@Test public void shouldDenyAccessOnUnsupportedACL() throws Exception { assumeTrue(session.isNegativeAclAllowed()); buildAndIndexTree(); DocumentModelList docs = ess.query(new NxQueryBuilder(session).nxql("select * from Document")); Assert.assertEquals(10, docs.totalSize()); // check for user with no rights CoreSession restrictedSession = getRestrictedSession("toto"); try { docs = ess.query(new NxQueryBuilder(restrictedSession).nxql("select * from Document")); Assert.assertEquals(0, docs.totalSize()); // add READ rights and check that user now has access DocumentRef ref = new PathRef("/folder0/folder1/folder2"); ACP acp = new ACPImpl(); ACL acl = ACPImpl.newACL(ACL.LOCAL_ACL); acl.add(new ACE("toto", SecurityConstants.READ, true)); acp.addACL(acl); session.setACP(ref, acp, true); TransactionHelper.commitOrRollbackTransaction(); waitForCompletion(); startTransaction(); docs = ess.query( new NxQueryBuilder(restrictedSession) .nxql("select * from Document order by dc:title")); Assert.assertEquals(8, docs.totalSize()); // Add an unsupported negative ACL ref = new PathRef("/folder0/folder1/folder2/folder3/folder4/folder5"); acp = new ACPImpl(); acl = ACPImpl.newACL(ACL.LOCAL_ACL); acl.add(new ACE("bob", SecurityConstants.EVERYTHING, false)); acp.addACL(acl); session.setACP(ref, acp, true); session.save(); TransactionHelper.commitOrRollbackTransaction(); waitForCompletion(); startTransaction(); docs = ess.query( new NxQueryBuilder(restrictedSession) .nxql("select * from Document order by dc:title")); // can view folder2, folder3 and folder4 Assert.assertEquals(3, docs.totalSize()); } finally { restrictedSession.close(); } }
@Test public void shouldStoreOnlyEffectiveACEs() throws Exception { buildAndIndexTree(); DocumentModelList docs = ess.query(new NxQueryBuilder(session).nxql("select * from Document")); Assert.assertEquals(10, docs.totalSize()); CoreSession restrictedSession = getRestrictedSession("toto"); try { docs = ess.query(new NxQueryBuilder(restrictedSession).nxql("select * from Document")); Assert.assertEquals(0, docs.totalSize()); DocumentRef ref = new PathRef("/folder0"); ACP acp = new ACPImpl(); ACL acl = ACPImpl.newACL(ACL.LOCAL_ACL); acl.add(ACE.builder("toto", SecurityConstants.READ).build()); acp.addACL(acl); session.setACP(ref, acp, true); TransactionHelper.commitOrRollbackTransaction(); waitForCompletion(); startTransaction(); docs = ess.query( new NxQueryBuilder(restrictedSession) .nxql("select * from Document order by dc:title")); Assert.assertEquals(10, docs.totalSize()); acp = new ACPImpl(); acl = ACPImpl.newACL(ACL.LOCAL_ACL); // make the ACE archived Date now = new Date(); Calendar begin = new GregorianCalendar(); begin.setTimeInMillis(now.toInstant().minus(10, ChronoUnit.DAYS).toEpochMilli()); Calendar end = new GregorianCalendar(); end.setTimeInMillis(now.toInstant().minus(2, ChronoUnit.DAYS).toEpochMilli()); acl.add(ACE.builder("toto", SecurityConstants.READ).begin(begin).end(end).build()); acp.addACL(acl); session.setACP(ref, acp, true); TransactionHelper.commitOrRollbackTransaction(); waitForCompletion(); startTransaction(); docs = ess.query( new NxQueryBuilder(restrictedSession) .nxql("select * from Document order by dc:title")); Assert.assertEquals(0, docs.totalSize()); } finally { restrictedSession.close(); } }
// security on versions, see TestLocalAPIWithCustomVersioning @Test public void testVersionSecurity() throws Exception { DocumentModel folder = new DocumentModelImpl("/", "folder", "Folder"); folder = session.createDocument(folder); ACP acp = new ACPImpl(); ACE ace = new ACE("princ1", "perm1", true); ACL acl = new ACLImpl("acl1", false); acl.add(ace); acp.addACL(acl); session.setACP(folder.getRef(), acp, true); DocumentModel file = new DocumentModelImpl("/folder", "file", "File"); file = session.createDocument(file); // set security acp = new ACPImpl(); ace = new ACE("princ2", "perm2", true); acl = new ACLImpl("acl2", false); acl.add(ace); acp.addACL(acl); session.setACP(file.getRef(), acp, true); session.save(); DocumentModel