Package org.apache.jackrabbit.core.security.authorization

Examples of org.apache.jackrabbit.core.security.authorization.PrivilegeBits


        without taking the given target name or target item into account.
        */
        int allows = Permission.NONE;
        int denies = Permission.NONE;

        PrivilegeBits allowBits = PrivilegeBits.getInstance();
        PrivilegeBits denyBits = PrivilegeBits.getInstance();
        PrivilegeBits parentAllowBits = PrivilegeBits.getInstance();
        PrivilegeBits parentDenyBits = PrivilegeBits.getInstance();

        String parentPath = Text.getRelativeParent(filter.getPath(), 1);
        NodeId nodeId = (node == null) ? null : node.getNodeId();

        while (entries.hasNext()) {
            Entry ace = entries.next();
            /*
            Determine if the ACE also takes effect on the parent:
            Some permissions (e.g. add-node or removal) must be determined
            from privileges defined for the parent.
            A 'local' entry defined on the target node never effects the
            parent. For inherited ACEs determine if the ACE matches the
            parent path.
            */
            PrivilegeBits entryBits = ace.getPrivilegeBits();
            boolean isLocal = isExistingNode && ace.isLocal(nodeId);
            boolean matchesParent = (!isLocal && ace.matches(parentPath));
            if (matchesParent) {
                if (ace.isAllow()) {
                    parentAllowBits.addDifference(entryBits, parentDenyBits);
View Full Code Here


                        // remove the existing entry and create a new one that
                        // includes both the new privileges and the existing ones.
                        entries.remove(e);

                        PrivilegeBits mergedBits = PrivilegeBits.getInstance(e.getPrivilegeBits());
                        mergedBits.add(entry.getPrivilegeBits());
                       
                        // omit validation check.
                        entry = new Entry(entry, mergedBits, entry.isAllow());
                    } else {
                        complementEntry = e;
                    }
                }
            }

            // make sure, that the complement entry (if existing) does not
            // grant/deny the same privileges -> remove privileges that are now
            // denied/granted.
            if (complementEntry != null) {

                PrivilegeBits complPrivs = complementEntry.getPrivilegeBits();
                PrivilegeBits diff = PrivilegeBits.getInstance(complPrivs);
                diff.diff(entry.getPrivilegeBits());
               
                if (diff.isEmpty()) {
                    // remove the complement entry as the new entry covers
                    // all privileges granted by the existing entry.
                    entries.remove(complementEntry);
                    updateIndex--;

                } else if (!diff.equals(complPrivs)) {
                    // replace the existing entry having the privileges adjusted
                    int index = entries.indexOf(complementEntry);
                    entries.remove(complementEntry);

                    // combine set of new builtin and custom privileges
View Full Code Here

        without taking the given target name or target item into account.
        */
        int allows = Permission.NONE;
        int denies = Permission.NONE;

        PrivilegeBits allowBits = PrivilegeBits.getInstance();
        PrivilegeBits denyBits = PrivilegeBits.getInstance();
        PrivilegeBits parentAllowBits = PrivilegeBits.getInstance();
        PrivilegeBits parentDenyBits = PrivilegeBits.getInstance();

        String parentPath = Text.getRelativeParent(filter.getPath(), 1);
        NodeId nodeId = (node == null) ? null : node.getNodeId();

        while (entries.hasNext()) {
            ACLTemplate.Entry ace = (ACLTemplate.Entry) entries.next();
            /*
            Determine if the ACE also takes effect on the parent:
            Some permissions (e.g. add-node or removal) must be determined
            from privileges defined for the parent.
            A 'local' entry defined on the target node never effects the
            parent. For inherited ACEs determine if the ACE matches the
            parent path.
            */
            PrivilegeBits entryBits = ace.getPrivilegeBits();
            boolean isLocal = isExistingNode && ace.isLocal(nodeId);
            boolean matchesParent = (!isLocal && ace.matches(parentPath));
            if (matchesParent) {
                if (ace.isAllow()) {
                    parentAllowBits.addDifference(entryBits, parentDenyBits);
View Full Code Here

                        // remove the existing entry and create a new one that
                        // includes both the new privileges and the existing ones.
                        entries.remove(e);

                        PrivilegeBits mergedBits = PrivilegeBits.getInstance(e.getPrivilegeBits());
                        mergedBits.add(entry.getPrivilegeBits());
                       
                        // omit validation check.
                        entry = new Entry(entry, mergedBits, entry.isAllow());
                    } else {
                        complementEntry = e;
                    }
                }
            }

            // make sure, that the complement entry (if existing) does not
            // grant/deny the same privileges -> remove privileges that are now
            // denied/granted.
            if (complementEntry != null) {

