Java Code Examples for org.alfresco.service.cmr.security.AccessStatus#ALLOWED
The following examples show how to use
org.alfresco.service.cmr.security.AccessStatus#ALLOWED .
Example 1
Source File: HasPermissionMethod.java From alfresco-repository with GNU Lesser General Public License v3.0 | 6 votes |
/**
 * Evaluates {@code permissionToCheck} for the virtual node identified by {@code reference}.
 * <p>
 * A reference is treated as read-only when its folder definition has a null filing rule or
 * the rule resolves no filing node. For read-only references the configured deny list is
 * consulted first, so a permission on that list is refused before any grant is considered;
 * READ is then granted outright.
 *
 * @param virtualProtocol not referenced by this implementation
 * @param reference the virtual reference being checked
 * @return the resulting access status
 * @throws ProtocolMethodException declared by the overridden method
 */
@Override
public AccessStatus execute(VirtualProtocol virtualProtocol, Reference reference) throws ProtocolMethodException {
    FilingRule rule = resolver.resolveVirtualFolderDefinition(reference).getFilingRule();
    boolean readonly = rule.isNullFilingRule()
            || rule.filingNodeRefFor(new FilingParameters(reference)) == null;

    if (!readonly) {
        return userPermissions.hasVirtualNodePermission(permissionToCheck, false);
    }

    // Deny wins: the deny list is checked before the unconditional READ grant below.
    if (userPermissions.getDenyReadonlySmartNodes().contains(permissionToCheck)) {
        return AccessStatus.DENIED;
    }
    if (PermissionService.READ.equals(permissionToCheck)) {
        return AccessStatus.ALLOWED;
    }
    return userPermissions.hasVirtualNodePermission(permissionToCheck, true);
}
Example 2
Source File: SiteServiceImplTest.java From alfresco-repository with GNU Lesser General Public License v3.0 | 6 votes |
/**
 * Collects, per authority, the permissions that are set to ALLOWED on a node.
 * Entries with any other access status are skipped.
 *
 * @param nodeRef the node whose set permissions are read
 * @return map from authority to the names of its allowed permissions
 */
private Map<String, Set<String>> getAllowedPermissionsMap(NodeRef nodeRef) {
    Map<String, Set<String>> allowedByAuthority = new HashMap<String, Set<String>>();
    for (AccessPermission entry : permissionService.getAllSetPermissions(nodeRef)) {
        if (entry.getAccessStatus() != AccessStatus.ALLOWED) {
            continue;
        }
        String authority = entry.getAuthority();
        Set<String> granted = allowedByAuthority.get(authority);
        if (granted == null) {
            granted = new HashSet<String>();
            allowedByAuthority.put(authority, granted);
        }
        granted.add(entry.getPermission());
    }
    return allowedByAuthority;
}
Example 3
Source File: MethodSecurityInterceptor.java From alfresco-repository with GNU Lesser General Public License v3.0 | 5 votes |
/**
 * Runs the pre-invocation access check for a secured object.
 *
 * @param object the secured object whose configured attributes are looked up
 * @return the decision of the {@link AffirmativeBasedAccessDecisionManger} when one is
 *         configured, otherwise {@link AccessStatus#ALLOWED}
 */
public AccessStatus pre(Object object) {
    ConfigAttributeDefinition attr = this.obtainObjectDefinitionSource().getAttributes(object);

    if (!(this.getAccessDecisionManager() instanceof AffirmativeBasedAccessDecisionManger)) {
        // NOTE(review): fail-open default - any other decision manager type yields ALLOWED
        // without a vote. Confirm deployments always wire the affirmative-based manager.
        return AccessStatus.ALLOWED;
    }

    AffirmativeBasedAccessDecisionManger manager =
            (AffirmativeBasedAccessDecisionManger) getAccessDecisionManager();
    return manager.pre(object, attr);
}
Example 4
Source File: RuleServiceImpl.java From alfresco-repository with GNU Lesser General Public License v3.0 | 5 votes |
/**
 * Returns the rules saved directly on a node, using the node rules cache where possible.
 * <p>
 * The cache is keyed by node only, so the aspect and READ checks run before the cache
 * lookup: a cached rule list is handed back only to a caller that passes them.
 *
 * @param nodeRef the node whose rules are wanted
 * @return the node's rules; an empty list when the node lacks the rules aspect or the
 *         READ check does not return ALLOWED
 */
private List<Rule> getRulesForNode(NodeRef nodeRef) {
    if (!runtimeNodeService.hasAspect(nodeRef, RuleModel.ASPECT_RULES)) {
        return Collections.emptyList();
    }
    // READ is checked during rule selection to avoid an Access Denied Exception, see
    // https://issues.alfresco.com/browse/ETWOTWO-438
    if (permissionService.hasPermission(nodeRef, PermissionService.READ) != AccessStatus.ALLOWED) {
        return Collections.emptyList();
    }

