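/**
 * Ensures the document being created lists itself in its {@code _allowRead} set.
 * <p>
 * The current value of {@link ORestrictedOperation#ALLOW_READ} is read as a {@link Set}. If it
 * is absent or does not yet contain {@code doc}, a fresh {@link LinkedHashSet} copy is built
 * (the collection handed back by the document is never mutated), {@code doc} is added and the
 * field is written back. Presumably this is what lets holders of a role read the role record
 * itself -- verify against OrientDB's restricted-access semantics.
 *
 * @param doc {@link ODocument} being created (a role document, according to the hook's original
 *            comment; confirm against where this hook is registered)
 * @return {@link com.orientechnologies.orient.core.hook.ORecordHook.RESULT} produced by
 *         {@code super.onRecordBeforeCreate(doc)} -- the original comment named
 *         {@code onBeforeCreate}, which is not the method actually called
 */
@Override
public RESULT onRecordBeforeCreate(ODocument doc) {
    final String allowReadField = ORestrictedOperation.ALLOW_READ.getFieldName();
    Set<ODocument> allowRead = doc.field(allowReadField, Set.class);
    if (allowRead == null || !allowRead.contains(doc)) {
        // Copy instead of mutating the set returned by the document, so the write-back below is
        // an explicit field update rather than a side effect on a tracked collection.
        final Set<ODocument> updated =
                allowRead != null ? new LinkedHashSet<>(allowRead) : new LinkedHashSet<>();
        updated.add(doc);
        doc.field(allowReadField, updated);
    }
    return super.onRecordBeforeCreate(doc);
}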
/**
 * Grants {@code iOperation} on {@code iDocument} to the role named {@code iRoleName}.
 *
 * @param iDocument restricted document whose {@code _allow*} field is extended
 * @param iOperation restricted operation; its field name selects which allow field is written
 * @param iRoleName role name, resolved to a record id through {@code getRoleRID}
 * @return whatever {@code allowIdentity} returns for the resolved role
 * @throws IllegalArgumentException if no role with that name exists
 */
@Override
public OIdentifiable allowRole(final ODocument iDocument, final ORestrictedOperation iOperation, final String iRoleName) {
    final ORID roleRid = getRoleRID(iRoleName);
    if (roleRid != null) {
        return allowIdentity(iDocument, iOperation.getFieldName(), roleRid);
    }
    throw new IllegalArgumentException("Role '" + iRoleName + "' not found");
}
/**
 * Revokes {@code iOperation} on {@code iDocument} from the role named {@code iRoleName}.
 *
 * @param iDocument restricted document whose {@code _allow*} field is reduced
 * @param iOperation restricted operation; its field name selects which allow field is written
 * @param iRoleName role name, resolved to a record id through {@code getRoleRID}
 * @return whatever {@code disallowIdentity} returns for the resolved role
 * @throws IllegalArgumentException if no role with that name exists
 */
@Override
public OIdentifiable denyRole(final ODocument iDocument, final ORestrictedOperation iOperation, final String iRoleName) {
    final ORID roleRid = getRoleRID(iRoleName);
    if (roleRid != null) {
        return disallowIdentity(iDocument, iOperation.getFieldName(), roleRid);
    }
    throw new IllegalArgumentException("Role '" + iRoleName + "' not found");
}
/**
 * Grants {@code iOperation} on {@code iDocument} to the user named {@code iUserName}.
 *
 * @param iDocument restricted document whose {@code _allow*} field is extended
 * @param iOperation restricted operation; its field name selects which allow field is written
 * @param iUserName user name, resolved to a record id through {@code getUserRID}
 * @return whatever {@code allowIdentity} returns for the resolved user
 * @throws IllegalArgumentException if no user with that name exists
 */
@Override
public OIdentifiable allowUser(final ODocument iDocument, final ORestrictedOperation iOperation, final String iUserName) {
    final ORID userRid = getUserRID(iUserName);
    if (userRid != null) {
        return allowIdentity(iDocument, iOperation.getFieldName(), userRid);
    }
    throw new IllegalArgumentException("User '" + iUserName + "' not found");
}
/**
 * Revokes {@code iOperation} on {@code iDocument} from the user named {@code iUserName}.
 *
 * @param iDocument restricted document whose {@code _allow*} field is reduced
 * @param iOperation restricted operation; its field name selects which allow field is written
 * @param iUserName user name, resolved to a record id through {@code getUserRID}
 * @return whatever {@code disallowIdentity} returns for the resolved user
 * @throws IllegalArgumentException if no user with that name exists
 */
@Override
public OIdentifiable denyUser(final ODocument iDocument, final ORestrictedOperation iOperation, final String iUserName) {
    final ORID userRid = getUserRID(iUserName);
    if (userRid != null) {
        return disallowIdentity(iDocument, iOperation.getFieldName(), userRid);
    }
    throw new IllegalArgumentException("User '" + iUserName + "' not found");
}
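/**
 * Loads the {@code reader} user document, makes it readable by itself and saves it.
 * <p>
 * The user is found with a parameterised query (the name is bound to {@code ?}, not
 * concatenated into the SQL; only the constant class name goes through {@code String.format}).
 * The {@link ORestrictedOperation#ALLOW_READ} set is then extended with the user's own record:
 * an absent or empty set is replaced by a singleton, otherwise the existing set is mutated in
 * place and written back.
 *
 * @param db database to query and save in
 * @return the saved {@code reader} user document
 * @throws IllegalStateException if no user named {@code reader} exists (previously this
 *         surfaced as an {@link IndexOutOfBoundsException} from {@code docs.get(0)})
 */
private ODocument updateAndGetUserReader(ODatabaseDocument db) {
    final String sql = String.format("select from %s where name = ?", OUser.CLASS_NAME);
    final List<ODocument> docs = db.query(new OSQLSynchQuery<>(sql, 1), "reader");
    if (docs == null || docs.isEmpty()) {
        // Fail with a clear message instead of an index error on a missing built-in user.
        throw new IllegalStateException("User 'reader' not found");
    }
    final ODocument reader = docs.get(0);
    final String allowReadField = ORestrictedOperation.ALLOW_READ.getFieldName();
    Set<OIdentifiable> users = reader.field(allowReadField, Set.class);
    if (users == null || users.isEmpty()) {
        // NOTE(review): Collections.singleton is immutable; if the document keeps this instance,
        // a later in-session add would fail -- confirm OrientDB copies the collection on set.
        reader.field(allowReadField, Collections.singleton(reader));
    } else {
        users.add(reader);
        reader.field(allowReadField, users);
    }
    reader.save();
    return reader;
}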
doc.field(ORestrictedOperation.ALLOW_READ.getFieldName(), doc); doc.field(ORestrictedOperation.ALLOW_UPDATE.getFieldName(), doc);
String fieldNames = cls.getCustom(OSecurityShared.ONCREATE_FIELD); if (fieldNames == null) fieldNames = ORestrictedOperation.ALLOW_ALL.getFieldName(); final String[] fields = fieldNames.split(","); String identityType = cls.getCustom(OSecurityShared.ONCREATE_IDENTITY_TYPE);
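/**
 * Configures the built-in {@code reader} role for perspective browsing and ties it to
 * {@code perspective}.
 * <p>
 * Grants READ on the perspective item, perspective and {@code ORole} classes, sets flag
 * {@code 0} on the wildcard class resource and on the search/schema feature resources, then
 * overwrites (does not merge) the role document's {@link ORestrictedOperation#ALLOW_READ} with
 * the given {@code reader} document and records the perspective on the role. Finally the
 * perspective's {@code _allowRead} is overwritten with the role document. Both records are saved.
 *
 * @param db database whose security metadata holds the role
 * @param reader the reader user document placed in the role's {@code _allowRead}
 * @param perspective perspective document linked to the role and made readable by it
 * @throws IllegalStateException if the {@code reader} role does not exist (previously an NPE)
 */
private void updateReaderPermissions(ODatabaseDocument db, ODocument reader, ODocument perspective) {
    final ORole role = db.getMetadata().getSecurity().getRole("reader");
    if (role == null) {
        throw new IllegalStateException("Role 'reader' not found");
    }
    role.grant(ResourceGeneric.CLASS, PerspectivesModule.OCLASS_ITEM, READ.getPermissionFlag());
    role.grant(ResourceGeneric.CLASS, PerspectivesModule.OCLASS_PERSPECTIVE, READ.getPermissionFlag());
    // Flag 0 on the wildcard class resource: presumably a deny-all baseline for every other
    // class -- confirm against ORole.grant semantics before relying on it.
    role.grant(ResourceGeneric.CLASS, null, 0);
    role.grant(ResourceGeneric.CLASS, ORole.CLASS_NAME, READ.getPermissionFlag());
    role.grant(OSecurityHelper.FEATURE_RESOURCE, SearchPage.SEARCH_FEATURE, 0);
    role.grant(OSecurityHelper.FEATURE_RESOURCE, SchemaPage.SCHEMA_FEATURE, 0);
    // Replaces any previous _allowRead on the role record with the reader user only.
    role.getDocument().field(ORestrictedOperation.ALLOW_READ.getFieldName(), Collections.singletonList(reader));
    role.getDocument().field(PerspectivesModule.PROP_PERSPECTIVE, perspective);
    role.save();
    // Replaces any previous _allowRead on the perspective with the reader role only.
    perspective.field(ORestrictedOperation.ALLOW_READ.getFieldName(), Collections.singleton(role.getDocument()));
    perspective.save();
}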
.isAllowed((Set<OIdentifiable>) doc.field(ORestrictedOperation.ALLOW_ALL.getFieldName()), (Set<OIdentifiable>) doc.field(iAllowOperation.getFieldName()));
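/**
 * Ensures the {@code ORIENTEER_USER_ROLE} role exists, (re)applies its grant list and binds it to
 * {@code perspective}.
 * <p>
 * A missing role is created as a {@code DENY_ALL_BUT} child of the built-in {@code reader} role.
 * Afterwards the role document's {@link ORestrictedOperation#ALLOW_READ} is overwritten with the
 * role itself, the perspective is recorded on the role, and the perspective's {@code _allowRead}
 * is overwritten with the role document. Both records are saved.
 *
 * @param db database whose security metadata holds the roles
 * @param perspective perspective document linked to the role and made readable by it
 * @throws IllegalStateException if the role must be created but the {@code reader} parent role
 *         does not exist (previously {@code null} was passed through as the parent)
 */
private void updateOrienteerUserRoleDoc(ODatabaseDocument db, ODocument perspective) {
    final OSecurity security = db.getMetadata().getSecurity();
    final ORole role = ensureOrienteerUserRole(security);
    grantOrienteerUserPermissions(role);
    // Replaces any previous _allowRead on the role record with the role itself.
    role.getDocument().field(ORestrictedOperation.ALLOW_READ.getFieldName(), Collections.singletonList(role.getDocument()));
    role.getDocument().field(PerspectivesModule.PROP_PERSPECTIVE, perspective);
    role.save();
    // Replaces any previous _allowRead on the perspective with this role only.
    perspective.field(ORestrictedOperation.ALLOW_READ.getFieldName(), Collections.singletonList(role.getDocument()));
    perspective.save();
}

/** Returns the existing ORIENTEER_USER_ROLE, or creates it as a DENY_ALL_BUT child of the reader role. */
private ORole ensureOrienteerUserRole(OSecurity security) {
    final ORole existing = security.getRole(ORIENTEER_USER_ROLE);
    if (existing != null) {
        return existing;
    }
    final ORole reader = security.getRole("reader");
    if (reader == null) {
        // Fail loudly rather than silently creating a parentless role with a different permission model.
        throw new IllegalStateException("Role 'reader' not found");
    }
    return security.createRole(ORIENTEER_USER_ROLE, reader, OSecurityRole.ALLOW_MODES.DENY_ALL_BUT);
}

/** Applies the fixed grant list for ORIENTEER_USER_ROLE; every call is additive on the role. */
private void grantOrienteerUserPermissions(ORole role) {
    role.grant(ResourceGeneric.CLASS, OWidgetsModule.OCLASS_WIDGET, READ.getPermissionFlag());
    role.grant(ResourceGeneric.CLASS, OWidgetsModule.OCLASS_DASHBOARD, READ.getPermissionFlag());
    // TODO: remove this after release with fix for roles in OrientDB: https://github.com/orientechnologies/orientdb/issues/8338
    role.grant(ResourceGeneric.CLASS, PerspectivesModule.OCLASS_ITEM, READ.getPermissionFlag());
    role.grant(ResourceGeneric.CLASS, PerspectivesModule.OCLASS_PERSPECTIVE, READ.getPermissionFlag());
    role.grant(ResourceGeneric.CLASS, ORole.CLASS_NAME, READ.getPermissionFlag());
    role.grant(ResourceGeneric.SCHEMA, null, READ.getPermissionFlag());
    role.grant(ResourceGeneric.CLUSTER, "internal", READ.getPermissionFlag());
    role.grant(ResourceGeneric.RECORD_HOOK, "", READ.getPermissionFlag());
    role.grant(ResourceGeneric.DATABASE, null, READ.getPermissionFlag());
    role.grant(ResourceGeneric.DATABASE, "systemclusters", READ.getPermissionFlag());
    role.grant(ResourceGeneric.DATABASE, "function", READ.getPermissionFlag());
    role.grant(ResourceGeneric.DATABASE, "command", READ.getPermissionFlag());
    role.grant(OSecurityHelper.FEATURE_RESOURCE, SearchPage.SEARCH_FEATURE, READ.getPermissionFlag());
    // READ+UPDATE on the whole OrienteerUser class: per-record _allowUpdate is then the only thing
    // separating users from each other's records -- confirm the restricted-access hook covers this class.
    role.grant(ResourceGeneric.CLASS, OrienteerUser.CLASS_NAME, OrientPermission.combinedPermission(READ, UPDATE));
    role.grant(ResourceGeneric.DATABASE, "cluster", OrientPermission.combinedPermission(READ, UPDATE));
}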