inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-07-24 17:32:48 +00:00
Code Issues Packages Projects Releases Wiki Activity

Updates to the permission service to find nodes by permission assignment

Browse Source 
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@6020 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Andrew Hind
2007-06-19 15:08:15 +00:00
parent 0d81c6a30d
commit d8050806af
12 changed files with 1035 additions and 486 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
config/alfresco/public-services-security-context.xml
View File

@@ -643,6 +643,10 @@
org.alfresco.service.cmr.security.PermissionService.setInheritParentPermissions=ACL_NODE.0.sys:base.ChangePermissions
org.alfresco.service.cmr.security.PermissionService.getInheritParentPermissions=ACL_ALLOW
org.alfresco.service.cmr.security.PermissionService.clearPermission=ACL_NODE.0.sys:base.ChangePermissions
org.alfresco.service.cmr.security.PermissionService.findNodesByAssignedPermission=ACL_METHOD.ROLE_ADMINISTRATOR
org.alfresco.service.cmr.security.PermissionService.findNodesByAssignedPermissionForTheCurrentUser=ACL_ALLOW
org.alfresco.service.cmr.security.PermissionService.getAllSetPermissions=ACL_METHOD.ROLE_ADMINISTRATOR
org.alfresco.service.cmr.security.PermissionService.getAllSetPermissionsForTheCurrentUser=ACL_ALLOW
</value>
</property>
</bean>
@@ -672,6 +676,7 @@
org.alfresco.service.cmr.security.AuthorityService.getShortName=ACL_ALLOW
org.alfresco.service.cmr.security.AuthorityService.getName=ACL_ALLOW
org.alfresco.service.cmr.security.AuthorityService.authorityExists=ACL_METHOD.ROLE_ADMINISTRATOR
org.alfresco.service.cmr.security.AuthorityService.getAuthoritiesForUser=ACL_METHOD.ROLE_ADMINISTRATOR
</value>
</property>
</bean>

23
source/java/org/alfresco/repo/domain/hibernate/Permission.hbm.xml
View File

@@ -152,6 +152,29 @@
ace.authority.recipient = :authorityRecipient
</query>
<query name="permission.GetAllAccessControlEntriesForAuthority">
select
ace, acl, node
from org.alfresco.repo.domain.hibernate.NodeImpl as node
join node.accessControlList as acl
join acl.entries as ace
where
ace.authority.recipient = :authorityRecipient
</query>
<query name="permission.FindNodesByPermission">
select
ace, acl, node
from org.alfresco.repo.domain.hibernate.NodeImpl as node
join node.accessControlList as acl
join acl.entries as ace
where
ace.authority.recipient = :authorityRecipient and
ace.allowed = :allow and
ace.permission.name = :permissionName and
ace.permission.typeQname = :permissionTypeQname
</query>
<query name="permission.patch.GetAccessControlEntriesToChangePermissionOn" >
select
entry

221
source/java/org/alfresco/repo/domain/hibernate/PermissionsDaoComponentImpl.java
View File

