
Example 6 with SecurityRule

use of org.xwiki.security.authorization.SecurityRule in project xwiki-platform by xwiki.

the class DefaultAuthorizationSettlerTest method testSettleRightWithImpliedRights.

@Test
public void testSettleRightWithImpliedRights() throws Exception {
    // Rules on the implying rights only (ADT / DAF tie-resolution flavours), each
    // targeting the test user directly and "another" group.
    SecurityRule adtAllowRule = getMockedSecurityRule("allowImpliedADT", Arrays.asList(userRef), Arrays.asList(anotherGroupRef), Arrays.asList(impliedTestRightsADT), ALLOW);
    SecurityRule adtDenyRule = getMockedSecurityRule("denyImpliedADT", Arrays.asList(userRef), Arrays.asList(anotherGroupRef), Arrays.asList(impliedTestRightsADT), DENY);
    SecurityRule dafAllowRule = getMockedSecurityRule("allowImpliedDAF", Arrays.asList(userRef), Arrays.asList(anotherGroupRef), Arrays.asList(impliedTestRightsDAF), ALLOW);
    SecurityRule dafDenyRule = getMockedSecurityRule("denyImpliedDAF", Arrays.asList(userRef), Arrays.asList(anotherGroupRef), Arrays.asList(impliedTestRightsDAF), DENY);

    // Expected ADT outcomes. All but "implying denied" grant the implying right;
    // they differ in what happens to the rights it implies.
    XWikiSecurityAccess adtAllAllowed = defaultAccess.clone();
    XWikiSecurityAccess adtAllDenied = defaultAccess.clone();
    XWikiSecurityAccess adtTie = defaultAccess.clone();
    XWikiSecurityAccess adtImplyingDenied = defaultAccess.clone();
    adtAllAllowed.set(impliedTestRightsADT, ALLOW);
    adtAllDenied.set(impliedTestRightsADT, ALLOW);
    adtTie.set(impliedTestRightsADT, ALLOW);
    adtImplyingDenied.deny(impliedTestRightsADT);
    for (Right testRight : allTestRights) {
        adtAllAllowed.allow(testRight);
        adtAllDenied.deny(testRight);
        // A conflicting allow/deny on an implied right falls back to that right's own tie policy.
        adtTie.set(testRight, testRight.getTieResolutionPolicy());
    }

    // Expected DAF outcomes (the DAF conflict assertions below expect "all allowed", so no tie variant).
    XWikiSecurityAccess dafAllAllowed = defaultAccess.clone();
    XWikiSecurityAccess dafAllDenied = defaultAccess.clone();
    XWikiSecurityAccess dafImplyingDenied = defaultAccess.clone();
    dafAllAllowed.set(impliedTestRightsDAF, ALLOW);
    dafAllDenied.set(impliedTestRightsDAF, ALLOW);
    dafImplyingDenied.deny(impliedTestRightsDAF);
    for (Right testRight : allTestRights) {
        dafAllAllowed.allow(testRight);
        dafAllDenied.deny(testRight);
    }

    // A single rule on the implying right: allow propagates to implied rights, deny does not.
    assertAccess("When a right implying others rights is allowed, imply those rights (ADT)", userRef, docRef, adtAllAllowed, authorizationSettler.settle(userRef, Arrays.asList(groupRef), getMockedSecurityRuleEntries("allowAccessADT", docRef, Arrays.asList(Arrays.asList(adtAllowRule)))));
    assertAccess("When a right implying others rights is allowed, imply those rights (DAF)", userRef, docRef, dafAllAllowed, authorizationSettler.settle(userRef, Arrays.asList(groupRef), getMockedSecurityRuleEntries("allowAccessDAF", docRef, Arrays.asList(Arrays.asList(dafAllowRule)))));
    assertAccess("When a right implying others rights is denied, do not denied implied rights (ADT)", userRef, docRef, adtImplyingDenied, authorizationSettler.settle(userRef, Arrays.asList(groupRef), getMockedSecurityRuleEntries("denyAccessADT", docRef, Arrays.asList(Arrays.asList(adtDenyRule)))));
    assertAccess("When a right implying others rights is denied, do not denied implied rights (DAF)", userRef, docRef, dafImplyingDenied, authorizationSettler.settle(userRef, Arrays.asList(groupRef), getMockedSecurityRuleEntries("denyAccessDAF", docRef, Arrays.asList(Arrays.asList(dafDenyRule)))));

