|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.ObjectARoad0.gWork.LinkRightsImpl
public class LinkRightsImpl
This class provides detection and filtering operations about links and privileges, for a given ACS. It operates on DisplayableLinkImpls, on the inherited rights and the typed privileges. An important service is the adding of a DisplayableLinkImpl to the view map for these objects, and its filtering by the AcsAddon subclasses (see the method addDisplayableLink). Another important service is the application of priority rules to filter a link after a comparison with the other links. This service may be defined for the AGO, ACL or Privilege rights. An another service is the handling of the inherited rights of a leaf through a tree. There is also the analysis of the Account/Groups context of a node in a given DisplayableLinkImpl. No direct call to the ACS methods.
Each node in a view and each intermediate node has one LinkRights instance for each view it belongs to. The implementation classes of this interface have properties that depend only on the class of the node ACS, then 2 nodes of the same view should use the same LinkRights instance, even if it is not the actual behavior in all cases. But there is an exception for the methods that detects the Account and AcsAddon priorities over all the links. They use RightsMediatorImpl.getAllLinkRights() which returns only one LinkRights instance per implied gWork package, and not one instance per view node.
Each instance of LinkRights is called by only one thread. A node may be in several DisplayableLinks of the same view, but it has only one LinkRights instance for the view. The association between a node and its LinkRights instance is managed by the RightsMediatorImpl of the view.
An AcsAddon may overread this class to change the implemented rules, for instance it may be necessary to change the 'ThroughNodesTree' methods for the rights inheritance.
During a search, a DisplayableLinkImpl may have to be removed after its insertion in the final result. The reason is the filtering of access paths to apply some priority rules among the AGO, PRI, ACL or BDG rights. Some of these priority rules may be from an AcsAddon, through the call to a method detectAddonPriorityInXXX(). These methods have the property to detect a prioritary link which enforces the removing of one or several longuer links in the final result. The inverse is not true, since a long link cannot produce, by its existence, the removing of a shorter link. To overcome this limit in an AcsAddon, it is possible to use the 3 methods NodeRights.detectAddon2Nodes, detectAddon3Nodes and detectAddonFinalAllNodes. These methods detect some long links, and may remove other links if there is a priority rule to fulfill with. However, this way breaks the semantic of these NodeRights methods. The work is longer and it would produce a code more difficult to maintain.
Note : since the AGO rights are only inner rights of an ACS, and since all the nodes of an ACS have LinkRight instances that have the same behavior, it is possible for the AGO rights to use for a node, the LinkRight instance of another node from the same ACS. This is also true for VirtualFolder memberships, but not for the Bridge and Privilege rights.
The calls to the ACS are for the methods getManageGroups(), getManageGroupTrees(), getManageLPRIRightsInheritance(), getManageACLRightsInheritance(), getManageAGORightsInheritance(), getManageSecGroupsForActor(). This class is used by the gWork and Gui2 classes.
