User's Manual

ManualsBrandsRed Hat ManualsTV ReceiverRed Hat Red Hat Web Application Framework 6.1

111

112

113

114

115

116

117

118

119

120

Chapter 10. Kernel Tutorial 105

OID party = new OID("com.arsdigita.kernel.User", new BigDecimal(100));

PermissionDescriptor perm =

new PermissionDescriptor(PrivilegeDescriptor.READ,

acsObject, party);

if (PermissionService.checkPermission(perm)) {

// user 100 has read access on object 50

} else {

// user 100 does NOT have read access on object 50.

// You might handle this case by displaying an

// "access forbidden" message.

}

As the previous examples have shown, operations performed on PermissionDescriptor can also

be performed on UniversalPermissionDescriptor when dealing with universal access control

(that is, access to all objects). The same applies for PermissionService.checkPermission().

The following example checks whether user 100 has admin privilege universally:

import com.arsdigita.kernel.permissions.PermissionService;

import com.arsdigita.kernel.permissions.UniversalPermissionDescriptor;

import com.arsdigita.kernel.permissions.PrivilegeDescriptor;

import com.arsdigita.persistence.OID;

OID party = new OID("com.arsdigita.kernel.User", new BigDecimal(100));

PermissionDescriptor perm =

new PermissionDescriptor(PrivilegeDescriptor.ADMIN,

party);

if (PermissionService.checkPermission(perm)) {

// user 100 has admin access universally (that is, on all objects).

} else {

// user 100 does not universal admin access universally.

// You might handle this case by displaying an

// "access forbidden" message.

}

10.1.4. Allowed Targets Check

The allowed targets check is performed on a DomainCollection or DataCollection in order to

ﬁlter the result set of domain/data objects to only those on which a given user has a given privilege.

The rules for determining whether a given user has a given privilege on an object are described in

Section 10.1.3 Basic Access Check.

You can be perform this ﬁltering by using either PermissionSer-

vice.filterObjects(DomainCollection, PrivilegeDescriptor, Party) or

PermissionService.filterObjects(DataCollection, PrivilegeDescriptor,

Party). The following example retrieves all MyACSObjects on which User 100 has read

privilege:

import com.arsdigita.kernel.permissions.PermissionService;

import com.arsdigita.kernel.permissions.PermissionDescriptor;

import com.arsdigita.kernel.permissions.PrivilegeDescriptor;

import com.arsdigita.persistence.OID;

import com.arsdigita.persistence.DataCollection;

import com.arsdigita.persistence.SessionManager;