// no explicit denied permissions:
int denies = Permission.NONE;
// default allow permission and default privileges
int allows = Permission.READ;
PrivilegeBits privs;
// Determine if for path, the set of privileges must be calculated:
// Generally, privileges can only be determined for existing nodes.
String jcrPath = session.getJCRPath(path.getNormalizedPath());
boolean calcPrivs = session.nodeExists(jcrPath);
if (calcPrivs) {
privs = getPrivilegeBits(Privilege.JCR_READ);
} else {
privs = PrivilegeBits.EMPTY;
}
if (Text.isDescendant(usersPath, jcrPath)) {
boolean isUserAdmin = containsGroup(principals, userAdminGroup);
/*
below the user-tree
- determine position of target relative to the editing user
- target may not be below an existing user but only below an
authorizable folder.
- determine if the editing user is user-admin
*/
NodeImpl node = (NodeImpl) getExistingNode(path);
if (node.isNodeType(NT_REP_AUTHORIZABLE_FOLDER)) {
// an authorizable folder -> must be user admin in order
// to have permission to write.
if (isUserAdmin) {
allows |= (Permission.ADD_NODE | Permission.REMOVE_NODE | Permission.SET_PROPERTY | Permission.REMOVE_PROPERTY | Permission.NODE_TYPE_MNGMT);
if (calcPrivs) {
// grant WRITE privilege
// note: ac-read/modification is not included
privs.add(getPrivilegeBits(PrivilegeRegistry.REP_WRITE));
}
}
} else {
// rep:User node or some other custom node below an existing user.
// as the authorizable folder doesn't allow other residual
// child nodes.
boolean editingOwnUser = node.isSame(userNode);
if (editingOwnUser) {
// user can only read && write his own props
allows |= (Permission.SET_PROPERTY | Permission.REMOVE_PROPERTY);
if (calcPrivs) {
privs.add(getPrivilegeBits(Privilege.JCR_MODIFY_PROPERTIES));
}
} else if (isUserAdmin) {
allows |= (Permission.ADD_NODE | Permission.REMOVE_NODE | Permission.SET_PROPERTY | Permission.REMOVE_PROPERTY | Permission.NODE_TYPE_MNGMT);
if (calcPrivs) {
// grant WRITE privilege
// note: ac-read/modification is not included
privs.add(getPrivilegeBits(PrivilegeRegistry.REP_WRITE));
}
} // else: normal user that isn't allowed to modify another user.
}
} else if (Text.isDescendant(groupsPath, jcrPath)) {
boolean isGroupAdmin = containsGroup(principals, groupAdminGroup);
/*
below group-tree:
- test if the user is group-administrator.
- make sure group-admin cannot modify user-admin or administrators
- ... and cannot remove itself.
*/
if (isGroupAdmin) {
if (!jcrPath.startsWith(administratorsGroupPath) &&
!jcrPath.startsWith(userAdminGroupPath)) {
if (jcrPath.equals(groupAdminGroupPath)) {
// no remove perm on group-admin node
allows |= (Permission.ADD_NODE | Permission.SET_PROPERTY | Permission.REMOVE_PROPERTY | Permission.NODE_TYPE_MNGMT);
if (calcPrivs) {
privs.add(getPrivilegeBits(Privilege.JCR_ADD_CHILD_NODES, Privilege.JCR_MODIFY_PROPERTIES, Privilege.JCR_NODE_TYPE_MANAGEMENT));
}
} else {
// complete write
allows |= (Permission.ADD_NODE | Permission.REMOVE_NODE | Permission.SET_PROPERTY | Permission.REMOVE_PROPERTY | Permission.NODE_TYPE_MNGMT);
if (calcPrivs) {
privs.add(getPrivilegeBits(PrivilegeRegistry.REP_WRITE));
}
}
}
}
} // else outside of user/group tree -> read only.