jackrabbit-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1072087 - in /jackrabbit/trunk/jackrabbit-core/src: main/java/org/apache/jackrabbit/core/ main/java/org/apache/jackrabbit/core/security/authorization/ test/java/org/apache/jackrabbit/core/security/authorization/
Date Fri, 18 Feb 2011 17:55:20 GMT
Author: angela
Date: Fri Feb 18 17:55:19 2011
New Revision: 1072087

URL: http://svn.apache.org/viewvc?rev=1072087&view=rev
Log:
JCR-2883 : Node.orderBefore and JackrabbitNode.rename should check for ability to modify children-collection
on parent node

Added:
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/PermissionTest.java
  (with props)
Modified:
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/NodeImpl.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/Permission.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistry.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractWriteTest.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/TestAll.java

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/NodeImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/NodeImpl.java?rev=1072087&r1=1072086&r2=1072087&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/NodeImpl.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/NodeImpl.java
Fri Feb 18 17:55:19 2011
@@ -1452,7 +1452,7 @@ public class NodeImpl extends ItemImpl i
         PathBuilder pb = new PathBuilder(getPrimaryPath());
         pb.addLast(srcName.getName(), srcName.getIndex());
         Path childPath = pb.getPath();
-        if (!acMgr.isGranted(childPath, Permission.ADD_NODE | Permission.REMOVE_NODE)) {
+        if (!acMgr.isGranted(childPath, Permission.MODIFY_CHILD_NODE_COLLECTION)) {
             String msg = "Not allowed to reorder child node " + sessionContext.getJCRPath(childPath)
+ ".";
             log.debug(msg);
             throw new AccessDeniedException(msg);
@@ -3596,10 +3596,17 @@ public class NodeImpl extends ItemImpl i
                     "Same name siblings not allowed: " + existing);
         }
 
-        // check permissions
+        // check permissions:
+        // 1. on the parent node the session must have permission to manipulate the child-entries
         AccessManager acMgr = sessionContext.getAccessManager();
-        if (!(acMgr.isGranted(getPrimaryPath(), Permission.REMOVE_NODE) &&
-                acMgr.isGranted(parent.getPrimaryPath(), qName, Permission.ADD_NODE | Permission.NODE_TYPE_MNGMT)))
{
+        if (!acMgr.isGranted(parent.getPrimaryPath(), qName, Permission.MODIFY_CHILD_NODE_COLLECTION))
{
+            String msg = "Not allowed to rename node " + safeGetJCRPath() + " to " + newName;
+            log.debug(msg);
+            throw new AccessDeniedException(msg);
+        }
+        // 2. in case of nt-changes the session must have permission to change
+        //    the primary node type on this node itself.
+        if (!nt.getName().equals(newTargetDef.getName()) && !(acMgr.isGranted(getPrimaryPath(),
Permission.NODE_TYPE_MNGMT))) {
             String msg = "Not allowed to rename node " + safeGetJCRPath() + " to " + newName;
             log.debug(msg);
             throw new AccessDeniedException(msg);

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/Permission.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/Permission.java?rev=1072087&r1=1072086&r2=1072087&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/Permission.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/Permission.java
Fri Feb 18 17:55:19 2011
@@ -25,29 +25,31 @@ public final class Permission {
 
     public static final int READ = 1;   
 
-    public static final int SET_PROPERTY = 2;
+    public static final int SET_PROPERTY = READ << 1;
 
-    public static final int ADD_NODE = 4;
+    public static final int ADD_NODE = SET_PROPERTY << 1;
 
-    public static final int REMOVE_NODE = 8;
+    public static final int REMOVE_NODE = ADD_NODE << 1;
 
-    public static final int REMOVE_PROPERTY = 16;
+    public static final int REMOVE_PROPERTY = REMOVE_NODE << 1;
 
-    public static final int READ_AC = 32;
+    public static final int READ_AC = REMOVE_PROPERTY << 1;
     
-    public static final int MODIFY_AC = 64;
+    public static final int MODIFY_AC = READ_AC << 1;
 
-    public static final int NODE_TYPE_MNGMT = 128;
+    public static final int NODE_TYPE_MNGMT = MODIFY_AC << 1;
 
