82 |
82 |
private String beginTime;
|
83 |
83 |
private String endTime;
|
84 |
84 |
private int ticketCount;
|
|
85 |
private int serverCode = 1;
|
85 |
86 |
|
86 |
87 |
/**
|
87 |
88 |
* Construct an instance of the AccessControlList class.
|
88 |
89 |
* It is used by the permission check up from DBQuery and DocumentImpl
|
|
90 |
* and for "getaccesscontrol" action
|
89 |
91 |
*
|
90 |
|
* @param conn the JDBC connection where acl data are loaded
|
|
92 |
* @param conn the JDBC connection where acl info is get
|
91 |
93 |
*/
|
92 |
|
public AccessControlList ( Connection conn ) throws SQLException
|
|
94 |
public AccessControlList(Connection conn) throws SQLException
|
93 |
95 |
{
|
94 |
96 |
this.conn = conn;
|
95 |
97 |
}
|
... | ... | |
99 |
101 |
* It parse acl file and loads acl data into db connection.
|
100 |
102 |
*
|
101 |
103 |
* @param conn the JDBC connection where acl data are loaded
|
102 |
|
* @param docid the Accession# of the document with the acl data
|
|
104 |
* @param aclid the Accession# of the document with the acl data
|
103 |
105 |
* @param acl the acl file containing acl data
|
|
106 |
* @param user the user connected to MetaCat servlet and owns the document
|
|
107 |
* @param group the group to which user belongs
|
|
108 |
* @param serverCode the serverid from xml_replication on which this document
|
|
109 |
* resides.
|
104 |
110 |
*/
|
105 |
111 |
public AccessControlList(Connection conn, String aclid, Reader acl,
|
106 |
|
String user, String group)
|
|
112 |
String user, String group, int serverCode)
|
107 |
113 |
throws SAXException, IOException, ClassNotFoundException
|
108 |
114 |
{
|
109 |
115 |
// Get an instance of the parser
|
... | ... | |
124 |
130 |
this.principal = new Vector();
|
125 |
131 |
this.permission = 0;
|
126 |
132 |
this.ticketCount = 0;
|
|
133 |
this.serverCode = serverCode;
|
127 |
134 |
|
128 |
135 |
// Initialize the parser and read the queryspec
|
129 |
136 |
XMLReader parser = initializeParser();
|
... | ... | |
144 |
151 |
throws SAXException, IOException, ClassNotFoundException
|
145 |
152 |
{
|
146 |
153 |
this(conn, aclid, new FileReader(new File(aclfilename).toString()),
|
147 |
|
user, group);
|
|
154 |
user, group, 1);
|
148 |
155 |
}
|
149 |
156 |
|
150 |
157 |
/* Set up the SAX parser for reading the XML serialized ACL */
|
... | ... | |
241 |
248 |
// collect them in Vector variables
|
242 |
249 |
resourceID.addElement(docid);
|
243 |
250 |
resourceURL.addElement(docurl);
|
244 |
|
// check permissions for @user on the current resource first
|
|
251 |
|
|
252 |
// if it is the local server (originator of the document),
|
|
253 |
// check for permission for @user on resource is needed
|
245 |
254 |
// @user must have permission "all" on it(docid)
|
246 |
|
boolean hasPermission = false;
|
247 |
|
try {
|
248 |
|
hasPermission = hasPermission("ALL",user,docid);
|
249 |
|
if ( !hasPermission && group != null ) {
|
250 |
|
hasPermission = hasPermission("ALL",group,docid);
|
|
255 |
if ( serverCode == 1 ) {
|
|
256 |
boolean hasPermission = false;
|
|
257 |
try {
|
|
258 |
hasPermission = hasPermission("ALL",user,docid);
|
|
259 |
if ( !hasPermission && group != null ) {
|
|
260 |
hasPermission = hasPermission("ALL",group,docid);
|
|
261 |
}
|
|
262 |
} catch (SQLException e) {
|
|
263 |
throw new SAXException(e.getMessage());
|
251 |
264 |
}
|
252 |
|
} catch (SQLException e) {
|
253 |
|
throw new SAXException(e.getMessage());
|
|
265 |
if ( !hasPermission ) {
|
|
266 |
throw new SAXException(
|
|
267 |
"Permission denied for setting access control on " + docid);
|
|
268 |
}
|
254 |
269 |
}
|
255 |
|
if ( !hasPermission ) {
|
256 |
|
throw new SAXException(
|
257 |
|
"Permission denied for setting access control on " + docid);
|
258 |
|
}
|
259 |
270 |
// end of check for "all" perm on docid
|
260 |
271 |
|
261 |
272 |
} else if (currentTag.equals("principal")) {
|
Solving the problem with replication of access files, where access files were rejected by the replication servers.
In AccessControlList a check for serverCode is included,
so only on the local server is the connected user checked for having "all" permissions on the resources specified in it;
the replication servers don't need such a check because the connected users there are always different,
thus not owners of the replicated access file and not having "all" permissions on the resources.
Chad, you can try the replication now