ome.security

Interface ACLVoter

All Known Implementing Classes:

BasicACLVoter, CompositeACLVoter, SharingACLVoter

public interface ACLVoter

helper security interface for all decisions on access control

Since:

3.0-M3

Version:

$Revision$, $Date$

Author:

Josh Moore, josh.moore at gmx.de

See Also:

SecuritySystem, ACLEventListener

Method Summary

Modifier and Type	Method and Description
boolean	allowAnnotate(IObject iObject, Details trustedDetails) test whether the given object should be annotatable given the trusted details.
boolean	allowChmod(IObject iObject) test whether the given object can have its Permissions changed within the current security context.
boolean	allowCreation(IObject iObject) test whether the given object should be insertable into the DB.
boolean	allowDelete(IObject iObject, Details trustedDetails) test whether the given object should be deleteable given the trusted details.
boolean	allowLoad(org.hibernate.Session session, Class<? extends IObject> klass, Details trustedDetails, long id) test whether the object of the given Class with the given Details should be loadable in the current security context.
boolean	allowUpdate(IObject iObject, Details trustedDetails) test whether the given object should be updateable given the trusted details.
void	postProcess(IObject obj) Gives the ACLVoter instance a chance to act on the IObject after the transaction but before finishing the AOP stack.
Set<String>	restrictions(IObject object) Provide the active restrictions for this IObject.
void	throwCreationViolation(IObject iObject) throws a SecurityViolation based on the given IObject and the context of the current user.
void	throwDeleteViolation(IObject iObject) throws a SecurityViolation based on the given IObject and the context of the current user.
void	throwLoadViolation(IObject iObject) throws a SecurityViolation based on the given IObject and the context of the current user.
void	throwUpdateViolation(IObject iObject) throws a SecurityViolation based on the given IObject and the context of the current user.

Method Detail

allowChmod

boolean allowChmod(IObject iObject)

test whether the given object can have its Permissions changed within the current security context.

Parameters:

iObject - a model object

Returns:

if the object's permissions may be changed

allowLoad

boolean allowLoad(org.hibernate.Session session,
                  Class<? extends IObject> klass,
                  Details trustedDetails,
                  long id)

test whether the object of the given Class with the given Details should be loadable in the current security context. This method does not take an actual object because that will not be generated until after loading is permitted. The SecuritySystem implementors will usually call throwLoadViolation(IObject) if this method returns false.

Parameters:

session - the Hibernate session to use for the query

klass - a non-null class to test for loading

trustedDetails - the non-null trusted details (usually from the db) for this instance

id - the id of the object which will be loaded. As opposed to the rest of the object, this must be known.

Returns:

true if loading of this object can proceed

See Also:

ACLEventListener.onPostLoad(org.hibernate.event.PostLoadEvent)

allowCreation

boolean allowCreation(IObject iObject)

test whether the given object should be insertable into the DB. No trusted details is passed to this method, since for transient entities there are no trusted values. The SecuritySystem implementors will usually call throwCreationViolation(IObject) if this method returns false.

Parameters:

iObject - a non-null entity to test for creation.

Returns:

true if creation of this object can proceed

See Also:

ACLEventListener.onPreInsert(org.hibernate.event.PreInsertEvent)

allowAnnotate

boolean allowAnnotate(IObject iObject,
                      Details trustedDetails)

test whether the given object should be annotatable given the trusted details. The details will usually be retrieved from the current state array coming from the database.

Parameters:

iObject - a non-null entity to test for update.

trustedDetails - a Details instance that is known to be valid.

Returns:

true if annotation of this object can proceed

allowUpdate

boolean allowUpdate(IObject iObject,
                    Details trustedDetails)

test whether the given object should be updateable given the trusted details. The details will usually be retrieved from the current state array coming from the database. The SecuritySystem implementors will usually call throwUpdateViolation(IObject) if this method returns false.

Parameters:

iObject - a non-null entity to test for update.

trustedDetails - a Details instance that is known to be valid.

Returns:

true if update of this object can proceed

See Also:

ACLEventListener.onPreUpdate(org.hibernate.event.PreUpdateEvent)

allowDelete

boolean allowDelete(IObject iObject,
                    Details trustedDetails)

test whether the given object should be deleteable given the trusted details. The details will usually be retrieved from the current state array coming from the database. The SecuritySystem implementors will usually call throwDeleteViolation(IObject) if this method returns false.

Parameters:

iObject - a non-null entity to test for deletion.

trustedDetails - a Details instance that is known to be valid.

Returns:

true if deletion of this object can proceed

See Also:

ACLEventListener.onPreDelete(org.hibernate.event.PreDeleteEvent)

throwLoadViolation

void throwLoadViolation(IObject iObject)
                 throws SecurityViolation

throws a SecurityViolation based on the given IObject and the context of the current user.

Parameters:

iObject - Non-null object which caused this violation

Throws:

SecurityViolation

See Also:

ACLEventListener.onPostLoad(org.hibernate.event.PostLoadEvent)

throwCreationViolation

void throwCreationViolation(IObject iObject)
                     throws SecurityViolation

throws a SecurityViolation based on the given IObject and the context of the current user.

Parameters:

iObject - Non-null object which caused this violation

Throws:

SecurityViolation

See Also:

ACLEventListener.onPreInsert(org.hibernate.event.PreInsertEvent)

throwUpdateViolation

void throwUpdateViolation(IObject iObject)
                   throws SecurityViolation

throws a SecurityViolation based on the given IObject and the context of the current user.

Parameters:

iObject - Non-null object which caused this violation

Throws:

SecurityViolation

See Also:

ACLEventListener.onPreUpdate(org.hibernate.event.PreUpdateEvent)

throwDeleteViolation

void throwDeleteViolation(IObject iObject)
                   throws SecurityViolation

throws a SecurityViolation based on the given IObject and the context of the current user.

Parameters:

iObject - Non-null object which caused this violation

Throws:

SecurityViolation

See Also:

ACLEventListener.onPreDelete(org.hibernate.event.PreDeleteEvent)

restrictions

Set<String> restrictions(IObject object)

Provide the active restrictions for this IObject. See PolicyService for further details.

Parameters:

object - a model object

Returns:

the restrictions applying for the object

postProcess

void postProcess(IObject obj)

Gives the ACLVoter instance a chance to act on the IObject after the transaction but before finishing the AOP stack.

Parameters:

obj - a model object