Unified API Developer Manual / Version 2010

5.4 Access Control

The AccessControl service of the content repository is responsible for maintaining the set of rights rules and for evaluating the rules to determine whether a user is allowed to perform a certain operation on content objects or not.

Overview Of Rights

The following rights are defined for the Unified API:

| Right | Affected Operations |
|-----------|---------------------|
| READ | read content |
| WRITE | write content |
| DELETE | move content to or from the recycle bin; destroy content; mark or unmark content for deletion or withdrawal |
| APPROVE | approve places and versions |
| PUBLISH | publish content |
| SUPERVISE | assign rights rules to content |

Table 5.1. Rights for the Unified API


Instances of the class com.coremedia.cap.content.authorization.Right represent the rights defined here. Right objects are readily provided as constants, but can also be created from shorthand characters. The rights SET_TO_BE_WITHDRAWN and SET_TO_BE_DELETED are aliases for the DELETE right.

Please have a look at the Content Server Manual for a more detailed discussion of rights and for a specification of how rights are derived from rules. That manual refers to the so-called folder right, which is represented in the Unified API as a combination of the write right and the delete right in rules that apply to the folder document type.

Checking Rights

The rights checks are performed by the methods mayRead(Content), mayApprove(Content), and the like. While most checks depend only on the given content object, the mayCreate(...) method must also be informed about the document type to be created.

Some of the methods also take the content's current state into account when computing the rights. For example, mayCheckIn(Content) returns true only when the content in question is actually checked out, and it takes into account that the user who checked out the content has special rights when it comes to checking it in.

There are convenience methods for checking an entire collection of content objects with one call. Such methods only grant a right if it would be granted on each individual content. There are generic mayPerform(...) methods, which are passed a Right object that denotes the actual operation to check.

Normally, the rights are checked for the user of the current session, but it is possible to specify a set of groups and compute the rights assuming the user is a member of exactly these groups.
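The all-or-nothing behaviour of the collection checks described in this section, as an added example (not code from this manual or from CoreMedia): a fail-closed guard for bulk operations that also reports which items refused the right, something a single boolean cannot tell you. The `Right` enum and the `BiPredicate` check are stand-ins so the class compiles without the Unified API; with the real service, the `mayPerform(...)` method named above would take the predicate's place, assuming an overload that accepts one content object and a Right.

```java
import java.util.*;
import java.util.function.BiPredicate;

// Added example, not CoreMedia code. The per-item check is passed in as a
// BiPredicate so the class runs without the Unified API on the classpath.
public class BulkRightsGuard {

    // Stand-in for com.coremedia.cap.content.authorization.Right (names from Table 5.1).
    enum Right { READ, WRITE, DELETE, APPROVE, PUBLISH, SUPERVISE }

    // Returns the items on which the right is NOT granted (empty list = allowed).
    static <C> List<C> denied(Collection<C> contents, Right right,
                              BiPredicate<C, Right> mayPerform) {
        List<C> result = new ArrayList<>();
        for (C c : contents) {
            if (!mayPerform.test(c, right)) result.add(c);
        }
        return result;
    }

    // Fail closed: run the operation only if every item grants the right,
    // mirroring the all-or-nothing semantics of the collection checks.
    static <C> void performAll(Collection<C> contents, Right right,
                               BiPredicate<C, Right> mayPerform, Runnable operation) {
        List<C> refused = denied(contents, right, mayPerform);
        if (!refused.isEmpty()) {
            throw new SecurityException(right + " denied on " + refused);
        }
        operation.run();
    }

    public static void main(String[] args) {
        // Constructed sample data: content path -> rights the current user holds.
        Map<String, EnumSet<Right>> granted = new LinkedHashMap<>();
        granted.put("/Sites/News/article-1", EnumSet.of(Right.READ, Right.WRITE, Right.PUBLISH));
        granted.put("/Sites/News/article-2", EnumSet.of(Right.READ, Right.WRITE));
        BiPredicate<String, Right> check = (c, r) -> granted.get(c).contains(r);

        performAll(granted.keySet(), Right.WRITE, check,
                   () -> System.out.println("WRITE allowed on all items"));
        try {
            performAll(granted.keySet(), Right.PUBLISH, check,
                       () -> System.out.println("unreachable"));
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```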

Setting Rights Rules

Rights checks are based on rules. The AccessControl service offers methods for retrieving all rules or a subset thereof as a collection of Rule objects. Rule objects are a compact representation of all parameters that make up a rule: a content, a type, a group, and a rights mask. They do not provide modifying operations themselves. Instead, the AccessControl service provides methods for creating, modifying, and deleting rules.

Using the AccessControl service, it is also possible to check whether a rule already exists. Furthermore, you can retrieve all rules that apply to a certain content or group, respectively.
