From 20e1ef205953968c855edfcb1cf4445d932c252b Mon Sep 17 00:00:00 2001 From: Alan Davis Date: Sat, 15 Mar 2014 01:29:23 +0000 Subject: [PATCH] Merged HEAD-BUG-FIX (4.3/Cloud) to HEAD (4.3/Cloud) 64416: Merged WAT1 (4.3/Cloud) to HEAD-BUG-FIX (4.3/Cloud) 61735: ACE-493: Made Sites Public REST API Get method callable by Admins or by users that are made members of the new "Site Admin" group. ACE-503: Created a new PUT method in Sites Public REST API, such that it is possible to modify the visibility of a site. ACE-511: Created a new DELETE method in Sites Public REST API, such that it is possible to delete a site. git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@64562 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../public-services-security-context.xml | 1 + .../alfresco/repo/site/SiteServiceImpl.java | 41 ++++++++++++++----- .../service/cmr/site/SiteService.java | 11 +++++ 3 files changed, 43 insertions(+), 10 deletions(-) diff --git a/config/alfresco/public-services-security-context.xml b/config/alfresco/public-services-security-context.xml index 5c9b7597d1..942475a3cb 100644 --- a/config/alfresco/public-services-security-context.xml +++ b/config/alfresco/public-services-security-context.xml @@ -1003,6 +1003,7 @@ org.alfresco.service.cmr.site.SiteService.setMembership=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.updateSite=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.countAuthoritiesWithRole=ACL_ALLOW + org.alfresco.service.cmr.site.SiteService.isSiteAdmin=ACL_ALLOW org.alfresco.service.cmr.site.SiteService.*=ACL_DENY diff --git a/source/java/org/alfresco/repo/site/SiteServiceImpl.java b/source/java/org/alfresco/repo/site/SiteServiceImpl.java index b6600e41b4..f240ef8083 100644 --- a/source/java/org/alfresco/repo/site/SiteServiceImpl.java +++ b/source/java/org/alfresco/repo/site/SiteServiceImpl.java 
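Review bot: The new `SiteService.isSiteAdmin=ACL_ALLOW` entry lets any caller of the public service ask whether an arbitrary user name is a site administrator, because the method takes the name as a parameter instead of answering for the current user. If the REST layer only needs the answer for the authenticated user, a narrower contract would avoid disclosing which accounts hold the privileged role. If the open query is intended, that decision should be recorded next to this entry or in the interface Javadoc so that it is not read as an oversight later.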
@@ -132,6 +132,12 @@ public class SiteServiceImpl extends AbstractLifecycleBean implements SiteServic private static final int GROUP_PREFIX_LENGTH = PermissionService.GROUP_PREFIX.length(); private static final int GROUP_SITE_PREFIX_LENGTH = GROUP_SITE_PREFIX.length(); + /** + * The authority that needs to contain the users who are allowed to administer the site. + */ + private static final String SITE_ADMINISTRATORS_AUTHORITY = "SITE_ADMINISTRATORS"; + private static final String GROUP_SITE_ADMINISTRATORS_AUTHORITY = PermissionService.GROUP_PREFIX + SITE_ADMINISTRATORS_AUTHORITY; + // note: caches are tenant-aware (if using EhCacheAdapter shared cache) private SimpleCache singletonCache; // eg. for siteHomeNodeRef @@ -1338,8 +1344,9 @@ public class SiteServiceImpl extends AbstractLifecycleBean implements SiteServic if (enforcePermissions) { return siteNodeRef == null - || !this.permissionService.hasPermission(siteNodeRef, PermissionService.READ_PROPERTIES).equals( - AccessStatus.ALLOWED) ? null : siteNodeRef; + || !(this.permissionService.hasPermission(siteNodeRef, + PermissionService.READ_PROPERTIES).equals(AccessStatus.ALLOWED) || isSiteAdmin(AuthenticationUtil + .getFullyAuthenticatedUser())) ? null : siteNodeRef; } else { @@ -2213,7 +2220,7 @@ public class SiteServiceImpl extends AbstractLifecycleBean implements SiteServic // -- the current user has change permissions rights on the site // or // -- the user is ourselves - if ((currentUserName.equals(authorityName) == true) || + if ((currentUserName.equals(authorityName) == true) || isSiteAdmin(currentUserName) || (permissionService.hasPermission(siteNodeRef, PermissionService.CHANGE_PERMISSIONS) == AccessStatus.ALLOWED)) { // Run as system user 
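Review bot: In the `enforcePermissions` branch of the `@@ -1338` hunk the two halves of the new condition appear to be evaluated against different identities. `permissionService.hasPermission(...)` is, as far as I know, answered for the current run-as user, while `isSiteAdmin(AuthenticationUtil.getFullyAuthenticatedUser())` looks at the originally authenticated user. Code that deliberately drops to a less-privileged user with `runAs` on behalf of a site administrator would therefore still resolve private sites here. If that is intended, say so in a comment above the `return`; otherwise `AuthenticationUtil.getRunAsUser()` keeps both checks on the same identity. The enclosing method starts and ends outside the hunk.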
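Review bot: The condition comment above the changed `if` in the `@@ -2213` hunk still lists only two cases (change-permissions right, or the user acting on themselves) and is now stale, because `isSiteAdmin(currentUserName)` adds a third path that bypasses the per-site permission check. The same applies to the condition list above the rewritten `return` in the `@@ -2286` hunk. I would add `// -- the current user is a site administrator (repo admin or member of GROUP_SITE_ADMINISTRATORS)` to both lists. Since the work that follows runs as the system user, logging the real user name when this path is taken would keep membership changes attributable. The method body continues outside the hunk.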
@@ -2268,9 +2275,9 @@ public class SiteServiceImpl extends AbstractLifecycleBean implements SiteServic final NodeRef siteNodeRef = getSiteNodeRef(shortName); if (siteNodeRef == null) { - throw new SiteDoesNotExistException(shortName); + throw new SiteDoesNotExistException(shortName); } - + // Get the user's current role final String currentRole = getMembersRole(shortName, authorityName); @@ -2286,11 +2293,11 @@ public class SiteServiceImpl extends AbstractLifecycleBean implements SiteServic // -- the member does not already have permissions // ... then we can set the permissions as system user final String currentUserName = AuthenticationUtil.getFullyAuthenticatedUser(); - return((permissionService.hasPermission(siteNodeRef, PermissionService.CHANGE_PERMISSIONS) == AccessStatus.ALLOWED) || - (SiteVisibility.PUBLIC.equals(visibility) && - role.equals(SiteModel.SITE_CONSUMER) && - authorityName.equals(currentUserName) && - currentRole == null)); + return (isSiteAdmin(currentUserName) + || (permissionService.hasPermission(siteNodeRef, PermissionService.CHANGE_PERMISSIONS) == AccessStatus.ALLOWED) + || (SiteVisibility.PUBLIC.equals(visibility) + && role.equals(SiteModel.SITE_CONSUMER) + && authorityName.equals(currentUserName) && currentRole == null)); } /** @@ -2966,5 +2973,19 @@ public class SiteServiceImpl extends AbstractLifecycleBean implements SiteServic this.permissionService.setInheritParentPermissions(containerNodeRef, false); } + + /** + * {@inheritDoc} + */ + public boolean isSiteAdmin(String userName) + { + if (userName == null) + { + return false; + } + return this.authorityService.isAdminAuthority(userName) + || this.authorityService.getAuthoritiesForUser(userName).contains( + GROUP_SITE_ADMINISTRATORS_AUTHORITY); + } } diff --git a/source/java/org/alfresco/service/cmr/site/SiteService.java b/source/java/org/alfresco/service/cmr/site/SiteService.java index a40b492ff4..598f5a0d60 100644 --- a/source/java/org/alfresco/service/cmr/site/SiteService.java 
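Review bot: `isSiteAdmin` in the `@@ -2966` hunk gives cross-site rights to anyone holding the authority `GROUP_SITE_ADMINISTRATORS`, but nothing in this patch creates or protects that group. If it is not bootstrapped elsewhere, the privileged set is defined by whoever can create or edit a group with the short name `SITE_ADMINISTRATORS`, so the Javadoc on the constant should state that managing this group must stay restricted to repository administrators. The method also implements the new interface method without `@Override`, which would let the compiler catch a later signature drift. `getAuthoritiesForUser(userName)` is now reached from `getSiteNodeRef` and both membership checks, so the cost of resolving the full authority set on each call is worth measuring.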
+++ b/source/java/org/alfresco/service/cmr/site/SiteService.java @@ -510,4 +510,15 @@ public interface SiteService @NotAuditable int countAuthoritiesWithRole(String shortName, String role); + + /** + * Indicates whether the specified user is a site administrator or not. + *

+ * Note: The super/repo admin is considered to be a site administrator too. + * + * @param userName The user name + * @return true if the specified user is a 'site administrator', false otherwise + */ + @NotAuditable + boolean isSiteAdmin(String userName); }
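Review bot: The Javadoc for `isSiteAdmin` does not say what a `null` user name returns or which group confers the role, although the implementation in this patch returns `false` for `null` and tests membership of `GROUP_SITE_ADMINISTRATORS`. I would change the parameter line to `@param userName The user name; may be null, in which case false is returned` and name the group in the description. It should also state that the answer is for the named user and not for the caller, since the method is exposed with `ACL_ALLOW` in the security context.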