@@ -26,6 +26,7 @@ package org.alfresco.repo.domain.hibernate;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
@@ -36,9 +37,13 @@ import org.alfresco.repo.domain.DbAccessControlList;
import org.alfresco.repo.domain.DbAuthority;
import org.alfresco.repo.domain.DbPermission;
import org.alfresco.repo.domain.DbPermissionKey;
import org.alfresco.repo.domain.Node;
import org.alfresco.repo.domain.NodeStatus;
import org.alfresco.repo.security.permissions.NodePermissionEntry;
import org.alfresco.repo.security.permissions.PermissionEntry;
import org.alfresco.repo.security.permissions.PermissionReference;
import org.alfresco.repo.security.permissions.impl.AccessPermissionImpl;
import org.alfresco.repo.security.permissions.impl.PermissionReferenceImpl;
import org.alfresco.repo.security.permissions.impl.PermissionsDaoComponent;
import org.alfresco.repo.security.permissions.impl.SimpleNodePermissionEntry;
import org.alfresco.repo.security.permissions.impl.SimplePermissionEntry;
@@ -46,29 +51,38 @@ import org.alfresco.repo.security.permissions.impl.SimplePermissionReference;
import org.alfresco.repo.transaction.TransactionalDao;
import org.alfresco.service.cmr.repository.InvalidNodeRefException;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.AccessPermission;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.namespace.QName;
import org.alfresco.util.GUID;
import org.hibernate.Query;
import org.hibernate.ScrollMode;
import org.hibernate.ScrollableResults;
import org.hibernate.Session;
import org.springframework.orm.hibernate3.HibernateCallback;
import org.springframework.orm.hibernate3.support.HibernateDaoSupport;
/**
* Support for accessing persisted permission information.
*
* This class maps between persisted objects and the external API defined in the
* PermissionsDAO interface.
* Support for accessing persisted permission information. This class maps between persisted objects and the external
* API defined in the PermissionsDAO interface.
*
* @author andyh
*/
public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements PermissionsDaoComponent, TransactionalDao
public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements PermissionsDaoComponent,
TransactionalDao
{
private static final boolean INHERIT_PERMISSIONS_DEFAULT = true;
public static final String QUERY_GET_PERMISSION = "permission.GetPermission";
public static final String QUERY_GET_AC_ENTRIES_FOR_AUTHORITY = "permission.GetAccessControlEntriesForAuthority";
public static final String QUERY_GET_ALL_AC_ENTRIES_FOR_AUTHORITY = "permission.GetAllAccessControlEntriesForAuthority";
public static final String QUERY_GET_AC_ENTRIES_FOR_PERMISSION = "permission.GetAccessControlEntriesForPermission";
public static final String QUERY_FIND_NODES_BY_PERMISSION = "permission.FindNodesByPermission";
private Map<String, AccessControlListDAO> fProtocolToACLDAO;
private AccessControlListDAO fDefaultACLDAO;
@@ -110,8 +124,7 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
}
/**
* Does this <tt>Session</tt> contain any changes which must be
* synchronized with the store?
* Does this <tt>Session</tt> contain any changes which must be synchronized with the store?
*
* @return true => changes are pending
*/
@@ -126,7 +139,7 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
}
};
// execute the callback
return ((Boolean)getHibernateTemplate().execute(callback)).booleanValue();
return ((Boolean) getHibernateTemplate().execute(callback)).booleanValue();
}
/**
@@ -166,10 +179,8 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
if (acl == null)
{
// there isn't an access control list for the node - spoof a null one
SimpleNodePermissionEntry snpe = new SimpleNodePermissionEntry(
nodeRef,
true,
Collections.<SimplePermissionEntry> emptySet());
SimpleNodePermissionEntry snpe = new SimpleNodePermissionEntry(nodeRef, true, Collections
.<SimplePermissionEntry> emptySet());
npe = snpe;
}
else
@@ -179,10 +190,7 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
// done
if (logger.isDebugEnabled())
{
logger.debug(
"Created access control list for node: \n" +
" node: " + nodeRef + "\n" +
" acl: " + npe);
logger.debug("Created access control list for node: \n" + " node: " + nodeRef + "\n" + " acl: " + npe);
}
return npe;
}
@@ -190,14 +198,15 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
/**
* Get the persisted access control list or create it if required.
*
* @param nodeRef - the node for which to create the list
* @param create - create the object if it is missing
* @param nodeRef -
* the node for which to create the list
* @param create -
* create the object if it is missing
* @return Returns the current access control list or null if not found
*/
private DbAccessControlList getAccessControlList(NodeRef nodeRef, boolean create)
{
DbAccessControlList acl =
getACLDAO(nodeRef).getAccessControlList(nodeRef);
DbAccessControlList acl = getACLDAO(nodeRef).getAccessControlList(nodeRef);
if (acl == null && create)
