Changeset 448
- Timestamp:
- 05/04/06 15:16:09
- Files:
-
- trunk/calendar3/access/src/edu/rpi/cct/uwcal/access/Access.java (modified) (8 diffs)
- trunk/calendar3/access/src/edu/rpi/cct/uwcal/access/Ace.java (modified) (6 diffs)
- trunk/calendar3/access/src/edu/rpi/cct/uwcal/access/Acl.java (modified) (9 diffs)
- trunk/calendar3/access/src/edu/rpi/cct/uwcal/access/PrivilegeDefs.java (modified) (3 diffs)
- trunk/calendar3/access/src/edu/rpi/cct/uwcal/access/PrivilegeSet.java (added)
- trunk/calendar3/access/src/edu/rpi/cct/uwcal/access/Privileges.java (modified) (2 diffs)
- trunk/calendar3/appcommon/src/org/bedework/appcommon/AccessAppUtil.java (modified) (2 diffs)
- trunk/calendar3/calCore/src/org/bedework/calcore/hibernate/AccessUtil.java (modified) (5 diffs)
- trunk/calendar3/calCore/src/org/bedework/calcore/hibernate/CalintfImpl.java (modified) (3 diffs)
- trunk/calendar3/test/src/org/bedework/tests/access/AccessTest.java (modified) (1 diff)
- trunk/calendar3/webadmin/src/org/bedework/webadmin/system/UpdateSysparsAction.java (modified) (1 diff)
Legend:
- Unmodified
- Added
- Removed
- Modified
- Copied
- Moved
trunk/calendar3/access/src/edu/rpi/cct/uwcal/access/Access.java
r320 r448 58 58 import edu.rpi.cct.uwcal.access.Acl.CurrentAccess; 59 59 60 /** Class to handle access control. Because we may be evaluating access 60 /** Class to handle access control. Because we may be evaluating access 61 61 * frequently we try do so without creating (many) objects. 62 62 * … … 110 110 acl.addAce(new Ace(null, false, Ace.whoTypeUnauthenticated, read)); 111 111 defaultPublicAccess = new String(acl.encode()); 112 112 113 113 acl.clear(); 114 114 acl.addAce(new Ace(null, false, Ace.whoTypeOwner, all)); … … 119 119 } 120 120 } 121 121 122 122 /** Constructor 123 123 * … … 186 186 * @param how Privilege set definign desired access 187 187 * @param aclString String defining current acls for object 188 * @param filter if not null specifies maximum access 188 189 * @return CurrentAccess access + allowed/disallowed 189 190 * @throws AccessException 190 191 */ 191 192 public CurrentAccess evaluateAccess(AccessPrincipal who, String owner, 192 Privilege[] how, String aclString) 193 throws AccessException { 194 return new Acl(debug).evaluateAccess(who, owner, how, aclString.toCharArray()); 193 Privilege[] how, String aclString, 194 PrivilegeSet filter) 195 throws AccessException { 196 return new Acl(debug).evaluateAccess(who, owner, how, 197 aclString.toCharArray(), 198 filter); 195 199 } 196 200 … … 201 205 * @param how Privilege set defining desired access 202 206 * @param aclChars char[] defining current acls for object 207 * @param filter if not null specifies maximum access 203 208 * @return CurrentAccess access + allowed/disallowed 204 209 * @throws AccessException 205 210 */ 206 211 public CurrentAccess evaluateAccess(AccessPrincipal who, String owner, 207 Privilege[] how, char[] aclChars) 208 throws AccessException { 209 return new Acl(debug).evaluateAccess(who, owner, how, aclChars); 212 Privilege[] how, char[] aclChars, 213 PrivilegeSet filter) 214 throws AccessException { 215 return new Acl(debug).evaluateAccess(who, owner, how, aclChars, 216 filter); 210 217 } 211 218 … … 215 222 * @param owner String owner of object 216 223 * @param aclChars char[] defining current acls for object 224 * @param filter if not null specifies maximum access 217 225 * @return CurrentAccess access + allowed/disallowed 218 226 * @throws AccessException 219 227 */ 220 228 public