Examples with AllPermission org.apache.wiki.auth.permissions.AllPermission used on opensource projects

Example 1 with AllPermission

use of org.apache.wiki.auth.permissions.AllPermission in project jspwiki by apache.

the class PermissionTag method checkPermission.

/**
 *  Checks a single permission.
 *
 *  @param permission
 *  @return true if granted, false if not
 */
private boolean checkPermission(String permission) {
    WikiSession session = m_wikiContext.getWikiSession();
    WikiPage page = m_wikiContext.getPage();
    AuthorizationManager mgr = m_wikiContext.getEngine().getAuthorizationManager();
    boolean gotPermission = false;
    if (CREATE_GROUPS.equals(permission) || CREATE_PAGES.equals(permission) || EDIT_PREFERENCES.equals(permission) || EDIT_PROFILE.equals(permission) || LOGIN.equals(permission)) {
        gotPermission = mgr.checkPermission(session, new WikiPermission(page.getWiki(), permission));
    } else if (VIEW_GROUP.equals(permission) || EDIT_GROUP.equals(permission) || DELETE_GROUP.equals(permission)) {
        Command command = m_wikiContext.getCommand();
        gotPermission = false;
        if (command instanceof GroupCommand && command.getTarget() != null) {
            GroupPrincipal group = (GroupPrincipal) command.getTarget();
            String groupName = group.getName();
            String action = "view";
            if (EDIT_GROUP.equals(permission)) {
                action = "edit";
            } else if (DELETE_GROUP.equals(permission)) {
                action = "delete";
            }
            gotPermission = mgr.checkPermission(session, new GroupPermission(groupName, action));
        }
    } else if (ALL_PERMISSION.equals(permission)) {
        gotPermission = mgr.checkPermission(session, new AllPermission(m_wikiContext.getEngine().getApplicationName()));
    } else if (page != null) {
        // 
        if (EDIT.equals(permission)) {
            WikiPage latest = m_wikiContext.getEngine().getPage(page.getName());
            if (page.getVersion() != WikiProvider.LATEST_VERSION && latest.getVersion() != page.getVersion()) {
                return false;
            }
        }
        Permission p = PermissionFactory.getPagePermission(page, permission);
        gotPermission = mgr.checkPermission(session, p);
    }
    return gotPermission;
}

Example 2 with AllPermission

use of org.apache.wiki.auth.permissions.AllPermission in project jspwiki by apache.

the class AuthorizationManager method checkPermission.

