Class AbstractProfileStorageBasedAccessController
java.lang.Object
org.ametys.runtime.plugin.component.AbstractLogEnabled
org.ametys.plugins.core.impl.right.AbstractProfileStorageBasedAccessController
- All Implemented Interfaces:
AccessController
,LogEnabled
,Initializable
,Component
,Serviceable
- Direct Known Subclasses:
AbstractHierarchicalAccessController
,LinkDirectoryAccessController
,ThesaurusAccessController
public abstract class AbstractProfileStorageBasedAccessController
extends AbstractLogEnabled
implements AccessController, Component, Serviceable, Initializable
This class delegates all it can to the profile assignment storage extension point
-
Nested Class Summary
Modifier and TypeClassDescriptionprotected static enum
The knd of cache to get/setNested classes/interfaces inherited from interface org.ametys.core.right.AccessController
AccessController.AccessResult
-
Field Summary
Modifier and TypeFieldDescriptionprotected static final UserIdentity
The instance of ObjectUserIdentity for anonymousprotected static final UserIdentity
The instance of ObjectUserIdentity for any connected userprotected AbstractCacheManager
Cache Managerprotected ProfileAssignmentStorageExtensionPoint
The extension point for the profile assignment storagesprotected RightProfilesDAO
The right profile DAO -
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionprotected Object
_convertContext
(Object initialContext) For methods getXXXXPermissionYYY allow to have a modification of the context before transfering it to the profile assignment storage extension point The default implemenation keep the context as it is_convertWorkspaceToRootRightContexts
(Set<Object> workspacesContexts) Get the current workspaces contexts and turn it into root contexts in order to allow methods hasXXXAnyPermissionOnWorkspace to workprotected AccessController.AccessResult
_getPermission
(UserIdentity user, Set<GroupIdentity> userGroups, Set<String> profilesIds, Object object, Object convertedObject) Works for getPermission or getReadAccessPermissionprotected Map<GroupIdentity,
AccessController.AccessResult> _getPermissionByGroup
(Set<String> profilesIds, Object object, Object convertedObject) Works for getPermissionByGroup and getReadAccessPermissionByGroupprotected Map<UserIdentity,
AccessController.AccessResult> _getPermissionByUser
(Set<String> profilesIds, Object object, Object convertedObject) Works for getPermissionByUser and getReadAccessPermissionByUserprotected AccessController.AccessResult
_getPermissionForAnonymous
(Set<String> profilesIds, Object object, Object convertedObject) Works for getPermissionForAnonymous and getReadAccessPermissionForAnonymousprotected AccessController.AccessResult
_getPermissionForAnyConnectedUser
(Set<String> profilesIds, Object object, Object convertedObject) Works for getPermissionForAnyConnectedUser and getReadAccessPermissionForAnyConnectedUserprotected Boolean
_hasRightResultInFirstCache
(UserIdentity userIdentity, Set<String> profilesIds, Object object) Seek in cacheprotected Object
_hasRightResultInSecondCache
(Object object, Set<String> profilesIds, AbstractProfileStorageBasedAccessController.CacheKind key) Seek in cacheprotected void
_putInFirstCache
(UserIdentity userIdentity, Set<String> profilesIds, Object object, boolean rightResult) Add to cacheprotected void
_putInSecondCache
(Set<String> profilesIds, Object object, Object result, AbstractProfileStorageBasedAccessController.CacheKind key) Add to cachegetPermission
(UserIdentity user, Set<GroupIdentity> userGroups, String rightId, Object object) Gets the kind of access a user has on an object for a given rightgetPermissionByGroup
(String rightId, Object object) Gets the permission by group only on an object for the given right.getPermissionByRight
(UserIdentity user, Set<GroupIdentity> userGroups, Object object) Gets the kind of access a user has on an object for all rightsgetPermissionByUser
(String rightId, Object object) Gets the permission by user only on an object for the given right.getPermissionForAnonymous
(String rightId, Object object) Gets the permission for Anonymous only on an object for a given rightgetPermissionForAnyConnectedUser
(String rightId, Object object) Gets the permission for any connected user only on an object for a given rightgetReadAccessPermission
(UserIdentity user, Set<GroupIdentity> userGroups, Object object) Gets the kind of access a user has on an object for thye read accessgetReadAccessPermissionByGroup
(Object object) Gets the read access permission by group only on an object.getReadAccessPermissionByUser
(Object object) Gets the read access permission by user only on an object.Gets the read access permission for Anonymous only on an objectGets the read access permission for any connected user only on an objectboolean
hasAnonymousAnyPermissionOnWorkspace
