/*
 * (C) Copyright 2006-2016 Nuxeo SA (http://nuxeo.com/) and others.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Contributors:
 *     Anahide Tchertchian
 *     Florent Guillaume
 */
package org.nuxeo.ecm.core.security;

import java.security.Principal;
import java.util.Arrays;

import org.nuxeo.ecm.core.api.Lock;
import org.nuxeo.ecm.core.api.security.ACP;
import org.nuxeo.ecm.core.api.security.Access;
import org.nuxeo.ecm.core.api.security.SecurityConstants;
import org.nuxeo.ecm.core.model.Document;
import org.nuxeo.ecm.core.query.sql.model.SQLQuery;

/**
 * Security policy that blocks WRITE permission on a document if it is locked by someone else.
 * <p>
 * The policy only ever answers {@link Access#DENY} or {@link Access#UNKNOWN}; it never returns a grant. The lock
 * owner is matched against {@link Principal#getName()} with an exact, case-sensitive {@code String.equals}; the
 * merged ACP and the additional principals passed to {@link #checkPermission} are not consulted, and no principal is
 * exempted from the check in this class.
 *
 * @author Anahide Tchertchian
 * @author Florent Guillaume
 */
public class LockSecurityPolicy extends AbstractSecurityPolicy {

    /**
     * Denies the check when WRITE is among the resolved permissions and the document carries a lock whose owner is
     * not the calling principal.
     *
     * @param doc the document being accessed; its lock is read through {@code getLock()}
     * @param mergedAcp not used by this policy
     * @param principal the caller; only its name is used
     * @param permission not used by this policy, which decides on {@code resolvedPermissions} instead
     * @param resolvedPermissions the permissions the check resolves to; {@code null} means the policy does not apply
     * @param additionalPrincipals not used by this policy
     * @return {@link Access#DENY} if the document is locked by another user, otherwise {@link Access#UNKNOWN}
     */
    @Override
    public Access checkPermission(Document doc, ACP mergedAcp, Principal principal, String permission,
            String[] resolvedPermissions, String[] additionalPrincipals) {
        // The policy is out of scope unless WRITE is one of the resolved permissions.
        boolean coversWrite = resolvedPermissions != null
                && Arrays.asList(resolvedPermissions).contains(SecurityConstants.WRITE);
        if (!coversWrite) {
            // UNKNOWN expresses no opinion; presumably the caller then falls back to other policies and the ACP
            // (confirm against the security service).
            return Access.UNKNOWN;
        }

        // NOTE(review): principal and its name are dereferenced without a null check, so a null principal (or a
        // null name on a locked document) surfaces as a NullPointerException rather than as a DENY.
        String requester = principal.getName();
        Lock currentLock = doc.getLock();
        if (currentLock == null) {
            // Unlocked document: nothing for this policy to object to.
            return Access.UNKNOWN;
        }

        // Only the lock owner keeps WRITE; a lock with a null owner therefore denies everyone.
        return requester.equals(currentLock.getOwner()) ? Access.UNKNOWN : Access.DENY;
    }

    /**
     * Reports that this policy does not restrict the given permission; the answer is always {@code false}.
     *
     * @param permission the permission being asked about; only "Browse" was considered by the authors
     * @return {@code false}
     */
    @Override
    public boolean isRestrictingPermission(String permission) {
        // Java assertions are skipped unless the JVM runs with -ea, so this line records the authors' assumption
        // and is not a runtime guard: any other permission also gets false in a default JVM.
        assert permission.equals("Browse"); // others not coded
        return false;
    }

    /**
     * Declares the policy expressible in a query for every repository.
     *
     * @param repositoryName not used
     * @return {@code true}
     */
    @Override
    public boolean isExpressibleInQuery(String repositoryName) {
        return true;
    }

    /**
     * Supplies the query transformer for this policy, which is the same constant for every repository.
     *
     * @param repositoryName not used
     * @return {@link SQLQuery.Transformer#IDENTITY}
     */
    @Override
    public SQLQuery.Transformer getQueryTransformer(String repositoryName) {
        // NOTE(review): IDENTITY presumably leaves the query untouched, i.e. lock state does not filter query
        // results; confirm against SQLQuery.Transformer.
        return SQLQuery.Transformer.IDENTITY;
    }

}