mirror of
https://github.com/Alfresco/alfresco-community-repo.git
synced 2025-06-30 18:15:39 +00:00
2e62d4fb29
30342: Dev branch for Site performance issues (including rework of AuthorityService.getAuthorities() to use a 'lazy' set and DM indexing rework)
ALF-9899 Huge share site migration, add group to site and user access site related performance issue.
ALF-9208 Performance issue, during load tests /share/page/user/user-sites is showing to be the most expensive.
ALF-9692 Performance: General performance of Alfresco degrades when there are 1000s of sites present
- ancestor-preloading
- hasAuthority
- huge site test
30370: - Save changed to do with adding childAuthorityCache to AuthorityDAOImpl
- Increase aspectsTransactionalCache size as it blows up
30387: Experimental solution to 'cascading reindex' performance problem
- Now only Lucene container documents for a single subtree are reprocessed on addition / removal of a secondary child association
- No need to delete and re-evaluate ALL the paths to all the nodes in the subtree - just the paths within the subtree
- Lucene deltas now store the IDs of ANCESTORs to mask out as well as documents to reindex
- Merge handles deletion of these efficiently
- Node service cycle checks changed from getPaths to recursive cycleCheck method
- Adding a group to 60,000 sites might not require all paths to all sites to be re-evaluated on every change!
30389: Missed files from last checkin
30390: Optimizations / fixes to Alan's test!
30393: Bug fix - wasn't adding new documents into the index!
30397: Fixed a problem with bulk loading trying to bulk load zero parent associations
Also tweaked reindex calls
30399: Correction - don't cascade below containers during path cascading
30400: Another optimization - no need to trigger node bulk loading during path cascading - pass false for the preload flag
30404: Further optimizations
- On creation of a secondary child association, make a decision on whether it is cheaper to cascade reindex the parent or the child, based on the number of parent associations to the child
- Assumes that if there are more than 5 parent associations, it's cheaper to cascade reindex the parent
- Add a new authority to a zone (containing 60,000 authorities) - cascade reindex the authority, not the zone
- Add a group (in 60,000 sites) to a site - cascade reindex the site, not the group
- Caching of child associations already traversed during cascade reindexing
- Site creation time much reduced!
30407: Logic fix: Use 'delete only nodes' behaviour on DM index filtering and merging, now we are managing container deletions separately
30408: Small correction related to last change.
30409: Correction to deletion reindex behaviour (no need to regenerate masked out containers)
- Site CRUD operations now all sub-second with 60,000 sites!
30410: Stop the heartbeat from trying to load and count all site groups
- Too expensive, as we might have 60,000 sites, each with 4 groups
- Now just counts the groups in the default zone (the UI visible ones)
30411: Increased lucene parameters to allow for 'path explosion'
- 9 million lucene documents in my index after creating 60,000 Share sites (most of them probably paths) resulting in sluggish index write performance
- Set lucene.indexer.mergerTargetIndexCount=8 (142 documents in smallest index)
- Increased lucene.indexer.maxDocsForInMemoryMerge, lucene.indexer.maxDocsForInMemoryIndex
30412: Test fixes
30413: Revert 'parent association batch loading' changes (as it was a bad idea and is no longer necessary!)
- Retain a few caching bug fixes however
30416: Moved UserAuthoritySet (lazy load authority set) from PermissionServiceImpl to AuthorityServiceImpl
30418: - Remove 'new' hasAuthority from authorityService so it is back to where we started.
- SiteServiceHugeTest minor changes
30421: Prevent creation of a duplicate root node on updating the root
- Use the ANCESTOR field rather than ISCONTAINER to detect a node document, as the root node is both a container and a node!
30447: Pulled new indexing behaviour into ADMLuceneIndexerImpl and restored old behaviour to AVMLuceneIndexerImpl to restore normal AVM behaviour
30448: - Cache in PermissionServiceImpl cleared if an authority container has an association added or removed
Supports the generateKey method which includes the username
Supports changes in group structures
- Moved logic to do with ROLE_GUEST from PermissionServiceImpl to AuthorityServiceImpl
30465: - Tidy up tests in SiteServiceTestHuge
30532: - Added getContainingAuthoritiesInZone to AuthorityService
- Dave Changed PeopleService.getContainerGroups to only return groups in the DEFAULT zone
- Fixed RM code to use getAuthoritiesForUser method with just the username again.
