001/*
002 * (C) Copyright 2006-2014 Nuxeo SA (http://nuxeo.com/) and others.
003 *
004 * Licensed under the Apache License, Version 2.0 (the "License");
005 * you may not use this file except in compliance with the License.
006 * You may obtain a copy of the License at
007 *
008 *     http://www.apache.org/licenses/LICENSE-2.0
009 *
010 * Unless required by applicable law or agreed to in writing, software
011 * distributed under the License is distributed on an "AS IS" BASIS,
012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013 * See the License for the specific language governing permissions and
014 * limitations under the License.
015 *
016 * Contributors:
017 *     Alexandre Russel
018 *     Florent Guillaume
019 */
020package org.nuxeo.ecm.platform.publisher.task;
021
022import org.nuxeo.ecm.core.api.CoreSession;
023import org.nuxeo.ecm.core.api.DocumentModel;
024import org.nuxeo.ecm.core.api.DocumentRef;
025import org.nuxeo.ecm.core.api.NuxeoPrincipal;
026import org.nuxeo.ecm.core.api.UnrestrictedSessionRunner;
027import org.nuxeo.ecm.core.api.security.ACE;
028import org.nuxeo.ecm.core.api.security.ACL;
029import org.nuxeo.ecm.core.api.security.ACP;
030import org.nuxeo.ecm.core.api.security.SecurityConstants;
031import org.nuxeo.ecm.platform.usermanager.UserManager;
032import org.nuxeo.runtime.api.Framework;
033
034/**
035 * Changes the permission on a document to only allow validators.
036 */
037public class ChangePermissionUnrestricted extends UnrestrictedSessionRunner {
038
039    private final DocumentRef ref;
040
041    private final NuxeoPrincipal principal;
042
043    private final String aclName;
044
045    private final String[] validators;
046
047    // acl unused
048    public ChangePermissionUnrestricted(CoreSession session, DocumentModel document, String[] validators,
049            NuxeoPrincipal principal, String aclName, ACL acl) {
050        super(session);
051        this.ref = document.getRef();
052        this.validators = validators;
053        this.principal = principal;
054        this.aclName = aclName;
055    }
056
057    @Override
058    public void run() {
059        ACP acp = session.getACP(ref);
060        ACL acl = acp.getOrCreateACL(aclName);
061        acl.clear();
062        for (String validator : validators) {
063            acl.add(new ACE(validator, SecurityConstants.READ));
064            acl.add(new ACE(validator, SecurityConstants.WRITE));
065        }
066        // Give View permission to the user who submitted for publishing.
067        acl.add(new ACE(principal.getName(), SecurityConstants.READ));
068        // Allow administrators too.
069        UserManager userManager = Framework.getService(UserManager.class);
070        for (String group : userManager.getAdministratorsGroups()) {
071            acl.add(new ACE(group, SecurityConstants.EVERYTHING));
072        }
073        // Deny everyone else.
074        acl.add(ACE.BLOCK);
075        session.setACP(ref, acp, true);
076        session.save();
077    }
078
079}