CurrentAccess checkRead(AccessPrincipal who, String owner, 221 char[] aclChars) 222 throws AccessException { 223 return new Acl(debug).evaluateAccess(who, owner, privSetRead, aclChars); 229 char[] aclChars, 230 PrivilegeSet filter) 231 throws AccessException { 232 return new Acl(debug).evaluateAccess(who, owner, privSetRead, aclChars, 233 filter); 224 234 } 225 235 … … 229 239 * @param owner String owner of object 230 240 * @param aclChars char[] defining current acls for object 241 * @param filter if not null specifies maximum access 231 242 * @return CurrentAccess access + allowed/disallowed 232 243 * @throws AccessException 233 244 */ 234 245 public CurrentAccess checkReadWrite(AccessPrincipal who, String owner, 235 char[] aclChars) 236 throws AccessException { 237 return new Acl(debug).evaluateAccess(who, owner, privSetReadWrite, aclChars); 246 char[] aclChars, 247 PrivilegeSet filter) 248 throws AccessException { 249 return new Acl(debug).evaluateAccess(who, owner, privSetReadWrite, aclChars, 250 filter); 238 251 } 239 252 … … 244 257 * @param priv int desired access as defined above 245 258 * @param aclChars char[] defining current acls for object 259 * @param filter if not null specifies maximum access 246 260 * @return CurrentAccess access + allowed/disallowed 247 261 * @throws AccessException 248 262 */ 249 263 public CurrentAccess evaluateAccess(AccessPrincipal who, String owner, 250 int priv, char[] aclChars) 264 int priv, char[] aclChars, 265 PrivilegeSet filter) 251 266 throws AccessException { 252 267 return new Acl(debug).evaluateAccess(who, owner, 253 268 new Privilege[]{Privileges.makePriv(priv)}, 254 aclChars );269 aclChars, filter); 255 270 } 256 271 } trunk/calendar3/access/src/edu/rpi/cct/uwcal/access/Ace.java
r445 r448 166 166 private boolean notWho; 167 167 168 /** a rray of allowed/denied/undefined indexed by Privilege index169 */ 170 private char[]how;168 /** allowed/denied/undefined indexed by Privilege index 169 */ 170 private PrivilegeSet how; 171 171 172 172 /** Privilege objects defining the access. Used when manipulating acls … … 200 200 boolean notWho, 201 201 int whoType, 202 char[]how) {202 PrivilegeSet how) { 203 203 this.who = who; 204 204 this.notWho = notWho; … … 287 287 288 288 /** 289 * @param val char[] arrayof allowed/denied/undefined indexed by Privilege index290 */ 291 public void setHow( char[]val) {289 * @param val PrivilegeSet of allowed/denied/undefined indexed by Privilege index 290 */ 291 public void setHow(PrivilegeSet val) { 292 292 how = val; 293 293 } … … 295 295 /** 296 296 * 297 * @return char[]array of allowed/denied/undefined indexed by Privilege index298 */ 299 public char[]getHow() {297 * @return PrivilegeSet array of allowed/denied/undefined indexed by Privilege index 298 */ 299 public PrivilegeSet getHow() { 300 300 return how; 301 301 } … … 348 348 * @param name 349 349 * @param whoType 350 * @return char[]merged privileges if we find a match else null350 * @return PrivilegeSet merged privileges if we find a match else null 351 351 * @throws AccessException 352 352 */ 353 public static char[]findMergedPrivilege(Acl acl,353 public static PrivilegeSet findMergedPrivilege(Acl acl, 354 354 String name, int whoType) throws AccessException { 355 char[]privileges = null;355 PrivilegeSet privileges = null; 356 356 Iterator it = acl.getAces().iterator(); 357 357 … … 363 363 (whoType == whoTypeOwner) || 364 364 ace.whoMatch(name))) { 365 privileges = mergePrivileges(privileges, ace.getHow(),366 