RM-7062 Check hold permission for view audit event
@@ -941,6 +941,7 @@
|
|||||||
<property name="namespaceService" ref="NamespaceService" />
|
<property name="namespaceService" ref="NamespaceService" />
|
||||||
<property name="capabilityService" ref="CapabilityService" />
|
<property name="capabilityService" ref="CapabilityService" />
|
||||||
<property name="permissionService" ref="PermissionService" />
|
<property name="permissionService" ref="PermissionService" />
|
||||||
|
<property name="holdService" ref="HoldService" />
|
||||||
<property name="ignoredAuditProperties">
|
<property name="ignoredAuditProperties">
|
||||||
<list>
|
<list>
|
||||||
<value>cm:lastThumbnailModification</value>
|
<value>cm:lastThumbnailModification</value>
|
||||||
@@ -1533,7 +1534,6 @@
|
|||||||
<property name="recordService" ref="RecordService" />
|
<property name="recordService" ref="RecordService" />
|
||||||
<property name="recordFolderService" ref="RecordFolderService" />
|
<property name="recordFolderService" ref="RecordFolderService" />
|
||||||
<property name="permissionService" ref="PermissionService"/>
|
<property name="permissionService" ref="PermissionService"/>
|
||||||
<property name="recordsManagementAuditService" ref="RecordsManagementAuditService" />
|
|
||||||
<property name="capabilityService" ref="CapabilityService"/>
|
<property name="capabilityService" ref="CapabilityService"/>
|
||||||
<property name="policyComponent" ref="policyComponent"/>
|
<property name="policyComponent" ref="policyComponent"/>
|
||||||
</bean>
|
</bean>
|
||||||
|
@@ -47,6 +47,7 @@ import java.util.Calendar;
|
|||||||
import java.util.Collections;
|
import java.util.Collections;
|
||||||
import java.util.Date;
|
import java.util.Date;
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
|
import java.util.HashSet;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Locale;
|
import java.util.Locale;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
@@ -60,10 +61,14 @@ import org.alfresco.module.org_alfresco_module_rm.action.RecordsManagementAction
|
|||||||
import org.alfresco.module.org_alfresco_module_rm.audit.event.AuditEvent;
|
import org.alfresco.module.org_alfresco_module_rm.audit.event.AuditEvent;
|
||||||
import org.alfresco.module.org_alfresco_module_rm.capability.CapabilityService;
|
import org.alfresco.module.org_alfresco_module_rm.capability.CapabilityService;
|
||||||
import org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService;
|
import org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService;
|
||||||
|
import org.alfresco.module.org_alfresco_module_rm.hold.HoldService;
|
||||||
|
import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel;
|
||||||
import org.alfresco.repo.audit.AuditComponent;
|
import org.alfresco.repo.audit.AuditComponent;
|
||||||
import org.alfresco.repo.audit.model.AuditApplication;
|
import org.alfresco.repo.audit.model.AuditApplication;
|
||||||
import org.alfresco.repo.content.MimetypeMap;
|
import org.alfresco.repo.content.MimetypeMap;
|
||||||
import org.alfresco.repo.policy.PolicyComponent;
|
import org.alfresco.repo.policy.PolicyComponent;
|
||||||
|
import org.alfresco.repo.security.authentication.AuthenticationUtil;
|
||||||
|
import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
|
||||||
import org.alfresco.repo.transaction.AlfrescoTransactionSupport;
|
import org.alfresco.repo.transaction.AlfrescoTransactionSupport;
|
||||||
import org.alfresco.repo.transaction.RetryingTransactionHelper;
|
import org.alfresco.repo.transaction.RetryingTransactionHelper;
|
||||||
import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback;
|
import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback;
|
||||||
@@ -194,6 +199,8 @@ public class RecordsManagementAuditServiceImpl extends AbstractLifecycleBean
|
|||||||
private static final String AUDIT_EVENT_VIEW = "audit.view";
|
private static final String AUDIT_EVENT_VIEW = "audit.view";
|
||||||
private static final String MSG_AUDIT_VIEW = "rm.audit.audit-view";
|
private static final String MSG_AUDIT_VIEW = "rm.audit.audit-view";
|
||||||
|
|
||||||
|
private static final QName PROPERTY_HOLD_NAME = QName.createQName(RecordsManagementModel.RM_URI, "Hold Name");
|
||||||
|
|
||||||
private PolicyComponent policyComponent;
|
private PolicyComponent policyComponent;
|
||||||
private DictionaryService dictionaryService;
|
private DictionaryService dictionaryService;
|
||||||
private TransactionService transactionService;
|
private TransactionService transactionService;
|
||||||
@@ -207,6 +214,7 @@ public class RecordsManagementAuditServiceImpl extends AbstractLifecycleBean
|
|||||||
private NamespaceService namespaceService;
|
private NamespaceService namespaceService;
|
||||||
protected CapabilityService capabilityService;
|
protected CapabilityService capabilityService;
|
||||||
protected PermissionService permissionService;
|
protected PermissionService permissionService;
|
||||||
|
protected HoldService holdService;
|
||||||
|
|
||||||
private boolean shutdown = false;
|
private boolean shutdown = false;
|
||||||
|
|
||||||
@@ -332,6 +340,15 @@ public class RecordsManagementAuditServiceImpl extends AbstractLifecycleBean
|
|||||||
this.permissionService = permissionService;
|
this.permissionService = permissionService;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
*
|
||||||
|
* @param holdService
|
||||||
|
*/
|
||||||
|
public void setHoldService(HoldService holdService)
|
||||||
|
{
|
||||||
|
this.holdService = holdService;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @see org.alfresco.module.org_alfresco_module_rm.audit.RecordsManagementAuditService#registerAuditEvent(java.lang.String, java.lang.String)
|
* @see org.alfresco.module.org_alfresco_module_rm.audit.RecordsManagementAuditService#registerAuditEvent(java.lang.String, java.lang.String)
|
||||||
*/
|
*/
|
||||||
@@ -686,7 +703,8 @@ public class RecordsManagementAuditServiceImpl extends AbstractLifecycleBean
|
|||||||
/**
|
/**
|
||||||
* Helper method to remove system properties from maps
|
* Helper method to remove system properties from maps
|
||||||
*
|
*
|
||||||
* @param properties
|
* @param before
|
||||||
|
* @param after
|
||||||
*/
|
*/
|
||||||
private void removeAuditProperties(Map<QName, Serializable> before, Map<QName, Serializable> after)
|
private void removeAuditProperties(Map<QName, Serializable> before, Map<QName, Serializable> after)
|
||||||
{
|
{
|
||||||
@@ -997,13 +1015,33 @@ public class RecordsManagementAuditServiceImpl extends AbstractLifecycleBean
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (nodeRef != null && nodeService.exists(nodeRef) &&
|
if (nodeRef != null && nodeService.exists(nodeRef))
|
||||||
((filePlanService.isFilePlanComponent(nodeRef) &&
|
|
||||||
!AccessStatus.ALLOWED.equals(
|
|
||||||
capabilityService.getCapabilityAccessState(nodeRef, ACCESS_AUDIT_CAPABILITY)))
|
|
||||||
|| (!AccessStatus.ALLOWED.equals(permissionService.hasPermission(nodeRef, PermissionService.READ)))))
|
|
||||||
{
|
{
|
||||||
return true;
|
if ((filePlanService.isFilePlanComponent(nodeRef) &&
|
||||||
|
!AccessStatus.ALLOWED.equals(
|
||||||
|
capabilityService.getCapabilityAccessState(nodeRef, ACCESS_AUDIT_CAPABILITY))) ||
|
||||||
|
(!AccessStatus.ALLOWED.equals(permissionService.hasPermission(nodeRef, PermissionService.READ))))
|
||||||
|
{
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
// must have read permission on hold to see hold events
|
||||||
|
else
|
||||||
|
{
|
||||||
|
// get hold names, if any, from event properties
|
||||||
|
Set<String> holdNames = new HashSet<>(2);
|
||||||
|
addHoldNameFromProperties(holdNames, beforeProperties);
|
||||||
|
addHoldNameFromProperties(holdNames, afterProperties);
|
||||||
|
|
||||||
|
// check permission for all hold names found in event properties
|
||||||
|
for (String holdName: holdNames)
|
||||||
|
{
|
||||||
|
if (!AccessStatus.ALLOWED.equals(permissionService.hasPermission(getHold(holdName),
|
||||||
|
PermissionService.READ)))
|
||||||
|
{
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO: Refactor this to use the builder pattern
|
// TODO: Refactor this to use the builder pattern
|
||||||
@@ -1039,6 +1077,33 @@ public class RecordsManagementAuditServiceImpl extends AbstractLifecycleBean
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Helper method to extract the hold name, if any, from the given event properties
|
||||||
|
* @param holdNames set of hold names
|
||||||
|
* @param eventProperties event properties
|
||||||
|
*/
|
||||||
|
private void addHoldNameFromProperties(Set<String> holdNames, Map<QName, Serializable> eventProperties)
|
||||||
|
{
|
||||||
|
String name = eventProperties != null ? (String) eventProperties.get(PROPERTY_HOLD_NAME) : null;
|
||||||
|
if (name != null)
|
||||||
|
{
|
||||||
|
holdNames.add(name);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Helper method to get the hold for a given hold name
|
||||||
|
* @param holdName hold name
|
||||||
|
* @return node ref of hold
|
||||||
|
*/
|
||||||
|
private NodeRef getHold(String holdName)
|
||||||
|
{
|
||||||
|
return AuthenticationUtil.runAsSystem(() -> {
|
||||||
|
NodeRef filePlan = filePlanService.getFilePlanBySiteId(FilePlanService.DEFAULT_RM_SITE_ID);
|
||||||
|
return holdService.getHold(filePlan, holdName);
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
private void writeEntryToFile(RecordsManagementAuditEntry entry)
|
private void writeEntryToFile(RecordsManagementAuditEntry entry)
|
||||||
{
|
{
|
||||||
if (writer == null)
|
if (writer == null)
|
||||||
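Review bot: In the new `else` branch of the audit-entry filter, the result of `getHold(holdName)` goes straight into `permissionService.hasPermission(...)`, yet `getHold` looks the hold up by its current name in the file plan of `FilePlanService.DEFAULT_RM_SITE_ID` only, so it can presumably return null for a hold that was deleted or renamed after the event was recorded, or that lives in another file plan. How `hasPermission` treats a null node is not visible on this page; if it answers ALLOWED, those hold events are shown to users who never had read access to the hold. The hold check also sits inside `if (nodeRef != null && nodeService.exists(nodeRef))`, so it is skipped entirely for entries whose audited node no longer exists. I would resolve the hold first and make the unresolved case an explicit decision, e.g. `NodeRef hold = getHold(holdName);` then `if (hold == null || !AccessStatus.ALLOWED.equals(permissionService.hasPermission(hold, PermissionService.READ))) { return true; }`, and run the loop outside the node-exists guard. The enclosing method starts before this hunk, so the origin of `beforeProperties` and `afterProperties` should be confirmed there.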
|
@@ -43,7 +43,6 @@ import java.util.stream.Stream;
|
|||||||
|
|
||||||
import org.alfresco.error.AlfrescoRuntimeException;
|
import org.alfresco.error.AlfrescoRuntimeException;
|
||||||
import org.alfresco.model.ContentModel;
|
import org.alfresco.model.ContentModel;
|
||||||
import org.alfresco.module.org_alfresco_module_rm.audit.RecordsManagementAuditService;
|
|
||||||
import org.alfresco.module.org_alfresco_module_rm.capability.CapabilityService;
|
import org.alfresco.module.org_alfresco_module_rm.capability.CapabilityService;
|
||||||
import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel;
|
import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel;
|
||||||
import org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService;
|
import org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService;
|
||||||
@@ -119,9 +118,6 @@ public class HoldServiceImpl extends ServiceBaseImpl
|
|||||||
/** Permission service */
|
/** Permission service */
|
||||||
private PermissionService permissionService;
|
private PermissionService permissionService;
|
||||||
|
|
||||||
/** records management audit service */
|
|
||||||
private RecordsManagementAuditService recordsManagementAuditService;
|
|
||||||
|
|
||||||
/** Capability service */
|
/** Capability service */
|
||||||
private CapabilityService capabilityService;
|
private CapabilityService capabilityService;
|
||||||
|
|
||||||
@@ -168,14 +164,6 @@ public class HoldServiceImpl extends ServiceBaseImpl
|
|||||||
this.permissionService = permissionService;
|
this.permissionService = permissionService;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* @param recordsManagementAuditService records management audit service
|
|
||||||
*/
|
|
||||||
public void setRecordsManagementAuditService(RecordsManagementAuditService recordsManagementAuditService)
|
|
||||||
{
|
|
||||||
this.recordsManagementAuditService = recordsManagementAuditService;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @param capabilityService capability service
|
* @param capabilityService capability service
|
||||||
*/
|
*/
|
||||||
|