
Example 1 with AccessControlList

use of org.alfresco.repo.security.permissions.AccessControlList in project records-management by Alfresco.

From class ExtendedPermissionServiceImpl, method getWriters:

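/**
 * Returns the authorities that hold WRITE permission on the given ACL.
 * <p>
 * The set is derived from the ACL's entries and memoised in {@code writersCache}, keyed by the
 * ACL's properties. The cached set is unmodifiable so that one caller cannot change what later
 * callers observe.
 *
 * @param aclId the id of the ACL to evaluate
 * @return the authorities granted WRITE on the ACL, or an empty set when no ACL exists for
 *         {@code aclId}; never {@code null}
 * @see org.alfresco.repo.security.permissions.impl.ExtendedPermissionService#getWriters(java.lang.Long)
 */
@Override
public Set<String> getWriters(Long aclId) {
    AccessControlList acl = aclDaoComponent.getAccessControlList(aclId);
    if (acl == null) {
        return Collections.emptySet();
    }
    // The ACL properties are the cache key; the same key is used for the store below.
    Serializable cacheKey = (Serializable) acl.getProperties();
    Set<String> aclWriters = writersCache.get(cacheKey);
    if (aclWriters != null) {
        return aclWriters;
    }
    // Distinct authorities that appear anywhere in the ACL's entries.
    Set<String> assigned = new HashSet<String>();
    for (AccessControlEntry ace : acl.getEntries()) {
        assigned.add(ace.getAuthority());
    }
    // The test is parameterised only by the required permission, not by the authority being
    // evaluated, so it is constructed once instead of once per authority.
    UnconditionalAclTest writeTest = new UnconditionalAclTest(getPermissionReference(PermissionService.WRITE));
    Set<String> writers = new HashSet<String>();
    for (String authority : assigned) {
        if (writeTest.evaluate(authority, aclId)) {
            writers.add(authority);
        }
    }
    aclWriters = Collections.unmodifiableSet(writers);
    writersCache.put(cacheKey, aclWriters);
    return aclWriters;
}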

Example 2 with AccessControlList

use of org.alfresco.repo.security.permissions.AccessControlList in project alfresco-repository by Alfresco.

From class PermissionServiceImpl, method getReadersDenied:

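/**
 * Returns the authorities that are unconditionally denied READ on the given ACL.
 * <p>
 * The set is derived from the ACL's entries and memoised in {@code readersDeniedCache}, keyed by
 * the ACL's properties. The cached set is unmodifiable so that one caller cannot change what
 * later callers observe.
 *
 * @param aclId the id of the ACL to evaluate
 * @return set of authorities denied READ on the ACL, or an empty set when no ACL exists for
 *         {@code aclId}; never {@code null}
 */
@Override
@Extend(traitAPI = PermissionServiceTrait.class, extensionAPI = PermissionServiceExtension.class)
public Set<String> getReadersDenied(Long aclId) {
    AccessControlList acl = aclDaoComponent.getAccessControlList(aclId);
    if (acl == null) {
        return Collections.emptySet();
    }
    // Look-up and store must use the same key. Looking up by the ACL id while storing by the ACL
    // properties means the cache can never hit and every call recomputes the set.
    Serializable cacheKey = (Serializable) acl.getProperties();
    Set<String> denied = readersDeniedCache.get(cacheKey);
    if (denied != null) {
        return denied;
    }
    // Distinct authorities that appear anywhere in the ACL's entries.
    Set<String> assigned = new HashSet<String>();
    for (AccessControlEntry ace : acl.getEntries()) {
        assigned.add(ace.getAuthority());
    }
    // The test is parameterised only by the required permission, not by the authority being
    // evaluated, so it is constructed once instead of once per authority.
    UnconditionalDeniedAclTest readDeniedTest = new UnconditionalDeniedAclTest(getPermissionReference(PermissionService.READ));
    Set<String> deniedAuthorities = new HashSet<String>();
    for (String authority : assigned) {
        if (readDeniedTest.evaluate(authority, aclId)) {
            deniedAuthorities.add(authority);
        }
    }
    // Never hand out the mutable set that lives in the cache.
    denied = Collections.unmodifiableSet(deniedAuthorities);
    readersDeniedCache.put(cacheKey, denied);
    return denied;
}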

Example 3 with AccessControlList

use of org.alfresco.repo.security.permissions.AccessControlList in project alfresco-repository by Alfresco.

From class SitesPermissionCleaner, method cleanSitePermissions:

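/**
 * Removes site-group permissions belonging to other sites from {@code targetNode} and from its
 * primary-child subtree.
 * <p>
 * Only nodes with a DEFINING ACL are touched. For each authority in such an ACL that is a group,
 * is not GROUP_EVERYONE and is not a group of the containing site, the permission is cleared,
 * provided the current user is allowed to call {@code PermissionService.clearPermission} on the
 * node (checked through {@code publicServiceAccessService}). When the node does not inherit its
 * parent's permissions, the containing site's manager group is granted SiteManager on the node
 * so it does not become unmanageable; that single grant runs as the system user.
 *
 * @param targetNode     the root of the subtree to clean
 * @param containingSite the site containing {@code targetNode}, or {@code null} to resolve it
 *                       here; it is resolved once and passed down the recursion
 */
public void cleanSitePermissions(final NodeRef targetNode, SiteInfo containingSite) {
    if (!nodeDAO.exists(targetNode)) {
        return;
    }
    // We can calculate the containing site at the start of a recursive call & then reuse it on subsequent calls.
    if (containingSite == null) {
        containingSite = siteServiceImpl.getSite(targetNode);
    }
    // Short-circuit at this point if the node is not in a Site.
    if (containingSite == null) {
        return;
    }
    // For performance reasons we navigate down the containment hierarchy using the DAOs
    // rather than the NodeService. Note: direct use of NodeDAO requires tenantService (ALF-12732).
    final Long targetNodeID = nodeDAO.getNodePair(tenantService.getName(targetNode)).getFirst();
    final Long targetNodeAclID = nodeDAO.getNodeAclId(targetNodeID);
    Acl targetNodeAcl = aclDAO.getAcl(targetNodeAclID);
    // Nodes that don't have defining ACLs do not need to be considered. A node with no ACL at all
    // is treated the same way instead of being dereferenced.
    if (targetNodeAcl != null && targetNodeAcl.getAclType() == ACLType.DEFINING) {
        cleanDefiningAcl(targetNode, targetNodeAclID, containingSite);
    }
    // Recurse
    List<NodeIdAndAclId> childNodeIds = nodeDAO.getPrimaryChildrenAcls(targetNodeID);
    for (NodeIdAndAclId nextChild : childNodeIds) {
        cleanSitePermissions(nodeDAO.getNodePair(nextChild.getId()).getSecond(), containingSite);
    }
}

/**
 * Clears foreign site-group permissions from a node that has a DEFINING ACL and, when the node
 * does not inherit parent permissions, makes sure the containing site's managers keep access.
 *
 * @param targetNode      the node whose ACL is cleaned
 * @param targetNodeAclID the id of the node's DEFINING ACL
 * @param containingSite  the site the node belongs to
 */
private void cleanDefiningAcl(final NodeRef targetNode, Long targetNodeAclID, SiteInfo containingSite) {
    AccessControlList targetNodeAccessControlList = aclDAO.getAccessControlList(targetNodeAclID);
    List<AccessControlEntry> targetNodeAclEntries = targetNodeAccessControlList.getEntries();
    // The group prefix depends only on the containing site, so it is computed once per node.
    final String thisSiteGroupPrefix = siteServiceImpl.getSiteGroup(containingSite.getShortName(), true);
    for (AccessControlEntry entry : targetNodeAclEntries) {
        String authority = entry.getAuthority();
        // Clear a group permission of another site only when the current user is allowed to do
        // so on this node; otherwise the entry is left in place rather than removed with
        // elevated rights.
        if (isForeignSiteGroup(authority, thisSiteGroupPrefix)
                && publicServiceAccessService.hasAccess("PermissionService", "clearPermission", targetNode, authority) == AccessStatus.ALLOWED) {
            permissionService.clearPermission(targetNode, authority);
        }
    }
    // The site manager from the new site, where this node was moved to, has to have permission to
    // this node. The grant is issued once per node rather than once per ACL entry (setting the
    // same permission again is taken to be a no-op - confirm against PermissionService); as before
    // it only applies to an ACL that has entries.
    if (!targetNodeAclEntries.isEmpty() && !permissionService.getInheritParentPermissions(targetNode)) {
        final String siteManagerAuthority = thisSiteGroupPrefix + "_" + SiteModel.SITE_MANAGER;
        // Elevated to system for this single grant only; the clearing above runs as the current user.
        AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Void>() {

            @Override
            public Void doWork() throws Exception {
                permissionService.setPermission(targetNode, siteManagerAuthority, SiteModel.SITE_MANAGER, true);
                return null;
            }
        }, AuthenticationUtil.getSystemUserName());
    }
}

/**
 * Tells whether an authority is a group permission of a site other than the current one.
 *
 * @param authority           the authority taken from an ACL entry
 * @param thisSiteGroupPrefix the group-name prefix of the containing site
 * @return {@code true} for a group authority that is neither GROUP_EVERYONE nor a group of the
 *         containing site
 */
private static boolean isForeignSiteGroup(String authority, String thisSiteGroupPrefix) {
    return authority.startsWith(PermissionService.GROUP_PREFIX)
            && !authority.startsWith(PermissionService.ALL_AUTHORITIES)
            && !authority.startsWith(thisSiteGroupPrefix);
}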

Example 4 with AccessControlList

use of org.alfresco.repo.security.permissions.AccessControlList in project alfresco-repository by Alfresco.

From class AclDAOImpl, method getCopy:

/**
 * Resolves the ACL a node should use when its ACL is copied, versioned or re-parented. The
 * behaviour is selected by {@code mode}:
 * <ul>
 * <li>{@code INHERIT} - only supported when {@code toCopy} equals {@code toInheritFrom};
 * returns the inherited ACL of {@code toCopy}.</li>
 * <li>{@code COW} - flags {@code toCopy} (and its inherited ACL, when that is a different ACL)
 * as requiring a new version in the current change set, then returns {@code toCopy}.</li>
 * <li>{@code REDIRECT} - DEFINING and LAYERED ACLs are merged with {@code toInheritFrom} and
 * the ACL that replaced {@code toCopy} in that merge is returned; SHARED resolves to the
 * inherited ACL of {@code toInheritFrom}; FIXED, GLOBAL and OLD are returned unchanged.</li>
 * <li>{@code COPY} - a DEFINING ACL is duplicated into a new, versioned DEFINING ACL holding
 * only its position-0 entries, merged with {@code toInheritFrom} when one is given; SHARED
 * resolves to the inherited ACL of {@code toInheritFrom}, or {@code null} when there is none;
 * FIXED, GLOBAL, LAYERED and OLD are returned unchanged.</li>
 * </ul>
 *
 * @param toCopy        id of the ACL being copied (compared with {@code equals} in the INHERIT
 *                      and REDIRECT cases, so not {@code null})
 * @param toInheritFrom id of the ACL the result should inherit from; may be {@code null}
 * @param mode          how the copy is to be made
 * @return the id of the resulting ACL; {@code null} only for a COPY of a SHARED ACL with
 *         nothing to inherit from
 * @throws UnsupportedOperationException for a mode / ACL-type combination that is not
 *         supported, including a REDIRECT merge that yields no replacement for {@code toCopy}
 */
private Long getCopy(Long toCopy, Long toInheritFrom, ACLCopyMode mode) {
    AclUpdateEntity aclToCopy;
    Long inheritedId;
    Acl aclToInheritFrom;
    switch(mode) {
        case INHERIT:
            // Only the degenerate "inherit from yourself" form is supported here.
            if (toCopy.equals(toInheritFrom)) {
                return getInheritedAccessControlList(toCopy);
            } else {
                throw new UnsupportedOperationException();
            }
        case COW:
            // Copy-on-write: nothing is copied now; the ACL (and its inherited ACL, if it is a
            // distinct one) is marked so that the next change produces a new version.
            aclToCopy = aclCrudDAO.getAclForUpdate(toCopy);
            aclToCopy.setRequiresVersion(true);
            aclToCopy.setAclChangeSetId(getCurrentChangeSetId());
            aclCrudDAO.updateAcl(aclToCopy);
            inheritedId = getInheritedAccessControlList(toCopy);
            if ((inheritedId != null) && (!inheritedId.equals(toCopy))) {
                AclUpdateEntity inheritedAcl = aclCrudDAO.getAclForUpdate(inheritedId);
                inheritedAcl.setRequiresVersion(true);
                inheritedAcl.setAclChangeSetId(getCurrentChangeSetId());
                aclCrudDAO.updateAcl(inheritedAcl);
            }
            return toCopy;
        case REDIRECT:
            // Redirecting an ACL to inherit from itself resolves to its own inherited ACL.
            if ((toInheritFrom != null) && (toInheritFrom.equals(toCopy))) {
                return getInheritedAccessControlList(toInheritFrom);
            }
            aclToCopy = aclCrudDAO.getAclForUpdate(toCopy);
            aclToInheritFrom = null;
            if (toInheritFrom != null) {
                aclToInheritFrom = aclCrudDAO.getAcl(toInheritFrom);
            }
            switch(aclToCopy.getAclType()) {
                case DEFINING:
                // So this needs to make a copy in the same way layered does
                // (intentional fall-through into LAYERED).
                case LAYERED:
                    if (toInheritFrom == null) {
                        return toCopy;
                    }
                    // manages cache clearing beneath
                    List<AclChange> changes = mergeInheritedAccessControlList(toInheritFrom, toCopy);
                    // The merge reports before/after pairs; the one whose "before" is toCopy
                    // identifies the ACL that now stands in for it.
                    for (AclChange change : changes) {
                        if (change.getBefore().equals(toCopy)) {
                            return change.getAfter();
                        }
                    }
                    // No change touched toCopy: the merge produced no replacement.
                    throw new UnsupportedOperationException();
                case SHARED:
                    if (aclToInheritFrom != null) {
                        return getInheritedAccessControlList(toInheritFrom);
                    } else {
                        throw new UnsupportedOperationException();
                    }
                case FIXED:
                case GLOBAL:
                case OLD:
                    return toCopy;
                default:
                    throw new UnsupportedOperationException();
            }
        case COPY:
            aclToCopy = aclCrudDAO.getAclForUpdate(toCopy);
            aclToInheritFrom = null;
            if (toInheritFrom != null) {
                aclToInheritFrom = aclCrudDAO.getAcl(toInheritFrom);
            }
            switch(aclToCopy.getAclType()) {
                case DEFINING:
                    // A fresh, versioned DEFINING ACL with the same inheritance flag as the source.
                    SimpleAccessControlListProperties properties = new SimpleAccessControlListProperties();
                    properties.setAclType(ACLType.DEFINING);
                    properties.setInherits(aclToCopy.getInherits());
                    properties.setVersioned(true);
                    Long id = createAccessControlList(properties).getId();
                    AccessControlList indirectAcl = getAccessControlList(toCopy);
                    // Only the entries defined directly on the source (position 0) are copied;
                    // inherited entries are re-established by the merge below.
                    for (AccessControlEntry entry : indirectAcl.getEntries()) {
                        if (entry.getPosition() == 0) {
                            setAccessControlEntry(id, entry);
                        }
                    }
                    if (aclToInheritFrom != null) {
                        mergeInheritedAccessControlList(toInheritFrom, id);
                    }
                    return id;
                case SHARED:
                    if (aclToInheritFrom != null) {
                        return getInheritedAccessControlList(toInheritFrom);
                    } else {
                        // The only path that yields null: nothing to share from.
                        return null;
                    }
                case FIXED:
                case GLOBAL:
                case LAYERED:
                case OLD:
                    return toCopy;
                default:
                    throw new UnsupportedOperationException();
            }
        default:
            throw new UnsupportedOperationException();
    }
}

Example 5 with AccessControlList

use of org.alfresco.repo.security.permissions.AccessControlList in project alfresco-repository by Alfresco.

From class AclDAOImpl, method getAccessControlList:

/**
 * Builds the {@link AccessControlList} for the ACL with the given id, serving it from
 * {@code aclCache} when it has been built before.
 * <p>
 * The ACL's {@link AccessControlListProperties} act as the cache key. On a miss the ACEs and
 * their authorities are read through {@code aclCrudDAO}, converted into sorted
 * {@link SimpleAccessControlEntry} instances and the finished list is cached.
 *
 * @param id the ACL id
 * @return the ACL, or {@code null} when no properties exist for {@code id}
 */
@Override
public AccessControlList getAccessControlList(Long id) {
    // The cached properties double as the cache key.
    AccessControlListProperties aclProperties = getAccessControlListProperties(id);
    if (aclProperties == null) {
        return null;
    }
    AccessControlList cachedAcl = aclCache.get((Serializable) aclProperties);
    if (cachedAcl != null) {
        return cachedAcl;
    }
    List<Map<String, Object>> rows = aclCrudDAO.getAcesAndAuthoritiesByAcl(id);
    List<AccessControlEntry> entries = new ArrayList<AccessControlEntry>(rows.size());
    for (Map<String, Object> row : rows) {
        entries.add(toAccessControlEntry(row));
    }
    Collections.sort(entries);
    SimpleAccessControlList builtAcl = new SimpleAccessControlList();
    builtAcl.setProperties(aclProperties);
    builtAcl.setEntries(entries);
    // Cache it for next time
    aclCache.put((Serializable) aclProperties, builtAcl);
    return builtAcl;
}

/**
 * Converts one row returned by {@code aclCrudDAO.getAcesAndAuthoritiesByAcl} into an entry.
 *
 * @param row a row with the "allowed", "applies", "authority", "permissionId" and "pos" columns
 *            (the "aclmemId" column, if present, is not used here)
 * @return the populated entry
 */
private AccessControlEntry toAccessControlEntry(Map<String, Object> row) {
    Boolean allowed = (Boolean) row.get("allowed");
    Integer aceTypeId = (Integer) row.get("applies");
    String authority = (String) row.get("authority");
    Long permissionId = (Long) row.get("permissionId");
    Integer position = (Integer) row.get("pos");
    // A permission referenced by id from an ACE row is expected to exist, so no null check.
    Permission permission = aclCrudDAO.getPermission(permissionId);
    QName permissionTypeQName = qnameDAO.getQName(permission.getTypeQNameId()).getSecond();
    SimplePermissionReference permissionReference = SimplePermissionReference.getPermissionReference(permissionTypeQName, permission.getName());
    SimpleAccessControlEntry entry = new SimpleAccessControlEntry();
    entry.setAccessStatus(allowed ? AccessStatus.ALLOWED : AccessStatus.DENIED);
    entry.setAceType(ACEType.getACETypeFromId(aceTypeId));
    entry.setAuthority(authority);
    entry.setPermission(permissionReference);
    entry.setPosition(position);
    return entry;
}
