Class AbstractProfileStorageBasedAccessController
- java.lang.Object
-
- org.ametys.runtime.plugin.component.AbstractLogEnabled
-
- org.ametys.plugins.core.impl.right.AbstractProfileStorageBasedAccessController
-
- All Implemented Interfaces:
AccessController
,LogEnabled
,Initializable
,Component
,Serviceable
- Direct Known Subclasses:
AbstractHierarchicalAccessController
,LinkDirectoryAccessController
,ThesaurusAccessController
public abstract class AbstractProfileStorageBasedAccessController extends AbstractLogEnabled implements AccessController, Component, Serviceable, Initializable
This class delegates all it can to the profile assignment storage extension point
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description (package private) static class
AbstractProfileStorageBasedAccessController.Cache1Key
(package private) static class
AbstractProfileStorageBasedAccessController.Cache2Key
protected static class
AbstractProfileStorageBasedAccessController.CacheKind
The knd of cache to get/set-
Nested classes/interfaces inherited from interface org.ametys.core.right.AccessController
AccessController.AccessResult
-
-
Field Summary
Fields Modifier and Type Field Description protected static UserIdentity
__ANONYMOUS_USER_IDENTITY
The instance of ObjectUserIdentity for anonymousprotected static UserIdentity
__ANY_CONTECTED_USER_IDENTITY
The instance of ObjectUserIdentity for any connected userprivate String
_cache1
private String
_cache2
protected AbstractCacheManager
_cacheManager
Cache Managerprotected ProfileAssignmentStorageExtensionPoint
_profileAssignmentStorageEP
The extension point for the profile assignment storagesprotected RightProfilesDAO
_rightProfileDAO
The right profile DAO
-
Constructor Summary
Constructors Constructor Description AbstractProfileStorageBasedAccessController()
-
Method Summary
All Methods Instance Methods Abstract Methods Concrete Methods Modifier and Type Method Description private I18nizableText
_buildI18n(String i18Key)
protected Object
_convertContext(Object initialContext)
For methods getXXXXPermissionYYY allow to have a modification of the context before transfering it to the profile assignment storage extension point The default implemenation keep the context as it isprotected abstract Set<? extends Object>
_convertWorkspaceToRootRightContexts(Set<Object> workspacesContexts)
Get the current workspaces contexts and turn it into root contexts in order to allow methods hasXXXAnyPermissionOnWorkspace to workprotected AccessController.AccessResult
_getPermission(UserIdentity user, Set<GroupIdentity> userGroups, Set<String> profilesIds, Object object, Object convertedObject)
Works for getPermission or getReadAccessPermissionprotected Map<GroupIdentity,AccessController.AccessResult>
_getPermissionByGroup(Set<String> profilesIds, Object object, Object convertedObject)
Works for getPermissionByGroup and getReadAccessPermissionByGroupprotected Map<UserIdentity,AccessController.AccessResult>
_getPermissionByUser(Set<String> profilesIds, Object object, Object convertedObject)
Works for getPermissionByUser and getReadAccessPermissionByUserprotected AccessController.AccessResult
_getPermissionForAnonymous(Set<String> profilesIds, Object object, Object convertedObject)
Works for getPermissionForAnonymous and getReadAccessPermissionForAnonymousprotected AccessController.AccessResult
_getPermissionForAnyConnectedUser(Set<String> profilesIds, Object object, Object convertedObject)
Works for getPermissionForAnyConnectedUser and getReadAccessPermissionForAnyConnectedUserprivate boolean
_hasAnonymousAnyPermissionOnWorkspace(Set<Object> workspacesContexts, Set<String> profilesIds)
private boolean
_hasAnyConnectedUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, Set<String> profilesIds)
protected Boolean
_hasRightResultInFirstCache(UserIdentity userIdentity, Set<String> profilesIds, Object object)
Seek in cacheprotected Object
_hasRightResultInSecondCache(Object object, Set<String> profilesIds, AbstractProfileStorageBasedAccessController.CacheKind key)
Seek in cacheprivate boolean
_hasUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups, Set<String> profilesIds)
protected void
_putInFirstCache(UserIdentity userIdentity, Set<String> profilesIds, Object object, boolean rightResult)
Add to cacheprotected void
_putInSecondCache(Set<String> profilesIds, Object object, Object result, AbstractProfileStorageBasedAccessController.CacheKind key)
Add to cacheAccessController.AccessResult
getPermission(UserIdentity user, Set<GroupIdentity> userGroups, String rightId, Object object)
