You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@jackrabbit.apache.org by an...@apache.org on 2011/09/20 16:20:20 UTC
svn commit: r1173164 - in /jackrabbit/trunk/jackrabbit-core/src:
main/java/org/apache/jackrabbit/core/security/authorization/
test/java/org/apache/jackrabbit/api/security/authorization/
test/java/org/apache/jackrabbit/core/security/authorization/
Author: angela
Date: Tue Sep 20 14:20:20 2011
New Revision: 1173164
URL: http://svn.apache.org/viewvc?rev=1173164&view=rev
Log:
JCR-2887 : Split PrivilegeRegistry in a per-session manager instance and a repository level registry [work in progress]
Modified:
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/Permission.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PrivilegeManagerImpl.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistry.java
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/api/security/authorization/PrivilegeManagerTest.java
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/PermissionTest.java
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistryTest.java
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/Permission.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/Permission.java?rev=1173164&r1=1173163&r2=1173164&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/Permission.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/Permission.java Tue Sep 20 14:20:20 2011
@@ -49,7 +49,9 @@ public final class Permission {
public static final int MODIFY_CHILD_NODE_COLLECTION = RETENTION_MNGMT << 1;
- public static final int ALL = (READ | SET_PROPERTY | ADD_NODE | REMOVE_NODE | REMOVE_PROPERTY | READ_AC | MODIFY_AC | NODE_TYPE_MNGMT | VERSION_MNGMT | LOCK_MNGMT | LIFECYCLE_MNGMT | RETENTION_MNGMT | MODIFY_CHILD_NODE_COLLECTION);
+ public static final int PRIVILEGE_MNGMT = MODIFY_CHILD_NODE_COLLECTION << 1;
+
+ public static final int ALL = (READ | SET_PROPERTY | ADD_NODE | REMOVE_NODE | REMOVE_PROPERTY | READ_AC | MODIFY_AC | NODE_TYPE_MNGMT | VERSION_MNGMT | LOCK_MNGMT | LIFECYCLE_MNGMT | RETENTION_MNGMT | MODIFY_CHILD_NODE_COLLECTION | PRIVILEGE_MNGMT);
/**
* Returns those bits from <code>permissions</code> that are not present in
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PrivilegeManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PrivilegeManagerImpl.java?rev=1173164&r1=1173163&r2=1173164&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PrivilegeManagerImpl.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PrivilegeManagerImpl.java Tue Sep 20 14:20:20 2011
@@ -133,7 +133,7 @@ public final class PrivilegeManagerImpl
* In case of a non aggregate privilege an empty array should be passed.
* @return the new privilege.
* @throws AccessDeniedException If the session this manager has been created
- * for isn't the administrator.
+ * lacks rep:privilegeManagement privilege.
* @throws RepositoryException If the privilege could not be registered due
* to constraint violations or if persisting the custom privilege fails.
* @see PrivilegeManager#registerPrivilege(String, boolean, String[])
@@ -141,9 +141,15 @@ public final class PrivilegeManagerImpl
public Privilege registerPrivilege(String privilegeName, boolean isAbstract,
String[] declaredAggregateNames)
throws AccessDeniedException, RepositoryException {
- boolean isAdmin = (resolver instanceof SessionImpl) ? ((SessionImpl) resolver).isAdmin() : false;
- if (!isAdmin) {
- throw new AccessDeniedException("Registering privileges is only allowed to administrator.");
+ boolean allowed = false;
+ if (resolver instanceof SessionImpl) {
+ // TODO: FIXME should be 'null' path as privilegeManagement is a
+ // TODO: repo-level privilege such as namespace or node type mgt.
+ SessionImpl sImpl = (SessionImpl) resolver;
+ allowed = sImpl.getAccessManager().isGranted(sImpl.getQPath("/"), Permission.PRIVILEGE_MNGMT);
+ }
+ if (!allowed) {
+ throw new AccessDeniedException("Registering privileges is not allowed for the editing session.");
}
Name name = resolver.getQName(privilegeName);
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistry.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistry.java?rev=1173164&r1=1173163&r2=1173164&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistry.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistry.java Tue Sep 20 14:20:20 2011
@@ -75,6 +75,12 @@ public final class PrivilegeRegistry imp
public static final Name REP_WRITE_NAME = NAME_FACTORY.create(REP_WRITE);
/**
+ * Jackrabbit specific privilege for privilege management.
