Posted to commits@sling.apache.org by ro...@apache.org on 2017/10/18 23:25:59 UTC
[sling-org-apache-sling-jcr-resourcesecurity] 05/26: SLING-3438 :
Provide ResourceAccessGate implementation that authorizes CRUD operations
based on JCR permissios. Merge patch from Marius Petria with existing
implementation
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-jcr-resourcesecurity.git
commit 54bd43a26b0c67ba0ccf891cde41b91b12e1da26
Author: Carsten Ziegeler <cz...@apache.org>
AuthorDate: Fri Mar 28 16:30:00 2014 +0000
SLING-3438 : Provide ResourceAccessGate implementation that authorizes CRUD operations based on JCR permissions. Merge patch from Marius Petria with existing implementation
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk@1582808 13f79535-47bb-0310-9956-ffa450edef68
---
.../impl/ResourceAccessGateFactory.java | 111 +++++++++++++++++++--
1 file changed, 105 insertions(+), 6 deletions(-)
diff --git a/src/main/java/org/apache/sling/jcr/resourcesecurity/impl/ResourceAccessGateFactory.java b/src/main/java/org/apache/sling/jcr/resourcesecurity/impl/ResourceAccessGateFactory.java
index eab7816..e9ba073 100644
--- a/src/main/java/org/apache/sling/jcr/resourcesecurity/impl/ResourceAccessGateFactory.java
+++ b/src/main/java/org/apache/sling/jcr/resourcesecurity/impl/ResourceAccessGateFactory.java
@@ -36,7 +36,6 @@ import org.apache.sling.commons.osgi.PropertiesUtil;
import org.apache.sling.resourceaccesssecurity.AllowingResourceAccessGate;
import org.apache.sling.resourceaccesssecurity.ResourceAccessGate;
-
@Component(configurationFactory=true, policy=ConfigurationPolicy.REQUIRE, metatype=true,
label="Apache Sling JCR Resource Access Gate",
description="This access gate can be used to handle the access to resources" +
@@ -49,7 +48,7 @@ import org.apache.sling.resourceaccesssecurity.ResourceAccessGate;
@Property(name=ResourceAccessGateFactory.PROP_JCR_PATH,
label="JCR Node",
description="This node is checked for permissions to the resources."),
- @Property(name=ResourceAccessGate.OPERATIONS, value="read", propertyPrivate=true),
+ @Property(name=ResourceAccessGate.OPERATIONS, value= {"read", "create", "update", "delete"}, propertyPrivate=true),
@Property(name=ResourceAccessGate.CONTEXT, value=ResourceAccessGate.PROVIDER_CONTEXT, propertyPrivate=true)
})
public class ResourceAccessGateFactory
@@ -65,16 +64,51 @@ public class ResourceAccessGateFactory
this.jcrPath = PropertiesUtil.toString(props.get(PROP_JCR_PATH), null);
}
+ /**
+ * Skip the check if the resource is backed by a JCR resource.
+ * This is a sanity check which should usually not be required if the system
+ * is configured correctly.
+ */
+ private boolean skipCheck(final Resource resource) {
+ // if resource is backed by a JCR node, skip check
+ return resource.adaptTo(Node.class) != null;
+ }
+
+ /**
+ * @see org.apache.sling.resourceaccesssecurity.AllowingResourceAccessGate#hasReadRestrictions(org.apache.sling.api.resource.ResourceResolver)
+ */
@Override
- public boolean hasReadRestrictions(ResourceResolver resourceResolver) {
+ public boolean hasReadRestrictions(final ResourceResolver resourceResolver) {
return true;
}
- private boolean skipCheck(final Resource resource) {
- // if resource is backed by a jcr node, skip check
- return resource.adaptTo(Node.class) != null;
+ /**
+ * @see org.apache.sling.resourceaccesssecurity.AllowingResourceAccessGate#hasCreateRestrictions(org.apache.sling.api.resource.ResourceResolver)
+ */
+ @Override
+ public boolean hasCreateRestrictions(final ResourceResolver resourceResolver) {
+ return true;
+ }
+
+ /**
+ * @see org.apache.sling.resourceaccesssecurity.AllowingResourceAccessGate#hasUpdateRestrictions(org.apache.sling.api.resource.ResourceResolver)
+ */
+ @Override
+ public boolean hasUpdateRestrictions(final ResourceResolver resourceResolver) {
+ return true;
+ }
+
+ /**
+ * @see org.apache.sling.resourceaccesssecurity.AllowingResourceAccessGate#hasDeleteRestrictions(org.apache.sling.api.resource.ResourceResolver)
+ */
+ @Override
+ public boolean hasDeleteRestrictions(final ResourceResolver resourceResolver) {
+ return true;
}
+ /**
+ * @see org.apache.sling.resourceaccesssecurity.AllowingResourceAccessGate#canRead(org.apache.sling.api.resource.Resource)
+ */
@Override
public GateResult canRead(final Resource resource) {
if ( this.skipCheck(resource) ) {
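Review bot: `skipCheck` treats `resource.adaptTo(Node.class) != null` as proof that the resource is JCR-backed, and the write checks added by this commit (canDelete and canUpdate in the last hunk) return GRANTED on that basis without consulting `jcrPath`. Adaptability is a weaker signal than provenance: any resource whose provider or adapter factory can produce a Node would pass, which mattered less while the gate covered only read. The javadoc should state that assumption, e.g. `Relies on JCR access control having already been enforced for any resource that adapts to Node.`, and it may be worth returning a neutral result instead of GRANTED if the GateResult API offers one. canRead's body continues outside this hunk.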
@@ -91,4 +125,69 @@ public class ResourceAccessGateFactory
}
return canRead ? GateResult.GRANTED : GateResult.DENIED;
}
+
+ /**
+ * @see org.apache.sling.resourceaccesssecurity.AllowingResourceAccessGate#canDelete(org.apache.sling.api.resource.Resource)
+ */
+ @Override
+ public GateResult canDelete(Resource resource) {
+ if ( this.skipCheck(resource) ) {
+ return GateResult.GRANTED;
+ }
+
+ boolean canDelete = false;
+ final Session session = resource.getResourceResolver().adaptTo(Session.class);
+ if ( session != null ) {
+ try {
+ canDelete = session.hasPermission(jcrPath, Session.ACTION_REMOVE);
+ } catch (final RepositoryException re) {
+ // ignore
+ }
+ }
+
+ return canDelete ? GateResult.GRANTED : GateResult.DENIED;
+
+ }
+
+ /**
+ * @see org.apache.sling.resourceaccesssecurity.AllowingResourceAccessGate#canUpdate(org.apache.sling.api.resource.Resource)
+ */
+ @Override
+ public GateResult canUpdate(Resource resource) {
+ if ( this.skipCheck(resource) ) {
+ return GateResult.GRANTED;
+ }
+
+ boolean canUpdate = false;
+
+ final Session session = resource.getResourceResolver().adaptTo(Session.class);
+ if ( session != null ) {
+ try {
+ canUpdate = session.hasPermission(jcrPath, Session.ACTION_SET_PROPERTY);
+ } catch (final RepositoryException re) {
+ // ignore
+ }
+ }
+
+ return canUpdate ? GateResult.GRANTED : GateResult.DENIED;
+ }
+
+ /**
+ * @see org.apache.sling.resourceaccesssecurity.AllowingResourceAccessGate#canCreate(java.lang.String, org.apache.sling.api.resource.ResourceResolver)
+ */
+ @Override
+ public GateResult canCreate(String absPathName, ResourceResolver resourceResolver) {
+ boolean canCreate = false;
+
+ final Session session = resourceResolver.adaptTo(Session.class);
+ if ( session != null ) {
+ try {
+ canCreate = session.hasPermission(jcrPath, Session.ACTION_ADD_NODE);
+ } catch (final RepositoryException re) {
+ // ignore
+ }
+ }
+
+ return canCreate ? GateResult.GRANTED : GateResult.DENIED;
+ }
}
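Review bot: The three new checks (canDelete, canUpdate, canCreate) each swallow RepositoryException with `// ignore`, so a repository failure is indistinguishable from a genuine denial; failing closed is right, but the cause should be logged. Since the bodies differ only in the action constant, one private helper could hold the session lookup, the catch and the logging once. The helper can also deny up front when `jcrPath` is null, which the assignment visible in the previous hunk allows (`PropertiesUtil.toString(..., null)`). Separately, the JCR contract evaluates `add_node` and `remove` for the item at the path passed in, so these calls ask about `jcrPath` itself rather than anything beneath it, and canCreate never consults `absPathName`; if that is the intended mapping it deserves a comment. The fence assumes an SLF4J `logger` field, which the hunk does not show.

```java
@Override
public GateResult canDelete(Resource resource) {
    if ( this.skipCheck(resource) ) {
        return GateResult.GRANTED;
    }
    return this.checkPermission(resource.getResourceResolver(), Session.ACTION_REMOVE);
}

// … canUpdate and canCreate delegate the same way with ACTION_SET_PROPERTY / ACTION_ADD_NODE …

/** Deny unless the session holds {@code action} on the configured JCR path. */
private GateResult checkPermission(final ResourceResolver resolver, final String action) {
    final Session session = resolver.adaptTo(Session.class);
    if ( session == null || this.jcrPath == null ) {
        return GateResult.DENIED;
    }
    try {
        return session.hasPermission(this.jcrPath, action) ? GateResult.GRANTED : GateResult.DENIED;
    } catch (final RepositoryException re) {
        // fail closed, but leave a trace so operators can tell an outage from a denial
        logger.warn("Permission check for action {} on {} failed", action, this.jcrPath, re);
        return GateResult.DENIED;
    }
}
```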
--