4:25 p.m.
Author: sohil.shah(a)jboss.com
Date: 2008-07-14 17:25:06 -0400 (Mon, 14 Jul 2008)
New Revision: 11446
Modified:
branches/JBoss_Portal_Branch_2_6/cms/src/main/org/jboss/portal/cms/impl/interceptors/ACLInterceptor.java
branches/JBoss_Portal_Branch_2_6/cms/src/main/org/jboss/portal/cms/impl/jcr/JCRCMS.java
branches/JBoss_Portal_Branch_2_6/cms/src/main/org/jboss/portal/cms/impl/jcr/command/ACLEnforcer.java
branches/JBoss_Portal_Branch_2_6/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java
Log:
JBPORTAL-2033 - User with only read-permissions on a folder cannot read a folder
Modified:
branches/JBoss_Portal_Branch_2_6/cms/src/main/org/jboss/portal/cms/impl/interceptors/ACLInterceptor.java
===================================================================
---
branches/JBoss_Portal_Branch_2_6/cms/src/main/org/jboss/portal/cms/impl/interceptors/ACLInterceptor.java 2008-07-14
20:52:35 UTC (rev 11445)
+++
branches/JBoss_Portal_Branch_2_6/cms/src/main/org/jboss/portal/cms/impl/interceptors/ACLInterceptor.java 2008-07-14
21:25:06 UTC (rev 11446)
@@ -232,44 +232,52 @@
JCRCommand command =
(JCRCommand)securityContext.getAttribute("command");
try
{
- if (filteredResponse instanceof Folder)
+ //UI-level filtering of resources for the CMSAdmin tool
+ if(JCRCMS.isUISecurityFilterActive())
{
- Folder folder = (Folder)filteredResponse;
- List filteredFolders = new ArrayList();
- List filteredFiles = new ArrayList();
- securityContext.removeAttribute("command");
- if (folder.getFolders() != null)
+ if (filteredResponse instanceof Folder)
{
- for (Iterator itr = folder.getFolders().iterator(); itr.hasNext();)
+ Folder folder = (Folder)filteredResponse;
+ List filteredFolders = new ArrayList();
+ List filteredFiles = new ArrayList();
+ securityContext.removeAttribute("command");
+ if (folder.getFolders() != null)
{
- Folder cour = (Folder)itr.next();
- securityContext.setAttribute("applyFilter",
cour.getBasePath());
- PortalPermission cmsPermission = new CMSPermission(securityContext);
- boolean allow =
this.authorizationManager.checkPermission(cmsPermission);
- if (allow)
+ for (Iterator itr = folder.getFolders().iterator(); itr.hasNext();)
{
- filteredFolders.add(cour);
+ Folder cour = (Folder)itr.next();
+ securityContext.setAttribute("applyFilter",
cour.getBasePath());
+ securityContext.setAttribute("isFolder", Boolean.TRUE);
+ PortalPermission cmsPermission = new
CMSPermission(securityContext);
+ boolean allow =
this.authorizationManager.checkPermission(cmsPermission);
+ if (allow)
+ {
+ filteredFolders.add(cour);
+ }
}
}
- }
- if (folder.getFiles() != null)
- {
- for (Iterator itr = folder.getFiles().iterator(); itr.hasNext();)
+ if (folder.getFiles() != null)
{
- File cour = (File)itr.next();
- securityContext.setAttribute("applyFilter",
cour.getBasePath());
- PortalPermission cmsPermission = new CMSPermission(securityContext);
- boolean allow =
this.authorizationManager.checkPermission(cmsPermission);
- if (allow)
+ for (Iterator itr = folder.getFiles().iterator(); itr.hasNext();)
{
- filteredFiles.add(cour);
+ File cour = (File)itr.next();
+ securityContext.setAttribute("applyFilter",
cour.getBasePath());
+ securityContext.setAttribute("isFolder", Boolean.FALSE);
+ PortalPermission cmsPermission = new
CMSPermission(securityContext);
+ boolean allow =
this.authorizationManager.checkPermission(cmsPermission);
+ if (allow)
+ {
+ filteredFiles.add(cour);
+ }
}
}
+ folder.setFolders(filteredFolders);
+ folder.setFiles(filteredFiles);
}
- folder.setFolders(filteredFolders);
- folder.setFiles(filteredFiles);
}
- else if ((filteredResponse instanceof List) && (command instanceof
SearchCommand))
+
+ //Filtering of resources in the context of Search
+ if ((filteredResponse instanceof List) && (command instanceof
SearchCommand))
{
List list = (List)filteredResponse;
List filteredFiles = new ArrayList();
Modified:
branches/JBoss_Portal_Branch_2_6/cms/src/main/org/jboss/portal/cms/impl/jcr/JCRCMS.java
===================================================================
---
branches/JBoss_Portal_Branch_2_6/cms/src/main/org/jboss/portal/cms/impl/jcr/JCRCMS.java 2008-07-14
