Package org.nuxeo.ecm.core.security
Interface SecurityPolicy
- All Known Implementing Classes:
AbstractSecurityPolicy
,CheckInSecurityPolicy
,LockSecurityPolicy
,MailMessageSecurityPolicy
,NoFile2SecurityPolicy
,NoFileSecurityPolicy
,RetentionAndHoldSecurityPolicy
,WOPILockSecurityPolicy
public interface SecurityPolicy
Interface for pluggable core security policy.
- Author:
- Anahide Tchertchian, Florent Guillaume
-
Nested Class Summary
Modifier and TypeInterfaceDescriptionstatic class
Query transformer that does nothing.static interface
Interface for a class that can transform a string-based query into another. -
Method Summary
Modifier and TypeMethodDescriptioncheckPermission
(Document doc, ACP mergedAcp, NuxeoPrincipal principal, String permission, String[] resolvedPermissions, String[] additionalPrincipals) Checks given permission for doc and principal.getQueryTransformer
(String repositoryName) Get the transformer to use to apply this policy to a query.getQueryTransformer
(String repositoryName, String queryLanguage) Get the string-based transformer to use to apply this policy to a query.boolean
isExpressibleInQuery
(String repositoryName) Checks if this policy can be expressed in a query for given repository.boolean
isExpressibleInQuery
(String repositoryName, String queryLanguage) Checks if this policy can be expressed in a string-based query for given repository.boolean
isRestrictingPermission
(String permission) Checks if this policy is restricting the given permission.
-
Method Details
-
checkPermission
Access checkPermission(Document doc, ACP mergedAcp, NuxeoPrincipal principal, String permission, String[] resolvedPermissions, String[] additionalPrincipals) Checks given permission for doc and principal.Note that for the
Browse
permission, which is also implemented in SQL usinggetQueryTransformer(java.lang.String)
, a security policy must never bypass standard ACL access, it must only return DENY or UNKNOWN. Failing to do this would make direct access and queries behave differently.- Parameters:
doc
- the document to checkmergedAcp
- merged ACP resolved for this documentprincipal
- principal to checkpermission
- permission to checkresolvedPermissions
- permissions or groups of permissions containing permission- Returns:
- access: GRANT, DENY, or UNKNOWN. When UNKNOWN is returned, following policies or default core security are applied.
-
isRestrictingPermission
Checks if this policy is restricting the given permission.Queries check the BROWSE permission.
- Parameters:
permission
- the permission to check for- Returns:
true
if the policy restricts the permission
-
isExpressibleInQuery
Checks if this policy can be expressed in a query for given repository.If not, then any query made will have to be post-filtered.
- Parameters:
repositoryName
- the target repository name.- Returns:
true
if the policy can be expressed in a query
-
isExpressibleInQuery
Checks if this policy can be expressed in a string-based query for given repository.If not, then any query made will have to be post-filtered, if possible, otherwise denied.
- Parameters:
repositoryName
- the target repository name.- Returns:
true
if the policy can be expressed in a string-based query- Since:
- 5.7.2
-
getQueryTransformer
Get the transformer to use to apply this policy to a query.Called only when
isExpressibleInQuery(String)
returnedtrue
- Parameters:
repositoryName
- the target repository name.- Returns:
- the transformer
-
getQueryTransformer
Get the string-based transformer to use to apply this policy to a query.Called only when
isExpressibleInQuery(String, String)
returnedtrue
- Parameters:
repositoryName
- the target repository name.- Returns:
- the transformer
- Since:
- 5.7.2
-