sling-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cziege...@apache.org
Subject svn commit: r1582808 - /sling/trunk/contrib/jcr/resourcesecurity/src/main/java/org/apache/sling/jcr/resourcesecurity/impl/ResourceAccessGateFactory.java
Date Fri, 28 Mar 2014 16:30:00 GMT
Author: cziegeler
Date: Fri Mar 28 16:30:00 2014
New Revision: 1582808

URL: http://svn.apache.org/r1582808
Log:
SLING-3438 : Provide ResourceAccessGate implementation that authorizes CRUD operations based
on JCR permissios. Merge patch from Marius Petria with existing implementation

Modified:
    sling/trunk/contrib/jcr/resourcesecurity/src/main/java/org/apache/sling/jcr/resourcesecurity/impl/ResourceAccessGateFactory.java

Modified: sling/trunk/contrib/jcr/resourcesecurity/src/main/java/org/apache/sling/jcr/resourcesecurity/impl/ResourceAccessGateFactory.java
URL: http://svn.apache.org/viewvc/sling/trunk/contrib/jcr/resourcesecurity/src/main/java/org/apache/sling/jcr/resourcesecurity/impl/ResourceAccessGateFactory.java?rev=1582808&r1=1582807&r2=1582808&view=diff
==============================================================================
--- sling/trunk/contrib/jcr/resourcesecurity/src/main/java/org/apache/sling/jcr/resourcesecurity/impl/ResourceAccessGateFactory.java
(original)
+++ sling/trunk/contrib/jcr/resourcesecurity/src/main/java/org/apache/sling/jcr/resourcesecurity/impl/ResourceAccessGateFactory.java
Fri Mar 28 16:30:00 2014
@@ -36,7 +36,6 @@ import org.apache.sling.commons.osgi.Pro
 import org.apache.sling.resourceaccesssecurity.AllowingResourceAccessGate;
 import org.apache.sling.resourceaccesssecurity.ResourceAccessGate;
 
-
 @Component(configurationFactory=true, policy=ConfigurationPolicy.REQUIRE, metatype=true,
            label="Apache Sling JCR Resource Access Gate",
            description="This access gate can be used to handle the access to resources" +
@@ -49,7 +48,7 @@ import org.apache.sling.resourceaccessse
     @Property(name=ResourceAccessGateFactory.PROP_JCR_PATH,
               label="JCR Node",
               description="This node is checked for permissions to the resources."),
-    @Property(name=ResourceAccessGate.OPERATIONS, value="read", propertyPrivate=true),
+    @Property(name=ResourceAccessGate.OPERATIONS, value= {"read", "create", "update", "delete"},
propertyPrivate=true),
     @Property(name=ResourceAccessGate.CONTEXT, value=ResourceAccessGate.PROVIDER_CONTEXT,
propertyPrivate=true)
 })
 public class ResourceAccessGateFactory
@@ -65,16 +64,51 @@ public class ResourceAccessGateFactory
         this.jcrPath = PropertiesUtil.toString(props.get(PROP_JCR_PATH), null);
     }
 
+    /**
+     * Skip the check if the resource is backed by a JCR resource.
+     * This is a sanity check which should usually not be required if the system
+     * is configured correctly.
+     */
+    private boolean skipCheck(final Resource resource) {
+        // if resource is backed by a JCR node, skip check
+        return resource.adaptTo(Node.class) != null;
+    }
+
+    /**
+     * @see org.apache.sling.resourceaccesssecurity.AllowingResourceAccessGate#hasReadRestrictions(org.apache.sling.api.resource.ResourceResolver)
+     */
     @Override
-    public boolean hasReadRestrictions(ResourceResolver resourceResolver) {
+    public boolean hasReadRestrictions(final ResourceResolver resourceResolver) {
         return true;
     }
 
-    private boolean skipCheck(final Resource resource) {
-        // if resource is backed by a jcr node, skip check
-        return resource.adaptTo(Node.class) != null;
+    /**
+     * @see org.apache.sling.resourceaccesssecurity.AllowingResourceAccessGate#hasCreateRestrictions(org.apache.sling.api.resource.ResourceResolver)
+     */
+    @Override
+    public boolean hasCreateRestrictions(final ResourceResolver resourceResolver) {
+        return true;
+    }
+
+    /**
+     * @see org.apache.sling.resourceaccesssecurity.AllowingResourceAccessGate#hasUpdateRestrictions(org.apache.sling.api.resource.ResourceResolver)
+     */
+    @Override
+    public boolean hasUpdateRestrictions(final ResourceResolver resourceResolver) {
+        return true;
+    }
+
+    /**
+     * @see org.apache.sling.resourceaccesssecurity.AllowingResourceAccessGate#hasDeleteRestrictions(org.apache.sling.api.resource.ResourceResolver)
+     */
+    @Override
+    public boolean hasDeleteRestrictions(final ResourceResolver resourceResolver) {
+        return true;
     }
 
+    /**
+     * @see org.apache.sling.resourceaccesssecurity.AllowingResourceAccessGate#canRead(org.apache.sling.api.resource.Resource)
+     */
     @Override
     public GateResult canRead(final Resource resource) {
         if ( this.skipCheck(resource) ) {
@@ -91,4 +125,69 @@ public class ResourceAccessGateFactory
         }
         return canRead ? GateResult.GRANTED : GateResult.DENIED;
     }
+
+    /**
+     * @see org.apache.sling.resourceaccesssecurity.AllowingResourceAccessGate#canDelete(org.apache.sling.api.resource.Resource)
+     */
+    @Override
+    public GateResult canDelete(Resource resource) {
+        if ( this.skipCheck(resource) ) {
+            return GateResult.GRANTED;
+        }
+
+        boolean canDelete = false;
+        final Session session = resource.getResourceResolver().adaptTo(Session.class);
+        if ( session != null ) {
+            try {
+                canDelete = session.hasPermission(jcrPath, Session.ACTION_REMOVE);
+            } catch (final RepositoryException re) {
+                // ignore
+            }
+        }
+
+        return canDelete ? GateResult.GRANTED : GateResult.DENIED;
+
+    }
+
+    /**
+     * @see org.apache.sling.resourceaccesssecurity.AllowingResourceAccessGate#canUpdate(org.apache.sling.api.resource.Resource)
+     */
+    @Override
+    public GateResult canUpdate(Resource resource) {
+        if ( this.skipCheck(resource) ) {
+            return GateResult.GRANTED;
+        }
+
+        boolean canUpdate = false;
+
+        final Session session = resource.getResourceResolver().adaptTo(Session.class);
+        if ( session != null ) {
+            try {
+                canUpdate = session.hasPermission(jcrPath, Session.ACTION_SET_PROPERTY);
+            } catch (final RepositoryException re) {
+                // ignore
+            }
+        }
+
+        return canUpdate ? GateResult.GRANTED : GateResult.DENIED;
+    }
+
+    /**
+     * @see org.apache.sling.resourceaccesssecurity.AllowingResourceAccessGate#canCreate(java.lang.String,
org.apache.sling.api.resource.ResourceResolver)
+     */
+    @Override
+    public GateResult canCreate(String absPathName, ResourceResolver resourceResolver) {
+        boolean canCreate = false;
+
+        final Session session = resourceResolver.adaptTo(Session.class);
+        if ( session != null ) {
+            try {
+                canCreate = session.hasPermission(jcrPath, Session.ACTION_ADD_NODE);
+            } catch (final RepositoryException re) {
+                // ignore
+            }
+        }
+
+        return canCreate ? GateResult.GRANTED : GateResult.DENIED;
+    }
 }



Mime
View raw message