org.ametys.plugins.core.impl.right

Class AbstractProfileStorageBasedAccessController

java.lang.Object

org.ametys.runtime.plugin.component.AbstractLogEnabled

org.ametys.plugins.core.impl.right.AbstractProfileStorageBasedAccessController

All Implemented Interfaces:

AccessController, LogEnabled, Component, Serviceable

Direct Known Subclasses:

AbstractHierarchicalAccessController, ProjectAccessController, SurveyAccessController, ThesaurusAccessController

public abstract class AbstractProfileStorageBasedAccessController
extends AbstractLogEnabled
implements AccessController, Component, Serviceable

This class delegates all it can to the profile assignment storage extension point

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
protected static class	AbstractProfileStorageBasedAccessController.CacheKind The knd of cache to get/set

Nested classes/interfaces inherited from interface org.ametys.core.right.AccessController

AccessController.AccessResult

Field Summary

Fields

Modifier and Type	Field and Description
protected static UserIdentity	__ANONYMOUS_USER_IDENTITY The instance of ObjectUserIdentity for anonymous
protected static UserIdentity	__ANY_CONTECTED_USER_IDENTITY The instance of ObjectUserIdentity for any connected user
private String	_cache1 This first cache is for right result on non-null contexts when calling hasXXX methods On the contratry of the other cache, this one is split between profiles, as we check for the first true result (no negativity) { UserIdentity : { Set<ProfileId> : { Context : boolean } } }
private String	_cache2 This second cache is for right result on non-null contexts when calling getXXXByGroup methods { Set<ProfileId> : { Context : { CacheKind.ANONYMOUS: AccessResult CacheKind.ANY_CONNECTED_USER: AccessResult CacheKind.USERS: Map<UserIdentity, AccessResult>, CacheKind.USER: Map<UserIdentity, AccessResult>, CacheKind.GROUPS: Map<GroupIdentity, AccessResult> } } }
protected ProfileAssignmentStorageExtensionPoint	_profileAssignmentStorageEP The extension point for the profile assignment storages
protected RightManager	_rightManager The right manager
protected RightProfilesDAO	_rightProfileDAO The right profile DAO

Constructor Summary

Constructors

Constructor and Description
AbstractProfileStorageBasedAccessController()

