Source code

001/*  
002 * (C) Copyright 2006-2014 Nuxeo SA (http://nuxeo.com/) and others.
003 *
004 * All rights reserved. This program and the accompanying materials
005 * are made available under the terms of the GNU Lesser General Public License
006 * (LGPL) version 2.1 which accompanies this distribution, and is available at
007 * http://www.gnu.org/licenses/lgpl-2.1.html
008 *
009 * This library is distributed in the hope that it will be useful,
010 * but WITHOUT ANY WARRANTY; without even the implied warranty of
011 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
012 * Lesser General Public License for more details.
013 *
014 * Contributors:
015 *     Thierry Delprat <tdelprat@nuxeo.com>
016 */
017
018package org.nuxeo.ecm.multi.tenant.acl;
019
020import java.util.List;
021
022import org.nuxeo.ecm.core.api.DocumentModel;
023import org.nuxeo.ecm.core.api.event.CoreEventConstants;
024import org.nuxeo.ecm.core.api.event.DocumentEventTypes;
025import org.nuxeo.ecm.core.api.security.ACE;
026import org.nuxeo.ecm.core.api.security.ACL;
027import org.nuxeo.ecm.core.api.security.ACP;
028import org.nuxeo.ecm.core.event.Event;
029import org.nuxeo.ecm.core.event.EventListener;
030import org.nuxeo.ecm.core.event.impl.DocumentEventContext;
031import org.nuxeo.ecm.multi.tenant.MultiTenantHelper;
032import org.nuxeo.ecm.multi.tenant.MultiTenantService;
033import org.nuxeo.runtime.api.Framework;
034
035/**
036 * Intercepts ACL changes and restrict Grant to Tenant bound groups for a configured list of global groups
037 * 
038 * @author tiry
039 */
040public class ACLUpdateListener implements EventListener {
041
042    @Override
043    public void handleEvent(Event event) {
044
045        if (DocumentEventTypes.BEFORE_DOC_SECU_UPDATE.equals(event.getName())) {
046
047            MultiTenantService mts = Framework.getService(MultiTenantService.class);
048            if (!mts.isTenantIsolationEnabled(event.getContext().getCoreSession())) {
049                return;
050            }
051            List<String> prohibitedGroups = mts.getProhibitedGroups();
052
053            DocumentModel target = ((DocumentEventContext) event.getContext()).getSourceDocument();
054            ACP newACP = (ACP) event.getContext().getProperty(CoreEventConstants.NEW_ACP);
055
056            for (ACL acl : newACP.getACLs()) {
057                int idx = 0;
058                for (ACE ace : acl.getACEs()) {
059                    if (ace.isGranted() && prohibitedGroups.contains(ace.getUsername())) {
060                        String tenantId = MultiTenantHelper.getOwningTenantId(target);
061                        if (tenantId != null) {
062                            acl.set(idx,
063                                    new ACE(MultiTenantHelper.computeTenantMembersGroup(tenantId), ace.getPermission(),
064                                            ace.isGranted()));
065                        }
066                    }
067                    idx++;
068                }
069            }
070        }
071    }
072}