                PrivilegeBits complPrivs = complementEntry.getPrivilegeBits();
                PrivilegeBits diff = PrivilegeBits.getInstance(complPrivs);
                diff.diff(entry.getPrivilegeBits());
               
                if (diff.isEmpty()) {
                    // remove the complement entry as the new entry covers
                    // all privileges granted by the existing entry.
                    entries.remove(complementEntry);
                    updateIndex--;

                } else if (!diff.equals(complPrivs)) {
                    // replace the existing entry having the privileges adjusted
                    int index = entries.indexOf(complementEntry);
                    entries.remove(complementEntry);

                    // combine set of new builtin and custom privileges
View Full Code Here

        private Result buildResult(String targetPath,
                                   boolean isAcItem) throws RepositoryException {
            int allows = Permission.NONE;
            int denies = Permission.NONE;

            PrivilegeBits allowBits = PrivilegeBits.getInstance();
            PrivilegeBits denyBits = PrivilegeBits.getInstance();
            PrivilegeBits parentAllowBits = PrivilegeBits.getInstance();
            PrivilegeBits parentDenyBits = PrivilegeBits.getInstance();

            String parentPath = Text.getRelativeParent(targetPath, 1);
            for (AccessControlEntry entry : entries) {
                if (!(entry instanceof ACLTemplate.Entry)) {
                    log.warn("Unexpected AccessControlEntry instance -> ignore");
                    continue;
                }
                ACLTemplate.Entry entr = (ACLTemplate.Entry) entry;
                PrivilegeBits privs = entr.getPrivilegeBits();

                if (!"".equals(parentPath) && entr.matches(parentPath)) {
                    if (entr.isAllow()) {
                        parentAllowBits.addDifference(privs, parentDenyBits);
                    } else {
View Full Code Here

            // no explicit denied permissions:
            int denies = Permission.NONE;
            // default allow permission and default privileges
            int allows = Permission.READ;
            PrivilegeBits privs;
            // Determine if for path, the set of privileges must be calculated:
            // Generally, privileges can only be determined for existing nodes.
            String jcrPath = session.getJCRPath(path.getNormalizedPath());
            boolean calcPrivs = session.nodeExists(jcrPath);
            if (calcPrivs) {
                privs = getPrivilegeBits(Privilege.JCR_READ);
            } else {
                privs = PrivilegeBits.EMPTY;
            }

            if (Text.isDescendant(usersPath, jcrPath)) {
                boolean isUserAdmin = containsGroup(principals, userAdminGroup);
                /*
                 below the user-tree
                 - determine position of target relative to the editing user
                 - target may not be below an existing user but only below an
                   authorizable folder.
                 - determine if the editing user is user-admin
                 */
                NodeImpl node = (NodeImpl) getExistingNode(path);
                if (node.isNodeType(NT_REP_AUTHORIZABLE_FOLDER)) {
                    // an authorizable folder -> must be user admin in order
                    // to have permission to write.
                    if (isUserAdmin) {
                        allows |= (Permission.ADD_NODE | Permission.REMOVE_NODE | Permission.SET_PROPERTY | Permission.REMOVE_PROPERTY | Permission.NODE_TYPE_MNGMT);
                        if (calcPrivs) {
                            // grant WRITE privilege
                            // note: ac-read/modification is not included
                            privs = assertModifiable(privs);
                            privs.add(getPrivilegeBits(PrivilegeRegistry.REP_WRITE));
                        }
                    }
                } else {
                    // rep:User node or some other custom node below an existing user.
                    // as the authorizable folder doesn't allow other residual
                    // child nodes.
                    boolean editingOwnUser = node.isSame(userNode);
                    if (editingOwnUser) {
                        // user can only read && write his own props
                        allows |= (Permission.SET_PROPERTY | Permission.REMOVE_PROPERTY);
                        if (calcPrivs) {
                            privs = assertModifiable(privs);
                            privs.add(getPrivilegeBits(Privilege.JCR_MODIFY_PROPERTIES));
                        }
                    } else if (isUserAdmin) {
                        allows |= (Permission.ADD_NODE | Permission.REMOVE_NODE | Permission.SET_PROPERTY | Permission.REMOVE_PROPERTY | Permission.NODE_TYPE_MNGMT);
                        if (calcPrivs) {
                            // grant WRITE privilege
                            // note: ac-read/modification is not included
                            privs = assertModifiable(privs);
                            privs.add(getPrivilegeBits(PrivilegeRegistry.REP_WRITE));
                        }
                    } // else: normal user that isn't allowed to modify another user.
                }
            } else if (Text.isDescendant(groupsPath, jcrPath)) {
                boolean isGroupAdmin = containsGroup(principals, groupAdminGroup);
                /*
                below group-tree:
                - test if the user is group-administrator.
                - make sure group-admin cannot modify user-admin or administrators
                - ... and cannot remove itself.
                */
                if (isGroupAdmin) {
                    if (!jcrPath.startsWith(administratorsGroupPath) &&
                            !jcrPath.startsWith(userAdminGroupPath)) {
                        if (jcrPath.equals(groupAdminGroupPath)) {
                            // no remove perm on group-admin node
                            allows |= (Permission.ADD_NODE | Permission.SET_PROPERTY | Permission.REMOVE_PROPERTY | Permission.NODE_TYPE_MNGMT);
                            if (calcPrivs) {
                                privs = assertModifiable(privs);
                                privs.add(getPrivilegeBits(Privilege.JCR_ADD_CHILD_NODES, Privilege.JCR_MODIFY_PROPERTIES, Privilege.JCR_NODE_TYPE_MANAGEMENT));
                            }
                        } else {
                            // complete write
                            allows |= (Permission.ADD_NODE | Permission.REMOVE_NODE | Permission.SET_PROPERTY | Permission.REMOVE_PROPERTY | Permission.NODE_TYPE_MNGMT);
                            if (calcPrivs) {
                                privs = assertModifiable(privs);
                                privs.add(getPrivilegeBits(PrivilegeRegistry.REP_WRITE));
                            }
                        }
                    }
                }
            } // else outside of user/group tree -> read only.
View Full Code Here

