public CurrentDetails(SessionCache cache) { this.cache = cache; this.roles = new Roles(); this.sysTypes = new SystemTypes(roles); this.adminPrivileges = new LightAdminPrivileges(roles); this.managedRepoUuids = Collections.emptySet(); this.scriptRepoUuids = Collections.emptySet(); }
/** * */ public boolean allowLoad(Session session, Class<? extends IObject> klass, Details d, long id) { Assert.notNull(klass); // Assert.notNull(d); if (d == null || sysTypes.isSystemType(klass) || sysTypes.isInSystemGroup(d)) { return true; } long sessionID = cd.getCurrentEventContext().getCurrentShareId(); ShareData data = store.get(sessionID); if (data.enabled) { return store.contains(sessionID, klass, id); } return false; }
public boolean isInUserGroup(Details d) { if (d == null || d.getGroup() == null) { return false; } Long groupId = d.getGroup().getId(); return isInUserGroup(groupId); } }
if (d == null || sysTypes.isSystemType(klass)) { if (sysTypes.isInSystemGroup(d) || sysTypes.isInUserGroup(d)) { rv = true;
/** * classes which cannot be created by regular users. * * @see <a * href="https://trac.openmicroscopy.org/ome/ticket/156">ticket156</a> */ public boolean isSystemType(Class<? extends IObject> klass) { return sysTypes.isSystemType(klass); }
final boolean sysType = sysTypes.isSystemType(obj.getClass()); final Set<AdminPrivilege> privileges = bec.getCurrentAdminPrivileges(); .getCurrentGroupPermissions(); boolean isInUsrGrp = sysTypes.isInUserGroup(newDetails); if (groupPerms.identical(source.getPermissions())) { } else if (!sysTypes.isSystemType(obj.getClass())) { if (isInUsrGrp) {
public boolean isInSystemGroup(Details d) { if (d == null || d.getGroup() == null) { return false; } Long groupId = d.getGroup().getId(); return isInSystemGroup(groupId); }
if (sysTypes.isSystemType(changedObject.getClass()) || sysTypes.isInSystemGroup(changedObject.getDetails())) { return rv; if (sysTypes.isSystemType(linkedObject.getClass()) || sysTypes.isInSystemGroup(linkedObject.getDetails()) || sysTypes.isInUserGroup(linkedObject.getDetails())) { continue;
public void throwUpdateViolation(IObject iObject) throws SecurityViolation { Assert.notNull(iObject); boolean sysType = sysTypes.isSystemType(iObject.getClass()); if (!sysType && currentUser.isGraphCritical(iObject.getDetails())) { // ticket:1769 throw new GroupSecurityViolation(iObject +"-modification violates " + "group-security."); } throw new SecurityViolation("Updating " + iObject + " not allowed."); }
final boolean sysType = sysTypes.isSystemType(iObject.getClass()); final boolean sysTypeOrUsrGroup = sysType || sysTypes.isInUserGroup(d);
public void throwCreationViolation(IObject iObject) throws SecurityViolation { Assert.notNull(iObject); boolean sysType = sysTypes.isSystemType(iObject.getClass()); if (sysType) { throw new SecurityViolation(iObject + " is a System-type, and may be created only through privileged APIs."); } else if (iObject instanceof OriginalFile && ((OriginalFile) iObject).getRepo() != null) { /* Cannot yet set OriginalFile.repo except via secret key stored in database. */ throw new SecurityViolation("cannot set repo property of " + iObject + " via ORM"); } else if (currentUser.isGraphCritical(iObject.getDetails())) { // ticket:1769 throw new GroupSecurityViolation(iObject + "-insertion violates " + "group-security."); } else { throw new SecurityViolation("not permitted to create " + iObject); } }
/** * Simplified factory method which generates all the security primitives * internally. Primarily useful for generated testing instances. * @param sm the session manager * @param sf the session factory * @param cache the session cache * @return a configured security system */ public static BasicSecuritySystem selfConfigure(SessionManager sm, ServiceFactory sf, SessionCache cache) { CurrentDetails cd = new CurrentDetails(cache); SystemTypes st = new SystemTypes(); TokenHolder th = new TokenHolder(); Roles roles = new Roles(); final SessionProvider sessionProvider = new SessionProviderInMemory(roles, new NodeProviderInMemory(""), null); final OmeroInterceptor oi = new OmeroInterceptor(roles, st, new ExtendedMetadata.Impl(), cd, th, new PerSessionStats(cd), new LightAdminPrivileges(roles), null, new HashSet<String>(), new HashSet<String>()); SecurityFilterHolder holder = new SecurityFilterHolder( cd, new OneGroupSecurityFilter(roles), new AllGroupsSecurityFilter(null, roles), new SharingSecurityFilter(roles, null)); BasicSecuritySystem sec = new BasicSecuritySystem(oi, st, cd, sm, sessionProvider, new EventProviderInMemory(), roles, sf, new TokenHolder(), Collections.<SecurityFilter>singletonList(holder), new DefaultPolicyService(), new BasicACLVoter(cd, st, th, holder, sessionProvider, new ReadOnlyStatus(false, false))); return sec; }
@SuppressWarnings({ "unchecked", "rawtypes" }) public Object[] getChecks(IObject obj, String permissions) { ExperimenterGroup trusted = load(obj); if (!voter.allowChmod(trusted)) { throw new SecurityViolation("chmod not permitted"); } PermDrop drop = new PermDrop(trusted, permissions); if (!drop.found()) { return new Object[0]; // none needed. } List<Object> checks = new ArrayList<Object>(); Collection<String> classeNames = em.getClasses(); for (String className : classeNames) { Class k = em.getHibernateClass(className); if (voter.sysTypes.isSystemType(k)) { continue; // Skip experimenters, etc. } String[][] lockChecks = em.getLockChecks(k); checks.add(new Check(trusted.getId(), permissions, k, lockChecks, drop)); } return checks.toArray(new Object[checks.size()]); }
if (sysTypes.isSystemType(iObject.getClass())) { if (iObject instanceof Experimenter) { return privileges.contains(adminPrivileges.getPrivilege(AdminPrivilege.VALUE_MODIFY_USER));
boolean sysType = sysTypes.isSystemType(cls);
final boolean isSysType = sysTypes.isSystemType(object.getClass()); final Set<AdminPrivilege> privileges = ec.getCurrentAdminPrivileges();
final boolean sysType = sysTypes.isSystemType(iobj.getClass());