    List<Rule> cached = nodeRulesCache.get(nodeRef);
    if (cached != null) {
        return cached;
    }

    List<Rule> loaded = new ArrayList<Rule>();
    NodeRef ruleFolder = getSavedRuleFolderRef(nodeRef);
    if (ruleFolder != null) {
        List<ChildAssociationRef> ruleAssocs = this.runtimeNodeService.getChildAssocs(
                ruleFolder, RegexQNamePattern.MATCH_ALL, ASSOC_NAME_RULES_REGEX);
        for (ChildAssociationRef ruleAssoc : ruleAssocs) {
            loaded.add(getRule(ruleAssoc.getChildRef()));
        }
    }

    // Remember the result, including an empty list, for later calls.
    nodeRulesCache.put(nodeRef, loaded);
    return loaded;
}
Example 5
Source File: Search.java From alfresco-repository with GNU Lesser General Public License v3.0 | 5 votes |
/**
 * Looks up a single node by its reference.
 * <p>
 * A node that does not exist and a node the caller may not READ both produce {@code null},
 * so the return value does not reveal which of the two applied.
 *
 * @param ref the NodeRef of the node to find; mandatory
 * @return the node wrapped as a ScriptNode, or null if it is missing or not readable
 */
public ScriptNode findNode(NodeRef ref) {
    ParameterCheck.mandatory("ref", ref);

    if (!this.services.getNodeService().exists(ref)) {
        return null;
    }
    AccessStatus readAccess =
            this.services.getPermissionService().hasPermission(ref, PermissionService.READ);
    if (readAccess != AccessStatus.ALLOWED) {
        return null;
    }
    return new ScriptNode(ref, this.services, getScope());
}
Example 6
Source File: JSONConversionComponent.java From alfresco-repository with GNU Lesser General Public License v3.0 | 5 votes |
/**
 * Converts a node reference to a JSON object.
 * <p>
 * The object is populated only when the node exists and the caller is allowed to invoke
 * {@code getProperties} on the node service for it; otherwise an empty JSON object is
 * returned, so no root values, permissions, properties or aspects are emitted.
 *
 * @param nodeRef the node to convert
 * @param useShortQNames passed through to the root value, property and aspect converters
 * @return the populated JSON object, or an empty one when the node is missing or not accessible
 */
@SuppressWarnings("unchecked")
public JSONObject toJSONObject(final NodeRef nodeRef, final boolean useShortQNames) {
    final JSONObject json = new JSONObject();

    if (!this.nodeService.exists(nodeRef)) {
        return json;
    }
    AccessStatus access = publicServiceAccessService.hasAccess(
            ServiceRegistry.NODE_SERVICE.getLocalName(), "getProperties", nodeRef);
    if (access != AccessStatus.ALLOWED) {
        return json;
    }

    // Start from an empty namespace prefix cache for this conversion.
    namespacePrefixCache.get().clear();

    FileInfo nodeInfo = this.fileFolderService.getFileInfo(nodeRef);
    setRootValues(nodeInfo, json, useShortQNames);
    json.put("permissions", permissionsToJSON(nodeRef));
    json.put("properties", propertiesToJSON(nodeRef, nodeInfo.getProperties(), useShortQNames));
    json.put("aspects", apsectsToJSON(nodeRef, useShortQNames));
    return json;
}
Example 7
Source File: CommentsPost.java From alfresco-remote-api with GNU Lesser General Public License v3.0 | 5 votes |
/**
 * Builds the response item for a comment node.
 * <p>
 * The item holds the node, the author's person node, whether the comment was modified more
 * than 5000 ms after creation, and whether the current user may edit it. Editing is reported
 * as allowed for a site manager, a coordinator, the creator or the owner of the comment.
 *
 * @param commentNodeRef the comment node
 * @return map with the keys "node", "author", "isUpdated" and "canEditComment"
 */
private Map<String, Object> generateItemValue(NodeRef commentNodeRef) {
    String creator = (String) this.nodeService.getProperty(commentNodeRef, ContentModel.PROP_CREATOR);
    Serializable created = this.nodeService.getProperty(commentNodeRef, ContentModel.PROP_CREATED);
    Serializable modified = this.nodeService.getProperty(commentNodeRef, ContentModel.PROP_MODIFIED);

    boolean isUpdated = created instanceof Date
            && modified instanceof Date
            && ((Date) modified).getTime() - ((Date) created).getTime() > 5000;

