public ExternalAccessControlManager(
NamespaceRegistry namespaceRegistry,
ExternalSessionImpl session,
ExternalDataSource dataSource) {
this.session = session;
this.workspaceName = session.getWorkspace().getName();
this.aclReadOnly =
dataSource instanceof ExternalDataSource.AccessControllable
|| dataSource instanceof ExternalDataSource.SupportPrivileges;
this.writable = dataSource instanceof ExternalDataSource.Writable;
this.supportPrivileges = dataSource instanceof ExternalDataSource.SupportPrivileges;
this.rootUserName = JahiaUserManagerService.getInstance().getRootUserName();
this.dataSource = dataSource;
this.pathPermissionCache =
Collections.synchronizedMap(
new LRUMap(SettingsBean.getInstance().getAccessManagerPathPermissionCacheMaxSize()));
this.jahiaPrincipal =
new JahiaPrincipal(
session.getUserID(),
session.getRealm(),
session.getUserID().startsWith(JahiaLoginModule.SYSTEM),
JahiaLoginModule.GUEST.equals(session.getUserID()));
try {
registry = new JahiaPrivilegeRegistry(namespaceRegistry);
this.modifyAccessControlPrivilege =
registry.getPrivilege("jcr:modifyAccessControl", workspaceName);
this.writePrivilege = registry.getPrivilege("jcr:write", workspaceName);
} catch (RepositoryException e) {
throw new JahiaRuntimeException(e);
}
}
public boolean canManageNodeTypes(String path) throws RepositoryException {
return hasPrivileges(
path,
new Privilege[] {
registry.getPrivilege(
JCR_NODE_TYPE_MANAGEMENT + "_" + session.getWorkspace().getName(), null)
});
}
// JCR_REMOVE_NODE
public void checkRemoveNode(String path) throws RepositoryException {
if (!hasPrivileges(
path,
new Privilege[] {
registry.getPrivilege(JCR_REMOVE_NODE + "_" + session.getWorkspace().getName(), null)
})) {
throw new AccessDeniedException(path);
}
}
// JCR_ADD_CHILD_NODES
public void checkAddChildNodes(String path) throws RepositoryException {
if (!hasPrivileges(
path,
new Privilege[] {
registry.getPrivilege(JCR_ADD_CHILD_NODES + "_" + session.getWorkspace().getName(), null)
})) {
throw new AccessDeniedException(path);
}
}
public void checkRead(String path) throws RepositoryException {
if (!hasPrivileges(
path,
new Privilege[] {
registry.getPrivilege(JCR_READ + "_" + session.getWorkspace().getName(), null)
})) {
throw new PathNotFoundException(path);
}
}
// JCR_MODIFY_PROPERTIES
public void checkModify(String path) throws RepositoryException {
if (!hasPrivileges(
path,
new Privilege[] {
registry.getPrivilege(
JCR_MODIFY_PROPERTIES + "_" + session.getWorkspace().getName(), null)
})) {
throw new AccessDeniedException(path);
}
}
@Override
public boolean hasPrivileges(final String absPath, final Privilege[] privileges)
throws PathNotFoundException, RepositoryException {
if (supportPrivileges) {
// if the node is created in the same session, return true
for (Item item : session.getNewItems()) {
if (item.getPath().equals(absPath)) {
return true;
}
}
// check privilege names
return hasPrivilegesLegacy(absPath, privileges);
} else {
// check ACLs
Set<String> privs = new HashSet<>();
for (Privilege privilege : privileges) {
privs.add(privilege.getName());
}
String mountPoint = session.getRepository().getStoreProvider().getMountPoint();
Session securitySession =
JCRSessionFactory.getInstance()
.getCurrentSystemSession(session.getWorkspace().getName(), null, null);
PathWrapper pathWrapper =
new ExternalPathWrapperImpl(
StringUtils.equals(absPath, "/") ? mountPoint : mountPoint + absPath,
securitySession);
return AccessManagerUtils.isGranted(
pathWrapper,
privs,
securitySession,
jahiaPrincipal,
workspaceName,
false,
pathPermissionCache,
compiledAcls,
registry);
}
}
