use of org.alfresco.repo.domain.node.NodeIdAndAclId in project alfresco-repository by Alfresco.
the class ADMAccessControlListDAO method fixOldDmAcls.
/**
 * Walks the primary-child tree below {@code nodeId} and replaces ACLs of type
 * {@link ACLType#OLD} with newly created defining ACLs, pushing the matching
 * inherited ACL id down to the children.
 *
 * <p>This method rewrites the ACL id stored on nodes, so it changes effective
 * access control for every node it touches. It performs no permission check of
 * its own; callers are responsible for running it only in a trusted context.
 *
 * @param nodeId            id of the node being processed
 * @param existingNodeAclId ACL id currently set on the node, may be {@code null}
 * @param inheritedAclId    ACL id the node would inherit from its parent, may be {@code null}
 * @param isRoot            {@code true} when the node is a root; a root without an ACL gets a default one
 * @return counters of the ACLs created for this node and all visited descendants
 */
private CounterSet fixOldDmAcls(Long nodeId, Long existingNodeAclId, Long inheritedAclId, boolean isRoot) {
    final CounterSet counters = new CounterSet();
    // Id of the defining ACL created for this node, if any; drives what the children inherit.
    Long definingAclId = null;

    // When the node already points at the inherited ACL it was covered by a bulk
    // shared-ACL update higher up, so the ACL itself does not need to be loaded.
    final boolean alreadyOnInheritedAcl =
            (existingNodeAclId != null) && existingNodeAclId.equals(inheritedAclId);

    if (!alreadyOnInheritedAcl) {
        AccessControlList current = null;
        if (existingNodeAclId != null) {
            current = aclDaoComponent.getAccessControlList(existingNodeAclId);
        }

        if (current == null) {
            if (isRoot) {
                // A root with no ACL receives a fresh default defining ACL.
                counters.increment(ACLType.DEFINING);
                AccessControlListProperties defaults = aclDaoComponent.getDefaultProperties();
                Acl created = aclDaoComponent.createAccessControlList(defaults);
                definingAclId = created.getId();
                nodeDAO.setNodeAclId(nodeId, definingAclId);
            } else {
                // Nothing set on a non-root node: it simply takes the inherited ACL.
                nodeDAO.setNodeAclId(nodeId, inheritedAclId);
            }
        } else if (current.getProperties().getAclType() == ACLType.OLD) {
            // Convert the old-style ACL: copy its entries and inherit flag into a new ACL.
            counters.increment(ACLType.DEFINING);
            SimpleAccessControlListProperties converted =
                    new SimpleAccessControlListProperties(aclDaoComponent.getDefaultProperties());
            converted.setInherits(current.getProperties().getInherits());
            // Only link to the parent's ACL when the old ACL was inheriting.
            Long parentAclId = current.getProperties().getInherits() ? inheritedAclId : null;
            Acl created = aclDaoComponent.createAccessControlList(converted, current.getEntries(), parentAclId);
            definingAclId = created.getId();
            nodeDAO.setNodeAclId(nodeId, definingAclId);
        } else if (current.getProperties().getAclType() != ACLType.SHARED) {
            // Any other ACL type: stop here, the subtree below this node is not visited.
            // (Original note: inheritance should be checked for this case.)
            return counters;
        }
        // SHARED: nothing to change on the node itself, just cascade into the children.
        // TODO: Check shared ACL set is correct
    }

    final List<NodeIdAndAclId> children = nodeDAO.getPrimaryChildrenAcls(nodeId);
    Long aclForChildren = null;
    if (!children.isEmpty()) {
        // Resolve an inherited ACL only when there is a child that needs it.
        if (definingAclId == null) {
            aclForChildren = inheritedAclId;
        } else {
            aclForChildren = aclDaoComponent.getInheritedAccessControlList(definingAclId);
        }
        // Bulk-assign the shared ACL to the primary children that have no ACL id yet.
        nodeDAO.setPrimaryChildrenSharedAclId(nodeId, null, aclForChildren);
    }

