001/* 002 * (C) Copyright 2006-2014 Nuxeo SAS (http://nuxeo.com/) and contributors. 003 * 004 * All rights reserved. This program and the accompanying materials 005 * are made available under the terms of the GNU Lesser General Public License 006 * (LGPL) version 2.1 which accompanies this distribution, and is available at 007 * http://www.gnu.org/licenses/lgpl-2.1.html 008 * 009 * This library is distributed in the hope that it will be useful, 010 * but WITHOUT ANY WARRANTY; without even the implied warranty of 011 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 012 * Lesser General Public License for more details. 013 * 014 * Contributors: 015 * Alexandre Russel 016 * Florent Guillaume 017 */ 018package org.nuxeo.ecm.platform.publisher.task; 019 020import org.nuxeo.ecm.core.api.CoreSession; 021import org.nuxeo.ecm.core.api.DocumentModel; 022import org.nuxeo.ecm.core.api.DocumentRef; 023import org.nuxeo.ecm.core.api.NuxeoPrincipal; 024import org.nuxeo.ecm.core.api.UnrestrictedSessionRunner; 025import org.nuxeo.ecm.core.api.security.ACE; 026import org.nuxeo.ecm.core.api.security.ACL; 027import org.nuxeo.ecm.core.api.security.ACP; 028import org.nuxeo.ecm.core.api.security.SecurityConstants; 029import org.nuxeo.ecm.platform.usermanager.UserManager; 030import org.nuxeo.runtime.api.Framework; 031 032/** 033 * Changes the permission on a document to only allow validators. 034 */ 035public class ChangePermissionUnrestricted extends UnrestrictedSessionRunner { 036 037 private final DocumentRef ref; 038 039 private final NuxeoPrincipal principal; 040 041 private final String aclName; 042 043 private final String[] validators; 044 045 // acl unused 046 public ChangePermissionUnrestricted(CoreSession session, DocumentModel document, String[] validators, 047 NuxeoPrincipal principal, String aclName, ACL acl) { 048 super(session); 049 this.ref = document.getRef(); 050 this.validators = validators; 051 this.principal = principal; 052 this.aclName = aclName; 053 } 054 055 @Override 056 public void run() { 057 ACP acp = session.getACP(ref); 058 ACL acl = acp.getOrCreateACL(aclName); 059 acl.clear(); 060 for (String validator : validators) { 061 acl.add(new ACE(validator, SecurityConstants.READ)); 062 acl.add(new ACE(validator, SecurityConstants.WRITE)); 063 } 064 // Give View permission to the user who submitted for publishing. 065 acl.add(new ACE(principal.getName(), SecurityConstants.READ)); 066 // Allow administrators too. 067 UserManager userManager = Framework.getService(UserManager.class); 068 for (String group : userManager.getAdministratorsGroups()) { 069 acl.add(new ACE(group, SecurityConstants.EVERYTHING)); 070 } 071 // Deny everyone else. 072 acl.add(ACE.BLOCK); 073 session.setACP(ref, acp, true); 074 session.save(); 075 } 076 077}