示例#1
  /**
   * @see
   *     org.apache.jackrabbit.core.security.authorization.AccessControlProvider#getEffectivePolicies(org.apache.jackrabbit.spi.Path,org.apache.jackrabbit.core.security.authorization.CompiledPermissions)
   */
  public AccessControlPolicy[] getEffectivePolicies(Path absPath, CompiledPermissions permissions)
      throws ItemNotFoundException, RepositoryException {
    // Returns the ACLs effective at absPath, or the repository-level ACL when
    // absPath is null. Every ACL is handed out only after the supplied
    // CompiledPermissions grant READ_AC on the node that carries it; a missing
    // grant aborts the whole call with AccessDeniedException (fail closed)
    // instead of returning a partial list.
    checkInitialized();

    final List<AccessControlList> effective = new ArrayList<AccessControlList>();
    final NodeImpl targetNode;
    if (absPath != null) {
      targetNode = (NodeImpl) session.getNode(session.getJCRPath(absPath));
      // Resolve the node whose hierarchy is inspected; getNode receives the
      // isAcItem flag so the target may itself be part of the AC content.
      final boolean targetIsAcItem = isAcItem(targetNode);
      final NodeImpl start = getNode(targetNode, targetIsAcItem);

      // Walk from the start node towards the root; collectAcls performs the
      // READ_AC check for each access-controlled node it meets.
      collectAcls(start, permissions, effective);
    } else {
      // Null path: only the repository-level policy stored at the root node
      // is considered.
      targetNode = (NodeImpl) session.getRootNode();
      if (isRepoAccessControlled(targetNode)) {
        if (!permissions.grants(targetNode.getPrimaryPath(), Permission.READ_AC)) {
          throw new AccessDeniedException("Access denied at " + targetNode.getPath());
        }
        effective.add(getACL(targetNode, N_REPO_POLICY, null));
      }
    }

    if (effective.isEmpty()) {
      // Neither the node nor any of its parents is access controlled, so no
      // access control information could be retrieved. The caller receives an
      // empty array, which only says that no ACL was found in the hierarchy.
      // TODO: there should be a default policy in this case (see JCR-2331)
      log.warn(
          "No access controlled node present in item hierarchy starting from "
              + targetNode.getPath());
    }
    return effective.toArray(new AccessControlList[effective.size()]);
  }
 /** @see AccessManager#isGranted(Path, int) */
 public boolean isGranted(Path absPath, int permissions) throws RepositoryException {
   // Answers whether the compiled permissions grant the given permission bits
   // at absPath. Relative paths are rejected before any evaluation.
   checkInitialized();
   // NOTE(review): absPath is dereferenced without a null check, so a null
   // argument fails here with NullPointerException rather than
   // RepositoryException - confirm callers never pass null.
   if (absPath.isAbsolute()) {
     return compiledPermissions.grants(absPath, permissions);
   }
   throw new RepositoryException("Absolute path expected");
 }
 /** @see AccessManager#checkRepositoryPermission(int) */
 public void checkRepositoryPermission(int permissions)
     throws AccessDeniedException, RepositoryException {
   // Throws AccessDeniedException unless the compiled permissions grant the
   // requested bits. The message deliberately carries no path or detail.
   checkInitialized();
   // grants() is called with a null path; presumably that is how
   // CompiledPermissions denotes the repository level - confirm against its
   // contract.
   final boolean granted = compiledPermissions.grants(null, permissions);
   if (granted) {
     return;
   }
   throw new AccessDeniedException("Access denied.");
 }
 /** @see AbstractAccessControlManager#checkPermission(String,int) */
 @Override
 protected void checkPermission(String absPath, int permission)
     throws AccessDeniedException, RepositoryException {
   // Validate the JCR path string first, so the permission lookup below only
   // ever sees a path that passed checkValidNodePath.
   checkValidNodePath(absPath);
   final Path resolved = getPath(absPath);
   final boolean allowed = compiledPermissions.grants(resolved, permission);
   if (allowed) {
     return;
   }
   // The denied path is echoed back; it is the value the caller supplied.
   throw new AccessDeniedException("Access denied at " + absPath);
 }
示例#5
 /**
  * Recursively collects all ACLs that are effective on the specified node.
  *
  * @param node the Node to collect the ACLs for, which must NOT be part of the structure defined
  *     by mix:AccessControllable.
  * @param permissions the compiled permissions consulted for {@code READ_AC} on each
  *     access-controlled node visited.
  * @param acls List used to collect the effective acls.
  * @throws RepositoryException if an error occurs
  */
 private void collectAcls(
     NodeImpl node, CompiledPermissions permissions, List<AccessControlList> acls)
     throws RepositoryException {
   // Iterative walk from the given node up to the root, visiting the same
   // nodes in the same order as a parent-by-parent recursion would.
   NodeImpl current = node;
   while (true) {
     if (isAccessControlled(current)) {
       // An ACL is exposed only if READ_AC is granted on the node carrying
       // it. A single denial anywhere on the way up aborts the collection,
       // so callers never see a partial view of the effective policies.
       if (!permissions.grants(current.getPrimaryPath(), Permission.READ_AC)) {
         throw new AccessDeniedException("Access denied at " + current.getPath());
       }
       acls.add(getACL(current, N_POLICY, current.getPath()));
     }
     // Stop once the root node has been processed.
     if (rootNodeId.equals(current.getId())) {
       return;
     }
     current = (NodeImpl) current.getParent();
   }
 }