Example 1 with DynamicAuthority

Use of org.alfresco.repo.security.permissions.DynamicAuthority in the project alfresco-repository by Alfresco.

From the class PermissionServiceImpl, method getDynamicAuthorities.

protected Set<String> getDynamicAuthorities(Authentication auth, NodeRef nodeRef, PermissionReference required) {
    Set<String> dynAuths = new HashSet<String>(64);
    User user = (User) auth.getPrincipal();
    String username = user.getUsername();
    // Resolve the node reference within the current tenant before evaluating any authority
    nodeRef = tenantService.getName(nodeRef);
    if (nodeRef != null) {
        if (dynamicAuthorities != null) {
            for (DynamicAuthority da : dynamicAuthorities) {
                // A null requiredFor() means the authority is relevant to every permission check;
                // otherwise it is only evaluated when the requested permission is in its set
                Set<PermissionReference> requiredFor = da.requiredFor();
                if ((requiredFor == null) || (requiredFor.contains(required))) {
                    // Grant the dynamic authority only if this user qualifies for it on this node
                    if (da.hasAuthority(nodeRef, username)) {
                        dynAuths.add(da.getAuthority());
                    }
                }
            }
        }
    }
    return dynAuths;
}
Also used: User (net.sf.acegisecurity.providers.dao.User), DynamicAuthority (org.alfresco.repo.security.permissions.DynamicAuthority), PermissionReference (org.alfresco.repo.security.permissions.PermissionReference), HashSet (java.util.HashSet), LinkedHashSet (java.util.LinkedHashSet)

Example 2 with DynamicAuthority

Use of org.alfresco.repo.security.permissions.DynamicAuthority in the project alfresco-repository by Alfresco.

From the class PermissionServiceImpl, method hasReadPermission.

/**
 * Optimised read permission evaluation.
 * Caveats:
 * - does not take into account dynamic authorities/groups (other than forcing the full
 *   hasPermission check when non-default dynamic authorities are configured)
 * - does not take into account node types/aspects for permissions
 */
@Override
@Extend(traitAPI = PermissionServiceTrait.class, extensionAPI = PermissionServiceExtension.class)
public AccessStatus hasReadPermission(NodeRef nodeRef) {
    AccessStatus status = AccessStatus.DENIED;
    // There is no node to check for a null reference - so we allow it
    if (nodeRef == null) {
        return AccessStatus.ALLOWED;
    }
    // Allow permissions for nodes that do not exist
    if (!nodeService.exists(nodeRef)) {
        return AccessStatus.ALLOWED;
    }
    // No effective user means no authentication context - deny
    String runAsUser = AuthenticationUtil.getRunAsUser();
    if (runAsUser == null) {
        return AccessStatus.DENIED;
    }
    // The system user bypasses permission evaluation entirely
    if (AuthenticationUtil.isRunAsUserTheSystemUser()) {
        return AccessStatus.ALLOWED;
    }
    // Any dynamic authorities other than those defined in the default permissions model
    // (owner, administrator, lock owner) that apply to Full Control or Read force the full
    // hasPermission check. The result is cached per transaction.
    Boolean forceHasPermission = (Boolean) AlfrescoTransactionSupport.getResource("forceHasPermission");
    if (forceHasPermission == null) {
        forceHasPermission = Boolean.FALSE;
        for (DynamicAuthority dynamicAuthority : dynamicAuthorities) {
            String authority = dynamicAuthority.getAuthority();
            Set<PermissionReference> requiredFor = dynamicAuthority.requiredFor();
            // Compare authority names by value rather than by reference
            boolean isDefaultAuthority = PermissionService.OWNER_AUTHORITY.equals(authority)
                    || PermissionService.ADMINISTRATOR_AUTHORITY.equals(authority)
                    || PermissionService.LOCK_OWNER_AUTHORITY.equals(authority);
            boolean affectsRead = requiredFor == null
                    || requiredFor.contains(modelDAO.getPermissionReference(null, PermissionService.FULL_CONTROL))
                    || requiredFor.contains(modelDAO.getPermissionReference(null, PermissionService.READ));
            if (!isDefaultAuthority && affectsRead) {
                forceHasPermission = Boolean.TRUE;
                break;
            }
        }
        AlfrescoTransactionSupport.bindResource("forceHasPermission", forceHasPermission);
    }
    if (Boolean.TRUE.equals(forceHasPermission)) {
        return hasPermission(nodeRef, PermissionService.READ);
    }
    Long aclID = nodeService.getNodeAclId(nodeRef);
    if (aclID == null) {
        // ACL ID is null - need to call default permissions evaluation
        // This will end up calling the old-style ACL code that walks up the ACL tree
        status = hasPermission(nodeRef, getPermissionReference(null, PermissionService.READ));
    } else {
        // Fast path: read is allowed via the ACL itself, via admin membership, or via node ownership
        status = (canRead(aclID) == AccessStatus.ALLOWED
                || adminRead() == AccessStatus.ALLOWED
                || ownerRead(runAsUser, nodeRef) == AccessStatus.ALLOWED) ? AccessStatus.ALLOWED : AccessStatus.DENIED;
    }
    return status;
}
Also used: DynamicAuthority (org.alfresco.repo.security.permissions.DynamicAuthority), PermissionReference (org.alfresco.repo.security.permissions.PermissionReference), BooleanUtils.toBoolean (org.apache.commons.lang3.BooleanUtils.toBoolean), AccessStatus (org.alfresco.service.cmr.security.AccessStatus), Extend (org.alfresco.traitextender.Extend)
