Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2013/12/04 15:50:00 UTC
svn commit: r1547811 - in /jackrabbit/oak/trunk:
oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/
oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/
Author: angela
Date: Wed Dec 4 14:49:59 2013
New Revision: 1547811
URL: http://svn.apache.org/r1547811
Log:
OAK-1183 : UserQuery: Impersonators Constraint does not work for admin user
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/UserQueryManager.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/XPathConditionVisitor.java
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserQueryTest.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/UserQueryManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/UserQueryManager.java?rev=1547811&r1=1547810&r2=1547811&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/UserQueryManager.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/UserQueryManager.java Wed Dec 4 14:49:59 2013
@@ -99,7 +99,7 @@ public class UserQueryManager {
}
StringBuilder statement = new StringBuilder();
- ConditionVisitor visitor = new XPathConditionVisitor(statement, namePathMapper);
+ ConditionVisitor visitor = new XPathConditionVisitor(statement, namePathMapper, userManager);
String searchRoot = namePathMapper.getJcrPath(QueryUtil.getSearchRoot(builder.getSelectorType(), config));
String ntName = namePathMapper.getJcrName(QueryUtil.getNodeTypeName(builder.getSelectorType()));
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/XPathConditionVisitor.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/XPathConditionVisitor.java?rev=1547811&r1=1547810&r2=1547811&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/XPathConditionVisitor.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/XPathConditionVisitor.java Wed Dec 4 14:49:59 2013
@@ -18,7 +18,12 @@ package org.apache.jackrabbit.oak.securi
import javax.jcr.RepositoryException;
+import org.apache.jackrabbit.JcrConstants;
+import org.apache.jackrabbit.api.security.user.Authorizable;
+import org.apache.jackrabbit.api.security.user.User;
+import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
/**
@@ -28,10 +33,13 @@ class XPathConditionVisitor implements C
private final StringBuilder statement;
private final NamePathMapper namePathMapper;
+ private final UserManager userMgr;
- XPathConditionVisitor(StringBuilder statement, NamePathMapper namePathMapper) {
+ XPathConditionVisitor(StringBuilder statement, NamePathMapper namePathMapper,
+ UserManager userMgr) {
this.statement = statement;
this.namePathMapper = namePathMapper;
+ this.userMgr = userMgr;
}
//---------------------------------------------------< ConditionVisitor >---
@@ -79,9 +87,27 @@ class XPathConditionVisitor implements C
@Override
public void visit(Condition.Impersonation condition) {
- statement.append("@rep:impersonators='")
- .append(condition.getName())
- .append('\'');
+ String principalName = condition.getName();
+ boolean isAdmin = false;
+ try {
+ Authorizable authorizable = userMgr.getAuthorizable(new PrincipalImpl(principalName));
+ isAdmin = authorizable != null && !authorizable.isGroup() && ((User) authorizable).isAdmin();
+ } catch (RepositoryException e) {
+ // unable to retrieve authorizable
+ }
+ if (isAdmin) {
+ statement.append('@')
+ .append(namePathMapper.getJcrName(JcrConstants.JCR_PRIMARYTYPE))
+ .append("='")
+ .append(namePathMapper.getJcrName(UserConstants.NT_REP_USER))
+ .append('\'');
+ } else {
+ statement.append('@')
+ .append(namePathMapper.getJcrName(UserConstants.REP_IMPERSONATORS))
+ .append("='")
+ .append(condition.getName())
+ .append('\'');
+ }
}
@Override
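Review bot: In the non-admin branch of `visit(Condition.Impersonation)` the principal name is still appended between single quotes without escaping, so a name containing `'` ends the literal early and changes the meaning of the generated XPath statement. Escape it before appending, for example `.append(principalName.replace("'", "''"))`, or use the package's own escaping helper if it has one. This also reuses the local instead of calling `condition.getName()` a second time. Separately, the empty `catch (RepositoryException e)` makes a failed lookup indistinguishable from a non-admin principal, so logging the exception there would make a silently narrowed result diagnosable. The method is complete within the hunk, but the class continues outside it.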
Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserQueryTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserQueryTest.java?rev=1547811&r1=1547810&r2=1547811&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserQueryTest.java (original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserQueryTest.java Wed Dec 4 14:49:59 2013
@@ -34,6 +34,7 @@ import org.apache.jackrabbit.api.securit
import org.apache.jackrabbit.api.security.user.Query;
import org.apache.jackrabbit.api.security.user.QueryBuilder;
import org.apache.jackrabbit.api.security.user.User;
+import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.junit.Test;
@@ -602,7 +603,22 @@ public class UserQueryTest extends Abstr
Iterator<User> expected = Iterators.singletonIterator(elephant);
assertTrue(result.hasNext());
- assertSameElements(result, expected);
+ assertSameElements(expected, result);
+ }
+
+ @Test
+ public void testAdminImpersonation() throws Exception {
+ final String adminPrincipalName = userMgr.getAuthorizable(superuser.getUserID()).getPrincipal().getName();
+ Iterator<Authorizable> result = userMgr.findAuthorizables(new Query() {
+ public <T> void build(QueryBuilder<T> builder) {
+ builder.setCondition(builder.
+ impersonates(adminPrincipalName));
+ }
+ });
+
+ Iterator<Authorizable> expected = userMgr.findAuthorizables("rep:principalName", null, UserManager.SEARCH_TYPE_USER);
+ assertTrue(result.hasNext());
+ assertSameElements(expected, result);
}
@Test
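Review bot: `testAdminImpersonation` exercises only the case where the lookup resolves to the admin user; the other outcomes of the new `authorizable != null && !authorizable.isGroup() && ((User) authorizable).isAdmin()` check are not pinned here. Because the admin branch widens the constraint to every `rep:User` node, it is worth adding cases for a principal name that resolves to a group and for one that resolves to no authorizable, each asserting that the result is not the full user set. The preceding test (the `elephant` expectation) appears to cover a regular user, but it starts outside this hunk, so that cannot be confirmed from here.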