[Commits] (bcm) enhance CosmoAccessManager to allow read access to version storage by all

Mon Apr 4 17:52:38 PDT 2005

Commit by: bcm
Modified files:
server/core/src/org/osaf/cosmo/jackrabbit/CosmoAccessManager.java 1.3 1.4

Log message:
enhance CosmoAccessManager to allow read access to version storage by all
users. this implementation will somebody be replaced by a stricter one which
checks ownership of a version history or version's related node, when the
jackrabbit internal apis give us the objects we need to do the lookup


ViewCVS links:
http://cvs.osafoundation.org/index.cgi/server/core/src/org/osaf/cosmo/jackrabbit/CosmoAccessManager.java.diff?r1=text&tr1=1.3&r2=text&tr2=1.4

Index: server/core/src/org/osaf/cosmo/jackrabbit/CosmoAccessManager.java
diff -u server/core/src/org/osaf/cosmo/jackrabbit/CosmoAccessManager.java:1.3 server/core/src/org/osaf/cosmo/jackrabbit/CosmoAccessManager.java:1.4

--- server/core/src/org/osaf/cosmo/jackrabbit/CosmoAccessManager.java:1.3	Thu Mar 31 14:50:54 2005
+++ server/core/src/org/osaf/cosmo/jackrabbit/CosmoAccessManager.java	Mon Apr  4 17:52:36 2005
@@ -114,10 +114,33 @@
             throw new IllegalStateException("not initialized");
         }
 
-        if (isRoot() || isOwner(id)) {
+        if (isRoot()) {
             return;
         }
 
+        // Jackrabbit does not use an AccessManager to enforce
+        // security for version storage (yet), but it does check read
+        // permissions for initializing a versionable node, so we need
+        // to allow it to do that.
+        // XXX remove when Jackrabbit gives us the ability to look up
+        // the versionable node from a version storage item
+        if (isVersionStorageItem(id)) {
+            if ((permissions & WRITE) == WRITE ||
+                (permissions & REMOVE) == REMOVE) {
+                log.error("write access not supported for version storage");
+                throw new AccessDeniedException();
+            }
+            return;
+        }
+
+        if (isOwner(id)) {
+            return;
+        }
+
+        if (log.isDebugEnabled()) {
+            log.debug("permissions " + permissions + " check failed for " +
+                      " item at path " + id2path(id));
+        }
         throw new AccessDeniedException("access denied to item " + id);
     }
 
@@ -130,7 +153,35 @@
             throw new IllegalStateException("not initialized");
         }
 
-        return isRoot() || isOwner(id);
+        if (isRoot()) {
+            return true;
+        }
+
+        // Jackrabbit does not use an AccessManager to enforce
+        // security for version storage (yet), but it does check read
+        // permissions for initializing a versionable node, so we need
+        // to allow it to do that.
+        // XXX remove when Jackrabbit gives us the ability to look up
+        // the versionable node from a version storage item
+        if (isVersionStorageItem(id)) {
+            if ((permissions & WRITE) == WRITE ||
+                (permissions & REMOVE) == REMOVE) {
+                log.error("write access not supported for version storage");
+                return false;
+            }
+
+            return true;
+        }
+
+        if (! isOwner(id)) {
+            if (log.isDebugEnabled()) {
+                log.debug("permissions " + permissions + " not granted for " +
+                          " item at path " + id2path(id));
+            }
+            return false;
+        }
+
+        return true;
     }
 
     /**
@@ -165,17 +216,22 @@
      */
     public boolean isOwner(ItemId id)
         throws ItemNotFoundException, RepositoryException {
-        Path path = null;
-        try {
-            path = getHierarchyManager().getPath(id).getCanonicalPath();
-        } catch (MalformedPathException e) {
-            throw new RepositoryException("malformed path for id " + id, e);
-        }
+        Path path = id2path(id);
 
+        // if the item represents the root node, then only root users
+        // can access it
         if (path.denotesRoot()) {
             return isRoot();
         }
 
+        // if the item is a version history node, then find the
+        // versionable node it represents and use that path instead
+        // it will be of type nt:versionHistory with a 
+        // jcr:versionableUuid property or of type nt:version whose
+        // parent is the nt:versionHistory
+        // XXX: can't do this until Jackrabbit gives us a system
+        // session to look up the versionable node
+
         // find the subject's username
         String username = securityContext.getUser().getUsername();
 
@@ -224,4 +280,35 @@
     public CosmoSecurityManager getSecurityManager() {
         return securityManager;
     }
+
+    private boolean isVersionStorageItem(ItemId id)
+        throws RepositoryException {
+        Path.PathElement[] pathElements = id2path(id).getElements();
+        if (pathElements.length < 3) {
+            return false;
+        }
+        if (! pathElements[0].denotesRoot()) {
+            return false;
+        }
+        // XXX: check namespace?
+        if (! pathElements[1].getName().getLocalName().
+            equals("system")) {
+            return false;
+        }
+        if (! pathElements[2].getName().getLocalName().
+            equals("versionStorage")) {
+            return false;
+        }
+
+        return true;
+    }
+
+    private Path id2path(ItemId id)
+        throws RepositoryException {
+        try {
+            return getHierarchyManager().getPath(id).getCanonicalPath();
+        } catch (MalformedPathException e) {
+            throw new RepositoryException("malformed path for id " + id, e);
+        }
+    }
 }

