inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-07-31 17:39:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

RM-7062 Check hold permission for view audit event

Browse Source
This commit is contained in:
Sara Aspery
2019-12-05 05:11:53 +00:00
parent fb6ca169a0
commit 050ab580ee
3 changed files with 73 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
rm-community/rm-community-repo/config/alfresco/module/org_alfresco_module_rm/rm-service-context.xml
View File

@@ -941,6 +941,7 @@
<property name="namespaceService" ref="NamespaceService" />
<property name="capabilityService" ref="CapabilityService" />
<property name="permissionService" ref="PermissionService" />
<property name="holdService" ref="HoldService" />
<property name="ignoredAuditProperties">
<list>
<value>cm:lastThumbnailModification</value>
@@ -1533,7 +1534,6 @@
<property name="recordService" ref="RecordService" />
<property name="recordFolderService" ref="RecordFolderService" />
<property name="permissionService" ref="PermissionService"/>
<property name="recordsManagementAuditService" ref="RecordsManagementAuditService" />
<property name="capabilityService" ref="CapabilityService"/>
<property name="policyComponent" ref="policyComponent"/>
</bean>

79
rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/audit/RecordsManagementAuditServiceImpl.java
View File

@@ -47,6 +47,7 @@ import java.util.Calendar;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
@@ -60,10 +61,14 @@ import org.alfresco.module.org_alfresco_module_rm.action.RecordsManagementAction
import org.alfresco.module.org_alfresco_module_rm.audit.event.AuditEvent;
import org.alfresco.module.org_alfresco_module_rm.capability.CapabilityService;
import org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService;
import org.alfresco.module.org_alfresco_module_rm.hold.HoldService;
import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel;
import org.alfresco.repo.audit.AuditComponent;
import org.alfresco.repo.audit.model.AuditApplication;
import org.alfresco.repo.content.MimetypeMap;
import org.alfresco.repo.policy.PolicyComponent;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
import org.alfresco.repo.transaction.AlfrescoTransactionSupport;
import org.alfresco.repo.transaction.RetryingTransactionHelper;
import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback;
@@ -194,6 +199,8 @@ public class RecordsManagementAuditServiceImpl extends AbstractLifecycleBean
private static final String AUDIT_EVENT_VIEW = "audit.view";
private static final String MSG_AUDIT_VIEW = "rm.audit.audit-view";
private static final QName PROPERTY_HOLD_NAME = QName.createQName(RecordsManagementModel.RM_URI, "Hold Name");
private PolicyComponent policyComponent;
private DictionaryService dictionaryService;
private TransactionService transactionService;
@@ -207,6 +214,7 @@ public class RecordsManagementAuditServiceImpl extends AbstractLifecycleBean
private NamespaceService namespaceService;
protected CapabilityService capabilityService;
protected PermissionService permissionService;
protected HoldService holdService;
private boolean shutdown = false;
@@ -332,6 +340,15 @@ public class RecordsManagementAuditServiceImpl extends AbstractLifecycleBean
this.permissionService = permissionService;
}
/**
*
* @param holdService
*/
public void setHoldService(HoldService holdService)
{
this.holdService = holdService;
}
/**
* @see org.alfresco.module.org_alfresco_module_rm.audit.RecordsManagementAuditService#registerAuditEvent(java.lang.String, java.lang.String)
*/
@@ -686,7 +703,8 @@ public class RecordsManagementAuditServiceImpl extends AbstractLifecycleBean
/**
* Helper method to remove system properties from maps
*
* @param properties
* @param before
* @param after
*/
private void removeAuditProperties(Map<QName, Serializable> before, Map<QName, Serializable> after)
{
@@ -997,13 +1015,33 @@ public class RecordsManagementAuditServiceImpl extends AbstractLifecycleBean
return true;
}
if (nodeRef != null && nodeService.exists(nodeRef) &&
((filePlanService.isFilePlanComponent(nodeRef) &&
!AccessStatus.ALLOWED.equals(
capabilityService.getCapabilityAccessState(nodeRef, ACCESS_AUDIT_CAPABILITY)))
|| (!AccessStatus.ALLOWED.equals(permissionService.hasPermission(nodeRef, PermissionService.READ)))))
if (nodeRef != null && nodeService.exists(nodeRef))
{
return true;
if ((filePlanService.isFilePlanComponent(nodeRef) &&
!AccessStatus.ALLOWED.equals(
capabilityService.getCapabilityAccessState(nodeRef, ACCESS_AUDIT_CAPABILITY))) ||
(!AccessStatus.ALLOWED.equals(permissionService.hasPermission(nodeRef, PermissionService.READ))))
{
return true;
}
// must have read permission on hold to see hold events
else
{
// get hold names, if any, from event properties
Set<String> holdNames = new HashSet<>(2);
addHoldNameFromProperties(holdNames, beforeProperties);
addHoldNameFromProperties(holdNames, afterProperties);
// check permission for all hold names found in event properties
for (String holdName: holdNames)
{
if (!AccessStatus.ALLOWED.equals(permissionService.hasPermission(getHold(holdName),
PermissionService.READ)))
{
return true;
}
}
}
}
// TODO: Refactor this to use the builder pattern
@@ -1039,6 +1077,33 @@ public class RecordsManagementAuditServiceImpl extends AbstractLifecycleBean
return true;
}
/**
* Helper method to extract the hold name, if any, from the given event properties
* @param holdNames set of hold names
* @param eventProperties event properties
*/
private void addHoldNameFromProperties(Set<String> holdNames, Map<QName, Serializable> eventProperties)
{
String name = eventProperties != null ? (String) eventProperties.get(PROPERTY_HOLD_NAME) : null;
if (name != null)
{
holdNames.add(name);
}
}
/**
* Helper method to get the hold for a given hold name
* @param holdName hold name
* @return node ref of hold
*/
private NodeRef getHold(String holdName)
{
return AuthenticationUtil.runAsSystem(() -> {
NodeRef filePlan = filePlanService.getFilePlanBySiteId(FilePlanService.DEFAULT_RM_SITE_ID);
return holdService.getHold(filePlan, holdName);
});
}
private void writeEntryToFile(RecordsManagementAuditEntry entry)
{
if (writer == null)

12
rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/hold/HoldServiceImpl.java
View File

@@ -43,7 +43,6 @@ import java.util.stream.Stream;
import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.model.ContentModel;
import org.alfresco.module.org_alfresco_module_rm.audit.RecordsManagementAuditService;
import org.alfresco.module.org_alfresco_module_rm.capability.CapabilityService;
import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel;
import org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService;
@@ -119,9 +118,6 @@ public class HoldServiceImpl extends ServiceBaseImpl
/** Permission service */
private PermissionService permissionService;
/** records management audit service */
private RecordsManagementAuditService recordsManagementAuditService;
/** Capability service */
private CapabilityService capabilityService;
@@ -168,14 +164,6 @@ public class HoldServiceImpl extends ServiceBaseImpl
this.permissionService = permissionService;
}
/**
* @param recordsManagementAuditService records management audit service
*/
public void setRecordsManagementAuditService(RecordsManagementAuditService recordsManagementAuditService)
{
this.recordsManagementAuditService = recordsManagementAuditService;
}
/**
* @param capabilityService capability service
*/