20:52:35 UTC (rev 11445)
+++
branches/JBoss_Portal_Branch_2_6/cms/src/main/org/jboss/portal/cms/impl/jcr/JCRCMS.java 2008-07-14
21:25:06 UTC (rev 11446)
@@ -132,6 +132,30 @@
{
turnOffWorkflow.set(null);
}
+
+ /**
+ *
+ */
+ protected static ThreadLocal applyUISecurityFilter = new ThreadLocal();
+ public static void enableUISecurityFilter()
+ {
+ applyUISecurityFilter.set(Boolean.TRUE);
+ }
+ public static void disableUISecurityFilter()
+ {
+ applyUISecurityFilter.set(null);
+ }
+ public static boolean isUISecurityFilterActive()
+ {
+ boolean isUISecurityFilterActive = false;
+
+ if(applyUISecurityFilter.get() != null &&
((Boolean)applyUISecurityFilter.get()))
+ {
+ isUISecurityFilterActive = true;
+ }
+
+ return isUISecurityFilterActive;
+ }
public JCRCMS()
{
Modified:
branches/JBoss_Portal_Branch_2_6/cms/src/main/org/jboss/portal/cms/impl/jcr/command/ACLEnforcer.java
===================================================================
---
branches/JBoss_Portal_Branch_2_6/cms/src/main/org/jboss/portal/cms/impl/jcr/command/ACLEnforcer.java 2008-07-14
20:52:35 UTC (rev 11445)
+++
branches/JBoss_Portal_Branch_2_6/cms/src/main/org/jboss/portal/cms/impl/jcr/command/ACLEnforcer.java 2008-07-14
21:25:06 UTC (rev 11446)
@@ -35,7 +35,6 @@
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
-import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
@@ -146,7 +145,15 @@
if (cmsSecurityContext.getAttribute("applyFilter") != null)
{
String path =
(String)cmsSecurityContext.getAttribute("applyFilter");
- hasAccess = this.computeToolAccess(loggedInUser, path);
+ Boolean isFolder =
(Boolean)cmsSecurityContext.getAttribute("isFolder");
+ if(isFolder)
+ {
+ hasAccess = this.hasReadAccess(loggedInUser, path);
+ }
+ else
+ {
+ hasAccess = this.hasWriteAccess(loggedInUser, path);
+ }
}
else if (cmsSecurityContext.getAttribute("path") != null)
{
@@ -211,22 +218,33 @@
path = ((FileGetListCommand)command).sFilePath;
}
- hasReadAccess = this.computeAccess(user, path, "read");
- if (!hasReadAccess)
+ hasReadAccess = this.hasReadAccess(user, path);
+
+ return hasReadAccess;
+ }
+
+ /**
+ *
+ * @param user
+ * @param path
+ * @return
+ */
+ private boolean hasReadAccess(User user, String path)
+ {
+ boolean hasAccess = this.computeAccess(user, path, "read");
+ if (!hasAccess)
{
//make sure implied write is not available
- hasReadAccess = this.computeAccess(user, path, "write");
- if (!hasReadAccess)
+ hasAccess = this.computeAccess(user, path, "write");
+ if (!hasAccess)
{
//make sure implied manage is not available
- hasReadAccess = this.computeAccess(user, path, "manage");
+ hasAccess = this.computeAccess(user, path, "manage");
}
}
-
- return hasReadAccess;
+ return hasAccess;
}
-
//-------------------------------------------------------------------------------------------------------------------------------------------
/**
* @param user
* @param command
@@ -275,8 +293,24 @@
return hasWriteAccess;
}
+
+ /**
+ *
+ * @param user
+ * @param path
+ * @return
+ */
+ private boolean hasWriteAccess(User user, String path)
+ {
+ boolean hasAccess = this.computeAccess(user, path, "write");
+ if (!hasAccess)
+ {
+ //make sure implied manage is not available
+ hasAccess = this.computeAccess(user, path, "manage");
+ }
+ return hasAccess;
+ }
-
//-----------------------------------------------------------------------------------------------------------------------------------------
/**
* @param user
* @param command
@@ -315,8 +349,7 @@
return hasManageAccess;
}
-
-
//-----------------------------------------------------------------------------------------------------------------------------------------
+
//----------------------------------------------------------------------------------------------------------------------------------------------------------------------
/**
*
*/
@@ -461,82 +494,9 @@
}
/**
- * This is used to filter out cms resources in the CMS Admin tool, so that the user
can see only the resources that
- * he has write/manage access to
- *
* @param user
- * @param path
* @return
*/
