public void process(Authorizable authorizable, Session session, Modification change)
      throws Exception {
    LOGGER.debug("Starting MessageAuthorizablePostProcessor process");
    if (authorizable != null && authorizable.getID() != null && !authorizable.isGroup()) {
      PrincipalManager principalManager = AccessControlUtil.getPrincipalManager(session);
      String path =
          PersonalUtils.getHomeFolder(authorizable) + "/" + MessageConstants.FOLDER_MESSAGES;
      LOGGER.debug("Getting/creating message store node: {}", path);

      Node messageStore = JcrUtils.deepGetOrCreateNode(session, path);
      messageStore.setProperty(
          JcrResourceConstants.SLING_RESOURCE_TYPE_PROPERTY,
          MessageConstants.SAKAI_MESSAGESTORE_RT);
      // ACL's are managed by the Personal User Post processor.
      Principal anon =
          new Principal() {

            public String getName() {
              return UserConstants.ANON_USERID;
            }
          };
      Principal everyone = principalManager.getEveryone();

      // The user can do everything on this node.
      replaceAccessControlEntry(
          session, path, authorizable.getPrincipal(), new String[] {JCR_ALL}, null, null, null);

      // explicitly deny anon and everyone, this is private space.
      String[] deniedPrivs = new String[] {JCR_READ, JCR_WRITE};
      replaceAccessControlEntry(session, path, anon, null, deniedPrivs, null, null);
      replaceAccessControlEntry(session, path, everyone, null, deniedPrivs, null, null);
    }
  }
  /**
   * KERN-1026 changed the results of this to be the authz's that are members of the managers group
   * associated to a group rather than the group managers associated to the group.
   *
   * <p><del>Get the managers for a group. These should be stored in the {@link
   * UserConstants#PROP_GROUP_MANAGERS}.</del>
   *
   * @param request
   * @param group
   * @param writer
   * @throws RepositoryException
   * @throws JSONException
   */
  protected TreeMap<String, Authorizable> getManagers(
      SlingHttpServletRequest request, Group group, Comparator<String> comparator)
      throws RepositoryException, JSONException {
    TreeMap<String, Authorizable> map = new TreeMap<String, Authorizable>(comparator);

    // KERN-949 will probably change this.
    // note above was made before this was changed to retrieving members of the managers
    // group and may not apply.
    Session session = request.getResourceResolver().adaptTo(Session.class);
    UserManager um = AccessControlUtil.getUserManager(session);
    Value[] managersGroup = group.getProperty(UserConstants.PROP_MANAGERS_GROUP);
    if (managersGroup != null && managersGroup.length == 1) {
      String mgrGroupName = managersGroup[0].getString();

      Group mgrGroup = (Group) um.getAuthorizable(mgrGroupName);

      Iterator<Authorizable> members = mgrGroup.getMembers();
      while (members.hasNext()) {
        Authorizable member = members.next();
        String prinName = member.getPrincipal().getName();
        Authorizable mau = um.getAuthorizable(prinName);
        String name = getName(mau);
        map.put(name, mau);
      }
    }
    return map;
  }
  protected void addMember(
      Session session, String filePath, Authorizable authorizable, String memberType)
      throws RepositoryException {
    Principal principal = authorizable.getPrincipal();

    // Add (or re-use) a members node for the new viewer or manager.
    String memberPath = getMemberNodePath(filePath, authorizable);
    Node memberNode = JcrUtils.deepGetOrCreateNode(session, memberPath);
    memberNode.setProperty(SLING_RESOURCE_TYPE_PROPERTY, POOLED_CONTENT_USER_RT);
    memberNode.setProperty(memberType, new String[] {principal.getName()});

    // Update the member's access to the pooled content.
    refreshMemberAccess(session, filePath, principal, memberNode);
  }
  /**
   * Remove a User or Group from the list of viewers or the list of managers. Currently, the node
   * which points to the user/group remains in place, and only the specified membership property is
   * deleted. Note that a single user/group can be on both lists, and so their access rights might
   * not actually change as a result of being removed from a single list.
   *
   * @param session
   * @param filePath
   * @param authorizable
   * @param memberType
   * @throws RepositoryException
   */
  protected void removeMember(
      Session session, String filePath, Authorizable authorizable, String memberType)
      throws RepositoryException {
    String memberPath = getMemberNodePath(filePath, authorizable);

    // Is there actually such a member?
    if (session.itemExists(memberPath)) {
      Node memberNode = session.getNode(memberPath);
      if (memberNode.hasProperty(memberType)) {
        // Remove the property.
        memberNode.setProperty(memberType, (Value[]) null);

        // Update ACEs that refer to this member.
        Principal principal = authorizable.getPrincipal();
        refreshMemberAccess(session, filePath, principal, memberNode);
      }
    }
  }
Пример #5
0
  /**
   * Add an ACL entry at a path for the authorizable.
   *
   * @param path
   * @param authorizable
   * @param session
   * @param writePrivilageGranted
   * @throws RepositoryException
   */
  public static void addEntry(
      String path, Authorizable authorizable, Session session, String... privilegeSpec)
      throws RepositoryException {

