public interface NodeRights
This interface is responsible for getting the rights for a node in a view, and since each implied ACS may be generic or from an AcsAddon, the main job of this class is to give the correct method to use for each ACS and each search. The NodeRights true class is a NodeRights or one of its subclasses that is set in an AcsAddon. Then, each node offers to the paths search a set of methods from this NodeRights and, optionally, another set from the AcsAddon that are called from some NodeRights methods which are overridden.
The path search algorithms are then divided in 4 sets:
- the core algorithms are the larger part of the code, and they are in most of the gWork classes; they work for all the ACSs, generic ones or from an AcsAddon, they consider the node general interface (EligibleParty or Resource, for instance), but they are independent of the effective properties of the node,
- the NodeRights generic methods: they are called by the core methods to process each node, and they use the generic properties of a node and its environment (like the generic properties of a Resource); they work for all the ACSs, they are always called by the core algorithms, but an AcsAddon may choose to override them in some rare cases,
- the NodeRights AcsAddon methods: the core methods test, through the getXXXAddonYYY methods, whether a given AcsAddon method (detectAddon... or selectAddon...) is defined for the node, and if it is true, the relevant method is called during the paths search by the core algorithms; these AcsAddon methods are empty in the NodeRights class (all the getXXXAddonYYY methods return false), and they may be overridden in the subclasses to write code that calls some specialized AcsAddon methods,
- the specialized methods of an AcsAddon are in a NodeRights subclass, and they are called by an overridden NodeRights AcsAddon method; there is no name pattern for these methods; they use the generic properties of a node and its environment, but they also handle the original properties of the AcsAddon node. Since an AcsAddon may be based on another AcsAddon, a NodeRights subclass may have another NodeRights subclass as super class.
This framework is an important part of the AcsAddon pattern. It gives the AcsAddon designer full control over the actual search algorithms to use in their own ACSs, but it also provides the powerful support of the generic algorithms and of all the other AcsAddons, to limit the code the designer has to add to the AcsAddon.
A node is here the end of a view access path, or it may be a potential or effective intermediate node in an access path. Such an intermediate node is an ImmutableSource like Actor, GroupIDMember or VirtualFolder.
Generally speaking, the rights depend on the node and its one or two previous nodes in the access path. These rights are based mainly on the classes and properties of these 2 or 3 implied nodes, and naturally also on their ACS properties. The resulting rights usually depend on the NodeRights algorithms only, but in some rare cases, they may also depend on the single NodeRights property, defined at the NodeRights creation, that is simply the node itself.
Each node in a view and each intermediate node has one NodeRights instance for each view it belongs to. The implementation classes of this interface have properties that depend only on the class of the node ACS, so 2 nodes of the same view should use the same NodeRights instance, even if it is not the actual behavior in all cases. Each instance of NodeRights is called by only one thread. A node may be in several DisplayableLinks of the same view, but it has only one NodeRights instance for the view. The association between a node and its NodeRights instance is managed by the RightsMediatorImpl of the view.
Note: since the AGO rights are only inner rights of an ACS, and since all the nodes of an ACS have NodeRights instances that have the same behavior, it is possible for the AGO rights, and only for them, to use for a node the NodeRights instance of another node from the same ACS. This is also true for VirtualFolder memberships, but not for the Bridge and Privilege rights.
Upper-level methods begin with get...() and detect...(), middle-level methods begin with select...(), lower-level methods begin with add...().
Field Summary | |
---|---|
static int |
INITIAL_CAPACITY
|
Method Summary | |
---|---|
java.util.Map |
detectAddon2Nodes(EPRViewInBase _viewInBase,
ImmutableTarget _node,
java.util.Map _m_l_DisplayableLinks,
BaseObject _center)
For an AcsAddon, filters for a given node the incompatible rights, if any, in the 2-nodes DisplayableLinks, and adds the AcsAddon specific rights, if any. |
java.util.Map |
detectAddon3Nodes(EPRViewInBase _viewInBase,
ImmutableTarget _node,
java.util.Map _m_l_DisplayableLinks)
For an AcsAddon, filters for a given node the incompatible rights, if any, in the 3-nodes DisplayableLinks, and adds the AcsAddon specific rights, if any. |
java.util.Map |
detectAddonFinal2Nodes(EPRViewInBase _viewInBase,
ImmutableTarget _node,
java.util.Map _m_l_DisplayableLinks,
BaseObject _center)
For an AcsAddon, defines the specific final direct rights, if any, for a given node in the 2-nodes DisplayableLinks. |
java.util.Map |
detectAddonFinal3Nodes(EPRViewInBase _viewInBase,
ImmutableTarget _node,
java.util.Map _m_l_DisplayableLinks)
For an AcsAddon, defines the specific final direct rights, if any, for a given node in the 3-nodes DisplayableLinks. |
java.util.Map |
detectAddonFinalAllNodes(EPRViewInBase _viewInBase,
ImmutableTarget _node,
java.util.Map _m_l_DisplayableLinks,
java.util.Map<ImmutableName,java.util.Set<StringRight>> _m_effectiveRights)
For an AcsAddon, defines the specific final direct rights, if any, for a given node in the DisplayableLinks having more than 3 nodes. |
java.util.List<StringRight> |
detectL_aclEntryRights(ImmutableResource _res,
ImmutableEligibleParty _ep,
boolean _onlyNonConditionalACLs)
Gets all the rights of the relevant AclEntries managed by the Resource for a given EligibleParty. |
java.util.List<StringRight> |
detectL_linkedPrivilegeRights(ImmutablePrivilegeTarget _targ,
ImmutablePrivilegeSource _sour)
Gets all the rights of the relevant direct linked privileges managed by the Resource for a given EligibleParty. |
void |
finalizeForProcess()
Finalizes the instance. |
boolean |
getDetectAddon2Nodes()
Called by RightsFactory_Facade. |
boolean |
getDetectAddon3Nodes()
Called by RightsFactory_Facade. |
boolean |
getDetectAddonFinal2Nodes()
Called by RightsFactory_Facade. |
boolean |
getDetectAddonFinal3Nodes()
Called by RightsFactory_Facade. |
boolean |
getDetectAddonFinalAllNodes()
Called by RightsFactory_Facade. |
AccessControlLinkImpl |
getL_accessRightsThroughNodesTree(ImmutableLeaf _res,
ImmutableEligibleParty _acc,
ImmutableGroupID _grp)
Returns in an AccessControlLink the inherited rights given by the directory tree or virtual folder tree, as AG, ACL or LPRI rights. |
AccessControlLinkImpl |
getMergedInheritedAclPriRightsAndComments(ImmutableSource _so,
ImmutableLeaf _targ,
AccessControlLinkImpl _upd_acLink,
StringRight[] _l_transientInheritedRights)
Gets the effective ACL or LPRI rights of the source on the target when there are non-null inherited rights through the nodes tree, and adds some specific comments for the ACL or PRI rights from an AcsAddon, even if there is no inherited rights. |
boolean |
getSelectAddonLastViewNodeAfterActor()
Called by CompoundRightsFactoryImpl.detectHiddenCompoundEpRights() in the final loop on the view nodes, and by detectOneHiddenNodeCompoundRights(). |
boolean |
getSelectAddonLastViewNodeAfterGroupIDMember()
Called by CompoundRightsFactoryImpl.detectHiddenCompoundEpRights() in the final loop on the view nodes, and by detectOneHiddenNodeCompoundRights(). |
boolean |
getSelectAddonLastViewNodeAfterVirtualFolder()
Called by CompoundRightsFactoryImpl.detectHiddenCompoundEpRights() in the final loop on the view nodes, and by detectOneHiddenNodeCompoundRights(). |
boolean |
getSelectAddonNewHiddenNodeForActor()
Called by CompoundRightsFactoryImpl.detectHiddenCompoundEpRights() in the central loop on the intermediate nodes. |
boolean |
getSelectAddonNewHiddenNodeForGroupIDMember()
Called by CompoundRightsFactoryImpl.detectHiddenCompoundEpRights() in the central loop on the intermediate nodes. |
boolean |
getSelectAddonNewHiddenNodeForVirtualFolder()
Called by CompoundRightsFactoryImpl.detectHiddenCompoundEpRights() in the central loop on the intermediate nodes. |
DisplayableLinkImpl |
selectAddonLastViewNodeAfterActor(EPRViewInBase _viewInBase,
ImmutableTarget _target,
DisplayableLinkImpl _dLink,
java.util.Map _m_l_DisplayableLinks)
Detects the view target that is linked to an actor, to extend the current DisplayableLink ended by this actor. |
DisplayableLinkImpl |
selectAddonLastViewNodeAfterGroupIDMember(EPRViewInBase _viewInBase,
ImmutableTarget _target,
DisplayableLinkImpl _dLink,
java.util.Map _m_l_DisplayableLinks)
Detects the view target that is linked to a groupIDMember, to extend the current DisplayableLink ended by this groupIDMember. |
DisplayableLinkImpl |
selectAddonLastViewNodeAfterVirtualFolder(EPRViewInBase _viewInBase,
ImmutableResource _target,
DisplayableLinkImpl _dLink,
java.util.Map _m_l_DisplayableLinks)
Detects the view target that is linked to a VirtualFolder, to extend the current DisplayableLink ended by this VirtualFolder. |
java.util.List<DisplayableLinkImpl> |
selectAddonNewHiddenNodeForActor(EPRViewInBase _viewInBase,
ImmutableActor _node,
java.util.Set<DisplayableLinkImpl> _l_dLinks,
java.util.Map _m_l_DisplayableLinks,
java.util.List<ACSObject> _upd_l_NoProxyOrNoExecuteNodes)
Detects the hidden nodes that are linked to an Actor as access source, to extend the current DisplayableLinks ended by this actor. |
java.util.List<DisplayableLinkImpl> |
selectAddonNewHiddenNodeForGroupIDMember(EPRViewInBase _viewInBase,
ImmutableGroupIDMember _node,
java.util.Set<DisplayableLinkImpl> _l_dLinks,
java.util.Map _m_l_DisplayableLinks,
java.util.List<ACSObject> _upd_l_NoProxyOrNoExecuteNodes)
Detects the hidden nodes that are linked to a GroupIDMember as access source, to extend the current DisplayableLinks ended by this groupIDMember. |
java.util.List<DisplayableLinkImpl> |
selectAddonNewHiddenNodeForVirtualFolder(EPRViewInBase _viewInBase,
ImmutableVirtualFolder _node,
java.util.Set<DisplayableLinkImpl> _l_dLinks,
java.util.Map _m_l_DisplayableLinks,
java.util.List<ACSObject> _upd_l_NoProxyOrNoExecuteNodes)
Detects the hidden nodes that are linked to a VirtualFolder as access source, to extend the current DisplayableLinks ended by this VirtualFolder. |
java.util.Set<ImmutableGroupIDMember> |
selectDirectOwnerContainGlobalForActorAsEP(EPRViewInBase _viewInBase,
ImmutableActor _act)
Detects the current UserID (including 'root'), the current GroupID and the secondary groups under which an actor runs, if they are in the view. |
java.util.Set<DisplayableLinkImpl> |
selectForGroupIDMemberItsHiddenActorsWithNextLinks(EPRViewInBase _viewInBase,
ImmutableGroupIDMember _ep)
Detects all the actors that are not in _viewInBase, that are owned or contained by _ep, and executable from it, and that are access sources for another AG context. |
java.util.Set |
selectHiddenButNoDirectGroupLinks(EPRViewInBase _viewInBase,
ImmutableEligibleParty _ep)
Detects the main GroupID and, recursively, the tree of GroupIDs in the _ep ACS, that contain _ep indirectly, and are not in _viewInBase. |
java.util.Set |
selectHiddenDirectGroupIDForGroupIDMember(EPRViewInBase _viewInBase,
ImmutableGroupIDMember _memb)
Detects all the GroupIDs in the ACS, that contains directly a GroupIDMember (even for 'root'), and are not in _viewInBase. |
java.util.Set |
selectHiddenDirectOwnerContainForActorAsResource(EPRViewInBase _viewInBase,
ImmutableActor _act)
Detects the UserID and all the GroupIDs in the ACS, that owns or contains an actor directly as a Resource, and are not in _viewInBase. |
java.util.Set |
selectHiddenDirectOwnerContainForTarget(EPRViewInBase _viewInBase,
ImmutableResource _res)
Detects the UserID and the GroupID in the _res ACS, that owns or contains _res directly, and are not in _viewInBase. |
java.util.Set<ImmutableGroupIDMember> |
selectHiddenDirectOwnerContainGlobalForActorAsEP(EPRViewInBase _viewInBase,
ImmutableActor _act)
Detects the current UserID (including 'root'), the current GroupID and the secondary groups under which an actor runs, if they are not in the view. |
boolean |
withAccessThroughNodesTreeFromEP(ImmutableSource _ep,
ImmutableLeaf _res,
ImmutableGroupIDMember _ep_2)
This method is designed to be fast, and to return true if the resource tree or the virtual folder tree allows the source to access the leaf through the inherited rights. |
Field Detail |
---|
static final int INITIAL_CAPACITY
Method Detail |
---|
boolean getDetectAddon2Nodes()
boolean getDetectAddonFinal2Nodes()
boolean getDetectAddon3Nodes()
boolean getDetectAddonFinal3Nodes()
boolean getDetectAddonFinalAllNodes()
boolean getSelectAddonLastViewNodeAfterActor()
boolean getSelectAddonLastViewNodeAfterGroupIDMember()
boolean getSelectAddonLastViewNodeAfterVirtualFolder()
boolean getSelectAddonNewHiddenNodeForActor()
boolean getSelectAddonNewHiddenNodeForGroupIDMember()
boolean getSelectAddonNewHiddenNodeForVirtualFolder()
java.util.Map detectAddon2Nodes(EPRViewInBase _viewInBase, ImmutableTarget _node, java.util.Map _m_l_DisplayableLinks, BaseObject _center)
Parameters:
_viewInBase - EPRViewInBase
_node - node of this instance
_m_l_DisplayableLinks - Map of DisplayableLinks lists (one per pair) associated to the view, and to update.
_center - is the central object of a sketch view. Null if it is not a sketch view.
See Also:
detectAddonFinal2Nodes(ARoad0.gBaseInterface.EPRViewInBase, ARoad0.gBaseInterface.ImmutableTarget, java.util.Map, ARoad0.gBaseInterface.BaseObject)
java.util.Map detectAddonFinal2Nodes(EPRViewInBase _viewInBase, ImmutableTarget _node, java.util.Map _m_l_DisplayableLinks, BaseObject _center)
Parameters:
_viewInBase - EPRViewInBase
_node - node of this instance
_m_l_DisplayableLinks - Map of DisplayableLinks lists (one per pair) associated to the view, and to update.
_center - is the central object of a sketch view. Null if it is not a sketch view.
See Also:
detectAddon2Nodes(ARoad0.gBaseInterface.EPRViewInBase, ARoad0.gBaseInterface.ImmutableTarget, java.util.Map, ARoad0.gBaseInterface.BaseObject)
java.util.Map detectAddon3Nodes(EPRViewInBase _viewInBase, ImmutableTarget _node, java.util.Map _m_l_DisplayableLinks) throws java.lang.InterruptedException
Parameters:
_viewInBase - EPRViewInBase
_node - node of this instance
_m_l_DisplayableLinks - Map of DisplayableLinks lists (one per pair) associated to the view, and to update.
Throws:
java.lang.InterruptedException
See Also:
detectAddonFinal3Nodes(ARoad0.gBaseInterface.EPRViewInBase, ARoad0.gBaseInterface.ImmutableTarget, java.util.Map)
java.util.Map detectAddonFinal3Nodes(EPRViewInBase _viewInBase, ImmutableTarget _node, java.util.Map _m_l_DisplayableLinks) throws java.lang.InterruptedException
Parameters:
_viewInBase - EPRViewInBase
_node - node of this instance
_m_l_DisplayableLinks - Map of DisplayableLinks lists (one per pair) associated to the view, and to update.
Throws:
java.lang.InterruptedException
See Also:
detectAddon3Nodes(ARoad0.gBaseInterface.EPRViewInBase, ARoad0.gBaseInterface.ImmutableTarget, java.util.Map)
java.util.Map detectAddonFinalAllNodes(EPRViewInBase _viewInBase, ImmutableTarget _node, java.util.Map _m_l_DisplayableLinks, java.util.Map<ImmutableName,java.util.Set<StringRight>> _m_effectiveRights) throws java.lang.InterruptedException
Note: to speed up this method, the argument _m_effectiveRights is set from the initial argument _m_l_DisplayableLinks before the first call to this method, and for a given EPR view. _m_effectiveRights is then immutable while _m_l_DisplayableLinks may be updated by this method. This is not the case for the NoThan views. For the EPR views, this behavior implies this method provides independent changes for each _node for which it is called, so that the initial _m_effectiveRights remains usable. Called by RightsFactory_Facade.
Parameters:
_viewInBase - EPRViewInBase
_node - node of this instance
_m_l_DisplayableLinks - Map of DisplayableLinks lists (one per pair) associated to the view, and to update.
_m_effectiveRights - non-null and immutable Map where the keys are the _m_l_DisplayableLinks keys where rights are activated, and the value is a set of StringRights. May be an empty set.
Throws:
java.lang.InterruptedException
java.util.List<StringRight> detectL_aclEntryRights(ImmutableResource _res, ImmutableEligibleParty _ep, boolean _onlyNonConditionalACLs)
Parameters:
_res - of this instance, with some AclEntries to filter
_ep - may be associated to some _res AclEntries
_onlyNonConditionalACLs - true to read only the non-conditional AclEntries
java.util.List<StringRight> detectL_linkedPrivilegeRights(ImmutablePrivilegeTarget _targ, ImmutablePrivilegeSource _sour)
Parameters:
_targ - privilege target of this instance
_sour - privilege source
DisplayableLinkImpl selectAddonLastViewNodeAfterActor(EPRViewInBase _viewInBase, ImmutableTarget _target, DisplayableLinkImpl _dLink, java.util.Map _m_l_DisplayableLinks)
Parameters:
_viewInBase - EPRViewInBase. Never null.
_target - view node, not node of this instance. Never null.
_dLink - with an actor as second end and node of this instance. Never null.
_m_l_DisplayableLinks - immutable Map of DisplayableLinks lists (one per pair) to never update in this method.
DisplayableLinkImpl selectAddonLastViewNodeAfterGroupIDMember(EPRViewInBase _viewInBase, ImmutableTarget _target, DisplayableLinkImpl _dLink, java.util.Map _m_l_DisplayableLinks)
Parameters:
_viewInBase - EPRViewInBase. Never null.
_target - view node, not node of this instance. Never null.
_dLink - with a groupIDMember as second end and node of this instance. Never null.
_m_l_DisplayableLinks - immutable Map of DisplayableLinks lists (one per pair) to never update in this method.
DisplayableLinkImpl selectAddonLastViewNodeAfterVirtualFolder(EPRViewInBase _viewInBase, ImmutableResource _target, DisplayableLinkImpl _dLink, java.util.Map _m_l_DisplayableLinks)
Parameters:
_viewInBase - EPRViewInBase. Never null.
_target - view resource, not node of this instance. Never null.
_dLink - with a VirtualFolder as second end and node of this instance. Never null.
_m_l_DisplayableLinks - immutable Map of DisplayableLinks lists (one per pair) to never update in this method.
java.util.List<DisplayableLinkImpl> selectAddonNewHiddenNodeForActor(EPRViewInBase _viewInBase, ImmutableActor _node, java.util.Set<DisplayableLinkImpl> _l_dLinks, java.util.Map _m_l_DisplayableLinks, java.util.List<ACSObject> _upd_l_NoProxyOrNoExecuteNodes)
Parameters:
_viewInBase - EPRViewInBase. Never null.
_node - node of this instance. Never null.
_l_dLinks - list of links with _node as second end. May be null.
_m_l_DisplayableLinks - immutable Map of DisplayableLinks lists (one per pair) to never update in this method.
_upd_l_NoProxyOrNoExecuteNodes - updated by the adding of the hidden nodes without executing right or which are not right-proxy nodes, if any. This list is only extended if necessary, as a complement of the returned value of the method. This argument is usually empty at the call of this method, but this is not mandatory. Never null.
java.util.List<DisplayableLinkImpl> selectAddonNewHiddenNodeForGroupIDMember(EPRViewInBase _viewInBase, ImmutableGroupIDMember _node, java.util.Set<DisplayableLinkImpl> _l_dLinks, java.util.Map _m_l_DisplayableLinks, java.util.List<ACSObject> _upd_l_NoProxyOrNoExecuteNodes)
Parameters:
_viewInBase - EPRViewInBase. Never null.
_node - node of this instance. Never null.
_l_dLinks - list of links with _node as second end. May be null.
_m_l_DisplayableLinks - immutable Map of DisplayableLinks lists (one per pair) to never update in this method.
_upd_l_NoProxyOrNoExecuteNodes - updated by the adding of the hidden nodes without executing right or which are not right-proxy nodes, if any. This list is only extended if necessary, as a complement of the returned value of the method. This argument is usually empty at the call of this method, but this is not mandatory. Never null.
java.util.List<DisplayableLinkImpl> selectAddonNewHiddenNodeForVirtualFolder(EPRViewInBase _viewInBase, ImmutableVirtualFolder _node, java.util.Set<DisplayableLinkImpl> _l_dLinks, java.util.Map _m_l_DisplayableLinks, java.util.List<ACSObject> _upd_l_NoProxyOrNoExecuteNodes)
Parameters:
_viewInBase - EPRViewInBase. Never null.
_node - node of this instance. May be a Resource VirtualFolder. Never null.
_l_dLinks - list of links with _node as second end. May be null.
_m_l_DisplayableLinks - immutable Map of DisplayableLinks lists (one per pair) to never update in this method.
_upd_l_NoProxyOrNoExecuteNodes - updated by the adding of the hidden nodes without executing right or which are not right-proxy nodes, if any. This list is only extended if necessary, as a complement of the returned value of the method. This argument is usually empty at the call of this method, but this is not mandatory. Never null.
java.util.Set selectHiddenButNoDirectGroupLinks(EPRViewInBase _viewInBase, ImmutableEligibleParty _ep)
Parameters:
_viewInBase - EPRViewInBase
_ep - node of this instance; is in _viewInBase
Throws:
java.lang.InternalError - if the number of iterations is up to 40.
java.util.Set<ImmutableGroupIDMember> selectHiddenDirectOwnerContainGlobalForActorAsEP(EPRViewInBase _viewInBase, ImmutableActor _act)
Parameters:
_viewInBase - EPRViewInBase
_act - node of this instance; is in _viewInBase
java.util.Set<ImmutableGroupIDMember> selectDirectOwnerContainGlobalForActorAsEP(EPRViewInBase _viewInBase, ImmutableActor _act)
Parameters:
_viewInBase - EPRViewInBase
_act - node of this instance; is in _viewInBase
java.util.Set selectHiddenDirectOwnerContainForActorAsResource(EPRViewInBase _viewInBase, ImmutableActor _act)
Parameters:
_viewInBase - EPRViewInBase
_act - node of this instance; is in _viewInBase
java.util.Set selectHiddenDirectGroupIDForGroupIDMember(EPRViewInBase _viewInBase, ImmutableGroupIDMember _memb)
Parameters:
_viewInBase - EPRViewInBase
_memb - node of this instance; is in _viewInBase
java.util.Set selectHiddenDirectOwnerContainForTarget(EPRViewInBase _viewInBase, ImmutableResource _res)
- the userID that owns the resource,
- the groupID that contains the resource.
As selectHiddenDirectOwnerContainForActorAsResource(), but without search of the actor secondary groups.
Parameters:
_viewInBase - EPRViewInBase
_res - node of this instance; is in _viewInBase
java.util.Set<DisplayableLinkImpl> selectForGroupIDMemberItsHiddenActorsWithNextLinks(EPRViewInBase _viewInBase, ImmutableGroupIDMember _ep)
- at least it has one ACL as access source,
- or at least it has one Bridge as access source,
- or at least it has one Privilege as access source.
The actor is not added if _ep is a secondary group for the actor. The ACL, Bridge or Privilege rights of the actor as source are not checked, so they may be without effective rights. The AGO priorities of the ACS are not checked. An AcsAddon may override this method, for instance to process the inherited AclEntries or Privileges. Note: if there is an ACL with the same ACS for the source and the target, the AG context is not changed, but the ACL target may be an actor which is a source for ACL, Bridge or Privileges, and then the path has to be explored.
Parameters:
_viewInBase - the view to analyze
_ep - node of this instance; is in _viewInBase or not
AccessControlLinkImpl getL_accessRightsThroughNodesTree(ImmutableLeaf _res, ImmutableEligibleParty _acc, ImmutableGroupID _grp)
For the ACL and LPRI inherited rights, the inherited rights of the leaf which are returned are those of the first eligible party that is linked to the argument _acc or to _grp. In the map of the inherited rights of _res, this method searches among the map keys to find a linked eligible party. It applies a bottom-up test among the parent tree, using the fact that a key is the name of an eligible party extended by the order of the parent from _res. For example, if both the _res direct parent and its proper parent deliver two inherited rights sets for _acc to _res in the map, there are two keys '_acc primary group name + 1' and '_acc primary group name + 2' in the inherited rights map of _res, and the returned rights will be the value for the key '_acc primary group name + 1', from the _res direct parent.
For the AGO inherited rights, the account or group inherited rights of the resource are returned simply if the tested eligible party is equal to the resource account or group.
The order of the linked eligible parties to be tested in the inherited rights map is identical for the three types of inherited rights, and this EP search order is:
1/ the account _acc first - and the method ends immediately if _acc is able to deliver some inherited rights to _res, from one of the _res parent -
2/ if the previous result is null, the _acc primary group is tested, if any,
3/ otherwise, the group _grp passed in to the method is tested,
4/ if the result is still null, the _acc groups,
5/ at the end, all the _grp groups at the first level are tested.
The EP search order does not depend on the distance from _res to the parent which delivers the effective rights. This is why a parent at three levels above _res will be able to deliver inherited rights to _acc, while the _res direct parent delivers rights to _grp that will not be returned. The EP search order algorithm may be overridden by an AcsAddon. This generic algorithm is truly used only in the rare cases where the _res ACS structure includes all the relevant properties.
This method is strongly coupled to withAccessThroughNodesTreeFromEP(), and the rules to follow are explained in the documentation of this method. It is recommended to call withAccessThroughNodesTreeFromEP() first, to check whether an access is allowed. An AcsAddon may override this method, and then it is mandatory to analyze the need to change also the methods withAcl/Ago/PriAccessThroughNodesTree() and withAccessThroughNodesTreeFromEP(). For example, the AcsAddon Ubuntu overrides it to add the AG Other rights.
Caution: this method does not check the identity of the ACS for the 3 arguments.
Parameters:
_res - Resource or VirtualFolder of this instance; may be accessed or not through its parent tree. May be null.
_acc - the _res userID or not, or an Actor. May be null. If not null and is an account, the account primary group may deliver the inherited rights if the account does not do it.
_grp - the _res groupID or not. May be null.
See Also:
withAccessThroughNodesTreeFromEP(ARoad0.gBaseInterface.ImmutableSource, ARoad0.gBaseInterface.ImmutableLeaf, ARoad0.gBaseInterface.ImmutableGroupIDMember)
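The EP search order and the bottom-up key test described for getL_accessRightsThroughNodesTree(), as an added example that is not gWork code: a simplified stand-alone model useful when auditing which eligible party actually delivers the inherited rights. The class and method names, the "name+order" key encoding and the sample data are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Added illustration of the EP search order; all names are hypothetical. */
public class EpSearchOrderDemo {

    /** Which eligible party delivered the rights, and from which parent level. */
    static final class Delivered {
        final String epName;
        final int parentOrder;
        final Set<String> rights;

        Delivered(String epName, int parentOrder, Set<String> rights) {
            this.epName = epName;
            this.parentOrder = parentOrder;
            this.rights = rights;
        }

        @Override
        public String toString() {
            return epName + " via parent " + parentOrder + " -> " + rights;
        }
    }

    // Assumed key encoding: "<EP name>+<order of the parent from _res>", 1 = direct parent.
    static String key(String epName, int parentOrder) {
        return epName + "+" + parentOrder;
    }

    /** Bottom-up test for one eligible party: the nearest delivering parent wins. */
    static Delivered nearest(Map<String, Set<String>> inherited, String epName, int treeDepth) {
        if (epName == null) {
            return null;
        }
        for (int order = 1; order <= treeDepth; order++) {
            Set<String> rights = inherited.get(key(epName, order));
            if (rights != null) {
                return new Delivered(epName, order, rights);
            }
        }
        return null;
    }

    /** EP search order 1/ to 5/: the first eligible party with inherited rights sets them. */
    static Delivered resolve(Map<String, Set<String>> inherited, int treeDepth,
                             String acc, String accPrimaryGroup, String grp,
                             List<String> accGroups, List<String> grpGroups) {
        List<String> searchOrder = new ArrayList<>();
        searchOrder.add(acc);              // 1/ the account
        searchOrder.add(accPrimaryGroup);  // 2/ its primary group, if any
        searchOrder.add(grp);              // 3/ the group passed in
        searchOrder.addAll(accGroups);     // 4/ the account groups
        searchOrder.addAll(grpGroups);     // 5/ the first-level groups of the group
        for (String ep : searchOrder) {
            Delivered d = nearest(inherited, ep, treeDepth);
            if (d != null) {
                return d;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed data: the direct parent delivers rights to group "project",
        // a parent three levels above delivers rights to account "alice".
        Map<String, Set<String>> inherited = new LinkedHashMap<>();
        inherited.put(key("project", 1), Set.of("read", "write"));
        inherited.put(key("alice", 3), Set.of("read"));
        Delivered d1 = resolve(inherited, 3, "alice", "staff", "project",
                List.of("audit"), List.of("allprojects"));
        System.out.println(d1);
        if (!d1.epName.equals("alice") || d1.parentOrder != 3) {
            throw new AssertionError("the account must win over the closer group");
        }

        // Constructed data: the same EP has rights at two levels; the direct parent wins.
        Map<String, Set<String>> twoLevels = new LinkedHashMap<>();
        twoLevels.put(key("staff", 1), Set.of("read"));
        twoLevels.put(key("staff", 2), Set.of("read", "write"));
        Delivered d2 = resolve(twoLevels, 3, "alice", "staff", null,
                List.of(), List.of());
        System.out.println(d2);
        if (!d2.epName.equals("staff") || d2.parentOrder != 1) {
            throw new AssertionError("the direct parent must win for one EP");
        }
    }
}
```

In the first case the account's rights from three levels up are returned and the wider group rights on the direct parent are ignored, which is the behavior to keep in mind when reviewing effective rights on a resource tree.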
AccessControlLinkImpl getMergedInheritedAclPriRightsAndComments(ImmutableSource _so, ImmutableLeaf _targ, AccessControlLinkImpl _upd_acLink, StringRight[] _l_transientInheritedRights)
If that is not the good algorithm for a given AcsAddon, this method or getL_accessRightsThroughNodesTree() should be overridden.
Parameters:
_so - source for which the rights on _targ has to be set
_targ - Resource or VirtualFolder of this instance. May be null. May be empty.
_upd_acLink - contains the direct ACL or LPRI rights, if any. Never null.
_l_transientInheritedRights - has to be from getL_accessRightsThroughNodesTree(). May be null or empty.
boolean withAccessThroughNodesTreeFromEP(ImmutableSource _ep, ImmutableLeaf _res, ImmutableGroupIDMember _ep_2)
This method applies the following generic rules for one of the three inherited rights:
- 'ACL/AGO/LPRI right inheritance 1: child/node inherits rights from the direct and indirect parents',
- 'ACL/LPRI right inheritance 1: if activated and no access from the inherited rights, no AGO access to the child',
- 'ACL/AGO/LPRI right inheritance 2: at each access of an account, the first eligible party having inherited rights set them, and the search order is, first the account, second its primary group, and third the account groups',
- 'ACL/AGO/LPRI right inheritance 2: at each access of a group, the first eligible party having inherited rights set them, and the search order is first the group, second the group groups',
- 'ACL/LPRI right inheritance 2: at each access of an actor, the first eligible party having inherited rights set them, and the search order is, first the actor, second the account of its AG context, third the group of its AG context, fourth the secondary groups of the actor',
- 'AGO right inheritance 1: if activated and no access from the inherited rights, no AGO access to the child if and only if the account or the group is not null',
- 'AGO right inheritance 2: at each access of an actor, the first eligible party having inherited rights set them, and the search order is, first the account of its AG context, second the group of its AG context, third the secondary groups of the actor',
For the account-to-group primary group relation, these rules imply that the primary group of the account argument delivers its inherited rights, if any, before any group, even the group argument.
For the group-to-group is_member relation, this implies the rule 'EP: group of groups on N levels, with search of the group inherited rights only for the first is_member level'.
An AcsAddon may override this method to change these rules, for example to simplify the method. It is then recommended to analyze the need to change the method getL_accessRightsThroughNodesTree().
Parameters:
_ep - Actor, UserID or GroupID to test. If null, returns true. If its ACS does not manage any rights inheritance, returns true.
_res - Resource or VirtualFolder of this instance, which may be accessed or not through its parent tree. Never null.
_ep_2 - the group member which may be accessed by _ep. May be null. If _ep is not an Actor, this argument is not used. For an Actor, this argument replaces in this method, the current UserID or the current GroupID of the Actor.
See Also:
getL_accessRightsThroughNodesTree(ARoad0.gBaseInterface.ImmutableLeaf, ARoad0.gBaseInterface.ImmutableEligibleParty, ARoad0.gBaseInterface.ImmutableGroupID)
void finalizeForProcess()