- private boolean computeToolAccess(User user, String path)
- {
- boolean toolAccess = false;
-
- //to prevent any administration issues, if the user is the 'cmsRoot'
- //treat him like a super user with access to everything in the cms
- User root = this.authorizationManager.getProvider().getRoot();
- if (user != null && user.getUserName() != null &&
user.getUserName().equals(root.getUserName()))
- {
- return true;
- }
-
- //get the permissions available for the user in question
- Collection userPermissions = this.getPermissions(user);
-
- //check against permissions that are explicitly specified on this node (file or
folder)
- Collection specificPermissions = this.getPermissions(path);
- for (Iterator itr = specificPermissions.iterator(); itr.hasNext();)
- {
- Permission specificPermission = (Permission)itr.next();
- if ((specificPermission.getService().equals("cms")) &&
- (specificPermission.getAction().equals("write") ||
specificPermission.getAction().equals("manage"))
- )
- {
- for (Iterator itr2 = userPermissions.iterator(); itr2.hasNext();)
- {
- Permission userPermission = (Permission)itr2.next();
- if ((userPermission.getService().equals("cms")) &&
- (userPermission.getAction().equals("write") ||
userPermission.getAction().equals("manage"))
- )
- {
- String pathCriteria =
userPermission.findCriteriaValue("path");
- if (pathCriteria.equals(path))
- {
- //this means this user has read access to this path
- toolAccess = true;
- }
- }
- }
- }
- }
-
- if (specificPermissions != null && !specificPermissions.isEmpty())
- {
- //explicit permissions on this node have been specified....
- //which override any permissions that could be inherited via the path hierarchy
- return toolAccess;
- }
-
- //if i am here...calculate based on permissions inherited via path hierarchy
- Collection writeOrMoreCriteria = this.getWriteOrMore(userPermissions);
- for (Iterator itr = writeOrMoreCriteria.iterator(); itr.hasNext();)
- {
- Criteria cour = (Criteria)itr.next();
- if (this.doesPathMatchPattern(path, cour.getValue()))
- {
-
- toolAccess = true;
- break;
- }
- }
-
- return toolAccess;
- }
-
- /**
- * @param user
- * @return
- */
private boolean computeWorkflowManagementAccess(User user, Set managerRoles)
{
if (managerRoles == null || managerRoles.isEmpty())
@@ -614,106 +574,6 @@
}
/**
- * @param allPermissions
- * @return
- */
- private Collection getWriteOrMore(Collection allPermissions)
- {
- Collection writeOrMore = new HashSet();
-
- if (allPermissions != null)
- {
- for (Iterator itr = allPermissions.iterator(); itr.hasNext();)
- {
- Permission cour = (Permission)itr.next();
- if ((cour.getService().equals("cms")) &&
- (cour.getAction().equals("write") ||
cour.getAction().equals("manage"))
- )
- {
- writeOrMore.addAll(cour.getCriteria());
- }
- }
- }
-
- return writeOrMore;
- }
-
- /**
- * @param path
- * @param pattern
- * @return
- */
- private boolean doesPathMatchPattern(String path, String pattern)
- {
- boolean match = true;
-
- //format the path first before starting to match it with the specified pattern
- if (!path.startsWith("/"))
- {
- path = "/" + path;
- }
- if (!path.endsWith("/"))
- {
- path = path + "/";
- }
-
- StringTokenizer patternTokenizer = new StringTokenizer(pattern, "/");
- StringTokenizer pathTokenizer = new StringTokenizer(path, "/");
- StringBuffer pathMatched = new StringBuffer("/");
- StringBuffer patternMatched = new StringBuffer();
- if (pattern.startsWith("/"))
- {
- patternMatched.append("/");
- }
- while (
- patternTokenizer.hasMoreTokens() &&
- pathTokenizer.hasMoreTokens()
- )
- {
- String patternToken = patternTokenizer.nextToken();
- String pathToken = pathTokenizer.nextToken();
-
- //setup token tracking
- pathMatched.append(pathToken + "/");
- if (patternTokenizer.hasMoreTokens())
- {
- patternMatched.append(patternToken + "/");
- }
- else
- {
- patternMatched.append(patternToken);
- }
-
- //perform token matching
- if (!match)
- {
- continue;
- }
- int wildCardIndex = patternToken.indexOf('*');
- //if wildCard is not relevant
- if (wildCardIndex <= 0)
- {
- //if wildCardIndex == 0 then this token matches...
