Package org.nuxeo.ecm.core.api.security

Interface ACP

  • All Superinterfaces:
    Cloneable, Serializable
    All Known Implementing Classes:
    ACPImpl
    public interface ACP
extends Serializable, Cloneable
    Access control policy (ACP) control the permissions access on a resource.

    An ACP may contains several ACLs (access control list) identified by names.

    The list of ACLs is ordered so that when checking permissions the ACL are consulted in an ascending order. (The ACL on position 0 is consulted first).

    Every ACP has at least one ACL having the reserved name "local". This is the only user editable list (through the security UI).

    Other ACLs are used internally and are editable only through the API.

    Also an ACP may have a list named "inherited" that represents the ACLs inherited from the resource parents if any. These ACLs are merged in a single list that is always read only even through the API.

    Author:
    Bogdan Stefanescu, Julien Anguenot

    • Method Detail

      • getAccess

        Access getAccess​(String principal,
                 String permission)
        Check whether this ACP grant the given permission on the given user, denies it or doesn't specify a rule.

        This is checking only the ACLs on that ACP. Parents if any are not checked.

        Parameters:
        principal - the principal to check
        permission - the permission to check
        Returns:
        Access.GRANT if granted, Access.DENY if denied or Access.UNKNOWN if no rule for that permission exists. Never returns null.

      • getAccess

        Access getAccess​(String[] principals,
                 String[] permissions)
        Checks the access on the ACLs for each set of the given permissions and principals.

        This differs for an iterative check using getAccess(String principal, String permission) in the order of checks - so that in this case each ACE is fully checked against the given users and permissions before passing to the next ACE.

      • setRules

        void setRules​(UserEntry[] userEntries)
        Replaces the modifiable user entries (associated with the currentDocument) related to the current ACP.

        Considers that all the passed entries are modifiable and attempts to set them as local entries related to the current document.

      • setRules

        void setRules​(UserEntry[] userEntries,
              boolean overwrite)
        Replaces the modifiable user entries (associated with the currentDocument) related to the current ACP.

        Considers that all the passed entries are modifiable and attempts to set them as local entries related to the current document.

        The current behavior reset completely the current ACL.

        Parameters:
        overwrite - if true, will overwrite the whole current ACL

      • setRules

        void setRules​(String aclName,
              UserEntry[] userEntries)
        Replaces the modifiable user entries (associated with the currentDocument) related to the ACP.

        Considers that all the passed entries are modifiable and attempts to set them as entries related to the current document.

      • setRules

        void setRules​(String aclName,
              UserEntry[] userEntries,
              boolean overwrite)
        Replaces the modifiable user entries (associated with the currentDocument) related to the ACP.

        Considers that all the passed entries are modifiable and attempts to set them as entries related to the current document.

        Parameters:
        overwrite - if true, will overwrite the whole ACL

      • addACL

        void addACL​(ACL acl)

      • addACL

        void addACL​(int pos,
            ACL acl)

      • getACLs

        ACL[] getACLs()

      • getMergedACLs

        ACL getMergedACLs​(String name)

      • getOrCreateACL

        ACL getOrCreateACL​(String name)

      • getOrCreateACL

        ACL getOrCreateACL()

      • listUsernamesForAnyPermission

        @Deprecated
String[] listUsernamesForAnyPermission​(Set<String> perms)
        Deprecated.
        since 5.4.2 Use the method from UserManager service getUsersForPermission instead
        Returns the usernames granted to perform an operation based on a list of permissions.
        Parameters:
        perms - the list of permissions.
        Returns:
        a list of usernames

      • clone

        ACP clone()
        Return a recursive copy of the ACP sharing no mutable substructure with the original
        Returns:
        a copy

      • blockInheritance

        boolean blockInheritance​(String aclName,
                         String username)
        Block the inheritance on the given aclName.
        Parameters:
        username - the user blocking the inheritance
        Returns:
        true if the ACP was changed.
        Since:
        7.4

      • unblockInheritance

        boolean unblockInheritance​(String aclName)
        Unblock the inheritance on the given aclName.
        Returns:
        true if the ACP was changed.
        Since:
        7.4

      • addACE

        boolean addACE​(String aclName,
               ACE ace)
        Add an ACE to the given aclName.
        Returns:
        true if the ACP was changed.
        Since:
        7.4

      • replaceACE

        boolean replaceACE​(String aclName,
                   ACE oldACE,
                   ACE newACE)
        Replace the oldACE with newACE on the given aclName, only if the oldACE exists.

        The newACE keeps the same index as oldACE.

        Returns:
        true if the ACP was changed.
        Since:
        7.4

      • removeACE

        boolean removeACE​(String aclName,
                  ACE ace)
        Remove an ACE on the given aclName.
        Returns:
        true if the ACP was changed.
        Since:
        7.4

      • removeACEsByUsername

        boolean removeACEsByUsername​(String aclName,
                             String username)
        Remove all ACEs for username on the given aclName.
        Returns:
        true if the ACP was changed.
        Since:
        7.4

      • removeACEsByUsername

        boolean removeACEsByUsername​(String username)
        Remove all ACEs for username on the whole ACP.
        Returns:
        true if the ACP was changed.
        Since:
        7.4

      • replacePermission

        void replacePermission​(String oldPerm,
                       String newPerm)
        Replaces a permission with another in this ACP.
        Parameters:
        oldPerm - the old permission
        newPerm - the new permission
        Since:
        11.3