30558: Build fixes
- Fixed cycleCheck to throw a CyclicChildRelationshipException
- More tidy up of AVM / ADM indexer split
- Properly control when path generation is cascaded (not required on a full reindex or a tracker transaction)
- Support indexing of a 'fake root' parent. Ouch my head hurts!
30588: Build fixes
- StringIndexOutOfBoundsException in NodeMonitor
- Corrections to 'node only' delete behaviour
- Use the PATH field to detect non-leaf nodes (it's the only stored field with which we can recognize the root)
- Moved DOD5015Test.testVitalRecords() to the end - the only way I could work out how to get the full TestCase to run
30600: More build fixes
- Broadcast ALL node deletions to indexer (even those from cascade deletion of primary associations)
- Allows indexer to wipe out all affected documents from the delta even if some have already been flushed under different parents by an intricate DOD unit test!
- Pause FTS in DOD5015Test to prevent intermittent test failures (FTS can temporarily leave deleted documents in the index until it catches up)
- More tidy up of ADMLuceneIndexerImpl
- flushPending optimized and some unnecessary member variables removed
- correction to cascade deletion behaviour (leave behind containers of unaffected secondary references)
- unused MOVE action removed
- further legacy logic moved into AVMLuceneIndexerImpl
30620: More build fixes
- Cope with a node morphing from a 'leaf' to a container during its lifetime
- Container documents now created lazily in index as and when necessary
- Blank out 'nth sibling' field of synthesized paths
- ADMLuceneTest now passes!
- TaggingServiceImplTest also passes - more special treatment for categories
30627: Multi tenancy fixes
30629: Possible build fix - retrying transaction in ReplicationServiceIntegrationTest.tearDown()
30632: Build fix - lazy container generation after a move
30636: Build fix: authority comparisons are case sensitive, even when that authority corresponds to a user (PermissionServiceTest.testPermissionCase())
30638: Run SiteServiceTestHuge form a cmd line
set SITE_CPATH=%TOMCAT_HOME%/lib/*;%TOMCAT_HOME%/endorsed/*;%TOMCAT_HOME%/webapps/alfresco/WEB-INF/lib/*;\
%TOMCAT_HOME%/webapps/alfresco/WEB-INF/classes;%TOMCAT_HOME%/shared/classes;
java -Xmx2048m -XX:MaxPermSize=512M -classpath %SITE_CPATH% org.alfresco.repo.site.SiteServiceTestHuge ...
Usage: -Daction=usersOnly
-Dfrom=<fromSiteId> -Dto=<toSiteId>
-Dfrom=<fromSiteId> -Dto=<toSiteId> -Daction=sites -Drestart=<restartAtSiteId>
-Dfrom=<fromSiteId> -Dto=<toSiteId> -Daction=groups -Drestart=<restartAtSiteId>
30639: Minor changes to commented out command line code for SiteServiceTestHuge
30643: Round of improvements to MySites dashlet relating to huge DB testing:
- 10,000 site database, user is a member of ~2000 sites
- Improvements to site.lib.ftl and related SiteService methods
- To return MySites dashlet for the user, order of magnitude improvement from 7562ms to 618ms in the profiler (now ~350ms in the browser)
30644: Fixed performance regression - too much opening and closing of the delta reader and writer
30661: More reader opening / closing
30668: Performance improvements to Site Finder and My Sites in user profile page.
- faster to bring back lists and site memberships (used by the Site Finder)
- related further improvements to APIs used by this and My Sites on dashboard
30713: Configuration for MySites dashlet maximum list size
30725: Merged V3.4-BUG-FIX to DEV/ALAN/SITE_PERF
30708: ALF-10040: Added missing ReferenceCountingReadOnlyIndexReaderFactory wrapper to IndexInfo.getMainIndexReferenceCountingReadOnlyIndexReader() to make it consistent with IndexInfo.getMainIndexReferenceCountingReadOnlyIndexReader(String, Set<String>, boolean) and allow SingleFieldSelectors to make it through from LeafScorer to the path caches! Affects ALL Lucene queries that run OUTSIDE of a transaction.
