/** * @see * org.apache.jackrabbit.core.security.authorization.AccessControlProvider#getEffectivePolicies(org.apache.jackrabbit.spi.Path,org.apache.jackrabbit.core.security.authorization.CompiledPermissions) */ public AccessControlPolicy[] getEffectivePolicies(Path absPath, CompiledPermissions permissions) throws ItemNotFoundException, RepositoryException { checkInitialized(); NodeImpl targetNode; List<AccessControlList> acls = new ArrayList<AccessControlList>(); if (absPath == null) { targetNode = (NodeImpl) session.getRootNode(); if (isRepoAccessControlled(targetNode)) { if (permissions.grants(targetNode.getPrimaryPath(), Permission.READ_AC)) { acls.add(getACL(targetNode, N_REPO_POLICY, null)); } else { throw new AccessDeniedException("Access denied at " + targetNode.getPath()); } } } else { targetNode = (NodeImpl) session.getNode(session.getJCRPath(absPath)); NodeImpl node = getNode(targetNode, isAcItem(targetNode)); // collect all ACLs effective at node collectAcls(node, permissions, acls); } // if no effective ACLs are present -> add a default, empty acl. if (acls.isEmpty()) { // no access control information can be retrieved for the specified // node, since neither the node nor any of its parents is access // controlled. TODO: there should be a default policy in this case (see JCR-2331) log.warn( "No access controlled node present in item hierarchy starting from " + targetNode.getPath()); } return acls.toArray(new AccessControlList[acls.size()]); }
/** @see AccessManager#isGranted(Path, int) */ public boolean isGranted(Path absPath, int permissions) throws RepositoryException { checkInitialized(); if (!absPath.isAbsolute()) { throw new RepositoryException("Absolute path expected"); } return compiledPermissions.grants(absPath, permissions); }
/** @see AccessManager#checkRepositoryPermission(int) */ public void checkRepositoryPermission(int permissions) throws AccessDeniedException, RepositoryException { checkInitialized(); if (!compiledPermissions.grants(null, permissions)) { throw new AccessDeniedException("Access denied."); } }
/** @see AbstractAccessControlManager#checkPermission(String,int) */ @Override protected void checkPermission(String absPath, int permission) throws AccessDeniedException, RepositoryException { checkValidNodePath(absPath); Path p = getPath(absPath); if (!compiledPermissions.grants(p, permission)) { throw new AccessDeniedException("Access denied at " + absPath); } }
/** * Recursively collects all ACLs that are effective on the specified node. * * @param node the Node to collect the ACLs for, which must NOT be part of the structure defined * by mix:AccessControllable. * @param permissions * @param acls List used to collect the effective acls. * @throws RepositoryException if an error occurs */ private void collectAcls( NodeImpl node, CompiledPermissions permissions, List<AccessControlList> acls) throws RepositoryException { // if the given node is access-controlled, construct a new ACL and add // it to the list if (isAccessControlled(node)) { if (permissions.grants(node.getPrimaryPath(), Permission.READ_AC)) { acls.add(getACL(node, N_POLICY, node.getPath())); } else { throw new AccessDeniedException("Access denied at " + node.getPath()); } } // then, recursively look for access controlled parents up the hierarchy. if (!rootNodeId.equals(node.getId())) { NodeImpl parentNode = (NodeImpl) node.getParent(); collectAcls(parentNode, permissions, acls); } }