systems.dmx.core.service.accesscontrol

Interface PrivilegedAccess

public interface PrivilegedAccess

Method Summary

Modifier and Type	Method and Description
void	assignToWorkspace(DMXObject object, long workspaceId) Performs the initial workspace assignment for an object.
void	changePassword(Credentials cred) Changes the password of an existing user account.
Topic	checkCredentials(Credentials cred) Checks if the given credentials are valid.
void	createMembership(String username, long workspaceId) Makes the given user a member of the given workspace.
void	deleteAssocMapcontext(Assoc assoc)
void	deleteWorkspaceTopic(long workspaceId) Deletes a Workspace topic and all its Memberships.
boolean	emailAddressExists(String emailAddress) Returns true if an "Email Address" (dmx.contacts.email_address) topic with the given value exists, false otherwise.
long	getAdminWorkspaceId() Returns the ID of the "Administration" workspace.
long	getAssignedWorkspaceId(long objectId) Returns the ID of the workspace a topic or association is assigned to.
RelatedTopic	getConfigTopic(String configTypeUri, long topicId) Returns the configuration topic of the given type for the given topic.
String	getCreator(long objectId) Returns the creator of a topic or an association.
long	getDMXWorkspaceId() Returns the ID of the "DMX" workspace.
String	getEmailAddress(String username) Returns the email address for the given username.
Topic	getPrivateWorkspace(String username) Returns the private workspace of the given user.
long	getSystemWorkspaceId() Returns the ID of the "System" workspace.
String	getUsername(javax.servlet.http.HttpServletRequest request) Returns the username that is associated with a request.
String	getUsername(String emailAddress) Returns the username for the given email address.
Topic	getUsernameTopic(javax.servlet.http.HttpServletRequest request) Convenience method that returns the Username topic that corresponds to a request.
Topic	getUsernameTopic(String username) Returns the Username topic that corresponds to a username (case-insensitive).
Topic	getWorkspace(String uri) Fetches a Workspace topic by URI.
Long	getWorkspaceContext() Returns the workspace ID of the most recent runInWorkspaceContext(long, java.util.concurrent.Callable<V>) call in the current thread, or null if there was no runInWorkspaceContext(long, java.util.concurrent.Callable<V>) call.
boolean	hasPermission(String username, Operation operation, long objectId) Checks if a user is permitted to perform an operation on an object (topic or association).
boolean	hasReadPermission(String username, long workspaceId)
boolean	hasWritePermission(String username, long workspaceId)
boolean	isMember(String username, long workspaceId) Checks if a user is a member of a given workspace.
<V> V	runInWorkspaceContext(long workspaceId, Callable<V> callable) Executes a code block and assigns all topics/associations created while that execution to the given workspace.
String	username(javax.servlet.http.HttpSession session) Returns the username that is associated with a session.

Method Detail

hasPermission

boolean hasPermission(String username,
                      Operation operation,
                      long objectId)

Checks if a user is permitted to perform an operation on an object (topic or association).

Parameters:

username - the logged in user, or null if no user is logged in.

objectId - a topic ID, or an association ID.

Returns:

true if permission is granted, false otherwise.

hasReadPermission

boolean hasReadPermission(String username,
                          long workspaceId)

hasWritePermission

boolean hasWritePermission(String username,
                           long workspaceId)

checkCredentials

Topic checkCredentials(Credentials cred)

Checks if the given credentials are valid.

Returns:

the corresponding Username topic if the credentials are valid, or null otherwise.

changePassword

void changePassword(Credentials cred)

Changes the password of an existing user account.

This is a privileged method: it works also if the respective user is not logged in. The latter is a requirement for a reset-password feature, as realized by the "DMX Sign-up" 3rd-party plugin. (If a user forgot her password she is not logged in but still must be allowed to reset her password.)

Security: this method is neither called by the DMX platform itself, nor is it callable from outside as it has no REST interface. So the DMX platform is still secure. On the other hand, a 3rd-party plugin which provides a RESTful interface to this method is required to apply an additional authorization measure, e.g. a short-living access token sent via email.

Parameters:

cred - the username and new password. An user account with the given username must exist. (The username can't be changed.)

getUsernameTopic

Topic getUsernameTopic(String username)

Returns the Username topic that corresponds to a username (case-insensitive).

Returns:

the Username topic, or null if no such Username topic exists.

getPrivateWorkspace

Topic getPrivateWorkspace(String username)

Returns the private workspace of the given user.

Note: a user can have more than one private workspace. This method returns only the first one.

Access control is bypassed.

Returns:

The user's private workspace (a topic of type "Workspace").

Throws:

RuntimeException - if the user has no private workspace.

createMembership

void createMembership(String username,
                      long workspaceId)

Makes the given user a member of the given workspace.

This is a privileged method: the current user is not required to have WRITE permission for the given workspace.

isMember

boolean isMember(String username,
                 long workspaceId)

Checks if a user is a member of a given workspace.

Parameters:

username - the logged in user, or null if no user is logged in.

getCreator

String getCreator(long objectId)

Returns the creator of a topic or an association.

