Index: trunk/calendar3/access/src/edu/rpi/cct/uwcal/access/Access.java =================================================================== --- trunk/calendar3/access/src/edu/rpi/cct/uwcal/access/Access.java (revision 320) +++ trunk/calendar3/access/src/edu/rpi/cct/uwcal/access/Access.java (revision 448) @@ -58,5 +58,5 @@ import edu.rpi.cct.uwcal.access.Acl.CurrentAccess; -/** Class to handle access control. Because we may be evaluating access +/** Class to handle access control. Because we may be evaluating access * frequently we try do so without creating (many) objects. * @@ -110,5 +110,5 @@ acl.addAce(new Ace(null, false, Ace.whoTypeUnauthenticated, read)); defaultPublicAccess = new String(acl.encode()); - + acl.clear(); acl.addAce(new Ace(null, false, Ace.whoTypeOwner, all)); @@ -119,5 +119,5 @@ } } - + /** Constructor * @@ -186,11 +186,15 @@ * @param how Privilege set definign desired access * @param aclString String defining current acls for object + * @param filter if not null specifies maximum access * @return CurrentAccess access + allowed/disallowed * @throws AccessException */ public CurrentAccess evaluateAccess(AccessPrincipal who, String owner, - Privilege[] how, String aclString) - throws AccessException { - return new Acl(debug).evaluateAccess(who, owner, how, aclString.toCharArray()); + Privilege[] how, String aclString, + PrivilegeSet filter) + throws AccessException { + return new Acl(debug).evaluateAccess(who, owner, how, + aclString.toCharArray(), + filter); } @@ -201,11 +205,14 @@ * @param how Privilege set defining desired access * @param aclChars char[] defining current acls for object + * @param filter if not null specifies maximum access * @return CurrentAccess access + allowed/disallowed * @throws AccessException */ public CurrentAccess evaluateAccess(AccessPrincipal who, String owner, - Privilege[] how, char[] aclChars) - throws AccessException { - return new Acl(debug).evaluateAccess(who, owner, how, aclChars); + Privilege[] how, char[] aclChars, + PrivilegeSet filter) + throws AccessException { + return new Acl(debug).evaluateAccess(who, owner, how, aclChars, + filter); } @@ -215,11 +222,14 @@ * @param owner String owner of object * @param aclChars char[] defining current acls for object + * @param filter if not null specifies maximum access * @return CurrentAccess access + allowed/disallowed * @throws AccessException */ public CurrentAccess checkRead(AccessPrincipal who, String owner, - char[] aclChars) - throws AccessException { - return new Acl(debug).evaluateAccess(who, owner, privSetRead, aclChars); + char[] aclChars, + PrivilegeSet filter) + throws AccessException { + return new Acl(debug).evaluateAccess(who, owner, privSetRead, aclChars, + filter); } @@ -229,11 +239,14 @@ * @param owner String owner of object * @param aclChars char[] defining current acls for object + * @param filter if not null specifies maximum access * @return CurrentAccess access + allowed/disallowed * @throws AccessException */ public CurrentAccess checkReadWrite(AccessPrincipal who, String owner, - char[] aclChars) - throws AccessException { - return new Acl(debug).evaluateAccess(who, owner, privSetReadWrite, aclChars); + char[] aclChars, + PrivilegeSet filter) + throws AccessException { + return new Acl(debug).evaluateAccess(who, owner, privSetReadWrite, aclChars, + filter); } @@ -244,13 +257,15 @@ * @param priv int desired access as defined above * @param aclChars char[] defining current acls for object + * @param filter if not null specifies maximum access * @return CurrentAccess access + allowed/disallowed * @throws AccessException */ public CurrentAccess evaluateAccess(AccessPrincipal who, String owner, - int priv, char[] aclChars) + int priv, char[] aclChars, + PrivilegeSet filter) throws AccessException { return new Acl(debug).evaluateAccess(who, owner, new Privilege[]{Privileges.makePriv(priv)}, - aclChars); + aclChars, filter); } } Index: