From 28b9fab6aa87e173d356f4e81a383f0b6fa4ca25 Mon Sep 17 00:00:00 2001 From: David Caruana Date: Wed, 31 Mar 2010 14:07:50 +0000 Subject: [PATCH] Fix ALF-2287: getChangeLog should only be available to admins - lock down AtomPub and Web Service getContentChanges() git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@19697 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- config/alfresco/cmis-ws-context.xml | 1 + .../webscripts/org/alfresco/cmis/changes.get.desc.xml | 2 +- .../org/alfresco/repo/cmis/ws/DMAbstractServicePort.java | 7 +++++++ .../org/alfresco/repo/cmis/ws/DMDiscoveryServicePort.java | 6 ++++++ 4 files changed, 15 insertions(+), 1 deletion(-) diff --git a/config/alfresco/cmis-ws-context.xml b/config/alfresco/cmis-ws-context.xml index 19435d3d8d..7db644b6dd 100644 --- a/config/alfresco/cmis-ws-context.xml +++ b/config/alfresco/cmis-ws-context.xml @@ -351,6 +351,7 @@ + diff --git a/config/alfresco/templates/webscripts/org/alfresco/cmis/changes.get.desc.xml b/config/alfresco/templates/webscripts/org/alfresco/cmis/changes.get.desc.xml index 4fe2a65ab2..78a639397a 100644 --- a/config/alfresco/templates/webscripts/org/alfresco/cmis/changes.get.desc.xml +++ b/config/alfresco/templates/webscripts/org/alfresco/cmis/changes.get.desc.xml @@ -33,7 +33,7 @@ - guest + admin CMIS public_api diff --git a/source/java/org/alfresco/repo/cmis/ws/DMAbstractServicePort.java b/source/java/org/alfresco/repo/cmis/ws/DMAbstractServicePort.java index ba1700bafe..18593cc805 100644 --- a/source/java/org/alfresco/repo/cmis/ws/DMAbstractServicePort.java +++ b/source/java/org/alfresco/repo/cmis/ws/DMAbstractServicePort.java 
@@ -65,6 +65,7 @@ import org.alfresco.service.cmr.repository.AssociationRef;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.repository.NodeService;
 import org.alfresco.service.cmr.search.SearchService;
+import org.alfresco.service.cmr.security.AuthorityService;
 import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.cmr.version.Version;
 import org.alfresco.service.descriptor.DescriptorService;
@@ -132,6 +133,7 @@ public class DMAbstractServicePort
 protected SearchService searchService;
 protected PropertyUtil propertiesUtil;
 protected PermissionService permissionService;
+ protected AuthorityService authorityService;

 public void setCmisService(CMISServices cmisService)
 {
@@ -188,6 +190,11 @@ public class DMAbstractServicePort
 this.permissionService = permissionService;
 }

+ public void setAuthorityService(AuthorityService authorityService)
+ {
+ this.authorityService = authorityService;
+ }
+
 protected PropertyFilter createPropertyFilter(String filter) throws CmisException
 {
 try
diff --git a/source/java/org/alfresco/repo/cmis/ws/DMDiscoveryServicePort.java b/source/java/org/alfresco/repo/cmis/ws/DMDiscoveryServicePort.java
index 6593e07f2c..41c8e7b1cb 100644
--- a/source/java/org/alfresco/repo/cmis/ws/DMDiscoveryServicePort.java
+++ b/source/java/org/alfresco/repo/cmis/ws/DMDiscoveryServicePort.java
@@ -40,6 +40,7 @@ import org.alfresco.cmis.CMISResultSetRow;
 import org.alfresco.cmis.CMISServiceException;
 import org.alfresco.cmis.PropertyFilter;
 import org.alfresco.repo.cmis.ws.utils.ExceptionUtil;
+import org.alfresco.repo.security.permissions.AccessDeniedException;
 import org.alfresco.service.cmr.repository.NodeRef;

 /**
@@ -172,6 +173,11 @@ public class DMDiscoveryServicePort extends DMAbstractServicePort implements Dis
 public void getContentChanges(String repositoryId, Holder changeLogToken, Boolean includeProperties, String filter, Boolean includePolicyIds, Boolean includeACL, BigInteger maxItems, CmisExtensionType extension, Holder objects) throws CmisException
 {
+ if (!authorityService.hasAdminAuthority())
+ {
+ throw ExceptionUtil.createCmisException("Cannot retrieve content changes", new AccessDeniedException("Requires admin authority"));
+ }
+
 // TODO: includePolicyIds
 checkRepositoryId(repositoryId);
 String changeToken = (null != changeLogToken) ? (changeLogToken.value) : (null);
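Review bot: The admin check added at the top of `getContentChanges` guards only this SOAP port, while the AtomPub side is locked down separately in `changes.get.desc.xml`, so the restriction lives in two binding-layer places rather than on the change-log service that both presumably call. Any other caller of that service (a later binding or in-process code) would not pass through either check; if the service bean is not already protected, enforcing admin authority there would give both bindings one rule to inherit. It is also worth confirming that `ExceptionUtil.createCmisException` maps an `AccessDeniedException` cause to the CMIS permissionDenied fault rather than a generic runtime fault, since the mapping is not visible in this hunk and clients treat the two differently. A short comment above the check would record the intent, for example `// ALF-2287: change log is admin-only; keep in sync with changes.get.desc.xml`. The method body continues past the end of the hunk.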