diff --git a/src/com/opencms/core/CmsShellCommands.java b/src/com/opencms/core/CmsShellCommands.java
index 4fedcc204c6..90b0d8a4011 100644
--- a/src/com/opencms/core/CmsShellCommands.java
+++ b/src/com/opencms/core/CmsShellCommands.java
@@ -1,7 +1,7 @@
/*
* File : $Source: /alkacon/cvs/opencms/src/com/opencms/core/Attic/CmsShellCommands.java,v $
-* Date : $Date: 2003/06/13 10:04:20 $
-* Version: $Revision: 1.76 $
+* Date : $Date: 2003/06/13 16:15:55 $
+* Version: $Revision: 1.77 $
*
* This library is part of OpenCms -
* the Open Source Content Mananagement System
@@ -64,7 +64,7 @@
* @author Andreas Schouten
* @author Anders Fugmann
*
- * @version $Revision: 1.76 $ $Date: 2003/06/13 10:04:20 $
+ * @version $Revision: 1.77 $ $Date: 2003/06/13 16:15:55 $
*
* @see com.opencms.file.CmsObject
*/
@@ -112,34 +112,6 @@ public void acceptTask(String taskId) {
}
}
- /**
- * Checks, if the user may create this resource.
- *
- * @param resource the resource to check.
- */
- public void accessCreate(String resource) {
- try {
- System.out.println(m_cms.accessCreate(resource));
- }
- catch(Exception exc) {
- CmsShell.printException(exc);
- }
- }
-
- /**
- * Checks, if the user may lock this resource.
- *
- * @param resource the resource to check.
- */
- public void accessLock(String resource) {
- try {
- System.out.println(m_cms.accessLock(resource));
- }
- catch(Exception exc) {
- CmsShell.printException(exc);
- }
- }
-
/**
* Tests if the user can access the project.
*
@@ -155,20 +127,6 @@ public void accessProject(String id) {
}
}
- /**
- * Checks, if the user may read this resource.
- *
- * @param resource The resource to check.
- */
- public void accessRead(String resource) {
- try {
- System.out.println(m_cms.accessRead(resource));
- }
- catch(Exception exc) {
- CmsShell.printException(exc);
- }
- }
-
/**
* Tests if the user can write the resource.
*
diff --git a/src/com/opencms/core/I_CmsConstants.java b/src/com/opencms/core/I_CmsConstants.java
index c08c02edbf3..57f4c4eec6e 100755
--- a/src/com/opencms/core/I_CmsConstants.java
+++ b/src/com/opencms/core/I_CmsConstants.java
@@ -1,7 +1,7 @@
/*
* File : $Source: /alkacon/cvs/opencms/src/com/opencms/core/Attic/I_CmsConstants.java,v $
-* Date : $Date: 2003/06/13 10:04:20 $
-* Version: $Revision: 1.231 $
+* Date : $Date: 2003/06/13 16:15:55 $
+* Version: $Revision: 1.232 $
*
* This library is part of OpenCms -
* the Open Source Content Mananagement System
@@ -40,7 +40,7 @@
* @author Michaela Schleich
* @author Thomas Weckert
*
- * @version $Revision: 1.231 $ $Date: 2003/06/13 10:04:20 $
+ * @version $Revision: 1.232 $ $Date: 2003/06/13 16:15:55 $
*/
public interface I_CmsConstants {
@@ -366,22 +366,42 @@ public interface I_CmsConstants {
/**
* The permission to read a resource
*/
- final static int C_PERMISSION_READ = 1;
+ int C_PERMISSION_READ = 1;
/**
* The permission to write a resource
*/
- final static int C_PERMISSION_WRITE = 2;
+ int C_PERMISSION_WRITE = 2;
/**
* The permission to view a resource
*/
- final static int C_PERMISSION_VIEW = 4;
+ int C_PERMISSION_VIEW = 4;
+
+ /**
+ * The permission to control a resource
+ */
+ int C_PERMISSION_CONTROL = 8;
- // Constants used for checking access
- final static CmsPermissionSet C_READ_ACCESS = new CmsPermissionSet(I_CmsConstants.C_PERMISSION_READ);
- final static CmsPermissionSet C_WRITE_ACCESS = new CmsPermissionSet(I_CmsConstants.C_PERMISSION_WRITE);
- final static CmsPermissionSet C_VIEW_ACCESS = new CmsPermissionSet(I_CmsConstants.C_PERMISSION_VIEW);
+ /**
+ * Permission set to check read acces
+ */
+ CmsPermissionSet C_READ_ACCESS = new CmsPermissionSet(C_PERMISSION_READ);
+
+ /**
+ * Permission set to check write access
+ */
+ CmsPermissionSet C_WRITE_ACCESS = new CmsPermissionSet(C_PERMISSION_WRITE);
+
+ /**
+ * Permission set to check view access
+ */
+ CmsPermissionSet C_VIEW_ACCESS = new CmsPermissionSet(C_PERMISSION_VIEW);
+
+ /**
+ * Permission set to check control access
+ */
+ CmsPermissionSet C_CONTROL_ACCESS = new CmsPermissionSet(C_PERMISSION_CONTROL);
/**
* Group may read this resource
diff --git a/src/com/opencms/file/CmsObject.java b/src/com/opencms/file/CmsObject.java
index 4ca789d5ed0..90ef2a2e726 100755
--- a/src/com/opencms/file/CmsObject.java
+++ b/src/com/opencms/file/CmsObject.java
@@ -1,7 +1,7 @@
/*
* File : $Source: /alkacon/cvs/opencms/src/com/opencms/file/Attic/CmsObject.java,v $
-* Date : $Date: 2003/06/13 10:04:20 $
-* Version: $Revision: 1.284 $
+* Date : $Date: 2003/06/13 16:17:05 $
+* Version: $Revision: 1.285 $
*
* This library is part of OpenCms -
* the Open Source Content Mananagement System
@@ -80,7 +80,7 @@
* @author Alexander Kandzior (a.kandzior@alkacon.com)
* @author Michaela Schleich
*
- * @version $Revision: 1.284 $
+ * @version $Revision: 1.285 $
*/
public class CmsObject implements I_CmsConstants {
@@ -140,36 +140,7 @@ public CmsObject () {
public void acceptTask(int taskId) throws CmsException {
m_driverManager.acceptTask(m_context.currentUser(), m_context.currentProject(), taskId);
}
-/**
- * Checks, if the user may create this resource.
