use of org.alfresco.traitextender.Extend in project alfresco-repository by Alfresco.
the class PermissionServiceImpl method deletePermission.
/**
* @see #deletePermission(NodeRef, String, PermissionReference)
*/
@Override
@Extend(traitAPI = PermissionServiceTrait.class, extensionAPI = PermissionServiceExtension.class)
public void deletePermission(PermissionEntry permissionEntry) {
NodeRef nodeRef = permissionEntry.getNodeRef();
String authority = permissionEntry.getAuthority();
PermissionReference permission = permissionEntry.getPermissionReference();
deletePermission(nodeRef, authority, permission);
}
use of org.alfresco.traitextender.Extend in project alfresco-repository by Alfresco.
the class PermissionServiceImpl method hasPermission.
@Override
@Extend(traitAPI = PermissionServiceTrait.class, extensionAPI = PermissionServiceExtension.class)
public AccessStatus hasPermission(NodeRef passedNodeRef, final PermissionReference permIn) {
// - so we allow it
if (passedNodeRef == null) {
return AccessStatus.ALLOWED;
}
// If the permission is null we deny
if (permIn == null) {
return AccessStatus.DENIED;
}
// Note: if we're directly accessing a frozen state (version) node (ie. in the 'version' store) we need to check permissions for the versioned node (ie. in the 'live' store)
if (isVersionNodeRef(passedNodeRef)) {
passedNodeRef = convertVersionNodeRefToVersionedNodeRef(VersionUtil.convertNodeRef(passedNodeRef));
}
// Allow permissions for nodes that do not exist
if (passedNodeRef == null || !nodeService.exists(passedNodeRef)) {
return AccessStatus.ALLOWED;
}
final NodeRef nodeRef = tenantService.getName(passedNodeRef);
final PermissionReference perm;
if (permIn.equals(OLD_ALL_PERMISSIONS_REFERENCE)) {
perm = getAllPermissionReference();
} else {
perm = permIn;
}
if (AuthenticationUtil.getRunAsUser() == null) {
return AccessStatus.DENIED;
}
if (AuthenticationUtil.isRunAsUserTheSystemUser()) {
return AccessStatus.ALLOWED;
}
// New ACLs
AccessControlListProperties properties = permissionsDaoComponent.getAccessControlListProperties(nodeRef);
if ((properties != null) && (properties.getAclType() != null) && (properties.getAclType() != ACLType.OLD)) {
QName typeQname = nodeService.getType(nodeRef);
Set<QName> aspectQNames = nodeService.getAspects(nodeRef);
PermissionContext context = new PermissionContext(typeQname);
context.getAspects().addAll(aspectQNames);
Authentication auth = AuthenticationUtil.getRunAsAuthentication();
if (auth != null) {
String user = AuthenticationUtil.getRunAsUser();
for (String dynamicAuthority : getDynamicAuthorities(auth, nodeRef, perm)) {
context.addDynamicAuthorityAssignment(user, dynamicAuthority);
}
}
return hasPermission(properties.getId(), context, perm);
}
// Get the current authentications
// Use the smart authentication cache to improve permissions performance
Authentication auth = AuthenticationUtil.getRunAsAuthentication();
final Set<String> authorisations = getAuthorisations(auth, nodeRef, perm);
// If the node does not support the given permission there is no point
// doing the test
Set<PermissionReference> available = AuthenticationUtil.runAs(new RunAsWork<Set<PermissionReference>>() {
public Set<PermissionReference> doWork() throws Exception {
return modelDAO.getAllPermissions(nodeRef);
}
}, AuthenticationUtil.getSystemUserName());
available.add(getAllPermissionReference());
available.add(OLD_ALL_PERMISSIONS_REFERENCE);
final Serializable key = generateKey(authorisations, nodeRef, perm, CacheType.HAS_PERMISSION);
if (!(available.contains(perm))) {
accessCache.put(key, AccessStatus.DENIED);
return AccessStatus.DENIED;
}
if (AuthenticationUtil.isRunAsUserTheSystemUser()) {
return AccessStatus.ALLOWED;
}
return AuthenticationUtil.runAs(new RunAsWork<AccessStatus>() {
public AccessStatus doWork() throws Exception {
AccessStatus status = accessCache.get(key);
if (status != null) {
return status;
}
//
// TODO: Dynamic permissions via evaluators
//
/*
* Does the current authentication have the supplied permission on the given node.
