Commit f70eb997 authored by Matija Obreza's avatar Matija Obreza

ACL removePermission for SID

- because we persist noneGranting permissions
- additional isolation READ_UNCOMMITTED in ACL service fixes deletes
parent a3588258
...@@ -15,6 +15,8 @@ ...@@ -15,6 +15,8 @@
*/ */
package org.genesys.blocks.security.persistence; package org.genesys.blocks.security.persistence;
import java.util.List;
import org.genesys.blocks.security.model.AclObjectIdentity; import org.genesys.blocks.security.model.AclObjectIdentity;
import org.springframework.data.jpa.repository.JpaRepository; import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Modifying; import org.springframework.data.jpa.repository.Modifying;
...@@ -45,4 +47,6 @@ public interface AclObjectIdentityPersistence extends JpaRepository<AclObjectIde ...@@ -45,4 +47,6 @@ public interface AclObjectIdentityPersistence extends JpaRepository<AclObjectIde
@Modifying @Modifying
@Query("update AclObjectIdentity aoi set aoi.parentObject = null where aoi.parentObject = ?1") @Query("update AclObjectIdentity aoi set aoi.parentObject = null where aoi.parentObject = ?1")
void resetChildrenOfOID(AclObjectIdentity oID); void resetChildrenOfOID(AclObjectIdentity oID);
List<AclObjectIdentity> findByParentObject(AclObjectIdentity parentObject);
} }
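Review bot: `findByParentObject` is added to the repository without Javadoc, so a reader of the interface has no statement of what it returns or that it is a Spring Data derived query; a one-liner such as `/** Returns the ACL object identities whose {@code parentObject} is the given identity. */` above the declaration would cover it. Its only caller in this commit is a debug-logging loop in `CustomAclServiceImpl.removeAclAwareModel`, which is worth noting so the query is not mistaken for part of the delete logic.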
...@@ -170,6 +170,15 @@ public interface CustomAclService extends JsonSidConverter.SidProvider { ...@@ -170,6 +170,15 @@ public interface CustomAclService extends JsonSidConverter.SidProvider {
*/ */
AclObjectIdentity setPermissions(AclObjectIdentity objectIdentity, AclSid sid, final Permissions permissions); AclObjectIdentity setPermissions(AclObjectIdentity objectIdentity, AclSid sid, final Permissions permissions);
/**
* Removes the permissions for SID on ACL OID
*
* @param objectIdentity the object identity
* @param aclSid the acl sid
* @return the acl object identity
*/
AclObjectIdentity removePermissions(AclObjectIdentity objectIdentity, AclSid aclSid);
/** /**
* Gets the acl entries. * Gets the acl entries.
* *
...@@ -245,4 +254,5 @@ public interface CustomAclService extends JsonSidConverter.SidProvider { ...@@ -245,4 +254,5 @@ public interface CustomAclService extends JsonSidConverter.SidProvider {
* @return the sid name * @return the sid name
*/ */
String getSidName(long id); String getSidName(long id);
} }
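Review bot: The new `removePermissions` Javadoc omits the failure contract and describes the return value only as "the acl object identity", while the implementation on this page rejects null arguments with `NullPointerException` and returns the identity re-read after the SID's entries are deleted. Add `@throws NullPointerException if {@code objectIdentity} or {@code aclSid} is {@code null}` and change the return line to `@return the object identity, re-read after its entries for {@code aclSid} were deleted`. The enclosing interface starts and ends outside the hunk.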
...@@ -261,7 +261,7 @@ public class CustomAclServiceImpl implements CustomAclService { ...@@ -261,7 +261,7 @@ public class CustomAclServiceImpl implements CustomAclService {
* permissions granted to the SID are removed. * permissions granted to the SID are removed.
*/ */
@Override @Override
@Transactional(propagation = Propagation.REQUIRED) @Transactional(propagation = Propagation.REQUIRED, isolation = Isolation.READ_UNCOMMITTED)
public void removeAclAwareModel(final AclAwareModel target) { public void removeAclAwareModel(final AclAwareModel target) {
LOG.debug("Deleting ACL data for {}", target); LOG.debug("Deleting ACL data for {}", target);
...@@ -272,6 +272,11 @@ public class CustomAclServiceImpl implements CustomAclService { ...@@ -272,6 +272,11 @@ public class CustomAclServiceImpl implements CustomAclService {
final AclObjectIdentity aclObjectIdentity = getObjectIdentity(target); final AclObjectIdentity aclObjectIdentity = getObjectIdentity(target);
if (aclObjectIdentity != null) { if (aclObjectIdentity != null) {
LOG.debug("OID {}#{} of {}", aclObjectIdentity.getAclClass().getAclClass(), aclObjectIdentity.getObjectIdIdentity(), target);
for (AclObjectIdentity child : aclObjectIdentityPersistence.findByParentObject(aclObjectIdentity)) {
LOG.debug("Has child {}#{}", child.getAclClass().getAclClass(), child.getObjectIdIdentity());
}
LOG.info("Deleting ACL data of {}", target); LOG.info("Deleting ACL data of {}", target);
final List<AclEntry> aclEntries = aclEntryPersistence.findByObjectIdentity(aclObjectIdentity); final List<AclEntry> aclEntries = aclEntryPersistence.findByObjectIdentity(aclObjectIdentity);
if (aclEntries != null) { if (aclEntries != null) {
...@@ -488,7 +493,12 @@ public class CustomAclServiceImpl implements CustomAclService { ...@@ -488,7 +493,12 @@ public class CustomAclServiceImpl implements CustomAclService {
throw new NullPointerException("Permissions must be provided, was null."); throw new NullPointerException("Permissions must be provided, was null.");
} }
final AclObjectIdentity objectIdentity = getObjectIdentity(entity); String className = entity.getClass().getName();
if (entity instanceof ClassAclOid<?>) {
className = ((ClassAclOid<?>) entity).getClassName();
}
final AclObjectIdentity objectIdentity = ensureObjectIdentity(entity.getId(), className);
return setPermissions(objectIdentity, sid, permissions); return setPermissions(objectIdentity, sid, permissions);
} }
...@@ -544,6 +554,30 @@ public class CustomAclServiceImpl implements CustomAclService { ...@@ -544,6 +554,30 @@ public class CustomAclServiceImpl implements CustomAclService {
} }
} }
/* (non-Javadoc)
* @see org.genesys.blocks.security.service.CustomAclService#removePermissions(org.genesys.blocks.security.model.AclObjectIdentity, org.genesys.blocks.security.model.AclSid)
*/
@Override
public AclObjectIdentity removePermissions(AclObjectIdentity objectIdentity, AclSid sid) {
if (objectIdentity == null) {
throw new NullPointerException("AclObjectIdentity must be provided, was null.");
}
if (sid == null) {
throw new NullPointerException("AclSid must be provided, was null.");
}
try {
final List<AclEntry> aclEntries = aclEntryPersistence.findBySidAndObjectIdentity(sid, objectIdentity);
// delete ACL entries for sid
aclEntryPersistence.delete(aclEntries);
return getObjectIdentity(objectIdentity.getId());
} finally {
clearAclCache();
}
}
/* /*
* (non-Javadoc) * (non-Javadoc)
* @see org.genesys.blocks.security.service.CustomAclService#getAclEntries(org. * @see org.genesys.blocks.security.service.CustomAclService#getAclEntries(org.
...@@ -627,7 +661,7 @@ public class CustomAclServiceImpl implements CustomAclService { ...@@ -627,7 +661,7 @@ public class CustomAclServiceImpl implements CustomAclService {
* java.lang.String, long) * java.lang.String, long)
*/ */
@Override @Override
@Transactional(propagation = Propagation.REQUIRED) @Transactional(propagation = Propagation.REQUIRED, isolation = Isolation.READ_UNCOMMITTED)
public AclObjectIdentity ensureObjectIdentity(final long objectIdIdentity, final String className) { public AclObjectIdentity ensureObjectIdentity(final long objectIdIdentity, final String className) {
AclObjectIdentity aoi = aclObjectIdentityPersistence.findByObjectIdAndClassname(objectIdIdentity, className); AclObjectIdentity aoi = aclObjectIdentityPersistence.findByObjectIdAndClassname(objectIdIdentity, className);
if (aoi == null) { if (aoi == null) {
...@@ -661,7 +695,7 @@ public class CustomAclServiceImpl implements CustomAclService { ...@@ -661,7 +695,7 @@ public class CustomAclServiceImpl implements CustomAclService {
* .genesys.blocks.security.model.AclAwareModel, boolean) * .genesys.blocks.security.model.AclAwareModel, boolean)
*/ */
@Override @Override
@Transactional(propagation = Propagation.REQUIRED) @Transactional(propagation = Propagation.REQUIRED, isolation = Isolation.READ_UNCOMMITTED)
@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#entity, 'ADMINISTRATION')") @PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#entity, 'ADMINISTRATION')")
public void makePubliclyReadable(AclAwareModel entity, boolean publiclyReadable) { public void makePubliclyReadable(AclAwareModel entity, boolean publiclyReadable) {
AclSid roleEveryone = getAuthoritySid("ROLE_EVERYONE"); AclSid roleEveryone = getAuthoritySid("ROLE_EVERYONE");
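Review bot: `removePermissions` in the `@@ -544,6 +554,30 @@` hunk deletes ACL entries, re-reads the identity and clears the cache with no `@Transactional` annotation, while every other mutating method visible here (`removeAclAwareModel`, `ensureObjectIdentity`, `makePubliclyReadable`) carries one; unless the class declares it at type level (the class header is outside these hunks), add `@Transactional(propagation = Propagation.REQUIRED)` above its `@Override`, and decide whether it needs the same `@PreAuthorize` guard as `makePubliclyReadable` or whether callers are expected to enforce that. Separately, `isolation = Isolation.READ_UNCOMMITTED` on the `@@ -261`, `@@ -627` and `@@ -661` hunks lets `findByObjectIdAndClassname` and the entry lookups observe rows another transaction may still roll back, which is a notable weakening for authorization data; the commit message only says it "fixes deletes", so a comment such as `// READ_UNCOMMITTED: [reason the delete ordering needs dirty reads]` beside each annotation would record why it is acceptable here. Whether the JPA provider honours the isolation attribute at all depends on the configured dialect, which is not visible on this page. Finally, the child loop added in the `@@ -272,6 +272,11 @@` hunk issues a `findByParentObject` query purely for debug output on every delete; wrapping it in `if (LOG.isDebugEnabled()) { ... }` avoids the extra query when debug logging is off.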