xwikirightserviceimpl.java

xwiki 源码

                    Iterator it = glist.iterator();
                    while (it.hasNext()) {
                        grouplist2.add(context.getDatabase() + ":" + it.next());
                    }
                    if (grouplist2!=null)
                        grouplistcache.put(key2, grouplist2);
                    else
                        grouplistcache.put(key2, new ArrayList());
                    }

                    if (grouplist2!=null)
                        grouplist.addAll(grouplist2);
                }
            } catch (Exception e) {
            } finally {
                context.setDatabase(database);
            }
        }

        if (log.isDebugEnabled())
            log.debug("Searching for matching rights for " + ((grouplist==null) ? "0" : "" + grouplist.size())
                    + " groups: " + grouplist);

        if (grouplist!=null) {
            Iterator groupit = grouplist.iterator();
            while (groupit.hasNext()) {
                String group = (String) groupit.next();
                try {
                    // We need to construct the full group name to make sure the groups are
                    // handled separately
                    boolean result = checkRight(group,doc, accessLevel, false, allow, global, context);
                    if (result)
                        return true;
                } catch (XWikiRightNotFoundException e) {
                }
                catch (Exception e) {
                    // This should not happen
                    e.printStackTrace();
                }
            }
        }

        if (log.isDebugEnabled())
            log.debug("Finished searching for rights for " + name + ": " + found);

        if (found)
            return false;
        else
            throw new XWikiRightNotFoundException();
    }

    public boolean hasAccessLevel(String accessLevel, String name, String resourceKey,
                                  boolean user, XWikiContext context) throws XWikiException {
        boolean deny = false;
        boolean allow = false;
        boolean allow_found = false;
        boolean deny_found = false;
        String database = context.getDatabase();
        XWikiDocument xwikimasterdoc;

        boolean isReadOnly = context.getWiki().isReadOnly();

        if (isReadOnly) {

            if ("edit".equals(accessLevel) ||
                    "delete".equals (accessLevel) ||
                    "comment".equals(accessLevel ) ||
                    "register".equals(accessLevel)) {
                logDeny (name,resourceKey,accessLevel,"server in read-only mode");
                return false;
           }
        }

        if (name.equals("XWiki.XWikiGuest")||name.endsWith(":XWiki.XWikiGuest")) {
            if (needsAuth(accessLevel, context))
                return false;
        }

        if (name.equals("XWiki.superadmin")||name.endsWith(":XWiki.superadmin")) {
             logAllow(name, resourceKey, accessLevel, "super admin level");
             return true;
        }

        try {
            // The master user and programming rights are checked in the main wiki
            context.setDatabase(context.getWiki().getDatabase());
            xwikimasterdoc = context.getWiki().getDocument("XWiki.XWikiPreferences", context);
// Verify XWiki Master super user
            try {
                allow = checkRight(name, xwikimasterdoc , "admin", true, true, true, context);
                if (allow) {
                    logAllow(name, resourceKey, accessLevel, "master admin level");
                    return true;
                }
            } catch (XWikiRightNotFoundException e) {}

// Verify XWiki programming right
            if (accessLevel.equals("programming")) {
                // Programming right can only been given if user is from main wiki
                if (!name.startsWith(context.getWiki().getDatabase() + ":"))
                    return false;

                try {
                    allow = checkRight(name, xwikimasterdoc , "programming", user, true, true, context);
                    if (allow) {
                        logAllow(name, resourceKey, accessLevel, "programming level");
                        return true;
                    }
                    else {
                        logDeny(name, resourceKey, accessLevel, "programming level");
                        return false;
                    }
                } catch (XWikiRightNotFoundException e) {}
                logDeny(name, resourceKey, accessLevel, "programming level (no right found)");
                return false;
            }
        } finally {
            // The next rights are checked in the virtual wiki
            context.setDatabase(database);
        }

// Verify XWiki register right
        if (accessLevel.equals("register")) {
            try {
                allow = checkRight(name, xwikimasterdoc , "register", user, true, true, context);
                if (allow) {
                    logAllow(name, resourceKey, accessLevel, "register level");
                    return true;
                }
                else {
                    logDeny(name, resourceKey, accessLevel, "register level");
                    return false;
                }
            } catch (XWikiRightNotFoundException e) {}
            logDeny(name, resourceKey, accessLevel, "register level (no right found)");
            return false;
        }

        try {
            // Verify Wiki Owner
            String wikiOwner = context.getWikiOwner();
            if (wikiOwner!=null) {
                if (wikiOwner.equals(name)) {
                    logAllow(name, resourceKey, accessLevel, "admin level from wiki ownership");
                    return true;
                }
            }

            XWikiDocument xwikidoc = null;
            if (context.getDatabase().equals(context.getWiki().getDatabase()))
                xwikidoc = xwikimasterdoc;
            else
                xwikidoc = context.getWiki().getDocument("XWiki.XWikiPreferences", context);

