Updates to the permission service to find nodes by permission assignment

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@6020 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

config/alfresco/public-services-security-context.xml

@@ -643,6 +643,10 @@
                 org.alfresco.service.cmr.security.PermissionService.setInheritParentPermissions=ACL_NODE.0.sys:base.ChangePermissions
                 org.alfresco.service.cmr.security.PermissionService.getInheritParentPermissions=ACL_ALLOW
                 org.alfresco.service.cmr.security.PermissionService.clearPermission=ACL_NODE.0.sys:base.ChangePermissions
+				org.alfresco.service.cmr.security.PermissionService.findNodesByAssignedPermission=ACL_METHOD.ROLE_ADMINISTRATOR
+				org.alfresco.service.cmr.security.PermissionService.findNodesByAssignedPermissionForTheCurrentUser=ACL_ALLOW
+				org.alfresco.service.cmr.security.PermissionService.getAllSetPermissions=ACL_METHOD.ROLE_ADMINISTRATOR
+				org.alfresco.service.cmr.security.PermissionService.getAllSetPermissionsForTheCurrentUser=ACL_ALLOW
             </value>
         </property>
     </bean>
@@ -672,6 +676,7 @@
                 org.alfresco.service.cmr.security.AuthorityService.getShortName=ACL_ALLOW
                 org.alfresco.service.cmr.security.AuthorityService.getName=ACL_ALLOW
                 org.alfresco.service.cmr.security.AuthorityService.authorityExists=ACL_METHOD.ROLE_ADMINISTRATOR
+				org.alfresco.service.cmr.security.AuthorityService.getAuthoritiesForUser=ACL_METHOD.ROLE_ADMINISTRATOR
             </value>
         </property>
     </bean>

source/java/org/alfresco/repo/domain/hibernate/Permission.hbm.xml

@@ -151,6 +151,29 @@
       where
          ace.authority.recipient = :authorityRecipient
    </query>
+	
+   <query name="permission.GetAllAccessControlEntriesForAuthority">
+      select
+         ace, acl, node
+      from  org.alfresco.repo.domain.hibernate.NodeImpl as node     
+	     join   node.accessControlList  as acl 
+	     join   acl.entries             as ace
+      where
+         ace.authority.recipient = :authorityRecipient
+   </query>
+	
+   <query name="permission.FindNodesByPermission">
+      select
+         ace, acl, node
+      from  org.alfresco.repo.domain.hibernate.NodeImpl as node     
+	     join   node.accessControlList  as acl 
+	     join   acl.entries             as ace
+      where
+         ace.authority.recipient = :authorityRecipient and
+	     ace.allowed = :allow and
+	     ace.permission.name = :permissionName and
+	     ace.permission.typeQname = :permissionTypeQname
+   </query>
    
    <query name="permission.patch.GetAccessControlEntriesToChangePermissionOn" >
       select

source/java/org/alfresco/repo/domain/hibernate/PermissionsDaoComponentImpl.java

@@ -26,6 +26,7 @@ package org.alfresco.repo.domain.hibernate;
 
 import java.util.Collection;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
@@ -36,9 +37,13 @@ import org.alfresco.repo.domain.DbAccessControlList;
 import org.alfresco.repo.domain.DbAuthority;
 import org.alfresco.repo.domain.DbPermission;
 import org.alfresco.repo.domain.DbPermissionKey;
+import org.alfresco.repo.domain.Node;
+import org.alfresco.repo.domain.NodeStatus;
 import org.alfresco.repo.security.permissions.NodePermissionEntry;
 import org.alfresco.repo.security.permissions.PermissionEntry;
 import org.alfresco.repo.security.permissions.PermissionReference;
+import org.alfresco.repo.security.permissions.impl.AccessPermissionImpl;
+import org.alfresco.repo.security.permissions.impl.PermissionReferenceImpl;
 import org.alfresco.repo.security.permissions.impl.PermissionsDaoComponent;
 import org.alfresco.repo.security.permissions.impl.SimpleNodePermissionEntry;
 import org.alfresco.repo.security.permissions.impl.SimplePermissionEntry;
@@ -46,31 +51,40 @@ import org.alfresco.repo.security.permissions.impl.SimplePermissionReference;
 import org.alfresco.repo.transaction.TransactionalDao;
 import org.alfresco.service.cmr.repository.InvalidNodeRefException;
 import org.alfresco.service.cmr.repository.NodeRef;
+import org.alfresco.service.cmr.security.AccessPermission;
 import org.alfresco.service.cmr.security.AccessStatus;
 import org.alfresco.service.namespace.QName;
 import org.alfresco.util.GUID;
 import org.hibernate.Query;
+import org.hibernate.ScrollMode;
+import org.hibernate.ScrollableResults;
 import org.hibernate.Session;
 import org.springframework.orm.hibernate3.HibernateCallback;
 import org.springframework.orm.hibernate3.support.HibernateDaoSupport;
 
 /**
- * Support for accessing persisted permission information.
+ * Support for accessing persisted permission information. This class maps between persisted objects and the external
- * 
+ * API defined in the PermissionsDAO interface.
- * This class maps between persisted objects and the external API defined in the
- * PermissionsDAO interface.
  * 
  * @author andyh
  */
-public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements PermissionsDaoComponent, TransactionalDao
+public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements PermissionsDaoComponent,
+        TransactionalDao
 {
     private static final boolean INHERIT_PERMISSIONS_DEFAULT = true;
+
     public static final String QUERY_GET_PERMISSION = "permission.GetPermission";
+
     public static final String QUERY_GET_AC_ENTRIES_FOR_AUTHORITY = "permission.GetAccessControlEntriesForAuthority";
+
+    public static final String QUERY_GET_ALL_AC_ENTRIES_FOR_AUTHORITY = "permission.GetAllAccessControlEntriesForAuthority";
+
     public static final String QUERY_GET_AC_ENTRIES_FOR_PERMISSION = "permission.GetAccessControlEntriesForPermission";
-    
+
+    public static final String QUERY_FIND_NODES_BY_PERMISSION = "permission.FindNodesByPermission";
+
     private Map<String, AccessControlListDAO> fProtocolToACLDAO;
-    
+
     private AccessControlListDAO fDefaultACLDAO;
 