AccessControlLinkImpl
Field Summary | |
---|---|
protected AlgorithmInterpreter |
interpreter_
|
protected DisplayableLinkUtilities |
linkUtil_
|
private static java.util.Map |
M_RIGHTS_ACRONYMS
|
protected UtilityImpl |
utility_
|
Fields inherited from interface ARoad0.gWorkInterface.LinkRights |
---|
INITIAL_CAPACITY |
Constructor Summary | |
---|---|
LinkRightsImpl(AlgorithmInterpreter _interpreter)
Only one constructor, called by RightsMediatorImpl after the creation of _interpreter. |
Method Summary | |
---|---|
DisplayableLinkImpl |
addDisplayableLink(DisplayableLinkImpl _dLink,
java.util.Map _upd_m_l_DisplayableLinks)
This important method adds a DisplayableLinkImpl in the map, if it does not exist, or adds the rights of each AccessControlLink in the link, to the matched link in the map. |
java.util.Collection |
detectAccountPriorityInAllLinksAGORights(java.util.Collection<DisplayableLinkImpl> _l_dLinks)
This heavy method removes any DisplayableLink which contains an Account/Group Group relation while there is an Account in another DisplayableLink. |
boolean |
detectAccountPriorityInLastLinkAGORights(DisplayableLinkImpl _dLink,
java.util.Collection<DisplayableLinkImpl> _upd_l_dLinks)
Applies the rule 'AGO right: A rights overlay G rights' to a DisplayableLink that ends with the sequence source/groupIDMember/resource, through the analysis of a list of DisplayableLinkImpls. |
java.util.Collection |
detectAddonPriorityInAllLinksAGORights(java.util.Collection<DisplayableLinkImpl> _l_dLinks)
This heavy method is overridden by the AcsAddon, to remove any DisplayableLink which has an AcsAddon object, and contains an AGO right while there is a superior right in another DisplayableLink, following the applicable ACS rules of the AcsAddon ACS. |
java.util.Collection |
detectAddonPriorityInAllLinksNonAGORights(java.util.Collection<DisplayableLinkImpl> _l_dLinks)
This heavy method is overridden by the AcsAddon, to remove any DisplayableLink which has an AcsAddon object and contains an ACL right or a Privilege right, while there is a superior right in another DisplayableLink, following the applicable ACS rules of the AcsAddon ACS. |
boolean |
detectAddonPriorityInLastLinkAGORights(DisplayableLinkImpl _dLink,
java.util.Collection<DisplayableLinkImpl> _upd_l_dLinks)
Overridden by the AcsAddon, to apply the ACS priority rules to a DisplayableLink that ends with an access target, for a given Addon ACS that owns this target, through the analysis of a list of DisplayableLinkImpls. |
boolean |
detectAddonPriorityInLastLinkNonAGORights(DisplayableLinkImpl _dLink,
java.util.Collection<DisplayableLinkImpl> _upd_l_dLinks)
Overridden by the AcsAddon, to applies any priority rules to a DisplayableLink, about an ACL right or a Privilege right in the last AccessControlLink, through the analysis of a list of DisplayableLinkImpls. |
boolean |
equals(java.lang.Object _obj)
|
void |
finalizeForProcess()
Finalizes the instance. |
boolean |
getDetectAddonPriorityInAllLinksAGORights()
Called by CompoundRightsFactoryImpl.detectHiddenCompoundEpRights() in the final loop, and by detectOneHiddenNodeCompoundRights(). |
boolean |
getDetectAddonPriorityInAllLinksNonAGORights()
Called by CompoundRightsFactoryImpl.detectHiddenCompoundEpRights() in the final loop, and by detectOneHiddenNodeCompoundRights(). |
boolean |
getDetectAddonPriorityInLastLinksAGORights()
Called by CompoundRightsFactoryImpl.detectHiddenCompoundEpRights() in the central loops, and by ThreeNodeRightsFactoryImpl.endsPathsFromGroupIDMemberrWithAclPrivilegeMemberOwnContain(). |
boolean |
getDetectAddonPriorityInLastLinksNonAGORights()
Called by CompoundRightsFactoryImpl.detectHiddenCompoundEpRights() in the central loops. |
java.util.List<PrivilegeSource> |
getEorL_SourcesForPrivilegeForType(PrivilegeForType _priv,
ImmutableACS _acs)
Gets all the PrivilegeSources using a given PrivilegeForType. |
java.util.List<PrivilegeTarget> |
getEorL_TargetsForPrivilegeForType(PrivilegeForType _priv,
ImmutableACS _acs)