{
acl = createAccessControlList(nodeRef);
@@ -205,16 +214,13 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
// done
if (logger.isDebugEnabled())
{
logger.debug("Retrieved access control list: \n" +
" node: " + nodeRef + "\n" +
" list: " + acl);
logger.debug("Retrieved access control list: \n" + " node: " + nodeRef + "\n" + " list: " + acl);
}
return acl;
}
/**
* Creates an access control list for the node and removes the entry from
* the nullPermsionCache.
* Creates an access control list for the node and removes the entry from the nullPermsionCache.
*/
private DbAccessControlList createAccessControlList(NodeRef nodeRef)
{
@@ -228,9 +234,7 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
// done
if (logger.isDebugEnabled())
{
logger.debug("Created Access Control List: \n" +
" node: " + nodeRef + "\n" +
" list: " + acl);
logger.debug("Created Access Control List: \n" + " node: " + nodeRef + "\n" + " list: " + acl);
}
return acl;
}
@@ -263,9 +267,8 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
{
public Object doInHibernate(Session session)
{
Query query = session
.getNamedQuery(QUERY_GET_AC_ENTRIES_FOR_AUTHORITY)
.setString("authorityRecipient", authority);
Query query = session.getNamedQuery(QUERY_GET_AC_ENTRIES_FOR_AUTHORITY).setString("authorityRecipient",
authority);
return (Integer) HibernateHelper.deleteDbAccessControlEntries(session, query);
}
};
@@ -296,16 +299,15 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
// done
if (logger.isDebugEnabled())
{
logger.debug("Deleted " + deletedCount + "entries for criteria: \n" +
" node: " + nodeRef + "\n" +
" authority: " + authority);
logger.debug("Deleted "
+ deletedCount + "entries for criteria: \n" + " node: " + nodeRef + "\n" + " authority: "
+ authority);
}
}
/**
* Deletes all permission entries (access control list entries) that match
* the given criteria. Note that the access control list for the node is
* not deleted.
* Deletes all permission entries (access control list entries) that match the given criteria. Note that the access
* control list for the node is not deleted.
*/
public void deletePermission(NodeRef nodeRef, String authority, PermissionReference permission)
{
@@ -327,10 +329,9 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
// done
if (logger.isDebugEnabled())
{
logger.debug("Deleted " + deletedCount + "entries for criteria: \n" +
" node: " + nodeRef + "\n" +
" permission: " + permission + "\n" +
" authority: " + authority);
logger.debug("Deleted "
+ deletedCount + "entries for criteria: \n" + " node: " + nodeRef + "\n" + " permission: "
+ permission + "\n" + " authority: " + authority);
}
}
@@ -364,15 +365,15 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
}
/**
* @param nodeRef the node against which to join
* @param authority the authority against which to join
* @param perm the permission against which to join
* @param nodeRef
* the node against which to join
* @param authority
* the authority against which to join
* @param perm
* the permission against which to join
* @return Returns all access control entries that match the criteria
*/
private DbAccessControlEntry getAccessControlEntry(
NodeRef nodeRef,
String authority,
PermissionReference permission)
private DbAccessControlEntry getAccessControlEntry(NodeRef nodeRef, String authority, PermissionReference permission)
{
DbAccessControlList acl = getAccessControlList(nodeRef, false);
DbAccessControlEntry entry = null;
@@ -384,10 +385,9 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
// done
if (logger.isDebugEnabled())
{
logger.debug("" + (entry == null ? "Did not find" : "Found") + " entry for criteria: \n" +
" node: " + nodeRef + "\n" +
" authority: " + authority + "\n" +
" permission: " + permission);
logger.debug(""
+ (entry == null ? "Did not find" : "Found") + " entry for criteria: \n" + " node: " + nodeRef
+ "\n" + " authority: " + authority + "\n" + " permission: " + permission);
}
return entry;
}
@@ -435,11 +435,8 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
public void setPermission(PermissionEntry permissionEntry)
{
setPermission(
permissionEntry.getNodeRef(),
permissionEntry.getAuthority(),
permissionEntry.getPermissionReference(),
permissionEntry.isAllowed());
setPermission(permissionEntry.getNodeRef(), permissionEntry.getAuthority(), permissionEntry
.getPermissionReference(), permissionEntry.isAllowed());
}
public void setPermission(NodePermissionEntry nodePermissionEntry)
@@ -522,30 +519,26 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
private SimpleNodePermissionEntry createSimpleNodePermissionEntry(NodeRef nodeRef)
{
DbAccessControlList acl =
getACLDAO(nodeRef).getAccessControlList(nodeRef);
DbAccessControlList acl = getACLDAO(nodeRef).getAccessControlList(nodeRef);
if (acl == null)
{
// there isn't an access control list for the node - spoof a null one
SimpleNodePermissionEntry snpe = new SimpleNodePermissionEntry(
nodeRef,
true,
