com.atlassian.bitbucket.permission

Interface PermissionService

public interface PermissionService

Reads the permissions of users and groups. IMPORTANT: This should not be restricted by permissions, and is not intended for querying access levels of users, but rather checking access of the current user at runtime

See Also:

PermissionAdminService

Method Summary

Modifier and Type	Method and Description
Page<String>	getGrantedGroups(Permission permission, PageRequest request) Get the groups which are granted a permission
Page<ApplicationUser>	getGrantedUsers(Permission permission, PageRequest request) Get the users which are granted a permission
Permission	getHighestGlobalGroupPermission(String groupName) Get the highest global permission for a group.
Permission	getHighestGlobalPermission(ApplicationUser user) Get the highest global permission for a user.
Permission	getHighestGlobalPermission(String username) Get the highest global permission for a user.
Set<String>	getUsersWithPermission(Permission permission) Get the usernames of the users with the given permission (whether directly or though permission inheritance) This includes users granted the permission directly and those who have the permission through their group membership.
boolean	hasAnyUserPermission(ApplicationUser user, Permission permission)
boolean	hasAnyUserPermission(Permission permission)
boolean	hasDirectGlobalUserPermission(Permission permission)
boolean	hasDirectProjectUserPermission(Project project, Permission permission)
boolean	hasDirectRepositoryUserPermission(Repository repository, Permission permission)
boolean	hasGlobalGroupPermission(Permission permission, String group)
boolean	hasGlobalPermission(ApplicationUser user, Permission permission) Will return true if the user is active and one of the following conditions is met: permission is granted directly for the given user permission is granted to a group the given user is a member of
boolean	hasGlobalPermission(Permission permission)
boolean	hasGlobalPermission(String username, Permission permission) Will return true if the user is active and one of the following conditions is met: permission is granted directly for the given user permission is granted to a group the given user is a member of
boolean	hasGlobalPermissionThroughGroupMembership(Permission permission, Set<String> excludedGroups)
boolean	hasProjectPermission(ApplicationUser user, int projectId, Permission permission)
boolean	hasProjectPermission(ApplicationUser user, Project project, Permission permission) Will return true if the user is active and one of the following conditions is met: permission is granted directly for the given user on the given project permission is granted for all logged in users on the given project permission is granted to a group the given user is a member of on the given project The given user is directly granted a permission on at least one repository within the given project and the given permission is implied as a result A group the given user is a member of is granted a permission on at least one repository within the given project and the given permission is implied as a result The given project is publicly accessible and the permission is implied as a result the given user is directly granted administration rights A group the given user is a member of is granted administration rights
boolean	hasProjectPermission(int projectId, Permission permission)
boolean	hasProjectPermission(Project project, Permission permission)
boolean	hasProjectPermissionThroughGroupMembership(Project project, Permission permission, Set<String> excludedGroups)
boolean	hasRepositoryPermission(ApplicationUser user, int repositoryId, Permission permission)
boolean	hasRepositoryPermission(ApplicationUser user, Repository repository, Permission permission) Will return true if the user is active and one of the following conditions is met: permission is granted directly for the given user on the given repository permission is granted to a group the given user is a member of on the given repository The given user is directly granted a permission on the containing project and the given permission is implied as a result A group the given user is a member of is granted a permission on the containing project and the given permission is implied as a result All logged in users are granted a permission to the containing project and the given permission is implied as a result The given repository is publicly accessible and the permission is implied as a result the given user is directly granted administration rights A group the given user is a member of is granted administration rights This method will always return false if the user given is null as anonymous users cannot be granted permissions by definition.
boolean	hasRepositoryPermission(int repositoryId, Permission permission)
boolean	hasRepositoryPermission(Repository repository, Permission permission)
boolean	hasRepositoryPermissionThroughGroupMembership(Repository repository, Permission permission, Set<String> excludedGroups)
boolean	hasUserPermission(ApplicationUser user, ApplicationUser targetUser, Permission permission)
boolean	hasUserPermission(ApplicationUser user, int targetUserId, Permission permission)
boolean	hasUserPermission(ApplicationUser targetUser, Permission permission)
boolean	hasUserPermission(int targetUserId, Permission permission)
boolean	hasUserPermission(Permission permission)
boolean	isProjectAccessible(int projectId)
boolean	isProjectAccessible(Project project) Retrieve whether the current user (authenticated or not) has access to the given project.
boolean	isPubliclyAccessible(Project project) Retrieves whether the project is publicly accessible.
boolean	isPubliclyAccessible(Repository repository) Retrieves whether the repository is publicly accessible.
boolean	isRepositoryAccessible(int repositoryId)
boolean	isRepositoryAccessible(Repository repository) Retrieve whether the current user (authenticated or not) has access to the given repository.

