Source code

001/*
002 * (C) Copyright 2018 Nuxeo (http://nuxeo.com/) and others.
003 *
004 * Licensed under the Apache License, Version 2.0 (the "License");
005 * you may not use this file except in compliance with the License.
006 * You may obtain a copy of the License at
007 *
008 *     http://www.apache.org/licenses/LICENSE-2.0
009 *
010 * Unless required by applicable law or agreed to in writing, software
011 * distributed under the License is distributed on an "AS IS" BASIS,
012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013 * See the License for the specific language governing permissions and
014 * limitations under the License.
015 *
016 * Contributors:
017 *     Antoine Taillefer <[email protected]>
018 */
019package org.nuxeo.wopi.lock;
020
021import org.apache.logging.log4j.LogManager;
022import org.apache.logging.log4j.Logger;
023import org.nuxeo.ecm.core.api.NuxeoPrincipal;
024import org.nuxeo.ecm.core.api.security.ACP;
025import org.nuxeo.ecm.core.api.security.Access;
026import org.nuxeo.ecm.core.model.Document;
027import org.nuxeo.ecm.core.security.LockSecurityPolicy;
028
029/**
030 * Security policy to allow collaborative edition with WOPI.
031 * <p>
032 * See <a href="https://wopi.readthedocs.io/en/latest/scenarios/coauth.html">Co-authoring using Office Online</a>.
033 * <p>
034 * Unlike the standard {@link LockSecurityPolicy}, even if the document is locked by someone else, the WRITE permission
035 * is not blocked if a WOPI lock exists for the document and the request originated from a WOPI client.
036 * <p>
037 * This handles the case of multiple users editing a document at the same time in Office Online, which is considered by
038 * the Nuxeo WOPI host as a single WOPI client.
039 *
040 * @since 10.3
041 */
042public class WOPILockSecurityPolicy extends LockSecurityPolicy {
043
044    private static final Logger log = LogManager.getLogger(WOPILockSecurityPolicy.class);
045
046    @Override
047    public Access checkPermission(Document doc, ACP mergedAcp, NuxeoPrincipal principal, String permission,
048            String[] resolvedPermissions, String[] additionalPrincipals) {
049        Access access = super.checkPermission(doc, mergedAcp, principal, permission, resolvedPermissions,
050                additionalPrincipals);
051        String repositoryName = doc.getSession().getRepositoryName();
052        String docUUID = doc.getUUID();
053        if (Access.DENY.equals(access) && LockHelper.isLocked(repositoryName, docUUID) && LockHelper.isWOPIRequest()) {
054            // locked by another user but WOPI lock and WOPI request, don't block
055            log.debug(
056                    "Security: repository={} docId={} user={} Document is locked by another user but it has a WOPI lock and the current user belongs to a WOPI session, don't block WRITE permission",
057                    repositoryName, docUUID, principal);
058            return Access.UNKNOWN;
059        }
060        return access;
061    }
062
063}