- if (wildCardIndex != 0 && !pathToken.equals(patternToken))
- {
- match = false;
- }
- }
- else
- {
- String wildPath = pathToken.substring(0, wildCardIndex);
- String wildPattern = patternToken.substring(0, wildCardIndex);
- if (!wildPath.equals(wildPattern))
- {
- match = false;
- }
- }
- }
-
- return match;
- }
-
- /**
* @param action
* @param impliedTarget
* @return
Modified:
branches/JBoss_Portal_Branch_2_6/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java
===================================================================
---
branches/JBoss_Portal_Branch_2_6/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2008-07-14
20:52:35 UTC (rev 11445)
+++
branches/JBoss_Portal_Branch_2_6/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2008-07-14
21:25:06 UTC (rev 11446)
@@ -44,6 +44,7 @@
import org.jboss.portal.cms.util.NodeUtil;
import org.jboss.portal.cms.workflow.ApprovePublish;
import org.jboss.portal.cms.workflow.CMSWorkflowUtil;
+import org.jboss.portal.cms.impl.jcr.JCRCMS;
import org.jboss.portal.core.cms.ui.Util;
import org.jboss.portal.core.cms.command.StreamContentCommand;
import org.jboss.portal.core.controller.ControllerContext;
@@ -148,19 +149,16 @@
this.resources = config.getResourceBundle(Locale.getDefault());
}
-
-
+ /**
+ *
+ */
protected void doView(final JBossRenderRequest rReq, final JBossRenderResponse rRes)
throws PortletException, IOException, UnavailableException
{
//check and make sure the CMSAdminPortlet is accessible to the current user
if (!this.isPortletAccessible(rReq))
{
- rRes.setContentType("text/html");
- PrintWriter writer = rRes.getWriter();
- String sHTML = "<h2>Access Denied</h2>";
- writer.write(sHTML);
- writer.close();
+ this.showAccessDeniedScreen(rRes);
return;
}
@@ -170,29 +168,27 @@
{
if (!this.isSecurityConsoleAccessible(rReq))
{
- rRes.setContentType("text/html");
- PrintWriter writer = rRes.getWriter();
- String sHTML = "<h2>Access Denied</h2>";
- writer.write(sHTML);
- writer.close();
+ this.showAccessDeniedScreen(rRes);
return;
}
}
-
try
{
if (rReq.getParameter("accessDenied") != null)
{
- throw new PortletException("Access to this resource is denied");
+ this.showAccessDeniedScreen(rRes);
}
- internalDoView(rReq, rRes);
+ else
+ {
+ internalDoView(rReq, rRes);
+ }
}
catch (CMSException e)
{
if (e.toString().indexOf("Access to this resource is denied") != -1)
{
- throw new PortletException("Access to this resource is denied");
+ this.showAccessDeniedScreen(rRes);
}
else
{
@@ -200,6 +196,30 @@
}
}
}
+
+ /**
+ *
+ * @param renderResponse
+ * @throws IOException
+ */
+ private void showAccessDeniedScreen(JBossRenderResponse renderResponse) throws
IOException
+ {
+ renderResponse.setContentType("text/html");
+ PrintWriter writer = null;
+ try
+ {
+ writer = renderResponse.getWriter();
+ String sHTML = "<h2>Access Denied</h2>";
+ writer.write(sHTML);
+ }
+ finally
+ {
+ if(writer != null)
+ {
+ writer.close();
+ }
+ }
+ }
private void internalDoView(JBossRenderRequest rReq, JBossRenderResponse rRes)
throws CMSException, PortletException, IOException
@@ -217,11 +237,13 @@
{
sPath = "/";
}
-
+
+ JCRCMS.enableUISecurityFilter();
Command listCMD =
CMSService.getCommandFactory().createFolderGetListCommand(sPath);
Folder mainFolder = (Folder)CMSService.execute(listCMD);
List folders = mainFolder.getFolders();
List files = mainFolder.getFiles();
+ JCRCMS.disableUISecurityFilter();
rRes.setContentType("text/html");
rReq.setAttribute("folders", folders);
@@ -1788,4 +1810,9 @@
this.setApprovePublish(null);
}
}
+
+ private void filterResourceBySecurity(List resources, PortalCMSSecurityContext
securityContext)
+ {
+
+ }
}
\ No newline at end of file