mirror of
https://github.com/Alfresco/alfresco-community-repo.git
synced 2025-07-07 18:25:23 +00:00
556377ea3b
34474: ALF-13169 Tomcat fails to shutdown
- fix non daemon Timer's
34475: Part 1: Fix for ALF-13244 SOLR Multi-threaded tracking is required for performance - simultaneous document transformations
- multi-threaded transaction and node tracking (off by default at the moment)
- fix index/repo sync check failure if ACLs have been indexed but no transactions
- minimise data sent back from query responses (not all stored fields)
- added SOLR side config for HTTPClient pooling, cache sizing and tracker configuration
- fixed SOLR incremental cache update for merges that end with all deletions in the old index
- fixed unclosed stream in SolrKeyResourceLoader
34478: ALF-13050 - CIFS: Disabling account is not respected
Also contains major rework of logging and exception handling.
34499: Fix for ALF-13150
34526: Fix for ALF-13288
34530: Minor CSS tweaks after changes for ALF-11991
34539: ALF-13176 - Implement Word for Mac 2011 Cifs Shuffle.
34541: ALF-13244 SOLR Multi-threaded tracking is required for performance - simultaneous document transformations
- multi-threaded ACL tracking
- multi-threaded statistics and reporting control
- nodes that can not be indexed have an error record added to the index and do not block indexing the transaction (nodes unindexed due to exceptions can be found by ID query and the exception stored in the index)
- nodes that are not-indexed have a minimal record added to the index for index consistency checking (unindexed nodes can be found by ID query)
34544: Add support for CIFS Level II shared oplocks. ALF-13138, ALF-13110.
Fixed CIFS open for attributes only access preventing oplock on the following file open.
Fixed reporting serialized copies of file access tokens as leaked.
34576: ALF-12767 - CIFS TextEdit - File has been modified outside TextEdit
34577: incorrectly checked in copy of network-protocol-context.xml
34580: ALF-13215: Ensure that permissions for everyone cannot be upgraded on moderated or private site. Fixed inconsistency between permissions shown in properties and in dialog
34582: ALF-13332: Updated modifier link for correct profile
34609: ALF-12740: Update to previous fix (only apply to IE8 and below)
34623: ALF-12767 - CIFS TextEdit - File has been modified outside TextEdit
34636: Fix for ALF-13365 SOLR: Recently modified docs dashlet sorts incorrectly
- respect short property names on sort requests @cm:created and not require the full @{uri...}created
34659: ALF-2550 - added enterprise repo config files.
34715: Fix for __ShowDetails desktop action returned URL is truncated if hostname too long. ALF-13202.
34726: ALF-13293: Webdav: Version history lost after editing content in Finder
34738: ALF-7883: WebDAV: support HEAD method for folder
- Fix by Pavel
34743: Fix for ALF-13244 SOLR Multi-threaded tracking is required for performance - simultaneous document transformations
- batch fetch for nodes in transaction, acls in sets, and acls and readers
- config for batch fetching
- Better reporting for ACL set indexing
34747: ALF-13262: adding missing indexes for new schema's (activiti-schema create) + schema patch for existing schema
34817: Merged V4.0 to V4.0-BUG-FIX
34493: SPANISH: translation updates based on EN r34103
34498: Fixed ALF-12031: WCM: Content cannot be expired: avmExpiredContentTrigger is missing
- Side-effect of ALF-11644: AVM cleanup jobs run when WCM is not installed
- WORKAROUND: Get file 'root\projects\installer\wcm-bootstrap-context.xml' and use that
34525: Fix for ALF-13210:
- removed "unsupported" from bulk filesystem import web pages
34531: Fix for ALF-13117 and ALF-13273
34549: Merged BRANCHES/DEV/BELARUS/HEAD-2012_03_15 to BRANCHES/V4.0:
34528: ALF-12874:
34552: ALF-13322: Fixed doc lib reload loop caused by "#" in folder name
34553: ALF-13311: Ensure images can be linked in TinyMCE create HTML content editor
34556: Minor: removed unused code
34557: Merged DEV to V4.0
34537: ALF-13035: Add "START WITH" parameter to IDENTITY field.
ALF-13034: Add "optional" parameter for statement that drops index that was generated automatically.
34567: ALF-11047: Ensure that Explorer linked files and folders (from outside of sites) display correctly
34578: Fixes: ALF-11744: Dates rendered with the form service date control are rendered on the server, so show server time.
- I've added the timezone to the display format and the ISO8601 date to the as an attribute on the HTML element to allow client side parsing
- Adds client side parsing on the Doc Details page, so times are shown in the timezone of the user's browser.
34583: GERMAN: Translation update, based on EN r34103, Fixes: ALF-13075,
34584: FRENCH: Translation update based on EN r34103, Fixes: ALF-13002, ALF-13003, ALF-13020
34585: ITALIAN: Translation update based on EN r34103
34586: JAPANESE: Translation update based on EN r34103
34587: DUTCH: Translation update based on EN r34103, Fixes: ALF-12575.
34626: Fixes: ALF-13375 - Date rendering bug in search results
34630: Further fix for ALF-13375 that modifies Alfresco.util.formatDate's ISO8601 support for backward compatibility (e.g. passing in non ISO strings).
34635: ALF-12061: Mac support: Document Connection always throws an error
- Case sensitivity fix by Pavel
34653: ALF-12308, ALF-12309, ALF-12554: Stack specific script errors
34655: Fix for ALF-12723 CMIS: Over-riding cm:autoVersionOnUpdateProps in custom model prevents startup
34656: Merged HEAD to BRANCHES/V4.0:
34654: Fixes: ALF-13389: Old element id used when setting event end date.
34657: Translation updates for all languages except JA.
34660: Fix to license driven config files to remove erroneous characters
34669: Merged DEV to V4.0
34663: ALF-12242: User activation issue
InviteHelper.acceptNominatedInvitation() method was changed to enable user account in any case(no matter was it enabled/disabled before)
34681: Merged DEV/THEMIS2 to V4.0
34472: Document List Customization Refactor
- SLingshotSiteModuleEvalutaor now has new <applyForNonSite> param that defaults to false for backward compability
- Slingshot extension points, surf-doclist.get now uses 2 spring beans:
* "resolver.doclib.doclistDataUrl" to get the repo doclist data url
* "resolver.doclib.actionGroup" to get each item/nodes action group id
34692: Fix for ALF-12715 - Incorrect SPP working (mimetype not set on document stored via ADM Remote Store API)
34708: ALF-13239: Merged V3.4-BUG-FIX (3.4.9) to V4.0 (4.0.1)
34707: ALF-13239 Share rule to convert to PNG fails on JPG images
- Issue was showing up in 4.0.1 as a change was made for iPad that introduced an imageOptions.isAutoOrient()
setting. This forced a concatenation of null with " -auto-orient". However there are also crop and resize
options that could also do this even in 3.4
Setting the commandOptions String to "" when null, is fine as this is how property value nulls are handled
later anyway.
34718: JAPANESE: Localisation of Company specific contact information & addition of timezone to form control.
34719: FRENCH: File consistency tweak.
34746: ALF-12903: Create HTML content fix
34754: Merged PATCHES/V4.0.0 to V4.0
34750: Reinstate ${version.label} into version.number property
34810: Merged DEV to V4.0 (with corrections)
34807: ALF-13290 : Mac Support: Error appears after collaborator saves changes to the document
deleteFailedThumbnailChildren method should be run as system user as it may fails with AccesssDenied if collaborator updates document
34876: Fix fo ALF-13503 Add SOLR client API tests to the SystemBuildTest project
- SOLR API tests run embedded with SSL
34984: ALF-13109 - Correction to NTIOCtl.FsCtlCreateOrGetObjectId
35009: Merged BRANCHES/DEV/V3.4-BUG-FIX to BRANCHES/DEV/V4.0-BUG-FIX:
35008: Fix for ALF-12817. Fixed as suggested - new method remove().
35031: Fix for ALF-12309
35032: Fix fo ALF-13535 using CMIS, on-disk tickets cache can grow unbounded
- expire tickets based on inactivity by default
- added job to clean up expired tickets
- all are configurable
35033: Fix fo ALF-13535 using CMIS, on-disk tickets cache can grow unbounded
- avoid NPE for null tickets
35037: Fix for ALF-13505 SOLR tracking readers does not encode all uids correctly
- fixed reader encoding
35049: ALF-13384 - Saving large Word (mac 2011) document via CIFS fails in Mac OS X Lion
35053: Merged V4.0 (V4.0.1) to V4.0-BUG-FIX (4.0.2)
34844: Merged V3.4-BUG-FIX (3.4.9) to V4.0 (4.0.1)
34843: ALF-5830 show_audit.ftl template doesn't work anymore
- Removed L10n messages that are no longer used (should have been removed in 3.4.6 when this issue was fixed)
34847: Merged HEAD to BRANCHES/V4.0:
34804: Fixes: ALF-13309: Issue with over zealous HTML escaping with truncated descriptions in the Calendar Agenda view.
34861: ALF-13497: Merged PATCHES/V4.0.0 to V4.0
34813: ALF-13115: No feedback is given to the user when Approve/Reject is clicked for a task when they followed a link to the task in an email.
- Fix by Pavel, reviewed by Kev
- Now they get a confirmation message followed by a redirect to their dashboard
34862: Fix for ALF-10823 "allowGuestLogin=false" and Share then fills the alfresco error log with "Guest authentication not supported"
Fix for ALF-12678 Errors in log on startup (ts.alfresco.com 4.0)
- improved handling of 500 errors relating to GuestAuthNotSupported when alfresco.authentication.allowGuestLogin=false
34867: Merged DEV to V4.0
34565: ALF-13074: JBPM workflow definitions are not resilient to missing model definitions
WARN messages have been added if JBPM workflow definitions cannot be loaded in the model definitions.
34855: ALF-13074: JBPM workflow definitions are not resilient to missing model definitions
Reimplemented to handle all exceptions during constructing WorkflowInstances WorkflowTasks and WorkflowDefinitions.
34859: ALF-13074: JBPM workflow definitions are not resilient to missing model definitions
Logger messages was changed to correspond the logger pattern.
34893: Translation updates for DE and ES.
34894: Fixes: ALF-13518; Updates Calendar event object's URL to work out of context.
34896: FRENCH: Translates new strings.
34915: Merged DEV to V4.0
34912: ALF-13267: There should not be a web-client-config-custom.xml in alfresco.war
Move "modules\quickr\config\alfresco\extension\web-client-config-custom.xml" to "modules\quickr\config\alfresco\module\org.alfresco.module.quickr\ui\web-client-custom.xml".
34913: ALF-13267: There should not be a web-client-config-custom.xml in alfresco.war
Delete "modules\quickr\config\alfresco\extension\web-client-config-custom.xml".
34916: ALF-13267: Merged V3.4 to V4.0 (and reversed previous duplicate fix)
24828: Merged BRANCHES/DEV/BELARUS/V3.4-2011_01_13 to BRANCHES/V3.4:
24824: ALF-6361: web-client-config-custom.xml doesn't work in /alfresco/tomcat/shared/classes/alfresco/extension
34929: ALF-12242: Issues activating users when more than one member in the authentication chain
- Correction to fix that caused regressions ALF-13494, ALF-13498
- Need to check for the mutability of a user's authentication before trying to enable it
- Also chaining of the authentication enabled attribute should assume true until false found, not the other way around
34930: ALF-12242: Reverted change to this class as it wasn't necessary and wouldn't work!
34932: ALF-13453: Enable XMLConstants.FEATURE_SECURE_PROCESSING feature on Transformer Factory to prevent remote code execution
- Now SecureTransformerFactory should be used as a standard
34965: Merged PATCHES/V4.0.0 to V4.0
34959: ALF-13550: Fix for ALF-13546 SOLR tracking fails for nodes with content and no auditable aspect - NPE as there is no last modification date to use
34960: ALF-13551: Merged BRANCHES/DEV/V4.0-BUG-FIX to PATCHES\V4.0.0
- fix for ALF-13544 When SOLR encounters an error indexing a document, subsequent indexing does not occur
34541: ALF-13244 SOLR Multi-threaded tracking is required for performance - simultaneous document transformations
- nodes that can not be indexed have an error record added to the index and do not block indexing the transaction (nodes unindexed due to exceptions can be found by ID query and the exception stored in the index)
- nodes that are not-indexed have a minimal record added to the index for index consistency checking (unindexed nodes can be found by ID query)
34968: ALF-13453: Reversed XSLTProcessor and XSLTRenderingEngine changes for now as they break http://wiki.alfresco.com/wiki/WCM_Forms_Rendering and model handling via bsf extensions. A more sophisticated approach is required. See bug for more info.
34972: ALF-13340: Upgrade postgres JDBC driver to tested/supported version!
34997: ALF-13453, ALF-13565: Fully reverted revision 34932 as it prevents startup on Weblogic
34998: Merged V4.0-BUG-FIX to V4.0
34992: DUTCH: translation updates based on EN r34861
34993: FRENCH: Translation updates based on r34861
34994: ITALIAN: Translation updates based on r34861
35013: ALF-13561: Not found error after uploading new version
- Fix by Pavel
35034: Fixes ALF-13570: Error loading event info panel.