    // TODO refactor v0 Comments API to use CommentService (see ACE-5437)
    Serializable owner = this.nodeService.getProperty(commentNodeRef, ContentModel.PROP_OWNER);
    String currentUser = this.serviceRegistry.getAuthenticationService().getCurrentUserName();

    AccessStatus managerAccess =
            this.permissionService.hasPermission(commentNodeRef, SiteModel.SITE_MANAGER);
    AccessStatus coordinatorAccess =
            this.permissionService.hasPermission(commentNodeRef, PermissionService.COORDINATOR);
    boolean isSiteManager = managerAccess == AccessStatus.ALLOWED;
    boolean isCoordinator = coordinatorAccess == AccessStatus.ALLOWED;

    // NOTE(review): currentUser is dereferenced when neither permission holds; confirm the
    // caller always runs with an authenticated user.
    boolean canEditComment = isSiteManager
            || isCoordinator
            || currentUser.equals(creator)
            || currentUser.equals(owner);

    Map<String, Object> item = new HashMap<String, Object>(4, 1.0f);
    item.put("node", commentNodeRef);
    item.put("author", this.personService.getPerson(creator));
    item.put("isUpdated", isUpdated);
    item.put("canEditComment", canEditComment);
    return item;
}
Example 8
Source File: CopyServiceImpl.java From alfresco-repository with GNU Lesser General Public License v3.0 | 5 votes |
/**
 * Copies the directly-set permissions and the inheritance flag of the source node onto the
 * destination node.
 * <p>
 * The copy is best-effort: if the caller may not read the source's permissions, or may not
 * set permissions on the destination, the method returns without changing anything and
 * without raising an error. Callers therefore cannot assume the destination ends up with
 * the same permissions as the source. Inherited entries are not copied.
 *
 * @param sourceNodeRef the source node reference
 * @param destinationNodeRef the destination node reference
 */
private void copyPermissions(final NodeRef sourceNodeRef, final NodeRef destinationNodeRef) {
    boolean canReadSource =
            (publicServiceAccessService.hasAccess("PermissionService", "getAllSetPermissions", sourceNodeRef) == AccessStatus.ALLOWED)
            && (publicServiceAccessService.hasAccess("PermissionService", "getInheritParentPermissions", sourceNodeRef) == AccessStatus.ALLOWED);
    if (!canReadSource) {
        return;
    }

    Set<AccessPermission> sourcePermissions = permissionService.getAllSetPermissions(sourceNodeRef);
    boolean inheritFromParent = permissionService.getInheritParentPermissions(sourceNodeRef);

    // The authority and permission arguments are placeholders for the access check only.
    boolean canWriteDestination =
            (publicServiceAccessService.hasAccess("PermissionService", "setPermission", destinationNodeRef, "dummyAuth", "dummyPermission", true) == AccessStatus.ALLOWED)
            && (publicServiceAccessService.hasAccess("PermissionService", "setInheritParentPermissions", destinationNodeRef, inheritFromParent) == AccessStatus.ALLOWED);
    if (!canWriteDestination) {
        return;
    }