trunk/calendar3/access/src/edu/rpi/cct/uwcal/access/Ace.java =================================================================== --- trunk/calendar3/access/src/edu/rpi/cct/uwcal/access/Ace.java (revision 445) +++ trunk/calendar3/access/src/edu/rpi/cct/uwcal/access/Ace.java (revision 448) @@ -166,7 +166,7 @@ private boolean notWho; - /** array of allowed/denied/undefined indexed by Privilege index - */ - private char[] how; + /** allowed/denied/undefined indexed by Privilege index + */ + private PrivilegeSet how; /** Privilege objects defining the access. Used when manipulating acls @@ -200,5 +200,5 @@ boolean notWho, int whoType, - char[] how) { + PrivilegeSet how) { this.who = who; this.notWho = notWho; @@ -287,7 +287,7 @@ /** - * @param val char[] array of allowed/denied/undefined indexed by Privilege index - */ - public void setHow(char[] val) { + * @param val PrivilegeSet of allowed/denied/undefined indexed by Privilege index + */ + public void setHow(PrivilegeSet val) { how = val; } @@ -295,7 +295,7 @@ /** * - * @return char[] array of allowed/denied/undefined indexed by Privilege index - */ - public char[] getHow() { + * @return PrivilegeSet array of allowed/denied/undefined indexed by Privilege index + */ + public PrivilegeSet getHow() { return how; } @@ -348,10 +348,10 @@ * @param name * @param whoType - * @return char[] merged privileges if we find a match else null + * @return PrivilegeSet merged privileges if we find a match else null * @throws AccessException */ - public static char[] findMergedPrivilege(Acl acl, + public static PrivilegeSet findMergedPrivilege(Acl acl, String name, int whoType) throws AccessException { - char[] privileges = null; + PrivilegeSet privileges = null; Iterator it = acl.getAces().iterator(); @@ -363,53 +363,10 @@ (whoType == whoTypeOwner) || ace.whoMatch(name))) { - privileges = mergePrivileges(privileges, ace.getHow(), - ace.getInherited()); + privileges = PrivilegeSet.mergePrivileges(privileges, ace.getHow(), + ace.getInherited()); } } return privileges; - } - - /** If current is null it is set to a cloned copy of morePriv otherwise the - * privilege(s) in morePriv are merged into current. - * - *

Specified access overrides inherited access,
- * allowed overrides denied overrides unspecified so the order is, from - * highest to lowest:
- * - * allowed, denied, allowedInherited, deniedInherited, unspecified. - * - *

Only allowed and denied appear in encoded aces. - * - * @param current - * @param morePriv - * @param inherited true if the ace was an inherited ace - * @return char[] mergedPrivileges - */ - public static char[] mergePrivileges(char[] current, char[] morePriv, - boolean inherited) { - char[] mp = (char[])morePriv.clone(); - - if (inherited) { - for (int i = 0; i <= privMaxType; i++) { - char p = mp[i]; - if (p == allowed) { - mp[i] = allowedInherited; - } else if (p == denied) { - mp[i] = deniedInherited; - } - } - } - if (current == null) { - return mp; - } - - for (int i = 0; i <= privMaxType; i++) { - if (current[i] < mp[i]) { - current[i] = mp[i]; - } - } - - return current; } Index: trunk/calendar3/access/src/edu/rpi/cct/uwcal/access/Acl.java =================================================================== --- trunk/calendar3/access/src/edu/rpi/cct/uwcal/access/Acl.java (revision 445) +++ trunk/calendar3/access/src/edu/rpi/cct/uwcal/access/Acl.java (revision 448) @@ -130,5 +130,5 @@ * @see PrivilegeDefs */ - public char[] privileges = null; + public PrivilegeSet privileges = null; /** Privileges desired */ @@ -183,9 +183,11 @@ * @param how * @param acl + * @param filter if not null specifies maximum access * @return CurrentAccess access + allowed/disallowed * @throws AccessException */ public CurrentAccess evaluateAccess(AccessPrincipal who, String owner, - Privilege[] how, char[] acl) + Privilege[] how, char[] acl, + PrivilegeSet