From 050ab580eebb471203cf516dd3b27c64a59f804b Mon Sep 17 00:00:00 2001 From: Sara Aspery Date: Thu, 5 Dec 2019 05:11:53 +0000 Subject: [PATCH] RM-7062 Check hold permission for view audit event --- .../rm-service-context.xml | 2 +- .../RecordsManagementAuditServiceImpl.java | 79 +++++++++++++++++-- .../hold/HoldServiceImpl.java | 12 --- 3 files changed, 73 insertions(+), 20 deletions(-) diff --git a/rm-community/rm-community-repo/config/alfresco/module/org_alfresco_module_rm/rm-service-context.xml b/rm-community/rm-community-repo/config/alfresco/module/org_alfresco_module_rm/rm-service-context.xml index ccaba88ffc..3b5c7eee06 100644 --- a/rm-community/rm-community-repo/config/alfresco/module/org_alfresco_module_rm/rm-service-context.xml +++ b/rm-community/rm-community-repo/config/alfresco/module/org_alfresco_module_rm/rm-service-context.xml @@ -941,6 +941,7 @@ + cm:lastThumbnailModification @@ -1533,7 +1534,6 @@ - diff --git a/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/audit/RecordsManagementAuditServiceImpl.java b/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/audit/RecordsManagementAuditServiceImpl.java index 770d05d3b1..9d191de947 100644 --- a/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/audit/RecordsManagementAuditServiceImpl.java +++ b/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/audit/RecordsManagementAuditServiceImpl.java @@ -47,6 +47,7 @@ import java.util.Calendar; import java.util.Collections; import java.util.Date; import java.util.HashMap; +import java.util.HashSet; import java.util.List; import java.util.Locale; import java.util.Map; @@ -60,10 +61,14 @@ import org.alfresco.module.org_alfresco_module_rm.action.RecordsManagementAction import org.alfresco.module.org_alfresco_module_rm.audit.event.AuditEvent; import org.alfresco.module.org_alfresco_module_rm.capability.CapabilityService; import org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService; +import org.alfresco.module.org_alfresco_module_rm.hold.HoldService; +import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel; import org.alfresco.repo.audit.AuditComponent; import org.alfresco.repo.audit.model.AuditApplication; import org.alfresco.repo.content.MimetypeMap; import org.alfresco.repo.policy.PolicyComponent; +import org.alfresco.repo.security.authentication.AuthenticationUtil; +import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork; import org.alfresco.repo.transaction.AlfrescoTransactionSupport; import org.alfresco.repo.transaction.RetryingTransactionHelper; import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback; @@ -194,6 +199,8 @@ public class RecordsManagementAuditServiceImpl extends AbstractLifecycleBean private static final String AUDIT_EVENT_VIEW = "audit.view"; private static final String MSG_AUDIT_VIEW = "rm.audit.audit-view"; + private static final QName PROPERTY_HOLD_NAME = QName.createQName(RecordsManagementModel.RM_URI, "Hold Name"); + private PolicyComponent policyComponent; private DictionaryService dictionaryService; private TransactionService transactionService; @@ -207,6 +214,7 @@ public class RecordsManagementAuditServiceImpl extends AbstractLifecycleBean private NamespaceService namespaceService; protected CapabilityService capabilityService; protected PermissionService permissionService; + protected HoldService holdService; private boolean shutdown = false; @@ -332,6 +340,15 @@ public class RecordsManagementAuditServiceImpl extends AbstractLifecycleBean this.permissionService = permissionService; } + /** + * + * @param holdService + */ + public void setHoldService(HoldService holdService) + { + this.holdService = holdService; + } + /** * @see org.alfresco.module.org_alfresco_module_rm.audit.RecordsManagementAuditService#registerAuditEvent(java.lang.String, java.lang.String) */ @@ -686,7 +703,8 @@ public class RecordsManagementAuditServiceImpl extends AbstractLifecycleBean /** * Helper method to remove system properties from maps * - * @param properties + * @param before + * @param after */ private void removeAuditProperties(Map before, Map after) { @@ -997,13 +1015,33 @@ public class RecordsManagementAuditServiceImpl extends AbstractLifecycleBean return true; } - if (nodeRef != null && nodeService.exists(nodeRef) && - ((filePlanService.isFilePlanComponent(nodeRef) && - !AccessStatus.ALLOWED.equals( - capabilityService.getCapabilityAccessState(nodeRef, ACCESS_AUDIT_CAPABILITY))) - || (!AccessStatus.ALLOWED.equals(permissionService.hasPermission(nodeRef, PermissionService.READ))))) + if (nodeRef != null && nodeService.exists(nodeRef)) { - return true; + if ((filePlanService.isFilePlanComponent(nodeRef) && + !AccessStatus.ALLOWED.equals( + capabilityService.getCapabilityAccessState(nodeRef, ACCESS_AUDIT_CAPABILITY))) || + (!AccessStatus.ALLOWED.equals(permissionService.hasPermission(nodeRef, PermissionService.READ)))) + { + return true; + } + // must have read permission on hold to see hold events + else + { + // get hold names, if any, from event properties + Set holdNames = new HashSet<>(2); + addHoldNameFromProperties(holdNames, beforeProperties); + addHoldNameFromProperties(holdNames, afterProperties); + + // check permission for all hold names found in event properties + for (String holdName: holdNames) + { + if (!AccessStatus.ALLOWED.equals(permissionService.hasPermission(getHold(holdName), + PermissionService.READ))) + { + return true; + } + } + } } // TODO: Refactor this to use the builder pattern @@ -1039,6 +1077,33 @@ public class RecordsManagementAuditServiceImpl extends AbstractLifecycleBean return true; } + /** + * Helper method to extract the hold name, if any, from the given event properties + * @param holdNames set of hold names + * @param eventProperties event properties + */ + private void addHoldNameFromProperties(Set holdNames, Map eventProperties) + { + String name = eventProperties != null ? (String) eventProperties.get(PROPERTY_HOLD_NAME) : null; + if (name != null) + { + holdNames.add(name); + } + } + + /** + * Helper method to get the hold for a given hold name + * @param holdName hold name + * @return node ref of hold + */ + private NodeRef getHold(String holdName) + { + return AuthenticationUtil.runAsSystem(() -> { + NodeRef filePlan = filePlanService.getFilePlanBySiteId(FilePlanService.DEFAULT_RM_SITE_ID); + return holdService.getHold(filePlan, holdName); + }); + } + private void writeEntryToFile(RecordsManagementAuditEntry entry) { if (writer == null) diff --git a/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/hold/HoldServiceImpl.java b/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/hold/HoldServiceImpl.java index 756dda7b85..1eea10cee3 100644 --- a/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/hold/HoldServiceImpl.java +++ b/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/hold/HoldServiceImpl.java @@ -43,7 +43,6 @@ import java.util.stream.Stream; import org.alfresco.error.AlfrescoRuntimeException; import org.alfresco.model.ContentModel; -import org.alfresco.module.org_alfresco_module_rm.audit.RecordsManagementAuditService; import org.alfresco.module.org_alfresco_module_rm.capability.CapabilityService; import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel; import org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService; @@ -119,9 +118,6 @@ public class HoldServiceImpl extends ServiceBaseImpl /** Permission service */ private PermissionService permissionService; - /** records management audit service */ - private RecordsManagementAuditService recordsManagementAuditService; - /** Capability service */ private CapabilityService capabilityService; @@ -168,14 +164,6 @@ public class HoldServiceImpl extends ServiceBaseImpl this.permissionService = permissionService; } - /** - * @param recordsManagementAuditService records management audit service - */ - public void setRecordsManagementAuditService(RecordsManagementAuditService recordsManagementAuditService) - { - this.recordsManagementAuditService = recordsManagementAuditService; - } - /** * @param capabilityService capability service */