// unit tested
protected static ACLRow[] updateAclRows(ACLRow[] aclrows, ACP acp) {
List<ACLRow> newaclrows = new LinkedList<ACLRow>();
Map<String, ACL> aclmap = new HashMap<String, ACL>();
for (ACL acl : acp.getACLs()) {
String name = acl.getName();
if (ACL.INHERITED_ACL.equals(name)) {
continue;
}
aclmap.put(name, acl);
}
List<ACE> aces = Collections.emptyList();
Set<String> aceKeys = null;
String name = null;
for (ACLRow aclrow : aclrows) {
// new acl?
if (!aclrow.name.equals(name)) {
// finish remaining aces
for (ACE ace : aces) {
addACLRow(newaclrows, name, ace);
}
// start next round
name = aclrow.name;
ACL acl = aclmap.remove(name);
aces =
acl == null
? Collections.<ACE>emptyList()
: new LinkedList<ACE>(Arrays.asList(acl.getACEs()));
aceKeys = new HashSet<String>();
for (ACE ace : aces) {
aceKeys.add(getACEkey(ace));
}
}
if (!aceKeys.contains(getACLrowKey(aclrow))) {
// no match, keep the aclrow info instead of the ace
newaclrows.add(
new ACLRow(
newaclrows.size(),
name,
aclrow.grant,
aclrow.permission,
aclrow.user,
aclrow.group));
}
}
// finish remaining aces for last acl done
for (ACE ace : aces) {
addACLRow(newaclrows, name, ace);
}
// do non-done acls
for (ACL acl : aclmap.values()) {
name = acl.getName();
for (ACE ace : acl.getACEs()) {
addACLRow(newaclrows, name, ace);
}
}
ACLRow[] array = new ACLRow[newaclrows.size()];
return newaclrows.toArray(array);
}
protected void checkNegativeAcl(ACP acp) {
if (negativeAclAllowed) {
return;
}
if (acp == null) {
return;
}
for (ACL acl : acp.getACLs()) {
if (acl.getName().equals(ACL.INHERITED_ACL)) {
continue;
}
for (ACE ace : acl.getACEs()) {
if (ace.isGranted()) {
continue;
}
String permission = ace.getPermission();
if (permission.equals(SecurityConstants.EVERYTHING)
&& ace.getUsername().equals(SecurityConstants.EVERYONE)) {
continue;
}
// allow Write, as we're sure it doesn't include Read/Browse
if (permission.equals(SecurityConstants.WRITE)) {
continue;
}
throw new IllegalArgumentException("Negative ACL not allowed: " + ace);
}
}
}
// unit tested
protected static ACLRow[] acpToAclRows(ACP acp) {
List<ACLRow> aclrows = new LinkedList<ACLRow>();
for (ACL acl : acp.getACLs()) {
String name = acl.getName();
if (name.equals(ACL.INHERITED_ACL)) {
continue;
}
for (ACE ace : acl.getACEs()) {
addACLRow(aclrows, name, ace);
}
}
ACLRow[] array = new ACLRow[aclrows.size()];
return aclrows.toArray(array);
}
@Test
public void testACPInheritance() throws Exception {
DocumentModel root = new DocumentModelImpl("/", "testACPInheritance", "Folder");
root = session.createDocument(root);
DocumentModel doc = new DocumentModelImpl("/testACPInheritance", "folder", "Folder");
doc = session.createDocument(doc);
ACP rootAcp = root.getACP();
ACL localACL = rootAcp.getOrCreateACL();
localACL.add(new ACE("joe_reader", READ, true));
root.setACP(rootAcp, true);
ACP acp = doc.getACP();
localACL = acp.getOrCreateACL();
localACL.add(new ACE("joe_contributor", WRITE, true));
doc.setACP(acp, true);
session.save();
doc = session.getDocument(new PathRef("/testACPInheritance/folder"));
acp = doc.getACP();
ACL acl = acp.getACL(ACL.INHERITED_ACL);
assertEquals("joe_reader", acl.getACEs()[0].getUsername());
// block inheritance
acp.getOrCreateACL()
.add(new ACE(SecurityConstants.EVERYONE, SecurityConstants.EVERYTHING, false));
doc.setACP(acp, true);
session.save();
// now the inherited acl should be null
doc = session.getDocument(new PathRef("/testACPInheritance/folder"));
acp = doc.getACP();
acl = acp.getACL(ACL.INHERITED_ACL);
assertNull(acl);
}