org.ametys.core.right

Class RightManager

java.lang.Object

org.ametys.runtime.plugin.component.AbstractLogEnabled

org.ametys.core.right.RightManager

All Implemented Interfaces:

LogEnabled, Component, Configurable, Contextualizable, Serviceable, ThreadSafe

public class RightManager
extends AbstractLogEnabled
implements Serviceable, Configurable, ThreadSafe, Component, Contextualizable

Abstraction for testing a right associated with a resource and a user from a single source.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	RightManager.RightResult Enumeration of all possible values returned by hasRight(user, right, context)

Field Summary

Fields

Modifier and Type	Field and Description
protected static UserIdentity	__ANONYMOUS_USER_IDENTITY The instance of ObjectUserIdentity for anonymous
protected static UserIdentity	__ANY_CONNECTED_USER_IDENTITY The instance of ObjectUserIdentity for any connected user
protected AccessControllerExtensionPoint	_accessControllerEP The extension point for Access Controllers
private Context	_context
protected CurrentUserProvider	_currentUserProvider The current user provider
protected GroupDirectoryDAO	_groupDirectoryDAO The DAO for group directories
protected GroupManager	_groupManager The group manager
protected ServiceManager	_manager Avalon ServiceManager
protected RightProfilesDAO	_profilesDAO The rights DAO
protected SourceResolver	_resolver Avalon SourceResolver
protected RightContextConvertorExtensionPoint	_rightContextConvertorEP The extension point for the Right Context Convertors
protected RightsExtensionPoint	_rightsEP The rights' list container
protected UserManager	_userManager The user manager
protected UserPopulationDAO	_userPopulationDAO The DAO for user populations
private static String	CACHE_1 This first cache is for right result on non-null contexts when calling hasRight(UserIdentity, String, Object) { UserIdentity : { RightId : { Context : RightResult } } }
private static String	CACHE_2 This second cache is for right result on null contexts when calling hasRight(UserIdentity, String, Object) { UserIdentity : { RightId : { WorkspaceContexts : RightResult } } }
static String	CACHE_REQUEST_ATTRIBUTE_NAME The id of the READER profile
static String	READER_PROFILE_ID The id of the READER profile
static String	ROLE For avalon service manager

Constructor Summary

Constructors

Constructor and Description
RightManager()

Method Summary

Modifier and Type	Method and Description
private Map<String,AccessController.AccessResult>	_getAccessResultByRight(UserIdentity userIdentity, Set<GroupIdentity> groups, Set<Object> objects)
private Set<AccessController.AccessResult>	_getAccessResults(UserIdentity userIdentity, Set<GroupIdentity> groups, String rightId, Set<Object> objects)
private AllowedUsers	_getAllowedUsers(String rightId, Object object)
private Set<Object>	_getConvertedObjects(Object object, Set<Object> alreadyHandledObjects)
private Set<GroupIdentity>	_getGroups(UserIdentity userIdentity)
protected RightProfilesDAO	_getProfileDAO() Returns the DAO for profiles
private RightManager.RightResult	_hasRight(UserIdentity userIdentity, String rightId, Object object)
private RightManager.RightResult	_hasRightOrRead(UserIdentity userIdentity, String rightId) Has the user/anonymous/anyconnected the non null right on any content of the current workspace?
private RightManager.RightResult	_hasRightOrRead(UserIdentity userIdentity, String rightId, Object object)
private RightManager.RightResult	_hasRightResultInFirstCache(UserIdentity userIdentity, String rightId, Object object)
private RightManager.RightResult	_hasRightResultInSecondCache(Set<Object> workspacesContexts, UserIdentity userIdentity, String rightId)
private void	_putInFirstCache(UserIdentity userIdentity, String rightId, Object object, RightManager.RightResult rightResult)
private void	_putInSecondCache(Set<Object> workspacesContexts, UserIdentity userIdentity, String rightId, RightManager.RightResult rightResult)
void	configure(Configuration configuration)
private void	configureRights(Configuration configuration)
void	contextualize(Context context)
boolean	currentUserHasReadAccess(Object object) Returns true if the current user has READ access on the given object
RightManager.RightResult	currentUserHasRight(String rightId, Object object) Checks a permission for the current logged user, on a given object (or context). If null, it checks if there is at least one object with this permission
AllowedUsers	getAllowedUsers(String rightId, Object object) Get the list of users that have a particular right in a particular context.
Map	getCache(String cacheKey, boolean createIfUnexisting) Get the RightManager cache.
AllowedUsers	getReadAccessAllowedUsers(Object object) Get the users with a READ access on given object
Set<String>	getUserRights(UserIdentity userIdentity, Object object) Get the list of rights a user is allowed, on a particular object.
boolean	hasAnonymousReadAccess(Object object) Returns true if the object is not restricted, i.e.
RightManager.RightResult	hasAnonymousRight(String rightId, Object object) Gets the right result for anonymous with given right on given object context
boolean	hasAnyConnectedUserReadAccess(Object object) Returns true if any connected user has READ access allowed on the object
RightManager.RightResult	hasAnyConnectedUserRight(String rightId, Object object) Gets the right result for any connected user with given profile on given object context
boolean	hasReadAccess(UserIdentity userIdentity, Object object) Returns true if the given user has READ access on the given object
RightManager.RightResult	hasRight(UserIdentity userIdentity, String rightId, Object object) Checks a permission for a user, on a given object (or context). If null, it checks if there is at least one object with this permission
void	service(ServiceManager manager)

