@Test
public void shouldDenyAccessOnUnsupportedACL() throws Exception {
assumeTrue(session.isNegativeAclAllowed());
buildAndIndexTree();
DocumentModelList docs = ess.query(new NxQueryBuilder(session).nxql("select * from Document"));
Assert.assertEquals(10, docs.totalSize());
// check for user with no rights
CoreSession restrictedSession = getRestrictedSession("toto");
try {
docs = ess.query(new NxQueryBuilder(restrictedSession).nxql("select * from Document"));
Assert.assertEquals(0, docs.totalSize());
// add READ rights and check that user now has access
DocumentRef ref = new PathRef("/folder0/folder1/folder2");
ACP acp = new ACPImpl();
ACL acl = ACPImpl.newACL(ACL.LOCAL_ACL);
acl.add(new ACE("toto", SecurityConstants.READ, true));
acp.addACL(acl);
session.setACP(ref, acp, true);
TransactionHelper.commitOrRollbackTransaction();
waitForCompletion();
startTransaction();
docs =
ess.query(
new NxQueryBuilder(restrictedSession)
.nxql("select * from Document order by dc:title"));
Assert.assertEquals(8, docs.totalSize());
// Add an unsupported negative ACL
ref = new PathRef("/folder0/folder1/folder2/folder3/folder4/folder5");
acp = new ACPImpl();
acl = ACPImpl.newACL(ACL.LOCAL_ACL);
acl.add(new ACE("bob", SecurityConstants.EVERYTHING, false));
acp.addACL(acl);
session.setACP(ref, acp, true);
session.save();
TransactionHelper.commitOrRollbackTransaction();
waitForCompletion();
startTransaction();
docs =
ess.query(
new NxQueryBuilder(restrictedSession)
.nxql("select * from Document order by dc:title"));
// can view folder2, folder3 and folder4
Assert.assertEquals(3, docs.totalSize());
} finally {
restrictedSession.close();
}
}
@Test
public void shouldStoreOnlyEffectiveACEs() throws Exception {
buildAndIndexTree();
DocumentModelList docs = ess.query(new NxQueryBuilder(session).nxql("select * from Document"));
Assert.assertEquals(10, docs.totalSize());
CoreSession restrictedSession = getRestrictedSession("toto");
try {
docs = ess.query(new NxQueryBuilder(restrictedSession).nxql("select * from Document"));
Assert.assertEquals(0, docs.totalSize());
DocumentRef ref = new PathRef("/folder0");
ACP acp = new ACPImpl();
ACL acl = ACPImpl.newACL(ACL.LOCAL_ACL);
acl.add(ACE.builder("toto", SecurityConstants.READ).build());
acp.addACL(acl);
session.setACP(ref, acp, true);
TransactionHelper.commitOrRollbackTransaction();
waitForCompletion();
startTransaction();
docs =
ess.query(
new NxQueryBuilder(restrictedSession)
.nxql("select * from Document order by dc:title"));
Assert.assertEquals(10, docs.totalSize());
acp = new ACPImpl();
acl = ACPImpl.newACL(ACL.LOCAL_ACL);
// make the ACE archived
Date now = new Date();
Calendar begin = new GregorianCalendar();
begin.setTimeInMillis(now.toInstant().minus(10, ChronoUnit.DAYS).toEpochMilli());
Calendar end = new GregorianCalendar();
end.setTimeInMillis(now.toInstant().minus(2, ChronoUnit.DAYS).toEpochMilli());
acl.add(ACE.builder("toto", SecurityConstants.READ).begin(begin).end(end).build());
acp.addACL(acl);
session.setACP(ref, acp, true);
TransactionHelper.commitOrRollbackTransaction();
waitForCompletion();
startTransaction();
docs =
ess.query(
new NxQueryBuilder(restrictedSession)
.nxql("select * from Document order by dc:title"));
Assert.assertEquals(0, docs.totalSize());
} finally {
restrictedSession.close();
}
}
// security on versions, see TestLocalAPIWithCustomVersioning
@Test
public void testVersionSecurity() throws Exception {
DocumentModel folder = new DocumentModelImpl("/", "folder", "Folder");
folder = session.createDocument(folder);
ACP acp = new ACPImpl();
ACE ace = new ACE("princ1", "perm1", true);
ACL acl = new ACLImpl("acl1", false);
acl.add(ace);
acp.addACL(acl);
session.setACP(folder.getRef(), acp, true);
DocumentModel file = new DocumentModelImpl("/folder", "file", "File");
file = session.createDocument(file);
// set security
acp = new ACPImpl();
ace = new ACE("princ2", "perm2", true);
acl = new ACLImpl("acl2", false);
acl.add(ace);
acp.addACL(acl);
session.setACP(file.getRef(), acp, true);
session.save();