- *
- * @param resource the resource to check.
- * @return true
if the user has the appropriate rigths to create the resource; false
otherwise
- *
- * @throws CmsException if operation was not successful.
- */
-public boolean accessCreate(String resource) throws CmsException {
- try {
- return m_driverManager.accessCreate(m_context.currentUser(), m_context.currentProject(), getSiteRoot(resource));
- } catch (Exception exc) {
- throw new CmsException(CmsException.C_UNKNOWN_EXCEPTION, exc);
- }
-}
-/**
- * Checks, if the user may lock this resource.
- *
- * @param resource the resource to check.
- * @return true
if the user has the appropriate rights to lock this resource; false
otherwise
- *
- * @throws CmsException if operation was not successful.
- */
-public boolean accessLock(String resource) throws CmsException {
- try {
- return m_driverManager.accessLock(m_context.currentUser(), m_context.currentProject(), getSiteRoot(resource));
- } catch (Exception exc) {
- throw new CmsException(CmsException.C_UNKNOWN_EXCEPTION, exc);
- }
-}
+
/**
* Checks if the user can access the project.
*
@@ -181,21 +152,7 @@ public boolean accessLock(String resource) throws CmsException {
public boolean accessProject(int projectId) throws CmsException {
return (m_driverManager.accessProject(m_context.currentUser(), m_context.currentProject(), projectId));
}
-/**
- * Checks, if the user may read this resource.
- *
- * @param resource The resource to check.
- * @return true
, if the user has the appropriate rigths to read the resource; false
otherwise.
- *
- * @throws CmsException if operation was not successful.
- */
-public boolean accessRead(String resource) throws CmsException {
- try {
- return m_driverManager.accessRead(m_context.currentUser(), m_context.currentProject(), getSiteRoot(resource));
- } catch (Exception exc) {
- throw new CmsException(CmsException.C_UNKNOWN_EXCEPTION, exc);
- }
-}
+
/**
* Checks, if the user may write this resource.
*
diff --git a/src/org/opencms/db/CmsDriverManager.java b/src/org/opencms/db/CmsDriverManager.java
index 5e668232538..0ca18663c3a 100644
--- a/src/org/opencms/db/CmsDriverManager.java
+++ b/src/org/opencms/db/CmsDriverManager.java
@@ -1,7 +1,7 @@
/*
* File : $Source: /alkacon/cvs/opencms/src/org/opencms/db/CmsDriverManager.java,v $
- * Date : $Date: 2003/06/13 13:17:22 $
- * Version: $Revision: 1.3 $
+ * Date : $Date: 2003/06/13 16:17:55 $
+ * Version: $Revision: 1.4 $
*
* This library is part of OpenCms -
* the Open Source Content Mananagement System
@@ -71,7 +71,7 @@
/**
* This is the driver manager.
*
- * @version $Revision: 1.3 $ $Date: 2003/06/13 13:17:22 $
+ * @version $Revision: 1.4 $ $Date: 2003/06/13 16:17:55 $
* @author Thomas Weckert (t.weckert@alkacon.com)
* @author Carsten Weinholz (c.weinholz@alkacon.com)
* @since 5.1
@@ -109,7 +109,7 @@ public boolean equals(Object obj) {
/**
* Inner class to define the access policy when checking permissions on vfs operations.
*
- * @version $Revision: 1.3 $ $Date: 2003/06/13 13:17:22 $
+ * @version $Revision: 1.4 $ $Date: 2003/06/13 16:17:55 $
* @author Carsten Weinholz (c.weinholz@alkacon.com)
*/
class VfsAccessGuard extends CmsAccessGuard {
@@ -216,6 +216,55 @@ public CmsPermissionSet evaluatePermissions(CmsResource resource, int checks) t
}
}
+ /**
+ * Inner class to define the access policy when checking permissions on user operations.
+ *
+ * @version $Revision: 1.4 $ $Date: 2003/06/13 16:17:55 $
+ * @author Carsten Weinholz (c.weinholz@alkacon.com)
+ */
+ class UserAccessGuard extends CmsAccessGuard {
+
+ /*
+ * Sets of checks
+ */
+ public static final int C_CHECK_DEFAULT = 0;
+
+ /**
+ * Constructor to create a new access guard to secure user access operations for a given user in a given project.
+ *
+ * @param user the user that requests access (typically the current user)
+ * @param project the project in which the permissions are evaluated (typically the current project)
+ * @param checks flags to define which permission constraints are performed
+ */
+ public UserAccessGuard(CmsUser user, CmsProject project, int checks) {
+ super(user, project, checks);
+ }
+
+ /**
+ * Evaluates the permissions of the given user on a resource within a given project by
+ * calculating a permission set following a certain policy.
+ *
+ * @param resource the resource on which permissions are required
+ * @param checks flags to define the checks performed when evaluating the permissions
+ *
+ * @return a set of allowed and denied permissions for the given user on the resource
+ * @throws CmsException if something goes wrong
+ * @see org.opencms.security.CmsAccessGuard#evaluatePermissions(com.opencms.file.CmsResource, int)
+ */
+ public CmsPermissionSet evaluatePermissions(CmsResource resource, int checks) throws CmsException {
+
+ if (isAdmin(getUser(),getProject())) {
+ // if the current user is administrator, anything is allowed
+ return new CmsPermissionSet(~0);
+
+ } else {
+ // otherwise, get the permissions from the access control list
+ CmsAccessControlList acl = getAccessControlList(getUser(), getProject(), resource);
+ return acl.getPermissions(getUser(), getGroupsOfUser(getUser(),getUser().getName()));
+ }
+ }
+ }
+
/**
* Constant to count the file-system changes.
