1. Project Clover database Sat Feb 2 2019 06:45:20 CET
  2. Package org.xwiki.security.authorization.internal

File DefaultContextualAuthorizationManager.java

 

Coverage histogram

../../../../../img/srcFileCovDistChart9.png
41% of files have more coverage

Code metrics

34
53
14
1
246
152
34
0.64
3.79
14
2.43

Classes

Class Line # Actions
DefaultContextualAuthorizationManager 54 53 0% 34 14
0.861386186.1%
 

Contributing tests

This file is covered by 5 tests. .

Source view

1    /*
2    * See the NOTICE file distributed with this work for additional
3    * information regarding copyright ownership.
4    *
5    * This is free software; you can redistribute it and/or modify it
6    * under the terms of the GNU Lesser General Public License as
7    * published by the Free Software Foundation; either version 2.1 of
8    * the License, or (at your option) any later version.
9    *
10    * This software is distributed in the hope that it will be useful,
11    * but WITHOUT ANY WARRANTY; without even the implied warranty of
12    * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13    * Lesser General Public License for more details.
14    *
15    * You should have received a copy of the GNU Lesser General Public
16    * License along with this software; if not, write to the Free
17    * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
18    * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
19    */
20    package org.xwiki.security.authorization.internal;
21   
22    import java.util.Arrays;
23    import java.util.HashSet;
24    import java.util.Set;
25   
26    import javax.inject.Inject;
27    import javax.inject.Named;
28    import javax.inject.Provider;
29    import javax.inject.Singleton;
30   
31    import org.xwiki.component.annotation.Component;
32    import org.xwiki.model.EntityType;
33    import org.xwiki.model.reference.DocumentReference;
34    import org.xwiki.model.reference.EntityReference;
35    import org.xwiki.model.reference.EntityReferenceResolver;
36    import org.xwiki.rendering.transformation.RenderingContext;
37    import org.xwiki.security.authorization.AccessDeniedException;
38    import org.xwiki.security.authorization.AuthorizationManager;
39    import org.xwiki.security.authorization.ContextualAuthorizationManager;
40    import org.xwiki.security.authorization.Right;
41    import org.xwiki.security.internal.XWikiConstants;
42   
43    import com.xpn.xwiki.XWikiContext;
44    import com.xpn.xwiki.doc.XWikiDocument;
45   
46    /**
47    * Default implementation of the {@link ContextualAuthorizationManager}.
48    *
49    * @version $Id: 28227ba5bf72af6d47c39ee7063940e0607fee15 $
50    * @since 6.1RC1
51    */
52    @Component
53    @Singleton
 
54    public class DefaultContextualAuthorizationManager implements ContextualAuthorizationManager
55    {
56    /**
57    * Rights to be checked for the content author instead of the current user.
58    */
59    private static final Set<Right> CONTENT_AUTHOR_RIGHTS =
60    new HashSet<Right>(Arrays.asList(Right.SCRIPT, Right.PROGRAM));
61   
62    @Inject
63    private AuthorizationManager authorizationManager;
64   
65    @Inject
66    private RenderingContext renderingContext;
67   
68    @Inject
69    @Named("current")
70    private EntityReferenceResolver<EntityReference> resolver;
71   
72    @Inject
73    private Provider<XWikiContext> xcontextProvider;
74   
 
75  5 toggle @Override
76    public void checkAccess(Right right) throws AccessDeniedException
77    {
78  5 if (CONTENT_AUTHOR_RIGHTS.contains(right)) {
79  5 checkAccess(right, getCurrentUser(right, null), getCurrentAuthorDocumentReference(right));
80    } else {
81  0 checkAccess(right, getCurrentEntity());
82    }
83    }
84   
 
85  30 toggle @Override
86    public void checkAccess(Right right, EntityReference entity) throws AccessDeniedException
87    {
88  30 DocumentReference user = getCurrentUser(right, entity);
89   
90  30 checkAccess(right, user, entity);
91    }
92   
 
93  35 toggle private void checkAccess(Right right, DocumentReference user, EntityReference entity) throws AccessDeniedException
94    {
95  35 if (!checkPreAccess(right)) {
96  0 throw new AccessDeniedException(right, user, entity);
97    }
98   
99  35 this.authorizationManager.checkAccess(right, user, getFullReference(entity));
100    }
101   
 
102  634602 toggle @Override
103    public boolean hasAccess(Right right)
104    {
105  634942 if (CONTENT_AUTHOR_RIGHTS.contains(right)) {
106  465348 return hasAccess(right, getCurrentUser(right, null), getCurrentAuthorDocumentReference(right));
107    }
108   
109  169748 return hasAccess(right, getCurrentEntity());
110    }
111   
 