    for (AccessPermission entry : sourcePermissions) {
        if (!entry.isSetDirectly()) {
            continue;
        }
        // Any status other than ALLOWED is written to the destination as "not allowed".
        permissionService.setPermission(
                destinationNodeRef,
                entry.getAuthority(),
                entry.getPermission(),
                entry.getAccessStatus().equals(AccessStatus.ALLOWED));
    }
    permissionService.setInheritParentPermissions(destinationNodeRef, inheritFromParent);
}
Example 9
Source File: PermissionServiceNOOPImpl.java From alfresco-repository with GNU Lesser General Public License v3.0 | 4 votes |
/**
 * Reports the permission as granted without examining the node or the permission.
 * <p>
 * NOTE(review): this is an unconditional grant; confirm this implementation is only wired
 * where permission checking is intentionally switched off.
 *
 * @param nodeRef ignored
 * @param perm ignored
 * @return always {@link AccessStatus#ALLOWED}
 */
@Override
public AccessStatus hasPermission(NodeRef nodeRef, PermissionReference perm) {
    return AccessStatus.ALLOWED;
}
Example 10
Source File: SimplePermissionEntry.java From alfresco-repository with GNU Lesser General Public License v3.0 | 4 votes |
/**
 * Tells whether this entry grants its permission.
 *
 * @return true only when the entry's access status is {@link AccessStatus#ALLOWED};
 *         false for every other status, including an unset (null) one
 */
public boolean isAllowed() {
    return AccessStatus.ALLOWED == accessStatus;
}
Example 11
Source File: PermissionServiceNOOPImpl.java From alfresco-repository with GNU Lesser General Public License v3.0 | 4 votes |
/**
 * Reports the named permission as granted without examining the node or the permission.
 * <p>
 * NOTE(review): this is an unconditional grant; confirm this implementation is only wired
 * where permission checking is intentionally switched off.
 *
 * @param nodeRef ignored
 * @param perm ignored
 * @return always {@link AccessStatus#ALLOWED}
 */
@Override
public AccessStatus hasPermission(NodeRef nodeRef, String perm) {
    return AccessStatus.ALLOWED;
}
Example 12
Source File: AllowPermissionServiceImpl.java From alfresco-repository with GNU Lesser General Public License v3.0 | 4 votes |
/**
 * Grants every permission on every node: neither argument is inspected.
 * <p>
 * NOTE(review): an always-allow permission service removes access control for anything
 * that consults it; confirm it is not reachable from a production configuration.
 *
 * @param nodeRef ignored
 * @param perm ignored
 * @return always {@link AccessStatus#ALLOWED}
 */
@Override
public AccessStatus hasPermission(NodeRef nodeRef, String perm) {
    return AccessStatus.ALLOWED;
}
Example 13
Source File: PermissionServiceImpl.java From alfresco-repository with GNU Lesser General Public License v3.0 | 4 votes |
/**
 * Decides whether an access control entry denies the permission under evaluation for a
 * single authority, recording ALLOWED entries in {@code allowed} as a side effect.
 * <p>
 * An ALLOWED entry never denies: the method adds (entry authority, permission) pairs to
 * {@code allowed} and returns false. For any other entry it returns true only when the
 * pair (entry authority, {@code required}) is not already in {@code allowed}, the entry's
 * authority equals {@code authority}, and {@code granters} contains the entry's permission.
 * <p>
 * {@code required} and the {@code granters} used in the final test are not declared in this
 * method; presumably they are members of the enclosing class - confirm against the full file.
 *
 * @param ace the access control entry to test
 * @param authority the authority the entry must apply to
 * @param allowed the set of (authority, permission) pairs already allowed; it is mutated
 *            when the entry is ALLOWED
 * @return true if the entry denies the permission, false otherwise
 */
private boolean isDenied(AccessControlEntry ace, String authority, Set<Pair<String, PermissionReference>> allowed)
{
    // An ALLOWED entry cannot deny; record what it allows and report "not denied".
    // NOTE(review): allowed is dereferenced here without the null check used further down.
    if (ace.getAccessStatus() == AccessStatus.ALLOWED)
    {
        allowed.add(new Pair<String, PermissionReference>(ace.getAuthority(), ace.getPermission()));

        // Local to this branch; it hides the outer granters until the branch ends.
        Set<PermissionReference> granters = modelDAO.getGrantingPermissions(ace.getPermission());
        for (PermissionReference granter : granters)
        {
            allowed.add(new Pair<String, PermissionReference>(ace.getAuthority(), granter));
        }

        // Everything granted by this permission is recorded as allowed as well
        Set<PermissionReference> grantees = modelDAO.getGranteePermissions(ace.getPermission());
        for (PermissionReference grantee : grantees)
        {
            allowed.add(new Pair<String, PermissionReference>(ace.getAuthority(), grantee));
        }

        // The "all permissions" reference (current or old) covers every permission
        // the model knows about.
        if (ace.getPermission().equals(getAllPermissionReference()) || ace.getPermission().equals(OLD_ALL_PERMISSIONS_REFERENCE))
        {
            for (PermissionReference deny : modelDAO.getAllPermissions())
            {
                allowed.add(new Pair<String, PermissionReference>(ace.getAuthority(), deny));
            }
        }

        return false;
    }

    // The entry is not ALLOWED, but an earlier allow for the same authority and the
    // required permission takes precedence, so it does not deny.
    if (allowed != null)
    {
        Pair<String, PermissionReference> specific = new Pair<String, PermissionReference>(ace.getAuthority(), required);
        if (allowed.contains(specific))
        {
            return false;
        }
    }

    // The entry applies to this authority and its permission is one of the granters of
    // the required permission: it denies.
    if (authority.equals(ace.getAuthority()) && granters.contains(ace.getPermission()))
    {
        {
            return true;
        }
    }