*/
@@ -556,252 +605,7 @@ public void acceptTask(CmsUser currentUser, CmsProject currentProject, int taskI
task = m_workflowDriver.writeTask(task);
m_workflowDriver.writeSystemTaskLog(taskId, "Task was accepted from " + currentUser.getFirstname() + " " + currentUser.getLastname() + ".");
}
-
- /**
- * Checks, if the user may create this resource.
- *
- * @param currentUser The user who requested this method.
- * @param currentProject The current project of the user.
- * @param resource The resource to check.
- *
- * @return wether the user has access, or not.
- */
- public boolean accessCreate(CmsUser currentUser, CmsProject currentProject,
- CmsResource resource) throws CmsException {
-
- // check, if this is the onlineproject
- if(currentProject.isOnlineProject()){
- // the online-project is not writeable!
- return(false);
- }
-
- // check the access to the project
- if( ! accessProject(currentUser, currentProject, currentProject.getId()) ) {
- // no access to the project!
- return(false);
- }
-
- // check if the resource belongs to the current project
- if(resource.getProjectId() != currentProject.getId()) {
- return false;
- }
-
- // is the resource locked?
- if( resource.isLocked() && (!resource.isLockedBy().equals(currentUser.getId()) ||
- (resource.getLockedInProject() != currentProject.getId() &&
- currentProject.getFlags() != C_PROJECT_STATE_INVISIBLE)) ) {
- // resource locked by another user, no creation allowed
- return(false);
- }
-
- // check the rights for the current resource
- if (! getVfsAccessGuard(currentUser, currentProject).check(resource, C_WRITE_ACCESS, false))
- return false;
-
- // TODO: remove old access check
- //if( ! ( accessOther(resource, C_ACCESS_PUBLIC_WRITE) ||
- // accessOwner(currentUser, currentProject, resource, C_PERMISSION_WRITE) ||
- // accessGroup(currentUser, currentProject, resource, C_ACCESS_GROUP_WRITE) ) ) {
- // // no write access to this resource!
- // return false;
- //}
-
- // read the parent folder
- if(resource.getParent() != null) {
- // readFolder without checking access
- resource = m_vfsDriver.readFolder(resource.getProjectId(), resource.getRootName()+resource.getParent());
- } else {
- // no parent folder!
- return true;
- }
-
- // check the rights and if the resource is not locked
- do {
- //if( accessOther(resource, C_ACCESS_PUBLIC_READ) ||
- // accessOwner(currentUser, currentProject, resource, C_PERMISSION_READ) ||
- // accessGroup(currentUser, currentProject, resource, C_ACCESS_GROUP_READ) ) {
-
- // is the resource locked?
- if( resource.isLocked() && !resource.isLockedBy().equals(currentUser.getId()) ) {
- // resource locked by anopther user, no creation allowed
- return(false);
- }
-
- // read next resource
- if(resource.getParent() != null) {
- // readFolder without checking access
- resource = m_vfsDriver.readFolder(resource.getProjectId(), resource.getRootName()+resource.getParent());
- }
- // } else {
- // last check was negative
- // return(false);
- // }
- } while(resource.getParent() != null);
-
- // all checks are done positive
- return(true);
- }
- /**
- * Checks, if the user may create this resource.
- *
- * @param currentUser The user who requested this method.
- * @param currentProject The current project of the user.
- * @param resource The resource to check.
- *
- * @return wether the user has access, or not.
- */
- public boolean accessCreate(CmsUser currentUser, CmsProject currentProject,
- String resourceName) throws CmsException {
-
- CmsResource resource = m_vfsDriver.readFileHeader(currentProject.getId(), resourceName, false);
- return accessCreate(currentUser, currentProject, resource);
- }
- /**
- * Checks, if the group may access this resource.
- *
- * @param currentUser The user who requested this method.
- * @param currentProject The current project of the user.
- * @param resource The resource to check.
- * @param flags The flags to check.
- *
- * @return wether the user has access, or not.
- *//*
- protected boolean accessGroup(CmsUser currentUser, CmsProject currentProject,
- CmsResource resource, int flags)
- throws CmsException {
-
- // is the user in the group for the resource?
- if(userInGroup(currentUser, currentProject, currentUser.getName(),
- readGroup(currentUser, currentProject,
- resource).getName())) {
- if( (resource.getAccessFlags() & flags) == flags ) {
- return true;
- }
- }
- // the resource isn't accesible by the user.
-
- return false;
-
- }*/
- /**
- * Checks, if the user may lock this resource.
- *
- * @param currentUser The user who requested this method.
- * @param currentProject The current project of the user.
- * @param resource The resource to check.
- *
- * @return wether the user may lock this resource, or not.
- */
- public boolean accessLock(CmsUser currentUser, CmsProject currentProject,
- CmsResource resource) throws CmsException {
- // check, if this is the onlineproject
- if(currentProject.isOnlineProject()){
- // the online-project is not writeable!
- return(false);
- }
-
- // check the access to the project
- if( ! accessProject(currentUser, currentProject, currentProject.getId()) ) {
- // no access to the project!
- return(false);
- }
-
- // check if the resource belongs to the current project
- if(resource.getProjectId() != currentProject.getId()) {
- return false;
- }
-
- // read the parent folder
- if(resource.getParent() != null) {
- // readFolder without checking access
- resource = m_vfsDriver.readFolder(resource.getProjectId(), resource.getRootName()+resource.getParent());
- } else {
- // no parent folder!
- return true;
- }
-
- // check the rights and if the resource is not locked
- do {
- // is the resource locked?
