/*
 * (C) Copyright 2006-2011 Nuxeo SA (http://nuxeo.com/) and others.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Contributors:
 *     Anahide Tchertchian
 *     Florent Guillaume
 */

package org.nuxeo.ecm.core.security;

import java.security.Principal;
import java.util.Arrays;

import org.nuxeo.ecm.core.api.Lock;
import org.nuxeo.ecm.core.api.security.ACP;
import org.nuxeo.ecm.core.api.security.Access;
import org.nuxeo.ecm.core.api.security.SecurityConstants;
import org.nuxeo.ecm.core.model.Document;
import org.nuxeo.ecm.core.query.sql.model.SQLQuery;

/**
 * Security policy that blocks WRITE permission on a document if it is locked by someone else.
 * <p>
 * The policy only ever answers {@link Access#DENY} or {@link Access#UNKNOWN}; it never returns a grant, so it can
 * restrict access but cannot widen it.
 *
 * @author Anahide Tchertchian
 * @author Florent Guillaume
 */
public class LockSecurityPolicy extends AbstractSecurityPolicy {

    /**
     * Denies the check when WRITE is among the resolved permissions and the document carries a lock whose owner is
     * not the calling principal.
     * <p>
     * The decision uses only {@code resolvedPermissions}, the principal's name and the document lock.
     * {@code mergedAcp}, {@code permission} and {@code additionalPrincipals} are not consulted, so group membership
     * does not exempt anyone from the lock at this level.
     *
     * @param doc the document being accessed; must not be {@code null}
     * @param mergedAcp not used by this policy
     * @param principal the caller; must not be {@code null}
     * @param permission not used by this policy
     * @param resolvedPermissions permissions tested for WRITE; {@code null} means the policy does not apply
     * @param additionalPrincipals not used by this policy
     * @return {@link Access#DENY} if the document is locked by another user and WRITE is concerned, otherwise
     *         {@link Access#UNKNOWN}
     */
    @Override
    public Access checkPermission(Document doc, ACP mergedAcp, Principal principal, String permission,
            String[] resolvedPermissions, String[] additionalPrincipals) {
        // policy only applies on WRITE
        // presumably resolvedPermissions is the expanded set for the requested permission - confirm against caller
        boolean concernsWrite = resolvedPermissions != null
                && Arrays.asList(resolvedPermissions).contains(SecurityConstants.WRITE);
        if (!concernsWrite) {
            return Access.UNKNOWN;
        }

        // The name is read before the lock, and neither principal nor doc is null-checked.
        String requester = principal.getName();
        Lock currentLock = doc.getLock();
        if (currentLock == null) {
            // no lock => this policy has no opinion
            return Access.UNKNOWN;
        }

        // Ownership is an exact, case-sensitive match of the principal name against the lock owner.
        // NOTE(review): a principal whose getName() is null throws NullPointerException here instead of
        // producing a decision - confirm callers never pass such a principal.
        return requester.equals(currentLock.getOwner()) ? Access.UNKNOWN : Access.DENY;
    }

    /**
     * Reports that this policy does not restrict the given permission.
     *
     * @param permission the permission asked about; only "Browse" is expected
     * @return always {@code false}
     */
    @Override
    public boolean isRestrictingPermission(String permission) {
        // Sanity check only: Java assertions are skipped unless the JVM runs with -ea, so this is not an
        // enforcement point.
        assert permission.equals("Browse"); // others not coded
        return false;
    }

    /**
     * Declares that this policy can be expressed in a query.
     *
     * @return always {@code true}
     */
    @Override
    public boolean isExpressibleInQuery() {
        return true;
    }

    /**
     * Supplies the query transformer associated with this policy.
     *
     * @return {@link SQLQuery.Transformer#IDENTITY}; presumably this leaves queries unchanged - confirm against
     *         {@code SQLQuery.Transformer}
     */
    @Override
    public SQLQuery.Transformer getQueryTransformer() {
        return SQLQuery.Transformer.IDENTITY;
    }

}