Revision 1424
Added by Jing Tao almost 22 years ago
| src/edu/ucsb/nceas/metacat/AccessControlList.java | ||
|---|---|---|
| 895 | 895 |
//If begin_time or end_time is null in table, isnull(begin_time, sysdate) |
| 896 | 896 |
//function will assign begin_time=sysdate |
| 897 | 897 |
pStmt = conn.prepareStatement( |
| 898 |
"SELECT permission, ticket_count " +
|
|
| 898 |
"SELECT permission " + |
|
| 899 | 899 |
"FROM xml_access " + |
| 900 | 900 |
"WHERE docid = ? " + |
| 901 | 901 |
"AND principal_name = ? " + |
| 902 |
"AND perm_type = ? " + |
|
| 903 |
"AND " + sysdate + |
|
| 904 |
" BETWEEN " + isnull + "(begin_time," + sysdate + ") " + |
|
| 905 |
"AND " + isnull + "(end_time," + sysdate + ")"); |
|
| 902 |
"AND perm_type = ? "); |
|
| 906 | 903 |
//bind docid, perm_type |
| 907 | 904 |
pStmt.setString(1, docId); |
| 908 | 905 |
pStmt.setString(3, ALLOW); |
| ... | ... | |
| 916 | 913 |
while (rs.next())//check every entry for one user |
| 917 | 914 |
{
|
| 918 | 915 |
permissionValueInTable=rs.getInt(1); |
| 919 |
ticketCount=rs.getInt(2); |
|
| 920 |
|
|
| 921 |
//permission is ok and ticketcount geat than 0 or ticket is null, |
|
| 916 |
|
|
| 917 |
//permission is ok |
|
| 922 | 918 |
//the user have a permission to access the file |
| 923 |
if ((( permissionValueInTable & permissionValue )== permissionValue ) |
|
| 924 |
&& (rs.wasNull()||ticketCount > 0)) |
|
| 919 |
if (( permissionValueInTable & permissionValue )== permissionValue ) |
|
| 925 | 920 |
{
|
| 926 |
//ticket count should minus one |
|
| 927 |
//ticketCount isnot null and greater than 0, order is allowfirst |
|
| 928 |
if (!rs.wasNull() && ticketCount>0 && isAllowFirst(principals,docId)) |
|
| 929 |
{
|
|
| 930 |
decreaseNumberOfAccess(permissionValueInTable, principals[i], |
|
| 931 |
docId, ALLOW, ALLOWFIRST); |
|
| 932 |
} |
|
| 933 |
//ticketCount isnot null and greater than 0, order is not allowfirst |
|
| 934 |
if (!rs.wasNull() &&ticketCount>0 && !isAllowFirst(principals,docId)) |
|
| 935 |
{
|
|
| 936 |
decreaseNumberOfAccess(permissionValueInTable, principals[i], |
|
| 937 |
docId, ALLOW, DENYFIRST); |
|
| 938 |
} |
|
| 939 |
|
|
| 940 | 921 |
allow=true;//has allow rule entry |
| 941 |
}//if
|
|
| 922 |
}//if |
|
| 942 | 923 |
}//while |
| 943 | 924 |
}//for |
| 944 | 925 |
}//try |
| ... | ... | |
| 992 | 973 |
conn=DBConnectionPool.getDBConnection("AccessControlList.hasExplicitDeny");
|
| 993 | 974 |
serialNumber=conn.getCheckOutSerialNumber(); |
| 994 | 975 |
|
| 995 |
//This sql statement will select entry with |
|
| 996 |
//begin_time<=currentTime<=end_time in xml_access table |
|
| 997 |
//If begin_time or end_time is null in table, isnull(begin_time, sysdate) |
|
| 998 |
//function will assign begin_time=sysdate |
|
| 999 |
pStmt = conn.prepareStatement( |
|
| 976 |
pStmt = conn.prepareStatement( |
|
| 1000 | 977 |
"SELECT permission " + |
| 1001 | 978 |
"FROM xml_access " + |
| 1002 | 979 |
"WHERE docid = ? " + |
| 1003 | 980 |
"AND principal_name = ? " + |
| 1004 |
"AND perm_type = ? " + |
|
| 1005 |
"AND " + sysdate + |
|
| 1006 |
" BETWEEN " + isnull + "(begin_time," + sysdate + ") " + |
|
| 1007 |
"AND " + isnull + "(end_time," + sysdate + ")"); |
|
| 981 |
"AND perm_type = ? "); |
|
| 1008 | 982 |
//bind docid, perm_type |
| 1009 | 983 |
pStmt.setString(1, docId); |
| 1010 | 984 |
pStmt.setString(3, DENY); |
| ... | ... | |
| 1047 | 1021 |
return false;//no deny rule |
| 1048 | 1022 |
}//hasExplicitDenyRule |
| 1049 | 1023 |
|
| 1050 |
/** |
|
| 1051 |
* Check if the users array has implicit deny rules for given users, docid |
|
| 1052 |
* and permission. That means the though perm_type is "allow" but current |
