Package org.apache.jackrabbit.oak.spi.security.authorization.permission

Interface PermissionProvider

All Known Subinterfaces:
AggregatedPermissionProvider
All Known Implementing Classes:
EmptyPermissionProvider, OpenPermissionProvider
public interface PermissionProvider
Main entry point for permission evaluation in Oak. This provider covers permission validation upon read and write access on the Oak API as well as the various permission related methods defined by the JCR API, namely on AccessControlManager and Session.
See Also:

  • Method Summary

    Modifier and Type
    Method
    Description
    @NotNull Set<String>
    getPrivileges(@Nullable org.apache.jackrabbit.oak.api.Tree tree)
    Returns the set of privilege names which are granted to the set of Principals associated with this provider instance for the specified Tree.
    @NotNull RepositoryPermission
    getRepositoryPermission()
    Return the RepositoryPermission for the set of Principals associated with this provider instance.
    @NotNull TreePermission
    getTreePermission(@NotNull org.apache.jackrabbit.oak.api.Tree tree, @NotNull TreePermission parentPermission)
    Return the TreePermission for the set of Principals associated with this provider at the specified tree.
    boolean
    hasPrivileges(@Nullable org.apache.jackrabbit.oak.api.Tree tree, @NotNull String... privilegeNames)
    Returns whether the principal set associated with this PrivilegeManager is granted the privileges identified by the specified privilege names for the given tree.
    boolean
    isGranted(@NotNull String oakPath, @NotNull String jcrActions)
    Tests if the the specified actions are granted at the given path for the set of Principals associated with this provider instance.
    boolean
    isGranted(@NotNull org.apache.jackrabbit.oak.api.Tree tree, @Nullable org.apache.jackrabbit.oak.api.PropertyState property, long permissions)
    Test if the specified permissions are granted for the set of Principals associated with this provider instance for the item identified by the given tree and optionally property.
    void
    refresh()
    Refresh this PermissionProvider.

  • Method Details

    • refresh

      void refresh()
      Refresh this PermissionProvider. The implementation is expected to subsequently return permission evaluation results that reflect the most recent revision of the repository.

    • getPrivileges

      @NotNull @NotNull Set<String> getPrivileges(@Nullable @Nullable org.apache.jackrabbit.oak.api.Tree tree)
      Returns the set of privilege names which are granted to the set of Principals associated with this provider instance for the specified Tree.
      Parameters:
      tree - The tree for which the privileges should be retrieved.
      Returns:
      set of privilege names

    • hasPrivileges

      boolean hasPrivileges(@Nullable @Nullable org.apache.jackrabbit.oak.api.Tree tree, @NotNull @NotNull String... privilegeNames)
      Returns whether the principal set associated with this PrivilegeManager is granted the privileges identified by the specified privilege names for the given tree. In order to test for privileges being granted on a repository level rather than on a particular tree a null tree should be passed to this method.

      Testing a name identifying an aggregate privilege is equivalent to testing each non aggregate privilege name.

      Parameters:
      tree - The tree to test for privileges being granted.
      privilegeNames - The name of the privileges.
      Returns:
      true if all privileges are granted; false otherwise.

    • getRepositoryPermission

      @NotNull @NotNull RepositoryPermission getRepositoryPermission()
      Return the RepositoryPermission for the set of Principals associated with this provider instance.
      Returns:
      The RepositoryPermission for the set of Principals this provider instance has been created for.

    • getTreePermission

      @NotNull @NotNull TreePermission getTreePermission(@NotNull @NotNull org.apache.jackrabbit.oak.api.Tree tree, @NotNull @NotNull TreePermission parentPermission)
      Return the TreePermission for the set of Principals associated with this provider at the specified tree.
      Parameters:
      tree - The tree for which the TreePermission object should be built.
      parentPermission - The TreePermission object that has been obtained before for the parent tree.
      Returns:
      The TreePermission object for the specified tree.

    • isGranted

      boolean isGranted(@NotNull @NotNull org.apache.jackrabbit.oak.api.Tree tree, @Nullable @Nullable org.apache.jackrabbit.oak.api.PropertyState property, long permissions)
      Test if the specified permissions are granted for the set of Principals associated with this provider instance for the item identified by the given tree and optionally property. This method will only return true if all permissions are granted.
      Parameters:
      tree - The Tree to test the permissions for.
      property - A PropertyState if the item to test is a property or null if the item is a Tree.
      permissions - The permissions to be tested.
      Returns:
      true if the specified permissions are granted for the item identified by the given tree and optionally property state.

    • isGranted

      boolean isGranted(@NotNull @NotNull String oakPath, @NotNull @NotNull String jcrActions)
      Tests if the the specified actions are granted at the given path for the set of Principals associated with this provider instance.

      The jcrActions parameter is a comma separated list of action strings such as defined by Session and passed to Session.hasPermission(String, String). When more than one action is specified in the jcrActions parameter, this method will only return true if all of them are granted on the specified path.

      Parameters:
      oakPath - A valid oak path.
      jcrActions - The JCR actions that should be tested separated by ','
      Returns:
      true if all actions are granted at the specified path; false otherwise.