001/*
002 * (C) Copyright 2006-2014 Nuxeo SAS (http://nuxeo.com/) and contributors.
003 *
004 * All rights reserved. This program and the accompanying materials
005 * are made available under the terms of the GNU Lesser General Public License
006 * (LGPL) version 2.1 which accompanies this distribution, and is available at
007 * http://www.gnu.org/licenses/lgpl-2.1.html
008 *
009 * This library is distributed in the hope that it will be useful,
010 * but WITHOUT ANY WARRANTY; without even the implied warranty of
011 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
012 * Lesser General Public License for more details.
013 *
014 * Contributors:
015 *     Alexandre Russel
016 *     Florent Guillaume
017 */
018package org.nuxeo.ecm.platform.publisher.task;
019
020import org.nuxeo.ecm.core.api.CoreSession;
021import org.nuxeo.ecm.core.api.DocumentModel;
022import org.nuxeo.ecm.core.api.DocumentRef;
023import org.nuxeo.ecm.core.api.NuxeoPrincipal;
024import org.nuxeo.ecm.core.api.UnrestrictedSessionRunner;
025import org.nuxeo.ecm.core.api.security.ACE;
026import org.nuxeo.ecm.core.api.security.ACL;
027import org.nuxeo.ecm.core.api.security.ACP;
028import org.nuxeo.ecm.core.api.security.SecurityConstants;
029import org.nuxeo.ecm.platform.usermanager.UserManager;
030import org.nuxeo.runtime.api.Framework;
031
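/**
 * Rewrites one named ACL on a document so that access is limited to the publishing workflow's
 * participants.
 * <p>
 * After {@link #run()} the ACL named {@code aclName} contains, in this order: READ and WRITE for
 * each validator, READ for the submitting principal, EVERYTHING for each administrators group
 * reported by the {@link UserManager}, and finally {@link ACE#BLOCK}.
 * <p>
 * The work runs through {@link UnrestrictedSessionRunner}, so the caller's own permissions on the
 * document are not what authorizes the change. Callers are responsible for making sure that the
 * validator names and the principal come from a trusted source, because every name in
 * {@code validators} receives WRITE on the document.
 */
public class ChangePermissionUnrestricted extends UnrestrictedSessionRunner {

    private final DocumentRef ref;

    private final NuxeoPrincipal principal;

    private final String aclName;

    private final String[] validators;

    /**
     * Captures the target document and the names that will be granted access.
     *
     * @param session the session handed to {@link UnrestrictedSessionRunner}
     * @param document the document whose ACL is rewritten; only its reference is kept
     * @param validators names granted READ and WRITE; copied so that later changes to the caller's
     *            array cannot alter who is granted access when {@link #run()} executes
     * @param principal the submitter, granted READ
     * @param aclName name of the ACL that is cleared and rebuilt
     * @param acl unused; kept so existing callers keep compiling
     */
    public ChangePermissionUnrestricted(CoreSession session, DocumentModel document, String[] validators,
            NuxeoPrincipal principal, String aclName, ACL acl) {
        super(session);
        this.ref = document.getRef();
        // Snapshot the grant list: the array decides who gets WRITE, so it must not change between
        // construction and run(). A null array is stored as-is, which keeps the original failure
        // mode (NullPointerException raised from run()).
        this.validators = validators == null ? null : validators.clone();
        this.principal = principal;
        this.aclName = aclName;
    }

    /**
     * Clears the named ACL, rebuilds it with the workflow grants followed by the blocking entry,
     * then writes the ACP back and saves the session.
     */
    @Override
    public void run() {
        ACP acp = session.getACP(ref);
        ACL acl = acp.getOrCreateACL(aclName);
        // Any entry previously stored under this ACL name is dropped before the rebuild.
        acl.clear();
        for (String validator : validators) {
            acl.add(new ACE(validator, SecurityConstants.READ));
            acl.add(new ACE(validator, SecurityConstants.WRITE));
        }
        // Give View permission to the user who submitted for publishing.
        acl.add(new ACE(principal.getName(), SecurityConstants.READ));
        // Allow administrators too.
        UserManager userManager = Framework.getService(UserManager.class);
        for (String group : userManager.getAdministratorsGroups()) {
            acl.add(new ACE(group, SecurityConstants.EVERYTHING));
        }
        // Deny everyone else. The blocking entry is added last, after every grant above.
        // NOTE(review): this relies on ACEs being evaluated in list order - confirm before
        // reordering any of the add() calls.
        acl.add(ACE.BLOCK);
        // Nothing is persisted until this point, so an exception raised earlier in this method
        // leaves the stored ACP untouched.
        session.setACP(ref, acp, true);
        session.save();
    }

}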