Merged V3.2 to HEAD

17398: Merged V3.1 to V3.2
        17396: Merged V2.2 to V3.1
            17393: Fix ETHREEOH-2912 / ETWOONE-243 - Permissions issue with Versioning enabled


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@17402 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

source/java/org/alfresco/repo/security/permissions/impl/PermissionServiceImpl.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2007 Alfresco Software Limited.
+ * Copyright (C) 2005-2009 Alfresco Software Limited.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -53,6 +53,7 @@ import org.alfresco.repo.security.permissions.PermissionEntry;
 import org.alfresco.repo.security.permissions.PermissionReference;
 import org.alfresco.repo.security.permissions.PermissionServiceSPI;
 import org.alfresco.repo.tenant.TenantService;
+import org.alfresco.repo.version.Version2Model;
 import org.alfresco.repo.version.VersionModel;
 import org.alfresco.repo.version.common.VersionUtil;
 import org.alfresco.service.cmr.dictionary.DictionaryService;
@@ -418,24 +419,18 @@ public class PermissionServiceImpl implements PermissionServiceSPI, Initializing
             return doAvmCan(passedNodeRef, permIn);
         }
         
+        // Note: if we're directly accessing a frozen state (version) node (ie. in the 'version' store) we need to check permissions for the versioned node (ie. in the 'live' store)
+        if (isVersionNodeRef(passedNodeRef))
+        {
+            passedNodeRef = convertVersionNodeRefToVersionedNodeRef(VersionUtil.convertNodeRef(passedNodeRef));
+        }
+        
         // Allow permissions for nodes that do not exist
         if (!nodeService.exists(passedNodeRef))
         {
             return AccessStatus.ALLOWED;
         }
         
-        // Because of VersionedNodeRef has no any inherited from source Frozen NodeRef permissions (it has only default permissions),
-        // it is necessary to avoid cases when some user without appropriate permissions trying to receive any resource from its any version link etc.
-        // That could be proceed through receiving Frozen NodeRef instance for this VersionedNodeRef instance. There is appears a possibility to get
-        // access to specified for Frozen NodeRef instance permissions
-        
-        // NOTE: maybe in future there will appear situation when changing Node permissions will be a cause for creating new Node version. In other words,
-        // VersionedNodeRefs will contain their own permissions (whose, probably, will differ from version to version). In this case you should delete/comment this code!!!
-        if (isVersionedNodeRefInstance(passedNodeRef))
-        {
-            passedNodeRef = convertVersionedNodeRefToFrozenNodeRef(VersionUtil.convertNodeRef(passedNodeRef));
-        }
-        
         final NodeRef nodeRef = tenantService.getName(passedNodeRef);
 
         final PermissionReference perm;
@@ -1910,29 +1905,42 @@ public class PermissionServiceImpl implements PermissionServiceSPI, Initializing
     }
     
     /**
-     * This methods checks weather the specified NodeRef instance is an VersionedNodeRef
+     * This methods checks whether the specified nodeRef instance is a version nodeRef (ie. in the 'version' store)
      * 
-     * @param nodeRef - probably VersionedNodeRef
+     * @param nodeRef - version nodeRef
-     * @return <b>true</b> if NodeRef if Versioned and <b>false</b> in other case
+     * @return <b>true</b> if version nodeRef <b>false</b> otherwise
      */
-    private boolean isVersionedNodeRefInstance(NodeRef nodeRef)
+    private boolean isVersionNodeRef(NodeRef nodeRef)
     {
     	return nodeRef.getStoreRef().getProtocol().equals(VersionModel.STORE_PROTOCOL);
     }
 
     /**
-     * Converts specified VersionedNodeRef to Frozen NodeRef (from SpacesStore store, accessed by workspace protocol)
+     * Converts specified version nodeRef (eg. versionStore://...) to versioned nodeRef (eg. workspace://SpacesStore/...)
      * 
-     * @param nodeRef - <b>always</b> VersionedNodeRef
+     * @param nodeRef - <b>always</b> version nodeRef (ie. in the 'version' store)
-     * @return Frozen NodeRef instance (source for this VersionedNodeRef instance)
+     * @return versioned nodeRef (ie.in the 'live' store)
      */
-    private NodeRef convertVersionedNodeRefToFrozenNodeRef(NodeRef nodeRef)
+    private NodeRef convertVersionNodeRefToVersionedNodeRef(NodeRef versionNodeRef)
     {
+        Map<QName, Serializable> properties = nodeService.getProperties(versionNodeRef);
         
-    	Map<QName, Serializable> properties = nodeService.getProperties(nodeRef);
+        NodeRef nodeRef = null;
         
-       return new NodeRef((String) properties.get(ContentModel.PROP_STORE_PROTOCOL),
+        // Switch VersionStore depending on configured impl
-                          (String) properties.get(ContentModel.PROP_STORE_IDENTIFIER),
+        if (versionNodeRef.getStoreRef().getIdentifier().equals(Version2Model.STORE_ID))
-                          (String) properties.get(ContentModel.PROP_NODE_UUID));
+        {
+            // V2 version store (eg. workspace://version2Store)
+            nodeRef = (NodeRef)properties.get(Version2Model.PROP_QNAME_FROZEN_NODE_REF);
+        } 
+        else if (versionNodeRef.getStoreRef().getIdentifier().equals(VersionModel.STORE_ID))
+        {
+            // Deprecated V1 version store (eg. workspace://lightWeightVersionStore)
+            nodeRef = new NodeRef((String) properties.get(VersionModel.PROP_QNAME_FROZEN_NODE_STORE_PROTOCOL),
+                                  (String) properties.get(VersionModel.PROP_QNAME_FROZEN_NODE_STORE_ID),
+                                  (String) properties.get(VersionModel.PROP_QNAME_FROZEN_NODE_ID));
+        }
+        
+        return nodeRef;
     }
 }

