mirror of
https://github.com/Alfresco/alfresco-community-repo.git
synced 2025-07-31 17:39:05 +00:00
Fix/repo 2880 move to perm fix (#18)
* REPO-2880: MNT-18014 Site Managers cannot view content of folders with inheritance off after a Move Operation * REPO-2880: fix compilation error, add missing import
This commit is contained in:
Andrei Rebegea
GitHub
@@ -31,6 +31,7 @@ import org.alfresco.repo.domain.node.NodeDAO;
|
||||
import org.alfresco.repo.domain.node.NodeIdAndAclId;
|
||||
import org.alfresco.repo.domain.permissions.Acl;
|
||||
import org.alfresco.repo.domain.permissions.AclDAO;
|
||||
import org.alfresco.repo.security.authentication.AuthenticationUtil;
|
||||
import org.alfresco.repo.security.permissions.ACLType;
|
||||
import org.alfresco.repo.security.permissions.AccessControlEntry;
|
||||
import org.alfresco.repo.security.permissions.AccessControlList;
|
||||
@@ -99,62 +100,70 @@ public class SitesPermissionCleaner
|
||||
|
||||
public void cleanSitePermissions(final NodeRef targetNode, SiteInfo containingSite)
|
||||
{
|
||||
if (nodeDAO.exists(targetNode))
|
||||
if (!nodeDAO.exists(targetNode))
|
||||
{
|
||||
// We can calculate the containing site at the start of a recursive call & then reuse it on subsequent calls.
|
||||
if (containingSite == null)
|
||||
{
|
||||
containingSite = siteServiceImpl.getSite(targetNode);
|
||||
}
|
||||
return;
|
||||
}
|
||||
// We can calculate the containing site at the start of a recursive call & then reuse it on subsequent calls.
|
||||
if (containingSite == null)
|
||||
{
|
||||
containingSite = siteServiceImpl.getSite(targetNode);
|
||||
}
|
||||
|
||||
// Short-circuit at this point if the node is not in a Site.
|
||||
if (containingSite != null)
|
||||
{
|
||||
// For performance reasons we navigate down the containment hierarchy using the DAOs
|
||||
// rather than the NodeService. Note: direct use of NodeDAO requires tenantService (ALF-12732).
|
||||
final Long targetNodeID = nodeDAO.getNodePair(tenantService.getName(targetNode)).getFirst();
|
||||
final Long targetNodeAclID = nodeDAO.getNodeAclId(targetNodeID);
|
||||
Acl targetNodeAcl = aclDAO.getAcl(targetNodeAclID);
|
||||
// Short-circuit at this point if the node is not in a Site.
|
||||
if (containingSite == null)
|
||||
{
|
||||
return;
|
||||
}
|
||||
// For performance reasons we navigate down the containment hierarchy using the DAOs
|
||||
// rather than the NodeService. Note: direct use of NodeDAO requires tenantService (ALF-12732).
|
||||
final Long targetNodeID = nodeDAO.getNodePair(tenantService.getName(targetNode)).getFirst();
|
||||
final Long targetNodeAclID = nodeDAO.getNodeAclId(targetNodeID);
|
||||
Acl targetNodeAcl = aclDAO.getAcl(targetNodeAclID);
|
||||
|
||||
// Nodes that don't have defining ACLs do not need to be considered.
|
||||
if (targetNodeAcl.getAclType() == ACLType.DEFINING)
|
||||
// Nodes that don't have defining ACLs do not need to be considered.