(Set<Object> workspacesContexts, String rightId) Returns true if anonymous has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.boolean
hasAnonymousAnyReadAccessPermissionOnWorkspace
(Set<Object> workspacesContexts) Returns true if anonymous has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.boolean
hasAnyConnectedUserAnyPermissionOnWorkspace
(Set<Object> workspacesContexts, String rightId) Returns true if any connected user has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.boolean
hasAnyConnectedUserAnyReadAccessPermissionOnWorkspace
(Set<Object> workspacesContexts) Returns true if any connected user has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.boolean
hasUserAnyPermissionOnWorkspace
(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups, String rightId) Returns true if the user has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.boolean
hasUserAnyReadAccessPermissionOnWorkspace
(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups) Returns true if the user has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.void
void
service
(ServiceManager manager) Methods inherited from class org.ametys.runtime.plugin.component.AbstractLogEnabled
getLogger, setLogger
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.ametys.core.right.AccessController
isSupported
-
Field Details
-
__ANONYMOUS_USER_IDENTITY
The instance of ObjectUserIdentity for anonymous -
__ANY_CONTECTED_USER_IDENTITY
The instance of ObjectUserIdentity for any connected user -
_profileAssignmentStorageEP
The extension point for the profile assignment storages -
_rightProfileDAO
The right profile DAO -
_cacheManager
Cache Manager
-
-
Constructor Details
-
AbstractProfileStorageBasedAccessController
-
-
Method Details
-
service
- Specified by:
service
in interfaceServiceable
- Throws:
ServiceException
-
initialize
- Specified by:
initialize
in interfaceInitializable
- Throws:
Exception
-
getPermissionByRight
public Map<String,AccessController.AccessResult> getPermissionByRight(UserIdentity user, Set<GroupIdentity> userGroups, Object object) Description copied from interface:AccessController
Gets the kind of access a user has on an object for all rights- Specified by:
getPermissionByRight
in interfaceAccessController
- Parameters:
user
- The user. Cannot be null.userGroups
- The groups the user belongs toobject
- The context object to check the access- Returns:
- the kind of access a user has on an object for all rights
-
getPermission
public AccessController.AccessResult getPermission(UserIdentity user, Set<GroupIdentity> userGroups, String rightId, Object object) Description copied from interface:AccessController
Gets the kind of access a user has on an object for a given right- Specified by:
getPermission
in interfaceAccessController
- Parameters:
user
- The user. Cannot be null.userGroups
- The groups the user belongs torightId
- The id of the right of the userobject
- The context object to check the access- Returns:
- the kind of access a user has on an object for a right
-
getReadAccessPermission
public AccessController.AccessResult getReadAccessPermission(UserIdentity user, Set<GroupIdentity> userGroups, Object object) Description copied from interface:AccessController
Gets the kind of access a user has on an object for thye read access- Specified by:
getReadAccessPermission
in interfaceAccessController
- Parameters:
user
- The user. Cannot be null.userGroups
- The groups the user belongs toobject
- The context object to check the access- Returns:
- the kind of access a user has on an object for the read access
-
_getPermission
protected AccessController.AccessResult _getPermission(UserIdentity user, Set<GroupIdentity> userGroups, Set<String> profilesIds, Object object, Object convertedObject) Works for getPermission or getReadAccessPermission- Parameters:
user
- The useuserGroups
- The groupsprofilesIds
- The profilesobject
- The original contextconvertedObject
- The converted context- Returns:
- the computed result
-
getPermissionForAnonymous
Description copied from interface:AccessController
Gets the permission for Anonymous only on an object for a given right- Specified by:
getPermissionForAnonymous
in interfaceAccessController
- Parameters:
rightId
- The id of the right to checkobject
- The object- Returns:
- the permission for Anonymous only on an object for a given right
-
getReadAccessPermissionForAnonymous
Description copied from interface:AccessController
Gets the read access permission for Anonymous only on an object- Specified by:
getReadAccessPermissionForAnonymous
in interfaceAccessController
- Parameters:
object
- The object- Returns:
- the read access permission for Anonymous only on an object
-
_getPermissionForAnonymous
protected AccessController.AccessResult _getPermissionForAnonymous(Set<String> profilesIds, Object object, Object convertedObject) Works for getPermissionForAnonymous and getReadAccessPermissionForAnonymous- Parameters:
profilesIds
- The profiles idsobject
