/*
* (C) Copyright 2006-2014 Nuxeo SA (http://nuxeo.com/) and others.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Contributors:
* Alexandre Russel
* Florent Guillaume
*/
package org.nuxeo.ecm.platform.publisher.task;
import org.nuxeo.ecm.core.api.CoreSession;
import org.nuxeo.ecm.core.api.DocumentModel;
import org.nuxeo.ecm.core.api.DocumentRef;
import org.nuxeo.ecm.core.api.NuxeoPrincipal;
import org.nuxeo.ecm.core.api.UnrestrictedSessionRunner;
import org.nuxeo.ecm.core.api.security.ACE;
import org.nuxeo.ecm.core.api.security.ACL;
import org.nuxeo.ecm.core.api.security.ACP;
import org.nuxeo.ecm.core.api.security.SecurityConstants;
import org.nuxeo.ecm.platform.usermanager.UserManager;
import org.nuxeo.runtime.api.Framework;
/**
* Changes the permission on a document to only allow validators.
*/
public class ChangePermissionUnrestricted extends UnrestrictedSessionRunner {
private final DocumentRef ref;
private final NuxeoPrincipal principal;
private final String aclName;
private final String[] validators;
// acl unused
public ChangePermissionUnrestricted(CoreSession session, DocumentModel document, String[] validators,
NuxeoPrincipal principal, String aclName, ACL acl) {
super(session);
this.ref = document.getRef();
this.validators = validators;
this.principal = principal;
this.aclName = aclName;
}
@Override
public void run() {
ACP acp = session.getACP(ref);
ACL acl = acp.getOrCreateACL(aclName);
acl.clear();
for (String validator : validators) {
acl.add(new ACE(validator, SecurityConstants.READ));
acl.add(new ACE(validator, SecurityConstants.WRITE));
}
// Give View permission to the user who submitted for publishing.
acl.add(new ACE(principal.getName(), SecurityConstants.READ));
// Allow administrators too.
UserManager userManager = Framework.getService(UserManager.class);
for (String group : userManager.getAdministratorsGroups()) {
acl.add(new ACE(group, SecurityConstants.EVERYTHING));
}
// Deny everyone else.
acl.add(ACE.BLOCK);
session.setACP(ref, acp, true);
session.save();
}
}