+ */
+ public static final String REP_PRIVILEGE_MANAGEMENT = "{" + Name.NS_REP_URI + "}privilegeManagement";
+ public static final Name REP_PRIVILEGE_MANAGEMENT_NAME = NAME_FACTORY.create(REP_PRIVILEGE_MANAGEMENT);
+
+ /**
* No privileges
*/
public static final int NO_PRIVILEGE = 0;
@@ -91,6 +97,7 @@ public final class PrivilegeRegistry imp
private static final int LOCK_MNGMT = VERSION_MNGMT << 1;
private static final int LIFECYCLE_MNGMT = LOCK_MNGMT << 1;
private static final int RETENTION_MNGMT = LIFECYCLE_MNGMT << 1;
+ private static final int PRIVILEGE_MNGMT = RETENTION_MNGMT << 1;
private static final Map<Name, Integer> PRIVILEGE_NAMES = new HashMap<Name, Integer>();
static {
@@ -106,6 +113,7 @@ public final class PrivilegeRegistry imp
PRIVILEGE_NAMES.put(NameConstants.JCR_LOCK_MANAGEMENT, LOCK_MNGMT);
PRIVILEGE_NAMES.put(NameConstants.JCR_LIFECYCLE_MANAGEMENT, LIFECYCLE_MNGMT);
PRIVILEGE_NAMES.put(NameConstants.JCR_RETENTION_MANAGEMENT, RETENTION_MNGMT);
+ PRIVILEGE_NAMES.put(REP_PRIVILEGE_MANAGEMENT_NAME, PRIVILEGE_MNGMT);
}
/**
@@ -412,6 +420,9 @@ public final class PrivilegeRegistry imp
if ((privs & VERSION_MNGMT) == VERSION_MNGMT) {
perm |= Permission.VERSION_MNGMT;
}
+ if ((privs & PRIVILEGE_MNGMT) == PRIVILEGE_MNGMT) {
+ perm |= Permission.PRIVILEGE_MNGMT;
+ }
return perm;
}
@@ -529,6 +540,9 @@ public final class PrivilegeRegistry imp
if ((bits & RETENTION_MNGMT) == RETENTION_MNGMT) {
names.add(NameConstants.JCR_RETENTION_MANAGEMENT);
}
+ if ((bits & PRIVILEGE_MNGMT) == PRIVILEGE_MNGMT) {
+ names.add(REP_PRIVILEGE_MANAGEMENT_NAME);
+ }
// include matching custom privilege names
Set<Name> customNames = new HashSet<Name>();
@@ -682,6 +696,8 @@ public final class PrivilegeRegistry imp
jcrAllAggregates.add(NameConstants.JCR_LIFECYCLE_MANAGEMENT);
jcrAllAggregates.add(NameConstants.JCR_WRITE);
jcrAllAggregates.add(REP_WRITE_NAME);
+ jcrAllAggregates.add(REP_PRIVILEGE_MANAGEMENT_NAME);
+
Definition jcrAll = new Definition(NameConstants.JCR_ALL, false, jcrAllAggregates, jcrAllBits);
defs.put(jcrAll.getName(), jcrAll);
Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/api/security/authorization/PrivilegeManagerTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/api/security/authorization/PrivilegeManagerTest.java?rev=1173164&r1=1173163&r2=1173164&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/api/security/authorization/PrivilegeManagerTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/api/security/authorization/PrivilegeManagerTest.java Tue Sep 20 14:20:20 2011
@@ -18,13 +18,10 @@ package org.apache.jackrabbit.api.securi
import org.apache.jackrabbit.api.JackrabbitWorkspace;
import org.apache.jackrabbit.core.SessionImpl;
-import org.apache.jackrabbit.core.security.authorization.PrivilegeManagerImpl;
import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
import org.apache.jackrabbit.spi.commons.conversion.IllegalNameException;
import org.apache.jackrabbit.spi.commons.conversion.NameResolver;
import org.apache.jackrabbit.test.AbstractJCRTest;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
import javax.jcr.NamespaceException;
import javax.jcr.RepositoryException;
@@ -74,6 +71,7 @@ public class PrivilegeManagerTest extend
assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_RETENTION_MANAGEMENT)));
assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_VERSION_MANAGEMENT)));
assertTrue(l.remove(privilegeMgr.getPrivilege(PrivilegeRegistry.REP_WRITE)));
+ assertTrue(l.remove(privilegeMgr.getPrivilege(PrivilegeRegistry.REP_PRIVILEGE_MANAGEMENT)));
assertTrue(l.isEmpty());
}
@@ -98,12 +96,14 @@ public class PrivilegeManagerTest extend
assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_VERSION_MANAGEMENT)));
assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_WRITE)));
assertTrue(l.remove(privilegeMgr.getPrivilege(PrivilegeRegistry.REP_WRITE)));
+ assertTrue(l.remove(privilegeMgr.getPrivilege(PrivilegeRegistry.REP_PRIVILEGE_MANAGEMENT)));
assertTrue(l.isEmpty());
