Class AbstractProfileStorageBasedAccessController
java.lang.Object
org.ametys.runtime.plugin.component.AbstractLogEnabled
org.ametys.plugins.core.impl.right.AbstractProfileStorageBasedAccessController
- All Implemented Interfaces:
AccessController,LogEnabled,Initializable,Component,Serviceable
- Direct Known Subclasses:
AbstractHierarchicalAccessController,LinkDirectoryAccessController,ThesaurusAccessController
public abstract class AbstractProfileStorageBasedAccessController
extends AbstractLogEnabled
implements AccessController, Component, Serviceable, Initializable
This class delegates all it can to the profile assignment storage extension point
-
Nested Class Summary
Nested ClassesModifier and TypeClassDescriptionprotected static enumThe knd of cache to get/setNested classes/interfaces inherited from interface org.ametys.core.right.AccessController
AccessController.AccessResult -
Field Summary
FieldsModifier and TypeFieldDescriptionprotected static final UserIdentityThe instance of ObjectUserIdentity for anonymousprotected static final UserIdentityThe instance of ObjectUserIdentity for any connected userprotected AbstractCacheManagerCache Managerprotected ProfileAssignmentStorageExtensionPointThe extension point for the profile assignment storagesprotected RightProfilesDAOThe right profile DAO -
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionprotected Object_convertContext(Object initialContext) For methods getXXXXPermissionYYY allow to have a modification of the context before transfering it to the profile assignment storage extension point The default implemenation keep the context as it is_convertWorkspaceToRootRightContexts(Set<Object> workspacesContexts) Get the current workspaces contexts and turn it into root contexts in order to allow methods hasXXXAnyPermissionOnWorkspace to workprotected AccessController.AccessResult_getPermission(UserIdentity user, Set<GroupIdentity> userGroups, Set<String> profilesIds, Object object, Object convertedObject) Works for getPermission or getReadAccessPermissionprotected Map<GroupIdentity,AccessController.AccessResult> _getPermissionByGroup(Set<String> profilesIds, Object object, Object convertedObject) Works for getPermissionByGroup and getReadAccessPermissionByGroupprotected Map<UserIdentity,AccessController.AccessResult> _getPermissionByUser(Set<String> profilesIds, Object object, Object convertedObject) Works for getPermissionByUser and getReadAccessPermissionByUserprotected AccessController.AccessResult_getPermissionForAnonymous(Set<String> profilesIds, Object object, Object convertedObject) Works for getPermissionForAnonymous and getReadAccessPermissionForAnonymousprotected AccessController.AccessResult_getPermissionForAnyConnectedUser(Set<String> profilesIds, Object object, Object convertedObject) Works for getPermissionForAnyConnectedUser and getReadAccessPermissionForAnyConnectedUserprotected Boolean_hasRightResultInFirstCache(UserIdentity userIdentity, Set<String> profilesIds, Object object) Seek in cacheprotected Object_hasRightResultInSecondCache(Object object, Set<String> profilesIds, AbstractProfileStorageBasedAccessController.CacheKind key) Seek in cacheprotected void_putInFirstCache(UserIdentity userIdentity, Set<String> profilesIds, Object object, boolean rightResult) Add to cacheprotected void_putInSecondCache(Set<String> profilesIds, Object object, Object result, AbstractProfileStorageBasedAccessController.CacheKind key) Add to cachegetPermission(UserIdentity user, Set<GroupIdentity> userGroups, String rightId, Object object) Gets the kind of access a user has on an object for a given rightgetPermissionByGroup(String rightId, Object object) Gets the permission by group only on an object for the given right.getPermissionByRight(UserIdentity user, Set<GroupIdentity> userGroups, Object object) Gets the kind of access a user has on an object for all rightsgetPermissionByUser(String rightId, Object object) Gets the permission by user only on an object for the given right.getPermissionForAnonymous(String rightId, Object object) Gets the permission for Anonymous only on an object for a given rightgetPermissionForAnyConnectedUser(String rightId, Object object) Gets the permission for any connected user only on an object for a given rightgetReadAccessPermission(UserIdentity user, Set<GroupIdentity> userGroups, Object object) Gets the kind of access a user has on an object for thye read accessgetReadAccessPermissionByGroup(Object object) Gets the read access permission by group only on an object.getReadAccessPermissionByUser(Object object) Gets the read access permission by user only on an object.Gets the read access permission for Anonymous only on an objectGets the read access permission for any connected user only on an objectbooleanhasAnonymousAnyPermissionOnWorkspace(Set<Object> workspacesContexts, String