private String[] getReadingPrincipals(
     RepositorySession repositorySession, String zone, String path) throws StorageClientException {
   Session session = repositorySession.adaptTo(Session.class);
   AccessControlManager accessControlManager = session.getAccessControlManager();
   return accessControlManager.findPrincipals(
       zone, path, Permissions.CAN_READ.getPermission(), true);
 }
 /**
  * Gets the principals that can read content at a given path.
  *
  * @param session
  * @param path The path to check.
  * @return {@link String[]} of principal names that can read {@link path}. An empty array is
  *     returned if no principals can read the path.
  * @throws StorageClientException
  */
 @SuppressWarnings("unused")
 private String[] getReadingPrincipals(Session session, String path)
     throws StorageClientException {
   AccessControlManager accessControlManager = session.getAccessControlManager();
   return accessControlManager.findPrincipals(
       Security.ZONE_CONTENT, path, Permissions.CAN_READ.getPermission(), true);
 }
Exemplo n.º 3
0
  public void createActivity(
      Session session, Content targetLocation, String userId, ActivityServiceCallback callback)
      throws AccessDeniedException, StorageClientException, ServletException, IOException {
    if (userId == null) {
      userId = session.getUserId();
    }
    if (!userId.equals(session.getUserId()) && !User.ADMIN_USER.equals(session.getUserId())) {
      throw new IllegalStateException(
          "Only Administrative sessions may act on behalf of another user for activities");
    }
    ContentManager contentManager = session.getContentManager();
    // create activityStore if it does not exist
    String path = StorageClientUtils.newPath(targetLocation.getPath(), ACTIVITY_STORE_NAME);
    if (!contentManager.exists(path)) {
      contentManager.update(
          new Content(
              path,
              ImmutableMap.<String, Object>of(
                  SLING_RESOURCE_TYPE_PROPERTY, ACTIVITY_STORE_RESOURCE_TYPE)));
      // inherit ACL from the target node, but let logged-in users write activities
      session
          .getAccessControlManager()
          .setAcl(
              Security.ZONE_CONTENT,
              path,
              new AclModification[] {
                new AclModification(
                    AclModification.grantKey(Group.EVERYONE),
                    Permissions.CAN_WRITE.getPermission(),
                    Operation.OP_AND)
              });
    }
    // create activity within activityStore
    String activityPath = StorageClientUtils.newPath(path, ActivityUtils.createId());
    String activityFeedPath = StorageClientUtils.newPath(targetLocation.getPath(), "activityFeed");

    if (!contentManager.exists(activityFeedPath)) {
      contentManager.update(new Content(activityFeedPath, null));
    }
    if (!contentManager.exists(activityPath)) {
      contentManager.update(
          new Content(
              activityPath,
              ImmutableMap.of(
                  JcrResourceConstants.SLING_RESOURCE_TYPE_PROPERTY,
                  (Object) ActivityConstants.ACTIVITY_ITEM_RESOURCE_TYPE)));
    }

    Content activtyNode = contentManager.get(activityPath);
    callback.processRequest(activtyNode);

    activtyNode = contentManager.get(activityPath);
    activtyNode.setProperty(PARAM_ACTOR_ID, userId);
    activtyNode.setProperty(ActivityConstants.PARAM_SOURCE, targetLocation.getPath());

    Session adminSession = repository.loginAdministrative();
    List<String> routesStr = new LinkedList<String>();
    List<String> readers = new LinkedList<String>();
    try {
      List<ActivityRoute> routes =
          activityRouterManager.getActivityRoutes(activtyNode, adminSession);
      if (routes != null) {
        for (ActivityRoute route : routes) {
          routesStr.add(route.getDestination());
          if (route.getReaders() != null && route.getReaders().length > 0) {
            readers.addAll(Arrays.asList(route.getReaders()));
          }
        }
      }

      // store the routes as child content of the activity so we may lock it down to admin. It's
      // common for
      // the activity to be stored within the context of the content to which it pertains (e.g.,
      // within the
      // pooled content item on which the user performed the activity), therefore we could expose
      // user
      // activity routes there -- that is an exposure of potentially sensitive content such as who
      // the user's
      // connections are.
      String routesPath =
          StorageClientUtils.newPath(activtyNode.getPath(), ActivityConstants.PARAM_ROUTES);
      contentManager.update(
          new Content(
              routesPath,
              ImmutableMap.<String, Object>of(
                  ActivityConstants.PARAM_ROUTES,
                  routesStr.toArray(new String[routesStr.size()]))));
      adminSession
          .getAccessControlManager()
          .setAcl(
              Security.ZONE_CONTENT,
              routesPath,
              new AclModification[] {
                new AclModification(
                    AclModification.denyKey(User.ANON_USER),
                    Permissions.ALL.getPermission(),
                    Operation.OP_REPLACE),
                new AclModification(
                    AclModification.denyKey(Group.EVERYONE),
                    Permissions.ALL.getPermission(),
                    Operation.OP_REPLACE),
                new AclModification(
                    AclModification.denyKey(userId),
                    Permissions.ALL.getPermission(),
                    Operation.OP_REPLACE)
              });

      if (!readers.isEmpty()) {
        AclModification[] readerAcls = new AclModification[readers.size()];
        int i = 0;
        for (String reader : readers) {
          // ensure all the necessary readers/routes can read the activity
          readerAcls[i] =
              new AclModification(
                  AclModification.grantKey(reader),
                  Permissions.CAN_READ.getPermission(),
                  Operation.OP_OR);
          i++;
        }

        adminSession
            .getAccessControlManager()
            .setAcl(Security.ZONE_CONTENT, activtyNode.getPath(), readerAcls);
      }
    } finally {
      SparseUtils.logoutQuietly(adminSession);
    }

    // store the activity node
    contentManager.update(activtyNode);

    // post the asynchronous OSGi event
    final Dictionary<String, String> properties = new Hashtable<String, String>();
    properties.put(UserConstants.EVENT_PROP_USERID, userId);
    properties.put(ActivityConstants.EVENT_PROP_PATH, activityPath);
    properties.put("path", activityPath);
    properties.put("resourceType", ActivityConstants.ACTIVITY_ITEM_RESOURCE_TYPE);
    EventUtils.sendOsgiEvent(properties, LITE_EVENT_TOPIC, eventAdmin);
  }