diff --git a/source/java/org/alfresco/rest/api/impl/QuickShareLinksImpl.java b/source/java/org/alfresco/rest/api/impl/QuickShareLinksImpl.java
index 95815b639a..690c3b9cad 100644
--- a/source/java/org/alfresco/rest/api/impl/QuickShareLinksImpl.java
+++ b/source/java/org/alfresco/rest/api/impl/QuickShareLinksImpl.java
@@ -176,13 +176,12 @@ public class QuickShareLinksImpl implements QuickShareLinks, InitializingBean
 Pair pair = quickShareService.getTenantNodeRefFromSharedId(sharedId);
 String networkTenantDomain = pair.getFirst();
- final boolean noAuth = (AuthenticationUtil.getRunAsUser() == null);
-
 return TenantUtil.runAsSystemTenant(new TenantUtil.TenantRunAsWork()
 {
 public QuickShareLink doWork() throws Exception
 {
- return getQuickShareInfo(sharedId, noAuth, parameters.getInclude());
+ // note: assume noAuth here (rather than rely on getRunAsUser which will be null in non-MT)
+ return getQuickShareInfo(sharedId, true, parameters.getInclude());
 }
 }, networkTenantDomain);
 }
@@ -305,8 +304,6 @@ public class QuickShareLinksImpl implements QuickShareLinks, InitializingBean
 List result = new ArrayList<>(nodeIds.size());
- boolean noAuth = (AuthenticationUtil.getRunAsUser() == null);
-
 List includeParam = parameters.getInclude();
 for (QuickShareLink qs : nodeIds)
@@ -334,7 +331,7 @@ public class QuickShareLinksImpl implements QuickShareLinks, InitializingBean
 try
 {
 QuickShareDTO qsDto = quickShareService.shareContent(nodeRef);
- result.add(getQuickShareInfo(qsDto.getId(), noAuth, includeParam));
+ result.add(getQuickShareInfo(qsDto.getId(), false, includeParam));
 }
 catch (InvalidNodeRefException inre)
 {
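Review bot: The literal `true` in `getQuickShareInfo(sharedId, true, parameters.getInclude())` is now the only visible control on what this lookup discloses, because the call sits inside `TenantUtil.runAsSystemTenant` and so appears to run with system rather than caller privileges. The added comment explains why `getRunAsUser` is not consulted, but not that the flag is a redaction switch; I would extend it to `// note: public (noAuth) view - runs as system tenant, so this flag is what keeps userids and allowable operations out of the response`. The enclosing method starts and ends outside the hunk, so any other guard on this path cannot be seen from here.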
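Review bot: Passing `false` in `result.add(getQuickShareInfo(qsDto.getId(), false, includeParam));` assumes every caller of this create path is authenticated, and the runtime check that used to back that up (`AuthenticationUtil.getRunAsUser() == null`) is deleted in the hunk at -305. With `false` the response carries user ids and, when requested, allowable operations, so the assumption should be written next to the call, for example `// note: create always requires an authenticated user, so return the full (auth) view`. The method body starts and ends outside the hunk, so I cannot confirm from here that the endpoint rejects unauthenticated requests.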
@@ -486,7 +483,7 @@ public class QuickShareLinksImpl implements QuickShareLinks, InitializingBean
 Map mapUserInfo = new HashMap<>(2);
- // note: if not authenticated then we do not currently return userids (to be consistent with v0 internal - limited disclosure)
+ // note: if noAuth mode then don't return userids (to limit disclosure and be consistent with v0 internal)
 boolean displayNameOnly = noAuth;
 UserInfo modifiedByUser = Node.lookupUserInfo((String)nodeProps.get(ContentModel.PROP_MODIFIER), mapUserInfo, personService, displayNameOnly);
@@ -495,13 +492,14 @@ public class QuickShareLinksImpl implements QuickShareLinks, InitializingBean
 String sharedByUserId = (String)nodeProps.get(QuickShareModel.PROP_QSHARE_SHAREDBY);
 UserInfo sharedByUser = Node.lookupUserInfo(sharedByUserId, mapUserInfo, personService, displayNameOnly);
- QuickShareLink qs = new QuickShareLink(sharedId, (noAuth ? null : nodeRef.getId()));
+ QuickShareLink qs = new QuickShareLink(sharedId, nodeRef.getId());
 qs.setName((String) map.get("name"));
 qs.setContent(contentInfo);
 qs.setModifiedAt((Date) map.get("modified"));
 qs.setModifiedByUser(modifiedByUser);
 qs.setSharedByUser(sharedByUser);
+ // note: if noAuth mode then do not return allowable operations (eg. but can be optionally returned when finding shared links)
 if ((! noAuth) && includeParam.contains(PARAM_INCLUDE_ALLOWABLEOPERATIONS))
 {
 if (canDeleteSharedLink(nodeRef, sharedByUserId))
diff --git a/source/test-java/org/alfresco/rest/api/tests/SharedLinkApiTest.java b/source/test-java/org/alfresco/rest/api/tests/SharedLinkApiTest.java
index 8926d2a61c..8b9e594ba1 100644
--- a/source/test-java/org/alfresco/rest/api/tests/SharedLinkApiTest.java
+++ b/source/test-java/org/alfresco/rest/api/tests/SharedLinkApiTest.java
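Review bot: `new QuickShareLink(sharedId, nodeRef.getId())` in QuickShareLinksImpl now returns the underlying node id in noAuth mode too, where the old code passed `null`, so the public shared-link lookup hands an internal identifier to unauthenticated callers (the last test hunk pins this with `assertEquals(d1Id, resp.getNodeId())`). The neighbouring comments justify withholding user ids and allowable operations to limit disclosure, yet nothing records why the node id is safe to expose. If the exposure is not needed, keep `(noAuth ? null : nodeRef.getId())`; if it is, add a comment such as `// note: nodeId is returned even in noAuth mode - access to the node itself remains subject to permission checks`, once that has been confirmed. The body of this method continues outside the hunk.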
@@ -208,7 +208,9 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
 String shared2Id = resp.getId();
- // auth access to get shared link info - as user1
+ // currently passing auth should make no difference (irrespective of MT vs non-MY enb)
+
+ // access to get shared link info - pass user1 (but ignore in non-MT)
 Map params = Collections.singletonMap("include", "allowableOperations");
 response = getSingle(QuickShareLinkEntityResource.class, user1, shared1Id, params, 200);
 resp = RestApiUtil.parseRestApiEntry(response.getJsonResponse(), QuickShareLink.class);
@@ -216,13 +218,14 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
 assertEquals(shared1Id, resp.getId());
 assertEquals(fileName1, resp.getName());
 assertEquals(d1Id, resp.getNodeId());
+ assertNull(resp.getAllowableOperations()); // include is ignored
- assertEquals(user1, resp.getModifiedByUser().getId()); // returned if authenticated
- assertEquals(user2, resp.getSharedByUser().getId()); // returned if authenticated
+ assertNull(resp.getModifiedByUser().getId()); // userId not returned
+ assertEquals(user1+" "+user1, resp.getModifiedByUser().getDisplayName());
+ assertNull(resp.getSharedByUser().getId()); // userId not returned
+ assertEquals(user2+" "+user2, resp.getSharedByUser().getDisplayName());
- assertNull(resp.getAllowableOperations());
-
- // auth access to get shared link info - as user2
+ // access to get shared link info - pass user2 (but ignore in non-MT)
 params = Collections.singletonMap("include", "allowableOperations");
 response = getSingle(QuickShareLinkEntityResource.class, user2, shared1Id, params, 200);
 resp = RestApiUtil.parseRestApiEntry(response.getJsonResponse(), QuickShareLink.class);
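Review bot: The added comment `// currently passing auth should make no difference (irrespective of MT vs non-MY enb)` in the hunk at -208 has a typo that obscures which configurations the test is meant to cover; it presumably should read `// currently passing auth should make no difference (irrespective of MT vs non-MT env)`. The two follow-up comments say the user is ignored "in non-MT", which reads as if MT behaves differently, so the MT expectation is worth stating once. The same assertion block is repeated for user1 and user2 in the hunks at -216 and -230 and could become a small helper.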
@@ -230,14 +233,15 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
 assertEquals(shared1Id, resp.getId());
 assertEquals(fileName1, resp.getName());
 assertEquals(d1Id, resp.getNodeId());
+ assertNull(resp.getAllowableOperations()); // include is ignored
- assertEquals(user1, resp.getModifiedByUser().getId()); // returned if authenticated
- assertEquals(user2, resp.getSharedByUser().getId()); // returned if authenticated
+ assertNull(resp.getModifiedByUser().getId()); // userId not returned
+ assertEquals(user1+" "+user1, resp.getModifiedByUser().getDisplayName());
+ assertNull(resp.getSharedByUser().getId()); // userId not returned
+ assertEquals(user2+" "+user2, resp.getSharedByUser().getDisplayName());
- assertEquals(1, resp.getAllowableOperations().size());
- assertEquals("delete", resp.getAllowableOperations().get(0));
- // allowable operations not included
+ // allowable operations not included - no params
 response = getSingle(QuickShareLinkEntityResource.class, user2, shared1Id, null, 200);
 resp = RestApiUtil.parseRestApiEntry(response.getJsonResponse(), QuickShareLink.class);
 assertNull(resp.getAllowableOperations());
@@ -250,7 +254,7 @@ public class SharedLinkApiTest extends AbstractBaseApiTest
 assertEquals(shared1Id, resp.getId());
 assertEquals(fileName1, resp.getName());
- assertNull(resp.getNodeId()); // nodeId not returned
+ assertEquals(d1Id, resp.getNodeId());
 assertNull(resp.getAllowableOperations()); // include is ignored
 assertNull(resp.getModifiedByUser().getId()); // userId not returned
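Review bot: With `assertEquals("delete", resp.getAllowableOperations().get(0));` removed in the hunk at -230, nothing in the visible hunks still asserts that the sharing user ever receives the `delete` allowable operation, so the `(! noAuth) && includeParam.contains(PARAM_INCLUDE_ALLOWABLEOPERATIONS)` branch may now be untested. The production comment says allowable operations can still be returned when finding shared links; unless a test elsewhere already covers that, add one that requests `include=allowableOperations` on that path as the sharing user and expects `delete`. A matching negative assertion for a user who did not share the link would pin the permission check as well as the redaction.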