- The contextconvertedObject
- The converted context- Returns:
- The access result
-
getPermissionForAnyConnectedUser
public AccessController.AccessResult getPermissionForAnyConnectedUser(String rightId, Object object) Description copied from interface:AccessController
Gets the permission for any connected user only on an object for a given right- Specified by:
getPermissionForAnyConnectedUser
in interfaceAccessController
- Parameters:
rightId
- The id of the right to checkobject
- The object- Returns:
- the permission for any connected user only on an object for a given right
-
getReadAccessPermissionForAnyConnectedUser
Description copied from interface:AccessController
Gets the read access permission for any connected user only on an object- Specified by:
getReadAccessPermissionForAnyConnectedUser
in interfaceAccessController
- Parameters:
object
- The object- Returns:
- the read access permission for any connected user only on an object
-
_getPermissionForAnyConnectedUser
protected AccessController.AccessResult _getPermissionForAnyConnectedUser(Set<String> profilesIds, Object object, Object convertedObject) Works for getPermissionForAnyConnectedUser and getReadAccessPermissionForAnyConnectedUser- Parameters:
profilesIds
- The profiles idsobject
- The contextconvertedObject
- The converted context- Returns:
- the access result
-
getPermissionByUser
public Map<UserIdentity,AccessController.AccessResult> getPermissionByUser(String rightId, Object object) Description copied from interface:AccessController
Gets the permission by user only on an object for the given right. It does not take account of the groups of the user, etc.- Specified by:
getPermissionByUser
in interfaceAccessController
- Parameters:
rightId
- The id of the right to checkobject
- The object- Returns:
- the permission by user only on an object for the given right
-
getReadAccessPermissionByUser
Description copied from interface:AccessController
Gets the read access permission by user only on an object. It does not take account of the groups of the user, etc.- Specified by:
getReadAccessPermissionByUser
in interfaceAccessController
- Parameters:
object
- The object- Returns:
- the read access permission by user only on an object
-
_getPermissionByUser
protected Map<UserIdentity,AccessController.AccessResult> _getPermissionByUser(Set<String> profilesIds, Object object, Object convertedObject) Works for getPermissionByUser and getReadAccessPermissionByUser- Parameters:
profilesIds
- The profiles idsobject
- The contextconvertedObject
- The converted context- Returns:
- The users and their access results
-
getPermissionByGroup
public Map<GroupIdentity,AccessController.AccessResult> getPermissionByGroup(String rightId, Object object) Description copied from interface:AccessController
Gets the permission by group only on an object for the given right.- Specified by:
getPermissionByGroup
in interfaceAccessController
- Parameters:
rightId
- The id of the right to checkobject
- The object- Returns:
- the permission by group only on an object for the given right
-
getReadAccessPermissionByGroup
public Map<GroupIdentity,AccessController.AccessResult> getReadAccessPermissionByGroup(Object object) Description copied from interface:AccessController
Gets the read access permission by group only on an object.- Specified by:
getReadAccessPermissionByGroup
in interfaceAccessController
- Parameters:
object
- The object- Returns:
- the read access permission by group only on an object
-
_getPermissionByGroup
protected Map<GroupIdentity,AccessController.AccessResult> _getPermissionByGroup(Set<String> profilesIds, Object object, Object convertedObject) Works for getPermissionByGroup and getReadAccessPermissionByGroup- Parameters:
profilesIds
- The profiles idsobject
- The contextconvertedObject
- The converted context- Returns:
- The users and their access results
-
_convertContext
For methods getXXXXPermissionYYY allow to have a modification of the context before transfering it to the profile assignment storage extension point The default implemenation keep the context as it is- Parameters:
initialContext
- The right context that is supported- Returns:
- the context modified
-
hasAnonymousAnyReadAccessPermissionOnWorkspace
Description copied from interface:AccessController
Returns true if anonymous has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.- Specified by:
hasAnonymousAnyReadAccessPermissionOnWorkspace
in interfaceAccessController
- Parameters:
workspacesContexts
- The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}- Returns:
- true if anonymous has a permission on at least one object, directly or though groups, for a given right
-
hasAnonymousAnyPermissionOnWorkspace
Description copied from interface:AccessController
Returns true if anonymous has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.- Specified by:
hasAnonymousAnyPermissionOnWorkspace
