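/**
 * Checks that the permission names stored in the {@code aclr_permission} table still match
 * the permissions currently configured for BROWSE, and logs an error when the two sets differ.
 *
 * <p>The check is advisory: on a mismatch it only logs and returns normally. Per the logged
 * message, the optimized read ACL tables must then be dropped and rebuilt by an operator.
 *
 * @param connection the JDBC connection used to read {@code aclr_permission}
 * @throws SQLException if the table cannot be queried
 */
@Override
public void performAdditionalStatements(Connection connection) throws SQLException {
    // Warn the user if the BROWSE permission set has changed since the read ACL tables were built.
    Set<String> dbPermissions = new HashSet<String>();
    String sql = "SELECT * FROM aclr_permission";
    // Close the statement and result set even when the query or iteration throws,
    // so a failed check does not leak JDBC resources on the connection.
    Statement s = connection.createStatement();
    try {
        ResultSet rs = s.executeQuery(sql);
        try {
            while (rs.next()) {
                // Reads the first column of each row; presumably the permission name -
                // TODO confirm against the table definition, since SELECT * depends on column order.
                dbPermissions.add(rs.getString(1));
            }
        } finally {
            rs.close();
        }
    } finally {
        s.close();
    }

    Set<String> confPermissions = new HashSet<String>();
    SecurityService securityService = NXCore.getSecurityService();
    for (String perm : securityService.getPermissionsToCheck(SecurityConstants.BROWSE)) {
        confPermissions.add(perm);
    }

    // Set equality: any added or removed permission counts as a change.
    // NOTE(review): until the tables are rebuilt, the optimized read ACLs presumably reflect the
    // old permission set, so read filtering may disagree with the configured policy - confirm.
    if (!dbPermissions.equals(confPermissions)) {
        log.error(
                "Security permission for BROWSE has changed, you need to rebuild the optimized read acls:"
                        + "DROP TABLE aclr_permission; DROP TABLE aclr; then restart.");
    }
}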
/**
 * Grants access only when one of the names to check for {@code principal} appears in the
 * {@code ecm:acl} array found under {@code fields} in the given JSON document.
 *
 * <p>The check fails closed: a malformed document, a missing {@code fields} or
 * {@code ecm:acl} entry, or the absence of any matching name all end in a
 * {@link SecurityException}.
 *
 * @param principal the principal whose access is being checked
 * @param docAcl JSON text carrying the document's {@code ecm:acl} values; presumably obtained
 *        from a trusted store rather than from the requester - verify against the caller,
 *        because the decision relies entirely on its content
 * @throws SecurityException if no name to check for the principal is listed in the ACL, or the
 *         JSON cannot be read
 */
public void checkAccess(NuxeoPrincipal principal, String docAcl) {
    try {
        JSONArray aclEntries = new JSONObject(docAcl).getJSONObject("fields").getJSONArray("ecm:acl");
        String[] candidates = SecurityService.getPrincipalsToCheck(principal);
        for (int idx = 0; idx < aclEntries.length(); idx++) {
            for (String candidate : candidates) {
                if (candidate.equals(aclEntries.getString(idx))) {
                    // First match is enough: access is granted.
                    return;
                }
            }
        }
    } catch (JSONException ignored) {
        // Deliberately not rethrown: an unreadable ACL is treated like a missing grant,
        // so control falls through to the denial below.
    }
    throw new SecurityException("Unauthorized access");
}
/**
 * Verifies that every permission returned for BROWSE lets its holder list a document through
 * queries, and that a folder created afterwards becomes visible too.
 */
@Test
public void testReadAclSecurity() {
    // Every permission that includes Browse must allow listing a document
    // when the ACL optimization is in use.
    SecurityService securityService = NXCore.getSecurityService();
    String[] browsePermissions = securityService.getPermissionsToCheck(BROWSE);
    // The test permission contribution must be part of the BROWSE set.
    assertTrue(Arrays.asList(browsePermissions).contains("ViewTest"));

    List<String> expectedNames = new ArrayList<String>(browsePermissions.length);
    DocumentModel root = session.getRootDocument();
    for (String permission : browsePermissions) {
        // One folder per permission, granting joe that single permission.
        String folderName = "joe-has-" + permission + "-permission";
        expectedNames.add(folderName);
        DocumentModel created = session.createDocument(
                new DocumentModelImpl(root.getPathAsString(), folderName, "Folder"));
        // The ACP inherited from root is returned before a local one is set.
        assertNotNull(created.getACP());
        ACL grant = new ACLImpl();
        grant.add(new ACE("joe", permission, true));
        ACP localAcp = new ACPImpl();
        localAcp.addACL(grant);
        created.setACP(localAcp, true);
    }
    session.save();

    CoreSession joeSession = openSessionAs("joe");
    try {
        List<String> seenNames = new ArrayList<String>();

        DocumentModelList visible = joeSession.query("SELECT * FROM Folder");
        for (DocumentModel doc : visible) {
            seenNames.add(doc.getName());
        }
        assertEquals(
                "Expecting " + expectedNames + " got " + seenNames,
                browsePermissions.length,
                visible.size());

        visible = joeSession.query("SELECT * FROM Folder WHERE ecm:isProxy = 0");
        seenNames.clear();
        for (DocumentModel doc : visible) {
            seenNames.add(doc.getName());
        }
        assertEquals(
                "Expecting " + expectedNames + " got " + seenNames,
                browsePermissions.length,
                visible.size());

        // Create one more folder so that the read ACLs have to be updated.
        DocumentModel extra = session.createDocument(
                new DocumentModelImpl(root.getPathAsString(), "new-folder", "Folder"));
        // The ACP inherited from root is returned before a local one is set.
        assertNotNull(extra.getACP());
        ACL sharedGrant = new ACLImpl();
        sharedGrant.add(new ACE("joe", browsePermissions[0], true));
        sharedGrant.add(new ACE("bob", browsePermissions[0], true));
        ACP extraAcp = new ACPImpl();
        extraAcp.addACL(sharedGrant);
        extra.setACP(extraAcp, true);
        session.save();

        // NOTE(review): only joe's positive visibility is asserted, and only by count.
        // bob is granted access above but never queried, and no assertion shows that a
        // principal without a BROWSE-class ACE gets an empty result.
        visible = joeSession.query("SELECT * FROM Folder");
        assertEquals(browsePermissions.length + 1, visible.size());
    } finally {
        closeSession(joeSession);
    }
}