use of javax.jcr.AccessDeniedException in project jackrabbit by apache.
the class NodeImpl method getOrCreateProperty.
/**
* @param name
* @param type
* @param multiValued
* @param exactTypeMatch
* @param status
* @return
* @throws ConstraintViolationException if no applicable property definition
* could be found
* @throws RepositoryException if another error occurs
*/
protected synchronized PropertyImpl getOrCreateProperty(Name name, int type, boolean multiValued, boolean exactTypeMatch, BitSet status) throws ConstraintViolationException, RepositoryException {
status.clear();
if (isNew() && !hasProperty(name)) {
// this is a new node and the property does not exist yet
// -> no need to check item manager
PropertyDefinitionImpl def = getApplicablePropertyDefinition(name, type, multiValued, exactTypeMatch);
PropertyImpl prop = createChildProperty(name, type, def);
status.set(CREATED);
return prop;
}
/*
* Please note, that this implementation does not win a price for beauty
* or speed. It's never a good idea to use exceptions for semantical
* control flow.
* However, compared to the previous version, this one is thread save
* and makes the test/get block atomic in respect to transactional
* commits. the test/set can still fail.
*
* Old Version:
NodeState thisState = (NodeState) state;
if (thisState.hasPropertyName(name)) {
/**
* the following call will throw ItemNotFoundException if the
* current session doesn't have read access
/
return getProperty(name);
}
[...create block...]
*/
PropertyId propId = new PropertyId(getNodeId(), name);
try {
return (PropertyImpl) itemMgr.getItem(propId);
} catch (AccessDeniedException ade) {
throw new ItemNotFoundException(name.toString());
} catch (ItemNotFoundException e) {
// does not exist yet or has been removed transiently:
// find definition for the specified property and (re-)create property
PropertyDefinitionImpl def = getApplicablePropertyDefinition(name, type, multiValued, exactTypeMatch);
PropertyImpl prop;
if (stateMgr.hasTransientItemStateInAttic(propId)) {
// remove from attic
try {
stateMgr.disposeTransientItemStateInAttic(stateMgr.getAttic().getItemState(propId));
} catch (ItemStateException ise) {
// shouldn't happen because we checked if it is in the attic
throw new RepositoryException(ise);
}
prop = (PropertyImpl) itemMgr.getItem(propId);
PropertyState state = (PropertyState) prop.getOrCreateTransientItemState();
state.setMultiValued(multiValued);
state.setType(type);
getNodeState().addPropertyName(name);
} else {
prop = createChildProperty(name, type, def);
}
status.set(CREATED);
return prop;
}
}
use of javax.jcr.AccessDeniedException in project jackrabbit by apache.
the class NodeImpl method rename.
//-------------------------------------------------------< JackrabbitNode >
/**
* {@inheritDoc}
*/
public void rename(String newName) throws RepositoryException {
// check if this is the root node
if (getDepth() == 0) {
throw new RepositoryException("Cannot rename the root node");
}
Name qName;
try {
qName = sessionContext.getQName(newName);
} catch (NameException e) {
throw new RepositoryException("invalid node name: " + newName, e);
}
NodeImpl parent = (NodeImpl) getParent();
// check for name collisions
NodeImpl existing = null;
try {
existing = parent.getNode(qName);
// check same-name sibling setting of existing node
if (!existing.getDefinition().allowsSameNameSiblings()) {
throw new ItemExistsException("Same name siblings are not allowed: " + existing);
}
} catch (AccessDeniedException ade) {
// FIXME by throwing ItemExistsException we're disclosing too much information
throw new ItemExistsException();
} catch (ItemNotFoundException infe) {
// no name collision, fall through
}
// verify that parent node
// - is checked-out
// - is not protected neither by node type constraints nor by retention/hold
int options = ItemValidator.CHECK_CHECKED_OUT | ItemValidator.CHECK_LOCK | ItemValidator.CHECK_CONSTRAINTS | ItemValidator.CHECK_HOLD | ItemValidator.CHECK_RETENTION;
sessionContext.getItemValidator().checkRemove(parent, options, Permission.NONE);
sessionContext.getItemValidator().checkModify(parent, options, Permission.NONE);
// check constraints
// get applicable definition of renamed target node
NodeTypeImpl nt = (NodeTypeImpl) getPrimaryNodeType();
org.apache.jackrabbit.spi.commons.nodetype.NodeDefinitionImpl newTargetDef;
try {
newTargetDef = parent.getApplicableChildNodeDefinition(qName, nt.getQName());
} catch (RepositoryException re) {
String msg = safeGetJCRPath() + ": no definition found in parent node's node type for renamed node";
log.debug(msg);
throw new ConstraintViolationException(msg, re);
}
// necessarily have identical definitions
if (existing != null && !newTargetDef.allowsSameNameSiblings()) {
throw new ItemExistsException("Same name siblings not allowed: " + existing);
}
// check permissions:
// 1. on the parent node the session must have permission to manipulate the child-entries
AccessManager acMgr = sessionContext.getAccessManager();
if (!acMgr.isGranted(parent.getPrimaryPath(), qName, Permission.MODIFY_CHILD_NODE_COLLECTION)) {
String msg = "Not allowed to rename node " + safeGetJCRPath() + " to " + newName;
log.debug(msg);
throw new AccessDeniedException(msg);
}
// the primary node type on this node itself.