30729: Use getAuthoritiesForUser rather than getContainingAuthorities if possible.
SiteServiceTestHuge: command line version
30733: Performance improves to user dashboard relating to User Calendar
- converted web-tier calendar dashlet to Ajax client-side rendering - faster user experience and also less load on the web-tier
- improvements to query from Andy
- maximum sites/list size to query now configurable (default 100 instead of previously 1000)
30743: Restore site CRUD performance from cold caches
- Introduced NodeService.getAllRootNodes(), returning all nodes in a store with the root aspect, backed by a transactional cache and invalidated at key points
- Means indexing doesn't have to load all parent nodes just to check for 'fake roots'
- Site CRUD performance now back to sub-second with 60,000 nodes
30747: Improvement to previous checkin - prevent cross cluster invalidation of every store root when a single store drops out of the cache
30748: User dashboard finally loading within seconds with 60,000 sites, 60 groups, 100 users (thanks mostly to Kev's UI changes)
- post-process IBatis mapped statements with MySQL dialect to apply fetchSize=Integer.MIN_VALUE to all _Limited statements
- Means we can stream first 10,000 site groups without the MySQL JDBC driver reading all 240,000 into memory
- New NodeService getChildAssocs method with a maxResults argument (makes use of the above)
- Perfected getContainingAuthoritiesInZone implementation, adding a cutoff parameter, allowing only the first 1000 site memberships to be returned quickly and caches to be warmed for ACL evaluations
- New cache of first 10,000 groups in APP.SHARE zone
- Cache sizes tuned for 60,000 site scenario
- Site service warms caches on bootstrap
- PreferencesService applies ASPECT_IGNORE_INHERITED_RULES to person node to prevent the rule service trying to crawl the group hierarchy on a preference save
- WorkflowServiceImpl.getPooledTasks only looks in APP.DEFAULT zone (thus avoiding site group noise)
30749: Fix compilation errors
30761: Minor change to SiteServiceTestHuge
30762: Derek code review: Reworked fetchSize specification for select_ChildAssocsOfParent_Limited statement for MySQL
- Now fetchSize stated explicitly in a MySQL specific config file resolved by the HierarchicalResourceLoader
- No need for any Java-based post processing
30763: Build fix: don't add a user into its own authorities (until specifically asked to)
30767: Build fix
- IBatis / MySQL needs a streaming result statement to be run in an isolation transaction (because it doesn't release PreparedStatements until the end)
30771: Backed out previous change which was fundamentally flawed
- Resolved underlying problem which was that the select_ChildAssocsOfParent_Limited SQL string needs to be unique in order to not cause confusion in the prepared statement cache
30772: Backed out previous change which was fundamentally flawed
- Resolved underlying problem which was that the select_ChildAssocsOfParent_Limited SQL string needs to be unique in order to not cause confusion in the prepared statement cache
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@30797 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
513 lines
17 KiB
Java
513 lines
17 KiB
Java
/*
|
|
* Copyright (C) 2005-2010 Alfresco Software Limited.
|
|
*
|
|
* This file is part of Alfresco
|
|
*
|
|
* Alfresco is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU Lesser General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* Alfresco is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public License
|
|
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
package org.alfresco.repo.avm.locking;
|
|
|
|
import java.util.HashMap;
|
|
import java.util.List;
|
|
import java.util.Map;
|
|
import java.util.Set;
|
|
|
|
import org.alfresco.model.WCMAppModel;
|
|
import org.alfresco.repo.domain.avm.AVMLockDAO;
|
|
import org.alfresco.repo.security.authentication.AuthenticationUtil;
|
|
import org.alfresco.service.cmr.attributes.AttributeService;
|
|
import org.alfresco.service.cmr.attributes.DuplicateAttributeException;
|
|
import org.alfresco.service.cmr.avm.AVMBadArgumentException;
|
|
import org.alfresco.service.cmr.avm.locking.AVMLockingException;
|
|
import org.alfresco.service.cmr.avm.locking.AVMLockingService;
|
|
import org.alfresco.service.cmr.repository.NodeRef;
|
|
import org.alfresco.service.cmr.repository.NodeService;
|
|
import org.alfresco.service.cmr.repository.StoreRef;
|
|
import org.alfresco.service.cmr.search.ResultSet;
|
|
import org.alfresco.service.cmr.search.SearchService;
|
|
import org.alfresco.service.cmr.security.AuthorityService;
|
|
import org.alfresco.service.cmr.security.AuthorityType;
|
|
import org.alfresco.service.cmr.security.PersonService;
|
|
import org.alfresco.service.namespace.NamespaceService;
|
|
import org.alfresco.util.ParameterCheck;
|
|
import org.alfresco.wcm.util.WCMUtil;
|
|
import org.apache.commons.logging.Log;
|
|
import org.apache.commons.logging.LogFactory;
|
|
|
|
/**
|
|
* Implementation of the lock service.
