Remoto - VFS
The ACL class for maintaining permission to nodes.
#include <VFS_acl.h>

Public Slots

| Type | Member | Description |
|---|---|---|
| virtual void | receiveResponse (VFS_request *r) | A request has been completed, respond to the results. |

| Type | Member | Description |
|---|---|---|
| virtual void | applyDiff (VFS_request *r) | Apply a diff received via subscription. |
| virtual void | executeRequest (VFS_request *t) | Based on the VFS_request::requestType, execute the function associated with an operation. |
| void | notifySubscribers (VFS_node *origin, VFS_request *t) | Propagate a diff to subscribers. |
| virtual void | receiveResponse (VFS_request *t) | Once a VFS_request has been completed, a response will be issued back to its _origin. |
| void | remove (bool andDelete) | Remove a child node. |
| virtual void | remove (VFS_node *node=nullptr, QString *name=nullptr, QString user="server") | Remove a child node from this node. |
| virtual void | subtreeRequest (VFS_request *t) | find() the target of a VFS_request, and execute the request. |
| virtual void | unsubscribeAll (VFS_node *n) | Remove all references to a subscriber from this node. |

Public Member Functions

| Type | Member | Description |
|---|---|---|
| Q_INVOKABLE | VFS_acl (QString vfspath, QString path, bool defaultAllow=true, QString superadmin="") | Construct a VFS_acl object. |
| virtual | ~VFS_acl () | |
| virtual VFS_node * | find (VFS_request *r) | Find a child based on a VFS_request::_path. |
| virtual bool | isContainer () | VFS_acl nodes cannot contain children. |
| virtual QString | reportDetails () | Report data about an ACL. |

| Type | Member | Description |
|---|---|---|
| Q_INVOKABLE | VFS_node () | The VFS_node constructor will add its instance to the VFS_node::__allNodes global node registry, observing thread safety rules. |
| virtual | ~VFS_node () | VFS_node destructor. |
| virtual VFS_node * | append (QString name, VFS_node *node, bool containerCheck=true, QString user="server") | Append a VFS_node as a child of this node. |
| QString | className () | Return the class name of a node. |
| virtual VFS_request * | createRequest (VFS_request::requestType type, QString path, QString user="unknown", QJsonDocument data=QJsonDocument(), QJsonObject metadata=QJsonObject(), bool dontDelete=false) | Create a new VFS_request with this object as _origin. |
| VFS_node * | find (QString path) | Find a node by string path. |
| VFS_node * | findChildWithName (QString name) | Check if a child with a given name exists. |
| virtual VFS_node * | mount () | Mount this node. |
| QString | uniqueChildName (QString name) | Generate a unique child name. |
| virtual VFS_node * | unmount () | Unmount this node. |
| virtual bool | validChildName (QString name) | Check if a node name is valid. |

Static Public Member Functions

| Type | Member | Description |
|---|---|---|
| static bool | checkAllowAccess (VFS_request *r, QString feature="") | Check if a request has access to a resource. |
| static bool | checkAllowAccess (VFS_session *s, QString path, QString feature="") | Check if a session has access to a resource. |
| static QStringList | fetchACLPaths () | Fetch the VFS path to each registered ACL file. |

| Type | Member | Description |
|---|---|---|
| static bool | __isNode (VFS_node *) | Check to see if a node is in the global registry. |
| static QString | code (QString nodename, QString libname, QString &error) | Fetch code or any other resource from a node. |

Protected Slots

| Type | Member | Description |
|---|---|---|
| virtual void | initialize () | Initialize the ACL by subscribing to its data file. |

Private Member Functions

| Type | Member | Description |
|---|---|---|
| bool | privateCheckAllowAccess (VFS_session *s, QString path, QString feature, bool &wasDefault) | Check if a request has access to a resource. |
| virtual void | read (VFS_request *r) | Read the ACL entries. |
| virtual void | submit (VFS_request *r) | Submit features or settings to the ACL. |
| virtual void | subscribe (VFS_request *r) | Perform a normal VFS_node::subscribe, unless the path is "browse". |
| virtual void | unsubscribe (VFS_request *r) | Perform a normal VFS_node::unsubscribe, unless the path is "browse". |

Static Private Member Functions

| Type | Member | Description |
|---|---|---|
| static void | registerACL (VFS_acl *acl) | Add an acl to the _accessControlLists list. |
| static void | unregisterACL (VFS_acl *acl) | Remove an acl from the _accessControlLists list. |

Private Attributes

| Type | Member | Description |
|---|---|---|
| QJsonObject | _accessControlList | The ACL entries. |
| bool | _defaultAllow | The default value if an entry is not found. |
| bool | _initialized | Whether or not the settings file has been loaded. |
| QString | _path | The VFS path to an ACL settings file. |
| QString | _superadmin | A single user who these ACLs will not apply to regardless of ACL file. |
| QString | _vfspath | The VFS path of this node. |

Static Private Attributes

| Type | Member | Description |
|---|---|---|
| static QList< VFS_acl * > | _accessControlLists | The ACLs that have been registered to the VFS. |
| static QMutex | _accessControlLock | A mutex used to modify the _accessControlFeatures. |

Additional Inherited Members

| Type | Member | Description |
|---|---|---|
| void | diff (VFS_node *origin, VFS_request *t) | Emit a diff, which will trigger notifySubscribers() for a mounted node. |
| void | finished (bool andDelete=false) | Emitted if a thread fails to create its node, or a node is rm()'d, or any other reason a node has completed its lifecycle. It is deleted if andDelete==true. |
| void | mounted () | Emitted when a node is mount()ed. |
| void | unmounted (VFS_node *self) | Emitted when a node is unmount()ed. |

| Type | Member | Description |
|---|---|---|
| virtual void | aclDefaults (VFS_request *r) | Return default values and features associated with this node. |
| void | addACLDefault (QJsonObject &acl, bool value, QString description="") | Add a default value to the acl object. |
| void | addACLFeature (QJsonObject &acl, QString feature, bool value, QString description="") | Add a feature to the acl object. |
| void | addACLFeatureGroup (QJsonObject &acl, QString feature, QString group, bool value) | Add a feature group to the acl object. |
| void | addACLFeatureUser (QJsonObject &acl, QString feature, QString user, bool value) | Add a feature user to the acl object. |
| void | addACLGroup (QJsonObject &acl, QString group, bool value) | Add a group to the acl object. |
| void | addACLUser (QJsonObject &acl, QString user, bool value) | Add a user to the acl object. |
| virtual QByteArray | icon () | Fetch the icon for a node. |
| virtual void | issueRequest (VFS_node *target, VFS_request *t) | Issue a VFS_request to its target. |
| virtual void | issueRequest (VFS_request *t) | A convenience function. |
| virtual void | issueResponse (VFS_request *t) | Once a request has been completed, issue a response. |
| virtual void | ls (VFS_request *r) | List the contents of this node. |
| virtual void | metadata (VFS_request *r) | Fetch the metadata of this node. |
| virtual void | releaseLock (VFS_request *r) | Release a lock on this node. |
| virtual void | report (VFS_request *r) | Report debugging information about the current state of this node. |
| virtual void | requestLock (VFS_request *r) | Request a lock on this node. |
| virtual void | rm (VFS_request *r) | Remove a child entry from a node, or the node itself. |
| virtual void | unsubscribePath (QString path) | Unsubscribe all references to a subpath. |
| virtual void | write (VFS_request *r) | Write data to this node. |

| Type | Member | Description |
|---|---|---|
| VFS_children | _children | This node's children. |
| QMutex | _lock | A recursive mutex that is local to this node. |
| VFS_subscriptionType | _subscribers | This node's subscribers. These subscribers will receive diff notifications. |

The ACL class for maintaining permission to nodes.
A VFS implementation can have multiple ACL files if desired; however, in practice a single master is easiest to maintain.
ACLs can grant or deny access based on group membership or by username or feature. Applications may want to enable certain features based on ACL values.
The ACL file format is:
Each interesting path is added as a key, and each entry can contain "default", "groups", and/or "users".
Additionally, features can be identified for an application the same way.
Access is calculated based on:
A superadmin user can be provided in a config file. That user acts as a safeguard for mistakes made when creating ACLs. It is very easy to accidentally lock yourself out when editing the ACL list. The superadmin is not affected by any ACL settings; access is always granted to this user for all nodes.
If more than one ACL is being used, each can have a different superadmin, but it will be confusing and is not recommended.

explicit

Construct a VFS_acl object.

| Parameter | Description |
|---|---|
| vfspath | The VFS path of this node |
| path | The VFS path to an ACL file |
| defaultAllow | The default access allowance |
| superadmin | The superadmin user for this ACL |

Definition at line 112 of file VFS_acl.cpp.

virtual

Definition at line 125 of file VFS_acl.cpp.

static

Check if a request has access to a resource.

| Parameter | Description |
|---|---|
| r | The VFS_request object |
| feature | The feature to check |

This is a convenience method that will break out session and path from a VFS_request and pass them on to the other form of checkAllowAccess().

Definition at line 440 of file VFS_acl.cpp.

static

Check if a session has access to a resource.

| Parameter | Description |
|---|---|
| s | The VFS_session to check against |
| path | The VFS path of a resource |
| feature | The feature to check |

This will check each ACL for a mention of the provided path. The first ACL to mention a path will return the value of its access check.

If no ACL mentions the path, the default value of the last ACL checked will be returned.

Definition at line 407 of file VFS_acl.cpp.
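
The resolution order described above, modelled in plain C++ as an added example (this is not Remoto's code): it shows how the fall-through default depends on which ACL is checked last, and includes a small lint for ACLs whose own default can never apply. `AclModel`, `checkOne`, `checkAllowAccessModel`, `shadowedDefaults` and `sampleAcls` are hypothetical names; exact-path matching, precomputed per-path verdicts, denying when no ACL is registered, and leaving the superadmin out are assumptions of the model.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Hypothetical stand-in for one registered VFS_acl; not the project's type.
struct AclModel {
    std::string vfspath;                  // where this ACL node is mounted
    bool defaultAllow;                    // the real constructor defaults this to true
    std::map<std::string, bool> entries;  // path -> this ACL's verdict for the session (assumed exact match)
};

// Plays the role of privateCheckAllowAccess(): wasDefault is set when the path is not mentioned.
bool checkOne(const AclModel &acl, const std::string &path, bool &wasDefault) {
    auto it = acl.entries.find(path);
    wasDefault = (it == acl.entries.end());
    return wasDefault ? acl.defaultAllow : it->second;
}

// First ACL that mentions the path decides; otherwise the default of the last ACL checked is returned.
bool checkAllowAccessModel(const std::vector<AclModel> &acls, const std::string &path) {
    bool result = false;  // assumption: deny when no ACL is registered
    for (const AclModel &acl : acls) {
        bool wasDefault = false;
        result = checkOne(acl, path, wasDefault);
        if (!wasDefault) return result;
    }
    return result;
}

// Lint: ACLs whose defaultAllow can never take effect because the last ACL's default differs.
std::vector<std::string> shadowedDefaults(const std::vector<AclModel> &acls) {
    std::vector<std::string> out;
    for (std::size_t i = 0; i + 1 < acls.size(); ++i)
        if (acls[i].defaultAllow != acls.back().defaultAllow) out.push_back(acls[i].vfspath);
    return out;
}

// Constructed sample: a deny-by-default master ACL and an allow-by-default secondary ACL.
std::vector<AclModel> sampleAcls() {
    return {{"/acl/master", false, {{"/admin", false}, {"/public", true}}},
            {"/acl/plugin", true, {{"/plugin/data", true}}}};
}

int main() {
    auto acls = sampleAcls();
    std::cout << "/secret allowed: " << checkAllowAccessModel(acls, "/secret") << "\n";
    for (const auto &p : shadowedDefaults(acls)) std::cout << "shadowed default: " << p << "\n";
}
```

With the sample order, a path that neither ACL mentions is allowed because the last ACL checked defaults to allow; swapping the order makes the same path denied.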

static

Fetch the VFS path to each registered ACL file.

Definition at line 597 of file VFS_acl.cpp.

virtual

Find a child based on a VFS_request::_path.

| Parameter | Description |
|---|---|
| r | The VFS_request object |

This method is overridden to allow for a "browse" virtual entry, which will allow a master VFS to browse a sub-VFS with its native pathing.

Reimplemented from VFS_node.

Definition at line 176 of file VFS_acl.cpp.

protected virtual slot

Initialize the ACL by subscribing to its data file.

Definition at line 134 of file VFS_acl.cpp.

virtual

VFS_acl nodes cannot contain children.

Reimplemented from VFS_node.

Definition at line 162 of file VFS_acl.cpp.

private

Check if a request has access to a resource.

| Parameter | Description |
|---|---|
| s | The VFS_session to check against |
| path | The VFS path of a resource |
| feature | The feature to check |
| wasDefault | A pointer back to a bool for the caller. This is used to determine if a default value was returned. |

The check is performed in this way:

Definition at line 465 of file VFS_acl.cpp.

private virtual

Read the ACL entries.

| Parameter | Description |
|---|---|
| r | The VFS_request object |

Because the ACL data may be accessed at any time from any other thread, we need to protect this with a mutex lock.

Reimplemented from VFS_node.

Definition at line 191 of file VFS_acl.cpp.

virtual slot

A request has been completed, respond to the results.

| Parameter | Description |
|---|---|
| r | The VFS_request object |

If the request was to subscribe to the ACL file, record the results.

Definition at line 348 of file VFS_acl.cpp.

static private

Add an acl to the _accessControlLists list.

| Parameter | Description |
|---|---|
| acl | The ACL to add |

An acl can only be added once to the list.

Definition at line 573 of file VFS_acl.cpp.

virtual

Report data about an ACL.

Reimplemented from VFS_node.

Definition at line 147 of file VFS_acl.cpp.

private virtual

Submit features or settings to the ACL.

| Parameter | Description |
|---|---|
| r | The VFS_request object |

Any incoming entry that is boolean (i.e., not an object) will be treated as a request to create a new ACL entry.

Reimplemented from VFS_node.

Definition at line 226 of file VFS_acl.cpp.

private virtual

Perform a normal VFS_node::subscribe, unless the path is "browse".

| Parameter | Description |
|---|---|
| r | The VFS_request |

If the path starts with "browse", send a callback to the root of the filesystem.

Reimplemented from VFS_node.

Definition at line 304 of file VFS_acl.cpp.

static private

Remove an acl from the _accessControlLists list.

| Parameter | Description |
|---|---|
| acl | The ACL to remove |

Definition at line 585 of file VFS_acl.cpp.

private virtual

Perform a normal VFS_node::unsubscribe, unless the path is "browse".

| Parameter | Description |
|---|---|
| r | The VFS_request |

If the path starts with "browse", send a callback to the root of the filesystem.

Reimplemented from VFS_node.

Definition at line 326 of file VFS_acl.cpp.