    // No matching entry: not denied
    return false;
}
Example 14
Source File: PermissionServiceImpl.java From alfresco-repository with GNU Lesser General Public License v3.0 | 4 votes |
/**
 * Decides whether an access control entry denies the permission under evaluation for any of
 * a set of authorities, recording ALLOWED entries in {@code allowed} as a side effect.
 * <p>
 * An ALLOWED entry never denies: the method adds (entry authority, permission) pairs to
 * {@code allowed} and returns false. For any other entry it returns true only when the
 * pair (entry authority, {@code required}) is not already in {@code allowed}, the entry's
 * authority is in {@code authorisations}, and {@code granters} contains the entry's
 * permission.
 * <p>
 * {@code required} and the {@code granters} used in the final test are not declared in this
 * method; presumably they are members of the enclosing class - confirm against the full file.
 *
 * @param ace the access control entry to test
 * @param authorisations the set of authorities the entry may apply to
 * @param allowed the set of (authority, permission) pairs already allowed; it is mutated
 *            when the entry is ALLOWED
 * @param context supplies the type and aspects used to list all permissions
 * @return true if the entry denies the permission, false otherwise
 */
private boolean isDenied(AccessControlEntry ace, Set<String> authorisations, Set<Pair<String, PermissionReference>> allowed, PermissionContext context)
{
    // An ALLOWED entry cannot deny; record what it allows and report "not denied".
    // NOTE(review): allowed is dereferenced here without the null check used further down.
    if (ace.getAccessStatus() == AccessStatus.ALLOWED)
    {
        allowed.add(new Pair<String, PermissionReference>(ace.getAuthority(), ace.getPermission()));

        // Local to this branch; it hides the outer granters until the branch ends.
        Set<PermissionReference> granters = modelDAO.getGrantingPermissions(ace.getPermission());
        for (PermissionReference granter : granters)
        {
            allowed.add(new Pair<String, PermissionReference>(ace.getAuthority(), granter));
        }

        // Everything granted by this permission is recorded as allowed as well
        Set<PermissionReference> grantees = modelDAO.getGranteePermissions(ace.getPermission());
        for (PermissionReference grantee : grantees)
        {
            allowed.add(new Pair<String, PermissionReference>(ace.getAuthority(), grantee));
        }

        // The "all permissions" reference (current or old) covers every permission
        // available for the context's type and aspects.
        if (ace.getPermission().equals(getAllPermissionReference()) || ace.getPermission().equals(OLD_ALL_PERMISSIONS_REFERENCE))
        {
            for (PermissionReference deny : modelDAO.getAllPermissions(context.getType(), context.getAspects()))
            {
                allowed.add(new Pair<String, PermissionReference>(ace.getAuthority(), deny));
            }
        }

        return false;
    }

    // The entry is not ALLOWED, but an earlier allow for the same authority and the
    // required permission takes precedence, so it does not deny.
    if (allowed != null)
    {
        Pair<String, PermissionReference> specific = new Pair<String, PermissionReference>(ace.getAuthority(), required);
        if (allowed.contains(specific))
        {
            return false;
        }
    }

    // The entry applies to one of the authorities and its permission is one of the
    // granters of the required permission: it denies.
    if (authorisations.contains(ace.getAuthority()) && granters.contains(ace.getPermission()))
    {
        {
            return true;
        }
    }

    // No matching entry: not denied
    return false;
}
Example 15
Source File: PermissionServiceImpl.java From alfresco-repository with GNU Lesser General Public License v3.0 | 4 votes |
/**
 * Optimised read permission evaluation.
 * <p>
 * Caveats of the optimised path:
 * <ul>
 * <li>it doesn't take into account dynamic authorities/groups</li>
 * <li>it doesn't take into account node types/aspects for permissions</li>
 * </ul>
 * When a dynamic authority that could affect READ is configured, the method falls back to
 * the general {@code hasPermission} evaluation instead.
 * <p>
 * Outcomes that do not consult any ACL: a null or non-existent node is ALLOWED, a missing
 * run-as user is DENIED, and the system user is ALLOWED.
 *
 * @param nodeRef the node to test; may be null
 * @return ALLOWED or DENIED as described above
 */
@Override
@Extend(traitAPI = PermissionServiceTrait.class, extensionAPI = PermissionServiceExtension.class)
public AccessStatus hasReadPermission(NodeRef nodeRef)
{
    AccessStatus status = AccessStatus.DENIED;

    // If the node ref is null there is no sensible test to do - and there
    // must be no permissions - so we allow it
    if (nodeRef == null)
    {
        return AccessStatus.ALLOWED;
    }

    // Allow permissions for nodes that do not exist.
    // NOTE(review): callers must not read ALLOWED as proof that the node exists.
    if (!nodeService.exists(nodeRef))
    {
        return AccessStatus.ALLOWED;
    }

    String runAsUser = AuthenticationUtil.getRunAsUser();
    if (runAsUser == null)
    {
        // No run-as user: deny
        return AccessStatus.DENIED;
    }

    if (AuthenticationUtil.isRunAsUserTheSystemUser())
    {
        // The system user bypasses the ACL evaluation below
        return AccessStatus.ALLOWED;
    }