|
|
*
|
|
* @author Derek Hulley, janv
|
|
*/
|
|
public class AVMLockingServiceImpl implements AVMLockingService
|
|
{
|
|
public static final String KEY_AVM_LOCKS = ".avm_locks";
|
|
public static final String KEY_LOCK_OWNER = "lock-owner";
|
|
|
|
private static final String ROLE_CONTENT_MANAGER = "ContentManager";
|
|
|
|
private static final Log logger = LogFactory.getLog(AVMLockingServiceImpl.class);
|
|
|
|
private String webProjectStore;
|
|
private SearchService searchService;
|
|
private AttributeService attributeService;
|
|
private AuthorityService authorityService;
|
|
private PersonService personService;
|
|
private NodeService nodeService;
|
|
|
|
private AVMLockDAO avmLockDAO;
|
|
|
|
/**
|
|
* @param webProjectStore The webProjectStore to set
|
|
*/
|
|
public void setWebProjectStore(String webProjectStore)
|
|
{
|
|
this.webProjectStore = webProjectStore;
|
|
}
|
|
|
|
/**
|
|
* @param attributeService the service to persist attributes
|
|
*/
|
|
public void setAttributeService(AttributeService attributeService)
|
|
{
|
|
this.attributeService = attributeService;
|
|
}
|
|
|
|
/**
|
|
* @param authorityService the service to check validity of usernames
|
|
*/
|
|
public void setAuthorityService(AuthorityService authorityService)
|
|
{
|
|
this.authorityService = authorityService;
|
|
}
|
|
|
|
/**
|
|
* @param personService checks validity of person names
|
|
*/
|
|
public void setPersonService(PersonService personService)
|
|
{
|
|
this.personService = personService;
|
|
}
|
|
|
|
public void setSearchService(SearchService searchService)
|
|
{
|
|
this.searchService = searchService;
|
|
}
|
|
|
|
public void setNodeService(NodeService nodeService)
|
|
{
|
|
this.nodeService = nodeService;
|
|
}
|
|
|
|
public void setAvmLockDAO(AVMLockDAO avmLockDAO)
|
|
{
|
|
this.avmLockDAO = avmLockDAO;
|
|
}
|
|
|
|
/**
|
|
* Appends the lock owner to the lock data.
|
|
*/
|
|
private HashMap<String, String> createLockAttributes(String lockOwner, Map<String, String> lockData)
|
|
{
|
|
HashMap<String, String> lockAttributes = new HashMap<String, String>(lockData);
|
|
lockAttributes.put(KEY_LOCK_OWNER, lockOwner);
|
|
return lockAttributes;
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
public void lock(String avmStore, String path, String lockOwner, Map<String, String> lockData)
|
|
{
|
|
ParameterCheck.mandatoryString("avmStore", avmStore);
|
|
ParameterCheck.mandatoryString("path", path);
|
|
ParameterCheck.mandatoryString("lockOwner", lockOwner);
|
|
path = AVMLockingServiceImpl.normalizePath(path);
|
|
|
|
if (!authorityService.authorityExists(lockOwner) &&
|
|
!personService.personExists(lockOwner))
|
|
{
|
|
throw new AVMBadArgumentException("Not an Authority: " + lockOwner);
|
|
}
|
|
|
|
LockState lockState = getLockState(avmStore, path, lockOwner);
|
|
switch (lockState)
|
|
{
|
|
case LOCK_NOT_OWNER:
|
|
throw new AVMLockingException("avmlockservice.locked", path, lockOwner);
|
|
case NO_LOCK:
|
|
// Lock it, assuming that the lock doesn't exist (concurrency-safe).
