Merged HEAD-BUG-FIX (4.3/Cloud) to HEAD (4.3/Cloud)

64416: Merged WAT1 (4.3/Cloud) to HEAD-BUG-FIX (4.3/Cloud)
      61735: ACE-493: Made Sites Public REST API Get method callable by Admins or by users that are made members of the new "Site Admin" group.
      ACE-503: Created a new PUT method in Sites Public REST API, such that it is possible to modify the visibility of a site.
      ACE-511: Created a new DELETE method in Sites Public REST API, such that it is possible to delete a site.


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@64562 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

config/alfresco/public-services-security-context.xml

@@ -1003,6 +1003,7 @@
                org.alfresco.service.cmr.site.SiteService.setMembership=ACL_ALLOW
                org.alfresco.service.cmr.site.SiteService.updateSite=ACL_ALLOW
                org.alfresco.service.cmr.site.SiteService.countAuthoritiesWithRole=ACL_ALLOW
+               org.alfresco.service.cmr.site.SiteService.isSiteAdmin=ACL_ALLOW
                org.alfresco.service.cmr.site.SiteService.*=ACL_DENY
             </value>
         </property>

source/java/org/alfresco/repo/site/SiteServiceImpl.java

@@ -132,6 +132,12 @@ public class SiteServiceImpl extends AbstractLifecycleBean implements SiteServic
     private static final int GROUP_PREFIX_LENGTH = PermissionService.GROUP_PREFIX.length();
     private static final int GROUP_SITE_PREFIX_LENGTH = GROUP_SITE_PREFIX.length();
     
+    /**
+     * The authority that needs to contain the users who are allowed to administer the site.
+     */
+    private static final String SITE_ADMINISTRATORS_AUTHORITY = "SITE_ADMINISTRATORS";
+    private static final String GROUP_SITE_ADMINISTRATORS_AUTHORITY = PermissionService.GROUP_PREFIX + SITE_ADMINISTRATORS_AUTHORITY;
+    
     // note: caches are tenant-aware (if using EhCacheAdapter shared cache)
     
     private SimpleCache<String, Object> singletonCache; // eg. for siteHomeNodeRef
@@ -1338,8 +1344,9 @@ public class SiteServiceImpl extends AbstractLifecycleBean implements SiteServic
         if (enforcePermissions)
         {
             return siteNodeRef == null
-                    || !this.permissionService.hasPermission(siteNodeRef, PermissionService.READ_PROPERTIES).equals(
+                        || !(this.permissionService.hasPermission(siteNodeRef,
-                            AccessStatus.ALLOWED) ? null : siteNodeRef;
+                                    PermissionService.READ_PROPERTIES).equals(AccessStatus.ALLOWED) || isSiteAdmin(AuthenticationUtil
+                                    .getFullyAuthenticatedUser())) ? null : siteNodeRef;
         }
         else
         {
@@ -2213,7 +2220,7 @@ public class SiteServiceImpl extends AbstractLifecycleBean implements SiteServic
             // -- the current user has change permissions rights on the site
             // or
             // -- the user is ourselves
-            if ((currentUserName.equals(authorityName) == true) ||
+            if ((currentUserName.equals(authorityName) == true) || isSiteAdmin(currentUserName) ||
                 (permissionService.hasPermission(siteNodeRef, PermissionService.CHANGE_PERMISSIONS) == AccessStatus.ALLOWED))
             {
                 // Run as system user
@@ -2268,7 +2275,7 @@ public class SiteServiceImpl extends AbstractLifecycleBean implements SiteServic
         final NodeRef siteNodeRef = getSiteNodeRef(shortName);
         if (siteNodeRef == null)
         {
-           throw new SiteDoesNotExistException(shortName);
+            throw new SiteDoesNotExistException(shortName);
         }
 
         // Get the user's current role
@@ -2286,11 +2293,11 @@ public class SiteServiceImpl extends AbstractLifecycleBean implements SiteServic
         // -- the member does not already have permissions
         // ... then we can set the permissions as system user
         final String currentUserName = AuthenticationUtil.getFullyAuthenticatedUser();
-        return((permissionService.hasPermission(siteNodeRef, PermissionService.CHANGE_PERMISSIONS) == AccessStatus.ALLOWED) || 
+        return (isSiteAdmin(currentUserName)
-            (SiteVisibility.PUBLIC.equals(visibility) &&
+                    || (permissionService.hasPermission(siteNodeRef, PermissionService.CHANGE_PERMISSIONS) == AccessStatus.ALLOWED)
-             role.equals(SiteModel.SITE_CONSUMER) &&
+                    || (SiteVisibility.PUBLIC.equals(visibility)
-             authorityName.equals(currentUserName) &&
+                    && role.equals(SiteModel.SITE_CONSUMER)
-             currentRole == null));
+                    && authorityName.equals(currentUserName) && currentRole == null));
     }
     
     /**
@@ -2967,4 +2974,18 @@ public class SiteServiceImpl extends AbstractLifecycleBean implements SiteServic
         this.permissionService.setInheritParentPermissions(containerNodeRef, false);
     }
     
+    /**
+     * {@inheritDoc}
+     */
+    public boolean isSiteAdmin(String userName)
+    {
+        if (userName == null)
+        {
+            return false;
+        }
+        return this.authorityService.isAdminAuthority(userName)
+                    || this.authorityService.getAuthoritiesForUser(userName).contains(
+                                GROUP_SITE_ADMINISTRATORS_AUTHORITY);
+    }
+
 }

source/java/org/alfresco/service/cmr/site/SiteService.java

@@ -510,4 +510,15 @@ public interface SiteService
 
     @NotAuditable
     int countAuthoritiesWithRole(String shortName, String role);
+    
+    /**
+     * Indicates whether the specified user is a site administrator or not.
+     * <p>
+     * Note: The super/repo admin is considered to be a site administrator too.
+     * 
+     * @param userName The user name
+     * @return true if the specified user is a 'site administrator', false otherwise
+     */
+    @NotAuditable
+    boolean isSiteAdmin(String userName);
 }