ACL removePermission for SID

- because we persist noneGranting permissions - additional isolation READ_UNCOMMITTED in ACL service fixes deletes

ACL removePermission for SID
- because we persist noneGranting permissions - additional isolation READ_UNCOMMITTED in ACL service fixes deletes
f70eb997 · Matija Obreza · a3588258 · f70eb997 · f70eb997 · f70eb997
Commit f70eb997 authored Dec 25, 2018 by Matija Obreza
3 changed files
--- a/security/src/main/java/org/genesys/blocks/security/persistence/AclObjectIdentityPersistence.java
+++ b/security/src/main/java/org/genesys/blocks/security/persistence/AclObjectIdentityPersistence.java
@@ -15,6 +15,8 @@
 */
 package org.genesys.blocks.security.persistence;
+import java.util.List;
 import org.genesys.blocks.security.model.AclObjectIdentity;
 import org.springframework.data.jpa.repository.JpaRepository;
 import org.springframework.data.jpa.repository.Modifying;
@@ -45,4 +47,6 @@ public interface AclObjectIdentityPersistence extends JpaRepository<AclObjectIde
 	@Modifying
 	@Query("update AclObjectIdentity aoi set aoi.parentObject = null where aoi.parentObject = ?1")
 	void resetChildrenOfOID(AclObjectIdentity oID);
+	List<AclObjectIdentity> findByParentObject(AclObjectIdentity parentObject);
 }
--- a/security/src/main/java/org/genesys/blocks/security/service/CustomAclService.java
+++ b/security/src/main/java/org/genesys/blocks/security/service/CustomAclService.java
@@ -170,6 +170,15 @@ public interface CustomAclService extends JsonSidConverter.SidProvider {
 	 */
 	AclObjectIdentity setPermissions(AclObjectIdentity objectIdentity, AclSid sid, final Permissions permissions);
+	/**
+	 * Removes the permissions for SID on ACL OID
+	 *
+	 * @param objectIdentity the object identity
+	 * @param aclSid the acl sid
+	 * @return the acl object identity
+	 */
+	AclObjectIdentity removePermissions(AclObjectIdentity objectIdentity, AclSid aclSid);
 	/**
 	 * Gets the acl entries.
 	 *
@@ -245,4 +254,5 @@ public interface CustomAclService extends JsonSidConverter.SidProvider {
 	 * @return the sid name
 	 */
 	String getSidName(long id);
 }
--- a/security/src/main/java/org/genesys/blocks/security/service/impl/CustomAclServiceImpl.java
+++ b/security/src/main/java/org/genesys/blocks/security/service/impl/CustomAclServiceImpl.java
@@ -261,7 +261,7 @@ public class CustomAclServiceImpl implements CustomAclService {
 	 * permissions granted to the SID are removed.
 	 */
 	@Override
-	@Transactional(propagation = Propagation.REQUIRED)
+	@Transactional(propagation = Propagation.REQUIRED, isolation = Isolation.READ_UNCOMMITTED)
 	public void removeAclAwareModel(final AclAwareModel target) {
 		LOG.debug("Deleting ACL data for {}", target);
@@ -272,6 +272,11 @@ public class CustomAclServiceImpl implements CustomAclService {
 		final AclObjectIdentity aclObjectIdentity = getObjectIdentity(target);
 		if (aclObjectIdentity != null) {
+			LOG.debug("OID {}#{} of {}", aclObjectIdentity.getAclClass().getAclClass(), aclObjectIdentity.getObjectIdIdentity(), target);
+			for (AclObjectIdentity child : aclObjectIdentityPersistence.findByParentObject(aclObjectIdentity)) {
+				LOG.debug("Has child {}#{}", child.getAclClass().getAclClass(), child.getObjectIdIdentity());
+			}
 			LOG.info("Deleting ACL data of {}", target);
 			final List<AclEntry> aclEntries = aclEntryPersistence.findByObjectIdentity(aclObjectIdentity);
 			if (aclEntries != null) {
@@ -488,7 +493,12 @@ public class CustomAclServiceImpl implements CustomAclService {
 			throw new NullPointerException("Permissions must be provided, was null.");
 		}
-		final AclObjectIdentity objectIdentity = getObjectIdentity(entity);
+		String className = entity.getClass().getName();
+		if (entity instanceof ClassAclOid<?>) {
+			className = ((ClassAclOid<?>) entity).getClassName();
+		}
+		final AclObjectIdentity objectIdentity = ensureObjectIdentity(entity.getId(), className);
 		return setPermissions(objectIdentity, sid, permissions);
 	}
@@ -544,6 +554,30 @@ public class CustomAclServiceImpl implements CustomAclService {
 		}
 	}
+	/* (non-Javadoc)
+	 * @see org.genesys.blocks.security.service.CustomAclService#removePermissions(org.genesys.blocks.security.model.AclObjectIdentity, org.genesys.blocks.security.model.AclSid)
+	 */
+	@Override
+	public AclObjectIdentity removePermissions(AclObjectIdentity objectIdentity, AclSid sid) {
+		if (objectIdentity == null) {
+			throw new NullPointerException("AclObjectIdentity must be provided, was null.");
+		}
+		if (sid == null) {
+			throw new NullPointerException("AclSid must be provided, was null.");
+		}
+		try {
+			final List<AclEntry> aclEntries = aclEntryPersistence.findBySidAndObjectIdentity(sid, objectIdentity);
+			// delete ACL entries for sid
+			aclEntryPersistence.delete(aclEntries);
+			return getObjectIdentity(objectIdentity.getId());
+		} finally {
+			clearAclCache();
+		}
+	}
 	/*
 	 * (non-Javadoc)
 	 * @see org.genesys.blocks.security.service.CustomAclService#getAclEntries(org.
@@ -627,7 +661,7 @@ public class CustomAclServiceImpl implements CustomAclService {
 	 * java.lang.String, long)
 	 */
 	@Override
-	@Transactional(propagation = Propagation.REQUIRED)
+	@Transactional(propagation = Propagation.REQUIRED, isolation = Isolation.READ_UNCOMMITTED)
 	public AclObjectIdentity ensureObjectIdentity(final long objectIdIdentity, final String className) {
 		AclObjectIdentity aoi = aclObjectIdentityPersistence.findByObjectIdAndClassname(objectIdIdentity, className);
 		if (aoi == null) {
@@ -661,7 +695,7 @@ public class CustomAclServiceImpl implements CustomAclService {
 	 * .genesys.blocks.security.model.AclAwareModel, boolean)
 	 */
 	@Override
-	@Transactional(propagation = Propagation.REQUIRED)
+	@Transactional(propagation = Propagation.REQUIRED, isolation = Isolation.READ_UNCOMMITTED)
 	@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#entity, 'ADMINISTRATION')")
 	public void makePubliclyReadable(AclAwareModel entity, boolean publiclyReadable) {
 		AclSid roleEveryone = getAuthoritySid("ROLE_EVERYONE");