001/* 002 * (C) Copyright 2006-2016 Nuxeo SA (http://nuxeo.com/) and others. 003 * 004 * Licensed under the Apache License, Version 2.0 (the "License"); 005 * you may not use this file except in compliance with the License. 006 * You may obtain a copy of the License at 007 * 008 * http://www.apache.org/licenses/LICENSE-2.0 009 * 010 * Unless required by applicable law or agreed to in writing, software 011 * distributed under the License is distributed on an "AS IS" BASIS, 012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 013 * See the License for the specific language governing permissions and 014 * limitations under the License. 015 * 016 * Contributors: 017 * Anahide Tchertchian 018 * Florent Guillaume 019 */ 020package org.nuxeo.ecm.core.security; 021 022import java.util.Arrays; 023 024import org.nuxeo.ecm.core.api.Lock; 025import org.nuxeo.ecm.core.api.NuxeoPrincipal; 026import org.nuxeo.ecm.core.api.security.ACP; 027import org.nuxeo.ecm.core.api.security.Access; 028import org.nuxeo.ecm.core.api.security.SecurityConstants; 029import org.nuxeo.ecm.core.model.Document; 030import org.nuxeo.ecm.core.query.sql.model.SQLQuery; 031 032/** 033 * Security policy that blocks WRITE permission on a document if it is locked by someone else. 034 * 035 * @author Anahide Tchertchian 036 * @author Florent Guillaume 037 */ 038public class LockSecurityPolicy extends AbstractSecurityPolicy { 039 040 protected static final ThreadLocal<Boolean> IGNORE_POLICY = new ThreadLocal<>(); 041 042 @Override 043 public Access checkPermission(Document doc, ACP mergedAcp, NuxeoPrincipal principal, String permission, 044 String[] resolvedPermissions, String[] additionalPrincipals) { 045 Access access = Access.UNKNOWN; 046 // policy only applies on WRITE 047 if (resolvedPermissions == null || !Arrays.asList(resolvedPermissions).contains(SecurityConstants.WRITE)) { 048 return access; 049 } 050 // Checked separately to be tested only if needed for performance concerns 051 if (isIgnorePolicy()) { 052 return access; 053 } 054 // check the lock 055 String username = principal.getName(); 056 Lock lock = doc.getLock(); 057 if (lock != null && !username.equals(lock.getOwner())) { 058 // locked by another user => deny 059 access = Access.DENY; 060 } 061 return access; 062 } 063 064 @Override 065 public boolean isRestrictingPermission(String permission) { 066 assert permission.equals("Browse"); // others not coded 067 return false; 068 } 069 070 @Override 071 public boolean isExpressibleInQuery(String repositoryName) { 072 return true; 073 } 074 075 @Override 076 public SQLQuery.Transformer getQueryTransformer(String repositoryName) { 077 return SQLQuery.Transformer.IDENTITY; 078 } 079 080 /** 081 * @since 11.1 082 */ 083 public static void setIgnorePolicy(boolean ignore) { 084 if (ignore) { 085 IGNORE_POLICY.set(Boolean.TRUE); 086 } else { 087 IGNORE_POLICY.remove(); 088 } 089 } 090 091 /** 092 * @since 11.1 093 */ 094 public static boolean isIgnorePolicy() { 095 Boolean ignore = IGNORE_POLICY.get(); 096 if (ignore == null) { 097 // don't leave an allocated null in the thead-local map 098 IGNORE_POLICY.remove(); 099 } 100 return Boolean.TRUE.equals(ignore); 101 } 102}