Methods inherited from class org.ametys.runtime.plugin.component.AbstractLogEnabled

getLogger, setLogger

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

ROLE

public static final String ROLE

For avalon service manager

READER_PROFILE_ID

public static final String READER_PROFILE_ID

The id of the READER profile

See Also:

Constant Field Values

CACHE_REQUEST_ATTRIBUTE_NAME

public static final String CACHE_REQUEST_ATTRIBUTE_NAME

The id of the READER profile

__ANONYMOUS_USER_IDENTITY

protected static final UserIdentity __ANONYMOUS_USER_IDENTITY

The instance of ObjectUserIdentity for anonymous

__ANY_CONNECTED_USER_IDENTITY

protected static final UserIdentity __ANY_CONNECTED_USER_IDENTITY

The instance of ObjectUserIdentity for any connected user

CACHE_1

private static final String CACHE_1

This first cache is for right result on non-null contexts when calling hasRight(UserIdentity, String, Object) { UserIdentity : { RightId : { Context : RightResult } } }

CACHE_2

private static final String CACHE_2

This second cache is for right result on null contexts when calling hasRight(UserIdentity, String, Object) { UserIdentity : { RightId : { WorkspaceContexts : RightResult } } }

_manager

protected ServiceManager _manager

Avalon ServiceManager

_resolver

protected SourceResolver _resolver

Avalon SourceResolver

_rightsEP

protected RightsExtensionPoint _rightsEP

The rights' list container

_rightContextConvertorEP

protected RightContextConvertorExtensionPoint _rightContextConvertorEP

The extension point for the Right Context Convertors

_accessControllerEP

protected AccessControllerExtensionPoint _accessControllerEP

The extension point for Access Controllers

_userManager

protected UserManager _userManager

The user manager

_groupManager

protected GroupManager _groupManager

The group manager

_userPopulationDAO

protected UserPopulationDAO _userPopulationDAO

The DAO for user populations

_groupDirectoryDAO

protected GroupDirectoryDAO _groupDirectoryDAO

The DAO for group directories

_currentUserProvider

protected CurrentUserProvider _currentUserProvider

The current user provider

_profilesDAO

protected RightProfilesDAO _profilesDAO

The rights DAO

_context

private Context _context

Constructor Detail

RightManager

public RightManager()

Method Detail

contextualize

public void contextualize(Context context)
                   throws ContextException

Specified by:

contextualize in interface Contextualizable

Throws:

ContextException

service

public void service(ServiceManager manager)
             throws ServiceException

Specified by:

service in interface Serviceable

Throws:

ServiceException

_getProfileDAO

protected RightProfilesDAO _getProfileDAO()

Returns the DAO for profiles

Returns:

The DAO

configure

public void configure(Configuration configuration)
               throws ConfigurationException

Specified by:

configure in interface Configurable

Throws:

ConfigurationException

configureRights

private void configureRights(Configuration configuration)
                      throws ConfigurationException

Throws:

ConfigurationException

currentUserHasRight

public RightManager.RightResult currentUserHasRight(String rightId,
                                                    Object object)
                                             throws RightsException

Checks a permission for the current logged user, on a given object (or context).
If null, it checks if there is at least one object with this permission

Parameters:

rightId - The name of the right to check. Cannot be null.

object - The object to check the right. Can be null to search on any object.

Returns:

RightManager.RightResult.RIGHT_ALLOW, RightManager.RightResult.RIGHT_DENY or RightManager.RightResult.RIGHT_UNKNOWN

Throws:

RightsException - if an error occurs.

hasRight

public RightManager.RightResult hasRight(UserIdentity userIdentity,
                                         String rightId,
                                         Object object)
                                  throws RightsException

Checks a permission for a user, on a given object (or context).
If null, it checks if there is at least one object with this permission

Parameters:

userIdentity - The user identity. Can be null for anonymous

rightId - The name of the right to check. Cannot be null.

object - The object to check the right. Can be null to search on any object.

