org.nuxeo.ecm.core.api.security.impl

Class ACPImpl

java.lang.Object

org.nuxeo.ecm.core.api.security.impl.ACPImpl

All Implemented Interfaces:

Serializable, Cloneable, ACP

public class ACPImpl
extends Object
implements ACP

The ACP implementation uses a cache used when calling getAccess().

See Also:

Serialized Form

Field Summary

Fields

Modifier and Type	Field and Description
static String	LEGACY_BEHAVIOR_PROPERTY ConfigurationService property to enable legacy behavior.

Constructor Summary

Constructors

Constructor and Description
ACPImpl()

Method Summary

Modifier and Type	Method and Description
void	addAccessRule(String aclName, ACE ace)
boolean	addACE(String aclName, ACE ace) Add an ACE to the given aclName.
void	addACL(ACL acl) This method must append the ACL and not insert it since it is used to append the inherited ACL which is the less significant ACL.
void	addACL(int pos, ACL acl)
void	addACL(String afterMe, ACL acl)
boolean	blockInheritance(String aclName, String username) Block the inheritance on the given aclName.
ACPImpl	clone() Return a recursive copy of the ACP sharing no mutable substructure with the original
static Access	getAccess(ACE ace, String[] principals, String[] permissions)
Access	getAccess(String[] principals, String[] permissions) Checks the access on the ACLs for each set of the given permissions and principals.
Access	getAccess(String principal, String permission) Check whether this ACP grant the given permission on the given user, denies it or doesn't specify a rule.
ACL	getACL(String name)
ACL[]	getACLs()
ACL	getMergedACLs(String name)
ACL	getOrCreateACL()
ACL	getOrCreateACL(String name)
String[]	listUsernamesForAnyPermission(Set<String> perms) Returns the usernames granted to perform an operation based on a list of permissions.
static ACL	newACL(String name)
boolean	removeACE(String aclName, ACE ace) Remove an ACE on the given aclName.
boolean	removeACEsByUsername(String username) Remove all ACEs for username on the whole ACP.
boolean	removeACEsByUsername(String aclName, String username) Remove all ACEs for username on the given aclName.
ACL	removeACL(String name)
boolean	replaceACE(String aclName, ACE oldACE, ACE newACE) Replace the oldACE with newACE on the given aclName, only if the oldACE exists.
void	setRules(String aclName, UserEntry[] userEntries) Replaces the modifiable user entries (associated with the currentDocument) related to the ACP.
void	setRules(String aclName, UserEntry[] userEntries, boolean overwrite) Replaces the modifiable user entries (associated with the currentDocument) related to the ACP.
void	setRules(UserEntry[] userEntries) Replaces the modifiable user entries (associated with the currentDocument) related to the current ACP.
void	setRules(UserEntry[] userEntries, boolean overwrite) Replaces the modifiable user entries (associated with the currentDocument) related to the current ACP.
boolean	unblockInheritance(String aclName) Unblock the inheritance on the given aclName.
protected boolean	useLegacyBehavior()

Methods inherited from class java.lang.Object

equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

LEGACY_BEHAVIOR_PROPERTY

public static final String LEGACY_BEHAVIOR_PROPERTY

ConfigurationService property to enable legacy behavior.

Since:

10.2

See Also:

Constant Field Values

Constructor Detail

ACPImpl

public ACPImpl()

Method Detail

addACL

public void addACL(ACL acl)

This method must append the ACL and not insert it since it is used to append the inherited ACL which is the less significant ACL.

Specified by:

addACL in interface ACP

addACL

public void addACL(int pos,
                   ACL acl)

Specified by:

addACL in interface ACP

addACL

public void addACL(String afterMe,
                   ACL acl)

Specified by:

addACL in interface ACP

getACL

public ACL getACL(String name)

Specified by:

getACL in interface ACP

getACLs

public ACL[] getACLs()

Specified by:

getACLs in interface ACP

getMergedACLs

public ACL getMergedACLs(String name)

Specified by:

getMergedACLs in interface ACP

newACL

public static ACL newACL(String name)

removeACL

public ACL removeACL(String name)

Specified by:

removeACL in interface ACP

getAccess

public Access getAccess(String principal,
                        String permission)

Description copied from interface: ACP

Check whether this ACP grant the given permission on the given user, denies it or doesn't specify a rule.

This is checking only the ACLs on that ACP. Parents if any are not checked.

Specified by:

getAccess in interface ACP

Parameters:

principal - the principal to check

permission - the permission to check

Returns:

Access.GRANT if granted, Access.DENY if denied or Access.UNKNOWN if no rule for that permission exists. Never returns null.

getAccess

public Access getAccess(String[] principals,
                        String[] permissions)

Description copied from interface: ACP

Checks the access on the ACLs for each set of the given permissions and principals.

