use of org.alfresco.service.cmr.security.PermissionContext in project alfresco-repository by Alfresco.
the class PermissionServiceImpl method hasPermission.
/**
 * Decides whether the current run-as authentication holds {@code permIn} on {@code passedNodeRef}.
 *
 * <p>Decision order, as implemented below:
 * <ol>
 *   <li>a {@code null} node reference is ALLOWED (checked before the permission, so a null node with a
 *       null permission is also ALLOWED);</li>
 *   <li>a {@code null} permission is DENIED;</li>
 *   <li>a version-store node reference is mapped to the versioned node before any check;</li>
 *   <li>a node that is {@code null} after that mapping, or that does not exist, is ALLOWED;</li>
 *   <li>no run-as user is DENIED, and the system user is ALLOWED;</li>
 *   <li>nodes whose ACL properties report a non-null type other than {@code ACLType.OLD} are evaluated
 *       through {@code hasPermission(aclId, context, perm)};</li>
 *   <li>all other nodes are evaluated with {@code NodeTest}, with the result stored in {@code accessCache}.</li>
 * </ol>
 *
 * <p>Security note: steps 1 and 4 fail open. An ALLOWED result therefore does not show that the node
 * exists or that any ACL was consulted; callers that need that guarantee must check existence themselves.
 *
 * @param passedNodeRef the node to check; may be {@code null} or refer to a version-store node
 * @param permIn the permission to test; {@code null} yields DENIED once the node reference is non-null
 * @return {@code AccessStatus.ALLOWED} or {@code AccessStatus.DENIED} according to the rules above
 */
@Override
@Extend(traitAPI = PermissionServiceTrait.class, extensionAPI = PermissionServiceExtension.class)
public AccessStatus hasPermission(NodeRef passedNodeRef, final PermissionReference permIn) {
    // There is no node to protect when the reference is null, so the check is allowed (fail-open).
    if (passedNodeRef == null) {
        return AccessStatus.ALLOWED;
    }
    // If the permission is null we deny
    if (permIn == null) {
        return AccessStatus.DENIED;
    }
    // Note: if we're directly accessing a frozen state (version) node (ie. in the 'version' store) we need to check permissions for the versioned node (ie. in the 'live' store)
    if (isVersionNodeRef(passedNodeRef)) {
        passedNodeRef = convertVersionNodeRefToVersionedNodeRef(VersionUtil.convertNodeRef(passedNodeRef));
    }
    // Allow permissions for nodes that do not exist.
    // The null test is repeated because the version conversion above may have replaced the reference.
    if (passedNodeRef == null || !nodeService.exists(passedNodeRef)) {
        return AccessStatus.ALLOWED;
    }
    // From here on every lookup uses the reference returned by the tenant service.
    final NodeRef nodeRef = tenantService.getName(passedNodeRef);
    // Map the legacy "all permissions" reference onto the current one.
    final PermissionReference perm;
    if (permIn.equals(OLD_ALL_PERMISSIONS_REFERENCE)) {
        perm = getAllPermissionReference();
    } else {
        perm = permIn;
    }
    // No run-as user means there is nobody to grant the permission to.
    if (AuthenticationUtil.getRunAsUser() == null) {
        return AccessStatus.DENIED;
    }
    // The system user is allowed without consulting any ACL.
    if (AuthenticationUtil.isRunAsUserTheSystemUser()) {
        return AccessStatus.ALLOWED;
    }
    // New ACLs
    AccessControlListProperties properties = permissionsDaoComponent.getAccessControlListProperties(nodeRef);
    if ((properties != null) && (properties.getAclType() != null) && (properties.getAclType() != ACLType.OLD)) {
        // Build the evaluation context from the node's type and aspects.
        QName typeQname = nodeService.getType(nodeRef);
        Set<QName> aspectQNames = nodeService.getAspects(nodeRef);
        PermissionContext context = new PermissionContext(typeQname);
        context.getAspects().addAll(aspectQNames);
        Authentication auth = AuthenticationUtil.getRunAsAuthentication();
        if (auth != null) {
            // Record each dynamic authority returned for this node and permission against the run-as user.
            String user = AuthenticationUtil.getRunAsUser();
            for (String dynamicAuthority : getDynamicAuthorities(auth, nodeRef, perm)) {
                context.addDynamicAuthorityAssignment(user, dynamicAuthority);
            }
        }
        // Delegate to the ACL-id based overload; this path does not touch accessCache in this method.
        return hasPermission(properties.getId(), context, perm);
    }