Gets all the PrivilegeTargets using a given PrivilegeForType. |
int |
hashCode()
|
boolean |
isSourceForPrivilegeForType(PrivilegeForType _priv,
ImmutablePrivilegeSource _ps)
NO USE - Returns true if a PrivilegeSource uses a given PrivilegeForType. |
boolean |
isTargetForPrivilegeForType(PrivilegeForType _priv,
ImmutablePrivilegeTarget _pt)
Returns true if a PrivilegeTarget uses a given PrivilegeForType. |
boolean |
isTransferingAGcontext(AccessControlLinkImpl _acLink,
ImmutableACS _firstACS,
ImmutableACS _secondACS)
Called by setNextNodeAGrunningContext() and updateAGrunningContext(). |
protected java.util.HashSet<ImmutableGroupIDMember> |
setNextNodeAGrunningContext(DisplayableLinkImpl _upd_dLink,
int _nodeIndex)
This method increments the Account/Groups context position, updates the AG context set in the DisplayableLinkImpl and returns this context. |
java.lang.String |
toString()
|
java.util.Set<ImmutableGroupIDMember> |
updateAGrunningContext(DisplayableLinkImpl _upd_dLink)
This important method updates the Account/Groups context of a DisplayableLinkImpl, either from the AG context of the last node having one, or from one of the following nodes in the same ACS, or, if there is no current AG context, through all the connected nodes from the same ACS. |
Methods inherited from class java.lang.Object |
---|
clone, finalize, getClass, notify, notifyAll, wait, wait, wait |
Field Detail |
---|
private static java.util.Map M_RIGHTS_ACRONYMS
protected AlgorithmInterpreter interpreter_
protected UtilityImpl utility_
protected DisplayableLinkUtilities linkUtil_
Constructor Detail |
---|
public LinkRightsImpl(AlgorithmInterpreter _interpreter)
_interpreter
- algorithm interpreter of this viewMethod Detail |
---|
public boolean equals(java.lang.Object _obj)
equals
in class java.lang.Object
_obj
- Object to compare
public int hashCode()
hashCode
in class java.lang.Object
public void finalizeForProcess()
finalizeForProcess
in interface LinkRights
public java.lang.String toString()
toString
in class java.lang.Object
public boolean getDetectAddonPriorityInAllLinksAGORights()
getDetectAddonPriorityInAllLinksAGORights
in interface LinkRights
public boolean getDetectAddonPriorityInAllLinksNonAGORights()
getDetectAddonPriorityInAllLinksNonAGORights
in interface LinkRights
public boolean getDetectAddonPriorityInLastLinksAGORights()
getDetectAddonPriorityInLastLinksAGORights
in interface LinkRights
public boolean getDetectAddonPriorityInLastLinksNonAGORights()
getDetectAddonPriorityInLastLinksNonAGORights
in interface LinkRights
public DisplayableLinkImpl addDisplayableLink(DisplayableLinkImpl _dLink, java.util.Map _upd_m_l_DisplayableLinks)
Caution: the rights and the comments are merging if there is in the map a DisplayableLinkImpl with the same nodes, and the result is then this previous link. But there is no merging of the _dLink properties since the merging algorithm depends on the semantic of the property.
This method may be subclassed by the AcsAddon subclasses for filtering the adding of a DisplayableLinkImpl following the previous DisplayableLinkImpls in the map. Called by AgoRightsFactoryImpl, AclRightsFactoryImpl, PrivilegeRightsFactoryImpl and CompoundRightsFactoryImpl. Calls DisplayableLinkImpl.mergeRightsWithoutFiltering() and mergeCommentsWithoutFiltering().
addDisplayableLink
in interface LinkRights
_dLink
- is the new link including some rights and to add to _upd_m_l_DisplayableLinks_upd_m_l_DisplayableLinks
- Map of DisplayableLinks ArrayLists (one per pair) to update.
getDisplayableLink()
public boolean detectAccountPriorityInLastLinkAGORights(DisplayableLinkImpl _dLink, java.util.Collection<DisplayableLinkImpl> _upd_l_dLinks)
If the last sequence is source/userID/resource in _dLink, this method removes any DisplayableLink in the list containing a sequence source/groupID/resource with the same source and resource, and the method returns false to say there is no priority that forbids the use of the argument _dLink as a valid link. Otherwise, with this last sequence, the method returns true.