     /** a uuid identifying this unique instance */
@@ -100,7 +114,7 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
         PermissionsDaoComponentImpl that = (PermissionsDaoComponentImpl) obj;
         return this.uuid.equals(that.uuid);
     }
-    
+
     /**
      * @see #uuid
      */
@@ -110,8 +124,7 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
     }
 
     /**
-     * Does this <tt>Session</tt> contain any changes which must be
+     * Does this <tt>Session</tt> contain any changes which must be synchronized with the store?
-     * synchronized with the store?
      * 
      * @return true => changes are pending
      */
@@ -126,7 +139,7 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
             }
         };
         // execute the callback
-        return ((Boolean)getHibernateTemplate().execute(callback)).booleanValue();
+        return ((Boolean) getHibernateTemplate().execute(callback)).booleanValue();
     }
 
     /**
@@ -136,12 +149,12 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
     {
         getSession().flush();
     }
-        
+
     public void setProtocolToACLDAO(Map<String, AccessControlListDAO> map)
     {
         fProtocolToACLDAO = map;
     }
-    
+
     public void setDefaultACLDAO(AccessControlListDAO defaultACLDAO)
     {
         fDefaultACLDAO = defaultACLDAO;
@@ -166,10 +179,8 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
         if (acl == null)
         {
             // there isn't an access control list for the node - spoof a null one
-            SimpleNodePermissionEntry snpe = new SimpleNodePermissionEntry(
+            SimpleNodePermissionEntry snpe = new SimpleNodePermissionEntry(nodeRef, true, Collections
-                    nodeRef,
+                    .<SimplePermissionEntry> emptySet());
-                    true,
-                    Collections.<SimplePermissionEntry> emptySet());
             npe = snpe;
         }
         else
@@ -179,10 +190,7 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
         // done
         if (logger.isDebugEnabled())
         {
-            logger.debug(
+            logger.debug("Created access control list for node: \n" + "   node: " + nodeRef + "\n" + "   acl: " + npe);
-                    "Created access control list for node: \n" +
-                    "   node: " + nodeRef + "\n" +
-                    "   acl: " + npe);
         }
         return npe;
     }
@@ -190,14 +198,15 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
     /**
      * Get the persisted access control list or create it if required.
      * 
-     * @param nodeRef - the node for which to create the list
+     * @param nodeRef -
-     * @param create - create the object if it is missing
+     *            the node for which to create the list
+     * @param create -
+     *            create the object if it is missing
      * @return Returns the current access control list or null if not found
      */
     private DbAccessControlList getAccessControlList(NodeRef nodeRef, boolean create)
     {
-        DbAccessControlList acl = 
+        DbAccessControlList acl = getACLDAO(nodeRef).getAccessControlList(nodeRef);
-            getACLDAO(nodeRef).getAccessControlList(nodeRef);
         if (acl == null && create)
         {
             acl = createAccessControlList(nodeRef);
@@ -205,32 +214,27 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
         // done
         if (logger.isDebugEnabled())
         {
-            logger.debug("Retrieved access control list: \n" +
+            logger.debug("Retrieved access control list: \n" + "   node: " + nodeRef + "\n" + "   list: " + acl);
-                    "   node: " + nodeRef + "\n" +
-                    "   list: " + acl);
         }
         return acl;
     }
-    
+
     /**
-     * Creates an access control list for the node and removes the entry from
+     * Creates an access control list for the node and removes the entry from the nullPermsionCache.
-     * the nullPermsionCache.
      */
     private DbAccessControlList createAccessControlList(NodeRef nodeRef)
     {
         DbAccessControlList acl = new DbAccessControlListImpl();
         acl.setInherits(INHERIT_PERMISSIONS_DEFAULT);
         getHibernateTemplate().save(acl);
-        
+
         // maintain inverse
         getACLDAO(nodeRef).setAccessControlList(nodeRef, acl);
-        
+
         // done
         if (logger.isDebugEnabled())
         {
-            logger.debug("Created Access Control List: \n" +
+            logger.debug("Created Access Control List: \n" + "   node: " + nodeRef + "\n" + "   list: " + acl);
-                    "   node: " + nodeRef + "\n" +
-                    "   list: " + acl);
         }
         return acl;
     }
@@ -241,7 +245,7 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
         try
         {
             acl = getAccessControlList(nodeRef, false);
-    }
+        }
         catch (InvalidNodeRefException e)
         {
             return;
@@ -258,14 +262,13 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
     @SuppressWarnings("unchecked")
     public void deletePermissions(final String authority)
     {
-        // get the authority 
+        // get the authority
         HibernateCallback callback = new HibernateCallback()
         {
             public Object doInHibernate(Session session)
             {
-                Query query = session
+                Query query = session.getNamedQuery(QUERY_GET_AC_ENTRIES_FOR_AUTHORITY).setString("authorityRecipient",
-                        .getNamedQuery(QUERY_GET_AC_ENTRIES_FOR_AUTHORITY)
+                        authority);
-                        .setString("authorityRecipient", authority);
                 return (Integer) HibernateHelper.deleteDbAccessControlEntries(session, query);
             }
         };
@@ -296,16 +299,15 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
         // done
         if (logger.isDebugEnabled())
         {
-            logger.debug("Deleted " + deletedCount + "entries for criteria: \n" +
+            logger.debug("Deleted "
-                    "   node: " + nodeRef + "\n" +
+                    + deletedCount + "entries for criteria: \n" + "   node: " + nodeRef + "\n" + "   authority: "
-                    "   authority: " + authority);
+                    + authority);
         }
     }
 
