1. Project Clover database Tue Dec 20 2016 21:24:09 CET
  2. Package org.xwiki.rendering.internal.macro.script

File PermissionCheckerListener.java

 

Coverage histogram

../../../../../../img/srcFileCovDistChart8.png
54% of files have more coverage

Code metrics

6
12
3
1
118
64
8
0.67
4
3
2.67

Classes

Class Line # Actions
PermissionCheckerListener 50 12 0% 8 4
0.809523881%
 

Contributing tests

This file is covered by 96 tests. .

Source view

1    /*
2    * See the NOTICE file distributed with this work for additional
3    * information regarding copyright ownership.
4    *
5    * This is free software; you can redistribute it and/or modify it
6    * under the terms of the GNU Lesser General Public License as
7    * published by the Free Software Foundation; either version 2.1 of
8    * the License, or (at your option) any later version.
9    *
10    * This software is distributed in the hope that it will be useful,
11    * but WITHOUT ANY WARRANTY; without even the implied warranty of
12    * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13    * Lesser General Public License for more details.
14    *
15    * You should have received a copy of the GNU Lesser General Public
16    * License along with this software; if not, write to the Free
17    * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
18    * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
19    */
20    package org.xwiki.rendering.internal.macro.script;
21   
22    import javax.inject.Inject;
23    import javax.inject.Named;
24    import javax.inject.Singleton;
25   
26    import org.xwiki.component.annotation.Component;
27    import org.xwiki.component.manager.ComponentLookupException;
28    import org.xwiki.component.manager.ComponentManager;
29    import org.xwiki.observation.event.CancelableEvent;
30    import org.xwiki.rendering.macro.MacroId;
31    import org.xwiki.rendering.macro.MacroLookupException;
32    import org.xwiki.rendering.macro.MacroManager;
33    import org.xwiki.rendering.macro.script.MacroPermissionPolicy;
34    import org.xwiki.rendering.macro.script.PrivilegedScriptMacro;
35    import org.xwiki.rendering.macro.script.ScriptMacroParameters;
36    import org.xwiki.rendering.transformation.MacroTransformationContext;
37    import org.xwiki.security.authorization.ContextualAuthorizationManager;
38    import org.xwiki.security.authorization.Right;
39   
40    /**
41    * Listens to {@link org.xwiki.script.event.ScriptEvaluatingEvent} and aborts execution if the user is
42    * not permitted to execute the script.
43    *
44    * @version $Id: fef1be6d540c3d0ab960546969e01746a5eeaf29 $
45    * @since 2.5M1
46    */
47    @Component
48    @Named("permissionchecker")
49    @Singleton
 
50    public class PermissionCheckerListener extends AbstractScriptCheckerListener
51    {
52    /** Used to find the type of a Macro defined by a Macro Marker block. */
53    @Inject
54    private MacroManager macroManager;
55   
56    /** Used to check if programming rights is allowed. */
57    @Inject
58    private ContextualAuthorizationManager authorizationManager;
59   
60    /**
61    * Used to get Macro Permission Policy implementations.
62    */
63    @Inject
64    private ComponentManager componentManager;
65   
 
66  510 toggle @Override
67    public String getName()
68    {
69  510 return "permissionchecker";
70    }
71   
 
72  8747 toggle @Override
73    protected void check(CancelableEvent event, MacroTransformationContext context,
74    ScriptMacroParameters parameters)
75    {
76  8748 MacroId currentMacroId = new MacroId(context.getCurrentMacroBlock().getId());
77  8747 try {
78  8747 MacroPermissionPolicy mpp =
79    this.componentManager.getInstance(MacroPermissionPolicy.class, currentMacroId.getId());
80  8745 if (!mpp.hasPermission(parameters, context)) {
81  7 event.cancel(String.format("The execution of the [%s] script macro is not allowed."
82    + " Check the rights of its last author or the parameters if it's rendered from another script.",
83    currentMacroId));
84    }
85    } catch (ComponentLookupException e) {
86    // Policy not found for macro, check permission using backward compatibility check
87  3 backwardCompatibilityCheck(currentMacroId, event);
88    }
89    }
90   
91    /**
92    * Used for backward compatibility. Uses the following algorithm:
93    * <ul>
94    * <li>if the executing Macro doesn't implements PrivilegedScriptMacro then allow execution</li>
95    * <li>otherwise allow execution only if the current document has Programming Rights</li>
96    * </ul>
97    *
98    * @param macroId the information about the current executing script macro
99    * @param event the script event which we use to cancel script execution if permission is not allowed
100    */
 
101  3 toggle private void backwardCompatibilityCheck(MacroId macroId, CancelableEvent event)
102    {
103  3 try {
104  3 if (!(macroManager.getMacro(macroId) instanceof PrivilegedScriptMacro)) {
105    // no special permission needed
106  0 return;
107    }
108    // with not protected script engine, we are testing if programming right is allowed
109  3 if (!this.authorizationManager.hasAccess(Right.PROGRAM)) {
110  0 event.cancel(
111    String.format("You need Programming Rights to execute the script macro [%s]", macroId.getId()));
112    }
113    } catch (MacroLookupException exception) {
114    // should not happen, this method was called from that macro
115    }
116    }
117    }
118