This is an automated email from the ASF dual-hosted git repository. rombert pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-resourceaccesssecurity.git
commit d12e4d88df92e12c621260283538736893591350 Author: Mike Müller <[email protected]> AuthorDate: Wed Mar 19 12:40:59 2014 +0000 SLING-3458 - Restrictions imposed by ProviderResourceAccessSecurity should not be discarded by ApplicationResourceAccessSecurity, SLING-3462 - Make ResourceAccessSecurity provider context and application context behave the same way git-svn-id: https://svn.apache.org/repos/asf/sling/trunk@1579213 13f79535-47bb-0310-9956-ffa450edef68 --- .../AllowingResourceAccessGate.java | 18 +++--- .../resourceaccesssecurity/ResourceAccessGate.java | 2 +- .../ApplicationResourceAccessSecurityImpl.java | 2 +- .../impl/ResourceAccessSecurityImpl.java | 72 ++++++++++++++-------- 4 files changed, 59 insertions(+), 35 deletions(-) diff --git a/src/main/java/org/apache/sling/resourceaccesssecurity/AllowingResourceAccessGate.java b/src/main/java/org/apache/sling/resourceaccesssecurity/AllowingResourceAccessGate.java index 1e7d8c7..2570f81 100644 --- a/src/main/java/org/apache/sling/resourceaccesssecurity/AllowingResourceAccessGate.java +++ b/src/main/java/org/apache/sling/resourceaccesssecurity/AllowingResourceAccessGate.java @@ -32,48 +32,48 @@ public abstract class AllowingResourceAccessGate implements ResourceAccessGate { @Override public GateResult canRead(final Resource resource) { - return GateResult.DONTCARE; + return GateResult.CANT_DECIDE; } @Override public GateResult canCreate(final String absPathName, final ResourceResolver resourceResolver) { - return GateResult.DONTCARE; + return GateResult.CANT_DECIDE; } @Override public GateResult canUpdate(final Resource resource) { - return GateResult.DONTCARE; + return GateResult.CANT_DECIDE; } @Override public GateResult canDelete(final Resource resource) { - return GateResult.DONTCARE; + return GateResult.CANT_DECIDE; } @Override public GateResult canExecute(final Resource resource) { - return GateResult.DONTCARE; + return GateResult.CANT_DECIDE; } @Override public GateResult canReadValue(final Resource resource, final String valueName) { - return GateResult.DONTCARE; + return GateResult.CANT_DECIDE; } @Override public GateResult canCreateValue(final Resource resource, final String valueName) { - return GateResult.DONTCARE; + return GateResult.CANT_DECIDE; } @Override public GateResult canUpdateValue(final Resource resource, final String valueName) { - return GateResult.DONTCARE; + return GateResult.CANT_DECIDE; } @Override public GateResult canDeleteValue(final Resource resource, final String valueName) { - return GateResult.DONTCARE; + return GateResult.CANT_DECIDE; } @Override diff --git a/src/main/java/org/apache/sling/resourceaccesssecurity/ResourceAccessGate.java b/src/main/java/org/apache/sling/resourceaccesssecurity/ResourceAccessGate.java index 4b096e8..6ee4e2b 100644 --- a/src/main/java/org/apache/sling/resourceaccesssecurity/ResourceAccessGate.java +++ b/src/main/java/org/apache/sling/resourceaccesssecurity/ResourceAccessGate.java @@ -123,7 +123,7 @@ public interface ResourceAccessGate { * </ul> */ public enum GateResult { - GRANTED, DENIED, DONTCARE + GRANTED, DENIED, CANT_DECIDE }; public enum Operation { diff --git a/src/main/java/org/apache/sling/resourceaccesssecurity/impl/ApplicationResourceAccessSecurityImpl.java b/src/main/java/org/apache/sling/resourceaccesssecurity/impl/ApplicationResourceAccessSecurityImpl.java index e784236..d4ac38e 100644 --- a/src/main/java/org/apache/sling/resourceaccesssecurity/impl/ApplicationResourceAccessSecurityImpl.java +++ b/src/main/java/org/apache/sling/resourceaccesssecurity/impl/ApplicationResourceAccessSecurityImpl.java @@ -37,6 +37,6 @@ import org.apache.sling.resourceaccesssecurity.ResourceAccessGate; public class ApplicationResourceAccessSecurityImpl extends ResourceAccessSecurityImpl { public ApplicationResourceAccessSecurityImpl() { - super(true); + super(false); } } diff --git a/src/main/java/org/apache/sling/resourceaccesssecurity/impl/ResourceAccessSecurityImpl.java b/src/main/java/org/apache/sling/resourceaccesssecurity/impl/ResourceAccessSecurityImpl.java index 72279e5..cd1f200 100644 --- a/src/main/java/org/apache/sling/resourceaccesssecurity/impl/ResourceAccessSecurityImpl.java +++ b/src/main/java/org/apache/sling/resourceaccesssecurity/impl/ResourceAccessSecurityImpl.java @@ -36,10 +36,10 @@ public abstract class ResourceAccessSecurityImpl implements ResourceAccessSecuri private List<ResourceAccessGateHandler> allHandlers = Collections.emptyList(); - private final boolean defaultAllow; + private final boolean