     /**
-     * Deletes all permission entries (access control list entries) that match
+     * Deletes all permission entries (access control list entries) that match the given criteria. Note that the access
-     * the given criteria.  Note that the access control list for the node is
+     * control list for the node is not deleted.
-     * not deleted.
      */
     public void deletePermission(NodeRef nodeRef, String authority, PermissionReference permission)
     {
@@ -327,10 +329,9 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
         // done
         if (logger.isDebugEnabled())
         {
-            logger.debug("Deleted " + deletedCount + "entries for criteria: \n" +
+            logger.debug("Deleted "
-                    "   node: " + nodeRef + "\n" +
+                    + deletedCount + "entries for criteria: \n" + "   node: " + nodeRef + "\n" + "   permission: "
-                    "   permission: " + permission + "\n" +
+                    + permission + "\n" + "   authority: " + authority);
-                    "   authority: " + authority);
         }
     }
 
@@ -362,17 +363,17 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
             }
         }
     }
-    
+
     /**
-     * @param nodeRef the node against which to join
+     * @param nodeRef
-     * @param authority the authority against which to join
+     *            the node against which to join
-     * @param perm the permission against which to join
+     * @param authority
+     *            the authority against which to join
+     * @param perm
+     *            the permission against which to join
      * @return Returns all access control entries that match the criteria
      */
-    private DbAccessControlEntry getAccessControlEntry(
+    private DbAccessControlEntry getAccessControlEntry(NodeRef nodeRef, String authority, PermissionReference permission)
-            NodeRef nodeRef,
-            String authority,
-            PermissionReference permission)
     {
         DbAccessControlList acl = getAccessControlList(nodeRef, false);
         DbAccessControlEntry entry = null;
@@ -384,10 +385,9 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
         // done
         if (logger.isDebugEnabled())
         {
-            logger.debug("" + (entry == null ? "Did not find" : "Found") + " entry for criteria: \n" +
+            logger.debug(""
-                    "   node: " + nodeRef + "\n" +
+                    + (entry == null ? "Did not find" : "Found") + " entry for criteria: \n" + "   node: " + nodeRef
-                    "   authority: " + authority + "\n" +
+                    + "\n" + "   authority: " + authority + "\n" + "   permission: " + permission);
-                    "   permission: " + permission);
         }
         return entry;
     }
@@ -419,7 +419,7 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
         final QName qname = permissionRef.getQName();
         final String name = permissionRef.getName();
         Session session = getSession();
-        
+
         DbPermission dbPermission = DbPermissionImpl.find(session, qname, name);
 
         // create if necessary
@@ -435,11 +435,8 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
 
     public void setPermission(PermissionEntry permissionEntry)
     {
-        setPermission(
+        setPermission(permissionEntry.getNodeRef(), permissionEntry.getAuthority(), permissionEntry
-                permissionEntry.getNodeRef(),
+                .getPermissionReference(), permissionEntry.isAllowed());
-                permissionEntry.getAuthority(),
-                permissionEntry.getPermissionReference(),
-                permissionEntry.isAllowed());
     }
 
     public void setPermission(NodePermissionEntry nodePermissionEntry)
@@ -447,7 +444,7 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
         NodeRef nodeRef = nodePermissionEntry.getNodeRef();
 
         // Get the access control list
-        //   Note the logic here requires to know whether it was created or not
+        // Note the logic here requires to know whether it was created or not
         DbAccessControlList acl = getAccessControlList(nodeRef, false);
         if (acl != null)
         {
@@ -495,7 +492,7 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
             }
         }
     }
-    
+
     public boolean getInheritParentPermissions(NodeRef nodeRef)
     {
         DbAccessControlList acl = null;
@@ -522,33 +519,29 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
 
     private SimpleNodePermissionEntry createSimpleNodePermissionEntry(NodeRef nodeRef)
     {
-        DbAccessControlList acl = 
+        DbAccessControlList acl = getACLDAO(nodeRef).getAccessControlList(nodeRef);
-            getACLDAO(nodeRef).getAccessControlList(nodeRef);
         if (acl == null)
         {
             // there isn't an access control list for the node - spoof a null one
-            SimpleNodePermissionEntry snpe = new SimpleNodePermissionEntry(
+            SimpleNodePermissionEntry snpe = new SimpleNodePermissionEntry(nodeRef, true, Collections
-                    nodeRef,
+                    .<SimplePermissionEntry> emptySet());
-                    true,
-                    Collections.<SimplePermissionEntry> emptySet());
             return snpe;
         }
         else
         {
             Set<DbAccessControlEntry> entries = acl.getEntries();
-            SimpleNodePermissionEntry snpe = new SimpleNodePermissionEntry(
+            SimpleNodePermissionEntry snpe = new SimpleNodePermissionEntry(nodeRef, acl.getInherits(),
-                    nodeRef,
-                    acl.getInherits(),
                     createSimplePermissionEntries(nodeRef, entries));
             return snpe;
         }
     }
 
     /**
-     * @param entries access control entries
+     * @param entries
+     *            access control entries
      * @return Returns a unique set of entries that can be given back to the outside world
      */
-    private Set<SimplePermissionEntry> createSimplePermissionEntries(NodeRef nodeRef, 
+    private Set<SimplePermissionEntry> createSimplePermissionEntries(NodeRef nodeRef,
             Collection<DbAccessControlEntry> entries)
     {
         if (entries == null)
@@ -566,18 +559,14 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
         return spes;
     }
 
