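/**
 * Lists the usernames that hold at least one of the given permissions in the
 * merged ACL, in first-seen ACE order and without duplicates.
 *
 * @param perms the permission names to look for
 * @return the distinct usernames of granted ACEs whose permission is in {@code perms}
 */
@Override
public String[] listUsernamesForAnyPermission(Set<String> perms) {
    // A LinkedHashSet keeps the ACE order of the merged ACL (as the original
    // list did) while making the de-duplication O(1) per ACE instead of a
    // linear List.contains scan. Fully qualified to avoid touching the imports.
    Set<String> usernames = new java.util.LinkedHashSet<>();
    ACL merged = getMergedACLs("merged");
    for (ACE ace : merged.getACEs()) {
        // denied ACEs never contribute a username, even for a matching permission
        if (perms.contains(ace.getPermission()) && ace.isGranted()) {
            usernames.add(ace.getUsername());
        }
    }
    return usernames.toArray(new String[0]);
}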
/**
 * Resolves the access of {@code principal} for {@code permission} from the
 * ordered ACLs, memoizing the answer in {@code cache}.
 *
 * @param principal the principal (user or group) name
 * @param permission the permission name
 * @return {@code Access.GRANT} or {@code Access.DENY} from the first ACE whose
 *         permission and principal both match, {@code Access.UNKNOWN} when none does
 */
@Override
public Access getAccess(String principal, String permission) {
    // NOTE(review): the cache key is a plain ':' join, so a principal or
    // permission name that itself contains ':' could alias another
    // (principal, permission) pair; confirm neither may contain ':' before
    // relying on this cache for authorization decisions.
    String cacheKey = principal + ':' + permission;
    Access resolved = cache.get(cacheKey);
    if (resolved != null) {
        return resolved;
    }
    // ACLs and their ACEs are scanned in order; the first full match decides
    resolved = Access.UNKNOWN;
    search:
    for (ACL acl : acls) {
        for (ACE ace : acl) {
            if (!permissionsMatch(ace, permission) || !principalsMatch(ace, principal)) {
                continue;
            }
            resolved = ace.isGranted() ? Access.GRANT : Access.DENY;
            break search;
        }
    }
    cache.put(cacheKey, resolved);
    return resolved;
}
/**
 * Evaluates one ACE against candidate principals and permissions.
 *
 * @param ace the ACE to test
 * @param principals candidate principal names, scanned in order
 * @param permissions candidate permission names, scanned in order
 * @return {@code Access.GRANT} or {@code Access.DENY} (from the ACE's granted flag)
 *         when some principal matches the ACE's username and some permission
 *         matches the ACE's permission; {@code Access.UNKNOWN} otherwise
 */
public static Access getAccess(ACE ace, String[] principals, String[] permissions) {
    String acePerm = ace.getPermission();
    String aceUser = ace.getUsername();
    for (String principal : principals) {
        if (!principalsMatch(aceUser, principal)) {
            continue;
        }
        // permissions are only examined once a principal has matched
        for (String permission : permissions) {
            if (permissionsMatch(acePerm, permission)) {
                return ace.isGranted() ? Access.GRANT : Access.DENY;
            }
        }
    }
    return Access.UNKNOWN;
}
/**
 * Builds a web-service ACE mirroring a core {@code ACE}: only its username,
 * permission and granted flag are copied.
 *
 * @param ace the core ACE to mirror
 */
public WsACE(ACE ace) {
    this(ace.getUsername(), ace.getPermission(), ace.isGranted());
}
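/**
 * Rejects ACPs that carry denying ACEs, unless negative ACLs are enabled.
 * <p>
 * Tolerated denials: any ACE of the inherited ACL, the block-everything
 * {@code EVERYONE}/{@code EVERYTHING} ACE, and denials of {@code WRITE}.
 * Every other denying ACE is refused with the documented exception; a
 * {@code null} ACL name, username or permission no longer turns into an NPE.
 *
 * @param acp the ACP to validate; {@code null} is accepted and ignored
 * @throws IllegalArgumentException on the first denying ACE that is not tolerated
 */
protected void checkNegativeAcl(ACP acp) {
    if (negativeAclAllowed || acp == null) {
        return;
    }
    for (ACL acl : acp.getACLs()) {
        // constant-first equals: a null ACL name is simply "not inherited"
        if (ACL.INHERITED_ACL.equals(acl.getName())) {
            continue;
        }
        for (ACE ace : acl.getACEs()) {
            if (ace.isGranted()) {
                continue;
            }
            String permission = ace.getPermission();
            // the classic "block everything for everyone" ACE is allowed
            if (SecurityConstants.EVERYTHING.equals(permission)
                    && SecurityConstants.EVERYONE.equals(ace.getUsername())) {
                continue;
            }
            // allow Write, as we're sure it doesn't include Read/Browse
            if (SecurityConstants.WRITE.equals(permission)) {
                continue;
            }
            // any other denial (including a null permission) is refused explicitly
            throw new IllegalArgumentException("Negative ACL not allowed: " + ace);
        }
    }
}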
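/**
 * Writes the ACP as a JSON {@code acl} array: each ACL object has a
 * {@code name} and an {@code ace} array; each ACE object carries id, username,
 * permission, granted, creator, W3C-formatted begin/end (null when unset) and
 * the lower-cased status.
 *
 * @param acp the ACP to serialize
 * @param jg the generator, positioned inside the entity object
 * @throws IOException propagated from the generator
 */
@Override
protected void writeEntityBody(ACP acp, JsonGenerator jg) throws IOException {
    jg.writeArrayFieldStart("acl");
    for (ACL acl : acp.getACLs()) {
        jg.writeStartObject();
        jg.writeStringField("name", acl.getName());
        jg.writeArrayFieldStart("ace");
        for (ACE ace : acl.getACEs()) {
            jg.writeStartObject();
            jg.writeStringField("id", ace.getId());
            jg.writeStringField("username", ace.getUsername());
            jg.writeStringField("permission", ace.getPermission());
            jg.writeBooleanField("granted", ace.isGranted());
            jg.writeStringField("creator", ace.getCreator());
            // begin/end are optional; an absent date is passed to the generator as null
            String begin = ace.getBegin() == null ? null
                    : DateParser.formatW3CDateTime(ace.getBegin().getTime());
            jg.writeStringField("begin", begin);
            String end = ace.getEnd() == null ? null
                    : DateParser.formatW3CDateTime(ace.getEnd().getTime());
            jg.writeStringField("end", end);
            // Locale.ROOT: the status is a wire-format token, so its casing must not
            // depend on the JVM default locale (e.g. Turkish dotted/dotless i)
            jg.writeStringField("status",
                    ace.getStatus().toString().toLowerCase(java.util.Locale.ROOT));
            jg.writeEndObject();
        }
        jg.writeEndArray();
        jg.writeEndObject();
    }
    jg.writeEndArray();
}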
/**
 * Copies ACEs into user entries, one single-privilege entry per ACE.
 *
 * @param aces source ACEs
 * @param s0 first index read in {@code aces}
 * @param entries destination array
 * @param s1 first index written in {@code entries}
 * @param len exclusive end index in {@code aces} — NOTE(review): the loop uses
 *            it as an end bound, not as a count, so callers passing
 *            {@code s0 != 0} should confirm they mean "copy up to index len"
 */
private static void copyTo(ACE[] aces, int s0, UserEntry[] entries, int s1, int len) {
    int dst = s1;
    for (int src = s0; src < len; src++) {
        ACE ace = aces[src];
        UserEntry entry = new UserEntryImpl(ace.getUsername());
        // the third addPrivilege argument is always false here; its meaning is
        // defined by UserEntry (not visible from this block)
        entry.addPrivilege(ace.getPermission(), ace.isGranted(), false);
        entries[dst] = entry;
        dst++;
    }
}
/**
 * Appends one ACL row for {@code ace}, positioned at the current list size.
 * ACEs without a username are skipped.
 *
 * @param aclrows the rows to append to
 * @param name the ACL name stored in the row
 * @param ace the ACE to convert
 */
protected static void addACLRow(List<ACLRow> aclrows, String name, ACE ace) {
    // XXX should prefix user/group
    String user = ace.getUsername();
    if (user == null) {
        // JCR implementation logs null and skips it
        return;
    }
    // XXX all in user for now
    String group = null;
    int position = aclrows.size();
    ACLRow row = new ACLRow(position, name, ace.isGranted(), ace.getPermission(), user, group,
            ace.getCreator(), ace.getBegin(), ace.getEnd(), ace.getLongStatus());
    aclrows.add(row);
}
for (ACL acl : acpParent.getACLs()) { for (ACE ace : acl.getACEs()) { if (ace.isGranted() && !lstPerm.contains(ace.getPermission())) {
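/**
 * Feeds security data object with user entries.
 * <p>
 * ACEs of the local ACL are added as modifiable privileges, all others as
 * unmodifiable. Scanning of an ACL stops after its everyone/everything
 * denial ACE. Null ACL names, usernames or permissions are tolerated (they
 * previously raised an NPE).
 *
 * @param acp the ACP to read; {@code null} is logged and ignored
 * @param securityData the target, cleared first; {@code null} is logged and ignored
 */
public static void convertToSecurityData(ACP acp, SecurityData securityData) {
    if (null == acp || null == securityData) {
        log.error("Null params received, returning...");
        return;
    }
    securityData.clear();
    for (ACL acl : acp.getACLs()) {
        // constant-first equals: a null ACL name is simply "not local"
        boolean modifiable = ACL.LOCAL_ACL.equals(acl.getName());
        for (ACE entry : acl.getACEs()) {
            String username = entry.getUsername();
            String permission = entry.getPermission();
            boolean granted = entry.isGranted();
            if (modifiable) {
                securityData.addModifiablePrivilege(username, permission, granted);
            } else {
                securityData.addUnModifiablePrivilege(username, permission, granted);
            }
            // NOTE(review): this only ends the scan of the current ACL; the
            // outer loop still visits the remaining ACLs — confirm that is intended
            if (!granted && SecurityConstants.EVERYONE.equals(username)
                    && SecurityConstants.EVERYTHING.equals(permission)) {
                break;
            }
        }
    }
    // needed so that the user lists are updated
    securityData.rebuildUserLists();
    securityData.setNeedSave(false);
}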
/**
 * Converts an ACE to a JSONObject with {@code username}, {@code permission},
 * {@code isGranted} and {@code isGroup} entries.
 *
 * @param ace the ACE to convert
 * @param groupIds known group ids; when null or empty every ACE is reported
 *                 with {@code isGroup} false
 * @return ACE as JSONObject
 */
protected JSONObject convert(ACE ace, List<String> groupIds) {
    String username = ace.getUsername();
    boolean isGroup = CollectionUtils.isNotEmpty(groupIds) && groupIds.contains(username);
    JSONObject aceEntry = new JSONObject();
    aceEntry.element("username", username);
    aceEntry.element("permission", ace.getPermission());
    aceEntry.element("isGranted", ace.isGranted());
    aceEntry.element("isGroup", isGroup);
    return aceEntry;
}
outerloop: for (ACL acl : acp.getACLs()) { for (ACE ace : acl.getACEs()) { if (ace.isGranted() && ace.isEffective() && browsePermissions.contains(ace.getPermission())) { jg.writeString(ace.getUsername());
/**
 * Lists every ACE of the target document's ACP as a {@code Permission}.
 *
 * @return one Permission (username, permission, granted) per ACE, across all
 *         ACLs in their order
 * @throws NuxeoException re-thrown from the core session with
 *         "Failed to get ACLs" added as info
 */
public List<Permission> getPermissions() {
    try {
        ACP acp = ctx.getCoreSession().getACP(getTarget().getAdapter(DocumentModel.class).getRef());
        List<Permission> permissions = new ArrayList<>();
        for (ACL acl : acp.getACLs()) {
            for (ACE ace : acl.getACEs()) {
                Permission entry = new Permission(ace.getUsername(), ace.getPermission(), ace.isGranted());
                permissions.add(entry);
            }
        }
        return permissions;
    } catch (NuxeoException e) {
        // keep the original exception and its stack; only add context for the caller
        e.addInfo("Failed to get ACLs");
        throw e;
    }
}
/**
 * @param document the document whose ACP is scanned
 * @param permission the permission to look for; {@code getPermissionsToCheck}
 *                   may expand it to several permission names to match
 * @return names of groups with given permission.
 */
protected List<String> getGroupsForPermission(DocumentModel document, String permission) {
    PrincipalHelper principalHelper = new PrincipalHelper(userManager, permissionProvider);
    String[] perms = principalHelper.getPermissionsToCheck(permission);
    List<String> groups = new ArrayList<>();
    for (ACL acl : document.getACP().getACLs()) {
        for (ACE ace : acl.getACEs()) {
            if (!ace.isGranted() || !permissionMatch(perms, ace.getPermission())) {
                continue;
            }
            // usernames that do not resolve to a group are left out
            NuxeoGroup group = userManager.getGroup(ace.getUsername());
            if (group != null) {
                groups.add(group.getName());
            }
        }
    }
    return groups;
}
/**
 * Exports the ACP under {@code element}: one ACL_TAG child per ACL (with its
 * name), holding one ACE_TAG child per ACE with principal, permission, grant
 * and creator attributes plus W3C-formatted begin/end when set. Despite its
 * name, this method writes XML from the ACP rather than reading it.
 *
 * @param element the parent element receiving the ACL elements
 * @param acp the ACP to export
 */
protected static void readACP(Element element, ACP acp) {
    for (ACL acl : acp.getACLs()) {
        Element aclElement = element.addElement(ExportConstants.ACL_TAG);
        aclElement.addAttribute(ExportConstants.NAME_ATTR, acl.getName());
        for (ACE ace : acl.getACEs()) {
            Element aceElement = aclElement.addElement(ExportConstants.ACE_TAG);
            aceElement.addAttribute(ExportConstants.PRINCIPAL_ATTR, ace.getUsername());
            aceElement.addAttribute(ExportConstants.PERMISSION_ATTR, ace.getPermission());
            aceElement.addAttribute(ExportConstants.GRANT_ATTR, Boolean.toString(ace.isGranted()));
            aceElement.addAttribute(ExportConstants.CREATOR_ATTR, ace.getCreator());
            // begin/end attributes are only written when the ACE has them
            Calendar begin = ace.getBegin();
            if (begin != null) {
                String w3cBegin = DateParser.formatW3CDateTime(begin.getTime());
                aceElement.addAttribute(ExportConstants.BEGIN_ATTR, w3cBegin);
            }
            Calendar end = ace.getEnd();
            if (end != null) {
                String w3cEnd = DateParser.formatW3CDateTime(end.getTime());
                aceElement.addAttribute(ExportConstants.END_ATTR, w3cEnd);
            }
        }
    }
}
/**
 * Operation body: exports the granted ACEs of {@code doc} as a JSON array of
 * {@code {"userOrGroup": …, "permission": …}} objects.
 *
 * @param doc the document whose ACP is read
 * @return an {@code application/json} StringBlob, or {@code null} when no ACE is granted
 * @throws Exception propagated from the document/ACP access
 */
@OperationMethod
public Blob run(DocumentModel doc) throws Exception {
    JSONArray rows = new JSONArray();
    for (ACL acl : doc.getACP().getACLs()) {
        for (ACE ace : acl.getACEs()) {
            // denied ACEs are not exported
            if (!ace.isGranted()) {
                continue;
            }
            JSONObject row = new JSONObject();
            row.element("userOrGroup", ace.getUsername());
            row.element("permission", ace.getPermission());
            rows.add(row);
        }
    }
    if (rows.isEmpty()) {
        return null;
    }
    return new StringBlob(rows.toString(), "application/json");
}
for (ACL acl : acp.getACLs()) { for (ACE ace : acl.getACEs()) { if (ace.isGranted() && permissionMatch(perms, ace.getPermission())) { NuxeoGroup group = userManager.getGroup(ace.getUsername());