    // Remaining case: no ACL properties, no ACL type, or ACLType.OLD.
    // Get the current authentications
    // Use the smart authentication cache to improve permissions performance
    Authentication auth = AuthenticationUtil.getRunAsAuthentication();
    final Set<String> authorisations = getAuthorisations(auth, nodeRef, perm);
    // If the node does not support the given permission there is no point
    // doing the test
    // The permission model is read as the system user, so the lookup does not depend on the caller's rights.
    Set<PermissionReference> available = AuthenticationUtil.runAs(new RunAsWork<Set<PermissionReference>>() {
        public Set<PermissionReference> doWork() throws Exception {
            return modelDAO.getAllPermissions(nodeRef);
        }
    }, AuthenticationUtil.getSystemUserName());
    // Both forms of the "all permissions" reference are always treated as available.
    available.add(getAllPermissionReference());
    available.add(OLD_ALL_PERMISSIONS_REFERENCE);
    // The cache key is built from the authorisation set, the node and the permission,
    // so a cached decision is only reused for the same combination of the three.
    // NOTE(review): how accessCache entries are invalidated when ACLs change is not visible here; confirm.
    final Serializable key = generateKey(authorisations, nodeRef, perm, CacheType.HAS_PERMISSION);
    if (!(available.contains(perm))) {
        // A permission the node's model does not define is denied, and that denial is cached.
        accessCache.put(key, AccessStatus.DENIED);
        return AccessStatus.DENIED;
    }
    // NOTE(review): appears redundant with the system-user check earlier in this method; confirm.
    if (AuthenticationUtil.isRunAsUserTheSystemUser()) {
        return AccessStatus.ALLOWED;
    }
    // The evaluation runs as the system user, but the decision is made against the
    // 'authorisations' set captured above for the original caller.
    return AuthenticationUtil.runAs(new RunAsWork<AccessStatus>() {
        public AccessStatus doWork() throws Exception {
            // Reuse a previously cached decision for this key if there is one.
            AccessStatus status = accessCache.get(key);
            if (status != null) {
                return status;
            }
            //
            // TODO: Dynamic permissions via evaluators
            //
            /*
             * Does the current authentication have the supplied permission on the given node.
             */
            QName typeQname = nodeService.getType(nodeRef);
            Set<QName> aspectQNames = nodeService.getAspects(nodeRef);
            NodeTest nt = new NodeTest(perm, typeQname, aspectQNames);
            boolean result = nt.evaluate(authorisations, nodeRef);
            if (log.isDebugEnabled()) {
                // The debug message contains a user name and the node path.
                // NOTE(review): this code runs inside runAs(system user), so getRunAsUser() may report
                // the system user rather than the original caller; confirm before relying on this log.
                log.debug("Permission <" + perm + "> is " + (result ? "allowed" : "denied") + " for " + AuthenticationUtil.getRunAsUser() + " on node " + nodeService.getPath(nodeRef));
            }
            status = result ? AccessStatus.ALLOWED : AccessStatus.DENIED;
            // Both outcomes are cached under the same key.
            accessCache.put(key, status);
            return status;
        }
    }, AuthenticationUtil.getSystemUserName());
}
use of org.alfresco.service.cmr.security.PermissionContext in project alfresco-repository by Alfresco.
the class PermissionServiceTest method testInheritPermissions.
/**
 * Verifies that READ granted on a parent folder is inherited by a child folder, that switching
 * inheritance off on the child removes the grant, and that switching it back on restores it.
 *
 * <p>"andy" receives the grant; "lemur" never does and acts as the negative control at every step,
 * so an accidental grant to all users would fail the test.
 * The test also pins the ACL-id overload: a null ACL id with no store ACL on the context is
 * ALLOWED for a non-admin user, and becomes DENIED once a store ACL id is set on the context.
 */
public void testInheritPermissions() {
    // The read-level permissions asserted after every change, in the order they are checked.
    final String[] readPermissions = {
        PermissionService.READ,
        PermissionService.READ_PROPERTIES,
        PermissionService.READ_CHILDREN,
        PermissionService.READ_CONTENT
    };