|
| 1053 |
* time is less than begin_time or greater than end time, or ticket count |
|
| 1054 |
* is 0. |
|
| 1055 |
* @param principals, list of names of principals to check for |
|
| 1056 |
* @param docid, document identifier to check for |
|
| 1057 |
* @param permission, the permssion need to check |
|
| 1058 |
*/ |
|
| 1059 |
private static boolean hasImplicitDenyRule(String [] principals, String docId, |
|
| 1060 |
String permission) |
|
| 1061 |
throws SQLException |
|
| 1062 |
{
|
|
| 1063 |
int lengthOfArray=principals.length; |
|
| 1064 |
ResultSet rs; |
|
| 1065 |
PreparedStatement pStmt = null; |
|
| 1066 |
int permissionValue=intValue(permission); |
|
| 1067 |
int permissionValueInTable; |
|
| 1068 |
DBConnection conn = null; |
|
| 1069 |
int serialNumber = -1; |
|
| 1070 |
|
|
| 1071 |
|
|
| 1072 |
try |
|
| 1073 |
{
|
|
| 1074 |
//check out DBConnection |
|
| 1075 |
conn=DBConnectionPool.getDBConnection("AccessControlList.hasImplicitDeny");
|
|
| 1076 |
serialNumber=conn.getCheckOutSerialNumber(); |
|
| 1077 |
//This sql statement will select entry with perm_type =allow and |
|
| 1078 |
//currentTime is less than begin_time or greater than end time |
|
| 1079 |
//in xml_access table. This is an implicit deny rule (allow is out of date) |
|
| 1080 |
pStmt = conn.prepareStatement( |
|
| 1081 |
"SELECT permission " + |
|
| 1082 |
"FROM xml_access " + |
|
| 1083 |
"WHERE docid = ? " + |
|
| 1084 |
"AND principal_name = ? " + |
|
| 1085 |
"AND perm_type = ? " + |
|
| 1086 |
"AND " + sysdate + |
|
| 1087 |
" < " + isnull + "(begin_time," + sysdate + ") " + |
|
| 1088 |
"OR " + sysdate + " > "+ isnull + "(end_time," + sysdate + ")"); |
|
| 1089 |
//bind docid, perm_type |
|
| 1090 |
pStmt.setString(1, docId); |
|
| 1091 |
pStmt.setString(3, ALLOW);//It is allow |
|
| 1092 |
|
|
| 1093 |
//bind every elenment in user name array |
|
| 1094 |
for (int i=0;i<lengthOfArray; i++) |
|
| 1095 |
{
|
|
| 1096 |
pStmt.setString(2, principals[i]); |
|
| 1097 |
pStmt.execute(); |
|
| 1098 |
rs=pStmt.getResultSet(); |
|
| 1099 |
while (rs.next())//check every entry for one user |
|
| 1100 |
{
|
|
| 1101 |
permissionValueInTable=rs.getInt(1); |
|
| 1102 |
|
|
| 1103 |
//permission is ok the user doesn't have permission to access the file |
|
| 1104 |
if (( permissionValueInTable & permissionValue )== permissionValue ) |
|
| 1105 |
|
|
| 1106 |
{
|
|
| 1107 |
pStmt.close(); |
|
| 1108 |
//has a implicit deny rule: allow is out of date |
|
| 1109 |
return true; |
|
| 1110 |
}//if |
|
| 1111 |
}//while |
|
| 1112 |
}//for |
|
| 1113 |
pStmt.close(); |
|
| 1114 |
|
|
| 1115 |
//Now, there is no implicit deny rule which is allow is out of date |
|
| 1116 |
//another implicit deny rule need to be check: allow is out of ticketCount |
|
| 1117 |
//ticketCount=0 |
|
| 1118 |
pStmt = conn.prepareStatement( |
|
| 1119 |
"SELECT permission " + |
|
| 1120 |
"FROM xml_access " + |
|
| 1121 |
"WHERE docid = ? " + |
|
| 1122 |
"AND principal_name = ? " + |
|
| 1123 |
"AND perm_type = ? " + |
|
| 1124 |
"AND ticket_count = ?"); |
|
| 1125 |
//bind docid, perm_type, ticket_count |
|
| 1126 |
pStmt.setString(1, docId); |
|
| 1127 |
pStmt.setString(3, ALLOW);//It is allow! |
|
| 1128 |
pStmt.setInt(4,0); |
|
| 1129 |
|
|
| 1130 |
//Because this DBConnection used twice in this method. But we only count one |
|
| 1131 |
//when it checked out. So we should increase another one |
|
| 1132 |
conn.increaseUsageCount(1); |
|
| 1133 |
|
|
| 1134 |
//bind every elenment in user name array |
|
| 1135 |
for (int i=0;i<lengthOfArray; i++) |
|
| 1136 |
{
|
|
| 1137 |
pStmt.setString(2, principals[i]); |
|
| 1138 |
pStmt.execute(); |
|
| 1139 |
