示例#1
0
 @Override
 public ACP getMergedACP(Document doc) {
   Document base = doc.isVersion() ? doc.getSourceDocument() : doc;
   if (base == null) {
     return null;
   }
   ACP acp = getACP(base);
   if (doc.getParent() == null) {
     return acp;
   }
   // get inherited acls only if no blocking inheritance ACE exists in the top level acp.
   ACL acl = null;
   if (acp == null
       || acp.getAccess(SecurityConstants.EVERYONE, SecurityConstants.EVERYTHING) != Access.DENY) {
     acl = getInheritedACLs(doc);
   }
   if (acp == null) {
     if (acl == null) {
       return null;
     }
     acp = new ACPImpl();
   }
   if (acl != null) {
     acp.addACL(acl);
   }
   return acp;
 }
示例#2
0
 protected ACL getInheritedACLs(Document doc) {
   doc = doc.getParent();
   ACL merged = null;
   while (doc != null) {
     ACP acp = getACP(doc);
     if (acp != null) {
       ACL acl = acp.getMergedACLs(ACL.INHERITED_ACL);
       if (merged == null) {
         merged = acl;
       } else {
         merged.addAll(acl);
       }
       if (acp.getAccess(SecurityConstants.EVERYONE, SecurityConstants.EVERYTHING)
           == Access.DENY) {
         break;
       }
     }
     doc = doc.getParent();
   }
   return merged;
 }
  @Test
  public void testSecurity() {
    // temporary set an Everything privileges on the root for anonymous
    // so that we can create a folder
    setPermissionToAnonymous(EVERYTHING);

    CoreSession anonSession = openSessionAs("anonymous");
    try {
      DocumentModel root = anonSession.getRootDocument();

      DocumentModel folder = new DocumentModelImpl(root.getPathAsString(), "folder#1", "Folder");
      folder = anonSession.createDocument(folder);

      ACP acp = folder.getACP();
      assertNotNull(acp); // the acp inherited from root is returned

      acp = new ACPImpl();

      ACL acl = new ACLImpl();
      acl.add(new ACE("a", "Read", true));
      acl.add(new ACE("b", "Write", true));
      acp.addACL(acl);

      folder.setACP(acp, true);

      acp = folder.getACP();

      assertNotNull(acp);

      assertEquals("a", acp.getACL(ACL.LOCAL_ACL).get(0).getUsername());
      assertEquals("b", acp.getACL(ACL.LOCAL_ACL).get(1).getUsername());

      assertSame(GRANT, acp.getAccess("a", "Read"));
      assertSame(UNKNOWN, acp.getAccess("a", "Write"));
      assertSame(GRANT, acp.getAccess("b", "Write"));
      assertSame(UNKNOWN, acp.getAccess("b", "Read"));
      assertSame(UNKNOWN, acp.getAccess("c", "Read"));
      assertSame(UNKNOWN, acp.getAccess("c", "Write"));

      // insert a deny Write ACE before the GRANT

      acp.getACL(ACL.LOCAL_ACL).add(0, new ACE("b", "Write", false));
      // store changes
      folder.setACP(acp, true);
      // refetch ac
      acp = folder.getACP();
      // check perms now
      assertSame(GRANT, acp.getAccess("a", "Read"));
      assertSame(UNKNOWN, acp.getAccess("a", "Write"));
      assertSame(DENY, acp.getAccess("b", "Write"));
      assertSame(UNKNOWN, acp.getAccess("b", "Read"));
      assertSame(UNKNOWN, acp.getAccess("c", "Read"));
      assertSame(UNKNOWN, acp.getAccess("c", "Write"));

      // create a child document and grant on it the write for b

      // remove anonymous Everything privileges on the root
      // so that it not influence test results
      removePermissionToAnonymous();
      anonSession.save(); // process invalidations

      try {
        DocumentModel folder2 =
            new DocumentModelImpl(folder.getPathAsString(), "folder#2", "Folder");
        folder2 = anonSession.createDocument(folder2);
        fail("privilege is granted but should not be");
      } catch (DocumentSecurityException e) {
        // ok
      }

      setPermissionToAnonymous(EVERYTHING);
      anonSession.save(); // process invalidations

      root = anonSession.getRootDocument();

      // and try again - this time it should work
      DocumentModel folder2 = new DocumentModelImpl(folder.getPathAsString(), "folder#2", "Folder");
      folder2 = anonSession.createDocument(folder2);

      ACP acp2 = new ACPImpl();
      acl = new ACLImpl();
      acl.add(new ACE("b", "Write", true));
      acp2.addACL(acl);

      folder2.setACP(acp2, true);
      acp2 = folder2.getACP();

      assertSame(GRANT, acp2.getAccess("a", "Read"));
      assertSame(UNKNOWN, acp2.getAccess("a", "Write"));
      assertSame(GRANT, acp2.getAccess("b", "Write"));
      assertSame(UNKNOWN, acp2.getAccess("b", "Read"));
      assertSame(UNKNOWN, acp2.getAccess("c", "Read"));
      assertSame(UNKNOWN, acp2.getAccess("c", "Write"));

      // remove anonymous Everything privileges on the root
      // so that it not influence test results
      removePermissionToAnonymous();
      anonSession.save(); // process invalidations

      setPermissionToEveryone(WRITE, REMOVE, ADD_CHILDREN, REMOVE_CHILDREN, READ);
      root = anonSession.getRootDocument();

      DocumentModel folder3 = new DocumentModelImpl(folder.getPathAsString(), "folder#3", "Folder");
      folder3 = anonSession.createDocument(folder3);

      anonSession.removeDocument(folder3.getRef());

      removePermissionToEveryone();
      setPermissionToEveryone(REMOVE);
      anonSession.save(); // process invalidations

      try {
        folder3 = new DocumentModelImpl(folder.getPathAsString(), "folder#3", "Folder");
        folder3 = anonSession.createDocument(folder3);
        fail();
      } catch (Exception e) {

      }
    } finally {
      closeSession(anonSession);
    }
  }