Collections.<SimplePermissionEntry> emptySet());
SimpleNodePermissionEntry snpe = new SimpleNodePermissionEntry(nodeRef, true, Collections
.<SimplePermissionEntry> emptySet());
return snpe;
}
else
{
Set<DbAccessControlEntry> entries = acl.getEntries();
SimpleNodePermissionEntry snpe = new SimpleNodePermissionEntry(
nodeRef,
acl.getInherits(),
SimpleNodePermissionEntry snpe = new SimpleNodePermissionEntry(nodeRef, acl.getInherits(),
createSimplePermissionEntries(nodeRef, entries));
return snpe;
}
}
/**
* @param entries access control entries
* @param entries
* access control entries
* @return Returns a unique set of entries that can be given back to the outside world
*/
private Set<SimplePermissionEntry> createSimplePermissionEntries(NodeRef nodeRef,
@@ -566,18 +559,14 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
return spes;
}
private static SimplePermissionEntry createSimplePermissionEntry(NodeRef nodeRef,
DbAccessControlEntry ace)
private static SimplePermissionEntry createSimplePermissionEntry(NodeRef nodeRef, DbAccessControlEntry ace)
{
if (ace == null)
{
return null;
}
return new SimplePermissionEntry(
nodeRef,
createSimplePermissionReference(ace.getPermission()),
ace.getAuthority().getRecipient(),
ace.isAllowed() ? AccessStatus.ALLOWED : AccessStatus.DENIED);
return new SimplePermissionEntry(nodeRef, createSimplePermissionReference(ace.getPermission()), ace
.getAuthority().getRecipient(), ace.isAllowed() ? AccessStatus.ALLOWED : AccessStatus.DENIED);
}
private static SimplePermissionReference createSimplePermissionReference(DbPermission perm)
@@ -586,14 +575,14 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
{
return null;
}
return new SimplePermissionReference(
perm.getTypeQname(),
perm.getName());
return new SimplePermissionReference(perm.getTypeQname(), perm.getName());
}
/**
* Helper to choose appropriate NodeService for the given NodeRef
* @param nodeRef The NodeRef to dispatch from.
*
* @param nodeRef
* The NodeRef to dispatch from.
* @return The appropriate NodeService.
*/
private AccessControlListDAO getACLDAO(NodeRef nodeRef)
@@ -605,4 +594,80 @@ public class PermissionsDaoComponentImpl extends HibernateDaoSupport implements
}
return ret;
}
@SuppressWarnings("unchecked")
public Map<NodeRef, Set<AccessPermission>> getAllSetPermissions(final String authority)
{
// get the authority
HibernateCallback callback = new HibernateCallback()
{
public Object doInHibernate(Session session)
{
Query query = session.getNamedQuery(QUERY_GET_ALL_AC_ENTRIES_FOR_AUTHORITY).setString(
"authorityRecipient", authority);
Map<NodeRef, Set<AccessPermission>> result = new HashMap<NodeRef, Set<AccessPermission>>();
ScrollableResults entities = query.scroll(ScrollMode.FORWARD_ONLY);
while (entities.next())
{
DbAccessControlEntry entry = (DbAccessControlEntry) entities.get(0);
// DbAccessControlList acl = (DbAccessControlList) entities.get(1);
Node node = (Node) entities.get(2);
DbPermission dbPermission = entry.getPermission();
PermissionReferenceImpl pr = new PermissionReferenceImpl(dbPermission.getTypeQname(), dbPermission
.getName());
AccessStatus accessStatus = entry.isAllowed() ? AccessStatus.ALLOWED : AccessStatus.DENIED;
AccessPermission ap = new AccessPermissionImpl(pr.toString(), accessStatus, entry.getAuthority()
.getRecipient());
NodeRef nodeRef = node.getNodeRef();
Set<AccessPermission> nodeSet = result.get(nodeRef);
if (nodeSet == null)
{
nodeSet = new HashSet<AccessPermission>();
result.put(nodeRef, nodeSet);
}
nodeSet.add(ap);
}
return result;
}
};
return (Map<NodeRef, Set<AccessPermission>>) getHibernateTemplate().execute(callback);
}
public Set<NodeRef> findNodeByPermission(final String authority, final PermissionReference permission, final boolean allow)
{
// get the authority
HibernateCallback callback = new HibernateCallback()
{
public Object doInHibernate(Session session)
{
Query query = session.getNamedQuery(QUERY_FIND_NODES_BY_PERMISSION).setString(
"authorityRecipient", authority).setBoolean("allow", allow).setString("permissionName", permission.getName()).setString("permissionTypeQname", permission.getQName().toString());
Set<NodeRef> result = new HashSet<NodeRef>();
ScrollableResults entities = query.scroll(ScrollMode.FORWARD_ONLY);
while (entities.next())
{
DbAccessControlEntry entry = (DbAccessControlEntry) entities.get(0);
// DbAccessControlList acl = (DbAccessControlList) entities.get(1);
Node node = (Node) entities.get(2);
DbPermission dbPermission = entry.getPermission();
PermissionReferenceImpl pr = new PermissionReferenceImpl(dbPermission.getTypeQname(), dbPermission
.getName());
AccessStatus accessStatus = entry.isAllowed() ? AccessStatus.ALLOWED : AccessStatus.DENIED;
AccessPermission ap = new AccessPermissionImpl(pr.toString(), accessStatus, entry.getAuthority()
.getRecipient());
NodeRef nodeRef = node.getNodeRef();
result.add(nodeRef);
}
return result;
}
};
return (Set<NodeRef>) getHibernateTemplate().execute(callback);
}
}

