Class AbstractProfileStorageBasedAccessController
- java.lang.Object
-
- org.ametys.runtime.plugin.component.AbstractLogEnabled
-
- org.ametys.plugins.core.impl.right.AbstractProfileStorageBasedAccessController
-
- All Implemented Interfaces:
AccessController,LogEnabled,Initializable,Component,Serviceable
- Direct Known Subclasses:
AbstractHierarchicalAccessController,LinkDirectoryAccessController,ThesaurusAccessController
public abstract class AbstractProfileStorageBasedAccessController extends AbstractLogEnabled implements AccessController, Component, Serviceable, Initializable
This class delegates all it can to the profile assignment storage extension point
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description (package private) static classAbstractProfileStorageBasedAccessController.Cache1Key(package private) static classAbstractProfileStorageBasedAccessController.Cache2Keyprotected static classAbstractProfileStorageBasedAccessController.CacheKindThe knd of cache to get/set-
Nested classes/interfaces inherited from interface org.ametys.core.right.AccessController
AccessController.AccessResult
-
-
Field Summary
Fields Modifier and Type Field Description protected static UserIdentity__ANONYMOUS_USER_IDENTITYThe instance of ObjectUserIdentity for anonymousprotected static UserIdentity__ANY_CONTECTED_USER_IDENTITYThe instance of ObjectUserIdentity for any connected userprivate String_cache1private String_cache2protected AbstractCacheManager_cacheManagerCache Managerprotected ProfileAssignmentStorageExtensionPoint_profileAssignmentStorageEPThe extension point for the profile assignment storagesprotected RightProfilesDAO_rightProfileDAOThe right profile DAO
-
Constructor Summary
Constructors Constructor Description AbstractProfileStorageBasedAccessController()
-
Method Summary
All Methods Instance Methods Abstract Methods Concrete Methods Modifier and Type Method Description private I18nizableText_buildI18n(String i18Key)protected Object_convertContext(Object initialContext)For methods getXXXXPermissionYYY allow to have a modification of the context before transfering it to the profile assignment storage extension point The default implemenation keep the context as it isprotected abstract Set<? extends Object>_convertWorkspaceToRootRightContexts(Set<Object> workspacesContexts)Get the current workspaces contexts and turn it into root contexts in order to allow methods hasXXXAnyPermissionOnWorkspace to workprotected AccessController.AccessResult_getPermission(UserIdentity user, Set<GroupIdentity> userGroups, Set<String> profilesIds, Object object, Object convertedObject)Works for getPermission or getReadAccessPermissionprotected Map<GroupIdentity,AccessController.AccessResult>_getPermissionByGroup(Set<String> profilesIds, Object object, Object convertedObject)Works for getPermissionByGroup and getReadAccessPermissionByGroupprotected Map<UserIdentity,AccessController.AccessResult>_getPermissionByUser(Set<String> profilesIds, Object object, Object convertedObject)Works for getPermissionByUser and getReadAccessPermissionByUserprotected AccessController.AccessResult_getPermissionForAnonymous(Set<String> profilesIds, Object object, Object convertedObject)Works for getPermissionForAnonymous and getReadAccessPermissionForAnonymousprotected AccessController.AccessResult_getPermissionForAnyConnectedUser(Set<String> profilesIds, Object object, Object convertedObject)Works for getPermissionForAnyConnectedUser and getReadAccessPermissionForAnyConnectedUserprivate boolean_hasAnonymousAnyPermissionOnWorkspace(Set<Object> workspacesContexts, Set<String> profilesIds)private boolean_hasAnyConnectedUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, Set<String> profilesIds)protected Boolean_hasRightResultInFirstCache(UserIdentity userIdentity, Set<String> profilesIds, Object object)Seek in cacheprotected Object_hasRightResultInSecondCache(Object object, Set<String> profilesIds, AbstractProfileStorageBasedAccessController.CacheKind key)Seek in cacheprivate boolean_hasUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups, Set<String> profilesIds)protected void_putInFirstCache(UserIdentity userIdentity, Set<String> profilesIds, Object object, boolean rightResult)Add to cacheprotected void_putInSecondCache(Set<String> profilesIds, Object object, Object result, AbstractProfileStorageBasedAccessController.CacheKind key)Add to cacheAccessController.AccessResultgetPermission(UserIdentity user, Set<GroupIdentity> userGroups, String