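/*
 * (C) Copyright 2006-2014 Nuxeo SA (http://nuxeo.com/) and others.
 *
 * All rights reserved. This program and the accompanying materials
 * are made available under the terms of the GNU Lesser General Public License
 * (LGPL) version 2.1 which accompanies this distribution, and is available at
 * http://www.gnu.org/licenses/lgpl-2.1.html
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * Contributors:
 *     Thierry Delprat <tdelprat@nuxeo.com>
 */

package org.nuxeo.ecm.multi.tenant.acl;

import java.util.List;

import org.nuxeo.ecm.core.api.DocumentModel;
import org.nuxeo.ecm.core.api.event.CoreEventConstants;
import org.nuxeo.ecm.core.api.event.DocumentEventTypes;
import org.nuxeo.ecm.core.api.security.ACE;
import org.nuxeo.ecm.core.api.security.ACL;
import org.nuxeo.ecm.core.api.security.ACP;
import org.nuxeo.ecm.core.event.Event;
import org.nuxeo.ecm.core.event.EventListener;
import org.nuxeo.ecm.core.event.impl.DocumentEventContext;
import org.nuxeo.ecm.multi.tenant.MultiTenantHelper;
import org.nuxeo.ecm.multi.tenant.MultiTenantService;
import org.nuxeo.runtime.api.Framework;

/**
 * Intercepts ACL changes and restricts grants to tenant-bound groups for a configured list of global groups.
 * <p>
 * On {@link DocumentEventTypes#BEFORE_DOC_SECU_UPDATE}, when tenant isolation is enabled, every <em>granted</em> ACE
 * whose principal is exactly one of the prohibited (global) groups is rewritten in place so that the same permission is
 * granted to the members group of the tenant owning the document instead. Denies are never touched, and ACEs on a
 * document that belongs to no tenant are left as they are.
 *
 * @author tiry
 */
public class ACLUpdateListener implements EventListener {

    /**
     * Rewrites prohibited global-group grants of the event's new ACP into tenant-scoped grants.
     *
     * @param event the core event; only {@code BEFORE_DOC_SECU_UPDATE} events are processed, the rest are ignored
     */
    @Override
    public void handleEvent(Event event) {
        if (!DocumentEventTypes.BEFORE_DOC_SECU_UPDATE.equals(event.getName())) {
            return;
        }

        MultiTenantService mts = Framework.getService(MultiTenantService.class);
        if (!mts.isTenantIsolationEnabled(event.getContext().getCoreSession())) {
            return;
        }
        List<String> prohibitedGroups = mts.getProhibitedGroups();
        if (prohibitedGroups == null || prohibitedGroups.isEmpty()) {
            // nothing configured to restrict, so there is no ACE to rewrite
            return;
        }

        DocumentModel target = ((DocumentEventContext) event.getContext()).getSourceDocument();
        ACP newACP = (ACP) event.getContext().getProperty(CoreEventConstants.NEW_ACP);
        if (newACP == null) {
            // the event carries no new ACP: nothing to inspect
            return;
        }

        // The owning tenant is resolved lazily (only if a prohibited grant is actually found) and at most once per
        // event, instead of once per matching ACE as before.
        String tenantId = null;
        boolean tenantResolved = false;

        for (ACL acl : newACP.getACLs()) {
            int idx = 0;
            for (ACE ace : acl.getACEs()) {
                // exact-string match of the ACE principal against the prohibited group names; denies are kept as-is
                if (ace.isGranted() && prohibitedGroups.contains(ace.getUsername())) {
                    if (!tenantResolved) {
                        tenantId = MultiTenantHelper.getOwningTenantId(target);
                        tenantResolved = true;
                    }
                    // a document outside any tenant keeps its global-group grant untouched
                    if (tenantId != null) {
                        String tenantGroup = MultiTenantHelper.computeTenantMembersGroup(tenantId);
                        acl.set(idx, new ACE(tenantGroup, ace.getPermission(), ace.isGranted()));
                    }
                }
                idx++;
            }
        }
    }
}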