use of javax.jcr.AccessDeniedException in project jackrabbit by apache.
the class NodeImpl method rename.
//-------------------------------------------------------< JackrabbitNode >
/**
* {@inheritDoc}
*/
public void rename(String newName) throws RepositoryException {
// check if this is the root node
if (getDepth() == 0) {
throw new RepositoryException("Cannot rename the root node");
}
Name qName;
try {
qName = sessionContext.getQName(newName);
} catch (NameException e) {
throw new RepositoryException("invalid node name: " + newName, e);
}
NodeImpl parent = (NodeImpl) getParent();
// check for name collisions
NodeImpl existing = null;
try {
existing = parent.getNode(qName);
// check same-name sibling setting of existing node
if (!existing.getDefinition().allowsSameNameSiblings()) {
throw new ItemExistsException("Same name siblings are not allowed: " + existing);
}
} catch (AccessDeniedException ade) {
// FIXME by throwing ItemExistsException we're disclosing too much information
throw new ItemExistsException();
} catch (ItemNotFoundException infe) {
// no name collision, fall through
}
// verify that parent node
// - is checked-out
// - is not protected neither by node type constraints nor by retention/hold
int options = ItemValidator.CHECK_CHECKED_OUT | ItemValidator.CHECK_LOCK | ItemValidator.CHECK_CONSTRAINTS | ItemValidator.CHECK_HOLD | ItemValidator.CHECK_RETENTION;
sessionContext.getItemValidator().checkRemove(parent, options, Permission.NONE);
sessionContext.getItemValidator().checkModify(parent, options, Permission.NONE);
// check constraints
// get applicable definition of renamed target node
NodeTypeImpl nt = (NodeTypeImpl) getPrimaryNodeType();
org.apache.jackrabbit.spi.commons.nodetype.NodeDefinitionImpl newTargetDef;
try {
newTargetDef = parent.getApplicableChildNodeDefinition(qName, nt.getQName());
} catch (RepositoryException re) {
String msg = safeGetJCRPath() + ": no definition found in parent node's node type for renamed node";
log.debug(msg);
throw new ConstraintViolationException(msg, re);
}
// necessarily have identical definitions
if (existing != null && !newTargetDef.allowsSameNameSiblings()) {
throw new ItemExistsException("Same name siblings not allowed: " + existing);
}
// check permissions:
// 1. on the parent node the session must have permission to manipulate the child-entries
AccessManager acMgr = sessionContext.getAccessManager();
if (!acMgr.isGranted(parent.getPrimaryPath(), qName, Permission.MODIFY_CHILD_NODE_COLLECTION)) {
String msg = "Not allowed to rename node " + safeGetJCRPath() + " to " + newName;
log.debug(msg);
throw new AccessDeniedException(msg);
}
// the primary node type on this node itself.
if (!nt.getName().equals(newTargetDef.getName()) && !(acMgr.isGranted(getPrimaryPath(), Permission.NODE_TYPE_MNGMT))) {
String msg = "Not allowed to rename node " + safeGetJCRPath() + " to " + newName;
log.debug(msg);
throw new AccessDeniedException(msg);
}
// change definition
onRedefine(newTargetDef.unwrap());
// delegate to parent
parent.renameChildNode(getNodeId(), qName, true);
}
use of javax.jcr.AccessDeniedException in project jackrabbit by apache.
the class ACLProvider method getEffectivePolicies.
