001/*
002 * (C) Copyright 2012 Nuxeo SA (http://nuxeo.com/) and others.
003 *
004 * Licensed under the Apache License, Version 2.0 (the "License");
005 * you may not use this file except in compliance with the License.
006 * You may obtain a copy of the License at
007 *
008 *     http://www.apache.org/licenses/LICENSE-2.0
009 *
010 * Unless required by applicable law or agreed to in writing, software
011 * distributed under the License is distributed on an "AS IS" BASIS,
012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013 * See the License for the specific language governing permissions and
014 * limitations under the License.
015 *
016 * Contributors:
017 *     Antoine Taillefer <ataillefer@nuxeo.com>
018 */
019package org.nuxeo.drive.hierarchy.permission.adapter;
020
021import java.util.ArrayList;
022import java.util.Collections;
023import java.util.Iterator;
024import java.util.List;
025import java.util.Map;
026import java.util.Set;
027
028import org.apache.logging.log4j.LogManager;
029import org.apache.logging.log4j.Logger;
030import org.nuxeo.drive.adapter.FileSystemItem;
031import org.nuxeo.drive.adapter.FolderItem;
032import org.nuxeo.drive.adapter.impl.AbstractVirtualFolderItem;
033import org.nuxeo.drive.service.NuxeoDriveManager;
034import org.nuxeo.drive.service.SynchronizationRoots;
035import org.nuxeo.ecm.core.api.CloseableCoreSession;
036import org.nuxeo.ecm.core.api.CoreInstance;
037import org.nuxeo.ecm.core.api.DocumentModel;
038import org.nuxeo.ecm.core.api.IdRef;
039import org.nuxeo.ecm.core.api.NuxeoPrincipal;
040import org.nuxeo.ecm.core.api.security.SecurityConstants;
041import org.nuxeo.runtime.api.Framework;
042
043/**
044 * Permission based implementation of the parent {@link FolderItem} of the user's shared synchronization roots.
045 *
046 * @author Antoine Taillefer
047 */
048public class SharedSyncRootParentFolderItem extends AbstractVirtualFolderItem {
049
050    private static final Logger log = LogManager.getLogger(SharedSyncRootParentFolderItem.class);
051
052    public SharedSyncRootParentFolderItem(String factoryName, NuxeoPrincipal principal, String parentId,
053            String parentPath, String folderName) {
054        super(factoryName, principal, parentId, parentPath, folderName);
055    }
056
057    protected SharedSyncRootParentFolderItem() {
058        // Needed for JSON deserialization
059    }
060
061    @Override
062    public List<FileSystemItem> getChildren() {
063
064        List<FileSystemItem> children = new ArrayList<>();
065        Map<String, SynchronizationRoots> syncRootsByRepo = Framework.getService(NuxeoDriveManager.class)
066                                                                     .getSynchronizationRoots(principal);
067        for (Map.Entry<String, SynchronizationRoots> entry : syncRootsByRepo.entrySet()) {
068            try (CloseableCoreSession session = CoreInstance.openCoreSession(entry.getKey(), principal)) {
069                Set<IdRef> syncRootRefs = entry.getValue().getRefs();
070                Iterator<IdRef> syncRootRefsIt = syncRootRefs.iterator();
071                while (syncRootRefsIt.hasNext()) {
072                    IdRef idRef = syncRootRefsIt.next();
073                    // TODO: ensure sync roots cache is up-to-date if ACL
074                    // change, for now need to check permission
075                    // See https://jira.nuxeo.com/browse/NXP-11146
076                    if (!session.hasPermission(idRef, SecurityConstants.READ)) {
077                        log.debug(
078                                "User {} has no READ access on synchronization root {}, not including it in children.",
079                                session::getPrincipal, () -> idRef);
080                        continue;
081                    }
082                    DocumentModel doc = session.getDocument(idRef);
083                    // Filter by creator
084                    // TODO: allow filtering by dc:creator in
085                    // NuxeoDriveManager#getSynchronizationRoots(NuxeoPrincipal
086                    // principal)
087                    if (!session.getPrincipal().getName().equals(doc.getPropertyValue("dc:creator"))) {
088                        // NXP-19442: Avoid useless and costly call to DocumentModel#getLockInfo
089                        FileSystemItem child = getFileSystemItemAdapterService().getFileSystemItem(doc, this, false,
090                                false, false);
091                        if (child == null) {
092                            log.debug(
093                                    "Synchronization root {} cannot be adapted as a FileSystemItem, maybe because user {} doesn't have the required permission on it (default required permission is ReadWrite). Not including it in children.",
094                                    () -> idRef, session::getPrincipal);
095                            continue;
096                        }
097                        log.debug("Including synchronization root {} in children.", idRef);
098                        children.add(child);
099                    }
100                }
101            }
102        }
103        Collections.sort(children);
104        return children;
105    }
106
107}