This differs for an iterative check using getAccess(String principal, String permission) in the order of checks - so that in this case each ACE is fully checked against the given users and permissions before passing to the next ACE.

Specified by:

getAccess in interface ACP

getAccess

public static Access getAccess(ACE ace,
                               String[] principals,
                               String[] permissions)

addAccessRule

public void addAccessRule(String aclName,
                          ACE ace)

getOrCreateACL

public ACL getOrCreateACL(String name)

Specified by:

getOrCreateACL in interface ACP

getOrCreateACL

public ACL getOrCreateACL()

Specified by:

getOrCreateACL in interface ACP

setRules

public void setRules(String aclName,
                     UserEntry[] userEntries)

Description copied from interface: ACP

Replaces the modifiable user entries (associated with the currentDocument) related to the ACP.

Considers that all the passed entries are modifiable and attempts to set them as entries related to the current document.

Specified by:

setRules in interface ACP

setRules

public void setRules(String aclName,
                     UserEntry[] userEntries,
                     boolean overwrite)

Description copied from interface: ACP

Replaces the modifiable user entries (associated with the currentDocument) related to the ACP.

Considers that all the passed entries are modifiable and attempts to set them as entries related to the current document.

Specified by:

setRules in interface ACP

overwrite - if true, will overwrite the whole ACL

setRules

public void setRules(UserEntry[] userEntries)

Description copied from interface: ACP

Replaces the modifiable user entries (associated with the currentDocument) related to the current ACP.

Considers that all the passed entries are modifiable and attempts to set them as local entries related to the current document.

Specified by:

setRules in interface ACP

setRules

public void setRules(UserEntry[] userEntries,
                     boolean overwrite)

Description copied from interface: ACP

Replaces the modifiable user entries (associated with the currentDocument) related to the current ACP.

Considers that all the passed entries are modifiable and attempts to set them as local entries related to the current document.

The current behavior reset completely the current ACL.

Specified by:

setRules in interface ACP

overwrite - if true, will overwrite the whole current ACL

listUsernamesForAnyPermission

public String[] listUsernamesForAnyPermission(Set<String> perms)

Description copied from interface: ACP

Returns the usernames granted to perform an operation based on a list of permissions.

Specified by:

listUsernamesForAnyPermission in interface ACP

Parameters:

perms - the list of permissions.

Returns:

a list of usernames

clone

public ACPImpl clone()

Description copied from interface: ACP

Return a recursive copy of the ACP sharing no mutable substructure with the original

Specified by:

clone in interface ACP

Overrides:

clone in class Object

Returns:

a copy

blockInheritance

public boolean blockInheritance(String aclName,
                                String username)

Description copied from interface: ACP

Block the inheritance on the given aclName.

Specified by:

blockInheritance in interface ACP

username - the user blocking the inheritance

Returns:

true if the ACP was changed.

unblockInheritance

public boolean unblockInheritance(String aclName)

Description copied from interface: ACP

Unblock the inheritance on the given aclName.

Specified by:

unblockInheritance in interface ACP

Returns:

true if the ACP was changed.

addACE

public boolean addACE(String aclName,
                      ACE ace)

Description copied from interface: ACP

Add an ACE to the given aclName.

Specified by:

addACE in interface ACP

Returns:

true if the ACP was changed.

replaceACE

public boolean replaceACE(String aclName,
                          ACE oldACE,
                          ACE newACE)

Description copied from interface: ACP

Replace the oldACE with newACE on the given aclName, only if the oldACE exists.

The newACE keeps the same index as oldACE.

Specified by:

replaceACE in interface ACP

Returns:

true if the ACP was changed.

removeACE

public boolean removeACE(String aclName,
                         ACE ace)

Description copied from interface: ACP

Remove an ACE on the given aclName.

Specified by:

removeACE in interface ACP

Returns:

true if the ACP was changed.

removeACEsByUsername

public boolean removeACEsByUsername(String aclName,
                                    String username)

Description copied from interface: ACP

Remove all ACEs for username on the given aclName.

Specified by:

removeACEsByUsername in interface ACP

Returns:

true if the ACP was changed.

removeACEsByUsername

public boolean removeACEsByUsername(String username)

Description copied from interface: ACP

Remove all ACEs for username on the whole ACP.

Specified by:

removeACEsByUsername in interface ACP

Returns:

true if the ACP was changed.

useLegacyBehavior

protected boolean useLegacyBehavior()