[CDO] Get access only the readable resources in a view [message #1038085] Wed, 10 April 2013 11:31
Marc Gil
Hi,

I'm working with the CDO authentication and I want to set something like a folder home for every user. My aim is that the repository seems like a hard disk where users could only see the resources with permission.

For instance, I can have my home folder named "marc" in the root, and there I can create all the resources I want.

But I don't know how to specify it in the security model. I try to set a new Role with a Resource Permission with the pattern set as "marc" and the access as "WRITE". But when I try to filter the elements in the view, I get that I have no permissions to the root element.

If I use the default All Objects Reader Role (READ; .*), I'm having read access to every resource, but I don't want it.

Is there any way to resolve that in the security model?
Is there any way to indicate to the view that it should only list the resources the user has permission for?

Cheers,
Marc
Re: [CDO] Get access only the readable resources in a view [message #1038200 is a reply to message #1038085] Wed, 10 April 2013 14:40
Marc Gil
I realized that I was entering the pattern incorrectly, because it should be like "/marc.*". Using this pattern, I can write to that folder.

What I'm trying to do is to configure a User with only WRITE permissions to its folder, with the above pattern. But if I don't specify anything more, it doesn't work, because the user has NONE permission on the root element. As I said in my previous comment, if I specify READ access to ".*", the user can read the whole repository, but that might not be safe in certain scenarios.

Imagine the following scenario: a shared repository with 50 users. Every user has their own home folder and there are other shared folders. Every user expects that, once connected, they only see their own home (where they have write permissions) and other common folders with read or write permissions, but not all the other users' homes.

Maybe another permission is needed to indicate that? Because right now, if I have no permission to access a certain resource (i.e. the root resource), I always get a NoPermissionException...

Cheers,
Marc
Re: [CDO] Get access only the readable resources in a view [message #1038630 is a reply to message #1038085] Thu, 11 April 2013 05:26
Eike Stepper
On 10.04.2013 13:31, Marc Gil wrote:
> Hi,
>
> I'm working with the CDO authentication and I want to set something like a folder home for every user. My aim is that
> the repository seems like a hard disk where users could only see the resources with permission.
>
> For instance, I can have my home folder named "marc" in the root, and there I can create all the resources I want.
>
> But I don't know how to specify it in the security model. I try to set a new Role with a Resource Permission with the
> pattern set as "marc" and the access as "WRITE". But when I try to filter the elements in the view, I get that I have
> no permissions to the root element.
>
> If I use the default All Objects Reader Role (READ; .*), I'm having read access to every resource, but I don't want it.
>
> Is there any way to resolve that in the security model?
> Is there any way to indicate to the view that it should only list the resources the user has permission for?
It would be nice if the value of session.getUserID() could be used in the resource patterns. You can already use it in
your custom subclasses of the new ObjectPermission:

401172: [Security] Support permissions on objects
https://bugs.eclipse.org/bugs/show_bug.cgi?id=401172

If you want me to investigate a special "[userID]" marker in ResourcePermission patterns submit a bugzilla, please.

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper


Re: [CDO] Get access only the readable resources in a view [message #1038631 is a reply to message #1038200] Thu, 11 April 2013 05:28
Eike Stepper
On 10.04.2013 16:40, Marc Gil wrote:
> I realized that I was entering the pattern incorrectly, because it should be like "/marc.*". Using this pattern, I can
> write to that folder.
>
> What I'm trying to do is to configure a User with only WRITE permissions to its folder, with the above pattern. But
> if I don't specify anything more, it doesn't work, because the user has NONE permission on the root element.
I don't understand. By "root element" you mean the "root resource"?

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper


> As I said in my previous comment, if I specify READ access to ".*", the user can read the whole repository, but that
> might not be safe in certain scenarios.
>
> Imagine the following scenario: a shared repository with 50 users. Every user has their own home folder and there are
> other shared folders. Every user expects that, once connected, they only see their own home (where they have write
> permissions) and other common folders with read or write permissions, but not all the other users' homes.
>
> Maybe another permission is needed to indicate that? Because right now, if I have no permission to access a certain
> resource (i.e. the root resource), I always get a NoPermissionException...
>
> Cheers,
> Marc


Re: [CDO] Get access only the readable resources in a view [message #1038659 is a reply to message #1038631] Thu, 11 April 2013 06:22
Marc Gil
Sorry Eike. Yes, I mean "root resource".
Re: [CDO] Get access only the readable resources in a view [message #1038975 is a reply to message #1038659] Thu, 11 April 2013 15:11
Marc Gil
But Eike, what I'm telling you here is, I think, different from the bugzilla you referred me to. The new implementation of ObjectPermission could be nice, but I think it will not resolve the problem I'm telling you about.

If I want to show the user only the Resources he has permission for (read or write permission), how can I hide the rest of the Resources? At the moment, if a user does not have read/write permissions to a Resource, a NoPermissionException is thrown, even if I try to iterate one of these resources. For example:

List<CDOResourceNode> list = new ArrayList<CDOResourceNode>();
CDOResourceNode rootResource = view.getRootResource(); // this is the root resource
for (EObject eo : rootResource.eContents()) {
	if (!(eo instanceof CDOResourceNode)) {
		continue;
	}
	CDOResourceNode res = (CDOResourceNode) eo;
	if (res.cdoRevision().getPermission().isReadable()) {
		list.add(res);
	}
}


If the user does not have permission to read the Root Resource, the rootResource.eContents() call raises the exception, and I can't fill the list with the available resources.

Cheers,
Marc
Re: [CDO] Get access only the readable resources in a view [message #1039529 is a reply to message #1038975] Fri, 12 April 2013 09:03
Marc Gil
I have implemented a workaround that works really fine for me:

public static List<CDOResourceNode> getChildNodes(CDOResourceNode resource) {
	List<CDOResourceNode> list = new ArrayList<CDOResourceNode>();

	if (hasReadPermission(resource)) {
		for (EObject eo : resource.eContents()) {
			if (!(eo instanceof CDOResourceNode)) {
				continue;
			}

			CDOResourceNode res = (CDOResourceNode) eo;
			if (hasReadPermission(res)) {
				list.add(res);
			}
		}
	} else {
		CDOResourceFolder folder = resource instanceof CDOResourceFolder ? (CDOResourceFolder) resource : null;
		List<CDOResourceNode> l = resource.cdoView().queryResources(folder, "", false);
		int i = 0;
		while (true) {
			try {
				CDOResourceNode node = l.get(i);
				if (hasReadPermission(node)) {
					list.add(node);
				}
			} catch (NoPermissionException e) {
				continue;
			} catch (IndexOutOfBoundsException e) {
				break;
			} finally {
				i++;
			}
		}
	}

	return list;
}

public static boolean hasReadPermission(CDOResourceNode node) {
	// force to get the last revision
	node.cdoReload();
	CDOPermission permission = node.cdoRevision().getPermission();
	return permission.isReadable();
}


Then, my security model looks like the following:
User: [ID: marc, Groups: Users]
Group: [ID: Users, Roles: userRole]
Role: [ID: userRole]
  > Resource Permission: [Access: WRITE, Pattern: /user.*]


The first if conditional is used to check whether the user can read the current resource (taking into account the security model). If true, all its contents are readable too; if false, we use a query to check the resources in the current folder (or root resource).

But here I found a possible bug. Although the query returns a list of CDOResourceNode elements, it never retrieves the CDOBinaryResources and CDOTextResources. Is there any reason for that?

With this configuration, when the user "marc" is logged in, I only see the "/user" folder content. Of course, this folder needs to be created beforehand.

Eike, if you consider it interesting, you can include this code as a Snippet on the CDO website.

Cheers,
Marc
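
An added example (not part of the original posts and not CDO code) that checks the resource patterns discussed in this thread against constructed resource paths. It assumes a pattern is a Java regular expression that has to match the whole resource path, which is consistent with "marc" failing and "/marc.*" working above; `homePattern` and the sample paths are hypothetical.

```java
import java.util.List;
import java.util.regex.Pattern;

// Added illustration, not CDO code. Assumption: a resource pattern is a Java
// regex that has to match the whole resource path.
public class HomeFolderPatterns {

    // Pattern style used in the thread: any path that starts with "/<userID>".
    static Pattern prefixPattern(String userID) {
        return Pattern.compile("/" + userID + ".*");
    }

    // Hypothetical stricter form: the home folder itself or anything below it.
    // Pattern.quote() keeps regex metacharacters in a user ID literal.
    static Pattern homePattern(String userID) {
        return Pattern.compile("/" + Pattern.quote(userID) + "(/.*)?");
    }

    static boolean grants(Pattern pattern, String path) {
        return pattern.matcher(path).matches();
    }

    public static void main(String[] args) {
        // Constructed sample paths; "/" stands for the root resource.
        List<String> paths = List.of("/", "/marc", "/marc/model.xmi",
                "/marcus/private.xmi", "/shared/marc/notes.txt");
        Pattern bare = Pattern.compile("marc");   // first attempt in the thread
        Pattern prefix = prefixPattern("marc");   // "/marc.*"
        Pattern home = homePattern("marc");

        System.out.printf("%-26s %-8s %-10s %s%n", "path", "marc", "/marc.*", "home");
        for (String path : paths) {
            System.out.printf("%-26s %-8b %-10b %b%n", path,
                    grants(bare, path), grants(prefix, path), grants(home, path));
        }
    }
}
```

Under that assumption none of the three patterns covers "/", and "/marc.*" also matches "/marcus/private.xmi", while the anchored form matches only "/marc" and the paths below it.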
Re: [CDO] Get access only the readable resources in a view [message #1043780 is a reply to message #1038975] Thu, 18 April 2013 05:44
Eike Stepper
On 11.04.2013 17:11, Marc Gil wrote:
> But Eike, what I'm telling you here is, I think, different from the bugzilla you referred me to. The new implementation of
> ObjectPermission could be nice, but I think it will not resolve the problem I'm telling you about.
>
> If I want to show the user only the Resources he has permission for (read or write permission), how can I hide the rest
> of the Resources? At the moment, if a user does not have read/write permissions to a Resource, a NoPermissionException is
> thrown, even if I try to iterate one of these resources. For example:
>
>
> List<CDOResourceNode> list = new ArrayList<CDOResourceNode>();
> CDOResourceNode rootResource = view.getRootResource(); // this is the root resource
> for (EObject eo : rootResource.eContents()) {
> 	if (!(eo instanceof CDOResourceNode)) {
> 		continue;
> 	}
> 	CDOResourceNode res = (CDOResourceNode) eo;
> 	if (res.cdoRevision().getPermission().isReadable()) {
> 		list.add(res);
> 	}
> }
>
>
> If the user does not have permission to read the Root Resource, the rootResource.eContents() call raises the exception, and
> I can't fill the list with the available resources.
I'm still trying to understand the fundamental problem. Is it that the ResourcePermissions always apply to a
CDOResourceNode *and* all its contents? So that you can't allow access to, e.g., the root resource but not *all* its
contents?

Cheers
/Eike

----
http://www.esc-net.de
http://thegordian.blogspot.com
http://twitter.com/eikestepper