- if( resource.isLocked() && ((!resource.isLockedBy().equals(currentUser.getId())) ||
- (resource.getLockedInProject() != currentProject.getId() &&
- currentProject.getFlags() != C_PROJECT_STATE_INVISIBLE)) ) {
- // resource locked by anopther user, no creation allowed
- return(false);
- }
-
- // read next resource
- if(resource.getParent() != null) {
- // readFolder without checking access
- resource = m_vfsDriver.readFolder(resource.getProjectId(), resource.getRootName()+resource.getParent());
- }
- } while(resource.getParent() != null);
-
- // all checks are done positive
- return(true);
- }
- /**
- * Checks, if the user may lock this resource.
- *
- * @param currentUser The user who requested this method.
- * @param currentProject The current project of the user.
- * @param resource The resource to check.
- *
- * @return wether the user may lock this resource, or not.
- */
- public boolean accessLock(CmsUser currentUser, CmsProject currentProject,
- String resourceName) throws CmsException {
-
- CmsResource resource = m_vfsDriver.readFileHeader(currentProject.getId(), resourceName, false);
- return accessLock(currentUser,currentProject,resource);
- }
-/**
- * Checks, if others may access this resource.
- *
- * @param resource The resource to check.
- * @param flags The flags to check.
- *
- * @return wether the user has access, or not.
- *//*
-protected boolean accessOther(CmsResource resource, int flags) throws CmsException
-{
- if ((resource.getAccessFlags() & flags) == flags)
- {
- return true;
- }
- else
- {
- return false;
- }
- }*/
-
- /**
- * Checks, if the owner may access this resource.
- *
- * @param currentUser The user who requested this method.
- * @param currentProject The current project of the user.
- * @param resource The resource to check.
- * @param flags The flags to check.
- *
- * @return wether the user has access, or not.
- *//*
- protected boolean accessOwner(CmsUser currentUser, CmsProject currentProject,
- CmsResource resource, int flags)
- throws CmsException {
- // The Admin has always access
- if( isAdmin(currentUser, currentProject) ) {
- return(true);
- }
- // is the resource owned by this user?
- if(resource.getOwnerId().equals(currentUser.getId())) {
- if( (resource.getAccessFlags() & flags) == flags ) {
- return true ;
- }
- }
- // the resource isn't accesible by the user.
- return false;
- }*/
-
+
// Methods working with projects
/**
@@ -845,137 +649,7 @@ public boolean accessProject(CmsUser currentUser, CmsProject currentProject, int
}
return (false);
}
-
- /**
- * Checks if the user may read this resource.
- * NOTE: If the ressource is in the project you never have to fallback.
- *
- * @param currentUser The user who requested this method.
- * @param currentProject The current project of the user.
- * @param resource The resource to check.
- *
- * @return weather the user has access, or not.
- */
- public boolean accessRead(CmsUser currentUser, CmsProject currentProject, CmsResource resource) throws CmsException {
- String cacheKey = getCacheKey(null, currentUser, new CmsProject(currentProject.getId(), -1), resource.getResourceName());
- Boolean access = (Boolean)m_accessCache.get(cacheKey);
-
- if (access != null) {
- return access.booleanValue();
- } else {
- if ( (resource == null)
- || !accessProject(currentUser, currentProject, resource.getProjectId())
- || ! getVfsAccessGuard(currentUser, currentProject).check(resource, C_READ_ACCESS, false)) {
-
- // ( !accessOther(resource, C_ACCESS_PUBLIC_READ)
- // && !accessOwner(currentUser, currentProject, resource, C_PERMISSION_READ)
- // && !accessGroup(currentUser, currentProject, resource, C_ACCESS_GROUP_READ))) {
-
- m_accessCache.put(cacheKey, new Boolean(false));
- return false;
- }
-
- // check the rights for all
- /*
- CmsResource res = resource; // save the original resource name to be used if an error occurs.
- while (res.getParent() != null) {
- // readFolder without checking access
- res = m_vfsDriver.readFolder(currentProject.getId(), res.getRootName() + res.getParent());
- if (res == null) {
- if (I_CmsLogChannels.C_PREPROCESSOR_IS_LOGGING && A_OpenCms.isLogging()) {
- A_OpenCms.log(A_OpenCms.C_OPENCMS_DEBUG, "Resource has no parent: " + resource.getAbsolutePath());
- }
- throw new CmsException(getClass().getName() + ".accessRead(): Cannot find \'" + resource.getName(), CmsException.C_NOT_FOUND);
- }
- if ( !accessOther(res, C_ACCESS_PUBLIC_READ)
- && !accessOwner(currentUser, currentProject, res, C_PERMISSION_READ)
- && !accessGroup(currentUser, currentProject, res, C_ACCESS_GROUP_READ)) {
-
- m_accessCache.put(cacheKey, new Boolean(false));
- return false;
- }
- }
- */
- m_accessCache.put(cacheKey, new Boolean(true));
- return true;
- }
- }
-
- /**
- * Checks if the user may read this resource.
- * NOTE: If the ressource is in the project you never have to fallback.
- *
- * @param currentUser The user who requested this method.
- * @param currentProject The current project of the user.
- * @param resource The resource to check.
- *
- * @return weather the user has access, or not.
- */
- public boolean accessRead(CmsUser currentUser, CmsProject currentProject, String resourceName) throws CmsException {
-
- //System.err.println("Accessing: " + currentProject.getId() + resourceName);
- CmsResource resource = m_vfsDriver.readFileHeader(currentProject.getId(), resourceName, false);
- return accessRead(currentUser, currentProject, resource);
- }
-
- /**
- * Checks, if the user may unlock this resource.
- *
- * @param currentUser The user who requested this method.
- * @param currentProject The current project of the user.
- * @param resource The resource to check.
- *
- * @return wether the user may unlock this resource, or not.
