001/*
002 * Copyright (c) 2006-2011 Nuxeo SA (http://nuxeo.com/) and others.
003 *
004 * All rights reserved. This program and the accompanying materials
005 * are made available under the terms of the Eclipse Public License v1.0
006 * which accompanies this distribution, and is available at
007 * http://www.eclipse.org/legal/epl-v10.html
008 *
009 * Contributors:
010 *     Anahide Tchertchian
011 *     Florent Guillaume
012 */
013
014package org.nuxeo.ecm.core.security;
015
016import java.security.Principal;
017import java.util.Arrays;
018
019import org.nuxeo.ecm.core.api.Lock;
020import org.nuxeo.ecm.core.api.security.ACP;
021import org.nuxeo.ecm.core.api.security.Access;
022import org.nuxeo.ecm.core.api.security.SecurityConstants;
023import org.nuxeo.ecm.core.model.Document;
024import org.nuxeo.ecm.core.query.sql.model.SQLQuery;
025
026/**
027 * Security policy that blocks WRITE permission on a document if it is locked by someone else.
028 *
029 * @author Anahide Tchertchian
030 * @author Florent Guillaume
031 */
public class LockSecurityPolicy extends AbstractSecurityPolicy {

    /**
     * Denies the check when WRITE is among the resolved permissions and the document is locked by a different
     * user name than the requesting principal.
     * <p>
     * In every other case the method returns {@link Access#UNKNOWN}; it never returns a grant. Presumably
     * UNKNOWN leaves the decision to the ACP and the other registered policies (confirm against the
     * security policy contract).
     * <p>
     * Only {@code resolvedPermissions}, {@code principal} and {@code doc} are read here. {@code mergedAcp},
     * {@code permission} and {@code additionalPrincipals} are ignored, so lock ownership is matched against
     * {@code principal.getName()} alone.
     *
     * @param doc the document whose lock is inspected
     * @param mergedAcp not used by this policy
     * @param principal the requesting principal; its name is compared with the lock owner
     * @param permission not used by this policy
     * @param resolvedPermissions the permissions to test for WRITE; may be {@code null}
     * @param additionalPrincipals not used by this policy
     * @return {@link Access#DENY} if WRITE is involved and another user holds the lock, otherwise
     *         {@link Access#UNKNOWN}
     */
    @Override
    public Access checkPermission(Document doc, ACP mergedAcp, Principal principal, String permission,
            String[] resolvedPermissions, String[] additionalPrincipals) {
        // The policy has no opinion unless WRITE is one of the resolved permissions.
        if (resolvedPermissions == null) {
            return Access.UNKNOWN;
        }
        boolean writeInvolved = Arrays.asList(resolvedPermissions).contains(SecurityConstants.WRITE);
        if (!writeInvolved) {
            return Access.UNKNOWN;
        }

        // Resolve the requester's name before reading the lock, as the lock owner is compared against it.
        String requester = principal.getName();
        Lock currentLock = doc.getLock();
        if (currentLock == null) {
            // Unlocked document: nothing for this policy to block.
            return Access.UNKNOWN;
        }

        // Exact, case-sensitive String comparison. A lock whose owner is null never matches the
        // requester, so it ends in DENY rather than being treated as unlocked.
        boolean heldByRequester = requester.equals(currentLock.getOwner());
        return heldByRequester ? Access.UNKNOWN : Access.DENY;
    }

    /**
     * Reports that this policy does not restrict the given permission; the result is always {@code false}.
     * <p>
     * The {@code assert} only records that "Browse" is the one permission this method was written for.
     * Java assertions are skipped unless the JVM runs with {@code -ea}, so it is not an enforced check:
     * with assertions off, any permission name (including {@code null}) yields {@code false}.
     *
     * @param permission the permission name being asked about
     * @return always {@code false}
     */
    @Override
    public boolean isRestrictingPermission(String permission) {
        assert permission.equals("Browse"); // no other permission is handled here
        return false;
    }

    /**
     * Declares the policy as expressible in a query.
     *
     * @return always {@code true}
     */
    @Override
    public boolean isExpressibleInQuery() {
        return true;
    }

    /**
     * Supplies the query transformer for this policy, which is the shared identity instance.
     * <p>
     * NOTE(review): IDENTITY presumably leaves queries unchanged, meaning locks do not filter query
     * results. That would match {@link #isRestrictingPermission(String)} returning {@code false}; confirm
     * against {@code SQLQuery.Transformer}.
     *
     * @return {@code SQLQuery.Transformer.IDENTITY}
     */
    @Override
    public SQLQuery.Transformer getQueryTransformer() {
        return SQLQuery.Transformer.IDENTITY;
    }

}