7
source/java/org/alfresco/repo/security/authority/AuthorityServiceImpl.java
View File

@@ -126,8 +126,13 @@ public class AuthorityServiceImpl implements AuthorityService
public Set<String> getAuthorities()
{
Set<String> authorities = new HashSet<String>();
String currentUserName = authenticationComponent.getCurrentUserName();
return getAuthoritiesForUser(currentUserName);
}
public Set<String> getAuthoritiesForUser(String currentUserName)
{
Set<String> authorities = new HashSet<String>();
if (adminUsers.contains(currentUserName))
{
authorities.addAll(adminSet);

14
source/java/org/alfresco/repo/security/authority/SimpleAuthorityServiceImpl.java
View File

@@ -233,4 +233,18 @@ public class SimpleAuthorityServiceImpl implements AuthorityService
return false;
}
public Set<String> getAuthoritiesForUser(String currentUserName)
{
Set<String> authorities = new HashSet<String>();
if (adminUsers.contains(currentUserName))
{
authorities.addAll(adminSet);
}
if(AuthorityType.getAuthorityType(currentUserName) != AuthorityType.GUEST)
{
authorities.addAll(allSet);
}
return authorities;
}
}

102
source/java/org/alfresco/repo/security/permissions/impl/AccessPermissionImpl.java Normal file
View File

@@ -0,0 +1,102 @@
/*
* Copyright (C) 2005-2007 Alfresco Software Limited.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
* As a special exception to the terms and conditions of version 2.0 of
* the GPL, you may redistribute this Program in connection with Free/Libre
* and Open Source Software ("FLOSS") applications as described in Alfresco's
* FLOSS exception. You should have recieved a copy of the text describing
* the FLOSS exception, and it is also available here:
* http://www.alfresco.com/legal/licensing"
*/
package org.alfresco.repo.security.permissions.impl;
import org.alfresco.service.cmr.security.AccessPermission;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.AuthorityType;
/**
* Standard implementation for access permission info
* @author andyh
*
*/
public class AccessPermissionImpl implements AccessPermission
{
private String permission;
private AccessStatus accessStatus;
private String authority;
private AuthorityType authorityType;
public AccessPermissionImpl(String permission, AccessStatus accessStatus, String authority)
{
this.permission = permission;
this.accessStatus = accessStatus;
this.authority = authority;
this.authorityType = AuthorityType.getAuthorityType(authority);
}
public String getPermission()
{
return permission;
}
public AccessStatus getAccessStatus()
{
return accessStatus;
}
public String getAuthority()
{
return authority;
}
public AuthorityType getAuthorityType()
{
return authorityType;
}
@Override
public String toString()
{
return accessStatus + " " + this.permission + " - " + this.authority + " (" + this.authorityType + ")";
}
@Override
public boolean equals(Object o)
{
if (this == o)
{
return true;
}
if (!(o instanceof AccessPermissionImpl))
{
return false;
}
AccessPermissionImpl other = (AccessPermissionImpl) o;
return this.getPermission().equals(other.getPermission())
&& (this.getAccessStatus() == other.getAccessStatus() && (this.getAccessStatus().equals(other
.getAccessStatus())));
}
@Override
public int hashCode()
{
return ((authority.hashCode() * 37) + permission.hashCode()) * 37 + accessStatus.hashCode();
}
}

128
source/java/org/alfresco/repo/security/permissions/impl/PermissionServiceImpl.java
View File

@@ -28,6 +28,7 @@ import java.io.Serializable;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import net.sf.acegisecurity.Authentication;
@@ -52,7 +53,6 @@ import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.security.AccessPermission;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.cmr.security.AuthorityType;
import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.service.namespace.NamespaceService;
import org.alfresco.service.namespace.QName;
@@ -280,74 +280,6 @@ public class PermissionServiceImpl implements PermissionServiceSPI, Initializing
return accessPermissions;
}
private class AccessPermissionImpl implements AccessPermission
{
private String permission;
private AccessStatus accessStatus;
private String authority;
private AuthorityType authorityType;
AccessPermissionImpl(String permission, AccessStatus accessStatus, String authority)
{
this.permission = permission;
this.accessStatus = accessStatus;
this.authority = authority;
this.authorityType = AuthorityType.getAuthorityType(authority);
}
public String getPermission()
{
return permission;
}
public AccessStatus getAccessStatus()
{
return accessStatus;
}
public String getAuthority()
{
return authority;
}
public AuthorityType getAuthorityType()
{
return authorityType;
}
@Override
public String toString()
{
return accessStatus + " " + this.permission + " - " + this.authority + " (" + this.authorityType + ")";
}
@Override
public boolean equals(Object o)
{
if (this == o)
{
return true;
}
if (!(o instanceof AccessPermissionImpl))
{
return false;
}
AccessPermissionImpl other = (AccessPermissionImpl) o;
return this.getPermission().equals(other.getPermission())
&& (this.getAccessStatus() == other.getAccessStatus() && (this.getAccessStatus().equals(other
.getAccessStatus())));
}
@Override
public int hashCode()
{
return ((authority.hashCode() * 37) + permission.hashCode()) * 37 + accessStatus.hashCode();
}
}
public Set<String> getSettablePermissions(NodeRef nodeRef)
{
Set<PermissionReference> settable = getSettablePermissionReferences(nodeRef);
@@ -495,6 +427,8 @@ public class PermissionServiceImpl implements PermissionServiceSPI, Initializing
{
auths.add(authority.getAuthority());
}
if (nodeRef != null)
{
if (dynamicAuthorities != null)
{
for (DynamicAuthority da : dynamicAuthorities)
@@ -505,6 +439,7 @@ public class PermissionServiceImpl implements PermissionServiceSPI, Initializing
}
}
}
}
auths.addAll(authorityService.getAuthorities());
return auths;
}
@@ -698,7 +633,8 @@ public class PermissionServiceImpl implements PermissionServiceSPI, Initializing
// Set the required node permissions
if (required.equals(getPermissionReference(ALL_PERMISSIONS)))
{
nodeRequirements = modelDAO.getRequiredPermissions(getPermissionReference(PermissionService.FULL_CONTROL), typeQName, aspectQNames,
nodeRequirements = modelDAO.getRequiredPermissions(
getPermissionReference(PermissionService.FULL_CONTROL), typeQName, aspectQNames,
RequiredPermission.On.NODE);
}
else
@@ -1199,4 +1135,56 @@ public class PermissionServiceImpl implements PermissionServiceSPI, Initializing
return value;
}
}
public Map<NodeRef, Set<AccessPermission>> getAllSetPermissionsForTheCurrentUser()
{
String currentUser = authenticationComponent.getCurrentUserName();
return getAllSetPermissions(currentUser);
}
public Map<NodeRef, Set<AccessPermission>> getAllSetPermissions(String authority)
{
return permissionsDaoComponent.getAllSetPermissions(authority);
}
public Set<NodeRef> findNodesByAssignedPermissionForTheCurrentUser(String permission, boolean allow, boolean includeContainingAuthorities,
boolean exactPermissionMatch)
{
String currentUser = authenticationComponent.getCurrentUserName();
return findNodesByAssignedPermission(currentUser, permission, allow, includeContainingAuthorities, exactPermissionMatch);
}
public Set<NodeRef> findNodesByAssignedPermission(String authority, String permission, boolean allow,
boolean includeContainingAuthorities, boolean includeContainingPermissions)
{
// TODO: owned nodes and add owner rights ??
// Does not include dynamic permissions (they would have to be done by query - e.g. owership and OWNER rights)
// Does not include ACEGI auth object authorities
Set<String> authorities = new HashSet<String>();
authorities.add(authority);
if (includeContainingAuthorities)
{
authorities.addAll(authorityService.getAuthoritiesForUser(authority));
}
HashSet<NodeRef> answer = new HashSet<NodeRef>();
PermissionReference pr = getPermissionReference(permission);
Set<PermissionReference> permissions = new HashSet<PermissionReference>();
permissions.add(pr);
if (includeContainingPermissions)
{
permissions.addAll(modelDAO.getGrantingPermissions(pr));
}
for (PermissionReference perm : permissions)
{
for (String auth : authorities)
{
answer.addAll(permissionsDaoComponent.findNodeByPermission(auth, perm, allow));
}
}
return answer;
}
}