rightId) Returns true if anonymous has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.booleanhasAnonymousAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts) Returns true if anonymous has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.booleanhasAnyConnectedUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, String rightId) Returns true if any connected user has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.booleanhasAnyConnectedUserAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts) Returns true if any connected user has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.booleanhasUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups, String rightId) Returns true if the user has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.booleanhasUserAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups) Returns true if the user has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.voidvoidservice(ServiceManager manager) Methods inherited from class org.ametys.runtime.plugin.component.AbstractLogEnabled
getLogger, setLoggerMethods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, waitMethods inherited from interface org.ametys.core.right.AccessController
isSupported
-
Field Details
-
__ANONYMOUS_USER_IDENTITY
The instance of ObjectUserIdentity for anonymous -
__ANY_CONTECTED_USER_IDENTITY
The instance of ObjectUserIdentity for any connected user -
_profileAssignmentStorageEP
The extension point for the profile assignment storages -
_rightProfileDAO
The right profile DAO -
_cacheManager
Cache Manager
-
-
Constructor Details
-
AbstractProfileStorageBasedAccessController
-
-
Method Details
-
service
- Specified by:
servicein interfaceServiceable- Throws:
ServiceException
-
initialize
- Specified by:
initializein interfaceInitializable- Throws:
Exception
-
getPermissionByRight
public Map<String,AccessController.AccessResult> getPermissionByRight(UserIdentity user, Set<GroupIdentity> userGroups, Object object) Description copied from interface:AccessControllerGets the kind of access a user has on an object for all rights- Specified by:
getPermissionByRightin interfaceAccessController- Parameters:
user- The user. Cannot be null.userGroups- The groups the user belongs toobject- The context object to check the access- Returns:
- the kind of access a user has on an object for all rights
-
getPermission
public AccessController.AccessResult getPermission(UserIdentity user, Set<GroupIdentity> userGroups, String rightId, Object object) Description copied from interface:AccessControllerGets the kind of access a user has on an object for a given right- Specified by:
getPermissionin interfaceAccessController- Parameters:
user- The user. Cannot be null.userGroups- The groups the user belongs torightId- The id of the right of the userobject- The context object to check the access- Returns:
- the kind of access a user has on an object for a right
-
getReadAccessPermission
public AccessController.AccessResult getReadAccessPermission(UserIdentity user, Set<GroupIdentity> userGroups, Object object) Description copied from interface:AccessControllerGets the kind of access a user has on an object for thye read access- Specified by:
getReadAccessPermissionin interfaceAccessController- Parameters:
user- The user. Cannot be null.userGroups- The groups the user belongs toobject- The context object to check the access- Returns:
- the kind of access a user has on an object for the read access
-
_getPermission
protected AccessController.AccessResult _getPermission(UserIdentity user, Set<GroupIdentity> userGroups, Set<String> profilesIds, Object object, Object convertedObject) Works for getPermission or getReadAccessPermission- Parameters:
user- The useuserGroups- The groupsprofilesIds- The profilesobject- The original contextconvertedObject- The converted context- Returns:
- the computed result
-
getPermissionForAnonymous
Description copied from interface:AccessControllerGets the permission for Anonymous only on an object for a given right- Specified by:
getPermissionForAnonymousin interfaceAccessController- Parameters:
rightId- The id of the right to checkobject- The object- Returns:
- the permission for Anonymous only on an object for a given right
-
getReadAccessPermissionForAnonymous
Description copied from interface:AccessControllerGets the read access permission for Anonymous only on an object- Specified by:
getReadAccessPermissionForAnonymousin interfaceAccessController- Parameters:
object- The object- Returns:
- the read access permission for Anonymous only on an object
-
_getPermissionForAnonymous
protected AccessController.AccessResult _getPermissionForAnonymous(Set<String> profilesIds, Object object, Object convertedObject) Works for getPermissionForAnonymous and getReadAccessPermissionForAnonymous- Parameters:
profilesIds- The profiles idsobject- The contextconvertedObject- The converted context- Returns:
- The access result
-
getPermissionForAnyConnectedUser
public AccessController.AccessResult getPermissionForAnyConnectedUser(String rightId, Object object) Description copied from interface:AccessControllerGets the permission for any connected user only on an object for a given right- Specified by:
getPermissionForAnyConnectedUserin interfaceAccessController- Parameters:
rightId- The id of the right to checkobject- The object- Returns:
- the permission for any connected user only on an object for a given right
-
getReadAccessPermissionForAnyConnectedUser
Description copied from interface:AccessControllerGets the read access permission for any connected user only on an object- Specified by:
getReadAccessPermissionForAnyConnectedUserin interfaceAccessController- Parameters:
object- The object- Returns:
- the read access permission for any connected user only on an object
-
_getPermissionForAnyConnectedUser
protected AccessController.AccessResult _getPermissionForAnyConnectedUser(Set<String> profilesIds, Object object, Object convertedObject) Works for getPermissionForAnyConnectedUser and getReadAccessPermissionForAnyConnectedUser- Parameters:
profilesIds- The profiles idsobject- The contextconvertedObject- The converted context- Returns:
- the access result
-
getPermissionByUser
public Map<UserIdentity,AccessController.AccessResult> getPermissionByUser(String rightId, Object object) Description copied from interface:AccessControllerGets the permission by user only on an object for the given right. It does not take account of the groups of the user, etc.- Specified by:
getPermissionByUserin interfaceAccessController- Parameters:
rightId- The id of the right to checkobject- The object- Returns:
- the permission by user only on an object for the given right
-
getReadAccessPermissionByUser
Description copied from interface:AccessControllerGets the read access permission by user only on an object. It does not take account of the groups of the user, etc.- Specified by:
getReadAccessPermissionByUserin interfaceAccessController- Parameters:
object- The object- Returns:
- the read access permission by user only on an object
-
_getPermissionByUser
protected Map<UserIdentity,AccessController.AccessResult> _getPermissionByUser(Set<String> profilesIds, Object object, Object convertedObject) Works for getPermissionByUser and getReadAccessPermissionByUser- Parameters:
profilesIds- The profiles idsobject- The contextconvertedObject- The converted context- Returns:
- The users and their access results
-
getPermissionByGroup
public Map<GroupIdentity,AccessController.AccessResult> getPermissionByGroup(String rightId, Object object) Description copied from interface:AccessControllerGets the permission by group only on an object for the given right.- Specified by:
getPermissionByGroupin interfaceAccessController- Parameters:
rightId- The id of the right to checkobject- The object- Returns:
- the permission by group only on an object for the given right
-
getReadAccessPermissionByGroup
public Map<GroupIdentity,AccessController.AccessResult> getReadAccessPermissionByGroup(Object object) Description copied from interface:AccessControllerGets the read access permission by group only on an object.- Specified by:
getReadAccessPermissionByGroupin interfaceAccessController- Parameters:
object- The object- Returns:
- the read access permission by group only on an object
-
_getPermissionByGroup
protected Map<GroupIdentity,AccessController.AccessResult> _getPermissionByGroup(Set<String> profilesIds, Object object, Object convertedObject) Works for getPermissionByGroup and getReadAccessPermissionByGroup- Parameters:
profilesIds- The profiles idsobject- The contextconvertedObject- The converted context- Returns:
- The users and their access results
-
_convertContext
For methods getXXXXPermissionYYY allow to have a modification of the context before transfering it to the profile assignment storage extension point The default implemenation keep the context as it is- Parameters:
initialContext- The right context that is supported- Returns:
- the context modified
-
hasAnonymousAnyReadAccessPermissionOnWorkspace
Description copied from interface:AccessControllerReturns true if anonymous has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.- Specified by:
hasAnonymousAnyReadAccessPermissionOnWorkspacein interfaceAccessController- Parameters:
workspacesContexts- The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}- Returns:
- true if anonymous has a permission on at least one object, directly or though groups, for a given right
-
hasAnonymousAnyPermissionOnWorkspace
Description copied from interface:AccessControllerReturns true if anonymous has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.- Specified by:
hasAnonymousAnyPermissionOnWorkspacein interfaceAccessController- Parameters:
workspacesContexts- The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}rightId- The id of the right to check- Returns:
- true if anonymous has a permission on at least one object, directly or though groups, for a given right
-
hasAnyConnectedUserAnyReadAccessPermissionOnWorkspace
public boolean hasAnyConnectedUserAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts) Description copied from interface:AccessControllerReturns true if any connected user has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.- Specified by:
hasAnyConnectedUserAnyReadAccessPermissionOnWorkspacein interfaceAccessController- Parameters:
workspacesContexts- The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}- Returns:
- true if any connected user has a permission on at least one object, directly or though groups, for a given right
-
hasAnyConnectedUserAnyPermissionOnWorkspace
public boolean hasAnyConnectedUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, String rightId) Description copied from interface:AccessControllerReturns true if any connected user has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.- Specified by:
hasAnyConnectedUserAnyPermissionOnWorkspacein interfaceAccessController- Parameters:
workspacesContexts- The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}rightId- The id of the right to check- Returns:
- true if any connected user has a permission on at least one object, directly or though groups, for a given right
-
hasUserAnyReadAccessPermissionOnWorkspace
public boolean hasUserAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups) Description copied from interface:AccessControllerReturns true if the user has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.- Specified by:
hasUserAnyReadAccessPermissionOnWorkspacein interfaceAccessController- Parameters:
workspacesContexts- The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}user- The useruserGroups- The groups- Returns:
- true if the user has a permission on at least one object, directly or though groups, for a given right
-
hasUserAnyPermissionOnWorkspace
public boolean hasUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups, String rightId) Description copied from interface:AccessControllerReturns true if the user has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.- Specified by:
hasUserAnyPermissionOnWorkspacein interfaceAccessController- Parameters:
workspacesContexts- The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}user- The useruserGroups- The groupsrightId- The id of the right to check- Returns:
- true if the user has a permission on at least one object, directly or though groups, for a given right
-
_convertWorkspaceToRootRightContexts
protected abstract Set<? extends Object> _convertWorkspaceToRootRightContexts(Set<Object> workspacesContexts) Get the current workspaces contexts and turn it into root contexts in order to allow methods hasXXXAnyPermissionOnWorkspace to work- Parameters:
workspacesContexts- The workspace contexts. Such as '/${WorkspaceName}', '/admin'- Returns:
- A null or empty set if the current AccessController does not apply to any workspace context, or the root object where ProfileAssignmentStorageExtension should start looking at to find any permission
-
_hasRightResultInFirstCache
protected Boolean _hasRightResultInFirstCache(UserIdentity userIdentity, Set<String> profilesIds, Object object) Seek in cache- Parameters:
userIdentity- The user identity or AbstractProfileStorageBasedAccessController.__ANONYMOUS_USER_IDENTITY or AbstractProfileStorageBasedAccessController.__ANY_CONTECTED_USER_IDENTITYprofilesIds- The profiles identifiersobject- The context- Returns:
- true or false if in cache. null otherwise
-
_putInFirstCache
protected void _putInFirstCache(UserIdentity userIdentity, Set<String> profilesIds, Object object, boolean rightResult) Add to cache- Parameters:
userIdentity- The user identity or AbstractProfileStorageBasedAccessController.__ANONYMOUS_USER_IDENTITY or AbstractProfileStorageBasedAccessController.__ANY_CONTECTED_USER_IDENTITYprofilesIds- The profiles identifiersobject- The contextrightResult- The cache value. true if hasXXX or false otherwise.
-
_hasRightResultInSecondCache
protected Object _hasRightResultInSecondCache(Object object, Set<String> profilesIds, AbstractProfileStorageBasedAccessController.CacheKind key) Seek in cache- Parameters:
object- The contextprofilesIds- The set of profile ids to considerkey- The kind of cache to use- Returns:
- The cached result per group. null otherwise
-
_putInSecondCache
protected void _putInSecondCache(Set<String> profilesIds, Object object, Object result, AbstractProfileStorageBasedAccessController.CacheKind key) Add to cache- Parameters:
profilesIds- The profiles ids to considerobject- The contextresult- The resultkey- The kind of cache to use
-