|
|
try
|
|
{
|
|
HashMap<String, String> lockAttributes = createLockAttributes(lockOwner, lockData);
|
|
attributeService.createAttribute(
|
|
lockAttributes,
|
|
KEY_AVM_LOCKS, avmStore, path);
|
|
}
|
|
catch (DuplicateAttributeException e)
|
|
{
|
|
String currentLockOwner = getLockOwner(avmStore, path);
|
|
// Should trigger a retry, hence we pass the exception out
|
|
throw new AVMLockingException(e, "avmlockservice.locked", path, currentLockOwner);
|
|
}
|
|
break;
|
|
case LOCK_OWNER:
|
|
// Nothing to do
|
|
break;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
public boolean modifyLock(
|
|
String avmStore, String path, String lockOwner,
|
|
String newAvmStore, String newPath,
|
|
Map<String, String> lockData)
|
|
{
|
|
ParameterCheck.mandatoryString("avmStore", avmStore);
|
|
ParameterCheck.mandatoryString("path", path);
|
|
ParameterCheck.mandatoryString("lockOwner", lockOwner);
|
|
ParameterCheck.mandatoryString("newAvmStore", newAvmStore);
|
|
ParameterCheck.mandatoryString("newPath", newPath);
|
|
path = AVMLockingServiceImpl.normalizePath(path);
|
|
newPath = AVMLockingServiceImpl.normalizePath(newPath);
|
|
|
|
LockState currentLockState = getLockState(avmStore, path, lockOwner);
|
|
switch (currentLockState)
|
|
{
|
|
case LOCK_NOT_OWNER:
|
|
case LOCK_OWNER:
|
|
// Remove the lock first
|
|
attributeService.removeAttribute(KEY_AVM_LOCKS, avmStore, path);
|
|
HashMap<String, String> lockAttributes = createLockAttributes(lockOwner, lockData);
|
|
attributeService.setAttribute(
|
|
lockAttributes,
|
|
KEY_AVM_LOCKS, newAvmStore, newPath);
|
|
return true;
|
|
case NO_LOCK:
|
|
// Do nothing
|
|
return false;
|
|
default:
|
|
throw new IllegalStateException("Unexpected enum constant");
|
|
}
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
public String getLockOwner(String avmStore, String path)
|
|
{
|
|
ParameterCheck.mandatoryString("path", path);
|
|
path = AVMLockingServiceImpl.normalizePath(path);
|
|
|
|
Map<String, String> lockAttributes = getLockData(avmStore, path);
|
|
if (lockAttributes == null)
|
|
{
|
|
return null;
|
|
}
|
|
else if (!lockAttributes.containsKey(KEY_LOCK_OWNER))
|
|
{
|
|
logger.warn("AVM lock does not have a lock owner: " + avmStore + "-" + path);
|
|
return null;
|
|
}
|
|
return lockAttributes.get(KEY_LOCK_OWNER);
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
@SuppressWarnings("unchecked")
|
|
public Map<String, String> getLockData(String avmStore, String path)
|
|
{
|
|
ParameterCheck.mandatoryString("avmStore", avmStore);
|
|
ParameterCheck.mandatoryString("path", path);
|
|
path = AVMLockingServiceImpl.normalizePath(path);
|
|
|
|
Map<String, String> lockAttributes = (Map<String, String>) attributeService.getAttribute(
|
|
KEY_AVM_LOCKS, avmStore, path);
|
|
return lockAttributes;
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
public LockState getLockState(String avmStore, String path, String lockOwner)
|
|
{
|
|
ParameterCheck.mandatoryString("avmStore", avmStore);
|
|
ParameterCheck.mandatoryString("lockOwner", lockOwner);
|
|
path = AVMLockingServiceImpl.normalizePath(path);
|
|
|
|
String currentLockOwner = getLockOwner(avmStore, path);
|
|
if (currentLockOwner == null)
|
|
{
|
|
return LockState.NO_LOCK;
|
|
}
|
|
else if (currentLockOwner.equals(lockOwner))
|
|
{
|
|
return LockState.LOCK_OWNER;
|
|
}
|
|
else
|
|
{
|
|
return LockState.LOCK_NOT_OWNER;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
public void removeLock(String avmStore, String path)
|
|