Method Detail

hasGlobalPermission

boolean hasGlobalPermission(@Nullable
                            String username,
                            @Nonnull
                            Permission permission)

Will return true if the user is active and one of the following conditions is met:

• permission is granted directly for the given user
• permission is granted to a group the given user is a member of

Parameters:

username - the user in question

permission - the requested permission. Must be global.

Returns:

true if the given user identified by username has the requested Permission

hasGlobalPermission

boolean hasGlobalPermission(@Nullable
                            ApplicationUser user,
                            @Nonnull
                            Permission permission)

Will return true if the user is active and one of the following conditions is met:

• permission is granted directly for the given user
• permission is granted to a group the given user is a member of

Parameters:

user - the user in question

permission - the requested permission. Must be global.

Returns:

true if the given ApplicationUser has the requested Permission

hasGlobalPermission

boolean hasGlobalPermission(@Nonnull
                            Permission permission)

Parameters:

permission - the requested permission. Must be global.

Returns:

true if the current authentication session has the requested Permission

See Also:

hasGlobalPermission(ApplicationUser, Permission)

hasProjectPermission

boolean hasProjectPermission(@Nullable
                             ApplicationUser user,
                             @Nonnull
                             Project project,
                             @Nonnull
                             Permission permission)

Will return true if the user is active and one of the following conditions is met:

• permission is granted directly for the given user on the given project
• permission is granted for all logged in users on the given project
• permission is granted to a group the given user is a member of on the given project
• The given user is directly granted a permission on at least one repository within the given project and the given permission is implied as a result
• A group the given user is a member of is granted a permission on at least one repository within the given project and the given permission is implied as a result
• The given project is publicly accessible and the permission is implied as a result
• the given user is directly granted administration rights
• A group the given user is a member of is granted administration rights

Parameters:

user - the user in question

project - the project in question

permission - the requested permission. Must be non-global.

Returns:

true if the given ApplicationUser has the requested Permission for the given Project

hasProjectPermission

boolean hasProjectPermission(@Nonnull
                             Project project,
                             @Nonnull
                             Permission permission)

Parameters:

project - the project in question

permission - the requested permission. Must be non-global.

Returns:

true if the current authentication token has the requested Permission for the given Project

See Also:

hasProjectPermission(ApplicationUser, Project, Permission)

hasProjectPermission

boolean hasProjectPermission(@Nullable
                             ApplicationUser user,
                             int projectId,
                             @Nonnull
                             Permission permission)

Parameters:

user - the user in question

projectId - the ID of project

permission - the requested permission. Must be non-global.

Returns:

true if the given ApplicationUser has the requested Permission for the Project identified by projectId

See Also:

hasProjectPermission(ApplicationUser, Project, Permission)

hasProjectPermission

boolean hasProjectPermission(int projectId,
                             @Nonnull
                             Permission permission)

Parameters:

projectId - the ID project in question

permission - the requested permission. Must be non-global.

Returns:

true if the current authentication token has the requested Permission for the given Project

See Also:

hasProjectPermission(ApplicationUser, int, Permission)

hasRepositoryPermission

boolean hasRepositoryPermission(@Nullable
                                ApplicationUser user,
                                @Nonnull
                                Repository repository,
                                @Nonnull
                                Permission permission)

Will return true if the user is active and one of the following conditions is met:

• permission is granted directly for the given user on the given repository
• permission is granted to a group the given user is a member of on the given repository
• The given user is directly granted a permission on the containing project and the given permission is implied as a result
• A group the given user is a member of is granted a permission on the containing project and the given permission is implied as a result
• All logged in users are granted a permission to the containing project and the given permission is implied as a result
• The given repository is publicly accessible and the permission is implied as a result
• the given user is directly granted administration rights
• A group the given user is a member of is granted administration rights

This method will always return false if the user given is null as anonymous users cannot be granted permissions by definition.

Parameters:

user - the user in question

repository - the repository in question

permission - the requested permission. Must be non-global.

Returns:

true if the given ApplicationUser has the requested Permission for the given Repository

hasRepositoryPermission

boolean hasRepositoryPermission(@Nullable
                                ApplicationUser user,
                                int repositoryId,
                                @Nonnull
                                Permission permission)

Parameters:

user - the user in question

repositoryId - the repository in question

permission - the requested permission. Must be non-global.

Returns:

true if the given ApplicationUser has the requested Permission for the given Repository

See Also:

hasRepositoryPermission(ApplicationUser, Repository, Permission)

hasRepositoryPermission

boolean hasRepositoryPermission(@Nonnull
                                Repository repository,
                                @Nonnull
                                Permission permission)

Parameters:

repository - the repository in question

permission - the requested permission. Must be non-global.

Returns:

true if the current authentication token has the requested Permission for the given Repository

See Also:

hasRepositoryPermission(ApplicationUser, Repository, Permission)

hasRepositoryPermission

boolean hasRepositoryPermission(int repositoryId,
                                @Nonnull
                                Permission permission)

Parameters:

repositoryId - the repository in question

permission - the requested permission. Must be non-global.

Returns:

true if the current authentication token has the requested Permission for the given Repository identified by repositoryId

See Also:

hasRepositoryPermission(ApplicationUser, Repository, Permission)

hasUserPermission

boolean hasUserPermission(@Nonnull
                          ApplicationUser user,
                          @Nonnull
                          ApplicationUser targetUser,
                          @Nonnull
                          Permission permission)

Parameters:

user - the user requesting the permission

targetUser - the user that the permission applies to

permission - the requested permission. Must be non-global.

Returns:

true if the provided user has the requested Permission with respect to targetUser's settings

Since:

5.5

See Also:

hasUserPermission(int, Permission)

hasUserPermission

boolean hasUserPermission(@Nonnull
                          ApplicationUser user,
                          int targetUserId,
                          @Nonnull
                          Permission permission)

Parameters:

user - the user requesting the permission

targetUserId - the ID of the user that the permission applies to

permission - the requested permission. Must be non-global.

Returns:

true if the provided user has the requested Permission with respect to of the ApplicationUser identified by targetUserId

Since:

5.5

See Also:

hasUserPermission(ApplicationUser, Permission)

hasUserPermission

boolean hasUserPermission(@Nonnull
                          ApplicationUser targetUser,
                          @Nonnull
                          Permission permission)

Parameters:

targetUser - the user that the permission applies to

permission - the requested permission. Must be non-global.

Returns:

true if the current authentication token has the requested Permission with respect to targetUser's settings

Since:

5.5

See Also:

hasUserPermission(int, Permission)

hasUserPermission

boolean hasUserPermission(int targetUserId,
                          @Nonnull
                          Permission permission)

Parameters:

targetUserId - the ID of the user that the permission applies to

permission - the requested permission. Must be non-global.

Returns:

true if the current authentication token has the requested Permission with respect to the user identified by targetUserId

Since:

5.5

See Also:

hasUserPermission(ApplicationUser, Permission)

hasUserPermission

boolean hasUserPermission(@Nonnull
                          Permission permission)

Parameters:

permission - the requested permission. Must be non-global.

Returns:

true if the current authentication token has the requested Permission for the account of the currently authenticated user

Since:

5.5

See Also:

hasUserPermission(ApplicationUser, Permission)

hasAnyUserPermission

boolean hasAnyUserPermission(@Nonnull
                             ApplicationUser user,
                             @Nonnull
                             Permission permission)

Parameters:

user - the user in question

permission - the requested permission. Must be non-global.

Returns:

true if the given ApplicationUser has the requested Permission for any project / repository

hasAnyUserPermission

boolean hasAnyUserPermission(@Nonnull
                             Permission permission)

Parameters:

permission - the requested permission. Must be non-global.

Returns:

true if the current user has the requested Permission for any project / repository

hasGlobalPermissionThroughGroupMembership

boolean hasGlobalPermissionThroughGroupMembership(@Nonnull
                                                  Permission permission,
                                                  @Nonnull
                                                  Set<String> excludedGroups)

Parameters:

permission - The permission required.

excludedGroups - A Set of groups to be excluded from consideration.

Returns:

true if the current user has the given global permission through its membership of a group

hasProjectPermissionThroughGroupMembership

boolean hasProjectPermissionThroughGroupMembership(@Nonnull
                                                   Project project,
                                                   @Nonnull
                                                   Permission permission,
                                                   @Nonnull
                                                   Set<String> excludedGroups)

Parameters:

project - The project on which permission is being checked

permission - The permission required

excludedGroups - A Set of groups to be excluded from consideration

Returns:

true if the current user has the given project permission through its membership of a group

hasRepositoryPermissionThroughGroupMembership

boolean hasRepositoryPermissionThroughGroupMembership(@Nonnull
                                                      Repository repository,
                                                      @Nonnull
                                                      Permission permission,
                                                      @Nonnull
                                                      Set<String> excludedGroups)

Parameters:

repository - the repository on which permission is being checked

permission - the permission required

excludedGroups - a Set of groups to be excluded from consideration

Returns:

true if the current user has the given repository permission through its membership of a group

hasDirectGlobalUserPermission

boolean hasDirectGlobalUserPermission(@Nonnull
                                      Permission permission)

Parameters:

permission - the permission required

Returns:

true if the current user has the given global permission directly granted (i.e. not through their group membership)

hasDirectProjectUserPermission

boolean hasDirectProjectUserPermission(@Nonnull
                                       Project project,
                                       @Nonnull
                                       Permission permission)

Parameters:

project - the project on which permission is being checked

permission - the permission required

Returns:

true if the current user has the given project permission directly granted (i.e. not through their group membership)

hasDirectRepositoryUserPermission

boolean hasDirectRepositoryUserPermission(@Nonnull
                                          Repository repository,
                                          @Nonnull
                                          Permission permission)

Parameters:

repository - the repository on which permission is being checked

permission - the permission required

Returns:

true if the current user has the given repository permission directly granted (i.e. not through their group membership)

hasGlobalGroupPermission

boolean hasGlobalGroupPermission(@Nonnull
                                 Permission permission,
                                 @Nonnull
                                 String group)

Parameters:

permission - the permission required

group - the group to be checked

Returns:

true if the given group has the given permission

isProjectAccessible

boolean isProjectAccessible(@Nonnull
                            Project project)

Retrieve whether the current user (authenticated or not) has access to the given project.

