[feature] Support for setGID on Collections in eXist

commit 615169827ef122eca130047d635c3a19daec15ab 1 parent e014439
@adamretter adamretter authored
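--- a/src/org/exist/dom/DocumentImpl.java
+++ b/src/org/exist/dom/DocumentImpl.java
@@ -129,7 +129,7 @@ public DocumentImpl(BrokerPool pool, Collection collection, XmldbURI fileURI) {
 //inherit the group to the resource if current collection is setGid
 if(collection != null && collection.getPermissions().isSetGid()) {
 try {
- this.permissions.setGroup(collection.getPermissions().getGroup());
+ this.permissions.setGroupFrom(collection.getPermissions());
 } catch(final PermissionDeniedException pde) {
 throw new IllegalArgumentException(pde); //TODO improve
 }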
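--- a/src/org/exist/security/AbstractUnixStylePermission.java
+++ b/src/org/exist/security/AbstractUnixStylePermission.java
@@ -252,7 +252,7 @@ private void setSimpleSymbolicMode(final String simpleSymbolicMode)
 private final static Matcher simpleSymbolicModeMatcher = simpleSymbolicModePattern.matcher("");
 /**
- * Note we dont need @PermissionRequired(user = IS_DBA | IS_OWNER) here
+ * Note: we don't need @PermissionRequired(user = IS_DBA | IS_OWNER) here
 * because all of these methods delegate to the subclass implementation.
 *
 * @param modeStr The String representing a mode to set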
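--- a/src/org/exist/security/Permission.java
+++ b/src/org/exist/security/Permission.java
@@ -132,6 +132,20 @@
 public void setGroup(String name) throws PermissionDeniedException;
 /**
+ * Set the owner group
+ *
+ * This is used to set the owner group
+ * of this permission to the same
+ * as the owner group of the <i>other</i>
+ * permission.
+ *
+ * This is typically used in setGID situations.
+ *
+ * @param other Another permissions object
+ */
+ public void setGroupFrom(Permission other) throws PermissionDeniedException;
+
+ /**
 * Sets mode for group
 *
 * @param perm The new group mode value
@@ -160,25 +174,21 @@
 public void setOwner(String user) throws PermissionDeniedException;
 /**
- * Set mode using a string. The string has the
- * following syntax:
- *
- * [user|group|other]=[+|-][read|write|update]
+ * Set mode using a string.
 *
- * For example, to set read and write mode for the group, but
- * not for others:
+ * The string can either be in one of three formats:
+ *
+ * 1) Unix Symbolic format as given to 'chmod' on Unix/Linux
+ * 2) eXist Symbolic format as described in @see org.exist.security.AbstractUnixStylePermission#setExistSymbolicMode(java.lang.String)
+ * 3) Simple Symbolic format e.g. "rwxr-xr-x"
 *
- * group=+read,+write,other=-read,-write
+ * The eXist symbolic format should be avoided
+ * in new applications as it is deprecated
 *
- * The new settings are or'ed with the existing settings.
- *
- *@param str The new mode
- *@exception SyntaxException Description of the Exception
- *
- * @deprecated Setting permissions via string is not very efficient!
+ * @param str The new mode
+ * @exception SyntaxException Description of the Exception
 */
- @Deprecated
- public void setMode(String str) throws SyntaxException, PermissionDeniedException;
+ public void setMode(String modeStr) throws SyntaxException, PermissionDeniedException;
 /**
 * Set mode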
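Review bot: The rewritten Javadoc for `setMode` in the second hunk still carries `@param str` although the parameter was renamed to `modeStr`, so the tag no longer matches the signature; change it to `@param modeStr The new mode`. The same method declares `PermissionDeniedException` but documents only `SyntaxException`, and that with the placeholder text "Description of the Exception"; replace it with `@throws SyntaxException if modeStr is not in one of the three accepted formats` and add `@throws PermissionDeniedException if the caller is not permitted to change the mode`. The new `setGroupFrom` declaration in the first hunk has the same gap: it throws `PermissionDeniedException` with no `@throws` tag, and its description should state the condition under which the inheritance is allowed (from the aspect change in PermissionRequiredAspect.java in this commit it appears to be that `other` carries the setGid bit — confirm), e.g. `@throws PermissionDeniedException if other does not carry the setGid bit and the caller is not otherwise permitted`.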
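--- a/src/org/exist/security/PermissionRequiredAspect.java
+++ b/src/org/exist/security/PermissionRequiredAspect.java
@@ -32,6 +32,7 @@
 import static org.exist.security.PermissionRequired.IS_OWNER;
 import static org.exist.security.PermissionRequired.IS_MEMBER;
 import static org.exist.security.PermissionRequired.ACL_WRITE;
+import static org.exist.security.PermissionRequired.IS_SET_GID;
 /**
 * @author Adam Retter <adam@exist-db.org>
@@ -65,6 +66,14 @@ public void enforcePermissionsOnParameter(JoinPoint joinPoint, Permission permis
 return;
 }
 }
+
+ //3) check if we are looking for setGID
+ if((parameterPermissionRequired.mode() & IS_SET_GID) == IS_SET_GID) {
+ final Permission other = (Permission)o;
+ if(other.isSetGid()) {
+ return;
+ }
+ }
 throw new PermissionDeniedException("You must be a member of the group you are changing the item to");
 }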
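Review bot: The new setGID branch in the second hunk grants the parameter check purely on a property of the argument (`other.isSetGid()`), with no condition on the calling subject, so any caller who already passes the method-level `IS_DBA | IS_OWNER` check can satisfy the `IS_MEMBER` requirement by supplying a `Permission` object whose setGid bit is set rather than one belonging to the parent collection. That is harmless for the two internal call sites in this commit (DocumentImpl and NativeBroker pass the parent collection's permissions), but if `setGroupFrom` is reachable from user-level code the membership requirement that `setGroup` enforces is bypassed; please confirm, and record the assumption on the branch with `// trusts that 'other' is the parent collection's permission; callers are internal` or tighten the check to verify that. The cast `(Permission)o` is also unguarded: a parameter annotated `mode = IS_SET_GID` that is not a `Permission` would surface as a `ClassCastException` rather than the intended `PermissionDeniedException`, so write it as `if(o instanceof Permission && ((Permission)o).isSetGid()) { return; }`. The enclosing `enforcePermissionsOnParameter` starts outside the hunk.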
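--- a/src/org/exist/security/UnixStylePermission.java
+++ b/src/org/exist/security/UnixStylePermission.java
@@ -25,6 +25,7 @@
 import static org.exist.security.PermissionRequired.IS_DBA;
 import static org.exist.security.PermissionRequired.IS_MEMBER;
 import static org.exist.security.PermissionRequired.IS_OWNER;
+import static org.exist.security.PermissionRequired.IS_SET_GID;
 import org.exist.security.internal.RealmImpl;
 import org.exist.storage.io.VariableByteInput;
 import org.exist.storage.io.VariableByteOutputStream;
@@ -185,15 +186,30 @@ public void setGroup(final int id) {
 }
 setGroupId(group.getId());
 }
-
+
 @PermissionRequired(user = IS_DBA | IS_OWNER)
 private void setGroupId(@PermissionRequired(user = IS_DBA | IS_MEMBER) final int groupId) {
+ /*
+ This function wrapper is really just used as a place
+ to focus PermissionRequired checks for several public
+ functions
+ */
+ _setGroupId(groupId);
+ }
+
+ @PermissionRequired(user = IS_DBA | IS_OWNER)
+ @Override
+ public void setGroupFrom(@PermissionRequired(mode = IS_SET_GID) final Permission other) {
+ _setGroupId(other.getGroup().getId());
+ }
+
+ private void _setGroupId(final int groupId) {
 this.vector =
 ((vector >>> 28) << 28) | //current ownerId and ownerMode, mask rest
 (groupId << 8) | //left shift new groupId into positon
 (vector & 255); //current groupMode and otherMode
 }
-
+
 /**
 * Get the mode
 *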
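Review bot: `_setGroupId` in the second hunk uses a leading-underscore name, which Java naming convention avoids; since `setGroupId` is now only a carrier for the `@PermissionRequired` annotations, a name such as `applyGroupId` says what the helper does, and the multi-line explanatory comment inside `setGroupId` should become `//` line comments to match the comment style of the surrounding code. The `(groupId << 8)` term is not masked to the width of the group field, so a group id large enough to reach bit 28 (the field boundary inferred from the `>>> 28` / `<< 28` masking on the previous line — confirm) would overwrite the owner bits; that logic is pre-existing, but `setGroupFrom` now feeds it an id read from another permission object, so a range guard such as `if((groupId << 8) >>> 28 != 0) throw new IllegalArgumentException("groupId out of range: " + groupId);` at the top of the helper is worth adding. The new `setGroupFrom` override also lacks Javadoc; `/** {@inheritDoc} Copies the group id of {@code other}; the aspect admits this only when {@code other} has the setGid bit set. */` would do.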
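--- a/src/org/exist/security/internal/aider/UnixStylePermissionAider.java
+++ b/src/org/exist/security/internal/aider/UnixStylePermissionAider.java
@@ -27,6 +27,8 @@
 import org.exist.security.Group;
 import org.exist.security.SecurityManager;
 import org.exist.security.Account;
+import org.exist.security.Permission;
+import org.exist.security.PermissionDeniedException;
 import org.exist.security.Subject;
 import org.exist.storage.io.VariableByteInput;
 import org.exist.storage.io.VariableByteOutputStream;
@@ -195,6 +197,11 @@ public void setGroup(final Group group) {
 public void setGroup(final String group) {
 this.ownerGroup = new GroupAider(group);
 }
+
+ @Override
+ public void setGroupFrom(Permission other) throws PermissionDeniedException {
+ this.ownerGroup = new GroupAider(other.getGroup().getName());
+ }
 /**
 * Sets mode for group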
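Review bot: The new `setGroupFrom` override in the second hunk dereferences `other.getGroup()` without a guard, so a null `other`, or a permission whose group is not set (whether `getGroup()` can return null is not visible here), fails with a `NullPointerException` instead of a meaningful error. A check such as `if(other == null || other.getGroup() == null) { throw new IllegalArgumentException("other permission must carry a group"); }` before the assignment would make that explicit, and the parameter could be declared `final` like its neighbours `setGroup(final String group)` and `setGroup(final Group group)`.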
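--- a/src/org/exist/storage/NativeBroker.java
+++ b/src/org/exist/storage/NativeBroker.java
@@ -785,7 +785,8 @@ public Collection getOrCreateCollection(Txn transaction, XmldbURI name) throws P
 //inherit the group to the sub-collection if current collection is setGid
 if(current.getPermissions().isSetGid()) {
- sub.getPermissions().setGroup(current.getPermissions().getGroup());
+ sub.getPermissions().setGroupFrom(current.getPermissions()); //inherit group
+ sub.getPermissions().setSetGid(true); //inherit setGid bit
 }
 sub.setId(getNextCollectionId(transaction));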
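Review bot: The added `setSetGid(true)` changes what the branch does, but the comment on the `if` line above it still says only `//inherit the group to the sub-collection if current collection is setGid`; update it to `//inherit the group and the setGid bit to the sub-collection if current collection is setGid` and drop the two trailing comments on the new lines, which then only repeat it. It would also help to record that this is deliberately different from the resource case in DocumentImpl.java (same commit), where only the group is inherited, so the asymmetry is not later "fixed"; a one-line `// sub-collections also inherit the setGid bit, resources do not (see DocumentImpl)` is enough. The enclosing `getOrCreateCollection` starts and ends outside the hunk.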