            // Verify XWiki super user
            try {
                allow = checkRight(name, xwikidoc , "admin", user, true, true, context);
                if (allow) {
                    logAllow(name, resourceKey, accessLevel, "admin level");
                    return true;
                }
            } catch (XWikiRightNotFoundException e) {}

// Verify Web super user
            String web = Util.getWeb(resourceKey);
            XWikiDocument webdoc = context.getWiki().getDocument(web, "WebPreferences", context);
            try {
                allow = checkRight(name, webdoc , "admin", user, true, true, context);
                if (allow) {
                    logAllow(name, resourceKey, accessLevel, "web admin level");
                    return true;
                }
            } catch (XWikiRightNotFoundException e) {}

            // First check if this document is denied to the specific user
            resourceKey = Util.getName(resourceKey, context);
            XWikiDocument doc = context.getWiki().getDocument(resourceKey, context);
            try {
                deny = checkRight(name, doc, accessLevel, user, false, false, context);
                deny_found = true;
                if (deny) {
                    logDeny(name, resourceKey, accessLevel, "document level");
                    return false;
                }
            } catch (XWikiRightNotFoundException e) {}

            try {
                allow = checkRight(name, doc , accessLevel, user, true, false, context);
                allow_found = true;
                if (allow) {
                    logAllow(name, resourceKey, accessLevel, "document level");
                    return true;
                }
            } catch (XWikiRightNotFoundException e) {}


// Check if this document is denied/allowed
// through the web WebPreferences Global Rights
            try {
                deny =  checkRight(name, webdoc, accessLevel, user, false, true, context);
                deny_found = true;
                if (deny) {
                    logDeny(name, resourceKey, accessLevel, "web level");
                    return false;
                }
            } catch (XWikiRightNotFoundException e) {}

            // If a right was found at the document level
            // then we cannot check the web rights anymore
            if (!allow_found) {
            try {
                allow = checkRight(name, webdoc , accessLevel, user, true, true, context);
                allow_found = true;
                if (allow) {
                    logAllow(name, resourceKey, accessLevel, "web level");
                    return true;
                }
            } catch (XWikiRightNotFoundException e) {}
            }
// Check if this document is denied/allowed
// through the XWiki.XWikiPreferences Global Rights
            try {
                deny = checkRight(name, xwikidoc , accessLevel, user, false, true, context);
                deny_found = true;
                if (deny) {
                    logDeny(name, resourceKey, accessLevel, "xwiki level");
                    return false;
                }
            } catch (XWikiRightNotFoundException e) {}

            // If a right was found at the document or web level 
            // then we cannot check the web rights anymore
            if (!allow_found) {
            try {
                allow = checkRight(name, xwikidoc , accessLevel, user, true, true, context);
                allow_found = true;
                if (allow) {
                    logAllow(name, resourceKey, accessLevel, "xwiki level");
                    return true;
                }
            } catch (XWikiRightNotFoundException e) {}
            }

// If neither doc, web or topic had any allowed ACL
// and that all users that were not denied
// should be allowed.
            if (!allow_found) {
                    logAllow(name, resourceKey, accessLevel, "global level (no restricting right)");
                    return true;
            }
            else {
                logDeny(name, resourceKey, accessLevel, "global level (restricting right was found)");
                return false;
            }

        } catch (XWikiException e) {
            logDeny(name, resourceKey, accessLevel, "global level (exception)", e);
            e.printStackTrace();
            return false;
        }
        finally {
            context.setDatabase(database);
        }
    }

    public boolean hasProgrammingRights(XWikiContext context) {
        XWikiDocument sdoc = (XWikiDocument) context.get("sdoc");
        if (sdoc==null)
         sdoc = context.getDoc();
        return hasProgrammingRights(sdoc, context);
    }

    public boolean hasProgrammingRights(XWikiDocument doc, XWikiContext context) {
        try {
            if (doc==null)
                return false;

            String username = doc.getAuthor();

            if (username==null)
                return false;

            String docname;
            if (context.getDatabase()!=null) {
                docname = context.getDatabase() + ":" + doc.getFullName();
                if (username.indexOf(":")==-1)
                    username = context.getDatabase() + ":" + username;
            }
            else
                docname = doc.getFullName();

            // programming rights can only been given for user of the main wiki
            if (context.getWiki().isVirtual()) {
             String maindb = context.getWiki().getDatabase();
             if ((maindb==null)||(!username.startsWith(maindb)))
                return false;
            }

            return hasAccessLevel("programming", username, docname, context);
        } catch (Exception e) {
            e.printStackTrace();
            return false;
        }
    }

    public boolean hasAdminRights(XWikiContext context) {
        boolean hasAdmin = false;
        try {
            hasAdmin = hasAccessLevel("admin", context.getUser(),
                    "XWiki.XWikiPreferences", context);
        } catch (Exception e) {
            e.printStackTrace();
        }
        if (!hasAdmin) {
            try {
                hasAdmin = hasAccessLevel("admin", context.getUser(),
                        context.getDoc().getWeb() + ".WebPreferences", context);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        return hasAdmin;
    }

}