If the last sequence is source/groupID/resource in _dLink, and if there is a DisplayableLink in the list containing a sequence source/userID/resource with the same source and resource, then the method returns true to say there is a priority that forbids the use of the argument _dLink as a valid link. Otherwise, with this last sequence, the method returns false.
The OWNER path may be without workable rights, since the account remains there the single applicable relation. Called by AgoRightsFactoryImpl.detectHiddenChainedGroupsRights().
detectAccountPriorityInLastLinkAGORights
in interface LinkRights
_dLink
- with a Resource as as node of this instance and as second end, and
a groupIDMember just before the second end. Returns true
if null, empty or with less than 3 nodes. Its AccessControlLinks are not analyzed._upd_l_dLinks
- to analyze and update, all with the same second end than _dLink.
Returns false if it is null or empty. It may be updated only if _dLink contains
an UserID as node before the last node. The last AccessControlLink of each
DisplayableLinkImpl is analyzed for the types OWNER and CONTAIN. May contain
the argument _dLink that is then ignored. May be null.
java.lang.InternalError
- with a list having links without the same _dLink ends, or
_dLink does not have a groupIDMember as node just before the last onepublic java.util.Collection detectAddonPriorityInAllLinksAGORights(java.util.Collection<DisplayableLinkImpl> _l_dLinks)
detectAddonPriorityInAllLinksAGORights
in interface LinkRights
_l_dLinks
- DisplayableLinkImpls to analyze, all with the same two ends or not,
where this LinkRights is for one of the node in at least one DisplayableLinkImpl.
Not null.
public java.util.Collection detectAddonPriorityInAllLinksNonAGORights(java.util.Collection<DisplayableLinkImpl> _l_dLinks)
detectAddonPriorityInAllLinksNonAGORights
in interface LinkRights
_l_dLinks
- DisplayableLinkImpls to analyze, all with the same two ends or not,
where this LinkRights is for one of the node in at least one DisplayableLinkImpl.
Not null
public boolean detectAddonPriorityInLastLinkNonAGORights(DisplayableLinkImpl _dLink, java.util.Collection<DisplayableLinkImpl> _upd_l_dLinks)
detectAddonPriorityInLastLinkNonAGORights
in interface LinkRights
_dLink
- where the second end is the node of this instance.
Returns true if null, empty or with less than 3 nodes._upd_l_dLinks
- to analyze and update, all with the same second end than _dLink.
Returns false if it is null or empty. It may be updated. May contain
the argument _dLink that is then ignored. May be null.
public boolean detectAddonPriorityInLastLinkAGORights(DisplayableLinkImpl _dLink, java.util.Collection<DisplayableLinkImpl> _upd_l_dLinks)
detectAddonPriorityInLastLinkAGORights
in interface LinkRights
_dLink
- where the second end is the node of this instance._upd_l_dLinks
- to analyze and update, all with the same two ends of _dLink.
Returns false if it is null or empty. It may be updated. May contain
the argument _dLink that is then ignored. May be null.
java.lang.InternalError
- with some ACS-specific errorspublic java.util.Collection detectAccountPriorityInAllLinksAGORights(java.util.Collection<DisplayableLinkImpl> _l_dLinks)
- in dLink to remove, there is a node triplet (ep)-RUN_UNDER or IS_MEMBER- (groupid)-CONTAIN-(resource), and in some dLink2, there is a node triplet (same ep)-RUN_UNDER-(userid)-OWNER-(same resource);
- in dLink to remove, there is a node triplet (userid)-IS_MEMBER-(groupid)-CONTAIN-(resource), and in some dLink2, there is a node couple (same userid)-OWNER-(same resource).
