProperties()); Set<String> aclWriters = writersCache.get((Serializable) acl.getProperties());
if (aclWriters != null) if (aclWriters != null) { return aclWriters; }
{
return aclWriters;
}
HashSet<String> assigned = new HashSet<String>(); HashSet<String> assigned = new HashSet<String>();
HashSet<String> readers = new HashSet<String>(); HashSet<String> readers = new HashSet<String>();
@@ -348,20 +322,23 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl
} }
aclWriters = Collections.unmodifiableSet(readers); aclWriters = Collections.unmodifiableSet(readers);
writersCache.put((Serializable)acl.getProperties(), aclWriters); writersCache.put((Serializable) acl.getProperties(), aclWriters);
return aclWriters; return aclWriters;
} }
/** /**
* @see org.alfresco.repo.security.permissions.impl.PermissionServiceImpl#setInheritParentPermissions(org.alfresco.service.cmr.repository.NodeRef, boolean) * @see org.alfresco.repo.security.permissions.impl.PermissionServiceImpl#setInheritParentPermissions(org.alfresco.service.cmr.repository.NodeRef,
* boolean)
*/ */
@Override @Override
public void setInheritParentPermissions(final NodeRef nodeRef, boolean inheritParentPermissions) public void setInheritParentPermissions(final NodeRef nodeRef, boolean inheritParentPermissions)
{ {
final String adminRole = getAdminRole(nodeRef); final String adminRole = getAdminRole(nodeRef);
if (nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT) && isNotBlank(adminRole) && !inheritParentPermissions) if (nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT) && isNotBlank(adminRole)
&& !inheritParentPermissions)
{ {
setPermission(nodeRef, ExtendedReaderDynamicAuthority.EXTENDED_READER, RMPermissionModel.READ_RECORDS, true); setPermission(nodeRef, ExtendedReaderDynamicAuthority.EXTENDED_READER, RMPermissionModel.READ_RECORDS,
true);
setPermission(nodeRef, ExtendedWriterDynamicAuthority.EXTENDED_WRITER, RMPermissionModel.FILING, true); setPermission(nodeRef, ExtendedWriterDynamicAuthority.EXTENDED_WRITER, RMPermissionModel.FILING, true);
setPermission(nodeRef, adminRole, RMPermissionModel.FILING, true); setPermission(nodeRef, adminRole, RMPermissionModel.FILING, true);
} }
@@ -374,7 +351,8 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl
NodeRef filePlan = getFilePlanService().getFilePlan(nodeRef); NodeRef filePlan = getFilePlanService().getFilePlan(nodeRef);
if (filePlan != null) if (filePlan != null)
{ {
adminRole = authorityService.getName(AuthorityType.GROUP, FilePlanRoleService.ROLE_ADMIN + filePlan.getId()); adminRole = authorityService.getName(AuthorityType.GROUP,
FilePlanRoleService.ROLE_ADMIN + filePlan.getId());
} }
return adminRole; return adminRole;
} }
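Review bot: In the getReadersDenied hunks (`@@ -281,15 +265,9` and the one after it), the cache is read with `readersDeniedCache.get(aclId)` but written with `readersDeniedCache.put((Serializable) acl.getProperties(), denied)`, so the lookup key and the store key differ, and the reformat carries that through unchanged. Unless something outside this diff populates the cache by ACL id, the lookup presumably never hits and the denied set is rebuilt on every call; getReaders and getWriters both use `(Serializable) acl.getProperties()` for get and put. I would read with `readersDeniedCache.get((Serializable) acl.getProperties())` and wrap the stored value as getReaders does, `denied = Collections.unmodifiableSet(denied);`, so a caller cannot alter a cached deny list. The method's signature and the declaration of readersDeniedCache lie outside the hunks, so the intended key type should be confirmed first.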