ace.getInherited());365 privileges = PrivilegeSet.mergePrivileges(privileges, ace.getHow(), 366 ace.getInherited()); 367 367 } 368 368 } 369 369 370 370 return privileges; 371 }372 373 /** If current is null it is set to a cloned copy of morePriv otherwise the374 * privilege(s) in morePriv are merged into current.375 *376 * <p>Specified access overrides inherited access,<br/>377 * allowed overrides denied overrides unspecified so the order is, from378 * highest to lowest:<br/>379 *380 * allowed, denied, allowedInherited, deniedInherited, unspecified.381 *382 * <p>Only allowed and denied appear in encoded aces.383 *384 * @param current385 * @param morePriv386 * @param inherited true if the ace was an inherited ace387 * @return char[] mergedPrivileges388 */389 public static char[] mergePrivileges(char[] current, char[] morePriv,390 boolean inherited) {391 char[] mp = (char[])morePriv.clone();392 393 if (inherited) {394 for (int i = 0; i <= privMaxType; i++) {395 char p = mp[i];396 if (p == allowed) {397 mp[i] = allowedInherited;398 } else if (p == denied) {399 mp[i] = deniedInherited;400 }401 }402 }403 if (current == null) {404 return mp;405 }406 407 for (int i = 0; i <= privMaxType; i++) {408 if (current[i] < mp[i]) {409 current[i] = mp[i];410 }411 }412 413 return current;414 371 } 415 372 trunk/calendar3/access/src/edu/rpi/cct/uwcal/access/Acl.java
r445 r448 130 130 * @see PrivilegeDefs 131 131 */ 132 public char[]privileges = null;132 public PrivilegeSet privileges = null; 133 133 134 134 /** Privileges desired */ … … 183 183 * @param how 184 184 * @param acl 185 * @param filter if not null specifies maximum access 185 186 * @return CurrentAccess access + allowed/disallowed 186 187 * @throws AccessException 187 188 */ 188 189 public CurrentAccess evaluateAccess(AccessPrincipal who, String owner, 189 Privilege[] how, char[] acl) 190 Privilege[] how, char[] acl, 191 PrivilegeSet filter) 190 192 throws AccessException { 191 193 boolean authenticated = !who.getUnauthenticated(); … … 222 224 ca.privileges = Ace.findMergedPrivilege(this, null, Ace.whoTypeOwner); 223 225 if (ca.privileges == null) { 224 ca.privileges = defaultOwnerPrivileges;226 ca.privileges = PrivilegeSet.makeDefaultOwnerPrivileges(); 225 227 } 226 228 … … 232 234 if (ca.privileges != null) { 233 235 if (debug) { 234 debugsb.append("... For user got: " + new String(ca.privileges));236 debugsb.append("... For user got: " + ca.privileges); 235 237 } 236 238 … … 248 250 debugsb.append("...Try access for group " + group); 249 251 } 250 char[]privs = Ace.findMergedPrivilege(this, group, Ace.whoTypeGroup);252 PrivilegeSet privs = Ace.findMergedPrivilege(this, group, Ace.whoTypeGroup); 251 253 if (privs != null) { 252 ca.privileges = Ace.mergePrivileges(ca.privileges, privs, false);254 ca.privileges = PrivilegeSet.mergePrivileges(ca.privileges, privs, false); 253 255 } 254 256 } … … 257 259 if (ca.privileges != null) { 258 260 if (debug) { 259 debugsb.append("...For groups got: " + new String(ca.privileges));261 debugsb.append("...For groups got: " + ca.privileges); 260 262 } 261 263 … … 267 269 if (ca.privileges != null) { 268 270 if (debug) { 269 debugsb.append("...For other got: " + new String(ca.privileges));271 debugsb.append("...For other got: " + ca.privileges); 270 272 } 271 273 … … 281 283 } 282 284 283 ca.privileges = (char[])ca.privileges.clone(); 284 for (int pi = 0; pi < ca.privileges.length; pi++) { 285 if (ca.privileges[pi] == unspecified) { 286 if (isOwner) { 287 