/**
 * Returns <code>true</code> or <code>false</code>, depending on
 * whether a Permission is allowed for the Subject associated with
 * a supplied WikiSession. The access control algorithm works this way:
 * <ol>
 * <li>The {@link org.apache.wiki.auth.acl.Acl} for the page is obtained</li>
 * <li>The Subject associated with the current
 * {@link org.apache.wiki.WikiSession} is obtained</li>
 * <li>If the Subject's Principal set includes the Role Principal that is
 * the administrator group, always allow the Permission</li>
 * <li>For all permissions, check to see if the Permission is allowed according
 * to the default security policy. If it isn't, deny the permission and halt
 * further processing.</li>
 * <li>If there is an Acl, get the list of Principals assigned this
 * Permission in the Acl: these will be role, group or user Principals, or
 * {@link org.apache.wiki.auth.acl.UnresolvedPrincipal}s (see below).
 * Then iterate through the Subject's Principal set and determine whether
 * the user (Subject) possesses any one of these specified Roles or
 * Principals. The matching process delegates to
 * {@link #hasRoleOrPrincipal(WikiSession, Principal)}.
 * </ol>
 * <p>
 * Note that when iterating through the Acl's list of authorized Principals,
 * it is possible that one or more of the Acl's Principal entries are of
 * type <code>UnresolvedPrincipal</code>. This means that the last time
 * the ACL was read, the Principal (user, built-in Role, authorizer Role, or
 * wiki Group) could not be resolved: the Role was not valid, the user
 * wasn't found in the UserDatabase, or the Group wasn't known to (e.g.,
 * cached) in the GroupManager. If an <code>UnresolvedPrincipal</code> is
 * encountered, this method will attempt to resolve it first <em>before</em>
 * checking to see if the Subject possesses this principal, by calling
 * {@link #resolvePrincipal(String)}. If the (re-)resolution does not
 * succeed, the access check for the principal will fail by definition (the
 * Subject should never contain UnresolvedPrincipals).
 * </p>
 * <p>
 * If security not set to JAAS, will return true.
 * </p>
 * @param session the current wiki session
 * @param permission the Permission being checked
 * @see #hasRoleOrPrincipal(WikiSession, Principal)
 * @return the result of the Permission check
 */
public boolean checkPermission(WikiSession session, Permission permission) {
    // 
    if (session == null || permission == null) {
        fireEvent(WikiSecurityEvent.ACCESS_DENIED, null, permission);
        return false;
    }
    Principal user = session.getLoginPrincipal();
    // Always allow the action if user has AllPermission
    Permission allPermission = new AllPermission(m_engine.getApplicationName());
    boolean hasAllPermission = checkStaticPermission(session, allPermission);
    if (hasAllPermission) {
        fireEvent(WikiSecurityEvent.ACCESS_ALLOWED, user, permission);
        return true;
    }
    // If the user doesn't have *at least* the permission
    // granted by policy, return false.
    boolean hasPolicyPermission = checkStaticPermission(session, permission);
    if (!hasPolicyPermission) {
        fireEvent(WikiSecurityEvent.ACCESS_DENIED, user, permission);
        return false;
    }
    // If this isn't a PagePermission, it's allowed
    if (!(permission instanceof PagePermission)) {
        fireEvent(WikiSecurityEvent.ACCESS_ALLOWED, user, permission);
        return true;
    }
    // 
    // If the page or ACL is null, it's allowed.
    // 
    String pageName = ((PagePermission) permission).getPage();
    WikiPage page = m_engine.getPage(pageName);
    Acl acl = (page == null) ? null : m_engine.getAclManager().getPermissions(page);
    if (page == null || acl == null || acl.isEmpty()) {
        fireEvent(WikiSecurityEvent.ACCESS_ALLOWED, user, permission);
        return true;
    }
    // 
    // Next, iterate through the Principal objects assigned
    // this permission. If the context's subject possesses
    // any of these, the action is allowed.
    Principal[] aclPrincipals = acl.findPrincipals(permission);
    log.debug("Checking ACL entries...");
    log.debug("Acl for this page is: " + acl);
    log.debug("Checking for principal: " + Arrays.toString(aclPrincipals));
    log.debug("Permission: " + permission);
    for (Principal aclPrincipal : aclPrincipals) {
        // try to resolve it here & correct the Acl
        if (aclPrincipal instanceof UnresolvedPrincipal) {
            AclEntry aclEntry = acl.getEntry(aclPrincipal);
            aclPrincipal = resolvePrincipal(aclPrincipal.getName());
            if (aclEntry != null && !(aclPrincipal instanceof UnresolvedPrincipal)) {
                aclEntry.setPrincipal(aclPrincipal);
            }
        }
        if (hasRoleOrPrincipal(session, aclPrincipal)) {
            fireEvent(WikiSecurityEvent.ACCESS_ALLOWED, user, permission);
            return true;
        }
    }
    fireEvent(WikiSecurityEvent.ACCESS_DENIED, user, permission);
    return false;
}

Example 3 with AllPermission

use of org.apache.wiki.auth.permissions.AllPermission in project jspwiki by apache.

the class SecurityVerifier method policyRoleTable.

