use of org.alfresco.service.cmr.security.PermissionService in project acs-community-packaging by Alfresco.
the class BaseNodeCommandProcessor method validateArguments.
/**
* @see org.alfresco.web.app.servlet.command.CommandProcessor#validateArguments(javax.servlet.ServletContext, java.lang.String, java.util.Map, java.lang.String[])
*/
public boolean validateArguments(ServletContext sc, String command, Map<String, String> args, String[] urlElements) {
    // Authorisation gate for node commands: the target node is taken from the URL and the
    // command is accepted only when the current user holds READ on that node.
    // This method only returns the decision; what happens on false is up to the caller (not shown here).
    if (urlElements.length < 3) {
        throw new IllegalArgumentException("Not enough URL arguments passed to command servlet.");
    }

    // The reference is built purely from request-supplied URL segments: elements 0 and 1 feed the
    // StoreRef, element 2 is the node id. Nothing here proves the node exists; the permission
    // check below is the only validation visible in this method.
    final StoreRef store = new StoreRef(urlElements[0], urlElements[1]);
    this.targetRef = new NodeRef(store, urlElements[2]);
    // NOTE(review): targetRef is stored before the check runs, so it stays set on the instance
    // even when this method returns false - confirm callers never act on it after a rejection.

    final PermissionService permissions = Repository.getServiceRegistry(sc).getPermissionService();
    final AccessStatus readAccess = permissions.hasPermission(this.targetRef, PermissionService.READ);

    // Fail closed: only an explicit ALLOWED passes, every other status is a rejection.
    return AccessStatus.ALLOWED == readAccess;
}
use of org.alfresco.service.cmr.security.PermissionService in project acs-community-packaging by Alfresco.
the class ScriptCommandProcessor method validateArguments.
/**
* @see org.alfresco.web.app.servlet.command.CommandProcessor#validateArguments(javax.servlet.ServletContext, java.lang.String, java.util.Map, java.lang.String[])
*/
public boolean validateArguments(ServletContext sc, String command, Map<String, String> args, String[] urlElements) {
    // Authorisation gate for script execution. Three conditions must all hold:
    //   1. the user can READ the script node,
    //   2. the user can READ the document context node, when one is set,
    //   3. script execution is enabled for ordinary users, or the user is an admin authority.
    final String scriptPath = args.get(ARG_SCRIPT_PATH);
    if (scriptPath == null) {
        // No name path argument: the script (and optionally the context) is addressed by URL segments.
        if (urlElements.length < 3) {
            throw new IllegalArgumentException("Not enough URL arguments passed to command servlet.");
        }
        this.scriptRef = new NodeRef(new StoreRef(urlElements[0], urlElements[1]), urlElements[2]);
        // three further segments, when present, identify the document context node
        if (urlElements.length >= 6) {
            this.docRef = new NodeRef(new StoreRef(urlElements[3], urlElements[4]), urlElements[5]);
        }
    } else {
        // Name path supplied as an argument: resolve it to a node.
        this.scriptRef = BaseServlet.resolveNamePath(sc, scriptPath).NodeRef;
        // same for the document context path if specified
        final String docPath = args.get(ARG_CONTEXT_PATH);
        if (docPath != null) {
            this.docRef = BaseServlet.resolveNamePath(sc, docPath).NodeRef;
        }
    }
    // NOTE(review): docRef is only assigned when a context is supplied and is never reset here;
    // if a processor instance can be reused, an earlier value would carry over - confirm lifecycle.
    // NOTE(review): the result of resolveNamePath is dereferenced without a null check - confirm
    // it cannot return null for an unresolvable path.

    // Fail closed on both nodes: only an explicit ALLOWED counts.
    final PermissionService permissionService = Repository.getServiceRegistry(sc).getPermissionService();
    final boolean canReadScript =
            permissionService.hasPermission(this.scriptRef, PermissionService.READ) == AccessStatus.ALLOWED;
    boolean canReadContext = true;
    if (this.docRef != null) {
        canReadContext =
                permissionService.hasPermission(this.docRef, PermissionService.READ) == AccessStatus.ALLOWED;
    }

    // READ on the script is not sufficient to run it: executing arbitrary javascript additionally
    // requires the client config flag, or an admin authority (the original comment states that
    // by default only an admin authority can perform this action).
    final ConfigService configService = Application.getConfigService(sc);
    final ClientConfigElement clientConfig =
            (ClientConfigElement) configService.getGlobalConfig().getConfigElement("client");
    final boolean anyUserMayExecute = clientConfig.getAllowUserScriptExecute();
    final AuthorityService authorityService = Repository.getServiceRegistry(sc).getAuthorityService();
    final boolean mayExecute = anyUserMayExecute
            || authorityService.isAdminAuthority(AuthenticationUtil.getFullyAuthenticatedUser());

    return canReadScript && canReadContext && mayExecute;
}
use of org.alfresco.service.cmr.security.PermissionService in project acs-community-packaging by Alfresco.
the class Repository method setupBreadcrumbLocation.
/**
* Sets up the breadcrumb location representation for the given node in
* the given list.
*
* @param context FacesContext
* @param navBean NavigationBean instance
* @param location The location list to setup
* @param node The Node being navigated to
*/
public static void setupBreadcrumbLocation(FacesContext context, NavigationBean navBean, List<IBreadcrumbHandler> location, NodeRef node) {
    // start from an empty list - any previous breadcrumb is discarded
    location.clear();

    final NodeService nodeService = Repository.getServiceRegistry(context).getNodeService();
    final DictionaryService dictionaryService = Repository.getServiceRegistry(context).getDictionaryService();
    final PermissionService permsService = Repository.getServiceRegistry(context).getPermissionService();

    // The node being navigated to is always the last breadcrumb element.
    // NOTE(review): no READ check is made on this node here; presumably the caller has already
    // verified access to it - confirm.
    final String nodeName = Repository.getNameForNode(nodeService, node);
    location.add(navBean.new NavigationBreadcrumbHandler(node, nodeName));

    // Walk up the primary parent chain, prepending each readable folder.
    NodeRef ancestor = nodeService.getPrimaryParent(node).getParentRef();
    while (ancestor != null) {
        // Stop at the first ancestor the user cannot READ, so the breadcrumb never includes
        // that ancestor or anything above it.
        if (permsService.hasPermission(ancestor, PermissionService.READ) != AccessStatus.ALLOWED) {
            break;
        }

        // An ancestor without a parent of its own is the root node and is left out of the breadcrumb.
        final NodeRef next = nodeService.getPrimaryParent(ancestor).getParentRef();
        if (next != null) {
            // only folder types become breadcrumb elements - content can have children too
            final QName ancestorType = nodeService.getType(ancestor);
            if (dictionaryService.isSubClass(ancestorType, ContentModel.TYPE_FOLDER)) {
                final String ancestorName = Repository.getNameForNode(nodeService, ancestor);
                location.add(0, navBean.new NavigationBreadcrumbHandler(ancestor, ancestorName));
            }
        }
        ancestor = next;
    }
}
use of org.alfresco.service.cmr.security.PermissionService in project acs-community-packaging by Alfresco.
the class BaseServlet method checkAccess.
/**
* Check the user has the given permission on the given node. If they do not, either force a log on (if this is a
* guest user) or forward to an error page.
*
* @param req
* the request
* @param res
* the response
* @param nodeRef
* the node in question
* @param allowLogIn
* Indicates whether guest users without access to the node should be redirected to the log in page. If
* <code>false</code>, a status 403 forbidden page is displayed instead.
* @return <code>true</code>, if the user has access
* @throws IOException
* Signals that an I/O exception has occurred.
* @throws ServletException
* On other errors
*/
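public boolean checkAccess(HttpServletRequest req, HttpServletResponse res, NodeRef nodeRef, String permission, boolean allowLogIn) throws IOException, ServletException {
    // permission: the name of the permission to test on nodeRef (callers on this page pass
    // PermissionService constants such as READ_CONTENT).
    // When false is returned a redirect or an error page has already been issued on res,
    // so the caller must stop processing the request.
    ServletContext sc = getServletContext();
    ServiceRegistry serviceRegistry = getServiceRegistry(sc);
    PermissionService permissionService = serviceRegistry.getPermissionService();

    // Fail closed: access is granted only on an explicit ALLOWED. The previous test
    // (== AccessStatus.DENIED) let every other outcome through - UNDETERMINED or a null
    // status - which is the opposite of the == ALLOWED checks used by the command processors.
    if (permissionService.hasPermission(nodeRef, permission) == AccessStatus.ALLOWED) {
        return true;
    }

    if (logger.isDebugEnabled()) {
        logger.debug("User does not have " + permission + " permission for NodeRef: " + nodeRef.toString());
    }

    if (allowLogIn && serviceRegistry.getAuthorityService().hasGuestAuthority()) {
        // a guest may simply need to authenticate, so offer the login page instead of a 403
        if (logger.isDebugEnabled()) {
            logger.debug("Redirecting to login page...");
        }
        redirectToLoginPage(req, res, sc);
    } else {
        if (logger.isDebugEnabled()) {
            logger.debug("Forwarding to error page...");
        }
        Application.handleSystemError(sc, req, res, MSG_ERROR_PERMISSIONS, HttpServletResponse.SC_FORBIDDEN, logger);
    }
    return false;
}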
use of org.alfresco.service.cmr.security.PermissionService in project acs-community-packaging by Alfresco.
the class ExternalAccessServlet method service.
/**
* @see javax.servlet.http.HttpServlet#service(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
*/
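protected void service(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
    // Handles externally addressable URLs of the form /<servlet>/<outcome>[/<arg>...]:
    // authenticates the request, prepares the JSF beans for the requested outcome, then
    // forwards to the view selected by the navigation handler.
    //
    // @throws IllegalArgumentException when the URL has fewer than two path segments
    String uri = req.getRequestURI();

    // NOTE(review): the raw URI and query string are written to the debug log. If tickets or
    // other secrets can be passed as query parameters they end up in the log - confirm and
    // redact if so.
    if (logger.isDebugEnabled()) {
        logger.debug("Processing URL: " + uri + (req.getQueryString() != null ? ("?" + req.getQueryString()) : ""));
    }

    // Nothing below runs for a request that failed authentication.
    AuthenticationStatus status = servletAuthenticate(req, res);
    if (status == AuthenticationStatus.Failure) {
        return;
    }

    setNoCacheHeaders(res);

    uri = uri.substring(req.getContextPath().length());
    StringTokenizer t = new StringTokenizer(uri, "/");
    int tokenCount = t.countTokens();
    if (tokenCount < 2) {
        throw new IllegalArgumentException("Externally addressable URL did not contain all required args: " + uri);
    }

    // skip servlet name
    t.nextToken();
    String outcome = t.nextToken();

    // The remaining tokens are the outcome's arguments. The array is EMPTY when the URL stops
    // at the outcome, so every branch must check args.length before indexing into it.
    String[] args = new String[tokenCount - 2];
    for (int i = 0; i < tokenCount - 2; i++) {
        args[i] = t.nextToken();
    }

    if (logger.isDebugEnabled()) {
        logger.debug("External outcome found: " + outcome);
    }

    // we almost always need this bean reference
    FacesContext fc = FacesHelper.getFacesContext(req, res, getServletContext());
    BrowseBean browseBean = (BrowseBean) FacesHelper.getManagedBean(fc, "BrowseBean");

    // get services we need
    ServiceRegistry serviceRegistry = getServiceRegistry(getServletContext());
    PermissionService permissionService = serviceRegistry.getPermissionService();

    // as we are potentially coming in from an external app reset the view stack
    Stack<?> viewStack = (Stack<?>) fc.getExternalContext().getSessionMap().get("_alfViewStack");
    if (viewStack != null) {
        viewStack.clear();
        if (logger.isDebugEnabled()) {
            logger.debug("Cleared view stack");
        }
    }

    // setup is required for certain outcome requests
    if (OUTCOME_DOCDETAILS.equals(outcome)) {
        NodeRef nodeRef = null;
        // args.length guard: previously args[0] was read unconditionally, so a URL with no
        // arguments raised ArrayIndexOutOfBoundsException instead of taking the "no node" path.
        if (args.length != 0 && args[0].equals(WebDAVServlet.WEBDAV_PREFIX)) {
            nodeRef = resolveWebDAVPath(fc, args);
        } else if (args.length == 3) {
            StoreRef storeRef = new StoreRef(args[0], args[1]);
            nodeRef = new NodeRef(storeRef, args[2]);
        }

        if (nodeRef != null) {
            // The NodeRef comes straight from the URL: verify READ_CONTENT before any bean is
            // set up with it. checkAccess has already redirected or reported the error on failure.
            if (!checkAccess(req, res, nodeRef, PermissionService.READ_CONTENT, true)) {
                return;
            }

            // setup the Document on the browse bean
            browseBean.setupContentAction(nodeRef.getId(), true);
        }

        // perform the appropriate JSF navigation outcome
        NavigationHandler navigationHandler = fc.getApplication().getNavigationHandler();
        navigationHandler.handleNavigation(fc, null, "dialog:" + OUTCOME_DOCDETAILS);
    } else if (OUTCOME_SPACEDETAILS.equals(outcome)) {
        NodeRef nodeRef = null;
        // same args.length guard as the document details outcome
        if (args.length != 0 && args[0].equals(WebDAVServlet.WEBDAV_PREFIX)) {
            nodeRef = resolveWebDAVPath(fc, args);
        } else if (args.length == 3) {
            StoreRef storeRef = new StoreRef(args[0], args[1]);
            nodeRef = new NodeRef(storeRef, args[2]);
        }

        if (nodeRef != null) {
            // verify READ_CONTENT before the space is set up on the browse bean
            if (!checkAccess(req, res, nodeRef, PermissionService.READ_CONTENT, true)) {
                return;
            }

            // setup the Space on the browse bean
            browseBean.setupSpaceAction(nodeRef.getId(), true);
        }

        // perform the appropriate JSF navigation outcome
        NavigationHandler navigationHandler = fc.getApplication().getNavigationHandler();
        navigationHandler.handleNavigation(fc, null, "dialog:" + OUTCOME_SPACEDETAILS);
    } else if (OUTCOME_BROWSE.equals(outcome)) {
        NodeRef nodeRef = null;
        if (args.length != 0 && args[0].equals(WebDAVServlet.WEBDAV_PREFIX)) {
            nodeRef = resolveWebDAVPath(fc, args);
        } else if (args.length >= 3) {
            // the node is identified by the LAST three arguments; anything before them
            // (such as the view mode argument tested below) is skipped via the offset
            final int offset = args.length - 3;
            StoreRef storeRef = new StoreRef(args[0 + offset], args[1 + offset]);
            nodeRef = new NodeRef(storeRef, args[2 + offset]);
        }

        if (nodeRef != null) {
            // verify READ_CONTENT before the UI location is moved to the node
            if (!checkAccess(req, res, nodeRef, PermissionService.READ_CONTENT, true)) {
                return;
            }

            // this call sets up the current node Id, and updates or initialises the
            // breadcrumb component with the selected node as appropriate.
            browseBean.updateUILocation(nodeRef);

            // force a "late" refresh of the BrowseBean to handle external servlet access URL
            browseBean.externalAccessRefresh();

            // check for view mode first argument (args is non-empty whenever nodeRef was resolved)
            if (args[0].equals(ARG_TEMPLATE)) {
                browseBean.setDashboardView(true);
            }

            // the above calls into BrowseBean setup the NavigationHandler automatically
        } else {
            // perform the appropriate JSF navigation outcome
            NavigationHandler navigationHandler = fc.getApplication().getNavigationHandler();
            navigationHandler.handleNavigation(fc, null, outcome);
        }
    } else if (OUTCOME_MYALFRESCO.equals(outcome)) {
        // setup the Dashboard Manager ready for the page we want to display
        if (req.getParameter(ARG_PAGE) != null) {
            DashboardManager manager = (DashboardManager) FacesHelper.getManagedBean(fc, DashboardManager.BEAN_NAME);
            manager.getPageConfig().setCurrentPage(req.getParameter(ARG_PAGE));
        }

        // perform the appropriate JSF navigation outcome
        NavigationHandler navigationHandler = fc.getApplication().getNavigationHandler();
        navigationHandler.handleNavigation(fc, null, outcome);
    } else if (OUTCOME_DIALOG.equals(outcome) || OUTCOME_WIZARD.equals(outcome)) {
        if (args.length != 0) {
            if (args.length > 1) {
                // NOTE(review): unlike the docdetails, spacedetails and browse outcomes, this
                // branch makes no checkAccess call before handing the request-supplied node id
                // to the beans - confirm that the beans or the repository services enforce
                // permissions for it.
                String currentNodeId = null;

                if (args[1].equals(WebDAVServlet.WEBDAV_PREFIX)) {
                    // Drop the first argument
                    String[] args2 = new String[args.length - 1];
                    for (int i = 1; i < args.length; i++) {
                        args2[i - 1] = args[i];

                        if (logger.isDebugEnabled()) {
                            logger.debug("Added segment " + args2[i - 1]);
                        }
                    }

                    // NOTE(review): the other branches test the resolveWebDAVPath result for
                    // null; here it is dereferenced directly - confirm an unresolvable path
                    // cannot reach this line.
                    NodeRef nodeRef = resolveWebDAVPath(fc, args2);
                    currentNodeId = nodeRef.getId();
                } else {
                    currentNodeId = args[1];
                }

                if (logger.isDebugEnabled()) {
                    logger.debug("currentNodeId: " + currentNodeId);
                }

                // if a GUID was passed, use it to init the NavigationBean current context
                NavigationBean navigator = (NavigationBean) FacesHelper.getManagedBean(fc, NavigationBean.BEAN_NAME);
                navigator.setCurrentNodeId(currentNodeId);

                browseBean.setupSpaceAction(currentNodeId, true);

                // setup the Document on the browse bean
                // avoid java.lang.NullPointerException
                // at org.alfresco.web.bean.content.InviteContentUsersWizard.getPermissionsForType(InviteContentUsersWizard.java:49)
                // at org.alfresco.web.bean.wizard.BaseInviteUsersWizard.getRoles(BaseInviteUsersWizard.java:562)
                browseBean.setupContentAction(currentNodeId, true);
            }

            // args[0] names the dialog or wizard to open
            NavigationHandler navigationHandler = fc.getApplication().getNavigationHandler();
            navigationHandler.handleNavigation(fc, null, outcome + ':' + args[0]);
        }
    } else if (OUTCOME_LOGOUT.equals(outcome)) {
        // special case for logout
        // invalidate ticket and clear the Security context for this thread
        Application.logOut(fc);
        res.sendRedirect(req.getContextPath() + FACES_SERVLET + Application.getLoginPage(getServletContext()));
        return;
    }

    // perform the forward to the page processed by the Faces servlet
    String viewId = fc.getViewRoot().getViewId();
    ViewSequenceUtils.nextViewSequence(fc);
    getServletContext().getRequestDispatcher(FACES_SERVLET + viewId).forward(req, res);
}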