l = new ArrayList<Privilege>(Arrays.asList(p.getDeclaredAggregatePrivileges()));
assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_READ)));
assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_WRITE)));
assertTrue(l.remove(privilegeMgr.getPrivilege(PrivilegeRegistry.REP_WRITE)));
+ assertTrue(l.remove(privilegeMgr.getPrivilege(PrivilegeRegistry.REP_PRIVILEGE_MANAGEMENT)));
assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_READ_ACCESS_CONTROL)));
assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
assertTrue(l.remove(privilegeMgr.getPrivilege(Privilege.JCR_LIFECYCLE_MANAGEMENT)));
Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/PermissionTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/PermissionTest.java?rev=1173164&r1=1173163&r2=1173164&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/PermissionTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/PermissionTest.java Tue Sep 20 14:20:20 2011
@@ -45,5 +45,6 @@ public class PermissionTest extends Test
assertEquals(1024, Permission.LIFECYCLE_MNGMT);
assertEquals(2048, Permission.RETENTION_MNGMT);
assertEquals(4096, Permission.MODIFY_CHILD_NODE_COLLECTION);
+ assertEquals(8192, Permission.PRIVILEGE_MNGMT);
}
}
\ No newline at end of file
Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistryTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistryTest.java?rev=1173164&r1=1173163&r2=1173164&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistryTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistryTest.java Tue Sep 20 14:20:20 2011
@@ -67,6 +67,7 @@ public class PrivilegeRegistryTest exten
assertTrue(l.remove(privilegeRegistry.get(NameConstants.JCR_RETENTION_MANAGEMENT)));
assertTrue(l.remove(privilegeRegistry.get(NameConstants.JCR_VERSION_MANAGEMENT)));
assertTrue(l.remove(privilegeRegistry.get(resolver.getQName(PrivilegeRegistry.REP_WRITE))));
+ assertTrue(l.remove(privilegeRegistry.get(resolver.getQName(PrivilegeRegistry.REP_PRIVILEGE_MANAGEMENT))));
assertTrue(l.isEmpty());
}
@@ -131,6 +132,7 @@ public class PrivilegeRegistryTest exten
assertTrue(l.remove(NameConstants.JCR_READ));
assertTrue(l.remove(NameConstants.JCR_WRITE));
assertTrue(l.remove(resolver.getQName(PrivilegeRegistry.REP_WRITE)));
+ assertTrue(l.remove(resolver.getQName(PrivilegeRegistry.REP_PRIVILEGE_MANAGEMENT)));
assertTrue(l.remove(NameConstants.JCR_READ_ACCESS_CONTROL));
assertTrue(l.remove(NameConstants.JCR_MODIFY_ACCESS_CONTROL));
assertTrue(l.remove(NameConstants.JCR_LIFECYCLE_MANAGEMENT));
@@ -201,6 +203,7 @@ public class PrivilegeRegistryTest exten
assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_RETENTION_MANAGEMENT)));
assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_VERSION_MANAGEMENT)));
assertTrue(l.remove(privilegeRegistry.getPrivilege(PrivilegeRegistry.REP_WRITE)));
+ assertTrue(l.remove(privilegeRegistry.getPrivilege(PrivilegeRegistry.REP_PRIVILEGE_MANAGEMENT)));
assertTrue(l.isEmpty());
}
@@ -225,12 +228,14 @@ public class PrivilegeRegistryTest exten
assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_VERSION_MANAGEMENT)));
assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_WRITE)));
assertTrue(l.remove(privilegeRegistry.getPrivilege(PrivilegeRegistry.REP_WRITE)));
+ assertTrue(l.remove(privilegeRegistry.getPrivilege(PrivilegeRegistry.REP_PRIVILEGE_MANAGEMENT)));
assertTrue(l.isEmpty());
l = new ArrayList<Privilege>(Arrays.asList(p.getDeclaredAggregatePrivileges()));
assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_READ)));
assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_WRITE)));
assertTrue(l.remove(privilegeRegistry.getPrivilege(PrivilegeRegistry.REP_WRITE)));
+ assertTrue(l.remove(privilegeRegistry.getPrivilege(PrivilegeRegistry.REP_PRIVILEGE_MANAGEMENT)));
assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_READ_ACCESS_CONTROL)));
assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_MODIFY_ACCESS_CONTROL)));
assertTrue(l.remove(privilegeRegistry.getPrivilege(Privilege.JCR_LIFECYCLE_MANAGEMENT)));