{
|
|
ParameterCheck.mandatoryString("avmStore", avmStore);
|
|
ParameterCheck.mandatoryString("path", path);
|
|
path = AVMLockingServiceImpl.normalizePath(path);
|
|
|
|
attributeService.removeAttribute(KEY_AVM_LOCKS, avmStore, path);
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
public void removeLocks(String avmStore)
|
|
{
|
|
ParameterCheck.mandatoryString("avmStore", avmStore);
|
|
|
|
attributeService.removeAttributes(KEY_AVM_LOCKS, avmStore);
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
public void removeLocks(String avmStore, String dirPath, final Map<String, String> lockDataToMatch)
|
|
{
|
|
ParameterCheck.mandatoryString("avmStore", avmStore);
|
|
ParameterCheck.mandatory("lockDataToMatch", lockDataToMatch);
|
|
|
|
final String dirPathStart;
|
|
if (dirPath == null)
|
|
{
|
|
dirPathStart = null;
|
|
}
|
|
else
|
|
{
|
|
dirPath = normalizePath(dirPath);
|
|
if (! dirPath.endsWith("/"))
|
|
{
|
|
dirPath = dirPath + '/';
|
|
}
|
|
|
|
dirPathStart = dirPath;
|
|
}
|
|
|
|
// optimised to delete with single DB query
|
|
avmLockDAO.removeLocks(avmStore, dirPathStart, lockDataToMatch);
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
public void removeLocks(String avmStore, final Map<String, String> lockDataToMatch)
|
|
{
|
|
removeLocks(avmStore, null, lockDataToMatch);
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
public boolean hasAccess(String webProject, String avmPath, String lockOwner)
|
|
{
|
|
if (personService.getPerson(lockOwner) == null && !authorityService.authorityExists(lockOwner))
|
|
{
|
|
return false;
|
|
}
|
|
if (authorityService.isAdminAuthority(lockOwner))
|
|
{
|
|
return true;
|
|
}
|
|
StoreRef storeRef = new StoreRef(this.webProjectStore);
|
|
ResultSet results = searchService.query(
|
|
storeRef,
|
|
SearchService.LANGUAGE_LUCENE,
|
|
"@wca\\:avmstore:\"" + webProject + '"');
|
|
try
|
|
{
|
|
if (results.getNodeRefs().size() == 1)
|
|
{
|
|
return hasAccess(webProject, results.getNodeRefs().get(0), avmPath, lockOwner);
|
|
}
|
|
return false;
|
|
}
|
|
finally
|
|
{
|
|
results.close();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
public boolean hasAccess(NodeRef webProjectRef, String avmPath, String lockOwner)
|
|
{
|
|
if (personService.getPerson(lockOwner) == null &&
|
|
!authorityService.authorityExists(lockOwner))
|
|
{
|
|
return false;
|
|
}
|
|
if (authorityService.isAdminAuthority(lockOwner))
|
|
{
|
|
return true;
|
|
}
|
|
String webProject = (String)nodeService.getProperty(webProjectRef, WCMAppModel.PROP_AVMSTORE);
|
|
return hasAccess(webProject, webProjectRef, avmPath, lockOwner);
|
|
}
|
|
|
|
private boolean hasAccess(String webProject, NodeRef webProjectRef, String avmPath, String lockOwner)
|
|
{
|
|
String[] storePath = avmPath.split(":");
|
|
if (storePath.length != 2)
|
|
{
|
|
throw new AVMBadArgumentException("Malformed AVM Path : " + avmPath);
|
|
}
|
|
|
|
if (logger.isDebugEnabled())
|
|
logger.debug(
|
|
"Testing lock access on path: " + avmPath +
|
|
" for user: " + lockOwner + " in webproject: " + webProject);
|
|
|
|
// check if a lock exists at all for this path in the specified webproject id
|
|
String path = normalizePath(storePath[1]);
|
|
|
|
Map<String, String> lockData = getLockData(webProject, path);
|
|
|
|
if (lockData == null)
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug(" GRANTED: No lock found.");
|
|
return true;
|
|
}
|
|
|
|
String currentLockOwner = lockData.get(KEY_LOCK_OWNER);
|
|
