public class UnionMailboxACLResolver extends Object implements MailboxACLResolver

In UnionMailboxACLResolver#resolveRights(String, org.apache.james.mailbox.MailboxACLResolver.GroupMembershipResolver, MailboxACL, String, boolean) all applicable negative and non-negative rights are union-ed separately and the result is computed afterwards with nonNegativeUnion.except(negativeUnion).

Allows for setting distinct global ACL for users' mailboxes on one hand and group (a.k.a. shared) mailboxes on the other hand. E.g. the zero parameter constructor uses full rights for user mailboxes and full-except-administration rights for group mailboxes.

Modifier and Type | Field and Description |
---|---|
static MailboxACL | DEFAULT_GLOBAL_GROUP_ACL |
static MailboxACL | DEFAULT_GLOBAL_USER_ACL: Nothing else than full rights for the owner. |

Constructor and Description |
---|
UnionMailboxACLResolver(): Creates a new instance of UnionMailboxACLResolver with DEFAULT_GLOBAL_USER_ACL as userGlobalACL and DEFAULT_GLOBAL_USER_ACL as groupGlobalACL. |
UnionMailboxACLResolver(MailboxACL userGlobalACL, MailboxACL groupGlobalACL): Creates a new instance of UnionMailboxACLResolver with the given globalACL. |

Modifier and Type | Method and Description |
---|---|
protected static boolean | applies(MailboxACL.MailboxACLEntryKey aclKey, MailboxACL.MailboxACLEntryKey queryKey, GroupMembershipResolver groupMembershipResolver, String resourceOwner, boolean resourceOwnerIsGroup) |
MailboxACL | applyGlobalACL(MailboxACL resourceACL, boolean resourceOwnerIsGroup): Applies global ACL to the given resourceACL. |
boolean | hasRight(String requestUser, GroupMembershipResolver groupMembershipResolver, MailboxACL.MailboxACLRight right, MailboxACL resourceACL, String resourceOwner, boolean resourceOwnerIsGroup): Tells whether the given user has the given right granted on the basis of the given resourceACL. |
boolean | isReadWrite(MailboxACL.MailboxACLRights mailboxACLRights, javax.mail.Flags sharedFlags): Maps the given mailboxACLRights to READ-WRITE and READ-ONLY response codes. |
MailboxACL.MailboxACLRights[] | listRights(MailboxACL.MailboxACLEntryKey queryKey, GroupMembershipResolver groupMembershipResolver, String resourceOwner, boolean resourceOwnerIsGroup): The key point of this implementation is that it resolves everything that can be resolved. |
MailboxACL.MailboxACLRights | resolveRights(String requestUser, GroupMembershipResolver groupMembershipResolver, MailboxACL resourceACL, String resourceOwner, boolean resourceOwnerIsGroup): Computes the rights which apply to the given user and resource. |

public static final MailboxACL DEFAULT_GLOBAL_GROUP_ACL

public static final MailboxACL DEFAULT_GLOBAL_USER_ACL

public UnionMailboxACLResolver()
Creates a new instance of UnionMailboxACLResolver with DEFAULT_GLOBAL_USER_ACL as userGlobalACL and DEFAULT_GLOBAL_USER_ACL as groupGlobalACL.

public UnionMailboxACLResolver(MailboxACL userGlobalACL, MailboxACL groupGlobalACL)
Parameters:
groupGlobalACL -
globalACL - see userGlobalACL, cannot be null.
Throws:
NullPointerException - when globalACL is null.

protected static boolean applies(MailboxACL.MailboxACLEntryKey aclKey, MailboxACL.MailboxACLEntryKey queryKey, GroupMembershipResolver groupMembershipResolver, String resourceOwner, boolean resourceOwnerIsGroup)
aclKey MailboxACL.MailboxACLEntryKey is applicable for the given queryKey.

There are two use cases for which this method was designed and tested:

(1) Calls from #hasRight(String, GroupMembershipResolver, MailboxACLRight, MailboxACL, String, boolean) and resolveRights(String, GroupMembershipResolver, MailboxACL, String, boolean) in which the queryKey is a MailboxACL.NameType.user.

(2) Calls from #listRights(MailboxACLEntryKey, GroupMembershipResolver, String, boolean) where queryKey can be anything including MailboxACL.NameType.user, MailboxACL.NameType.group and all MailboxACL.NameType.special identifiers.

Clearly the set of cases which this method has to handle in (1) is a proper subset of the cases handled in (2). See the javadoc on #listRights(MailboxACLEntryKey, GroupMembershipResolver, String, boolean) for more details.

Parameters:
aclKey -
queryKey -
groupMembershipResolver -
resourceOwner -
resourceOwnerIsGroup -

public MailboxACL applyGlobalACL(MailboxACL resourceACL, boolean resourceOwnerIsGroup) throws UnsupportedRightException
Applies global ACL to the given resourceACL. From RFC 4314:

An implementation [...] MAY force rights to always or never be granted to particular identifiers.

Specified by:
applyGlobalACL in interface MailboxACLResolver
Throws:
UnsupportedRightException
See Also:
org.apache.james.mailbox.MailboxACLResolver#applyGlobalACL(org.apache.james.mailbox.MailboxACL, boolean)

public boolean hasRight(String requestUser, GroupMembershipResolver groupMembershipResolver, MailboxACL.MailboxACLRight right, MailboxACL resourceACL, String resourceOwner, boolean resourceOwnerIsGroup) throws UnsupportedRightException
Tells whether the given user has the given right granted on the basis of the given resourceACL.

Specified by:
hasRight in interface MailboxACLResolver
Parameters:
requestUser - the user for whom the given right is tested, possibly null when there is no authenticated user in the given context.
groupMembershipResolver - this resolver is used when checking whether any group rights contained in resourceACL are applicable for the requestUser.
right - the right which will be proven to apply for the given requestUser.
resourceACL - the ACL defining the access right for the resource in question.
resourceOwner - this user name is used as a replacement for the "owner" placeholder in the resourceACL.
resourceOwnerIsGroup - true if the resourceOwner is a group of users, false otherwise.
Throws:
UnsupportedRightException
See Also:
org.apache.james.mailbox.store.mail.MailboxACLResolver#hasRight(java.lang.String, org.apache.james.mailbox.store.mail.MailboxACLResolver.GroupMembershipResolver, org.apache.james.mailbox.MailboxACL.MailboxACLRight, org.apache.james.mailbox.MailboxACL, java.lang.String)

public boolean isReadWrite(MailboxACL.MailboxACLRights mailboxACLRights, javax.mail.Flags sharedFlags) throws UnsupportedRightException
Maps the given mailboxACLRights to READ-WRITE and READ-ONLY response codes.

From RFC 4314 section 5.2:

The server SHOULD include a READ-WRITE response code in the tagged OK response if at least one of the "i", "e", or "shared flag rights"(***) is granted to the current user.

The server MUST include a READ-ONLY response code in the tagged OK response to a SELECT command if none of the following rights is granted to the current user: "i", "e", and "shared flag rights"(***).

Specified by:
isReadWrite in interface MailboxACLResolver
Parameters:
mailboxACLRights - the rights applicable to the user and resource in question. This method supposes that any global ACLs were already applied to the mailboxACLRights parameter before this method is called.
sharedFlags - From RFC 4314 section 5.2: If the ACL server implements some flags as shared for a mailbox (i.e., the ACL for the mailbox MAY be set up so that changes to those flags are visible to another user), let’s call the set of rights associated with these flags (as described in Section 4) for that mailbox collectively as "shared flag rights". Note that the "shared flag rights" set MAY be different for different mailboxes. If the server doesn’t support "shared multiuser write access" to a mailbox or doesn’t implement shared flags on the mailbox, "shared flag rights" for the mailbox is defined to be the empty set.
Throws:
UnsupportedRightException
See Also:
MailboxACLResolver.isReadWrite(org.apache.james.mailbox.model.MailboxACL.MailboxACLRights, javax.mail.Flags)

public MailboxACL.MailboxACLRights[] listRights(MailboxACL.MailboxACLEntryKey queryKey, GroupMembershipResolver groupMembershipResolver, String resourceOwner, boolean resourceOwnerIsGroup) throws UnsupportedRightException
The key point of this implementation is that it resolves everything that can be resolved.

queryKey is a user key, the rights included come from the following ACL entries:
queryKey is a group key, the rights included come from the following ACL entries:
queryKey is a special key, the rights included come from the following ACL entries:
queryKey is the "owner" query key (*)

Specified by:
listRights in interface MailboxACLResolver
Parameters:
queryKey - the identifier from the LISTRIGHTS command
resourceOwner - the owner of the mailbox named in the LISTRIGHTS command. User name or group name.
resourceOwnerIsGroup - true if the resourceOwner is a group of users, false otherwise.
Returns:
MailboxACL.MailboxACLRights. The first element is the set of implicit (global) rights which do not need to be set explicitly for the given identifier. Further elements are groups of rights which can be set for the given identifier and resource.
Throws:
UnsupportedRightException
See Also:
org.apache.james.mailbox.acl.MailboxACLResolver#listRightsDefault(boolean)

public MailboxACL.MailboxACLRights resolveRights(String requestUser, GroupMembershipResolver groupMembershipResolver, MailboxACL resourceACL, String resourceOwner, boolean resourceOwnerIsGroup) throws UnsupportedRightException
Computes the rights which apply to the given user and resource.

Specified by:
resolveRights in interface MailboxACLResolver
Parameters:
requestUser - the user for whom the rights are computed, possibly null when there is no authenticated user in the given context.
groupMembershipResolver - this resolver is used when checking whether any group rights contained in resourceACL are applicable for the requestUser.
resourceACL - the ACL defining the access right for the resource in question.
resourceOwner - this user name is used as a replacement for the "owner" placeholder in the resourceACL.
resourceOwnerIsGroup - true if the resourceOwner is a group of users, false otherwise.
Throws:
UnsupportedRightException
See Also:
org.apache.james.mailbox.store.mail.MailboxACLResolver#rightsOf(java.lang.String, org.apache.james.mailbox.store.mail.MailboxACLResolver.GroupMembershipResolver, org.apache.james.mailbox.MailboxACL, java.lang.String)
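
The union-then-except resolution from the class description and the RFC 4314 section 5.2 READ-WRITE mapping from isReadWrite, as an added stand-alone Java model that is not Apache James code. The Entry record, the resolve and isReadWrite helpers and the sample ACL are constructed for illustration; only user and group entries are modelled (no "owner" or other special identifiers), and the shared flag rights are assumed to be "w" and "t".

```java
import java.util.*;
import java.util.function.BiPredicate;

// Stand-alone model of the resolution rules on this page; it does not call
// the Apache James classes, and every name below is illustrative.
public class UnionAclModel {
    // One ACL entry. "negative" models an RFC 4314 "-identifier" entry.
    record Entry(String name, boolean group, boolean negative, String rights) {}

    // Union positive and negative rights separately, then subtract.
    static Set<Character> resolve(String user, List<Entry> acl,
                                  BiPredicate<String, String> isMember) {
        Set<Character> positive = new TreeSet<>();
        Set<Character> negative = new TreeSet<>();
        for (Entry e : acl) {
            boolean applies = e.group() ? isMember.test(user, e.name())
                                        : e.name().equals(user);
            if (!applies) continue;
            for (char c : e.rights().toCharArray())
                (e.negative() ? negative : positive).add(c);
        }
        positive.removeAll(negative); // nonNegativeUnion.except(negativeUnion)
        return positive;
    }

    // RFC 4314 section 5.2: READ-WRITE if "i", "e" or any shared flag right
    // is granted, READ-ONLY otherwise.
    static boolean isReadWrite(Set<Character> rights, Set<Character> sharedFlagRights) {
        return rights.contains('i') || rights.contains('e')
                || !Collections.disjoint(rights, sharedFlagRights);
    }

    public static void main(String[] args) {
        // Constructed sample data: one shared mailbox, two groups, three users.
        List<Entry> acl = List.of(
                new Entry("staff", true, false, "lrswi"),
                new Entry("alice", false, false, "te"),
                new Entry("contractors", true, true, "swite"));
        Map<String, Set<String>> groups = Map.of(
                "alice", Set.of("staff", "contractors"),
                "bob", Set.of("staff"));
        BiPredicate<String, String> isMember = (u, g) -> groups.getOrDefault(u, Set.of()).contains(g);
        Set<Character> shared = Set.of('w', 't'); // assumed shared flag rights
        for (String user : List.of("alice", "bob", "carol")) {
            Set<Character> r = resolve(user, acl, isMember);
            System.out.println(user + " " + r + (isReadWrite(r, shared) ? " READ-WRITE" : " READ-ONLY"));
        }
    }
}
```

Because subtraction happens after both unions are complete, a negative entry on any applicable identifier removes a right even when a more specific entry grants it, independent of entry order.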
Copyright © 2010-2012 The Apache Software Foundation. All Rights Reserved.