This is an automated email from the ASF dual-hosted git repository. rombert pushed a commit to annotated tag org.apache.sling.jcr.resourcesecurity-1.0.0 in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-jcr-resourcesecurity.git
commit 9615f3d4c50184c8dca6bcc218c18c8164b58a5f Author: Carsten Ziegeler <[email protected]> AuthorDate: Fri Mar 28 16:30:00 2014 +0000 SLING-3438 : Provide ResourceAccessGate implementation that authorizes CRUD operations based on JCR permissios. Merge patch from Marius Petria with existing implementation git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/jcr/resourcesecurity@1582808 13f79535-47bb-0310-9956-ffa450edef68 --- .../impl/ResourceAccessGateFactory.java | 111 +++++++++++++++++++-- 1 file changed, 105 insertions(+), 6 deletions(-) diff --git a/src/main/java/org/apache/sling/jcr/resourcesecurity/impl/ResourceAccessGateFactory.java b/src/main/java/org/apache/sling/jcr/resourcesecurity/impl/ResourceAccessGateFactory.java index eab7816..e9ba073 100644 --- a/src/main/java/org/apache/sling/jcr/resourcesecurity/impl/ResourceAccessGateFactory.java +++ b/src/main/java/org/apache/sling/jcr/resourcesecurity/impl/ResourceAccessGateFactory.java @@ -36,7 +36,6 @@ import org.apache.sling.commons.osgi.PropertiesUtil; import org.apache.sling.resourceaccesssecurity.AllowingResourceAccessGate; import org.apache.sling.resourceaccesssecurity.ResourceAccessGate; - @Component(configurationFactory=true, policy=ConfigurationPolicy.REQUIRE, metatype=true, label="Apache Sling JCR Resource Access Gate", description="This access gate can be used to handle the access to resources" + @@ -49,7 +48,7 @@ import org.apache.sling.resourceaccesssecurity.ResourceAccessGate; @Property(name=ResourceAccessGateFactory.PROP_JCR_PATH, label="JCR Node", description="This node is checked for permissions to the resources."), - @Property(name=ResourceAccessGate.OPERATIONS, value="read", propertyPrivate=true), + @Property(name=ResourceAccessGate.OPERATIONS, value= {"read", "create", "update", "delete"}, propertyPrivate=true), @Property(name=ResourceAccessGate.CONTEXT, value=ResourceAccessGate.PROVIDER_CONTEXT, propertyPrivate=true) }) public class ResourceAccessGateFactory @@ -65,16 +64,51 @@ public class ResourceAccessGateFactory this.jcrPath = PropertiesUtil.toString(props.get(PROP_JCR_PATH), null); } + /** + * Skip the check if the resource is backed by a JCR resource. + * This is a sanity check which should usually not be required if the system + * is configured correctly. + */ + private boolean skipCheck(final Resource resource) { + // if resource is backed by a JCR node, skip check + return resource.adaptTo(Node.class) != null; + } + + /** + * @see org.apache.sling.resourceaccesssecurity.AllowingResourceAccessGate#hasReadRestrictions(org.apache.sling.api.resource.ResourceResolver) + */ @Override - public boolean hasReadRestrictions(ResourceResolver resourceResolver) { + public boolean hasReadRestrictions(final ResourceResolver resourceResolver) { return true; } - private boolean skipCheck(final Resource resource) { - // if resource is backed by a jcr node, skip check - return resource.adaptTo(Node.class) != null; + /** + * @see org.apache.sling.resourceaccesssecurity.AllowingResourceAccessGate#hasCreateRestrictions(org.apache.sling.api.resource.ResourceResolver) + */ + @Override + public boolean hasCreateRestrictions(final ResourceResolver resourceResolver) { + return true; + } + + /** + * @see org.apache.sling.resourceaccesssecurity.AllowingResourceAccessGate#hasUpdateRestrictions(org.apache.sling.api.resource.ResourceResolver) + */ + @Override + public boolean hasUpdateRestrictions(final ResourceResolver resourceResolver) { + return true; + } + + /** + * @see org.apache.sling.resourceaccesssecurity.AllowingResourceAccessGate#hasDeleteRestrictions(org.apache.sling.api.resource.ResourceResolver) + */ + @Override + public boolean hasDeleteRestrictions(final ResourceResolver resourceResolver) { + return true; } + /** + * @see org.apache.sling.resourceaccesssecurity.AllowingResourceAccessGate#canRead(org.apache.sling.api.resource.Resource) + */ @Override public GateResult canRead(final Resource resource) { if ( this.skipCheck(resource) ) { @@ -91,4 +125,69 @@ public class ResourceAccessGateFactory } return canRead ? GateResult.GRANTED : GateResult.DENIED; } + + /** + * @see org.apache.sling.resourceaccesssecurity.AllowingResourceAccessGate#canDelete(org.apache.sling.api.resource.Resource) + */ + @Override + public GateResult canDelete(Resource resource) { + if ( this.skipCheck(resource) ) { + return GateResult.GRANTED; + } + + boolean canDelete = false; + final Session session = resource.getResourceResolver().adaptTo(Session.class); + if ( session != null ) { + try { + canDelete = session.hasPermission(jcrPath, Session.ACTION_REMOVE); + } catch (final RepositoryException re) { + // ignore + } + } + + return canDelete ? GateResult.GRANTED : GateResult.DENIED; + + } + + /** + * @see org.apache.sling.resourceaccesssecurity.AllowingResourceAccessGate#canUpdate(org.apache.sling.api.resource.Resource) + */ + @Override + public GateResult canUpdate(Resource resource) { + if ( this.skipCheck(resource) ) { + return GateResult.GRANTED; + } + + boolean canUpdate = false; + + final Session session = resource.getResourceResolver().adaptTo(Session.class); + if ( session != null ) { + try { + canUpdate = session.hasPermission(jcrPath, Session.ACTION_SET_PROPERTY); + } catch (final RepositoryException re) { + // ignore + } + } + + return canUpdate ? GateResult.GRANTED : GateResult.DENIED; + } + + /** + * @see org.apache.sling.resourceaccesssecurity.AllowingResourceAccessGate#canCreate(java.lang.String, org.apache.sling.api.resource.ResourceResolver) + */ + @Override + public GateResult canCreate(String absPathName, ResourceResolver resourceResolver) { + boolean canCreate = false; + + final Session session = resourceResolver.adaptTo(Session.class); + if ( session != null ) { + try { + canCreate = session.hasPermission(jcrPath, Session.ACTION_ADD_NODE); + } catch (final RepositoryException re) { + // ignore + } + } + + return canCreate ? GateResult.GRANTED : GateResult.DENIED; + } } -- To stop receiving notification emails like this one, please contact "[email protected]" <[email protected]>.