Returns:

RightManager.RightResult.RIGHT_ALLOW, RightManager.RightResult.RIGHT_DENY or RightManager.RightResult.RIGHT_UNKNOWN

Throws:

RightsException - if an error occurs.

hasAnonymousRight

public RightManager.RightResult hasAnonymousRight(String rightId,
                                                  Object object)

Gets the right result for anonymous with given right on given object context

Parameters:

rightId - The id of the right

object - The object to check

Returns:

the right result for anonymous with given profile on given object context

hasAnyConnectedUserRight

public RightManager.RightResult hasAnyConnectedUserRight(String rightId,
                                                         Object object)

Gets the right result for any connected user with given profile on given object context

Parameters:

rightId - The right id to test

object - The object to check

Returns:

the right result for any connected user with given profile on given object context

_hasRight

private RightManager.RightResult _hasRight(UserIdentity userIdentity,
                                           String rightId,
                                           Object object)

_hasRightOrRead

private RightManager.RightResult _hasRightOrRead(UserIdentity userIdentity,
                                                 String rightId,
                                                 Object object)

_hasRightOrRead

private RightManager.RightResult _hasRightOrRead(UserIdentity userIdentity,
                                                 String rightId)

Has the user/anonymous/anyconnected the non null right on any content of the current workspace?

Parameters:

userIdentity - The user connecter or the value for anonymous or any connected user

rightId - The right id to test. Can be null to test read access

Returns:

The computed right result

_getAccessResults

private Set<AccessController.AccessResult> _getAccessResults(UserIdentity userIdentity,
                                                             Set<GroupIdentity> groups,
                                                             String rightId,
                                                             Set<Object> objects)

currentUserHasReadAccess

public boolean currentUserHasReadAccess(Object object)

Returns true if the current user has READ access on the given object

Parameters:

object - The object to check the right. Can be null to search on any object.

Returns:

true if the given user has READ access on the given object

hasReadAccess

public boolean hasReadAccess(UserIdentity userIdentity,
                             Object object)

Returns true if the given user has READ access on the given object

Parameters:

userIdentity - The user identity. Cannot be null.

object - The object to check the right. Can be null to search on any object.

Returns:

true if the given user has READ access on the given object

hasAnonymousReadAccess

public boolean hasAnonymousReadAccess(Object object)

Returns true if the object is not restricted, i.e. an anonymous user has READ access (is allowed) on the object

Parameters:

object - The object to check. Cannot be null

Returns:

true if the object is restricted, i.e. an anonymous user has READ access (is allowed) on the object

hasAnyConnectedUserReadAccess

public boolean hasAnyConnectedUserReadAccess(Object object)

Returns true if any connected user has READ access allowed on the object

Parameters:

object - The object to check. Cannot be null

Returns:

true if any connected user has READ access allowed on the object

getAllowedUsers

public AllowedUsers getAllowedUsers(String rightId,
                                    Object object)

Get the list of users that have a particular right in a particular context.

Parameters:

rightId - The name of the right to check. Cannot be null.

object - The object to check the right. Cannot be null.

Returns:

The list of users allowed with that right as a Set of String (user identities).

Throws:

RightsException - if an error occurs.

getReadAccessAllowedUsers

public AllowedUsers getReadAccessAllowedUsers(Object object)

Get the users with a READ access on given object

Parameters:

object - The object

Returns:

The representation of allowed users

_getAllowedUsers

private AllowedUsers _getAllowedUsers(String rightId,
                                      Object object)

getUserRights

public Set<String> getUserRights(UserIdentity userIdentity,
                                 Object object)
                          throws RightsException

Get the list of rights a user is allowed, on a particular object.

Parameters:

userIdentity - the user identity. Cannot be null.

object - The object to check the right. Cannot be null.

Returns:

The list of rights as a Set of String (id).

Throws:

RightsException - if an error occurs.

_getAccessResultByRight

private Map<String,AccessController.AccessResult> _getAccessResultByRight(UserIdentity userIdentity,
                                                                          Set<GroupIdentity> groups,
                                                                          Set<Object> objects)

_getConvertedObjects

private Set<Object> _getConvertedObjects(Object object,
                                         Set<Object> alreadyHandledObjects)

_getGroups

private Set<GroupIdentity> _getGroups(UserIdentity userIdentity)

_hasRightResultInFirstCache

private RightManager.RightResult _hasRightResultInFirstCache(UserIdentity userIdentity,
                                                             String rightId,
                                                             Object object)

_putInFirstCache

private void _putInFirstCache(UserIdentity userIdentity,
                              String rightId,
                              Object object,
                              RightManager.RightResult rightResult)

_hasRightResultInSecondCache

private RightManager.RightResult _hasRightResultInSecondCache(Set<Object> workspacesContexts,
                                                              UserIdentity userIdentity,
                                                              String rightId)

_putInSecondCache

private void _putInSecondCache(Set<Object> workspacesContexts,
                               UserIdentity userIdentity,
                               String rightId,
                               RightManager.RightResult rightResult)

getCache

public Map getCache(String cacheKey,
                    boolean createIfUnexisting)

Get the RightManager cache. Use this to store your information on rights

Parameters:

cacheKey - The cache key

createIfUnexisting - Creates a new HashMap if the cache does not exists yet

Returns:

The existing cache. Can be null if there is no cache and createIfUnexisting is false, but can also be null if there is no running request to store the cache