[Home] [Help]
109: is
110: ret varchar2(1);
111: begin
112: -- first check the folder itself
113: ret := bism_access_control.check_del_access(fid,null,'Y',null,myid);
114:
115: -- now check its children
116: for i in (select object_id from bism_objects where folder_id = fid and user_visible = 'Y')
117: loop
134: -- check WRITE privilege on object and READ privilege on parent folder
135: -- or
136: -- check READ privilege on object and FULL CONTROL privilege on parent folder
137: begin
138: ret := bism_access_control.check_del_access(null,oid,'n',null,myid);
139: if ret = 'y' then
140: have_del_access := 'y';
141: end if;
142: exception
141: end if;
142: exception
143: when insufficient_privileges then
144: begin
145: ret := bism_access_control.check_read_access(null,oid,'n',myid);
146: if ret = 'y' then
147: ret := bism_access_control.check_fullcontrol_access(fid,myid);
148: end if;
149: end;
143: when insufficient_privileges then
144: begin
145: ret := bism_access_control.check_read_access(null,oid,'n',myid);
146: if ret = 'y' then
147: ret := bism_access_control.check_fullcontrol_access(fid,myid);
148: end if;
149: end;
150: end;
151:
149: end;
150: end;
151:
152: if have_del_access = 'y' then
153: ret := bism_access_control.check_read_access(null,fid,'n',myid);
154: end if;
155:
156: return ret;
157: end check_obj_del_access;
213: when no_data_found then
214: raise_application_error(BISM_ERRORCODES.PRIVILEGE_NOT_UNDERSTOOD,'Privilege not understood');
215: end;
216:
217: ret := bism_access_control.check_fullcontrol_access(fid,grantor);
218: if ret = 'y' then
219: select subject_id into sub_id from bism_subjects where subject_name = grantee_name;
220: insert into bism_permissions (subject_id,object_id,privilege) values(sub_id,fid,priv);
221: if bism_core.v_auto_commit = TRUE then
252: -- (and NOT list) to show folders and if folder only has LIST access
253: -- getObject/lookup on that folder will fail
254: -- Henry and I decided to change this behavior
255: if objtype = 100 then
256: return bism_access_control.check_list_access(oid,myid);
257: else
258: -- modified to check access of object instead of folder
259: return bism_access_control.check_read_access(null,fid,'n',myid);
260: end if;
255: if objtype = 100 then
256: return bism_access_control.check_list_access(oid,myid);
257: else
258: -- modified to check access of object instead of folder
259: return bism_access_control.check_read_access(null,fid,'n',myid);
260: end if;
261: end;
262:
263: -- new check_lookup_access for object level security (ccchow)
269: return 'y';
270: end if;
271:
272: if objtype = 100 then
273: return bism_access_control.check_list_access(oid,myid);
274: else
275: return bism_access_control.check_read_access(null,oid,'n',myid);
276: end if;
277: end check_lookup_access;
271:
272: if objtype = 100 then
273: return bism_access_control.check_list_access(oid,myid);
274: else
275: return bism_access_control.check_read_access(null,oid,'n',myid);
276: end if;
277: end check_lookup_access;
278:
279: function prepare_rebind(fid raw,oname varchar2,myid raw,ids out nocopy bism_object_ids, current_time out nocopy date,num number,status out nocopy integer)
291: begin
292:
293: select object_id into oid from bism_objects where object_id = fid;
294: --OK, now check the privilege
295: ret := bism_access_control.check_del_access(null,fid,'n',null,myid);
296: exception
297: when no_data_found then
298: status := BISM_CONSTANTS.PARENT_FOLDER_NOT_FOUND;
299: return null;
381: begin
382:
383: select object_id into oid from bism_objects where object_id = fid;
384: --OK, now check the privilege
385: ret := bism_access_control.check_del_access(null,fid,'n',null,myid);
386: exception
387: when no_data_found then
388: status := BISM_CONSTANTS.PARENT_FOLDER_NOT_FOUND;
389: return null;
679: -- parent folder