    // Build root -> parentFolder -> childFolder as the admin user.
    runAs(AuthenticationUtil.getAdminUserName());
    NodeRef parentFolder = nodeService
            .createNode(rootNodeRef, ContentModel.ASSOC_CHILDREN, QName.createQName("{namespace}one"), ContentModel.TYPE_FOLDER)
            .getChildRef();
    NodeRef childFolder = nodeService
            .createNode(parentFolder, ContentModel.ASSOC_CONTAINS, QName.createQName("{namespace}two"), ContentModel.TYPE_FOLDER)
            .getChildRef();

    // ACL-id overload, first as admin against the parent's real ACL.
    Long parentAclId = nodeService.getNodeAclId(parentFolder);
    PermissionContext context = new PermissionContext(QName.createQName("{namespace}one"));
    assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(parentAclId, context, PermissionService.ALL_PERMISSIONS));

    runAs("andy");
    // A null ACL id with no store ACL on the context is allowed.
    assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(null, context, PermissionService.ALL_PERMISSIONS));
    // With a store ACL id set, the check gets further and is expected to be denied.
    context.setStoreAcl(3455L);
    assertEquals(AccessStatus.DENIED, permissionService.hasPermission(null, context, PermissionService.ALL_PERMISSIONS));

    // Baseline: neither user can read the root before any grant.
    for (String permissionName : readPermissions) {
        assertFalse(permissionService.hasPermission(rootNodeRef, getPermission(permissionName)) == AccessStatus.ALLOWED);
    }
    runAs("lemur");
    for (String permissionName : readPermissions) {
        assertFalse(permissionService.hasPermission(rootNodeRef, getPermission(permissionName)) == AccessStatus.ALLOWED);
    }

    // Grant READ to andy on the root and on the parent folder only.
    permissionService.setPermission(new SimplePermissionEntry(rootNodeRef, getPermission(PermissionService.READ), "andy", AccessStatus.ALLOWED));
    permissionService.setPermission(new SimplePermissionEntry(parentFolder, getPermission(PermissionService.READ), "andy", AccessStatus.ALLOWED));

    // The child inherits the grant for andy; lemur stays denied.
    runAs("andy");
    for (String permissionName : readPermissions) {
        assertTrue(permissionService.hasPermission(childFolder, getPermission(permissionName)) == AccessStatus.ALLOWED);
    }
    runAs("lemur");
    for (String permissionName : readPermissions) {
        assertFalse(permissionService.hasPermission(childFolder, getPermission(permissionName)) == AccessStatus.ALLOWED);
    }

    // With inheritance off on the child, the parent's grant no longer applies to it.
    permissionService.setInheritParentPermissions(childFolder, false);
    runAs("andy");
    for (String permissionName : readPermissions) {
        assertFalse(permissionService.hasPermission(childFolder, getPermission(permissionName)) == AccessStatus.ALLOWED);
    }
    runAs("lemur");
    for (String permissionName : readPermissions) {
        assertFalse(permissionService.hasPermission(childFolder, getPermission(permissionName)) == AccessStatus.ALLOWED);
    }

    // Turning inheritance back on restores andy's access and still grants nothing to lemur.
    permissionService.setInheritParentPermissions(childFolder, true);
    runAs("andy");
    for (String permissionName : readPermissions) {
        assertTrue(permissionService.hasPermission(childFolder, getPermission(permissionName)) == AccessStatus.ALLOWED);
    }
    runAs("lemur");
    for (String permissionName : readPermissions) {
        assertFalse(permissionService.hasPermission(childFolder, getPermission(permissionName)) == AccessStatus.ALLOWED);
    }
}