Method Summary

Modifier and Type	Method and Description
protected Object	_convertContext(Object initialContext) For methods getXXXXPermissionYYY allow to have a modification of the context before transfering it to the profile assignment storage extension point The default implemenation keep the context as it is
protected abstract Set<? extends Object>	_convertWorkspaceToRootRightContexts(Set<Object> workspacesContexts) Get the current workspaces contexts and turn it into root contexts in order to allow methods hasXXXAnyPermissionOnWorkspace to work
protected AccessController.AccessResult	_getPermission(UserIdentity user, Set<GroupIdentity> userGroups, Set<String> profilesIds, Object object, Object convertedObject) Works for getPermission or getReadAccessPermission
protected Map<GroupIdentity,AccessController.AccessResult>	_getPermissionByGroup(Set<String> profilesIds, Object object, Object convertedObject) Works for getPermissionByGroup and getReadAccessPermissionByGroup
protected Map<UserIdentity,AccessController.AccessResult>	_getPermissionByUser(Set<String> profilesIds, Object object, Object convertedObject) Works for getPermissionByUser and getReadAccessPermissionByUser
protected AccessController.AccessResult	_getPermissionForAnonymous(Set<String> profilesIds, Object object, Object convertedObject) Works for getPermissionForAnonymous and getReadAccessPermissionForAnonymous
protected AccessController.AccessResult	_getPermissionForAnyConnectedUser(Set<String> profilesIds, Object object, Object convertedObject) Works for getPermissionForAnyConnectedUser and getReadAccessPermissionForAnyConnectedUser
private boolean	_hasAnonymousAnyPermissionOnWorkspace(Set<Object> workspacesContexts, Set<String> profilesIds)
private boolean	_hasAnyConnectedUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, Set<String> profilesIds)
protected Boolean	_hasRightResultInFirstCache(UserIdentity userIdentity, Set<String> profilesIds, Object object) Seek in cache
protected Object	_hasRightResultInSecondCache(Object object, Set<String> profilesIds, AbstractProfileStorageBasedAccessController.CacheKind key) Seek in cache
private boolean	_hasUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups, Set<String> profilesIds)
protected void	_putInFirstCache(UserIdentity userIdentity, Set<String> profilesIds, Object object, boolean rightResult) Add to cache
protected void	_putInSecondCache(Set<String> profilesIds, Object object, Object result, AbstractProfileStorageBasedAccessController.CacheKind key) Add to cache
AccessController.AccessResult	getPermission(UserIdentity user, Set<GroupIdentity> userGroups, String rightId, Object object) Gets the kind of access a user has on an object for a given right
Map<GroupIdentity,AccessController.AccessResult>	getPermissionByGroup(String rightId, Object object) Gets the permission by group only on an object for the given right.
Map<String,AccessController.AccessResult>	getPermissionByRight(UserIdentity user, Set<GroupIdentity> userGroups, Object object) Gets the kind of access a user has on an object for all rights
Map<UserIdentity,AccessController.AccessResult>	getPermissionByUser(String rightId, Object object) Gets the permission by user only on an object for the given right.
AccessController.AccessResult	getPermissionForAnonymous(String rightId, Object object) Gets the permission for Anonymous only on an object for a given right
AccessController.AccessResult	getPermissionForAnyConnectedUser(String rightId, Object object) Gets the permission for any connected user only on an object for a given right
AccessController.AccessResult	getReadAccessPermission(UserIdentity user, Set<GroupIdentity> userGroups, Object object) Gets the kind of access a user has on an object for thye read access
Map<GroupIdentity,AccessController.AccessResult>	getReadAccessPermissionByGroup(Object object) Gets the read access permission by group only on an object.
Map<UserIdentity,AccessController.AccessResult>	getReadAccessPermissionByUser(Object object) Gets the read access permission by user only on an object.
AccessController.AccessResult	getReadAccessPermissionForAnonymous(Object object) Gets the read access permission for Anonymous only on an object
AccessController.AccessResult	getReadAccessPermissionForAnyConnectedUser(Object object) Gets the read access permission for any connected user only on an object
boolean	hasAnonymousAnyPermissionOnWorkspace(Set<Object> workspacesContexts, String rightId) Returns true if anonymous has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.
boolean	hasAnonymousAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts) Returns true if anonymous has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.
boolean	hasAnyConnectedUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, String rightId) Returns true if any connected user has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.
boolean	hasAnyConnectedUserAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts) Returns true if any connected user has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.
boolean	hasUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups, String rightId) Returns true if the user has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.
boolean	hasUserAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups) Returns true if the user has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.
void	service(ServiceManager manager)

Methods inherited from class org.ametys.runtime.plugin.component.AbstractLogEnabled

getLogger, setLogger

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.ametys.core.right.AccessController

isSupported

Field Detail

__ANONYMOUS_USER_IDENTITY

protected static final UserIdentity __ANONYMOUS_USER_IDENTITY

The instance of ObjectUserIdentity for anonymous

__ANY_CONTECTED_USER_IDENTITY

protected static final UserIdentity __ANY_CONTECTED_USER_IDENTITY

The instance of ObjectUserIdentity for any connected user

_profileAssignmentStorageEP

protected ProfileAssignmentStorageExtensionPoint _profileAssignmentStorageEP

The extension point for the profile assignment storages

_rightProfileDAO

protected RightProfilesDAO _rightProfileDAO

The right profile DAO

_rightManager

protected RightManager _rightManager

The right manager

_cache1

private final String _cache1

This first cache is for right result on non-null contexts when calling hasXXX methods On the contratry of the other cache, this one is split between profiles, as we check for the first true result (no negativity) { UserIdentity : { Set<ProfileId> : { Context : boolean } } }

_cache2

private final String _cache2

This second cache is for right result on non-null contexts when calling getXXXByGroup methods { Set<ProfileId> : { Context : { CacheKind.ANONYMOUS: AccessResult CacheKind.ANY_CONNECTED_USER: AccessResult CacheKind.USERS: Map<UserIdentity, AccessResult>, CacheKind.USER: Map<UserIdentity, AccessResult>, CacheKind.GROUPS: Map<GroupIdentity, AccessResult> } } }

