Package org.ametys.plugins.core.impl.right

Class AbstractProfileStorageBasedAccessController

java.lang.Object

org.ametys.runtime.plugin.component.AbstractLogEnabled

org.ametys.plugins.core.impl.right.AbstractAccessController

org.ametys.plugins.core.impl.right.AbstractProfileStorageBasedAccessController

All Implemented Interfaces:

AccessController, LogEnabled, PluginAware, Initializable, Component, Serviceable

Direct Known Subclasses:

AbstractHierarchicalWithPermissionContextAccessController, LinkDirectoryAccessController, ThesaurusAccessController

public abstract class AbstractProfileStorageBasedAccessController
extends AbstractAccessController
implements Serviceable, Initializable

This class delegates all it can to the profile assignment storage extension point

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
protected static enum	AbstractProfileStorageBasedAccessController.CacheKind	The kind of cache to get/set
protected static class	AbstractProfileStorageBasedAccessController.PermissionDetails	Value class storing information describing how a permission was determined

Nested classes/interfaces inherited from interface org.ametys.core.right.AccessController

AccessController.AccessResult

Field Summary

Fields

Modifier and Type	Field	Description
protected static final UserIdentity	__ANONYMOUS_USER_IDENTITY	The instance of ObjectUserIdentity for anonymous
protected static final UserIdentity	__ANY_CONTECTED_USER_IDENTITY	The instance of ObjectUserIdentity for any connected user
protected AbstractCacheManager	_cacheManager	Cache Manager
protected GroupManager	_groupManager	The group manager
protected ProfileAssignmentStorageExtensionPoint	_profileAssignmentStorageEP	The extension point for the profile assignment storages
protected RightProfilesDAO	_rightProfileDAO	The right profile DAO

Fields inherited from class org.ametys.plugins.core.impl.right.AbstractAccessController

_id, _pluginName

Constructor Summary

Constructors

Constructor	Description
AbstractProfileStorageBasedAccessController()