    // Rules on the whole test-right set, combined with the implying rules to create conflicts.
    // The allow variant is built for symmetry but not referenced by any assertion below.
    SecurityRule allTestRightsAllowedToUserAndAnotherGroup = getMockedSecurityRule("allowAllTestRightsUserAndAnotherGroup", Arrays.asList(userRef), Arrays.asList(anotherGroupRef), allTestRights, ALLOW);
    SecurityRule allTestRightsDeniedToUserAndAnotherGroup = getMockedSecurityRule("denyAllTestRightsUserAndAnotherGroup", Arrays.asList(userRef), Arrays.asList(anotherGroupRef), allTestRights, DENY);
    SecurityRule allTestRightsDeniedToAnotherUserAndGroup = getMockedSecurityRule("denyAllTestRightsAnotherUserAndGroup", Arrays.asList(anotherUserRef), Arrays.asList(groupRef), allTestRights, DENY);

    // Same target allowed the implying right and denied the implied ones, in one entry.
    Deque<SecurityRuleEntry> sameTargetConflictADT = getMockedSecurityRuleEntries("conflictAllowDenySameTargetADT", docRef, Arrays.asList(Arrays.asList(adtAllowRule, allTestRightsDeniedToUserAndAnotherGroup)));
    Deque<SecurityRuleEntry> sameTargetConflictDAF = getMockedSecurityRuleEntries("conflictAllowDenySameTargetDAF", docRef, Arrays.asList(Arrays.asList(dafAllowRule, allTestRightsDeniedToUserAndAnotherGroup)));
    // Allow on one subject, deny on the other side of its user/group relation.
    Deque<SecurityRuleEntry> userGroupConflictADT = getMockedSecurityRuleEntries("conflictAllowDenyUserGroupADT", docRef, Arrays.asList(Arrays.asList(adtAllowRule, allTestRightsDeniedToAnotherUserAndGroup)));
    Deque<SecurityRuleEntry> userGroupConflictDAF = getMockedSecurityRuleEntries("conflictAllowDenyUserGroupDAF", docRef, Arrays.asList(Arrays.asList(dafAllowRule, allTestRightsDeniedToAnotherUserAndGroup)));

    assertAccess("When allowed implied right for user is denied for same user in another rule, use most favorable tie resolution policy (ADT)", userRef, docRef, adtTie, authorizationSettler.settle(userRef, Arrays.asList(groupRef), sameTargetConflictADT));
    assertAccess("When allowed implied right for user is denied for same user in another rule, use most favorable tie resolution policy (DAF)", userRef, docRef, dafAllAllowed, authorizationSettler.settle(userRef, Arrays.asList(groupRef), sameTargetConflictDAF));
    assertAccess("When allowed implied right for group is denied for same group in another rule, use most favorable tie resolution policy (ADT)", anotherUserRef, docRef, adtTie, authorizationSettler.settle(anotherUserRef, Arrays.asList(anotherGroupRef), sameTargetConflictADT));
    assertAccess("When allowed implied right for group is denied for same group in another rule, use most favorable tie resolution policy (DAF)", anotherUserRef, docRef, dafAllAllowed, authorizationSettler.settle(anotherUserRef, Arrays.asList(anotherGroupRef), sameTargetConflictDAF));
    assertAccess("When allowed implied right for user is denied for its group in another rule, allow it. (ADT)", userRef, docRef, adtAllAllowed, authorizationSettler.settle(userRef, Arrays.asList(groupRef), userGroupConflictADT));
    assertAccess("When allowed implied right for user is denied for its group in another rule, allow it. (DAF)", userRef, docRef, dafAllAllowed, authorizationSettler.settle(userRef, Arrays.asList(groupRef), userGroupConflictDAF));
    assertAccess("When allowed implied right for group is denied for one of its user in another rule, deny it. (ADT)", anotherUserRef, docRef, adtAllDenied, authorizationSettler.settle(anotherUserRef, Arrays.asList(anotherGroupRef), userGroupConflictADT));
    assertAccess("When allowed implied right for group is denied for one of its user in another rule, deny it. (DAF)", anotherUserRef, docRef, dafAllDenied, authorizationSettler.settle(anotherUserRef, Arrays.asList(anotherGroupRef), userGroupConflictDAF));
}

Example 7 with SecurityRule

use of org.xwiki.security.authorization.SecurityRule in project xwiki-platform by xwiki.

the class DefaultAuthorizationSettlerTest method getMockedSecurityRule.