-    private static SimplePermissionEntry createSimplePermissionEntry(NodeRef nodeRef, 
+    private static SimplePermissionEntry createSimplePermissionEntry(NodeRef nodeRef, DbAccessControlEntry ace)
-            DbAccessControlEntry ace)
     {
         if (ace == null)
         {
             return null;
         }
-        return new SimplePermissionEntry(
+        return new SimplePermissionEntry(nodeRef, createSimplePermissionReference(ace.getPermission()), ace
-                nodeRef,
+                .getAuthority().getRecipient(), ace.isAllowed() ? AccessStatus.ALLOWED : AccessStatus.DENIED);
-                createSimplePermissionReference(ace.getPermission()),
-                ace.getAuthority().getRecipient(),
-                ace.isAllowed() ? AccessStatus.ALLOWED : AccessStatus.DENIED);
     }
 
     private static SimplePermissionReference createSimplePermissionReference(DbPermission perm)
@@ -586,14 +575,14 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
         {
             return null;
         }
-        return new SimplePermissionReference(
+        return new SimplePermissionReference(perm.getTypeQname(), perm.getName());
-                perm.getTypeQname(),
-                perm.getName());
     }
-    
+
     /**
      * Helper to choose appropriate NodeService for the given NodeRef
-     * @param nodeRef The NodeRef to dispatch from.
+     * 
+     * @param nodeRef
+     *            The NodeRef to dispatch from.
      * @return The appropriate NodeService.
      */
     private AccessControlListDAO getACLDAO(NodeRef nodeRef)
@@ -605,4 +594,80 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
         }
         return ret;
     }
+
+    @SuppressWarnings("unchecked")
+    public Map<NodeRef, Set<AccessPermission>> getAllSetPermissions(final String authority)
+    {
+        // get the authority
+        HibernateCallback callback = new HibernateCallback()
+        {
+            public Object doInHibernate(Session session)
+            {
+                Query query = session.getNamedQuery(QUERY_GET_ALL_AC_ENTRIES_FOR_AUTHORITY).setString(
+                        "authorityRecipient", authority);
+
+                Map<NodeRef, Set<AccessPermission>> result = new HashMap<NodeRef, Set<AccessPermission>>();
+
+                ScrollableResults entities = query.scroll(ScrollMode.FORWARD_ONLY);
+                while (entities.next())
+                {
+                    DbAccessControlEntry entry = (DbAccessControlEntry) entities.get(0);
+                    // DbAccessControlList acl = (DbAccessControlList) entities.get(1);
+                    Node node = (Node) entities.get(2);
+                    DbPermission dbPermission = entry.getPermission();
+                    PermissionReferenceImpl pr = new PermissionReferenceImpl(dbPermission.getTypeQname(), dbPermission
+                            .getName());
+                    AccessStatus accessStatus = entry.isAllowed() ? AccessStatus.ALLOWED : AccessStatus.DENIED;
+                    AccessPermission ap = new AccessPermissionImpl(pr.toString(), accessStatus, entry.getAuthority()
+                            .getRecipient());
+                    NodeRef nodeRef = node.getNodeRef();
+                    Set<AccessPermission> nodeSet = result.get(nodeRef);
+                    if (nodeSet == null)
+                    {
+                        nodeSet = new HashSet<AccessPermission>();
+                        result.put(nodeRef, nodeSet);
+                    }
+                    nodeSet.add(ap);
+                }
+
+                return result;
+            }
+        };
+        return (Map<NodeRef, Set<AccessPermission>>) getHibernateTemplate().execute(callback);
+
+    }
+
+    public Set<NodeRef> findNodeByPermission(final String authority, final PermissionReference permission, final boolean allow)
+    {
+        // get the authority
+        HibernateCallback callback = new HibernateCallback()
+        {
+            public Object doInHibernate(Session session)
+            {
+                Query query = session.getNamedQuery(QUERY_FIND_NODES_BY_PERMISSION).setString(
+                        "authorityRecipient", authority).setBoolean("allow", allow).setString("permissionName", permission.getName()).setString("permissionTypeQname", permission.getQName().toString());
+
+                Set<NodeRef> result = new HashSet<NodeRef>();
+
+                ScrollableResults entities = query.scroll(ScrollMode.FORWARD_ONLY);
+                while (entities.next())
+                {
+                    DbAccessControlEntry entry = (DbAccessControlEntry) entities.get(0);
+                    // DbAccessControlList acl = (DbAccessControlList) entities.get(1);
+                    Node node = (Node) entities.get(2);
+                    DbPermission dbPermission = entry.getPermission();
+                    PermissionReferenceImpl pr = new PermissionReferenceImpl(dbPermission.getTypeQname(), dbPermission
+                            .getName());
+                    AccessStatus accessStatus = entry.isAllowed() ? AccessStatus.ALLOWED : AccessStatus.DENIED;
+                    AccessPermission ap = new AccessPermissionImpl(pr.toString(), accessStatus, entry.getAuthority()
+                            .getRecipient());
+                    NodeRef nodeRef = node.getNodeRef();
+                    result.add(nodeRef);
+                }
+
+                return result;
+            }
+        };
+        return (Set<NodeRef>) getHibernateTemplate().execute(callback);
+    }
 }

source/java/org/alfresco/repo/security/authority/AuthorityServiceImpl.java

@@ -126,8 +126,13 @@ public class AuthorityServiceImpl implements AuthorityService
 
     public Set<String> getAuthorities()
     {
-        Set<String> authorities = new HashSet<String>();
         String currentUserName = authenticationComponent.getCurrentUserName();
+        return getAuthoritiesForUser(currentUserName);
+    }
+
+    public Set<String> getAuthoritiesForUser(String currentUserName)
+    {
+        Set<String> authorities = new HashSet<String>();
         if (adminUsers.contains(currentUserName))
         {
             authorities.addAll(adminSet);
@@ -139,7 +144,7 @@ public class AuthorityServiceImpl implements AuthorityService
         authorities.addAll(getContainingAuthorities(null, currentUserName, false));
         return authorities;
     }
-
+    
     public Set<String> getAllAuthorities(AuthorityType type)
     {
         Set<String> authorities = new HashSet<String>();

source/java/org/alfresco/repo/security/authority/SimpleAuthorityServiceImpl.java

@@ -233,4 +233,18 @@ public class SimpleAuthorityServiceImpl implements AuthorityService
         return false;
     }
 