Method Summary

Modifier and Type	Method	Description
protected AccessExplanation	_buildExplanation(AbstractProfileStorageBasedAccessController.PermissionDetails details)	Transform the permission details in an access explanation
protected Object	_convertContext(Object initialContext)	For methods getXXXXPermissionYYY allow to have a modification of the context before transfering it to the profile assignment storage extension point The default implemenation keep the context as it is
protected abstract Set<? extends Object>	_convertWorkspaceToRootRightContexts(Set<Object> workspacesContexts)	Get the current workspaces contexts and turn it into root contexts in order to allow methods hasXXXAnyPermissionOnWorkspace to work
protected AccessExplanation	_explainPermission(UserIdentity user, Set<GroupIdentity> userGroups, Set<String> profilesIds, Object object, Object convertedObject)	Works for explainPermission or explainReadAccessPermission
protected AccessExplanation	_explainPermissionForAnonymous(Set<String> profilesIds, Object object, Object convertedObject)	Works for explainReadAccessPermissionForAnonymous(Object) or _explainPermissionForAnonymous(Set, Object, Object)
protected AccessExplanation	_explainPermissionForAnyConnectedUser(Set<String> profilesIds, Object object, Object convertedObject)	Works for explainPermissionForAnyConnectedUser(String, Object) or explainReadAccessPermissionForAnyConnectedUser(Object)
protected abstract I18nizableText	_getObjectLabel(Object object)	Get the label describing the object that granted the right in the explanation.
protected AccessController.AccessResult	_getPermission(UserIdentity user, Set<GroupIdentity> userGroups, Set<String> profilesIds, Object object, Object convertedObject)	Works for getPermission or getReadAccessPermission
protected Map<GroupIdentity,AccessController.AccessResult>	_getPermissionByGroup(Set<String> profilesIds, Object object, Object convertedObject)	Works for getPermissionByGroup and getReadAccessPermissionByGroup
protected Map<UserIdentity,AccessController.AccessResult>	_getPermissionByUser(Set<String> profilesIds, Object object, Object convertedObject)	Works for getPermissionByUser and getReadAccessPermissionByUser
protected AbstractProfileStorageBasedAccessController.PermissionDetails	_getPermissionDetails(UserIdentity user, Set<GroupIdentity> groups, Set<String> profilesIds, Object object, Object convertedObject)	Get the details of how a permission is granted or denied.
protected AbstractProfileStorageBasedAccessController.PermissionDetails	_getPermissionDetailsForAnonymous(Set<String> profilesIds, Object object, Object convertedObject)	Get the details of how a permission is granted or denied.
protected AbstractProfileStorageBasedAccessController.PermissionDetails	_getPermissionDetailsForAnyConnectedUser(Set<String> profilesIds, Object object, Object convertedObject)	Get the details of how a permission is granted or denied.
protected AccessController.AccessResult	_getPermissionForAnonymous(Set<String> profilesIds, Object object, Object convertedObject)	Works for getPermissionForAnonymous and getReadAccessPermissionForAnonymous
protected AccessController.AccessResult	_getPermissionForAnyConnectedUser(Set<String> profilesIds, Object object, Object convertedObject)	Works for getPermissionForAnyConnectedUser and getReadAccessPermissionForAnyConnectedUser
protected Boolean	_hasRightResultInFirstCache(UserIdentity userIdentity, Set<String> profilesIds, Object object)	Seek in cache
protected Object	_hasRightResultInSecondCache(Object object, Set<String> profilesIds, AbstractProfileStorageBasedAccessController.CacheKind key)	Seek in cache
protected void	_putInFirstCache(UserIdentity userIdentity, Set<String> profilesIds, Object object, boolean rightResult)	Add to cache
protected void	_putInSecondCache(Set<String> profilesIds, Object object, Object result, AbstractProfileStorageBasedAccessController.CacheKind key)	Add to cache
AccessExplanation	explainPermission(UserIdentity user, Set<GroupIdentity> groups, String rightId, Object object)	Explain the permission for a user on the given right context.
AccessExplanation	explainPermissionForAnonymous(String rightId, Object object)	Explain the permission for anonymous on the given right context.
AccessExplanation	explainPermissionForAnyConnectedUser(String rightId, Object object)	Explain the permission for any connected user on the given right context.
AccessExplanation	explainReadAccessPermission(UserIdentity user, Set<GroupIdentity> groups, Object object)	Explain the read access permission for a user on the given right context.
AccessExplanation	explainReadAccessPermissionForAnonymous(Object object)	Explain the read access permission for anonymous on the given right context.
AccessExplanation	explainReadAccessPermissionForAnyConnectedUser(Object object)	Explain the read access permission for any connected user on the given right context.
AccessController.AccessResult	getPermission(UserIdentity user, Set<GroupIdentity> userGroups, String rightId, Object object)	Gets the kind of access a user has on an object for a given right
Map<GroupIdentity,AccessController.AccessResult>	getPermissionByGroup(String rightId, Object object)	Gets the permission by group only on an object for the given right.
Map<String,AccessController.AccessResult>	getPermissionByRight(UserIdentity user, Set<GroupIdentity> userGroups, Object object)	Gets the kind of access a user has on an object for all rights
Map<UserIdentity,AccessController.AccessResult>	getPermissionByUser(String rightId, Object object)	Gets the permission by user only on an object for the given right.
AccessController.AccessResult	getPermissionForAnonymous(String rightId, Object object)	Gets the permission for Anonymous only on an object for a given right
AccessController.AccessResult	getPermissionForAnyConnectedUser(String rightId, Object object)	Gets the permission for any connected user only on an object for a given right
AccessController.AccessResult	getReadAccessPermission(UserIdentity user, Set<GroupIdentity> userGroups, Object object)	Gets the kind of access a user has on an object for thye read access
Map<GroupIdentity,AccessController.AccessResult>	getReadAccessPermissionByGroup(Object object)	Gets the read access permission by group only on an object.
Map<UserIdentity,AccessController.AccessResult>	getReadAccessPermissionByUser(Object object)	Gets the read access permission by user only on an object.
AccessController.AccessResult	getReadAccessPermissionForAnonymous(Object object)	Gets the read access permission for Anonymous only on an object
AccessController.AccessResult	getReadAccessPermissionForAnyConnectedUser(Object object)	Gets the read access permission for any connected user only on an object
boolean	hasAnonymousAnyPermissionOnWorkspace(Set<Object> workspacesContexts, String rightId)	Returns true if anonymous has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.
boolean	hasAnonymousAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts)	Returns true if anonymous has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.
boolean	hasAnyConnectedUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, String rightId)	Returns true if any connected user has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.
boolean	hasAnyConnectedUserAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts)	Returns true if any connected user has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.
boolean	hasUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups, String rightId)	Returns true if the user has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.
boolean	hasUserAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups)	Returns true if the user has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.
void	initialize()
void	service(ServiceManager manager)