/**
 * Build a mock {@code SecurityRule} that matches exactly the given users, groups and rights.
 * Each {@code match(...)} overload is stubbed with two complementary matcher sets
 * ({@code anyOf} / {@code not(anyOf)}), so any argument hits exactly one stub and an
 * unlisted subject or right is reported as not matching rather than falling through to
 * Mockito's default.
 *
 * @param name the mock name, shown in Mockito failure messages
 * @param users users the rule applies to (may be empty)
 * @param groups groups the rule applies to (may be empty)
 * @param rights rights the rule applies to
 * @param state the state returned by {@code getState()}
 * @return the stubbed rule
 */
private SecurityRule getMockedSecurityRule(String name, Iterable<UserSecurityReference> users, Iterable<GroupSecurityReference> groups, Iterable<Right> rights, final RuleState state) {
    SecurityRule rule = mock(SecurityRule.class, name);
    List<Matcher<? super UserSecurityReference>> userMatchers = equalToEachOf(users);
    List<Matcher<? super GroupSecurityReference>> groupMatchers = equalToEachOf(groups);
    List<Matcher<? super Right>> rightMatchers = equalToEachOf(rights);
    // Positive side: any listed subject or right matches.
    when(rule.match(argThat(anyOf(userMatchers)))).thenReturn(true);
    when(rule.match(argThat(anyOf(groupMatchers)))).thenReturn(true);
    when(rule.match(argThat(anyOf(rightMatchers)))).thenReturn(true);
    // Negative side: everything else explicitly does not match.
    when(rule.match(argThat(not(anyOf(userMatchers))))).thenReturn(false);
    when(rule.match(argThat(not(anyOf(groupMatchers))))).thenReturn(false);
    when(rule.match(argThat(not(anyOf(rightMatchers))))).thenReturn(false);
    when(rule.getState()).thenReturn(state);
    return rule;
}

/**
 * One {@code is(value)} matcher per element, in iteration order.
 *
 * @param values the values to match
 * @param <T> the element type
 * @return a mutable list of equality matchers (empty when {@code values} is empty)
 */
private static <T> List<Matcher<? super T>> equalToEachOf(Iterable<T> values) {
    List<Matcher<? super T>> matchers = new ArrayList<Matcher<? super T>>();
    for (T value : values) {
        matchers.add(is(value));
    }
    return matchers;
}

Example 8 with SecurityRule

use of org.xwiki.security.authorization.SecurityRule in project xwiki-platform by xwiki.

the class DefaultAuthorizationSettlerTest method testSettleInheritancePolicy.

@Test
public void testSettleInheritancePolicy() throws Exception {
    // One allow and one deny rule on the whole test-right set for each of the three users
    // (main-wiki user, local-wiki user, user from another wiki). No group is ever targeted.
    List<GroupSecurityReference> noGroups = Collections.<GroupSecurityReference>emptyList();
    SecurityRule allowXuser = getMockedSecurityRule("allowAllTestRightsRulesToXuser", Arrays.asList(xuserRef), noGroups, allTestRights, ALLOW);
    SecurityRule denyXuser = getMockedSecurityRule("denyAllTestRightsRulesToXuser", Arrays.asList(xuserRef), noGroups, allTestRights, DENY);
    SecurityRule allowUser = getMockedSecurityRule("allowAllTestRightsRulesToUser", Arrays.asList(userRef), noGroups, allTestRights, ALLOW);
    SecurityRule denyUser = getMockedSecurityRule("denyAllTestRightsRulesToUser", Arrays.asList(userRef), noGroups, allTestRights, DENY);
    SecurityRule allowOtherWikiUser = getMockedSecurityRule("allowAllTestRightsRulesToAnotherWikiUser", Arrays.asList(anotherWikiUserRef), noGroups, allTestRights, ALLOW);
    SecurityRule denyOtherWikiUser = getMockedSecurityRule("denyAllTestRightsRulesToAnotherWikiUser", Arrays.asList(anotherWikiUserRef), noGroups, allTestRights, DENY);