DocumentModel proxy = session.publishDocument(file, folder);
DocumentModel version = session.getLastDocumentVersion(file.getRef());
session.save();
// check security on version
acp = session.getACP(version.getRef());
ACL[] acls = acp.getACLs();
assertEquals(2, acls.length);
acl = acls[0];
assertEquals(1, acl.size());
assertEquals("princ2", acl.get(0).getUsername());
acl = acls[1];
assertEquals(1 + 3, acl.size()); // 1 + 3 root defaults
assertEquals("princ1", acl.get(0).getUsername());
// remove live document (there's a proxy so the version stays)
session.removeDocument(file.getRef());
session.save();
// recheck security on version (works because we're administrator)
acp = session.getACP(version.getRef());
assertNull(acp);
// check proxy still accessible (in another session)
try (CoreSession session2 = openSessionAs(SecurityConstants.ADMINISTRATOR)) {
session2.getDocument(proxy.getRef());
}
}
protected void setPermission(
DocumentModel doc, String userName, String permission, boolean isGranted) {
ACP acp = session.getACP(doc.getRef());
ACL localACL = acp.getOrCreateACL(ACL.LOCAL_ACL);
localACL.add(new ACE(userName, permission, isGranted));
session.setACP(doc.getRef(), acp, true);
session.save();
}
protected void resetPermissions(DocumentModel doc, String userName) {
ACP acp = session.getACP(doc.getRef());
ACL localACL = acp.getOrCreateACL(ACL.LOCAL_ACL);
Iterator<ACE> localACLIt = localACL.iterator();
while (localACLIt.hasNext()) {
ACE ace = localACLIt.next();
if (userName.equals(ace.getUsername())) {
localACLIt.remove();
}
}
session.setACP(doc.getRef(), acp, true);
session.save();
}
protected void resetPermissions(DocumentRef docRef, String userName) {
ACP acp = session.getACP(docRef);
ACL localACL = acp.getOrCreateACL(ACL.LOCAL_ACL);
Iterator<ACE> localACLIt = localACL.iterator();
while (localACLIt.hasNext()) {
ACE ace = localACLIt.next();
if (userName.equals(ace.getUsername())) {
localACLIt.remove();
}
}
session.setACP(docRef, acp, true);
TransactionHelper.commitOrRollbackTransaction();
TransactionHelper.startTransaction();
}
@Test
public void shouldFilterTreeOnSecurity() throws Exception {
buildAndIndexTree();
DocumentModelList docs = ess.query(new NxQueryBuilder(session).nxql("select * from Document"));
Assert.assertEquals(10, docs.totalSize());
// check for user with no rights
startTransaction();
CoreSession restrictedSession = getRestrictedSession("toto");
try {
docs = ess.query(new NxQueryBuilder(restrictedSession).nxql("select * from Document"));
Assert.assertEquals(0, docs.totalSize());
// add READ rights and check that user now has access
DocumentRef ref = new PathRef("/folder0/folder1/folder2");
ACP acp = new ACPImpl();
ACL acl = ACPImpl.newACL(ACL.LOCAL_ACL);
acl.add(new ACE("toto", SecurityConstants.READ, true));
acp.addACL(acl);
session.setACP(ref, acp, true);
TransactionHelper.commitOrRollbackTransaction();
waitForCompletion();
if (syncMode) {
// in sync we split recursive update into 2 commands:
// 1 sync non recurse + 1 async recursive
assertNumberOfCommandProcessed(9);
} else {
assertNumberOfCommandProcessed(8);
}
startTransaction();
docs = ess.query(new NxQueryBuilder(restrictedSession).nxql("select * from Document"));
Assert.assertEquals(8, docs.totalSize());
// block rights and check that blocking is taken into account
ref = new PathRef("/folder0/folder1/folder2/folder3/folder4/folder5");
acp = new ACPImpl();
acl = ACPImpl.newACL(ACL.LOCAL_ACL);
acl.add(new ACE(SecurityConstants.EVERYONE, SecurityConstants.EVERYTHING, false));
acl.add(new ACE("Administrator", SecurityConstants.EVERYTHING, true));
acp.addACL(acl);
session.setACP(ref, acp, true);
session.save();
TransactionHelper.commitOrRollbackTransaction();
waitForCompletion();
if (syncMode) {
assertNumberOfCommandProcessed(6);
} else {
assertNumberOfCommandProcessed(5);
}
startTransaction();
docs = ess.query(new NxQueryBuilder(restrictedSession).nxql("select * from Document"));
Assert.assertEquals(3, docs.totalSize());
} finally {
restrictedSession.close();
}
}