BasePermissionsJsonEnricher.java

/*
 * (C) Copyright 2015 Nuxeo SA (http://nuxeo.com/) and others.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Contributors:
 *     Nicolas Chapurlat <nchapurlat@nuxeo.com>
 */

package org.nuxeo.ecm.core.io.marshallers.json.enrichers;

import static org.nuxeo.ecm.core.io.registry.reflect.Instantiations.SINGLETON;
import static org.nuxeo.ecm.core.io.registry.reflect.Priorities.REFERENCE;

import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

import org.codehaus.jackson.JsonGenerator;
import org.nuxeo.ecm.core.api.CoreSession;
import org.nuxeo.ecm.core.api.DocumentModel;
import org.nuxeo.ecm.core.api.security.PermissionProvider;
import org.nuxeo.ecm.core.api.security.SecurityConstants;
import org.nuxeo.ecm.core.api.security.UserVisiblePermission;
import org.nuxeo.ecm.core.io.registry.context.RenderingContext.SessionWrapper;
import org.nuxeo.ecm.core.io.registry.reflect.Setup;

import org.nuxeo.runtime.api.Framework;

/**
 * Enrich {@link DocumentModel} Json.
 * <p>
 * Add permission available for current user on given {@link DocumentModel}'s as json attachment. Limit permission to
 * Read, Write and Everything.
 * </p>
 * <p>
 * Enable if parameter enrichers-document=permissions is present.
 * </p>
 * <p>
 * Format is:
 *
 * <pre>
 * {@code
 * {
 *   "entity-type":"document",
 *   ...
 *   "contextParameters": {
 *     "permissions": [ "Read", "Write", "Everything" ]  <- depending on current user permission on document
 *   }
 * }
 * </pre>
 *
 * </p>
 *
 * @since 7.2
 */
@Setup(mode = SINGLETON, priority = REFERENCE)
public class BasePermissionsJsonEnricher extends AbstractJsonEnricher<DocumentModel> {

    public static final String NAME = "permissions";

    private final List<String> availablePermissions = Arrays.asList(SecurityConstants.READ, SecurityConstants.WRITE,
        SecurityConstants.EVERYTHING, SecurityConstants.ADD_CHILDREN, SecurityConstants.READ_CHILDREN,
        SecurityConstants.REMOVE_CHILDREN);

    public BasePermissionsJsonEnricher() {
        super(NAME);
    }

    @Override
    public void write(JsonGenerator jg, DocumentModel document) throws IOException {
        jg.writeArrayFieldStart(NAME);
        try (SessionWrapper wrapper = ctx.getSession(document)) {
            for (String permission : getPermissionsInSession(document, wrapper.getSession())) {
                jg.writeString(permission);
            }
        }
        jg.writeEndArray();
    }

    private Collection<String> getPermissionsInSession(DocumentModel doc, CoreSession session) {
        Principal principal = session.getPrincipal();
        PermissionProvider permissionProvider = Framework.getService(PermissionProvider.class);
        Set<String> permissions = permissionProvider.getUserVisiblePermissionDescriptors(doc.getType()).stream().map(
            UserVisiblePermission::getId).collect(Collectors.toSet());
        permissions.addAll(availablePermissions);
        return session.filterGrantedPermissions(principal, doc.getRef(), permissions);
    }

}