inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-08-07 17:49:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix DM and RM afterInvocationProviders so both DM and RM permissions are not required. First cut of enforcement of create related capabilities. Added explicit abstain for RMVoter (equivalent to no RM entry condition)

Browse Source 
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@15145 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Andrew Hind
2009-07-11 13:47:35 +00:00
parent ab245dbced
commit ccb0df6159
1 changed files with 69 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

69
source/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryAfterInvocationProvider.java
View File

@@ -40,6 +40,7 @@ import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.ConfigAttribute;
import net.sf.acegisecurity.ConfigAttributeDefinition;
import net.sf.acegisecurity.afterinvocation.AfterInvocationProvider;
import net.sf.acegisecurity.vote.AccessDecisionVoter;
import org.alfresco.cmis.CMISResultSet;
import org.alfresco.repo.search.SimpleResultSetMetaData;
@@ -87,6 +88,10 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider,
private int maxPermissionChecks;
private long maxPermissionCheckTimeMillis;
private Set<QName> unfilteredForClassQNames = new HashSet<QName>();
private Set<String> unfilteredFor = null;
/**
* Default constructor
@@ -188,6 +193,15 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider,
this.maxPermissionCheckTimeMillis = maxPermissionCheckTimeMillis;
}
/**
* Types and aspects for which we will abstain on voting if they are present.
* @param abstainFor
*/
public void setUnfilteredFor(Set<String> unfilteredFor)
{
this.unfilteredFor = unfilteredFor;
}
public void afterPropertiesSet() throws Exception
{
if (permissionService == null)
@@ -202,6 +216,14 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider,
{
throw new IllegalArgumentException("There must be a node service");
}
if(unfilteredFor != null)
{
for(String qnameString : unfilteredFor)
{
QName qname = QName.resolveToQName(nspr, qnameString);
unfilteredForClassQNames.add(qname);
}
}
}
public Object decide(Authentication authentication, Object object, ConfigAttributeDefinition config, Object returnedObject) throws AccessDeniedException
@@ -343,6 +365,11 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider,
return null;
}
if(isUnfitered(returnedObject))
{
return returnedObject;
}
List<ConfigAttributeDefintion> supportedDefinitions = extractSupportedDefinitions(config);
if (supportedDefinitions.size() == 0)
@@ -373,9 +400,31 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider,
return returnedObject;
}
private boolean isUnfitered(NodeRef returnedObject)
{
if(unfilteredForClassQNames.size() > 0)
{
QName typeQName = nodeService.getType(returnedObject);
if(unfilteredForClassQNames.contains(typeQName))
{
return true;
}
Set<QName> aspectQNames = nodeService.getAspects(returnedObject);
for(QName abstain : unfilteredForClassQNames)
{
if(aspectQNames.contains(abstain))
{
return true;
}
}
}
return false;
}
private FileInfo decide(Authentication authentication, Object object, ConfigAttributeDefinition config, FileInfo returnedObject) throws AccessDeniedException
{
// Filter check done later
NodeRef nodeRef = returnedObject.getNodeRef();
// this is virtually equivalent to the noderef
decide(authentication, object, config, nodeRef);
@@ -430,6 +479,11 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider,
testNodeRef = ((ChildAssociationRef) returnedObject).getParentRef();
}
if(isUnfitered(testNodeRef))
{
continue;
}
if ((testNodeRef != null) && (permissionService.hasPermission(testNodeRef, cad.required.toString()) == AccessStatus.DENIED))
{
throw new AccessDeniedException("Access Denied");
@@ -545,6 +599,11 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider,
testNodeRef = returnedObject.getChildAssocRef(i).getParentRef();
}
if(isUnfitered(testNodeRef))
{
continue;
}
if (filteringResultSet.getIncluded(i) && (testNodeRef != null) && (permissionService.hasPermission(testNodeRef, cad.required.toString()) == AccessStatus.DENIED))
{
filteringResultSet.setIncluded(i, false);
@@ -686,6 +745,11 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider,
log.debug("\t" + cad.typeString + " test on " + testNodeRef + " from " + nextObject.getClass().getName());
}
if(isUnfitered(testNodeRef))
{
continue;
}
if (allowed && (testNodeRef != null) && (permissionService.hasPermission(testNodeRef, cad.required.toString()) == AccessStatus.DENIED))
{
allowed = false;
@@ -781,6 +845,11 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider,
log.debug("\t" + cad.typeString + " test on " + testNodeRef + " from " + current.getClass().getName());
}
if(isUnfitered(testNodeRef))
{
continue;
}
if (incudedSet.get(i) && (testNodeRef != null) && (permissionService.hasPermission(testNodeRef, cad.required.toString()) == AccessStatus.DENIED))
{
incudedSet.set(i, false);