|
||||
if (targetNodeAcl.getAclType() == ACLType.DEFINING)
|
||||
{
|
||||
AccessControlList targetNodeAccessControlList = aclDAO.getAccessControlList(targetNodeAclID);
|
||||
List<AccessControlEntry> targetNodeAclEntries = targetNodeAccessControlList.getEntries();
|
||||
for (AccessControlEntry entry : targetNodeAclEntries)
|
||||
{
|
||||
String authority = entry.getAuthority();
|
||||
|
||||
String thisSiteGroupPrefix = siteServiceImpl.getSiteGroup(containingSite.getShortName(), true);
|
||||
|
||||
// If it's a group site permission for a site other than the current site
|
||||
if (authority.startsWith(PermissionService.GROUP_PREFIX) &&
|
||||
// And it's not GROUP_EVERYONE
|
||||
!authority.startsWith(PermissionService.ALL_AUTHORITIES) && !authority.startsWith(thisSiteGroupPrefix) &&
|
||||
// And if the current user has permissions to do it
|
||||
publicServiceAccessService.hasAccess("PermissionService", "clearPermission", targetNode, authority) == AccessStatus.ALLOWED)
|
||||
{
|
||||
AccessControlList targetNodeAccessControlList = aclDAO.getAccessControlList(targetNodeAclID);
|
||||
List<AccessControlEntry> targetNodeAclEntries = targetNodeAccessControlList.getEntries();
|
||||
for (AccessControlEntry entry : targetNodeAclEntries)
|
||||
{
|
||||
String authority = entry.getAuthority();
|
||||
|
||||
String thisSiteGroupPrefix = siteServiceImpl.getSiteGroup(containingSite.getShortName(), true);
|
||||
|
||||
// If it's a group site permission for a site other than the current site
|
||||
if (authority.startsWith(PermissionService.GROUP_PREFIX) &&
|
||||
!authority.startsWith(PermissionService.ALL_AUTHORITIES) && // And it's not GROUP_EVERYONE
|
||||
!authority.startsWith(thisSiteGroupPrefix))
|
||||
{
|
||||
// And if the current user has permissions to do it
|
||||
if (publicServiceAccessService.hasAccess("PermissionService", "clearPermission", targetNode, authority) == AccessStatus.ALLOWED)
|
||||
{
|
||||
// Then remove it.
|
||||
permissionService.clearPermission(targetNode, authority);
|
||||
}
|
||||
if (publicServiceAccessService.hasAccess("PermissionService", "setInheritParentPermissions", targetNode, true) == AccessStatus.ALLOWED)
|
||||
{
|
||||
// And reenable permission inheritance.
|
||||
permissionService.setInheritParentPermissions(targetNode, true);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
// Then remove it.
|
||||
permissionService.clearPermission(targetNode, authority);
|
||||
}
|
||||
|
||||
// Recurse
|
||||
List<NodeIdAndAclId> childNodeIds = nodeDAO.getPrimaryChildrenAcls(targetNodeID);
|
||||
for (NodeIdAndAclId nextChild : childNodeIds)
|
||||
if (!permissionService.getInheritParentPermissions(targetNode))
|
||||
{
|
||||
cleanSitePermissions(nodeDAO.getNodePair(nextChild.getId()).getSecond(), containingSite);
|
||||
// The site manager from the new site, where this node was moved to, has to have permission to this node
|
||||
String siteManagerAuthority = thisSiteGroupPrefix + "_" + SiteModel.SITE_MANAGER;
|
||||
AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<Void>()
|
||||
{
|
||||
public Void doWork() throws Exception
|
||||
{
|
||||
permissionService.setPermission(targetNode, siteManagerAuthority, SiteModel.SITE_MANAGER, true);
|
||||
return null;
|
||||
}
|
||||
}, AuthenticationUtil.getSystemUserName());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Recurse
|
||||
List<NodeIdAndAclId> childNodeIds = nodeDAO.getPrimaryChildrenAcls(targetNodeID);
|
||||
for (NodeIdAndAclId nextChild : childNodeIds)
|
||||
{
|
||||