    // NOTE(review): recursion depth equals the depth of the node tree; the child list
    // was read before the bulk update, so each child carries its previous ACL id.
    for (NodeIdAndAclId child : children) {
        counters.add(fixOldDmAcls(child.getId(), child.getAclId(), aclForChildren, false));
    }
    return counters;
}
use of org.alfresco.repo.domain.node.NodeIdAndAclId in project alfresco-repository by Alfresco.
the class SitesPermissionCleaner method cleanSitePermissions.
/**
 * Removes group permissions that belong to other sites from {@code targetNode}
 * and, recursively, from its primary children.
 *
 * <p>Only nodes with a {@link ACLType#DEFINING} ACL are examined. A group
 * authority is cleared when it is not the all-authorities group, does not start
 * with the containing site's group prefix, and the current user is allowed to
 * call {@code PermissionService.clearPermission} for it.
 *
 * <p>Security note: when the node does not inherit parent permissions, the
 * site-manager group of the containing site is granted the site-manager
 * permission as the system user. That grant bypasses the current user's own
 * rights and, unlike the clear step, is not preceded by an access check.
 *
 * @param targetNode     node whose permissions are cleaned
 * @param containingSite site containing the node, or {@code null} to look it up
 */
public void cleanSitePermissions(final NodeRef targetNode, SiteInfo containingSite) {
    if (!nodeDAO.exists(targetNode)) {
        return;
    }

    // The site is resolved once at the top of the recursion and passed down afterwards.
    if (containingSite == null) {
        containingSite = siteServiceImpl.getSite(targetNode);
        if (containingSite == null) {
            // Node is not inside any site: nothing to clean.
            return;
        }
    }

    // The hierarchy is walked through the DAOs instead of the NodeService for speed.
    // Direct NodeDAO access needs the tenant-qualified reference (ALF-12732).
    // NOTE(review): the results of getNodePair() and getAcl() are dereferenced
    // without a null check - confirm both are guaranteed non-null for an existing node.
    final Long targetNodeID = nodeDAO.getNodePair(tenantService.getName(targetNode)).getFirst();
    final Long targetNodeAclID = nodeDAO.getNodeAclId(targetNodeID);
    final Acl nodeAcl = aclDAO.getAcl(targetNodeAclID);

    // Nodes without a defining ACL carry no entries of their own to clean.
    final boolean hasDefiningAcl = nodeAcl.getAclType() == ACLType.DEFINING;
    if (hasDefiningAcl) {
        AccessControlList acl = aclDAO.getAccessControlList(targetNodeAclID);
        List<AccessControlEntry> aclEntries = acl.getEntries();
        for (AccessControlEntry aclEntry : aclEntries) {
            String authority = aclEntry.getAuthority();
            String thisSiteGroupPrefix = siteServiceImpl.getSiteGroup(containingSite.getShortName(), true);

            // A group authority, other than the everyone group, that belongs to a different site.
            boolean foreignSiteGroup = authority.startsWith(PermissionService.GROUP_PREFIX)
                    && !authority.startsWith(PermissionService.ALL_AUTHORITIES)
                    && !authority.startsWith(thisSiteGroupPrefix);

            // The access check is evaluated only for foreign site groups, and the entry
            // is removed only when the current user is allowed to remove it.
            if (foreignSiteGroup
                    && publicServiceAccessService.hasAccess("PermissionService", "clearPermission", targetNode, authority) == AccessStatus.ALLOWED) {
                permissionService.clearPermission(targetNode, authority);
            }

            if (!permissionService.getInheritParentPermissions(targetNode)) {
                // With inheritance switched off, the managers of the site the node now
                // lives in must be granted access to it explicitly.
                // NOTE(review): this privileged grant is repeated for every ACL entry and
                // is skipped when the ACL has no entries - confirm that is intended.
                String siteManagerAuthority = thisSiteGroupPrefix + "_" + SiteModel.SITE_MANAGER;
                AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Void>() {
                    @Override
                    public Void doWork() throws Exception {
                        permissionService.setPermission(targetNode, siteManagerAuthority, SiteModel.SITE_MANAGER, true);
                        return null;
                    }
                }, AuthenticationUtil.getSystemUserName());
            }
        }
    }

    // Descend into the primary children, reusing the already resolved site.
    List<NodeIdAndAclId> primaryChildren = nodeDAO.getPrimaryChildrenAcls(targetNodeID);
    for (NodeIdAndAclId primaryChild : primaryChildren) {
        NodeRef childRef = nodeDAO.getNodePair(primaryChild.getId()).getSecond();
        cleanSitePermissions(childRef, containingSite);
    }
}