ca.privileges[pi] = allowed; 288 } else { 289 ca.privileges[pi] = denied; 290 } 291 } 285 ca.privileges.setUnspecified(isOwner); 286 287 if (filter != null) { 288 ca.privileges.filterPrivileges(filter); 292 289 } 293 290 294 291 for (int i = 0; i < how.length; i++) { 295 char priv = ca.privileges [how[i].getIndex()];292 char priv = ca.privileges.getPrivilege(how[i].getIndex()); 296 293 297 294 if ((priv != allowed) && (priv != allowedInherited)) { … … 377 374 } 378 375 379 return aces.remove(new Ace(who, notWho, whoType, ( char[])null));376 return aces.remove(new Ace(who, notWho, whoType, (PrivilegeSet)null)); 380 377 } 381 378 trunk/calendar3/access/src/edu/rpi/cct/uwcal/access/PrivilegeDefs.java
r445 r448 184 184 185 185 /** Default privs for an owner 186 * /186 * / 187 187 public char[] defaultOwnerPrivileges = { 188 188 allowed, // privAll … … 201 201 }; 202 202 203 /** User home max privileges for non-super user 204 * This allows us to turn off privileges which would allow delete or rename 205 * for example. 206 * / 207 public char[] userHomeMaxPrivileges = { 208 denied, // privAll 209 allowed, // privRead 210 allowed, // privReadAcl 211 allowed, // privReadCurrentUserPrivilegeSet 212 allowed, // privReadFreeBusy 213 denied, // privWrite 214 allowed, // privWriteAcl 215 allowed, // privWriteProperties 216 allowed, // privWriteContent 217 denied, // privBind 218 denied, // privUnbind 219 allowed, // privUnlock 220 allowed, // privNone 221 }; 222 203 223 /** Default privs for a non owner 204 * /224 * / 205 225 public char[] defaultNonOwnerPrivileges = { 206 226 denied, // privAll … … 217 237 denied, // privUnlock 218 238 denied, // privNone 219 }; 239 };*/ 220 240 221 241 } trunk/calendar3/access/src/edu/rpi/cct/uwcal/access/Privileges.java
r445 r448 196 196 * @throws AccessException 197 197 */ 198 public static char[]fromEncoding(EncodedAcl acl) throws AccessException {198 public static PrivilegeSet fromEncoding(EncodedAcl acl) throws AccessException { 199 199 char[] privStates = { 200 200 unspecified, // privAll … … 229 229 } 230 230 231 return privStates;231 return new PrivilegeSet(privStates); 232 232 } 233 233 trunk/calendar3/appcommon/src/org/bedework/appcommon/AccessAppUtil.java
r445 r448 62 62 import edu.rpi.cct.uwcal.access.Privilege; 63 63 import edu.rpi.cct.uwcal.access.PrivilegeDefs; 64 import edu.rpi.cct.uwcal.access.PrivilegeSet; 64 65 import edu.rpi.cct.uwcal.access.Privileges; 65 66 import edu.rpi.sss.util.xml.QName; … … 254 255 * returning the representation a a String 255 256 * 256 * @param p rivileges char[] ofallowed/disallowed257 * @param ps PrivilegeSet allowed/disallowed 257 258 * @return String xml 258 259 * @throws CalFacadeException 259 260 */ 260 public static String getCurrentPrivSetString( char[] privileges)261 public static String getCurrentPrivSetString(PrivilegeSet ps) 261 262 throws CalFacadeException { 262 263 try { 264 char[] privileges = ps.getPrivileges(); 265 263 266 XmlEmit xml = new XmlEmit(true); // no headers 264 267 StringWriter su = new StringWriter(); trunk/calendar3/calCore/src/org/bedework/calcore/hibernate/AccessUtil.java