filter) throws AccessException { boolean authenticated = !who.getUnauthenticated(); @@ -222,5 +224,5 @@ ca.privileges = Ace.findMergedPrivilege(this, null, Ace.whoTypeOwner); if (ca.privileges == null) { - ca.privileges = defaultOwnerPrivileges; + ca.privileges = PrivilegeSet.makeDefaultOwnerPrivileges(); } @@ -232,5 +234,5 @@ if (ca.privileges != null) { if (debug) { - debugsb.append("... For user got: " + new String(ca.privileges)); + debugsb.append("... For user got: " + ca.privileges); } @@ -248,7 +250,7 @@ debugsb.append("...Try access for group " + group); } - char[] privs = Ace.findMergedPrivilege(this, group, Ace.whoTypeGroup); + PrivilegeSet privs = Ace.findMergedPrivilege(this, group, Ace.whoTypeGroup); if (privs != null) { - ca.privileges = Ace.mergePrivileges(ca.privileges, privs, false); + ca.privileges = PrivilegeSet.mergePrivileges(ca.privileges, privs, false); } } @@ -257,5 +259,5 @@ if (ca.privileges != null) { if (debug) { - debugsb.append("...For groups got: " + new String(ca.privileges)); + debugsb.append("...For groups got: " + ca.privileges); } @@ -267,5 +269,5 @@ if (ca.privileges != null) { if (debug) { - debugsb.append("...For other got: " + new String(ca.privileges)); + debugsb.append("...For other got: " + ca.privileges); } @@ -281,17 +283,12 @@ } - ca.privileges = (char[])ca.privileges.clone(); - for (int pi = 0; pi < ca.privileges.length; pi++) { - if (ca.privileges[pi] == unspecified) { - if (isOwner) { - ca.privileges[pi] = allowed; - } else { - ca.privileges[pi] = denied; - } - } + ca.privileges.setUnspecified(isOwner); + + if (filter != null) { + ca.privileges.filterPrivileges(filter); } for (int i = 0; i < how.length; i++) { - char priv = ca.privileges[how[i].getIndex()]; + char priv = ca.privileges.getPrivilege(how[i].getIndex()); if ((priv != allowed) && (priv != allowedInherited)) { @@ -377,5 +374,5 @@ } - return aces.remove(new Ace(who, notWho, whoType, (char[])null)); + return aces.remove(new Ace(who, notWho, whoType, (PrivilegeSet)null)); } Index: trunk/calendar3/access/src/edu/rpi/cct/uwcal/access/PrivilegeDefs.java =================================================================== --- trunk/calendar3/access/src/edu/rpi/cct/uwcal/access/PrivilegeDefs.java (revision 445) +++ trunk/calendar3/access/src/edu/rpi/cct/uwcal/access/PrivilegeDefs.java (revision 448) @@ -184,5 +184,5 @@ /** Default privs for an owner - */ + * / public char[] defaultOwnerPrivileges = { allowed, // privAll @@ -201,6 +201,26 @@ }; + /** User home max privileges for non-super user + * This allows us to turn off privileges which would allow delete or rename + * for example. + * / + public char[] userHomeMaxPrivileges = { + denied, // privAll + allowed, // privRead + allowed, // privReadAcl + allowed, // privReadCurrentUserPrivilegeSet + allowed, // privReadFreeBusy + denied, // privWrite + allowed, // privWriteAcl + allowed, // privWriteProperties + allowed, // privWriteContent + denied, // privBind + denied, // privUnbind + allowed, // privUnlock + allowed, // privNone + }; + /** Default privs for a non owner - */ + * / public char[] defaultNonOwnerPrivileges = { denied, // privAll @@ -217,5 +237,5 @@ denied, // privUnlock denied, // privNone - }; + };*/ } Index: trunk/calendar3/access/src/edu/rpi/cct/uwcal/access/PrivilegeSet.java =================================================================== --- (revision ) +++ trunk/calendar3/access/src/edu/rpi/cct/uwcal/access/PrivilegeSet.java (revision 448) @@ -1,0 +1,322 @@ +/* + Copyright (c) 2000-2005 University of Washington. All rights reserved. + + Redistribution and use of this distribution in source and binary forms, + with or without modification, are permitted provided that: + + The above copyright notice and this permission notice appear in + all copies and supporting documentation; + + The name, identifiers, and trademarks of