    // any dynamic authorities other than those defined in the default permissions model with full
    // control or read permission force hasPermission check
    Boolean forceHasPermission = (Boolean)AlfrescoTransactionSupport.getResource("forceHasPermission");
    if(forceHasPermission == null)
    {
        for(DynamicAuthority dynamicAuthority : dynamicAuthorities)
        {
            String authority = dynamicAuthority.getAuthority();
            Set<PermissionReference> requiredFor = dynamicAuthority.requiredFor();
            // NOTE(review): the authority strings are compared by reference (!=), not with
            // equals(). An authority whose text equals one of the constants but is a
            // different String instance is treated as "other" and can force the general
            // hasPermission evaluation. Confirm getAuthority() returns the constants.
            if(authority != PermissionService.OWNER_AUTHORITY &&
                    authority != PermissionService.ADMINISTRATOR_AUTHORITY &&
                    authority != PermissionService.LOCK_OWNER_AUTHORITY &&
                    (requiredFor == null ||
                            requiredFor.contains(modelDAO.getPermissionReference(null, PermissionService.FULL_CONTROL)) ||
                            requiredFor.contains(modelDAO.getPermissionReference(null, PermissionService.READ))))
            {
                forceHasPermission = Boolean.TRUE;
                break;
            }
        }
        // Binds the outcome under the same key that was read above. When no authority
        // matched, the bound value is still null, so the next call presumably repeats
        // the scan - TODO confirm.
        AlfrescoTransactionSupport.bindResource("forceHasPermission", forceHasPermission);
    }

    // Reference comparison against Boolean.TRUE; the only non-null value assigned in
    // this method is Boolean.TRUE itself.
    if(forceHasPermission == Boolean.TRUE)
    {
        return hasPermission(nodeRef, PermissionService.READ);
    }

    Long aclID = nodeService.getNodeAclId(nodeRef);
    if(aclID == null)
    {
        // ACLID is null - need to call default permissions evaluation
        // This will end up calling the old-style ACL code that walks up the ACL tree
        status = hasPermission(nodeRef, getPermissionReference(null, PermissionService.READ));
    }
    else
    {
        // Any one of the three checks returning ALLOWED is sufficient
        status = (canRead(aclID) == AccessStatus.ALLOWED ||
                adminRead() == AccessStatus.ALLOWED ||
                ownerRead(runAsUser, nodeRef) == AccessStatus.ALLOWED) ? AccessStatus.ALLOWED : AccessStatus.DENIED;
    }

    return status;
}
Example 16
Source File: NamePathResultsMap.java From alfresco-repository with GNU Lesser General Public License v3.0 | 4 votes |
/**
 * Resolves a "/"-separated name path, relative to the parent node, to a template node.
 * <p>
 * When the parent is a folder type, the path is walked child by child as the system user
 * and only the final node is checked against the caller's access. Otherwise the path is
 * turned into an XPath query in which each name is supplied as a query parameter.
 *
 * @param key the name path; its {@code toString()} value is used
 * @return the matching node, or null when nothing matches or the final node of the folder
 *         walk is not accessible to the caller
 * @see java.util.Map#get(java.lang.Object)
 */
public Object get(Object key)
{
    String path = key.toString();
    // One tokenizer is shared by both branches below; only one of them consumes it.
    final StringTokenizer t = new StringTokenizer(path, "/");

    // optimization
    if (this.services.getDictionaryService().isSubClass(parent.getType(), org.alfresco.model.ContentModel.TYPE_FOLDER))
    {
        // The walk runs as the system user, so intermediate path segments are resolved
        // without the caller's permissions being consulted.
        NodeRef result = AuthenticationUtil.runAs(new RunAsWork<NodeRef>()
        {
            @Override
            public NodeRef doWork() throws Exception
            {
                NodeRef child = parent.nodeRef;
                // Stops early when a name does not resolve (child becomes null)
                while (t.hasMoreTokens() && child != null)
                {
                    String name = t.nextToken();
                    child = services.getNodeService().getChildByName(child, org.alfresco.model.ContentModel.ASSOC_CONTAINS, name);
                }
                return child;
            }
        }, AuthenticationUtil.getSystemUserName());

        // final node must be accessible to the user via the usual ACL permission checks
        if (result != null && services.getPublicServiceAccessService().hasAccess("NodeService", "getProperties", result) != AccessStatus.ALLOWED)
        {
            // Same outcome as "not found", so the result does not distinguish the two
            result = null;
        }

        return (result != null ? new TemplateNode(result, this.services, this.parent.getImageResolver()) : null);
    }