+    public Set<String> getAuthoritiesForUser(String currentUserName)
+    {
+        Set<String> authorities = new HashSet<String>();
+        if (adminUsers.contains(currentUserName))
+        {
+            authorities.addAll(adminSet);
+        }
+        if(AuthorityType.getAuthorityType(currentUserName) != AuthorityType.GUEST)
+        {
+           authorities.addAll(allSet);
+        }
+        return authorities;
+    }
+
 }

source/java/org/alfresco/repo/security/permissions/impl/AccessPermissionImpl.java

@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) 2005-2007 Alfresco Software Limited.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+ * As a special exception to the terms and conditions of version 2.0 of 
+ * the GPL, you may redistribute this Program in connection with Free/Libre 
+ * and Open Source Software ("FLOSS") applications as described in Alfresco's 
+ * FLOSS exception.  You should have recieved a copy of the text describing 
+ * the FLOSS exception, and it is also available here: 
+ * http://www.alfresco.com/legal/licensing"
+ */
+package org.alfresco.repo.security.permissions.impl;
+
+import org.alfresco.service.cmr.security.AccessPermission;
+import org.alfresco.service.cmr.security.AccessStatus;
+import org.alfresco.service.cmr.security.AuthorityType;
+
+/**
+ * Standard implementation for access permission info
+ * @author andyh
+ *
+ */
+public class AccessPermissionImpl implements AccessPermission
+{
+    private String permission;
+
+    private AccessStatus accessStatus;
+
+    private String authority;
+
+    private AuthorityType authorityType;
+
+    public AccessPermissionImpl(String permission, AccessStatus accessStatus, String authority)
+    {
+        this.permission = permission;
+        this.accessStatus = accessStatus;
+        this.authority = authority;
+        this.authorityType = AuthorityType.getAuthorityType(authority);
+    }
+
+    public String getPermission()
+    {
+        return permission;
+    }
+
+    public AccessStatus getAccessStatus()
+    {
+        return accessStatus;
+    }
+
+    public String getAuthority()
+    {
+        return authority;
+    }
+
+    public AuthorityType getAuthorityType()
+    {
+        return authorityType;
+    }
+
+    @Override
+    public String toString()
+    {
+        return accessStatus + " " + this.permission + " - " + this.authority + " (" + this.authorityType + ")";
+    }
+
+    @Override
+    public boolean equals(Object o)
+    {
+        if (this == o)
+        {
+            return true;
+        }
+        if (!(o instanceof AccessPermissionImpl))
+        {
+            return false;
+        }
+        AccessPermissionImpl other = (AccessPermissionImpl) o;
+        return this.getPermission().equals(other.getPermission())
+                && (this.getAccessStatus() == other.getAccessStatus() && (this.getAccessStatus().equals(other
+                        .getAccessStatus())));
+    }
+
+    @Override
+    public int hashCode()
+    {
+        return ((authority.hashCode() * 37) + permission.hashCode()) * 37 + accessStatus.hashCode();
+    }
+}

source/java/org/alfresco/repo/security/permissions/impl/PermissionServiceImpl.java

@@ -28,6 +28,7 @@ import java.io.Serializable;
 import java.util.HashSet;
 import java.util.LinkedHashSet;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 
 import net.sf.acegisecurity.Authentication;
@@ -52,7 +53,6 @@ import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.security.AccessPermission;
 import org.alfresco.service.cmr.security.AccessStatus;
 import org.alfresco.service.cmr.security.AuthorityService;
-import org.alfresco.service.cmr.security.AuthorityType;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.namespace.NamespaceService;
 import org.alfresco.service.namespace.QName;
@@ -280,74 +280,6 @@ public class PermissionServiceImpl implements PermissionServiceSPI, Initializing
         return accessPermissions;
     }
 