35039: ALF-13573: Merged V3.4-BUG-FIX (3.4.9) to V4.0 (4.0.1)
35022: ALF-13451: Allow modules to configure mimetypes
35041: ALF-13466: Error is displayed by approve or reject wcm workflow
- Fixed regression caused by ALF-4098
- Protected calls to new addNewChildrenIfAny() method with isDirectory() checks
35042: GERMAN: Translation updates based on r35029, and fixes ALF-12471.
35043: SPANISH: Translation updates based on r35029, and fixes ALF-12471.
35044: FRENCH: Translation updates based on r35029, and fixes ALF-12471.
35045: ITALIAN: Translation updates based on r35029, and fixes ALF-12471.
35046: JAPANESE: Translation updates based on r35029, and fixes ALF-12471.
35047: DUTCH: Translation updates based on r35029, and fixes ALF-12471.
35090: Remove Kofax. It has been migrated to integrations/kofax
35097: Added new file server cluster tests.
Open for attributes only overlapped with open with oplock.
Open with oplock with break to level II shared oplock.
35099: JLAN Client updates to support level II oplocks, required by new cluster tests.
35100: Various oplock related fixes, including problems opening file on second cluster node. ALF-13109.
35107: remove errant '>'
35116: ALF-13401 - Mac LION Powerpoint CIFS
35162: Removed spurious attempt to force a concurrency exception for getNodePair after a node had actually been deleted. Code would retry 50 times before failing. Reviewed with Derek, its not the node service's job to second guess that there may be a concurrency problem in a client's cache.
35164: Fix for ALF-13641 - Negative cases for date value in propertyNegative cases for date value in property. Today button
35169: ALF-13401, ALF-12393: Added exception translation to AbstractReindexComponent retrying transactions, following change in r35162
35172: ALF-13626: category.put.json.ftl has wrong bracket
35173: ALF-12749 - CIFS: Editing of ppt/pptx files fails (MacOSx specific)
35174: Fix for ALF-13556 - Sorting for custom model fields doesn't work for search results in Share
35176: Fix for ALF-4281 - Script error at 'Email space users' form
35186: Merged BRANCHES/DEV/DAM/V4.0-BUG-FIX-34847 to BRANCHES/DEV/V4.0-BUG-FIX:
34875: Creating new branch from $FROM
34939: Merged BRANCHES/DEV/DAM/V4.0-BUG-FIX-34397 to BRANCHES/DEV/DAM/V4.0-BUG-FIX-34847:
34400: Creating new branch from $FROM
34422: Merged DEV/DAM-0.1 to DEV/DAM/V4.0-BUG-FIX-34397
34085: Allow for generateThumbnailUrl to accept a rendition name parameter.
34086: Changed simpleView view type switch to integer implementation rather than boolean.
34087: Pulled specific rendering code for simple and detail view into separate view renderer objects.
34092: If simpleView was stored as a boolean convert it to an integer for ALF-12952.
34423: Merged DEV/DAM/HEAD-34276 to DEV/DAM/V4.0-BUG-FIX-34397
34307: ALF-12952: Change DocumentList simpleView Nav Switch to an Int Implementation
34957: ALF-12952: Change DocumentList simpleView Nav Switch to an Int Implementation
- Removed ability to specify index on registerViewRenderer
- Added firing of setupAdditionalViewRenderers to make it easier for extensions to register themselves at the appropriate time
35021: ALF-12955: Share Document Library and Repository Browser Should Easily Allow for Additional Views
- Changed viewRenderers to an object implementation with storage/retrieval via named properties or 'keys'
35050: ALF-12955: Share Document Library and Repository Browser Should Easily Allow for Additional Views
- Renamed simpleView preference and option to viewRendererName
- Reintroduced simpleView boolean preference and option as deprecated to allow deletion of old preference
- Renamed viewRendererOrder to viewRendererNames
- Added default viewRendererNames at DocumentList.options level
- Renamed widgets.simpleDetailed to widgets.viewRendererSelect but did NOT change HTML id for backwards compatibility
- Renamed onSimpleDetailed to onViewRendererSelect
- Added deletion of deprecated simpleView preference if it exists
35056: ALF-12955: Share Document Library and Repository Browser Should Easily Allow for Additional Views
- Made viewRenderer methods a proper Alfresco.ViewRenderer object which is more easily extended
- Added name property to ViewRenderer constructor and changed registerViewRenderer to use that as a key
- With more strictly defined ViewRenderers in place, changed select button to iterate over viewRendererNames rather than explicit list
35104: ALF-12955: Share Document Library and Repository Browser Should Easily Allow for Additional Views
- Added markup tag around the document list container
35126: ALF-12955: Share Document Library and Repository Browser Should Easily Allow for Additional Views
- Added markup tag documentListConstructorSetOptions around setOptions after DocumentList object constructor
- Added markup tag documentListViewRendererSelect around view select buttons
- Added markup tag documentListShowFolders around show folders button
- Added markup tag documentListSortSelect around sort selection buttons
- Renamed Alfresco.ViewRenderer to more specific Alfresco.DocumentListViewRenderer and private methods similarly
- Added default for viewRendererName if it's undefined in options
- Added check for availability of renderer specified in user preference, if not use default, and consolidated renderer index lookup
35179: ALF-12955: Share Document Library and Repository Browser Should Easily Allow for Additional Views
- Removed documentListConstructorSetOptions
35194: Temp disable cifs text edit test.
35197: ALF-13097 - IMAP templates have wrong mimetype
35201: Merged V3.4-BUG-FIX to V4.0-BUG-FIX
34462: Merged DEV to V3.4-BUG-FIX
34461: ALF-10759: Advanced search fails for sub-element tags
UITagSelector component which allows Advanced Search to add new tag option to search
34479: Merged V3.4 to V3.4-BUG-FIX (RECORD ONLY)
34477: ALF-13237: Yet another 13th hour Spring Surf Regression
- Can't afford to pull in all the latest surf goodies so overriding PageImpl.class with one corresponding to Surf revision 1034 in WEB-INF/classes, just for 3.4.8
34515: ALF-9855: Alfresco side to support standard Adobe-Japan1 PDF fonts in swftools
- Bitrock binaries provided
34518: ALF-13266: Ubuntu installation fails in non-obvious way when machine lacks sufficient memory
- Fix from Bitrock
- L10N required
34536: Merged DEV to V3.4-BUG-FIX
34529: ALF-13135: Impossible to Add new member on Workspace using email address
NPE fix if AD users don't have e-mail address as a property.
34538: ALF-12812 Saving files with apps on Mac OS X Lion in CIFS doesn't invoke rules (Update rule fires BEFORE, FileFolderInterceptor recalcs HIDDEN and TEMPORARY )
34542: Add support for Level II shared oplock. ALF-13093, ALF-12328.
Fixed CIFS open for attributes only access preventing oplock on the following file open.
34543: Oplock and open for attributes fixes to the repo/AVM filesystems. ALF-13093, ALF-12328.
34579: ALF-13284: Removing obselete files
34603: ALF-10833 Alfresco does not show correct thumbnails for some specific kind of PDFs
- Patched PDFRenderer-0.9.1 to return a null page if there was an error.
The code structure did not lend itself to simply throwing the exception.
- Modified PdfToImageContentTransformer to check for a null page and it then throws an AlfescoRuntimeException
which causes the failover transformer to use the next transformer in the list: PDBBox which is able to
transform the pdf and the image that was missing.
34617: Add missing source Java folder.
34629: ALF-13188: Content IO Channel not closed
34697: ALF-13149: Start up performance suffers if the alf_transaction table grows too large.
34712: ALF-13063: sample settings for DB2
34803: New installer translations from Gloria
34809: ALF-11956: Merged BELARUS/V3.4-BUG-FIX-2012_01_26 to V3.4-BUG-FIX (V3.4.9)
<< In addition to the 2 merged revisions, includes the change for ALF-11972 and test all-widgets.xsd >>
33715: ALF-11956: WCM accessibility
- sandbox name oriented titles were added almost to all action links at 'Browse Website' page view;
- adding titles to image tags functionality was added to ActionLinkRenderer, UIMenu and UISandboxes (this includes arrow icons for 'Web Forms' and 'Modified Items');
- titles were added to XForm Date/Time picker controls (text input and arrow buttons);
- 'Click to edit' functionality via keyboard availability was added to XForms TinyMCE editor control (using 'Tab' key, 'Alt' + 'E' in IE or 'Alt' + 'Shift' + 'E' in FireFox);
- additional i18n properties for Date/Time picker and action link titles were added
34625: ALF-11956: WCM accessibility
Increasing XForms widgets readability by screen reader tools:
- Tiny MCE 3.2.7 buttons;
- required fields;
- inputs labels;
- VGroup, HGroup and Repeating widgets folding icons/buttons and others
ALF-11972: Title attributes for the WCM form element xs:anyURI not included to allow multiple xs:anyURI file picker "Select" buttons to be distinguished by screen readers
- Change defined in JIRA
34846: Translation updates:
- FR: Missing Strings
- DE: Fixes encoding issue
34881: ALF-13512: Merged PATCHES/V3.4.8 to V3.4-BUG-FIX
34829: ALF-12621: Sort order of folders including hyphens ( - ) are different in folder-tree and view on folders (in Share)
- Switched from using JS sort to Java locale-based sort
34845: ALF-12621: Fixed array typing problems in previous checkin
34918: Fix for ALF-13385 Access DENIED api does not seem to work
- changed default behaviour to any-deny-denies
- config to switch back
- needs custom port to 4.0 for SOLR
- unit tests added
34919: Fix for ALF-13385 Access DENIED api does not seem to work
- added property based configuration and default configuration check
34937: ALF-11956: Merged BELARUS/V3.4-BUG-FIX-2012_01_26 to V3.4-BUG-FIX (V3.4.9)
34886: ALF-11956: WCM accessibility
- headings functionality is added. WAI-ARIA markup was used;
- alert for XForms validation errors is added. WAI-ARIA markup was used;
- previous accessibility changes tested and fixed against the new functionality
35003: Merged HEAD to V3.4-BUG-FIX
34673: Changed from time-based module and component names to GUID-based names. Not likely to affect anything.
35057: Fix for ALF-12590 Share - Document library doesn't return subfolders when parent space contains the character "- "
- updated to the latest version of jaxen (which now includes saxpath)
- the problem path is now parsed correctly
35074: ALF-13597: Merged PATCHES/V3.4.6 to V3.4-BUG-FIX
34978: ALF-13489: Index tracker now has ability to distinguish create/update/rename/link/unlink
- Will prevent unnecessary cascading PATH regeneration on remote cluster nodes
- QNames and noderefs of parents in index compared with those in the database
- Experimental - needs testing
34983: ALF-13489: Correction to renamed node detection
34985: ALF-13489: Even more foolproof parent assoc cross-referencing
- Should handle duplicate QNames, etc.
- Renames now just an add and a remove
35075: ALF-13598: Merged PATCHES/V3.4.6 to V3.4-BUG-FIX
34872: Merged DEV (by Pavel) to PATCHES/V3.4.6 (and refactored)
34554: ALF-11777 : Persistent lock is left on document in certain use cases when editing online (spp)
1. From now documents are locked for maximum 24 hours when working through WebDAV/Vti.
2. Session listeners were added for web-client and vti-module to allow handling session expiration event.
3. WebDAVLockService class was implemented. It is used by session listeners to perform session cleaning (forcibly unlock all documents that were persistently locked during http session).
4. LOCK/UNLOCK webdav methods and Get/Checkout/UncheckoutDocumentMethod vti methods where updated to correctly populate session list of locked documents.
34832: ALF-11777 : Persistent lock is left on document in certain use cases when editing online (spp)
1. From now documents are locked for maximum 24 hours when working through WebDAV/Vti.
2. Session listener was added for webdav/vti to allow handling session expiration event.
3. LOCK/UNLOCK webdav methods and Get/Checkout/UncheckoutDocumentMethod vti methods where updated to use shared code to lock/unlock nodes.
34833: ALF-11777 : Persistent lock is left on document in certain use cases when editing online (spp)
1. Remove unnecessary classes after 34554 rev.
34852: ALF-11777 : Persistent lock is left on document in certain use cases when editing online (spp)
1. Some changes after David's review of revisions 34832, 34833.
34874: ALF-11777: Fixed typo
35078: ALF-12785: BaseDownloadContentServlet could co into an infinite loop if asked to seek past the end of a file
35079: ALF-12490 "HTTP Status 500 - 00200935 Exception in Transaction" message error with webform
- ALF-9524 fix assumed there were only switch elements in a form
35086: ALF-13563: Upgrade to Bitrock 8.1.0 to fix password validation issue
35095: ALF-12764: New distributable alfresco-enterprise-ear-3.4.9.zip
- Like war zip, but contains .ear file instead of .wars and also contains WAS shared library
- Means samples and other bits are finally available to non-Tomcat users
35103: Merged DEV to V3.4-BUG-FIX
35098: ALF-12776: if a user requests to join a moderated site, and that request is rejected, the rejection email is sent to the user-id and not the email id.
Implemented
Correct WorkflowModelModeratedInvitation.WF_PROP_REVIEW_COMMENTS field in configuration for moderatedInvitationReviewTask
Person's email into emailAction PARAM_TO
35114: ALF-12766 Creating Web Content several users - different sandboxes
- To be consistent with ALF-11440 PM comment 18-Dec-2011 and ALF-8787
A Manager should only be able to create a file in a sandbox
if it is NOT locked somewhere else.