        // net-effect: 2 entries with the allow entry being adjusted
        assertTrue(pt.size() == 2);
        AccessControlEntry[] entries = pt.getAccessControlEntries();
        for (AccessControlEntry entry1 : entries) {
            ACLTemplate.Entry entry = (ACLTemplate.Entry) entry1;
            PrivilegeBits privs = entry.getPrivilegeBits();
            if (entry.isAllow()) {
                Privilege[] result = privilegesFromNames(new String[] {
                        Privilege.JCR_ADD_CHILD_NODES,
                        Privilege.JCR_NODE_TYPE_MANAGEMENT,
                        Privilege.JCR_REMOVE_CHILD_NODES,
                        Privilege.JCR_REMOVE_NODE});   
                PrivilegeBits bits = privilegeMgr.getBits(result);
                assertEquals(privs, bits);
            } else {
                assertEquals(privs, privilegeMgr.getBits(modProperties));
            }
        }
View Full Code Here

                        // remove the existing entry and create a new one that
                        // includes both the new privileges and the existing ones.
                        entries.remove(e);

                        PrivilegeBits mergedBits = PrivilegeBits.getInstance(e.getPrivilegeBits());
                        mergedBits.add(entry.getPrivilegeBits());
                       
                        // omit validation check.
                        entry = new Entry(entry, mergedBits, entry.isAllow());
                    } else {
                        complementEntry = e;
                    }
                }
            }

            // make sure, that the complement entry (if existing) does not
            // grant/deny the same privileges -> remove privileges that are now
            // denied/granted.
            if (complementEntry != null) {

                PrivilegeBits complPrivs = complementEntry.getPrivilegeBits();
                PrivilegeBits diff = PrivilegeBits.getInstance(complPrivs);
                diff.diff(entry.getPrivilegeBits());
               
                if (diff.isEmpty()) {
                    // remove the complement entry as the new entry covers
                    // all privileges granted by the existing entry.
                    entries.remove(complementEntry);
                    updateIndex--;

                } else if (!diff.equals(complPrivs)) {
                    // replace the existing entry having the privileges adjusted
                    int index = entries.indexOf(complementEntry);
                    entries.remove(complementEntry);

                    // combine set of new builtin and custom privileges
View Full Code Here

            // no explicit denied permissions:
            int denies = Permission.NONE;
            // default allow permission and default privileges
            int allows = Permission.READ;
            PrivilegeBits privs;
            // Determine if for path, the set of privileges must be calculated:
            // Generally, privileges can only be determined for existing nodes.
            String jcrPath = session.getJCRPath(path.getNormalizedPath());
            boolean calcPrivs = session.nodeExists(jcrPath);
            if (calcPrivs) {
                privs = getPrivilegeBits(Privilege.JCR_READ);
            } else {
                privs = PrivilegeBits.EMPTY;
            }