680: -- note : ADD_FOLDER privilege is the minimum privilege required
681: -- on parent folder for this operation to succeed, if this throws
682: -- exception, let it bubble up
683: ret := bism_access_control.check_ins_access(fid,myid);
684: begin
685: -- OK, if user has ADD_FOLDER on parent, check to see if subfolder has
686: -- at least WRITE (scenario 1 described above)
687: -- if subfolder does not have WRITE, then test scenario 2
688: -- which is checking parent folder for FULL CONTROL,
689: -- and sub folder for at least LIST privilege
690: -- scenario 2 handled in exception handler
691: if ret = 'y' then
692: have_upd_access := bism_access_control.check_upd_access(oid,null,'Y',myid) ;
693: return have_upd_access;
694: end if;
695: exception
696: when insufficient_privileges then
694: end if;
695: exception
696: when insufficient_privileges then
697: -- check if the user has full control on parent folder
698: ret := bism_access_control.check_fullcontrol_access(fid,myid) ;
699: -- if so, then as long as he has at least LIST privilege on subfolder,
700: -- he can rename the sub folder
701: if ret = 'y' then
702: return bism_access_control.check_list_access(oid,myid);
698: ret := bism_access_control.check_fullcontrol_access(fid,myid) ;
699: -- if so, then as long as he has at least LIST privilege on subfolder,
700: -- he can rename the sub folder
701: if ret = 'y' then
702: return bism_access_control.check_list_access(oid,myid);
703: end if;
704: end;
705: end if;
706: if callerid = 1 then
705: end if;
706: if callerid = 1 then
707: -- if it is a folder, then user needs INSERT priv on that folder
708: -- parent folder priv do not play a role
709: return bism_access_control.check_ins_access(oid,myid) ;
710: end if;
711: else
712: if callerid = 0 then
713: -- renaming of an object
715: -- check WRITE privilege on object and INSERT privilege on parent folder
716: -- or
717: -- check READ privilege on object and FULL CONTROL privilege on parent folder
718: begin
719: ret := bism_access_control.check_upd_access(null,oid,'n',myid);
720: if ret = 'y' then
721: have_upd_access := 'y';
722: end if;
723: exception
722: end if;
723: exception
724: when insufficient_privileges then
725: begin
726: ret := bism_access_control.check_read_access(null,oid,'n',myid);
727: if ret = 'y' then
728: ret := bism_access_control.check_fullcontrol_access(fid,myid);
729: end if;
730: end;
724: when insufficient_privileges then
725: begin
726: ret := bism_access_control.check_read_access(null,oid,'n',myid);
727: if ret = 'y' then
728: ret := bism_access_control.check_fullcontrol_access(fid,myid);
729: end if;
730: end;
731: end;
732:
730: end;
731: end;
732:
733: if have_upd_access = 'y' then
734: ret := bism_access_control.check_ins_access(fid,myid);
735: end if;
736: end if;
737:
738: if callerid = 1 then
741: -- check WRITE privilege on object and READ privilege on parent folder
742: -- or
743: -- check READ privilege on object and FULL CONTROL privilege on parent folder
744: begin
745: ret := bism_access_control.check_upd_access(null,oid,'n',myid);
746: if ret = 'y' then
747: have_upd_access := 'y';
748: end if;
749: exception
748: end if;
749: exception
750: when insufficient_privileges then
751: begin
752: ret := bism_access_control.check_read_access(null,oid,'n',myid);
753: if ret = 'y' then
754: ret := bism_access_control.check_fullcontrol_access(fid,myid);
755: end if;
756: end;
750: when insufficient_privileges then
751: begin
752: ret := bism_access_control.check_read_access(null,oid,'n',myid);
753: if ret = 'y' then
754: ret := bism_access_control.check_fullcontrol_access(fid,myid);
755: end if;
756: end;
757: end;
758:
756: end;
757: end;
758:
759: if have_upd_access = 'y' then
760: ret := bism_access_control.check_read_access(null,fid,'n',myid);
761: end if;
762: end if;
763:
764: return ret;
815: -- NT allows users with LIST access see the props of folder as well
816: -- as props of object within the folder)
817:
818: if type_id <> 100 then
819: return bism_access_control.check_list_access(fid,myid) ;
820: else
821: -- this is an important change, according to NT, if the object is a folder
822: -- DO NOT CHECK for any privileges, every user is allowed to see the attribs
823: -- on a folder whether or not they have any prvbs on that folder
866: t1.privilege,
867: t2.subject_type
868: from bism_permissions t1,
869: bism_subjects t2
870: where 'y' = bism_access_control.check_show_entries_access(p_oid,p_myid)
871: and t1.object_id = p_oid
872: and t2.subject_id = t1.subject_id;
873: return v_rc;
874: end;
2039: select object_name,object_type_id
2040: from bism_objects
2041: where folder_id = p_fid and
2042: user_visible = 'Y' and
2043: 'y' = bism_access_control.check_list_access(p_fid,p_subid);
2044: return rc;
2045: exception
2046: when no_data_found then
2047: raise_application_error(BISM_ERRORCODES.OBJECT_NOT_FOUND,'Object not found');
2136: when no_data_found then
2137: raise_application_error(-20503,'User not found');
2138: end;
2139:
2140: ret := bism_access_control.check_ins_access(p_fid, p_subid);
2141: if ret = 'y' then
2142: if tempTimeC is not null then
2143: timeC := tempTimeC;
2144: else
2214: when no_data_found then
2215: raise_application_error(-20503,'User not found');
2216: end;
2217:
2218: ret := bism_access_control.check_ins_access(p_fid, p_subid);
2219: -- if caller provides id for this folderr, use it
2220: IF p_oid is not null then
2221: oid := p_oid;
2222: ELSE
2300: /* let other exceptions bubble up */
2301: end;
2302:
2303: begin
2304: ret := bism_access_control.check_ins_access(p_fid,p_subject_id);
2305: end;
2306:
2307: if ret = 'y' then
2308: if p_ext_attrs_clob is not null then
2370: /* let other exceptions bubble up */
2371: end;
2372:
2373: begin
2374: ret := bism_access_control.check_ins_access(p_fid,p_subject_id);
2375: end;
2376:
2377: if ret = 'y' then
2378: insert into BISM_OBJECTS (USER_VISIBLE,OBJECT_TYPE_ID,VERSION,TIME_DATE_CREATED,TIME_DATE_MODIFIED,OBJECT_ID,CONTAINER_ID,FOLDER_ID,
2403: return myrctype
2404: is
2405: rc myrctype;
2406: begin
2407: open rc for select object_name,object_type_id,object_id from bism_objects where folder_id = p_fid and user_visible = 'Y' and 'y' = bism_access_control.check_list_access(p_fid,p_subid);
2408: return rc;
2409: end list_bindings;
2410:
2411: procedure rebind
2453: -- if the object is top level, we update the row, otherwise, we insert
2454: if p_obj_is_top_level = 'Y' then
2455: -- object level security, rebind requires WRITE privilege on the object ONLY
2456: -- nothing to do with parent folder
2457: ret := bism_access_control.check_upd_access(null,p_oid,'n',p_subject_id);
2458: if ret = 'y' then
2459: if p_ext_attrs_clob is not null then
2460: -- convert CLOB representation of extensible attributes into XMLType representation
2461: p_ext_attrs := sys.xmltype.createXML(p_ext_attrs_clob);
2548: end;
2549:
2550: -- object level security, rebind requires WRITE privilege on the object ONLY
2551: -- nothing to do with parent folder
2552: ret := bism_access_control.check_upd_access(null,p_oid,'n',p_subject_id);
2553: if ret = 'y' then
2554: update bism_objects set USER_VISIBLE=p_visible,OBJECT_TYPE_ID=p_obj_type_id,VERSION=p_version,TIME_DATE_CREATED=p_time_created,
2555: TIME_DATE_MODIFIED=p_time_modified,OBJECT_ID=p_oid,CONTAINER_ID=p_container_id,FOLDER_ID=p_fid,
2556: CREATED_BY=created_subid,LAST_MODIFIED_BY=modified_subid,OBJECT_NAME=p_obj_name,TITLE=p_title,
3271: where
3272: folder_id = p_fid
3273: and
3274: object_name = p_objname
3275: and 'y' = bism_access_control.check_read_access(object_id, p_fid,'n', p_myid)
3276: )
3277: and container_id <> '30'
3278: )
3279: )