cleanSitePermissions(nodeDAO.getNodePair(nextChild.getId()).getSecond(), containingSite);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -64,6 +64,7 @@ import org.alfresco.service.cmr.dictionary.DictionaryService;
|
||||
import org.alfresco.service.cmr.dictionary.TypeDefinition;
|
||||
import org.alfresco.service.cmr.model.FileFolderService;
|
||||
import org.alfresco.service.cmr.model.FileInfo;
|
||||
import org.alfresco.service.cmr.repository.ChildAssociationRef;
|
||||
import org.alfresco.service.cmr.repository.ContentService;
|
||||
import org.alfresco.service.cmr.repository.ContentWriter;
|
||||
import org.alfresco.service.cmr.repository.CopyService;
|
||||
@@ -91,7 +92,6 @@ import org.alfresco.test_category.BaseSpringTestsCategory;
|
||||
import org.alfresco.util.ApplicationContextHelper;
|
||||
import org.alfresco.util.BaseAlfrescoSpringTest;
|
||||
import org.alfresco.util.GUID;
|
||||
import org.alfresco.util.PropertyMap;
|
||||
import org.junit.experimental.categories.Category;
|
||||
import org.springframework.extensions.surf.util.I18NUtil;
|
||||
|
||||
@@ -1168,6 +1168,114 @@ public class SiteServiceImplTest extends BaseAlfrescoSpringTest
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* This is an integration test for MNT-18014
|
||||
*/
|
||||
public void testMoveFolderStructureWithNonInheritedPermission()
|
||||
{
|
||||
//Login to share as the admin user
|
||||
AuthenticationUtil.setAdminUserAsFullyAuthenticatedUser();
|
||||
|
||||
// Create 2 sites test1, test2 as admin
|
||||
String test1SiteShortName = "test1" + GUID.generate();
|
||||
String test2SiteShortName = "test2" + GUID.generate();
|
||||
createSite(test1SiteShortName, SiteService.DOCUMENT_LIBRARY, SiteVisibility.PUBLIC);
|
||||
createSite(test2SiteShortName, SiteService.DOCUMENT_LIBRARY, SiteVisibility.PUBLIC);
|
||||
|
||||
SiteInfo test1SiteInfo = this.siteService.getSite(test1SiteShortName);
|
||||
assertNotNull(test1SiteInfo);
|
||||
SiteInfo test2SiteInfo = this.siteService.getSite(test2SiteShortName);
|
||||
assertNotNull(test2SiteInfo);
|
||||
|
||||
// add user1 (USER_ONE) and user2 (USER_TWO) as managers on test1 site (test1SiteInfo)
|
||||
siteService.setMembership(test1SiteShortName, USER_ONE, SiteModel.SITE_MANAGER);
|
||||
siteService.setMembership(test1SiteShortName, USER_TWO, SiteModel.SITE_MANAGER);
|
||||
|
||||
// Give manager role to user1 to test2
|
||||
siteService.setMembership(test2SiteShortName, USER_ONE, SiteModel.SITE_MANAGER);
|
||||
|
||||
// Log in as user2
|
||||
AuthenticationUtil.setFullyAuthenticatedUser(USER_TWO);
|
||||
|
||||
// In document library of test1, create fol1 containing fol2 containing fol3
|
||||
NodeRef documentLibraryTest1Site = siteService.getContainer(test1SiteShortName, SiteService.DOCUMENT_LIBRARY);
|
||||
assertNotNull(documentLibraryTest1Site);
|
||||
NodeRef fol1 = this.fileFolderService.create(documentLibraryTest1Site, "fol1-" + GUID.generate(), ContentModel.TYPE_FOLDER).getNodeRef();
|
||||
NodeRef fol2 = this.fileFolderService.create(fol1, "fol2-" + GUID.generate(), ContentModel.TYPE_FOLDER).getNodeRef();
|
||||
NodeRef fol3 = this.fileFolderService.create(fol2, "fol3-" + GUID.generate(), ContentModel.TYPE_FOLDER).getNodeRef();
|
||||
|
||||
// Cut inheritance on fol2
|
||||
permissionService.setInheritParentPermissions(fol2, false);
|
||||
|
||||
// this is what happens when called from Share : permissions.post:
|
||||
// var siteManagerAuthority = "GROUP_site_" + location.site + "_SiteManager";
|
||||
// // Insure Site Managers can still manage content.