rightId, Object object)Gets the kind of access a user has on an object for a given rightMap<GroupIdentity,AccessController.AccessResult>getPermissionByGroup(String rightId, Object object)Gets the permission by group only on an object for the given right.Map<String,AccessController.AccessResult>getPermissionByRight(UserIdentity user, Set<GroupIdentity> userGroups, Object object)Gets the kind of access a user has on an object for all rightsMap<UserIdentity,AccessController.AccessResult>getPermissionByUser(String rightId, Object object)Gets the permission by user only on an object for the given right.AccessController.AccessResultgetPermissionForAnonymous(String rightId, Object object)Gets the permission for Anonymous only on an object for a given rightAccessController.AccessResultgetPermissionForAnyConnectedUser(String rightId, Object object)Gets the permission for any connected user only on an object for a given rightAccessController.AccessResultgetReadAccessPermission(UserIdentity user, Set<GroupIdentity> userGroups, Object object)Gets the kind of access a user has on an object for thye read accessMap<GroupIdentity,AccessController.AccessResult>getReadAccessPermissionByGroup(Object object)Gets the read access permission by group only on an object.Map<UserIdentity,AccessController.AccessResult>getReadAccessPermissionByUser(Object object)Gets the read access permission by user only on an object.AccessController.AccessResultgetReadAccessPermissionForAnonymous(Object object)Gets the read access permission for Anonymous only on an objectAccessController.AccessResultgetReadAccessPermissionForAnyConnectedUser(Object object)Gets the read access permission for any connected user only on an objectbooleanhasAnonymousAnyPermissionOnWorkspace(Set<Object> workspacesContexts, String rightId)Returns true if anonymous has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.booleanhasAnonymousAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts)Returns true if anonymous has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.booleanhasAnyConnectedUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, String rightId)Returns true if any connected user has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.booleanhasAnyConnectedUserAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts)Returns true if any connected user has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.booleanhasUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups, String rightId)Returns true if the user has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.booleanhasUserAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups)Returns true if the user has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.voidinitialize()voidservice(ServiceManager manager)-
Methods inherited from class org.ametys.runtime.plugin.component.AbstractLogEnabled
getLogger, setLogger
-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface org.ametys.core.right.AccessController
isSupported
-
-
-
-
Field Detail
-
__ANONYMOUS_USER_IDENTITY
protected static final UserIdentity __ANONYMOUS_USER_IDENTITY
The instance of ObjectUserIdentity for anonymous
-
__ANY_CONTECTED_USER_IDENTITY
protected static final UserIdentity __ANY_CONTECTED_USER_IDENTITY
The instance of ObjectUserIdentity for any connected user
-
_profileAssignmentStorageEP
protected ProfileAssignmentStorageExtensionPoint _profileAssignmentStorageEP
The extension point for the profile assignment storages
-
_rightProfileDAO
protected RightProfilesDAO _rightProfileDAO
The right profile DAO
-
_cacheManager
protected AbstractCacheManager _cacheManager
Cache Manager
-
-
Constructor Detail
-
AbstractProfileStorageBasedAccessController
public AbstractProfileStorageBasedAccessController()
-
-
Method Detail
-
service
public void service(ServiceManager manager) throws ServiceException
- Specified by:
servicein interfaceServiceable- Throws:
ServiceException
-
initialize
public void initialize() throws Exception
- Specified by:
initializein interfaceInitializable- Throws:
Exception
-
_buildI18n
private I18nizableText _buildI18n(String i18Key)
-
getPermissionByRight
public Map<String,AccessController.AccessResult> getPermissionByRight(UserIdentity user, Set<GroupIdentity> userGroups, Object object)
Description copied from interface:AccessControllerGets the kind of access a user has on an object for all rights- Specified by:
getPermissionByRightin interfaceAccessController- Parameters:
user- The user. Cannot be null.userGroups- The groups the user belongs toobject- The context object to check the access- Returns:
- the kind of access a user has on an object for all rights
-
getPermission
public AccessController.AccessResult getPermission(UserIdentity user, Set<GroupIdentity> userGroups, String rightId, Object object)
Description copied from interface:AccessControllerGets the kind of access a user has on an object for a given right- Specified by:
getPermissionin interfaceAccessController- Parameters:
user- The user. Cannot be null.userGroups- The groups the user belongs torightId- The id of the right of the userobject- The context object to check the access- Returns:
- the kind of access a user has on an object for a right
-
getReadAccessPermission
public AccessController.AccessResult getReadAccessPermission(UserIdentity user, Set<GroupIdentity> userGroups, Object object)
Description copied from interface:AccessControllerGets the kind of access a user has on an object for thye read access- Specified by:
getReadAccessPermissionin interfaceAccessController- Parameters:
user- The user. Cannot be null.userGroups- The groups the user belongs toobject- The context object to check the access- Returns:
- the kind of access a user has on an object for the read access
-
_getPermission
protected AccessController.AccessResult _getPermission(UserIdentity user, Set<GroupIdentity> userGroups, Set<String> profilesIds, Object object, Object convertedObject)
Works for getPermission or getReadAccessPermission- Parameters:
user- The useuserGroups- The groupsprofilesIds- The profilesobject- The original contextconvertedObject- The converted context- Returns:
- the computed result
-
getPermissionForAnonymous
public AccessController.AccessResult getPermissionForAnonymous(String rightId, Object object)
Description copied from interface:AccessControllerGets the permission for Anonymous only on an object for a given right- Specified by:
getPermissionForAnonymousin interfaceAccessController- Parameters:
rightId- The id of the right to checkobject- The object- Returns:
- the permission for Anonymous only on an object for a given right
-
getReadAccessPermissionForAnonymous
public AccessController.AccessResult getReadAccessPermissionForAnonymous(Object object)
Description copied from interface:AccessControllerGets the read access permission for Anonymous only on an object- Specified by:
getReadAccessPermissionForAnonymousin interfaceAccessController- Parameters:
object- The object- Returns:
- the read access permission for Anonymous only on an object
-
_getPermissionForAnonymous
protected AccessController.AccessResult _getPermissionForAnonymous(Set<String> profilesIds, Object object, Object convertedObject)
Works for getPermissionForAnonymous and getReadAccessPermissionForAnonymous- Parameters:
profilesIds- The profiles idsobject- The contextconvertedObject- The converted context- Returns:
- The access result
-
getPermissionForAnyConnectedUser
public AccessController.AccessResult getPermissionForAnyConnectedUser(String rightId, Object object)
Description copied from interface:AccessControllerGets the permission for any connected user only on an object for a given right- Specified by:
getPermissionForAnyConnectedUserin interfaceAccessController- Parameters:
rightId- The id of the right to checkobject- The object- Returns:
- the permission for any connected user only on an object for a given right
-
getReadAccessPermissionForAnyConnectedUser
public AccessController.AccessResult getReadAccessPermissionForAnyConnectedUser(Object object)
Description copied from interface:AccessControllerGets the read access permission for any connected user only on an object- Specified by:
getReadAccessPermissionForAnyConnectedUserin interfaceAccessController- Parameters:
object- The object- Returns:
- the read access permission for any connected user only on an object
-
_getPermissionForAnyConnectedUser
protected AccessController.AccessResult _getPermissionForAnyConnectedUser(Set<String> profilesIds, Object object, Object convertedObject)
Works for getPermissionForAnyConnectedUser and getReadAccessPermissionForAnyConnectedUser- Parameters:
profilesIds- The profiles idsobject- The contextconvertedObject- The converted context- Returns:
- the access result
-
getPermissionByUser
public Map<UserIdentity,AccessController.AccessResult> getPermissionByUser(String rightId, Object object)