            if (Text.isDescendant(usersPath, jcrPath)) {
                boolean isUserAdmin = containsGroup(principals, userAdminGroup);
                /*
                 below the user-tree
                 - determine position of target relative to the editing user
                 - target may not be below an existing user but only below an
                   authorizable folder.
                 - determine if the editing user is user-admin
                 */
                NodeImpl node = (NodeImpl) getExistingNode(path);
                if (node.isNodeType(NT_REP_AUTHORIZABLE_FOLDER)) {
                    // an authorizable folder -> must be user admin in order
                    // to have permission to write.
                    if (isUserAdmin) {
                        allows |= (Permission.ADD_NODE | Permission.REMOVE_NODE | Permission.SET_PROPERTY | Permission.REMOVE_PROPERTY | Permission.NODE_TYPE_MNGMT);
                        if (calcPrivs) {
                            // grant WRITE privilege
                            // note: ac-read/modification is not included
                            privs = assertModifiable(privs);
                            privs.add(getPrivilegeBits(PrivilegeRegistry.REP_WRITE));
                        }
                    }
                } else {
                    // rep:User node or some other custom node below an existing user.
                    // as the authorizable folder doesn't allow other residual
                    // child nodes.
                    boolean editingOwnUser = node.isSame(userNode);
                    if (editingOwnUser) {
                        // user can only read && write his own props
                        allows |= (Permission.SET_PROPERTY | Permission.REMOVE_PROPERTY);
                        if (calcPrivs) {
                            privs = assertModifiable(privs);
                            privs.add(getPrivilegeBits(Privilege.JCR_MODIFY_PROPERTIES));
                        }
                    } else if (isUserAdmin) {
                        allows |= (Permission.ADD_NODE | Permission.REMOVE_NODE | Permission.SET_PROPERTY | Permission.REMOVE_PROPERTY | Permission.NODE_TYPE_MNGMT);
                        if (calcPrivs) {
                            // grant WRITE privilege
                            // note: ac-read/modification is not included
                            privs = assertModifiable(privs);
                            privs.add(getPrivilegeBits(PrivilegeRegistry.REP_WRITE));
                        }
                    } // else: normal user that isn't allowed to modify another user.
                }
            } else if (Text.isDescendant(groupsPath, jcrPath)) {
                boolean isGroupAdmin = containsGroup(principals, groupAdminGroup);
                /*
                below group-tree:
                - test if the user is group-administrator.
                - make sure group-admin cannot modify user-admin or administrators
                - ... and cannot remove itself.
                */
                if (isGroupAdmin) {
                    if (!jcrPath.startsWith(administratorsGroupPath) &&
                            !jcrPath.startsWith(userAdminGroupPath)) {
                        if (jcrPath.equals(groupAdminGroupPath)) {
                            // no remove perm on group-admin node
                            allows |= (Permission.ADD_NODE | Permission.SET_PROPERTY | Permission.REMOVE_PROPERTY | Permission.NODE_TYPE_MNGMT);
                            if (calcPrivs) {
                                privs = assertModifiable(privs);
                                privs.add(getPrivilegeBits(Privilege.JCR_ADD_CHILD_NODES, Privilege.JCR_MODIFY_PROPERTIES, Privilege.JCR_NODE_TYPE_MANAGEMENT));
                            }
                        } else {
                            // complete write
                            allows |= (Permission.ADD_NODE | Permission.REMOVE_NODE | Permission.SET_PROPERTY | Permission.REMOVE_PROPERTY | Permission.NODE_TYPE_MNGMT);
                            if (calcPrivs) {
                                privs = assertModifiable(privs);
                                privs.add(getPrivilegeBits(PrivilegeRegistry.REP_WRITE));
                            }
                        }
                    }
                }
            } // else outside of user/group tree -> read only.
View Full Code Here

     * target item into account.
     */
    int allows = Permission.NONE;
    int denies = Permission.NONE;

    PrivilegeBits allowBits = PrivilegeBits.getInstance();
    PrivilegeBits denyBits = PrivilegeBits.getInstance();
    PrivilegeBits parentAllowBits = PrivilegeBits.getInstance();
    PrivilegeBits parentDenyBits = PrivilegeBits.getInstance();

    String parentPath = Text.getRelativeParent( filter.getPath(), 1 );
    NodeId nodeId = ( node == null ) ? null : node.getNodeId();

    while ( entries.hasNext() ) {
      ACLTemplate.Entry ace = (ACLTemplate.Entry) entries.next();
      /*
       * Determine if the ACE also takes effect on the parent: Some permissions (e.g. add-node or removal) must be
       * determined from privileges defined for the parent. A 'local' entry defined on the target node never
       * effects the parent. For inherited ACEs determine if the ACE matches the parent path.
       */
      PrivilegeBits entryBits = ace.getPrivilegeBits();
      boolean isLocal = isExistingNode && ace.isLocal( nodeId );
      boolean matchesParent = ( !isLocal && ace.matches( parentPath ) );

      // check specific case: "Inherit permissions" may have been unchecked, and node operation permissions may
      // have been granted directly to the item ( thus not requiring having those permissions defined for the parent )
View Full Code Here

TOP

Related Classes of org.apache.jackrabbit.core.security.authorization.PrivilegeBits

Copyright © 2018 www.massapicom. All rights reserved.
All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.