Package org.apache.jackrabbit.core.security.authorization

Examples of org.apache.jackrabbit.core.security.authorization.PrivilegeBits$UnmodifiableData


                        // remove the existing entry and create a new one that
                        // includes both the new privileges and the existing ones.
                        entries.remove(e);

                        PrivilegeBits mergedBits = PrivilegeBits.getInstance(e.getPrivilegeBits());
                        mergedBits.add(entry.getPrivilegeBits());
                       
                        // omit validation check.
                        entry = new Entry(entry, mergedBits, entry.isAllow());
                    } else {
                        complementEntry = e;
                    }
                }
            }

            // make sure, that the complement entry (if existing) does not
            // grant/deny the same privileges -> remove privileges that are now
            // denied/granted.
            if (complementEntry != null) {

                PrivilegeBits complPrivs = complementEntry.getPrivilegeBits();
                PrivilegeBits diff = PrivilegeBits.getInstance(complPrivs);
                diff.diff(entry.getPrivilegeBits());
               
                if (diff.isEmpty()) {
                    // remove the complement entry as the new entry covers
                    // all privileges granted by the existing entry.
                    entries.remove(complementEntry);
                    updateIndex--;

                } else if (!diff.equals(complPrivs)) {
                    // replace the existing entry having the privileges adjusted
                    int index = entries.indexOf(complementEntry);
                    entries.remove(complementEntry);

                    // combine set of new builtin and custom privileges
View Full Code Here


            // no explicit denied permissions:
            int denies = Permission.NONE;
            // default allow permission and default privileges
            int allows = Permission.READ;
            PrivilegeBits privs;
            // Determine if for path, the set of privileges must be calculated:
            // Generally, privileges can only be determined for existing nodes.
            String jcrPath = session.getJCRPath(path.getNormalizedPath());
            boolean calcPrivs = session.nodeExists(jcrPath);
            if (calcPrivs) {
                privs = getPrivilegeBits(Privilege.JCR_READ);
            } else {
                privs = PrivilegeBits.EMPTY;
            }

            if (Text.isDescendant(usersPath, jcrPath)) {
                boolean isUserAdmin = containsGroup(principals, userAdminGroup);
                /*
                 below the user-tree
                 - determine position of target relative to the editing user
                 - target may not be below an existing user but only below an
                   authorizable folder.
                 - determine if the editing user is user-admin
                 */
                NodeImpl node = (NodeImpl) getExistingNode(path);
                if (node.isNodeType(NT_REP_AUTHORIZABLE_FOLDER)) {
                    // an authorizable folder -> must be user admin in order
                    // to have permission to write.
                    if (isUserAdmin) {
                        allows |= (Permission.ADD_NODE | Permission.REMOVE_NODE | Permission.SET_PROPERTY | Permission.REMOVE_PROPERTY | Permission.NODE_TYPE_MNGMT);
                        if (calcPrivs) {
                            // grant WRITE privilege
                            // note: ac-read/modification is not included
                            privs = assertModifiable(privs);
                            privs.add(getPrivilegeBits(PrivilegeRegistry.REP_WRITE));
                        }
                    }
                } else {
                    // rep:User node or some other custom node below an existing user.
                    // as the authorizable folder doesn't allow other residual
                    // child nodes.
                    boolean editingOwnUser = node.isSame(userNode);
                    if (editingOwnUser) {
                        // user can only read && write his own props
                        allows |= (Permission.SET_PROPERTY | Permission.REMOVE_PROPERTY);
                        if (calcPrivs) {
                            privs = assertModifiable(privs);
                            privs.add(getPrivilegeBits(Privilege.JCR_MODIFY_PROPERTIES));
                        }
                    } else if (isUserAdmin) {
                        allows |= (Permission.ADD_NODE | Permission.REMOVE_NODE | Permission.SET_PROPERTY | Permission.REMOVE_PROPERTY | Permission.NODE_TYPE_MNGMT);
                        if (calcPrivs) {
                            // grant WRITE privilege
                            // note: ac-read/modification is not included
                            privs = assertModifiable(privs);
                            privs.add(getPrivilegeBits(PrivilegeRegistry.REP_WRITE));
                        }
                    } // else: normal user that isn't allowed to modify another user.
                }
            } else if (Text.isDescendant(groupsPath, jcrPath)) {
                boolean isGroupAdmin = containsGroup(principals, groupAdminGroup);
                /*
                below group-tree:
                - test if the user is group-administrator.
                - make sure group-admin cannot modify user-admin or administrators
                - ... and cannot remove itself.
                */
                if (isGroupAdmin) {
                    if (!jcrPath.startsWith(administratorsGroupPath) &&
                            !jcrPath.startsWith(userAdminGroupPath)) {
                        if (jcrPath.equals(groupAdminGroupPath)) {
                            // no remove perm on group-admin node
                            allows |= (Permission.ADD_NODE | Permission.SET_PROPERTY | Permission.REMOVE_PROPERTY | Permission.NODE_TYPE_MNGMT);
                            if (calcPrivs) {
                                privs = assertModifiable(privs);
                                privs.add(getPrivilegeBits(Privilege.JCR_ADD_CHILD_NODES, Privilege.JCR_MODIFY_PROPERTIES, Privilege.JCR_NODE_TYPE_MANAGEMENT));
                            }
                        } else {
                            // complete write
                            allows |= (Permission.ADD_NODE | Permission.REMOVE_NODE | Permission.SET_PROPERTY | Permission.REMOVE_PROPERTY | Permission.NODE_TYPE_MNGMT);
                            if (calcPrivs) {
                                privs = assertModifiable(privs);
                                privs.add(getPrivilegeBits(PrivilegeRegistry.REP_WRITE));
                            }
                        }
                    }
                }
            } // else outside of user/group tree -> read only.
View Full Code Here

TOP

Related Classes of org.apache.jackrabbit.core.security.authorization.PrivilegeBits$UnmodifiableData

Copyright © 2018 www.massapicom. All rights reserved.
All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.