public interface SecurityPolicy
Modifier and Type | Interface and Description |
---|---|
static class |
SecurityPolicy.IdentityQueryTransformer
Query transformer that does nothing.
|
static interface |
SecurityPolicy.QueryTransformer
Interface for a class that can transform a string-based query into another.
|
Modifier and Type | Method and Description |
---|---|
Access |
checkPermission(Document doc,
ACP mergedAcp,
Principal principal,
String permission,
String[] resolvedPermissions,
String[] additionalPrincipals)
Checks given permission for doc and principal.
|
SQLQuery.Transformer |
getQueryTransformer(String repositoryName)
Get the transformer to use to apply this policy to a query.
|
SecurityPolicy.QueryTransformer |
getQueryTransformer(String repositoryName,
String queryLanguage)
Get the string-based transformer to use to apply this policy to a query.
|
boolean |
isExpressibleInQuery(String repositoryName)
Checks if this policy can be expressed in a query for given repository.
|
boolean |
isExpressibleInQuery(String repositoryName,
String queryLanguage)
Checks if this policy can be expressed in a string-based query for given repository.
|
boolean |
isRestrictingPermission(String permission)
Checks if this policy is restricting the given permission.
|
Access checkPermission(Document doc, ACP mergedAcp, Principal principal, String permission, String[] resolvedPermissions, String[] additionalPrincipals)
Note that for the Browse
permission, which is also implemented in SQL using getQueryTransformer(java.lang.String)
,
a security policy must never bypass standard ACL access, it must only return DENY or UNKNOWN. Failing to do this
would make direct access and queries behave differently.
doc
- the document to checkmergedAcp
- merged ACP resolved for this documentprincipal
- principal to checkpermission
- permission to checkresolvedPermissions
- permissions or groups of permissions containing permissionadditionalPrincipals
- boolean isRestrictingPermission(String permission)
Queries check the BROWSE permission.
permission
- the permission to check fortrue
if the policy restricts the permissionboolean isExpressibleInQuery(String repositoryName)
If not, then any query made will have to be post-filtered.
repositoryName
- the target repository name.true
if the policy can be expressed in a queryboolean isExpressibleInQuery(String repositoryName, String queryLanguage)
If not, then any query made will have to be post-filtered, if possible, otherwise denied.
repositoryName
- the target repository name.true
if the policy can be expressed in a string-based querySQLQuery.Transformer getQueryTransformer(String repositoryName)
Called only when #isExpressibleInQuery()
returned true
repositoryName
- the target repository name.SecurityPolicy.QueryTransformer getQueryTransformer(String repositoryName, String queryLanguage)
Called only when isExpressibleInQuery(String, String)
returned true
repositoryName
- the target repository name.Copyright © 2018 Nuxeo. All rights reserved.