    List<SecurityRule> allowAll = Arrays.asList(allowXuser, allowUser, allowOtherWikiUser);
    List<SecurityRule> denyAll = Arrays.asList(denyXuser, denyUser, denyOtherWikiUser);
    List<SecurityRule> none = Collections.<SecurityRule>emptyList();

    // Entry chains: judging by the names and the assertion messages, the rule lists go from
    // the document outwards (document, space, wiki, main wiki); an empty list is a level
    // without rules.
    Deque<SecurityRuleEntry> xdocAllowDocDenySpace = getMockedSecurityRuleEntries("allowThenDenyRulesForXdocSpace", xdocRef, Arrays.asList(allowAll, denyAll));
    Deque<SecurityRuleEntry> xdocDenyDocAllowSpace = getMockedSecurityRuleEntries("denyThenAllowRulesForXdocSpace", xdocRef, Arrays.asList(denyAll, allowAll));
    Deque<SecurityRuleEntry> docAllowDocDenySpace = getMockedSecurityRuleEntries("allowThenDenyRulesForDocSpace", docRef, Arrays.asList(allowAll, denyAll));
    Deque<SecurityRuleEntry> docDenyDocAllowSpace = getMockedSecurityRuleEntries("denyThenAllowRulesForDocSpace", docRef, Arrays.asList(denyAll, allowAll));
    Deque<SecurityRuleEntry> xdocAllowDocDenyWiki = getMockedSecurityRuleEntries("allowThenDenyRulesForXDocWiki", xdocRef, Arrays.asList(allowAll, none, denyAll));
    Deque<SecurityRuleEntry> xdocDenyDocAllowWiki = getMockedSecurityRuleEntries("denyThenAllowRulesForXdocWiki", xdocRef, Arrays.asList(denyAll, none, allowAll));
    Deque<SecurityRuleEntry> docAllowDocDenyWiki = getMockedSecurityRuleEntries("allowThenDenyRulesForDocWiki", docRef, Arrays.asList(allowAll, none, denyAll));
    Deque<SecurityRuleEntry> docDenyDocAllowWiki = getMockedSecurityRuleEntries("denyThenAllowRulesForDocWiki", docRef, Arrays.asList(denyAll, none, allowAll));
    Deque<SecurityRuleEntry> docAllowDocDenyMainWiki = getMockedSecurityRuleEntries("allowThenDenyRulesForDocXWiki", docRef, Arrays.asList(allowAll, none, none, denyAll));
    Deque<SecurityRuleEntry> docDenyDocAllowMainWiki = getMockedSecurityRuleEntries("denyThenAllowRulesForDocXWiki", docRef, Arrays.asList(denyAll, none, none, allowAll));

    // Expected outcomes. An allow on the document always wins over an outer deny; a deny on
    // the document wins over an outer allow only for rights whose inheritance-override
    // policy says so, otherwise the outer allow wins.
    XWikiSecurityAccess allAllowed = new XWikiSecurityAccess();
    XWikiSecurityAccess perInheritancePolicy = new XWikiSecurityAccess();
    for (Right right : allTestRights) {
        allAllowed.allow(right);
        perInheritancePolicy.set(right, right.getInheritanceOverridePolicy() ? DENY : ALLOW);
    }

    // Conflict between the document and its space.
    assertAccess("When allowed right on doc are denied on space from main wiki for main wiki user, use inheritance policy", xuserRef, xdocRef, allAllowed, authorizationSettler.settle(xuserRef, noGroups, xdocAllowDocDenySpace));
    assertAccess("When denied right on doc are allowed on space from main wiki for main wiki user, use inheritance policy", xuserRef, xdocRef, perInheritancePolicy, authorizationSettler.settle(xuserRef, noGroups, xdocDenyDocAllowSpace));
    assertAccess("When allowed right on doc are denied on space from local wiki for main wiki user, use inheritance policy", xuserRef, docRef, allAllowed, authorizationSettler.settle(xuserRef, noGroups, docAllowDocDenySpace));
    assertAccess("When denied right on doc are allowed on space from local wiki for main wiki user, use inheritance policy", xuserRef, docRef, perInheritancePolicy, authorizationSettler.settle(xuserRef, noGroups, docDenyDocAllowSpace));
    assertAccess("When allowed right on doc are denied on space from local wiki for local wiki user, use inheritance policy", userRef, docRef, allAllowed, authorizationSettler.settle(userRef, noGroups, docAllowDocDenySpace));
    assertAccess("When denied right on doc are allowed on space from local wiki for local wiki user, use inheritance policy", userRef, docRef, perInheritancePolicy, authorizationSettler.settle(userRef, noGroups, docDenyDocAllowSpace));
    assertAccess("When allowed right on doc are denied on space from local wiki for another wiki user, use inheritance policy", anotherWikiUserRef, docRef, allAllowed, authorizationSettler.settle(anotherWikiUserRef, noGroups, docAllowDocDenySpace));
    assertAccess("When denied right on doc are allowed on space from local wiki for another wiki user, use inheritance policy", anotherWikiUserRef, docRef, perInheritancePolicy, authorizationSettler.settle(anotherWikiUserRef, noGroups, docDenyDocAllowSpace));

