Index: oak-core/src/main/java/org/apache/jackrabbit/oak/core/ImmutableRoot.java
===================================================================
--- oak-core/src/main/java/org/apache/jackrabbit/oak/core/ImmutableRoot.java (revision 1658909)
+++ oak-core/src/main/java/org/apache/jackrabbit/oak/core/ImmutableRoot.java (working copy)
@@ -127,7 +127,7 @@
return new ExecutionContext(
rootTree.getNodeState(), ImmutableRoot.this,
new QueryEngineSettings(),
- new PropertyIndexProvider());
+ new PropertyIndexProvider(), null);
}
};
}
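Review bot: The bare `null` passed as the new fifth argument to `ExecutionContext` carries no comment saying why an ImmutableRoot supplies no PermissionProvider. Queries built from this context will see `getPermissionProvider()` return null, so any caller that checks read access through it has to handle that case. I would add a comment above the call such as `// no PermissionProvider for an immutable root; callers must null-check getPermissionProvider()`. The enclosing method starts outside the hunk.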
Index: oak-core/src/main/java/org/apache/jackrabbit/oak/core/MutableRoot.java
===================================================================
--- oak-core/src/main/java/org/apache/jackrabbit/oak/core/MutableRoot.java (revision 1658909)
+++ oak-core/src/main/java/org/apache/jackrabbit/oak/core/MutableRoot.java (working copy)
@@ -306,7 +306,7 @@
provider, getBaseState(), getRootState());
}
return new ExecutionContext(
- getBaseState(), MutableRoot.this, queryEngineSettings, provider);
+ getBaseState(), MutableRoot.this, queryEngineSettings, provider, permissionProvider.get());
}
};
}
Index: oak-core/src/main/java/org/apache/jackrabbit/oak/query/ExecutionContext.java
===================================================================
--- oak-core/src/main/java/org/apache/jackrabbit/oak/query/ExecutionContext.java (revision 1658909)
+++ oak-core/src/main/java/org/apache/jackrabbit/oak/query/ExecutionContext.java (working copy)
@@ -19,10 +19,12 @@
package org.apache.jackrabbit.oak.query;
+import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.spi.query.QueryIndexProvider;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.state.NodeState;
/**
@@ -43,14 +45,17 @@
private final QueryIndexProvider indexProvider;
+ private final PermissionProvider permissionProvider;
+
public ExecutionContext(
NodeState baseState, Root root,
QueryEngineSettings settings,
- QueryIndexProvider indexProvider) {
+ QueryIndexProvider indexProvider, PermissionProvider permissionProvider) {
this.baseState = baseState;
this.root = root;
this.settings = settings;
this.indexProvider = indexProvider;
+ this.permissionProvider = permissionProvider;
}
/**
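Review bot: The new constructor parameter `permissionProvider` is not annotated as nullable, although the getter added further down in this file is `@CheckForNull` and ImmutableRoot passes `null` for it. Declaring it as `@Nullable PermissionProvider permissionProvider` (with the `javax.annotation.Nullable` import) and commenting the field, e.g. `// may be null when the root supplies no permission evaluation`, would make the contract visible at the point of construction. The constructor has no Javadoc in the hunk; a `@param` line stating what null means for access checks would tell callers whether to deny or to skip the check.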
@@ -87,5 +92,9 @@
public QueryEngineSettings getSettings() {
return settings;
}
-
+
+ @CheckForNull
+ public PermissionProvider getPermissionProvider() {
+ return permissionProvider;
+ }
}
Index: oak-core/src/main/java/org/apache/jackrabbit/oak/query/QueryImpl.java
===================================================================
--- oak-core/src/main/java/org/apache/jackrabbit/oak/query/QueryImpl.java (revision 1658909)
+++ oak-core/src/main/java/org/apache/jackrabbit/oak/query/QueryImpl.java (working copy)
@@ -22,6 +22,8 @@
import java.util.List;
import java.util.Set;
+import javax.annotation.CheckForNull;
+
import org.apache.jackrabbit.oak.api.PropertyValue;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
@@ -77,6 +79,7 @@
import org.apache.jackrabbit.oak.spi.query.QueryIndex.OrderEntry;
import org.apache.jackrabbit.oak.spi.query.QueryIndex.OrderEntry.Order;
import org.apache.jackrabbit.oak.spi.query.QueryIndexProvider;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.apache.jackrabbit.oak.spi.state.NodeStateUtils;
import org.slf4j.Logger;
@@ -987,6 +990,11 @@
public QueryEngineSettings getSettings() {
return settings;
}
+
+ @CheckForNull
+ public PermissionProvider getPermissionProvider() {
+ return context.getPermissionProvider();
+ }
@Override
public void setInternal(boolean isInternal) {
Index: oak-core/src/main/java/org/apache/jackrabbit/oak/query/ast/SelectorImpl.java
===================================================================
--- oak-core/src/main/java/org/apache/jackrabbit/oak/query/ast/SelectorImpl.java (revision 1658909)
+++ oak-core/src/main/java/org/apache/jackrabbit/oak/query/ast/SelectorImpl.java (working copy)
@@ -37,7 +37,9 @@
import java.util.List;
import java.util.Set;
+import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
+import javax.jcr.Session;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.PropertyValue;
@@ -57,6 +59,7 @@
import org.apache.jackrabbit.oak.spi.query.QueryIndex;
import org.apache.jackrabbit.oak.spi.query.QueryIndex.AdvancedQueryIndex;
import org.apache.jackrabbit.oak.spi.query.QueryIndex.IndexPlan;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -635,13 +638,9 @@
} else if (oakPropertyName.equals(QueryImpl.REP_EXCERPT)) {
result = currentRow.getValue(QueryImpl.REP_EXCERPT);
} else if (oakPropertyName.equals(QueryImpl.REP_SPELLCHECK)) {
- // TODO : filter spellcheck corrections by ACLs ?
result = currentRow.getValue(QueryImpl.REP_SPELLCHECK);
} else if (oakPropertyName.equals(QueryImpl.REP_SUGGEST)) {
- // TODO : filter suggestions by ACLs
- PropertyValue value = currentRow.getValue(QueryImpl.REP_SUGGEST);
-
- result = value;
+ result = currentRow.getValue(QueryImpl.REP_SUGGEST);
} else {
result = PropertyValues.create(t.getProperty(oakPropertyName));
}
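Review bot: Both TODO comments about filtering spellcheck corrections and suggestions by ACLs are removed here, but the `REP_SPELLCHECK` and `REP_SUGGEST` branches still return `currentRow.getValue(...)` unchanged. Nothing visible in this patch calls the new `isAccessible(path)`, so the filtering presumably lives in an index implementation outside this diff; if so, a comment should say that, e.g. `// suggestions are expected to be filtered by read access in the index via isAccessible(path)`. If no filtering happens yet, the TODOs should stay, since suggestion and spellcheck terms can be derived from content the querying session cannot read. The enclosing method starts and ends outside the hunk.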
@@ -752,4 +751,18 @@
return this.outerJoinRightHandSide;
}
+ @CheckForNull
+ public PermissionProvider getPermissionProvider() {
+ return query.getPermissionProvider();
+ }
+
+ /**
+ * check whether a certain (valid) path is accessible (can be read) from the user associated with the query Session
+ * @param path a valid JCR path
+ * @return true if path can be read by the calling user, false otherwise.
+ */
+ public boolean isAccessible(String path) {
+ return query.getPermissionProvider().isGranted(path, Session.ACTION_READ);
+ }
+
}
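Review bot: `isAccessible` dereferences `query.getPermissionProvider()` directly, although the accessor added just above it is `@CheckForNull` and ImmutableRoot constructs its ExecutionContext with `null`, so a query on an immutable root would throw a NullPointerException here. A guard that denies when no provider is present keeps the check fail-closed: `PermissionProvider pp = query.getPermissionProvider();` followed by `return pp != null && pp.isGranted(path, Session.ACTION_READ);`. Whether a missing provider should instead mean "no restriction" needs an explicit decision, stated in the Javadoc. The Javadoc should also say whether `path` is a JCR path or an Oak path, since it is handed to `isGranted` without any mapping.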