public void process(Authorizable authorizable, Session session, Modification change)
throws Exception {
LOGGER.debug("Starting MessageAuthorizablePostProcessor process");
if (authorizable != null && authorizable.getID() != null && !authorizable.isGroup()) {
PrincipalManager principalManager = AccessControlUtil.getPrincipalManager(session);
String path =
PersonalUtils.getHomeFolder(authorizable) + "/" + MessageConstants.FOLDER_MESSAGES;
LOGGER.debug("Getting/creating message store node: {}", path);
Node messageStore = JcrUtils.deepGetOrCreateNode(session, path);
messageStore.setProperty(
JcrResourceConstants.SLING_RESOURCE_TYPE_PROPERTY,
MessageConstants.SAKAI_MESSAGESTORE_RT);
// ACL's are managed by the Personal User Post processor.
Principal anon =
new Principal() {
public String getName() {
return UserConstants.ANON_USERID;
}
};
Principal everyone = principalManager.getEveryone();
// The user can do everything on this node.
replaceAccessControlEntry(
session, path, authorizable.getPrincipal(), new String[] {JCR_ALL}, null, null, null);
// explicitly deny anon and everyone, this is private space.
String[] deniedPrivs = new String[] {JCR_READ, JCR_WRITE};
replaceAccessControlEntry(session, path, anon, null, deniedPrivs, null, null);
replaceAccessControlEntry(session, path, everyone, null, deniedPrivs, null, null);
}
}
/**
* KERN-1026 changed the results of this to be the authz's that are members of the managers group
* associated to a group rather than the group managers associated to the group.
*
* <p><del>Get the managers for a group. These should be stored in the {@link
* UserConstants#PROP_GROUP_MANAGERS}.</del>
*
* @param request
* @param group
* @param writer
* @throws RepositoryException
* @throws JSONException
*/
protected TreeMap<String, Authorizable> getManagers(
SlingHttpServletRequest request, Group group, Comparator<String> comparator)
throws RepositoryException, JSONException {
TreeMap<String, Authorizable> map = new TreeMap<String, Authorizable>(comparator);
// KERN-949 will probably change this.
// note above was made before this was changed to retrieving members of the managers
// group and may not apply.
Session session = request.getResourceResolver().adaptTo(Session.class);
UserManager um = AccessControlUtil.getUserManager(session);
Value[] managersGroup = group.getProperty(UserConstants.PROP_MANAGERS_GROUP);
if (managersGroup != null && managersGroup.length == 1) {
String mgrGroupName = managersGroup[0].getString();
Group mgrGroup = (Group) um.getAuthorizable(mgrGroupName);
Iterator<Authorizable> members = mgrGroup.getMembers();
while (members.hasNext()) {
Authorizable member = members.next();
String prinName = member.getPrincipal().getName();
Authorizable mau = um.getAuthorizable(prinName);
String name = getName(mau);
map.put(name, mau);
}
}
return map;
}
protected void addMember(
Session session, String filePath, Authorizable authorizable, String memberType)
throws RepositoryException {
Principal principal = authorizable.getPrincipal();
// Add (or re-use) a members node for the new viewer or manager.
String memberPath = getMemberNodePath(filePath, authorizable);
Node memberNode = JcrUtils.deepGetOrCreateNode(session, memberPath);
memberNode.setProperty(SLING_RESOURCE_TYPE_PROPERTY, POOLED_CONTENT_USER_RT);
memberNode.setProperty(memberType, new String[] {principal.getName()});
// Update the member's access to the pooled content.
refreshMemberAccess(session, filePath, principal, memberNode);
}
/**
* Remove a User or Group from the list of viewers or the list of managers. Currently, the node
* which points to the user/group remains in place, and only the specified membership property is
* deleted. Note that a single user/group can be on both lists, and so their access rights might
* not actually change as a result of being removed from a single list.
*
* @param session
* @param filePath
* @param authorizable
* @param memberType
* @throws RepositoryException
*/
protected void removeMember(
Session session, String filePath, Authorizable authorizable, String memberType)
throws RepositoryException {
String memberPath = getMemberNodePath(filePath, authorizable);
// Is there actually such a member?
if (session.itemExists(memberPath)) {
Node memberNode = session.getNode(memberPath);
if (memberNode.hasProperty(memberType)) {
// Remove the property.
memberNode.setProperty(memberType, (Value[]) null);
// Update ACEs that refer to this member.
Principal principal = authorizable.getPrincipal();
refreshMemberAccess(session, filePath, principal, memberNode);
}
}
}
/**
* Add an ACL entry at a path for the authorizable.
