Added code so that 'start invite' throws Web Script Exception (http Status 'forbidden') when inviter tries to invite someone to a site that he/she is not the Site Manager of (and added supporting code to Invite Service Unit Tests)

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@10841 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-07 17:49:17 +00:00 · 2008-09-07 16:48:42 +00:00
parent 01a5a7edf4
commit 07f84b3914
2 changed files with 91 additions and 47 deletions
--- a/source/java/org/alfresco/repo/web/scripts/invite/Invite.java
+++ b/source/java/org/alfresco/repo/web/scripts/invite/Invite.java
@@ -34,6 +34,7 @@ import org.alfresco.model.ContentModel;
 import org.alfresco.repo.security.authentication.MutableAuthenticationDao;
 import org.alfresco.repo.security.authentication.PasswordGenerator;
 import org.alfresco.repo.security.authentication.UserNameGenerator;
+import org.alfresco.repo.site.SiteModel;
 import org.alfresco.repo.site.SiteService;
 import org.alfresco.repo.workflow.WorkflowModel;
 import org.alfresco.service.cmr.repository.NodeRef;
@@ -495,6 +496,16 @@ public class Invite extends DeclarativeWebScript
        // - odd reason
        String inviterUserName = this.authenticationService.getCurrentUserName();
        
+        // if inviter is not the site manager then throw web script exception
+        String inviterRole = this.siteService.getMembersRole(siteShortName, inviterUserName);
+        if ((inviterRole == null) || (inviterRole.equals(SiteModel.SITE_MANAGER) == false))
+        {
+            throw new WebScriptException(Status.STATUS_FORBIDDEN,
+                    "Cannot proceed with invitation. Inviter with user name : '" + inviterUserName
+                    + "' is not the Site Manager of site: '" + siteShortName + "'. Inviter's role on that site is: '"
+                    + inviterRole + "'");
+        }
+        
        //
        // if a person already exists who has the given invitee email address
        //
--- a/source/java/org/alfresco/repo/web/scripts/invite/InviteServiceTest.java
+++ b/source/java/org/alfresco/repo/web/scripts/invite/InviteServiceTest.java
@@ -80,16 +80,18 @@ public class InviteServiceTest extends BaseWebScriptTest

    private static final String WF_DEFINITION_INVITE = "jbpm$wf:invite";

-    private static final String USER_ADMIN = "admin";
    private static final String USER_INVITER = "InviterUser";
+    private static final String USER_INVITER_2 = "InviterUser2";
    private static final String INVITEE_FIRSTNAME = "InviteeFirstName";
    private static final String INVITEE_LASTNAME = "InviteeLastName";
    private static final String INVITER_EMAIL = "FirstName123.LastName123@email.com";
+    private static final String INVITER_EMAIL_2 = "FirstNameabc.LastNameabc@email.com";
    private static final String INVITEE_EMAIL_DOMAIN = "alfrescotesting.com";
    private static final String INVITEE_EMAIL_PREFIX = "invitee";
    private static final String INVITEE_SITE_ROLE = SiteModel.SITE_COLLABORATOR;
-    private static final String SITE_SHORT_NAME_INVITE_1 = "BananaMilkshakeSite";
-    private static final String SITE_SHORT_NAME_INVITE_2 = "DoubleScoopSite";
+    private static final String SITE_SHORT_NAME_INVITE_1 = "SiteOneInviteTest";
+    private static final String SITE_SHORT_NAME_INVITE_2 = "SiteTwoInviteTest";
+    private static final String SITE_SHORT_NAME_INVITE_3 = "SiteThreeInviteTest";

    private static final String URL_INVITE = "/api/invite";
    private static final String URL_INVITES = "/api/invites";
@@ -103,65 +105,80 @@ public class InviteServiceTest extends BaseWebScriptTest
        super.setUp();

        // get references to services
-        this.authorityService = (AuthorityService) getServer()
-                .getApplicationContext().getBean("AuthorityService");
-        this.authenticationService = (AuthenticationService) getServer()
-                .getApplicationContext().getBean("AuthenticationService");
-        this.authenticationComponent = (AuthenticationComponent) getServer()
-                .getApplicationContext().getBean("AuthenticationComponent");
-        this.personService = (PersonService) getServer()
-                .getApplicationContext().getBean("PersonService");
-        this.siteService = (SiteService) getServer().getApplicationContext()
-                .getBean("siteService");
-        this.nodeService = (NodeService) getServer().getApplicationContext()
-                .getBean("NodeService");
-        this.workflowService = (WorkflowService) getServer()
-                .getApplicationContext().getBean("WorkflowService");
-        this.mutableAuthenticationDao = (MutableAuthenticationDao) getServer()
-                .getApplicationContext().getBean("authenticationDao");
+        this.authorityService = (AuthorityService) getServer().getApplicationContext().getBean("AuthorityService");
+        this.authenticationService = (AuthenticationService) getServer().getApplicationContext()
+                .getBean("AuthenticationService");
+        this.authenticationComponent = (AuthenticationComponent) getServer().getApplicationContext()
+                .getBean("AuthenticationComponent");
+        this.personService = (PersonService) getServer().getApplicationContext().getBean("PersonService");
+        this.siteService = (SiteService) getServer().getApplicationContext().getBean("SiteService");
+        this.nodeService = (NodeService) getServer().getApplicationContext().getBean("NodeService");
+        this.workflowService = (WorkflowService) getServer().getApplicationContext().getBean("WorkflowService");
+        this.mutableAuthenticationDao = (MutableAuthenticationDao) getServer().getApplicationContext()
+                .getBean("authenticationDao");

        // Create new invitee email address list
        this.inviteeEmailAddrs = new ArrayList<String>();

        //
-        // various setup operations which need to be run as 'admin'
+        // various setup operations which need to be run as system user
        //
-        RunAsWork<Object> runAsWork = new RunAsWork<Object>()
+        AuthenticationUtil.runAs(new RunAsWork<Object>()
        {
            public Object doWork() throws Exception
            {
-                // Create inviter
+                // Create inviter person
                createPerson(USER_INVITER, INVITER_EMAIL);
                
-                // Create sites for Inviter to invite Invitee to
-                SiteInfo siteInfo1 = InviteServiceTest.this.siteService
-                                        .getSite(SITE_SHORT_NAME_INVITE_1);
-                if (siteInfo1 == null)
-                {
-                    InviteServiceTest.this.siteService.createSite(
-                            "InviteSitePreset", SITE_SHORT_NAME_INVITE_1,
-                            "InviteSiteTitle", "InviteSiteDescription", true);
+                // Create inviter2 person
+                createPerson(USER_INVITER_2, INVITER_EMAIL_2);
                
-                    InviteServiceTest.this.siteService.setMembership(
-                            SITE_SHORT_NAME_INVITE_1, USER_INVITER, SiteModel.SITE_MANAGER);
+                return null;
+            }
+        }, AuthenticationUtil.getSystemUserName());
+        
+        //
+        // various setup operations which need to be run as inviter user
+        //
+        AuthenticationUtil.runAs(new RunAsWork<Object>()
+        {
+            public Object doWork() throws Exception
+            {
+                // Create first site for Inviter to invite Invitee to
+                SiteInfo siteInfo = siteService.getSite(SITE_SHORT_NAME_INVITE_1);
+                if (siteInfo == null)
+                {
+                    siteService.createSite("InviteSitePreset", SITE_SHORT_NAME_INVITE_1,
+                            "InviteSiteTitle", "InviteSiteDescription", true);
                }
                
-                SiteInfo siteInfo2 = InviteServiceTest.this.siteService
-                                        .getSite(SITE_SHORT_NAME_INVITE_2);
-                if (siteInfo2 == null)
+                // Create second site for inviter to invite invitee to
+                siteInfo = siteService.getSite(SITE_SHORT_NAME_INVITE_2);
+                if (siteInfo == null)
                {
-                    InviteServiceTest.this.siteService.createSite(
-                            "InviteSitePreset", SITE_SHORT_NAME_INVITE_2,
+                    siteService.createSite("InviteSitePreset", SITE_SHORT_NAME_INVITE_2,
                            "InviteSiteTitle", "InviteSiteDescription", true);
+                }

-                    InviteServiceTest.this.siteService.setMembership(
-                            SITE_SHORT_NAME_INVITE_2, USER_INVITER, SiteModel.SITE_MANAGER);
+                // Create third site for inviter to invite invitee to
+                siteInfo = InviteServiceTest.this.siteService.getSite(SITE_SHORT_NAME_INVITE_3);
+                if (siteInfo == null)
+                {
+                    siteService.createSite(
+                        "InviteSitePreset", SITE_SHORT_NAME_INVITE_3,
+                        "InviteSiteTitle", "InviteSiteDescription", true);
+                }
+                
+                // set inviter2's role on third site to collaborator
+                String inviterSiteRole = siteService.getMembersRole(SITE_SHORT_NAME_INVITE_3, USER_INVITER_2);
+                if ((inviterSiteRole == null) || (inviterSiteRole.equals(SiteModel.SITE_COLLABORATOR) == false))
+                {
+                    siteService.setMembership(SITE_SHORT_NAME_INVITE_3, USER_INVITER_2, SiteModel.SITE_COLLABORATOR);
                }

                return null;
            }
-        };
-        AuthenticationUtil.runAs(runAsWork, USER_ADMIN);
+        }, USER_INVITER);

        // Do tests as inviter user
        this.authenticationComponent.setCurrentUser(USER_INVITER);
@@ -210,7 +227,7 @@ public class InviteServiceTest extends BaseWebScriptTest
                return null;
            }
        };
-        AuthenticationUtil.runAs(runAsWork, USER_ADMIN);
+        AuthenticationUtil.runAs(runAsWork, AuthenticationUtil.getSystemUserName());

        // cancel all active invite workflows
        WorkflowDefinition wfDef = InviteServiceTest.this.workflowService
@@ -422,22 +439,30 @@ public class InviteServiceTest extends BaseWebScriptTest
        final String inviteeEmailAddr = INVITEE_EMAIL_PREFIX + randomStr
            + "@" + INVITEE_EMAIL_DOMAIN;
        
+        // create person with invitee user name and invitee email address 
        AuthenticationUtil.runAs(new RunAsWork<Object>()
        {
            public Object doWork() throws Exception
            {
-                // create person with invitee user name and invitee email address 
                createPerson(inviteeUserName, inviteeEmailAddr);
-                
-                // add invitee person to site: SITE_SHORT_NAME_INVITE
-                InviteServiceTest.this.siteService.setMembership(
-                        SITE_SHORT_NAME_INVITE_1, inviteeUserName,
-                        INVITEE_SITE_ROLE);
-                
                return null;
            }
    
-        }, USER_ADMIN);
+        }, AuthenticationUtil.getSystemUserName());
+        
+        // add invitee person to site: SITE_SHORT_NAME_INVITE
+        AuthenticationUtil.runAs(new RunAsWork<Object>()
+        {
+            public Object doWork() throws Exception
+            {
+                
+                InviteServiceTest.this.siteService.setMembership(
+                        SITE_SHORT_NAME_INVITE_1, inviteeUserName,
+                        INVITEE_SITE_ROLE);
+                return null;
+            }
+            
+        }, USER_INVITER);
        
        JSONObject result = startInvite(INVITEE_FIRSTNAME, INVITEE_LASTNAME, inviteeEmailAddr, INVITEE_SITE_ROLE, 
                SITE_SHORT_NAME_INVITE_1, Status.STATUS_CONFLICT);
@@ -631,4 +656,12 @@ public class InviteServiceTest extends BaseWebScriptTest

        assertEquals(siteShortName, inviteJSONObj.getJSONObject("site").get("shortName"));
    }
+    
+    public void testInviteForbiddenWhenInviterNotSiteManager() throws Exception
+    {
+        // inviter2 starts invite workflow, but he/she is not the site manager of the given site
+        AuthenticationUtil.setCurrentUser(USER_INVITER_2);
+        startInvite(INVITEE_FIRSTNAME,
+                INVITEE_LASTNAME, INVITEE_SITE_ROLE, SITE_SHORT_NAME_INVITE_3, Status.STATUS_FORBIDDEN);
+    }
 }