- */
- public boolean accessUnlock(CmsUser currentUser, CmsProject currentProject,
- CmsResource resource)
- throws CmsException {
- // check, if this is the onlineproject
- if(currentProject.isOnlineProject()){
- // the online-project is not writeable!
- return(false);
- }
-
- // check the access to the project
- if( ! accessProject(currentUser, currentProject, currentProject.getId()) ) {
- // no access to the project!
- return(false);
- }
-
- // check if the resource belongs to the current project
- if(resource.getProjectId() != currentProject.getId()) {
- return false;
- }
-
- // read the parent folder
- if(resource.getParent() != null) {
- // readFolder without checking access
- resource = m_vfsDriver.readFolder(resource.getProjectId(), resource.getRootName()+resource.getParent());
- } else {
- // no parent folder!
- return true;
- }
-
-
- // check if the resource is not locked
- do {
- // is the resource locked?
- if( resource.isLocked() ) {
- // resource locked by anopther user, no creation allowed
- return(false);
- }
-
- // read next resource
- if(resource.getParent() != null) {
- // readFolder without checking access
- resource = m_vfsDriver.readFolder(resource.getProjectId(), resource.getRootName()+resource.getParent());
- }
- } while(resource.getParent() != null);
-
- // all checks are done positive
- return(true);
- }
/**
* Checks, if the user may write this resource.
*
@@ -997,7 +671,7 @@ public boolean accessWrite(CmsUser currentUser, CmsProject currentProject,
}
// check the access to the project
- if( ! accessProject(currentUser, currentProject, currentProject.getId()) ) {
+ if(! accessProject(currentUser, currentProject, currentProject.getId())) {
// no access to the project!
return(false);
}
@@ -1067,12 +741,13 @@ public boolean accessWrite(CmsUser currentUser, CmsProject currentProject,
// all checks are done positive
return(true);
}
+
/**
* Checks, if the user may write this resource.
*
* @param currentUser The user who requested this method.
* @param currentProject The current project of the user.
- * @param resource The resource to check.
+ * @param resourceName The name of the resource to check.
*
* @return wether the user has access, or not.
*/
@@ -1082,81 +757,27 @@ public boolean accessWrite(CmsUser currentUser, CmsProject currentProject,
CmsResource resource = m_vfsDriver.readFileHeader(currentProject.getId(), resourceName, false);
return accessWrite(currentUser,currentProject,resource);
}
+
/**
- * Checks, if the user may write the unlocked resource.
- *
- * @param currentUser The user who requested this method.
- * @param currentProject The current project of the user.
- * @param resource The resource to check.
- *
- * @return wether the user has access, or not.
- */
- public boolean accessWriteUnlocked(CmsUser currentUser, CmsProject currentProject,
- CmsResource resource) throws CmsException {
-
-
- // check, if this is the onlineproject
-
- if(currentProject.isOnlineProject()){
- // the online-project is not writeable!
- return(false);
- }
-
- // check the access to the project
- if( ! accessProject(currentUser, currentProject, currentProject.getId()) ) {
- // no access to the project!
- return(false);
- }
-
- // check if the resource belongs to the current project
- if(resource.getProjectId() != currentProject.getId()) {
- return false;
- }
-
- // check the rights for the current resource
- if (!getVfsAccessGuard(currentUser, currentProject).check(resource, C_WRITE_ACCESS, false))
- return false;
-
- // read the parent folder
- if(resource.getParent() != null) {
- // readFolder without checking access
- resource = m_vfsDriver.readFolder(resource.getProjectId(), resource.getRootName()+resource.getParent());
- } else {
- // no parent folder!
- return true;
- }
-
-
- // check the rights and if the resource is not locked
- // for parent folders only read access is needed
- do {
- //if( accessOther(resource, C_ACCESS_PUBLIC_READ) ||
- // accessOwner(currentUser, currentProject, resource, C_PERMISSION_READ) ||
- // accessGroup(currentUser, currentProject, resource, C_ACCESS_GROUP_READ) ) {
-
- // is the resource locked?
- if( resource.isLocked() && (!resource.isLockedBy().equals(currentUser.getId()) ) ) {
- // resource locked by anopther user, no creation allowed
- return(false);
- }
-
- // read next resource
- if(resource.getParent() != null) {
- // readFolder without checking access
- resource = m_vfsDriver.readFolder(resource.getProjectId(), resource.getRootName()+resource.getParent());
- }
- //} else {
- // // last check was negative
- // return(false);
- //}
- } while(resource.getParent() != null);
-
- // all checks are done positive
- return(true);
+ * Returns an instance of the vfs access guard performing permission checks for vfs operations.
+ *
+ * @param currentUser the user who requested this method
+ * @param currentProject the current project of the user
+ * @return an initialized instance of CmsAccessGuard
+ */
+ public CmsAccessGuard getVfsAccessGuard(CmsUser currentUser, CmsProject currentProject) {
+ return new VfsAccessGuard(currentUser, currentProject, VfsAccessGuard.C_CHECK_DEFAULT);
}
- public CmsAccessGuard getVfsAccessGuard(CmsUser currentUser, CmsProject currentProject) {
- return new VfsAccessGuard(currentUser, currentProject, VfsAccessGuard.C_CHECK_DEFAULT);
+ /**
+ * Returns an instance of the user access guard performing permission checks for user operations.
