Package ubic.gemma.persistence.util

Class AclQueryUtils

java.lang.Object

ubic.gemma.persistence.util.AclQueryUtils

public class AclQueryUtils
extends Object

Utilities for integrating ACL into Query.

To build a query, sequentially proceed as follows:

1. form your select clause and your jointures
2. concatenate formAclRestrictionClause(String) or formNativeAclJoinClause(String) in the jointure section
3. form where clause and add your constraints
4. concatenate formNativeAclRestrictionClause(SessionFactoryImplementor) in the clause section (only for native queries)
5. bind all your parameters
6. bind ACL-specific parameters with addAclParameters(Query, Class) to the query object

Author:

poirigui

Field Summary

Fields

Modifier and Type	Field	Description
static final String	AOI_ALIAS	Alias used by formAclRestrictionClause(String, int) and formNativeAclJoinClause(String) for the object identity AclObjectIdentity and the owner identity AclSid.
static final String	SID_ALIAS	Alias used by formAclRestrictionClause(String, int) and formNativeAclJoinClause(String) for the object identity AclObjectIdentity and the owner identity AclSid.

Constructor Summary

Constructors

Constructor	Description
AclQueryUtils()

Method Summary

Modifier and Type	Method	Description
static void	addAclParameters(Query query, Class<? extends Securable> aoiType)	Bind Query parameters to a join clause generated with formAclRestrictionClause(String) and add ACL restriction parameters defined in formAclRestrictionClause(String).
static String	formAclRestrictionClause(String aoiIdColumn)	Create a HQL restriction clause with the BasePermission.READ permission.
static String	formAclRestrictionClause(String aoiIdColumn, int mask)	Create an HQL join clause for AclObjectIdentity, AclGrantedAuthoritySid and a restriction clause to limit the result only to objects the current user can access.
static String	formNativeAclJoinClause(String aoiIdColumn)	Native SQL flavour of the ACL jointure.
static String	formNativeAclRestrictionClause(SessionFactoryImplementor sessionFactoryImplementor)	Native flavour of the ACL restriction clause with a BasePermission.READ permission.
static String	formNativeAclRestrictionClause(SessionFactoryImplementor sessionFactoryImplementor, int mask)	Native flavour of the ACL restriction clause.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

AOI_ALIAS

public static final String AOI_ALIAS

Alias used by formAclRestrictionClause(String, int) and formNativeAclJoinClause(String) for the object identity AclObjectIdentity and the owner identity AclSid.

See Also:

• Constant Field Values

SID_ALIAS

public static final String SID_ALIAS

Alias used by formAclRestrictionClause(String, int) and formNativeAclJoinClause(String) for the object identity AclObjectIdentity and the owner identity AclSid.

See Also:

• Constant Field Values

Constructor Details

AclQueryUtils

public AclQueryUtils()

Method Details

formAclRestrictionClause

public static String formAclRestrictionClause(String aoiIdColumn)

Create a HQL restriction clause with the BasePermission.READ permission.

See Also:

• formAclRestrictionClause(String, int)

formAclRestrictionClause

public static String formAclRestrictionClause(String aoiIdColumn,
 int mask)

Create an HQL join clause for AclObjectIdentity, AclGrantedAuthoritySid and a restriction clause to limit the result only to objects the current user can access.

Ensure that you use addAclParameters(Query, Class) afterward to bind the query parameters.

Important note: when using this, ensure that you have a group by clause in your query, otherwise entities with multiple ACL entries will be duplicated in the results.

FIXME: this ACL jointure is really annoying because it is one-to-many, maybe handling everything in a sub-query would be preferable?

Parameters:

aoiIdColumn - column name to match against the ACL object identity, the object class is passed via addAclParameters(Query, Class) afterward

mask - a mask with requested permissions

Returns:

clause to add to the query after any jointure

formNativeAclJoinClause

public static String formNativeAclJoinClause(String aoiIdColumn)

Native SQL flavour of the ACL jointure.

Note: unlike the HQL version, this query uses on to restrict the jointure, so you can define the where clause yourself.

Important note: when using this, ensure that you have a group by clause in your query, otherwise entities with multiple ACL entries will be duplicated in the results.

Parameters:

aoiIdColumn - column name to match against the ACL object identity, the object class is passed via addAclParameters(Query, Class) afterward

See Also:

• formAclRestrictionClause(String)

formNativeAclRestrictionClause

public static String formNativeAclRestrictionClause(SessionFactoryImplementor sessionFactoryImplementor)

Native flavour of the ACL restriction clause with a BasePermission.READ permission.

See Also:

• formNativeAclRestrictionClause(SessionFactoryImplementor, int)

formNativeAclRestrictionClause

public static String formNativeAclRestrictionClause(SessionFactoryImplementor sessionFactoryImplementor,
 int mask)

Native flavour of the ACL restriction clause.

Parameters:

sessionFactoryImplementor - a session factory implementor that will be used to adjust the SQL generated based on the dialect

mask - a mask with requested permissions

See Also:

• formAclRestrictionClause(String, int)

addAclParameters

public static void addAclParameters(Query query,
 Class<? extends Securable> aoiType)
                             throws QueryParameterException

Bind Query parameters to a join clause generated with formAclRestrictionClause(String) and add ACL restriction parameters defined in formAclRestrictionClause(String).

This method also work for native queries formed with formNativeAclJoinClause(String) and formNativeAclRestrictionClause(SessionFactoryImplementor).

Parameters:

query - a Query object that contains the join and restriction clauses

aoiType - the AOI type to be bound in the query

Throws:

QueryParameterException - if any defined parameters are missing, which is typically due to a missing prior formAclRestrictionClause(String).