inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-08-14 17:58:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merged HEAD-BUG-FIX (4.3/Cloud) to HEAD (4.3/Cloud)

Browse Source 
59121: Merged V4.2-BUG-FIX (4.2.1) to HEAD-BUG-FIX (Cloud/4.3)
      59106: Merged DEV to V4.2-BUG-FIX (4.2.1)
         57540: MNT-9883: Consumer can add document comments via API, bypasses UI security checks
          - Only users with 'AddChildren' permission can start discussions. 
         58305: MNT-9883: Consumer can add document comments via API, bypasses UI security checks
          - Add unit test 


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@62101 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Alan Davis
2014-02-12 01:04:42 +00:00
parent 6abd0b0857
commit 1da4e0056a
2 changed files with 107 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
source/java/org/alfresco/repo/web/scripts/comment/ScriptCommentService.java
View File

@@ -29,10 +29,13 @@ import org.alfresco.repo.jscript.Scopeable;
import org.alfresco.repo.jscript.ScriptNode;
import org.alfresco.repo.policy.BehaviourFilter;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.permissions.AccessDeniedException;
import org.alfresco.service.ServiceRegistry;
import org.alfresco.service.cmr.repository.ChildAssociationRef;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.service.namespace.NamespaceService;
import org.alfresco.service.namespace.QName;
import org.alfresco.service.namespace.RegexQNamePattern;
@@ -51,11 +54,13 @@ public class ScriptCommentService extends BaseScopableProcessorExtension
private ServiceRegistry serviceRegistry;
private NodeService nodeService;
private BehaviourFilter behaviourFilter;
private PermissionService permissionService;
public void setServiceRegistry(ServiceRegistry serviceRegistry)
{
this.serviceRegistry = serviceRegistry;
this.nodeService = serviceRegistry.getNodeService();
this.permissionService = serviceRegistry.getPermissionService();
}
public void setBehaviourFilter(BehaviourFilter behaviourFilter)
@@ -66,7 +71,12 @@ public class ScriptCommentService extends BaseScopableProcessorExtension
public ScriptNode createCommentsFolder(ScriptNode node)
{
final NodeRef nodeRef = node.getNodeRef();
if (permissionService.hasPermission(nodeRef, PermissionService.ADD_CHILDREN) == AccessStatus.DENIED)
{
throw new AccessDeniedException("User '" + AuthenticationUtil.getFullyAuthenticatedUser() + "' doesn't have permission to create discussion on node '" + nodeRef + "'");
}
//Run as system user to allow Contributor create discussions
NodeRef commentsFolder = AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<NodeRef>()
{
public NodeRef doWork() throws Exception