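/*
 * (C) Copyright 2006-2014 Nuxeo SA (http://nuxeo.com/) and others.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Contributors:
 *     Thierry Delprat <tdelprat@nuxeo.com>
 */

package org.nuxeo.ecm.multi.tenant.acl;

import java.util.List;

import org.nuxeo.ecm.core.api.DocumentModel;
import org.nuxeo.ecm.core.api.event.CoreEventConstants;
import org.nuxeo.ecm.core.api.event.DocumentEventTypes;
import org.nuxeo.ecm.core.api.security.ACE;
import org.nuxeo.ecm.core.api.security.ACL;
import org.nuxeo.ecm.core.api.security.ACP;
import org.nuxeo.ecm.core.event.Event;
import org.nuxeo.ecm.core.event.EventListener;
import org.nuxeo.ecm.core.event.impl.DocumentEventContext;
import org.nuxeo.ecm.multi.tenant.MultiTenantHelper;
import org.nuxeo.ecm.multi.tenant.MultiTenantService;
import org.nuxeo.runtime.api.Framework;

/**
 * Intercepts ACL changes and restricts grants made to a configured list of global groups so that they only reach
 * the members of the tenant owning the document.
 * <p>
 * On {@link DocumentEventTypes#BEFORE_DOC_SECU_UPDATE}, when tenant isolation is enabled, every <em>granted</em>
 * ACE whose principal is one of {@link MultiTenantService#getProhibitedGroups()} is replaced in place (same
 * position, same permission) by a grant to {@link MultiTenantHelper#computeTenantMembersGroup(String)} for the
 * owning tenant of the source document.
 * <p>
 * Security caveats a deployer should be aware of:
 * <ul>
 * <li>Only grants are rewritten. A deny ACE naming a global group is left untouched (it only restricts).</li>
 * <li>If the document has no owning tenant ({@link MultiTenantHelper#getOwningTenantId(DocumentModel)} returns
 * {@code null}) the grants to global groups are kept as-is; documents outside any tenant are not isolated by
 * this listener.</li>
 * <li>Group names are compared with exact {@code String} equality against the configured list.</li>
 * </ul>
 *
 * @author tiry
 */
public class ACLUpdateListener implements EventListener {

    /**
     * Rewrites prohibited global-group grants in the ACP about to be applied.
     *
     * @param event the core event; only {@code BEFORE_DOC_SECU_UPDATE} is handled, everything else is ignored
     */
    @Override
    public void handleEvent(Event event) {
        if (!DocumentEventTypes.BEFORE_DOC_SECU_UPDATE.equals(event.getName())) {
            return;
        }

        // Deliberately no null guard on the service: silently skipping here would let the unrestricted
        // ACP through (fail open); a missing service is a deployment error and should surface as such.
        MultiTenantService mts = Framework.getService(MultiTenantService.class);
        DocumentEventContext ctx = (DocumentEventContext) event.getContext();
        if (!mts.isTenantIsolationEnabled(ctx.getCoreSession())) {
            return;
        }

        List<String> prohibitedGroups = mts.getProhibitedGroups();
        ACP newACP = (ACP) ctx.getProperty(CoreEventConstants.NEW_ACP);
        if (prohibitedGroups == null || prohibitedGroups.isEmpty() || newACP == null) {
            // nothing configured to restrict, or no ACP being applied: nothing to rewrite
            return;
        }

        DocumentModel target = ctx.getSourceDocument();
        // The owning tenant depends only on the target document, so it is resolved at most once, lazily
        // on the first prohibited grant (the original looked it up once per matching ACE).
        String tenantMembersGroup = null;
        boolean tenantResolved = false;

        for (ACL acl : newACP.getACLs()) {
            int idx = 0;
            for (ACE ace : acl.getACEs()) {
                if (ace.isGranted() && prohibitedGroups.contains(ace.getUsername())) {
                    if (!tenantResolved) {
                        String tenantId = MultiTenantHelper.getOwningTenantId(target);
                        tenantMembersGroup = tenantId == null ? null
                                : MultiTenantHelper.computeTenantMembersGroup(tenantId);
                        tenantResolved = true;
                    }
                    if (tenantMembersGroup == null) {
                        // No owning tenant: the grant to the global group is kept unchanged for every ACE
                        // (same outcome for the whole ACP, so there is no point scanning further).
                        // NOTE(review): confirm that leaving such grants in place is the intended policy
                        // for documents outside any tenant.
                        return;
                    }
                    // Replace at the same index so ACE ordering (and therefore evaluation order) is preserved.
                    acl.set(idx, new ACE(tenantMembersGroup, ace.getPermission(), true));
                }
                idx++;
            }
        }
    }

}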