
Example 16 with Right

use of org.xwiki.security.authorization.Right in project xwiki-platform by xwiki.

the class XWikiCachingRightService method checkAccess.

/**
 * Decides whether the user of the current request may perform {@code action} on {@code doc}.
 *
 * <p>The action name is mapped to a {@link Right}, the request is authenticated, and the decision is
 * delegated to the contextual authorization manager. Anything the manager does not grant is denied.
 * This method is not a pure check: a denial for a request that has no user reference also calls
 * {@code showLogin(context)}, except when the action is the delete or the login action.
 *
 * @param action the name of the requested action
 * @param doc the document the action targets; dereferenced unconditionally, so it must not be {@code null}
 * @param context the context of the current request
 * @return {@code true} only when the right was granted, {@code false} in every other case
 * @throws XWikiException declared by the signature; presumably raised while authenticating or while
 *     showing the login form (confirm against those helpers)
 */
@Override
public boolean checkAccess(String action, XWikiDocument doc, XWikiContext context) throws XWikiException {
    final Right requestedRight = actionToRight(action);
    final EntityReference target = doc.getDocumentReference();
    LOGGER.debug("checkAccess for action [{}] on entity [{}].", requestedRight, target);

    // Authentication runs before the authorization decision and before the guest test below.
    // NOTE(review): presumably this is what sets the user on the context - confirm in authenticateUser.
    authenticateUser(context);

    final boolean granted = contextualAuthorizationManager.hasAccess(requestedRight, target);
    if (!granted) {
        // A denied request without a user reference is sent to the login form. The delete action is
        // excluded because, per the original comment, redirecting on a denied delete "would prevent most
        // user to do anything". The login action is excluded as well (presumably so a denied login is
        // not redirected to the login form again - confirm).
        final boolean guest = context.getUserReference() == null;
        if (guest && !(DELETE_ACTION.equals(action) || LOGIN_ACTION.equals(action))) {
            LOGGER.debug("Redirecting unauthenticated user to login, since it have been denied [{}] on [{}].", requestedRight, target);
            showLogin(context);
        }
    }
    return granted;
}
Also used : Right(org.xwiki.security.authorization.Right) EntityReference(org.xwiki.model.reference.EntityReference)

Example 17 with Right

use of org.xwiki.security.authorization.Right in project xwiki-platform by xwiki.

the class CreateActionRequestHandler method loadAvailableTemplateProviders.

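/**
 * Loads the template providers that the current user may view and that are allowed in the given space.
 *
 * <p>Provider documents are listed through the query manager registered under the "secure" hint, and each
 * one is checked for the view right before its document is loaded. Providers whose creation restrictions
 * match the space are treated as "recommended": they are stored in {@code recommendedTemplateProviders},
 * ordered from the most to the least specific matching restriction, and placed first in the returned list.
 *
 * <p>Failures are logged and not propagated. The method then returns whatever was collected up to the
 * failure, so callers may receive a shorter list than expected but never an unchecked provider.
 *
 * @param spaceReference the space to check if there are available templates for
 * @param templateClassReference the reference to the template provider class
 * @param context the context of the current request
 * @return the available template providers for the passed space, as {@link Document}s
 */
private List<Document> loadAvailableTemplateProviders(SpaceReference spaceReference, DocumentReference templateClassReference, XWikiContext context) {
    List<Document> templates = new ArrayList<>();
    try {
        QueryManager queryManager = Utils.getComponent((Type) QueryManager.class, "secure");
        // The statement is built from constants only; no request data is concatenated into it.
        Query query = queryManager.createQuery("from doc.object(XWiki.TemplateProviderClass) as template "
            + "where doc.fullName not like 'XWiki.TemplateProviderTemplate' "
            + "order by template.name", Query.XWQL);
        // TODO: Extend the above query to include a filter on the type and allowed spaces properties so we can
        // remove the java code below, thus improving performance by not loading all the documents, but only the
        // documents we need.
        List<XWikiDocument> recommendedTemplates = new ArrayList<>();
        List<String> templateProviderDocNames = query.execute();
        for (String templateProviderName : templateProviderDocNames) {
            // get the document and template provider object
            DocumentReference reference = getCurrentMixedResolver().resolve(templateProviderName);
            // Authorization gate: the provider document is loaded only when the current user has the view
            // right on it. Nothing later in this method re-checks that right, so keep this test ahead of
            // the getDocument call.
            if (!getAuthManager().hasAccess(Right.VIEW, reference)) {
                continue;
            }
            XWikiDocument templateDoc = context.getWiki().getDocument(reference, context);
            BaseObject templateObject = templateDoc.getXObject(templateClassReference);
            // Check the template provider's visibility restrictions.
            if (isTemplateProviderAllowedInSpace(templateObject, spaceReference, TP_VISIBILITY_RESTRICTIONS_PROPERTY)) {
                List<String> creationRestrictions = getTemplateProviderRestrictions(templateObject, TP_CREATION_RESTRICTIONS_PROPERTY);
                if (!creationRestrictions.isEmpty() && isTemplateProviderAllowedInSpace(templateObject, spaceReference, TP_CREATION_RESTRICTIONS_PROPERTY)) {
                    // Consider providers that have creations restrictions matching the current space as
                    // "recommended" and handle them separately.
                    recommendedTemplates.add(templateDoc);
                } else {
                    // Other visible providers.
                    templates.add(new Document(templateDoc, context));
                }
            }
        }
        EntityReferenceSerializer<String> localSerializer = Utils.getComponent(EntityReferenceSerializer.TYPE_STRING, LOCAL_SERIALIZER_HINT);
        String spaceStringReference = localSerializer.serialize(spaceReference);
        // Sort the recommended providers and promote the most specific ones. The key is an int, so
        // comparingInt is used to avoid boxing it on every comparison.
        recommendedTemplates.sort(Comparator.comparingInt((XWikiDocument templateProviderDocument) -> {
            BaseObject templateProviderObject = templateProviderDocument.getXObject(templateClassReference);
            // Look at any set creation restrictions.
            List<String> restrictions = getTemplateProviderRestrictions(templateProviderObject, TP_CREATION_RESTRICTIONS_PROPERTY);
            // Return the longest (max) matching restriction reference size as being the most specific.
            return restrictions.stream().filter(restriction -> matchesRestriction(spaceStringReference, restriction)).mapToInt(restriction -> {
                SpaceReferenceResolver<String> spaceResolver = Utils.getComponent(SpaceReferenceResolver.TYPE_STRING);
                SpaceReference restrictionSpaceReference = spaceResolver.resolve(restriction);
                // The specificity score.
                return restrictionSpaceReference.getReversedReferenceChain().size();
            }).max().orElse(0);
        }).reversed());
        this.recommendedTemplateProviders = recommendedTemplates.stream().map(recommendedTemplate -> new Document(recommendedTemplate, context)).collect(Collectors.toList());
        // Give priority to the providers that specify creation restrictions
        templates.addAll(0, recommendedTemplateProviders);
    } catch (Exception e) {
        // Best effort: the failure is logged and the partial list is returned.
        // NOTE(review): when the exception is thrown before the assignment above,
        // recommendedTemplateProviders keeps whatever value it had before this call.
        // The placeholder must be the SLF4J "{}" form; the former "{0}" was printed literally and the
        // space reference never reached the log.
        LOGGER.warn("There was an error getting the available templates for space [{}]", spaceReference, e);
    }
    return templates;
}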
Also used : XWiki(com.xpn.xwiki.XWiki) XWikiException(com.xpn.xwiki.XWikiException) Right(org.xwiki.security.authorization.Right) Query(org.xwiki.query.Query) EntityReference(org.xwiki.model.reference.EntityReference) LoggerFactory(org.slf4j.LoggerFactory) SpaceReference(org.xwiki.model.reference.SpaceReference) StringUtils(org.apache.commons.lang3.StringUtils) ArrayList(java.util.ArrayList) ContextualAuthorizationManager(org.xwiki.security.authorization.ContextualAuthorizationManager) DocumentReferenceResolver(org.xwiki.model.reference.DocumentReferenceResolver) Map(java.util.Map) VelocityManager(org.xwiki.velocity.VelocityManager) ScriptContextManager(org.xwiki.script.ScriptContextManager) EntityType(org.xwiki.model.EntityType) EntityReferenceSerializer(org.xwiki.model.reference.EntityReferenceSerializer) Logger(org.slf4j.Logger) BaseObject(com.xpn.xwiki.objects.BaseObject) SpaceReferenceResolver(org.xwiki.model.reference.SpaceReferenceResolver) QueryManager(org.xwiki.query.QueryManager) Collectors(java.util.stream.Collectors) VelocityContext(org.apache.velocity.VelocityContext) Document(com.xpn.xwiki.api.Document) ScriptContext(javax.script.ScriptContext) EntityReferenceResolver(org.xwiki.model.reference.EntityReferenceResolver) List(java.util.List) Type(java.lang.reflect.Type) DocumentReference(org.xwiki.model.reference.DocumentReference) XWikiContext(com.xpn.xwiki.XWikiContext) XWikiDocument(com.xpn.xwiki.doc.XWikiDocument) Comparator(java.util.Comparator) Query(org.xwiki.query.Query) SpaceReference(org.xwiki.model.reference.SpaceReference) ArrayList(java.util.ArrayList) Document(com.xpn.xwiki.api.Document) XWikiDocument(com.xpn.xwiki.doc.XWikiDocument) XWikiException(com.xpn.xwiki.XWikiException) BaseObject(com.xpn.xwiki.objects.BaseObject) XWikiDocument(com.xpn.xwiki.doc.XWikiDocument) QueryManager(org.xwiki.query.QueryManager) DocumentReference(org.xwiki.model.reference.DocumentReference)

Aggregations

Right (org.xwiki.security.authorization.Right)17 SecurityRule (org.xwiki.security.authorization.SecurityRule)6 Test (org.junit.Test)5 GroupSecurityReference (org.xwiki.security.GroupSecurityReference)4 ArrayList (java.util.ArrayList)3 DocumentReference (org.xwiki.model.reference.DocumentReference)3 EntityReference (org.xwiki.model.reference.EntityReference)3 SecurityRuleEntry (org.xwiki.security.authorization.SecurityRuleEntry)3 EntityType (org.xwiki.model.EntityType)2 WikiReference (org.xwiki.model.reference.WikiReference)2 UserSecurityReference (org.xwiki.security.UserSecurityReference)2 XWiki (com.xpn.xwiki.XWiki)1 XWikiContext (com.xpn.xwiki.XWikiContext)1 XWikiException (com.xpn.xwiki.XWikiException)1 Document (com.xpn.xwiki.api.Document)1 XWikiDocument (com.xpn.xwiki.doc.XWikiDocument)1 BaseObject (com.xpn.xwiki.objects.BaseObject)1 Type (java.lang.reflect.Type)1 Comparator (java.util.Comparator)1 List (java.util.List)1