Constructor Detail

AbstractProfileStorageBasedAccessController

public AbstractProfileStorageBasedAccessController()

Method Detail

service

public void service(ServiceManager manager)
             throws ServiceException

Specified by:

service in interface Serviceable

Throws:

ServiceException

getPermissionByRight

public Map<String,AccessController.AccessResult> getPermissionByRight(UserIdentity user,
                                                                      Set<GroupIdentity> userGroups,
                                                                      Object object)

Description copied from interface: AccessController

Gets the kind of access a user has on an object for all rights

Specified by:

getPermissionByRight in interface AccessController

Parameters:

user - The user. Cannot be null.

userGroups - The groups the user belongs to

object - The context object to check the access

Returns:

the kind of access a user has on an object for all rights

getPermission

public AccessController.AccessResult getPermission(UserIdentity user,
                                                   Set<GroupIdentity> userGroups,
                                                   String rightId,
                                                   Object object)

Description copied from interface: AccessController

Gets the kind of access a user has on an object for a given right

Specified by:

getPermission in interface AccessController

Parameters:

user - The user. Cannot be null.

userGroups - The groups the user belongs to

rightId - The id of the right of the user

object - The context object to check the access

Returns:

the kind of access a user has on an object for a right

getReadAccessPermission

public AccessController.AccessResult getReadAccessPermission(UserIdentity user,
                                                             Set<GroupIdentity> userGroups,
                                                             Object object)

Description copied from interface: AccessController

Gets the kind of access a user has on an object for thye read access

Specified by:

getReadAccessPermission in interface AccessController

Parameters:

user - The user. Cannot be null.

userGroups - The groups the user belongs to

object - The context object to check the access

Returns:

the kind of access a user has on an object for the read access

_getPermission

protected AccessController.AccessResult _getPermission(UserIdentity user,
                                                       Set<GroupIdentity> userGroups,
                                                       Set<String> profilesIds,
                                                       Object object,
                                                       Object convertedObject)

Works for getPermission or getReadAccessPermission

Parameters:

user - The use

userGroups - The groups

profilesIds - The profiles

object - The original context

convertedObject - The converted context

Returns:

the computed result

getPermissionForAnonymous

public AccessController.AccessResult getPermissionForAnonymous(String rightId,
                                                               Object object)

Description copied from interface: AccessController

Gets the permission for Anonymous only on an object for a given right

Specified by:

getPermissionForAnonymous in interface AccessController

Parameters:

rightId - The id of the right to check

object - The object

Returns:

the permission for Anonymous only on an object for a given right

getReadAccessPermissionForAnonymous

public AccessController.AccessResult getReadAccessPermissionForAnonymous(Object object)

Description copied from interface: AccessController

Gets the read access permission for Anonymous only on an object

Specified by:

getReadAccessPermissionForAnonymous in interface AccessController

Parameters:

object - The object

Returns:

the read access permission for Anonymous only on an object

_getPermissionForAnonymous

protected AccessController.AccessResult _getPermissionForAnonymous(Set<String> profilesIds,
                                                                   Object object,
                                                                   Object convertedObject)

Works for getPermissionForAnonymous and getReadAccessPermissionForAnonymous

Parameters:

profilesIds - The profiles ids

object - The context

convertedObject - The converted context

Returns:

The access result

getPermissionForAnyConnectedUser

public AccessController.AccessResult getPermissionForAnyConnectedUser(String rightId,
                                                                      Object object)

Description copied from interface: AccessController

Gets the permission for any connected user only on an object for a given right

Specified by:

getPermissionForAnyConnectedUser in interface AccessController

Parameters:

rightId - The id of the right to check

object - The object

Returns:

the permission for any connected user only on an object for a given right

getReadAccessPermissionForAnyConnectedUser

public AccessController.AccessResult getReadAccessPermissionForAnyConnectedUser(Object object)

Description copied from interface: AccessController

Gets the read access permission for any connected user only on an object

Specified by:

getReadAccessPermissionForAnyConnectedUser in interface AccessController

Parameters:

object - The object

Returns:

the read access permission for any connected user only on an object

_getPermissionForAnyConnectedUser

protected AccessController.AccessResult _getPermissionForAnyConnectedUser(Set<String> profilesIds,
                                                                          Object object,
                                                                          Object convertedObject)

Works for getPermissionForAnyConnectedUser and getReadAccessPermissionForAnyConnectedUser

Parameters:

profilesIds - The profiles ids

object - The context

convertedObject - The converted context

Returns:

the access result

getPermissionByUser

public Map<UserIdentity,AccessController.AccessResult> getPermissionByUser(String rightId,
                                                                           Object object)

Description copied from interface: AccessController

Gets the permission by user only on an object for the given right. It does not take account of the groups of the user, etc.

