Red Hat Web Application Framework 6.1 用户手册
104
Chapter 10. Kernel Tutorial
10.1.2. Revoking Access
Revoking a privilege on an object from a party is accomplished by creating a
PermissionDescrip-
tor
and passing it to
PermissionService.revokePermission
. The following example revokes
read
privilege on
MyACSObject 50
from
Group 5
:
import com.arsdigita.kernel.permissions.PermissionService;
import com.arsdigita.kernel.permissions.PermissionDescriptor;
import com.arsdigita.kernel.permissions.PrivilegeDescriptor;
import com.arsdigita.persistence.OID;
import com.arsdigita.kernel.permissions.PermissionDescriptor;
import com.arsdigita.kernel.permissions.PrivilegeDescriptor;
import com.arsdigita.persistence.OID;
OID acsObject = new OID("example.MyACSObject",
new BigDecimal(50));
new BigDecimal(50));
OID party = new OID("com.arsdigita.kernel.Group", new BigDecimal(5));
PermissionDescriptor perm =
new PermissionDescriptor(PrivilegeDescriptor.READ,
acsObject, party);
new PermissionDescriptor(PrivilegeDescriptor.READ,
acsObject, party);
PermissionService.revokePermission(perm);
The next example revokes
admin
privilege on all objects from
User 100
:
import com.arsdigita.kernel.permissions.PermissionService;
import com.arsdigita.kernel.permissions.UniversalPermissionDescriptor;
import com.arsdigita.kernel.permissions.PrivilegeDescriptor;
import com.arsdigita.persistence.OID;
import com.arsdigita.kernel.permissions.UniversalPermissionDescriptor;
import com.arsdigita.kernel.permissions.PrivilegeDescriptor;
import com.arsdigita.persistence.OID;
OID party = new OID("com.arsdigita.kernel.User", new BigDecimal(100));
PermissionDescriptor perm =
new UniversalPermissionDescriptor(PrivilegeDescriptor.ADMIN,
party);
new UniversalPermissionDescriptor(PrivilegeDescriptor.ADMIN,
party);
PermissionService.revokePermission(perm);
10.1.3. Basic Access Check
The basic access check indicate whether a user has a privilege on an object. User X has privilege Y
on object Z if either of the following is true:
•
Privilege Y or
admin
has been granted universally to user X or some group to which X belongs.
•
Privilege Y or
admin
has been granted on object Z or some object from which Z inherits permis-
sions (via Z’s context) to user X or some group to which X belongs.
To perform this check, you create a
PermissionDescriptor
and pass it to
PermissionSer-
vice.checkPermission
. The following example checks
read
privilege on
MyACSObject 50
for
User 100
:
import com.arsdigita.kernel.permissions.PermissionService;
import com.arsdigita.kernel.permissions.PermissionDescriptor;
import com.arsdigita.kernel.permissions.PrivilegeDescriptor;
import com.arsdigita.persistence.OID;
import com.arsdigita.kernel.permissions.PermissionDescriptor;
import com.arsdigita.kernel.permissions.PrivilegeDescriptor;
import com.arsdigita.persistence.OID;
OID acsObject = new OID("example.MyACSObject",
new BigDecimal(50));
new BigDecimal(50));