Methods inherited from class org.ametys.plugins.core.impl.right.AbstractAccessController

getId, getStandardAccessExplanation, setPluginInfo

Methods inherited from class org.ametys.runtime.plugin.component.AbstractLogEnabled

getLogger, setLogger

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.ametys.core.right.AccessController

isSupported

Field Details

__ANONYMOUS_USER_IDENTITY

protected static final UserIdentity __ANONYMOUS_USER_IDENTITY

The instance of ObjectUserIdentity for anonymous

__ANY_CONTECTED_USER_IDENTITY

protected static final UserIdentity __ANY_CONTECTED_USER_IDENTITY

The instance of ObjectUserIdentity for any connected user

_profileAssignmentStorageEP

protected ProfileAssignmentStorageExtensionPoint _profileAssignmentStorageEP

The extension point for the profile assignment storages

_rightProfileDAO

protected RightProfilesDAO _rightProfileDAO

The right profile DAO

_cacheManager

protected AbstractCacheManager _cacheManager

Cache Manager

_groupManager

protected GroupManager _groupManager

The group manager

Constructor Details

AbstractProfileStorageBasedAccessController

public AbstractProfileStorageBasedAccessController()

Method Details

service

public void service(ServiceManager manager)
             throws ServiceException

Specified by:

service in interface Serviceable

Throws:

ServiceException

initialize

public void initialize()
                throws Exception

Specified by:

initialize in interface Initializable

Throws:

Exception

getPermissionByRight

public Map<String,AccessController.AccessResult> getPermissionByRight(UserIdentity user,
 Set<GroupIdentity> userGroups,
 Object object)

Description copied from interface: AccessController

Gets the kind of access a user has on an object for all rights

Specified by:

getPermissionByRight in interface AccessController

Parameters:

user - The user. Cannot be null.

userGroups - The groups the user belongs to

object - The context object to check the access

Returns:

the kind of access a user has on an object for all rights

getPermission

public AccessController.AccessResult getPermission(UserIdentity user,
 Set<GroupIdentity> userGroups,
 String rightId,
 Object object)

Description copied from interface: AccessController

Gets the kind of access a user has on an object for a given right

Specified by:

getPermission in interface AccessController

Parameters:

user - The user. Cannot be null.

userGroups - The groups the user belongs to

rightId - The id of the right of the user

object - The context object to check the access

Returns:

the kind of access a user has on an object for a right

getReadAccessPermission

public AccessController.AccessResult getReadAccessPermission(UserIdentity user,
 Set<GroupIdentity> userGroups,
 Object object)

Description copied from interface: AccessController

Gets the kind of access a user has on an object for thye read access

Specified by:

getReadAccessPermission in interface AccessController

Parameters:

user - The user. Cannot be null.

userGroups - The groups the user belongs to

object - The context object to check the access

Returns:

the kind of access a user has on an object for the read access

_getPermission

protected AccessController.AccessResult _getPermission(UserIdentity user,
 Set<GroupIdentity> userGroups,
 Set<String> profilesIds,
 Object object,
 Object convertedObject)

Works for getPermission or getReadAccessPermission

Parameters:

user - The use

userGroups - The groups

profilesIds - The profiles

object - The original context

convertedObject - The converted context

Returns:

the computed result

getPermissionForAnonymous

public AccessController.AccessResult getPermissionForAnonymous(String rightId,
 Object object)

Description copied from interface: AccessController

Gets the permission for Anonymous only on an object for a given right

Specified by:

getPermissionForAnonymous in interface AccessController

Parameters:

rightId - The id of the right to check

object - The object

Returns:

the permission for Anonymous only on an object for a given right

getReadAccessPermissionForAnonymous

public AccessController.AccessResult getReadAccessPermissionForAnonymous(Object object)