String currentLockStore = lockData.get(WCMUtil.LOCK_KEY_STORE_NAME);
|
|
|
|
|
|
// locks are ignored in a workflow store
|
|
if (storePath[0].contains("--workflow"))
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug(" GRANTED: Workflow store path.");
|
|
return true;
|
|
}
|
|
|
|
// locks are specific to a store - no access if the stores are different
|
|
if (! ((currentLockStore != null) && (currentLockStore.equals(storePath[0]))))
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug(" DENIED: Store on path and lock (" + currentLockStore + ") do not match.");
|
|
return false;
|
|
}
|
|
|
|
// check for content manager role - we allow access to all managers within the same store
|
|
// TODO as part of WCM refactor, consolidate with WebProject.getWebProjectUserRole
|
|
StringBuilder query = new StringBuilder(128);
|
|
query.append("+PARENT:\"").append(webProjectRef).append("\" ");
|
|
query.append("+TYPE:\"").append(WCMAppModel.TYPE_WEBUSER).append("\" ");
|
|
query.append("+@").append(NamespaceService.WCMAPP_MODEL_PREFIX).append("\\:username:\"");
|
|
query.append(lockOwner);
|
|
query.append("\"");
|
|
ResultSet resultSet = searchService.query(
|
|
new StoreRef(this.webProjectStore),
|
|
SearchService.LANGUAGE_LUCENE,
|
|
query.toString());
|
|
List<NodeRef> nodes = resultSet.getNodeRefs();
|
|
resultSet.close();
|
|
|
|
if (nodes.size() == 1)
|
|
{
|
|
String userrole = (String)nodeService.getProperty(nodes.get(0), WCMAppModel.PROP_WEBUSERROLE);
|
|
if (ROLE_CONTENT_MANAGER.equals(userrole))
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
{
|
|
logger.debug("GRANTED: Store match and user is ContentManager role in webproject.");
|
|
}
|
|
return true;
|
|
}
|
|
}
|
|
else if (nodes.size() == 0)
|
|
{
|
|
logger.warn("hasAccess: user role not found for " + lockOwner);
|
|
}
|
|
else
|
|
{
|
|
logger.warn("hasAccess: more than one user role found for " + lockOwner);
|
|
}
|
|
|
|
// finally check the owner of the lock against the specified authority
|
|
if (AuthorityType.getAuthorityType(currentLockOwner) == AuthorityType.EVERYONE)
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug(" GRANTED: Authority EVERYONE matched lock owner.");
|
|
return true;
|
|
}
|
|
|
|
if (checkAgainstAuthority(lockOwner, currentLockOwner))
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
logger.debug(" GRANTED: User matched as lock owner.");
|
|
return true;
|
|
}
|
|
|
|
if (logger.isDebugEnabled())
|
|
logger.debug(" DENIED: User did not match as lock owner.");
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* Helper function that checks the transitive closure of authorities for user.
|
|
*/
|
|
private boolean checkAgainstAuthority(String user, String authority)
|
|
{
|
|
if (user.equalsIgnoreCase(authority))
|
|
{
|
|
return true;
|
|
}
|
|
return authorityService.getAuthoritiesForUser(user).contains(authority);
|
|
}
|
|
|
|
/**
|
|
* Utility to get relative paths into canonical lock form
|
|
*
|
|
* - remove first forward slash
|
|
* - multiple forward slashes collapsed into single foward slash
|
|
*
|
|
* @param path The incoming path.
|
|
* @return The normalized path.
|
|
*/
|
|
public static String normalizePath(String path)
|
|
{
|
|
path = path.toLowerCase(); // note: enables optimised removal of locks (based on path dir start)
|
|
|
|
while (path.startsWith("/"))
|
|
{
|
|
path = path.substring(1);
|
|
}
|
|
while (path.endsWith("/"))
|
|
{
|
|
path = path.substring(0, path.length() - 1);
|
|
}
|
|
return path.replaceAll("/+", "/");
|
|
}
|
|
}
|