r445 r448 58 58 import edu.rpi.cct.uwcal.access.Acl; 59 59 import edu.rpi.cct.uwcal.access.PrivilegeDefs; 60 import edu.rpi.cct.uwcal.access.PrivilegeSet; 60 61 import edu.rpi.cct.uwcal.access.Acl.CurrentAccess; 61 62 … … 66 67 import org.bedework.calfacade.BwLocation; 67 68 import org.bedework.calfacade.BwSponsor; 69 import org.bedework.calfacade.BwSystem; 68 70 import org.bedework.calfacade.BwUser; 69 71 import org.bedework.calfacade.CalFacadeAccessException; … … 93 95 private BwUser authUser; 94 96 97 private BwSystem syspars; 98 99 private String userRootPath; 100 101 private String userHomePathPrefix; 102 95 103 private transient Logger log; 96 104 … … 140 148 */ 141 149 public void close() { 150 } 151 152 /** Set the system parameters object. 153 * @param val 154 */ 155 public void setSyspars(BwSystem val) { 156 syspars = val; 157 158 userRootPath = "/" + syspars.getUserCalendarRoot(); 159 userHomePathPrefix = userRootPath + "/"; 142 160 } 143 161 … … 249 267 250 268 try { 251 CurrentAccess ca; 269 CurrentAccess ca = null; 270 252 271 String account = ent.getOwner().getAccount(); 253 254 char[] aclChars = getAclChars(ent); 255 256 if (desiredAccess == privRead) { 257 ca = access.checkRead(authUser, account, aclChars); 258 } else if (desiredAccess == privWrite) { 259 ca = access.checkReadWrite(authUser, account, aclChars); 260 } else { 261 ca = access.evaluateAccess(authUser, account, desiredAccess, aclChars); 272 PrivilegeSet maxPrivs = null; 273 274 char[] aclChars = null; 275 276 if (ent instanceof BwCalendar) { 277 BwCalendar cal = (BwCalendar)ent; 278 String path = cal.getPath(); 279 280 if (userRootPath.equals(path)) { 281 ca = new CurrentAccess(); 282 283 if (getSuperUser()) { 284 ca.privileges = PrivilegeSet.makeDefaultOwnerPrivileges(); 285 } else { 286 ca.privileges = PrivilegeSet.makeDefaultNonOwnerPrivileges(); 287 } 288 } else if (path.equals(userHomePathPrefix + account)){ 289 // Accessing user home directory 290 if (getSuperUser()) { 291 ca = new CurrentAccess(); 292 293 ca.privileges = PrivilegeSet.makeDefaultOwnerPrivileges(); 294 } else { 295 // Set the maximumn access 296 maxPrivs = PrivilegeSet.userHomeMaxPrivileges; 297 } 298 } 299 } 300 301 if (ca == null) { 302 // Not special 303 aclChars = getAclChars(ent); 304 305 if (desiredAccess == privRead) { 306 ca = access.checkRead(authUser, account, aclChars, maxPrivs); 307 } else if (desiredAccess == privWrite) { 308 ca = access.checkReadWrite(authUser, account, aclChars, maxPrivs); 309 } else { 310 ca = access.evaluateAccess(authUser, account, desiredAccess, aclChars, 311 maxPrivs); 312 } 262 313 } 263 314 trunk/calendar3/calCore/src/org/bedework/calcore/hibernate/CalintfImpl.java
r445 r448 298 298 authUser.setGroups(groups.getAllGroups(authUser)); 299 299 access.setAuthUser(authUser); 300 access.setSyspars((BwSystem)getSyspars().clone()); 300 301 301 302 events = new Events(this, access, currentMode, debug); … … 322 323 calendars.addNewCalendars(authUser); 323 324 } 325 324 326 return userCreated; 325 327 } … … 407 409 checkOpen(); 408 410 sess.update(val); 411 syspars = null; // Force refresh 412 access.setSyspars((BwSystem)getSyspars().clone()); 409 413 } 410 414 trunk/calendar3/test/src/org/bedework/tests/access/AccessTest.java
r320 r448 155 155 Privilege[] how,char[] encoded, 156 156 boolean expected, String title) throws Throwable { 157 CurrentAccess ca = new Acl().evaluateAccess(who, owner.getAccount(), how, encoded); 157 CurrentAccess ca = new Acl().evaluateAccess(who, owner.getAccount(), how, 158 encoded, null); 158 159 159 160 if (debug) { trunk/calendar3/webadmin/src/org/bedework/webadmin/system/UpdateSysparsAction.java
r446 r448 66 66 * 67 67 * <p>Parameters are:<ul> 68 * <li>updateCancelled</li> 69 * <li>admingroupsClass</li> 70 * <li>usergroupsClass</li> 68 71 * <li>defaultUserViewName</li> 69 72 * <li>directoryBrowsingDisallowed</li>