Description copied from interface: AccessController

Gets the read access permission for Anonymous only on an object

Specified by:

getReadAccessPermissionForAnonymous in interface AccessController

Parameters:

object - The object

Returns:

the read access permission for Anonymous only on an object

_getPermissionForAnonymous

protected AccessController.AccessResult _getPermissionForAnonymous(Set<String> profilesIds,
 Object object,
 Object convertedObject)

Works for getPermissionForAnonymous and getReadAccessPermissionForAnonymous

Parameters:

profilesIds - The profiles ids

object - The context

convertedObject - The converted context

Returns:

The access result

getPermissionForAnyConnectedUser

public AccessController.AccessResult getPermissionForAnyConnectedUser(String rightId,
 Object object)

Description copied from interface: AccessController

Gets the permission for any connected user only on an object for a given right

Specified by:

getPermissionForAnyConnectedUser in interface AccessController

Parameters:

rightId - The id of the right to check

object - The object

Returns:

the permission for any connected user only on an object for a given right

getReadAccessPermissionForAnyConnectedUser

public AccessController.AccessResult getReadAccessPermissionForAnyConnectedUser(Object object)

Description copied from interface: AccessController

Gets the read access permission for any connected user only on an object

Specified by:

getReadAccessPermissionForAnyConnectedUser in interface AccessController

Parameters:

object - The object

Returns:

the read access permission for any connected user only on an object

_getPermissionForAnyConnectedUser

protected AccessController.AccessResult _getPermissionForAnyConnectedUser(Set<String> profilesIds,
 Object object,
 Object convertedObject)

Works for getPermissionForAnyConnectedUser and getReadAccessPermissionForAnyConnectedUser

Parameters:

profilesIds - The profiles ids

object - The context

convertedObject - The converted context

Returns:

the access result

getPermissionByUser

public Map<UserIdentity,AccessController.AccessResult> getPermissionByUser(String rightId,
 Object object)

Description copied from interface: AccessController

Gets the permission by user only on an object for the given right. It does not take account of the groups of the user, etc.

Specified by:

getPermissionByUser in interface AccessController

Parameters:

rightId - The id of the right to check

object - The object

Returns:

the permission by user only on an object for the given right

getReadAccessPermissionByUser

public Map<UserIdentity,AccessController.AccessResult> getReadAccessPermissionByUser(Object object)

Description copied from interface: AccessController

Gets the read access permission by user only on an object. It does not take account of the groups of the user, etc.

Specified by:

getReadAccessPermissionByUser in interface AccessController

Parameters:

object - The object

Returns:

the read access permission by user only on an object

_getPermissionByUser

protected Map<UserIdentity,AccessController.AccessResult> _getPermissionByUser(Set<String> profilesIds,
 Object object,
 Object convertedObject)

Works for getPermissionByUser and getReadAccessPermissionByUser

Parameters:

profilesIds - The profiles ids

object - The context

convertedObject - The converted context

Returns:

The users and their access results

getPermissionByGroup

public Map<GroupIdentity,AccessController.AccessResult> getPermissionByGroup(String rightId,
 Object object)

Description copied from interface: AccessController

Gets the permission by group only on an object for the given right.

Specified by:

getPermissionByGroup in interface AccessController

Parameters:

rightId - The id of the right to check

object - The object

Returns:

the permission by group only on an object for the given right

getReadAccessPermissionByGroup

public Map<GroupIdentity,AccessController.AccessResult> getReadAccessPermissionByGroup(Object object)

Description copied from interface: AccessController

Gets the read access permission by group only on an object.

