public interface PrivilegedAccess
| Modifier and Type | Method and Description |
|---|---|
| `void` | `assignToWorkspace(DMXObject object, long workspaceId)` Performs the initial workspace assignment for an object. |
| `void` | `changePassword(Credentials cred)` Changes the password of an existing user account. |
| `Topic` | `checkCredentials(Credentials cred)` Checks if the given credentials are valid. |
| `void` | `createMembership(String username, long workspaceId)` Makes the given user a member of the given workspace. |
| `void` | `deleteAssocMapcontext(Assoc assoc)` |
| `void` | `deleteWorkspaceTopic(long workspaceId)` Deletes a Workspace topic and all its Memberships. |
| `boolean` | `emailAddressExists(String emailAddress)` Returns true if an "Email Address" (dmx.contacts.email_address) topic with the given value exists, false otherwise. |
| `long` | `getAdminWorkspaceId()` Returns the ID of the "Administration" workspace. |
| `long` | `getAssignedWorkspaceId(long objectId)` Returns the ID of the workspace a topic or association is assigned to. |
| `RelatedTopic` | `getConfigTopic(String configTypeUri, long topicId)` Returns the configuration topic of the given type for the given topic. |
| `String` | `getCreator(long objectId)` Returns the creator of a topic or an association. |
| `long` | `getDMXWorkspaceId()` Returns the ID of the "DMX" workspace. |
| `String` | `getEmailAddress(String username)` Returns the email address for the given username. |
| `Topic` | `getPrivateWorkspace(String username)` Returns the private workspace of the given user. |
| `long` | `getSystemWorkspaceId()` Returns the ID of the "System" workspace. |
| `String` | `getUsername(javax.servlet.http.HttpServletRequest request)` Returns the username that is associated with a request. |
| `String` | `getUsername(String emailAddress)` Returns the username for the given email address. |
| `Topic` | `getUsernameTopic(javax.servlet.http.HttpServletRequest request)` Convenience method that returns the Username topic that corresponds to a request. |
| `Topic` | `getUsernameTopic(String username)` Returns the Username topic that corresponds to a username (case-insensitive). |
| `Topic` | `getWorkspace(String uri)` Fetches a Workspace topic by URI. |
| `Long` | `getWorkspaceContext()` Returns the workspace ID of the most recent `runInWorkspaceContext(long, java.util.concurrent.Callable<V>)` call in the current thread, or null if there was no `runInWorkspaceContext(long, java.util.concurrent.Callable<V>)` call. |
| `boolean` | `hasPermission(String username, Operation operation, long objectId)` Checks if a user is permitted to perform an operation on an object (topic or association). |
| `boolean` | `hasReadPermission(String username, long workspaceId)` |
| `boolean` | `hasWritePermission(String username, long workspaceId)` |
| `boolean` | `isMember(String username, long workspaceId)` Checks if a user is a member of a given workspace. |
| `<V> V` | `runInWorkspaceContext(long workspaceId, Callable<V> callable)` Executes a code block and assigns all topics/associations created while that execution to the given workspace. |
| `String` | `username(javax.servlet.http.HttpSession session)` Returns the username that is associated with a session. |

boolean hasPermission(String username, Operation operation, long objectId)
username - the logged in user, or null if no user is logged in.
objectId - a topic ID, or an association ID.
true if permission is granted, false otherwise.

boolean hasReadPermission(String username, long workspaceId)

boolean hasWritePermission(String username, long workspaceId)

Topic checkCredentials(Credentials cred)
null otherwise.

void changePassword(Credentials cred)
This is a privileged method: it also works if the respective user is not logged in. That is a requirement for a reset-password feature, as realized by the "DMX Sign-up" 3rd-party plugin. (A user who forgot her password is not logged in but must still be allowed to reset it.)
Security: this method is neither called by the DMX platform itself, nor is it callable from outside, as it has no REST interface. So the DMX platform is still secure. On the other hand, a 3rd-party plugin which provides a RESTful interface to this method is required to apply an additional authorization measure, e.g. a short-lived access token sent via email.
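An added example, not code from DMX or from the DMX Sign-up plugin: one way a plugin could implement the short-lived, single-use token gate that the security note above requires before changePassword is called. The class name ResetTokenGuard, the 15-minute lifetime and the in-memory store are assumptions; the record needs Java 16 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical plugin-side helper; not part of the DMX API. */
public class ResetTokenGuard {
    private static final Duration TTL = Duration.ofMinutes(15); // assumed lifetime
    private record Pending(String username, Instant expires) {}

    private final SecureRandom random = new SecureRandom();
    // SHA-256(token) -> pending reset; the token itself is never stored
    private final Map<String, Pending> pending = new ConcurrentHashMap<>();

    /** Creates a token to be mailed to the address registered for the account. */
    public String issue(String username) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(sha256(token), new Pending(username, Instant.now().plus(TTL)));
        return token;
    }

    /** True at most once per token, and only for the user it was issued to, before expiry. */
    public boolean redeem(String username, String token) {
        if (username == null || token == null) return false;
        Pending p = pending.remove(sha256(token)); // single use: gone after first lookup
        return p != null && p.username().equals(username) && Instant.now().isBefore(p.expires());
    }

    private static String sha256(String s) {
        try {
            return Base64.getEncoder().encodeToString(
                MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) {
        ResetTokenGuard guard = new ResetTokenGuard();
        String token = guard.issue("alice"); // constructed sample username
        // The plugin would call changePassword(cred) only when redeem(...) returns true.
        System.out.println("first use: " + guard.redeem("alice", token));
        System.out.println("replay:    " + guard.redeem("alice", token));
    }
}
```

Entries that are never redeemed stay in the map until removed, so a long-running plugin would also purge expired ones periodically.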
cred - the username and new password. A user account with the given username must exist. (The username can't be changed.)

Topic getUsernameTopic(String username)
null if no such Username topic exists.

Topic getPrivateWorkspace(String username)
Note: a user can have more than one private workspace. This method returns only the first one.
Access control is bypassed.
RuntimeException - if the user has no private workspace.

void createMembership(String username, long workspaceId)
This is a privileged method: the current user is not required to have WRITE permission for the given workspace.

boolean isMember(String username, long workspaceId)
username - the logged in user, or null if no user is logged in.

String getCreator(long objectId)
null if no creator is set.

String getUsername(javax.servlet.http.HttpServletRequest request)
null if no user is associated with the request.

Topic getUsernameTopic(javax.servlet.http.HttpServletRequest request)
getUsernameTopic(getUsername(request)).
null if no user is associated with the request.

String username(javax.servlet.http.HttpSession session)
null if no user is associated with the session.

Topic getWorkspace(String uri)
This is a privileged method: it works even if the current user has no READ permission for the workspace.
RuntimeException - if no workspace exists for the given URI.

long getDMXWorkspaceId()

long getAdminWorkspaceId()

long getSystemWorkspaceId()

long getAssignedWorkspaceId(long objectId)
Access control is bypassed. READ permission is neither required for the given topic/association, nor for the returned workspace.
objectId - a topic ID, or an association ID
-1 if no workspace is assigned.
RuntimeException - if no object with the given ID exists.

void assignToWorkspace(DMXObject object, long workspaceId)
If the object is already assigned to the given workspace nothing is performed.
Note: this method can't be used to reassign an object to another workspace; use the WorkspacesService instead. Typically this method is used for objects created in a migration or objects created inside a runInWorkspaceContext -1 context, or when the WorkspacesService is not available for some reason.
RuntimeException - if the object is already assigned to another workspace than the given workspace.

<V> V runInWorkspaceContext(long workspaceId, Callable<V> callable) throws Exception
Use this method to override the standard workspace assignment (which is based on dmx_workspace_id cookie or Workspace facet).
runInWorkspaceContext() calls can be nested.
workspaceId - the ID of the workspace the created topics/associations will be assigned to. Pass -1 to do no workspace assignments. In this case the topics/associations are created without any workspace assignment. Consider using privileged assignToWorkspace(systems.dmx.core.DMXObject, long) to do the initial workspace assignments later on.
callable - the code block to execute.
callable.
AccessControlException - if the current user has no WRITE permission for the given workspace.
IllegalArgumentException - if workspaceId does not refer to a Workspace.
Exception

Long getWorkspaceContext()
runInWorkspaceContext(long, java.util.concurrent.Callable<V>) call in the current thread, or null if there was no runInWorkspaceContext(long, java.util.concurrent.Callable<V>) call.

void deleteWorkspaceTopic(long workspaceId)
IMPORTANT: the actual workspace content is expected to be deleted already.
This is a privileged method for technical reasons: deleting a workspace topic involves deleting all its Membership associations. Once the current user's membership is deleted she would, unless she is the workspace owner, no longer have permission to delete the Workspace topic itself.

void deleteAssocMapcontext(Assoc assoc)

RelatedTopic getConfigTopic(String configTypeUri, long topicId)
Access control is bypassed.
RuntimeException - if no such configuration topic exists.

String getUsername(String emailAddress)
The username is determined by traversing from the Email Address topic along a dmx.base.user_mailbox association.
Access control is bypassed.
RuntimeException - if no such Email Address topic exists in the DB, or if more than one such Email Address topic exists in the DB, or if the Email Address topic is not associated to a Username topic.

String getEmailAddress(String username)
The email address is determined by traversing from the Username topic along a dmx.base.user_mailbox association.
Access control is bypassed.
RuntimeException - if no such Username topic exists in the DB, or if the Username topic is not associated to an Email Address topic.

boolean emailAddressExists(String emailAddress)
The Email Address search is case-insensitive.
Access control is bypassed.
Copyright © 2023. All Rights Reserved.