Merged V3.2 to HEAD
17398: Merged V3.1 to V3.2 17396: Merged V2.2 to V3.1 17393: Fix ETHREEOH-2912 / ETWOONE-243 - Permissions issue with Versioning enabled git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@17402 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (C) 2005-2007 Alfresco Software Limited.
|
||||
* Copyright (C) 2005-2009 Alfresco Software Limited.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU General Public License
|
||||
@@ -53,6 +53,7 @@ import org.alfresco.repo.security.permissions.PermissionEntry;
|
||||
import org.alfresco.repo.security.permissions.PermissionReference;
|
||||
import org.alfresco.repo.security.permissions.PermissionServiceSPI;
|
||||
import org.alfresco.repo.tenant.TenantService;
|
||||
import org.alfresco.repo.version.Version2Model;
|
||||
import org.alfresco.repo.version.VersionModel;
|
||||
import org.alfresco.repo.version.common.VersionUtil;
|
||||
import org.alfresco.service.cmr.dictionary.DictionaryService;
|
||||
@@ -418,24 +419,18 @@ public class PermissionServiceImpl implements PermissionServiceSPI, Initializing
|
||||
return doAvmCan(passedNodeRef, permIn);
|
||||
}
|
||||
|
||||
// Note: if we're directly accessing a frozen state (version) node (ie. in the 'version' store) we need to check permissions for the versioned node (ie. in the 'live' store)
|
||||
if (isVersionNodeRef(passedNodeRef))
|
||||
{
|
||||
passedNodeRef = convertVersionNodeRefToVersionedNodeRef(VersionUtil.convertNodeRef(passedNodeRef));
|
||||
}
|
||||
|
||||
// Allow permissions for nodes that do not exist
|
||||
if (!nodeService.exists(passedNodeRef))
|
||||
{
|
||||
return AccessStatus.ALLOWED;
|
||||
}
|
||||
|
||||
// Because of VersionedNodeRef has no any inherited from source Frozen NodeRef permissions (it has only default permissions),
|
||||
// it is necessary to avoid cases when some user without appropriate permissions trying to receive any resource from its any version link etc.
|
||||
// That could be proceed through receiving Frozen NodeRef instance for this VersionedNodeRef instance. There is appears a possibility to get
|
||||
// access to specified for Frozen NodeRef instance permissions
|
||||
|
||||
// NOTE: maybe in future there will appear situation when changing Node permissions will be a cause for creating new Node version. In other words,
|
||||
// VersionedNodeRefs will contain their own permissions (whose, probably, will differ from version to version). In this case you should delete/comment this code!!!
|
||||
if (isVersionedNodeRefInstance(passedNodeRef))
|
||||
{
|
||||
passedNodeRef = convertVersionedNodeRefToFrozenNodeRef(VersionUtil.convertNodeRef(passedNodeRef));
|
||||
}
|
||||
|
||||
final NodeRef nodeRef = tenantService.getName(passedNodeRef);
|
||||
|
||||
final PermissionReference perm;
|
||||
@@ -1910,29 +1905,42 @@ public class PermissionServiceImpl implements PermissionServiceSPI, Initializing
|
||||
}
|
||||
|
||||
/**
|
||||
* This methods checks weather the specified NodeRef instance is an VersionedNodeRef
|
||||
* This methods checks whether the specified nodeRef instance is a version nodeRef (ie. in the 'version' store)
|
||||
*
|
||||
* @param nodeRef - probably VersionedNodeRef
|
||||
* @return <b>true</b> if NodeRef if Versioned and <b>false</b> in other case
|
||||
* @param nodeRef - version nodeRef
|
||||
* @return <b>true</b> if version nodeRef <b>false</b> otherwise
|
||||
*/
|
||||
private boolean isVersionedNodeRefInstance(NodeRef nodeRef)
|
||||
private boolean isVersionNodeRef(NodeRef nodeRef)
|
||||
{
|
||||
return nodeRef.getStoreRef().getProtocol().equals(VersionModel.STORE_PROTOCOL);
|
||||
}
|
||||
|
||||
/**
|
||||
* Converts specified VersionedNodeRef to Frozen NodeRef (from SpacesStore store, accessed by workspace protocol)
|
||||
* Converts specified version nodeRef (eg. versionStore://...) to versioned nodeRef (eg. workspace://SpacesStore/...)
|
||||
*
|
||||
* @param nodeRef - <b>always</b> VersionedNodeRef
|
||||
* @return Frozen NodeRef instance (source for this VersionedNodeRef instance)
|
||||
* @param nodeRef - <b>always</b> version nodeRef (ie. in the 'version' store)
|
||||
* @return versioned nodeRef (ie.in the 'live' store)
|
||||
*/
|
||||
private NodeRef convertVersionedNodeRefToFrozenNodeRef(NodeRef nodeRef)
|
||||
private NodeRef convertVersionNodeRefToVersionedNodeRef(NodeRef versionNodeRef)
|
||||
{
|
||||
Map<QName, Serializable> properties = nodeService.getProperties(versionNodeRef);
|
||||
|
||||
Map<QName, Serializable> properties = nodeService.getProperties(nodeRef);
|
||||
NodeRef nodeRef = null;
|
||||
|
||||
return new NodeRef((String) properties.get(ContentModel.PROP_STORE_PROTOCOL),
|
||||
(String) properties.get(ContentModel.PROP_STORE_IDENTIFIER),
|
||||
(String) properties.get(ContentModel.PROP_NODE_UUID));
|
||||
// Switch VersionStore depending on configured impl
|
||||
if (versionNodeRef.getStoreRef().getIdentifier().equals(Version2Model.STORE_ID))
|
||||
{
|
||||
// V2 version store (eg. workspace://version2Store)
|
||||
nodeRef = (NodeRef)properties.get(Version2Model.PROP_QNAME_FROZEN_NODE_REF);
|
||||
}
|
||||
else if (versionNodeRef.getStoreRef().getIdentifier().equals(VersionModel.STORE_ID))
|
||||
{
|
||||
// Deprecated V1 version store (eg. workspace://lightWeightVersionStore)
|
||||
nodeRef = new NodeRef((String) properties.get(VersionModel.PROP_QNAME_FROZEN_NODE_STORE_PROTOCOL),
|
||||
(String) properties.get(VersionModel.PROP_QNAME_FROZEN_NODE_STORE_ID),
|
||||
(String) properties.get(VersionModel.PROP_QNAME_FROZEN_NODE_ID));
|
||||
}
|
||||
|
||||
return nodeRef;
|
||||
}
|
||||
}
|
||||
|
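Review bot: In the hasPermission hunk the version-to-live conversion now runs before the existing `if (!nodeService.exists(passedNodeRef))` shortcut, so `AccessStatus.ALLOWED` is returned for any permission on a version node whose live node cannot be found. Whether a version can outlive its live node is not visible on this page, but if it can, that path fails open, and the resolved-ref case should return `AccessStatus.DENIED` instead. The same guard should cover a `null` result, because `convertVersionNodeRefToVersionedNodeRef` returns `null` when the store identifier matches neither `Version2Model.STORE_ID` nor `VersionModel.STORE_ID`, and that value currently flows into `nodeService.exists(...)` and `tenantService.getName(...)`. The enclosing method starts and ends outside the hunk.

```java
// … unchanged: AVM shortcut above …
if (isVersionNodeRef(passedNodeRef))
{
    passedNodeRef = convertVersionNodeRefToVersionedNodeRef(VersionUtil.convertNodeRef(passedNodeRef));
    // Fail closed: a version whose live node cannot be resolved must not reach
    // the "node does not exist" ALLOWED shortcut below
    if (passedNodeRef == null || !nodeService.exists(passedNodeRef))
    {
        return AccessStatus.DENIED;
    }
}
// … unchanged: existence shortcut and tenantService.getName(...) …
```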
@@ -52,12 +52,12 @@ import org.alfresco.service.cmr.repository.NodeRef;
|
||||
import org.alfresco.service.cmr.repository.NodeService;
|
||||
import org.alfresco.service.cmr.repository.StoreRef;
|
||||
import org.alfresco.service.cmr.security.AuthenticationService;
|
||||
import org.alfresco.service.cmr.security.PermissionService;
|
||||
import org.alfresco.service.cmr.version.Version;
|
||||
import org.alfresco.service.cmr.version.VersionService;
|
||||
import org.alfresco.service.namespace.QName;
|
||||
import org.alfresco.service.transaction.TransactionService;
|
||||
import org.alfresco.util.BaseSpringTest;
|
||||
import org.alfresco.util.TestWithUserUtils;
|
||||
|
||||
public abstract class BaseVersionStoreTest extends BaseSpringTest
|
||||
{
|
||||
@@ -75,6 +75,7 @@ public abstract class BaseVersionStoreTest extends BaseSpringTest
|
||||
protected MutableAuthenticationDao authenticationDAO;
|
||||
protected NodeArchiveService nodeArchiveService;
|
||||
protected NodeService nodeService;
|
||||
protected PermissionService permissionService;
|
||||
|
||||
/*
|
||||
* Data used by tests
|
||||
@@ -164,6 +165,7 @@ public abstract class BaseVersionStoreTest extends BaseSpringTest
|
||||
this.authenticationDAO = (MutableAuthenticationDao) applicationContext.getBean("authenticationDao");
|
||||
this.nodeArchiveService = (NodeArchiveService) applicationContext.getBean("nodeArchiveService");
|
||||
this.nodeService = (NodeService)applicationContext.getBean("nodeService");
|
||||
this.permissionService = (PermissionService)this.applicationContext.getBean("permissionService");
|
||||
|
||||
setVersionService((VersionService)applicationContext.getBean("versionService"));
|
||||
|
||||
@@ -197,14 +199,14 @@ public abstract class BaseVersionStoreTest extends BaseSpringTest
|
||||
// Get a reference to the root node
|
||||
this.rootNodeRef = this.dbNodeService.getRootNode(this.testStoreRef);
|
||||
|
||||
// Create an authenticate the user
|
||||
// Create and authenticate the user
|
||||
|
||||
if(!authenticationDAO.userExists(AuthenticationUtil.getAdminUserName()))
|
||||
{
|
||||
authenticationService.createAuthentication(AuthenticationUtil.getAdminUserName(), PWD.toCharArray());
|
||||
}
|
||||
|
||||
TestWithUserUtils.authenticateUser(AuthenticationUtil.getAdminUserName(), PWD, this.rootNodeRef, this.authenticationService);
|
||||
AuthenticationUtil.setFullyAuthenticatedUser(AuthenticationUtil.getAdminUserName());
|
||||
}
|
||||
|
||||
/**
|
||||
|
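Review bot: The corrected comment `// Create and authenticate the user` no longer matches the code beneath it: the `TestWithUserUtils.authenticateUser(...)` call is replaced by `AuthenticationUtil.setFullyAuthenticatedUser(...)`, which appears to set the security context directly rather than authenticate with `PWD`. A comment such as `// Create the admin user if missing, then run as admin by setting the security context directly` would say what the setup does now. The new lookup also uses `this.applicationContext.getBean("permissionService")` while its neighbours use `applicationContext.getBean(...)`; matching them keeps the block uniform. The setup method begins outside the hunk.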
@@ -37,6 +37,7 @@ import java.util.Set;
|
||||
import org.alfresco.model.ApplicationModel;
|
||||
import org.alfresco.model.ContentModel;
|
||||
import org.alfresco.repo.security.authentication.AuthenticationComponent;
|
||||
import org.alfresco.repo.security.authentication.AuthenticationUtil;
|
||||
import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback;
|
||||
import org.alfresco.service.ServiceRegistry;
|
||||
import org.alfresco.service.cmr.model.FileFolderService;
|
||||
@@ -47,6 +48,8 @@ import org.alfresco.service.cmr.repository.ContentWriter;
|
||||
import org.alfresco.service.cmr.repository.NodeRef;
|
||||
import org.alfresco.service.cmr.repository.NodeService;
|
||||
import org.alfresco.service.cmr.repository.StoreRef;
|
||||
import org.alfresco.service.cmr.security.AccessStatus;
|
||||
import org.alfresco.service.cmr.security.PermissionService;
|
||||
import org.alfresco.service.cmr.version.Version;
|
||||
import org.alfresco.service.cmr.version.VersionHistory;
|
||||
import org.alfresco.service.cmr.version.VersionService;
|
||||
@@ -74,6 +77,9 @@ public class VersionServiceImplTest extends BaseVersionStoreTest
|
||||
private static final String UPDATED_CONTENT_1 = "updatedContent1";
|
||||
private static final String UPDATED_CONTENT_2 = "updatedContent2";
|
||||
|
||||
private static final String PWD_A = "passA";
|
||||
private static final String USER_NAME_A = "userA";
|
||||
|
||||
public void testSetup()
|
||||
{
|
||||
// NOOP
|
||||
@@ -1127,6 +1133,46 @@ public class VersionServiceImplTest extends BaseVersionStoreTest
|
||||
Object editionCodeArchive = nodeService.getProperty(versionNodeRef, prop);
|
||||
assertEquals(editionCodeArchive.getClass(), Integer.class);
|
||||
}
|
||||
|
||||
/**
|
||||
* Check read permission for the frozen node
|
||||
*/
|
||||
public void testHasPermission()
|
||||
{
|
||||
AuthenticationUtil.setFullyAuthenticatedUser(AuthenticationUtil.getAdminUserName());
|
||||
|
||||
if(!authenticationDAO.userExists(USER_NAME_A))
|
||||
{
|
||||
authenticationService.createAuthentication(USER_NAME_A, PWD_A.toCharArray());
|
||||
}
|
||||
|
||||
permissionService.setPermission(rootNodeRef, PermissionService.ALL_AUTHORITIES, PermissionService.READ, true);
|
||||
permissionService.setInheritParentPermissions(rootNodeRef, true);
|
||||
|
||||
// Create a new versionable node
|
||||
NodeRef versionableNode = createNewVersionableNode();
|
||||
|
||||
// Create a new version
|
||||
Version version = createVersion(versionableNode, versionProperties);
|
||||
NodeRef versionNodeRef = version.getFrozenStateNodeRef();
|
||||
|
||||
assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(versionNodeRef, PermissionService.READ));
|
||||
|
||||
AuthenticationUtil.setFullyAuthenticatedUser(USER_NAME_A);
|
||||
|
||||
assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(versionNodeRef, PermissionService.READ));
|
||||
|
||||
AuthenticationUtil.setFullyAuthenticatedUser(AuthenticationUtil.getAdminUserName());
|
||||
|
||||
permissionService.setInheritParentPermissions(versionableNode, false);
|
||||
|
||||
assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(versionNodeRef, PermissionService.READ));
|
||||
|
||||
AuthenticationUtil.setFullyAuthenticatedUser(USER_NAME_A);
|
||||
|
||||
assertEquals(AccessStatus.DENIED, permissionService.hasPermission(versionNodeRef, PermissionService.READ));
|
||||
}
|
||||
|
||||
public static void main(String ... args)
|
||||
{
|
||||
try
|
||||
|
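Review bot: testHasPermission covers only a live node with inheritance switched off; it has no case for a version whose live node has been removed, which is where the "Allow permissions for nodes that do not exist" branch of hasPermission (shown in the PermissionServiceImpl hunk on this page) would answer ALLOWED. Adding `nodeService.deleteNode(versionableNode);` followed by an assertion of the intended status for `versionNodeRef` as `USER_NAME_A` would pin that behaviour down. The test also ends with `USER_NAME_A` as the fully authenticated user and switches users without a `try`/`finally`, so a failed assertion leaves that identity on the thread unless the base class tear-down clears it (not visible here).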