    StringBuilder xpath = new StringBuilder(path.length() << 1);
    int count = 0;
    // Sized before the loop consumes any token
    QueryParameterDefinition[] params = new QueryParameterDefinition[t.countTokens()];
    DataTypeDefinition ddText =
        this.services.getDictionaryService().getDataType(DataTypeDefinition.TEXT);
    NamespaceService ns = this.services.getNamespaceService();
    while (t.hasMoreTokens())
    {
        if (xpath.length() != 0)
        {
            xpath.append('/');
        }
        String strCount = Integer.toString(count);
        // Only the counter is written into the XPath text; the name itself is bound as
        // the parameter cm:name<count>, so path segments are not concatenated into the query.
        xpath.append("*[@cm:name=$cm:name")
             .append(strCount)
             .append(']');
        params[count++] = new QueryParameterDefImpl(
                QName.createQName(NamespaceService.CONTENT_MODEL_PREFIX, "name" + strCount, ns),
                ddText,
                true,
                t.nextToken());
    }

    List<TemplateNode> nodes = getChildrenByXPath(xpath.toString(), params, true);

    // First match wins; null when the query returned nothing
    return (nodes.size() != 0) ? nodes.get(0) : null;
}
Example 17
Source File: AclDAOImpl.java From alfresco-repository with GNU Lesser General Public License v3.0 | 4 votes |
/**
 * Tests whether one ACL member row matches an access control entry pattern.
 * <p>
 * Every attribute of the pattern that is non-null must match the row; null attributes are
 * wildcards. A pattern position of zero or more requires the row position to equal
 * {@code position}; a pattern position of -1 requires the row position to be greater than
 * {@code position}.
 *
 * @param aclCrudDAO used to resolve the pattern's permission to its id
 * @param result the row, read through the keys "allowed", "applies", "authority",
 *            "permissionId" and "pos"
 * @param position the position to compare the row position against
 * @param pattern the pattern to match
 * @return true if the row matches the pattern
 * @throws IllegalArgumentException if the pattern carries a context
 */
private boolean checkPattern(AclCrudDAO aclCrudDAO, Map<String, Object> result, int position, AccessControlEntry pattern) {
    Boolean rowAllowed = (Boolean) result.get("allowed");
    Integer rowAceType = (Integer) result.get("applies");
    String rowAuthority = (String) result.get("authority");
    Long rowPermissionId = (Long) result.get("permissionId");
    Integer rowPosition = (Integer) result.get("pos");

    if (pattern.getAccessStatus() != null
            && pattern.getAccessStatus() != (rowAllowed ? AccessStatus.ALLOWED : AccessStatus.DENIED)) {
        return false;
    }

    if (pattern.getAceType() != null
            && pattern.getAceType() != ACEType.getACETypeFromId(rowAceType)) {
        return false;
    }

    // A wildcard authority type matches any row authority.
    if (pattern.getAuthority() != null
            && (pattern.getAuthorityType() != AuthorityType.WILDCARD)
            && !pattern.getAuthority().equals(rowAuthority)) {
        return false;
    }

    if (pattern.getContext() != null) {
        throw new IllegalArgumentException("Context not yet supported");
    }

    if (pattern.getPermission() != null) {
        Long wantedPermissionId = aclCrudDAO.getPermission(pattern.getPermission()).getId();
        if (!wantedPermissionId.equals(rowPermissionId)) {
            return false;
        }
    }

    if (pattern.getPosition() != null) {
        int wantedPosition = pattern.getPosition().intValue();
        if (wantedPosition >= 0) {
            if (rowPosition != position) {
                return false;
            }
        } else if (wantedPosition == -1) {
            if (rowPosition <= position) {
                return false;
            }
        }
    }

    return true;
}
Example 18
Source File: ScriptUtils.java From alfresco-repository with GNU Lesser General Public License v3.0 | 4 votes |
/**
 * Resolves a node reference string to a script node, choosing the locator from the shape
 * of the reference because the Node Locator Service cannot guess it.
 * <p>
 * Supported references, including 'virtual' nodes:
 * <p>
 * alfresco://company/home      The Company Home root node<br>
 * alfresco://user/home         The User Home node under Company Home<br>
 * alfresco://company/shared    The Shared node under Company Home<br>
 * alfresco://sites/home        The Sites home node under Company Home<br>
 * workspace://.../...          Any standard NodeRef<br>
 * /app:company_home/cm:...     XPath QName style node reference<br>
 * <p>
 * A standard NodeRef is returned only if the node exists and the caller has READ on it.
 * NOTE(review): the other forms go straight to the locator service with no check in this
 * method; confirm the locators enforce the caller's permissions.
 *
 * @param reference the node reference, in one of the forms listed above
 * @return ScriptNode representing the node, or null if it was not found or not readable
 * @throws IllegalArgumentException if {@code reference} is null
 */
public ScriptNode resolveNodeReference(final String reference) {
    if (reference == null) {
        throw new IllegalArgumentException("Node 'reference' argument is mandatory.");
    }

    final NodeLocatorService locatorService = this.services.getNodeLocatorService();