-    public static final int VERSION_MNGMT = 256;
+    public static final int VERSION_MNGMT = NODE_TYPE_MNGMT << 1;
 
-    public static final int LOCK_MNGMT = 512;
+    public static final int LOCK_MNGMT = VERSION_MNGMT << 1;
 
-    public static final int LIFECYCLE_MNGMT = 1024;
+    public static final int LIFECYCLE_MNGMT = LOCK_MNGMT << 1;
 
-    public static final int RETENTION_MNGMT = 2048;
+    public static final int RETENTION_MNGMT = LIFECYCLE_MNGMT << 1;
 
-    public static final int ALL = (READ | SET_PROPERTY | ADD_NODE | REMOVE_NODE | REMOVE_PROPERTY
| READ_AC | MODIFY_AC | NODE_TYPE_MNGMT | VERSION_MNGMT | LOCK_MNGMT | LIFECYCLE_MNGMT | RETENTION_MNGMT);
+    public static final int MODIFY_CHILD_NODE_COLLECTION = RETENTION_MNGMT << 1;
+
+    public static final int ALL = (READ | SET_PROPERTY | ADD_NODE | REMOVE_NODE | REMOVE_PROPERTY
| READ_AC | MODIFY_AC | NODE_TYPE_MNGMT | VERSION_MNGMT | LOCK_MNGMT | LIFECYCLE_MNGMT | RETENTION_MNGMT
| MODIFY_CHILD_NODE_COLLECTION);
 
     /**
      * Returns those bits from <code>permissions</code> that are not present
in

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistry.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistry.java?rev=1072087&r1=1072086&r2=1072087&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistry.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistry.java
Fri Feb 18 17:55:19 2011
@@ -217,7 +217,9 @@ public final class PrivilegeRegistry {
     }
 
     /**
-     * Build the permissions granted by evaluating the given privileges.
+     * Build the permissions granted by evaluating the given privileges. Note,
+     * that only built-in privileges can be mapped to permissions. Any other
+     * privileges will be ignored.
      *
      * @param privs The privileges granted on the Node itself (for properties
      * the ACL of the direct ancestor).
@@ -255,6 +257,14 @@ public final class PrivilegeRegistry {
             if ((parentPrivs & ADD_CHILD_NODES) == ADD_CHILD_NODES) {
                 perm |= Permission.ADD_NODE;
             }
+
+            // modify_child_node_collection permission is granted through
+            // privileges on the parent
+            if ((parentPrivs & ADD_CHILD_NODES) == ADD_CHILD_NODES &&
+                    (parentPrivs & REMOVE_CHILD_NODES) == REMOVE_CHILD_NODES) {
+                perm |= Permission.MODIFY_CHILD_NODE_COLLECTION;
+            }
+
             /*
              remove_node is
              allowed: only if remove_child_nodes privilege is present on

Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractWriteTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractWriteTest.java?rev=1072087&r1=1072086&r2=1072087&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractWriteTest.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractWriteTest.java
Fri Feb 18 17:55:19 2011
@@ -16,10 +16,9 @@
  */
 package org.apache.jackrabbit.core.security.authorization;
 
+import org.apache.jackrabbit.api.JackrabbitNode;
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
 import org.apache.jackrabbit.api.security.user.Group;
-import org.apache.jackrabbit.api.security.user.UserManager;
-import org.apache.jackrabbit.core.security.TestPrincipal;
 import org.apache.jackrabbit.test.JUnitTest;
 import org.apache.jackrabbit.test.NotExecutableException;
 import org.apache.jackrabbit.test.api.observation.EventResult;
@@ -40,13 +39,11 @@ import javax.jcr.observation.Observation
 import javax.jcr.security.AccessControlManager;
 import javax.jcr.security.AccessControlPolicy;
 import javax.jcr.security.Privilege;
-import java.security.Principal;
 import java.util.HashMap;
 import java.util.List;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Map;
-import java.util.UUID;
 
 /**
  * <code>AbstractEvaluationTest</code>...
@@ -993,21 +990,38 @@ public abstract class AbstractWriteTest 
         }
 
