RM Move Capabilities:
* Added Record Folder, Record Category and composite Move capabilities (all private and based on existing capabilities) * Added RM UI actions for record, folder and category move wired up to new capabilities .. this means the UI actions correctly reflect the capabilities of the user * Unit tests * Started to move the capability spring def's into logically separate files * Rewrote original RecordsMove capability (replaced with spring config) * Added TargetCapability configuration to declarative capability implementation .. provides a way to evaluate capability when a target node reference is being taken into consideration * Added title and description to declarative capability (for future use) * Removed unwanted 'old' doclib overrides (were confusing the issue) * Clean up the security service which was duplicating methods now found on the capability service * Remove capability set support ... old work around used before updated evaluators were used * Fixes RM-203, RM-328, RM-165, RM-204 (and possibly some others I've yet to find!) git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.0@36338 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
@@ -20,6 +20,7 @@ package org.alfresco.module.org_alfresco_module_rm;
|
||||
|
||||
import org.alfresco.module.org_alfresco_module_rm.action.RecordsManagementActionService;
|
||||
import org.alfresco.module.org_alfresco_module_rm.audit.RecordsManagementAuditService;
|
||||
import org.alfresco.module.org_alfresco_module_rm.capability.CapabilityService;
|
||||
import org.alfresco.module.org_alfresco_module_rm.disposition.DispositionService;
|
||||
import org.alfresco.module.org_alfresco_module_rm.event.RecordsManagementEventService;
|
||||
import org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService;
|
||||
@@ -43,6 +44,7 @@ public interface RecordsManagementServiceRegistry extends ServiceRegistry
|
||||
static final QName RECORDS_MANAGEMENT_EVENT_SERVICE = QName.createQName(NamespaceService.ALFRESCO_URI, "RecordsManagementEventService");
|
||||
static final QName RECORDS_MANAGEMENT_SECURITY_SERVICE = QName.createQName(NamespaceService.ALFRESCO_URI, "RecordsManagementSecurityService");
|
||||
static final QName RECORDS_MANAGEMENT_AUDIT_SERVICE = QName.createQName(NamespaceService.ALFRESCO_URI, "RecordsManagementAuditService");
|
||||
static final QName CAPABILITY_SERVICE = QName.createQName(NamespaceService.ALFRESCO_URI, "CapabilityService");
|
||||
|
||||
/**
|
||||
* @return records management service
|
||||
@@ -85,4 +87,10 @@ public interface RecordsManagementServiceRegistry extends ServiceRegistry
|
||||
*/
|
||||
@NotAuditable
|
||||
RecordsManagementAuditService getRecordsManagementAuditService();
|
||||
|
||||
/**
|
||||
* @return capability service
|
||||
*/
|
||||
@NotAuditable
|
||||
CapabilityService getCapabilityService();
|
||||
}
|
||||
|
@@ -20,6 +20,7 @@ package org.alfresco.module.org_alfresco_module_rm;
|
||||
|
||||
import org.alfresco.module.org_alfresco_module_rm.action.RecordsManagementActionService;
|
||||
import org.alfresco.module.org_alfresco_module_rm.audit.RecordsManagementAuditService;
|
||||
import org.alfresco.module.org_alfresco_module_rm.capability.CapabilityService;
|
||||
import org.alfresco.module.org_alfresco_module_rm.disposition.DispositionService;
|
||||
import org.alfresco.module.org_alfresco_module_rm.event.RecordsManagementEventService;
|
||||
import org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService;
|
||||
@@ -89,4 +90,13 @@ public class RecordsManagementServiceRegistryImpl extends ServiceDescriptorRegis
|
||||
{
|
||||
return (DispositionService)getService(DISPOSITION_SERVICE);
|
||||
}
|
||||
|
||||
/**
|
||||
* @see org.alfresco.module.org_alfresco_module_rm.RecordsManagementServiceRegistry#getCapabilityService()
|
||||
*/
|
||||
@Override
|
||||
public CapabilityService getCapabilityService()
|
||||
{
|
||||
return (CapabilityService)getService(CAPABILITY_SERVICE);
|
||||
}
|
||||
}
|
||||
|
@@ -29,6 +29,7 @@ import org.alfresco.service.cmr.repository.NodeRef;
|
||||
import org.alfresco.service.cmr.security.AccessStatus;
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import org.springframework.extensions.surf.util.I18NUtil;
|
||||
|
||||
/**
|
||||
* Abstract capability implementation.
|
||||
@@ -52,6 +53,10 @@ public abstract class AbstractCapability extends RMSecurityCommon
|
||||
/** Capability name */
|
||||
protected String name;
|
||||
|
||||
/** Capability title and description */
|
||||
protected String title;
|
||||
protected String description;
|
||||
|
||||
/** Indicates whether this is a private capability or not */
|
||||
protected boolean isPrivate = false;
|
||||
|
||||
@@ -114,6 +119,56 @@ public abstract class AbstractCapability extends RMSecurityCommon
|
||||
{
|
||||
return name;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param title capability title
|
||||
*/
|
||||
public void setTitle(String title)
|
||||
{
|
||||
this.title = title;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param titleId message id
|
||||
*/
|
||||
public void setTitleId(String titleId)
|
||||
{
|
||||
this.title = I18NUtil.getMessage(titleId);
|
||||
}
|
||||
|
||||
/**
|
||||
* @see org.alfresco.module.org_alfresco_module_rm.capability.Capability#getTitle()
|
||||
*/
|
||||
@Override
|
||||
public String getTitle()
|
||||
{
|
||||
return title;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param description capability description
|
||||
*/
|
||||
public void setDescription(String description)
|
||||
{
|
||||
this.description = description;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param descriptionId message id
|
||||
*/
|
||||
public void setDescriptionId(String descriptionId)
|
||||
{
|
||||
this.description = I18NUtil.getMessage(descriptionId);
|
||||
}
|
||||
|
||||
/**
|
||||
* @see org.alfresco.module.org_alfresco_module_rm.capability.Capability#getDescription()
|
||||
*/
|
||||
@Override
|
||||
public String getDescription()
|
||||
{
|
||||
return description;
|
||||
}
|
||||
|
||||
/**
|
||||
* @see org.alfresco.module.org_alfresco_module_rm.capability.Capability#isPrivate()
|
||||
@@ -183,11 +238,22 @@ public abstract class AbstractCapability extends RMSecurityCommon
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @see org.alfresco.module.org_alfresco_module_rm.capability.Capability#hasPermission(org.alfresco.service.cmr.repository.NodeRef)
|
||||
*/
|
||||
public AccessStatus hasPermission(NodeRef nodeRef)
|
||||
{
|
||||
return translate(hasPermissionRaw(nodeRef));
|
||||
}
|
||||
|
||||
/**
|
||||
* Determines whether the current user has permission on this capability.
|
||||
* <p>
|
||||
* Returns the raw permission value.
|
||||
*
|
||||
* @param nodeRef node reference
|
||||
* @return raw permission value
|
||||
*/
|
||||
public int hasPermissionRaw(NodeRef nodeRef)
|
||||
{
|
||||
String prefix = "hasPermissionRaw" + getName();
|
||||
@@ -232,16 +298,25 @@ public abstract class AbstractCapability extends RMSecurityCommon
|
||||
return AccessDecisionVoter.ACCESS_ABSTAIN;
|
||||
}
|
||||
|
||||
/**
|
||||
* @see org.alfresco.module.org_alfresco_module_rm.capability.Capability#getActionNames()
|
||||
*/
|
||||
public List<String> getActionNames()
|
||||
{
|
||||
return actionNames;
|
||||
}
|
||||
|
||||
/**
|
||||
* @see org.alfresco.module.org_alfresco_module_rm.capability.Capability#getActions()
|
||||
*/
|
||||
public List<RecordsManagementAction> getActions()
|
||||
{
|
||||
return actions;
|
||||
}
|
||||
|
||||
/**
|
||||
* @see java.lang.Object#hashCode()
|
||||
*/
|
||||
@Override
|
||||
public int hashCode()
|
||||
{
|
||||
@@ -251,6 +326,9 @@ public abstract class AbstractCapability extends RMSecurityCommon
|
||||
return result;
|
||||
}
|
||||
|
||||
/**
|
||||
* @see java.lang.Object#equals(java.lang.Object)
|
||||
*/
|
||||
@Override
|
||||
public boolean equals(Object obj)
|
||||
{
|
||||
|
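Review bot: `setTitleId` and `setDescriptionId` call `I18NUtil.getMessage(...)` inside the setter, so the text is resolved once, presumably when the bean is wired, in whatever locale is current at that moment, and `getTitle()`/`getDescription()` then hand that one string to every user. Keeping the message id in a field and resolving it in the getter would keep the text locale-aware, e.g. `this.titleId = titleId;` in the setter and `return (titleId != null) ? I18NUtil.getMessage(titleId) : title;` in `getTitle()`, and likewise for the description. If `I18NUtil.getMessage` returns null for an unknown id (worth confirming), the current setters also silently leave the capability without a title. The one-line Javadoc `@param titleId message id` should say which of `setTitle`/`setTitleId` wins when both are configured.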
@@ -28,6 +28,7 @@ import org.alfresco.service.cmr.security.AccessStatus;
|
||||
* Capability Interface.
|
||||
*
|
||||
* @author andyh
|
||||
* @author Roy Wetherall
|
||||
*/
|
||||
public interface Capability
|
||||
{
|
||||
@@ -54,10 +55,11 @@ public interface Capability
|
||||
int evaluate(NodeRef nodeRef);
|
||||
|
||||
/**
|
||||
* Evaluates the capability, taking into account a target.
|
||||
*
|
||||
* @param source
|
||||
* @param target
|
||||
* @return
|
||||
* @param source source node reference
|
||||
* @param target target node reference
|
||||
* @return int permission value
|
||||
*/
|
||||
int evaluate(NodeRef source, NodeRef target);
|
||||
|
||||
@@ -65,16 +67,31 @@ public interface Capability
|
||||
* Indicates whether this is a private capability or not. Private capabilities are used internally, otherwise
|
||||
* they are made available to the user to assign to roles.
|
||||
*
|
||||
* @return
|
||||
* @return boolean true if private, false otherwise
|
||||
*/
|
||||
boolean isPrivate();
|
||||
|
||||
/**
|
||||
* Get the name of the capability
|
||||
* @return
|
||||
*
|
||||
* @return String capability name
|
||||
*/
|
||||
String getName();
|
||||
|
||||
/**
|
||||
* Get the title of the capability
|
||||
*
|
||||
* @return String capability title
|
||||
*/
|
||||
String getTitle();
|
||||
|
||||
/**
|
||||
* Get the description of the capability
|
||||
*
|
||||
* @return String capability description
|
||||
*/
|
||||
String getDescription();
|
||||
|
||||
/**
|
||||
* Get the name of optional actions tied to this capability
|
||||
* @return
|
||||
|
@@ -54,6 +54,13 @@ public interface CapabilityService
|
||||
*/
|
||||
Set<Capability> getCapabilities();
|
||||
|
||||
/**
|
||||
*
|
||||
* @param includePrivate
|
||||
* @return
|
||||
*/
|
||||
Set<Capability> getCapabilities(boolean includePrivate);
|
||||
|
||||
/**
|
||||
*
|
||||
* @param nodeRef
|
||||
|
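Review bot: The Javadoc added for `getCapabilities(boolean includePrivate)` is empty, so the interface does not say what the flag selects. Going by the implementation in this commit, `@param includePrivate true to include private capabilities, false to return only non-private ones` and `@return set of matching capabilities, never null` would cover it. The no-argument `getCapabilities()` now delegates with `true`, so its Javadoc should state that private capabilities are included; callers that list capabilities for role assignment probably want the `false` variant.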
@@ -60,7 +60,33 @@ public class CapabilityServiceImpl implements CapabilityService
|
||||
@Override
|
||||
public Set<Capability> getCapabilities()
|
||||
{
|
||||
return new HashSet<Capability>(capabilities.values());
|
||||
return getCapabilities(true);
|
||||
}
|
||||
|
||||
/**
|
||||
* @see org.alfresco.module.org_alfresco_module_rm.capability.CapabilityService#getCapabilities(boolean)
|
||||
*/
|
||||
@Override
|
||||
public Set<Capability> getCapabilities(boolean includePrivate)
|
||||
{
|
||||
Set<Capability> result = null;
|
||||
if (includePrivate == true)
|
||||
{
|
||||
result = new HashSet<Capability>(capabilities.values());
|
||||
}
|
||||
else
|
||||
{
|
||||
result = new HashSet<Capability>(capabilities.size());
|
||||
for (Capability capability : capabilities.values())
|
||||
{
|
||||
if (capability.isPrivate() == false)
|
||||
{
|
||||
result.add(capability);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return result;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@@ -38,7 +38,6 @@ import net.sf.acegisecurity.vote.AccessDecisionVoter;
|
||||
import org.alfresco.module.org_alfresco_module_rm.RecordsManagementService;
|
||||
import org.alfresco.module.org_alfresco_module_rm.action.RecordsManagementAction;
|
||||
import org.alfresco.module.org_alfresco_module_rm.capability.impl.CreateCapability;
|
||||
import org.alfresco.module.org_alfresco_module_rm.capability.impl.MoveRecordsCapability;
|
||||
import org.alfresco.module.org_alfresco_module_rm.capability.impl.UpdateCapability;
|
||||
import org.alfresco.module.org_alfresco_module_rm.capability.impl.UpdatePropertiesCapability;
|
||||
import org.alfresco.module.org_alfresco_module_rm.caveat.RMCaveatConfigComponent;
|
||||
@@ -880,7 +879,7 @@ public class RMEntryVoter extends RMSecurityCommon
|
||||
|
||||
if ((movee != null) && (destination != null))
|
||||
{
|
||||
return ((MoveRecordsCapability)capabilityService.getCapability(RMPermissionModel.MOVE_RECORDS)).evaluate(movee, destination);
|
||||
return capabilityService.getCapability("Move").evaluate(movee, destination);
|
||||
}
|
||||
else
|
||||
{
|
||||
|
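Review bot: The lookup `capabilityService.getCapability("Move")` swaps a model constant for a string literal and dereferences the result without a null check, so a renamed or unregistered "Move" bean surfaces as a NullPointerException inside the voter instead of as a vote (other code in this commit treats a null return from `getCapability` as possible). A named constant plus an explicit fail-closed branch would be safer, e.g. `Capability move = capabilityService.getCapability(MOVE_CAPABILITY);` followed by `if (move == null) { return AccessDecisionVoter.ACCESS_DENIED; }`, where `MOVE_CAPABILITY` is a placeholder name. The removed `MoveRecordsCapability` returned `ACCESS_DENIED` whenever its checks failed, and the replacement is configured outside this page, so a test that a refused move still yields `ACCESS_DENIED` and not `ACCESS_ABSTAIN` is worth adding. The enclosing method starts and ends outside the hunk.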
@@ -52,14 +52,47 @@ public class CompositeCapability extends DeclarativeCapability
|
||||
for (Capability capability : capabilities)
|
||||
{
|
||||
int capabilityResult = capability.evaluate(nodeRef);
|
||||
if (capabilityResult == AccessDecisionVoter.ACCESS_GRANTED)
|
||||
if (capabilityResult != AccessDecisionVoter.ACCESS_DENIED)
|
||||
{
|
||||
result = AccessDecisionVoter.ACCESS_GRANTED;
|
||||
result = AccessDecisionVoter.ACCESS_ABSTAIN;
|
||||
if (isUndetermined() == false && capabilityResult == AccessDecisionVoter.ACCESS_GRANTED)
|
||||
{
|
||||
result = AccessDecisionVoter.ACCESS_GRANTED;
|
||||
}
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
return result;
|
||||
}
|
||||
|
||||
|
||||
@Override
|
||||
public int evaluate(NodeRef source, NodeRef target)
|
||||
{
|
||||
int result = AccessDecisionVoter.ACCESS_ABSTAIN;
|
||||
|
||||
if (targetCapability != null)
|
||||
{
|
||||
result = super.evaluate(source, target);
|
||||
}
|
||||
else
|
||||
{
|
||||
// Check each capability using 'OR' logic
|
||||
for (Capability capability : capabilities)
|
||||
{
|
||||
int capabilityResult = capability.evaluate(source, target);
|
||||
if (capabilityResult != AccessDecisionVoter.ACCESS_DENIED)
|
||||
{
|
||||
result = AccessDecisionVoter.ACCESS_ABSTAIN;
|
||||
if (isUndetermined() == false && capabilityResult == AccessDecisionVoter.ACCESS_GRANTED)
|
||||
{
|
||||
result = AccessDecisionVoter.ACCESS_GRANTED;
|
||||
}
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return result;
|
||||
}
|
||||
}
|
||||
|
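Review bot: In the new `evaluate(NodeRef source, NodeRef target)`, `result` starts as `ACCESS_ABSTAIN` and the loop only assigns it when a child is not `ACCESS_DENIED`, so a composite whose children all deny returns `ACCESS_ABSTAIN` instead of `ACCESS_DENIED`. The loop also breaks on the first child that abstains, which makes the outcome depend on child order: an abstaining child listed before a granting one hides the grant. The same loop shape is used in the single-node `evaluate(NodeRef)` above it, whose start and initial `result` are outside the hunk. Because `RMEntryVoter` returns the "Move" capability's value directly and the commit message describes Move as a composite, I would make the no-target branch fail closed and stop early only on a grant, as sketched below; how an abstain is treated by the access decision manager is configured outside this page.

```java
// … unchanged: targetCapability != null branch delegates to super.evaluate(source, target) …
else
{
    // 'OR' logic, failing closed: deny unless some child grants or abstains
    result = AccessDecisionVoter.ACCESS_DENIED;
    for (Capability capability : capabilities)
    {
        int capabilityResult = capability.evaluate(source, target);
        if (capabilityResult == AccessDecisionVoter.ACCESS_GRANTED)
        {
            result = isUndetermined() ? AccessDecisionVoter.ACCESS_ABSTAIN : AccessDecisionVoter.ACCESS_GRANTED;
            break;
        }
        if (capabilityResult == AccessDecisionVoter.ACCESS_ABSTAIN)
        {
            // remember the abstain, but keep looking for a child that grants
            result = AccessDecisionVoter.ACCESS_ABSTAIN;
        }
    }
}
```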
@@ -19,6 +19,7 @@
|
||||
package org.alfresco.module.org_alfresco_module_rm.capability.declarative;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
@@ -27,6 +28,7 @@ import net.sf.acegisecurity.vote.AccessDecisionVoter;
|
||||
import org.alfresco.error.AlfrescoRuntimeException;
|
||||
import org.alfresco.module.org_alfresco_module_rm.FilePlanComponentKind;
|
||||
import org.alfresco.module.org_alfresco_module_rm.capability.AbstractCapability;
|
||||
import org.alfresco.module.org_alfresco_module_rm.capability.Capability;
|
||||
import org.alfresco.service.cmr.repository.NodeRef;
|
||||
import org.alfresco.service.cmr.security.AccessStatus;
|
||||
import org.springframework.beans.BeansException;
|
||||
@@ -38,19 +40,26 @@ import org.springframework.context.ApplicationContextAware;
|
||||
*
|
||||
* @author Roy Wetherall
|
||||
*/
|
||||
public class DeclarativeCapability extends AbstractCapability implements ApplicationContextAware
|
||||
public class DeclarativeCapability extends AbstractCapability
|
||||
implements ApplicationContextAware
|
||||
{
|
||||
/** Application Context */
|
||||
protected ApplicationContext applicationContext;
|
||||
|
||||
/** Required permissions */
|
||||
private List<String> permissions;
|
||||
protected List<String> permissions;
|
||||
|
||||
/** Map of conditions and expected evaluation result */
|
||||
private Map<String, Boolean> conditions;
|
||||
protected Map<String, Boolean> conditions;
|
||||
|
||||
/** List of file plan component kinds one of which must be satisfied */
|
||||
private List<String> kinds;
|
||||
protected List<String> kinds;
|
||||
|
||||
/** Capability to be evaluated against the target node reference */
|
||||
protected Capability targetCapability;
|
||||
|
||||
/** Indicates whether to return an undetermined result */
|
||||
protected boolean isUndetermined = false;
|
||||
|
||||
@Override
|
||||
public void setApplicationContext(ApplicationContext applicationContext) throws BeansException
|
||||
@@ -83,7 +92,7 @@ public class DeclarativeCapability extends AbstractCapability implements Applica
|
||||
}
|
||||
|
||||
/**
|
||||
* @param kinds list of file plan component kinds that the
|
||||
* @param kinds list of file plan component kinds
|
||||
*/
|
||||
public void setKinds(List<String> kinds)
|
||||
{
|
||||
@@ -98,6 +107,32 @@ public class DeclarativeCapability extends AbstractCapability implements Applica
|
||||
return kinds;
|
||||
}
|
||||
|
||||
/**
|
||||
* Helper method to set a single kind.
|
||||
*
|
||||
* @param kind file plan component kind
|
||||
*/
|
||||
public void setKind(String kind)
|
||||
{
|
||||
this.kinds = Collections.singletonList(kind);
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets whether the capability will return an undetermined result when evaluating permissions
|
||||
* for a single node reference or not. The default is to return grant.
|
||||
*
|
||||
* @param isUndetermined true if undetermined result, false otherwise
|
||||
*/
|
||||
public void setUndetermined(boolean isUndetermined)
|
||||
{
|
||||
this.isUndetermined = isUndetermined;
|
||||
}
|
||||
|
||||
public boolean isUndetermined()
|
||||
{
|
||||
return isUndetermined;
|
||||
}
|
||||
|
||||
/**
|
||||
* Helper @see #setPermissions(List)
|
||||
*
|
||||
@@ -110,6 +145,14 @@ public class DeclarativeCapability extends AbstractCapability implements Applica
|
||||
this.permissions = permissions;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param targetCapability target capability
|
||||
*/
|
||||
public void setTargetCapability(Capability targetCapability)
|
||||
{
|
||||
this.targetCapability = targetCapability;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check the permissions passed.
|
||||
*
|
||||
@@ -261,6 +304,21 @@ public class DeclarativeCapability extends AbstractCapability implements Applica
|
||||
return result;
|
||||
}
|
||||
|
||||
@Override
|
||||
public int evaluate(NodeRef source, NodeRef target)
|
||||
{
|
||||
int result = AccessDecisionVoter.ACCESS_ABSTAIN;
|
||||
if (targetCapability != null)
|
||||
{
|
||||
result = evaluate(source);
|
||||
if (result != AccessDecisionVoter.ACCESS_DENIED)
|
||||
{
|
||||
result = targetCapability.evaluate(target);
|
||||
}
|
||||
}
|
||||
return result;
|
||||
}
|
||||
|
||||
/**
|
||||
* Default implementation. Given extending classes a hook point for further checks.
|
||||
*
|
||||
@@ -269,7 +327,12 @@ public class DeclarativeCapability extends AbstractCapability implements Applica
|
||||
*/
|
||||
protected int evaluateImpl(NodeRef nodeRef)
|
||||
{
|
||||
return AccessDecisionVoter.ACCESS_GRANTED;
|
||||
int result = AccessDecisionVoter.ACCESS_GRANTED;
|
||||
if (isUndetermined == true)
|
||||
{
|
||||
result = AccessDecisionVoter.ACCESS_ABSTAIN;
|
||||
}
|
||||
return result;
|
||||
}
|
||||
|
||||
/**
|
||||
|
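Review bot: The new `evaluate(NodeRef source, NodeRef target)` returns `ACCESS_ABSTAIN` without evaluating `source` at all when no `targetCapability` is configured, so a denial on the source node is lost for such beans. Evaluating the source first keeps the deny: `int result = evaluate(source);` followed by `if (result != AccessDecisionVoter.ACCESS_DENIED) { result = (targetCapability != null) ? targetCapability.evaluate(target) : AccessDecisionVoter.ACCESS_ABSTAIN; }`. The method and `isUndetermined()` have no Javadoc; it should state that any source result other than deny is replaced by the target capability's result, which is how an undetermined source can end as a grant. Separately, `permissions`, `conditions` and `kinds` appear to go from `private` to `protected` here (inferred from the paired lines), which opens the access-control configuration to direct mutation by subclasses; the existing accessors may already be enough for `CompositeCapability`.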
@@ -1,91 +0,0 @@
|
||||
/*
|
||||
* Copyright (C) 2005-2011 Alfresco Software Limited.
|
||||
*
|
||||
* This file is part of Alfresco
|
||||
*
|
||||
* Alfresco is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Lesser General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* Alfresco is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Lesser General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public License
|
||||
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
package org.alfresco.module.org_alfresco_module_rm.capability.impl;
|
||||
|
||||
import net.sf.acegisecurity.vote.AccessDecisionVoter;
|
||||
|
||||
import org.alfresco.module.org_alfresco_module_rm.capability.declarative.DeclarativeCapability;
|
||||
import org.alfresco.service.cmr.repository.NodeRef;
|
||||
import org.alfresco.service.cmr.security.PermissionService;
|
||||
import org.alfresco.service.namespace.QName;
|
||||
|
||||
public class MoveRecordsCapability extends DeclarativeCapability
|
||||
{
|
||||
@Override
|
||||
public int evaluate(NodeRef nodeRef)
|
||||
{
|
||||
// no way to know ...
|
||||
return AccessDecisionVoter.ACCESS_ABSTAIN;
|
||||
}
|
||||
|
||||
public int evaluate(NodeRef movee, NodeRef destination)
|
||||
{
|
||||
int state = AccessDecisionVoter.ACCESS_ABSTAIN;
|
||||
|
||||
if (rmService.isFilePlanComponent(destination))
|
||||
{
|
||||
state = checkRead(movee, true);
|
||||
if (state != AccessDecisionVoter.ACCESS_GRANTED)
|
||||
{
|
||||
return AccessDecisionVoter.ACCESS_DENIED;
|
||||
}
|
||||
|
||||
if (rmService.isFilePlanComponent(movee) == true)
|
||||
{
|
||||
state = capabilityService.getCapability("Delete").evaluate(movee);
|
||||
}
|
||||
else
|
||||
{
|
||||
if (checkPermissionsImpl(movee, PermissionService.DELETE) == true)
|
||||
{
|
||||
state = AccessDecisionVoter.ACCESS_GRANTED;
|
||||
}
|
||||
}
|
||||
|
||||
if (state == AccessDecisionVoter.ACCESS_GRANTED)
|
||||
{
|
||||
QName type = nodeService.getType(movee);
|
||||
// now we know the node - we can abstain for certain types and aspects (eg, rm)
|
||||
CreateCapability createCapability = (CreateCapability)capabilityService.getCapability("Create");
|
||||
state = createCapability.evaluate(destination, movee, type, null);
|
||||
|
||||
if (state == AccessDecisionVoter.ACCESS_GRANTED)
|
||||
{
|
||||
if (rmService.isFilePlanComponent(movee) == true)
|
||||
{
|
||||
if (checkPermissionsImpl(movee, MOVE_RECORDS) == true)
|
||||
{
|
||||
return AccessDecisionVoter.ACCESS_GRANTED;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
return AccessDecisionVoter.ACCESS_GRANTED;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return AccessDecisionVoter.ACCESS_DENIED;
|
||||
}
|
||||
else
|
||||
{
|
||||
return AccessDecisionVoter.ACCESS_ABSTAIN;
|
||||
}
|
||||
}
|
||||
}
|
@@ -18,20 +18,21 @@
|
||||
*/
|
||||
package org.alfresco.module.org_alfresco_module_rm.jscript;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.Collections;
|
||||
import java.util.Map;
|
||||
|
||||
import org.alfresco.module.org_alfresco_module_rm.RecordsManagementServiceRegistry;
|
||||
import org.alfresco.module.org_alfresco_module_rm.capability.Capability;
|
||||
import org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService;
|
||||
import org.alfresco.module.org_alfresco_module_rm.capability.CapabilityService;
|
||||
import org.alfresco.repo.jscript.ScriptNode;
|
||||
import org.alfresco.service.cmr.repository.NodeRef;
|
||||
import org.alfresco.service.cmr.security.AccessStatus;
|
||||
import org.mozilla.javascript.Scriptable;
|
||||
|
||||
/**
|
||||
* Base records managment script node
|
||||
* Base records management script node
|
||||
*
|
||||
* NOTE: this could be removed, but is being kept as a place holder for future development
|
||||
*
|
||||
* @author Roy Wetherall
|
||||
*/
|
||||
@@ -52,39 +53,26 @@ public class ScriptRecordsManagmentNode extends ScriptNode
|
||||
super(nodeRef, services);
|
||||
rmServices = services;
|
||||
}
|
||||
|
||||
public ScriptCapability[] getCapabilities()
|
||||
{
|
||||
return capabilitiesSet(null);
|
||||
}
|
||||
|
||||
public ScriptCapability[] capabilitiesSet(String capabilitiesSet)
|
||||
public boolean hasCapability(String capabilityName)
|
||||
{
|
||||
RecordsManagementSecurityService rmSecurity = rmServices.getRecordsManagementSecurityService();
|
||||
Map<Capability, AccessStatus> cMap = null;
|
||||
if (capabilitiesSet == null)
|
||||
boolean result = false;
|
||||
|
||||
CapabilityService capabilityService = (CapabilityService)rmServices.getCapabilityService();
|
||||
Capability capability = capabilityService.getCapability(capabilityName);
|
||||
if (capability != null)
|
||||
{
|
||||
// Get all capabilities
|
||||
cMap = rmSecurity.getCapabilities(this.nodeRef);
|
||||
}
|
||||
else
|
||||
{
|
||||
cMap = rmSecurity.getCapabilities(this.nodeRef, capabilitiesSet);
|
||||
}
|
||||
|
||||
List<ScriptCapability> list = new ArrayList<ScriptCapability>(cMap.size());
|
||||
for (Map.Entry<Capability, AccessStatus> entry : cMap.entrySet())
|
||||
{
|
||||
if (AccessStatus.ALLOWED.equals(entry.getValue()) == true ||
|
||||
AccessStatus.UNDETERMINED.equals(entry.getValue()) == true)
|
||||
Map<Capability, AccessStatus> map = capabilityService.getCapabilitiesAccessState(nodeRef, Collections.singletonList(capabilityName));
|
||||
if (map.containsKey(capability) == true)
|
||||
{
|
||||
Capability cap = entry.getKey();
|
||||
String[] actions = (String[])cap.getActionNames().toArray(new String[cap.getActionNames().size()]);
|
||||
ScriptCapability scriptCap = new ScriptCapability(cap.getName(), cap.getName(), actions);
|
||||
list.add(scriptCap);
|
||||
AccessStatus accessStatus = map.get(capability);
|
||||
if (accessStatus.equals(AccessStatus.DENIED) == false)
|
||||
{
|
||||
result = true;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return (ScriptCapability[])list.toArray(new ScriptCapability[list.size()]);
|
||||
|
||||
return result;
|
||||
}
|
||||
}
|
||||
|
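Review bot: `hasCapability` reports true for every status except `DENIED` through `accessStatus.equals(AccessStatus.DENIED) == false`, which throws if the map holds a null value and counts `UNDETERMINED` as having the capability without documenting it. Testing the positive cases is null-safe and mirrors the check in the code this replaces: `result = AccessStatus.ALLOWED.equals(accessStatus) || AccessStatus.UNDETERMINED.equals(accessStatus);`. The method has no Javadoc; a line such as `Returns true if the named capability is allowed or undetermined for this node, false if it is denied or unknown` would make the contract clear to script authors, ideally noting that it is a display hint and not an authorisation check, if that is the intent. The cast in `(CapabilityService)rmServices.getCapabilityService()` is redundant because the registry method added in this commit already returns `CapabilityService`.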
@@ -27,20 +27,21 @@ import java.util.Set;
|
||||
|
||||
import org.alfresco.module.org_alfresco_module_rm.RecordsManagementService;
|
||||
import org.alfresco.module.org_alfresco_module_rm.capability.Capability;
|
||||
import org.alfresco.module.org_alfresco_module_rm.capability.CapabilityService;
|
||||
import org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService;
|
||||
import org.alfresco.module.org_alfresco_module_rm.security.Role;
|
||||
import org.alfresco.service.cmr.repository.NodeRef;
|
||||
import org.springframework.extensions.webscripts.Cache;
|
||||
import org.springframework.extensions.webscripts.DeclarativeWebScript;
|
||||
import org.springframework.extensions.webscripts.Status;
|
||||
import org.springframework.extensions.webscripts.WebScriptException;
|
||||
import org.springframework.extensions.webscripts.WebScriptRequest;
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import org.json.JSONArray;
|
||||
import org.json.JSONException;
|
||||
import org.json.JSONObject;
|
||||
import org.json.JSONTokener;
|
||||
import org.springframework.extensions.webscripts.Cache;
|
||||
import org.springframework.extensions.webscripts.DeclarativeWebScript;
|
||||
import org.springframework.extensions.webscripts.Status;
|
||||
import org.springframework.extensions.webscripts.WebScriptException;
|
||||
import org.springframework.extensions.webscripts.WebScriptRequest;
|
||||
|
||||
/**
|
||||
*
|
||||
@@ -54,6 +55,7 @@ public class RmRolePut extends DeclarativeWebScript
|
||||
|
||||
private RecordsManagementService rmService;
|
||||
private RecordsManagementSecurityService rmSecurityService;
|
||||
private CapabilityService capabilityService;
|
||||
|
||||
public void setRecordsManagementSecurityService(RecordsManagementSecurityService rmSecurityService)
|
||||
{
|
||||
@@ -64,6 +66,11 @@ public class RmRolePut extends DeclarativeWebScript
|
||||
{
|
||||
this.rmService = rmService;
|
||||
}
|
||||
|
||||
public void setCapabilityService(CapabilityService capabilityService)
|
||||
{
|
||||
this.capabilityService = capabilityService;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Map<String, Object> executeImpl(WebScriptRequest req, Status status, Cache cache)
|
||||
@@ -90,7 +97,7 @@ public class RmRolePut extends DeclarativeWebScript
|
||||
Set<Capability> capabilites = new HashSet<Capability>(capabilitiesArray.length());
|
||||
for (int i = 0; i < capabilitiesArray.length(); i++)
|
||||
{
|
||||
Capability capability = rmSecurityService.getCapability(capabilitiesArray.getString(i));
|
||||
Capability capability = capabilityService.getCapability(capabilitiesArray.getString(i));
|
||||
capabilites.add(capability);
|
||||
}
|
||||
|
||||
|
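Review bot: In the capabilities loop of `executeImpl`, the value returned by `capabilityService.getCapability(capabilitiesArray.getString(i))` is added to the role's set unchecked, so a name from the request body that is unknown (other code in this commit treats a null return as possible) or that names a private capability ends up in the role. The `Capability` Javadoc in this commit says private capabilities are used internally and are not offered for role assignment, so the web script should enforce that at this boundary: `if (capability == null || capability.isPrivate()) { throw new WebScriptException(Status.STATUS_BAD_REQUEST, "Unknown capability: " + name); }`, with `name` holding the requested string. The same loop in `RmRolesPost` needs the same guard. `executeImpl` starts and ends outside the hunk.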
@@ -27,23 +27,24 @@ import java.util.Set;
|
||||
|
||||
import org.alfresco.module.org_alfresco_module_rm.RecordsManagementService;
|
||||
import org.alfresco.module.org_alfresco_module_rm.capability.Capability;
|
||||
import org.alfresco.module.org_alfresco_module_rm.capability.CapabilityService;
|
||||
import org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService;
|
||||
import org.alfresco.module.org_alfresco_module_rm.security.Role;
|
||||
import org.alfresco.service.cmr.repository.NodeRef;
|
||||
import org.springframework.extensions.webscripts.Cache;
|
||||
import org.springframework.extensions.webscripts.DeclarativeWebScript;
|
||||
import org.springframework.extensions.webscripts.Status;
|
||||
import org.springframework.extensions.webscripts.WebScriptException;
|
||||
import org.springframework.extensions.webscripts.WebScriptRequest;
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import org.json.JSONArray;
|
||||
import org.json.JSONException;
|
||||
import org.json.JSONObject;
|
||||
import org.json.JSONTokener;
|
||||
import org.springframework.extensions.webscripts.Cache;
|
||||
import org.springframework.extensions.webscripts.DeclarativeWebScript;
|
||||
import org.springframework.extensions.webscripts.Status;
|
||||
import org.springframework.extensions.webscripts.WebScriptException;
|
||||
import org.springframework.extensions.webscripts.WebScriptRequest;
|
||||
|
||||
/**
|
||||
*
|
||||
* RM Roles Post implementation
|
||||
*
|
||||
* @author Roy Wetherall
|
||||
*/
|
||||
@@ -54,6 +55,7 @@ public class RmRolesPost extends DeclarativeWebScript
|
||||
|
||||
private RecordsManagementService rmService;
|
||||
private RecordsManagementSecurityService rmSecurityService;
|
||||
private CapabilityService capabilityService;
|
||||
|
||||
public void setRecordsManagementSecurityService(RecordsManagementSecurityService rmSecurityService)
|
||||
{
|
||||
@@ -64,6 +66,11 @@ public class RmRolesPost extends DeclarativeWebScript
|
||||
{
|
||||
this.rmService = rmService;
|
||||
}
|
||||
|
||||
public void setCapabilityService(CapabilityService capabilityService)
|
||||
{
|
||||
this.capabilityService = capabilityService;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Map<String, Object> executeImpl(WebScriptRequest req, Status status, Cache cache)
|
||||
@@ -82,7 +89,7 @@ public class RmRolesPost extends DeclarativeWebScript
|
||||
Set<Capability> capabilites = new HashSet<Capability>(capabilitiesArray.length());
|
||||
for (int i = 0; i < capabilitiesArray.length(); i++)
|
||||
{
|
||||
Capability capability = rmSecurityService.getCapability(capabilitiesArray.getString(i));
|
||||
Capability capability = capabilityService.getCapability(capabilitiesArray.getString(i));
|
||||
capabilites.add(capability);
|
||||
}
|
||||
|
||||
@@ -91,7 +98,7 @@ public class RmRolesPost extends DeclarativeWebScript
|
||||
|
||||
Role role = rmSecurityService.createRole(root, name, displayString, capabilites);
|
||||
|
||||
Set<Role> roles = rmSecurityService.getRoles(root);
|
||||
//Set<Role> roles = rmSecurityService.getRoles(root);
|
||||
model.put("role", role);
|
||||
|
||||
}
|
||||
|
@@ -33,35 +33,6 @@ import org.alfresco.service.namespace.QName;
|
||||
*/
|
||||
public interface RecordsManagementSecurityService
|
||||
{
|
||||
/**
|
||||
* Get a list of the capabilities available
|
||||
*
|
||||
* @return List<Capability> list of capabilities available
|
||||
*/
|
||||
Set<Capability> getCapabilities();
|
||||
|
||||
/**
|
||||
* Get the full set of capabilities for the current user.
|
||||
* @param nodeRef
|
||||
* @return
|
||||
*/
|
||||
Map<Capability, AccessStatus> getCapabilities(NodeRef nodeRef);
|
||||
|
||||
/**
|
||||
*
|
||||
* @param nodeRef
|
||||
* @param capabilitySet
|
||||
* @return
|
||||
*/
|
||||
Map<Capability, AccessStatus> getCapabilities(NodeRef nodeRef, String capabilitySet);
|
||||
|
||||
/**
|
||||
* Get a capability by name
|
||||
* @param name
|
||||
* @return
|
||||
*/
|
||||
Capability getCapability(String name);
|
||||
|
||||
/**
|
||||
* Get the set of aspect QNames which can not be added direct via the public node service;
|
||||
* they must be managed via the appropriate actions.
|
||||
|
@@ -22,11 +22,8 @@ import java.io.BufferedReader;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.io.InputStreamReader;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collection;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
|
||||
import org.alfresco.error.AlfrescoRuntimeException;
|
||||
@@ -51,7 +48,6 @@ import org.alfresco.service.cmr.security.AccessPermission;
|
||||
import org.alfresco.service.cmr.security.AccessStatus;
|
||||
import org.alfresco.service.cmr.security.AuthorityService;
|
||||
import org.alfresco.service.cmr.security.AuthorityType;
|
||||
import org.alfresco.service.cmr.security.OwnableService;
|
||||
import org.alfresco.service.cmr.security.PermissionService;
|
||||
import org.alfresco.service.namespace.QName;
|
||||
import org.alfresco.service.namespace.RegexQNamePattern;
|
||||
@@ -83,9 +79,6 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
|
||||
/** Policy component */
|
||||
private PolicyComponent policyComponent;
|
||||
|
||||
/** Owner service */
|
||||
private OwnableService ownableService;
|
||||
|
||||
/** Records management service */
|
||||
private RecordsManagementService recordsManagementService;
|
||||
|
||||
@@ -95,12 +88,6 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
|
||||
/** RM Entry voter */
|
||||
private RMEntryVoter voter;
|
||||
|
||||
/**
|
||||
* Capability sets. Allow sub-sets of capabilities to be defined enhancing performance when
|
||||
* only a sub-set need be evaluated.
|
||||
*/
|
||||
private Map<String, List<String>> capabilitySets;
|
||||
|
||||
/** Records management role zone */
|
||||
public static final String RM_ROLE_ZONE_PREFIX = "rmRoleZone";
|
||||
|
||||
@@ -147,16 +134,6 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
|
||||
this.policyComponent = policyComponent;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the ownable service
|
||||
*
|
||||
* @param ownableService ownable service
|
||||
*/
|
||||
public void setOwnableService(OwnableService ownableService)
|
||||
{
|
||||
this.ownableService = ownableService;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set records management service
|
||||
*
|
||||
@@ -177,15 +154,6 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
|
||||
this.nodeService = nodeService;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the capability sets
|
||||
* @param capabilitySets map of capability sets (configured in Spring)
|
||||
*/
|
||||
public void setCapabilitySets(Map<String, List<String>> capabilitySets)
|
||||
{
|
||||
this.capabilitySets = capabilitySets;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the RM voter
|
||||
*
|
||||
@@ -217,7 +185,11 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
|
||||
|
||||
public void beforeDeleteFrozenNode(NodeRef nodeRef)
|
||||
{
|
||||
throw new AccessDeniedException("Frozen nodes can not be deleted");
|
||||
if (nodeService.exists(nodeRef) && recordsManagementService.isFrozen(nodeRef) == true)
|
||||
{
|
||||
// Never allowed to delete a frozen node
|
||||
throw new AccessDeniedException("Frozen nodes can not be deleted");
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -344,63 +316,6 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
|
||||
}, AuthenticationUtil.getAdminUserName());
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#getCapabilities()
|
||||
*/
|
||||
public Set<Capability> getCapabilities()
|
||||
{
|
||||
Collection<Capability> caps = capabilityService.getCapabilities();
|
||||
Set<Capability> result = new HashSet<Capability>(caps.size());
|
||||
for (Capability cap : caps)
|
||||
{
|
||||
if (cap.isPrivate() == false)
|
||||
{
|
||||
result.add(cap);
|
||||
}
|
||||
}
|
||||
return result;
|
||||
}
|
||||
|
||||
/**
|
||||
* @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#getCapabilities(org.alfresco.service.cmr.repository.NodeRef)
|
||||
*/
|
||||
public Map<Capability, AccessStatus> getCapabilities(NodeRef nodeRef)
|
||||
{
|
||||
return capabilityService.getCapabilitiesAccessState(nodeRef);
|
||||
}
|
||||
|
||||
/**
|
||||
* @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#getCapabilities(org.alfresco.service.cmr.repository.NodeRef, java.lang.String)
|
||||
*/
|
||||
public Map<Capability, AccessStatus> getCapabilities(NodeRef nodeRef, String capabilitySet)
|
||||
{
|
||||
List<String> capabilities = capabilitySets.get(capabilitySet);
|
||||
if (capabilities == null)
|
||||
{
|
||||
if (getCapability(capabilitySet) != null)
|
||||
{
|
||||
// If the capability set is the name of a capability assume we just want that single
|
||||
// capability
|
||||
capabilities = new ArrayList<String>(1);
|
||||
capabilities.add(capabilitySet);
|
||||
}
|
||||
else
|
||||
{
|
||||
throw new AlfrescoRuntimeException("Unable to find the capability set '" + capabilitySet + "'");
|
||||
}
|
||||
}
|
||||
|
||||
return capabilityService.getCapabilitiesAccessState(nodeRef, capabilities);
|
||||
}
|
||||
|
||||
/**
|
||||
* @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#getCapability(java.lang.String)
|
||||
*/
|
||||
public Capability getCapability(String name)
|
||||
{
|
||||
return capabilityService.getCapability(name);
|
||||
}
|
||||
|
||||
/**
|
||||
* @see org.alfresco.module.org_alfresco_module_rm.security.RecordsManagementSecurityService#getProtectedAspects()
|
||||
@@ -488,7 +403,7 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
|
||||
for (int index = 0; index < arrCaps.length(); index++)
|
||||
{
|
||||
String capName = arrCaps.getString(index);
|
||||
Capability capability = getCapability(capName);
|
||||
Capability capability = capabilityService.getCapability(capName);
|
||||
if (capability == null)
|
||||
{
|
||||
throw new AlfrescoRuntimeException("The capability '" + capName + "' configured for the deafult boostrap role '" + name + "' is invalid.");
|
||||
@@ -675,7 +590,7 @@ public class RecordsManagementSecurityServiceImpl implements RecordsManagementSe
|
||||
if (permission.getAuthority().equals(roleAuthority) == true)
|
||||
{
|
||||
String capabilityName = permission.getPermission();
|
||||
if (getCapability(capabilityName) != null)
|
||||
if (capabilityService.getCapability(capabilityName) != null)
|
||||
{
|
||||
capabilities.add(permission.getPermission());
|
||||
}
|
||||
|
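Review bot: In the `@@ -217,7 +185,11 @@` hunk, `beforeDeleteFrozenNode` goes from throwing on every call to throwing only when `nodeService.exists(nodeRef) && recordsManagementService.isFrozen(nodeRef)` holds (the 7-to-11 line counts indicate the conditional is the new side), and nothing visible says which case now has to be let through. Since this method is the guard that stops frozen nodes from being deleted, the reason belongs in a comment above the `if`, for example `// Deny only a node that still exists and is frozen now; <state the case that must be allowed>`. That way a later change to `isFrozen` gets reviewed as a change to delete protection. No test for this method is visible in the section; one asserting `AccessDeniedException` when a frozen node is deleted would pin the deny path. The `== true` comparison is redundant and can be dropped.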