/**
* @see org.apache.jackrabbit.core.security.authorization.AccessControlProvider#getEffectivePolicies(org.apache.jackrabbit.spi.Path,org.apache.jackrabbit.core.security.authorization.CompiledPermissions)
*/
public AccessControlPolicy[] getEffectivePolicies(Path absPath, CompiledPermissions permissions) throws ItemNotFoundException, RepositoryException {
if (absPath == null) {
// TODO: JCR-2774
log.warn("TODO: JCR-2774 - Repository level permissions.");
return new AccessControlPolicy[0];
}
String jcrPath = session.getJCRPath(absPath);
String pName = ISO9075.encode(session.getJCRName(ACLTemplate.P_NODE_PATH));
int ancestorCnt = absPath.getAncestorCount();
// search all ACEs whose rep:nodePath property equals the specified
// absPath or any of it's ancestors
StringBuilder stmt = new StringBuilder("/jcr:root");
stmt.append(acRoot.getPath());
stmt.append("//element(*,");
stmt.append(session.getJCRName(NT_REP_ACE));
stmt.append(")[");
for (int i = 0; i <= ancestorCnt; i++) {
String path = Text.getRelativeParent(jcrPath, i);
if (i > 0) {
stmt.append(" or ");
}
stmt.append("@");
stmt.append(pName);
stmt.append("='");
stmt.append(path.replaceAll("'", "''"));
stmt.append("'");
}
stmt.append("]");
QueryResult result;
try {
QueryManager qm = session.getWorkspace().getQueryManager();
Query q = qm.createQuery(stmt.toString(), Query.XPATH);
result = q.execute();
} catch (RepositoryException e) {
log.error("Unexpected error while searching effective policies. {}", e.getMessage());
throw new UnsupportedOperationException("Retrieve effective policies at absPath '" + jcrPath + "' not supported.", e);
}
/**
* Loop over query results and verify that
* - the corresponding ACE really takes effect on the specified absPath.
* - the corresponding ACL can be read by the editing session.
*/
Set<AccessControlPolicy> acls = new LinkedHashSet<AccessControlPolicy>();
for (NodeIterator it = result.getNodes(); it.hasNext(); ) {
Node aceNode = it.nextNode();
String accessControlledNodePath = Text.getRelativeParent(aceNode.getPath(), 2);
Path acPath = session.getQPath(accessControlledNodePath);
AccessControlPolicy[] policies = editor.getPolicies(accessControlledNodePath);
if (policies.length > 0) {
ACLTemplate acl = (ACLTemplate) policies[0];
for (AccessControlEntry ace : acl.getAccessControlEntries()) {
ACLTemplate.Entry entry = (ACLTemplate.Entry) ace;
if (entry.matches(jcrPath)) {
if (permissions.grants(acPath, Permission.READ_AC)) {
acls.add(new UnmodifiableAccessControlList(acl));
break;
} else {
throw new AccessDeniedException("Access denied at " + accessControlledNodePath);
}
}
}
}
}
return acls.toArray(new AccessControlPolicy[acls.size()]);
}
use of javax.jcr.AccessDeniedException in project jackrabbit by apache.
the class RSessionAccessControlTest method testWorkspaceMoveNode.
public void testWorkspaceMoveNode() throws Exception {
Node n = (Node) readOnlySession.getItem(testNodePath);
String destPath = testRootNode.getPath() + "/" + nodeName2;
try {
readOnlySession.getWorkspace().move(n.getPath(), destPath);
fail("A read only session must not be allowed to move a node");
} catch (AccessDeniedException e) {
// expected
log.debug(e.getMessage());
}
}
use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.
the class AccessControlManagerImplTest method testHasRepoPrivilegesNoAccessToPrincipals.
@Test
public void testHasRepoPrivilegesNoAccessToPrincipals() throws Exception {
AbstractAccessControlManager testAcMgr = getTestAccessControlManager();
// the test-session doesn't have sufficient permissions to read privilege set for admin session.
try {
testAcMgr.getPrivileges(null, getPrincipals(adminSession));
fail("testSession doesn't have sufficient permission to read access control information");
} catch (AccessDeniedException e) {
// success
}
}
use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.
the class VersionManagementTest method testRemoveVersion3.
/**
* @since oak (DIFF: jr required jcr:versionManagement privilege on the version store)
*/
@Test
public void testRemoveVersion3() throws Exception {
Node n = createVersionableNode(superuser.getNode(path));
Version v = n.checkin();
n.checkout();
n.checkin();
testSession.refresh(false);
assertFalse(testAcMgr.hasPrivileges(n.getPath(), versionPrivileges));
AccessControlList acl = allow(SYSTEM, versionPrivileges);
try {
Node testNode = testSession.getNode(n.getPath());
testNode.getVersionHistory().removeVersion(v.getName());
fail("Missing jcr:versionManagement privilege -> remove a version must fail.");
} catch (AccessDeniedException e) {
// success
} finally {
// revert privilege modification (manually remove the ACE added)
for (AccessControlEntry entry : acl.getAccessControlEntries()) {
if (entry.getPrincipal().equals(testUser.getPrincipal())) {
acl.removeAccessControlEntry(entry);
}
}
acMgr.setPolicy(SYSTEM, acl);
superuser.save();
}
}
Aggregations