Package org.nuxeo.ecm.core.security

Interface SecurityPolicy

All Known Implementing Classes:
AbstractSecurityPolicy, CheckInSecurityPolicy, LockSecurityPolicy, MailMessageSecurityPolicy, NoFile2SecurityPolicy, NoFileSecurityPolicy, RetentionAndHoldSecurityPolicy, WOPILockSecurityPolicy
public interface SecurityPolicy
Interface for pluggable core security policy.
Author:
Anahide Tchertchian, Florent Guillaume

  • Method Details

    • checkPermission

      Access checkPermission(Document doc, ACP mergedAcp, NuxeoPrincipal principal, String permission, String[] resolvedPermissions, String[] additionalPrincipals)
      Checks given permission for doc and principal.

      Note that for the Browse permission, which is also implemented in SQL using getQueryTransformer(java.lang.String), a security policy must never bypass standard ACL access, it must only return DENY or UNKNOWN. Failing to do this would make direct access and queries behave differently.

      Parameters:
      doc - the document to check
      mergedAcp - merged ACP resolved for this document
      principal - principal to check
      permission - permission to check
      resolvedPermissions - permissions or groups of permissions containing permission
      Returns:
      access: GRANT, DENY, or UNKNOWN. When UNKNOWN is returned, following policies or default core security are applied.

    • isRestrictingPermission

      boolean isRestrictingPermission(String permission)
      Checks if this policy is restricting the given permission.

      Queries check the BROWSE permission.

      Parameters:
      permission - the permission to check for
      Returns:
      true if the policy restricts the permission

    • isExpressibleInQuery

      boolean isExpressibleInQuery(String repositoryName)
      Checks if this policy can be expressed in a query for given repository.

      If not, then any query made will have to be post-filtered.

      Parameters:
      repositoryName - the target repository name.
      Returns:
      true if the policy can be expressed in a query

    • isExpressibleInQuery

      boolean isExpressibleInQuery(String repositoryName, String queryLanguage)
      Checks if this policy can be expressed in a string-based query for given repository.

      If not, then any query made will have to be post-filtered, if possible, otherwise denied.

      Parameters:
      repositoryName - the target repository name.
      Returns:
      true if the policy can be expressed in a string-based query
      Since:
      5.7.2

    • getQueryTransformer

      SQLQuery.Transformer getQueryTransformer(String repositoryName)
      Get the transformer to use to apply this policy to a query.

      Called only when isExpressibleInQuery(String) returned true

      Parameters:
      repositoryName - the target repository name.
      Returns:
      the transformer

    • getQueryTransformer

      SecurityPolicy.QueryTransformer getQueryTransformer(String repositoryName, String queryLanguage)
      Get the string-based transformer to use to apply this policy to a query.

      Called only when isExpressibleInQuery(String, String) returned true

      Parameters:
      repositoryName - the target repository name.
      Returns:
      the transformer
      Since:
      5.7.2