/** * Add an ACL entry at a path for the authorizable. * * @param path * @param authorizable * @param session * @param writePrivilageGranted * @throws RepositoryException */ public static void addEntry( String path, Authorizable authorizable, Session session, String... privilegeSpec) throws RepositoryException { String principalName = authorizable.getPrincipal().getName(); List<String> grantedPrivilegeNames = new ArrayList<String>(); List<String> deniedPrivilegeNames = new ArrayList<String>(); for (String spec : privilegeSpec) { if (spec.startsWith(GRANTED)) { grantedPrivilegeNames.add(spec.substring(GRANTED.length())); } else if (spec.startsWith(DENIED)) { deniedPrivilegeNames.add(spec.substring(DENIED.length())); } } AccessControlManager accessControlManager = AccessControlUtil.getAccessControlManager(session); AccessControlList updatedAcl = null; AccessControlPolicyIterator applicablePolicies = accessControlManager.getApplicablePolicies(path); while (applicablePolicies.hasNext()) { AccessControlPolicy policy = applicablePolicies.nextAccessControlPolicy(); if (policy instanceof AccessControlList) { updatedAcl = (AccessControlList) policy; break; } } if (updatedAcl == null) { throw new RepositoryException("Unable to find an access conrol policy to update."); } StringBuilder oldPrivileges = null; StringBuilder newPrivileges = null; if (LOGGER.isInfoEnabled()) { oldPrivileges = new StringBuilder(); newPrivileges = new StringBuilder(); } // keep track of the existing Aces for the target principal AccessControlEntry[] accessControlEntries = updatedAcl.getAccessControlEntries(); List<AccessControlEntry> oldAces = new ArrayList<AccessControlEntry>(); for (AccessControlEntry ace : accessControlEntries) { if (principalName.equals(ace.getPrincipal().getName())) { if (LOGGER.isInfoEnabled()) { LOGGER.info( "Found Existing ACE for principal {} on resource: ", new Object[] {principalName, path}); } oldAces.add(ace); if (LOGGER.isInfoEnabled()) { // collect the information for debug logging boolean isAllow = AccessControlUtil.isAllow(ace); Privilege[] privileges = ace.getPrivileges(); for (Privilege privilege : privileges) { if (oldPrivileges.length() > 0) { oldPrivileges.append(", "); // separate entries by commas } if (isAllow) { oldPrivileges.append("granted="); } else { oldPrivileges.append("denied="); } oldPrivileges.append(privilege.getName()); } } } } // remove the old aces if (!oldAces.isEmpty()) { for (AccessControlEntry ace : oldAces) { updatedAcl.removeAccessControlEntry(ace); } } // add a fresh ACE with the granted privileges List<Privilege> grantedPrivilegeList = new ArrayList<Privilege>(); for (String name : grantedPrivilegeNames) { if (name.length() == 0) { continue; // empty, skip it. } Privilege privilege = accessControlManager.privilegeFromName(name); grantedPrivilegeList.add(privilege); if (LOGGER.isInfoEnabled()) { if (newPrivileges.length() > 0) { newPrivileges.append(", "); // separate entries by commas } newPrivileges.append("granted="); newPrivileges.append(privilege.getName()); } } if (grantedPrivilegeList.size() > 0) { Principal principal = authorizable.getPrincipal(); updatedAcl.addAccessControlEntry( principal, grantedPrivilegeList.toArray(new Privilege[grantedPrivilegeList.size()])); } // add a fresh ACE with the denied privileges List<Privilege> deniedPrivilegeList = new ArrayList<Privilege>(); for (String name : deniedPrivilegeNames) { if (name.length() == 0) { continue; // empty, skip it. } Privilege privilege = accessControlManager.privilegeFromName(name); deniedPrivilegeList.add(privilege); if (LOGGER.isInfoEnabled()) { if (newPrivileges.length() > 0) { newPrivileges.append(", "); // separate entries by commas } newPrivileges.append("denied="); newPrivileges.append(privilege.getName()); } } if (deniedPrivilegeList.size() > 0) { Principal principal = authorizable.getPrincipal(); AccessControlUtil.addEntry( updatedAcl, principal, deniedPrivilegeList.toArray(new Privilege[deniedPrivilegeList.size()]), false); } accessControlManager.setPolicy(path, updatedAcl); if (LOGGER.isInfoEnabled()) { LOGGER.info( "Updated ACE for principalId {} for resource {} from {} to {}", new Object[] { authorizable.getID(), path, oldPrivileges.toString(), newPrivileges.toString() }); } }
/** * Checks to see if the current user is a member of the administrators group. * * @param session * @return * @throws UnsupportedRepositoryOperationException * @throws RepositoryException */ protected static boolean isAdminUser(final Session session) throws UnsupportedRepositoryOperationException, RepositoryException { final AccessControlManager acm = AccessControlUtil.getAccessControlManager(session); final Privilege[] privJcrAll = {acm.privilegeFromName(Privilege.JCR_ALL)}; return acm.hasPrivileges("/", privJcrAll); }