- Not much can be done about the error message as the locked path is useful in other
situations and it is not possible to issue a different message on create only
35121: ALF-11956: Merged BELARUS/V3.4-BUG-FIX-2012_04_05 to V3.4-BUG-FIX (V3.4.9)
35109: ALF-11956: WCM accessibility
- Date/Time Pickers are made accessible via the keyboard and readable by JAWS (13, demo version). WAI-ARIA standard is used;
- corrected 'expanded' state determination for Date/Time Pickers;
- Modified Items and Web Forms arrow buttons are made accessible via the keyboard on the Browse Website page;
- some changes per the description of the issue and per the comment of the 23-Feb-12 11:33 AM
35145: ALF-11990: CIFS login with case insensitive username is rejected
- User name normalization moved to before MD4 hash retrieval
35151: Port of oplock related changes from v4.x.
35177: Fix for ALF-11936 - RSS feed from the activities dashlet produces invalid XML
35178: ALF-12631: removeChild requires delete permissions on the child node, even when it is a secondary association
- now it doesn't (thanks to Andy's solution)
- new ACL_PRI_CHILD_ASSOC_ON_CHILD ACL entry only enforces the permission on the child node when it is a primary association
35181: Merged DEV to V3.4-BUG-FIX
35165: ALF-13409: Invite to a site throws an error if an instance of invitation-moderated-workflow is started by a user whose account is subsequently deleted
InvitationServiceImpl listens for person node deletions (it already implements beforeDeleteNode) and cancels invitations within beforeDeleteNode
35182: ALF-12567 Unable to create thumbnails for certain PDF files
- The supplied PDF contains an invalid offset in the xref table. This turns out to be a quite common error resulting in
thousands of Google hits. The offset is set to the string value "4294967295". This number in hex is FFFFFFFF. The value
of an 4 byte int in C or Java with this value is -1. Neither PDFRenderer nor PDFBox have workarounds for this although
lots of other systems do, which is why it is possible to view or edit it in other systems.
Patched both PDFRenderer and PDFBox to handle this common error.
35185: ALF-13033: Friendlier error message when you try to delete non existent content from a sandbox
35191: ALF-13409: Fix build.
35192: Merged V3.4 to V3.4-BUG-FIX
35161: ALF-13624: Merged V4.0-BUG-FIX to V3.4
34474: ALF-13169 Tomcat fails to shut down
- fix non daemon Timers (and punctuation!)
35163: ALF-13656: Merged HEAD to V3.4
31375: Fix for ALF-435 - Unfriendly error occurs when trying to delete renamed category from category page
35189: Italian translations from Gloria
35193: Merged V3.4 to V3.4-BUG-FIX (RECORD ONLY)
35125: Merged V3.4-BUG-FIX to V3.4
35156: Correction to merge in revision 35125 (a reintegrate merge rather than a selective merge)
35202: Merged V3.4-BUG-FIX to V4.0-BUG-FIX (RECORD ONLY)
34532: ALF-13233: Merged HEAD to V3.4-BUG-FIX
32960: ALF-11008 - Support the WebDAV DELETE method in SPP/VTI, with the special response required by SPP for locked documents
34559: ALF-13106: Merged HEAD to V3.4-BUG-FIX
28223: Merged DEV/SWIFT to HEAD (Tika and Poi)
30589: Upate Tika and add Ogg Vorbis support + tests
30673: Upgrade POI and Tika for recent fixes
31009: Bump the Tika version for some recent fixes
31010: Update the test audio files to include more metadata
31011: ALF-6170 Add missing audio model (needed in devcon demo)
31013: Update the MP3 extractor to output audio keys (related to ALF-6170), and refactor the audio extractors to share more common code. Also expands the audio extractor tests to share common code, and test more metadata. (Needed for devcon demo)
31022: Tika update for custom mimetypes enhancement
31023: Add @since tags where known, and do a quick coding standards sweep
31274: ALF-10813 follow-on - make it clearer that we're just creating the one detector, and switch to the new style version
31289: ALF-10803 - Upgrade Tika to add the extra WordPerfect mimetype
31553: ALF-10525 ACP mimetype detection fix, unit tests for it, and a NPE fix
31554: Update Tika to get the fix for TIKA-764
32105: ALF-11574 Upgrade Tika for the fix to TIKA-784, and add the DITA types to the Alfresco mimetype map
32138: Bump the Tika version for the updated TIKA-784 fix, and add an Alfresco side unit test for this case
32153: Update the vorbis jar to one that includes the license info more clearly in META-INF (without needing to read the POM)
32320: ALF-11650 Upgrade Tika for TIKA-789 (MPP Detection), and add tests that show it is now being correctly handled
32363: Update POI and Tika for the new code required to solve ALF-10980 (MPP Open/Change detection)
34560: ALF-13106: Merged V4.0-BUG-FIX to V3.4-BUG-FIX
33330: ALF-12487 In Mimetype Detection, if Tika detects a generic type of text/plain or XML, defer to the Alfresco filename based type (as we already do for octet stream)
33379: Add the TIFF mimetype
33380: Improve the stream to Tika conversion code, following review for THOR-952
33385: Upgrade to the latest Tika and POI, for recent bug fixes
33779: Upgrade Tika for ALF-12714
33782: ALF-12714 Add 3GPP/3GPP2 video, and MP4 Audio mimetypes
33783: Update Tika for more MP4/QuickTime support, and enable MP4 audio metadata extraction + "quick" testing
34561: ALF-13106: Fixed merge errors
34562: ALF-13106: Merged SWIFT to V3.4-BUG-FIX
26546: Have one copy of the Tika Config in spring, rather than several places fetching their own copy of the default one (either explicitly or implicitly).
34563: ALF-13106: Merged HEAD to V3.4-BUG-FIX
32264: Adding "quick" test resources for MS project.
34564: ALF-13106: Fix unit test
34752: GERMAN: Translation updates, based on EN: 34612
34753: SPANISH: Translation updates, based on EN: 34612
34755: FRENCH: Translation updates, based on EN: 34612
34756: ITALIAN: Translation updates, based on EN: 34612
34967: ALF-13552: Merged V4.0 to V3.4-BUG-FIX
34932: ALF-13453: Enable XMLConstants.FEATURE_SECURE_PROCESSING feature on Transformer Factory to prevent remote code execution
- Now SecureTransformerFactory should be used as a standard
34971: ALF-13552: Merged V4.0 to V3.4-BUG-FIX
34968: ALF-13453: Reversed XSLTProcessor and XSLTRenderingEngine changes for now as they break http://wiki.alfresco.com/wiki/WCM_Forms_Rendering and model handling via bsf extensions. A more sophisticated approach is required. See bug for more info.
34982: ALF-13554: Merged V4.0 to V3.4-BUG-FIX
34972: ALF-13340: Upgrade postgres JDBC driver to tested/supported version!
34999: ALF-13552: Merged V4.0 to V3.4-BUG-FIX
34997: ALF-13453, ALF-13565: Fully reverted revision 34932 as it prevents startup on Weblogic
35000: Translation updates for DE, ES, IT. Based on EN r34846.
35015: ALF-13451: Merged V4.0-BUG-FIX to V3.4-BUG-FIX
33864: ALF-10736: JSF - Adding mimetype does not work on 3.4.x
35020: ALF-13451: Merged V4.0-BUG-FIX to V3.4-BUG-FIX
33863: ConfigSource for XMLConfigService which uses a ResourceFinder for wildcard-compatible lookups (UrlConfigSource does not support them)
35029: JAPANESE: Translation updates based on EN r34846
35212: ALF-13409: Deleting a person can now cancel their invitations. Cancelling invitations can delete inactive persons! So prevent infinite looping with a transaction local resource
- Also fix up other invite related unit tests
35217: Merged DEV to V4.0-BUG-FIX
35214: ALF-12745 : AD-LDAP: alfresco hangs when upload user csv file
Disable 'Upload User CSV File' button in Share admin console in case of AD-LDAP
35221: Avoid a NPE if Repository.getPerson() is called when no RunAsUser is active, instead return Null as for users with no defined NodeRef
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@35229 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
1952 lines
66 KiB
Java
1952 lines
66 KiB
Java
/*
|
|
* Copyright (C) 2005-2010 Alfresco Software Limited.
|
|
*
|
|
* This file is part of Alfresco
|
|
*
|
|
* Alfresco is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU Lesser General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* Alfresco is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public License
|
|
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
package org.alfresco.repo.domain.permissions;
|
|
|
|
import java.io.Serializable;
|
|
import java.util.ArrayList;
|
|
import java.util.Collections;
|
|
import java.util.List;
|
|
import java.util.Map;
|
|
import java.util.Set;
|
|
|
|
import org.alfresco.error.AlfrescoRuntimeException;
|
|
import org.alfresco.repo.cache.SimpleCache;
|
|
import org.alfresco.repo.domain.node.NodeDAO;
|
|
import org.alfresco.repo.domain.qname.QNameDAO;
|
|
import org.alfresco.repo.security.authentication.AuthenticationUtil;
|
|
import org.alfresco.repo.security.permissions.ACEType;
|
|
import org.alfresco.repo.security.permissions.ACLCopyMode;
|
|
import org.alfresco.repo.security.permissions.ACLType;
|
|
import org.alfresco.repo.security.permissions.AccessControlEntry;
|
|
import org.alfresco.repo.security.permissions.AccessControlList;
|
|
import org.alfresco.repo.security.permissions.AccessControlListProperties;
|
|
import org.alfresco.repo.security.permissions.SimpleAccessControlEntry;
|
|
import org.alfresco.repo.security.permissions.SimpleAccessControlList;
|
|
import org.alfresco.repo.security.permissions.SimpleAccessControlListProperties;
|
|
import org.alfresco.repo.security.permissions.impl.AclChange;
|
|
import org.alfresco.repo.security.permissions.impl.SimplePermissionReference;
|
|
import org.alfresco.repo.tenant.TenantService;
|
|
import org.alfresco.repo.transaction.AlfrescoTransactionSupport;
|
|
import org.alfresco.repo.transaction.TransactionListenerAdapter;
|
|
import org.alfresco.service.cmr.repository.NodeRef;
|
|
import org.alfresco.service.cmr.security.AccessStatus;
