PermissionFilter.java

/*
 * (C) Copyright 2013 Nuxeo SA (http://nuxeo.com/) and others.
 *
 * All rights reserved. This program and the accompanying materials
 * are made available under the terms of the GNU Lesser General Public License
 * (LGPL) version 2.1 which accompanies this distribution, and is available at
 * http://www.gnu.org/licenses/lgpl-2.1.html
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * Contributors:
 *     Thomas Roger
 */

package org.nuxeo.ecm.core.api.impl;

import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.nuxeo.ecm.core.api.ClientException;
import org.nuxeo.ecm.core.api.CoreSession;
import org.nuxeo.ecm.core.api.DocumentModel;
import org.nuxeo.ecm.core.api.Filter;

/**
 * A filter based on permissions.
 * <p>
 * If one of the permission check throws an Exception, the {@link #accept}
 * method returns false.
 *
 * @since 5.7.2
 */
public class PermissionFilter implements Filter {

    private static final long serialVersionUID = 1L;

    private static final Log log = LogFactory.getLog(PermissionFilter.class);

    protected final Set<String> required;

    protected final Set<String> excluded;

    public PermissionFilter(List<String> required, List<String> excluded) {
        if (required == null) {
            this.required = Collections.emptySet();
        } else {
            this.required = new HashSet<>(required);
        }
        if (excluded == null) {
            this.excluded = Collections.emptySet();
        } else {
            this.excluded = new HashSet<>(excluded);
        }
    }

    public PermissionFilter(String permission, boolean isRequired) {
        if (isRequired) {
            required = Collections.singleton(permission);
            excluded = Collections.emptySet();
        } else {
            required = Collections.emptySet();
            excluded = Collections.singleton(permission);
        }
    }

    @Override
    public boolean accept(DocumentModel docModel) {
        CoreSession session = docModel.getCoreSession();
        return session != null
                && hasPermission(session, docModel, excluded, false)
                && hasPermission(session, docModel, required, true);

    }

    protected boolean hasPermission(CoreSession session, DocumentModel doc,
            Set<String> permissions, boolean required) {
        for (String permission : permissions) {
            try {
                if ((required && !session.hasPermission(doc.getRef(),
                        permission))
                        || (!required && session.hasPermission(doc.getRef(),
                                permission))) {
                    return false;
                }
            } catch (ClientException e) {
                String message = String.format(
                        "Unable to check '%s' permission for document '%s': %s",
                        permission, doc.getPathAsString(), e.getMessage());
                log.warn(message);
                log.debug(message, e);
                return false;
            }
        }
        return true;
    }

}