From 058d52387fd69847f1ca9ec1997bd900e134033f Mon Sep 17 00:00:00 2001
From: Jamal Kaabi-Mofrad
Date: Thu, 2 Jun 2016 21:26:40 +0000
Subject: [PATCH] Merged API-STRIKES-BACK (5.2.0) to HEAD (5.2) 125609 jvonka: RA-952: If relative path cannot be resolved due to a permissionn error, return 404 (rather than 403) - when listing children or getting node info git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@127557 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 source/java/org/alfresco/rest/api/impl/NodesImpl.java | 5 +++++
 .../org/alfresco/rest/api/tests/NodeApiTest.java | 8 ++++----
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/source/java/org/alfresco/rest/api/impl/NodesImpl.java b/source/java/org/alfresco/rest/api/impl/NodesImpl.java
index 13f66f9749..a2c94de9b9 100644
--- a/source/java/org/alfresco/rest/api/impl/NodesImpl.java
+++ b/source/java/org/alfresco/rest/api/impl/NodesImpl.java
@@ -685,6 +685,11 @@ public class NodesImpl implements Nodes
 // convert checked exception
 throw new NotFoundException("The entity with relativePath: " + path + " was not found.");
 }
+ catch (AccessDeniedException ade)
+ {
+ // return 404 instead of 403 (as per security review - uuid vs path)
+ throw new NotFoundException("The entity with relativePath: " + path + " was not found.");
+ }
 return fileInfo.getNodeRef();
 }
diff --git a/source/test-java/org/alfresco/rest/api/tests/NodeApiTest.java b/source/test-java/org/alfresco/rest/api/tests/NodeApiTest.java
index a69b918aee..ba20dda18f 100644
--- a/source/test-java/org/alfresco/rest/api/tests/NodeApiTest.java
+++ b/source/test-java/org/alfresco/rest/api/tests/NodeApiTest.java
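Review bot: The new catch block repeats the not-found message literal from the catch directly above it, and the 404-for-403 masking only holds while the two strings stay byte-identical; hoist it once before the `try` (which starts outside the hunk), e.g. `String notFoundMsg = "The entity with relativePath: " + path + " was not found.";` and `throw new NotFoundException(notFoundMsg);` in both handlers. The caught `ade` is otherwise discarded, so the server-side record that a path lookup was refused for permission reasons disappears together with the 403; a debug-level log entry in the new handler would keep the event observable for audit while leaving the client response unchanged — assuming NodesImpl has a logger in scope, which the hunk does not show. Also confirm that the imported `AccessDeniedException` is the type actually raised by the resolution call inside the `try`, since the import is outside the hunk and more than one common class carries that simple name.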
@@ -529,9 +529,9 @@ public class NodeApiTest extends AbstractBaseApiTest
 params = Collections.singletonMap(Nodes.PARAM_RELATIVE_PATH, "User Homes/" + user1 + "/unknown");
 getAll(rootChildrenUrl, user1, paging, params, 404);
- // -ve test - try to list children using relative path to node for which user does not have read permission
+ // -ve test - try to list children using relative path to node for which user does not have read permission (expect 404 instead of 403)
 params = Collections.singletonMap(Nodes.PARAM_RELATIVE_PATH, "User Homes/" + user2);
- getAll(rootChildrenUrl, user1, paging, params, 403);
+ getAll(rootChildrenUrl, user1, paging, params, 404);
 // -ve test - try to list children using relative path to node that is of wrong type (ie. not a folder/container)
 params = Collections.singletonMap(Nodes.PARAM_RELATIVE_PATH, folder1 + "/" + contentF1);
@@ -749,9 +749,9 @@ public class NodeApiTest extends AbstractBaseApiTest
 params = Collections.singletonMap(Nodes.PARAM_RELATIVE_PATH, folderA+"/unknown");
 getSingle(NodesEntityResource.class, user1, Nodes.PATH_MY, params, 404);
- // -ve test - try to get node info using relative path to node for which user does not have read permission
+ // -ve test - try to get node info using relative path to node for which user does not have read permission (expect 404 instead of 403)
 params = Collections.singletonMap(Nodes.PARAM_RELATIVE_PATH, "User Homes/"+user2);
- getSingle(NodesEntityResource.class, user1, Nodes.PATH_ROOT, params, 403);
+ getSingle(NodesEntityResource.class, user1, Nodes.PATH_ROOT, params, 404);
 // -ve test - attempt to get node info for non-folder node with relative path should return 400
 params = Collections.singletonMap(Nodes.PARAM_RELATIVE_PATH, "/unknown");
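Review bot: The updated assertion `getAll(rootChildrenUrl, user1, paging, params, 404);` checks only the status code, as does its counterpart `getSingle(NodesEntityResource.class, user1, Nodes.PATH_ROOT, params, 404);` in the -749 hunk, so a later divergence in the error body between the "unknown path" and "no read permission" cases would still pass both tests. Since the purpose of the change is to make those two outcomes indistinguishable to the caller, it would be worth also asserting that the two 404 responses carry the same error message — if `getAll`/`getSingle` return the response, which is not visible here. The enclosing test methods start and end outside both hunks.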