|
|
import org.alfresco.service.cmr.security.AuthorityType;
|
|
import org.alfresco.service.namespace.QName;
|
|
import org.alfresco.util.GUID;
|
|
import org.alfresco.util.Pair;
|
|
import org.alfresco.util.ParameterCheck;
|
|
import org.apache.commons.logging.Log;
|
|
import org.apache.commons.logging.LogFactory;
|
|
|
|
/**
|
|
* DAO to manage ACL persistence
|
|
*
|
|
* Note: based on earlier AclDaoComponentImpl
|
|
*
|
|
* @author Andy Hind, janv
|
|
* @since 3.4
|
|
*/
|
|
public class AclDAOImpl implements AclDAO
|
|
{
|
|
private static Log logger = LogFactory.getLog(AclDAOImpl.class);
|
|
|
|
private QNameDAO qnameDAO;
|
|
private AclCrudDAO aclCrudDAO;
|
|
private NodeDAO nodeDAO;
|
|
private TenantService tenantService;
|
|
private SimpleCache<Long, AccessControlList> aclCache;
|
|
private SimpleCache<Serializable, Set<String>> readersCache;
|
|
|
|
private SimpleCache<Serializable, Set<String>> readersDeniedCache;
|
|
|
|
private enum WriteMode
|
|
{
|
|
/**
|
|
* Remove inherited ACEs after that set
|
|
*/
|
|
TRUNCATE_INHERITED,
|
|
/**
|
|
* Add inherited ACEs
|
|
*/
|
|
ADD_INHERITED,
|
|
/**
|
|
* The source of inherited ACEs is changing
|
|
*/
|
|
CHANGE_INHERITED,
|
|
/**
|
|
* Remove all inherited ACEs
|
|
*/
|
|
REMOVE_INHERITED,
|
|
/**
|
|
* Insert inherited ACEs
|
|
*/
|
|
INSERT_INHERITED,
|
|
/**
|
|
* Copy ACLs and update ACEs and inheritance
|
|
*/
|
|
COPY_UPDATE_AND_INHERIT,
|
|
/**
|
|
* Simple copy
|
|
*/
|
|
COPY_ONLY, CREATE_AND_INHERIT;
|
|
}
|
|
|
|
public void setQnameDAO(QNameDAO qnameDAO)
|
|
{
|
|
this.qnameDAO = qnameDAO;
|
|
}
|
|
|
|
public void setTenantService(TenantService tenantService)
|
|
{
|
|
this.tenantService = tenantService;
|
|
}
|
|
|
|
public void setAclCrudDAO(AclCrudDAO aclCrudDAO)
|
|
{
|
|
this.aclCrudDAO = aclCrudDAO;
|
|
}
|
|
|
|
public void setNodeDAO(NodeDAO nodeDAO)
|
|
{
|
|
this.nodeDAO = nodeDAO;
|
|
}
|
|
|
|
/**
|
|
* Set the ACL cache
|
|
*
|
|
* @param aclCache
|
|
*/
|
|
public void setAclCache(SimpleCache<Long, AccessControlList> aclCache)
|
|
{
|
|
this.aclCache = aclCache;
|
|
}
|
|
|
|
/**
|
|
* @param readersCache the readersCache to set
|
|
*/
|
|
public void setReadersCache(SimpleCache<Serializable, Set<String>> readersCache)
|
|
{
|
|
this.readersCache = readersCache;
|
|
}
|
|
|
|
/**
|
|
* @param readersDeniedCache the readersDeniedCache to set
|
|
*/
|
|
public void setReadersDeniedCache(SimpleCache<Serializable, Set<String>> readersDeniedCache)
|
|
{
|
|
this.readersDeniedCache = readersDeniedCache;
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
@Override
|
|
public Long createAccessControlList()
|
|
{
|
|
return createAccessControlList(getDefaultProperties()).getId();
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
@Override
|
|
public AccessControlListProperties getDefaultProperties()
|
|
{
|
|
SimpleAccessControlListProperties properties = new SimpleAccessControlListProperties();
|
|
properties.setAclType(ACLType.DEFINING);
|
|
properties.setInherits(true);
|
|
properties.setVersioned(false);
|
|
return properties;
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
@Override
|
|
public Acl createAccessControlList(AccessControlListProperties properties)
|
|
{
|
|
if (properties == null)
|
|
{
|
|
throw new IllegalArgumentException("Properties cannot be null");
|
|
}
|
|
|
|
if (properties.getAclType() == null)
|
|
{
|
|
throw new IllegalArgumentException("ACL Type must be defined");
|
|
}
|
|
switch (properties.getAclType())
|
|
{
|
|
case OLD:
|
|
if (properties.isVersioned() == Boolean.TRUE)
|
|
{
|
|
throw new IllegalArgumentException("Old acls can not be versioned");
|
|
}
|
|
break;
|
|
case SHARED:
|
|
throw new IllegalArgumentException("Can not create shared acls direct - use get inherited");
|
|
case DEFINING:
|
|
case LAYERED:
|
|
break;
|
|
case FIXED:
|
|
if (properties.getInherits() == Boolean.TRUE)
|
|
{
|
|
throw new IllegalArgumentException("Fixed ACLs can not inherit");
|
|
}
|
|
case GLOBAL:
|
|
if (properties.getInherits() == Boolean.TRUE)
|
|
{
|
|
throw new IllegalArgumentException("Fixed ACLs can not inherit");
|
|
}
|
|
default:
|
|
break;
|
|
}
|
|
return createAccessControlList(properties, null, null);
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
@Override
|
|
public Acl createAccessControlList(AccessControlListProperties properties, List<AccessControlEntry> aces, Long inherited)
|
|
{
|
|
if (properties == null)
|
|
{
|
|
throw new IllegalArgumentException("Properties cannot be null");
|
|
}
|
|
|
|
AclEntity acl = new AclEntity();
|
|
if (properties.getAclId() != null)
|
|
{
|
|
acl.setAclId(properties.getAclId());
|
|
}
|
|
else
|
|
{
|
|
acl.setAclId(GUID.generate());
|
|
}
|
|
acl.setAclType(properties.getAclType());
|
|
acl.setAclVersion(Long.valueOf(1l));
|
|
|
|
switch (properties.getAclType())
|
|
{
|
|
case FIXED:
|
|
case GLOBAL:
|
|
acl.setInherits(Boolean.FALSE);
|
|
case OLD:
|
|
case SHARED:
|
|
case DEFINING:
|
|
case LAYERED:
|
|
default:
|
|
if (properties.getInherits() != null)
|
|
{
|
|
acl.setInherits(properties.getInherits());
|
|
}
|
|
else
|
|
{
|
|
acl.setInherits(Boolean.TRUE);
|
|
}
|
|
break;
|
|
}
|
|
acl.setLatest(Boolean.TRUE);
|
|
|
|
switch (properties.getAclType())
|
|
{
|
|
case OLD:
|
|
acl.setVersioned(Boolean.FALSE);
|
|
break;
|
|
case LAYERED:
|
|
if (properties.isVersioned() != null)
|
|
{
|
|
acl.setVersioned(properties.isVersioned());
|
|
}
|
|
else
|
|
{
|
|
acl.setVersioned(Boolean.TRUE);
|
|
}
|
|
break;
|
|
case FIXED:
|
|
case GLOBAL:
|
|
case SHARED:
|
|
case DEFINING:
|
|
default:
|
|
if (properties.isVersioned() != null)
|
|
{
|
|
acl.setVersioned(properties.isVersioned());
|
|
}
|
|
else
|
|
{
|
|
acl.setVersioned(Boolean.FALSE);
|
|
}
|
|
break;
|
|
}
|
|
|
|
acl.setAclChangeSetId(getCurrentChangeSetId());
|
|
acl.setRequiresVersion(false);
|
|
|
|
Acl createdAcl = (AclEntity)aclCrudDAO.createAcl(acl);
|
|
long created = createdAcl.getId();
|
|
|
|
List<Ace> toAdd = new ArrayList<Ace>();
|
|
List<AccessControlEntry> excluded = new ArrayList<AccessControlEntry>();
|
|
List<AclChange> changes = new ArrayList<AclChange>();
|
|
if ((aces != null) && aces.size() > 0)
|
|
{
|
|
for (AccessControlEntry ace : aces)
|
|
{
|
|
if ((ace.getPosition() != null) && (ace.getPosition() != 0))
|
|
{
|
|
throw new IllegalArgumentException("Invalid position");
|
|
}
|
|
|
|
// Find authority
|
|
Authority authority = aclCrudDAO.getOrCreateAuthority(ace.getAuthority());
|
|
Permission permission = aclCrudDAO.getOrCreatePermission(ace.getPermission());
|
|
|
|
// Find context
|
|
if (ace.getContext() != null)
|
|
{
|
|
throw new UnsupportedOperationException();
|
|
}
|
|
|
|
// Find ACE
|
|
Ace entry = aclCrudDAO.getOrCreateAce(permission, authority, ace.getAceType(), ace.getAccessStatus());
|
|
|
|
// Wire up
|
|
// COW and remove any existing matches
|
|
|
|
SimpleAccessControlEntry exclude = new SimpleAccessControlEntry();
|
|
// match any access status
|
|
exclude.setAceType(ace.getAceType());
|
|
exclude.setAuthority(ace.getAuthority());
|
|
exclude.setPermission(ace.getPermission());
|
|
exclude.setPosition(0);
|
|
|
|
toAdd.add(entry);
|
|
excluded.add(exclude);
|
|
// Will remove from the cache
|
|
}
|
|
}
|
|
Long toInherit = null;
|
|
if (inherited != null)
|
|
{
|
|
toInherit = getInheritedAccessControlList(inherited);
|
|
}
|
|
getWritable(created, toInherit, excluded, toAdd, toInherit, false, changes, WriteMode.CREATE_AND_INHERIT);
|
|
|
|
|
|
return createdAcl;
|
|
}
|
|
|
|
private void getWritable(
|
|
final Long id, final Long parent,
|
|
List<? extends AccessControlEntry> exclude, List<Ace> toAdd,
|
|
Long inheritsFrom, boolean cascade,
|
|
List<AclChange> changes, WriteMode mode)
|
|
{
|
|
List<Ace> inherited = null;
|
|
List<Integer> positions = null;
|
|
|
|
if ((mode == WriteMode.ADD_INHERITED) || (mode == WriteMode.INSERT_INHERITED) || (mode == WriteMode.CHANGE_INHERITED) || (mode == WriteMode.CREATE_AND_INHERIT ))
|
|
{
|
|
inherited = new ArrayList<Ace>();
|
|
positions = new ArrayList<Integer>();
|
|
|
|
// get aces for acl (via acl member)
|
|
List<AclMember> members;
|
|
if(parent != null)
|
|
{
|
|
members = aclCrudDAO.getAclMembersByAcl(parent);
|
|
}
|
|
else
|
|
{
|
|
members = Collections.<AclMember>emptyList();
|
|
}
|
|
|
|
for (AclMember member : members)
|
|
{
|
|
Ace aceEntity = aclCrudDAO.getAce(member.getAceId());
|
|
|
|
if ((mode == WriteMode.INSERT_INHERITED) && (member.getPos() == 0))
|
|
{
|
|
inherited.add(aceEntity);
|
|
positions.add(member.getPos());
|
|
}
|
|
else
|
|
{
|
|
inherited.add(aceEntity);
|
|
positions.add(member.getPos());
|
|
}
|
|
}
|
|
}
|
|
|
|
getWritable(id, parent, exclude, toAdd, inheritsFrom, inherited, positions, cascade, 0, changes, mode, false);
|
|
}
|
|
|
|
/**
|
|
* Make a whole tree of ACLs copy on write if required Includes adding and removing ACEs which can be optimised
|
|
* slightly for copy on write (no need to add and then remove)
|
|
*/
|
|
private void getWritable(
|
|
final Long id, final Long parent,
|
|
List<? extends AccessControlEntry> exclude, List<Ace> toAdd, Long inheritsFrom,
|
|
List<Ace> inherited, List<Integer> positions,
|
|
boolean cascade, int depth, List<AclChange> changes, WriteMode mode, boolean requiresVersion)
|
|
{
|
|
AclChange current = getWritable(id, parent, exclude, toAdd, inheritsFrom, inherited, positions, depth, mode, requiresVersion);
|
|
changes.add(current);
|
|
|
|
boolean cascadeVersion = requiresVersion;
|
|
if (!cascadeVersion)
|
|
{
|
|
cascadeVersion = !current.getBefore().equals(current.getAfter());
|
|
}
|
|
|
|
if (cascade)
|
|
{
|
|
List<Long> inheritors = aclCrudDAO.getAclsThatInheritFromAcl(id);
|
|
for (Long nextId : inheritors)
|
|
{
|
|
// Check for those that inherit themselves to other nodes ...