Returns:

The username of the creator, or null if no creator is set.

getUsername

String getUsername(javax.servlet.http.HttpServletRequest request)

Returns the username that is associated with a request.

Returns:

the username, or null if no user is associated with the request.

getUsernameTopic

Topic getUsernameTopic(javax.servlet.http.HttpServletRequest request)

Convenience method that returns the Username topic that corresponds to a request. Basically it calls getUsernameTopic(getUsername(request)).

Returns:

the Username topic, or null if no user is associated with the request.

username

String username(javax.servlet.http.HttpSession session)

Returns the username that is associated with a session.

Returns:

the username, or null if no user is associated with the session.

getWorkspace

Topic getWorkspace(String uri)

Fetches a Workspace topic by URI.

This is a privileged method: it works even if the current user has no READ permission for the workspace.

Returns:

The Workspace topic.

Throws:

RuntimeException - if no workspace exists for the given URI.

getDMXWorkspaceId

long getDMXWorkspaceId()

Returns the ID of the "DMX" workspace.

getAdminWorkspaceId

long getAdminWorkspaceId()

Returns the ID of the "Administration" workspace.

getSystemWorkspaceId

long getSystemWorkspaceId()

Returns the ID of the "System" workspace.

getAssignedWorkspaceId

long getAssignedWorkspaceId(long objectId)

Returns the ID of the workspace a topic or association is assigned to.

Access control is bypassed. READ permission is neither required for the given topic/association, nor for the returned workspace.

Parameters:

objectId - a topic ID, or an association ID

Returns:

The workspace ID, or -1 if no workspace is assigned.

Throws:

RuntimeException - if no object with the given ID exists.

assignToWorkspace

void assignToWorkspace(DMXObject object,
                       long workspaceId)

Performs the initial workspace assignment for an object.

If the object is already assigned to the given workspace nothing is performed.

Note: this method can't be used to reassign an object to another workspace; use the WorkspacesService instead. Typically this method is used for objects created in a migration or objects created inside a runInWorkspaceContext -1 context, or when the WorkspacesService is not available for some reason.

Throws:

RuntimeException - if the object is already assigned to another workspace than the given workspace.

runInWorkspaceContext

<V> V runInWorkspaceContext(long workspaceId,
                            Callable<V> callable)
                     throws Exception

Executes a code block and assigns all topics/associations created while that execution to the given workspace.

Use this method to override the standard workspace assignment (which is based on dmx_workspace_id cookie or Workspace facet).

runInWorkspaceContext() calls can be nested.

Parameters:

workspaceId - the ID of the workspace the created topics/associations will be assigned to.

Pass -1 to do no workspace assignments. In this case the topics/ associations are created without any workspace assignment. Consider using privileged assignToWorkspace(systems.dmx.core.DMXObject, long) to do the initial workspace assignments later on.

callable - the code block to execute.

Returns:

The value returned by your callable.

Throws:

AccessControlException - if the current user has no WRITE permission for the given workspace.

IllegalArgumentException - if workspaceId does not refer to a Workspace.

Exception

getWorkspaceContext

Long getWorkspaceContext()

Returns the workspace ID of the most recent runInWorkspaceContext(long, java.util.concurrent.Callable<V>) call in the current thread, or null if there was no runInWorkspaceContext(long, java.util.concurrent.Callable<V>) call.

deleteWorkspaceTopic

void deleteWorkspaceTopic(long workspaceId)

Deletes a Workspace topic and all its Memberships. The current user needs WRITE permission to the workspace -- she must not necessarily be the workspace owner.

IMPORTANT: the actual workspace content is expected to be deleted already.

This is a privileged method for technical reasons: deleting a workspace topic involves deleting all its Membership associations. As soon as the current user's membership is deleted she would, in case she is not the workspace owner, have no permission anymore for deleting the Workspace topic eventually.

deleteAssocMapcontext

void deleteAssocMapcontext(Assoc assoc)

getConfigTopic

RelatedTopic getConfigTopic(String configTypeUri,
                            long topicId)

Returns the configuration topic of the given type for the given topic.

Access control is bypassed.

Throws:

RuntimeException - if no such configuration topic exists.

getUsername

String getUsername(String emailAddress)

Returns the username for the given email address.

The username is determined by traversing from the Email Address topic along a dmx.base.user_mailbox association.

Access control is bypassed.

Throws:

RuntimeException - if no such Email Address topic exists in the DB, or if more than one such Email Address topics exist in the DB, or if the Email Address topic is not associated to a Username topic.

getEmailAddress

String getEmailAddress(String username)

Returns the email address for the given username.

The email address is determined by traversing from the Username topic along a dmx.base.user_mailbox association.

Access control is bypassed.

Throws:

RuntimeException - if no such Username topic exists in the DB, or if the Username topic is not associated to an Email Address topic.

emailAddressExists

boolean emailAddressExists(String emailAddress)

Returns true if an "Email Address" (dmx.contacts.email_address) topic with the given value exists, false otherwise.

The Email Address search is case-insensitive.

Access control is bypassed.