    String principalName = authorizable.getPrincipal().getName();

    List<String> grantedPrivilegeNames = new ArrayList<String>();
    List<String> deniedPrivilegeNames = new ArrayList<String>();
    for (String spec : privilegeSpec) {
      if (spec.startsWith(GRANTED)) {
        grantedPrivilegeNames.add(spec.substring(GRANTED.length()));
      } else if (spec.startsWith(DENIED)) {
        deniedPrivilegeNames.add(spec.substring(DENIED.length()));
      }
    }

    AccessControlManager accessControlManager = AccessControlUtil.getAccessControlManager(session);
    AccessControlList updatedAcl = null;
    AccessControlPolicyIterator applicablePolicies =
        accessControlManager.getApplicablePolicies(path);
    while (applicablePolicies.hasNext()) {
      AccessControlPolicy policy = applicablePolicies.nextAccessControlPolicy();
      if (policy instanceof AccessControlList) {
        updatedAcl = (AccessControlList) policy;
        break;
      }
    }
    if (updatedAcl == null) {
      throw new RepositoryException("Unable to find an access conrol policy to update.");
    }

    StringBuilder oldPrivileges = null;
    StringBuilder newPrivileges = null;
    if (LOGGER.isInfoEnabled()) {
      oldPrivileges = new StringBuilder();
      newPrivileges = new StringBuilder();
    }

    // keep track of the existing Aces for the target principal
    AccessControlEntry[] accessControlEntries = updatedAcl.getAccessControlEntries();
    List<AccessControlEntry> oldAces = new ArrayList<AccessControlEntry>();
    for (AccessControlEntry ace : accessControlEntries) {
      if (principalName.equals(ace.getPrincipal().getName())) {
        if (LOGGER.isInfoEnabled()) {
          LOGGER.info(
              "Found Existing ACE for principal {} on resource: ",
              new Object[] {principalName, path});
        }
        oldAces.add(ace);

        if (LOGGER.isInfoEnabled()) {
          // collect the information for debug logging
          boolean isAllow = AccessControlUtil.isAllow(ace);
          Privilege[] privileges = ace.getPrivileges();
          for (Privilege privilege : privileges) {
            if (oldPrivileges.length() > 0) {
              oldPrivileges.append(", "); // separate entries by commas
            }
            if (isAllow) {
              oldPrivileges.append("granted=");
            } else {
              oldPrivileges.append("denied=");
            }
            oldPrivileges.append(privilege.getName());
          }
        }
      }
    }

    // remove the old aces
    if (!oldAces.isEmpty()) {
      for (AccessControlEntry ace : oldAces) {
        updatedAcl.removeAccessControlEntry(ace);
      }
    }

    // add a fresh ACE with the granted privileges
    List<Privilege> grantedPrivilegeList = new ArrayList<Privilege>();
    for (String name : grantedPrivilegeNames) {
      if (name.length() == 0) {
        continue; // empty, skip it.
      }
      Privilege privilege = accessControlManager.privilegeFromName(name);
      grantedPrivilegeList.add(privilege);

      if (LOGGER.isInfoEnabled()) {
        if (newPrivileges.length() > 0) {
          newPrivileges.append(", "); // separate entries by commas
        }
        newPrivileges.append("granted=");
        newPrivileges.append(privilege.getName());
      }
    }
    if (grantedPrivilegeList.size() > 0) {
      Principal principal = authorizable.getPrincipal();
      updatedAcl.addAccessControlEntry(
          principal, grantedPrivilegeList.toArray(new Privilege[grantedPrivilegeList.size()]));
    }

    // add a fresh ACE with the denied privileges
    List<Privilege> deniedPrivilegeList = new ArrayList<Privilege>();
    for (String name : deniedPrivilegeNames) {
      if (name.length() == 0) {
        continue; // empty, skip it.
      }
      Privilege privilege = accessControlManager.privilegeFromName(name);
      deniedPrivilegeList.add(privilege);

      if (LOGGER.isInfoEnabled()) {
        if (newPrivileges.length() > 0) {
          newPrivileges.append(", "); // separate entries by commas
        }
        newPrivileges.append("denied=");
        newPrivileges.append(privilege.getName());
      }
    }
    if (deniedPrivilegeList.size() > 0) {
      Principal principal = authorizable.getPrincipal();
      AccessControlUtil.addEntry(
          updatedAcl,
          principal,
          deniedPrivilegeList.toArray(new Privilege[deniedPrivilegeList.size()]),
          false);
    }

    accessControlManager.setPolicy(path, updatedAcl);

    if (LOGGER.isInfoEnabled()) {
      LOGGER.info(
          "Updated ACE for principalId {} for resource {} from {} to {}",
          new Object[] {
            authorizable.getID(), path, oldPrivileges.toString(), newPrivileges.toString()
          });
    }
  }