+ *
+ * @param currentUser the user who requested this method
+ * @param currentProject the current project of the user
+ * @return an initialized instance of CmsAccessGuard
+ */
+ public CmsAccessGuard getUserAccessGuard(CmsUser currentUser, CmsProject currentProject) {
+ return new UserAccessGuard(currentUser, currentProject, UserAccessGuard.C_CHECK_DEFAULT);
}
/**
@@ -1845,9 +1466,11 @@ public void copyFile(CmsUser currentUser, CmsProject currentProject, String sour
ListIterator aceList = m_userDriver.getAccessControlEntries(currentProject, sourceFile.getResourceAceId(), false).listIterator();
while (aceList.hasNext()) {
CmsAccessControlEntry ace = (CmsAccessControlEntry) aceList.next();
- createAccessControlEntry(currentUser, currentProject, newResource, ace.getPrincipal(), ace.getPermissions(), ace.getFlags());
+ m_userDriver.createAccessControlEntry(currentProject, newResource.getResourceAceId(), ace.getPrincipal(), ace.getPermissions().getAllowedPermissions(), ace.getPermissions().getDeniedPermissions(), ace.getFlags());
+
}
-
+
+ clearAccessControlListCache();
m_accessCache.clear();
// inform about the file-system-change
fileSystemChanged(sourceFile.isFolder());
@@ -1900,9 +1523,10 @@ public void copyFolder(CmsUser currentUser, CmsProject currentProject,
ListIterator aceList = getAccessControlEntries(currentUser, currentProject, folder,false).listIterator();
while (aceList.hasNext()) {
CmsAccessControlEntry ace = (CmsAccessControlEntry)aceList.next();
- createAccessControlEntry(currentUser, currentProject, newResource, ace.getPrincipal(), ace.getPermissions(), ace.getFlags());
+ m_userDriver.createAccessControlEntry(currentProject, newResource.getResourceAceId(), ace.getPrincipal(), ace.getPermissions().getAllowedPermissions(), ace.getPermissions().getDeniedPermissions(), ace.getFlags());
}
-
+
+ clearAccessControlListCache();
m_resourceListCache.clear();
m_accessCache.clear();
// inform about the file-system-change
@@ -2030,9 +1654,7 @@ public int countLockedResources(CmsUser currentUser, CmsProject currentProject,
* @param currentUser The user who owns this file.
* @param currentGroup The group who owns this file.
* @param currentProject The project in which the resource will be used.
- * @param folder The complete m_path to the folder in which the new folder will
- * be created.
- * @param file The name of the new file (No pathinformation allowed).
+ * @param newFileName The name of the new file
* @param contents The contents of the new file.
* @param type The name of the resourcetype of the new file.
* @param propertyinfos A Hashtable of propertyinfos, that should be set for this folder.
@@ -2050,7 +1672,16 @@ public CmsFile createFile(CmsUser currentUser, CmsGroup currentGroup, CmsProject
// checks, if the filename is valid, if not it throws a exception
validFilename(resourceName);
-
+
+ // checks, if the type is valid, i.e. the user can create files of this type
+ // we can't utilize the access guard to do this, since it needs a resource to check
+ // TODO: preliminary version - improve later
+ I_CmsResourceType resType = getResourceType(currentUser, currentProject, type);
+ if(("XMLTemplate".equals(resType.getResourceTypeName())||"jsp".equals(resType.getResourceTypeName()))
+ && !isAdmin(currentUser, currentProject)) {
+ throw new CmsException("[" + this.getClass().getName() + "] " + resourceName, CmsException.C_NO_ACCESS);
+ }
+
CmsFolder cmsFolder = readFolder(currentUser, currentProject, folderName);
// check if the user has write access to the destination folder
@@ -2610,14 +2241,15 @@ public void deleteFile(CmsUser currentUser, CmsProject currentProject,
deleteAllProperties(currentUser,currentProject,file.getResourceName());
m_vfsDriver.removeFile(currentProject.getId(), filename);
// remove the access control entries
- removeAllAccessControlEntries(currentUser, currentProject, file);
+ m_userDriver.removeAllAccessControlEntries(currentProject,file.getResourceAceId());
} else {
m_vfsDriver.deleteFile(currentProject, filename);
// delete the access control entries
deleteAllAccessControlEntries(currentUser, currentProject, file);
}
// update the cache
- this.clearResourceCache(filename, currentProject, currentUser);
+ clearAccessControlListCache();
+ clearResourceCache(filename, currentProject, currentUser);
m_accessCache.clear();
// inform about the file-system-change
@@ -2670,14 +2302,16 @@ public void deleteFolder(CmsUser currentUser, CmsProject currentProject,
deleteAllProperties(currentUser,currentProject, cmsFolder.getResourceName());
m_vfsDriver.removeFolder(currentProject.getId(),cmsFolder);
// remove the access control entries
- removeAllAccessControlEntries(currentUser, currentProject, cmsFolder);
+ m_userDriver.removeAllAccessControlEntries(currentProject,cmsFolder.getResourceAceId());
+
} else {
m_vfsDriver.deleteFolder(currentProject,cmsFolder);
// delete the access control entries
deleteAllAccessControlEntries(currentUser, currentProject, cmsFolder);
}
// update cache
- this.clearResourceCache(foldername, currentProject, currentUser);
+ clearAccessControlListCache();
+ clearResourceCache(foldername, currentProject, currentUser);
m_accessCache.clear();
// inform about the file-system-change
fileSystemChanged(true);
@@ -2810,7 +2444,7 @@ public void deleteProject(CmsUser currentUser, CmsProject currentProject,
// delete the file
m_vfsDriver.removeFile(id, currentFile.getResourceName());
// remove the access control entries
- removeAllAccessControlEntries(currentUser, currentProject, currentFile);
+ m_userDriver.removeAllAccessControlEntries(currentProject,currentFile.getResourceAceId());
} else if (currentFile.getState() == C_STATE_CHANGED){
if(!currentFile.isLocked()){
// lock the resource
@@ -2860,11 +2494,12 @@ public void deleteProject(CmsUser currentUser, CmsProject currentProject,
CmsFolder delFolder = ((CmsFolder) deletedFolders.elementAt(i));
m_vfsDriver.removeFolder(id, delFolder);
// remove the access control entries
- removeAllAccessControlEntries(currentUser, currentProject, delFolder);
+ m_userDriver.removeAllAccessControlEntries(currentProject,delFolder.getResourceAceId());
}
// unlock all resources in the project
m_projectDriver.unlockProject(deleteProject);
- this.clearResourceCache();
+ clearAccessControlListCache();
+ clearResourceCache();
// delete the project
m_projectDriver.deleteProject(deleteProject);
m_projectCache.remove(new Integer(id));
@@ -6434,12 +6069,15 @@ public Vector readProjectLogs(CmsUser currentUser, CmsProject currentProject,
* Looks up a specified property with optional direcory upward cascading.