730
source/java/org/alfresco/repo/security/permissions/impl/PermissionServiceTest.java
View File

File diff suppressed because it is too large Load Diff

21
source/java/org/alfresco/repo/security/permissions/impl/PermissionsDaoComponent.java
View File

@@ -24,10 +24,14 @@
*/
package org.alfresco.repo.security.permissions.impl;
import java.util.Map;
import java.util.Set;
import org.alfresco.repo.security.permissions.NodePermissionEntry;
import org.alfresco.repo.security.permissions.PermissionEntry;
import org.alfresco.repo.security.permissions.PermissionReference;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.AccessPermission;
/**
* The API for accessing persisted Alfresco permissions.
@@ -116,4 +120,21 @@ public interface PermissionsDaoComponent
* @return inheritParentPermissions
*/
public boolean getInheritParentPermissions(NodeRef nodeRef);
/**
* Get all the permissions set for the given authority
*
* @param authority
* @return - the permissions set on all nodes for the given authority.
*/
public Map<NodeRef, Set<AccessPermission>> getAllSetPermissions(String authority);
/**
* Find nodes which have the given permisson for the given authority
* @param authority - the authority to match
* @param permission - the permission to match
* @param allow - true to match allow, false to match deny
* @return - the set of matching nodes
*/
public Set<NodeRef> findNodeByPermission(String authority, PermissionReference permission, boolean allow);
}

22
source/java/org/alfresco/repo/security/permissions/noop/PermissionServiceNOOPImpl.java
View File

@@ -24,7 +24,9 @@
*/
package org.alfresco.repo.security.permissions.noop;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.alfresco.repo.security.permissions.NodePermissionEntry;
@@ -224,4 +226,24 @@ public class PermissionServiceNOOPImpl
{
throw new UnsupportedOperationException();
}
public Map<NodeRef, Set<AccessPermission>> getAllSetPermissionsForTheCurrentUser()
{
return Collections.<NodeRef, Set<AccessPermission>>emptyMap();
}
public Map<NodeRef, Set<AccessPermission>> getAllSetPermissions(String authority)
{
return Collections.<NodeRef, Set<AccessPermission>>emptyMap();
}
public Set<NodeRef> findNodesByAssignedPermissionForTheCurrentUser(String permission, boolean allow, boolean includeContainingAuthorities, boolean exactPermissionMatch)
{
return Collections.<NodeRef>emptySet();
}
public Set<NodeRef> findNodesByAssignedPermission(String authority, String permission, boolean allow, boolean includeContainingAuthorities, boolean exactPermissionMatch)
{
return Collections.<NodeRef>emptySet();
}
}

