Nuxeo ECM Projects 5.4.3-SNAPSHOT

org.nuxeo.ecm.core.api.security
Interface ACP

All Superinterfaces:
Cloneable, Serializable
All Known Implementing Classes:
ACPImpl

public interface ACP
extends Serializable, Cloneable

An access control policy (ACP) controls the access permissions on a resource.

An ACP may contain several ACLs (access control lists), each identified by a name.

The list of ACLs is ordered, so that when checking permissions the ACLs are consulted in ascending order (the ACL at position 0 is consulted first).

Every ACP has at least one ACL having the reserved name "local". This is the only user-editable list (through the security UI).

Other ACLs are used internally and are editable only through the API.

An ACP may also have a list named "inherited" that represents the ACLs inherited from the resource's parents, if any. These ACLs are merged into a single list that is always read-only, even through the API.

Author:
Bogdan Stefanescu, Julien Anguenot

Method Summary
 void addACL(ACL acl)
           
 void addACL(int pos, ACL acl)
           
 void addACL(String afterMe, ACL acl)
           
 void addOwner(String owner)
           
 Object clone()
          Returns a recursive copy of the ACP sharing no mutable substructure with the original.
 Access getAccess(String[] principals, String[] permissions)
          Checks the access on the ACLs for each set of the given permissions and principals.
 Access getAccess(String principal, String permission)
          Checks whether this ACP grants the given permission to the given user, denies it, or doesn't specify a rule.
 ACL getACL(String name)
           
 ACL[] getACLs()
           
 ACL getMergedACLs(String name)
           
 ACL getOrCreateACL()
           
 ACL getOrCreateACL(String name)
           
 String[] getOwners()
           
 boolean isOwner(String username)
           
 String[] listUsernamesForAnyPermission(Set<String> perms)
          Deprecated. Use the getUsersForPermission method of the UserManager service instead.
 String[] listUsernamesForPermission(String perm)
          Deprecated. Use the getUsersForPermission method of the UserManager service instead.
 ACL removeACL(String name)
           
 void removeOwner(String owner)
           
 void setOwners(String[] owners)
           
 void setRules(String aclName, UserEntry[] userEntries)
          Replaces the modifiable user entries (associated with the currentDocument) related to the ACP.
 void setRules(String aclName, UserEntry[] userEntries, boolean overwrite)
          Replaces the modifiable user entries (associated with the currentDocument) related to the ACP.
 void setRules(UserEntry[] userEntries)
          Replaces the modifiable user entries (associated with the currentDocument) related to the current ACP.
 void setRules(UserEntry[] userEntries, boolean overwrite)
          Replaces the modifiable user entries (associated with the currentDocument) related to the current ACP.
 

Method Detail

getAccess

Access getAccess(String principal,
                 String permission)
Checks whether this ACP grants the given permission to the given user, denies it, or doesn't specify a rule.

This checks only the ACLs on this ACP. Parents, if any, are not checked.

Parameters:
principal - the principal to check
permission - the permission to check
Returns:
Access.GRANT if granted, Access.DENY if denied or Access.UNKNOWN if no rule for that permission exists. Never returns null.

getAccess

Access getAccess(String[] principals,
                 String[] permissions)
Checks the access on the ACLs for each set of the given permissions and principals.

This differs from an iterative check using getAccess(String principal, String permission) in the order of checks: in this case each ACE is fully checked against the given users and permissions before passing to the next ACE.

Parameters:
principals -
permissions -
Returns:
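
The difference in check order between the two getAccess forms, shown as an added example that is not Nuxeo code: a self-contained model in which the class AcpOrderDemo, the record Ace, the method iterative and the sample principals are all hypothetical. It assumes the first matching ACE decides the result.

```java
import java.util.List;

// Simplified model of the evaluation order described above; not Nuxeo code.
public class AcpOrderDemo {
    enum Access { GRANT, DENY, UNKNOWN }

    // One access control entry: principal, permission, grant or deny.
    record Ace(String principal, String permission, boolean granted) {
        Access check(String who, String perm) {
            boolean match = principal.equals(who) && permission.equals(perm);
            return !match ? Access.UNKNOWN : granted ? Access.GRANT : Access.DENY;
        }
    }

    // Single form. Assumption: the first ACE that matches decides the result.
    static Access getAccess(List<Ace> aces, String principal, String permission) {
        for (Ace ace : aces) {
            Access a = ace.check(principal, permission);
            if (a != Access.UNKNOWN) return a;
        }
        return Access.UNKNOWN;
    }

    // Array form: each ACE is checked against every principal and
    // permission before the next ACE is consulted.
    static Access getAccess(List<Ace> aces, String[] principals, String[] permissions) {
        for (Ace ace : aces)
            for (String who : principals)
                for (String perm : permissions) {
                    Access a = ace.check(who, perm);
                    if (a != Access.UNKNOWN) return a;
                }
        return Access.UNKNOWN;
    }

    // Iterative form: the single check repeated for one principal at a time.
    static Access iterative(List<Ace> aces, String[] principals, String permission) {
        for (String who : principals) {
            Access a = getAccess(aces, who, permission);
            if (a != Access.UNKNOWN) return a;
        }
        return Access.UNKNOWN;
    }

    public static void main(String[] args) {
        // Constructed sample ACL: a group deny placed before a user grant.
        List<Ace> local = List.of(new Ace("contractors", "Read", false),
                                  new Ace("alice", "Read", true));
        String[] principals = {"alice", "contractors"}; // user plus her group
        System.out.println("array form: " + getAccess(local, principals, new String[] {"Read"}));
        System.out.println("iterative:  " + iterative(local, principals, "Read"));
    }
}
```

With this ACL the array form reaches the group deny at position 0 first, while the per-principal loop returns alice's grant before the group is ever considered, so a caller that loops over principals itself can miss an earlier deny.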

setRules

void setRules(UserEntry[] userEntries)
Replaces the modifiable user entries (associated with the currentDocument) related to the current ACP.

Considers that all the passed entries are modifiable and attempts to set them as local entries related to the current document.

Parameters:
userEntries -

setRules

void setRules(UserEntry[] userEntries,
              boolean overwrite)
Replaces the modifiable user entries (associated with the currentDocument) related to the current ACP.

Considers that all the passed entries are modifiable and attempts to set them as local entries related to the current document.

The current behavior completely resets the current ACL.

Parameters:
userEntries -
overwrite - if true, will overwrite the whole current ACL

setRules

void setRules(String aclName,
              UserEntry[] userEntries)
Replaces the modifiable user entries (associated with the currentDocument) related to the ACP.

Considers that all the passed entries are modifiable and attempts to set them as entries related to the current document.

Parameters:
aclName -
userEntries -

setRules

void setRules(String aclName,
              UserEntry[] userEntries,
              boolean overwrite)
Replaces the modifiable user entries (associated with the currentDocument) related to the ACP.

Considers that all the passed entries are modifiable and attempts to set them as entries related to the current document.

Parameters:
aclName -
userEntries -
overwrite - if true, will overwrite the whole ACL

getOwners

String[] getOwners()

setOwners

void setOwners(String[] owners)

removeOwner

void removeOwner(String owner)

addOwner

void addOwner(String owner)

isOwner

boolean isOwner(String username)

addACL

void addACL(ACL acl)

addACL

void addACL(int pos,
            ACL acl)

addACL

void addACL(String afterMe,
            ACL acl)

removeACL

ACL removeACL(String name)

getACL

ACL getACL(String name)

getACLs

ACL[] getACLs()

getMergedACLs

ACL getMergedACLs(String name)

getOrCreateACL

ACL getOrCreateACL(String name)

getOrCreateACL

ACL getOrCreateACL()

listUsernamesForPermission

@Deprecated
String[] listUsernamesForPermission(String perm)
Deprecated. Use the getUsersForPermission method of the UserManager service instead.

Returns the usernames having a given permission.

Parameters:
perm - the permission name.
Returns:
a list of usernames

listUsernamesForAnyPermission

@Deprecated
String[] listUsernamesForAnyPermission(Set<String> perms)
Deprecated. Use the getUsersForPermission method of the UserManager service instead.

Returns the usernames granted to perform an operation based on a list of permissions.

Parameters:
perms - the list of permissions.
Returns:
a list of usernames

clone

Object clone()
Returns a recursive copy of the ACP sharing no mutable substructure with the original.

Returns:
a copy

Copyright © 2011 Nuxeo SAS. All Rights Reserved.