-    private class AccessPermissionImpl implements AccessPermission
-    {
-        private String permission;
-
-        private AccessStatus accessStatus;
-
-        private String authority;
-
-        private AuthorityType authorityType;
-
-        AccessPermissionImpl(String permission, AccessStatus accessStatus, String authority)
-        {
-            this.permission = permission;
-            this.accessStatus = accessStatus;
-            this.authority = authority;
-            this.authorityType = AuthorityType.getAuthorityType(authority);
-        }
-
-        public String getPermission()
-        {
-            return permission;
-        }
-
-        public AccessStatus getAccessStatus()
-        {
-            return accessStatus;
-        }
-
-        public String getAuthority()
-        {
-            return authority;
-        }
-
-        public AuthorityType getAuthorityType()
-        {
-            return authorityType;
-        }
-
-        @Override
-        public String toString()
-        {
-            return accessStatus + " " + this.permission + " - " + this.authority + " (" + this.authorityType + ")";
-        }
-
-        @Override
-        public boolean equals(Object o)
-        {
-            if (this == o)
-            {
-                return true;
-            }
-            if (!(o instanceof AccessPermissionImpl))
-            {
-                return false;
-            }
-            AccessPermissionImpl other = (AccessPermissionImpl) o;
-            return this.getPermission().equals(other.getPermission())
-                    && (this.getAccessStatus() == other.getAccessStatus() && (this.getAccessStatus().equals(other
-                            .getAccessStatus())));
-        }
-
-        @Override
-        public int hashCode()
-        {
-            return ((authority.hashCode() * 37) + permission.hashCode()) * 37 + accessStatus.hashCode();
-        }
-    }
-
     public Set<String> getSettablePermissions(NodeRef nodeRef)
     {
         Set<PermissionReference> settable = getSettablePermissionReferences(nodeRef);
@@ -495,13 +427,16 @@ public class PermissionServiceImpl implements PermissionServiceSPI, Initializing
         {
             auths.add(authority.getAuthority());
         }
-        if (dynamicAuthorities != null)
+        if (nodeRef != null)
         {
-            for (DynamicAuthority da : dynamicAuthorities)
+            if (dynamicAuthorities != null)
             {
-                if (da.hasAuthority(nodeRef, user.getUsername()))
+                for (DynamicAuthority da : dynamicAuthorities)
                 {
-                    auths.add(da.getAuthority());
+                    if (da.hasAuthority(nodeRef, user.getUsername()))
+                    {
+                        auths.add(da.getAuthority());
+                    }
                 }
             }
         }
@@ -698,7 +633,8 @@ public class PermissionServiceImpl implements PermissionServiceSPI, Initializing
             // Set the required node permissions
             if (required.equals(getPermissionReference(ALL_PERMISSIONS)))
             {
-                nodeRequirements = modelDAO.getRequiredPermissions(getPermissionReference(PermissionService.FULL_CONTROL), typeQName, aspectQNames,
+                nodeRequirements = modelDAO.getRequiredPermissions(
+                        getPermissionReference(PermissionService.FULL_CONTROL), typeQName, aspectQNames,
                         RequiredPermission.On.NODE);
             }
             else
@@ -1199,4 +1135,56 @@ public class PermissionServiceImpl implements PermissionServiceSPI, Initializing
             return value;
         }
     }
+
+    public Map<NodeRef, Set<AccessPermission>> getAllSetPermissionsForTheCurrentUser()
+    {
+        String currentUser = authenticationComponent.getCurrentUserName();
+        return getAllSetPermissions(currentUser);
+    }
+
+    public Map<NodeRef, Set<AccessPermission>> getAllSetPermissions(String authority)
+    {
+        return permissionsDaoComponent.getAllSetPermissions(authority);
+    }
+
+    public Set<NodeRef> findNodesByAssignedPermissionForTheCurrentUser(String permission, boolean allow, boolean includeContainingAuthorities,
+            boolean exactPermissionMatch)
+    {
+        String currentUser = authenticationComponent.getCurrentUserName();
+        return findNodesByAssignedPermission(currentUser, permission, allow, includeContainingAuthorities, exactPermissionMatch);
+    }
+
+    public Set<NodeRef> findNodesByAssignedPermission(String authority, String permission, boolean allow,
+            boolean includeContainingAuthorities, boolean includeContainingPermissions)
+    {
+        // TODO: owned nodes and add owner rights ??
+        // Does not include dynamic permissions (they would have to be done by query - e.g. owership and OWNER rights)
+        // Does not include ACEGI auth object authorities
+        Set<String> authorities = new HashSet<String>();
+        authorities.add(authority);
+        if (includeContainingAuthorities)
+        {
+            authorities.addAll(authorityService.getAuthoritiesForUser(authority));
+        }
+
+        HashSet<NodeRef> answer = new HashSet<NodeRef>();
+
+        PermissionReference pr = getPermissionReference(permission);
+        Set<PermissionReference> permissions = new HashSet<PermissionReference>();
+        permissions.add(pr);
+
+        if (includeContainingPermissions)
+        {
+            permissions.addAll(modelDAO.getGrantingPermissions(pr));
+        }
+
+        for (PermissionReference perm : permissions)
+        {
+            for (String auth : authorities)
+            {
+                answer.addAll(permissionsDaoComponent.findNodeByPermission(auth, perm, allow));
+            }
+        }
+        return answer;
+    }
 }

source/java/org/alfresco/repo/security/permissions/impl/PermissionsDaoComponent.java

@@ -24,10 +24,14 @@
  */
 package org.alfresco.repo.security.permissions.impl;
 
+import java.util.Map;
+import java.util.Set;
+
 import org.alfresco.repo.security.permissions.NodePermissionEntry;
 import org.alfresco.repo.security.permissions.PermissionEntry;
 import org.alfresco.repo.security.permissions.PermissionReference;
 import org.alfresco.service.cmr.repository.NodeRef;
+import org.alfresco.service.cmr.security.AccessPermission;
 
 /**
  * The API for accessing persisted Alfresco permissions.
@@ -116,4 +120,21 @@ public interface PermissionsDaoComponent
      * @return inheritParentPermissions
      */
     public boolean getInheritParentPermissions(NodeRef nodeRef);
+
+    /** 
+     * Get all the permissions set for the given authority
+     * 
+     * @param authority
+     * @return - the permissions set on all nodes for the given authority.
+     */
+    public Map<NodeRef, Set<AccessPermission>> getAllSetPermissions(String authority);
+
+    /**
+     * Find nodes which have the given permisson for the given authority
+     * @param authority - the authority to match
+     * @param permission - the permission to match
+     * @param allow - true to match allow, false to match deny
+     * @return - the set of matching nodes
+     */
+    public Set<NodeRef> findNodeByPermission(String authority, PermissionReference permission, boolean allow);
 }

source/java/org/alfresco/repo/security/permissions/noop/PermissionServiceNOOPImpl.java

@@ -24,7 +24,9 @@
  */
 package org.alfresco.repo.security.permissions.noop;
 
+import java.util.Collections;
 import java.util.HashSet;
+import java.util.Map;
 import java.util.Set;
 
 import org.alfresco.repo.security.permissions.NodePermissionEntry;
@@ -224,4 +226,24 @@ public class PermissionServiceNOOPImpl
     {
         throw new UnsupportedOperationException();
     }
+
+    public Map<NodeRef, Set<AccessPermission>> getAllSetPermissionsForTheCurrentUser()
+    {
+        return Collections.<NodeRef, Set<AccessPermission>>emptyMap();
+    }
+
+    public Map<NodeRef, Set<AccessPermission>> getAllSetPermissions(String authority)
+    {
+        return Collections.<NodeRef, Set<AccessPermission>>emptyMap();
+    }
+
+    public Set<NodeRef> findNodesByAssignedPermissionForTheCurrentUser(String permission, boolean allow, boolean includeContainingAuthorities, boolean exactPermissionMatch)
+    {
+        return Collections.<NodeRef>emptySet();
+    }
+
+    public Set<NodeRef> findNodesByAssignedPermission(String authority, String permission, boolean allow, boolean includeContainingAuthorities, boolean exactPermissionMatch)
+    {
+        return Collections.<NodeRef>emptySet();
+    }
 }

source/java/org/alfresco/service/cmr/security/AuthorityService.java

@@ -75,6 +75,12 @@ public interface AuthorityService
     @Auditable
     public Set<String> getAuthorities();
 