|
|
if (!nextId.equals(id))
|
|
{
|
|
getWritable(nextId, current.getAfter(), exclude, toAdd, current.getAfter(), inherited, positions, cascade, depth + 1, changes, mode, cascadeVersion);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* COW for an individual ACL
|
|
* @return - an AclChange
|
|
*/
|
|
private AclChange getWritable(
|
|
final Long id, final Long parent,
|
|
List<? extends AccessControlEntry> exclude, List<Ace> acesToAdd, Long inheritsFrom,
|
|
List<Ace> inherited, List<Integer> positions, int depth, WriteMode mode, boolean requiresVersion)
|
|
{
|
|
AclUpdateEntity acl = aclCrudDAO.getAclForUpdate(id);
|
|
if (!acl.isLatest())
|
|
{
|
|
aclCache.remove(id);
|
|
readersCache.remove(id);
|
|
readersDeniedCache.remove(id);
|
|
return new AclChangeImpl(id, id, acl.getAclType(), acl.getAclType());
|
|
}
|
|
|
|
List<Long> toAdd = new ArrayList<Long>(0);
|
|
if (acesToAdd != null)
|
|
{
|
|
for (Ace ace : acesToAdd)
|
|
{
|
|
toAdd.add(ace.getId());
|
|
}
|
|
}
|
|
|
|
if (!acl.isVersioned())
|
|
{
|
|
switch (mode)
|
|
{
|
|
case COPY_UPDATE_AND_INHERIT:
|
|
removeAcesFromAcl(id, exclude, depth);
|
|
aclCrudDAO.addAclMembersToAcl(acl.getId(), toAdd, depth);
|
|
break;
|
|
case CHANGE_INHERITED:
|
|
replaceInherited(id, acl, inherited, positions, depth);
|
|
break;
|
|
case ADD_INHERITED:
|
|
addInherited(acl, inherited, positions, depth);
|
|
break;
|
|
case TRUNCATE_INHERITED:
|
|
truncateInherited(id, depth);
|
|
break;
|
|
case INSERT_INHERITED:
|
|
insertInherited(id, acl, inherited, positions, depth);
|
|
break;
|
|
case REMOVE_INHERITED:
|
|
removeInherited(id, depth);
|
|
break;
|
|
case CREATE_AND_INHERIT:
|
|
aclCrudDAO.addAclMembersToAcl(acl.getId(), toAdd, depth);
|
|
addInherited(acl, inherited, positions, depth);
|
|
case COPY_ONLY:
|
|
default:
|
|
break;
|
|
}
|
|
if (inheritsFrom != null)
|
|
{
|
|
acl.setInheritsFrom(inheritsFrom);
|
|
}
|
|
acl.setAclChangeSetId(getCurrentChangeSetId());
|
|
aclCrudDAO.updateAcl(acl);
|
|
aclCache.remove(id);
|
|
readersCache.remove(id);
|
|
readersDeniedCache.remove(id);
|
|
return new AclChangeImpl(id, id, acl.getAclType(), acl.getAclType());
|
|
}
|
|
else if ((acl.getAclChangeSetId() == getCurrentChangeSetId()) && (!requiresVersion) && (!acl.getRequiresVersion()))
|
|
{
|
|
switch (mode)
|
|
{
|
|
case COPY_UPDATE_AND_INHERIT:
|
|
removeAcesFromAcl(id, exclude, depth);
|
|
aclCrudDAO.addAclMembersToAcl(acl.getId(), toAdd, depth);
|
|
break;
|
|
case CHANGE_INHERITED:
|
|
replaceInherited(id, acl, inherited, positions, depth);
|
|
break;
|
|
case ADD_INHERITED:
|
|
addInherited(acl, inherited, positions, depth);
|
|
break;
|
|
case TRUNCATE_INHERITED:
|
|
truncateInherited(id, depth);
|
|
break;
|
|
case INSERT_INHERITED:
|
|
insertInherited(id, acl, inherited, positions, depth);
|
|
break;
|
|
case REMOVE_INHERITED:
|
|
removeInherited(id, depth);
|
|
break;
|
|
case CREATE_AND_INHERIT:
|
|
aclCrudDAO.addAclMembersToAcl(acl.getId(), toAdd, depth);
|
|
addInherited(acl, inherited, positions, depth);
|
|
case COPY_ONLY:
|
|
default:
|
|
break;
|
|
}
|
|
if (inheritsFrom != null)
|
|
{
|
|
acl.setInheritsFrom(inheritsFrom);
|
|
}
|
|
aclCrudDAO.updateAcl(acl);
|
|
aclCache.remove(id);
|
|
readersCache.remove(id);
|
|
readersDeniedCache.remove(id);
|
|
return new AclChangeImpl(id, id, acl.getAclType(), acl.getAclType());
|
|
}
|
|
else
|
|
{
|
|
AclEntity newAcl = new AclEntity();
|
|
newAcl.setAclChangeSetId(getCurrentChangeSetId());
|
|
newAcl.setAclId(acl.getAclId());
|
|
newAcl.setAclType(acl.getAclType());
|
|
newAcl.setAclVersion(acl.getAclVersion() + 1);
|
|
newAcl.setInheritedAcl(-1l);
|
|
newAcl.setInherits(acl.getInherits());
|
|
newAcl.setInheritsFrom((inheritsFrom != null) ? inheritsFrom : acl.getInheritsFrom());
|
|
newAcl.setLatest(Boolean.TRUE);
|
|
newAcl.setVersioned(Boolean.TRUE);
|
|
newAcl.setRequiresVersion(Boolean.FALSE);
|
|
|
|
AclEntity createdAcl = (AclEntity)aclCrudDAO.createAcl(newAcl);
|
|
long created = createdAcl.getId();
|
|
|
|
// Create new membership entries - excluding those in the given pattern
|
|
|
|
// AcePatternMatcher excluder = new AcePatternMatcher(exclude);
|
|
|
|
// get aces for acl (via acl member)
|
|
List<AclMember> members = aclCrudDAO.getAclMembersByAcl(id);
|
|
|
|
if (members.size() > 0)
|
|
{
|
|
List<Pair<Long,Integer>> aceIdsWithDepths = new ArrayList<Pair<Long,Integer>>(members.size());
|
|
|
|
for (AclMember member : members)
|
|
{
|
|
aceIdsWithDepths.add(new Pair<Long, Integer>(member.getAceId(), member.getPos()));
|
|
}
|
|
|
|
// copy acl members to new acl
|
|
aclCrudDAO.addAclMembersToAcl(newAcl.getId(), aceIdsWithDepths);
|
|
}
|
|
|
|
// add new
|
|
|
|
switch (mode)
|
|
{
|
|
case COPY_UPDATE_AND_INHERIT:
|
|
// Done above
|
|
removeAcesFromAcl(newAcl.getId(), exclude, depth);
|
|
aclCrudDAO.addAclMembersToAcl(newAcl.getId(), toAdd, depth);
|
|
break;
|
|
case CHANGE_INHERITED:
|
|
replaceInherited(newAcl.getId(), newAcl, inherited, positions, depth);
|
|
break;
|
|
case ADD_INHERITED:
|
|
addInherited(newAcl, inherited, positions, depth);
|
|
break;
|
|
case TRUNCATE_INHERITED:
|
|
truncateInherited(newAcl.getId(), depth);
|
|
break;
|
|
case INSERT_INHERITED:
|
|
insertInherited(newAcl.getId(), newAcl, inherited, positions, depth);
|
|
break;
|
|
case REMOVE_INHERITED:
|
|
removeInherited(newAcl.getId(), depth);
|
|
break;
|
|
case CREATE_AND_INHERIT:
|
|
aclCrudDAO.addAclMembersToAcl(acl.getId(), toAdd, depth);
|
|
addInherited(acl, inherited, positions, depth);
|
|
case COPY_ONLY:
|
|
default:
|
|
break;
|
|
}
|
|
|
|
// Fix up inherited ACL if required
|
|
if (newAcl.getAclType() == ACLType.SHARED)
|
|
{
|
|
if (parent != null)
|
|
{
|
|
Long writableParentAcl = getWritable(parent, null, null, null, null, null, null, 0, WriteMode.COPY_ONLY, false).getAfter();
|
|
AclUpdateEntity parentAcl = aclCrudDAO.getAclForUpdate(writableParentAcl);
|
|
parentAcl.setInheritedAcl(created);
|
|
aclCrudDAO.updateAcl(parentAcl);
|
|
}
|
|
}
|
|
|
|
// fix up old version
|
|
acl.setLatest(Boolean.FALSE);
|
|
acl.setRequiresVersion(Boolean.FALSE);
|
|
aclCrudDAO.updateAcl(acl);
|
|
aclCache.remove(id);
|
|
readersCache.remove(id);
|
|
readersDeniedCache.remove(id);
|
|
return new AclChangeImpl(id, created, acl.getAclType(), newAcl.getAclType());
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Helper to remove ACEs from an ACL
|
|
*/
|
|
private void removeAcesFromAcl(final Long id, final List<? extends AccessControlEntry> exclude, final int depth)
|
|
{
|
|
if (exclude == null)
|
|
{
|
|
// cascade delete all acl members - no exclusion
|
|
aclCrudDAO.deleteAclMembersByAcl(id);
|
|
}
|
|
else
|
|
{
|
|
AcePatternMatcher excluder = new AcePatternMatcher(exclude);
|
|
|
|
List<Map<String, Object>> results = aclCrudDAO.getAcesAndAuthoritiesByAcl(id);
|
|
List<Long> memberIds = new ArrayList<Long>(results.size());
|
|
|
|
for (Map<String, Object> result : results)
|
|
{
|
|
Long result_aclmemId = (Long) result.get("aclmemId");
|
|
|
|
if ((exclude != null) && excluder.matches(aclCrudDAO, result, depth))
|
|
{
|
|
memberIds.add(result_aclmemId);
|
|
}
|
|
}
|
|
|
|
// delete list of acl members
|
|
aclCrudDAO.deleteAclMembers(memberIds);
|
|
}
|
|
}
|
|
|
|
private void replaceInherited(Long id, Acl acl, List<Ace> inherited, List<Integer> positions, int depth)
|
|
{
|
|
truncateInherited(id, depth);
|
|
addInherited(acl, inherited, positions, depth);
|
|
}
|
|
|
|
private void truncateInherited(final Long id, int depth)
|
|
{
|
|
List<AclMember> members = aclCrudDAO.getAclMembersByAcl(id);
|
|
|
|
List<Long> membersToDelete = new ArrayList<Long>(members.size());
|
|
for (AclMember member : members)
|
|
{
|
|
if (member.getPos() > depth)
|
|
{
|
|
membersToDelete.add(member.getId());
|
|
}
|
|
}
|
|
|
|
if (membersToDelete.size() > 0)
|
|
{
|
|
// delete list of acl members
|
|
aclCrudDAO.deleteAclMembers(membersToDelete);
|
|
}
|
|
}
|
|
|
|
private void removeInherited(final Long id, int depth)
|
|
{
|
|
List<AclMemberEntity> members = aclCrudDAO.getAclMembersByAclForUpdate(id);
|
|
|
|
List<Long> membersToDelete = new ArrayList<Long>(members.size());
|
|
for (AclMemberEntity member : members)
|
|
{
|
|
if (member.getPos() == depth + 1)
|
|
{
|
|
membersToDelete.add(member.getId());
|
|
}
|
|
else if (member.getPos() > (depth + 1))
|
|
{
|
|
member.setPos(member.getPos() - 1);
|
|
aclCrudDAO.updateAclMember(member);
|
|
}
|
|
}
|
|
|
|
if (membersToDelete.size() > 0)
|
|
{
|
|
// delete list of acl members
|
|
aclCrudDAO.deleteAclMembers(membersToDelete);
|
|
}
|
|
}
|
|
|
|
private void addInherited(Acl acl, List<Ace> inherited, List<Integer> positions, int depth)
|
|
{
|
|
if ((inherited != null) && (inherited.size() > 0))
|
|
{
|
|
List<Pair<Long,Integer>> aceIdsWithDepths = new ArrayList<Pair<Long,Integer>>(inherited.size());
|
|
for (int i = 0; i < inherited.size(); i++)
|
|
{
|
|
Ace add = inherited.get(i);
|
|
Integer position = positions.get(i);
|
|
aceIdsWithDepths.add(new Pair<Long, Integer>(add.getId(), position.intValue() + depth + 1));
|
|
}
|
|
aclCrudDAO.addAclMembersToAcl(acl.getId(), aceIdsWithDepths);
|
|
}
|
|
}
|
|
|
|
private void insertInherited(final Long id, AclEntity acl, List<Ace> inherited, List<Integer> positions, int depth)
|
|
{
|
|
// get aces for acl (via acl member)
|
|
List<AclMemberEntity> members = aclCrudDAO.getAclMembersByAclForUpdate(id);
|
|
|
|
for (AclMemberEntity member : members)
|
|
{
|
|
if (member.getPos() > depth)
|
|
{
|
|
member.setPos(member.getPos() + 1);
|
|
aclCrudDAO.updateAclMember(member);
|
|
}
|
|
}
|
|
|
|
addInherited(acl, inherited, positions, depth);
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
@Override
|
|
public List<AclChange> deleteAccessControlEntries(final String authority)
|
|
{
|
|
List<AclChange> acls = new ArrayList<AclChange>();
|
|
|
|
// get authority
|
|
Authority authEntity = aclCrudDAO.getAuthority(authority);
|
|
if (authEntity == null)
|
|
{
|
|
return acls;
|
|
}
|
|
|
|
List<Long> aces = new ArrayList<Long>();
|
|
|
|
List<AclMember> members = aclCrudDAO.getAclMembersByAuthority(authority);
|
|
|
|
boolean leaveAuthority = false;
|
|
if (members.size() > 0)
|
|
{
|
|
List<Long> membersToDelete = new ArrayList<Long>(members.size());
|
|
|
|
// fix up members and extract acls and aces
|
|
for (AclMember member : members)
|
|
{
|
|
// Delete acl entry
|
|
Long aclMemberId = member.getId();
|
|
Long aclId = member.getAclId();
|
|
Long aceId = member.getAceId();
|
|
|
|
boolean hasAnotherTenantNodes = false;
|
|
if (AuthenticationUtil.isMtEnabled())
|
|
{
|
|
// ALF-3563
|
|
|
|
// Retrieve dependent nodes
|
|
List<Long> nodeIds = aclCrudDAO.getADMNodesByAcl(aclId, -1);
|
|
nodeIds.addAll(aclCrudDAO.getAVMNodesByAcl(aclId, -1));
|
|
|
|
if (nodeIds.size() > 0)
|
|
{
|
|
for (Long nodeId : nodeIds)
|
|
{
|
|