Specified by:

getReadAccessPermissionByGroup in interface AccessController

Parameters:

object - The object

Returns:

the read access permission by group only on an object

_getPermissionByGroup

protected Map<GroupIdentity,AccessController.AccessResult> _getPermissionByGroup(Set<String> profilesIds,
 Object object,
 Object convertedObject)

Works for getPermissionByGroup and getReadAccessPermissionByGroup

Parameters:

profilesIds - The profiles ids

object - The context

convertedObject - The converted context

Returns:

The users and their access results

_convertContext

protected Object _convertContext(Object initialContext)

For methods getXXXXPermissionYYY allow to have a modification of the context before transfering it to the profile assignment storage extension point The default implemenation keep the context as it is

Parameters:

initialContext - The right context that is supported

Returns:

the context modified

hasAnonymousAnyReadAccessPermissionOnWorkspace

public boolean hasAnonymousAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts)

Description copied from interface: AccessController

Returns true if anonymous has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.

Specified by:

hasAnonymousAnyReadAccessPermissionOnWorkspace in interface AccessController

Parameters:

workspacesContexts - The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}

Returns:

true if anonymous has a permission on at least one object, directly or though groups, for a given right

hasAnonymousAnyPermissionOnWorkspace

public boolean hasAnonymousAnyPermissionOnWorkspace(Set<Object> workspacesContexts,
 String rightId)

Description copied from interface: AccessController

Returns true if anonymous has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.

Specified by:

hasAnonymousAnyPermissionOnWorkspace in interface AccessController

Parameters:

workspacesContexts - The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}

rightId - The id of the right to check

Returns:

true if anonymous has a permission on at least one object, directly or though groups, for a given right

hasAnyConnectedUserAnyReadAccessPermissionOnWorkspace

public boolean hasAnyConnectedUserAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts)

Description copied from interface: AccessController

Returns true if any connected user has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.

Specified by:

hasAnyConnectedUserAnyReadAccessPermissionOnWorkspace in interface AccessController

Parameters:

workspacesContexts - The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}

Returns:

true if any connected user has a permission on at least one object, directly or though groups, for a given right

hasAnyConnectedUserAnyPermissionOnWorkspace

public boolean hasAnyConnectedUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts,
 String rightId)

Description copied from interface: AccessController

Returns true if any connected user has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.

Specified by:

hasAnyConnectedUserAnyPermissionOnWorkspace in interface AccessController

Parameters:

workspacesContexts - The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}

rightId - The id of the right to check

Returns:

true if any connected user has a permission on at least one object, directly or though groups, for a given right

hasUserAnyReadAccessPermissionOnWorkspace

public boolean hasUserAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts,
 UserIdentity user,
 Set<GroupIdentity> userGroups)

Description copied from interface: AccessController

Returns true if the user has a read access permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.

Specified by:

hasUserAnyReadAccessPermissionOnWorkspace in interface AccessController

Parameters:

workspacesContexts - The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}

user - The user

userGroups - The groups

Returns:

true if the user has a permission on at least one object, directly or though groups, for a given right

hasUserAnyPermissionOnWorkspace

public boolean hasUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts,
 UserIdentity user,
 Set<GroupIdentity> userGroups,
 String rightId)

Description copied from interface: AccessController

Returns true if the user has a permission on at least one object, directly or though groups, for a given rights and if the object is attached to the given context that is /${WorkspaceName} and its conversions.

Specified by:

hasUserAnyPermissionOnWorkspace in interface AccessController

Parameters:

workspacesContexts - The contexts to tests such as {"/${WorkspaceName}", "/repository", "/admin"}

user - The user

userGroups - The groups

rightId - The id of the right to check

Returns:

true if the user has a permission on at least one object, directly or though groups, for a given right

_convertWorkspaceToRootRightContexts

protected abstract Set<? extends Object> _convertWorkspaceToRootRightContexts(Set<Object> workspacesContexts)

Get the current workspaces contexts and turn it into root contexts in order to allow methods hasXXXAnyPermissionOnWorkspace to work

Parameters:

workspacesContexts - The workspace contexts. Such as '/${WorkspaceName}', '/admin'

Returns:

A null or empty set if the current AccessController does not apply to any workspace context, or the root object where ProfileAssignmentStorageExtension should start looking at to find any permission

_hasRightResultInFirstCache

protected Boolean _hasRightResultInFirstCache(UserIdentity userIdentity,
 Set<String> profilesIds,
 Object object)

