/**
 * Returns a new ACE carrying the same username, permission, grant flag, creator, validity window and
 * context data as this one. The copy goes through the constructor rather than {@code super.clone()},
 * so every field that is copied is listed explicitly.
 */
@Override
public Object clone() {
    ACE copy = new ACE(username, permission, isGranted, creator, begin, end, contextData);
    return copy;
}
/**
 * Resolves the access this ACE yields for any of the given principals and permissions. Principals are
 * scanned in order; the permissions are examined only for a principal that matches, and the first
 * matching (principal, permission) pair decides.
 *
 * @param ace the entry under evaluation
 * @param principals candidate principal names, tested with {@code principalsMatch}
 * @param permissions candidate permission names, tested with {@code permissionsMatch}
 * @return {@link Access#GRANT} or {@link Access#DENY} according to the entry's grant flag when a pair
 *         matches, {@link Access#UNKNOWN} when nothing matches
 */
public static Access getAccess(ACE ace, String[] principals, String[] permissions) {
    String acePerm = ace.getPermission();
    String aceUser = ace.getUsername();
    for (String principal : principals) {
        if (!principalsMatch(aceUser, principal)) {
            continue;
        }
        // Only a matching principal pays for the permission scan.
        for (String permission : permissions) {
            if (permissionsMatch(acePerm, permission)) {
                return ace.isGranted() ? Access.GRANT : Access.DENY;
            }
        }
    }
    return Access.UNKNOWN;
}
/**
 * Blocks ACL inheritance. When the ACL does not yet hold {@link ACE#BLOCK}, appends an EVERYTHING grant
 * for {@code username} (created by {@code username}), then the admin EVERYTHING entries, then the BLOCK
 * marker, and stores the result through {@code setACEs}.
 *
 * @param username the user who keeps full rights once inheritance is blocked
 * @return {@code true} when the ACL was modified, {@code false} when it already contained BLOCK
 */
@Override
public boolean blockInheritance(String username) {
    List<ACE> entries = Lists.newArrayList(getACEs());
    if (entries.contains(ACE.BLOCK)) {
        return false;
    }
    ACE ownerEverything = ACE.builder(username, SecurityConstants.EVERYTHING).creator(username).build();
    entries.add(ownerEverything);
    entries.addAll(getAdminEverythingACES());
    entries.add(ACE.BLOCK);
    setACEs(entries.toArray(new ACE[entries.size()]));
    return true;
}
/**
 * Constructs an ACE for a given username, permission, specifying whether to grant or deny it, creator user,
 * begin and end date.
 *
 * @param username the principal the entry applies to
 * @param permission the permission name
 * @param isGranted {@code true} to grant, {@code false} to deny
 * @param creator the user who created the entry
 * @param begin start of validity, or {@code null}; stored through {@code setBegin}
 * @param end end of validity, or {@code null}; stored through {@code setEnd}
 * @param contextData extra data, copied into a new map when non-null
 * @throws IllegalArgumentException when both dates are given and {@code begin} is after {@code end}
 * @since 7.4
 */
ACE(String username, String permission, boolean isGranted, String creator, Calendar begin, Calendar end,
        Map<String, Serializable> contextData) {
    this.username = username;
    this.permission = permission;
    this.isGranted = isGranted;
    this.creator = creator;
    setBegin(begin);
    setEnd(end);
    if (contextData != null) {
        // Defensive copy: the caller's map is not retained.
        this.contextData = new HashMap<>(contextData);
    }
    boolean hasWindow = begin != null && end != null;
    if (hasWindow && begin.after(end)) {
        throw new IllegalArgumentException("'begin' date cannot be after 'end' date");
    }
}
/** Key to distinguish ACEs: the username and the permission joined by {@code '|'}. */
protected static String getACEkey(ACE ace) {
    // TODO separate user/group
    StringBuilder key = new StringBuilder();
    key.append(ace.getUsername()).append('|').append(ace.getPermission());
    return key.toString();
}
/**
 * Appends the row form of {@code ace} to {@code aclrows}, positioned at the current row count.
 * An ACE without a username is skipped.
 *
 * @param aclrows the rows collected so far; grows by at most one
 * @param name the ACL name recorded on the row
 * @param ace the entry to convert
 */
protected static void addACLRow(List<ACLRow> aclrows, String name, ACE ace) {
    // XXX should prefix user/group
    String user = ace.getUsername();
    if (user == null) {
        // JCR implementation logs null and skips it
        return;
    }
    String group = null; // XXX all in user for now
    int position = aclrows.size();
    ACLRow row = new ACLRow(position, name, ace.isGranted(), ace.getPermission(), user, group,
            ace.getCreator(), ace.getBegin(), ace.getEnd(), ace.getLongStatus());
    aclrows.add(row);
}
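/**
 * Writes the ACP as an {@code "acl"} array: one object per ACL ({@code name} plus an {@code "ace"} array),
 * each ACE carrying id, username, permission, granted, creator, begin/end (W3C date-time string or null)
 * and status.
 *
 * @param acp the access control policy to serialise
 * @param jg the generator to write into; the caller owns it
 * @throws IOException if the generator fails to write
 */
@Override
protected void writeEntityBody(ACP acp, JsonGenerator jg) throws IOException {
    jg.writeArrayFieldStart("acl");
    for (ACL acl : acp.getACLs()) {
        jg.writeStartObject();
        jg.writeStringField("name", acl.getName());
        jg.writeArrayFieldStart("ace");
        for (ACE ace : acl.getACEs()) {
            writeAceObject(ace, jg);
        }
        jg.writeEndArray();
        jg.writeEndObject();
    }
    jg.writeEndArray();
}

/** Writes one ACE object; unset dates are emitted as null. */
private static void writeAceObject(ACE ace, JsonGenerator jg) throws IOException {
    jg.writeStartObject();
    jg.writeStringField("id", ace.getId());
    jg.writeStringField("username", ace.getUsername());
    jg.writeStringField("permission", ace.getPermission());
    jg.writeBooleanField("granted", ace.isGranted());
    jg.writeStringField("creator", ace.getCreator());
    jg.writeStringField("begin",
            ace.getBegin() != null ? DateParser.formatW3CDateTime(ace.getBegin().getTime()) : null);
    jg.writeStringField("end",
            ace.getEnd() != null ? DateParser.formatW3CDateTime(ace.getEnd().getTime()) : null);
    // The status is a wire-format token: lowercase it independently of the JVM default locale
    // (a default String.toLowerCase() would, e.g., turn "I" into a dotless i under a Turkish locale).
    jg.writeStringField("status", ace.getStatus().toString().toLowerCase(java.util.Locale.ROOT));
    jg.writeEndObject();
}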
outerloop: for (ACL acl : acp.getACLs()) { for (ACE ace : acl.getACEs()) { if (ace.isGranted() && ace.isEffective() && browsePermissions.contains(ace.getPermission())) { jg.writeString(ace.getUsername()); if (ace.isDenied() && ace.isEffective()) { if (!EVERYONE.equals(ace.getUsername())) { jg.writeString(UNSUPPORTED_ACL);
ACE currentUserAce = new ACE(principal.getName(), SecurityConstants.WRITE, true); if(ACE.BLOCK.equals(ace)){ acesList.add(currentUserAce); acesList.add(ACE.BLOCK); } else { String username = ace.getUsername(); DocumentModel userModel = getUserManager().getUserModel(username);
if (currentActors.contains(ace.getUsername()) || taskInitator.equals(ace.getUsername())) { toRemove.add(ace); acl.add(new ACE(actorId, SecurityConstants.EVERYTHING, true));
/** Delegates to the string overload, using the ACE's username as the principal under test. */
private static boolean principalsMatch(ACE ace, String principal) {
    return principalsMatch(ace.getUsername(), principal);
}
for (ACL acl : acp.getACLs()) { for (ACE ace : acl) { if (username.equals(ace.getUsername())) { Calendar now = new GregorianCalendar(); ace.setEnd(now); changed = true;
for (ACL acl : acpParent.getACLs()) { for (ACE ace : acl.getACEs()) { if (ace.isGranted() && !lstPerm.contains(ace.getPermission())) {
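/**
 * Removes the public READ entry ({@code SecurityConstants.EVERYONE} / {@code SecurityConstants.READ}) from
 * the local ACL of {@code sourceDocument}, then hands the resulting ACP, together with the document's proxy,
 * to an {@code UnrestrictedAcpSetter} that is run unrestricted. Every entry equal to the public ACE is
 * removed, so duplicated public entries are cleared as well.
 *
 * @param session the session used to resolve the proxy and read the ACP
 * @param sourceDocument the document whose local ACL is cleaned
 */
public void removePublicAce(CoreSession session, DocumentModel sourceDocument) {
    DocumentModel proxy = ToutaticeDocumentHelper.getProxy(session, sourceDocument, SecurityConstants.READ);

    ACP acp = session.getACP(sourceDocument.getRef());
    ACL acl = acp.getOrCreateACL(ACL.LOCAL_ACL);

    // Iterate explicitly rather than removing a single match: duplicates must all go.
    ACE publicAce = new ACE(SecurityConstants.EVERYONE, SecurityConstants.READ);
    for (Iterator<ACE> it = acl.iterator(); it.hasNext();) {
        if (publicAce.equals(it.next())) {
            it.remove();
        }
    }

    UnrestrictedAcpSetter setter = new UnrestrictedAcpSetter(session, proxy, acp);
    setter.runUnrestricted();
}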
/**
 * Tells whether the ACE's permission covers {@code permission}: either they are equal (null-safe), or the
 * ACE holds EVERYTHING and the requested permission is not RESTRICTED_READ.
 */
private static boolean permissionsMatch(ACE ace, String permission) {
    String acePerm = ace.getPermission();
    // RESTRICTED_READ needs special handling, is not implied by EVERYTHING.
    boolean restrictedRead = SecurityConstants.RESTRICTED_READ.equals(permission);
    boolean impliedByEverything = !restrictedRead && SecurityConstants.EVERYTHING.equals(acePerm);
    return impliedByEverything || StringUtils.equals(acePerm, permission);
}
/**
 * Resolves access for a principal/permission pair, memoising the answer in {@code cache} under the key
 * {@code principal + ':' + permission}. On a cache miss the ACLs are scanned in order and the first ACE
 * whose permission and principal both match decides; no match yields {@link Access#UNKNOWN}.
 */
@Override
public Access getAccess(String principal, String permission) {
    String key = principal + ':' + permission;
    Access cached = cache.get(key);
    if (cached != null) {
        return cached;
    }
    Access resolved = resolveAccess(principal, permission);
    cache.put(key, resolved);
    return resolved;
}

/** Scans {@code acls} for the first matching ACE; UNKNOWN when none matches. */
private Access resolveAccess(String principal, String permission) {
    for (ACL acl : acls) {
        for (ACE ace : acl) {
            if (permissionsMatch(ace, permission) && principalsMatch(ace, principal)) {
                return ace.isGranted() ? Access.GRANT : Access.DENY;
            }
        }
    }
    return Access.UNKNOWN;
}
/**
 * Replaces the ACE identified by {@code id} in ACL {@code aclName} of {@code doc} with a fresh entry built
 * from {@code user}/{@code permission}, the session principal as creator, the {@code begin}/{@code end}
 * window and a context map carrying the notify flag and the comment.
 *
 * @param doc the document whose ACL is updated
 */
protected void replacePermission(DocumentModel doc) {
    Map<String, Serializable> contextData = new HashMap<>();
    contextData.put(NOTIFY_KEY, notify);
    contextData.put(COMMENT_KEY, comment);

    ACE previous = ACE.fromId(id);
    String creator = session.getPrincipal().getName();
    ACE replacement = ACE.builder(user, permission)
            .creator(creator)
            .begin(begin)
            .end(end)
            .contextData(contextData)
            .build();
    session.replaceACE(doc.getRef(), aclName, previous, replacement);
}
/**
 * Serialises {@code acp} under {@code element}: one {@code ACL_TAG} child per ACL carrying {@code NAME_ATTR},
 * and one {@code ACE_TAG} child per ACE carrying principal, permission, grant, creator and, only when set,
 * begin/end as W3C date-time strings. Despite its name, this method writes the ACP into the element.
 *
 * @param element the parent element that receives the ACL children
 * @param acp the policy to export
 */
protected static void readACP(Element element, ACP acp) {
    for (ACL acl : acp.getACLs()) {
        Element aclElement = element.addElement(ExportConstants.ACL_TAG);
        aclElement.addAttribute(ExportConstants.NAME_ATTR, acl.getName());
        for (ACE ace : acl.getACEs()) {
            addAceElement(aclElement, ace);
        }
    }
}

/** Adds one ACE_TAG element describing {@code ace} under {@code aclElement}. */
private static void addAceElement(Element aclElement, ACE ace) {
    Element aceElement = aclElement.addElement(ExportConstants.ACE_TAG);
    aceElement.addAttribute(ExportConstants.PRINCIPAL_ATTR, ace.getUsername());
    aceElement.addAttribute(ExportConstants.PERMISSION_ATTR, ace.getPermission());
    aceElement.addAttribute(ExportConstants.GRANT_ATTR, String.valueOf(ace.isGranted()));
    aceElement.addAttribute(ExportConstants.CREATOR_ATTR, ace.getCreator());
    Calendar begin = ace.getBegin();
    if (begin != null) {
        aceElement.addAttribute(ExportConstants.BEGIN_ATTR, DateParser.formatW3CDateTime(begin.getTime()));
    }
    Calendar end = ace.getEnd();
    if (end != null) {
        aceElement.addAttribute(ExportConstants.END_ATTR, DateParser.formatW3CDateTime(end.getTime()));
    }
}
/**
 * Gets IANs of given activity: the usernames of every ACE, across all ACLs of the document's ACP, whose
 * permission is {@code CartoSecurityConstants.MANAGE_DUN}.
 *
 * @param session not used by this method; kept for the existing signature
 * @param doc the activity document whose ACP is inspected
 * @return login and groups of IANs of activity, in ACL order; duplicates are not removed
 */
public List<String> getIans(CoreSession session, DocumentModel doc) {
    List<String> ians = new ArrayList<>();
    ACP acp = doc.getACP();
    for (ACL acl : acp.getACLs()) {
        for (ACE ace : acl.getACEs()) {
            boolean managesDun = CartoSecurityConstants.MANAGE_DUN.equals(ace.getPermission());
            if (managesDun) {
                ians.add(ace.getUsername());
            }
        }
    }
    return ians;
}
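/**
 * Removes every ACE whose username equals {@code username} and stores the remaining entries through
 * {@code setACEs}, which is called even when nothing was removed. The comparison is null-safe: an ACE
 * with a {@code null} username no longer causes a NullPointerException, and {@code removeByUsername(null)}
 * removes exactly those entries.
 *
 * @param username the principal whose entries are dropped; may be {@code null}
 * @return {@code true} when at least one entry was removed
 */
@Override
public boolean removeByUsername(String username) {
    boolean aclChanged = false;
    List<ACE> aces = Lists.newArrayList(getACEs());
    for (Iterator<ACE> it = aces.iterator(); it.hasNext();) {
        ACE ace = it.next();
        // Null-safe on both sides: ACE usernames can be null (other code paths skip such entries).
        if (java.util.Objects.equals(ace.getUsername(), username)) {
            it.remove();
            aclChanged = true;
        }
    }
    setACEs(aces.toArray(new ACE[aces.size()]));
    return aclChanged;
}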