    // Conflict between the document and its wiki.
    assertAccess("When allowed right on doc are denied on wiki from main wiki for main wiki user, use inheritance policy", xuserRef, xdocRef, allAllowed, authorizationSettler.settle(xuserRef, noGroups, xdocAllowDocDenyWiki));
    assertAccess("When denied right on doc are allowed on wiki from main wiki for main wiki user, use inheritance policy", xuserRef, xdocRef, perInheritancePolicy, authorizationSettler.settle(xuserRef, noGroups, xdocDenyDocAllowWiki));
    assertAccess("When allowed right on doc are denied on wiki from local wiki for main wiki user, use inheritance policy", xuserRef, docRef, allAllowed, authorizationSettler.settle(xuserRef, noGroups, docAllowDocDenyWiki));
    assertAccess("When denied right on doc are allowed on wiki from local wiki for main wiki user, use inheritance policy", xuserRef, docRef, perInheritancePolicy, authorizationSettler.settle(xuserRef, noGroups, docDenyDocAllowWiki));
    assertAccess("When allowed right on doc are denied on wiki from local wiki for local wiki user, use inheritance policy", userRef, docRef, allAllowed, authorizationSettler.settle(userRef, noGroups, docAllowDocDenyWiki));
    assertAccess("When denied right on doc are allowed on wiki from local wiki for local wiki user, use inheritance policy", userRef, docRef, perInheritancePolicy, authorizationSettler.settle(userRef, noGroups, docDenyDocAllowWiki));
    assertAccess("When allowed right on doc are denied on wiki from local wiki for another wiki user, use inheritance policy", anotherWikiUserRef, docRef, allAllowed, authorizationSettler.settle(anotherWikiUserRef, noGroups, docAllowDocDenyWiki));
    assertAccess("When denied right on doc are allowed on wiki from local wiki for another wiki user, use inheritance policy", anotherWikiUserRef, docRef, perInheritancePolicy, authorizationSettler.settle(anotherWikiUserRef, noGroups, docDenyDocAllowWiki));

    // Conflict between a local-wiki document and the main wiki.
    assertAccess("When allowed right on doc are denied on main wiki from local wiki for local wiki user, use inheritance policy", userRef, docRef, allAllowed, authorizationSettler.settle(userRef, noGroups, docAllowDocDenyMainWiki));
    assertAccess("When denied right on doc are allowed on main wiki from local wiki for local wiki user, use inheritance policy", userRef, docRef, perInheritancePolicy, authorizationSettler.settle(userRef, noGroups, docDenyDocAllowMainWiki));
    assertAccess("When allowed right on doc are denied on main wiki from local wiki for another wiki user, use inheritance policy", anotherWikiUserRef, docRef, allAllowed, authorizationSettler.settle(anotherWikiUserRef, noGroups, docAllowDocDenyMainWiki));
    assertAccess("When denied right on doc are allowed on main wiki from local wiki for another wiki user, use inheritance policy", anotherWikiUserRef, docRef, perInheritancePolicy, authorizationSettler.settle(anotherWikiUserRef, noGroups, docDenyDocAllowMainWiki));
}

Example 9 with SecurityRule

use of org.xwiki.security.authorization.SecurityRule in project xwiki-platform by xwiki.

the class DefaultAuthorizationSettler method settle.

