示例#1
0
 @Override
 public void performAdditionalStatements(Connection connection) throws SQLException {
   // Warn user if BROWSE permissions has changed
   Set<String> dbPermissions = new HashSet<String>();
   String sql = "SELECT * FROM aclr_permission";
   Statement s = connection.createStatement();
   ResultSet rs = s.executeQuery(sql);
   while (rs.next()) {
     dbPermissions.add(rs.getString(1));
   }
   rs.close();
   s.close();
   Set<String> confPermissions = new HashSet<String>();
   SecurityService securityService = NXCore.getSecurityService();
   for (String perm : securityService.getPermissionsToCheck(SecurityConstants.BROWSE)) {
     confPermissions.add(perm);
   }
   if (!dbPermissions.equals(confPermissions)) {
     log.error(
         "Security permission for BROWSE has changed, you need to rebuild the optimized read acls:"
             + "DROP TABLE aclr_permission; DROP TABLE aclr; then restart.");
   }
 }
示例#2
0
 public void checkAccess(NuxeoPrincipal principal, String docAcl) {
   try {
     JSONObject docAclJson = new JSONObject(docAcl);
     JSONArray acl = docAclJson.getJSONObject("fields").getJSONArray("ecm:acl");
     String[] principals = SecurityService.getPrincipalsToCheck(principal);
     for (int i = 0; i < acl.length(); i++)
       for (String name : principals) {
         if (name.equals(acl.getString(i))) {
           return;
         }
       }
   } catch (JSONException e) {
     // throw a securityException
   }
   throw new SecurityException("Unauthorized access");
 }
  @Test
  public void testReadAclSecurity() {
    // Check that all permissions that contain Browse enable to list a
    // document using aclOptimization
    SecurityService securityService = NXCore.getSecurityService();
    String[] browsePermissions = securityService.getPermissionsToCheck(BROWSE);
    // Check for test permission contribution
    assertTrue(Arrays.asList(browsePermissions).contains("ViewTest"));
    List<String> docNames = new ArrayList<String>(browsePermissions.length);
    DocumentModel root = session.getRootDocument();
    for (String permission : browsePermissions) {
      // Create a folder with only the browse permission
      String name = "joe-has-" + permission + "-permission";
      docNames.add(name);
      DocumentModel folder = new DocumentModelImpl(root.getPathAsString(), name, "Folder");
      folder = session.createDocument(folder);
      ACP acp = folder.getACP();
      assertNotNull(acp); // the acp inherited from root is returned
      acp = new ACPImpl();
      ACL acl = new ACLImpl();
      acl.add(new ACE("joe", permission, true));
      acp.addACL(acl);
      folder.setACP(acp, true);
    }
    session.save();
    CoreSession joeSession = openSessionAs("joe");
    try {
      DocumentModelList list;
      list = joeSession.query("SELECT * FROM Folder");
      List<String> names = new ArrayList<String>();
      for (DocumentModel doc : list) {
        names.add(doc.getName());
      }
      assertEquals(
          "Expecting " + docNames + " got " + names, browsePermissions.length, list.size());

      list = joeSession.query("SELECT * FROM Folder WHERE ecm:isProxy = 0");
      names.clear();
      for (DocumentModel doc : list) {
        names.add(doc.getName());
      }
      assertEquals(
          "Expecting " + docNames + " got " + names, browsePermissions.length, list.size());

      // Add a new folder to update the read acls
      DocumentModel folder = new DocumentModelImpl(root.getPathAsString(), "new-folder", "Folder");
      folder = session.createDocument(folder);
      ACP acp = folder.getACP();
      assertNotNull(acp); // the acp inherited from root is returned
      acp = new ACPImpl();
      ACL acl = new ACLImpl();
      acl.add(new ACE("joe", browsePermissions[0], true));
      acl.add(new ACE("bob", browsePermissions[0], true));
      acp.addACL(acl);
      folder.setACP(acp, true);
      session.save();

      list = joeSession.query("SELECT * FROM Folder");
      assertEquals(browsePermissions.length + 1, list.size());

    } finally {
      closeSession(joeSession);
    }
  }