From 151127b342357c19080dd76fc1f22f7ccea9d0cc Mon Sep 17 00:00:00 2001
From: Will Abson
Date: Wed, 25 Jun 2014 16:07:29 +0000
Subject: [PATCH] Merged HEAD-BUG-FIX (5.0/Cloud) to HEAD (4.3/Cloud) 73689: Merged V4.2-BUG-FIX (4.2.3) to HEAD-BUG-FIX (4.3/Cloud) 73592: Merged DEV to V4.2-BUG-FIX 73341 : MNT-11595 : Downgrading permission from Manager to Consumer, user still allowed to create WIKI pages Add the changes - for wiki container we will get site permission. Add unit test.
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@74804 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 .../repo/web/scripts/wiki/WikiPageGet.java | 13 +---
 .../web/scripts/wiki/WikiRestApiTest.java | 66 +++++++++++++++++++
 2 files changed, 68 insertions(+), 11 deletions(-)
diff --git a/source/java/org/alfresco/repo/web/scripts/wiki/WikiPageGet.java b/source/java/org/alfresco/repo/web/scripts/wiki/WikiPageGet.java
index 51bac0612d..ffe3b3af19 100644
--- a/source/java/org/alfresco/repo/web/scripts/wiki/WikiPageGet.java
+++ b/source/java/org/alfresco/repo/web/scripts/wiki/WikiPageGet.java
@@ -67,18 +67,9 @@ public class WikiPageGet extends AbstractWikiWebScript
 status.setMessage(message);
 status.setRedirect(true);
- // Grab the container, used in permissions checking
- NodeRef container = siteService.getContainer(
- site.getShortName(), WikiServiceImpl.WIKI_COMPONENT);
-
- // If there's no container yet, the site will do for permissions
- if (container == null)
- {
- container = site.getNodeRef();
- }
-
+ // MNT-11595 Downgrading permission from Manager to Consumer, user still allowed to create WIKI pages
 // Record these
- model.put("container", container);
+ model.put("container", site.getNodeRef());
 model.put("error", rb.getString(MSG_NOT_FOUND));
 // Bail out
diff --git a/source/test-java/org/alfresco/repo/web/scripts/wiki/WikiRestApiTest.java b/source/test-java/org/alfresco/repo/web/scripts/wiki/WikiRestApiTest.java
index 403044faf9..170ef046d1 100644
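Review bot: The model entry is still keyed `container` but now always carries the site node, so the permission flags in the not-found response no longer take any ACL set on the wiki container itself into account; if a container has its own, tighter permissions the response could advertise `create`/`edit` that the repository would then refuse. The added comment only repeats the ticket title; a why-comment such as `// MNT-11595: evaluate permissions on the site node, not the wiki container, so a role downgrade is reflected` would tell the next reader what the line is for. This hunk changes what the GET response reports, not what a write is allowed to do, so the check that actually rejects page creation by a Consumer sits outside this diff and should be confirmed separately. The enclosing method starts and ends outside the hunk.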
--- a/source/test-java/org/alfresco/repo/web/scripts/wiki/WikiRestApiTest.java
+++ b/source/test-java/org/alfresco/repo/web/scripts/wiki/WikiRestApiTest.java
@@ -34,6 +34,7 @@ import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.security.MutableAuthenticationService;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.cmr.site.SiteInfo;
+import org.alfresco.service.cmr.site.SiteRole;
 import org.alfresco.service.cmr.site.SiteService;
 import org.alfresco.service.cmr.site.SiteVisibility;
 import org.alfresco.service.cmr.wiki.WikiPageInfo;
@@ -910,4 +911,69 @@ public class WikiRestApiTest extends BaseWebScriptTest
 sendRequest(new GetRequest(URL_WIKI_LIST), Status.STATUS_NOT_FOUND);
 }
+
+ public void test_MNT11595() throws Exception
+ {
+ final String user = "wikiUser";
+
+ try
+ {
+ // admin authentication
+ this.authenticationComponent.setCurrentUser(AuthenticationUtil.getAdminUserName());
+
+ MutableAuthenticationService mas = (MutableAuthenticationService) getServer().getApplicationContext().getBean("authenticationService");
+
+ // create user
+ createUser(user, SiteModel.SITE_MANAGER);
+
+ assertTrue(personService.personExists(user));
+
+ // invite user to a site with 'Manager' role
+ siteService.setMembership(SITE_SHORT_NAME_WIKI, user, SiteRole.SiteManager.toString());
+
+ // user authentication
+ this.authenticationComponent.setCurrentUser(user);
+
+ // create wiki page by user ('Manager' role)
+ WikiPageInfo wikiPage = this.wikiService.createWikiPage(SITE_SHORT_NAME_WIKI, "test wiki page",
+ "I like pigs. Dogs look up to us. Cats look down on us. Pigs treat us as equals. 
Sir Winston Churchill");
+
+ String uri = "/slingshot/wiki/page/" + SITE_SHORT_NAME_WIKI + "/Main_Page?alf_ticket=" + mas.getCurrentTicket() + "application/json";
+
+ Response responseManagerRole = sendRequest(new GetRequest(uri), 404);
+ JSONObject resultManagerRole = new JSONObject(responseManagerRole.getContentAsString());
+ JSONObject permissionsManagerRole = resultManagerRole.getJSONObject("permissions");
+ assertTrue(permissionsManagerRole.getBoolean("create"));
+ assertTrue(permissionsManagerRole.getBoolean("edit"));
+
+ // admin authentication
+ this.authenticationComponent.setCurrentUser(AuthenticationUtil.getAdminUserName());
+
+ // change user role - 'Consumer' role
+ siteService.setMembership(SITE_SHORT_NAME_WIKI, user, SiteRole.SiteConsumer.toString());
+
+ // user authentication
+ this.authenticationComponent.setCurrentUser(user);
+
+ Response responseConsumerRole = sendRequest(new GetRequest(uri), 404);
+ JSONObject resultConsumerRole = new JSONObject(responseConsumerRole.getContentAsString());
+ JSONObject permissionsConsumerRole = resultConsumerRole.getJSONObject("permissions");
+ assertFalse(permissionsConsumerRole.getBoolean("create"));
+ assertFalse(permissionsConsumerRole.getBoolean("edit"));
+ }
+ finally
+ {
+ this.authenticationComponent.setCurrentUser(AuthenticationUtil.getAdminUserName());
+
+ if (personService.personExists(user))
+ {
+ personService.deletePerson(user);
+ }
+
+ if (this.authenticationService.authenticationExists(user))
+ {
+ this.authenticationService.deleteAuthentication(user);
+ }
+ }
+ }
 }
\ No newline at end of file
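Review bot: In the `String uri = ...` line the literal `"application/json"` is appended straight onto `mas.getCurrentTicket()` with no `&name=` separator, so the `alf_ticket` value sent is not the ticket that was issued and the request is presumably authenticated only through `authenticationComponent.setCurrentUser`; either end the line at `mas.getCurrentTicket();` or, if a format argument was meant, append it as its own parameter. The test asserts only the `create`/`edit` flags in the 404 body, so it would still pass if a Consumer could in fact create a page; adding a create attempt as the downgraded user that is expected to be rejected would cover the behaviour the ticket describes. `wikiPage` is never read and the created page is not removed in `finally`; if the page exists only to force creation of the wiki container, a comment saying so would help. For consistency with the context line above, `Status.STATUS_NOT_FOUND` could replace the bare `404`.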