*/
QName typeQname = nodeService.getType(nodeRef);
Set<QName> aspectQNames = nodeService.getAspects(nodeRef);
NodeTest nt = new NodeTest(perm, typeQname, aspectQNames);
boolean result = nt.evaluate(authorisations, nodeRef);
if (log.isDebugEnabled()) {
log.debug("Permission <" + perm + "> is " + (result ? "allowed" : "denied") + " for " + AuthenticationUtil.getRunAsUser() + " on node " + nodeService.getPath(nodeRef));
}
status = result ? AccessStatus.ALLOWED : AccessStatus.DENIED;
accessCache.put(key, status);
return status;
}
}, AuthenticationUtil.getSystemUserName());
}
use of org.alfresco.traitextender.Extend in project alfresco-repository by Alfresco.
the class PermissionServiceImpl method getAllSetPermissions.
@Override
@Extend(traitAPI = PermissionServiceTrait.class, extensionAPI = PermissionServiceExtension.class)
public Set<AccessPermission> getAllSetPermissions(NodeRef nodeRef) {
HashSet<AccessPermission> accessPermissions = new HashSet<AccessPermission>();
NodePermissionEntry nodePremissionEntry = getSetPermissions(nodeRef);
for (PermissionEntry pe : nodePremissionEntry.getPermissionEntries()) {
accessPermissions.add(new AccessPermissionImpl(getPermission(pe.getPermissionReference()), pe.getAccessStatus(), pe.getAuthority(), pe.getPosition()));
}
return accessPermissions;
}
use of org.alfresco.traitextender.Extend in project alfresco-repository by Alfresco.
the class PermissionServiceImpl method setInheritParentPermissions.
@Override
@Extend(traitAPI = PermissionServiceTrait.class, extensionAPI = PermissionServiceExtension.class)
public void setInheritParentPermissions(NodeRef nodeRef, final boolean inheritParentPermissions, boolean asyncCall) {
final NodeRef actualRef = tenantService.getName(nodeRef);
if (asyncCall) {
// use transaction resource to determine later on in ADMAccessControlListDAO.setFixedAcl if asynchronous call may be required
AlfrescoTransactionSupport.bindResource(FixedAclUpdater.FIXED_ACL_ASYNC_CALL_KEY, true);
permissionsDaoComponent.setInheritParentPermissions(actualRef, inheritParentPermissions);
// check if asynchronous call was required
boolean asyncCallRequired = toBoolean((Boolean) AlfrescoTransactionSupport.getResource(FixedAclUpdater.FIXED_ACL_ASYNC_REQUIRED_KEY));
if (asyncCallRequired) {
// after transaction is committed FixedAclUpdater will be started in a new thread to process pending nodes
AlfrescoTransactionSupport.bindListener(fixedAclUpdater);
}
invokeOnPermissionsInheritedPolicy(nodeRef, inheritParentPermissions, asyncCallRequired);
} else {
// regular method call
permissionsDaoComponent.setInheritParentPermissions(actualRef, inheritParentPermissions);
invokeOnPermissionsInheritedPolicy(nodeRef, inheritParentPermissions, false);
}
accessCache.clear();
}
use of org.alfresco.traitextender.Extend in project alfresco-repository by Alfresco.
the class PermissionServiceImpl method getReadersDenied.
/**
* @param aclId Long
* @return set of authorities denied permission on the ACL
*/
@Override
@Extend(traitAPI = PermissionServiceTrait.class, extensionAPI = PermissionServiceExtension.class)
public Set<String> getReadersDenied(Long aclId) {
AccessControlList acl = aclDaoComponent.getAccessControlList(aclId);
if (acl == null) {
return Collections.emptySet();
}
Set<String> denied = readersDeniedCache.get(aclId);
if (denied != null) {
return denied;
}
denied = new HashSet<String>();
Set<String> assigned = new HashSet<String>();
for (AccessControlEntry ace : acl.getEntries()) {
assigned.add(ace.getAuthority());
}
for (String authority : assigned) {
UnconditionalDeniedAclTest test = new UnconditionalDeniedAclTest(getPermissionReference(PermissionService.READ));
if (test.evaluate(authority, aclId)) {
denied.add(authority);
}
}
readersDeniedCache.put((Serializable) acl.getProperties(), denied);
return denied;
}
Aggregations