*
* Security:
- * Only a user is granted who has the right to read the resource.
+ * Only a user is granted who has the right to read or to view the resource.
+ *
+ * Note: view instead of read permission is required intentionally, since the
+ * workplace needs properties when displaying file and folder lists.
*
* @param currentUser the current user
* @param currentProject the current project of the user
* @param resource the resource to look up the property for
- * @param siteroot the site root where to stop the cascading
+ * @param siteRoot the site root where to stop the cascading
* @param property the name of the property to look up
* @param search if true
, the property will be looked up on all parent folders
* if it is not attached to the the resource, if false not (ie. normal
@@ -6452,8 +6090,10 @@ public String readProperty(CmsUser currentUser, CmsProject currentProject, Strin
// read the resource
CmsResource res = readFileHeader(currentUser, currentProject, resource);
- // check the security
- getVfsAccessGuard(currentUser, currentProject).check(res, C_READ_ACCESS);
+ // check the security
+ CmsAccessGuard accessGuard = getVfsAccessGuard(currentUser, currentProject);
+ if (!(accessGuard.check(res, C_VIEW_ACCESS, false) && accessGuard.check(res,C_READ_ACCESS, false)))
+ throw new CmsException("[" + this.getClass().getName() + "] " + resource, CmsException.C_NO_ACCESS);
search = search && (siteRoot != null);
// check if we have the result already cached
@@ -6512,12 +6152,15 @@ public String readProperty(CmsUser currentUser, CmsProject currentProject, Strin
* resource (or it's parent folders in case search is set to true
).
*
* Security:
- * Only a user is granted who has the right to read the resource.
+ * Only a user is granted who has the right to read or to view the resource.
+ *
+ * Note: view instead of read permission is required intentionally, since the
+ * workplace needs properties when displaying file and folder lists.
*
* @param currentUser the current user
* @param currentProject the current project of the user
* @param resource the resource to look up the property for
- * @param siteroot the site root where to stop the cascading
+ * @param siteRoot the site root where to stop the cascading
* @param property the name of the property to look up
* @param search if true
, the property will be looked up on all parent folders
* if it is not attached to the the resource, if false
not (ie. normal
@@ -6540,7 +6183,10 @@ public String readProperty(CmsUser currentUser, CmsProject currentProject, Strin
* Looks up all properties for a resource with optional direcory upward cascading.
* * Security: - * Only a user is granted who has the right to read the resource. + * Only a user is granted who has the right to read or to view the resource. + * + * Note: view instead of read permission is required intentionally, since the + * workplace needs properties when displaying file and folder lists. * * @param currentUser the current user * @param currentProject the current project of the user @@ -6557,7 +6203,10 @@ public Map readProperties(CmsUser currentUser, CmsProject currentProject, String CmsResource res = readFileHeader(currentUser, currentProject, resource); // check the security - getVfsAccessGuard(currentUser, currentProject).check(res, C_READ_ACCESS); + CmsAccessGuard accessGuard = getVfsAccessGuard(currentUser, currentProject); + if (!accessGuard.check(res, C_VIEW_ACCESS, false) || !accessGuard.check(res,C_READ_ACCESS, false)) + throw new CmsException("[" + this.getClass().getName() + "] " + resource, CmsException.C_NO_ACCESS); + search = search && (siteRoot != null); // check if we have the result already cached @@ -7508,14 +7157,15 @@ public void unlockProject(CmsUser currentUser, CmsProject currentProject, int id * Security: * Access is granted, if: *
* - * @version $Revision: 1.2 $ $Date: 2003/06/13 14:48:16 $ + * @version $Revision: 1.3 $ $Date: 2003/06/13 16:17:55 $ * @author Thomas Weckert (t.weckert@alkacon.com) * @author Carsten Weinholz (c.weinholz@alkacon.com) * @since 5.1 @@ -742,9 +742,9 @@ public void fillDefaults() throws CmsException { siteRootId = rootFolder.getId(); // create the access control entries - m_driverManager.getUserDriver().createAccessControlEntry(online,rootFolder.getResourceAceId(),administrators.getId(),I_CmsConstants.C_PERMISSION_READ|I_CmsConstants.C_PERMISSION_WRITE|I_CmsConstants.C_PERMISSION_VIEW,0,I_CmsConstants.C_ACCESSFLAGS_INHERITED); - m_driverManager.getUserDriver().createAccessControlEntry(online,rootFolder.getResourceAceId(),projectleader.getId(),I_CmsConstants.C_PERMISSION_READ|I_CmsConstants.C_PERMISSION_WRITE|I_CmsConstants.C_PERMISSION_VIEW,0,I_CmsConstants.C_ACCESSFLAGS_INHERITED); - m_driverManager.getUserDriver().createAccessControlEntry(online,rootFolder.getResourceAceId(),users.getId(),I_CmsConstants.C_PERMISSION_READ|I_CmsConstants.C_PERMISSION_WRITE|I_CmsConstants.C_PERMISSION_VIEW,0,I_CmsConstants.C_ACCESSFLAGS_INHERITED); + m_driverManager.getUserDriver().createAccessControlEntry(online,rootFolder.getResourceAceId(),administrators.getId(),I_CmsConstants.C_PERMISSION_READ|I_CmsConstants.C_PERMISSION_WRITE|I_CmsConstants.C_PERMISSION_VIEW|I_CmsConstants.C_PERMISSION_CONTROL,0,I_CmsConstants.C_ACCESSFLAGS_INHERITED); + m_driverManager.getUserDriver().createAccessControlEntry(online,rootFolder.getResourceAceId(),projectleader.getId(),I_CmsConstants.C_PERMISSION_READ|I_CmsConstants.C_PERMISSION_WRITE|I_CmsConstants.C_PERMISSION_VIEW|I_CmsConstants.C_PERMISSION_CONTROL,0,I_CmsConstants.C_ACCESSFLAGS_INHERITED); + m_driverManager.getUserDriver().createAccessControlEntry(online,rootFolder.getResourceAceId(),users.getId(),I_CmsConstants.C_PERMISSION_READ|I_CmsConstants.C_PERMISSION_WRITE|I_CmsConstants.C_PERMISSION_VIEW|I_CmsConstants.C_PERMISSION_CONTROL,0,I_CmsConstants.C_ACCESSFLAGS_INHERITED); m_driverManager.getUserDriver().createAccessControlEntry(online,rootFolder.getResourceAceId(),guests.getId(),I_CmsConstants.C_PERMISSION_READ|I_CmsConstants.C_PERMISSION_VIEW,0,I_CmsConstants.C_ACCESSFLAGS_INHERITED); // create the folder for the virtual file system diff --git a/src/org/opencms/security/CmsPermissionSet.java b/src/org/opencms/security/CmsPermissionSet.java index 052fc05e66f..7509c0595f7 100644 --- a/src/org/opencms/security/CmsPermissionSet.java +++ b/src/org/opencms/security/CmsPermissionSet.java @@ -1,7 +1,7 @@ /* * File : $Source: /alkacon/cvs/opencms/src/org/opencms/security/CmsPermissionSet.java,v $ - * Date : $Date: 2003/06/13 10:03:10 $ - * Version: $Revision: 1.1 $ + * Date : $Date: 2003/06/13 16:17:55 $ + * Version: $Revision: 1.2 $ * * This library is part of OpenCms - * the Open Source Content Mananagement System @@ -37,7 +37,7 @@ /** * A permission set contains both allowed and denied permissions as bitsets.
* - * @version $Revision: 1.1 $ $Date: 2003/06/13 10:03:10 $ + * @version $Revision: 1.2 $ $Date: 2003/06/13 16:17:55 $ * @author Carsten Weinholz (c.weinholz@alkacon.com) */ public class CmsPermissionSet { @@ -52,9 +52,6 @@ public class CmsPermissionSet { */ int m_denied; - int m_flags; - - /** * Constructor to create an empty permission set. */ @@ -62,7 +59,6 @@ public CmsPermissionSet() { m_allowed = 0; m_denied = 0; - m_flags = 0; } /** @@ -74,7 +70,6 @@ public CmsPermissionSet (int allowedPermissions) { m_allowed = allowedPermissions; m_denied = 0; - m_flags = 0; } /** @@ -87,7 +82,6 @@ public CmsPermissionSet(int allowedPermissions, int deniedPermissions) { m_allowed = allowedPermissions; m_denied = deniedPermissions; - m_flags = 0; } /** @@ -101,7 +95,6 @@ public CmsPermissionSet(String permissionString) { StringTokenizer tok = new StringTokenizer(permissionString, "+-", true); m_allowed = 0; m_denied = 0; - m_flags = 0; while(tok.hasMoreElements()) { String prefix = tok.nextToken(); @@ -119,6 +112,10 @@ public CmsPermissionSet(String permissionString) { if (prefix.charAt(0) == '+') m_allowed |= I_CmsConstants.C_PERMISSION_VIEW; if (prefix.charAt(0) == '-') m_denied |= I_CmsConstants.C_PERMISSION_VIEW; break; + case 'C': case 'c': + if (prefix.charAt(0) == '+') m_allowed |= I_CmsConstants.C_PERMISSION_CONTROL; + if (prefix.charAt(0) == '-') m_denied |= I_CmsConstants.C_PERMISSION_CONTROL; + break; default: // ignore break; @@ -228,21 +225,24 @@ public int getDeniedPermissions() { /** * Returns the string representation of the current permissions in this permission set. * - * @return string of the format {{+|-}{r|w|v}}* + * @return string of the format {{+|-}{r|w|v|c}}* */ public String getPermissionString() { StringBuffer p = new StringBuffer(""); - if ((m_denied & I_CmsConstants.C_PERMISSION_READ)>0) p.append("-r"); - else if ((m_allowed & I_CmsConstants.C_PERMISSION_READ)>0) p.append("+r"); + if ((m_denied & I_CmsConstants.C_PERMISSION_READ)>0) p.append("-r"); + else if ((m_allowed & I_CmsConstants.C_PERMISSION_READ)>0) p.append("+r"); - if ((m_denied & I_CmsConstants.C_PERMISSION_WRITE)>0) p.append("-w"); - else if ((m_allowed & I_CmsConstants.C_PERMISSION_WRITE)>0) p.append("+w"); - - if ((m_denied & I_CmsConstants.C_PERMISSION_VIEW)>0) p.append("-v"); - else if ((m_allowed & I_CmsConstants.C_PERMISSION_VIEW)>0) p.append("+v"); + if ((m_denied & I_CmsConstants.C_PERMISSION_WRITE)>0) p.append("-w"); + else if ((m_allowed & I_CmsConstants.C_PERMISSION_WRITE)>0) p.append("+w"); + if ((m_denied & I_CmsConstants.C_PERMISSION_VIEW)>0) p.append("-v"); + else if ((m_allowed & I_CmsConstants.C_PERMISSION_VIEW)>0) p.append("+v"); + + if ((m_denied & I_CmsConstants.C_PERMISSION_CONTROL)>0) p.append("-c"); + else if ((m_allowed & I_CmsConstants.C_PERMISSION_CONTROL)>0) p.append("+c"); + return p.toString(); }