6
source/java/org/alfresco/service/cmr/security/AuthorityService.java
View File

@@ -75,6 +75,12 @@ public interface AuthorityService
@Auditable
public Set<String> getAuthorities();
/**
* Get the authorities for the given user
*/
@Auditable(parameters = {"userName"})
public Set<String> getAuthoritiesForUser(String userName);
/**
* Get all authorities by type.
*

144
source/java/org/alfresco/service/cmr/security/PermissionService.java
View File

@@ -24,43 +24,67 @@
*/
package org.alfresco.service.cmr.security;
import java.util.Map;
import java.util.Set;
import org.alfresco.service.Auditable;
import org.alfresco.service.PublicService;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.namespace.QName;
import org.apache.axis.wsdl.symbolTable.Parameters;
/**
* The public API for a permission service
*
* The implementation may be changed in the application configuration
* The public API for a permission service The implementation may be changed in the application configuration
*
* @author Andy Hind
*/
@PublicService
public interface PermissionService
{
/**
* Prefixes used for authorities of type role. This is intended for external roles, e.g. those set by ACEGI
* implementations It is only used for admin at the moment - which is done outside the usual permission assignments
* at the moment. It could be a dynamic authority.
*/
public static final String ROLE_PREFIX = "ROLE_";
/**
* Prefix used for authorities of type group.
*/
public static final String GROUP_PREFIX = "GROUP_";
/**
* The group that contains everyone except guest.
*/
public static final String ALL_AUTHORITIES = "GROUP_EVERYONE";
/**
* The dynamic authority used for ownership
*/
public static final String OWNER_AUTHORITY = "ROLE_OWNER";
/**
* The dynamic authority used for the ownership of locks.
*/
public static final String LOCK_OWNER_AUTHORITY = "ROLE_LOCK_OWNER";
/**
* The admin authority - currently a role.
*/
public static final String ADMINISTRATOR_AUTHORITY = "ROLE_ADMINISTRATOR";
/**
* The guest authority
*/
public static final String GUEST_AUTHORITY = "guest";
/**
* The permission for all - not defined in the model. Repsected in the code.
*/
public static final String ALL_PERMISSIONS = "All";
// Constants for permissions/permission groups defined in the standard permission model.
public static final String FULL_CONTROL = "FullControl";
public static final String READ = "Read";
@@ -150,25 +174,23 @@ public interface PermissionService
public String getAllPermission();
/**
* Get all the AccessPermissions that are granted/denied to the current
* authentication for the given node
* Get all the AccessPermissions that are granted/denied to the current authentication for the given node
*
* @param nodeRef -
* the reference to the node
* @return the set of allowed permissions
*/
@Auditable(key = Auditable.Key.ARG_0, parameters = {"nodeRef"})
@Auditable(key = Auditable.Key.ARG_0, parameters = { "nodeRef" })
public Set<AccessPermission> getPermissions(NodeRef nodeRef);
/**
* Get all the AccessPermissions that are set for anyone for the
* given node
* Get all the AccessPermissions that are set for anyone for the given node
*
* @param nodeRef -
* the reference to the node
* @return the set of allowed permissions
*/
@Auditable(key = Auditable.Key.ARG_0, parameters = {"nodeRef"})
@Auditable(key = Auditable.Key.ARG_0, parameters = { "nodeRef" })
public Set<AccessPermission> getAllSetPermissions(NodeRef nodeRef);
/**
@@ -177,27 +199,27 @@ public interface PermissionService
* @param nodeRef
* @return
*/
@Auditable(key = Auditable.Key.ARG_0, parameters = {"nodeRef"})
@Auditable(key = Auditable.Key.ARG_0, parameters = { "nodeRef" })
public Set<String> getSettablePermissions(NodeRef nodeRef);
/**
* Get the permissions that can be set for a given type
*
* @param nodeRef
* @return
* @param type
* @return - set of permissions
*/
@Auditable(parameters = {"type"})
@Auditable(parameters = { "type" })
public Set<String> getSettablePermissions(QName type);
/**
* Check that the given authentication has a particular permission for the
* given node. (The default behaviour is to inherit permissions)
* Check that the given authentication has a particular permission for the given node. (The default behaviour is to
* inherit permissions)
*
* @param nodeRef
* @param permission
* @return
* @return - access status
*/
@Auditable(key = Auditable.Key.ARG_0, parameters = {"nodeRef", "permission"})
@Auditable(key = Auditable.Key.ARG_0, parameters = { "nodeRef", "permission" })
public AccessStatus hasPermission(NodeRef nodeRef, String permission);
/**
@@ -205,22 +227,21 @@ public interface PermissionService
*
* @param nodeRef
*/
@Auditable(key = Auditable.Key.ARG_0, parameters = {"nodeRef"})
@Auditable(key = Auditable.Key.ARG_0, parameters = { "nodeRef" })
public void deletePermissions(NodeRef nodeRef);
/**