+    /**
+     * Get the authorities for the given user
+     */
+    @Auditable(parameters = {"userName"})
+    public Set<String> getAuthoritiesForUser(String userName);
+    
     /**
      * Get all authorities by type.
      * 

source/java/org/alfresco/service/cmr/security/PermissionService.java

@@ -24,43 +24,67 @@
  */
 package org.alfresco.service.cmr.security;
 
+import java.util.Map;
 import java.util.Set;
 
 import org.alfresco.service.Auditable;
 import org.alfresco.service.PublicService;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.namespace.QName;
+import org.apache.axis.wsdl.symbolTable.Parameters;
 
 /**
- * The public API for a permission service
+ * The public API for a permission service The implementation may be changed in the application configuration
- * 
- * The implementation may be changed in the application configuration
  * 
  * @author Andy Hind
  */
 @PublicService
 public interface PermissionService
 {
+    /**
+     * Prefixes used for authorities of type role. This is intended for external roles, e.g. those set by ACEGI
+     * implementations It is only used for admin at the moment - which is done outside the usual permission assignments
+     * at the moment. It could be a dynamic authority.
+     */
     public static final String ROLE_PREFIX = "ROLE_";
-    
+
+    /**
+     * Prefix used for authorities of type group.
+     */
     public static final String GROUP_PREFIX = "GROUP_";
-    
+
-    
+    /**
-    
+     * The group that contains everyone except guest.
+     */
     public static final String ALL_AUTHORITIES = "GROUP_EVERYONE";
 
+    /**
+     * The dynamic authority used for ownership
+     */
     public static final String OWNER_AUTHORITY = "ROLE_OWNER";
-    
+
+    /**
+     * The dynamic authority used for the ownership of locks.
+     */
     public static final String LOCK_OWNER_AUTHORITY = "ROLE_LOCK_OWNER";
-    
+
+    /**
+     * The admin authority - currently a role.
+     */
     public static final String ADMINISTRATOR_AUTHORITY = "ROLE_ADMINISTRATOR";
 
+    /**
+     * The guest authority
+     */
     public static final String GUEST_AUTHORITY = "guest";
-    
+
-    
+    /**
-    
+     * The permission for all - not defined in the model. Repsected in the code.
+     */
     public static final String ALL_PERMISSIONS = "All";
-    
+
+    // Constants for permissions/permission groups defined in the standard permission model.
+
     public static final String FULL_CONTROL = "FullControl";
 
     public static final String READ = "Read";
@@ -114,15 +138,15 @@ public interface PermissionService
     public static final String EDITOR = "Editor";
 
     public static final String CONSUMER = "Consumer";
-    
+
     public static final String LOCK = "Lock";
-    
+
     public static final String UNLOCK = "Unlock";
-    
+
     public static final String CHECK_OUT = "CheckOut";
-    
+
     public static final String CHECK_IN = "CheckIn";
-    
+
     public static final String CANCEL_CHECK_OUT = "CancelCheckOut";
 
     /**
@@ -150,25 +174,23 @@ public interface PermissionService
     public String getAllPermission();
 
     /**
-     * Get all the AccessPermissions that are granted/denied to the current
+     * Get all the AccessPermissions that are granted/denied to the current authentication for the given node
-     * authentication for the given node
      * 
      * @param nodeRef -
      *            the reference to the node
      * @return the set of allowed permissions
      */
-    @Auditable(key = Auditable.Key.ARG_0, parameters = {"nodeRef"})
+    @Auditable(key = Auditable.Key.ARG_0, parameters = { "nodeRef" })
     public Set<AccessPermission> getPermissions(NodeRef nodeRef);
 
     /**
-     * Get all the AccessPermissions that are set for anyone for the
+     * Get all the AccessPermissions that are set for anyone for the given node
-     * given node
      * 
      * @param nodeRef -
      *            the reference to the node
      * @return the set of allowed permissions
      */
-    @Auditable(key = Auditable.Key.ARG_0, parameters = {"nodeRef"})
+    @Auditable(key = Auditable.Key.ARG_0, parameters = { "nodeRef" })
     public Set<AccessPermission> getAllSetPermissions(NodeRef nodeRef);
 
     /**
@@ -177,27 +199,27 @@ public interface PermissionService
      * @param nodeRef
      * @return
      */
-    @Auditable(key = Auditable.Key.ARG_0, parameters = {"nodeRef"})
+    @Auditable(key = Auditable.Key.ARG_0, parameters = { "nodeRef" })
     public Set<String> getSettablePermissions(NodeRef nodeRef);
 
     /**
      * Get the permissions that can be set for a given type
      * 
-     * @param nodeRef
+     * @param type
-     * @return
+     * @return - set of permissions
      */
-    @Auditable(parameters = {"type"})
+    @Auditable(parameters = { "type" })
     public Set<String> getSettablePermissions(QName type);
 
     /**
-     * Check that the given authentication has a particular permission for the
+     * Check that the given authentication has a particular permission for the given node. (The default behaviour is to
-     * given node. (The default behaviour is to inherit permissions)
+     * inherit permissions)
      * 
      * @param nodeRef
      * @param permission
-     * @return
+     * @return - access status
      */
-    @Auditable(key = Auditable.Key.ARG_0, parameters = {"nodeRef", "permission"})
+    @Auditable(key = Auditable.Key.ARG_0, parameters = { "nodeRef", "permission" })
     public AccessStatus hasPermission(NodeRef nodeRef, String permission);
 
