// unit tested protected static ACLRow[] updateAclRows(ACLRow[] aclrows, ACP acp) { List<ACLRow> newaclrows = new LinkedList<ACLRow>(); Map<String, ACL> aclmap = new HashMap<String, ACL>(); for (ACL acl : acp.getACLs()) { String name = acl.getName(); if (ACL.INHERITED_ACL.equals(name)) { continue; } aclmap.put(name, acl); } List<ACE> aces = Collections.emptyList(); Set<String> aceKeys = null; String name = null; for (ACLRow aclrow : aclrows) { // new acl? if (!aclrow.name.equals(name)) { // finish remaining aces for (ACE ace : aces) { addACLRow(newaclrows, name, ace); } // start next round name = aclrow.name; ACL acl = aclmap.remove(name); aces = acl == null ? Collections.<ACE>emptyList() : new LinkedList<ACE>(Arrays.asList(acl.getACEs())); aceKeys = new HashSet<String>(); for (ACE ace : aces) { aceKeys.add(getACEkey(ace)); } } if (!aceKeys.contains(getACLrowKey(aclrow))) { // no match, keep the aclrow info instead of the ace newaclrows.add( new ACLRow( newaclrows.size(), name, aclrow.grant, aclrow.permission, aclrow.user, aclrow.group)); } } // finish remaining aces for last acl done for (ACE ace : aces) { addACLRow(newaclrows, name, ace); } // do non-done acls for (ACL acl : aclmap.values()) { name = acl.getName(); for (ACE ace : acl.getACEs()) { addACLRow(newaclrows, name, ace); } } ACLRow[] array = new ACLRow[newaclrows.size()]; return newaclrows.toArray(array); }
/**
 * Rejects an ACP that carries a deny (non-granted) ACE, unless {@code negativeAclAllowed} is
 * set on this instance.
 * <p>
 * Two denies are still accepted on every non-inherited ACL: the {@code EVERYONE} /
 * {@code EVERYTHING} deny, which is the conventional way to block inheritance, and a deny of
 * {@code WRITE}. The inherited ACL is not inspected.
 *
 * @param acp the ACP to check; {@code null} passes
 * @throws IllegalArgumentException on the first deny ACE that is not one of the accepted ones
 */
protected void checkNegativeAcl(ACP acp) {
    if (negativeAclAllowed || acp == null) {
        return;
    }
    for (ACL acl : acp.getACLs()) {
        if (acl.getName().equals(ACL.INHERITED_ACL)) {
            continue;
        }
        for (ACE ace : acl.getACEs()) {
            if (!ace.isGranted() && !isAcceptedDeny(ace)) {
                throw new IllegalArgumentException("Negative ACL not allowed: " + ace);
            }
        }
    }
}

/**
 * Tells whether a deny ACE is one of the two accepted forms: the inheritance-blocking
 * everyone/everything deny, or a deny of WRITE (accepted because WRITE does not include
 * Read/Browse).
 */
private static boolean isAcceptedDeny(ACE ace) {
    String permission = ace.getPermission();
    if (permission.equals(SecurityConstants.EVERYTHING)
            && ace.getUsername().equals(SecurityConstants.EVERYONE)) {
        return true;
    }
    return permission.equals(SecurityConstants.WRITE);
}
// unit tested protected static ACLRow[] acpToAclRows(ACP acp) { List<ACLRow> aclrows = new LinkedList<ACLRow>(); for (ACL acl : acp.getACLs()) { String name = acl.getName(); if (name.equals(ACL.INHERITED_ACL)) { continue; } for (ACE ace : acl.getACEs()) { addACLRow(aclrows, name, ace); } } ACLRow[] array = new ACLRow[aclrows.size()]; return aclrows.toArray(array); }
/**
 * Checks ACL inheritance through a folder hierarchy: a child folder sees its parent's local
 * ACEs under {@code ACL.INHERITED_ACL}, and a deny of {@code EVERYTHING} to {@code EVERYONE}
 * on the child makes that inherited ACL disappear entirely.
 */
@Test
public void testACPInheritance() throws Exception {
    DocumentModel parent = session.createDocument(
            new DocumentModelImpl("/", "testACPInheritance", "Folder"));
    DocumentModel child = session.createDocument(
            new DocumentModelImpl("/testACPInheritance", "folder", "Folder"));
    PathRef childRef = new PathRef("/testACPInheritance/folder");

    // the parent grants READ to joe_reader
    ACP parentAcp = parent.getACP();
    parentAcp.getOrCreateACL().add(new ACE("joe_reader", READ, true));
    parent.setACP(parentAcp, true);

    // the child grants WRITE to joe_contributor
    ACP childAcp = child.getACP();
    childAcp.getOrCreateACL().add(new ACE("joe_contributor", WRITE, true));
    child.setACP(childAcp, true);
    session.save();

    // the parent's grant shows up on the child as the first inherited ACE
    child = session.getDocument(childRef);
    childAcp = child.getACP();
    ACL inherited = childAcp.getACL(ACL.INHERITED_ACL);
    assertEquals("joe_reader", inherited.getACEs()[0].getUsername());

    // block inheritance with the conventional deny-all ACE
    childAcp.getOrCreateACL()
            .add(new ACE(SecurityConstants.EVERYONE, SecurityConstants.EVERYTHING, false));
    child.setACP(childAcp, true);
    session.save();

    // once blocked, the child has no inherited ACL at all
    child = session.getDocument(childRef);
    assertNull(child.getACP().getACL(ACL.INHERITED_ACL));
}