Class AccessControlManager

    • Method Detail

      • init

        public void init()
      • reloadProperties

        public void reloadProperties()
      • propertiesChange

        public void propertiesChange(JProperties properties)
        Description copied from interface: JPropertiesListener
        Invoked after properties have been modified in JCMS and saved on disk.

        You cannot alter the value received in parameters.

        Note that properties parameter may be null, a limited set of site properties, or all site properties.

        To check that a property has been modified, reload the "current" property instead using channel.getProperties or channel.getProperty.

        Specified by:
        propertiesChange in interface JPropertiesListener
        Parameters:
        properties - the properties which have been submitted to change
      • initBeforeStoreLoad

        public void initBeforeStoreLoad()
                                 throws java.lang.Exception
        Description copied from class: ChannelListener
        Called just before the store has been loaded. If for any reason you want to interrupt JCMS startup, you can throw an exception. The exception's message will be displayed on the JCMS status page (to any user!).
        Overrides:
        initBeforeStoreLoad in class ChannelListener
        Throws:
        java.lang.Exception - any exception you want to throw if a problem occurs that requires interrupting JCMS startup.
      • initAfterStoreLoad

        public void initAfterStoreLoad()
                                throws java.lang.Exception
        Description copied from class: ChannelListener
        Called just after the store has been loaded and the channel has been initialized. If for any reason you want to interrupt JCMS startup, you can throw an exception. The exception's message will be displayed on the JCMS status page (to any user!).
        Overrides:
        initAfterStoreLoad in class ChannelListener
        Throws:
        java.lang.Exception - any exception you want to throw if a problem occurs that requires interrupting JCMS startup.
      • handleCreate

        public void handleCreate(Storable acl,
                                 boolean firstTime)
        Description copied from interface: StoreListener
        This method gets called when a storable is created.
        Specified by:
        handleCreate in interface StoreListener
        Parameters:
        acl - the storable
        firstTime - true if it is the first time this operation is processed
      • handlePrepareUpdate

        public void handlePrepareUpdate(Storable acl,
                                        java.util.Map<java.lang.String,java.lang.String> attributes,
                                        boolean firstTime)
        Description copied from interface: StoreListener
        This method gets called before a storable is updated.
        Deprecated: it should not be used anymore and will be removed in a future version.
        Specified by:
        handlePrepareUpdate in interface StoreListener
        Parameters:
        acl - the storable
        attributes - the attributes to update
        firstTime - true if it is the first time this operation is processed
      • handleCommitUpdate

        public void handleCommitUpdate(Storable acl,
                                       Storable oldAcl,
                                       boolean firstTime)
        Description copied from interface: StoreListener
        This method gets called after a storable has been updated.
        Specified by:
        handleCommitUpdate in interface StoreListener
        Parameters:
        acl - the storable; this instance is the object that was created first and that will be stored in JCMS until the storable with this ID is deleted. You should always manipulate this object if you maintain any index.
        oldAcl - the previous version of the storable; it is a clone, do not use it in any index, it should only be used to access old values.
        firstTime - true if it is the first time this operation is processed
      • handleDelete

        public void handleDelete(Storable acl,
                                 boolean firstTime)
        Description copied from interface: StoreListener
        This method gets called when a storable is deleted.
        Specified by:
        handleDelete in interface StoreListener
        Parameters:
        acl - the storable
        firstTime - true if it is the first time this operation is processed
      • getDeclaredResources

        public java.util.Set<java.lang.String> getDeclaredResources()
        Retrieve the resources declared in properties.
        Returns:
        a Set of resource paths.
      • getValidResources

        public java.util.Set<java.lang.String> getValidResources()
        Retrieve the resources allowed to be accessed (those declared in properties and the associated zone).
        Returns:
        a Set of resource paths.
      • checkAccess

        public boolean checkAccess(Member member,
                                   java.lang.String resource,
                                   java.util.Map<java.lang.String,java.lang.Object> context)
        Check if the specified member is authorized to access the specified resource.

        A valid context map containing the current Workspace is required for all access checks on workspace resources (e.g. resources starting with "admin-ws/", as defined by "admin-ws").
        Use the utility method for easier invocation:

          boolean isAuthorized = AccessControlManager.checkAccess(loggedMember, "admin-ws/types/content", AccessControlUtil.getContext(workspace));

        A valid context map containing the current Data being edited is required for all access checks on data resources (as declared in properties). Use the utility method for easier invocation:

          Map<String,Object> aclContext = AccessControlUtil.getContext(null, AccessControlConstants.CTXT_DATA, someMemberBeingEdited);
          boolean isAuthorized = AccessControlManager.checkAccess(loggedMember, "admin/users/member", aclContext);

        Parameters:
        member - a Member
        resource - a resource URI using a path representation, e.g. "admin/dev/store-cleaner"
        context - an optional context map containing relevant information such as workspace or data
        Returns:
        true if the access is authorized, false otherwise
        Since:
        jcms-7.0.0
      • internalCheckWorkspaceDataAccess

        protected static boolean internalCheckWorkspaceDataAccess(java.lang.String resource,
                                                                  Group aclGroup,
                                                                  Workspace ws,
                                                                  Data data,
                                                                  Member mbr)
        This method is invoked when a Data ACL has been granted to a member; in that case, the minimum requirements are checked to validate or reject the authorization.
        Parameters:
        resource - the resource for which the edit authorization check was granted
        aclGroup - the Group to which the ACL edit authorization was attached
        ws - the current Workspace in which the data is being edited
        data - the Data being edited
        mbr - the Member editing
        Returns:
        true if the authorization is validated, false otherwise
        Since:
        jcms-7.0.0
      • checkAccessIfAclExists

        public boolean checkAccessIfAclExists(Member member,
                                              java.lang.String resource,
                                              java.util.Map<java.lang.String,java.lang.Object> context)
        Check if the specified member is authorized to access the specified resource IF AND ONLY IF the resource has been configured.

        This method ONLY performs the ACL check when the specified resource has been configured on at least one AccessControlList; if the resource has not been specified explicitly in any AccessControlList, access is AUTHORIZED.

        DO NOT use this method for any security-related resource that MUST be enforced by an implicit or explicit assignment of the ACL resource to a user. In such cases, use checkAccess(Member, String, Map).

        Access is always denied to the anonymous user.

        Parameters:
        member - a Member
        resource - a resource URI using a path representation, e.g. "admin/dev/store-cleaner"
        context - an optional context map containing relevant information such as workspace or data
        Returns:
        true if the access is authorized, false otherwise
        Since:
        jcms-10.0.4 / JCMS-7996
      • isResourceExplicitelyConfiguredInAtLeastOneAcl

        public boolean isResourceExplicitelyConfiguredInAtLeastOneAcl(java.lang.String resource)
        Check if the specified resource is explicitly configured on at least one ACL instance.
        Parameters:
        resource - the resource to check.
        Returns:
        true if the resource exists in at least one ACL of the site, false if the resource has NEVER been explicitly referenced in any ACL.
        Since:
        jcms-10.0.4 / JCMS-7996
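The following guard class is an added example, not part of JCMS or of this API: it wraps checkAccess, checkAccessIfAclExists and isResourceExplicitelyConfiguredInAtLeastOneAcl so that security-relevant resources fail closed on undeclared paths and the permissive fallback of checkAccessIfAclExists is made visible in logs. It assumes the JCMS classes named in the comments are on the classpath, that the caller supplies the AccessControlManager instance, and that getValidResources() returns paths in the same form that checkAccess accepts.

```java
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;

// Added example, not JCMS code: a guard that picks the right ACL check per resource.
// Assumes the JCMS classes AccessControlManager, Member, Workspace, AccessControlUtil and
// AccessControlConstants are on the classpath (their package imports are omitted).
public final class AclGuard {
  private static final Logger LOG = Logger.getLogger(AclGuard.class.getName());
  private final AccessControlManager acm; // how the instance is obtained is left to the caller

  public AclGuard(AccessControlManager acm) {
    this.acm = acm;
  }

  // Strict, fail-closed check for security-relevant resources: a path that is not among the
  // valid resources (typo, or not declared in properties) is refused before the ACL is consulted;
  // otherwise checkAccess decides, and it requires an explicit or implicit grant.
  public boolean requireAccess(Member member, String resource, Map<String, Object> context) {
    Set<String> valid = acm.getValidResources();
    if (valid == null || !valid.contains(resource)) {
      LOG.warning("ACL check refused, resource not declared: " + resource);
      return false;
    }
    return acm.checkAccess(member, resource, context);
  }

  // Lenient check for optional, non security-critical features only: when no ACL references the
  // resource, checkAccessIfAclExists authorizes every non-anonymous member, so that case is logged
  // to make a silently permissive configuration visible in the audit trail.
  public boolean optionalFeatureAccess(Member member, String resource, Map<String, Object> context) {
    if (!acm.isResourceExplicitelyConfiguredInAtLeastOneAcl(resource)) {
      LOG.info("No ACL references " + resource + "; any logged member will be authorized");
    }
    return acm.checkAccessIfAclExists(member, resource, context);
  }

  // Workspace resources need the current Workspace in the context (see checkAccess).
  public boolean canEditContentTypes(Member member, Workspace ws) {
    return requireAccess(member, "admin-ws/types/content", AccessControlUtil.getContext(ws));
  }

  // Data resources need the Data being edited in the context; here the edited Member.
  public boolean canEditMember(Member member, Member edited) {
    Map<String, Object> ctx =
        AccessControlUtil.getContext(null, AccessControlConstants.CTXT_DATA, edited);
    return requireAccess(member, "admin/users/member", ctx);
  }
}
```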