defaultAllowIfNoGateMatches; - public ResourceAccessSecurityImpl(final boolean defaultAllow) { - this.defaultAllow = defaultAllow; + public ResourceAccessSecurityImpl(final boolean defaultAllowIfNoGateMatches) { + this.defaultAllowIfNoGateMatches = defaultAllowIfNoGateMatches; } /** @@ -101,7 +101,7 @@ public abstract class ResourceAccessSecurityImpl implements ResourceAccessSecuri @Override public Resource getReadableResource(final Resource resource) { - Resource returnValue = (this.defaultAllow ? resource : null); + Resource returnValue = null; final Iterator<ResourceAccessGateHandler> accessGateHandlers = getMatchingResourceAccessGateHandlerIterator( resource.getPath(), ResourceAccessGate.Operation.READ); @@ -113,7 +113,10 @@ public abstract class ResourceAccessSecurityImpl implements ResourceAccessSecuri if ( accessGateHandlers != null ) { + boolean noGateMatched = true; + while ( accessGateHandlers.hasNext() ) { + noGateMatched = false; final ResourceAccessGateHandler resourceAccessGateHandler = accessGateHandlers.next(); final GateResult gateResult = resourceAccessGateHandler.getResourceAccessGate().canRead(resource); @@ -130,23 +133,24 @@ public abstract class ResourceAccessSecurityImpl implements ResourceAccessSecuri } if (finalGateResult == null) { finalGateResult = gateResult; - } else if (finalGateResult != GateResult.GRANTED && gateResult != GateResult.DONTCARE) { + } else if (finalGateResult != GateResult.GRANTED && gateResult != GateResult.CANT_DECIDE) { finalGateResult = gateResult; } // stop checking if the operation is final and the result not GateResult.DONTCARE - if (gateResult != GateResult.DONTCARE && resourceAccessGateHandler.isFinalOperation(ResourceAccessGate.Operation.READ)) { + if (gateResult != GateResult.CANT_DECIDE && resourceAccessGateHandler.isFinalOperation(ResourceAccessGate.Operation.READ)) { break; } } // return null if access is denied or no ResourceAccessGate is present - if (finalGateResult == null || finalGateResult == GateResult.DENIED) { + if (finalGateResult == GateResult.DENIED) { returnValue = null; - } else if (finalGateResult == GateResult.DONTCARE) { - returnValue = (this.defaultAllow ? resource : null); } else if (finalGateResult == GateResult.GRANTED ) { returnValue = resource; + } else if (noGateMatched && this.defaultAllowIfNoGateMatches) + { + returnValue = resource; } } @@ -169,20 +173,22 @@ public abstract class ResourceAccessSecurityImpl implements ResourceAccessSecuri final ResourceResolver resolver) { final Iterator<ResourceAccessGateHandler> handlers = getMatchingResourceAccessGateHandlerIterator( path, ResourceAccessGate.Operation.CREATE); - boolean result = this.defaultAllow; + boolean result = false; if ( handlers != null ) { GateResult finalGateResult = null; + boolean noGateMatched = true; while ( handlers.hasNext() ) { + noGateMatched = false; final ResourceAccessGateHandler resourceAccessGateHandler = handlers.next(); final GateResult gateResult = resourceAccessGateHandler.getResourceAccessGate().canCreate(path, resolver); if (finalGateResult == null) { finalGateResult = gateResult; - } else if (finalGateResult != GateResult.GRANTED && gateResult != GateResult.DONTCARE) { + } else if (finalGateResult != GateResult.GRANTED && gateResult != GateResult.CANT_DECIDE) { finalGateResult = gateResult; } - if (finalGateResult == GateResult.GRANTED || gateResult != GateResult.DONTCARE && + if (finalGateResult == GateResult.GRANTED || gateResult != GateResult.CANT_DECIDE && resourceAccessGateHandler.isFinalOperation(ResourceAccessGate.Operation.CREATE)) { break; } @@ -192,6 +198,9 @@ public abstract class ResourceAccessSecurityImpl implements ResourceAccessSecuri result = true; } else if ( finalGateResult == GateResult.DENIED ) { result = false; + } else if ( noGateMatched && this.defaultAllowIfNoGateMatches ) + { + result = true; } } return result; @@ -201,20 +210,22 @@ public abstract class ResourceAccessSecurityImpl implements ResourceAccessSecuri public boolean canUpdate(final Resource resource) { final Iterator<ResourceAccessGateHandler> handlers = getMatchingResourceAccessGateHandlerIterator( resource.getPath(), ResourceAccessGate.Operation.UPDATE); - boolean result = this.defaultAllow; + boolean result = this.defaultAllowIfNoGateMatches; if ( handlers != null ) { GateResult finalGateResult = null; + boolean noGateMatched = true; while ( handlers.hasNext() ) { + noGateMatched = false; final ResourceAccessGateHandler resourceAccessGateHandler = handlers.next(); final GateResult gateResult = resourceAccessGateHandler.getResourceAccessGate().canUpdate(resource); if (finalGateResult == null) { finalGateResult = gateResult; - } else if (finalGateResult != GateResult.GRANTED && gateResult != GateResult.DONTCARE) { + } else if (finalGateResult != GateResult.GRANTED && gateResult != GateResult.CANT_DECIDE) { finalGateResult = gateResult; } - if (finalGateResult == GateResult.GRANTED || gateResult != GateResult.DONTCARE && + if (finalGateResult == GateResult.GRANTED || gateResult != GateResult.CANT_DECIDE && resourceAccessGateHandler.isFinalOperation(ResourceAccessGate.Operation.UPDATE)) { break; } @@ -224,6 +235,9 @@ public abstract class ResourceAccessSecurityImpl implements ResourceAccessSecuri result = true; } else if ( finalGateResult == GateResult.DENIED ) { result = false; + } else if ( noGateMatched && this.defaultAllowIfNoGateMatches ) + { + result = true; } } return result; @@ -233,20 +247,22 @@ public abstract class ResourceAccessSecurityImpl implements ResourceAccessSecuri public boolean canDelete(final Resource resource) { final Iterator<ResourceAccessGateHandler> handlers = getMatchingResourceAccessGateHandlerIterator( resource.getPath(), ResourceAccessGate.Operation.DELETE); - boolean result = this.defaultAllow; + boolean result = this.defaultAllowIfNoGateMatches; if ( handlers != null ) { GateResult finalGateResult = null; + boolean noGateMatched = true; while ( handlers.hasNext() ) { + noGateMatched = false; final ResourceAccessGateHandler resourceAccessGateHandler = handlers.next(); final GateResult gateResult = resourceAccessGateHandler.getResourceAccessGate().canDelete(resource); if (finalGateResult == null) { finalGateResult = gateResult; - } else if (finalGateResult != GateResult.GRANTED && gateResult != GateResult.DONTCARE) { + } else if (finalGateResult != GateResult.GRANTED && gateResult != GateResult.CANT_DECIDE) { finalGateResult = gateResult; } - if (finalGateResult == GateResult.GRANTED || gateResult != GateResult.DONTCARE && + if (finalGateResult == GateResult.GRANTED || gateResult != GateResult.CANT_DECIDE && resourceAccessGateHandler.isFinalOperation(ResourceAccessGate.Operation.DELETE)) { break; } @@ -256,6 +272,9 @@ public abstract class ResourceAccessSecurityImpl implements ResourceAccessSecuri result = true; } else if ( finalGateResult == GateResult.DENIED ) { result = false; + } else if ( noGateMatched && this.defaultAllowIfNoGateMatches ) + { + result = true; } } return result; @@ -265,20 +284,22 @@ public abstract class ResourceAccessSecurityImpl implements ResourceAccessSecuri public boolean canExecute(final Resource resource) { final Iterator<ResourceAccessGateHandler> handlers = getMatchingResourceAccessGateHandlerIterator( resource.getPath(), ResourceAccessGate.Operation.EXECUTE); - boolean result = this.defaultAllow; + boolean result = this.defaultAllowIfNoGateMatches; if ( handlers != null ) { GateResult finalGateResult = null; + boolean noGateMatched = true; while ( handlers.hasNext() ) { + noGateMatched = false; final ResourceAccessGateHandler resourceAccessGateHandler = handlers.next(); final GateResult gateResult = resourceAccessGateHandler.getResourceAccessGate().canExecute(resource); if (finalGateResult == null) { finalGateResult = gateResult; - } else if (finalGateResult != GateResult.GRANTED && gateResult != GateResult.DONTCARE) { + } else if (finalGateResult != GateResult.GRANTED && gateResult != GateResult.CANT_DECIDE) { finalGateResult = gateResult; } - if (finalGateResult == GateResult.GRANTED || gateResult != GateResult.DONTCARE && resourceAccessGateHandler.isFinalOperation(ResourceAccessGate.Operation.EXECUTE)) { + if (finalGateResult == GateResult.GRANTED || gateResult != GateResult.CANT_DECIDE && resourceAccessGateHandler.isFinalOperation(ResourceAccessGate.Operation.EXECUTE)) { break; } } @@ -287,6 +308,9 @@ public abstract class ResourceAccessSecurityImpl implements ResourceAccessSecuri result = true; } else if ( finalGateResult == GateResult.DENIED ) { result = false; + } else if ( noGateMatched && this.defaultAllowIfNoGateMatches ) + { + result = true; } } return result; @@ -295,19 +319,19 @@ public abstract class ResourceAccessSecurityImpl implements ResourceAccessSecuri @Override public boolean canReadValue(final Resource resource, final String valueName) { // TODO Auto-generated method stub - return this.defaultAllow; + return false; } @Override public boolean canSetValue(final Resource resource, final String valueName) { // TODO Auto-generated method stub - return this.defaultAllow; + return false; } @Override public boolean canDeleteValue(final Resource resource, final String valueName) { // TODO Auto-generated method stub - return this.defaultAllow; + return false; } @Override -- To stop receiving notification emails like this one, please contact "[email protected]" <[email protected]>.
