SecurityPolicy (Nuxeo ECM Projects 5.4.3-SNAPSHOT API Documentation)

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

Nuxeo ECM Projects 5.4.3-SNAPSHOT

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

org.nuxeo.ecm.core.security
Interface SecurityPolicy

All Known Implementing Classes:: AbstractSecurityPolicy, CheckInSecurityPolicy, LockSecurityPolicy

public interface SecurityPolicy

Interface for pluggable core security policy.

Author:: Anahide Tchertchian, Florent Guillaume

Method Summary
`Access`	`checkPermission(Document doc, ACP mergedAcp, Principal principal, String permission, String[] resolvedPermissions, String[] additionalPrincipals)` Checks given permission for doc and principal.
`SQLQuery.Transformer`	`getQueryTransformer(String repositoryName)` Get the transformer to use to apply this policy to a query.
`boolean`	`isExpressibleInQuery(String repositoryName)` Checks if this policy can be expressed in a query for given repository.
`boolean`	`isRestrictingPermission(String permission)` Checks if this policy is restricting the given permission.

Method Detail

checkPermission

Access checkPermission(Document doc,
                       ACP mergedAcp,
                       Principal principal,
                       String permission,
                       String[] resolvedPermissions,
                       String[] additionalPrincipals)

Checks given permission for doc and principal.

Note that for the Browse permission, which is also implemented in SQL using getQueryTransformer(java.lang.String), a security policy must never bypass standard ACL access, it must only return DENY or UNKNOWN. Failing to do this would make direct access and queries behave differently.

Parameters:: doc - the document to check; mergedAcp - merged ACP resolved for this document; principal - principal to check; permission - permission to check; resolvedPermissions - permissions or groups of permissions containing permission; additionalPrincipals -
Returns:: access: GRANT, DENY, or UNKNOWN. When UNKNOWN is returned, following policies or default core security are applied.

isRestrictingPermission

boolean isRestrictingPermission(String permission)

Checks if this policy is restricting the given permission.

Queries check the BROWSE permission.

Parameters:: permission - the permission to check for
Returns:: true if the policy restricts the permission

isExpressibleInQuery

boolean isExpressibleInQuery(String repositoryName)

Checks if this policy can be expressed in a query for given repository.

If not, then any query made will have to be post-filtered.

Parameters:: repositoryName - the target repository name.
Returns:: true if the policy can be expressed in a query

getQueryTransformer

SQLQuery.Transformer getQueryTransformer(String repositoryName)

Get the transformer to use to apply this policy to a query.

Called only when #isExpressibleInQuery() returned true

Parameters:: repositoryName - the target repository name.
Returns:: the transformer