Examples of org.pentaho.platform.api.engine.IAuthorizationPolicy

• org.pentaho.platform.api.engine.IAuthorizationPolicy
  An access control policy.

  Reponsible for determining if access to a given action should be allowed or denied. A implementation could be one based on roles, as is done in the Servlet specification. (In other words, if the policy has an association between the given action and a role that has been granted to the user, then the decision will be to allow.)

  @author mlowery

    }
    return Response.ok( responseBody, MediaType.TEXT_HTML ).build();
  }

  private void validateAccess() throws PentahoAccessControlException {
    IAuthorizationPolicy policy = PentahoSystem.get( IAuthorizationPolicy.class );
    boolean isAdmin =
        policy.isAllowed( RepositoryReadAction.NAME ) && policy.isAllowed( RepositoryCreateAction.NAME )
            && ( policy.isAllowed( AdministerSecurityAction.NAME ) || policy.isAllowed( PublishAction.NAME ) );
    if ( !isAdmin ) {
      throw new PentahoAccessControlException( "Access Denied" );
    }
  }

      throw new WebApplicationException( t );
    }
  }

  private boolean canAdminister() {
    IAuthorizationPolicy policy = PentahoSystem.get( IAuthorizationPolicy.class );
    return policy.isAllowed( RepositoryReadAction.NAME ) && policy.isAllowed( RepositoryCreateAction.NAME )
        && ( policy.isAllowed( AdministerSecurityAction.NAME ) );
  }

  }


  private List<AclMethod> getAcl(String file, boolean folder) {
    List<AclMethod> acls = new ArrayList<AclMethod>();
      IAuthorizationPolicy policy = PentahoSystem.get( IAuthorizationPolicy.class );
    boolean isAdmin = policy.isAllowed( AdministerSecurityAction.NAME );
    IUserContentAccess access = contentAccessFactory.getUserContentAccess(null);
    if (access.fileExists(file)) {
      acls.add(AclMethod.READ);
      if (isAdmin || access.hasAccess(file, FileAccess.WRITE)) {
        acls.add(AclMethod.WRITE);

    RepositoryFileTree tree = repo.getTree( repositoryRequest );

    // Filter system folders from non-admin users.
    // PDI uses this web-service and system folders must be returned to admin repository database connections.
    List<RepositoryFileTree> files = new ArrayList<RepositoryFileTree>();
    IAuthorizationPolicy policy = PentahoSystem.get( IAuthorizationPolicy.class );
    boolean isAdmin = policy.isAllowed( AdministerSecurityAction.NAME );
    for ( RepositoryFileTree file : tree.getChildren() ) {
      Map<String, Serializable> fileMeta = repo.getFileMetadata( file.getFile().getId() );
      boolean isSystemFolder =
          fileMeta.containsKey( IUnifiedRepository.SYSTEM_FOLDER ) ? (Boolean) fileMeta
              .get( IUnifiedRepository.SYSTEM_FOLDER ) : false;

      }
    }
  }

  protected void validateEtcReadAccess( String path ) {
    IAuthorizationPolicy policy = PentahoSystem.get( IAuthorizationPolicy.class );
    boolean isAdmin = policy.isAllowed( AdministerSecurityAction.NAME );
    if ( !isAdmin && path.startsWith( "/etc" ) ) {
      throw new RuntimeException( "This user is not allowed to access the ETC folder in JCR." );
    }
  }

    targetNamespace = "http://www.pentaho.org/ws/1.0" )
public class AuthorizationPolicyBasedUserRoleWebService extends UserRoleWebService {

  @Override
  protected boolean isAdmin() {
    IAuthorizationPolicy policy = PentahoSystem.get( IAuthorizationPolicy.class );
    if ( policy == null ) {
      throw new IllegalStateException( Messages.getInstance().getString(
          "AuthorizationPolicyBasedUserRoleWebService.ERROR_0001_MISSING_AUTHZ_POLICY" ) ); //$NON-NLS-1$
    }
    return policy.isAllowed( AdministerSecurityAction.NAME ); //$NON-NLS-1$
  }

import org.pentaho.platform.security.policy.rolebased.actions.RepositoryCreateAction;
import org.pentaho.platform.security.policy.rolebased.actions.RepositoryReadAction;

public class SystemUtils {
  public static boolean canAdminister() {
    IAuthorizationPolicy policy = PentahoSystem.get( IAuthorizationPolicy.class );
    return policy.isAllowed( RepositoryReadAction.NAME ) && policy.isAllowed( RepositoryCreateAction.NAME )
        && ( policy.isAllowed( AdministerSecurityAction.NAME ) );
  }

    RepositoryDownloadWhitelist mockWhiteList = mock( RepositoryDownloadWhitelist.class );
    doReturn( mockWhiteList ).when( fileService ).getWhitelist();
    doReturn( false ).when( mockWhiteList ).accept( anyString() );

    IAuthorizationPolicy mockPolicy = mock( IAuthorizationPolicy.class );
    doReturn( mockPolicy ).when( fileService ).getPolicy();
    doReturn( false ).when( mockPolicy ).isAllowed( anyString() );

    try {
      fileService.doGetFileAsInline( "test" );

  @Test
  public void testDoGetFileOrDirAsDownload() throws Throwable {
    final String fileName = "mockFileName";

    IAuthorizationPolicy mockAuthPolicy = mock( IAuthorizationPolicy.class );
    doReturn( true ).when( mockAuthPolicy ).isAllowed( anyString() );

    BaseExportProcessor mockExportProcessor = mock( BaseExportProcessor.class );
    File mockExportFile = mock( File.class );
    ExportHandler mockExportHandler = mock( ExportHandler.class );

  }

  @Test
  public void testDoGetFileOrDirAsDownloadException() {
    // Test 1
    IAuthorizationPolicy mockAuthPolicy = mock( IAuthorizationPolicy.class );
    doReturn( false ).when( mockAuthPolicy ).isAllowed( anyString() );
    doReturn( mockAuthPolicy ).when( fileService ).getPolicy();

    try {
      FileService.DownloadFileWrapper wrapper =