Seek in cache

Parameters:

userIdentity - The user identity or AbstractProfileStorageBasedAccessController.__ANONYMOUS_USER_IDENTITY or AbstractProfileStorageBasedAccessController.__ANY_CONTECTED_USER_IDENTITY

profilesIds - The profiles identifiers

object - The context

Returns:

true or false if in cache. null otherwise

_putInFirstCache

protected void _putInFirstCache(UserIdentity userIdentity,
 Set<String> profilesIds,
 Object object,
 boolean rightResult)

Add to cache

Parameters:

userIdentity - The user identity or AbstractProfileStorageBasedAccessController.__ANONYMOUS_USER_IDENTITY or AbstractProfileStorageBasedAccessController.__ANY_CONTECTED_USER_IDENTITY

profilesIds - The profiles identifiers

object - The context

rightResult - The cache value. true if hasXXX or false otherwise.

_hasRightResultInSecondCache

protected Object _hasRightResultInSecondCache(Object object,
 Set<String> profilesIds,
 AbstractProfileStorageBasedAccessController.CacheKind key)

Seek in cache

Parameters:

object - The context

profilesIds - The set of profile ids to consider

key - The kind of cache to use

Returns:

The cached result per group. null otherwise

_putInSecondCache

protected void _putInSecondCache(Set<String> profilesIds,
 Object object,
 Object result,
 AbstractProfileStorageBasedAccessController.CacheKind key)

Add to cache

Parameters:

profilesIds - The profiles ids to consider

object - The context

result - The result

key - The kind of cache to use

explainReadAccessPermission

public AccessExplanation explainReadAccessPermission(UserIdentity user,
 Set<GroupIdentity> groups,
 Object object)

Description copied from interface: AccessController

Explain the read access permission for a user on the given right context. The access result in the explanation MUST be the same value as the one returned by AccessController.getReadAccessPermission(UserIdentity, Set, Object). And the explanation should described the actual context that granted the right to allow final user to see if any context conversion happened

Specified by:

explainReadAccessPermission in interface AccessController

Overrides:

explainReadAccessPermission in class AbstractAccessController

Parameters:

user - the user to test

groups - the groups of the user

object - the right context to test

Returns:

an explanation of the access

explainPermission

public AccessExplanation explainPermission(UserIdentity user,
 Set<GroupIdentity> groups,
 String rightId,
 Object object)

Description copied from interface: AccessController

Explain the permission for a user on the given right context. The access result in the explanation MUST be the same value as the one returned by AccessController.getPermission(UserIdentity, Set, String, Object). And the explanation should described the actual context that granted the right to allow final user to see if any context conversion happened

Specified by:

explainPermission in interface AccessController

Overrides:

explainPermission in class AbstractAccessController

Parameters:

user - the user to test

groups - the groups of the user

rightId - the right to test

object - the right context to test

Returns:

an explanation of the access

_explainPermission

protected AccessExplanation _explainPermission(UserIdentity user,
 Set<GroupIdentity> userGroups,
 Set<String> profilesIds,
 Object object,
 Object convertedObject)

Works for explainPermission or explainReadAccessPermission

Parameters:

user - The use

userGroups - The groups

profilesIds - The profiles

object - The original context

convertedObject - The converted context

Returns:

the computed result

_getPermissionDetails

protected AbstractProfileStorageBasedAccessController.PermissionDetails _getPermissionDetails(UserIdentity user,
 Set<GroupIdentity> groups,
 Set<String> profilesIds,
 Object object,
 Object convertedObject)

Get the details of how a permission is granted or denied.

Parameters:

user - the user we want to determine permission

groups - the groups the groups the user belong to.

profilesIds - the profile we want to check

object - the object we are inspecting

convertedObject - the converted context

Returns:

the access result details

_buildExplanation

protected AccessExplanation _buildExplanation(AbstractProfileStorageBasedAccessController.PermissionDetails details)

Transform the permission details in an access explanation

Parameters:

details - the permission details

Returns:

the computed access explanation

_getObjectLabel

protected abstract I18nizableText _getObjectLabel(Object object)
                                           throws RightsException

Get the label describing the object that granted the right in the explanation.

