libreccm-legacy/ccm-core/pdl/com/arsdigita/kernel/permissions.pdl


//
// Copyright (C) 2001-2004 Red Hat Inc. All Rights Reserved.
//
// This library is free software; you can redistribute it and/or
// modify it under the terms of the GNU Lesser General Public License
// as published by the Free Software Foundation; either version 2.1 of
// the License, or (at your option) any later version.
//
// This library is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
// Lesser General Public License for more details.
//
// You should have received a copy of the GNU Lesser General Public
// License along with this library; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
//
// $Id: permissions.pdl 2037 2009-12-12 15:56:26Z terry $
// $DateTime: 2004/08/16 18:10:38 $
model com.arsdigita.kernel.permissions;
import com.arsdigita.kernel.*;
//
// Permission
// MDSQL does not correctly handle multiple keys
//
// Persistent mapping for one row of acs_permissions: a grant of `privilege`
// on object `objectId` to party `partyId`. The object key is the full
// (objectId, partyId, privilege) triple.
// creation_user, creation_date and creation_ip are written by the insert
// event below and are the only provenance columns this type maps.
object type Permission {
BigDecimal[1..1] objectId = acs_permissions.object_id INTEGER;
BigDecimal[1..1] partyId = acs_permissions.grantee_id INTEGER;
String[1..1] privilege = acs_permissions.privilege VARCHAR(100);
Date[1..1] creationDate = acs_permissions.creation_date TIMESTAMP;
String[0..1] creationIP = acs_permissions.creation_ip VARCHAR(50);
// these are 0..1 to avoid persistence 1..1 checks
// they are actually set with the id properties above
composite ACSObject[0..1] object =
join acs_permissions.object_id to acs_objects.object_id;
composite Party[0..1] party =
join acs_permissions.grantee_id to parties.party_id;
composite Privilege[0..1] priv =
join acs_permissions.privilege
to acs_privileges.privilege;
User[0..1] creationUser =
join acs_permissions.creation_user to users.user_id;
object key (objectId, partyId, privilege);
// Loads a single grant by its full key. creation_user is not selected
// here; it is loaded by the separate `retrieve creationUser` event.
retrieve {
do {
select acs_permissions.object_id,
acs_permissions.grantee_id,
acs_permissions.privilege,
acs_permissions.creation_date,
acs_permissions.creation_ip
from acs_permissions
where acs_permissions.object_id = :objectId
and acs_permissions.grantee_id = :partyId
and acs_permissions.privilege = :privilege
} map {
objectId = acs_permissions.object_id;
partyId = acs_permissions.grantee_id;
privilege = acs_permissions.privilege;
creationDate = acs_permissions.creation_date;
creationIP = acs_permissions.creation_ip;
}
}
// Unfiltered: the SQL has no where clause, so this selects every row of
// acs_permissions.
// NOTE(review): any narrowing has to be applied by the caller - confirm
// that callers never expose the unfiltered result.
retrieve all {
do {
select acs_permissions.object_id,
acs_permissions.grantee_id,
acs_permissions.privilege,
acs_permissions.creation_date,
acs_permissions.creation_ip
from acs_permissions
} map {
objectId = acs_permissions.object_id;
partyId = acs_permissions.grantee_id;
privilege = acs_permissions.privilege;
creationDate = acs_permissions.creation_date;
creationIP = acs_permissions.creation_ip;
}
}
// Writes the grant together with who created it, when, and from which IP.
// All values are bind variables.
insert {
do {
insert into acs_permissions
(object_id, grantee_id, privilege,
creation_user, creation_date, creation_ip)
values
(:objectId, :partyId, :privilege,
:creationUser.id, :creationDate, :creationIP)
}
}
// Empty event: an update of a Permission issues no SQL, so the provenance
// columns written at insert are not rewritten through this type.
update {}
// Removes the grant by its full key. The creation_* columns go with the
// row.
// NOTE(review): nothing in this type records who revoked a grant or when;
// if revocations must be auditable, confirm that is logged elsewhere.
delete {
do {
delete from acs_permissions
where object_id = :objectId
and grantee_id = :partyId
and privilege = :privilege
}
}
// Loads the user that created this grant, joined through
// acs_permissions.creation_user for the grant identified by the full key.
retrieve creationUser {
do {
select users.user_id,
users.screen_name,
parties.uri, acs_objects.object_type
from users, parties, acs_objects, acs_permissions
where parties.party_id = users.user_id
and acs_objects.object_id = parties.party_id
and acs_permissions.creation_user = users.user_id
and acs_permissions.object_id = :objectId
and acs_permissions.grantee_id = :partyId
and acs_permissions.privilege = :privilege
} map {
creationUser.id = users.user_id;
creationUser.screenName = users.screen_name;
creationUser.uri = parties.uri;
creationUser.objectType = acs_objects.object_type;
}
}
// Empty events: adding or removing the creationUser association issues no
// SQL; creation_user is only written by the insert event above.
add creationUser {}
remove creationUser {}
}
// query that is encapsulated by ObjectDirectPermissionCollection.
// This is one nasty query that includes display information about
// the grantee, which may be a user or group (hence the union).
// Lists the grants stored directly on :objectID (acs_permissions.object_id
// = :objectID), one row per grant, with display data for the grantee.
// inherited_p is the constant 0 in both halves, so isInherited is never set
// from context here.
// First half of the UNION ALL covers group grantees (user_p = 0, empty
// given/family name, name_id 0); second half covers user grantees
// (user_p = 1, names from person_names).
// NOTE(review): the result carries grantee e-mail addresses and personal
// names; confirm callers only show it to principals allowed to administer
// the object.
query ObjectDirectPermissionCollection {
String privilege;
Boolean isInherited;
BigDecimal granteeID;
Boolean granteeIsUser;
String granteeName;
String granteeEmail;
String granteeGivenName;
String granteeFamilyName;
BigDecimal granteeNameID;
do {
select acs_permissions.privilege,
0 as inherited_p,
acs_permissions.grantee_id,
parties.user_p,
parties.name,
parties.primary_email,
parties.given_name,
parties.family_name,
parties.name_id
from acs_permissions,
(select groups.group_id as party_id,
0 as user_p,
groups.name as name,
parties.primary_email as primary_email,
cast('' as char) as given_name,
cast('' as char) as family_name,
0 as name_id
from groups, parties
where groups.group_id = parties.party_id) parties
where acs_permissions.object_id = :objectID
and acs_permissions.grantee_id = parties.party_id
UNION ALL
select acs_permissions.privilege,
0 as inherited_p,
acs_permissions.grantee_id,
parties.user_p,
parties.name,
parties.primary_email,
parties.given_name,
parties.family_name,
parties.name_id
from acs_permissions,
(select users.user_id as party_id,
1 as user_p,
cast('' as char) as name,
parties.primary_email as primary_email,
person_names.given_name as given_name,
person_names.family_name as family_name,
users.name_id
from users, parties, person_names
where users.user_id = parties.party_id
and users.name_id = person_names.name_id) parties
where acs_permissions.object_id = :objectID
and acs_permissions.grantee_id = parties.party_id
} map {
privilege = acs_permissions.privilege;
isInherited = inherited_p;
granteeID = acs_permissions.grantee_id;
granteeIsUser = parties.user_p;
granteeName = parties.name;
granteeEmail = parties.primary_email;
granteeGivenName = parties.given_name;
granteeFamilyName = parties.family_name;
granteeNameID = parties.name_id;
}
}
// if oracle upgrade 6.5.4-6.5.5 has been carried out,
// this won't work if site admin is filtering a collection
// of objects without context or permissions eg - site nodes
//
// but I don't think this ever happens - cg
//
// Yields a row with permission_p = 1 for each path from an object's granted
// context (dogc -> dgc -> dp) to a grant whose grantee is a group that
// contains one of the parties bound to :partyID.
// The visible SQL binds neither an object id nor a privilege: dogc is not
// tied to any particular object and dp is not restricted to a privilege.
// NOTE(review): presumably the caller correlates dogc.pd_object_id with the
// rows being filtered and adds the privilege condition - verify, because
// without both the query answers "does this party hold any grant at all".
// The aliases dogc/dgc/dp/dgm may be referenced by such caller-side filters,
// so treat them as part of the interface.
query PartyPermissionFilterQuery {
Boolean hasPermission;
do {
select 1 as permission_p
from dnm_object_1_granted_context dogc,
dnm_granted_context dgc,
dnm_permissions dp,
dnm_group_membership dgm
where dogc.pd_context_id = dgc.pd_object_id
and dgc.pd_context_id = dp.pd_object_id
and dgm.pd_member_id in :partyID
and dp.pd_grantee_id = dgm.pd_group_id
} map {
hasPermission = permission_p;
}
}
// aram@kananov.com
// This is a very strange query.
// I only changed it to use the new denormalization.
//
// Returns the member ids (dgm.pd_member_id) of every group that holds a
// grant reachable from the granted context of :objectID, or of the row with
// pd_object_id = 0.
// NOTE(review): object id 0 looks like a catch-all / root context entry -
// confirm what it represents, since grants reachable from it match for
// every :objectID.
// The visible SQL has no privilege condition; presumably the caller adds
// one - verify.
query ObjectPermissionFilterQuery {
BigDecimal granteeID;
do {
select dgm.pd_member_id
from dnm_object_1_granted_context dogc,
dnm_granted_context dgc,
dnm_permissions dp,
dnm_group_membership dgm
where (dogc.pd_object_id = :objectID or dogc.pd_object_id = 0)
and dogc.pd_context_id = dgc.pd_object_id
and dgc.pd_context_id = dp.pd_object_id
and dp.pd_grantee_id = dgm.pd_group_id
} map {
granteeID = dgm.pd_member_id;
}
}
// Always returns exactly one row with permission_p = 1; it reads no table
// other than dual and takes no bind variables.
// NOTE(review): used on its own this reports hasPermission for any party
// and object. The name suggests it is only a base that callers extend with
// filters - confirm no code path evaluates it unfiltered as an
// authorization decision.
query PermissionCheckPlaceholder {
Boolean hasPermission;
do {
select 1 as permission_p from dual
} map {
hasPermission = permission_p;
}
}
// Inherited permission check: yields permission_p = 1 when a grant in the
// granted context of :objectID (or of pd_object_id = 0) goes to a group
// that contains one of the parties bound to :partyID.
// :partyID is used with `in`, so it is expected to bind a set of party ids.
// NOTE(review): no privilege appears in the visible SQL. Presumably the
// caller appends a condition on a dnm_permissions privilege column (see
// dnm_privilege_col_map) - verify; without it any grant satisfies the check.
// NOTE(review): confirm what the pd_object_id = 0 row represents, since it
// matches regardless of :objectID.
query CheckPermissionForParty {
Boolean hasPermission;
do {
select 1 as permission_p
from dnm_object_1_granted_context dogc,
dnm_granted_context dgc,
dnm_permissions dp,
dnm_group_membership dgm
where (dogc.pd_object_id = :objectID or dogc.pd_object_id = 0)
and dogc.pd_context_id = dgc.pd_object_id
and dgc.pd_context_id = dp.pd_object_id
and dgm.pd_member_id in :partyID
and dp.pd_grantee_id = dgm.pd_group_id
} map {
hasPermission = permission_p;
}
}
// Permission check without context inheritance: only dnm_permissions rows
// whose pd_object_id equals :objectID are considered. Group membership is
// still resolved, so a grant to a group containing one of the :partyID
// parties matches.
// NOTE(review): no privilege condition in the visible SQL; presumably added
// by the caller - verify.
query CheckUninheritedPermissionForParty {
Boolean hasPermission;
do {
select 1 as permission_p
from dnm_permissions dp,
dnm_group_membership dgm
where dp.pd_object_id = :objectID
and dp.pd_grantee_id = dgm.pd_group_id
and dgm.pd_member_id in :partyID
} map {
hasPermission = permission_p;
}
}
// Direct-grant check against the denormalized table: matches dnm_permissions
// rows for :objectID whose grantee is itself one of the :partyID parties.
// Neither context inheritance nor group membership is joined in.
// NOTE(review): the query name refers to implied privileges, but the visible
// SQL names no privilege at all; presumably the caller filters on a
// privilege column of dnm_permissions - verify.
query CheckDirectGrantWithImpliedPrivileges {
Boolean hasPermission;
do {
select 1 as permission_p
from dnm_permissions dp
where dp.pd_grantee_id in :partyID
and dp.pd_object_id = :objectID
} map {
hasPermission = permission_p;
}
}
// Exact direct-grant check against acs_permissions: returns one row when a
// grant exists for one of the :partyID parties on :objectID with exactly
// the privilege bound to :privilege.
// Unlike the dnm_* based checks in this file, the privilege is part of the
// SQL here, and no inheritance, group membership or privilege hierarchy is
// consulted.
query CheckDirectGrant {
Boolean hasPermission;
do {
select 1 as permission_p from dual
where exists (
select 1
from acs_permissions
where acs_permissions.grantee_id in :partyID
and acs_permissions.object_id = :objectID
and acs_permissions.privilege = :privilege
)
} map {
hasPermission = permission_p;
}
}
// Deletes every acs_permissions row whose grantee is :partyID, across all
// objects and privileges.
// Only rows granted to the party itself match; rows granted to a group the
// party belongs to have a different grantee_id and are left in place.
// NOTE(review): the rows are removed without any record being written by
// this operation - confirm the caller is restricted to administrative code
// paths and logs the revocation if an audit trail is required.
data operation RevokePartyPermissions {
do {
delete from acs_permissions
where grantee_id = :partyID
}
}
// Returns the distinct privilege names granted (in acs_permissions) within
// the granted context of :objectID, or of pd_object_id = 0, to groups of
// which :partyID is a member.
// :partyID is compared with `=`, so a single party id is expected here,
// unlike the `in :partyID` checks elsewhere in this file.
// Privileges implied through the hierarchy are not expanded; see
// ImpliedPrivilegesForParty.
query PrivilegesForParty {
String privilege;
do {
select distinct ap.privilege
from acs_permissions ap,
dnm_object_1_granted_context dogc,
dnm_granted_context dgc,
dnm_group_membership dgm
where (dogc.pd_object_id = :objectID or dogc.pd_object_id = 0)
and dogc.pd_context_id = dgc.pd_object_id
and dgc.pd_context_id = ap.object_id
and ap.grantee_id = dgm.pd_group_id
and dgm.pd_member_id = :partyID
} map {
privilege = ap.privilege;
}
}
// Same join as PrivilegesForParty, extended through
// dnm_privilege_hierarchy_map: for every granted privilege it returns the
// distinct pd_child_privilege values mapped to it.
// NOTE(review): whether the hierarchy map also contains each privilege as
// its own child (so that the granted privilege itself is returned) cannot
// be told from this file - verify before relying on the result as the full
// effective privilege set.
query ImpliedPrivilegesForParty {
String privilege;
do {
select distinct dphm.pd_child_privilege
from acs_permissions ap,
dnm_object_1_granted_context dogc,
dnm_granted_context dgc,
dnm_group_membership dgm,
dnm_privilege_hierarchy_map dphm
where (dogc.pd_object_id = :objectID or dogc.pd_object_id = 0)
and dogc.pd_context_id = dgc.pd_object_id
and dgc.pd_context_id = ap.object_id
and ap.grantee_id = dgm.pd_group_id
and dgm.pd_member_id = :partyID
and ap.privilege = dphm.pd_privilege
} map {
privilege = dphm.pd_child_privilege;
}
}
//
// Privilege
//
// A privilege, identified solely by its name (acs_privileges.privilege,
// at most 100 characters). The name is the object key and is what
// acs_permissions.privilege joins to.
object type Privilege {
String privilege = acs_privileges.privilege VARCHAR(100);
object key (privilege);
}
//
// Privilege Column name map
//
// Looks up the column name that dnm_privilege_col_map associates with the
// privilege bound to :privilege.
// NOTE(review): presumably the returned name identifies a per-privilege
// column of dnm_permissions that callers place into filter SQL - verify.
// If so, the contents of dnm_privilege_col_map are part of the trust
// boundary and must only be writable by schema/administrative code.
query PrivilegeColumnNameMap {
String columnName;
do {
select dpcm.column_name
from dnm_privilege_col_map dpcm
where dpcm.pd_privilege =:privilege
} map {
columnName = dpcm.column_name;
}
}
//
// Privilege Column name map
//
// Returns every (column_name, pd_privilege) pair of dnm_privilege_col_map,
// unfiltered.
// NOTE(review): looks intended for loading the whole privilege-to-column
// map at once - confirm against the caller.
query getAllPrivilegeColumnNameMap {
String columnName;
String privilegeName;
do {
select dpcm.column_name, dpcm.pd_privilege
from dnm_privilege_col_map dpcm
} map {
columnName = dpcm.column_name;
privilegeName = dpcm.pd_privilege;
}
}
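// Returns the privileges that imply :childPrivilege: the pd_privilege side
// of every dnm_privilege_hierarchy_map row whose pd_child_privilege equals
// the bind variable.
// The map entry names the dphm alias declared in the select. It must not
// use dpcm, which is the alias of dnm_privilege_col_map in other queries and
// is not defined here.
// NOTE(review): a mapping that resolves to no selected column would leave
// `privilege` unset for permission-hierarchy lookups - verify the result
// against a known parent/child pair after deploying.
query ImpliedPrivilege {
    String privilege;

    do {
        select dphm.pd_privilege
          from dnm_privilege_hierarchy_map dphm
         where dphm.pd_child_privilege = :childPrivilege
    } map {
        privilege = dphm.pd_privilege;
    }
}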
//
// Add child privilege
//
// Inserts one (privilege, child_privilege) row into acs_privilege_hierarchy
// using bind variables.
// NOTE(review): presumably this makes :childPrivilege implied by
// :privilege for every existing grant, and dnm_privilege_hierarchy_map is
// derived from this table - verify. Because one row can widen what many
// grants allow, confirm the operation is reachable only from installation
// or administrative code.
data operation addChildPrivilege {
do {
insert into acs_privilege_hierarchy (
privilege,
child_privilege
) values (
:privilege, :childPrivilege
)
}
}
//
// ObjectContext
//
// Maps object_context: for each object (objectId, the key) the optional
// context object it is attached to.
// NOTE(review): the dnm_*_granted_context queries in this file suggest the
// context is where permissions are inherited from - verify. If so, changing
// context_id changes the effective permissions of the object and should be
// limited to callers allowed to administer it.
object type ObjectContext {
BigDecimal[1..1] objectId = object_context.object_id INTEGER;
composite ACSObject[1..1] object = join object_context.object_id
to acs_objects.object_id;
composite ACSObject[0..1] context = join object_context.context_id
to acs_objects.object_id;
object key (objectId);
// The insert event issues an UPDATE rather than an INSERT: it sets
// context_id on the row that already exists for :objectId.
insert {
// Because the insertion occurs via trigger,
// acs_objects_context_in_tr.
do {
update object_context
set context_id = :context.id
where object_id = :objectId
}
}
}
// query that is encapsulated by ObjectPermissionCollection.
// This is one nasty query that includes display information about
// the grantee, which may be a user or group (hence the union).
// cg - doesn't account for objects without dnm_object_1_granted_context
// entries, as it wouldn't make sense to view object permissions
// for an object without any security presence
// Lists the grants that apply to :objectID, both direct and inherited, with
// display data for the grantee.
// The inner acs_permissions subquery collects every grant stored on an
// object in the granted context of :objectID (dogc -> dgc -> p). inherited_p
// is 0 when the grant is stored on :objectID itself and 1 otherwise.
// First half of the UNION ALL covers group grantees (user_p = 0, empty
// given/family name, name_id 0); second half covers user grantees
// (user_p = 1, names from person_names).
// Unlike the permission checks in this file there is no fallback to
// pd_object_id = 0 here.
// NOTE(review): the result carries grantee e-mail addresses and personal
// names; confirm callers only show it to principals allowed to administer
// the object.
query ObjectPermissionCollection {
String privilege;
Boolean isInherited;
BigDecimal granteeID;
Boolean granteeIsUser;
String granteeName;
String granteeEmail;
PersonName granteePersonName;
do {
select acs_permissions.privilege,
CASE
WHEN acs_permissions.object_id = :objectID THEN
0
ELSE
1
END as inherited_p,
acs_permissions.grantee_id,
parties.user_p,
parties.name,
parties.primary_email,
parties.given_name,
parties.family_name,
parties.name_id
from
(select
p.privilege,
p.object_id,
p.grantee_id
from
acs_permissions p,
dnm_object_1_granted_context dogc,
dnm_granted_context dgc
where dogc.pd_object_id = :objectID
and dogc.pd_context_id = dgc.pd_object_id
and p.object_id = dgc.pd_context_id) acs_permissions,
(select groups.group_id as party_id,
0 as user_p,
groups.name as name,
parties.primary_email as primary_email,
cast('' as char) as given_name,
cast('' as char) as family_name,
0 as name_id
from groups, parties
where groups.group_id = parties.party_id) parties
where acs_permissions.grantee_id = parties.party_id
UNION ALL
select acs_permissions.privilege,
CASE
WHEN acs_permissions.object_id = :objectID THEN
0
ELSE
1
END as inherited_p,
acs_permissions.grantee_id,
parties.user_p,
parties.name,
parties.primary_email,
parties.given_name,
parties.family_name,
parties.name_id
from
(select
p.privilege,
p.object_id,
p.grantee_id
from
acs_permissions p,
dnm_object_1_granted_context dogc,
dnm_granted_context dgc
where dogc.pd_object_id = :objectID
and dogc.pd_context_id = dgc.pd_object_id
and p.object_id = dgc.pd_context_id) acs_permissions,
(select users.user_id as party_id,
1 as user_p,
cast('' as char) as name,
parties.primary_email as primary_email,
person_names.given_name as given_name,
person_names.family_name as family_name,
users.name_id
from users, parties, person_names
where users.user_id = parties.party_id
and users.name_id = person_names.name_id) parties
where acs_permissions.grantee_id = parties.party_id
} map {
privilege = acs_permissions.privilege;
isInherited = inherited_p;
granteeID = acs_permissions.grantee_id;
granteeIsUser = parties.user_p;
granteeName = parties.name;
granteeEmail = parties.primary_email;
granteePersonName.id = parties.name_id;
granteePersonName.givenName = parties.given_name;
granteePersonName.familyName = parties.family_name;
}
}