Gets the kind of access a user has on an object for a given rightMap<GroupIdentity,AccessController.AccessResult>
getPermissionByGroup(String rightId, Object object)
Gets the permission by group only on an object for the given right.Map<String,AccessController.AccessResult>
getPermissionByRight(UserIdentity user, Set<GroupIdentity> userGroups, Object object)
Gets the kind of access a user has on an object for all rightsMap<UserIdentity,AccessController.AccessResult>
getPermissionByUser(String rightId, Object object)
Gets the permission by user only on an object for the given right.AccessController.AccessResult
getPermissionForAnonymous(String rightId, Object object)
Gets the permission for Anonymous only on an object for a given rightAccessController.AccessResult
getPermissionForAnyConnectedUser(String rightId, Object object)
Gets the permission for any connected user only on an object for a given rightAccessController.AccessResult
getReadAccessPermission(UserIdentity user, Set<GroupIdentity> userGroups, Object object)
Gets the kind of access a user has on an object for thye read accessMap<GroupIdentity,AccessController.AccessResult>
getReadAccessPermissionByGroup(Object object)
Gets the read access permission by group only on an object.Map<UserIdentity,AccessController.AccessResult>
getReadAccessPermissionByUser(Object object)
Gets the read access permission by user only on an object.AccessController.AccessResult
getReadAccessPermissionForAnonymous(Object object)
Gets the read access permission for Anonymous only on an objectAccessController.AccessResult
getReadAccessPermissionForAnyConnectedUser(Object object)
Gets the read access permission for any connected user only on an objectboolean
hasAnonymousAnyPermissionOnWorkspace(Set<Object> workspacesContexts, String rightId)
Returns true if anonymous has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.boolean
hasAnonymousAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts)
Returns true if anonymous has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.boolean
hasAnyConnectedUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, String rightId)
Returns true if any connected user has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.boolean
hasAnyConnectedUserAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts)
Returns true if any connected user has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.boolean
hasUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups, String rightId)
Returns true if the user has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.boolean
hasUserAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups)
Returns true if the user has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.void
initialize()
void
service(ServiceManager manager)
-
Methods inherited from class org.ametys.runtime.plugin.component.AbstractLogEnabled
getLogger, setLogger
-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface org.ametys.core.right.AccessController
isSupported
-
-
-
-
Field Detail
-
__ANONYMOUS_USER_IDENTITY
protected static final UserIdentity __ANONYMOUS_USER_IDENTITY
The instance of ObjectUserIdentity for anonymous
-
__ANY_CONTECTED_USER_IDENTITY
protected static final UserIdentity __ANY_CONTECTED_USER_IDENTITY
The instance of ObjectUserIdentity for any connected user
-
_profileAssignmentStorageEP
protected ProfileAssignmentStorageExtensionPoint _profileAssignmentStorageEP
The extension point for the profile assignment storages
-
_rightProfileDAO
protected RightProfilesDAO _rightProfileDAO
The right profile DAO
-
_cacheManager
protected AbstractCacheManager _cacheManager
Cache Manager
-
-
Constructor Detail
-
AbstractProfileStorageBasedAccessController
public AbstractProfileStorageBasedAccessController()
-
-
Method Detail
-
service
public void service(ServiceManager manager) throws ServiceException
- Specified by:
service
in interfaceServiceable
- Throws:
ServiceException
-
initialize
public void initialize() throws Exception
- Specified by:
initialize
in interfaceInitializable
- Throws:
Exception
-
_buildI18n
private I18nizableText _buildI18n(String i18Key)
-
getPermissionByRight
public Map<String,AccessController.AccessResult> getPermissionByRight(UserIdentity user, Set<GroupIdentity> userGroups, Object object)
Description copied from interface:AccessController
Gets the kind of access a user has on an object for all rights- Specified by:
getPermissionByRight
in interfaceAccessController
- Parameters:
user