rs=pStmt.getResultSet(); |
|
| 1140 |
while (rs.next())//check every entry for one user |
|
| 1141 |
{
|
|
| 1142 |
permissionValueInTable=rs.getInt(1); |
|
| 1143 |
|
|
| 1144 |
//permission is ok the user doesn't have permission to access the file |
|
| 1145 |
if (( permissionValueInTable & permissionValue )== permissionValue ) |
|
| 1146 |
|
|
| 1147 |
{
|
|
| 1148 |
|
|
| 1149 |
pStmt.close(); |
|
| 1150 |
//has a implicit deny rule: allow is out of ticketCount |
|
| 1151 |
return true; |
|
| 1152 |
}//if |
|
| 1153 |
}//while |
|
| 1154 |
}//for |
|
| 1155 |
}//try |
|
| 1156 |
finally |
|
| 1157 |
{
|
|
| 1158 |
|
|
| 1159 |
try |
|
| 1160 |
{
|
|
| 1161 |
pStmt.close(); |
|
| 1162 |
} |
|
| 1163 |
finally |
|
| 1164 |
{
|
|
| 1165 |
DBConnectionPool.returnDBConnection(conn, serialNumber); |
|
| 1166 |
} |
|
| 1167 |
}//finally |
|
| 1168 |
return false;//no implicit deny rule |
|
| 1169 |
}//hasImplicitDenyRule |
|
| 1170 |
|
|
| 1024 |
|
|
| 1171 | 1025 |
/** |
| 1172 | 1026 |
* Creat a users pakages to check permssion rule, user itself, public and |
| 1173 | 1027 |
* the gourps the user belong will be include in this package |
| ... | ... | |
| 1354 | 1208 |
if (isAllowFirst(principals, docId)) |
| 1355 | 1209 |
{
|
| 1356 | 1210 |
|
| 1357 |
if (hasExplicitDenyRule(principals, docId, permission)|| |
|
| 1358 |
hasImplicitDenyRule(principals, docId, permission)) |
|
| 1211 |
if (hasExplicitDenyRule(principals, docId, permission)) |
|
| 1359 | 1212 |
{
|
| 1360 |
//if it is allowfirst and has deny rule(either explicit or implicit)
|
|
| 1213 |
//if it is allowfirst and has deny rule(either explicit ) |
|
| 1361 | 1214 |
//deny access |
| 1362 | 1215 |
return false; |
| 1363 | 1216 |
}//if |
| ... | ... | |
| 1397 | 1250 |
}//hasPermission |
| 1398 | 1251 |
|
| 1399 | 1252 |
|
| 1400 |
/* Decrease the number of access to @docid for @principal in db. */ |
|
| 1401 |
private static void decreaseNumberOfAccess(int permission, String principal, |
|
| 1402 |
String docid, String permType, |
|
| 1403 |
String permOrder) |
|
| 1404 |
throws SQLException |
|
| 1405 |
{
|
|
| 1406 |
PreparedStatement pstmt = null; |
|
| 1407 |
DBConnection conn = null; |
|
| 1408 |
int serialNumber = -1; |
|
| 1409 |
try |
|
| 1410 |
{
|
|
| 1411 |
//check out DBConnection |
|
| 1412 |
conn=DBConnectionPool.getDBConnection("AccessControlList.decreaseNumOfA");
|
|
| 1413 |
serialNumber=conn.getCheckOutSerialNumber(); |
|
| 1414 |
|
|
| 1415 |
pstmt = conn.prepareStatement( |
|
| 1416 |
"UPDATE xml_access SET ticket_count = ticket_count - 1 " + |
|
| 1417 |
"WHERE docid = ? " + |
|
| 1418 |
"AND principal_name = ? " + |
|
| 1419 |
"AND permission = ? " + |
|
| 1420 |
"AND perm_type = ? " + |
|
| 1421 |
"AND perm_order = ? " + |
|
| 1422 |
"AND " + sysdate + |
|
| 1423 |
" BETWEEN " + isnull + "(begin_time," + sysdate + ") " + |
|
| 1424 |
"AND " + isnull + "(end_time," + sysdate + ")"); |
|
| 1425 |
// Bind the values to the query |
|
| 1426 |
pstmt.setString(1, docid); |
|
| 1427 |
pstmt.setString(2, principal); |
|
| 1428 |
pstmt.setInt(3, permission); |
|
| 1429 |
pstmt.setString(4, permType); |
|
| 1430 |
pstmt.setString(5, permOrder); |
|
| 1431 |
|
|
| 1432 |
pstmt.execute(); |
|
| 1433 |
}//try |
|
| 1434 |
finally |
|
| 1435 |
{
|
|
| 1436 |
try |
|
| 1437 |
{
|
|
| 1438 |
pstmt.close(); |
|
| 1439 |
} |
|
| 1440 |
finally |
|
| 1441 |
{
|
|
| 1442 |
DBConnectionPool.returnDBConnection(conn, serialNumber); |
|
| 1443 |
} |
|
| 1444 |
}//finally |
|
| 1445 |
} |
|
| 1446 | 1253 |
|
| 1447 | 1254 |
|
| 1448 | 1255 |
/** |
Also available in: Unified diff
Get rid of the permission code to handle ticket count and duration.