Pair<Long, NodeRef> nodePair = nodeDAO.getNodePair(nodeId);
|
|
if (nodePair == null)
|
|
{
|
|
logger.warn("Node does not exist: " + nodeId);
|
|
continue;
|
|
}
|
|
NodeRef nodeRef = nodePair.getSecond();
|
|
|
|
try
|
|
{
|
|
// Throws AlfrescoRuntimeException in case of domain mismatch
|
|
tenantService.checkDomain(nodeRef.getStoreRef().getIdentifier());
|
|
}
|
|
catch (AlfrescoRuntimeException e)
|
|
{
|
|
hasAnotherTenantNodes = true;
|
|
leaveAuthority = true;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
if (!hasAnotherTenantNodes)
|
|
{
|
|
aclCache.remove(aclId);
|
|
readersCache.remove(aclId);
|
|
readersDeniedCache.remove(aclId);
|
|
|
|
Acl list = aclCrudDAO.getAcl(aclId);
|
|
acls.add(new AclChangeImpl(aclId, aclId, list.getAclType(), list.getAclType()));
|
|
membersToDelete.add(aclMemberId);
|
|
aces.add((Long)aceId);
|
|
}
|
|
}
|
|
|
|
// delete list of acl members
|
|
aclCrudDAO.deleteAclMembers(membersToDelete);
|
|
}
|
|
|
|
if (!leaveAuthority)
|
|
{
|
|
// remove ACEs
|
|
aclCrudDAO.deleteAces(aces);
|
|
|
|
// Tidy up any unreferenced ACEs
|
|
|
|
// get aces by authority
|
|
List<Ace> unreferenced = aclCrudDAO.getAcesByAuthority(authEntity.getId());
|
|
|
|
if (unreferenced.size() > 0)
|
|
{
|
|
List<Long> unrefencedAcesToDelete = new ArrayList<Long>(unreferenced.size());
|
|
for (Ace ace : unreferenced)
|
|
{
|
|
unrefencedAcesToDelete.add(ace.getId());
|
|
}
|
|
aclCrudDAO.deleteAces(unrefencedAcesToDelete);
|
|
}
|
|
|
|
// remove authority
|
|
if (authEntity != null)
|
|
{
|
|
aclCrudDAO.deleteAuthority(authEntity.getId());
|
|
}
|
|
}
|
|
|
|
return acls;
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
@Override
|
|
public void deleteAclForNode(long aclId, boolean isAVMNode)
|
|
{
|
|
Acl dbAcl = getAcl(aclId);
|
|
if (dbAcl.getAclType() == ACLType.DEFINING)
|
|
{
|
|
// delete acl members & acl
|
|
aclCrudDAO.deleteAclMembersByAcl(aclId);
|
|
aclCrudDAO.deleteAcl(aclId);
|
|
|
|
aclCache.remove(aclId);
|
|
readersCache.remove(aclId);
|
|
readersDeniedCache.remove(aclId);
|
|
}
|
|
if (dbAcl.getAclType() == ACLType.SHARED)
|
|
{
|
|
// check unused
|
|
Long defining = dbAcl.getInheritsFrom();
|
|
if (aclCrudDAO.getAcl(defining) == null)
|
|
{
|
|
if (! isAVMNode)
|
|
{
|
|
// ADM
|
|
if (getADMNodesByAcl(aclId, 1).size() == 0)
|
|
{
|
|
// delete acl members & acl
|
|
aclCrudDAO.deleteAclMembersByAcl(aclId);
|
|
aclCrudDAO.deleteAcl(aclId);
|
|
|
|
aclCache.remove(aclId);
|
|
readersCache.remove(aclId);
|
|
readersDeniedCache.remove(aclId);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
// TODO: AVM
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
@Override
|
|
public List<AclChange> deleteAccessControlList(final Long id)
|
|
{
|
|
if (logger.isDebugEnabled())
|
|
{
|
|
// debug only
|
|
int maxForDebug = 11;
|
|
List<Long> nodeIds = getADMNodesByAcl(id, maxForDebug);
|
|
|
|
for (Long nodeId : nodeIds)
|
|
{
|
|
logger.debug("deleteAccessControlList: Found nodeId=" + nodeId + ", aclId=" + id);
|
|
}
|
|
}
|
|
|
|
List<AclChange> acls = new ArrayList<AclChange>();
|
|
|
|
final AclUpdateEntity acl = aclCrudDAO.getAclForUpdate(id);
|
|
if (!acl.isLatest())
|
|
{
|
|
throw new UnsupportedOperationException("Old ACL versions can not be updated");
|
|
}
|
|
if (acl.getAclType() == ACLType.SHARED)
|
|
{
|
|
throw new UnsupportedOperationException("Delete is not supported for shared acls - they are deleted with the defining acl");
|
|
}
|
|
|
|
if ((acl.getAclType() == ACLType.DEFINING) || (acl.getAclType() == ACLType.LAYERED))
|
|
{
|
|
if ((acl.getInheritedAcl() != null) && (acl.getInheritedAcl() != -1))
|
|
{
|
|
final Acl inherited = aclCrudDAO.getAcl(acl.getInheritedAcl());
|
|
|
|
// Will remove from the cache
|
|
getWritable(inherited.getId(), acl.getInheritsFrom(), null, null, null, true, acls, WriteMode.REMOVE_INHERITED);
|
|
Acl unusedInherited = null;
|
|
for (AclChange change : acls)
|
|
{
|
|
if (change.getBefore()!= null && change.getBefore().equals(inherited.getId()))
|
|
{
|
|
unusedInherited = aclCrudDAO.getAcl(change.getAfter());
|
|
}
|
|
}
|
|
|
|
final Long newId = unusedInherited.getId();
|
|
List<Long> inheritors = aclCrudDAO.getAclsThatInheritFromAcl(newId);
|
|
for (Long nextId : inheritors)
|
|
{
|
|
// Will remove from the cache
|
|
getWritable(nextId, acl.getInheritsFrom(), null, null, acl.getInheritsFrom(), true, acls, WriteMode.REMOVE_INHERITED);
|
|
}
|
|
|
|
// delete acl members
|
|
aclCrudDAO.deleteAclMembersByAcl(newId);
|
|
|
|
// delete 'unusedInherited' acl
|
|
aclCrudDAO.deleteAcl(unusedInherited.getId());
|
|
|
|
if (inherited.isVersioned())
|
|
{
|
|
AclUpdateEntity inheritedForUpdate = aclCrudDAO.getAclForUpdate(inherited.getId());
|
|
if (inheritedForUpdate != null)
|
|
{
|
|
inheritedForUpdate.setLatest(Boolean.FALSE);
|
|
aclCrudDAO.updateAcl(inheritedForUpdate);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
// delete 'inherited' acl
|
|
aclCrudDAO.deleteAcl(inherited.getId());
|
|
}
|
|
}
|
|
}
|
|
else
|
|
{
|
|
List<Long> inheritors = aclCrudDAO.getAclsThatInheritFromAcl(id);
|
|
for (Long nextId : inheritors)
|
|
{
|
|
// Will remove from the cache
|
|
getWritable(nextId, acl.getInheritsFrom(), null, null, null, true, acls, WriteMode.REMOVE_INHERITED);
|
|
}
|
|
}
|
|
|
|
// delete
|
|
if (acl.isVersioned())
|
|
{
|
|
acl.setLatest(Boolean.FALSE);
|
|
acl.setAclChangeSetId(getCurrentChangeSetId());
|
|
aclCrudDAO.updateAcl(acl);
|
|
}
|
|
else
|
|
{
|
|
// delete acl members & acl
|
|
aclCrudDAO.deleteAclMembersByAcl(id);
|
|
aclCrudDAO.deleteAcl(acl.getId());
|
|
}
|
|
|
|
// remove the deleted acl from the cache
|
|
aclCache.remove(id);
|
|
readersCache.remove(id);
|
|
readersDeniedCache.remove(id);
|
|
acls.add(new AclChangeImpl(id, null, acl.getAclType(), null));
|
|
return acls;
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
@Override
|
|
public List<AclChange> deleteLocalAccessControlEntries(Long id)
|
|
{
|
|
List<AclChange> changes = new ArrayList<AclChange>();
|
|
SimpleAccessControlEntry pattern = new SimpleAccessControlEntry();
|
|
pattern.setPosition(Integer.valueOf(0));
|
|
// Will remove from the cache
|
|
getWritable(id, null, Collections.singletonList(pattern), null, null, true, changes, WriteMode.COPY_UPDATE_AND_INHERIT);
|
|
return changes;
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
@Override
|
|
public List<AclChange> deleteInheritedAccessControlEntries(Long id)
|
|
{
|
|
List<AclChange> changes = new ArrayList<AclChange>();
|
|
SimpleAccessControlEntry pattern = new SimpleAccessControlEntry();
|
|
pattern.setPosition(Integer.valueOf(-1));
|
|
// Will remove from the cache
|
|
getWritable(id, null, Collections.singletonList(pattern), null, null, true, changes, WriteMode.COPY_UPDATE_AND_INHERIT);
|
|
return changes;
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
@Override
|
|
public List<AclChange> deleteAccessControlEntries(Long id, AccessControlEntry pattern)
|
|
{
|
|
List<AclChange> changes = new ArrayList<AclChange>();
|
|
// Will remove from the cache
|
|
getWritable(id, null, Collections.singletonList(pattern), null, null, true, changes, WriteMode.COPY_UPDATE_AND_INHERIT);
|
|
return changes;
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
@Override
|
|
public Acl getAcl(Long id)
|
|
{
|
|
return aclCrudDAO.getAcl(id);
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
@Override
|
|
public AccessControlListProperties getAccessControlListProperties(Long id)
|
|
{
|
|
ParameterCheck.mandatory("id", id); // Prevent unboxing failures
|
|
return aclCrudDAO.getAcl(id);
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
@Override
|
|
public AccessControlList getAccessControlList(Long id)
|
|
{
|
|
AccessControlList acl = aclCache.get(id);
|
|
if (acl == null)
|
|
{
|
|
acl = getAccessControlListImpl(id);
|
|
aclCache.put(id, acl);
|
|
}
|
|
else
|
|
{
|
|
// System.out.println("Used cache for "+id);
|
|
}
|
|
return acl;
|
|
}
|
|
|
|
/**
|
|
* @return the access control list
|
|
*/
|
|
private AccessControlList getAccessControlListImpl(final Long id)
|
|
{
|
|
SimpleAccessControlList acl = new SimpleAccessControlList();
|
|
AccessControlListProperties properties = getAccessControlListProperties(id);
|
|
if (properties == null)
|
|
{
|
|
return null;
|
|
}
|
|
|
|
acl.setProperties(properties);
|
|
|
|
List<Map<String, Object>> results = aclCrudDAO.getAcesAndAuthoritiesByAcl(id);
|
|
|
|
List<AccessControlEntry> entries = new ArrayList<AccessControlEntry>(results.size());
|
|
for (Map<String, Object> result : results)
|
|
// for (AclMemberEntity member : members)
|
|
{
|
|
Boolean aceIsAllowed = (Boolean) result.get("allowed");
|
|
Integer aceType = (Integer) result.get("applies");
|
|
String authority = (String) result.get("authority");
|
|
Long permissionId = (Long) result.get("permissionId");
|
|
Integer position = (Integer) result.get("pos");
|
|
//Long result_aclmemId = (Long) result.get("aclmemId"); // not used here
|
|
|
|
SimpleAccessControlEntry sacEntry = new SimpleAccessControlEntry();
|
|
sacEntry.setAccessStatus(aceIsAllowed ? AccessStatus.ALLOWED : AccessStatus.DENIED);
|
|
sacEntry.setAceType(ACEType.getACETypeFromId(aceType));
|
|
sacEntry.setAuthority(authority);
|
|
// if (entry.getContext() != null)
|
|
// {
|
|
// SimpleAccessControlEntryContext context = new SimpleAccessControlEntryContext();
|
|
// context.setClassContext(entry.getContext().getClassContext());
|
|
// context.setKVPContext(entry.getContext().getKvpContext());
|
|
// context.setPropertyContext(entry.getContext().getPropertyContext());
|
|
// sacEntry.setContext(context);
|
|
// }
|
|
Permission perm = aclCrudDAO.getPermission(permissionId);
|
|
QName permTypeQName = qnameDAO.getQName(perm.getTypeQNameId()).getSecond(); // Has an ID so must exist
|
|
SimplePermissionReference permissionRefernce = SimplePermissionReference.getPermissionReference(permTypeQName, perm.getName());
|
|
sacEntry.setPermission(permissionRefernce);
|
|
sacEntry.setPosition(position);
|
|
entries.add(sacEntry);
|
|
}
|
|
|
|
Collections.sort(entries);
|
|
acl.setEntries(entries);
|
|
|
|
return acl;
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
@Override
|
|
public Long getInheritedAccessControlList(Long id)
|
|
{
|
|
aclCache.remove(id);
|
|
AclUpdateEntity acl = aclCrudDAO.getAclForUpdate(id);
|
|
if (acl.getAclType() == ACLType.OLD)
|
|
{
|
|
return null;
|
|
}
|
|
if ((acl.getInheritedAcl() != null) && (acl.getInheritedAcl() != -1))
|
|
{
|
|
return acl.getInheritedAcl();
|
|
}
|
|
|
|
Long inheritedAclId = null;
|
|
|
|
if ((acl.getAclType() == ACLType.DEFINING) || (acl.getAclType() == ACLType.LAYERED))
|
|
{
|
|
List<AclChange> changes = new ArrayList<AclChange>();
|
|
// created shared acl
|
|
SimpleAccessControlListProperties properties = new SimpleAccessControlListProperties();
|
|
properties.setAclType(ACLType.SHARED);
