@Override public boolean addACE(String aclName, ACE ace) { if (aclName == null) { throw new NullPointerException("'aclName' cannot be null"); } ACL acl = getOrCreateACL(aclName); boolean aclChanged = acl.add(ace); if (aclChanged) { addACL(acl); } return aclChanged; }
@Override public String[] listUsernamesForAnyPermission(Set<String> perms) { List<String> usernames = new ArrayList<>(); ACL merged = getMergedACLs("merged"); for (ACE ace : merged.getACEs()) { if (perms.contains(ace.getPermission()) && ace.isGranted()) { String username = ace.getUsername(); if (!usernames.contains(username)) { usernames.add(username); } } } return usernames.toArray(new String[usernames.size()]); }
@Override public void setRules(String aclName, UserEntry[] userEntries, boolean overwrite) { ACL acl = getACL(aclName); if (acl == null) { // create the loca ACL acl = new ACLImpl(aclName); addACL(acl); } else if (overwrite) { // :XXX: Should not overwrite entries not given as parameters here. acl.clear(); } for (UserEntry entry : userEntries) { String username = entry.getUserName(); for (String permission : entry.getGrantedPermissions()) { acl.add(new ACE(username, permission, true)); } for (String permission : entry.getDeniedPermissions()) { acl.add(new ACE(username, permission, false)); } } cache.clear(); }
protected static ACLRow[] acpToAclRows(ACP acp) { List<ACLRow> aclrows = new LinkedList<>(); for (ACL acl : acp.getACLs()) { String name = acl.getName(); if (name.equals(ACL.INHERITED_ACL)) { continue; } for (ACE ace : acl.getACEs()) { addACLRow(aclrows, name, ace); } } ACLRow[] array = new ACLRow[aclrows.size()]; return aclrows.toArray(array); }
/** * Blocks inheritance and set default rule. * * @param session * @param document * @return acl */ protected ACL blockLocalACLIfNecessary(CoreSession session, DocumentModel document, ACL localAcl) { // Block ACL ACE blockInhACe = ACEsOperationHelper.getBlockInheritanceACe(); if (!localAcl.contains(blockInhACe)) { // Add default rule ACL defaultLocalACL = ACEsOperationHelper.buildDefaultLocalACL(session, document); for(ACE ace : defaultLocalACL){ if(!localAcl.contains(ace)){ localAcl.add(ace); } } // Blocks localAcl.add(blockInhACe); } return localAcl; }
/** * Add ACEs on ACL. * * @param acl * @param aces * @return modifed ACL */ @Override protected ACL modifyACEs(ACL acl, List<ACE> aces) { // Add: // If inheritance id blocked, add before block ACE blockInhACe = ACEsOperationHelper.getBlockInheritanceACe(); int blockInhPos = acl.indexOf(blockInhACe); for (ACE aceToAdd : aces) { if (!acl.contains(aceToAdd)) { if (blockInhPos != -1) { acl.add(blockInhPos, aceToAdd); } else { acl.add(aceToAdd); } } } return acl; }
/** * Gets default local ACL, i.e. when inheritance * is blocked. * * @return default local ACL */ public static ACL buildDefaultLocalACL(CoreSession session, DocumentModel document) { ACL acl = new ACLImpl(); String currentUser = session.getPrincipal().getName(); acl.add(new ACE(currentUser, SecurityConstants.EVERYTHING)); // acl.addAll(ACEsOperationHelper.getAdminEverythingACEs()); acl.addAll(getMasterOwnerACEs(session, document)); return acl; }
@Override protected DocumentModel initCreateUserWorkspacesRoot(CoreSession unrestrictedSession, DocumentModel doc) { ACP acp = new ACPImpl(); ACE denyEverything = new ACE(SecurityConstants.EVERYONE, SecurityConstants.EVERYTHING, false); ACL acl = new ACLImpl(); acl.setACEs(new ACE[] { denyEverything }); acp.addACL(acl); doc.setACP(acp, true); return doc; }
@Override public ACL getACL(String name) { String localName = name == null ? ACL.LOCAL_ACL : name; return acls.stream().filter(acl -> acl.getName().equals(localName)).findFirst().orElse(null); }
@Override @WebMethod public WsACE[] getDocumentLocalACL(@WebParam(name = "sessionId") String sid, @WebParam(name = "uuid") String uuid) { logDeprecation(); WSRemotingSession rs = initSession(sid); ACP acp = rs.getDocumentManager().getACP(new IdRef(uuid)); if (acp != null) { ACL mergedAcl = new ACLImpl("MergedACL", true); for (ACL acl : acp.getACLs()) { if (!ACL.INHERITED_ACL.equals(acl.getName())) { mergedAcl.addAll(acl); } } return WsACE.wrap(mergedAcl.toArray(new ACE[mergedAcl.size()])); } else { return null; } }
/** * Restore inheritance. * * @param session * @param document * @return acp */ protected ACP restoreInheritanceIfNecessary(CoreSession session, DocumentModel document, ACL localAcl) { // ACP ACP acp = document.getACP(); // Remove default rule ACL defaultLocalACL = ACEsOperationHelper.buildDefaultLocalACL(session, document); if (localAcl.containsAll(defaultLocalACL)) { localAcl.removeAll(defaultLocalACL); } // Remove block to restore inheritance ACE blockInACe = ACEsOperationHelper.getBlockInheritanceACe(); if (localAcl.contains(blockInACe)) { localAcl.remove(blockInACe); } // To clear cache acp.addACL(localAcl); return acp; } //
@Override public ACL getMergedACLs(String name) { ACL mergedAcl = new ACLImpl(name, true); for (ACL acl : acls) { mergedAcl.addAll(acl); } return mergedAcl; }
protected void checkNegativeAcl(ACP acp) { if (negativeAclAllowed) { return; } if (acp == null) { return; } for (ACL acl : acp.getACLs()) { if (acl.getName().equals(ACL.INHERITED_ACL)) { continue; } for (ACE ace : acl.getACEs()) { if (ace.isGranted()) { continue; } String permission = ace.getPermission(); if (permission.equals(SecurityConstants.EVERYTHING) && ace.getUsername().equals(SecurityConstants.EVERYONE)) { continue; } // allow Write, as we're sure it doesn't include Read/Browse if (permission.equals(SecurityConstants.WRITE)) { continue; } throw new IllegalArgumentException("Negative ACL not allowed: " + ace); } } }
@Override public void run() { ACP acp = session.getACP(ref); ACL acl = acp.getOrCreateACL(aclName); acl.clear(); for (String validator : validators) { acl.add(new ACE(validator, SecurityConstants.READ)); acl.add(new ACE(validator, SecurityConstants.WRITE)); } // Give View permission to the user who submitted for publishing. acl.add(new ACE(principal.getName(), SecurityConstants.READ)); // Allow administrators too. UserManager userManager = Framework.getService(UserManager.class); for (String group : userManager.getAdministratorsGroups()) { acl.add(new ACE(group, SecurityConstants.EVERYTHING)); } // Deny everyone else. acl.add(ACE.BLOCK); session.setACP(ref, acp, true); session.save(); }