Author: dkuleshov
Date: 2010-12-21 04:43:31 -0500 (Tue, 21 Dec 2010)
New Revision: 3691
Added:
jcr/trunk/exo.jcr.component.core/src/test/java/org/exoplatform/services/jcr/impl/access/TestAccessUpdateMixin.java
Modified:
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/impl/core/SessionDataManager.java
jcr/trunk/exo.jcr.docs/exo.jcr.docs.developer/en/src/main/docbook/en-US/modules/jcr/other/acl.xml
Log:
EXOJCR-1115: for the "isMixinChanged" state,
SessionDataManager.validateAccessPermissions(ItemState changedItem) now checks
permissions on the node itself
Modified:
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/impl/core/SessionDataManager.java
===================================================================
---
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/impl/core/SessionDataManager.java 2010-12-21
08:56:24 UTC (rev 3690)
+++
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/impl/core/SessionDataManager.java 2010-12-21
09:43:31 UTC (rev 3691)
@@ -1669,6 +1669,10 @@
{
validateRemoveAccessPermission(changedItem);
}
+ else if (changedItem.isMixinChanged())
+ {
+ validateMixinChangedPermission(changedItem);
+ }
else
{
NodeData parent =
(NodeData)getItemData(changedItem.getData().getParentIdentifier());
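Review bot: The new `else if (changedItem.isMixinChanged())` branch hands the state to a helper that casts `changedItem.getData()` to `NodeData`, but nothing visible in this hunk shows that the chain is only reached for node states. The enclosing `if` starts outside the hunk, so either confirm that precondition or make it explicit, for example `else if (changedItem.getData().isNode() && changedItem.isMixinChanged())`. Since the `else` just below still authorizes against the parent's ACL, the branch would also benefit from a comment such as `// mixin changes are authorized against the node's own ACL, not the parent's (EXOJCR-1115)`.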
@@ -1687,17 +1691,6 @@
+ " item owner " + parent.getACL().getOwner());
}
}
- else if (changedItem.isMixinChanged())
- {
- if (!accessManager.hasPermission(parent.getACL(), new
String[]{PermissionType.ADD_NODE,
- PermissionType.SET_PROPERTY},
session.getUserState().getIdentity()))
- {
- throw new AccessDeniedException("Access denied: ADD_NODE or
SET_PROPERTY"
- + changedItem.getData().getQPath().getAsString() + " for:
" + session.getUserID()
- + " item owner " + parent.getACL().getOwner());
- }
- }
-
}
else if (changedItem.isAdded() || changedItem.isUpdated())
{
@@ -1739,6 +1732,17 @@
}
}
+ private void validateMixinChangedPermission(ItemState changedItem) throws
AccessDeniedException
+ {
+ if (!accessManager.hasPermission(((NodeData)changedItem.getData()).getACL(), new
String[]{
+ PermissionType.ADD_NODE, PermissionType.SET_PROPERTY},
session.getUserState().getIdentity()))
+ {
+ throw new AccessDeniedException("Access denied: ADD_NODE or
SET_PROPERTY"
+ + changedItem.getData().getQPath().getAsString() + " for: " +
session.getUserID() + " item owner "
+ + ((NodeData)changedItem.getData()).getACL().getOwner());
+ }
+ }
+
/**
* Validate ItemState which represents the add node, for it's all mandatory items
*
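Review bot: The denial message in `validateMixinChangedPermission` joins `"Access denied: ADD_NODE or SET_PROPERTY"` directly to the item path with no separator. It also says "or", although the test added in this commit expects a denial when mary holds SET_PROPERTY but not ADD_NODE, so both permissions appear to be required. Something like `"Access denied: ADD_NODE and SET_PROPERTY required on " + changedItem.getData().getQPath().getAsString()` would state the rule accurately. Casting once into a local, `NodeData node = (NodeData)changedItem.getData();`, would remove the duplicated cast, and a short Javadoc saying the check is made on the node's own ACL would match the documented method that follows. The message also returns the ACL owner to the denied caller; that mirrors the neighbouring messages, but it is worth confirming that this detail is meant to reach clients rather than only the server log.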
Added:
jcr/trunk/exo.jcr.component.core/src/test/java/org/exoplatform/services/jcr/impl/access/TestAccessUpdateMixin.java
===================================================================
---
jcr/trunk/exo.jcr.component.core/src/test/java/org/exoplatform/services/jcr/impl/access/TestAccessUpdateMixin.java
(rev 0)
+++
jcr/trunk/exo.jcr.component.core/src/test/java/org/exoplatform/services/jcr/impl/access/TestAccessUpdateMixin.java 2010-12-21
09:43:31 UTC (rev 3691)
@@ -0,0 +1,147 @@
+/*
+ * Copyright (C) 2003-2010 eXo Platform SAS.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Affero General Public License
+ * as published by the Free Software Foundation; either version 3
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not,
see<http://www.gnu.org/licenses/>.
+ */
+package org.exoplatform.services.jcr.impl.access;
+
+import org.exoplatform.services.jcr.BaseStandaloneTest;
+import org.exoplatform.services.jcr.access.PermissionType;
+import org.exoplatform.services.jcr.access.SystemIdentity;
+import org.exoplatform.services.jcr.core.CredentialsImpl;
+import org.exoplatform.services.jcr.impl.core.NodeImpl;
+
+import javax.jcr.AccessDeniedException;
+import javax.jcr.Node;
+import javax.jcr.Session;
+
+/**
+ * Created by The eXo Platform SAS.
+ *
+ * <br/>Date:
+ *
+ * @author <a href="karpenko.sergiy(a)gmail.com">Karpenko Sergiy</a>
+ * @version $Id: TestAccessUpdateMixin.java 111 2008-11-11 11:11:11Z serg $
+ */
+public class TestAccessUpdateMixin extends BaseStandaloneTest
+{
+
+ @Override
+ public String getRepositoryName()
+ {
+ return "db1";
+ }
+
+ public void setUp() throws Exception
+ {
+ super.setUp();
+ //create nodes with "john" user
+ Session sessJohn = repository.login(new CredentialsImpl("john",
"exo".toCharArray()));
+ Node testRoot = sessJohn.getRootNode().addNode("testRoot");
+ testRoot.addMixin("exo:privilegeable");
+ testRoot.setProperty("prop", "value");
+ sessJohn.save();
+ sessJohn.logout();
+ }
+
+ public void tearDown() throws Exception
+ {
+ Session sysSession =
this.repository.getSystemSession(session.getWorkspace().getName());
+ if (sysSession.getRootNode().hasNode("testRoot"))
+ {
+ Node testRoot = sysSession.getRootNode().getNode("testRoot");
+ testRoot.remove();
+ sysSession.save();
+ }
+ super.tearDown();
+ }
+
+ public void testUpdateWhenParentHasRightsButChildNot() throws Exception
+ {
+ Session sessJohn = repository.login(new CredentialsImpl("john",
"exo".toCharArray()));
+
+ NodeImpl subNode =
(NodeImpl)sessJohn.getRootNode().getNode("testRoot").addNode("testNode");
+ subNode.addMixin("exo:privilegeable");
+ sessJohn.save();
+
+ NodeImpl testRoot =
(NodeImpl)sessJohn.getRootNode().getNode("testRoot");
+
+ testRoot.setPermission("mary", PermissionType.ALL);
+ testRoot.setPermission("john", PermissionType.ALL);
+ testRoot.removePermission(SystemIdentity.ANY);
+
+ subNode.setPermission("mary", new String[]{PermissionType.READ,
PermissionType.SET_PROPERTY});
+ subNode.removePermission(SystemIdentity.ANY);
+ sessJohn.save();
+ sessJohn.logout();
+
+ // login as Mary with no rights, and try to addmixin
+ Session sessMary = repository.login(new CredentialsImpl("mary",
"exo".toCharArray()));
+ subNode =
(NodeImpl)sessMary.getRootNode().getNode("testRoot").getNode("testNode");
+
+ try
+ {
+ subNode.addMixin("mix:referenceable");
+ sessMary.save();
+ fail();
+ }
+ catch (AccessDeniedException e)
+ {
+ //ok
+ }
+ finally
+ {
+ sessMary.logout();
+ }
+ }
+
+ public void testUpdateWhenChildHasRightsButParentNot() throws Exception
+ {
+ Session sessJohn = repository.login(new CredentialsImpl("john",
"exo".toCharArray()));
+
+ NodeImpl subNode =
(NodeImpl)sessJohn.getRootNode().getNode("testRoot").addNode("testNode");
+ subNode.addMixin("exo:privilegeable");
+ sessJohn.save();
+
+ NodeImpl testRoot =
(NodeImpl)sessJohn.getRootNode().getNode("testRoot");
+
+ testRoot.setPermission("mary", new String[]{PermissionType.READ});
+ testRoot.setPermission("john", PermissionType.ALL);
+ testRoot.removePermission(SystemIdentity.ANY);
+
+ subNode.setPermission("mary", PermissionType.ALL);
+ subNode.removePermission(SystemIdentity.ANY);
+ sessJohn.save();
+ sessJohn.logout();
+
+ // login as Mary with no rights, and try to addmixin
+ Session sessMary = repository.login(new CredentialsImpl("mary",
"exo".toCharArray()));
+ subNode =
(NodeImpl)sessMary.getRootNode().getNode("testRoot").getNode("testNode");
+
+ try
+ {
+ subNode.addMixin("mix:referenceable");
+ sessMary.save();
+ }
+ catch (AccessDeniedException e)
+ {
+ fail("There must not be access denied exception.");
+ }
+ finally
+ {
+ sessMary.logout();
+ }
+ }
+
+}
\ No newline at end of file
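Review bot: In `testUpdateWhenChildHasRightsButParentNot` the comment `// login as Mary with no rights, and try to addmixin` is copied from the first test and contradicts the setup, where mary holds `PermissionType.ALL` on testNode and only READ on testRoot. It should read along the lines of `// mary has ALL on the child but only READ on the parent; addMixin must succeed`. The denial case only exercises a missing ADD_NODE (mary keeps SET_PROPERTY), so a companion case where she holds ADD_NODE but lacks SET_PROPERTY would pin that both permissions are enforced on the node itself. In `tearDown` the system session is never logged out, and `sessJohn` in `setUp` and in both tests is not released if an earlier call throws. The bare `fail()` in the first test would be easier to diagnose with a message such as `fail("addMixin must be denied without ADD_NODE on the node")`.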
Property changes on:
jcr/trunk/exo.jcr.component.core/src/test/java/org/exoplatform/services/jcr/impl/access/TestAccessUpdateMixin.java
___________________________________________________________________
Name: svn:eol-style
+ native
Modified:
jcr/trunk/exo.jcr.docs/exo.jcr.docs.developer/en/src/main/docbook/en-US/modules/jcr/other/acl.xml
===================================================================
---
jcr/trunk/exo.jcr.docs/exo.jcr.docs.developer/en/src/main/docbook/en-US/modules/jcr/other/acl.xml 2010-12-21
08:56:24 UTC (rev 3690)
+++
jcr/trunk/exo.jcr.docs/exo.jcr.docs.developer/en/src/main/docbook/en-US/modules/jcr/other/acl.xml 2010-12-21
09:43:31 UTC (rev 3691)
@@ -450,21 +450,41 @@
role="bold">node1</emphasis>/myprop property - jcr will
check
"remove" permission on "node1".</para>
</listitem>
+
+ <listitem>
+ <para><emphasis role="bold">add mixin</emphasis>:
check "add_node"
+ and "set_property" permission on target node</para>
+
+ <para>For example. Try add mixin to /node1/<emphasis
+ role="bold">subnode</emphasis> node - jcr will check
"add_node"
+ and "set_property" permission on "subnode".</para>
+ </listitem>
</itemizedlist>
- <para>Behavior of the permission "remove" has changed since JCR
- 1.12.6-GA. The old behavior is:</para>
+ <note>
+ <para>Behavior of the permission "remove" and "add
mixin" validation
+ has changed since JCR 1.12.6-GA. The old behavior is:</para>
- <para><itemizedlist>
- <listitem>
- <para><emphasis role="bold">remove
node</emphasis>: check remove
- permission on parent node</para>
+ <para><itemizedlist>
+ <listitem>
+ <para><emphasis role="bold">remove
node</emphasis>: check
+ remove permission on parent node</para>
- <para>For example. Try to remove /<emphasis
- role="bold">node1</emphasis>/subnode node - jcr will
check
- "remove" permission on "node1".</para>
- </listitem>
- </itemizedlist></para>
+ <para>For example. Try to remove /<emphasis
+ role="bold">node1</emphasis>/subnode node - jcr will
check
+ "remove" permission on "node1".</para>
+ </listitem>
+
+ <listitem>
+ <para><emphasis role="bold">add
mixin</emphasis>: check
+ "add_node" and "set_property" permission on parent
node</para>
+
+ <para>For example. Try add mixin to /<emphasis
+ role="bold">node1</emphasis>/subnode node - jcr will
check
+ "add_node" and "set_property" permission on
"node1".</para>
+ </listitem>
+ </itemizedlist></para>
+ </note>
</section>
</section>