Merged HEAD (5.2) to 5.2.N (5.2.1)

126486 jkaabimofrad: Merged FILE-FOLDER-API (5.2.0) to HEAD (5.2) 122626 jvonka: Nodes (FileFolder) API - add "permanent" option to delete node (to optionally bypass archive/trashcan) - follow-on such that user cannot delete permanently (even with delete permission) unless they're owner or admin of node (for hierarchy, only checks parent folder node) RA-837, RA-642 git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.2.N/root@126830 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-14 17:58:59 +00:00 · 2016-05-11 11:42:25 +00:00
parent a489a4708e
commit 22f901e0dd
3 changed files with 97 additions and 28 deletions
--- a/source/java/org/alfresco/rest/api/impl/NodesImpl.java
+++ b/source/java/org/alfresco/rest/api/impl/NodesImpl.java
@@ -49,6 +49,7 @@ import org.alfresco.repo.content.ContentLimitViolationException;
 import org.alfresco.repo.model.Repository;
 import org.alfresco.repo.model.filefolder.FileFolderServiceImpl;
 import org.alfresco.repo.node.getchildren.GetChildrenCannedQuery;
+import org.alfresco.repo.security.authentication.AuthenticationUtil;
 import org.alfresco.repo.security.permissions.AccessDeniedException;
 import org.alfresco.rest.antlr.WhereClauseParser;
 import org.alfresco.rest.api.Nodes;
@@ -104,6 +105,8 @@ import org.alfresco.service.cmr.repository.Path;
 import org.alfresco.service.cmr.repository.Path.Element;
 import org.alfresco.service.cmr.repository.StoreRef;
 import org.alfresco.service.cmr.security.AccessStatus;
+import org.alfresco.service.cmr.security.AuthorityService;
+import org.alfresco.service.cmr.security.OwnableService;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.cmr.usage.ContentQuotaException;
@@ -161,6 +164,8 @@ public class NodesImpl implements Nodes
    private ActionService actionService;
    private VersionService versionService;
    private PersonService personService;
+    private OwnableService ownableService;
+    private AuthorityService authorityService;

    // note: circular - Nodes/QuickShareLinks currently use each other (albeit for different methods)
    private QuickShareLinks quickShareLinks;
@@ -191,6 +196,8 @@ public class NodesImpl implements Nodes
        this.actionService = sr.getActionService();
        this.versionService = sr.getVersionService();
        this.personService = sr.getPersonService();
+        this.ownableService = sr.getOwnableService();
+        this.authorityService = sr.getAuthorityService();

        if (defaultIgnoreTypesAndAspects != null)
        {
@@ -1144,6 +1151,17 @@ public class NodesImpl implements Nodes

        if (permanentDelete == true)
        {
+            boolean isAdmin = authorityService.hasAdminAuthority();
+            if (! isAdmin)
+            {
+                String owner = ownableService.getOwner(nodeRef);
+                if (! AuthenticationUtil.getRunAsUser().equals(owner))
+                {
+                    // non-owner/non-admin cannot permanently delete (even if they have delete permission)
+                    throw new PermissionDeniedException("Non-owner/non-admin cannot permanently delete: " + nodeId);
+                }
+            }
+
            // Set as temporary to delete node instead of archiving.
            nodeService.addAspect(nodeRef, ContentModel.ASPECT_TEMPORARY, null);
        }