Called by CompoundRightsFactoryImpl.detectHiddenCompoundEpRights() in the final loop. Calls removeSomeGroupRightsInAllLinksAGORights().
detectAccountPriorityInAllLinksAGORights
in interface LinkRights
_l_dLinks
- DisplayableLinkImpls to analyze, all items with the same two ends,
where this LinkRights is for one of the node in at least one DisplayableLinkImpl.
Not null.
public java.util.Set<ImmutableGroupIDMember> updateAGrunningContext(DisplayableLinkImpl _upd_dLink) throws ProcessError
This method has to be called before the use of the AG context of the second end. This means that it the DisplayableLinkImpl has to be updated each time the paths search finds an actor running under its own AG context, or if the context is no more propagated. It is recommanded because the AG context may be needed for analyzing the next nodes of the path. This calling rule is also true for the AcsAddon path search methods. If it is done, any AcsAddon paths search method may read the current AG context of a DisplayableLinkImpl passed in as argument. If it is not done in an AcsAddon, the AcsAddons of the next nodes should call the generic method DisplayableLinkUtilities.getSecondEndAGcontext() to set the AG context properly.
If the DisplayableLinkImpl contains only nodes from one ACS, there is one LinkRights instance to use. One call to this method provides a complete result. Otherwise, if the nodes are from different ACSs, the caller of this method has to define a sequence of calls to this method on different LinkRights instances. The aim is to process each node in the right instance and the proper order, and this is done by DisplayableLinkUtilities.getSecondEndAGcontext(). In the returned DisplayablelinkImpl, the AG context current position is on the last node to have been analyzed. This position is ridden by the caller to define the next LinkRights instance on which this method has to be called, for the next node(s) to analyze. When this current position is the second end of the DisplayableLinkImpl, the work is completed.
Called by ThreeNodesRightsFactoryImpl.selectOneHiddenNodePathsForVirtualFolder(), addPathsFromActorStartsUnderGroupIDMember(), and by DisplayableLinkUtilities.getSecondEndAGcontext(). Calls setNextNodeAGrunningContext() that produces the effective work.
Overridden method in the AcsAddons. Caution: the overridding in a subclass should work only on the nodes of its AcsAddon. The overridding method may simply delete the AG context of the last analyzed node from a generic ACS or from another AcsAddon.
updateAGrunningContext
in interface LinkRights
_upd_dLink
- the node after the node having the AG context, if any, is the node
of this instance. Never null. Its properties should be updated by this method,
and they may be null after the updating. The AG context position is set to
the last node having been analyzed.
ProcessError
- if a node is not an ACSObject, if an AccessControLink
is applied to a node that has not the right class.DisplayableLinkUtilities.getSecondEndAGcontext(ARoad0.CNot.DisplayableLinkImpl)
,
setNextNodeAGrunningContext(ARoad0.CNot.DisplayableLinkImpl, int)
protected java.util.HashSet<ImmutableGroupIDMember> setNextNodeAGrunningContext(DisplayableLinkImpl _upd_dLink, int _nodeIndex) throws ProcessError
The couple of (UserID, GroupID) contains the 2 GroupIDMembers under which the second end is running, if it is an actor, or which is its AG context as resource or virtual folder. The UserID is given by the last UserID node in the DisplayableLinkImpl that is the source for an AccessControlLink with the types OWNER and through a chain of links that transfers the AG context. The GroupID is given by the last GroupID node in the DisplayableLinkImpl that is the source for an AccessControlLink with the types CONTAIN, and through a chain of links that transfers the AG context.
The list of GroupIDs depends on the first node of the DisplayableLinkImpl, if the chain of links transfers the AG context. If the first end is a GroupIDMember, the list contains the groups to which this GroupIDMember is member, if any. If the first end is an Actor, the list contains the secondary groups of this Actor, if any.
