java.lang.Object
  ARoad0.gWork.NodeRightsImpl
public class NodeRightsImpl
This class is responsible for getting the rights for a node in a view, and since each implied ACS may be generic or from an AcsAddon, the main job of this class is to give the correct method to use for each ACS and each search. The NodeRights effective class is a NodeRightsImpl or one of its subclasses that is set in an AcsAddon. Thus each node offers to the paths search a set of methods from this NodeRightsImpl and, as an option, another set from the AcsAddon that are called from some NodeRightsImpl methods which are overridden.
Overriding this class is the easiest way to change, in an ACS addon, the selection for a node of its direct or inherited ACL or PRI rights, or its AG inherited rights. To change the selection of the AG direct rights or of another relation, it is necessary to override all the detectAddon and selectAddon methods. Each node in a view and each intermediate node has one NodeRightsImpl instance for each view it belongs to. This class has properties that depend only on the class of the node ACS, so two nodes of the same view should use the same NodeRights instance, even if it is not the actual behavior in all cases. Each instance of NodeRightsImpl is called by only one thread. A node may be in several DisplayableLinks of the same view, but it has only one NodeRightsImpl instance for the view. The association between a node and its NodeRights instance is managed by the RightsMediatorImpl of the view.
The path search algorithms are divided into 4 sets:
- the core algorithms are the larger part of the code, and they are in most of the gWork classes; they work for all the ACSs, whether generic or from an AcsAddon; they consider the node general interface (EligibleParty or Resource, for instance), but they are independent of the effective properties of the node,
- the NodeRightsImpl generic methods: they are called by the core methods to process each node, and they use the generic properties of a node and its environment (like the generic properties of a Resource); they work for all the ACSs, they are always called by the core algorithms, but an AcsAddon may choose to override them in some rare cases,
- the NodeRightsImpl AcsAddon methods: the core methods test, through the getXXXAddonYYY methods, whether a given AcsAddon method (detectAddon... or selectAddon...) is defined for the node, and if so, the relevant method is called during the paths search by the core algorithms; these AcsAddon methods are empty in the NodeRightsImpl class (all the getXXXAddonYYY methods return false), and they may be overridden in subclasses with code that calls some specialized AcsAddon methods,
- the specialized methods of an AcsAddon are in a NodeRightsImpl subclass, and they are called by an overridden NodeRightsImpl AcsAddon method; there is no name pattern for these methods; they use the generic properties of a node and its environment, but they also handle the original properties of the AcsAddon node. Since an AcsAddon may be based on another AcsAddon, a NodeRightsImpl subclass may have another NodeRightsImpl subclass as superclass.
This structure is an important part of the AcsAddon pattern. It gives the AcsAddon designer full control over the actual search algorithms to use in their own ACSs, while also providing the powerful support of the generic algorithms and of all the other AcsAddons, which limits the code that has to be added in the AcsAddon.
A node is here the end of a view access path, or it may be a potential or effective intermediate node in an access path. Such an intermediate node is an ImmutableSource like Actor, GroupIDMember or VirtualFolder. A simple ACSObject can be an intermediate node in a generic Alias relation, but not in an AcsAddon relation.
Generally speaking, the rights depend on the node and its one or two previous nodes in the access path. These rights are based mainly on the classes and properties of these 2 or 3 implied nodes, and naturally also on their ACS properties. The resulting rights usually depend on the NodeRightsImpl algorithms only, but in some rare cases, they may also depend on the single NodeRightsImpl property, defined at the NodeRightsImpl creation, that is simply the node itself.
Note: the AG rights are always internal ones, for a given ACS. Since all the nodes of an ACS have NodeRights instances that have the same behavior, it is possible for the AG rights, and only for them, to use for a node the NodeRights instance of another node of the same ACS. This is also true for VirtualFolder memberships, but not for the Bridge, ACL and Privilege rights.
Upper-level methods begin with get...(), with...() and detect...(); middle-level methods begin with select...().
Field Summary | |
---|---|
protected AclRightsFactoryImpl | aclFact_ |
protected AlgorithmInterpreter | interpreter_ |
protected LinkRights | link_: instance of LinkRightsImpl or one of its subclasses |
protected DisplayableLinkUtilities | linkUtil_ |
protected PrivilegeRightsFactoryImpl | priFact_ |
protected UtilityImpl | utility_ |
Fields inherited from interface ARoad0.gWorkInterface.NodeRights |
---|
INITIAL_CAPACITY |
Constructor Summary | |
---|---|
NodeRightsImpl(AlgorithmInterpreter _interpreter,
LinkRights _link)
Only one constructor, called by RightsMediatorImpl after the creation of the DisplayableLinkUtilities instance of _interpreter. |
Method Summary | |
---|---|
java.util.Map |
detectAddon2Nodes(EPRViewInBase _viewInBase,
ImmutableTarget _node,
java.util.Map _m_l_DisplayableLinks,
BaseObject _center)
For an AcsAddon, filters for a given node the incompatible rights, if any, in the 2-nodes DisplayableLinks, and adds the AcsAddon specific rights, if any. |
java.util.Map |
detectAddon3Nodes(EPRViewInBase _viewInBase,
ImmutableTarget _node,
java.util.Map _m_l_DisplayableLinks)
For an AcsAddon, filters for a given node the incompatible rights, if any, in the 3-nodes DisplayableLinks, and adds the AcsAddon specific rights, if any. |
java.util.Map |
detectAddonFinal2Nodes(EPRViewInBase _viewInBase,
ImmutableTarget _node,
java.util.Map _m_l_DisplayableLinks,
BaseObject _center)
For an AcsAddon, defines the specific final direct rights, if any, for a given node in the 2-nodes DisplayableLinks. |
java.util.Map |
detectAddonFinal3Nodes(EPRViewInBase _viewInBase,
ImmutableTarget _node,
java.util.Map _m_l_DisplayableLinks)
For an AcsAddon, filters the incompatible rights, if any, for a node, and adds the AcsAddon specific rights, if any. |
java.util.Map |
detectAddonFinalAllNodes(EPRViewInBase _viewInBase,
ImmutableTarget _node,
java.util.Map _m_l_DisplayableLinks,
java.util.Map<ImmutableName,java.util.Set<StringRight>> _m_effectiveRights)
For an AcsAddon, defines the specific final direct rights, if any, for a given node in the DisplayableLinks having more than 3 nodes. |
java.util.List<StringRight> |
detectL_aclEntryRights(ImmutableResource _res,
ImmutableEligibleParty _ep,
boolean _onlyNonConditionalACLs)
Gets all the rights of the relevant AclEntries managed by the Resource for a given EligibleParty, without the inherited AclEntries. |
java.util.List<StringRight> |
detectL_linkedPrivilegeRights(ImmutablePrivilegeTarget _targ,
ImmutablePrivilegeSource _sour)
Gets all the rights of the relevant direct linked privileges managed by the target for a given source. |
void |
finalizeForProcess()
Finalizes the instance. |
boolean |
getDetectAddon2Nodes()
Called by RightsFactory_Facade. |
boolean |
getDetectAddon3Nodes()
Called by RightsFactory_Facade. |
boolean |
getDetectAddonFinal2Nodes()
Called by RightsFactory_Facade. |
boolean |
getDetectAddonFinal3Nodes()
Called by RightsFactory_Facade. |
boolean |
getDetectAddonFinalAllNodes()
Called by RightsFactory_Facade. |
AccessControlLinkImpl |
getL_accessRightsThroughNodesTree(ImmutableLeaf _res,
ImmutableEligibleParty _ep,
ImmutableGroupID _grp)
Returns in an AccessControlLink the inherited rights given by the directory tree or virtual folder tree, as AG, ACL or LPRI rights. |
AccessControlLinkImpl |
getMergedInheritedAclPriRightsAndComments(ImmutableSource _so,
ImmutableLeaf _targ,
AccessControlLinkImpl _upd_acLink,
StringRight[] _l_transientInheritedRights)
Gets the effective ACL or LPRI rights of the source on the target when there are non-null inherited rights through the nodes tree, and adds some specific comments for the ACL or PRI rights from an AcsAddon, even if there is no inherited rights. |
boolean |
getSelectAddonLastViewNodeAfterActor()
Called by CompoundRightsFactoryImpl.detectHiddenCompoundEpRights() in the final loop on the view nodes, and by ThreeNodesRightsFactoryImpl. |
boolean |
getSelectAddonLastViewNodeAfterGroupIDMember()
Called by CompoundRightsFactoryImpl.detectHiddenCompoundEpRights() in the final loop on the view nodes, and by ThreeNodesRightsFactoryImpl.endsPathsFromGroupIDMemberWithAclPrivilege(). |
boolean |
getSelectAddonLastViewNodeAfterVirtualFolder()
Called by CompoundRightsFactoryImpl.detectHiddenCompoundEpRights() in the final loop on the view nodes, and by ThreeNodesRightsFactoryImpl. |
boolean |
getSelectAddonNewHiddenNodeForActor()
Called by CompoundRightsFactoryImpl.detectHiddenCompoundEpRights() in the central loop on the intermediate nodes, and by ThreeNodesRightsFactoryImpl. |
boolean |
getSelectAddonNewHiddenNodeForGroupIDMember()
Called by CompoundRightsFactoryImpl.detectHiddenCompoundEpRights() in the central loop on the intermediate nodes, and by ThreeNodesRightsFactoryImpl.addPathsFromGroupIDMemberAcsAddonRelationActor() and addPathsFromGroupIDMemberAcsAddonRelationNoActor(). |
boolean |
getSelectAddonNewHiddenNodeForVirtualFolder()
Called by CompoundRightsFactoryImpl.detectHiddenCompoundEpRights() in the central loop on the intermediate nodes, and by ThreeNodesRightsFactoryImpl. |
DisplayableLinkImpl |
selectAddonLastViewNodeAfterActor(EPRViewInBase _viewInBase,
ImmutableTarget _target,
DisplayableLinkImpl _dLink,
java.util.Map _m_l_DisplayableLinks)
Detects the view target that is linked to an actor, to extend the current DisplayableLink ended by this actor. |
DisplayableLinkImpl |
selectAddonLastViewNodeAfterGroupIDMember(EPRViewInBase _viewInBase,
ImmutableTarget _target,
DisplayableLinkImpl _dLink,
java.util.Map _m_l_DisplayableLinks)
Detects the view target that is linked to a groupIDMember, to extend the current DisplayableLink ended by this groupIDMember. |
DisplayableLinkImpl |
selectAddonLastViewNodeAfterVirtualFolder(EPRViewInBase _viewInBase,
ImmutableResource _target,
DisplayableLinkImpl _dLink,
java.util.Map _m_l_DisplayableLinks)
Detects the view target that is linked to a VirtualFolder, to extend the current DisplayableLink ended by this VirtualFolder. |
java.util.List<DisplayableLinkImpl> |
selectAddonNewHiddenNodeForActor(EPRViewInBase _viewInBase,
ImmutableActor _node,
java.util.Set<DisplayableLinkImpl> _l_dLinks,
java.util.Map _m_l_DisplayableLinks,
java.util.List<ACSObject> _upd_l_NoProxyOrNoExecuteNodes)
Detects the hidden nodes that are linked to an Actor as access source, to extend the current DisplayableLinks ended by this actor. |
java.util.List<DisplayableLinkImpl> |
selectAddonNewHiddenNodeForGroupIDMember(EPRViewInBase _viewInBase,
ImmutableGroupIDMember _node,
java.util.Set<DisplayableLinkImpl> _l_dLinks,
java.util.Map _m_l_DisplayableLinks,
java.util.List<ACSObject> _upd_l_NoProxyOrNoExecuteNodes)
Detects the hidden nodes that are linked to a GroupIDMember as access source, to extend the current DisplayableLinks ended by this GroupIDMember. |
java.util.List<DisplayableLinkImpl> |
selectAddonNewHiddenNodeForVirtualFolder(EPRViewInBase _viewInBase,
ImmutableVirtualFolder _node,
java.util.Set<DisplayableLinkImpl> _l_dLinks,
java.util.Map _m_l_DisplayableLinks,
java.util.List<ACSObject> _upd_l_NoProxyOrNoExecuteNodes)
Detects the hidden nodes that are linked to a VirtualFolder as access source, to extend the current DisplayableLinks ended by this VirtualFolder. |
java.util.Set<ImmutableGroupIDMember> |
selectDirectOwnerContainGlobalForActorAsEP(EPRViewInBase _viewInBase,
ImmutableActor _act)
Detects the current UserID (including 'root'), the current GroupID and the secondary groups under which an actor runs, if they are in the view. |
java.util.Set<DisplayableLinkImpl> |
selectForGroupIDMemberItsHiddenActorsWithNextLinks(EPRViewInBase _viewInBase,
ImmutableGroupIDMember _ep)
Detects all the actors that are owned or contained by _ep, that are not in _viewInBase and executable from _ep, and that are access sources for another AG context. |
java.util.Set |
selectHiddenButNoDirectGroupLinks(EPRViewInBase _viewInBase,
ImmutableEligibleParty _ep)
Detects the main GroupID and, recursively, the tree of GroupIDs in the _ep ACS, that contains _ep indirectly, and are not in _viewInBase. |
java.util.Set |
selectHiddenDirectGroupIDForGroupIDMember(EPRViewInBase _viewInBase,
ImmutableGroupIDMember _memb)
Detects all the GroupIDs in the ACS, for which a GroupIDMember (even for 'root') is a member, and are not in _viewInBase. |
java.util.Set |
selectHiddenDirectOwnerContainForActorAsResource(EPRViewInBase _viewInBase,
ImmutableActor _act)
Detects the UserID and all the GroupIDs in the ACS, that owns or contains an actor directly as a Resource, and are not in _viewInBase. |
java.util.Set |
selectHiddenDirectOwnerContainForTarget(EPRViewInBase _viewInBase,
ImmutableResource _res)
Detects the UserID and the GroupID in the _res ACS, that owns or contains _res directly, and are not in _viewInBase. |
java.util.Set<ImmutableGroupIDMember> |
selectHiddenDirectOwnerContainGlobalForActorAsEP(EPRViewInBase _viewInBase,
ImmutableActor _act)
Detects the current UserID (including 'root'), the current GroupID and the secondary groups under which an actor runs, if they are not in the view. |
java.lang.String |
toString()
|
boolean |
withAccessThroughNodesTreeFromEP(ImmutableSource _ep,
ImmutableLeaf _res,
ImmutableGroupIDMember _ep_2)
This method is designed to be fast, and to return true if the resource tree or the virtual folder tree allows the source to access the leaf through the inherited AGO, ACL or PRI rights. |
protected boolean |
withAclAccessThroughNodesTree(ImmutableResource _res,
ImmutableEligibleParty _ep,
ImmutableGroupID _grp)
Returns true if the AclEntry inherited rights in the resources tree allow access to the resource for the EligibleParties _ep or _grp. |
protected boolean |
withAgoAccessThroughNodesTree(ImmutableResource _res,
ImmutableUserID _acc,
ImmutableGroupID _grp)
Returns true if the Account/Group inherited rights in the resources tree allow access to the resource. |
protected boolean |
withPriAccessThroughNodesTree(ImmutablePrivilegeTarget _res,
ImmutableEligibleParty _ep,
ImmutableGroupID _grp)
Returns true if the Privilege inherited rights in the resources or the virtual folders tree allow access to the PrivilegeTarget for the EligibleParties _ep or _grp. |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait |
Field Detail |
---|
protected LinkRights link_
protected AlgorithmInterpreter interpreter_
protected DisplayableLinkUtilities linkUtil_
protected UtilityImpl utility_
protected PrivilegeRightsFactoryImpl priFact_
protected AclRightsFactoryImpl aclFact_
Constructor Detail |
---|
public NodeRightsImpl(AlgorithmInterpreter _interpreter, LinkRights _link)
Parameters:
_interpreter - algorithm interpreter of this view
_link - to use for processing this node
Method Detail |
---|
public boolean getDetectAddon2Nodes()
Specified by: getDetectAddon2Nodes in interface NodeRights
public boolean getDetectAddonFinal2Nodes()
Specified by: getDetectAddonFinal2Nodes in interface NodeRights
public boolean getDetectAddon3Nodes()
Specified by: getDetectAddon3Nodes in interface NodeRights
public boolean getDetectAddonFinal3Nodes()
Specified by: getDetectAddonFinal3Nodes in interface NodeRights
public boolean getDetectAddonFinalAllNodes()
Specified by: getDetectAddonFinalAllNodes in interface NodeRights
public boolean getSelectAddonLastViewNodeAfterActor()
Specified by: getSelectAddonLastViewNodeAfterActor in interface NodeRights
public boolean getSelectAddonLastViewNodeAfterGroupIDMember()
Specified by: getSelectAddonLastViewNodeAfterGroupIDMember in interface NodeRights
public boolean getSelectAddonLastViewNodeAfterVirtualFolder()
Specified by: getSelectAddonLastViewNodeAfterVirtualFolder in interface NodeRights
public boolean getSelectAddonNewHiddenNodeForActor()
Specified by: getSelectAddonNewHiddenNodeForActor in interface NodeRights
public boolean getSelectAddonNewHiddenNodeForGroupIDMember()
Specified by: getSelectAddonNewHiddenNodeForGroupIDMember in interface NodeRights
public boolean getSelectAddonNewHiddenNodeForVirtualFolder()
Specified by: getSelectAddonNewHiddenNodeForVirtualFolder in interface NodeRights
public java.util.Map detectAddon2Nodes(EPRViewInBase _viewInBase, ImmutableTarget _node, java.util.Map _m_l_DisplayableLinks, BaseObject _center)
Specified by: detectAddon2Nodes in interface NodeRights
Parameters:
_viewInBase - EPRViewInBase
_node - node of this instance
_m_l_DisplayableLinks - Map of DisplayableLinks lists (one per pair) associated to the view, and to update.
_center - is the central object of a sketch view. Null if it is not a sketch view.
See Also: detectAddonFinal2Nodes(ARoad0.gBaseInterface.EPRViewInBase, ARoad0.gBaseInterface.ImmutableTarget, java.util.Map, ARoad0.gBaseInterface.BaseObject)
public java.util.Map detectAddonFinal2Nodes(EPRViewInBase _viewInBase, ImmutableTarget _node, java.util.Map _m_l_DisplayableLinks, BaseObject _center)
Specified by: detectAddonFinal2Nodes in interface NodeRights
Parameters:
_viewInBase - EPRViewInBase
_node - node of this instance
_m_l_DisplayableLinks - Map of DisplayableLinks lists (one per pair) associated to the view, and to update.
_center - is the central object of a sketch view. Null if it is not a sketch view.
See Also: detectAddon2Nodes(ARoad0.gBaseInterface.EPRViewInBase, ARoad0.gBaseInterface.ImmutableTarget, java.util.Map, ARoad0.gBaseInterface.BaseObject)
public java.util.Map detectAddon3Nodes(EPRViewInBase _viewInBase, ImmutableTarget _node, java.util.Map _m_l_DisplayableLinks) throws java.lang.InterruptedException
Specified by: detectAddon3Nodes in interface NodeRights
Parameters:
_viewInBase - EPRViewInBase
_node - node of this instance
_m_l_DisplayableLinks - Map of DisplayableLinks lists (one per pair) associated to the view, and to update.
Throws: java.lang.InterruptedException
See Also: detectAddonFinal3Nodes(ARoad0.gBaseInterface.EPRViewInBase, ARoad0.gBaseInterface.ImmutableTarget, java.util.Map)
public java.util.Map detectAddonFinal3Nodes(EPRViewInBase _viewInBase, ImmutableTarget _node, java.util.Map _m_l_DisplayableLinks) throws java.lang.InterruptedException
Specified by: detectAddonFinal3Nodes in interface NodeRights
Parameters:
_viewInBase - EPRViewInBase
_node - node of this instance
_m_l_DisplayableLinks - Map of DisplayableLinks lists (one per pair) associated to the view, and to update.
Throws: java.lang.InterruptedException
See Also: detectAddon3Nodes(ARoad0.gBaseInterface.EPRViewInBase, ARoad0.gBaseInterface.ImmutableTarget, java.util.Map)
public java.util.Map detectAddonFinalAllNodes(EPRViewInBase _viewInBase, ImmutableTarget _node, java.util.Map _m_l_DisplayableLinks, java.util.Map<ImmutableName,java.util.Set<StringRight>> _m_effectiveRights) throws java.lang.InterruptedException
Note: to speed up this method, the argument _m_effectiveRights is set from the initial argument _m_l_DisplayableLinks before the first call to this method, and for a given EPR view. _m_effectiveRights is then immutable while _m_l_DisplayableLinks may be updated by this method. This is not the case for the NoThan views. For the EPR views, this behavior implies this method provides independent changes for each _node for which it is called, so that the initial _m_effectiveRights remains usable. Called by RightsFactory_Facade.
Specified by: detectAddonFinalAllNodes in interface NodeRights
Parameters:
_viewInBase - EPRViewInBase
_node - node of this instance
_m_l_DisplayableLinks - Map of DisplayableLinks lists (one per pair) associated to the view, and to update.
_m_effectiveRights - non-null Map where the keys are the _m_l_DisplayableLinks keys where rights are activated, and the value is a set of StringRights. May be an empty set.
Throws: java.lang.InterruptedException
public java.util.List<StringRight> detectL_aclEntryRights(ImmutableResource _res, ImmutableEligibleParty _ep, boolean _onlyNonConditionalACLs)
Specified by: detectL_aclEntryRights in interface NodeRights
Parameters:
_res - of this instance, with some AclEntries to filter
_ep - may be associated to some _res AclEntries
_onlyNonConditionalACLs - true to read only the non-conditional AclEntries
public java.util.List<StringRight> detectL_linkedPrivilegeRights(ImmutablePrivilegeTarget _targ, ImmutablePrivilegeSource _sour)
Specified by: detectL_linkedPrivilegeRights in interface NodeRights
Parameters:
_targ - privilege target of this instance
_sour - privilege source
protected boolean withAgoAccessThroughNodesTree(ImmutableResource _res, ImmutableUserID _acc, ImmutableGroupID _grp)
- 'AGO right inheritance 1: if no access from the inherited rights, no AGO access to the child if and only if the account or the group is not null'
- 'AGO right: A rights overlay G rights'
Called by withAccessThroughNodesTreeFromEP().
Caution: To follow the AcsAddon pattern, withAccessThroughNodesTreeFromEP() should be the single caller in the generic gWork package. This method is not private only so that subclasses can override it, but a subclass must call it only from that same method, so as never to bypass withAccessThroughNodesTreeFromEP().
Calls Resource.getAGOAccessFromTheParentAccount() and getAGOAccessFromTheParentGroup(). Overridden by the AcsAddons, as in the AcsAddon Ubuntu for instance.
Parameters:
_res - Resource of this instance; may be accessed or not through its parent tree
_acc - the _res userID or not. May be null. If null and if all the _res parents have no UserID, returns true.
_grp - the _res groupID or not. May be null. If null and if all the _res parents have no GroupID, returns true.
See Also: BaseUtilityImpl.withAcrossToDirectoryAGRights(ARoad0.gBaseInterface.StringRight[])
protected boolean withPriAccessThroughNodesTree(ImmutablePrivilegeTarget _res, ImmutableEligibleParty _ep, ImmutableGroupID _grp)
Caution: To follow the AcsAddon pattern, withAccessThroughNodesTreeFromEP() should be the single caller, from the generic gWork package or not. This method is not private only so that subclasses can override it, but a subclass must call it in the same way, that is, never bypass the method withAccessThroughNodesTreeFromEP(), which chooses the right arguments for calling this method.
Calls ImmutablePrivilegeTarget.getM_TargetInheritedLinkedPRIRights(). Overridden by the AcsAddons.
Parameters:
_res - Resource or VirtualFolder of this instance; may be accessed or not through its parent tree
_ep - the _res userID or not, or an Actor. May be null.
_grp - the _res groupID or not. May be null.
protected boolean withAclAccessThroughNodesTree(ImmutableResource _res, ImmutableEligibleParty _ep, ImmutableGroupID _grp)
Caution: to follow the AcsAddon pattern, withAccessThroughNodesTreeFromEP() should be the single caller of this method, from the generic gWork package or not. This method is not private so that subclasses can override it, but a subclass must call it in the same way, that is, never bypass the method withAccessThroughNodesTreeFromEP(), which chooses the right arguments for calling this method.
Calls ImmutableResource.getM_TargetInheritedACLRights(). Overridden by the AcsAddons.
Parameters:
_res - Resource of this instance; may be accessed or not through its parent tree
_ep - the _res userID or not, or an Actor. May be null.
_grp - the _res groupID or not. May be null.
public boolean withAccessThroughNodesTreeFromEP(ImmutableSource _ep, ImmutableLeaf _res, ImmutableGroupIDMember _ep_2)
This method implements the following generic rules for one of the three inherited rights:
- 'ACL/AGO/LPRI right inheritance 1: child/node inherits rights from the direct and indirect parents',
- 'ACL/LPRI right inheritance 1: if activated and no access from the inherited rights, no ACL/LPRI access to the child',
- 'ACL/AGO/LPRI right inheritance 2: at each access of an account, the first eligible party having inherited rights set them, and the search order is, first the account, second its primary group, and third the account groups',
- 'ACL/AGO/LPRI right inheritance 2: at each access of a group, the first eligible party having inherited rights set them, and the search order is first the group, second the group groups',
- 'ACL/LPRI right inheritance 2: at each access of an actor, the first eligible party having inherited rights set them, and the search order is, first the actor, second the account of its AG context, third the group of its AG context, fourth the secondary groups of the actor',
- 'AGO right inheritance 1: if activated and no access from the inherited rights, no AGO access to the child if and only if the account or the group is not null',
- 'AGO right inheritance 2: at each access of an actor, the first eligible party having inherited rights set them, and the search order is, first the account of its AG context, second the group of its AG context, third the secondary groups of the actor',
For the account-to-group primary group relation, these rules imply that the primary group of the account argument delivers its inherited rights before any group, even the group argument. For an actor, these rules imply that access may be authorized through the actor's current userID, even if the AG context of the actor does not have to be considered in the access path. In this latter case, the effective rights of the actor are null, but that is the responsibility of the consumer of this method.
For the group-to-group is_member relation, this method does not apply the rule 'EP: group of groups on N levels, with search of the group inherited rights only for the first is_member level'.
An AcsAddon may override this method to change these rules, for example to simplify the method, or to change one of the three called methods withAgo/Pri/AclAccessThroughNodesTree(). It is then recommended to analyze the need to change the method getL_accessRightsThroughNodesTree(). Any code change should be matched by a similar change in the AcsAddon ACS rules.
Called by AgoRightsFactoryImpl.detectHiddenChainedGroupsRights(), detectOneHiddenNodeWithCommonAGORights(), detectAGRights(), detectOwnerContainRights(), and selectForGroupIDMemberItsHiddenActorsWithNextLinks(), AclRightsFactoryImpl.addAclInAccessControlLink(), ThreeNodesRightsFactoryImpl.endsPathsFromGroupIDMemberWithAclPrivilegeMemberOwnContain(), CompoundRightsFactoryImpl.detectHiddenCompoundEpRights(). Calls the three methods withAgo/Pri/AclAccessThroughNodesTree().
Specified by: withAccessThroughNodesTreeFromEP in interface NodeRights
Parameters:
_ep - Actor, UserID or GroupID to test. If null, returns true. If its ACS does not manage any rights inheritance, returns true.
_res - Resource or VirtualFolder of this instance, which may be accessed or not through its parent tree. Never null.
_ep_2 - the group member which may be accessed by _ep. May be null. If _ep is not an Actor, this argument is not used. Otherwise, in the generic gWork algorithms, only AgoRightsFactoryImpl.detectOneHiddenNodeWithCommonAGORights() uses this argument. Then, for an Actor, this argument replaces the current UserID or the current GroupID of the Actor.
See Also: getL_accessRightsThroughNodesTree(ARoad0.gBaseInterface.ImmutableLeaf, ARoad0.gBaseInterface.ImmutableEligibleParty, ARoad0.gBaseInterface.ImmutableGroupID)
public AccessControlLinkImpl getL_accessRightsThroughNodesTree(ImmutableLeaf _res, ImmutableEligibleParty _ep, ImmutableGroupID _grp)
For the ACL and LPRI inherited rights, in the default algorithm of this method, the rights of the leaf are those of the first EligibleParty that is linked to the argument _ep or to _grp. In the map of the inherited rights of _res, this method searches among the map keys to find a linked eligible party. It applies a bottom-up test along the parents tree, where the key is the name of an eligible party extended by the order of the parent from _res. For example, if both the _res direct parent and that parent's own parent deliver two inherited rights sets for _ep to _res in the map, there are two keys '_ep primary group name + 1' and '_ep primary group name + 2' in the inherited rights map of _res, and the returned rights will be the value for the key '_ep primary group name + 1', from the _res direct parent. This is due to the fact that the method ImmutableResource.getM_TargetInheritedACLRights() returns a map where the keySet() method has an iterator in the natural order of the ImmutableNames it uses. This implies that the root of the tree should not give inherited rights to _ep or _grp, while the leaf provides non-null inherited rights through an intermediate parent. In all cases, the method mergeInheritedAclPriRightsThroughNodesTree() is responsible for setting the effective ACL or LPRI rights, from the inheritance or not, only if the array of inherited rights is not null (but it may be empty).
For the AGO inherited rights, the account or group inherited rights of the resource are returned simply if the tested eligible party is equal to the resource account or group.
In the default algorithm of this method, the order of the linked eligible parties to be tested in the inherited rights map is identical for the three types of inherited rights, and this EP search order is:
1/ the account _ep first - and the method ends immediately if _ep is able to deliver some inherited rights to _res
2/ if the previous result is null, the _ep primary group is tested, if any,
3/ otherwise, the group _grp passed in to the method is tested,
4/ if the result is still null, the _ep groups,
5/ at the end, all the _grp groups at the first level are tested.
The EP search order does not depend on the distance from _res to the parent which delivers the inherited rights. This is why a parent three levels above _res will be able to deliver inherited rights to _ep, while the _res direct parent delivers rights to _grp that will not be returned. The EP search order algorithm may be overridden by an AcsAddon. This generic algorithm is truly used only in the rare cases where the _res ACS structure includes all the relevant properties.
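The default EP search order described above, as an added example that is not ARoad0 code: a simplified Java model (Java 16+) in which the `Key` record, the string rights and the names `alice`, `bob`, `carol`, `devs` and `staff` are constructed stand-ins for the ImmutableName keys and StringRight values. It assumes steps 1/ to 5/ form a strict first-match sequence, and shows that a distant parent's entry for _ep is returned ahead of the direct parent's entry for _grp.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.NavigableMap;
import java.util.Set;
import java.util.TreeMap;

/** Simplified model of the default EP search order; not ARoad0 code. */
public class InheritedRightsOrderDemo {

    /**
     * Hypothetical stand-in for an inherited-rights map key: the eligible-party
     * name plus the order of the delivering parent (1 = direct parent of _res).
     * Natural order sorts by name, then by order, so the nearest parent comes first.
     */
    record Key(String name, int order) implements Comparable<Key> {
        @Override
        public int compareTo(Key other) {
            int byName = name.compareTo(other.name);
            return byName != 0 ? byName : Integer.compare(order, other.order);
        }
    }

    /** Rights delivered to one party by its nearest delivering parent, or null. */
    static Set<String> nearestFor(NavigableMap<Key, Set<String>> inherited, String party) {
        if (party == null) {
            return null;
        }
        // Orders start at 1, so the ceiling of (party, 0) is the party's lowest order.
        Map.Entry<Key, Set<String>> e = inherited.ceilingEntry(new Key(party, 0));
        return (e != null && e.getKey().name().equals(party)) ? e.getValue() : null;
    }

    /**
     * Steps 1/ to 5/ read as a strict first-match sequence (an assumption of this
     * model). A non-null but empty set counts as a match and ends the search.
     */
    static Set<String> resolve(NavigableMap<Key, Set<String>> inherited,
                               String ep, String epPrimaryGroup, String grp,
                               List<String> epGroups, List<String> grpGroups) {
        List<String> searchOrder = new ArrayList<>();
        searchOrder.add(ep);              // 1/ the account _ep
        searchOrder.add(epPrimaryGroup);  // 2/ the _ep primary group, if any
        searchOrder.add(grp);             // 3/ the group _grp
        searchOrder.addAll(epGroups);     // 4/ the _ep groups
        searchOrder.addAll(grpGroups);    // 5/ the _grp groups at the first level
        for (String party : searchOrder) {
            Set<String> rights = nearestFor(inherited, party);
            if (rights != null) {
                return rights;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample data: inherited-rights map of one resource.
        NavigableMap<Key, Set<String>> inherited = new TreeMap<>();
        inherited.put(new Key("alice", 3), Set.of("read"));          // three levels up
        inherited.put(new Key("devs", 1), Set.of("read", "write"));  // direct parent
        inherited.put(new Key("staff", 1), Set.of("read"));
        inherited.put(new Key("staff", 2), Set.of("read", "execute"));

        // alice is found at order 3 before devs is even tested, so the direct
        // parent's rights for devs are not returned.
        System.out.println(resolve(inherited, "alice", "staff", "devs", List.of(), List.of()));

        // bob has no entry of his own: his primary group staff answers, and the
        // order-1 entry (direct parent) is chosen over the order-2 entry.
        System.out.println(resolve(inherited, "bob", "staff", "devs", List.of(), List.of()));

        // An empty set for carol still ends the search ahead of devs.
        inherited.put(new Key("carol", 2), Set.of());
        System.out.println(resolve(inherited, "carol", null, "devs", List.of(), List.of()));
    }
}
```

When reviewing an ACS for over-broad access, the first case is the one to look for: an entry for the account high in the tree masks whatever a nearer parent grants to its group.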
This method is strongly coupled to withAccessThroughNodesTreeFromEP(), and the rules to follow are explained in the documentation of that method. For the AGO right inheritance, it is recommended to call withAccessThroughNodesTreeFromEP() first, to check whether an access is allowed. An AcsAddon may override this method, and it is then necessary to analyze the need to also change the methods withAcl/Ago/PriAccessThroughNodesTree() and withAccessThroughNodesTreeFromEP(). For example, the AcsAddon Ubuntu overrides it to add the AG 'Other' rights. No comment is added by this method, but this may be false in an AcsAddon.
Called by AgoRightsFactoryImpl.detectAGRights(), addOwnerContainRightsToLastLinkInDisplayableLink(), detectOwnerContainRights(), and selectForGroupIDMemberItsHiddenActorsWithNextLinks(), PrivilegeRightsFactoryImpl.addPrivilegeInAccessControlLink() and AclRightsFactoryImpl.addAclInAccessControlLink().
Specified by: getL_accessRightsThroughNodesTree in interface NodeRights
Parameters:
_res - Resource or VirtualFolder of this instance; may be accessed or not through its parent tree. May be null.
_ep - the _res userID or not, or an Actor. May be null. If not null and is an account, the account primary group may deliver the inherited rights if the account does not provide it.
_grp - the _res groupID or not. May be null.
See Also: withAccessThroughNodesTreeFromEP(ARoad0.gBaseInterface.ImmutableSource, ARoad0.gBaseInterface.ImmutableLeaf, ARoad0.gBaseInterface.ImmutableGroupIDMember), getMergedInheritedAclPriRightsAndComments(ARoad0.gBaseInterface.ImmutableSource, ARoad0.gBaseInterface.ImmutableLeaf, ARoad0.CNot.AccessControlLinkImpl, ARoad0.gBaseInterface.StringRight[])
public AccessControlLinkImpl getMergedInheritedAclPriRightsAndComments(ImmutableSource _so, ImmutableLeaf _targ, AccessControlLinkImpl _upd_acLink, StringRight[] _l_transientInheritedRights)
An AcsAddon may always return null even if there are non-null direct rights or non-null inherited rights. Called by PrivilegeRightsFactoryImpl.addPrivilegeInAccessControlLink() and AclRightsFactoryImpl.addAclInAccessControlLink().
getMergedInheritedAclPriRightsAndComments in interface NodeRights
_so - source for which the rights on _targ have to be set
_targ - Resource or VirtualFolder of this instance. May be null.
_upd_acLink - contains the direct ACL and/or LPRI rights, if any. Never null. May be empty.
_l_transientInheritedRights - has to be from getL_accessRightsThroughNodesTree(). May be null or empty.
public DisplayableLinkImpl selectAddonLastViewNodeAfterActor(EPRViewInBase _viewInBase, ImmutableTarget _target, DisplayableLinkImpl _dLink, java.util.Map _m_l_DisplayableLinks)
selectAddonLastViewNodeAfterActor in interface NodeRights
_viewInBase - EPRViewInBase. Never null.
_target - view node, not node of this instance. Never null.
_dLink - with an actor as second end and node of this instance. Never null.
_m_l_DisplayableLinks - immutable Map of DisplayableLinks lists (one per pair), never to be updated in this method.
public DisplayableLinkImpl selectAddonLastViewNodeAfterGroupIDMember(EPRViewInBase _viewInBase, ImmutableTarget _target, DisplayableLinkImpl _dLink, java.util.Map _m_l_DisplayableLinks)
selectAddonLastViewNodeAfterGroupIDMember in interface NodeRights
_viewInBase - EPRViewInBase. Never null.
_target - view node, not node of this instance. Never null.
_dLink - with a groupIDMember as second end and node of this instance. Never null.
_m_l_DisplayableLinks - immutable Map of DisplayableLinks lists (one per pair), never to be updated in this method.
public DisplayableLinkImpl selectAddonLastViewNodeAfterVirtualFolder(EPRViewInBase _viewInBase, ImmutableResource _target, DisplayableLinkImpl _dLink, java.util.Map _m_l_DisplayableLinks)
selectAddonLastViewNodeAfterVirtualFolder in interface NodeRights
_viewInBase - EPRViewInBase. Never null.
_target - view node, not node of this instance. Never null.
_dLink - with a VirtualFolder as second end and node of this instance. Never null.
_m_l_DisplayableLinks - immutable Map of DisplayableLinks lists (one per pair), never to be updated in this method.
public java.util.List<DisplayableLinkImpl> selectAddonNewHiddenNodeForActor(EPRViewInBase _viewInBase, ImmutableActor _node, java.util.Set<DisplayableLinkImpl> _l_dLinks, java.util.Map _m_l_DisplayableLinks, java.util.List<ACSObject> _upd_l_NoProxyOrNoExecuteNodes)
selectAddonNewHiddenNodeForActor in interface NodeRights
_viewInBase - EPRViewInBase. Never null.
_node - node of this instance. Never null.
_l_dLinks - list of links with _node as second end. May be null.
_m_l_DisplayableLinks - immutable Map of DisplayableLinks lists (one per pair), never to be updated in this method.
_upd_l_NoProxyOrNoExecuteNodes - updated by adding the hidden nodes without executing right or which are not right-proxy nodes, if any. This list is only extended if necessary, as a complement of the returned value of the method. This argument is usually empty at the call of this method, but this is not mandatory. Never null.
public java.util.List<DisplayableLinkImpl> selectAddonNewHiddenNodeForGroupIDMember(EPRViewInBase _viewInBase, ImmutableGroupIDMember _node, java.util.Set<DisplayableLinkImpl> _l_dLinks, java.util.Map _m_l_DisplayableLinks, java.util.List<ACSObject> _upd_l_NoProxyOrNoExecuteNodes)
selectAddonNewHiddenNodeForGroupIDMember in interface NodeRights
_viewInBase - EPRViewInBase. Never null.
_node - node of this instance. Never null.
_l_dLinks - list of links with _node as second end. May be null.
_m_l_DisplayableLinks - immutable Map of DisplayableLinks lists (one per pair), never to be updated in this method.
_upd_l_NoProxyOrNoExecuteNodes - updated by adding the hidden nodes without executing right or which are not right-proxy nodes, if any. This list is only extended if necessary, as a complement of the returned value of the method. This argument is usually empty at the call of this method, but this is not mandatory. Never null.
public java.util.List<DisplayableLinkImpl> selectAddonNewHiddenNodeForVirtualFolder(EPRViewInBase _viewInBase, ImmutableVirtualFolder _node, java.util.Set<DisplayableLinkImpl> _l_dLinks, java.util.Map _m_l_DisplayableLinks, java.util.List<ACSObject> _upd_l_NoProxyOrNoExecuteNodes)
selectAddonNewHiddenNodeForVirtualFolder in interface NodeRights
_viewInBase - EPRViewInBase. Never null.
_node - node of this instance. May be a Resource VirtualFolder. Never null.
_l_dLinks - list of links with _node as second end. May be null.
_m_l_DisplayableLinks - immutable Map of DisplayableLinks lists (one per pair), never to be updated in this method.
_upd_l_NoProxyOrNoExecuteNodes - updated by adding the hidden nodes without executing right or which are not right-proxy nodes, if any. This list is only extended if necessary, as a complement of the returned value of the method. This argument is usually empty at the call of this method, but this is not mandatory. Never null.
public java.util.Set selectHiddenButNoDirectGroupLinks(EPRViewInBase _viewInBase, ImmutableEligibleParty _ep)
selectHiddenButNoDirectGroupLinks in interface NodeRights
_viewInBase - EPRViewInBase
_ep - node of this instance; is in _viewInBase
java.lang.InternalError - if the number of iterations is up to 40.
public java.util.Set<ImmutableGroupIDMember> selectHiddenDirectOwnerContainGlobalForActorAsEP(EPRViewInBase _viewInBase, ImmutableActor _act)
Note: this method is sensitive, since it is called for 3-nodes paths and for the longer paths. Returns null if there is no current UserID, and returns only the relevant GroupIDs if the current UserID is in the view. There is no check that the actor is a right proxy. Called by selectHiddenDirectOwnerContainLinksForActor(), CompoundRightsFactoryImpl.detectOneHiddenNodeCompoundRights() and ThreeNodesRightsFactoryImpl.detectHiddenCompoundEpRights().
selectHiddenDirectOwnerContainGlobalForActorAsEP in interface NodeRights
_viewInBase - EPRViewInBase
_act - node of this instance; is in _viewInBase
public java.util.Set<ImmutableGroupIDMember> selectDirectOwnerContainGlobalForActorAsEP(EPRViewInBase _viewInBase, ImmutableActor _act)
selectDirectOwnerContainGlobalForActorAsEP in interface NodeRights
_viewInBase - EPRViewInBase
_act - node of this instance; is in _viewInBase
public java.util.Set selectHiddenDirectOwnerContainForActorAsResource(EPRViewInBase _viewInBase, ImmutableActor _act)
selectHiddenDirectOwnerContainForActorAsResource in interface NodeRights
_viewInBase - EPRViewInBase
_act - node of this instance; is in _viewInBase
public java.util.Set selectHiddenDirectGroupIDForGroupIDMember(EPRViewInBase _viewInBase, ImmutableGroupIDMember _memb)
selectHiddenDirectGroupIDForGroupIDMember in interface NodeRights
_viewInBase - EPRViewInBase
_memb - node of this instance; is in _viewInBase
public java.util.Set selectHiddenDirectOwnerContainForTarget(EPRViewInBase _viewInBase, ImmutableResource _res)
- the userID that owns the resource,
- the groupID that contains the resource.
As selectHiddenDirectOwnerContainForActorAsResource(), but without search of the actor secondary groups. Called by detectHiddenChainedGroupsRights() and selectHiddenDirectOwnerContainForActor().
selectHiddenDirectOwnerContainForTarget in interface NodeRights
_viewInBase - EPRViewInBase
_res - node of this instance; is in _viewInBase
public java.util.Set<DisplayableLinkImpl> selectForGroupIDMemberItsHiddenActorsWithNextLinks(EPRViewInBase _viewInBase, ImmutableGroupIDMember _ep)
- at least it has one external ACL as access source,
- or at least it has one Bridge as access source,
- or at least it has one Privilege as access source,
- or at least it is an Alias.
The actor is not added if _ep is a secondary group for the actor. The ACL, Bridge or Privilege rights of the actor as source are not checked, so they may be without effective rights. The AGO priorities of the ACS are not checked. An AcsAddon may override this method, for instance to process the inherited AclEntries or Privileges. Note: the actors running under xid, and those that are not proxy, are not selected. Note: if there is an ACL with the same ACS for the source and the target, the AG context is not changed, but the ACL target may be an actor which is a source for ACL, Bridge or Privileges, and then the path has to be explored. Called by CompoundRightsFactoryImpl.detectHiddenCompoundEpRights(), detectOneHiddenNodeCompoundRights() and by ThreeNodesRightsFactoryImpl.addPathsFromGroupIDMemberOwnContainActor().
selectForGroupIDMemberItsHiddenActorsWithNextLinks in interface NodeRights
_viewInBase - the view to analyze
_ep - node of this instance; may be in _viewInBase or not
public void finalizeForProcess()
finalizeForProcess in interface NodeRights
public java.lang.String toString()
toString in class java.lang.Object