112  963710 toggle @Override
113    public boolean hasAccess(Right right, EntityReference entity)
114    {
115  964025 DocumentReference user = getCurrentUser(right, entity);
116   
117  964233 return hasAccess(right, user, entity);
118    }
119   
 
120  1429310 toggle private boolean hasAccess(Right right, DocumentReference user, EntityReference entity)
121    {
122  1429319 return checkPreAccess(right) && this.authorizationManager.hasAccess(right, user, getFullReference(entity));
123    }
124   
 
125  1427659 toggle private EntityReference getFullReference(EntityReference reference)
126    {
127  1427804 return reference != null ? this.resolver.resolve(reference, reference.getType()) : null;
128    }
129   
130    /**
131    * Check pre-condition for access.
132    *
133    * @param right the right being checked.
134    * @return true if pre-condition are fulfilled.
135    */
 
136  1429538 toggle private boolean checkPreAccess(Right right)
137    {
138  1428901 if (CONTENT_AUTHOR_RIGHTS.contains(right)) {
139  474873 if (this.renderingContext.isRestricted()) {
140  0 return false;
141  474876 } else if (right == Right.PROGRAM && this.xcontextProvider.get().hasDroppedPermissions()) {
142  1796 return false;
143    }
144    }
145   
146  1427684 return true;
147    }
148   
 
149  1428396 toggle private DocumentReference getCurrentUser(Right right, EntityReference entity)
150    {
151    // Backward compatibility for the old way of assigning programming right.
152  1429248 if (CONTENT_AUTHOR_RIGHTS.contains(right)) {
153  474884 XWikiDocument doc = entity == null ? getProgrammingDocument() : getDocument(entity);
154  474890 if (doc != null) {
155  474843 return getContentAuthor(doc);
156    }
157    }
158   
159  954563 return this.xcontextProvider.get().getUserReference();
160    }
161   
 
162  465436 toggle private DocumentReference getCurrentAuthorDocumentReference(Right right)
163    {
164  465350 if (right == Right.PROGRAM) {
165    // Defaults to the main wiki reference.
166  202725 return null;
167    }
168   
169  262742 XWikiDocument doc = getProgrammingDocument();
170   
171  262736 return doc != null ? doc.getDocumentReference() : null;
172    }
173   
 
174  9406 toggle private XWikiDocument getDocument(EntityReference entity)
175    {
176  9406 if (entity == null) {
177  0 return null;
178    }
179   
180  9406 EntityReference docEntity = entity.extractReference(EntityType.DOCUMENT);
181  9406 if (docEntity == null) {
182  0 return null;
183    }
184   
185  9406 XWikiContext xcontext = this.xcontextProvider.get();
186   
187  9406 try {
188  9406 return xcontext.getWiki().getDocument(new DocumentReference(docEntity), xcontext);
189    } catch (Exception e) {
190    // Ignored
191    }
192   
193  0 return null;
194    }
195   
196    /**
197    * @param doc a document.
198    * @return the content author reference of that document.
199    */
 
200  474581 toggle private DocumentReference getContentAuthor(XWikiDocument doc)
201    {
202  474656 DocumentReference user = doc.getContentAuthorReference();
203   
204  474701 if (user != null && XWikiConstants.GUEST_USER.equals(user.getName())) {
205    // Public users (not logged in) should be passed as null in the new API. It may happen that badly
206    // design code, and poorly written API does not take care, so we prevent security issue here.
207  0 user = null;
208    }
209   
210  474779 return user;
211    }
212   
213    /**
214    * Get the current entity from context.
215    *
216    * @return the current sdoc or doc document reference, or the current wiki reference if no doc available.
217    */
 
218  169306 toggle private EntityReference getCurrentEntity()
219    {
220  169447 XWikiContext xcontext = this.xcontextProvider.get();
221  169793 XWikiDocument doc = xcontext.getDoc();
222   
223  169681 if (doc != null) {
224  169691 return doc.getDocumentReference();
225    }
226   
227  1 return null;
228    }
229   
230    /**
231    * Get the document used to test programming right.
232    *
233    * @return the current sdoc or doc document, null if no doc available.
234    */
 
235  727893 toggle private XWikiDocument getProgrammingDocument()
236    {
237  727994 XWikiContext xcontext = this.xcontextProvider.get();
238   
239  728313 XWikiDocument document = (XWikiDocument) xcontext.get(XWikiDocument.CKEY_SDOC);
240  728227 if (document == null) {
241  2051 document = xcontext.getDoc();
242    }
243   
244  728249 return document;
245    }
246    }