Added check for filling permission on destination record folder

2025-07-31 17:39:05 +00:00 · 2019-05-20 17:02:05 +03:00
parent a6fb2f1cbc
commit 189f250ec7
2 changed files with 71 additions and 29 deletions
--- a/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/record/RecordServiceImpl.java
+++ b/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/record/RecordServiceImpl.java
@@ -886,7 +886,7 @@ public class RecordServiceImpl extends BaseBehaviourBean
        ParameterCheck.mandatory("isLinked", isLinked);

        recordCreationSanityCheckOnNode(nodeRef);
-        final NodeRef checkedFilePlan = recordCreationSanityCheckOnFilePlan(filePlan);
+        final NodeRef newRecordContainer = recordCreationSanityCheckOnDestinationNode(destinationNodeRef, filePlan);

        invokeBeforeRecordDeclaration(nodeRef);
        // do the work of creating the record as the system user
@@ -901,34 +901,6 @@ public class RecordServiceImpl extends BaseBehaviourBean
                    ruleService.disableRuleType("outbound");
                    try
                    {
-                        NodeRef newRecordContainer = destinationNodeRef;
-                        // if optional location not specified, use the unfiledContainer
-                        if (newRecordContainer == null)
-                        {
-                            // get the new record container for the file plan
-                            newRecordContainer = filePlanService.getUnfiledContainer(checkedFilePlan);
-                            if (newRecordContainer == null)
-                            {
-                                throw new AlfrescoRuntimeException("Unable to create record, because record container could not be found.");
-                            }
-                        }
-                        // if optional location supplied, check that it is a valid record folder
-                        else
-                        {
-                            QName nodeType = nodeService.getType(newRecordContainer);
-                            if(!(nodeType.equals(RecordsManagementModel.TYPE_RECORD_FOLDER) ||
-                                        nodeType.equals(RecordsManagementModel.TYPE_UNFILED_RECORD_FOLDER)))
-                            {
-                                throw new AlfrescoRuntimeException("Unable to create record, because container is not a valid type for new record.");
-                            }
-
-                            Boolean isClosed = (Boolean) nodeService.getProperty(newRecordContainer, PROP_IS_CLOSED);
-                            if (isClosed != null && isClosed)
-                            {
-                                throw new AlfrescoRuntimeException("Unable to create record, because container is closed.");
-                            }
-                        }
-
                        // get the documents readers and writers
                        Pair<Set<String>, Set<String>> readersAndWriters = extendedPermissionService.getReadersAndWriters(nodeRef);

@@ -1051,6 +1023,59 @@ public class RecordServiceImpl extends BaseBehaviourBean
        return result;
    }

+    /**
+     * Helper method to check the given destination before trying to declare a record in it.
+     *
+     * @param destinationNodeRef The reference of the container in which the record will be created
+     * @param filePlan           The reference of the file plan node
+     */
+    private NodeRef recordCreationSanityCheckOnDestinationNode(NodeRef destinationNodeRef, final NodeRef filePlan)
+    {
+        final NodeRef checkedFilePlan = recordCreationSanityCheckOnFilePlan(filePlan);
+        NodeRef newRecordContainer = destinationNodeRef;
+        // if optional location not specified, use the unfiledContainer
+        if (newRecordContainer == null)
+        {
+            // get the new record container for the file plan
+            newRecordContainer = AuthenticationUtil.runAs(new RunAsWork<NodeRef>()
+            {
+                @Override
+                public NodeRef doWork()
+                {
+                    return filePlanService.getUnfiledContainer(checkedFilePlan);
+                }
+            }, AuthenticationUtil.getAdminUserName());
+
+            if (newRecordContainer == null)
+            {
+                throw new AlfrescoRuntimeException("Unable to create record, because record container could not be found.");
+            }
+        }
+        // if optional location supplied, check that it is a valid record folder
+        else
+        {
+            QName nodeType = nodeService.getType(newRecordContainer);
+            if(!(nodeType.equals(RecordsManagementModel.TYPE_RECORD_FOLDER) ||
+                        nodeType.equals(RecordsManagementModel.TYPE_UNFILED_RECORD_FOLDER)))
+            {
+                throw new AlfrescoRuntimeException("Unable to create record, because container is not a valid type for new record.");
+            }
+
+            Boolean isClosed = (Boolean) nodeService.getProperty(newRecordContainer, PROP_IS_CLOSED);
+            if (isClosed != null && isClosed)
+            {
+                throw new AlfrescoRuntimeException("Unable to create record, because container is closed.");
+            }
+
+            if (extendedPermissionService.hasPermission(newRecordContainer, RMPermissionModel.FILING) == AccessStatus.DENIED)
+            {
+                throw new AccessDeniedException(I18NUtil.getMessage("permissions.err_access_denied"));
+            }
+        }
+
+        return newRecordContainer;
+    }
+
    /**
     * Helper method to check the given node before trying to declare it as record
     *