User's Manual

Chapter 10. Kernel Tutorial
10.1.2. Revoking Access
Revoking a privilege on an object from a party is accomplished by creating a PermissionDescriptor
and passing it to PermissionService.revokePermission. The following example revokes
read privilege on MyACSObject 50 from Group 5:

    import java.math.BigDecimal;
    import com.arsdigita.kernel.permissions.PermissionService;
    import com.arsdigita.kernel.permissions.PermissionDescriptor;
    import com.arsdigita.kernel.permissions.PrivilegeDescriptor;
    import com.arsdigita.persistence.OID;

    // The object the privilege applies to: MyACSObject 50.
    OID acsObject = new OID("example.MyACSObject",
                            new BigDecimal(50));
    // The party losing the privilege: Group 5.
    OID party = new OID("com.arsdigita.kernel.Group", new BigDecimal(5));
    PermissionDescriptor perm =
        new PermissionDescriptor(PrivilegeDescriptor.READ,
                                 acsObject, party);
    PermissionService.revokePermission(perm);

The next example revokes admin privilege on all objects from User 100:

    import java.math.BigDecimal;
    import com.arsdigita.kernel.permissions.PermissionService;
    import com.arsdigita.kernel.permissions.PermissionDescriptor;
    import com.arsdigita.kernel.permissions.UniversalPermissionDescriptor;
    import com.arsdigita.kernel.permissions.PrivilegeDescriptor;
    import com.arsdigita.persistence.OID;

    // The party losing the privilege: User 100.
    OID party = new OID("com.arsdigita.kernel.User", new BigDecimal(100));
    // A universal descriptor names no object: it covers all objects.
    PermissionDescriptor perm =
        new UniversalPermissionDescriptor(PrivilegeDescriptor.ADMIN,
                                          party);
    PermissionService.revokePermission(perm);

10.1.3. Basic Access Check
The basic access check indicates whether a user has a privilege on an object. User X has privilege Y
on object Z if either of the following is true:

- Privilege Y or admin has been granted universally to user X or some group to which X belongs.
- Privilege Y or admin has been granted on object Z or some object from which Z inherits
  permissions (via Z’s context) to user X or some group to which X belongs.
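
The rule above, as an added example that is not part of the original manual or of the kernel's code: a simplified in-memory model showing why revoking one grant does not necessarily deny access. The class AccessCheckModel, its fields and the string identifiers are hypothetical and constructed for illustration; they are not the PermissionService API.

```java
import java.util.*;

// Simplified in-memory model of the access-check rule; hypothetical, not the kernel's implementation.
public class AccessCheckModel {
    // objectId == null models a universal grant (all objects).
    record Grant(String privilege, String partyId, String objectId) {}

    final Set<Grant> grants = new HashSet<>();
    final Map<String, Set<String>> groupsOf = new HashMap<>(); // user -> groups it belongs to
    final Map<String, String> contextOf = new HashMap<>();     // object -> its permission context

    boolean check(String user, String privilege, String object) {
        // Parties that count: user X plus every group to which X belongs.
        Set<String> parties = new HashSet<>(groupsOf.getOrDefault(user, Set.of()));
        parties.add(user);
        // Objects that count: universal (null), Z itself, then Z's context chain.
        List<String> objects = new ArrayList<>();
        objects.add(null);
        Set<String> seen = new HashSet<>(); // guards against a cyclic context chain
        for (String o = object; o != null && seen.add(o); o = contextOf.get(o)) {
            objects.add(o);
        }
        for (String p : parties)
            for (String o : objects)
                for (String priv : List.of(privilege, "admin")) // admin satisfies any privilege Y
                    if (grants.contains(new Grant(priv, p, o))) return true;
        return false;
    }

    public static void main(String[] args) {
        AccessCheckModel m = new AccessCheckModel();
        // Constructed sample data: User 100 is in Group 5; object 50 inherits from folder 7.
        m.groupsOf.put("user:100", Set.of("group:5"));
        m.contextOf.put("obj:50", "folder:7");
        m.grants.add(new Grant("read", "group:5", "obj:50"));
        m.grants.add(new Grant("admin", "group:5", "folder:7"));

        System.out.println(m.check("user:100", "read", "obj:50"));
        // Revoke only the direct read grant, then check again.
        m.grants.remove(new Grant("read", "group:5", "obj:50"));
        System.out.println(m.check("user:100", "read", "obj:50"));
        // Revoke the admin grant on the context object, then check again.
        m.grants.remove(new Grant("admin", "group:5", "folder:7"));
        System.out.println(m.check("user:100", "read", "obj:50"));
    }
}
```

In this model the second check still succeeds, because the admin grant on the context object satisfies the rule after the direct read grant is gone; access is denied only once every qualifying grant is removed.
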
To perform this check, you create a PermissionDescriptor and pass it to
PermissionService.checkPermission. The following example checks read privilege on MyACSObject 50 for
User 100:

    import java.math.BigDecimal;
    import com.arsdigita.kernel.permissions.PermissionService;
    import com.arsdigita.kernel.permissions.PermissionDescriptor;
    import com.arsdigita.kernel.permissions.PrivilegeDescriptor;
    import com.arsdigita.persistence.OID;

    // The object being checked: MyACSObject 50.
    OID acsObject = new OID("example.MyACSObject",
                            new BigDecimal(50));