/**
 * Formats and returns an HTML table containing sample permissions and what
 * roles are allowed to have them. This method will throw an
 * {@link IllegalStateException} if the authorizer is not of type
 * {@link org.apache.wiki.auth.authorize.WebContainerAuthorizer}
 * @return the formatted HTML table containing the result of the tests
 */
public String policyRoleTable() {
    Principal[] roles = m_policyPrincipals;
    String wiki = m_engine.getApplicationName();
    String[] pages = new String[] { "Main", "Index", "GroupTest", "GroupAdmin" };
    String[] pageActions = new String[] { "view", "edit", "modify", "rename", "delete" };
    String[] groups = new String[] { "Admin", "TestGroup", "Foo" };
    String[] groupActions = new String[] { "view", "edit", null, null, "delete" };
    // Calculate column widths
    String colWidth;
    if (pageActions.length > 0 && roles.length > 0) {
        colWidth = (67f / (pageActions.length * roles.length)) + "%";
    } else {
        colWidth = "67%";
    }
    StringBuilder s = new StringBuilder();
    // Write the table header
    s.append("<table class=\"wikitable\" border=\"1\">\n");
    s.append("  <colgroup span=\"1\" width=\"33%\"/>\n");
    s.append("  <colgroup span=\"" + pageActions.length * roles.length + "\" width=\"" + colWidth + "\" align=\"center\"/>\n");
    s.append("  <tr>\n");
    s.append("    <th rowspan=\"2\" valign=\"bottom\">Permission</th>\n");
    for (int i = 0; i < roles.length; i++) {
        s.append("    <th colspan=\"" + pageActions.length + "\" title=\"" + roles[i].getClass().getName() + "\">" + roles[i].getName() + "</th>\n");
    }
    s.append("  </tr>\n");
    // Print a column for each role
    s.append("  <tr>\n");
    for (int i = 0; i < roles.length; i++) {
        for (String pageAction : pageActions) {
            String action = pageAction.substring(0, 1);
            s.append("    <th title=\"" + pageAction + "\">" + action + "</th>\n");
        }
    }
    s.append("  </tr>\n");
    // Write page permission tests first
    for (String page : pages) {
        s.append("  <tr>\n");
        s.append("    <td>PagePermission \"" + wiki + ":" + page + "\"</td>\n");
        for (Principal role : roles) {
            for (String pageAction : pageActions) {
                Permission permission = PermissionFactory.getPagePermission(wiki + ":" + page, pageAction);
                s.append(printPermissionTest(permission, role, 1));
            }
        }
        s.append("  </tr>\n");
    }
    // Now do the group tests
    for (String group : groups) {
        s.append("  <tr>\n");
        s.append("    <td>GroupPermission \"" + wiki + ":" + group + "\"</td>\n");
        for (Principal role : roles) {
            for (String groupAction : groupActions) {
                Permission permission = null;
                if (groupAction != null) {
                    permission = new GroupPermission(wiki + ":" + group, groupAction);
                }
                s.append(printPermissionTest(permission, role, 1));
            }
        }
        s.append("  </tr>\n");
    }
    // Now check the wiki-wide permissions
    String[] wikiPerms = new String[] { "createGroups", "createPages", "login", "editPreferences", "editProfile" };
    for (String wikiPerm : wikiPerms) {
        s.append("  <tr>\n");
        s.append("    <td>WikiPermission \"" + wiki + "\",\"" + wikiPerm + "\"</td>\n");
        for (Principal role : roles) {
            Permission permission = new WikiPermission(wiki, wikiPerm);
            s.append(printPermissionTest(permission, role, pageActions.length));
        }
        s.append("  </tr>\n");
    }
    // Lastly, check for AllPermission
    s.append("  <tr>\n");
    s.append("    <td>AllPermission \"" + wiki + "\"</td>\n");
    for (Principal role : roles) {
        Permission permission = new AllPermission(wiki);
        s.append(printPermissionTest(permission, role, pageActions.length));
    }
    s.append("  </tr>\n");
    // We're done!
    s.append("</table>");
    return s.toString();
}

Example 4 with AllPermission

use of org.apache.wiki.auth.permissions.AllPermission in project jspwiki by apache.

the class WikiContext method requiredPermission.

/**
 * Returns the permission required to successfully execute this context.
 * For example, the a wiki context of VIEW for a certain page means that
 * the PagePermission "view" is required for the page. In some cases, no
 * particular permission is required, in which case a dummy permission will
 * be returned ({@link java.util.PropertyPermission}<code> "os.name",
 * "read"</code>). This method is guaranteed to always return a valid,
 * non-null permission.
 * @return the permission
 * @since 2.4
 */
public Permission requiredPermission() {
    // This is a filthy rotten hack -- absolutely putrid
    if (WikiCommand.INSTALL.equals(m_command)) {
        // See if admin users exists
        boolean adminExists = false;
        try {
            UserManager userMgr = m_engine.getUserManager();
            UserDatabase userDb = userMgr.getUserDatabase();
            userDb.findByLoginName(Installer.ADMIN_ID);
            adminExists = true;
        } catch (NoSuchPrincipalException e) {
            return DUMMY_PERMISSION;
        }
        if (adminExists) {
            return new AllPermission(m_engine.getApplicationName());
        }
    }
    // method returns null, but until then we will use this hack
    if (m_command.requiredPermission() == null) {
        return DUMMY_PERMISSION;
    }
    return m_command.requiredPermission();
}

Example 5 with AllPermission

use of org.apache.wiki.auth.permissions.AllPermission in project jspwiki by apache.

the class AuthorizationManagerTest method testAdminView2.

@Test
public void testAdminView2() throws Exception {
    m_engine.saveText("TestDefaultPage", "Foo [{ALLOW view FooBar}]");
    WikiSession session = WikiSessionTest.adminSession(m_engine);
    Assert.assertTrue("Alice has AllPermission", m_auth.checkPermission(session, new AllPermission(m_engine.getApplicationName())));
    Assert.assertTrue("Alice cannot read", m_auth.checkPermission(session, new PagePermission("TestDefaultPage", "view")));
}