- The user. Cannot be null.userGroups
- The groups the user belongs toobject
- The context object to check the access- Returns:
- the kind of access a user has on an object for all rights
-
getPermission
public AccessController.AccessResult getPermission(UserIdentity user, Set<GroupIdentity> userGroups, String rightId, Object object)
Description copied from interface:AccessController
Gets the kind of access a user has on an object for a given right- Specified by:
getPermission
in interfaceAccessController
- Parameters:
user
- The user. Cannot be null.userGroups
- The groups the user belongs torightId
- The id of the right of the userobject
- The context object to check the access- Returns:
- the kind of access a user has on an object for a right
-
getReadAccessPermission
public AccessController.AccessResult getReadAccessPermission(UserIdentity user, Set<GroupIdentity> userGroups, Object object)
Description copied from interface:AccessController
Gets the kind of access a user has on an object for thye read access- Specified by:
getReadAccessPermission
in interfaceAccessController
- Parameters:
user
- The user. Cannot be null.userGroups
- The groups the user belongs toobject
- The context object to check the access- Returns:
- the kind of access a user has on an object for the read access
-
_getPermission
protected AccessController.AccessResult _getPermission(UserIdentity user, Set<GroupIdentity> userGroups, Set<String> profilesIds, Object object, Object convertedObject)
Works for getPermission or getReadAccessPermission- Parameters:
user
- The useuserGroups
- The groupsprofilesIds
- The profilesobject
- The original contextconvertedObject
- The converted context- Returns:
- the computed result
-
getPermissionForAnonymous
public AccessController.AccessResult getPermissionForAnonymous(String rightId, Object object)
Description copied from interface:AccessController
Gets the permission for Anonymous only on an object for a given right- Specified by:
getPermissionForAnonymous
in interfaceAccessController
- Parameters:
rightId
- The id of the right to checkobject
- The object- Returns:
- the permission for Anonymous only on an object for a given right
-
getReadAccessPermissionForAnonymous
public AccessController.AccessResult getReadAccessPermissionForAnonymous(Object object)
Description copied from interface:AccessController
Gets the read access permission for Anonymous only on an object- Specified by:
getReadAccessPermissionForAnonymous
in interfaceAccessController
- Parameters:
object
- The object- Returns:
- the read access permission for Anonymous only on an object
-
_getPermissionForAnonymous
protected AccessController.AccessResult _getPermissionForAnonymous(Set<String> profilesIds, Object object, Object convertedObject)
Works for getPermissionForAnonymous and getReadAccessPermissionForAnonymous- Parameters:
profilesIds
- The profiles idsobject
- The contextconvertedObject
- The converted context- Returns:
- The access result
-
getPermissionForAnyConnectedUser
public AccessController.AccessResult getPermissionForAnyConnectedUser(String rightId, Object object)
Description copied from interface:AccessController
Gets the permission for any connected user only on an object for a given right- Specified by:
getPermissionForAnyConnectedUser
in interfaceAccessController
- Parameters:
rightId
- The id of the right to checkobject
- The object- Returns:
- the permission for any connected user only on an object for a given right
-
getReadAccessPermissionForAnyConnectedUser
public AccessController.AccessResult getReadAccessPermissionForAnyConnectedUser(Object object)
Description copied from interface:AccessController
Gets the read access permission for any connected user only on an object- Specified by:
getReadAccessPermissionForAnyConnectedUser
in interfaceAccessController
- Parameters:
object
- The object- Returns:
- the read access permission for any connected user only on an object
-
_getPermissionForAnyConnectedUser
protected AccessController.AccessResult _getPermissionForAnyConnectedUser(Set<String> profilesIds, Object object, Object convertedObject)
Works for getPermissionForAnyConnectedUser and getReadAccessPermissionForAnyConnectedUser- Parameters:
profilesIds
- The profiles idsobject
- The contextconvertedObject
- The converted context- Returns:
- the access result
-
getPermissionByUser
public Map<UserIdentity,AccessController.AccessResult> getPermissionByUser(String rightId, Object object)
Description copied from interface:AccessController