in interfaceAccessController
- Parameters:
workspacesContexts
- The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}rightId
- The id of the right to check- Returns:
- true if anonymous has a permission on at least one object, directly or though groups, for a given right
-
hasAnyConnectedUserAnyReadAccessPermissionOnWorkspace
public boolean hasAnyConnectedUserAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts) Description copied from interface:AccessController
Returns true if any connected user has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.- Specified by:
hasAnyConnectedUserAnyReadAccessPermissionOnWorkspace
in interfaceAccessController
- Parameters:
workspacesContexts
- The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}- Returns:
- true if any connected user has a permission on at least one object, directly or though groups, for a given right
-
hasAnyConnectedUserAnyPermissionOnWorkspace
public boolean hasAnyConnectedUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, String rightId) Description copied from interface:AccessController
Returns true if any connected user has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.- Specified by:
hasAnyConnectedUserAnyPermissionOnWorkspace
in interfaceAccessController
- Parameters:
workspacesContexts
- The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}rightId
- The id of the right to check- Returns:
- true if any connected user has a permission on at least one object, directly or though groups, for a given right
-
hasUserAnyReadAccessPermissionOnWorkspace
public boolean hasUserAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups) Description copied from interface:AccessController
Returns true if the user has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.- Specified by:
hasUserAnyReadAccessPermissionOnWorkspace
in interfaceAccessController
- Parameters:
workspacesContexts
- The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}user
- The useruserGroups
- The groups- Returns:
- true if the user has a permission on at least one object, directly or though groups, for a given right
-
hasUserAnyPermissionOnWorkspace
public boolean hasUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups, String rightId) Description copied from interface:AccessController
Returns true if the user has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.- Specified by:
hasUserAnyPermissionOnWorkspace
in interfaceAccessController
- Parameters:
workspacesContexts
- The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}user
- The useruserGroups
- The groupsrightId
- The id of the right to check- Returns:
- true if the user has a permission on at least one object, directly or though groups, for a given right
-
_convertWorkspaceToRootRightContexts
protected abstract Set<? extends Object> _convertWorkspaceToRootRightContexts(Set<Object> workspacesContexts) Get the current workspaces contexts and turn it into root contexts in order to allow methods hasXXXAnyPermissionOnWorkspace to work- Parameters:
workspacesContexts
- The workspace contexts. Such as '/${WorkspaceName}', '/admin'- Returns:
- A null or empty set if the current AccessController does not apply to any workspace context, or the root object where ProfileAssignmentStorageExtension should start looking at to find any permission
-
_hasRightResultInFirstCache
protected Boolean _hasRightResultInFirstCache(UserIdentity userIdentity, Set<String> profilesIds, Object object) Seek in cache- Parameters:
userIdentity
- The user identity or AbstractProfileStorageBasedAccessController.__ANONYMOUS_USER_IDENTITY or AbstractProfileStorageBasedAccessController.__ANY_CONTECTED_USER_IDENTITYprofilesIds
- The profiles identifiersobject
- The context- Returns:
- true or false if in cache. null otherwise
-
_putInFirstCache
protected void _putInFirstCache(UserIdentity userIdentity, Set<String> profilesIds, Object object, boolean rightResult) Add to cache- Parameters:
userIdentity
- The user identity or AbstractProfileStorageBasedAccessController.__ANONYMOUS_USER_IDENTITY or AbstractProfileStorageBasedAccessController.__ANY_CONTECTED_USER_IDENTITYprofilesIds
- The profiles identifiersobject
- The contextrightResult
- The cache value. true if hasXXX or false otherwise.
-
_hasRightResultInSecondCache
protected Object _hasRightResultInSecondCache(Object object, Set<String> profilesIds, AbstractProfileStorageBasedAccessController.CacheKind key) Seek in cache- Parameters:
object
- The contextprofilesIds
- The set of profile ids to considerkey
- The kind of cache to use- Returns:
- The cached result per group. null otherwise
-
_putInSecondCache
protected void _putInSecondCache(Set<String> profilesIds, Object object, Object result, AbstractProfileStorageBasedAccessController.CacheKind key) Add to cache- Parameters:
profilesIds
- The profiles ids to considerobject
- The contextresult
- The resultkey
- The kind of cache to use
-