Class AccessManager

  • All Implemented Interfaces:
    ItemLifecycleListener, java.io.Serializable

    public class AccessManager
    extends Manager
    Manager of all security based functionality of the hybris Platform. Here you can define new UserRights, assign them to Principals and Items, and check access on items.
    There are two ways of assigning rights to a user (all Users are Principals): as global permission or as local permission. The first is not bound to an Item and so can be checked without one. Local permissions are assignments of userrights for a user to a specific item. Such a permission can only be checked on this item.
    You can combine both ways to get hierarchical permission checking, by assigning one right globally and optionally locally. Example: A user might be globally allowed to see all products (by globally assigning the right product.read), but be forbidden to see the special product MY_CHEFS_SECRET_CAR (by negatively assigning this right to this product). The great advantage is that all other products need not have this right explicitly assigned, but can be checked anyway (because it is globally assigned).
    See Also:
    Serialized Form
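    The product.read / MY_CHEFS_SECRET_CAR setup from the description, written out against the methods on this page. This is an added example, not hybris code: the package names are assumed, the Item and Principal objects are assumed to be loaded by the caller (no lookup API appears on this page), and the global grant uses addGlobalPositivePermission because it is the only global add this page shows, even though it is marked deprecated here.

```java
// Added example, not part of the hybris AccessManager source.
// Assumed: the package names below; item and principal objects are supplied by the caller.
import de.hybris.platform.jalo.Item;
import de.hybris.platform.jalo.security.AccessManager;
import de.hybris.platform.jalo.security.JaloSecurityException;
import de.hybris.platform.jalo.security.Principal;
import de.hybris.platform.jalo.security.UserRight;

public final class ProductReadPolicy
{
    // right code taken from the class description above
    private static final String PRODUCT_READ = "product.read";

    private ProductReadPolicy()
    {
    }

    /**
     * Grants the user product.read globally and prohibits it locally on one product.
     * aclOwner must be a global ACL-owner and an ACL-owner of secretProduct; otherwise
     * the manager rejects the assignment with JaloSecurityException (see the method docs).
     */
    public static void grantAllButOne(final Principal aclOwner, final Principal user, final Item secretProduct)
        throws JaloSecurityException
    {
        final AccessManager am = AccessManager.getInstance();
        final UserRight productRead = am.getOrCreateUserRightByCode(PRODUCT_READ);

        // global, item-independent grant (deprecated on this page, but the only global add shown)
        am.addGlobalPositivePermission(aclOwner, user, productRead);

        // local prohibition on exactly one item; item permissions overrule global ones
        am.addNegativePermissionOn(secretProduct, aclOwner, user, productRead);
    }

    /**
     * Delegates to checkPermissionOn, which applies the local-over-global precedence itself.
     * A missing right resolves to the manager's default of 'not allowed'.
     */
    public static boolean canRead(final Principal user, final Item product)
    {
        final AccessManager am = AccessManager.getInstance();
        final UserRight productRead = am.getUserRightByCode(PRODUCT_READ);
        if (productRead == null)
        {
            return false;
        }
        return am.checkPermissionOn(product, user, productRead);
    }
}
```

    After grantAllButOne, canRead returns false for the secret product and true for every other product, per the decision table under checkPermissionOn: the local negative entry overrules the global positive one on that item only, and all other items fall through to the global grant without needing an assignment of their own.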
    • Field Detail

      • READ

        @Deprecated
        public static final java.lang.String READ
        Deprecated.
        since ages - Instead use PermissionsConstants.READ
        See Also:
        Constant Field Values
      • CHANGE

        @Deprecated
        public static final java.lang.String CHANGE
        Deprecated.
        since ages - Instead use PermissionsConstants.CHANGE
        See Also:
        Constant Field Values
      • CHANGE_PERMISSIONS

        @Deprecated
        public static final java.lang.String CHANGE_PERMISSIONS
        Deprecated.
        since ages - Instead use PermissionsConstants.CHANGE_PERMISSIONS
        See Also:
        Constant Field Values
      • CREATE

        @Deprecated
        public static final java.lang.String CREATE
        Deprecated.
        since ages - Instead use PermissionsConstants.CREATE
        See Also:
        Constant Field Values
      • REMOVE

        @Deprecated
        public static final java.lang.String REMOVE
        Deprecated.
        since ages - Instead use PermissionsConstants.REMOVE
        See Also:
        Constant Field Values
    • Constructor Detail

      • AccessManager

        public AccessManager()
    • Method Detail

      • getInstance

        public static AccessManager getInstance()
        Returns:
        instance of this manager
      • notifyItemRemoval

        protected void notifyItemRemoval​(SessionContext ctx,
                                         Item item)
        Clears all permissions which are set for this item. If the item is a Principal it clears its permissions on any other item too.
        Overrides:
        notifyItemRemoval in class Manager
        Parameters:
        ctx - the current session context
        item - the item which is going to be removed
        Since:
        2.10
      • checkPermissionOn

        public boolean checkPermissionOn​(Item item,
                                         Principal principal,
                                         UserRight permission)
        Checks permission on an item. This gives a positive result if this userright was positively assigned to this item and user or (if not locally assigned) if it was positively globally assigned to the user. If it was locally (or globally, if not local) negatively assigned, the result is negative.
        Since a user can be part of multiple UserGroups which might have their own rights assigned too, both positive and negative assignments might be found. In this case the result is negative.
        As you can see there are two kinds of hierarchy in this security model: global and local permissions, and user and usergroup permissions. As a rule of thumb you should always expect local permissions and user permissions to be stronger than global and usergroup permissions.

        The return values for item i, Principal p and UserRight r as table:

        entry                                   return value   comment
        none                                    false          default is 'not allowed'
        (i,p,r,+)                               true           user has permission
        (i,p,r,-)                               false          user has negative permission
        (*,p,r,+)                               true           user has global permission (item-independent)
        (*,p,r,-)                               false          user has negative global permission (item-independent)
        (i,G(p),r,+)                            true           (at least) one group of user has permission
        (i,G(p),r,-)                            false          groups of user have negative permissions (or none!)
        (*,G(p),r,+)                            true           (at least) one group of user has global permission
        (*,G(p),r,-)                            false          groups of user have negative global permissions (or none)

        special cases
        (*,G1(p),r,+) but also (*,G2(p),r,-)    false          if one group is not allowed the user is not allowed
        (*,p,r,+) but also (i,p,r,-)            false          global permissions are overruled by item-permissions
        (i,G(p),r,+) but also (i,p,r,-)         false          group permissions are overruled by principal permissions

        Syntax:
        +            ... positive permission
        -            ... negative permission
        *            ... permission is global (item-independent)
        G(p)         ... the groups of principal p
        G1(p), G2(p) ... groups of principal in two parts
        Parameters:
        item - the item to check the right for
        principal - the user to check the right for
        permission - the right to check
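        The decision table above, reduced to a stand-alone Java model that needs no hybris classes, so the precedence rules can be traced on plain strings. This is an added example, not hybris code, and it does not reproduce the real implementation; it only encodes the rows of the table. One ordering the page leaves open is assumed: the local scope (the item's own entries, for the principal and then its groups) is consulted before the global scope, which matches the rule of thumb that local beats global and user beats group.

```java
// Added example: a model of the checkPermissionOn decision table, not hybris code.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;

public final class PermissionTableModel
{
    enum Verdict { POSITIVE, NEGATIVE, NONE }

    /** One assignment (item, principal, right, +/-); item == null stands for '*' (global). */
    record Entry(String item, String principal, String right, boolean positive) {}

    private final List<Entry> entries = new ArrayList<>();
    private final Map<String, Set<String>> groupsOf = new HashMap<>();

    public void assign(final String item, final String principal, final String right, final boolean positive)
    {
        entries.add(new Entry(item, principal, right, positive));
    }

    public void addToGroup(final String principal, final String group)
    {
        groupsOf.computeIfAbsent(principal, k -> new HashSet<>()).add(group);
    }

    /** Direct entries of one principal at one scope; a negative entry beats a positive one. */
    private Verdict direct(final String item, final String principal, final String right)
    {
        boolean positive = false;
        boolean negative = false;
        for (final Entry e : entries)
        {
            if (Objects.equals(e.item(), item) && e.principal().equals(principal) && e.right().equals(right))
            {
                if (e.positive()) positive = true; else negative = true;
            }
        }
        if (negative) return Verdict.NEGATIVE;
        return positive ? Verdict.POSITIVE : Verdict.NONE;
    }

    /** Rows (i,G(p),r,+/-): any group with a negative entry denies; otherwise any positive grants. */
    private Verdict viaGroups(final String item, final String principal, final String right)
    {
        Verdict result = Verdict.NONE;
        for (final String group : groupsOf.getOrDefault(principal, Set.of()))
        {
            final Verdict v = direct(item, group, right);
            if (v == Verdict.NEGATIVE) return Verdict.NEGATIVE;
            if (v == Verdict.POSITIVE) result = Verdict.POSITIVE;
        }
        return result;
    }

    /** Local scope before global scope (assumed ordering); principal before groups; no entry means 'not allowed'. */
    public boolean checkPermissionOn(final String item, final String principal, final String right)
    {
        final Verdict[] chain = {
            direct(item, principal, right),
            viaGroups(item, principal, right),
            direct(null, principal, right),
            viaGroups(null, principal, right)
        };
        for (final Verdict v : chain)
        {
            if (v != Verdict.NONE) return v == Verdict.POSITIVE;
        }
        return false;
    }

    public static void main(final String[] args)
    {
        final PermissionTableModel m = new PermissionTableModel();
        m.addToGroup("p", "G1");
        m.addToGroup("p", "G2");

        // (*,G1(p),r,+) but also (*,G2(p),r,-): one denying group denies the user
        m.assign(null, "G1", "r", true);
        m.assign(null, "G2", "r", false);
        System.out.println("group conflict on i        -> " + m.checkPermissionOn("i", "p", "r"));

        // (*,p,r,+) but also (i,p,r,-): the item permission overrules the global one, on i only
        m.assign(null, "p", "r", true);
        m.assign("i", "p", "r", false);
        System.out.println("local deny vs global grant -> " + m.checkPermissionOn("i", "p", "r"));
        System.out.println("global grant on other item -> " + m.checkPermissionOn("j", "p", "r"));

        // (i,G(p),r,+) but also (i,p,r,-): the principal's own entry overrules the group entry
        m.assign("i", "G1", "r", true);
        System.out.println("user deny vs group grant   -> " + m.checkPermissionOn("i", "p", "r"));
    }
}
```

        The three special-case rows resolve to false in the model for the reasons the table gives, while the check on item j stays true because the user's own global grant is consulted before the conflicting group entries. Note that once a negative entry exists at a scope, adding further positive entries at that scope never flips the result; only removing the negative entry does.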
      • removePermissionOn

        public void removePermissionOn​(Item item,
                                       Principal caller,
                                       Principal principal,
                                       UserRight permission)
                                throws JaloSecurityException
        Removes the local assignment of a userright for a user on a specific item. Since assignments can only be removed by ACL-owners of this item, such an owner must be specified too.
        Parameters:
        item - the item to remove the assignment from
        caller - the ACL-owner which is allowed to remove this assignment on this item
        principal - the user to remove the assignment for
        permission - the right to remove
        Throws:
        JaloSecurityException
      • addPositivePermissionOn

        public void addPositivePermissionOn​(Item item,
                                            Principal caller,
                                            Principal principal,
                                            UserRight permission)
                                     throws JaloSecurityException
        Positively assigns a right for a user to an item. Since assignments can only be created by ACL-owners of this item, such an owner must be specified too.
        Parameters:
        item - the item to add the assignment to
        caller - the ACL-owner which is allowed to add this assignment to this item
        principal - the user to add the assignment for
        permission - the right to add
        Throws:
        JaloSecurityException
      • addNegativePermissionOn

        public void addNegativePermissionOn​(Item item,
                                            Principal caller,
                                            Principal principal,
                                            UserRight permission)
                                     throws JaloSecurityException
        Negatively assigns a right for a user to an item (prohibition). Since assignments can only be created by ACL-owners of this item, such an owner must be specified too.
        Parameters:
        item - the item to add the assignment to
        caller - the ACL-owner which is allowed to add this assignment to this item
        principal - the user to add the assignment for
        permission - the right to add
        Throws:
        JaloSecurityException
      • checkPermission

        public boolean checkPermission​(Principal principal,
                                       UserRight permission)
        Checks a global permission for a user and a right. The result will only be positive if a positive global assignment for this user and this right exists.
        Since a user can be part of multiple UserGroups which might have their own rights assigned too, both positive and negative assignments might be found. In this case the result is negative.
        Parameters:
        principal - the user to check the right for
        permission - the right to check
      • checkPermission

        public boolean checkPermission​(Principal principal,
                                       java.lang.String permissionCode)
        Same as checkPermission(Principal, UserRight) but with the permissions code instead of passing the whole UserRight object.
      • removeGlobalPermission

        @Deprecated
        public void removeGlobalPermission​(Principal caller,
                                           Principal principal,
                                           UserRight permission)
                                    throws JaloSecurityException
        Deprecated.
        since ages - please use Principal.clearGlobalPermission(UserRight) instead
        Removes the global assignment of a userright for a user. Since assignments can only be removed by global ACL-owners, such an owner must be specified too.
        Parameters:
        caller - the ACL-owner which is allowed to remove this assignment
        principal - the user to remove the assignment for
        permission - the right to remove
        Throws:
        JaloSecurityException
      • addGlobalPositivePermission

        @Deprecated
        public void addGlobalPositivePermission​(Principal caller,
                                                Principal principal,
                                                UserRight permission)
                                         throws JaloSecurityException
        Deprecated.
        Positively assigns a right for a user globally. Since assignments can only be created by global ACL-owners, such an owner must be specified too.
        Parameters:
        caller - the ACL-owner which is allowed to add this assignment
        principal - the user to add the assignment for
        permission - the right to add
        Throws:
        JaloSecurityException
      • addGlobalNegativePermission

        @Deprecated
        public void addGlobalNegativePermission​(Principal caller,
                                                Principal principal,
                                                UserRight permission)
                                         throws JaloSecurityException
        Deprecated.
        Negatively assigns a right for a user globally (prohibition). Since assignments can only be created by global ACL-owners, such an owner must be specified too.
        Parameters:
        caller - the ACL-owner which is allowed to add this assignment
        principal - the user to add the assignment for
        permission - the right to add
        Throws:
        JaloSecurityException
      • getGlobalPositivePermissions

        public java.util.Collection getGlobalPositivePermissions​(Principal principal)
        Returns all globally positively assigned rights of a user.
        Parameters:
        principal - the user for which the rights are assigned
      • getGlobalNegativePermissions

        public java.util.Collection getGlobalNegativePermissions​(Principal principal)
        Returns all globally negatively assigned rights of a user.
        Parameters:
        principal - the user for which the rights are assigned
      • getAllGlobalPositivePermissions

        public java.util.Collection getAllGlobalPositivePermissions​(Principal principal)
        Returns all globally positively assigned rights of a user. Here also rights of usergroups which the user is in will be included.
        Parameters:
        principal - the user for which the rights are assigned
      • getAllGlobalNegativePermissions

        public java.util.Collection getAllGlobalNegativePermissions​(Principal principal)
        Returns all globally negatively assigned rights of a user. Here also rights of usergroups which the user is in will be included.
        Parameters:
        principal - the user for which the rights are assigned
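        The four getter methods above differ only in whether group-inherited rights are included, which makes them a convenient basis for an entitlement review: rights a user holds only through group membership, and rights that are both positively and negatively assigned somewhere in the user's groups (which checkPermission resolves to negative). This is an added example, not hybris code; it assumes the package names shown, that the collections returned here hold UserRight objects (they are declared raw on this page), and that UserRight exposes its code via getCode().

```java
// Added example, not part of the hybris AccessManager source.
// Assumed: package names below; raw collections contain UserRight; UserRight.getCode() exists.
import de.hybris.platform.jalo.security.AccessManager;
import de.hybris.platform.jalo.security.Principal;
import de.hybris.platform.jalo.security.UserRight;
import java.util.Collection;
import java.util.Set;
import java.util.TreeSet;

public final class GlobalRightsAudit
{
    /**
     * directPositive:    global rights assigned to the principal itself
     * inheritedPositive: global rights the principal holds only via a usergroup
     * effectiveNegative: global prohibitions from the principal or any of its groups
     * conflicting:       rights granted somewhere but also prohibited somewhere; these
     *                    resolve to 'not allowed' under checkPermission
     */
    public record Report(Set<String> directPositive, Set<String> inheritedPositive,
                         Set<String> effectiveNegative, Set<String> conflicting) {}

    private GlobalRightsAudit()
    {
    }

    public static Report audit(final Principal principal)
    {
        final AccessManager am = AccessManager.getInstance();

        final Set<String> direct = codes(am.getGlobalPositivePermissions(principal));
        final Set<String> allPositive = codes(am.getAllGlobalPositivePermissions(principal));
        final Set<String> allNegative = codes(am.getAllGlobalNegativePermissions(principal));

        // rights present in the group-inclusive view but absent from the direct view
        final Set<String> inherited = new TreeSet<>(allPositive);
        inherited.removeAll(direct);

        // a right that is both granted and prohibited across user/groups is denied in practice
        final Set<String> conflicting = new TreeSet<>(allPositive);
        conflicting.retainAll(allNegative);

        return new Report(direct, inherited, allNegative, conflicting);
    }

    /** Casts each element of a raw collection and collects the right codes in sorted order. */
    private static Set<String> codes(final Collection<?> rights)
    {
        final Set<String> out = new TreeSet<>();
        for (final Object o : rights)
        {
            out.add(((UserRight) o).getCode()); // getCode() is assumed, not shown on this page
        }
        return out;
    }
}
```

        A non-empty inheritedPositive set shows where a group, rather than an explicit grant, is the source of a user's global rights; a non-empty conflicting set flags grants that are silently ineffective because a group prohibition wins, which is usually worth cleaning up rather than leaving as an invisible override.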
      • getUserRightsByCode

        public java.util.Collection getUserRightsByCode​(java.lang.String code)
        Returns all UserRights whose code matches the specified search string. The syntax of this string is equivalent to that of SQL LIKE statements.
        Parameters:
        code -
        Returns:
        Collection
      • getUserRightByCode

        public UserRight getUserRightByCode​(java.lang.String code)
        Returns the UserRight with the specified code. Unlike getUserRightsByCode( String ), this method only does exact matching.
        Parameters:
        code -
      • getOrCreateUserRightByCode

        public UserRight getOrCreateUserRightByCode​(java.lang.String code)
        Convenience method which first tries to get the user right with the given code and, when such a user right does not exist, creates it.
        Parameters:
        code -
      • getAllUserRights

        public java.util.Collection getAllUserRights()
        All existing userrights in the system.
      • isEditable

        public boolean isEditable​(Item item,
                                  AttributeDescriptor descriptor)
        Asks all those extensions which implement RightsProvider if the attribute should be editable.
        Since:
        2.20
      • getRestrictedLanguages

        public java.util.Set<Language> getRestrictedLanguages​(Item item)
        Asks all those extensions which implement Extension.ResctrictedLanguageProvider for all available languages for the given item and returns the intersection of these languages.
        Since:
        3.00 (beta1)
      • checkLicence

        public java.util.ArrayList checkLicence()
        This method returns a list of LicenceInfo objects. The size of this list equals the number of existing licence terms.
        Returns:
        a list
      • getRestrictedItemsMapForPrincipal

        public java.util.Map getRestrictedItemsMapForPrincipal​(Principal p,
                                                               java.util.List permissionList)
      • getGlobalRestrictedPrincipals

        public java.util.Collection getGlobalRestrictedPrincipals​(UserRight permission)
      • getGlobalRestrictedPrincipals

        public java.util.Collection getGlobalRestrictedPrincipals​(PK permissionPK)
      • writeReplace

        public java.lang.Object writeReplace()
                                      throws java.io.ObjectStreamException
        Specified by:
        writeReplace in class Manager
        Throws:
        java.io.ObjectStreamException