Specified by:

getPermissionByUser in interface AccessController

Parameters:

rightId - The id of the right to check

object - The object

Returns:

the permission by user only on an object for the given right

getReadAccessPermissionByUser

public Map<UserIdentity,AccessController.AccessResult> getReadAccessPermissionByUser(Object object)

Description copied from interface: AccessController

Gets the read access permission by user only on an object. It does not take account of the groups of the user, etc.

Specified by:

getReadAccessPermissionByUser in interface AccessController

Parameters:

object - The object

Returns:

the read access permission by user only on an object

_getPermissionByUser

protected Map<UserIdentity,AccessController.AccessResult> _getPermissionByUser(Set<String> profilesIds,
                                                                               Object object,
                                                                               Object convertedObject)

Works for getPermissionByUser and getReadAccessPermissionByUser

Parameters:

profilesIds - The profiles ids

object - The context

convertedObject - The converted context

Returns:

The users and their access results

getPermissionByGroup

public Map<GroupIdentity,AccessController.AccessResult> getPermissionByGroup(String rightId,
                                                                             Object object)

Description copied from interface: AccessController

Gets the permission by group only on an object for the given right.

Specified by:

getPermissionByGroup in interface AccessController

Parameters:

rightId - The id of the right to check

object - The object

Returns:

the permission by group only on an object for the given right

getReadAccessPermissionByGroup

public Map<GroupIdentity,AccessController.AccessResult> getReadAccessPermissionByGroup(Object object)

Description copied from interface: AccessController

Gets the read access permission by group only on an object.

Specified by:

getReadAccessPermissionByGroup in interface AccessController

Parameters:

object - The object

Returns:

the read access permission by group only on an object

_getPermissionByGroup

protected Map<GroupIdentity,AccessController.AccessResult> _getPermissionByGroup(Set<String> profilesIds,
                                                                                 Object object,
                                                                                 Object convertedObject)

Works for getPermissionByGroup and getReadAccessPermissionByGroup

Parameters:

profilesIds - The profiles ids

object - The context

convertedObject - The converted context

Returns:

The users and their access results

_convertContext

protected Object _convertContext(Object initialContext)

For methods getXXXXPermissionYYY allow to have a modification of the context before transfering it to the profile assignment storage extension point The default implemenation keep the context as it is

Parameters:

initialContext - The right context that is supported

Returns:

the context modified

hasAnonymousAnyReadAccessPermissionOnWorkspace

public boolean hasAnonymousAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts)

Description copied from interface: AccessController

Returns true if anonymous has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.

Specified by:

hasAnonymousAnyReadAccessPermissionOnWorkspace in interface AccessController

Parameters:

workspacesContexts - The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}

Returns:

true if anonymous has a permission on at least one object, directly or though groups, for a given right

hasAnonymousAnyPermissionOnWorkspace

public boolean hasAnonymousAnyPermissionOnWorkspace(Set<Object> workspacesContexts,
                                                    String rightId)

Description copied from interface: AccessController

Returns true if anonymous has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.

Specified by:

hasAnonymousAnyPermissionOnWorkspace in interface AccessController

Parameters:

workspacesContexts - The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}

rightId - The id of the right to check

Returns:

true if anonymous has a permission on at least one object, directly or though groups, for a given right

_hasAnonymousAnyPermissionOnWorkspace

private boolean _hasAnonymousAnyPermissionOnWorkspace(Set<Object> workspacesContexts,
                                                      Set<String> profilesIds)

hasAnyConnectedUserAnyReadAccessPermissionOnWorkspace

public boolean hasAnyConnectedUserAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts)

Description copied from interface: AccessController

Returns true if any connected user has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.