* Delete all permission for the given authority.
*
* @param nodeRef
* @param authority (if null then this will match all authorities)
* @param authority
* (if null then this will match all authorities)
*/
@Auditable(key = Auditable.Key.ARG_0, parameters = {"nodeRef", "authority"})
@Auditable(key = Auditable.Key.ARG_0, parameters = { "nodeRef", "authority" })
public void clearPermission(NodeRef nodeRef, String authority);
/**
* Find and delete a access control entry by node, authentication and permission.
*
* It is possible to delete
* Find and delete a access control entry by node, authentication and permission. It is possible to delete
* <ol>
* <li> a specific permission;
* <li> all permissions for an authority (if the permission is null);
@@ -228,11 +249,14 @@ public interface PermissionService
* <li> all permissions set for the node (if both the permission and authority are null).
* </ol>
*
* @param nodeRef the node that the entry applies to
* @param authority the authority recipient (if null then this will match all authorities)
* @param permission the entry permission (if null then this will match all permissions)
* @param nodeRef
* the node that the entry applies to
* @param authority
* the authority recipient (if null then this will match all authorities)
* @param permission
* the entry permission (if null then this will match all permissions)
*/
@Auditable(key = Auditable.Key.ARG_0, parameters = {"nodeRef", "authority", "permission"})
@Auditable(key = Auditable.Key.ARG_0, parameters = { "nodeRef", "authority", "permission" })
public void deletePermission(NodeRef nodeRef, String authority, String permission);
/**
@@ -243,7 +267,7 @@ public interface PermissionService
* @param permission
* @param allow
*/
@Auditable(key = Auditable.Key.ARG_0, parameters = {"nodeRef", "authority", "permission", "allow"})
@Auditable(key = Auditable.Key.ARG_0, parameters = { "nodeRef", "authority", "permission", "allow" })
public void setPermission(NodeRef nodeRef, String authority, String permission, boolean allow);
/**
@@ -252,7 +276,7 @@ public interface PermissionService
* @param nodeRef
* @param inheritParentPermissions
*/
@Auditable(key = Auditable.Key.ARG_0, parameters = {"nodeRef", "inheritParentPermissions"})
@Auditable(key = Auditable.Key.ARG_0, parameters = { "nodeRef", "inheritParentPermissions" })
public void setInheritParentPermissions(NodeRef nodeRef, boolean inheritParentPermissions);
/**
@@ -261,6 +285,58 @@ public interface PermissionService
* @param nodeRef
* @return inheritParentPermissions
*/
@Auditable(key = Auditable.Key.ARG_0, parameters = {"nodeRef"})
@Auditable(key = Auditable.Key.ARG_0, parameters = { "nodeRef" })
public boolean getInheritParentPermissions(NodeRef nodeRef);
/**
* Get all permissions set for the current user.
*
* @return - A map of noderefs to permissions set
*/
@Auditable
public Map<NodeRef, Set<AccessPermission>> getAllSetPermissionsForTheCurrentUser();
/**
* Get all the permissions set for the given authority
*
* @param authority
* @return - A map of noderefs to permissions set
*/
@Auditable(parameters = { "authority" })
public Map<NodeRef, Set<AccessPermission>> getAllSetPermissions(String authority);
/**
* Find all the nodes where the current user has explicitly been assigned the specified permission.
*
* @param permission -
* the permission to find
* @param allow
* -search for allow (true) or deny
* @param includeContainingAuthorities -
* include permissions for authorities that contain the current user in the list
* @param includeContainingPermissions -
* true; do an exact match: false; search for any permission that woudl imply the one given
* @return - the set of nodes where the user is assigned the permission
*/
@Auditable(parameters = { "permission", "allow", "includeContainingAuthorities", "includeContainingPermissions" })
public Set<NodeRef> findNodesByAssignedPermissionForTheCurrentUser(String permission, boolean allow, boolean includeContainingAuthorities,
boolean includeContainingPermissions);
/**
* Find all the nodes where the current user has explicitly been assigned the specified permission.
*
* @param permission -
* the permission to find
* @param allow
* -search for allow (true) or deny
* @param includeContainingAuthorities -
* include permissions for authorities that contain the current user in the list
* @param exactPermissionMatch -
* true; do an exact match: false; search for any permission that woudl imply the one given
* @return - the set of nodes where the user is assigned the permission
*/
@Auditable(parameters = { "authority", "permission", "allow", "includeContainingAuthorities",
"exactPermissionMatch" })
public Set<NodeRef> findNodesByAssignedPermission(String authority, String permission, boolean allow,
boolean includeContainingAuthorities, boolean exactPermissionMatch);
}