diff --git a/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/capability/policy/AssocPolicy.java b/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/capability/policy/AssocPolicy.java
index e22a04afd0..3ec8a3f0a6 100644
--- a/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/capability/policy/AssocPolicy.java
+++ b/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/capability/policy/AssocPolicy.java
@@ -27,8 +27,12 @@
package org.alfresco.module.org_alfresco_module_rm.capability.policy;
+import net.sf.acegisecurity.vote.AccessDecisionVoter;
import org.alfresco.module.org_alfresco_module_rm.capability.impl.ViewRecordsCapability;
+import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel;
import org.alfresco.service.cmr.repository.NodeRef;
+import org.alfresco.service.cmr.security.AccessStatus;
+import org.alfresco.service.cmr.security.PermissionService;
import org.aopalliance.intercept.MethodInvocation;
public class AssocPolicy extends AbstractBasePolicy
@@ -40,8 +44,48 @@ public class AssocPolicy extends AbstractBasePolicy
Class[] params,
ConfigAttributeDefinition cad)
{
- NodeRef testNodeRef = getTestNode(invocation, params, cad.getParameters().get(0), cad.isParent());
- return getCapabilityService().getCapability(ViewRecordsCapability.NAME).evaluate(testNodeRef);
+ NodeRef source = null;
+ if (cad.getParameters().get(0) > -1)
+ {
+ source = getTestNode(invocation, params, cad.getParameters().get(0), cad.isParent());
+ }
+
+ NodeRef target = null;
+ if (cad.getParameters().get(1) > -1)
+ {
+ target = getTestNode(invocation, params, cad.getParameters().get(1), cad.isParent());
+ }
+
+ if (source != null && target != null)
+ {
+ // check the source node ref is a file plan component
+ if (nodeService.hasAspect(source, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT))
+ {
+ return getCapabilityService().getCapability(ViewRecordsCapability.NAME).evaluate(source);
+ }
+ else
+ {
+ final boolean isFilePlanComponent = nodeService.hasAspect(target, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT);
+ final boolean hasViewRecordCapability = getCapabilityService().hasCapability(target, ViewRecordsCapability.NAME);
+ // allow association between a source non rm node and an rm node if the user
+ // has ViewRecordsCapability on the RM target node and write properties on the dm node
+ if ( isFilePlanComponent &&
+ hasViewRecordCapability &&
+ permissionService.hasPermission(source, PermissionService.WRITE_PROPERTIES).equals(AccessStatus.ALLOWED))
+ {
+ return AccessDecisionVoter.ACCESS_GRANTED;
+ }
+ else
+ {
+ return AccessDecisionVoter.ACCESS_DENIED;
+ }
+ }
+ }
+ else
+ {
+ return AccessDecisionVoter.ACCESS_DENIED;
+ }
}
}
+
diff --git a/rm-community/rm-community-repo/test/java/org/alfresco/module/org_alfresco_module_rm/test/integration/record/DownloadAsZipRecordTest.java b/rm-community/rm-community-repo/test/java/org/alfresco/module/org_alfresco_module_rm/test/integration/record/DownloadAsZipRecordTest.java
new file mode 100644
index 0000000000..adf592188b
--- /dev/null
+++ b/rm-community/rm-community-repo/test/java/org/alfresco/module/org_alfresco_module_rm/test/integration/record/DownloadAsZipRecordTest.java
@@ -0,0 +1,143 @@
+/*
+ * #%L
+ * Alfresco Records Management Module
+ * %%
+ * Copyright (C) 2005 - 2020 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * -
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail. Otherwise, the software is
+ * provided under the following open source license terms:
+ * -
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * -
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ * -
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see .
+ * #L%
+ */
+
+package org.alfresco.module.org_alfresco_module_rm.test.integration.record;
+
+import net.sf.acegisecurity.Authentication;
+import org.alfresco.module.org_alfresco_module_rm.test.util.BaseRMTestCase;
+import org.alfresco.repo.security.authentication.AuthenticationUtil;
+import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
+import org.alfresco.repo.security.permissions.AccessDeniedException;
+import org.alfresco.service.cmr.download.DownloadService;
+import org.alfresco.service.cmr.repository.NodeRef;
+import org.alfresco.util.GUID;
+
+/**
+ * Download as zip record test.
+ * Tests for MNT-21292
+ * @author Rodica Sutu
+ * @since 3.2.0.1
+ */
+public class DownloadAsZipRecordTest extends BaseRMTestCase
+{
+ private DownloadService downloadService;
+
+ @Override
+ protected boolean isCollaborationSiteTest()
+ {
+ return true;
+ }
+
+ /**
+ * @see BaseRMTestCase#initServices()
+ */
+ @Override
+ protected void initServices()
+ {
+ super.initServices();
+ downloadService = (DownloadService) applicationContext.getBean("DownloadService");
+ }
+
+ /**
+ * Given a record and a user without view record capability
+ * When the user downloads the record
+ * Then Access Denied exception is thrown
+ */
+ public void testDownloadRecordUserNoReadCapability()
+ {
+
+ doBehaviourDrivenTest(new BehaviourDrivenTest(AccessDeniedException.class)
+ {
+ /** user with no view record capability */
+ String userDownload;
+ Authentication previousAuthentication;
+
+ public void given()
+ {
+ // create an inplace record
+ AuthenticationUtil.runAs((RunAsWork) () -> {
+ recordService.createRecord(filePlan, dmDocument);
+ return null;
+ }, AuthenticationUtil.getAdminUserName());
+ // create user
+ userDownload = GUID.generate();
+ createPerson(userDownload);
+ }
+
+ public void when()
+ {
+ previousAuthentication = AuthenticationUtil.getFullAuthentication();
+ AuthenticationUtil.setFullyAuthenticatedUser(userDownload);
+ downloadService.createDownload(new NodeRef[] { dmDocument }, true);
+ }
+
+ public void after()
+ {
+ AuthenticationUtil.setFullAuthentication(previousAuthentication);
+ personService.deletePerson(userDownload);
+ }
+ });
+ }
+
+ /**
+ * Given a record and a user with view record capability
+ * When the user downloads the record
+ * Then download node is created
+ */
+ public void testDownloadRecordUserWithReadCapability()
+ {
+ doBehaviourDrivenTest(new BehaviourDrivenTest()
+ {
+ NodeRef downloadStorageNode;
+
+ public void given()
+ {
+ // Create an inplace record
+ AuthenticationUtil.runAs((RunAsWork) () -> {
+ // Declare record
+ recordService.createRecord(filePlan, dmDocument);
+ return null;
+ }, dmCollaborator);
+ }
+
+ public void when()
+ {
+ Authentication previousAuthentication = AuthenticationUtil.getFullAuthentication();
+ AuthenticationUtil.setFullyAuthenticatedUser(dmCollaborator);
+ // request to download the record
+ downloadStorageNode = downloadService.createDownload(new NodeRef[] { dmDocument }, true);
+ AuthenticationUtil.setFullAuthentication(previousAuthentication);
+ }
+
+ public void then()
+ {
+ // check the download storage node is created
+ assertTrue(nodeService.exists(downloadStorageNode));
+ }
+ });
+ }
+}