proxy = session.publishDocument(file, folder); DocumentModel version = session.getLastDocumentVersion(file.getRef()); session.save(); // check security on version acp = session.getACP(version.getRef()); ACL[] acls = acp.getACLs(); assertEquals(2, acls.length); acl = acls[0]; assertEquals(1, acl.size()); assertEquals("princ2", acl.get(0).getUsername()); acl = acls[1]; assertEquals(1 + 3, acl.size()); // 1 + 3 root defaults assertEquals("princ1", acl.get(0).getUsername()); // remove live document (there's a proxy so the version stays) session.removeDocument(file.getRef()); session.save(); // recheck security on version (works because we're administrator) acp = session.getACP(version.getRef()); assertNull(acp); // check proxy still accessible (in another session) try (CoreSession session2 = openSessionAs(SecurityConstants.ADMINISTRATOR)) { session2.getDocument(proxy.getRef()); } }
protected void setPermission( DocumentModel doc, String userName, String permission, boolean isGranted) { ACP acp = session.getACP(doc.getRef()); ACL localACL = acp.getOrCreateACL(ACL.LOCAL_ACL); localACL.add(new ACE(userName, permission, isGranted)); session.setACP(doc.getRef(), acp, true); session.save(); }
protected void resetPermissions(DocumentModel doc, String userName) { ACP acp = session.getACP(doc.getRef()); ACL localACL = acp.getOrCreateACL(ACL.LOCAL_ACL); Iterator<ACE> localACLIt = localACL.iterator(); while (localACLIt.hasNext()) { ACE ace = localACLIt.next(); if (userName.equals(ace.getUsername())) { localACLIt.remove(); } } session.setACP(doc.getRef(), acp, true); session.save(); }
protected void resetPermissions(DocumentRef docRef, String userName) { ACP acp = session.getACP(docRef); ACL localACL = acp.getOrCreateACL(ACL.LOCAL_ACL); Iterator<ACE> localACLIt = localACL.iterator(); while (localACLIt.hasNext()) { ACE ace = localACLIt.next(); if (userName.equals(ace.getUsername())) { localACLIt.remove(); } } session.setACP(docRef, acp, true); TransactionHelper.commitOrRollbackTransaction(); TransactionHelper.startTransaction(); }
@Test public void shouldFilterTreeOnSecurity() throws Exception { buildAndIndexTree(); DocumentModelList docs = ess.query(new NxQueryBuilder(session).nxql("select * from Document")); Assert.assertEquals(10, docs.totalSize()); // check for user with no rights startTransaction(); CoreSession restrictedSession = getRestrictedSession("toto"); try { docs = ess.query(new NxQueryBuilder(restrictedSession).nxql("select * from Document")); Assert.assertEquals(0, docs.totalSize()); // add READ rights and check that user now has access DocumentRef ref = new PathRef("/folder0/folder1/folder2"); ACP acp = new ACPImpl(); ACL acl = ACPImpl.newACL(ACL.LOCAL_ACL); acl.add(new ACE("toto", SecurityConstants.READ, true)); acp.addACL(acl); session.setACP(ref, acp, true); TransactionHelper.commitOrRollbackTransaction(); waitForCompletion(); if (syncMode) { // in sync we split recursive update into 2 commands: // 1 sync non recurse + 1 async recursive assertNumberOfCommandProcessed(9); } else { assertNumberOfCommandProcessed(8); } startTransaction(); docs = ess.query(new NxQueryBuilder(restrictedSession).nxql("select * from Document")); Assert.assertEquals(8, docs.totalSize()); // block rights and check that blocking is taken into account ref = new PathRef("/folder0/folder1/folder2/folder3/folder4/folder5"); acp = new ACPImpl(); acl = ACPImpl.newACL(ACL.LOCAL_ACL); acl.add(new ACE(SecurityConstants.EVERYONE, SecurityConstants.EVERYTHING, false)); acl.add(new ACE("Administrator", SecurityConstants.EVERYTHING, true)); acp.addACL(acl); session.setACP(ref, acp, true); session.save(); TransactionHelper.commitOrRollbackTransaction(); waitForCompletion(); if (syncMode) { assertNumberOfCommandProcessed(6); } else { assertNumberOfCommandProcessed(5); } startTransaction(); docs = ess.query(new NxQueryBuilder(restrictedSession).nxql("select * from Document")); Assert.assertEquals(3, docs.totalSize()); } finally { restrictedSession.close(); } }