Package org.nuxeo.ecm.core.security

Interface SecurityPolicyService

All Superinterfaces:

Serializable

All Known Implementing Classes:

SecurityPolicyServiceImpl

public interface SecurityPolicyService
extends Serializable

Service checking permissions for pluggable policies.

Author:

Anahide Tchertchian, Florent Guillaume

Method Summary

Modifier and Type	Method	Description
boolean	arePoliciesExpressibleInQuery(String repositoryName)	Checks if the policies can be expressed in a query for a given repository.
boolean	arePoliciesRestrictingPermission(String permission)	Checks if any policy restricts the given permission.
Access	checkPermission(Document doc, ACP mergedAcp, NuxeoPrincipal principal, String permission, String[] resolvedPermissions, String[] principalsToCheck)	Checks given permission for doc and principal.
List<SecurityPolicy>	getPolicies()	Gets the list of registered security policies.
Collection<SQLQuery.Transformer>	getPoliciesQueryTransformers(String repositoryName)	Get the transformers to apply the policies to a query for given repository.
void	registerDescriptor(SecurityPolicyDescriptor descriptor)
void	unregisterDescriptor(SecurityPolicyDescriptor descriptor)

Method Details

checkPermission

Access checkPermission(Document doc,
 ACP mergedAcp,
 NuxeoPrincipal principal,
 String permission,
 String[] resolvedPermissions,
 String[] principalsToCheck)

Checks given permission for doc and principal.

The security service checks this service for a security access. This access is defined iterating over pluggable policies in a defined order. If access is not specified, security service applies its default policy.

Parameters:

doc - the document to check

mergedAcp - merged acp resolved for this document

principal - principal to check

permission - permission to check

resolvedPermissions - permissions or groups of permissions containing permission

principalsToCheck - principals (groups) to check for principal

Returns:

access: true, false, or nothing. When nothing is returned, following policies or default core security are applied.

registerDescriptor

void registerDescriptor(SecurityPolicyDescriptor descriptor)

unregisterDescriptor

void unregisterDescriptor(SecurityPolicyDescriptor descriptor)

arePoliciesRestrictingPermission

boolean arePoliciesRestrictingPermission(String permission)

Checks if any policy restricts the given permission.

If not, then no post-filtering on policies will be needed for query results.

Returns:

true if a policy restricts the permission

arePoliciesExpressibleInQuery

boolean arePoliciesExpressibleInQuery(String repositoryName)

Checks if the policies can be expressed in a query for a given repository.

If not, then any query made will have to be post-filtered.

Parameters:

repositoryName - the target repository name.

Returns:

true if all policies can be expressed in a query

getPoliciesQueryTransformers

Collection<SQLQuery.Transformer> getPoliciesQueryTransformers(String repositoryName)

Get the transformers to apply the policies to a query for given repository.

Parameters:

repositoryName - the target repository name.

Returns:

the transformers.

getPolicies

List<SecurityPolicy> getPolicies()

Gets the list of registered security policies.

Returns:

the policies

Since:

5.7.2