inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-07-31 17:39:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

REPO-4612 / MNT-20833: Enforce permissions checks for methods related to associations at the NodeService level (#571)

Browse Source
This commit is contained in:
Ancuta Morarasu
2019-09-05 20:06:23 +03:00
committed by GitHub
parent 7f6cdc3ce3
commit 2d6b51ee89
2 changed files with 70 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/main/resources/alfresco/public-services-security-context.xml
View File

@@ -413,12 +413,12 @@
org.alfresco.service.cmr.repository.NodeService.getChildAssocsByPropertyValue=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.ReadProperties
org.alfresco.service.cmr.repository.NodeService.getChildrenByName=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.ReadProperties
org.alfresco.service.cmr.repository.NodeService.getPrimaryParent=ACL_NODE.0.sys:base.ReadProperties
org.alfresco.service.cmr.repository.NodeService.createAssociation=ACL_ALLOW
org.alfresco.service.cmr.repository.NodeService.removeAssociation=ACL_ALLOW
org.alfresco.service.cmr.repository.NodeService.setAssociations=ACL_ALLOW
org.alfresco.service.cmr.repository.NodeService.getTargetAssocs=ACL_ALLOW
org.alfresco.service.cmr.repository.NodeService.getSourceAssocs=ACL_ALLOW
org.alfresco.service.cmr.repository.NodeService.getAssoc=ACL_ALLOW
org.alfresco.service.cmr.repository.NodeService.createAssociation=ACL_NODE.0.sys:base.WriteProperties,ACL_NODE.1.sys:base.ReadProperties
org.alfresco.service.cmr.repository.NodeService.removeAssociation=ACL_NODE.0.sys:base.DeleteNode,ACL_NODE.1.sys:base.ReadProperties
org.alfresco.service.cmr.repository.NodeService.setAssociations=ACL_NODE.0.sys:base.WriteProperties,ACL_NODE.2.sys:base.ReadProperties
org.alfresco.service.cmr.repository.NodeService.getTargetAssocs=ACL_NODE.0.sys:base.ReadProperties,AFTER_ACL_NODE.sys:base.ReadProperties
org.alfresco.service.cmr.repository.NodeService.getSourceAssocs=ACL_NODE.0.sys:base.ReadProperties,AFTER_ACL_PARENT.sys:base.ReadProperties
org.alfresco.service.cmr.repository.NodeService.getAssoc=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
org.alfresco.service.cmr.repository.NodeService.getPath=ACL_NODE.0.sys:base.ReadProperties
org.alfresco.service.cmr.repository.NodeService.getPaths=ACL_NODE.0.sys:base.ReadProperties
org.alfresco.service.cmr.repository.NodeService.getStoreArchiveNode=ACL_NODE.0.sys:base.Read

65
src/test/java/org/alfresco/repo/jscript/ScriptNodeTest.java
View File

@@ -2,7 +2,7 @@
* #%L
* Alfresco Repository
* %%
* Copyright (C) 2005 - 2017 Alfresco Software Limited
* Copyright (C) 2005 - 2019 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
@@ -28,6 +28,7 @@ package org.alfresco.repo.jscript;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.fail;
@@ -678,6 +679,68 @@ public class ScriptNodeTest
NODE_SERVICE.removeProperty(newNode2, ContentModel.PROP_CONTENT);
}
/**
* Test associations related script api, after the permissions checks have been pushed to the NodeService level (MNT-20833).
*/
@Test
public void testCreateRemoveAssociation() throws Exception
{
Repository repositoryHelper = (Repository) APP_CONTEXT_INIT.getApplicationContext().getBean("repositoryHelper");
NodeRef companyHome = repositoryHelper.getCompanyHome();
AuthenticationUtil.setFullyAuthenticatedUser(USER_ONE_NAME);
NodeRef newNode1 = testNodes.createNode(companyHome, "theTestFolder", ContentModel.TYPE_FOLDER, AuthenticationUtil.getFullyAuthenticatedUser());
NodeRef newNode2 = testNodes.createNode(companyHome, "theTestContent", ContentModel.TYPE_CONTENT, AuthenticationUtil.getFullyAuthenticatedUser());
// Give USER_TWO READ permission similar to the Consumer role
PERMISSION_SERVICE.setPermission(newNode1, USER_TWO_NAME, PermissionService.READ, true);
PERMISSION_SERVICE.setPermission(newNode2, USER_TWO_NAME, PermissionService.READ, true);
AuthenticationUtil.setFullyAuthenticatedUser(USER_TWO_NAME);
ScriptNode sourceScriptNode = SEARCH_SCRIPT.findNode(newNode1);
assertNotNull(sourceScriptNode);
ScriptNode targetScriptNode = SEARCH_SCRIPT.findNode(newNode2);
assertNotNull(targetScriptNode);
// Create associations
String assocType = "cm:contains";
try
{
sourceScriptNode.createAssociation(targetScriptNode, assocType);
fail("Creating associations without write permission on source is not allowed.");
}
catch (AccessDeniedException ade)
{
// expected
}
// Give USER_TWO WRITE permission to be able to successfully create an association from sourceScriptNode to targetScriptNode
AuthenticationUtil.setFullyAuthenticatedUser(USER_ONE_NAME);
PERMISSION_SERVICE.setPermission(newNode1, USER_TWO_NAME, PermissionService.WRITE, true);
AuthenticationUtil.setFullyAuthenticatedUser(USER_TWO_NAME);
assertTrue(sourceScriptNode.hasPermission(PermissionService.WRITE_PROPERTIES));
assertNotNull(sourceScriptNode.createAssociation(targetScriptNode, assocType));
// Remove associations
try
{
sourceScriptNode.removeAssociation(targetScriptNode, assocType);
fail("Removing associations without delete permission on source is not allowed.");
}
catch (AccessDeniedException ade)
{
// expected
}
// Give USER_TWO DELETE permission to be able to successfully remove an association from sourceScriptNode to targetScriptNode
AuthenticationUtil.setFullyAuthenticatedUser(USER_ONE_NAME);
PERMISSION_SERVICE.setPermission(newNode1, USER_TWO_NAME, PermissionService.DELETE, true);
AuthenticationUtil.setFullyAuthenticatedUser(USER_TWO_NAME);
sourceScriptNode.removeAssociation(targetScriptNode, assocType);
}
@Test
public void testCreateFolderPath()
{