the University of Washington + are not used in advertising or publicity without the express prior + written permission of the University of Washington; + + Recipients acknowledge that this distribution is made available as a + research courtesy, "as is", potentially with defects, without + any obligation on the part of the University of Washington to + provide support, services, or repair; + + THE UNIVERSITY OF WASHINGTON DISCLAIMS ALL WARRANTIES, EXPRESS OR + IMPLIED, WITH REGARD TO THIS SOFTWARE, INCLUDING WITHOUT LIMITATION + ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + PARTICULAR PURPOSE, AND IN NO EVENT SHALL THE UNIVERSITY OF + WASHINGTON BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL + DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR + PROFITS, WHETHER IN AN ACTION OF CONTRACT, TORT (INCLUDING + NEGLIGENCE) OR STRICT LIABILITY, ARISING OUT OF OR IN CONNECTION WITH + THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ +/* ********************************************************************** + Copyright 2005 Rensselaer Polytechnic Institute. All worldwide rights reserved. + + Redistribution and use of this distribution in source and binary forms, + with or without modification, are permitted provided that: + The above copyright notice and this permission notice appear in all + copies and supporting documentation; + + The name, identifiers, and trademarks of Rensselaer Polytechnic + Institute are not used in advertising or publicity without the + express prior written permission of Rensselaer Polytechnic Institute; + + DISCLAIMER: The software is distributed" AS IS" without any express or + implied warranty, including but not limited to, any implied warranties + of merchantability or fitness for a particular purpose or any warrant)' + of non-infringement of any current or pending patent rights. The authors + of the software make no representations about the suitability of this + software for any particular purpose. The entire risk as to the quality + and performance of the software is with the user. Should the software + prove defective, the user assumes the cost of all necessary servicing, + repair or correction. In particular, neither Rensselaer Polytechnic + Institute, nor the authors of the software are liable for any indirect, + special, consequential, or incidental damages related to the software, + to the maximum extent the law permits. +*/ +package edu.rpi.cct.uwcal.access; + +import java.io.Serializable; + +/** Allowed privileges for a principal + * + * @author Mike Douglass douglm@rpi.edu + */ +public class PrivilegeSet implements Serializable, PrivilegeDefs { + private char[] privileges; + + /** Default privs for an owner + */ + public static PrivilegeSet defaultOwnerPrivileges = + new PrivilegeSet(denied, // privAll + denied, // privRead + denied, // privReadAcl + denied, // privReadCurrentUserPrivilegeSet + denied, // privReadFreeBusy + denied, // privWrite + denied, // privWriteAcl + denied, // privWriteProperties + denied, // privWriteContent + denied, // privBind + denied, // privUnbind + denied, // privUnlock + denied); // privNone + + /** User home max privileges for non-super user + * This allows us to turn off privileges which would allow delete or rename + * for example. + */ + public static PrivilegeSet userHomeMaxPrivileges = + new PrivilegeSet(denied, // privAll + allowed, // privRead + allowed, // privReadAcl + allowed, // privReadCurrentUserPrivilegeSet + allowed, // privReadFreeBusy + denied, // privWrite + allowed, // privWriteAcl + allowed, // privWriteProperties + allowed, // privWriteContent + denied, // privBind + denied, // privUnbind + allowed, // privUnlock + allowed); // privNone + + /** Default privs for a non owner + */ + public static PrivilegeSet defaultNonOwnerPrivileges = + new PrivilegeSet(denied, // privAll + denied, // privRead + denied, // privReadAcl + denied, // privReadCurrentUserPrivilegeSet + denied, // privReadFreeBusy + denied, // privWrite + denied, // privWriteAcl + denied, // privWriteProperties + denied, // privWriteContent + denied, // privBind + denied, // privUnbind + denied, // privUnlock + denied); // privNone + + /** + * @param privAllState + * @param privReadState + * @param privReadAclState + * @param privReadCurrentUserPrivilegeSetState + * @param privReadFreeBusyState + * @param privWriteState + * @param privWriteAclState + * @param privWritePropertiesState + * @param privWriteContentState + * @param privBindState + * @param privUnbindState + * @param privUnlockState + * @param privNoneState + */ + public PrivilegeSet(char privAllState, + char privReadState, + char privReadAclState, + char privReadCurrentUserPrivilegeSetState, + char privReadFreeBusyState, + char privWriteState, + char privWriteAclState, + char privWritePropertiesState, + char privWriteContentState, + char privBindState, + char privUnbindState, + char privUnlockState, + char privNoneState) { + privileges = new char[privMaxType + 1]; + + privileges[privAll] = privAllState; + privileges[privRead] = privReadState; + privileges[privReadAcl] = privReadAclState; + privileges[privReadCurrentUserPrivilegeSet] = privReadCurrentUserPrivilegeSetState; + privileges[privReadFreeBusy] = privReadFreeBusyState; + privileges[privWrite] = privWriteState; + privileges[privWriteAcl] = privWriteAclState; + privileges[privWriteProperties] = privWritePropertiesState; + privileges[privWriteContent] = privWriteContentState; + privileges[privBind] = privBindState; + privileges[privUnbind] = privUnbindState; + privileges[privUnlock] = privUnlockState; + privileges[privNone] = privNoneState; + } + + /** + * @param privileges + */ + public PrivilegeSet(char[] privileges) { + this.privileges = privileges; + } + + /** Default privs for an owner + * + * @return PrivilegeSet + */ + public static PrivilegeSet makeDefaultOwnerPrivileges() { + return (PrivilegeSet)defaultOwnerPrivileges.clone(); + } + + /** User home max privileges for non-super user + * This allows us to turn off privileges which would allow delete or rename + * for example. + * + * @return PrivilegeSet + */ + public static PrivilegeSet makeUserHomeMaxPrivileges() { + return (PrivilegeSet)userHomeMaxPrivileges.clone(); + } + + /** Default privs for a non owner + * + * @return PrivilegeSet + */ + public static PrivilegeSet makeDefaultNonOwnerPrivileges() { + return (PrivilegeSet)defaultNonOwnerPrivileges.clone(); + } + + /** Set the given privilege + * + * @param index + * @param val + */ + public void setPrivilege(int index, char val) { + if (privileges == null) { + privileges = (char[])defaultNonOwnerPrivileges.getPrivileges().clone(); + } + + privileges[index] = val; + } + + /** Get the given privilege + * + * @param index + * @return char + */ + public char getPrivilege(int index) { + if (privileges == null) { + return unspecified; + } + + return privileges[index]; + } + + /** Ensure thsi privilegeset has no privilege greater than those in the filter + * + * @param filter + */ + public void filterPrivileges(PrivilegeSet filter) { + if (privileges == null) { + privileges = (char[])defaultNonOwnerPrivileges.getPrivileges().clone(); + } + + char[] filterPrivs = filter.getPrivileges(); + + for (int pi = 0; pi < privileges.length; pi++) { + if (privileges[pi] > filterPrivs[pi]) { + privileges[pi] = filterPrivs[pi]; + } + } + } + + /** If current is null it is set to a cloned copy of morePriv otherwise the + * privilege(s) in morePriv are merged into current. + * + *

Specified access overrides inherited access,
+ * allowed overrides denied overrides unspecified so the order is, from + * highest to lowest:
+ * + * allowed, denied, allowedInherited, deniedInherited, unspecified. + * + *