|
|
properties.setInherits(Boolean.TRUE);
|
|
properties.setVersioned(acl.isVersioned());
|
|
Long sharedId = createAccessControlList(properties, null, null).getId();
|
|
getWritable(sharedId, id, null, null, id, true, changes, WriteMode.ADD_INHERITED);
|
|
acl.setInheritedAcl(sharedId);
|
|
inheritedAclId = sharedId;
|
|
}
|
|
else
|
|
{
|
|
acl.setInheritedAcl(acl.getId());
|
|
inheritedAclId = acl.getId();
|
|
}
|
|
|
|
// Does not cause the change set to change
|
|
//acl.setAclChangeSetId(getCurrentChangeSetId());
|
|
aclCrudDAO.updateAcl(acl);
|
|
return inheritedAclId;
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
@Override
|
|
public List<AclChange> mergeInheritedAccessControlList(Long inherited, Long target)
|
|
{
|
|
// TODO: For now we do a replace - we could do an insert if both inherit from the same acl
|
|
|
|
List<AclChange> changes = new ArrayList<AclChange>();
|
|
|
|
Acl targetAcl = aclCrudDAO.getAcl(target);
|
|
|
|
Acl inheritedAcl = null;
|
|
if (inherited != null)
|
|
{
|
|
inheritedAcl = aclCrudDAO.getAcl(inherited);
|
|
}
|
|
else
|
|
{
|
|
// Assume we are just resetting it to inherit as before
|
|
if (targetAcl.getInheritsFrom() != null)
|
|
{
|
|
inheritedAcl = aclCrudDAO.getAcl(targetAcl.getInheritsFrom());
|
|
if (inheritedAcl == null)
|
|
{
|
|
// TODO: Try previous versions
|
|
throw new IllegalStateException("No old inheritance definition to use");
|
|
}
|
|
else
|
|
{
|
|
// find the latest version of the acl
|
|
if (!inheritedAcl.isLatest())
|
|
{
|
|
final String searchAclId = inheritedAcl.getAclId();
|
|
|
|
Long actualInheritor = (Long)aclCrudDAO.getLatestAclByGuid(searchAclId);
|
|
|
|
inheritedAcl = aclCrudDAO.getAcl(actualInheritor);
|
|
if (inheritedAcl == null)
|
|
{
|
|
// TODO: Try previous versions
|
|
throw new IllegalStateException("No ACL found");
|
|
}
|
|
}
|
|
}
|
|
}
|
|
else
|
|
{
|
|
// There is no inheritance to set
|
|
return changes;
|
|
}
|
|
}
|
|
|
|
// recursion test
|
|
// if inherited already inherits from the target
|
|
|
|
Acl test = inheritedAcl;
|
|
while (test != null)
|
|
{
|
|
if (test.getId()!= null && test.getId().equals(target))
|
|
{
|
|
throw new IllegalStateException("Cyclical ACL detected");
|
|
}
|
|
Long parent = test.getInheritsFrom();
|
|
if ((parent == null) || (parent == -1l))
|
|
{
|
|
test = null;
|
|
}
|
|
else
|
|
{
|
|
test = aclCrudDAO.getAcl(test.getInheritsFrom());
|
|
}
|
|
}
|
|
|
|
if ((targetAcl.getAclType() != ACLType.DEFINING) && (targetAcl.getAclType() != ACLType.LAYERED))
|
|
{
|
|
throw new IllegalArgumentException("Only defining ACLs can have their inheritance set");
|
|
}
|
|
|
|
if (!targetAcl.getInherits())
|
|
{
|
|
return changes;
|
|
}
|
|
|
|
Long actualInheritedId = inheritedAcl.getId();
|
|
|
|
if ((inheritedAcl.getAclType() == ACLType.DEFINING) || (inheritedAcl.getAclType() == ACLType.LAYERED))
|
|
{
|
|
actualInheritedId = getInheritedAccessControlList(actualInheritedId);
|
|
}
|
|
// Will remove from the cache
|
|
getWritable(target, actualInheritedId, null, null, actualInheritedId, true, changes, WriteMode.CHANGE_INHERITED);
|
|
|
|
return changes;
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
@Override
|
|
public List<AclChange> setAccessControlEntry(final Long id, final AccessControlEntry ace)
|
|
{
|
|
Acl target = aclCrudDAO.getAcl(id);
|
|
if (target.getAclType() == ACLType.SHARED)
|
|
{
|
|
throw new IllegalArgumentException("Shared ACLs are immutable");
|
|
}
|
|
|
|
List<AclChange> changes = new ArrayList<AclChange>();
|
|
|
|
if ((ace.getPosition() != null) && (ace.getPosition() != 0))
|
|
{
|
|
throw new IllegalArgumentException("Invalid position");
|
|
}
|
|
|
|
// Find authority
|
|
Authority authority = aclCrudDAO.getOrCreateAuthority(ace.getAuthority());
|
|
Permission permission = aclCrudDAO.getOrCreatePermission(ace.getPermission());
|
|
|
|
// Find context
|
|
if (ace.getContext() != null)
|
|
{
|
|
throw new UnsupportedOperationException();
|
|
}
|
|
|
|
// Find ACE
|
|
Ace entry = aclCrudDAO.getOrCreateAce(permission, authority, ace.getAceType(), ace.getAccessStatus());
|
|
|
|
// Wire up
|
|
// COW and remove any existing matches
|
|
|
|
SimpleAccessControlEntry exclude = new SimpleAccessControlEntry();
|
|
// match any access status
|
|
exclude.setAceType(ace.getAceType());
|
|
exclude.setAuthority(ace.getAuthority());
|
|
exclude.setPermission(ace.getPermission());
|
|
exclude.setPosition(0);
|
|
List<Ace> toAdd = new ArrayList<Ace>(1);
|
|
toAdd.add(entry);
|
|
// Will remove from the cache
|
|
getWritable(id, null, Collections.singletonList(exclude), toAdd, null, true, changes, WriteMode.COPY_UPDATE_AND_INHERIT);
|
|
|
|
return changes;
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
@Override
|
|
public List<AclChange> enableInheritance(Long id, Long parent)
|
|
{
|
|
List<AclChange> changes = new ArrayList<AclChange>();
|
|
|
|
AclUpdateEntity acl = aclCrudDAO.getAclForUpdate(id);
|
|
|
|
switch (acl.getAclType())
|
|
{
|
|
case FIXED:
|
|
case GLOBAL:
|
|
throw new IllegalArgumentException("Fixed and global permissions can not inherit");
|
|
case OLD:
|
|
acl.setInherits(Boolean.TRUE);
|
|
acl.setAclChangeSetId(getCurrentChangeSetId());
|
|
aclCrudDAO.updateAcl(acl);
|
|
aclCache.remove(id);
|
|
readersCache.remove(id);
|
|
readersDeniedCache.remove(id);
|
|
changes.add(new AclChangeImpl(id, id, acl.getAclType(), acl.getAclType()));
|
|
return changes;
|
|
case SHARED:
|
|
// TODO support a list of children and casacade if given
|
|
throw new IllegalArgumentException(
|
|
"Shared acls should be replace by creating a definig ACL, wiring it up for inhertitance, and then applying inheritance to any children. It can not be done by magic ");
|
|
case DEFINING:
|
|
case LAYERED:
|
|
default:
|
|
if (!acl.getInherits())
|
|
{
|
|
// Will remove from the cache
|
|
getWritable(id, null, null, null, null, false, changes, WriteMode.COPY_ONLY);
|
|
acl = aclCrudDAO.getAclForUpdate(changes.get(0).getAfter());
|
|
acl.setInherits(Boolean.TRUE);
|
|
acl.setAclChangeSetId(getCurrentChangeSetId());
|
|
aclCrudDAO.updateAcl(acl);
|
|
}
|
|
else
|
|
{
|
|
// Will remove from the cache
|
|
getWritable(id, null, null, null, null, false, changes, WriteMode.COPY_ONLY);
|
|
}
|
|
|
|
List<AclChange> merged = mergeInheritedAccessControlList(parent, changes.get(0).getAfter());
|
|
changes.addAll(merged);
|
|
return changes;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
@Override
|
|
public List<AclChange> disableInheritance(Long id, boolean setInheritedOnAcl)
|
|
{
|
|
aclCache.remove(id);
|
|
AclUpdateEntity acl = aclCrudDAO.getAclForUpdate(id);
|
|
List<AclChange> changes = new ArrayList<AclChange>(1);
|
|
switch (acl.getAclType())
|
|
{
|
|
case FIXED:
|
|
case GLOBAL:
|
|
return Collections.<AclChange> singletonList(new AclChangeImpl(id, id, acl.getAclType(), acl.getAclType()));
|
|
case OLD:
|
|
acl.setInherits(Boolean.FALSE);
|
|
acl.setAclChangeSetId(getCurrentChangeSetId());
|
|
aclCrudDAO.updateAcl(acl);
|
|
aclCache.remove(id);
|
|
readersCache.remove(id);
|
|
readersDeniedCache.remove(id);
|
|
changes.add(new AclChangeImpl(id, id, acl.getAclType(), acl.getAclType()));
|
|
return changes;
|
|
case SHARED:
|
|
// TODO support a list of children and casacade if given
|
|
throw new IllegalArgumentException("Shared ACL must inherit");
|
|
case DEFINING:
|
|
case LAYERED:
|
|
default:
|
|
return disableInheritanceImpl(id, setInheritedOnAcl, acl);
|
|
}
|
|
}
|
|
|
|
private Long getCopy(Long toCopy, Long toInheritFrom, ACLCopyMode mode)
|
|
{
|
|
AclUpdateEntity aclToCopy;
|
|
Long inheritedId;
|
|
Acl aclToInheritFrom;
|
|
switch (mode)
|
|
{
|
|
case INHERIT:
|
|
if (toCopy.equals(toInheritFrom))
|
|
{
|
|
return getInheritedAccessControlList(toCopy);
|
|
}
|
|
else
|
|
{
|
|
throw new UnsupportedOperationException();
|
|
}
|
|
case COW:
|
|
aclToCopy = aclCrudDAO.getAclForUpdate(toCopy);
|
|
aclToCopy.setRequiresVersion(true);
|
|
aclToCopy.setAclChangeSetId(getCurrentChangeSetId());
|
|
aclCrudDAO.updateAcl(aclToCopy);
|
|
aclCache.remove(toCopy);
|
|
readersCache.remove(toCopy);
|
|
readersDeniedCache.remove(toCopy);
|
|
inheritedId = getInheritedAccessControlList(toCopy);
|
|
if ((inheritedId != null) && (!inheritedId.equals(toCopy)))
|
|
{
|
|
AclUpdateEntity inheritedAcl = aclCrudDAO.getAclForUpdate(inheritedId);
|
|
inheritedAcl.setRequiresVersion(true);
|
|
inheritedAcl.setAclChangeSetId(getCurrentChangeSetId());
|
|
aclCrudDAO.updateAcl(inheritedAcl);
|
|
aclCache.remove(inheritedId);
|
|
readersCache.remove(inheritedId);
|
|
readersDeniedCache.remove(inheritedId);
|
|
}
|
|
return toCopy;
|
|
case REDIRECT:
|
|
if ((toInheritFrom != null) && (toInheritFrom.equals(toCopy)))
|
|
{
|
|
return getInheritedAccessControlList(toInheritFrom);
|
|
}
|
|
aclToCopy = aclCrudDAO.getAclForUpdate(toCopy);
|
|
aclToInheritFrom = null;
|
|
if (toInheritFrom != null)
|
|
{
|
|
aclToInheritFrom = aclCrudDAO.getAcl(toInheritFrom);
|
|
}
|
|
|
|
switch (aclToCopy.getAclType())
|
|
{
|
|
case DEFINING:
|
|
// This is not called on the redirecting node as only LAYERED change permissions when redirected
|
|
// So this needs to make a copy in the same way layered does
|
|
case LAYERED:
|
|
if (toInheritFrom == null)
|
|
{
|
|
return toCopy;
|
|
}
|
|
// manages cache clearing beneath
|
|
List<AclChange> changes = mergeInheritedAccessControlList(toInheritFrom, toCopy);
|
|
for (AclChange change : changes)
|
|
{
|
|
if (change.getBefore().equals(toCopy))
|
|
{
|
|
return change.getAfter();
|
|
}
|
|
}
|
|
throw new UnsupportedOperationException();
|
|
case SHARED:
|
|
if (aclToInheritFrom != null)
|
|
{
|
|
return getInheritedAccessControlList(toInheritFrom);
|
|
}
|
|
else
|
|
{
|
|
throw new UnsupportedOperationException();
|
|
}
|
|
case FIXED:
|
|
case GLOBAL:
|
|
case OLD:
|
|
return toCopy;
|
|
default:
|
|
throw new UnsupportedOperationException();
|
|
}
|
|
case COPY:
|
|
aclToCopy = aclCrudDAO.getAclForUpdate(toCopy);
|
|
aclToInheritFrom = null;
|
|
if (toInheritFrom != null)
|
|
{
|
|
aclToInheritFrom = aclCrudDAO.getAcl(toInheritFrom);
|
|
}
|
|
|
|
switch (aclToCopy.getAclType())
|
|
{
|
|
case DEFINING:
|
|
SimpleAccessControlListProperties properties = new SimpleAccessControlListProperties();
|
|
properties.setAclType(ACLType.DEFINING);
|
|
properties.setInherits(aclToCopy.getInherits());
|
|
properties.setVersioned(true);
|
|
|
|
Long id = createAccessControlList(properties).getId();
|
|
|
|
AccessControlList indirectAcl = getAccessControlList(toCopy);
|
|
for (AccessControlEntry entry : indirectAcl.getEntries())
|
|
{
|
|
if (entry.getPosition() == 0)
|
|
{
|
|
setAccessControlEntry(id, entry);
|
|
}
|
|
}
|
|
if (aclToInheritFrom != null)
|
|
{
|
|
mergeInheritedAccessControlList(toInheritFrom, id);
|
|
}
|
|
return id;
|
|
case SHARED:
|
|
if (aclToInheritFrom != null)
