1. Project Clover database Tue Dec 20 2016 21:24:09 CET
  2. Package org.xwiki.security.authorization.internal

File DefaultContextualAuthorizationManager.java

 

Coverage histogram

../../../../../img/srcFileCovDistChart9.png
38% of files have more coverage

Code metrics

34
57
13
1
248
156
33
0.58
4.38
13
2.54

Classes

Class Line # Actions
DefaultContextualAuthorizationManager 54 57 0% 33 15
0.855769285.6%
 

Contributing tests

This file is covered by 5 tests. .

Source view

1    /*
2    * See the NOTICE file distributed with this work for additional
3    * information regarding copyright ownership.
4    *
5    * This is free software; you can redistribute it and/or modify it
6    * under the terms of the GNU Lesser General Public License as
7    * published by the Free Software Foundation; either version 2.1 of
8    * the License, or (at your option) any later version.
9    *
10    * This software is distributed in the hope that it will be useful,
11    * but WITHOUT ANY WARRANTY; without even the implied warranty of
12    * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13    * Lesser General Public License for more details.
14    *
15    * You should have received a copy of the GNU Lesser General Public
16    * License along with this software; if not, write to the Free
17    * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
18    * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
19    */
20    package org.xwiki.security.authorization.internal;
21   
22    import java.util.Arrays;
23    import java.util.HashSet;
24    import java.util.Set;
25   
26    import javax.inject.Inject;
27    import javax.inject.Named;
28    import javax.inject.Provider;
29    import javax.inject.Singleton;
30   
31    import org.xwiki.component.annotation.Component;
32    import org.xwiki.model.EntityType;
33    import org.xwiki.model.reference.DocumentReference;
34    import org.xwiki.model.reference.EntityReference;
35    import org.xwiki.model.reference.EntityReferenceResolver;
36    import org.xwiki.rendering.transformation.RenderingContext;
37    import org.xwiki.security.authorization.AccessDeniedException;
38    import org.xwiki.security.authorization.AuthorizationManager;
39    import org.xwiki.security.authorization.ContextualAuthorizationManager;
40    import org.xwiki.security.authorization.Right;
41    import org.xwiki.security.internal.XWikiConstants;
42   
43    import com.xpn.xwiki.XWikiContext;
44    import com.xpn.xwiki.doc.XWikiDocument;
45   
46    /**
47    * Default implementation of the {@link ContextualAuthorizationManager}.
48    *
49    * @version $Id: 73b086d17ff2750654f03de6d3a0f286f80bb5fc $
50    * @since 6.1RC1
51    */
52    @Component
53    @Singleton
 
54    public class DefaultContextualAuthorizationManager implements ContextualAuthorizationManager
55    {
56    /**
57    * Rights to be checked for the content author instead of the current user.
58    */
59    private static final Set<Right> CONTENT_AUTHOR_RIGHTS = new HashSet<Right>(Arrays.asList(Right.SCRIPT,
60    Right.PROGRAM));
61   
62    @Inject
63    private AuthorizationManager authorizationManager;
64   
65    @Inject
66    private RenderingContext renderingContext;
67   
68    @Inject
69    @Named("current")
70    private EntityReferenceResolver<EntityReference> resolver;
71   
72    @Inject
73    private Provider<XWikiContext> xcontextProvider;
74   
 
75  5 toggle @Override
76    public void checkAccess(Right right) throws AccessDeniedException
77    {
78  5 if (CONTENT_AUTHOR_RIGHTS.contains(right)) {
79  5 EntityReference entity;
80  5 if (right == Right.PROGRAM) {
81    // Defaults to the main wiki reference.
82  5 entity = null;
83    } else {
84  0 entity = getCurrentEntity();
85    }
86  5 checkAccess(right, getCurrentUser(right, null), entity);
87    } else {
88  0 checkAccess(right, getCurrentEntity());
89    }
90    }
91   
 
92  1 toggle @Override
93    public void checkAccess(Right right, EntityReference entity) throws AccessDeniedException
94    {
95  1 DocumentReference user = getCurrentUser(right, entity);
96   
97  1 checkAccess(right, user, entity);
98    }
99   
 
100  6 toggle private void checkAccess(Right right, DocumentReference user, EntityReference entity) throws AccessDeniedException
101    {
102  6 if (!checkPreAccess(right)) {
103  0 throw new AccessDeniedException(right, user, entity);
104    }
105   
106  6 this.authorizationManager.checkAccess(right, user, getFullReference(entity));
107    }
108   
 
