Better protect access to Jackrabbit user manager

[lgpl/argeo-commons.git] / server / runtime / org.argeo.server.jcr / src / main / java / org / argeo / jcr / JcrUtils.java

diff --git a/server/runtime/org.argeo.server.jcr/src/main/java/org/argeo/jcr/JcrUtils.java b/server/runtime/org.argeo.server.jcr/src/main/java/org/argeo/jcr/JcrUtils.java
index 6f5765ed5c9672c1cdf12909613a069db73a4803..9f3d761cafd79e8bdb51a7ae481fc9cfb32c847e 100644 (file)
--- a/server/runtime/org.argeo.server.jcr/src/main/java/org/argeo/jcr/JcrUtils.java
+++ b/server/runtime/org.argeo.server.jcr/src/main/java/org/argeo/jcr/JcrUtils.java
@@ -1229,7 +1229,7 @@ public class JcrUtils implements ArgeoJcrConstants {
         * Convenience method for adding a single privilege to a principal (user or
         * role), typically jcr:all
         */
-       public static void addPrivilege(Session session, String path,
+       public synchronized static void addPrivilege(Session session, String path,
                        String principal, String privilege) throws RepositoryException {
                List<Privilege> privileges = new ArrayList<Privilege>();
                privileges.add(session.getAccessControlManager().privilegeFromName(
@@ -1239,11 +1239,14 @@ public class JcrUtils implements ArgeoJcrConstants {
 
        /**
         * Add privileges on a path to a {@link Principal}. The path must already
-        * exist. Session is saved.
+        * exist. Session is saved. Synchronized to prevent concurrent modifications
+        * of the same node.
         */
-       public static void addPrivileges(Session session, String path,
+       public synchronized static void addPrivileges(Session session, String path,
                        Principal principal, List<Privilege> privs)
                        throws RepositoryException {
+               // make sure the session is in line with the persisted state
+               session.refresh(false);
                AccessControlManager acm = session.getAccessControlManager();
                AccessControlList acl = getAccessControlList(acm, path);
                acl.addAccessControlEntry(principal,
@@ -1256,11 +1259,12 @@ public class JcrUtils implements ArgeoJcrConstants {
                        log.debug("Added privileges " + privBuf + " to " + principal
                                        + " on " + path);
                }
+               session.refresh(true);
                session.save();
        }
 
        /** Gets access control list for this path, throws exception if not found */
-       public static AccessControlList getAccessControlList(
+       public synchronized static AccessControlList getAccessControlList(
                        AccessControlManager acm, String path) throws RepositoryException {
                // search for an access control list
                AccessControlList acl = null;
@@ -1287,8 +1291,8 @@ public class JcrUtils implements ArgeoJcrConstants {
        }
 
        /** Clear authorizations for a user at this path */
-       public static void clearAccessControList(Session session, String path,
-                       String username) throws RepositoryException {
+       public synchronized static void clearAccessControList(Session session,
+                       String path, String username) throws RepositoryException {
                AccessControlManager acm = session.getAccessControlManager();
                AccessControlList acl = getAccessControlList(acm, path);
                for (AccessControlEntry ace : acl.getAccessControlEntries()) {