|
||||
// node.setPermission("SiteManager", siteManagerAuthority);
|
||||
String test1SiteGroupPrefix = siteServiceImpl.getSiteGroup(test1SiteShortName, true);
|
||||
String test1SiteManagerAuthority = test1SiteGroupPrefix + "_" + SiteModel.SITE_MANAGER;
|
||||
permissionService.setPermission(fol2, test1SiteManagerAuthority, SiteModel.SITE_MANAGER, true);
|
||||
|
||||
// Log in as user1, go to site test1
|
||||
AuthenticationUtil.setFullyAuthenticatedUser(USER_ONE);
|
||||
|
||||
// Check that user1 can see fol1 fol2 fol3
|
||||
List<ChildAssociationRef> childAssocs = nodeService.getChildAssocs(documentLibraryTest1Site);
|
||||
assertEquals("Size should be 1", 1, childAssocs.size());
|
||||
assertTrue("Folder name should start with fol1", getFirstName(childAssocs).startsWith("fol1"));
|
||||
childAssocs = nodeService.getChildAssocs(childAssocs.get(0).getChildRef());
|
||||
assertEquals("Size should be 1", 1, childAssocs.size());
|
||||
assertTrue("Folder name should start with fol2", getFirstName(childAssocs).startsWith("fol2"));
|
||||
childAssocs = nodeService.getChildAssocs(childAssocs.get(0).getChildRef());
|
||||
assertEquals("Size should be 1", 1, childAssocs.size());
|
||||
assertTrue("Folder name should start with fol3", getFirstName(childAssocs).startsWith("fol3"));
|
||||
|
||||
NodeRef documentLibraryTest2Site = siteService.getContainer(test2SiteShortName, SiteService.DOCUMENT_LIBRARY);
|
||||
assertNotNull(documentLibraryTest2Site);
|
||||
childAssocs = nodeService.getChildAssocs(documentLibraryTest2Site);
|
||||
assertTrue("Folder should be empty.", childAssocs.isEmpty());
|
||||
|
||||
// Move fol1 to site test2
|
||||
ChildAssociationRef childAssociationRef = nodeService.moveNode(fol1, documentLibraryTest2Site, ContentModel.ASSOC_CONTAINS,
|
||||
QName.createQName(NamespaceService.CONTENT_MODEL_1_0_URI, GUID.generate()));
|
||||
|
||||
// This is what Share does:
|
||||
// move the node
|
||||
//result.success = fileNode.move(parent, destNode);
|
||||
//
|
||||
//if (result.success)
|
||||
//{
|
||||
// // If this was an inter-site move, we'll need to clean up the permissions on the node
|
||||
// if ((fromSite) && (String(fromSite) !== String(fileNode.siteShortName)))
|
||||
// {
|
||||
// siteService.cleanSitePermissions(fileNode);
|
||||
// }
|
||||
//}
|
||||
siteService.cleanSitePermissions(fol1, test2SiteInfo);
|
||||
|
||||
childAssocs = nodeService.getChildAssocs(documentLibraryTest1Site);
|
||||
assertTrue("test1Site document library should be empty.", childAssocs.isEmpty());
|
||||
|
||||
assertFalse("After the move the folder should keep the inherit permission value(false).",
|
||||
permissionService.getInheritParentPermissions(fol2));
|
||||
|
||||
// Go to the site test2's document library and click on fol1
|
||||
// user1 is able to see the contents of fol1
|
||||
childAssocs = nodeService.getChildAssocs(documentLibraryTest2Site);
|
||||
assertEquals("Size should be 1", 1, childAssocs.size());
|
||||
assertTrue("Folder name should start with fol1", getFirstName(childAssocs).startsWith("fol1"));
|
||||
childAssocs = nodeService.getChildAssocs(childAssocs.get(0).getChildRef());
|
||||
assertEquals("Size should be 1", 1, childAssocs.size());
|
||||
assertTrue("Folder name should start with fol2", getFirstName(childAssocs).startsWith("fol2"));
|
||||
childAssocs = nodeService.getChildAssocs(childAssocs.get(0).getChildRef());
|
||||
assertEquals("Size should be 1", 1, childAssocs.size());
|
||||
assertTrue("Folder name should start with fol3", getFirstName(childAssocs).startsWith("fol3"));
|
||||
}
|
||||
|
||||
private String getFirstName(List<ChildAssociationRef> childAssocs)
|
||||
{
|
||||
return nodeService.getProperties(childAssocs.get(0).getChildRef()).get(ContentModel.PROP_NAME).toString();
|
||||
}
|
||||
|
||||
public void testDeleteSite()
|
||||
{
|
||||
@SuppressWarnings("deprecation")
|
||||
|
||||
Reference in New Issue
Block a user