RM: Edit capability fixes and inplace capability roles
* capability for inplace user no longer defined by dynamic authorities (inheritance was incorrect) * default roles added to allow capabilities of reader and writer inplace users * record permission inheritance broken .. was on the todo list for a long time, but needed to be done now to ensure the correct inplace permissions were evaluated at the record level * unit tests * TODO ... patches to migrate to 2.1 for new roles and record permission inheritance change git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/HEAD@49215 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
@@ -25,7 +25,9 @@ import java.util.Set;
|
||||
|
||||
import org.alfresco.module.org_alfresco_module_rm.security.ExtendedSecurityService;
|
||||
import org.alfresco.module.org_alfresco_module_rm.test.util.BaseRMTestCase;
|
||||
import org.alfresco.repo.security.authentication.AuthenticationUtil;
|
||||
import org.alfresco.service.cmr.repository.NodeRef;
|
||||
import org.alfresco.util.GUID;
|
||||
|
||||
/**
|
||||
* Records management security service test.
|
||||
@@ -67,8 +69,25 @@ public class ExtendedSecurityServiceImplTest extends BaseRMTestCase
|
||||
moveRecordFolder = rmService.createRecordFolder(moveRecordCategory, "moveRecordFolder");
|
||||
}
|
||||
|
||||
private String createTestUser()
|
||||
{
|
||||
return doTestInTransaction(new Test<String>()
|
||||
{
|
||||
public String run()
|
||||
{
|
||||
String userName = GUID.generate();
|
||||
createPerson(userName);
|
||||
return userName;
|
||||
}
|
||||
}, AuthenticationUtil.getSystemUserName());
|
||||
}
|
||||
|
||||
public void testExtendedSecurity()
|
||||
{
|
||||
final String monkey = createTestUser();
|
||||
final String elephant = createTestUser();
|
||||
final String snake = createTestUser();
|
||||
|
||||
doTestInTransaction(new Test<Void>()
|
||||
{
|
||||
public Void run()
|
||||
@@ -79,16 +98,17 @@ public class ExtendedSecurityServiceImplTest extends BaseRMTestCase
|
||||
assertFalse(extendedSecurityService.hasExtendedSecurity(record));
|
||||
|
||||
assertNull(extendedSecurityService.getExtendedReaders(record));
|
||||
assertNull(extendedSecurityService.getExtendedWriters(record));
|
||||
|
||||
Set<String> extendedReaders = new HashSet<String>(2);
|
||||
extendedReaders.add("monkey");
|
||||
extendedReaders.add("elephant");
|
||||
extendedReaders.add(monkey);
|
||||
extendedReaders.add(elephant);
|
||||
|
||||
extendedSecurityService.addExtendedSecurity(record, extendedReaders, null);
|
||||
|
||||
Map<String, Integer> testMap = new HashMap<String, Integer>(2);
|
||||
testMap.put("monkey", Integer.valueOf(1));
|
||||
testMap.put("elephant", Integer.valueOf(1));
|
||||
testMap.put(monkey, Integer.valueOf(1));
|
||||
testMap.put(elephant, Integer.valueOf(1));
|
||||
|
||||
checkExtendedReaders(filePlan, testMap);
|
||||
checkExtendedReaders(rmContainer, testMap);
|
||||
@@ -96,19 +116,19 @@ public class ExtendedSecurityServiceImplTest extends BaseRMTestCase
|
||||
checkExtendedReaders(record, testMap);
|
||||
|
||||
Set<String> extendedReadersToo = new HashSet<String>(2);
|
||||
extendedReadersToo.add("monkey");
|
||||
extendedReadersToo.add("snake");
|
||||
extendedReadersToo.add(monkey);
|
||||
extendedReadersToo.add(snake);
|
||||
|
||||
extendedSecurityService.addExtendedSecurity(recordToo, extendedReadersToo, null);
|
||||
|
||||
Map<String, Integer> testMapToo = new HashMap<String, Integer>(2);
|
||||
testMapToo.put("monkey", Integer.valueOf(1));
|
||||
testMapToo.put("snake", Integer.valueOf(1));
|
||||
testMapToo.put(monkey, Integer.valueOf(1));
|
||||
testMapToo.put(snake, Integer.valueOf(1));
|
||||
|
||||
Map<String, Integer> testMapThree = new HashMap<String, Integer>(3);
|
||||
testMapThree.put("monkey", Integer.valueOf(2));
|
||||
testMapThree.put("elephant", Integer.valueOf(1));
|
||||
testMapThree.put("snake", Integer.valueOf(1));
|
||||
testMapThree.put(monkey, Integer.valueOf(2));
|
||||
testMapThree.put(elephant, Integer.valueOf(1));
|
||||
testMapThree.put(snake, Integer.valueOf(1));
|
||||
|
||||
checkExtendedReaders(filePlan, testMapThree);
|
||||
checkExtendedReaders(rmContainer, testMapThree);
|
||||
@@ -118,14 +138,14 @@ public class ExtendedSecurityServiceImplTest extends BaseRMTestCase
|
||||
// test remove (with no parent inheritance)
|
||||
|
||||
Set<String> removeMap1 = new HashSet<String>(2);
|
||||
removeMap1.add("elephant");
|
||||
removeMap1.add("monkey");
|
||||
removeMap1.add(elephant);
|
||||
removeMap1.add(monkey);
|
||||
|
||||
extendedSecurityService.removeExtendedSecurity(rmFolder, removeMap1, null, false);
|
||||
|
||||
Map<String, Integer> testMapFour = new HashMap<String, Integer>(2);
|
||||
testMapFour.put("monkey", Integer.valueOf(1));
|
||||
testMapFour.put("snake", Integer.valueOf(1));
|
||||
testMapFour.put(monkey, Integer.valueOf(1));
|
||||
testMapFour.put(snake, Integer.valueOf(1));
|
||||
|
||||
checkExtendedReaders(filePlan, testMapThree);
|
||||
checkExtendedReaders(rmContainer, testMapThree);
|
||||
@@ -135,13 +155,13 @@ public class ExtendedSecurityServiceImplTest extends BaseRMTestCase
|
||||
// test remove (apply to parents)
|
||||
|
||||
Set<String> removeMap2 = new HashSet<String>(1);
|
||||
removeMap2.add("snake");
|
||||
removeMap2.add(snake);
|
||||
|
||||
extendedSecurityService.removeExtendedSecurity(recordToo, removeMap2, null, true);
|
||||
|
||||
testMapThree.remove("snake");
|
||||
testMapFour.remove("snake");
|
||||
testMapToo.remove("snake");
|
||||
testMapThree.remove(snake);
|
||||
testMapFour.remove(snake);
|
||||
testMapToo.remove(snake);
|
||||
|
||||
checkExtendedReaders(filePlan, testMapThree);
|
||||
checkExtendedReaders(rmContainer, testMapThree);
|
||||
@@ -155,14 +175,17 @@ public class ExtendedSecurityServiceImplTest extends BaseRMTestCase
|
||||
|
||||
public void testMove()
|
||||
{
|
||||
final String monkey = createTestUser();
|
||||
final String elephant = createTestUser();
|
||||
|
||||
doTestInTransaction(new Test<Void>()
|
||||
{
|
||||
Map<String, Integer> testMap = new HashMap<String, Integer>(2);
|
||||
|
||||
public Void run() throws Exception
|
||||
{
|
||||
testMap.put("monkey", Integer.valueOf(1));
|
||||
testMap.put("elephant", Integer.valueOf(1));
|
||||
testMap.put(monkey, Integer.valueOf(1));
|
||||
testMap.put(elephant, Integer.valueOf(1));
|
||||
|
||||
assertFalse(extendedSecurityService.hasExtendedSecurity(filePlan));
|
||||
assertFalse(extendedSecurityService.hasExtendedSecurity(rmContainer));
|
||||
@@ -174,8 +197,8 @@ public class ExtendedSecurityServiceImplTest extends BaseRMTestCase
|
||||
assertNull(extendedSecurityService.getExtendedReaders(record));
|
||||
|
||||
Set<String> extendedReaders = new HashSet<String>(2);
|
||||
extendedReaders.add("monkey");
|
||||
extendedReaders.add("elephant");
|
||||
extendedReaders.add(monkey);
|
||||
extendedReaders.add(elephant);
|
||||
|
||||
extendedSecurityService.addExtendedSecurity(record, extendedReaders, null);
|
||||
|
||||
|
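Review bot: The new createTestUser() helper in hunk @@ -67,8 +69,25 @@ creates a person with a random GUID user name while authenticated as the system user, and nothing in either test removes it, so each run of testExtendedSecurity and testMove leaves its three or two generated persons behind in the repository. On a shared or long-lived test database those accumulate; I would keep the generated names in a list and delete the persons in tearDown() under the same system authentication (createPerson itself is defined outside this hunk, so its cleanup counterpart is not visible here), or at least document the behaviour on the helper: `/** Creates a person with a random GUID user name as the system user; the caller is responsible for removing it. */`. Note also that, although the readers are now real users, every assertion in this file still goes through checkExtendedReaders and only verifies the per-authority reference counts — no transaction authenticates as monkey, elephant or snake to confirm that access to the record is actually granted, and denied again after removeExtendedSecurity — so a regression in how those authorities are actually evaluated for access would not be caught here. The body of testMove runs past the end of the last hunk.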
@@ -19,6 +19,7 @@
|
||||
package org.alfresco.module.org_alfresco_module_rm.test.service;
|
||||
|
||||
import java.util.Arrays;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
|
||||
@@ -27,8 +28,11 @@ import org.alfresco.module.org_alfresco_module_rm.capability.Capability;
|
||||
import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel;
|
||||
import org.alfresco.module.org_alfresco_module_rm.dod5015.DOD5015Model;
|
||||
import org.alfresco.module.org_alfresco_module_rm.record.RecordService;
|
||||
import org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService;
|
||||
import org.alfresco.module.org_alfresco_module_rm.role.Role;
|
||||
import org.alfresco.module.org_alfresco_module_rm.security.ExtendedReaderDynamicAuthority;
|
||||
import org.alfresco.module.org_alfresco_module_rm.security.ExtendedSecurityService;
|
||||
import org.alfresco.module.org_alfresco_module_rm.security.ExtendedWriterDynamicAuthority;
|
||||
import org.alfresco.module.org_alfresco_module_rm.test.util.BaseRMTestCase;
|
||||
import org.alfresco.repo.content.MimetypeMap;
|
||||
import org.alfresco.repo.security.authentication.AuthenticationUtil;
|
||||
@@ -36,6 +40,7 @@ import org.alfresco.repo.security.permissions.AccessDeniedException;
|
||||
import org.alfresco.service.cmr.action.ActionService;
|
||||
import org.alfresco.service.cmr.repository.ContentWriter;
|
||||
import org.alfresco.service.cmr.repository.NodeRef;
|
||||
import org.alfresco.service.cmr.security.AccessPermission;
|
||||
import org.alfresco.service.cmr.security.AccessStatus;
|
||||
import org.alfresco.service.cmr.security.PermissionService;
|
||||
import org.alfresco.service.namespace.QName;
|
||||
@@ -188,6 +193,86 @@ public class RecordServiceImplTest extends BaseRMTestCase
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
public void testExtendedWriters() throws Exception
|
||||
{
|
||||
final ExtendedReaderDynamicAuthority readerDy = (ExtendedReaderDynamicAuthority)applicationContext.getBean("extendedReaderDynamicAuthority");
|
||||
final ExtendedWriterDynamicAuthority writerDy = (ExtendedWriterDynamicAuthority)applicationContext.getBean("extendedWriterDynamicAuthority");
|
||||
|
||||
doTestInTransaction(new Test<Void>()
|
||||
{
|
||||
@Override
|
||||
public Void run()
|
||||
{
|
||||
assertNull(extendedSecurityService.getExtendedReaders(recordOne));
|
||||
assertNull(extendedSecurityService.getExtendedWriters(recordOne));
|
||||
|
||||
assertFalse(readerDy.hasAuthority(recordOne, dmCollaborator));
|
||||
assertFalse(writerDy.hasAuthority(recordOne, dmCollaborator));
|
||||
|
||||
assertFalse(readerDy.hasAuthority(filePlan, dmCollaborator));
|
||||
assertFalse(writerDy.hasAuthority(filePlan, dmCollaborator));
|
||||
|
||||
return null;
|
||||
}
|
||||
}, dmCollaborator);
|
||||
|
||||
doTestInTransaction(new Test<Void>()
|
||||
{
|
||||
@Override
|
||||
public Void run()
|
||||
{
|
||||
assertEquals(AccessStatus.DENIED, permissionService.hasPermission(recordOne, RMPermissionModel.READ_RECORDS));
|
||||
assertEquals(AccessStatus.DENIED, permissionService.hasPermission(recordOne, RMPermissionModel.FILING));
|
||||
|
||||
assertFalse(readerDy.hasAuthority(recordOne, dmCollaborator));
|
||||
assertFalse(writerDy.hasAuthority(recordOne, dmCollaborator));
|
||||
|
||||
assertEquals(AccessStatus.DENIED, permissionService.hasPermission(filePlan, RMPermissionModel.VIEW_RECORDS));
|
||||
assertEquals(AccessStatus.DENIED, permissionService.hasPermission(filePlan, RMPermissionModel.EDIT_NON_RECORD_METADATA));
|
||||
|
||||
assertFalse(readerDy.hasAuthority(filePlan, dmCollaborator));
|
||||
assertFalse(writerDy.hasAuthority(filePlan, dmCollaborator));
|
||||
|
||||
return null;
|
||||
}
|
||||
}, dmCollaborator);
|
||||
|
||||
doTestInTransaction(new Test<Void>()
|
||||
{
|
||||
@Override
|
||||
public Void run()
|
||||
{
|
||||
Set<String> writers = new HashSet<String>(1);
|
||||
writers.add(dmCollaborator);
|
||||
extendedSecurityService.addExtendedSecurity(recordOne, null, writers);
|
||||
|
||||
assertNull(extendedSecurityService.getExtendedReaders(recordOne));
|
||||
assertFalse(extendedSecurityService.getExtendedWriters(recordOne).isEmpty());
|
||||
|
||||
return null;
|
||||
}
|
||||
});
|
||||
|
||||
doTestInTransaction(new Test<Void>()
|
||||
{
|
||||
@Override
|
||||
public Void run()
|
||||
{
|
||||
assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(recordOne, RMPermissionModel.READ_RECORDS));
|
||||
assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(recordOne, RMPermissionModel.FILING));
|
||||
|
||||
assertFalse(readerDy.hasAuthority(recordOne, dmCollaborator));
|
||||
assertTrue(writerDy.hasAuthority(recordOne, dmCollaborator));
|
||||
|
||||
assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(filePlan, RMPermissionModel.VIEW_RECORDS));
|
||||
assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(filePlan, RMPermissionModel.EDIT_NON_RECORD_METADATA));
|
||||
|
||||
return null;
|
||||
}
|
||||
}, dmCollaborator);
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* @see RecordService#createRecord(org.alfresco.service.cmr.repository.NodeRef,
|
||||
@@ -240,6 +325,8 @@ public class RecordServiceImplTest extends BaseRMTestCase
|
||||
AccessStatus.DENIED, // record category
|
||||
AccessStatus.DENIED, // record folder
|
||||
AccessStatus.ALLOWED); // doc/record
|
||||
|
||||
permissionReport();
|
||||
|
||||
assertEquals(AccessStatus.ALLOWED, dmPermissionService.hasPermission(filePlan,
|
||||
RMPermissionModel.VIEW_RECORDS));
|
||||
@@ -266,9 +353,9 @@ public class RecordServiceImplTest extends BaseRMTestCase
|
||||
// ****
|
||||
// Capability Tests
|
||||
// ****
|
||||
|
||||
|
||||
assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(filePlan,
|
||||
RMPermissionModel.VIEW_RECORDS));
|
||||
RMPermissionModel.VIEW_RECORDS));
|
||||
assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(filePlan,
|
||||
RMPermissionModel.EDIT_NON_RECORD_METADATA));
|
||||
|
||||
@@ -307,7 +394,7 @@ public class RecordServiceImplTest extends BaseRMTestCase
|
||||
|
||||
assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(filePlan,
|
||||
RMPermissionModel.VIEW_RECORDS));
|
||||
assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(filePlan,
|
||||
assertEquals(AccessStatus.DENIED, permissionService.hasPermission(filePlan,
|
||||
RMPermissionModel.EDIT_NON_RECORD_METADATA));
|
||||
|
||||
Capability filling = capabilityService.getCapability("FileRecords");
|
||||
@@ -323,6 +410,40 @@ public class RecordServiceImplTest extends BaseRMTestCase
|
||||
}
|
||||
}, dmConsumer);
|
||||
}
|
||||
|
||||
private void permissionReport()
|
||||
{
|
||||
Set<String> writers = extendedSecurityService.getExtendedWriters(dmDocument);
|
||||
for (String writer : writers)
|
||||
{
|
||||
System.out.println("writer: " + writer);
|
||||
}
|
||||
|
||||
System.out.println("Users assigned to extended writers role:");
|
||||
Set<String> assignedUsers = filePlanRoleService.getUsersAssignedToRole(filePlan, FilePlanRoleService.ROLE_EXTENDED_WRITERS);
|
||||
for (String assignedUser : assignedUsers)
|
||||
{
|
||||
System.out.println(" ... " + assignedUser);
|
||||
}
|
||||
|
||||
PermissionService ps = (PermissionService)applicationContext.getBean("permissionService");
|
||||
|
||||
Set<AccessPermission> perms = ps.getAllSetPermissions(filePlan);
|
||||
for (AccessPermission perm : perms)
|
||||
{
|
||||
if (perm.getPermission().contains(RMPermissionModel.EDIT_NON_RECORD_METADATA))
|
||||
{
|
||||
System.out.println(" ... " + perm.getAuthority() + " - " + perm.getPermission() + " - " + perm.getAccessStatus().toString());
|
||||
}
|
||||
}
|
||||
for (AccessPermission perm : perms)
|
||||
{
|
||||
if (perm.getPermission().contains(RMPermissionModel.VIEW_RECORDS))
|
||||
{
|
||||
System.out.println(" ... " + perm.getAuthority() + " - " + perm.getPermission() + " - " + perm.getAccessStatus().toString());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public void testCreateRecordNoLink() throws Exception
|
||||
{
|
||||
@@ -565,6 +686,8 @@ public class RecordServiceImplTest extends BaseRMTestCase
|
||||
@Override
|
||||
public void runImpl() throws Exception
|
||||
{
|
||||
assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(recordOne, RMPermissionModel.READ_RECORDS));
|
||||
|
||||
assertFalse(recordService.isPropertyEditable(recordOne, PROP_ORIGINATING_ORGANIZATION));
|
||||
assertFalse(recordService.isPropertyEditable(recordOne, PROP_DESCRIPTION));
|
||||
assertFalse(recordService.isPropertyEditable(recordDeclaredOne, PROP_ORIGINATING_ORGANIZATION));
|
||||
@@ -674,24 +797,6 @@ public class RecordServiceImplTest extends BaseRMTestCase
|
||||
|
||||
}
|
||||
|
||||
public abstract class CommitPropertyFailTest extends Test<Void>
|
||||
{
|
||||
@Override
|
||||
public Void run() throws Exception
|
||||
{
|
||||
// TODO Auto-generated method stub
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void test(Void result) throws Exception
|
||||
{
|
||||
// TODO Auto-generated method stub
|
||||
super.test(result);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
private void cantEditProperty(final NodeRef nodeRef, final QName property, String user) throws Exception
|
||||
{
|
||||
boolean failure = false;
|
||||
|
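Review bot: permissionReport() in hunk @@ -323,6 +410,40 @@ is debugging output committed into the test: it prints every extended writer of dmDocument, every member of ROLE_EXTENDED_WRITERS and every authority holding EDIT_NON_RECORD_METADATA or VIEW_RECORDS on the file plan to System.out, and the call added in hunk @@ -240,6 +325,8 @@ runs it on every execution of that test. It also iterates the result of `extendedSecurityService.getExtendedWriters(dmDocument)` with no null check, although testExtendedWriters in this same commit asserts with assertNull that getExtendedWriters returns null when nothing has been set, so the report would fail with a NullPointerException if dmDocument had no extended writers at that point. I would remove the method and its call before merging, or at minimum guard both loops against null and route the output through the test logger instead of System.out. Separately, testExtendedWriters checks that granting dmCollaborator as an extended writer flips READ_RECORDS and FILING to ALLOWED but never revokes the grant; a further transaction calling `extendedSecurityService.removeExtendedSecurity(recordOne, null, writers, false);` (argument order presumed to mirror addExtendedSecurity) followed by the original DENIED assertions would cover the revocation path, which is the more security-relevant half of the contract.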