Specified by:

hasAnyConnectedUserAnyReadAccessPermissionOnWorkspace in interface AccessController

Parameters:

workspacesContexts - The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}

Returns:

true if any connected user has a permission on at least one object, directly or though groups, for a given right

hasAnyConnectedUserAnyPermissionOnWorkspace

public boolean hasAnyConnectedUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts,
                                                           String rightId)

Description copied from interface: AccessController

Returns true if any connected user has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.

Specified by:

hasAnyConnectedUserAnyPermissionOnWorkspace in interface AccessController

Parameters:

workspacesContexts - The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}

rightId - The id of the right to check

Returns:

true if any connected user has a permission on at least one object, directly or though groups, for a given right

_hasAnyConnectedUserAnyPermissionOnWorkspace

private boolean _hasAnyConnectedUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts,
                                                             Set<String> profilesIds)

hasUserAnyReadAccessPermissionOnWorkspace

public boolean hasUserAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts,
                                                         UserIdentity user,
                                                         Set<GroupIdentity> userGroups)

Description copied from interface: AccessController

Returns true if the user has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.

Specified by:

hasUserAnyReadAccessPermissionOnWorkspace in interface AccessController

Parameters:

workspacesContexts - The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}

user - The user

userGroups - The groups

Returns:

true if the user has a permission on at least one object, directly or though groups, for a given right

hasUserAnyPermissionOnWorkspace

public boolean hasUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts,
                                               UserIdentity user,
                                               Set<GroupIdentity> userGroups,
                                               String rightId)

Description copied from interface: AccessController

Returns true if the user has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.

Specified by:

hasUserAnyPermissionOnWorkspace in interface AccessController

Parameters:

workspacesContexts - The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}

user - The user

userGroups - The groups

rightId - The id of the right to check

Returns:

true if the user has a permission on at least one object, directly or though groups, for a given right

_hasUserAnyPermissionOnWorkspace

private boolean _hasUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts,
                                                 UserIdentity user,
                                                 Set<GroupIdentity> userGroups,
                                                 Set<String> profilesIds)

_convertWorkspaceToRootRightContexts

protected abstract Set<? extends Object> _convertWorkspaceToRootRightContexts(Set<Object> workspacesContexts)

Get the current workspaces contexts and turn it into root contexts in order to allow methods hasXXXAnyPermissionOnWorkspace to work

Parameters:

workspacesContexts - The workspace contexts. Such as '/${WorkspaceName}', '/admin'

Returns:

A null or empty set if the current AccessController does not apply to any workspace context, or the root object where ProfileAssignmentStorageExtension should start looking at to find any permission

_hasRightResultInFirstCache

protected Boolean _hasRightResultInFirstCache(UserIdentity userIdentity,
                                              Set<String> profilesIds,
                                              Object object)

Seek in cache

Parameters:

userIdentity - The user identity or AbstractProfileStorageBasedAccessController.__ANONYMOUS_USER_IDENTITY or AbstractProfileStorageBasedAccessController.__ANY_CONTECTED_USER_IDENTITY

profilesIds - The profiles identifiers

object - The context

Returns:

true or false if in cache. null otherwise

_putInFirstCache

protected void _putInFirstCache(UserIdentity userIdentity,
                                Set<String> profilesIds,
                                Object object,
                                boolean rightResult)

Add to cache

Parameters:

userIdentity - The user identity or AbstractProfileStorageBasedAccessController.__ANONYMOUS_USER_IDENTITY or AbstractProfileStorageBasedAccessController.__ANY_CONTECTED_USER_IDENTITY

profilesIds - The profiles identifiers

object - The context

rightResult - The cache value. true if hasXXX or false otherwise.

_hasRightResultInSecondCache

protected Object _hasRightResultInSecondCache(Object object,
                                              Set<String> profilesIds,
                                              AbstractProfileStorageBasedAccessController.CacheKind key)

Seek in cache

Parameters:

object - The context

profilesIds - The set of profile ids to consider

key - The kind of cache to use

Returns:

The cached result per group. null otherwise

_putInSecondCache

protected void _putInSecondCache(Set<String> profilesIds,
                                 Object object,
                                 Object result,
                                 AbstractProfileStorageBasedAccessController.CacheKind key)

Add to cache

Parameters:

profilesIds - The profiles ids to consider

object - The context

result - The result

key - The kind of cache to use