public void process(Authorizable authorizable, Session session, Modification change)
throws Exception {
LOGGER.debug("Starting MessageAuthorizablePostProcessor process");
if (authorizable != null && authorizable.getID() != null && !authorizable.isGroup()) {
PrincipalManager principalManager = AccessControlUtil.getPrincipalManager(session);
String path =
PersonalUtils.getHomeFolder(authorizable) + "/" + MessageConstants.FOLDER_MESSAGES;
LOGGER.debug("Getting/creating message store node: {}", path);
Node messageStore = JcrUtils.deepGetOrCreateNode(session, path);
messageStore.setProperty(
JcrResourceConstants.SLING_RESOURCE_TYPE_PROPERTY,
MessageConstants.SAKAI_MESSAGESTORE_RT);
// ACL's are managed by the Personal User Post processor.
Principal anon =
new Principal() {
public String getName() {
return UserConstants.ANON_USERID;
}
};
Principal everyone = principalManager.getEveryone();
// The user can do everything on this node.
replaceAccessControlEntry(
session, path, authorizable.getPrincipal(), new String[] {JCR_ALL}, null, null, null);
// explicitly deny anon and everyone, this is private space.
String[] deniedPrivs = new String[] {JCR_READ, JCR_WRITE};
replaceAccessControlEntry(session, path, anon, null, deniedPrivs, null, null);
replaceAccessControlEntry(session, path, everyone, null, deniedPrivs, null, null);
}
}
/**
* Adds ACE so that everyone can read access control. This allows Jackrabbit's default collectAcls
* to work without change. Otherwise, you have to be an admin to call acMgr.getEffectivePolicies.
*/
protected void updateRootAcl(SessionImpl systemSession, ACLEditor editor)
throws RepositoryException {
String rootPath = session.getRootNode().getPath();
AccessControlPolicy[] acls = editor.getPolicies(rootPath);
if (acls.length > 0) {
PrincipalManager pMgr = systemSession.getPrincipalManager();
AccessControlManager acMgr = session.getAccessControlManager();
Principal everyone = pMgr.getEveryone();
Privilege[] privs =
new Privilege[] {
acMgr.privilegeFromName(Privilege.JCR_READ),
acMgr.privilegeFromName(Privilege.JCR_READ_ACCESS_CONTROL)
};
AccessControlList acList = (AccessControlList) acls[0];
AccessControlEntry[] acEntries = acList.getAccessControlEntries();
for (AccessControlEntry acEntry : acEntries) {
if (acEntry.getPrincipal().equals(everyone)) {
acList.removeAccessControlEntry(acEntry);
}
}
acList.addAccessControlEntry(everyone, privs);
editor.setPolicy(rootPath, acList);
session.save();
}
}
/**
* Set-up minimal permissions for the workspace:
*
* <ul>
* <li>'adminstrators' principal -> all privileges
* <li>'everyone' -> read privilege
* </ul>
*
* @param session to the workspace to set-up initial ACL to
* @param editor for the specified session.
* @throws RepositoryException If an error occurs.
*/
private static void initRootACL(SessionImpl session, AccessControlEditor editor)
throws RepositoryException {
try {
log.debug("Install initial ACL:...");
String rootPath = session.getRootNode().getPath();
AccessControlPolicy[] acls = editor.editAccessControlPolicies(rootPath);
if (acls.length > 0) {
ACLTemplate acl = (ACLTemplate) acls[0];
PrincipalManager pMgr = session.getPrincipalManager();
AccessControlManager acMgr = session.getAccessControlManager();
String pName = SecurityConstants.ADMINISTRATORS_NAME;
if (pMgr.hasPrincipal(pName)) {
Principal administrators = pMgr.getPrincipal(pName);
log.debug("... Privilege.ALL for administrators.");
Privilege[] privs = new Privilege[] {acMgr.privilegeFromName(Privilege.JCR_ALL)};
acl.addAccessControlEntry(administrators, privs);
} else {
log.info(
"Administrators principal group is missing -> omitting initialization of default permissions.");
}
Principal everyone = pMgr.getEveryone();
log.debug("... Privilege.READ for everyone.");
Privilege[] privs = new Privilege[] {acMgr.privilegeFromName(Privilege.JCR_READ)};
acl.addAccessControlEntry(everyone, privs);
editor.setPolicy(rootPath, acl);
session.save();
} else {
log.info(
"No applicable ACL available for the root node -> skip initialization of the root node's ACL.");
}
} catch (RepositoryException e) {
log.error(
"Failed to set-up minimal access control for root node of workspace "
+ session.getWorkspace().getName());
session.getRootNode().refresh(false);
}
}