protected void checkNegativeAcl(ACP acp) {
if (negativeAclAllowed) {
return;
}
if (acp == null) {
return;
}
for (ACL acl : acp.getACLs()) {
if (acl.getName().equals(ACL.INHERITED_ACL)) {
continue;
}
for (ACE ace : acl.getACEs()) {
if (ace.isGranted()) {
continue;
}
String permission = ace.getPermission();
if (permission.equals(SecurityConstants.EVERYTHING)
&& ace.getUsername().equals(SecurityConstants.EVERYONE)) {
continue;
}
// allow Write, as we're sure it doesn't include Read/Browse
if (permission.equals(SecurityConstants.WRITE)) {
continue;
}
throw new IllegalArgumentException("Negative ACL not allowed: " + ace);
}
}
}
protected static void addACLRow(List<ACLRow> aclrows, String name, ACE ace) {
// XXX should prefix user/group
String user = ace.getUsername();
if (user == null) {
// JCR implementation logs null and skips it
return;
}
String group = null; // XXX all in user for now
aclrows.add(
new ACLRow(aclrows.size(), name, ace.isGranted(), ace.getPermission(), user, group));
}
@Test
public void shouldStoreOnlyEffectiveACEs() throws Exception {
buildAndIndexTree();
DocumentModelList docs = ess.query(new NxQueryBuilder(session).nxql("select * from Document"));
Assert.assertEquals(10, docs.totalSize());
CoreSession restrictedSession = getRestrictedSession("toto");
try {
docs = ess.query(new NxQueryBuilder(restrictedSession).nxql("select * from Document"));
Assert.assertEquals(0, docs.totalSize());
DocumentRef ref = new PathRef("/folder0");
ACP acp = new ACPImpl();
ACL acl = ACPImpl.newACL(ACL.LOCAL_ACL);
acl.add(ACE.builder("toto", SecurityConstants.READ).build());
acp.addACL(acl);
session.setACP(ref, acp, true);
TransactionHelper.commitOrRollbackTransaction();
waitForCompletion();
startTransaction();
docs =
ess.query(
new NxQueryBuilder(restrictedSession)
.nxql("select * from Document order by dc:title"));
Assert.assertEquals(10, docs.totalSize());
acp = new ACPImpl();
acl = ACPImpl.newACL(ACL.LOCAL_ACL);
// make the ACE archived
Date now = new Date();
Calendar begin = new GregorianCalendar();
begin.setTimeInMillis(now.toInstant().minus(10, ChronoUnit.DAYS).toEpochMilli());
Calendar end = new GregorianCalendar();
end.setTimeInMillis(now.toInstant().minus(2, ChronoUnit.DAYS).toEpochMilli());
acl.add(ACE.builder("toto", SecurityConstants.READ).begin(begin).end(end).build());
acp.addACL(acl);
session.setACP(ref, acp, true);
TransactionHelper.commitOrRollbackTransaction();
waitForCompletion();
startTransaction();
docs =
ess.query(
new NxQueryBuilder(restrictedSession)
.nxql("select * from Document order by dc:title"));
Assert.assertEquals(0, docs.totalSize());
} finally {
restrictedSession.close();
}
}
protected void resetPermissions(DocumentModel doc, String userName) {
ACP acp = session.getACP(doc.getRef());
ACL localACL = acp.getOrCreateACL(ACL.LOCAL_ACL);
Iterator<ACE> localACLIt = localACL.iterator();
while (localACLIt.hasNext()) {
ACE ace = localACLIt.next();
if (userName.equals(ace.getUsername())) {
localACLIt.remove();
}
}
session.setACP(doc.getRef(), acp, true);
session.save();
}
protected void resetPermissions(DocumentRef docRef, String userName) {
ACP acp = session.getACP(docRef);
ACL localACL = acp.getOrCreateACL(ACL.LOCAL_ACL);
Iterator<ACE> localACLIt = localACL.iterator();
while (localACLIt.hasNext()) {
ACE ace = localACLIt.next();
if (userName.equals(ace.getUsername())) {
localACLIt.remove();
}
}
session.setACP(docRef, acp, true);
TransactionHelper.commitOrRollbackTransaction();
TransactionHelper.startTransaction();
}
/** Key to distinguish ACEs */
protected static String getACEkey(ACE ace) {
// TODO separate user/group
return ace.getUsername() + '|' + ace.getPermission();
}