001/* 002 * (C) Copyright 2019 Nuxeo (http://nuxeo.com/) and others. 003 * 004 * Licensed under the Apache License, Version 2.0 (the "License"); 005 * you may not use this file except in compliance with the License. 006 * You may obtain a copy of the License at 007 * 008 * http://www.apache.org/licenses/LICENSE-2.0 009 * 010 * Unless required by applicable law or agreed to in writing, software 011 * distributed under the License is distributed on an "AS IS" BASIS, 012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 013 * See the License for the specific language governing permissions and 014 * limitations under the License. 015 * 016 * Contributors: 017 * Florent Guillaume 018 */ 019package org.nuxeo.ecm.core.security; 020 021import java.util.Arrays; 022 023import org.nuxeo.ecm.core.api.NuxeoPrincipal; 024import org.nuxeo.ecm.core.api.security.ACP; 025import org.nuxeo.ecm.core.api.security.Access; 026import org.nuxeo.ecm.core.api.security.SecurityConstants; 027import org.nuxeo.ecm.core.model.Document; 028import org.nuxeo.ecm.core.query.sql.model.SQLQuery; 029 030/** 031 * Security policy that prevents deletion of a document when it is under retention or has a legal hold. 032 * 033 * @since 11.1 034 */ 035public class RetentionAndHoldSecurityPolicy extends AbstractSecurityPolicy { 036 037 @Override 038 public Access checkPermission(Document doc, ACP mergedAcp, NuxeoPrincipal principal, String permission, 039 String[] resolvedPermissions, String[] additionalPrincipals) { 040 if (!Arrays.asList(resolvedPermissions).contains(SecurityConstants.REMOVE)) { 041 // not checking REMOVE, ignore 042 return Access.UNKNOWN; 043 } 044 if (!doc.isUnderRetentionOrLegalHold()) { 045 return Access.UNKNOWN; 046 } 047 return Access.DENY; 048 } 049 050 @Override 051 public boolean isRestrictingPermission(String permission) { 052 // the important aspect is that we don't restrict BROWSE 053 return permission.equals(SecurityConstants.REMOVE); 054 } 055 056 @Override 057 public boolean isExpressibleInQuery(String repositoryName) { 058 return true; 059 } 060 061 @Override 062 public SQLQuery.Transformer getQueryTransformer(String repositoryName) { 063 return SQLQuery.Transformer.IDENTITY; 064 } 065 066}