Gets the permission by user only on an object for the given right. It does not take account of the groups of the user, etc.- Specified by:
getPermissionByUser
in interfaceAccessController
- Parameters:
rightId
- The id of the right to checkobject
- The object- Returns:
- the permission by user only on an object for the given right
-
getReadAccessPermissionByUser
public Map<UserIdentity,AccessController.AccessResult> getReadAccessPermissionByUser(Object object)
Description copied from interface:AccessController
Gets the read access permission by user only on an object. It does not take account of the groups of the user, etc.- Specified by:
getReadAccessPermissionByUser
in interfaceAccessController
- Parameters:
object
- The object- Returns:
- the read access permission by user only on an object
-
_getPermissionByUser
protected Map<UserIdentity,AccessController.AccessResult> _getPermissionByUser(Set<String> profilesIds, Object object, Object convertedObject)
Works for getPermissionByUser and getReadAccessPermissionByUser- Parameters:
profilesIds
- The profiles idsobject
- The contextconvertedObject
- The converted context- Returns:
- The users and their access results
-
getPermissionByGroup
public Map<GroupIdentity,AccessController.AccessResult> getPermissionByGroup(String rightId, Object object)
Description copied from interface:AccessController
Gets the permission by group only on an object for the given right.- Specified by:
getPermissionByGroup
in interfaceAccessController
- Parameters:
rightId
- The id of the right to checkobject
- The object- Returns:
- the permission by group only on an object for the given right
-
getReadAccessPermissionByGroup
public Map<GroupIdentity,AccessController.AccessResult> getReadAccessPermissionByGroup(Object object)
Description copied from interface:AccessController
Gets the read access permission by group only on an object.- Specified by:
getReadAccessPermissionByGroup
in interfaceAccessController
- Parameters:
object
- The object- Returns:
- the read access permission by group only on an object
-
_getPermissionByGroup
protected Map<GroupIdentity,AccessController.AccessResult> _getPermissionByGroup(Set<String> profilesIds, Object object, Object convertedObject)
Works for getPermissionByGroup and getReadAccessPermissionByGroup- Parameters:
profilesIds
- The profiles idsobject
- The contextconvertedObject
- The converted context- Returns:
- The users and their access results
-
_convertContext
protected Object _convertContext(Object initialContext)
For methods getXXXXPermissionYYY allow to have a modification of the context before transfering it to the profile assignment storage extension point The default implemenation keep the context as it is- Parameters:
initialContext
- The right context that is supported- Returns:
- the context modified
-
hasAnonymousAnyReadAccessPermissionOnWorkspace
public boolean hasAnonymousAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts)
Description copied from interface:AccessController
Returns true if anonymous has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.- Specified by:
hasAnonymousAnyReadAccessPermissionOnWorkspace
in interfaceAccessController
- Parameters:
workspacesContexts
- The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}- Returns:
- true if anonymous has a permission on at least one object, directly or though groups, for a given right
-
hasAnonymousAnyPermissionOnWorkspace
public boolean hasAnonymousAnyPermissionOnWorkspace(Set<Object> workspacesContexts, String rightId)
Description copied from interface:AccessController
Returns true if anonymous has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.- Specified by:
hasAnonymousAnyPermissionOnWorkspace
in interfaceAccessController
- Parameters:
workspacesContexts
- The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}rightId
- The id of the right to check- Returns:
- true if anonymous has a permission on at least one object, directly or though groups, for a given right
-
_hasAnonymousAnyPermissionOnWorkspace
private boolean _hasAnonymousAnyPermissionOnWorkspace(Set<Object> workspacesContexts, Set<String> profilesIds)
-
hasAnyConnectedUserAnyReadAccessPermissionOnWorkspace
public boolean hasAnyConnectedUserAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts)
Description copied from interface:AccessController
Returns true if any connected user has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.- Specified by:
hasAnyConnectedUserAnyReadAccessPermissionOnWorkspace
in interfaceAccessController
- Parameters:
