
Example 1 with PermissionService

use of org.alfresco.service.cmr.security.PermissionService in project acs-community-packaging by Alfresco.

the class BaseNodeCommandProcessor method validateArguments.

/**
 * Builds the target node reference from the first three URL elements and reports whether the
 * current user may read that node.
 *
 * <p>The result is {@code true} only when the permission check returns
 * {@code AccessStatus.ALLOWED}; every other status counts as a refusal, so the check fails closed.
 * This method only returns the decision. What happens on {@code false} (error page, login
 * redirect) is decided by the caller, which is not shown here.
 *
 * @param sc servlet context used to look up the service registry
 * @param command the command name (not consulted by this check)
 * @param args named request arguments (not consulted by this check)
 * @param urlElements URL elements; elements 0 and 1 are passed to the {@code StoreRef}
 *        constructor and element 2 is used as the node identifier
 * @return {@code true} if READ on the target node is {@code ALLOWED}
 * @throws IllegalArgumentException if fewer than three URL elements are supplied
 * @see org.alfresco.web.app.servlet.command.CommandProcessor#validateArguments(javax.servlet.ServletContext, java.lang.String, java.util.Map, java.lang.String[])
 */
public boolean validateArguments(ServletContext sc, String command, Map<String, String> args, String[] urlElements) {
    final int requiredElements = 3;
    if (urlElements.length < requiredElements) {
        throw new IllegalArgumentException("Not enough URL arguments passed to command servlet.");
    }
    // The reference is assembled from request-supplied values, so it is only trusted
    // once the permission check below has passed.
    this.targetRef = new NodeRef(new StoreRef(urlElements[0], urlElements[1]), urlElements[2]);
    AccessStatus readStatus = Repository.getServiceRegistry(sc)
            .getPermissionService()
            .hasPermission(this.targetRef, PermissionService.READ);
    // Allow-list comparison: anything other than ALLOWED is a refusal.
    return AccessStatus.ALLOWED == readStatus;
}
Also used : PermissionService(org.alfresco.service.cmr.security.PermissionService) StoreRef(org.alfresco.service.cmr.repository.StoreRef) NodeRef(org.alfresco.service.cmr.repository.NodeRef)

Example 2 with PermissionService

use of org.alfresco.service.cmr.security.PermissionService in project acs-community-packaging by Alfresco.

the class ScriptCommandProcessor method validateArguments.

/**
 * Resolves the script node (and optionally a document context node) named by the request and
 * decides whether the current user may run the script.
 *
 * <p>The nodes are taken from the {@code ARG_SCRIPT_PATH} / {@code ARG_CONTEXT_PATH} arguments
 * when a script path is given, otherwise from the URL elements (0-2 for the script, 3-5 for the
 * document when at least six are present). Access is granted only when all of the following hold:
 * READ on the script node is {@code ALLOWED}; READ on the document node is {@code ALLOWED} if a
 * document node is set; and either the client configuration allows user script execution or the
 * fully authenticated user is an admin authority.
 *
 * @param sc servlet context used to look up services and configuration
 * @param command the command name (not consulted by this check)
 * @param args named request arguments
 * @param urlElements URL elements, used only when no script path argument is present
 * @return {@code true} if every check above passes
 * @throws IllegalArgumentException if no script path is given and fewer than three URL elements
 *         are supplied
 * @see org.alfresco.web.app.servlet.command.CommandProcessor#validateArguments(javax.servlet.ServletContext, java.lang.String, java.util.Map, java.lang.String[])
 */
public boolean validateArguments(ServletContext sc, String command, Map<String, String> args, String[] urlElements) {
    final String scriptPath = args.get(ARG_SCRIPT_PATH);
    if (scriptPath == null) {
        if (urlElements.length < 3) {
            throw new IllegalArgumentException("Not enough URL arguments passed to command servlet.");
        }
        // script node is addressed directly by store and id in the URL
        this.scriptRef = new NodeRef(new StoreRef(urlElements[0], urlElements[1]), urlElements[2]);
        if (urlElements.length >= 6) {
            // a second store/id triple addresses the document context node
            this.docRef = new NodeRef(new StoreRef(urlElements[3], urlElements[4]), urlElements[5]);
        }
    } else {
        // NOTE(review): the result of resolveNamePath is dereferenced without a null check -
        // confirm it cannot return null for a path that does not resolve.
        this.scriptRef = BaseServlet.resolveNamePath(sc, scriptPath).NodeRef;
        final String docPath = args.get(ARG_CONTEXT_PATH);
        if (docPath != null) {
            this.docRef = BaseServlet.resolveNamePath(sc, docPath).NodeRef;
        }
    }

    // Both node references come from the request, so each one must pass a READ check.
    // Only ALLOWED grants access; any other status is a refusal.
    PermissionService permissions = Repository.getServiceRegistry(sc).getPermissionService();
    boolean canReadScript =
            permissions.hasPermission(this.scriptRef, PermissionService.READ) == AccessStatus.ALLOWED;
    boolean canReadDocument = true;
    if (this.docRef != null) {
        canReadDocument =
                permissions.hasPermission(this.docRef, PermissionService.READ) == AccessStatus.ALLOWED;
    }

    // Running arbitrary JavaScript is a privileged action: unless the client configuration
    // opts in to user script execution, only an admin authority may do it.
    ConfigService configService = Application.getConfigService(sc);
    ClientConfigElement clientConfig =
            (ClientConfigElement) configService.getGlobalConfig().getConfigElement("client");
    boolean userScriptsEnabled = clientConfig.getAllowUserScriptExecute();
    AuthorityService authorities = Repository.getServiceRegistry(sc).getAuthorityService();
    boolean mayExecute = userScriptsEnabled
            || authorities.isAdminAuthority(AuthenticationUtil.getFullyAuthenticatedUser());

    return canReadScript && canReadDocument && mayExecute;
}
Also used : PermissionService(org.alfresco.service.cmr.security.PermissionService) StoreRef(org.alfresco.service.cmr.repository.StoreRef) NodeRef(org.alfresco.service.cmr.repository.NodeRef) ConfigService(org.springframework.extensions.config.ConfigService) AuthorityService(org.alfresco.service.cmr.security.AuthorityService) ClientConfigElement(org.alfresco.web.config.ClientConfigElement)

Example 3 with PermissionService

use of org.alfresco.service.cmr.security.PermissionService in project acs-community-packaging by Alfresco.

the class Repository method setupBreadcrumbLocation.

/**
 * Rebuilds the breadcrumb trail for the given node in the supplied list.
 *
 * <p>The list is cleared, the node itself is added, and then its primary-parent chain is walked
 * upwards. An ancestor is inserted at the front of the list when it has a parent of its own and
 * its type is a subclass of {@code ContentModel.TYPE_FOLDER}. The walk stops at the first
 * ancestor for which READ is not {@code AccessStatus.ALLOWED}, so neither that ancestor nor
 * anything above it is named in the trail.
 *
 * <p>NOTE(review): the starting node is added without a permission check here - presumably the
 * caller has already verified access to it; confirm.
 *
 * @param context FacesContext
 * @param navBean NavigationBean instance
 * @param location The location list to set up
 * @param node The Node being navigated to
 */
public static void setupBreadcrumbLocation(FacesContext context, NavigationBean navBean, List<IBreadcrumbHandler> location, NodeRef node) {
    // start from an empty trail
    location.clear();

    NodeService nodeService = Repository.getServiceRegistry(context).getNodeService();
    DictionaryService dictionaryService = Repository.getServiceRegistry(context).getDictionaryService();
    PermissionService permsService = Repository.getServiceRegistry(context).getPermissionService();

    // the node being navigated to is always the last crumb
    location.add(navBean.new NavigationBreadcrumbHandler(node, Repository.getNameForNode(nodeService, node)));

    // Climb the primary-parent chain; the loop condition ends the climb as soon as the user
    // lacks READ on an ancestor, before that ancestor's name or type is looked up.
    NodeRef ancestor = nodeService.getPrimaryParent(node).getParentRef();
    while (ancestor != null
            && permsService.hasPermission(ancestor, PermissionService.READ) == AccessStatus.ALLOWED) {
        // an ancestor with no parent of its own is never shown as a crumb
        NodeRef above = nodeService.getPrimaryParent(ancestor).getParentRef();
        // content can have children too, so only folder types become crumbs
        if (above != null
                && dictionaryService.isSubClass(nodeService.getType(ancestor), ContentModel.TYPE_FOLDER)) {
            String ancestorName = Repository.getNameForNode(nodeService, ancestor);
            location.add(0, navBean.new NavigationBreadcrumbHandler(ancestor, ancestorName));
        }
        ancestor = above;
    }
}
Also used : PermissionService(org.alfresco.service.cmr.security.PermissionService) NodeRef(org.alfresco.service.cmr.repository.NodeRef) DictionaryService(org.alfresco.service.cmr.dictionary.DictionaryService) QName(org.alfresco.service.namespace.QName) NodeService(org.alfresco.service.cmr.repository.NodeService)

Example 4 with PermissionService

use of org.alfresco.service.cmr.security.PermissionService in project acs-community-packaging by Alfresco.

the class BaseServlet method checkAccess.

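/**
 * Check the user has the given permission on the given node. If they do not, either force a log on if this is a
 * guest user or forward to an error page.
 * <p>
 * Access is granted only when the permission service answers <code>AccessStatus.ALLOWED</code>. Any other answer
 * is handled as a refusal, so the check fails closed and agrees with the <code>== AccessStatus.ALLOWED</code>
 * comparisons used by the other permission checks in this code base.
 *
 * @param req
 *           the request
 * @param res
 *           the response
 * @param nodeRef
 *           the node in question
 * @param permission
 *           the name of the permission to check, e.g. <code>PermissionService.READ_CONTENT</code>
 * @param allowLogIn
 *           Indicates whether guest users without access to the node should be redirected to the log in page. If
 *           <code>false</code>, a status 403 forbidden page is displayed instead.
 * @return <code>true</code> only if the permission is <code>ALLOWED</code>; on <code>false</code> a redirect or
 *         error page has already been issued on the response
 * @throws IOException
 *            Signals that an I/O exception has occurred.
 * @throws ServletException
 *            On other errors
 */
public boolean checkAccess(HttpServletRequest req, HttpServletResponse res, NodeRef nodeRef, String permission, boolean allowLogIn) throws IOException, ServletException {
    ServletContext sc = getServletContext();
    ServiceRegistry serviceRegistry = getServiceRegistry(sc);
    PermissionService permissionService = serviceRegistry.getPermissionService();
    // Allow-list comparison: testing for "== DENIED" would let any status other than
    // DENIED through, which is the wrong default for an authorization gate.
    if (permissionService.hasPermission(nodeRef, permission) == AccessStatus.ALLOWED) {
        return true;
    }
    if (logger.isDebugEnabled()) {
        // string concatenation copes with a null nodeRef, unlike an explicit toString()
        logger.debug("User does not have " + permission + " permission for NodeRef: " + nodeRef);
    }
    if (allowLogIn && serviceRegistry.getAuthorityService().hasGuestAuthority()) {
        // a guest may simply need to authenticate, so offer the login page
        if (logger.isDebugEnabled()) {
            logger.debug("Redirecting to login page...");
        }
        redirectToLoginPage(req, res, sc);
    } else {
        if (logger.isDebugEnabled()) {
            logger.debug("Forwarding to error page...");
        }
        Application.handleSystemError(sc, req, res, MSG_ERROR_PERMISSIONS, HttpServletResponse.SC_FORBIDDEN, logger);
    }
    return false;
}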
Also used : PermissionService(org.alfresco.service.cmr.security.PermissionService) ServletContext(javax.servlet.ServletContext) ServiceRegistry(org.alfresco.service.ServiceRegistry)

Example 5 with PermissionService

use of org.alfresco.service.cmr.security.PermissionService in project acs-community-packaging by Alfresco.

the class ExternalAccessServlet method service.

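/**
 * Handles an externally addressable URL: authenticates the request, reads the navigation outcome
 * and its arguments from the path, prepares the JSF beans for that outcome and forwards to the
 * Faces servlet.
 *
 * <p>The path after the context path is split on "/". The first token (the servlet name) is
 * skipped, the second is the outcome and the remaining tokens are its arguments. For the document
 * details, space details and browse outcomes a node reference built from those arguments must
 * pass {@link #checkAccess} with {@code PermissionService.READ_CONTENT} before any bean is set up.
 *
 * <p>All tokens are request-supplied. The document and space details branches check that at least
 * one argument is present before reading {@code args[0]}, as the browse branch does, so a URL that
 * carries an outcome but no arguments no longer fails with an
 * {@code ArrayIndexOutOfBoundsException}.
 *
 * @param req the request
 * @param res the response
 * @throws ServletException on servlet errors
 * @throws IOException on I/O errors
 * @throws IllegalArgumentException if the path holds fewer than two tokens
 * @see javax.servlet.http.HttpServlet#service(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
 */
protected void service(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
    String uri = req.getRequestURI();
    // NOTE(review): the URI and query string are request-controlled and are logged verbatim;
    // confirm that no credential-bearing parameters can appear here and that the log sink
    // neutralises line breaks.
    if (logger.isDebugEnabled()) {
        logger.debug("Processing URL: " + uri + (req.getQueryString() != null ? ("?" + req.getQueryString()) : ""));
    }
    AuthenticationStatus status = servletAuthenticate(req, res);
    if (status == AuthenticationStatus.Failure) {
        return;
    }
    setNoCacheHeaders(res);
    uri = uri.substring(req.getContextPath().length());
    StringTokenizer t = new StringTokenizer(uri, "/");
    int tokenCount = t.countTokens();
    if (tokenCount < 2) {
        throw new IllegalArgumentException("Externally addressable URL did not contain all required args: " + uri);
    }
    // skip servlet name
    t.nextToken();
    String outcome = t.nextToken();
    // the remaining tokens are the outcome's arguments; this array is empty when the URL
    // ends at the outcome
    String[] args = new String[tokenCount - 2];
    for (int i = 0; i < tokenCount - 2; i++) {
        args[i] = t.nextToken();
    }
    if (logger.isDebugEnabled()) {
        logger.debug("External outcome found: " + outcome);
    }
    // we almost always need this bean reference
    FacesContext fc = FacesHelper.getFacesContext(req, res, getServletContext());
    BrowseBean browseBean = (BrowseBean) FacesHelper.getManagedBean(fc, "BrowseBean");
    // as we are potentially coming in from an external app reset the view stack
    Stack viewStack = (Stack) fc.getExternalContext().getSessionMap().get("_alfViewStack");
    if (viewStack != null) {
        viewStack.clear();
        if (logger.isDebugEnabled()) {
            logger.debug("Cleared view stack");
        }
    }
    // setup is required for certain outcome requests
    if (OUTCOME_DOCDETAILS.equals(outcome)) {
        NodeRef nodeRef = null;
        // guard the args[0] read: args is empty when the URL carries no arguments
        if (args.length != 0 && args[0].equals(WebDAVServlet.WEBDAV_PREFIX)) {
            nodeRef = resolveWebDAVPath(fc, args);
        } else if (args.length == 3) {
            StoreRef storeRef = new StoreRef(args[0], args[1]);
            nodeRef = new NodeRef(storeRef, args[2]);
        }
        if (nodeRef != null) {
            // check that the user has at least READ access - else redirect to an error or login page
            if (!checkAccess(req, res, nodeRef, PermissionService.READ_CONTENT, true)) {
                return;
            }
            // setup the Document on the browse bean
            browseBean.setupContentAction(nodeRef.getId(), true);
        }
        // perform the appropriate JSF navigation outcome
        NavigationHandler navigationHandler = fc.getApplication().getNavigationHandler();
        navigationHandler.handleNavigation(fc, null, "dialog:" + OUTCOME_DOCDETAILS);
    } else if (OUTCOME_SPACEDETAILS.equals(outcome)) {
        NodeRef nodeRef = null;
        // guard the args[0] read: args is empty when the URL carries no arguments
        if (args.length != 0 && args[0].equals(WebDAVServlet.WEBDAV_PREFIX)) {
            nodeRef = resolveWebDAVPath(fc, args);
        } else if (args.length == 3) {
            StoreRef storeRef = new StoreRef(args[0], args[1]);
            nodeRef = new NodeRef(storeRef, args[2]);
        }
        if (nodeRef != null) {
            // check that the user has at least READ access - else redirect to an error or login page
            if (!checkAccess(req, res, nodeRef, PermissionService.READ_CONTENT, true)) {
                return;
            }
            // setup the Space on the browse bean
            browseBean.setupSpaceAction(nodeRef.getId(), true);
        }
        // perform the appropriate JSF navigation outcome
        NavigationHandler navigationHandler = fc.getApplication().getNavigationHandler();
        navigationHandler.handleNavigation(fc, null, "dialog:" + OUTCOME_SPACEDETAILS);
    } else if (OUTCOME_BROWSE.equals(outcome)) {
        NodeRef nodeRef = null;
        if (args.length != 0 && args[0].equals(WebDAVServlet.WEBDAV_PREFIX)) {
            nodeRef = resolveWebDAVPath(fc, args);
        } else if (args.length >= 3) {
            // the store/id triple is always the last three arguments
            int offset = args.length - 3;
            StoreRef storeRef = new StoreRef(args[0 + offset], args[1 + offset]);
            nodeRef = new NodeRef(storeRef, args[2 + offset]);
        }
        if (nodeRef != null) {
            // check that the user has at least READ access - else redirect to an error or login page
            if (!checkAccess(req, res, nodeRef, PermissionService.READ_CONTENT, true)) {
                return;
            }
            // this call sets up the current node Id, and updates or initialises the
            // breadcrumb component with the selected node as appropriate.
            browseBean.updateUILocation(nodeRef);
            // force a "late" refresh of the BrowseBean to handle external servlet access URL
            browseBean.externalAccessRefresh();
            // check for view mode first argument
            if (args[0].equals(ARG_TEMPLATE)) {
                browseBean.setDashboardView(true);
            }
            // the above calls into BrowseBean setup the NavigationHandler automatically
        } else {
            // perform the appropriate JSF navigation outcome
            NavigationHandler navigationHandler = fc.getApplication().getNavigationHandler();
            navigationHandler.handleNavigation(fc, null, outcome);
        }
    } else if (OUTCOME_MYALFRESCO.equals(outcome)) {
        // setup the Dashboard Manager ready for the page we want to display
        if (req.getParameter(ARG_PAGE) != null) {
            DashboardManager manager = (DashboardManager) FacesHelper.getManagedBean(fc, DashboardManager.BEAN_NAME);
            manager.getPageConfig().setCurrentPage(req.getParameter(ARG_PAGE));
        }
        // perform the appropriate JSF navigation outcome
        NavigationHandler navigationHandler = fc.getApplication().getNavigationHandler();
        navigationHandler.handleNavigation(fc, null, outcome);
    } else if (OUTCOME_DIALOG.equals(outcome) || OUTCOME_WIZARD.equals(outcome)) {
        if (args.length != 0) {
            if (args.length > 1) {
                // NOTE(review): unlike the details and browse branches, this branch passes a
                // request-supplied node id to the beans without calling checkAccess - confirm
                // that the beans or the dialog/wizard itself enforce permissions on the node.
                String currentNodeId = null;
                if (args[1].equals(WebDAVServlet.WEBDAV_PREFIX)) {
                    // Drop the first argument
                    String[] args2 = new String[args.length - 1];
                    for (int i = 1; i < args.length; i++) {
                        args2[i - 1] = args[i];
                        if (logger.isDebugEnabled()) {
                            logger.debug("Added segment " + args2[i - 1]);
                        }
                    }
                    // NOTE(review): the other branches treat a null result from
                    // resolveWebDAVPath as possible; here it is dereferenced directly - confirm.
                    NodeRef nodeRef = resolveWebDAVPath(fc, args2);
                    currentNodeId = nodeRef.getId();
                } else {
                    currentNodeId = args[1];
                }
                if (logger.isDebugEnabled()) {
                    logger.debug("currentNodeId: " + currentNodeId);
                }
                // if a GUID was passed, use it to init the NavigationBean current context
                NavigationBean navigator = (NavigationBean) FacesHelper.getManagedBean(fc, NavigationBean.BEAN_NAME);
                navigator.setCurrentNodeId(currentNodeId);
                browseBean.setupSpaceAction(currentNodeId, true);
                // setup the Document on the browse bean
                // avoid java.lang.NullPointerException
                // at org.alfresco.web.bean.content.InviteContentUsersWizard.getPermissionsForType(InviteContentUsersWizard.java:49)
                // at org.alfresco.web.bean.wizard.BaseInviteUsersWizard.getRoles(BaseInviteUsersWizard.java:562)
                browseBean.setupContentAction(currentNodeId, true);
            }
            // NOTE(review): the dialog/wizard name in args[0] is request-supplied - presumably the
            // navigation handler only resolves names that are configured; confirm.
            NavigationHandler navigationHandler = fc.getApplication().getNavigationHandler();
            navigationHandler.handleNavigation(fc, null, outcome + ':' + args[0]);
        }
    } else if (OUTCOME_LOGOUT.equals(outcome)) {
        // special case for logout
        // invalidate ticket and clear the Security context for this thread
        Application.logOut(fc);
        res.sendRedirect(req.getContextPath() + FACES_SERVLET + Application.getLoginPage(getServletContext()));
        return;
    }
    // perform the forward to the page processed by the Faces servlet
    String viewId = fc.getViewRoot().getViewId();
    ViewSequenceUtils.nextViewSequence(fc);
    getServletContext().getRequestDispatcher(FACES_SERVLET + viewId).forward(req, res);
}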
Also used : FacesContext(javax.faces.context.FacesContext) StoreRef(org.alfresco.service.cmr.repository.StoreRef) BrowseBean(org.alfresco.web.bean.BrowseBean) AlfrescoNavigationHandler(org.alfresco.web.app.AlfrescoNavigationHandler) NavigationHandler(javax.faces.application.NavigationHandler) Stack(java.util.Stack) PermissionService(org.alfresco.service.cmr.security.PermissionService) NodeRef(org.alfresco.service.cmr.repository.NodeRef) StringTokenizer(java.util.StringTokenizer) DashboardManager(org.alfresco.web.bean.dashboard.DashboardManager) NavigationBean(org.alfresco.web.bean.NavigationBean) ServiceRegistry(org.alfresco.service.ServiceRegistry)