     /**
@@ -205,34 +227,36 @@ public interface PermissionService
      * 
      * @param nodeRef
      */
-    @Auditable(key = Auditable.Key.ARG_0, parameters = {"nodeRef"})
+    @Auditable(key = Auditable.Key.ARG_0, parameters = { "nodeRef" })
     public void deletePermissions(NodeRef nodeRef);
 
     /**
      * Delete all permission for the given authority.
      * 
      * @param nodeRef
-     * @param authority (if null then this will match all authorities)
+     * @param authority
+     *            (if null then this will match all authorities)
      */
-    @Auditable(key = Auditable.Key.ARG_0, parameters = {"nodeRef", "authority"})
+    @Auditable(key = Auditable.Key.ARG_0, parameters = { "nodeRef", "authority" })
     public void clearPermission(NodeRef nodeRef, String authority);
-    
+
     /**
-     * Find and delete a access control entry by node, authentication and permission.
+     * Find and delete a access control entry by node, authentication and permission. It is possible to delete
-     * 
-     * It is possible to delete 
      * <ol>
      * <li> a specific permission;
-     * <li> all permissions for an authority (if the permission is null); 
+     * <li> all permissions for an authority (if the permission is null);
-     * <li> entries for all authorities that have a specific permission (if the authority is null); and 
+     * <li> entries for all authorities that have a specific permission (if the authority is null); and
      * <li> all permissions set for the node (if both the permission and authority are null).
-     * </ol> 
+     * </ol>
      * 
-     * @param nodeRef the node that the entry applies to
+     * @param nodeRef
-     * @param authority the authority recipient (if null then this will match all authorities)
+     *            the node that the entry applies to
-     * @param permission the entry permission (if null then this will match all permissions)
+     * @param authority
+     *            the authority recipient (if null then this will match all authorities)
+     * @param permission
+     *            the entry permission (if null then this will match all permissions)
      */
-    @Auditable(key = Auditable.Key.ARG_0, parameters = {"nodeRef", "authority", "permission"})
+    @Auditable(key = Auditable.Key.ARG_0, parameters = { "nodeRef", "authority", "permission" })
     public void deletePermission(NodeRef nodeRef, String authority, String permission);
 
     /**
@@ -243,7 +267,7 @@ public interface PermissionService
      * @param permission
      * @param allow
      */
-    @Auditable(key = Auditable.Key.ARG_0, parameters = {"nodeRef", "authority", "permission", "allow"})
+    @Auditable(key = Auditable.Key.ARG_0, parameters = { "nodeRef", "authority", "permission", "allow" })
     public void setPermission(NodeRef nodeRef, String authority, String permission, boolean allow);
 
     /**
@@ -252,15 +276,67 @@ public interface PermissionService
      * @param nodeRef
      * @param inheritParentPermissions
      */
-    @Auditable(key = Auditable.Key.ARG_0, parameters = {"nodeRef", "inheritParentPermissions"})
+    @Auditable(key = Auditable.Key.ARG_0, parameters = { "nodeRef", "inheritParentPermissions" })
     public void setInheritParentPermissions(NodeRef nodeRef, boolean inheritParentPermissions);
-    
+
     /**
      * Return the global inheritance behaviour for permissions on a node.
      * 
      * @param nodeRef
      * @return inheritParentPermissions
      */
-    @Auditable(key = Auditable.Key.ARG_0, parameters = {"nodeRef"})
+    @Auditable(key = Auditable.Key.ARG_0, parameters = { "nodeRef" })
     public boolean getInheritParentPermissions(NodeRef nodeRef);
-}
+
+    /**
+     * Get all permissions set for the current user.
+     * 
+     * @return - A map of noderefs to permissions set
+     */
+    @Auditable
+    public Map<NodeRef, Set<AccessPermission>> getAllSetPermissionsForTheCurrentUser();
+
+    /**
+     * Get all the permissions set for the given authority
+     * 
+     * @param authority
+     * @return - A map of noderefs to permissions set
+     */
+    @Auditable(parameters = { "authority" })
+    public Map<NodeRef, Set<AccessPermission>> getAllSetPermissions(String authority);
+
+    /**
+     * Find all the nodes where the current user has explicitly been assigned the specified permission.
+     * 
+     * @param permission -
+     *            the permission to find
+     * @param allow
+     *            -search for allow (true) or deny
+     * @param includeContainingAuthorities -
+     *            include permissions for authorities that contain the current user in the list
+     * @param includeContainingPermissions -
+     *            true; do an exact match: false; search for any permission that woudl imply the one given
+     * @return - the set of nodes where the user is assigned the permission
+     */
+    @Auditable(parameters = { "permission", "allow", "includeContainingAuthorities", "includeContainingPermissions" })
+    public Set<NodeRef> findNodesByAssignedPermissionForTheCurrentUser(String permission, boolean allow, boolean includeContainingAuthorities,
+            boolean includeContainingPermissions);
+
+    /**
+     * Find all the nodes where the current user has explicitly been assigned the specified permission.
+     * 
+     * @param permission -
+     *            the permission to find
+     * @param allow
+     *            -search for allow (true) or deny
+     * @param includeContainingAuthorities -
+     *            include permissions for authorities that contain the current user in the list
+     * @param exactPermissionMatch -
+     *            true; do an exact match: false; search for any permission that woudl imply the one given
+     * @return - the set of nodes where the user is assigned the permission
+     */
+    @Auditable(parameters = { "authority", "permission", "allow", "includeContainingAuthorities",
+            "exactPermissionMatch" })
+    public Set<NodeRef> findNodesByAssignedPermission(String authority, String permission, boolean allow,
+            boolean includeContainingAuthorities, boolean exactPermissionMatch);
+}