Description copied from interface:AccessControllerGets the permission by user only on an object for the given right. It does not take account of the groups of the user, etc.- Specified by:
getPermissionByUserin interfaceAccessController- Parameters:
rightId- The id of the right to checkobject- The object- Returns:
- the permission by user only on an object for the given right
-
getReadAccessPermissionByUser
public Map<UserIdentity,AccessController.AccessResult> getReadAccessPermissionByUser(Object object)
Description copied from interface:AccessControllerGets the read access permission by user only on an object. It does not take account of the groups of the user, etc.- Specified by:
getReadAccessPermissionByUserin interfaceAccessController- Parameters:
object- The object- Returns:
- the read access permission by user only on an object
-
_getPermissionByUser
protected Map<UserIdentity,AccessController.AccessResult> _getPermissionByUser(Set<String> profilesIds, Object object, Object convertedObject)
Works for getPermissionByUser and getReadAccessPermissionByUser- Parameters:
profilesIds- The profiles idsobject- The contextconvertedObject- The converted context- Returns:
- The users and their access results
-
getPermissionByGroup
public Map<GroupIdentity,AccessController.AccessResult> getPermissionByGroup(String rightId, Object object)
Description copied from interface:AccessControllerGets the permission by group only on an object for the given right.- Specified by:
getPermissionByGroupin interfaceAccessController- Parameters:
rightId- The id of the right to checkobject- The object- Returns:
- the permission by group only on an object for the given right
-
getReadAccessPermissionByGroup
public Map<GroupIdentity,AccessController.AccessResult> getReadAccessPermissionByGroup(Object object)
Description copied from interface:AccessControllerGets the read access permission by group only on an object.- Specified by:
getReadAccessPermissionByGroupin interfaceAccessController- Parameters:
object- The object- Returns:
- the read access permission by group only on an object
-
_getPermissionByGroup
protected Map<GroupIdentity,AccessController.AccessResult> _getPermissionByGroup(Set<String> profilesIds, Object object, Object convertedObject)
Works for getPermissionByGroup and getReadAccessPermissionByGroup- Parameters:
profilesIds- The profiles idsobject- The contextconvertedObject- The converted context- Returns:
- The users and their access results
-
_convertContext
protected Object _convertContext(Object initialContext)
For methods getXXXXPermissionYYY allow to have a modification of the context before transfering it to the profile assignment storage extension point The default implemenation keep the context as it is- Parameters:
initialContext- The right context that is supported- Returns:
- the context modified
-
hasAnonymousAnyReadAccessPermissionOnWorkspace
public boolean hasAnonymousAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts)
Description copied from interface:AccessControllerReturns true if anonymous has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.- Specified by:
hasAnonymousAnyReadAccessPermissionOnWorkspacein interfaceAccessController- Parameters:
workspacesContexts- The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}- Returns:
- true if anonymous has a permission on at least one object, directly or though groups, for a given right
-
hasAnonymousAnyPermissionOnWorkspace
public boolean hasAnonymousAnyPermissionOnWorkspace(Set<Object> workspacesContexts, String rightId)
Description copied from interface:AccessControllerReturns true if anonymous has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.- Specified by:
hasAnonymousAnyPermissionOnWorkspacein interfaceAccessController- Parameters:
workspacesContexts- The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}rightId- The id of the right to check- Returns:
- true if anonymous has a permission on at least one object, directly or though groups, for a given right
-
_hasAnonymousAnyPermissionOnWorkspace
private boolean _hasAnonymousAnyPermissionOnWorkspace(Set<Object> workspacesContexts, Set<String> profilesIds)
-
hasAnyConnectedUserAnyReadAccessPermissionOnWorkspace
public boolean hasAnyConnectedUserAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts)
Description copied from interface:AccessControllerReturns true if any connected user has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.- Specified by:
hasAnyConnectedUserAnyReadAccessPermissionOnWorkspacein interfaceAccessController- Parameters:
workspacesContexts- The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}- Returns:
- true if any connected user has a permission on at least one object, directly or though groups, for a given right
-
hasAnyConnectedUserAnyPermissionOnWorkspace
public boolean hasAnyConnectedUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, String rightId)
Description copied from interface:AccessControllerReturns true if any connected user has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.- Specified by:
hasAnyConnectedUserAnyPermissionOnWorkspacein interfaceAccessController- Parameters:
workspacesContexts- The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}rightId- The id of the right to check- Returns:
- true if any connected user has a permission on at least one object, directly or though groups, for a given right
-
_hasAnyConnectedUserAnyPermissionOnWorkspace
private boolean _hasAnyConnectedUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, Set<String> profilesIds)
-
hasUserAnyReadAccessPermissionOnWorkspace
public boolean hasUserAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups)
Description copied from interface:AccessControllerReturns true if the user has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.- Specified by:
hasUserAnyReadAccessPermissionOnWorkspacein interfaceAccessController- Parameters:
workspacesContexts- The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}user- The useruserGroups- The groups- Returns:
- true if the user has a permission on at least one object, directly or though groups, for a given right
-
hasUserAnyPermissionOnWorkspace
public boolean hasUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups, String rightId)
Description copied from interface:AccessControllerReturns true if the user has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.- Specified by:
hasUserAnyPermissionOnWorkspacein interfaceAccessController- Parameters:
workspacesContexts- The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}user- The useruserGroups- The groupsrightId- The id of the right to check- Returns:
- true if the user has a permission on at least one object, directly or though groups, for a given right
-
_hasUserAnyPermissionOnWorkspace
private boolean _hasUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups, Set<String> profilesIds)
-
_convertWorkspaceToRootRightContexts
protected abstract Set<? extends Object> _convertWorkspaceToRootRightContexts(Set<Object> workspacesContexts)
Get the current workspaces contexts and turn it into root contexts in order to allow methods hasXXXAnyPermissionOnWorkspace to work- Parameters:
workspacesContexts- The workspace contexts. Such as '/${WorkspaceName}', '/admin'- Returns:
- A null or empty set if the current AccessController does not apply to any workspace context, or the root object where ProfileAssignmentStorageExtension should start looking at to find any permission
-
_hasRightResultInFirstCache
protected Boolean _hasRightResultInFirstCache(UserIdentity userIdentity, Set<String> profilesIds, Object object)
Seek in cache- Parameters:
userIdentity- The user identity or AbstractProfileStorageBasedAccessController.__ANONYMOUS_USER_IDENTITY or AbstractProfileStorageBasedAccessController.__ANY_CONTECTED_USER_IDENTITYprofilesIds- The profiles identifiersobject- The context- Returns:
- true or false if in cache. null otherwise
-
_putInFirstCache
protected void _putInFirstCache(UserIdentity userIdentity, Set<String> profilesIds, Object object, boolean rightResult)
Add to cache- Parameters:
userIdentity- The user identity or AbstractProfileStorageBasedAccessController.__ANONYMOUS_USER_IDENTITY or AbstractProfileStorageBasedAccessController.__ANY_CONTECTED_USER_IDENTITYprofilesIds- The profiles identifiersobject- The contextrightResult- The cache value. true if hasXXX or false otherwise.
-
_hasRightResultInSecondCache
protected Object _hasRightResultInSecondCache(Object object, Set<String> profilesIds, AbstractProfileStorageBasedAccessController.CacheKind key)
Seek in cache- Parameters:
object- The contextprofilesIds- The set of profile ids to considerkey- The kind of cache to use- Returns:
- The cached result per group. null otherwise
-
_putInSecondCache
protected void _putInSecondCache(Set<String> profilesIds, Object object, Object result, AbstractProfileStorageBasedAccessController.CacheKind key)
Add to cache- Parameters:
profilesIds- The profiles ids to considerobject- The contextresult- The resultkey- The kind of cache to use
-
-