109  32218 toggle @Override
110    public boolean hasAccess(Right right)
111    {
112  32217 if (CONTENT_AUTHOR_RIGHTS.contains(right)) {
113  11319 EntityReference entity;
114  11317 if (right == Right.PROGRAM) {
115    // Defaults to the main wiki reference.
116  2730 entity = null;
117    } else {
118  8589 entity = getCurrentEntity();
119    }
120  11317 return hasAccess(right, getCurrentUser(right, null), entity);
121    }
122   
123  20899 return hasAccess(right, getCurrentEntity());
124    }
125   
 
126  93874 toggle @Override
127    public boolean hasAccess(Right right, EntityReference entity)
128    {
129  93873 DocumentReference user = getCurrentUser(right, entity);
130   
131  93872 return hasAccess(right, user, entity);
132    }
133   
 
134  105182 toggle private boolean hasAccess(Right right, DocumentReference user, EntityReference entity)
135    {
136  105185 return checkPreAccess(right) && this.authorizationManager.hasAccess(right, user, getFullReference(entity));
137    }
138   
 
139  105172 toggle private EntityReference getFullReference(EntityReference reference)
140    {
141  105175 return reference != null ? this.resolver.resolve(reference, reference.getType()) : null;
142    }
143   
144    /**
145    * Check pre-condition for access.
146    *
147    * @param right the right being checked.
148    * @return true if pre-condition are fulfilled.
149    */
 
150  105190 toggle private boolean checkPreAccess(Right right)
151    {
152  105194 if (CONTENT_AUTHOR_RIGHTS.contains(right)) {
153  18152 if (this.renderingContext.isRestricted()) {
154  0 return false;
155  18152 } else if (right == Right.PROGRAM && this.xcontextProvider.get().hasDroppedPermissions()) {
156  22 return false;
157    }
158    }
159   
160  105167 return true;
161    }
162   
 
163  105196 toggle private DocumentReference getCurrentUser(Right right, EntityReference entity)
164    {
165    // Backward compatibility for the old way of assigning programming right.
166  105195 if (CONTENT_AUTHOR_RIGHTS.contains(right)) {
167  18152 XWikiDocument doc = entity == null ? getProgrammingDocument() : getDocument(entity);
168  18151 if (doc != null) {
169  18105 return getContentAuthor(doc);
170    }
171    }
172   
173  87088 return this.xcontextProvider.get().getUserReference();
174    }
175   
 
176  6828 toggle private XWikiDocument getDocument(EntityReference entity)
177    {
178  6828 if (entity == null) {
179  0 return null;
180    }
181   
182  6828 EntityReference docEntity = entity.extractReference(EntityType.DOCUMENT);
183  6828 if (docEntity == null) {
184  0 return null;
185    }
186   
187  6828 XWikiContext xcontext = this.xcontextProvider.get();
188   
189  6828 try {
190  6828 return xcontext.getWiki().getDocument(new DocumentReference(docEntity), xcontext);
191    } catch (Exception e) {
192    // Ignored
193    }
194   
195  0 return null;
196    }
197   
198    /**
199    * @param doc a document.
200    * @return the content author reference of that document.
201    */
 
202  18107 toggle private DocumentReference getContentAuthor(XWikiDocument doc)
203    {
204  18107 DocumentReference user = doc.getContentAuthorReference();
205   
206  18105 if (user != null && XWikiConstants.GUEST_USER.equals(user.getName())) {
207    // Public users (not logged in) should be passed as null in the new API. It may happen that badly
208    // design code, and poorly written API does not take care, so we prevent security issue here.
209  0 user = null;
210    }
211   
212  18107 return user;
213    }
214   
215    /**
216    * Get the current entity from context.
217    *
218    * @return the current sdoc or doc document reference, or the current wiki reference if no doc available.
219    */
 
220  29487 toggle private EntityReference getCurrentEntity()
221    {
222  29487 XWikiContext xcontext = this.xcontextProvider.get();
223  29488 XWikiDocument doc = xcontext.getDoc();
224   
225  29488 if (doc != null) {
226  29485 return doc.getDocumentReference();
227    }
228   
229  1 return null;
230    }
231   
232    /**
233    * Get the document used to test programming right.
234    *
235    * @return the current sdoc or doc document, null if no doc available.
236    */
 
237  11324 toggle private XWikiDocument getProgrammingDocument()
238    {
239  11324 XWikiContext xcontext = this.xcontextProvider.get();
240   
241  11324 XWikiDocument document = (XWikiDocument) xcontext.get(XWikiDocument.CKEY_SDOC);
242  11323 if (document == null) {
243  140 document = xcontext.getDoc();
244    }
245   
246  11323 return document;
247    }
248    }