Beispiel #1
0
 protected void checkNegativeAcl(ACP acp) {
   if (negativeAclAllowed) {
     return;
   }
   if (acp == null) {
     return;
   }
   for (ACL acl : acp.getACLs()) {
     if (acl.getName().equals(ACL.INHERITED_ACL)) {
       continue;
     }
     for (ACE ace : acl.getACEs()) {
       if (ace.isGranted()) {
         continue;
       }
       String permission = ace.getPermission();
       if (permission.equals(SecurityConstants.EVERYTHING)
           && ace.getUsername().equals(SecurityConstants.EVERYONE)) {
         continue;
       }
       // allow Write, as we're sure it doesn't include Read/Browse
       if (permission.equals(SecurityConstants.WRITE)) {
         continue;
       }
       throw new IllegalArgumentException("Negative ACL not allowed: " + ace);
     }
   }
 }
Beispiel #2
0
 protected static void addACLRow(List<ACLRow> aclrows, String name, ACE ace) {
   // XXX should prefix user/group
   String user = ace.getUsername();
   if (user == null) {
     // JCR implementation logs null and skips it
     return;
   }
   String group = null; // XXX all in user for now
   aclrows.add(
       new ACLRow(aclrows.size(), name, ace.isGranted(), ace.getPermission(), user, group));
 }
Beispiel #3
0
  @Test
  public void shouldStoreOnlyEffectiveACEs() throws Exception {
    buildAndIndexTree();

    DocumentModelList docs = ess.query(new NxQueryBuilder(session).nxql("select * from Document"));
    Assert.assertEquals(10, docs.totalSize());

    CoreSession restrictedSession = getRestrictedSession("toto");
    try {
      docs = ess.query(new NxQueryBuilder(restrictedSession).nxql("select * from Document"));
      Assert.assertEquals(0, docs.totalSize());

      DocumentRef ref = new PathRef("/folder0");
      ACP acp = new ACPImpl();
      ACL acl = ACPImpl.newACL(ACL.LOCAL_ACL);
      acl.add(ACE.builder("toto", SecurityConstants.READ).build());
      acp.addACL(acl);
      session.setACP(ref, acp, true);

      TransactionHelper.commitOrRollbackTransaction();
      waitForCompletion();

      startTransaction();
      docs =
          ess.query(
              new NxQueryBuilder(restrictedSession)
                  .nxql("select * from Document order by dc:title"));
      Assert.assertEquals(10, docs.totalSize());

      acp = new ACPImpl();
      acl = ACPImpl.newACL(ACL.LOCAL_ACL);
      // make the ACE archived
      Date now = new Date();
      Calendar begin = new GregorianCalendar();
      begin.setTimeInMillis(now.toInstant().minus(10, ChronoUnit.DAYS).toEpochMilli());
      Calendar end = new GregorianCalendar();
      end.setTimeInMillis(now.toInstant().minus(2, ChronoUnit.DAYS).toEpochMilli());
      acl.add(ACE.builder("toto", SecurityConstants.READ).begin(begin).end(end).build());
      acp.addACL(acl);
      session.setACP(ref, acp, true);

      TransactionHelper.commitOrRollbackTransaction();
      waitForCompletion();

      startTransaction();
      docs =
          ess.query(
              new NxQueryBuilder(restrictedSession)
                  .nxql("select * from Document order by dc:title"));
      Assert.assertEquals(0, docs.totalSize());
    } finally {
      restrictedSession.close();
    }
  }
 protected void resetPermissions(DocumentModel doc, String userName) {
   ACP acp = session.getACP(doc.getRef());
   ACL localACL = acp.getOrCreateACL(ACL.LOCAL_ACL);
   Iterator<ACE> localACLIt = localACL.iterator();
   while (localACLIt.hasNext()) {
     ACE ace = localACLIt.next();
     if (userName.equals(ace.getUsername())) {
       localACLIt.remove();
     }
   }
   session.setACP(doc.getRef(), acp, true);
   session.save();
 }
 protected void resetPermissions(DocumentRef docRef, String userName) {
   ACP acp = session.getACP(docRef);
   ACL localACL = acp.getOrCreateACL(ACL.LOCAL_ACL);
   Iterator<ACE> localACLIt = localACL.iterator();
   while (localACLIt.hasNext()) {
     ACE ace = localACLIt.next();
     if (userName.equals(ace.getUsername())) {
       localACLIt.remove();
     }
   }
   session.setACP(docRef, acp, true);
   TransactionHelper.commitOrRollbackTransaction();
   TransactionHelper.startTransaction();
 }
Beispiel #6
0
 /** Key to distinguish ACEs */
 protected static String getACEkey(ACE ace) {
   // TODO separate user/group
   return ace.getUsername() + '|' + ace.getPermission();
 }