*
* @param path
* @param authorizable
* @param session
* @param writePrivilageGranted
* @throws RepositoryException
*/
public static void addEntry(
String path, Authorizable authorizable, Session session, String... privilegeSpec)
throws RepositoryException {
String principalName = authorizable.getPrincipal().getName();
List<String> grantedPrivilegeNames = new ArrayList<String>();
List<String> deniedPrivilegeNames = new ArrayList<String>();
for (String spec : privilegeSpec) {
if (spec.startsWith(GRANTED)) {
grantedPrivilegeNames.add(spec.substring(GRANTED.length()));
} else if (spec.startsWith(DENIED)) {
deniedPrivilegeNames.add(spec.substring(DENIED.length()));
}
}
AccessControlManager accessControlManager = AccessControlUtil.getAccessControlManager(session);
AccessControlList updatedAcl = null;
AccessControlPolicyIterator applicablePolicies =
accessControlManager.getApplicablePolicies(path);
while (applicablePolicies.hasNext()) {
AccessControlPolicy policy = applicablePolicies.nextAccessControlPolicy();
if (policy instanceof AccessControlList) {
updatedAcl = (AccessControlList) policy;
break;
}
}
if (updatedAcl == null) {
throw new RepositoryException("Unable to find an access conrol policy to update.");
}
StringBuilder oldPrivileges = null;
StringBuilder newPrivileges = null;
if (LOGGER.isInfoEnabled()) {
oldPrivileges = new StringBuilder();
newPrivileges = new StringBuilder();
}
// keep track of the existing Aces for the target principal
AccessControlEntry[] accessControlEntries = updatedAcl.getAccessControlEntries();
List<AccessControlEntry> oldAces = new ArrayList<AccessControlEntry>();
for (AccessControlEntry ace : accessControlEntries) {
if (principalName.equals(ace.getPrincipal().getName())) {
if (LOGGER.isInfoEnabled()) {
LOGGER.info(
"Found Existing ACE for principal {} on resource: ",
new Object[] {principalName, path});
}
oldAces.add(ace);
if (LOGGER.isInfoEnabled()) {
// collect the information for debug logging
boolean isAllow = AccessControlUtil.isAllow(ace);
Privilege[] privileges = ace.getPrivileges();
for (Privilege privilege : privileges) {
if (oldPrivileges.length() > 0) {
oldPrivileges.append(", "); // separate entries by commas
}
if (isAllow) {
oldPrivileges.append("granted=");
} else {
oldPrivileges.append("denied=");
}
oldPrivileges.append(privilege.getName());
}
}
}
}
// remove the old aces
if (!oldAces.isEmpty()) {
for (AccessControlEntry ace : oldAces) {
updatedAcl.removeAccessControlEntry(ace);
}
}
// add a fresh ACE with the granted privileges
List<Privilege> grantedPrivilegeList = new ArrayList<Privilege>();
for (String name : grantedPrivilegeNames) {
if (name.length() == 0) {
continue; // empty, skip it.
}
Privilege privilege = accessControlManager.privilegeFromName(name);
grantedPrivilegeList.add(privilege);
if (LOGGER.isInfoEnabled()) {
if (newPrivileges.length() > 0) {
newPrivileges.append(", "); // separate entries by commas
}
newPrivileges.append("granted=");
newPrivileges.append(privilege.getName());
}
}
if (grantedPrivilegeList.size() > 0) {
Principal principal = authorizable.getPrincipal();
updatedAcl.addAccessControlEntry(
principal, grantedPrivilegeList.toArray(new Privilege[grantedPrivilegeList.size()]));
}
// add a fresh ACE with the denied privileges
List<Privilege> deniedPrivilegeList = new ArrayList<Privilege>();
for (String name : deniedPrivilegeNames) {
if (name.length() == 0) {
continue; // empty, skip it.
}
Privilege privilege = accessControlManager.privilegeFromName(name);
deniedPrivilegeList.add(privilege);
if (LOGGER.isInfoEnabled()) {
if (newPrivileges.length() > 0) {
newPrivileges.append(", "); // separate entries by commas
}
newPrivileges.append("denied=");
newPrivileges.append(privilege.getName());
}
}
if (deniedPrivilegeList.size() > 0) {
Principal principal = authorizable.getPrincipal();
AccessControlUtil.addEntry(
updatedAcl,
principal,
deniedPrivilegeList.toArray(new Privilege[deniedPrivilegeList.size()]),
false);
}
accessControlManager.setPolicy(path, updatedAcl);
if (LOGGER.isInfoEnabled()) {
LOGGER.info(
"Updated ACE for principalId {} for resource {} from {} to {}",
new Object[] {
authorizable.getID(), path, oldPrivileges.toString(), newPrivileges.toString()
});
}
}