Only allowed and denied appear in encoded aces. + * + * @param current + * @param morePriv + * @param inherited true if the ace was an inherited ace + * @return PrivilegeSet mergedPrivileges + */ + public static PrivilegeSet mergePrivileges(PrivilegeSet current, + PrivilegeSet morePriv, + boolean inherited) { + PrivilegeSet mp = (PrivilegeSet)morePriv.clone(); + + if (inherited) { + for (int i = 0; i <= privMaxType; i++) { + char p = mp.getPrivilege(i); + if (p == allowed) { + mp.setPrivilege(i, allowedInherited); + } else if (p == denied) { + mp.setPrivilege(i, deniedInherited); + } + } + } + + if (current == null) { + return mp; + } + + for (int i = 0; i <= privMaxType; i++) { + char priv = mp.getPrivilege(i); + if (current.getPrivilege(i) < priv) { + current.setPrivilege(i, priv); + } + } + + return current; + } + + /** Set all unspecified values to allowed for the owner or denied otherwise. + * + * @param isOwner + */ + public void setUnspecified(boolean isOwner) { + for (int pi = 0; pi < privileges.length; pi++) { + if (privileges[pi] == unspecified) { + if (isOwner) { + privileges[pi] = allowed; + } else { + privileges[pi] = denied; + } + } + } + } + + /** + * @return char[] privileges for this object + */ + public char[] getPrivileges() { + return privileges; + } + + public Object clone() { + return new PrivilegeSet((char[])getPrivileges().clone()); + } + + public String toString() { + StringBuffer sb = new StringBuffer("PrivilegeSet["); + + sb.append(privileges); + sb.append("]"); + + return sb.toString(); + } +} + Index: trunk/calendar3/access/src/edu/rpi/cct/uwcal/access/Privileges.java =================================================================== --- trunk/calendar3/access/src/edu/rpi/cct/uwcal/access/Privileges.java (revision 445) +++ trunk/calendar3/access/src/edu/rpi/cct/uwcal/access/Privileges.java (revision 448) @@ -196,5 +196,5 @@ * @throws AccessException */ - public static char[] fromEncoding(EncodedAcl acl) throws AccessException { + public static PrivilegeSet fromEncoding(EncodedAcl acl) throws AccessException { char[] privStates = { unspecified, // privAll @@ -229,5 +229,5 @@ } - return privStates; + return new PrivilegeSet(privStates); } Index: trunk/calendar3/appcommon/src/org/bedework/appcommon/AccessAppUtil.java =================================================================== --- trunk/calendar3/appcommon/src/org/bedework/appcommon/AccessAppUtil.java (revision 445) +++ trunk/calendar3/appcommon/src/org/bedework/appcommon/AccessAppUtil.java (revision 448) @@ -62,4 +62,5 @@ import edu.rpi.cct.uwcal.access.Privilege; import edu.rpi.cct.uwcal.access.PrivilegeDefs; +import edu.rpi.cct.uwcal.access.PrivilegeSet; import edu.rpi.cct.uwcal.access.Privileges; import edu.rpi.sss.util.xml.QName; @@ -254,11 +255,13 @@ * returning the representation a a String * - * @param privileges char[] of allowed/disallowed + * @param ps PrivilegeSet allowed/disallowed * @return String xml * @throws CalFacadeException */ - public static String getCurrentPrivSetString(char[] privileges) + public static String getCurrentPrivSetString(PrivilegeSet ps) throws CalFacadeException { try { + char[] privileges = ps.getPrivileges(); + XmlEmit xml = new XmlEmit(true); // no headers StringWriter su = new StringWriter(); Index: trunk/calendar3/calCore/src/org/bedework/calcore/hibernate/AccessUtil.java =================================================================== --- trunk/calendar3/calCore/src/org/bedework/calcore/hibernate/AccessUtil.java (revision 445) +++ trunk/calendar3/calCore/src/org/bedework/calcore/hibernate/AccessUtil.java (revision 448) @@ -58,4 +58,5 @@ import edu.rpi.cct.uwcal.access.Acl; import edu.rpi.cct.uwcal.access.PrivilegeDefs; +import edu.rpi.cct.uwcal.access.PrivilegeSet; import edu.rpi.cct.uwcal.access.Acl.CurrentAccess; @@ -66,4 +67,5 @@ import org.bedework.calfacade.BwLocation; import org.bedework.calfacade.BwSponsor; +import