Unified API Developer Manual / Version 2107
Table Of ContentsThe AccessControl service of the content repository is responsible for maintaining the set of rights rules and for evaluating the rules to determine whether a user is allowed to perform a certain operation on content objects or not.
Overview Of Rights
The following rights are defined for the Unified API:
| Right | Affected Operations |
|---|---|
| READ | read content |
| WRITE | write content |
| DELETE | move content to or from the recycle bin; destroy content; mark or unmark content for deletion or withdrawal |
| APPROVE | approve places and versions |
| PUBLISH | publish content |
| SUPERVISE | assign rights rules to content |
Table 5.1. Rights for the Unified API
Instances of the class
com.coremedia.cap.content.authorization.Right
represent the rights defined here.
Right
objects are readily provided as constants, but also be created from shorthand characters. The
rights SET_TO_BE_WITHDRAWN and SET_TO_BE_DELETED are aliases for the
DELETE right.
Please have a look at the Content Server Manual for a more detailed discussion of rights and for a specification of how rights are derived from rules. That manual refers to the so-called folder right, which is represented in the Unified API as a combination of the write right and the delete right in rules that apply to the folder document type.
Checking Rights
The rights checks are performed by the methods mayRead(Content),
mayApprove(Content), and the like. While most checks depend only on the given
content object, the mayCreate(...) method must also be informed about the
document type to be created.
Some of the methods also take the content's current state into account when computing the
rights. For example, mayCheckIn(Content) will only return true when the content
in question is actually checked-out and it takes into account that the user who checked out
the content has special rights when it comes to checking it in.
There are convenience methods for checking an entire collection of content objects with one
call. Such methods only grant a right if it would be granted on each individual content. There
are generic mayPerform(...) methods, which are passed a
Right
object that denotes the actual operation to check.
Normally, the rights are checked for the user of the current session, but it is possible to specify a set of groups and compute the rights assuming the user is a member of exactly these groups.
Setting Rights Rules
Rights checks are based on rules. The AccessControl service offers methods for retrieving all rules or a subset thereof as a collection of Rule objects. Rule objects are a compact representation of all parameters that make up a rule: a content, a type, a group, and a rights mask. They do not provide modifying operations themselves. Instead, the AccessControl service provides methods for creating, modifying, and deleting rules.
Using the AccessControl service, it is also possible to check whether a rule already exists. Furthermore, you can retrieve all rules that apply to a certain content or group, respectively.