/**
 * Settle the access of one user (and its groups) against the rules of a single security entry.
 * <p>
 * Only the rights enabled for the entry's security type are considered. Rules are applied in
 * (right, rule) order; whenever a rule settles a right to {@code ALLOW}, the rights that right
 * implies are settled as well. Finally every right that some rule explicitly allowed but that
 * no rule settled for this user is turned into a deny, so an allow rule closes the right to
 * every subject it does not name (the behaviour of the previous implementation).
 *
 * @param user the user whose access is settled
 * @param groups the groups the user belongs to
 * @param entry the rules attached to one entity
 * @param policies the resolution policies in effect
 * @return the settled access for the enabled rights; anything untouched stays undetermined
 */
@Override
protected XWikiSecurityAccess settle(UserSecurityReference user, Collection<GroupSecurityReference> groups, SecurityRuleEntry entry, Policies policies) {
    Set<Right> enabledRights = Right.getEnabledRights(entry.getReference().getSecurityType());
    Set<Right> fromUser = new RightSet();
    Set<Right> explicitlyAllowed = new RightSet();
    XWikiSecurityAccess result = new XWikiSecurityAccess();

    // Pass 1: apply every rule of this entity that covers the right, keeping the original
    // evaluation order (resolveLevel may depend on it).
    for (Right right : enabledRights) {
        for (SecurityRule rule : entry.getRules()) {
            if (!rule.match(right)) {
                continue;
            }
            if (rule.getState() == ALLOW) {
                explicitlyAllowed.add(right);
            }
            resolveLevel(right, user, groups, rule, result, policies, fromUser);
            if (result.get(right) == ALLOW) {
                implyRights(right, result, enabledRights, policies, fromUser);
            }
        }
    }

    // Pass 2: an allow rule exists for the right but nothing settled it for this user, so
    // the right is denied (an allow is an implicit deny for everyone else).
    for (Right right : explicitlyAllowed) {
        if (result.get(right) == UNDETERMINED) {
            result.deny(right);
        }
    }
    return result;
}

Example 10 with SecurityRule

use of org.xwiki.security.authorization.SecurityRule in project xwiki-platform by xwiki.

the class DefaultSecurityEntryReader method getImpliedRules.

/**
 * Get rules implied by wiki owners, document creators, and global rights documents.
 * <p>
 * Three implicit rules can be produced, in this order: an allow of the owner rights to the
 * wiki owner (global rights requested on a global-rights document), a deny of edit on a
 * global-rights document (local rights requested on such a document), and an allow of the
 * creator rights to the document creator (local rights requested and the creator is not the
 * guest user).
 *
 * @param documentReference reference to the document requested.
 * @param document the document requested, may be {@code null}.
 * @param isGlobalRightsReference true when the document is a document which hosts global rights.
 * @param isGlobalRightRequested true when the request concerns global rights.
 * @return a list of implied security rules, or an empty list if there are none.
 * @throws AuthorizationException if anything goes wrong.
 */
private List<SecurityRule> getImpliedRules(DocumentReference documentReference, XWikiDocument document, boolean isGlobalRightsReference, boolean isGlobalRightRequested) throws AuthorizationException {
    List<SecurityRule> impliedRules = new ArrayList<SecurityRule>();

    if (isGlobalRightsReference && isGlobalRightRequested) {
        // Global rights on a global-rights document: the wiki owner gets the owner rights.
        // The main wiki owner has its own, distinct, set of rights.
        WikiReference wiki = documentReference.getWikiReference();
        DocumentReference owner = getWikiOwner(wiki);
        if (owner != null) {
            boolean isMainWiki = getXWikiContext().isMainWiki(wiki.getName());
            impliedRules.add(new XWikiSecurityRule(isMainWiki ? MAINWIKIOWNER_RIGHTS : OWNER_RIGHTS, RuleState.ALLOW, Collections.singleton(owner), null));
        }
    } else if (isGlobalRightsReference) {
        // Local rights on a global-rights document: editing it is denied (the original
        // comment notes this is meant for anyone but admins).
        impliedRules.add(DENY_EDIT);
    }

    if (!isGlobalRightRequested && document != null) {
        // Local rights: the creator gets the creator rights, unless the creator is the guest
        // user. Only the name component of the creator reference is compared here.
        DocumentReference creator = document.getCreatorReference();
        boolean isGuestCreator = creator != null && XWikiConstants.GUEST_USER.equals(creator.getName());
        if (creator != null && !isGuestCreator) {
            impliedRules.add(new XWikiSecurityRule(CREATOR_RIGHTS, RuleState.ALLOW, Collections.singleton(creator), null));
        }
    }

    return impliedRules;
}