workspacesContexts
- The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}- Returns:
- true if any connected user has a permission on at least one object, directly or though groups, for a given right
-
hasAnyConnectedUserAnyPermissionOnWorkspace
public boolean hasAnyConnectedUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, String rightId)
Description copied from interface:AccessController
Returns true if any connected user has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.- Specified by:
hasAnyConnectedUserAnyPermissionOnWorkspace
in interfaceAccessController
- Parameters:
workspacesContexts
- The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}rightId
- The id of the right to check- Returns:
- true if any connected user has a permission on at least one object, directly or though groups, for a given right
-
_hasAnyConnectedUserAnyPermissionOnWorkspace
private boolean _hasAnyConnectedUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, Set<String> profilesIds)
-
hasUserAnyReadAccessPermissionOnWorkspace
public boolean hasUserAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups)
Description copied from interface:AccessController
Returns true if the user has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.- Specified by:
hasUserAnyReadAccessPermissionOnWorkspace
in interfaceAccessController
- Parameters:
workspacesContexts
- The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}user
- The useruserGroups
- The groups- Returns:
- true if the user has a permission on at least one object, directly or though groups, for a given right
-
hasUserAnyPermissionOnWorkspace
public boolean hasUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups, String rightId)
Description copied from interface:AccessController
Returns true if the user has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.- Specified by:
hasUserAnyPermissionOnWorkspace
in interfaceAccessController
- Parameters:
workspacesContexts
- The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}user
- The useruserGroups
- The groupsrightId
- The id of the right to check- Returns:
- true if the user has a permission on at least one object, directly or though groups, for a given right
-
_hasUserAnyPermissionOnWorkspace
private boolean _hasUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups, Set<String> profilesIds)
-
_convertWorkspaceToRootRightContexts
protected abstract Set<? extends Object> _convertWorkspaceToRootRightContexts(Set<Object> workspacesContexts)
Get the current workspaces contexts and turn it into root contexts in order to allow methods hasXXXAnyPermissionOnWorkspace to work- Parameters:
workspacesContexts
- The workspace contexts. Such as '/${WorkspaceName}', '/admin'- Returns:
- A null or empty set if the current AccessController does not apply to any workspace context, or the root object where ProfileAssignmentStorageExtension should start looking at to find any permission
-
_hasRightResultInFirstCache
protected Boolean _hasRightResultInFirstCache(UserIdentity userIdentity, Set<String> profilesIds, Object object)
Seek in cache- Parameters:
userIdentity
- The user identity or AbstractProfileStorageBasedAccessController.__ANONYMOUS_USER_IDENTITY or AbstractProfileStorageBasedAccessController.__ANY_CONTECTED_USER_IDENTITYprofilesIds
- The profiles identifiersobject
- The context- Returns:
- true or false if in cache. null otherwise
-
_putInFirstCache
protected void _putInFirstCache(UserIdentity userIdentity, Set<String> profilesIds, Object object, boolean rightResult)
Add to cache- Parameters:
userIdentity
- The user identity or AbstractProfileStorageBasedAccessController.__ANONYMOUS_USER_IDENTITY or AbstractProfileStorageBasedAccessController.__ANY_CONTECTED_USER_IDENTITYprofilesIds
- The profiles identifiersobject
- The contextrightResult
- The cache value. true if hasXXX or false otherwise.
-
_hasRightResultInSecondCache
protected Object _hasRightResultInSecondCache(Object object, Set<String> profilesIds, AbstractProfileStorageBasedAccessController.CacheKind key)
Seek in cache- Parameters:
object
- The contextprofilesIds
- The set of profile ids to considerkey
- The kind of cache to use- Returns:
- The cached result per group. null otherwise
-
_putInSecondCache
protected void _putInSecondCache(Set<String> profilesIds, Object object, Object result, AbstractProfileStorageBasedAccessController.CacheKind key)
Add to cache- Parameters:
profilesIds
- The profiles ids to considerobject
- The contextresult
- The resultkey
- The kind of cache to use
-
-