Interface SecurityPolicy

    • Method Detail

      • checkPermission

        Access checkPermission​(Document doc,
                               ACP mergedAcp,
                               NuxeoPrincipal principal,
                               String permission,
                               String[] resolvedPermissions,
                               String[] additionalPrincipals)
        Checks given permission for doc and principal.

        Note that for the Browse permission, which is also implemented in SQL using getQueryTransformer(java.lang.String), a security policy must never bypass standard ACL access, it must only return DENY or UNKNOWN. Failing to do this would make direct access and queries behave differently.

        Parameters:
        doc - the document to check
        mergedAcp - merged ACP resolved for this document
        principal - principal to check
        permission - permission to check
        resolvedPermissions - permissions or groups of permissions containing permission
        Returns:
        access: GRANT, DENY, or UNKNOWN. When UNKNOWN is returned, following policies or default core security are applied.
      • isRestrictingPermission

        boolean isRestrictingPermission​(String permission)
        Checks if this policy is restricting the given permission.

        Queries check the BROWSE permission.

        Parameters:
        permission - the permission to check for
        Returns:
        true if the policy restricts the permission
      • isExpressibleInQuery

        boolean isExpressibleInQuery​(String repositoryName)
        Checks if this policy can be expressed in a query for given repository.

        If not, then any query made will have to be post-filtered.

        Parameters:
        repositoryName - the target repository name.
        Returns:
        true if the policy can be expressed in a query
      • isExpressibleInQuery

        boolean isExpressibleInQuery​(String repositoryName,
                                     String queryLanguage)
        Checks if this policy can be expressed in a string-based query for given repository.

        If not, then any query made will have to be post-filtered, if possible, otherwise denied.

        Parameters:
        repositoryName - the target repository name.
        Returns:
        true if the policy can be expressed in a string-based query
        Since:
        5.7.2
      • getQueryTransformer

        SQLQuery.Transformer getQueryTransformer​(String repositoryName)
        Get the transformer to use to apply this policy to a query.

        Called only when isExpressibleInQuery(String) returned true

        Parameters:
        repositoryName - the target repository name.
        Returns:
        the transformer