If the chain of links does not transfer the first end AG context, the list of GroupIDMembers is from the last intermediate Actor starting without transfered AG context. With the exemple of the 3-nodes path having the form 'ep/privilege/actor started from xid/alias/virtual folder', if the intermediate actor runs under the account U and the group G, the virtual folder in the path is on the mode VirtualFolderImpl.AG_CONTEXT_DEPENDENT, and the path has to be extended by two paths 'run under/U' and 'run under/G'. Otherwise, if the actor does not run under U, no running group is considered, the virtual folder has the mode PASS_ON, and the 'ep' rights on the virtual folder members are defined by the other properties of the path 'ep/privilege/actor started from xid/alias/virtual folder/virtual member/resource'.
The right proxy property of the actor is never considered. It is ridden in other core algorithms to allow an actor to be an intermediate node, whatever the AG context.
Called by updateAGrunningContext(). The caller must have checked the following requisites:
- the current node with the AG context is an ACSObject, like the next one,
- these two nodes have the same ACS,
- the current node with the AG context has the index just before _nodeIndex.
The AccessControlLink between theses two implied nodes may allow or not to transfer the AG context, and this is given by isTransferingAGcontext(). The returned DisplayableLinkImpl may have a null property for the key DisplayableLinkImpl.AG_CONTEXT_SET, but never for AG_CONTEXT_NODE_POSITION.
Overridden method in the AcsAddons, for instance to provide AG context transferings through the privileges. Another case is to reset the AG context of a no-simple DisplayableLinkImpl when an AccessControlLink transfers a null AG context between two nodes. The overriding method may simply delete the AG context of the last analyzed node from a generic ACS or from another AcsAddon. Caution: the overriding in an AcsAddon should work only on nodes from its AcsAddon. Called by updateAGrunningContext().
_upd_dLink
- its second end is the node of this instance. Never null.
Its properties should be updated by this method, and they may be null after it.
The AG context position is set to the node at _nodeIndex._nodeIndex
- index of the node to analyze; is the node of this instance.
Always greater than 0.
ProcessError
- if the position of the node to analyze is lesser than 1,
and varied casesCompoundRightsFactoryImpl.selectDirectHiddenReferenceForAlias(ARoad0.Gui2.GraphicView, ARoad0.gBaseInterface.EPRViewInBase, ARoad0.gBaseInterface.ACSObject)
,
isTransferingAGcontext(ARoad0.CNot.AccessControlLinkImpl, ARoad0.gBaseInterface.ImmutableACS, ARoad0.gBaseInterface.ImmutableACS)
public boolean isTransferingAGcontext(AccessControlLinkImpl _acLink, ImmutableACS _firstACS, ImmutableACS _secondACS)
_acLink
- never null_firstACS
- ACS of the _acLink first node. May be null. No use in this version._secondACS
- ACS of the _acLink second node. May be null. No use in this version.
AccessControlLinkImpl.isTransferingAGcontextWithoutACL()
public boolean isSourceForPrivilegeForType(PrivilegeForType _priv, ImmutablePrivilegeSource _ps)
isSourceForPrivilegeForType
in interface LinkRights
_priv
- to test_ps
- to test
public boolean isTargetForPrivilegeForType(PrivilegeForType _priv, ImmutablePrivilegeTarget _pt)
isTargetForPrivilegeForType
in interface LinkRights
_priv
- to test. Not null._pt
- to test. Not null.
public java.util.List<PrivilegeSource> getEorL_SourcesForPrivilegeForType(PrivilegeForType _priv, ImmutableACS _acs)
getEorL_SourcesForPrivilegeForType
in interface LinkRights
_priv
- to analyze. Returns an empty list if null, empty, from another ACS._acs
- the privilege acs
public java.util.List<PrivilegeTarget> getEorL_TargetsForPrivilegeForType(PrivilegeForType _priv, ImmutableACS _acs)
getEorL_TargetsForPrivilegeForType
in interface LinkRights
_priv
- to analyze. Returns an empty list if null, empty, from another ACS._acs
- the privilege acs
|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |