Prepare schema for task authorizations (MID-3121)

This is preliminary proposal only.
Evolveum · Aug 2, 2018 · 160549d · 160549d
1 parent 52d27b6
commit 160549d
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 1 deletion.
diff --git a/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd b/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd
@@ -11938,6 +11938,9 @@
 							<xsd:documentation>
 								The object matches the specification if it has an owner specified by this element.
 								The "owner" means a focus that has a link to the object.
+
+								LIMITATION: for search pre-processing this option is supported in a very limited way
+								(only for TaskType.ownerRef and AbstractRoleType.ownerRef and only for "self" owners).
 							</xsd:documentation>
 						</xsd:annotation>
 			        </xsd:element>
@@ -11954,7 +11957,38 @@
 							</xsd:appinfo>
 						</xsd:annotation>
 			        </xsd:element>
-		        </xsd:sequence>        	
+					<xsd:element name="requester" type="tns:SubjectedObjectSelectorType" minOccurs="0" maxOccurs="1">
+						<xsd:annotation>
+							<xsd:documentation>
+								The object matches the specification if it has a requester specified by this element.
+								(So it is applicable only for tasks and, in the future, case- and work items-like objects.)
+
+								LIMITATION: Supported only for TaskType and not for search pre-processing.
+							</xsd:documentation>
+						</xsd:annotation>
+					</xsd:element>
+					<xsd:element name="assignee" type="tns:SubjectedObjectSelectorType" minOccurs="0" maxOccurs="1">
+						<xsd:annotation>
+							<xsd:documentation>
+								The object matches the specification if it has a (current) assignee specified by this element.
+								(So it is applicable only for task-, case- and work item-like objects.)
+
+								LIMITATION: Supported only for TaskType with work items fully fetched; and not for search
+								pre-processing.
+							</xsd:documentation>
+						</xsd:annotation>
+					</xsd:element>
+					<xsd:element name="object" type="tns:SubjectedObjectSelectorType" minOccurs="0" maxOccurs="1">
+						<xsd:annotation>
+							<xsd:documentation>
+								The object matches the specification if it has a related object specified by this element.
+								(So it is applicable only for task-, case- and work item-like objects.)
+
+								LIMITATION: Supported only for TaskType; and for search pre-processing it is limited to "self".
+							</xsd:documentation>
+						</xsd:annotation>
+					</xsd:element>
+		        </xsd:sequence>
         	</xsd:extension>
         </xsd:complexContent>
 	</xsd:complexType>

diff --git a/...impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/SecurityEnforcerImpl.java b/...impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/SecurityEnforcerImpl.java
@@ -1165,7 +1165,9 @@ private <T extends ObjectType, O extends ObjectType> ObjectFilter preProcessObje
 									objectDefinition = prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(objectType);
 								}
 								// TODO: MID-3899
+								// TODO what if owner is specified not as "self" ?
 								if (AbstractRoleType.class.isAssignableFrom(objectType)) {
+									// TODO beware, role.ownerRef is deprecated
 									objSpecSecurityFilter = applyOwnerFilterOwnerRef(new ItemPath(AbstractRoleType.F_OWNER_REF), objSpecSecurityFilter,  principal, objectDefinition);
 								} else if (TaskType.class.isAssignableFrom(objectType)) {
 									objSpecSecurityFilter = applyOwnerFilterOwnerRef(new ItemPath(TaskType.F_OWNER_REF), objSpecSecurityFilter,  principal, objectDefinition);