The user may have access as a result of the following:

• The current authenticated user has Permission.PROJECT_VIEW permission for the given project; or
• The current thread is SecurityService.withPermission(Permission, String) running with} Permission.PROJECT_VIEW permission; or
• Public access is enabled for the system; and
  • The given project is public; or
  • At least one of the repositories contained within the project are public

Parameters:

project - the project on which to check

Returns:

true if the current user has access to the given project, false otherwise

isProjectAccessible

boolean isProjectAccessible(int projectId)

Parameters:

projectId - the ID of the project on which to check

Returns:

true if the current user has access to the given project, false otherwise

See Also:

isProjectAccessible(Project)

isRepositoryAccessible

boolean isRepositoryAccessible(@Nonnull
                               Repository repository)

Retrieve whether the current user (authenticated or not) has access to the given repository.

The user may have access as a result of the following:

• The current authenticated user has Permission.REPO_READ permission for the given repository; or
• The current thread is SecurityService.withPermission(Permission, String) running with} Permission.REPO_READ permission; or
• Public access is enabled for the system; and
  • The given repository is public; or
  • The containing project for the given repository is public

Parameters:

repository - the repository on which to check

Returns:

true if the current user has access to the given repository, false otherwise

isRepositoryAccessible

boolean isRepositoryAccessible(int repositoryId)

Parameters:

repositoryId - the ID of the repository on which to check

Returns:

true if the current user has access to the given repository, false otherwise

See Also:

isRepositoryAccessible(Repository)

isPubliclyAccessible

boolean isPubliclyAccessible(@Nonnull
                             Repository repository)

Retrieves whether the repository is publicly accessible.

Note that a repository will be public if:

• public access is enabled for the instance; and
  • the repository itself is public; or
  • the containing project for the repository is public

To check whether the current user (authenticated or not) can access the repository, use isRepositoryAccessible(Repository) instead.

Parameters:

repository - the repository on which to check

Returns:

true if unauthenticated users can access the given repository, false otherwise

isPubliclyAccessible

boolean isPubliclyAccessible(@Nonnull
                             Project project)

Retrieves whether the project is publicly accessible.

Note: to check whether the current user (authenticated or not) can access the project, use isProjectAccessible(Project) instead.

Parameters:

project - the project on which to check

Returns:

true if unauthenticated users can access the given project, false otherwise

getGrantedUsers

@Nonnull
Page<ApplicationUser> getGrantedUsers(@Nonnull
                                               Permission permission,
                                               @Nonnull
                                               PageRequest request)

Get the users which are granted a permission

Parameters:

permission - the permission in question

request - a page request

Returns:

the page of users who have been granted a permission or an inheriting permission

getGrantedGroups

@Nonnull
Page<String> getGrantedGroups(@Nonnull
                                       Permission permission,
                                       @Nonnull
                                       PageRequest request)

Get the groups which are granted a permission

Parameters:

permission - the permission in question

request - a page request

Returns:

the page of group names which have been granted a permission or an inheriting permission

getUsersWithPermission

@Nonnull
Set<String> getUsersWithPermission(@Nonnull
                                            Permission permission)

Get the usernames of the users with the given permission (whether directly or though permission inheritance) This includes users granted the permission directly and those who have the permission through their group membership.

Parameters:

permission - the permission for which the users are being fetched. It must be global.

Returns:

the lowercase usernames of all the users who currently have the given permission

getHighestGlobalPermission

@Nullable
Permission getHighestGlobalPermission(@Nullable
                                                ApplicationUser user)

Get the highest global permission for a user.

Parameters:

user - the user

Returns:

the highest global permission for the user or null if they have no permissions

getHighestGlobalPermission

@Nullable
Permission getHighestGlobalPermission(@Nullable
                                                String username)

Get the highest global permission for a user.

Parameters:

username - the user name

Returns:

the highest global permission for the user or null if they have no permissions

getHighestGlobalGroupPermission

@Nullable
Permission getHighestGlobalGroupPermission(@Nullable
                                                     String groupName)

Get the highest global permission for a group.

Parameters:

groupName - the group name

Returns:

the highest global permission for the group or null if the group has no permissions