source/java/org/alfresco/repo/version/BaseVersionStoreTest.java

@@ -52,12 +52,12 @@ import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.repository.StoreRef;
 import org.alfresco.service.cmr.security.AuthenticationService;
+import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.cmr.version.Version;
 import org.alfresco.service.cmr.version.VersionService;
 import org.alfresco.service.namespace.QName;
 import org.alfresco.service.transaction.TransactionService;
 import org.alfresco.util.BaseSpringTest;
-import org.alfresco.util.TestWithUserUtils;
 
 public abstract class BaseVersionStoreTest extends BaseSpringTest
 {
@@ -75,6 +75,7 @@ public abstract class BaseVersionStoreTest extends BaseSpringTest
     protected MutableAuthenticationDao authenticationDAO;
     protected NodeArchiveService nodeArchiveService;
     protected NodeService nodeService;
+    protected PermissionService permissionService;
 	
     /*
      * Data used by tests
@@ -164,6 +165,7 @@ public abstract class BaseVersionStoreTest extends BaseSpringTest
         this.authenticationDAO = (MutableAuthenticationDao) applicationContext.getBean("authenticationDao");
         this.nodeArchiveService = (NodeArchiveService) applicationContext.getBean("nodeArchiveService");
         this.nodeService = (NodeService)applicationContext.getBean("nodeService");
+        this.permissionService = (PermissionService)this.applicationContext.getBean("permissionService");
         
         setVersionService((VersionService)applicationContext.getBean("versionService"));
         
@@ -197,14 +199,14 @@ public abstract class BaseVersionStoreTest extends BaseSpringTest
         // Get a reference to the root node
         this.rootNodeRef = this.dbNodeService.getRootNode(this.testStoreRef);
         
-        // Create an authenticate the user
+        // Create and authenticate the user
         
         if(!authenticationDAO.userExists(AuthenticationUtil.getAdminUserName()))
         {
             authenticationService.createAuthentication(AuthenticationUtil.getAdminUserName(), PWD.toCharArray());
         }
         
-        TestWithUserUtils.authenticateUser(AuthenticationUtil.getAdminUserName(), PWD, this.rootNodeRef, this.authenticationService);
+        AuthenticationUtil.setFullyAuthenticatedUser(AuthenticationUtil.getAdminUserName());
     }
     
     /**

source/java/org/alfresco/repo/version/VersionServiceImplTest.java

@@ -37,6 +37,7 @@ import java.util.Set;
 import org.alfresco.model.ApplicationModel;
 import org.alfresco.model.ContentModel;
 import org.alfresco.repo.security.authentication.AuthenticationComponent;
+import org.alfresco.repo.security.authentication.AuthenticationUtil;
 import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback;
 import org.alfresco.service.ServiceRegistry;
 import org.alfresco.service.cmr.model.FileFolderService;
@@ -47,6 +48,8 @@ import org.alfresco.service.cmr.repository.ContentWriter;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.repository.StoreRef;
+import org.alfresco.service.cmr.security.AccessStatus;
+import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.cmr.version.Version;
 import org.alfresco.service.cmr.version.VersionHistory;
 import org.alfresco.service.cmr.version.VersionService;
@@ -74,6 +77,9 @@ public class VersionServiceImplTest extends BaseVersionStoreTest
     private static final String UPDATED_CONTENT_1 = "updatedContent1";
     private static final String UPDATED_CONTENT_2 = "updatedContent2";
     
+    private static final String PWD_A = "passA";
+    private static final String USER_NAME_A = "userA";
+    
     public void testSetup()
     {
         // NOOP
@@ -1127,6 +1133,46 @@ public class VersionServiceImplTest extends BaseVersionStoreTest
         Object editionCodeArchive = nodeService.getProperty(versionNodeRef, prop);
         assertEquals(editionCodeArchive.getClass(), Integer.class);
     }
+    
+    /**
+     * Check read permission for the frozen node
+     */
+    public void testHasPermission()
+    {
+        AuthenticationUtil.setFullyAuthenticatedUser(AuthenticationUtil.getAdminUserName());
+        
+        if(!authenticationDAO.userExists(USER_NAME_A))
+        {
+            authenticationService.createAuthentication(USER_NAME_A, PWD_A.toCharArray());
+        }
+        
+        permissionService.setPermission(rootNodeRef, PermissionService.ALL_AUTHORITIES, PermissionService.READ, true);
+        permissionService.setInheritParentPermissions(rootNodeRef, true);
+        
+        // Create a new versionable node
+        NodeRef versionableNode = createNewVersionableNode();
+        
+        // Create a new version
+        Version version = createVersion(versionableNode, versionProperties);
+        NodeRef versionNodeRef = version.getFrozenStateNodeRef();
+        
+        assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(versionNodeRef, PermissionService.READ));
+        
+        AuthenticationUtil.setFullyAuthenticatedUser(USER_NAME_A);
+        
+        assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(versionNodeRef, PermissionService.READ));
+        
+        AuthenticationUtil.setFullyAuthenticatedUser(AuthenticationUtil.getAdminUserName());
+        
+        permissionService.setInheritParentPermissions(versionableNode, false);
+        
+        assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(versionNodeRef, PermissionService.READ));
+        
+        AuthenticationUtil.setFullyAuthenticatedUser(USER_NAME_A);
+        
+        assertEquals(AccessStatus.DENIED, permissionService.hasPermission(versionNodeRef, PermissionService.READ));
+    }
+    
     public static void main(String ... args)
     {
         try