    NodeRef nodeRef = null;
    if ("alfresco://company/home".equals(reference)) {
        nodeRef = locatorService.getNode(CompanyHomeNodeLocator.NAME, null, null);
    } else if ("alfresco://user/home".equals(reference)) {
        nodeRef = locatorService.getNode(UserHomeNodeLocator.NAME, null, null);
    } else if ("alfresco://company/shared".equals(reference)) {
        nodeRef = locatorService.getNode(SharedHomeNodeLocator.NAME, null, null);
    } else if ("alfresco://sites/home".equals(reference)) {
        nodeRef = locatorService.getNode(SitesHomeNodeLocator.NAME, null, null);
    } else if (reference.indexOf("://") > 0) {
        // Standard NodeRef: a missing node and an unreadable node both leave nodeRef null.
        NodeRef candidate = new NodeRef(reference);
        boolean exists = this.services.getNodeService().exists(candidate);
        if (exists
                && this.services.getPermissionService().hasPermission(candidate, PermissionService.READ) == AccessStatus.ALLOWED) {
            nodeRef = candidate;
        }
    } else if (reference.startsWith("/")) {
        // XPath style reference: handed to the XPath locator as its query parameter.
        final Map<String, Serializable> params = new HashMap<>(1, 1.0f);
        params.put(XPathNodeLocator.QUERY_KEY, reference);
        nodeRef = locatorService.getNode(XPathNodeLocator.NAME, null, params);
    }

    if (nodeRef == null) {
        return null;
    }
    return (ScriptNode) new ValueConverter().convertValueForScript(this.services, getScope(), null, nodeRef);
}
Example 19
Source File: AffirmativeBasedAccessDecisionManger.java From alfresco-repository with GNU Lesser General Public License v3.0 | 4 votes |
/**
 * Polls the decision voters for a pre-invocation access decision.
 * <p>
 * The first voter that grants access decides the outcome as ALLOWED, even if an earlier
 * voter denied. If no voter grants and at least one denies, the result is DENIED. If every
 * voter abstains, the result follows {@code isAllowIfAllAbstainDecisions()}.
 *
 * @param object the secured object
 * @param attr the configuration attributes passed to each voter
 * @return ALLOWED or DENIED as described above
 */
public AccessStatus pre(Object object, ConfigAttributeDefinition attr) {
    boolean anyDenied = false;

    Iterator voters = this.getDecisionVoters().iterator();
    while (voters.hasNext()) {
        AccessDecisionVoter voter = (AccessDecisionVoter) voters.next();
        int vote = voter.vote(AuthenticationUtil.getFullAuthentication(), object, attr);

        if (vote == AccessDecisionVoter.ACCESS_GRANTED) {
            return AccessStatus.ALLOWED;
        }
        if (vote == AccessDecisionVoter.ACCESS_DENIED) {
            anyDenied = true;
        }
        // Any other value is an abstention and is ignored.
    }

    if (anyDenied) {
        return AccessStatus.DENIED;
    }

    // To get this far, every AccessDecisionVoter abstained.
    // NOTE(review): with allowIfAllAbstainDecisions enabled this is a fail-open outcome.
    return this.isAllowIfAllAbstainDecisions() ? AccessStatus.ALLOWED : AccessStatus.DENIED;
}
Example 20
Source File: PreferenceServiceImpl.java From alfresco-repository with GNU Lesser General Public License v3.0 | 3 votes |
/**
 * Tests whether the currently authenticated user may write the preferences of the given
 * user.
 * <p>
 * Writing is allowed when the current user is that user (by name, or by the identifier the
 * person service reports for both names), is the system user, or has WRITE permission on
 * the person node. The checks run in that order and stop at the first that succeeds.
 *
 * @param userName username owning the preferences to be modified
 * @param personNodeRef non-null person node for the given username
 * @return true if the current user may write the preferences, false otherwise
 */
private boolean userCanWritePreferences(final String userName, final NodeRef personNodeRef) {
    final String currentUserName = AuthenticationUtil.getFullyAuthenticatedUser();

    if (userName.equals(currentUserName)) {
        return true;
    }
    // Same person under a differently written user name
    if (personService.getUserIdentifier(userName).equals(personService.getUserIdentifier(currentUserName))) {
        return true;
    }
    if (authenticationContext.isSystemUserName(currentUserName)) {
        return true;
    }
    return permissionService.hasPermission(personNodeRef, PermissionService.WRITE) == AccessStatus.ALLOWED;
}