|
|
{
|
|
return getInheritedAccessControlList(toInheritFrom);
|
|
}
|
|
else
|
|
{
|
|
return null;
|
|
}
|
|
case FIXED:
|
|
case GLOBAL:
|
|
case LAYERED:
|
|
case OLD:
|
|
return toCopy;
|
|
default:
|
|
throw new UnsupportedOperationException();
|
|
}
|
|
default:
|
|
throw new UnsupportedOperationException();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
@Override
|
|
public Acl getAclCopy(Long toCopy, Long toInheritFrom, ACLCopyMode mode)
|
|
{
|
|
return getAclEntityCopy(toCopy, toInheritFrom, mode);
|
|
}
|
|
|
|
private Acl getAclEntityCopy(Long toCopy, Long toInheritFrom, ACLCopyMode mode)
|
|
{
|
|
Long id = getCopy(toCopy, toInheritFrom, mode);
|
|
if (id == null)
|
|
{
|
|
return null;
|
|
}
|
|
return aclCrudDAO.getAcl(id);
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
@Override
|
|
public List<Long> getAVMNodesByAcl(long aclEntityId, int maxResults)
|
|
{
|
|
return aclCrudDAO.getAVMNodesByAcl(aclEntityId, maxResults);
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
@Override
|
|
public List<Long> getADMNodesByAcl(long aclEntityId, int maxResults)
|
|
{
|
|
return aclCrudDAO.getADMNodesByAcl(aclEntityId, maxResults);
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
@Override
|
|
public Acl createLayeredAcl(Long indirectedAcl)
|
|
{
|
|
SimpleAccessControlListProperties properties = new SimpleAccessControlListProperties();
|
|
properties.setAclType(ACLType.LAYERED);
|
|
|
|
Acl acl = createAccessControlList(properties);
|
|
long id = acl.getId();
|
|
|
|
if (indirectedAcl != null)
|
|
{
|
|
mergeInheritedAccessControlList(indirectedAcl, id);
|
|
}
|
|
return acl;
|
|
}
|
|
|
|
private List<AclChange> disableInheritanceImpl(Long id, boolean setInheritedOnAcl, AclEntity aclIn)
|
|
{
|
|
List<AclChange> changes = new ArrayList<AclChange>();
|
|
|
|
if (!aclIn.getInherits())
|
|
{
|
|
return Collections.<AclChange> emptyList();
|
|
}
|
|
|
|
// Manages caching
|
|
getWritable(id, null, null, null, null, false, changes, WriteMode.COPY_ONLY);
|
|
AclUpdateEntity acl = aclCrudDAO.getAclForUpdate(changes.get(0).getAfter());
|
|
final Long inheritsFrom = acl.getInheritsFrom();
|
|
acl.setInherits(Boolean.FALSE);
|
|
acl.setAclChangeSetId(getCurrentChangeSetId());
|
|
aclCrudDAO.updateAcl(acl);
|
|
|
|
// Keep inherits from so we can reinstate if required
|
|
// acl.setInheritsFrom(-1l);
|
|
|
|
// Manages caching
|
|
getWritable(acl.getId(), null, null, null, null, true, changes, WriteMode.TRUNCATE_INHERITED);
|
|
|
|
// set Inherited - TODO: UNTESTED
|
|
|
|
if ((inheritsFrom != null) && (inheritsFrom != -1) && setInheritedOnAcl)
|
|
{
|
|
// get aces for acl (via acl member)
|
|
List<AclMember> members = aclCrudDAO.getAclMembersByAcl(inheritsFrom);
|
|
|
|
for (AclMember member : members)
|
|
{
|
|
// TODO optimise
|
|
Ace ace = aclCrudDAO.getAce(member.getAceId());
|
|
Authority authority = aclCrudDAO.getAuthority(ace.getAuthorityId());
|
|
|
|
SimpleAccessControlEntry entry = new SimpleAccessControlEntry();
|
|
entry.setAccessStatus(ace.isAllowed() ? AccessStatus.ALLOWED : AccessStatus.DENIED);
|
|
entry.setAceType(ace.getAceType());
|
|
entry.setAuthority(authority.getAuthority());
|
|
|
|
/* NOTE: currently unused - intended for possible future enhancement
|
|
if (ace.getContextId() != null)
|
|
{
|
|
AceContext aceContext = aclCrudDAO.getAceContext(ace.getContextId());
|
|
|
|
SimpleAccessControlEntryContext context = new SimpleAccessControlEntryContext();
|
|
context.setClassContext(aceContext.getClassContext());
|
|
context.setKVPContext(aceContext.getKvpContext());
|
|
context.setPropertyContext(aceContext.getPropertyContext());
|
|
entry.setContext(context);
|
|
}
|
|
*/
|
|
|
|
Permission perm = aclCrudDAO.getPermission(ace.getPermissionId());
|
|
QName permTypeQName = qnameDAO.getQName(perm.getTypeQNameId()).getSecond(); // Has an ID so must exist
|
|
SimplePermissionReference permissionRefernce = SimplePermissionReference.getPermissionReference(permTypeQName, perm.getName());
|
|
entry.setPermission(permissionRefernce);
|
|
entry.setPosition(Integer.valueOf(0));
|
|
|
|
setAccessControlEntry(id, entry);
|
|
}
|
|
}
|
|
return changes;
|
|
}
|
|
|
|
private static final String RESOURCE_KEY_ACL_CHANGE_SET_ID = "acl.change.set.id";
|
|
|
|
private UpdateChangeSetListener updateChangeSetListener = new UpdateChangeSetListener();
|
|
/**
|
|
* Wrapper to update the current changeset to get the change time correct
|
|
*
|
|
* @author Derek Hulley
|
|
* @since 4.0
|
|
*/
|
|
private class UpdateChangeSetListener extends TransactionListenerAdapter
|
|
{
|
|
@Override
|
|
public void beforeCommit(boolean readOnly)
|
|
{
|
|
if (readOnly)
|
|
{
|
|
return;
|
|
}
|
|
Long changeSetId = (Long) AlfrescoTransactionSupport.getResource(RESOURCE_KEY_ACL_CHANGE_SET_ID);
|
|
if (changeSetId == null)
|
|
{
|
|
// There has not been a change
|
|
return;
|
|
}
|
|
// Update it
|
|
long commitTimeMs = System.currentTimeMillis();
|
|
aclCrudDAO.updateAclChangeSet(changeSetId, commitTimeMs);
|
|
}
|
|
}
|
|
/**
|
|
* Support to get the current ACL change set and bind this to the transaction. So we only make one new version of an
|
|
* ACL per change set. If something is in the current change set we can update it.
|
|
*/
|
|
private long getCurrentChangeSetId()
|
|
{
|
|
Long changeSetId = (Long) AlfrescoTransactionSupport.getResource(RESOURCE_KEY_ACL_CHANGE_SET_ID);
|
|
if (changeSetId == null)
|
|
{
|
|
changeSetId = aclCrudDAO.createAclChangeSet();
|
|
|
|
// bind the ID and the listener
|
|
AlfrescoTransactionSupport.bindResource(RESOURCE_KEY_ACL_CHANGE_SET_ID, changeSetId);
|
|
AlfrescoTransactionSupport.bindListener(updateChangeSetListener);
|
|
if (logger.isDebugEnabled())
|
|
{
|
|
logger.debug("New change set = " + changeSetId);
|
|
}
|
|
}
|
|
return changeSetId;
|
|
}
|
|
|
|
private static class AcePatternMatcher
|
|
{
|
|
private List<? extends AccessControlEntry> patterns;
|
|
|
|
AcePatternMatcher(List<? extends AccessControlEntry> patterns)
|
|
{
|
|
this.patterns = patterns;
|
|
}
|
|
|
|
boolean matches(AclCrudDAO aclCrudDAO, Map<String, Object> result, int position)
|
|
{
|
|
if (patterns == null)
|
|
{
|
|
return true;
|
|
}
|
|
|
|
for (AccessControlEntry pattern : patterns)
|
|
{
|
|
if (checkPattern(aclCrudDAO, result, position, pattern))
|
|
{
|
|
return true;
|
|
}
|
|
}
|
|
return false;
|
|
}
|
|
|
|
private boolean checkPattern(AclCrudDAO aclCrudDAO, Map<String, Object> result, int position, AccessControlEntry pattern)
|
|
{
|
|
Boolean result_aceIsAllowed = (Boolean) result.get("allowed");
|
|
Integer result_aceType = (Integer) result.get("applies");
|
|
String result_authority = (String) result.get("authority");
|
|
Long result_permissionId = (Long) result.get("permissionId");
|
|
Integer result_position = (Integer) result.get("pos");
|
|
//Long result_aclmemId = (Long) result.get("aclmemId"); // not used
|
|
|
|
if (pattern.getAccessStatus() != null)
|
|
{
|
|
if (pattern.getAccessStatus() != (result_aceIsAllowed ? AccessStatus.ALLOWED : AccessStatus.DENIED))
|
|
{
|
|
return false;
|
|
}
|
|
}
|
|
|
|
if (pattern.getAceType() != null)
|
|
{
|
|
if (pattern.getAceType() != ACEType.getACETypeFromId(result_aceType))
|
|
{
|
|
return false;
|
|
}
|
|
}
|
|
|
|
if (pattern.getAuthority() != null)
|
|
{
|
|
if ((pattern.getAuthorityType() != AuthorityType.WILDCARD) && !pattern.getAuthority().equals(result_authority))
|
|
{
|
|
return false;
|
|
}
|
|
}
|
|
|
|
if (pattern.getContext() != null)
|
|
{
|
|
throw new IllegalArgumentException("Context not yet supported");
|
|
}
|
|
|
|
if (pattern.getPermission() != null)
|
|
{
|
|
Long permId = aclCrudDAO.getPermission(pattern.getPermission()).getId();
|
|
if (!permId.equals(result_permissionId))
|
|
{
|
|
return false;
|
|
}
|
|
}
|
|
|
|
if (pattern.getPosition() != null)
|
|
{
|
|
if (pattern.getPosition().intValue() >= 0)
|
|
{
|
|
if (result_position != position)
|
|
{
|
|
return false;
|
|
}
|
|
}
|
|
else if (pattern.getPosition().intValue() == -1)
|
|
{
|
|
if (result_position <= position)
|
|
{
|
|
return false;
|
|
}
|
|
}
|
|
}
|
|
|
|
return true;
|
|
}
|
|
}
|
|
|
|
static class AclChangeImpl implements AclChange
|
|
{
|
|
private Long before;
|
|
private Long after;
|
|
private ACLType typeBefore;
|
|
private ACLType typeAfter;
|
|
|
|
public AclChangeImpl(Long before, Long after, ACLType typeBefore, ACLType typeAfter)
|
|
{
|
|
this.before = before;
|
|
this.after = after;
|
|
this.typeAfter = typeAfter;
|
|
this.typeBefore = typeBefore;
|
|
}
|
|
|
|
public Long getAfter()
|
|
{
|
|
return after;
|
|
}
|
|
|
|
public Long getBefore()
|
|
{
|
|
return before;
|
|
}
|
|
|
|
/**
|
|
* @param after
|
|
*/
|
|
public void setAfter(Long after)
|
|
{
|
|
this.after = after;
|
|
}
|
|
|
|
/**
|
|
* @param before
|
|
*/
|
|
public void setBefore(Long before)
|
|
{
|
|
this.before = before;
|
|
}
|
|
|
|
public ACLType getTypeAfter()
|
|
{
|
|
return typeAfter;
|
|
}
|
|
|
|
/**
|
|
* @param typeAfter
|
|
*/
|
|
public void setTypeAfter(ACLType typeAfter)
|
|
{
|
|
this.typeAfter = typeAfter;
|
|
}
|
|
|
|
public ACLType getTypeBefore()
|
|
{
|
|
return typeBefore;
|
|
}
|
|
|
|
/**
|
|
* @param typeBefore
|
|
*/
|
|
public void setTypeBefore(ACLType typeBefore)
|
|
{
|
|
this.typeBefore = typeBefore;
|
|
}
|
|
|
|
@Override
|
|
public String toString()
|
|
{
|
|
StringBuilder builder = new StringBuilder();
|
|
builder.append("(").append(getBefore()).append(",").append(getTypeBefore()).append(")");
|
|
builder.append(" - > ");
|
|
builder.append("(").append(getAfter()).append(",").append(getTypeAfter()).append(")");
|
|
return builder.toString();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
@Override
|
|
public void renameAuthority(String before, String after)
|
|
{
|
|
aclCrudDAO.renameAuthority(before, after);
|
|
aclCache.clear();
|
|
}
|
|
|
|
/**
|
|
* {@inheritDoc}
|
|
*/
|
|
@Override
|
|
public void fixSharedAcl(Long shared, Long defining)
|
|
{
|
|
if (defining == null)
|
|
{
|
|
throw new IllegalArgumentException("Null defining acl");
|
|
}
|
|
|
|
if (shared == null)
|
|
{
|
|
throw new IllegalArgumentException("Null shared acl");
|
|
}
|
|
List<AclChange> changes = new ArrayList<AclChange>();
|
|
getWritable(shared, defining, null, null, defining, true, changes, WriteMode.CHANGE_INHERITED);
|
|
}
|
|
|
|
/* (non-Javadoc)
|
|
* @see org.alfresco.repo.domain.permissions.AclDAO#getMaxChangeSetCommitTime()
|
|
*/
|
|
@Override
|
|
public Long getMaxChangeSetCommitTime()
|
|
{
|
|
return aclCrudDAO.getMaxChangeSetCommitTime();
|
|
}
|
|
|
|
/* (non-Javadoc)
|
|
* @see org.alfresco.repo.domain.permissions.AclDAO#getMaxChangeSetIdByCommitTime(long)
|
|
*/
|
|
@Override
|
|
public Long getMaxChangeSetIdByCommitTime(long maxCommitTime)
|
|
{
|
|
return aclCrudDAO.getMaxChangeSetIdByCommitTime(maxCommitTime);
|
|
}
|
|
}
|