if (!nt.getName().equals(newTargetDef.getName()) && !(acMgr.isGranted(getPrimaryPath(), Permission.NODE_TYPE_MNGMT))) {
String msg = "Not allowed to rename node " + safeGetJCRPath() + " to " + newName;
log.debug(msg);
throw new AccessDeniedException(msg);
}
// change definition
onRedefine(newTargetDef.unwrap());
// delegate to parent
parent.renameChildNode(getNodeId(), qName, true);
}
use of javax.jcr.AccessDeniedException in project jackrabbit by apache.
the class ACLProvider method getEffectivePolicies.
/**
* @see org.apache.jackrabbit.core.security.authorization.AccessControlProvider#getEffectivePolicies(org.apache.jackrabbit.spi.Path,org.apache.jackrabbit.core.security.authorization.CompiledPermissions)
*/
public AccessControlPolicy[] getEffectivePolicies(Path absPath, CompiledPermissions permissions) throws ItemNotFoundException, RepositoryException {
if (absPath == null) {
// TODO: JCR-2774
log.warn("TODO: JCR-2774 - Repository level permissions.");
return new AccessControlPolicy[0];
}
String jcrPath = session.getJCRPath(absPath);
String pName = ISO9075.encode(session.getJCRName(ACLTemplate.P_NODE_PATH));
int ancestorCnt = absPath.getAncestorCount();
// search all ACEs whose rep:nodePath property equals the specified
// absPath or any of it's ancestors
StringBuilder stmt = new StringBuilder("/jcr:root");
stmt.append(acRoot.getPath());
stmt.append("//element(*,");
stmt.append(session.getJCRName(NT_REP_ACE));
stmt.append(")[");
for (int i = 0; i <= ancestorCnt; i++) {
String path = Text.getRelativeParent(jcrPath, i);
if (i > 0) {
stmt.append(" or ");
}
stmt.append("@");
stmt.append(pName);
stmt.append("='");
stmt.append(path.replaceAll("'", "''"));
stmt.append("'");
}
stmt.append("]");
QueryResult result;
try {
QueryManager qm = session.getWorkspace().getQueryManager();
Query q = qm.createQuery(stmt.toString(), Query.XPATH);
result = q.execute();
} catch (RepositoryException e) {
log.error("Unexpected error while searching effective policies. {}", e.getMessage());
throw new UnsupportedOperationException("Retrieve effective policies at absPath '" + jcrPath + "' not supported.", e);
}
/**
* Loop over query results and verify that
* - the corresponding ACE really takes effect on the specified absPath.
* - the corresponding ACL can be read by the editing session.
*/
Set<AccessControlPolicy> acls = new LinkedHashSet<AccessControlPolicy>();
for (NodeIterator it = result.getNodes(); it.hasNext(); ) {
Node aceNode = it.nextNode();
String accessControlledNodePath = Text.getRelativeParent(aceNode.getPath(), 2);
Path acPath = session.getQPath(accessControlledNodePath);
AccessControlPolicy[] policies = editor.getPolicies(accessControlledNodePath);
if (policies.length > 0) {
ACLTemplate acl = (ACLTemplate) policies[0];
for (AccessControlEntry ace : acl.getAccessControlEntries()) {
ACLTemplate.Entry entry = (ACLTemplate.Entry) ace;
if (entry.matches(jcrPath)) {
if (permissions.grants(acPath, Permission.READ_AC)) {
acls.add(new UnmodifiableAccessControlList(acl));
break;
} else {
throw new AccessDeniedException("Access denied at " + accessControlledNodePath);
}
}
}
}
}
return acls.toArray(new AccessControlPolicy[acls.size()]);
}
use of javax.jcr.AccessDeniedException in project jackrabbit by apache.
the class RSessionAccessControlTest method testWorkspaceMoveNode.
public void testWorkspaceMoveNode() throws Exception {
Node n = (Node) readOnlySession.getItem(testNodePath);
String destPath = testRootNode.getPath() + "/" + nodeName2;
try {
readOnlySession.getWorkspace().move(n.getPath(), destPath);
fail("A read only session must not be allowed to move a node");
} catch (AccessDeniedException e) {
// expected
log.debug(e.getMessage());
}
}
use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.
the class AccessControlManagerImplTest method testHasRepoPrivilegesNoAccessToPrincipals.
@Test
public void testHasRepoPrivilegesNoAccessToPrincipals() throws Exception {
AbstractAccessControlManager testAcMgr = getTestAccessControlManager();
// the test-session doesn't have sufficient permissions to read privilege set for admin session.
try {
testAcMgr.getPrivileges(null, getPrincipals(adminSession));
fail("testSession doesn't have sufficient permission to read access control information");
} catch (AccessDeniedException e) {
// success
}
}
Aggregations