Parameters:

object - the object that granted the right

Returns:

the label

Throws:

RightsException - when the object is not supported by the controller

explainReadAccessPermissionForAnyConnectedUser

public AccessExplanation explainReadAccessPermissionForAnyConnectedUser(Object object)

Description copied from interface: AccessController

Explain the read access permission for any connected user on the given right context. The access result in the explanation MUST be the same value as the one returned by AccessController.getReadAccessPermissionForAnyConnectedUser(Object). And the explanation should described the actual context that granted the right to allow final user to see if any context conversion happened

Specified by:

explainReadAccessPermissionForAnyConnectedUser in interface AccessController

Overrides:

explainReadAccessPermissionForAnyConnectedUser in class AbstractAccessController

Parameters:

object - the right context to test

Returns:

an explanation of the access

explainPermissionForAnyConnectedUser

public AccessExplanation explainPermissionForAnyConnectedUser(String rightId,
 Object object)

Description copied from interface: AccessController

Explain the permission for any connected user on the given right context. The access result in the explanation MUST be the same value as the one returned by AccessController.getPermissionForAnyConnectedUser(String, Object). And the explanation should described the actual context that granted the right to allow final user to see if any context conversion happened

Specified by:

explainPermissionForAnyConnectedUser in interface AccessController

Overrides:

explainPermissionForAnyConnectedUser in class AbstractAccessController

Parameters:

rightId - the right to test

object - the right context to test

Returns:

an explanation of the access

_explainPermissionForAnyConnectedUser

protected AccessExplanation _explainPermissionForAnyConnectedUser(Set<String> profilesIds,
 Object object,
 Object convertedObject)

Works for explainPermissionForAnyConnectedUser(String, Object) or explainReadAccessPermissionForAnyConnectedUser(Object)

Parameters:

profilesIds - The profiles

object - The original context

convertedObject - The converted context

Returns:

the computed result

_getPermissionDetailsForAnyConnectedUser

protected AbstractProfileStorageBasedAccessController.PermissionDetails _getPermissionDetailsForAnyConnectedUser(Set<String> profilesIds,
 Object object,
 Object convertedObject)

Get the details of how a permission is granted or denied.

Parameters:

profilesIds - the profile we want to check

object - the object we are inspecting

convertedObject - the converted context

Returns:

the access result details

explainReadAccessPermissionForAnonymous

public AccessExplanation explainReadAccessPermissionForAnonymous(Object object)

Description copied from interface: AccessController

Explain the read access permission for anonymous on the given right context. The access result in the explanation MUST be the same value as the one returned by AccessController.getReadAccessPermissionForAnonymous(Object). And the explanation should described the actual context that granted the right to allow final user to see if any context conversion happened

Specified by:

explainReadAccessPermissionForAnonymous in interface AccessController

Overrides:

explainReadAccessPermissionForAnonymous in class AbstractAccessController

Parameters:

object - the right context to test

Returns:

an explanation of the access

explainPermissionForAnonymous

public AccessExplanation explainPermissionForAnonymous(String rightId,
 Object object)

Description copied from interface: AccessController

Explain the permission for anonymous on the given right context. The access result in the explanation MUST be the same value as the one returned by AccessController.getPermissionForAnonymous(String, Object). And the explanation should described the actual context that granted the right to allow final user to see if any context conversion happened

Specified by:

explainPermissionForAnonymous in interface AccessController

Overrides:

explainPermissionForAnonymous in class AbstractAccessController

Parameters:

rightId - the right to test

object - the right context to test

Returns:

an explanation of the access

_explainPermissionForAnonymous

protected AccessExplanation _explainPermissionForAnonymous(Set<String> profilesIds,
 Object object,
 Object convertedObject)

Works for explainReadAccessPermissionForAnonymous(Object) or _explainPermissionForAnonymous(Set, Object, Object)

Parameters:

profilesIds - The profiles

object - The original context

convertedObject - The converted context

Returns:

the computed result

_getPermissionDetailsForAnonymous

protected AbstractProfileStorageBasedAccessController.PermissionDetails _getPermissionDetailsForAnonymous(Set<String> profilesIds,
 Object object,
 Object convertedObject)

Get the details of how a permission is granted or denied.

Parameters:

profilesIds - the profile we want to check

object - the object we are inspecting

convertedObject - the converted context

Returns:

the access result details