Interface PermissionCheckingService

All Known Implementing Classes:
DefaultPermissionCheckingService

public interface PermissionCheckingService

Provides permission checking operations.

Description

This service is used to check for effective permission assignments. An effective permission assignment is the result of combining actual permission assignments with permission checking rules. Actual permission assignments are basic relations between objects (such as items, types and so on), principals and permissions, as defined by PermissionManagementService. Permission checking rules are defined by this service; they govern how actual permission assignments are interpreted within the principal group hierarchy and the item type hierarchy with respect to the permission target object: item, type, attribute descriptor or global permissions. Possible outcomes of permission checking operations are defined by the PermissionCheckValue enumeration.

PermissionManagementService allows permission assignments to be defined for items, types and attribute descriptors. It also allows so-called global permission assignments to be defined, which do not refer to any concrete object but just describe the relation between a principal, a permission and a value (GRANTED or DENIED). This gives 4 possible target objects of permission assignments (item, type, attribute, global). Permission checking rules differ depending on the target object. The rule of thumb is that the priority of assignments (from highest to lowest) is: item/attribute, type, global. See the description of each checking algorithm for details. Some of the methods defined here use a default principal; this service defines that principal as the current session user.

Permission checking algorithms
Global permission assignments checking
input: principal, permission
When checking global permission assignments, first the permission assignments for the principal itself are checked. If no assignment is found, the principal's group hierarchy is checked using the algorithm for group hierarchy inheritance.

Type permission assignments checking
input: principal, permission, type
When checking permission assignments to a type for a principal, the type hierarchy is taken into account. The steps are:
- Permission assignment to the type for the principal is checked. If an assignment is found, it determines the result.
- Permission assignment to the type across the principal group hierarchy is checked using the algorithm for group hierarchy inheritance. If an assignment is found, it determines the result.
- If the type's super-type is not null, the algorithm is repeated for the type's super-type.
- Global permission assignments are checked as a fall-back.
Attribute Descriptor permission assignments checking
input: principal, permission, attribute descriptor
When checking permission assignments to an attribute descriptor for a principal, the attribute hierarchy is taken into account. The steps are:
- Permission assignment to the current attribute descriptor for the principal is checked. If an assignment is found, it determines the result.
- Permission assignment to the current attribute descriptor across the principal group hierarchy is checked using the algorithm for group hierarchy inheritance. If an assignment is found, it determines the result.
- Permission assignment to the attribute's enclosing type is checked, without traversing the type hierarchy. If an assignment is found, it determines the result.
- The attribute descriptor's super-attribute is determined. If it is defined, the algorithm is repeated for the super-attribute (a super-attribute is the corresponding attribute descriptor of the enclosing type's super-type).
- If there is no super-attribute, checking continues as described in Type permission assignments checking, where the initial type is the current attribute's enclosing type's super-type.
Item permission assignments checking
input: principal, permission, item instance
When checking permission assignments to an item the steps are:
- Permission assignment to the item for the principal is checked. If an assignment is found, it determines the result.
- Permission assignment to the item across the principal group hierarchy is checked using the algorithm for group hierarchy inheritance. If an assignment is found, it determines the result.
- Checking continues as described in Type permission assignments checking, where the initial type is the item's type.
Principal Group Hierarchy Inheritance
The following algorithm is used to resolve permission assignment inheritance across the group hierarchy of a given principal. It only checks assignments for a single permission and a single principal given as input.
Algorithm input: a permission for which assignments are checked and a set [P] of principals. Set [P] initially contains only one element: the given principal.
Note that principal groups are also principals, and all members of a group inherit the group's permission assignments as described below.
Definition: Direct super-group of a principal: a group the principal is a direct member of (i.e. the super-group contains the principal directly, not through some other group).
- If there exists an actual permission assignment for the principal, it determines the result.
- If there is no actual permission assignment for the principal, the following algorithm is used:
  - The set [SP] of all direct super-groups of the principals in the given set [P] is determined.
  - The set [A] of actual permission assignments for all the groups in [SP] is determined.
  - If the set [A] contains a single permission assignment, it determines the result.
  - If the set [A] contains more than one permission assignment:
    - If the value of the "isGranted" flag is the same for all assignments in [A], this determines the result.
    - If the value of the "isGranted" flag is not the same for all assignments in [A], the result is PermissionCheckValue.CONFLICTING.
  - If the set [A] is empty: build a set [NP] that contains all super-groups of the groups contained in [SP]. Execute the algorithm again with [NP] as input.
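The four checking algorithms and the group hierarchy inheritance described above, as an added example that is not part of this page and not SAP Commerce code: a small Python model that resolves effective permissions from a table of actual assignments. The class and method names (PermissionChecker, check_item, check_type, check_attribute, check_global), the target tuples, the NOT_DEFINED value and the sample users, groups, types and assignments are all assumptions constructed for the example; the page itself names only PermissionCheckValue.CONFLICTING and the GRANTED/DENIED assignment values. Two points the page leaves open are fixed as assumptions and marked in the code: "execute the algorithm again with [NP]" is implemented as checking [NP] as the next level of super-groups, and the enclosing-type step of the attribute check applies group inheritance but does not climb the type hierarchy.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class PermissionCheckValue(Enum):
    GRANTED = "GRANTED"          # assignment value "granted"
    DENIED = "DENIED"
    CONFLICTING = "CONFLICTING"  # the only value named on the page
    NOT_DEFINED = "NOT_DEFINED"  # assumed name for "no assignment found"

@dataclass(frozen=True)
class Type:
    code: str
    super_type: Optional["Type"] = None

@dataclass(frozen=True)
class Attribute:
    enclosing_type: Type
    qualifier: str

class PermissionChecker:
    # Targets are ("global",), ("type", code), ("attr", type code, qualifier) or ("item", pk).
    def __init__(self, assignments, direct_groups, attributes):
        self.assignments = assignments      # (target, principal uid, permission) -> isGranted flag
        self.direct_groups = direct_groups  # principal uid -> uids of its direct super-groups
        self.attributes = attributes        # (type code, qualifier) -> declared Attribute

    def _resolve(self, target, principal, permission):
        """Principal group hierarchy inheritance for one target, principal and permission."""
        direct = self.assignments.get((target, principal, permission))
        if direct is not None:                        # an actual assignment for the principal wins
            return PermissionCheckValue.GRANTED if direct else PermissionCheckValue.DENIED
        current, visited = {principal}, {principal}
        while current:
            # [SP]: direct super-groups of every principal in [P]; subtracting visited is an added
            # guard so that a malformed, cyclic membership graph cannot loop forever
            sp = set().union(*(self.direct_groups.get(p, set()) for p in current)) - visited
            visited |= sp
            # [A]: isGranted flags of the actual assignments found on this level
            flags = [f for f in (self.assignments.get((target, g, permission)) for g in sp) if f is not None]
            if flags:
                if all(flags):
                    return PermissionCheckValue.GRANTED
                if not any(flags):
                    return PermissionCheckValue.DENIED
                return PermissionCheckValue.CONFLICTING  # mixed flags on the same level
            current = sp                                 # [A] empty: [NP] becomes the next level (assumption)
        return PermissionCheckValue.NOT_DEFINED

    def check_global(self, principal, permission):
        return self._resolve(("global",), principal, permission)

    def check_type(self, t, principal, permission):
        while t is not None:                             # climb the type hierarchy
            result = self._resolve(("type", t.code), principal, permission)
            if result is not PermissionCheckValue.NOT_DEFINED:
                return result
            t = t.super_type
        return self.check_global(principal, permission)   # global assignments are the fall-back

    def check_attribute(self, a, principal, permission):
        while True:
            result = self._resolve(("attr", a.enclosing_type.code, a.qualifier), principal, permission)
            if result is not PermissionCheckValue.NOT_DEFINED:
                return result
            # enclosing type without climbing its hierarchy (applying group inheritance here is an assumption)
            result = self._resolve(("type", a.enclosing_type.code), principal, permission)
            if result is not PermissionCheckValue.NOT_DEFINED:
                return result
            st = a.enclosing_type.super_type
            super_attr = self.attributes.get((st.code, a.qualifier)) if st else None
            if super_attr is None:                       # no super-attribute: continue as a type check
                return self.check_type(st, principal, permission)
            a = super_attr

    def check_item(self, item_pk, item_type, principal, permission):
        result = self._resolve(("item", item_pk), principal, permission)
        if result is not PermissionCheckValue.NOT_DEFINED:
            return result
        return self.check_type(item_type, principal, permission)

# Constructed sample data (not from the page): a three-level type tree, three users and a group chain.
ITEM = Type("Item")
PRODUCT = Type("Product", ITEM)
VARIANT = Type("VariantProduct", PRODUCT)
ATTRIBUTES = {(t.code, q): Attribute(t, q) for t, q in [(PRODUCT, "name"), (PRODUCT, "price"), (VARIANT, "name")]}
GROUPS = {"alice": {"editors"}, "bob": {"editors", "auditors"}, "carol": {"readers"}, "editors": {"staff"}}
ASSIGNMENTS = {
    (("global",), "staff", "read"): True,                      # reaches alice via editors -> staff
    (("global",), "readers", "change"): False,
    (("type", "Product"), "editors", "change"): True,
    (("type", "Product"), "auditors", "change"): False,        # bob is in both groups -> CONFLICTING
    (("attr", "Product", "price"), "alice", "change"): False,  # attribute assignment beats the type grant
    (("item", "prod-1"), "readers", "read"): True,
}
CHECKER = PermissionChecker(ASSIGNMENTS, GROUPS, ATTRIBUTES)
```

With this data, `CHECKER.check_type(PRODUCT, "bob", "change")` returns CONFLICTING because bob's two direct groups carry opposite flags on the same level, while `CHECKER.check_attribute(ATTRIBUTES[("VariantProduct", "name")], "alice", "change")` returns GRANTED only after falling through the attribute, its enclosing type, the super-attribute on Product and finally the editors group's assignment on Product. A DENIED assignment on the Product.price attribute overrides that same type-level grant for alice, which is the item/attribute > type > global priority the description states.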
Method Summary

All methods are abstract instance methods and return PermissionCheckResult.

- checkAttributeDescriptorPermission(AttributeDescriptorModel attributeDescriptor, PrincipalModel principal, java.lang.String permissionName)
  Checks if a principal has a permission to an attribute descriptor.
- checkAttributeDescriptorPermission(AttributeDescriptorModel attributeDescriptor, java.lang.String permissionName)
  Same as checkAttributeDescriptorPermission(AttributeDescriptorModel, PrincipalModel, String) but uses the default principal.
- checkAttributeDescriptorPermission(java.lang.String typeCode, java.lang.String attributeQualifier, PrincipalModel principal, java.lang.String permissionName)
  Same as checkAttributeDescriptorPermission(AttributeDescriptorModel, PrincipalModel, String) but allows String values to specify the attribute descriptor.
- checkAttributeDescriptorPermission(java.lang.String typeCode, java.lang.String attributeQualifier, java.lang.String permissionName)
  Same as checkAttributeDescriptorPermission(String, String, PrincipalModel, String) but uses the default principal.
- checkGlobalPermission(PrincipalModel principal, java.lang.String permissionName)
  Checks if a principal has a given permission assigned globally.
- checkGlobalPermission(java.lang.String permissionName)
  Same as checkGlobalPermission(PrincipalModel, String) but uses the default principal.
- checkItemPermission(ItemModel item, PrincipalModel principal, java.lang.String permissionName)
  Checks if a principal has a permission to an item.
- checkItemPermission(ItemModel item, java.lang.String permissionName)
  Same as checkItemPermission(ItemModel, PrincipalModel, String) but uses the default principal.
- checkTypePermission(ComposedTypeModel type, PrincipalModel principal, java.lang.String permissionName)
  Checks if a principal has a permission to a type.
- checkTypePermission(ComposedTypeModel type, java.lang.String permissionName)
  Same as checkTypePermission(ComposedTypeModel, PrincipalModel, String) but uses the default principal.
- checkTypePermission(java.lang.String typeCode, PrincipalModel principal, java.lang.String permissionName)
- checkTypePermission(java.lang.String typeCode, java.lang.String permissionName)
  Same as checkTypePermission(String, PrincipalModel, String) but uses the default principal.
Method Detail

checkItemPermission
PermissionCheckResult checkItemPermission(ItemModel item, PrincipalModel principal, java.lang.String permissionName)
Checks if a principal has a permission to an item. A principal can be given permission to an item by creating a permission assignment to the item for the principal, by creating a permission assignment to the item's type for the principal, or by creating a global permission assignment for the principal. Note that principal groups are also principals, and all members of a group inherit the group's permission assignments as described in group hierarchy inheritance.
For details see: Item permission assignments checking

checkItemPermission
PermissionCheckResult checkItemPermission(ItemModel item, java.lang.String permissionName)
Same as checkItemPermission(ItemModel, PrincipalModel, String) but uses the default principal.
checkTypePermission
PermissionCheckResult checkTypePermission(ComposedTypeModel type, PrincipalModel principal, java.lang.String permissionName)
Checks if a principal has a permission to a type. A principal has a permission to a type if there is a permission assignment to the type or to one of the type's super-types (transitively) for the principal.
Note that a principal inherits its permissions from the groups it belongs to as described in group hierarchy inheritance.
For details see: Type permission assignments checking

checkTypePermission
PermissionCheckResult checkTypePermission(java.lang.String typeCode, PrincipalModel principal, java.lang.String permissionName)

checkTypePermission
PermissionCheckResult checkTypePermission(ComposedTypeModel type, java.lang.String permissionName)
Same as checkTypePermission(ComposedTypeModel, PrincipalModel, String) but uses the default principal.

checkTypePermission
PermissionCheckResult checkTypePermission(java.lang.String typeCode, java.lang.String permissionName)
Same as checkTypePermission(String, PrincipalModel, String) but uses the default principal.
checkAttributeDescriptorPermission
PermissionCheckResult checkAttributeDescriptorPermission(AttributeDescriptorModel attributeDescriptor, PrincipalModel principal, java.lang.String permissionName)
Checks if a principal has a permission to an attribute descriptor. For an explanation of when a principal has permission to an attribute descriptor see: Attribute Descriptor permission assignments checking

checkAttributeDescriptorPermission
PermissionCheckResult checkAttributeDescriptorPermission(AttributeDescriptorModel attributeDescriptor, java.lang.String permissionName)
Same as checkAttributeDescriptorPermission(AttributeDescriptorModel, PrincipalModel, String) but uses the default principal.

checkAttributeDescriptorPermission
PermissionCheckResult checkAttributeDescriptorPermission(java.lang.String typeCode, java.lang.String attributeQualifier, PrincipalModel principal, java.lang.String permissionName)
Same as checkAttributeDescriptorPermission(AttributeDescriptorModel, PrincipalModel, String) but allows String values to specify the attribute descriptor.

checkAttributeDescriptorPermission
PermissionCheckResult checkAttributeDescriptorPermission(java.lang.String typeCode, java.lang.String attributeQualifier, java.lang.String permissionName)
Same as checkAttributeDescriptorPermission(String, String, PrincipalModel, String) but uses the default principal.
checkGlobalPermission
PermissionCheckResult checkGlobalPermission(PrincipalModel principal, java.lang.String permissionName)
Checks if a principal has a given permission assigned globally. For an explanation of when a principal has a permission assigned globally see: Global permission assignments checking

checkGlobalPermission
PermissionCheckResult checkGlobalPermission(java.lang.String permissionName)
Same as checkGlobalPermission(PrincipalModel, String) but uses the default principal.