use of org.alfresco.repo.security.permissions.DynamicAuthority in project alfresco-repository by Alfresco.
the class PermissionServiceImpl method getDynamicAuthorities.
protected Set<String> getDynamicAuthorities(Authentication auth, NodeRef nodeRef, PermissionReference required) {
Set<String> dynAuths = new HashSet<String>(64);
User user = (User) auth.getPrincipal();
String username = user.getUsername();
nodeRef = tenantService.getName(nodeRef);
if (nodeRef != null) {
if (dynamicAuthorities != null) {
for (DynamicAuthority da : dynamicAuthorities) {
Set<PermissionReference> requiredFor = da.requiredFor();
if ((requiredFor == null) || (requiredFor.contains(required))) {
if (da.hasAuthority(nodeRef, username)) {
dynAuths.add(da.getAuthority());
}
}
}
}
}
return dynAuths;
}
use of org.alfresco.repo.security.permissions.DynamicAuthority in project alfresco-repository by Alfresco.
the class PermissionServiceImpl method hasReadPermission.
/**
* Optimised read permission evaluation
* caveats:
* doesn't take into account dynamic authorities/groups
* doesn't take into account node types/aspects for permissions
*/
@Override
@Extend(traitAPI = PermissionServiceTrait.class, extensionAPI = PermissionServiceExtension.class)
public AccessStatus hasReadPermission(NodeRef nodeRef) {
AccessStatus status = AccessStatus.DENIED;
// - so we allow it
if (nodeRef == null) {
return AccessStatus.ALLOWED;
}
// Allow permissions for nodes that do not exist
if (!nodeService.exists(nodeRef)) {
return AccessStatus.ALLOWED;
}
String runAsUser = AuthenticationUtil.getRunAsUser();
if (runAsUser == null) {
return AccessStatus.DENIED;
}
if (AuthenticationUtil.isRunAsUserTheSystemUser()) {
return AccessStatus.ALLOWED;
}
// any dynamic authorities other than those defined in the default permissions model with full
// control or read permission force hasPermission check
Boolean forceHasPermission = (Boolean) AlfrescoTransactionSupport.getResource("forceHasPermission");
if (forceHasPermission == null) {
for (DynamicAuthority dynamicAuthority : dynamicAuthorities) {
String authority = dynamicAuthority.getAuthority();
Set<PermissionReference> requiredFor = dynamicAuthority.requiredFor();
if (authority != PermissionService.OWNER_AUTHORITY && authority != PermissionService.ADMINISTRATOR_AUTHORITY && authority != PermissionService.LOCK_OWNER_AUTHORITY && (requiredFor == null || requiredFor.contains(modelDAO.getPermissionReference(null, PermissionService.FULL_CONTROL)) || requiredFor.contains(modelDAO.getPermissionReference(null, PermissionService.READ)))) {
forceHasPermission = Boolean.TRUE;
break;
}
}
AlfrescoTransactionSupport.bindResource("forceHasPermission", forceHasPermission);
}
if (forceHasPermission == Boolean.TRUE) {
return hasPermission(nodeRef, PermissionService.READ);
}
Long aclID = nodeService.getNodeAclId(nodeRef);
if (aclID == null) {
// ACLID is null - need to call default permissions evaluation
// This will end up calling the old-style ACL code that walks up the ACL tree
status = hasPermission(nodeRef, getPermissionReference(null, PermissionService.READ));
} else {
status = (canRead(aclID) == AccessStatus.ALLOWED || adminRead() == AccessStatus.ALLOWED || ownerRead(runAsUser, nodeRef) == AccessStatus.ALLOWED) ? AccessStatus.ALLOWED : AccessStatus.DENIED;
}
return status;
}
Aggregations