         // add 'remove_child_nodes' at 'path
-        // -> not sufficient for a reorder since 'remove_node' privilege is missing
-        //    on the target
+        // -> reorder must now succeed
         givePrivileges(path, privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES), getRestrictions(superuser,
path));
+        n.orderBefore(Text.getName(childNPath), Text.getName(childNPath2));
+        testSession.save();
+    }
+
+    public void testRename() throws RepositoryException, NotExecutableException {
+        Session testSession = getTestSession();
+        Node child = testSession.getNode(childNPath);
         try {
-            n.orderBefore(Text.getName(childNPath), Text.getName(childNPath2));
+            ((JackrabbitNode) child).rename("rename");
             testSession.save();
-            fail("test session must not be allowed to reorder nodes.");
+            fail("test session must not be allowed to rename nodes.");
         } catch (AccessDeniedException e) {
             // success.
         }
 
-        // allow 'remove_node' at childNPath
-        // -> now reorder must succeed
-        givePrivileges(childNPath, privilegesFromName(Privilege.JCR_REMOVE_NODE), getRestrictions(superuser,
childNPath));
-        n.orderBefore(Text.getName(childNPath), Text.getName(childNPath2));
+        // give 'add_child_nodes' and 'nt-management' privilege
+        // -> not sufficient privileges for a renaming of the child
+        givePrivileges(path, privilegesFromNames(new String[] {Privilege.JCR_ADD_CHILD_NODES,
Privilege.JCR_NODE_TYPE_MANAGEMENT}), getRestrictions(superuser, path));
+        try {
+            ((JackrabbitNode) child).rename("rename");
+            testSession.save();
+            fail("test session must not be allowed to rename nodes.");
+        } catch (AccessDeniedException e) {
+            // success.
+        }
+
+        // add 'remove_child_nodes' at 'path
+        // -> rename of child must now succeed
+        givePrivileges(path, privilegesFromName(Privilege.JCR_REMOVE_CHILD_NODES), getRestrictions(superuser,
path));
+        ((JackrabbitNode) child).rename("rename");
         testSession.save();
     }
     

Added: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/PermissionTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/PermissionTest.java?rev=1072087&view=auto
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/PermissionTest.java
(added)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/PermissionTest.java
Fri Feb 18 17:55:19 2011
@@ -0,0 +1,49 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security.authorization;
+
+import junit.framework.TestCase;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * <code>PermissionTest</code>...
+ */
+public class PermissionTest extends TestCase {
+
+    /**
+     * logger instance
+     */
+    private static final Logger log = LoggerFactory.getLogger(PermissionTest.class);
+
+    public void testPermissions() {
+        assertEquals(0, Permission.NONE);
+        assertEquals(1, Permission.READ);
+        assertEquals(2, Permission.SET_PROPERTY);
+        assertEquals(4, Permission.ADD_NODE);
+        assertEquals(8, Permission.REMOVE_NODE);
+        assertEquals(16, Permission.REMOVE_PROPERTY);
+        assertEquals(32, Permission.READ_AC);
+        assertEquals(64, Permission.MODIFY_AC);
+        assertEquals(128, Permission.NODE_TYPE_MNGMT);
+        assertEquals(256, Permission.VERSION_MNGMT);
+        assertEquals(512, Permission.LOCK_MNGMT);
+        assertEquals(1024, Permission.LIFECYCLE_MNGMT);
+        assertEquals(2048, Permission.RETENTION_MNGMT);
+        assertEquals(4096, Permission.MODIFY_CHILD_NODE_COLLECTION);        
+    }
+}
\ No newline at end of file

Propchange: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/PermissionTest.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/PermissionTest.java
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision Rev URL

Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/TestAll.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/TestAll.java?rev=1072087&r1=1072086&r2=1072087&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/TestAll.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/TestAll.java
Fri Feb 18 17:55:19 2011
@@ -38,6 +38,7 @@ public class TestAll extends TestCase {
         suite.addTestSuite(PrivilegeRegistryTest.class);
         suite.addTestSuite(JackrabbitAccessControlListTest.class);
         suite.addTestSuite(GlobPatternTest.class);
+        suite.addTestSuite(PermissionTest.class);
 
         return suite;
     }



Mime
View raw message