org.bedework.calfacade.BwSystem; import org.bedework.calfacade.BwUser; import org.bedework.calfacade.CalFacadeAccessException; @@ -93,4 +95,10 @@ private BwUser authUser; + private BwSystem syspars; + + private String userRootPath; + + private String userHomePathPrefix; + private transient Logger log; @@ -140,4 +148,14 @@ */ public void close() { + } + + /** Set the system parameters object. + * @param val + */ + public void setSyspars(BwSystem val) { + syspars = val; + + userRootPath = "/" + syspars.getUserCalendarRoot(); + userHomePathPrefix = userRootPath + "/"; } @@ -249,15 +267,48 @@ try { - CurrentAccess ca; + CurrentAccess ca = null; + String account = ent.getOwner().getAccount(); - - char[] aclChars = getAclChars(ent); - - if (desiredAccess == privRead) { - ca = access.checkRead(authUser, account, aclChars); - } else if (desiredAccess == privWrite) { - ca = access.checkReadWrite(authUser, account, aclChars); - } else { - ca = access.evaluateAccess(authUser, account, desiredAccess, aclChars); + PrivilegeSet maxPrivs = null; + + char[] aclChars = null; + + if (ent instanceof BwCalendar) { + BwCalendar cal = (BwCalendar)ent; + String path = cal.getPath(); + + if (userRootPath.equals(path)) { + ca = new CurrentAccess(); + + if (getSuperUser()) { + ca.privileges = PrivilegeSet.makeDefaultOwnerPrivileges(); + } else { + ca.privileges = PrivilegeSet.makeDefaultNonOwnerPrivileges(); + } + } else if (path.equals(userHomePathPrefix + account)){ + // Accessing user home directory + if (getSuperUser()) { + ca = new CurrentAccess(); + + ca.privileges = PrivilegeSet.makeDefaultOwnerPrivileges(); + } else { + // Set the maximumn access + maxPrivs = PrivilegeSet.userHomeMaxPrivileges; + } + } + } + + if (ca == null) { + // Not special + aclChars = getAclChars(ent); + + if (desiredAccess == privRead) { + ca = access.checkRead(authUser, account, aclChars, maxPrivs); + } else if (desiredAccess == privWrite) { + ca = access.checkReadWrite(authUser, account, aclChars, maxPrivs); + } else { + ca = access.evaluateAccess(authUser, account, desiredAccess, aclChars, + maxPrivs); + } } Index: trunk/calendar3/calCore/src/org/bedework/calcore/hibernate/CalintfImpl.java =================================================================== --- trunk/calendar3/calCore/src/org/bedework/calcore/hibernate/CalintfImpl.java (revision 445) +++ trunk/calendar3/calCore/src/org/bedework/calcore/hibernate/CalintfImpl.java (revision 448) @@ -298,4 +298,5 @@ authUser.setGroups(groups.getAllGroups(authUser)); access.setAuthUser(authUser); + access.setSyspars((BwSystem)getSyspars().clone()); events = new Events(this, access, currentMode, debug); @@ -322,4 +323,5 @@ calendars.addNewCalendars(authUser); } + return userCreated; } @@ -407,4 +409,6 @@ checkOpen(); sess.update(val); + syspars = null; // Force refresh + access.setSyspars((BwSystem)getSyspars().clone()); } Index: trunk/calendar3/test/src/org/bedework/tests/access/AccessTest.java =================================================================== --- trunk/calendar3/test/src/org/bedework/tests/access/AccessTest.java (revision 320) +++ trunk/calendar3/test/src/org/bedework/tests/access/AccessTest.java (revision 448) @@ -155,5 +155,6 @@ Privilege[] how,char[] encoded, boolean expected, String title) throws Throwable { - CurrentAccess ca = new Acl().evaluateAccess(who, owner.getAccount(), how, encoded); + CurrentAccess ca = new Acl().evaluateAccess(who, owner.getAccount(), how, + encoded, null); if (debug) { Index: trunk/calendar3/webadmin/src/org/bedework/webadmin/system/UpdateSysparsAction.java =================================================================== --- trunk/calendar3/webadmin/src/org/bedework/webadmin/system/UpdateSysparsAction.java (revision 446) +++ trunk/calendar3/webadmin/src/org/bedework/webadmin/system/UpdateSysparsAction.java (revision 448) @@ -66,4 +66,7 @@ * *

Parameters are: