From 2d6b51ee89c86c06ed88823168a45319b37e0d18 Mon Sep 17 00:00:00 2001
From: Ancuta Morarasu <ancuta.morarasu@ness.com>
Date: Thu, 5 Sep 2019 20:06:23 +0300
Subject: [PATCH] REPO-4612 / MNT-20833: Enforce permissions checks for methods
 related to associations at the NodeService level  (#571)

---
 .../public-services-security-context.xml      | 12 ++--
 .../alfresco/repo/jscript/ScriptNodeTest.java | 65 ++++++++++++++++++-
 2 files changed, 70 insertions(+), 7 deletions(-)

diff --git a/src/main/resources/alfresco/public-services-security-context.xml b/src/main/resources/alfresco/public-services-security-context.xml
index e91973e4b6..8903236ca7 100644
--- a/src/main/resources/alfresco/public-services-security-context.xml
+++ b/src/main/resources/alfresco/public-services-security-context.xml
@@ -413,12 +413,12 @@
                org.alfresco.service.cmr.repository.NodeService.getChildAssocsByPropertyValue=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.ReadProperties
                org.alfresco.service.cmr.repository.NodeService.getChildrenByName=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.ReadProperties
                org.alfresco.service.cmr.repository.NodeService.getPrimaryParent=ACL_NODE.0.sys:base.ReadProperties
-               org.alfresco.service.cmr.repository.NodeService.createAssociation=ACL_ALLOW
-               org.alfresco.service.cmr.repository.NodeService.removeAssociation=ACL_ALLOW
-               org.alfresco.service.cmr.repository.NodeService.setAssociations=ACL_ALLOW
-               org.alfresco.service.cmr.repository.NodeService.getTargetAssocs=ACL_ALLOW
-               org.alfresco.service.cmr.repository.NodeService.getSourceAssocs=ACL_ALLOW
-               org.alfresco.service.cmr.repository.NodeService.getAssoc=ACL_ALLOW
+               org.alfresco.service.cmr.repository.NodeService.createAssociation=ACL_NODE.0.sys:base.WriteProperties,ACL_NODE.1.sys:base.ReadProperties
+               org.alfresco.service.cmr.repository.NodeService.removeAssociation=ACL_NODE.0.sys:base.DeleteNode,ACL_NODE.1.sys:base.ReadProperties
+               org.alfresco.service.cmr.repository.NodeService.setAssociations=ACL_NODE.0.sys:base.WriteProperties,ACL_NODE.2.sys:base.ReadProperties
+               org.alfresco.service.cmr.repository.NodeService.getTargetAssocs=ACL_NODE.0.sys:base.ReadProperties,AFTER_ACL_NODE.sys:base.ReadProperties
+               org.alfresco.service.cmr.repository.NodeService.getSourceAssocs=ACL_NODE.0.sys:base.ReadProperties,AFTER_ACL_PARENT.sys:base.ReadProperties
+               org.alfresco.service.cmr.repository.NodeService.getAssoc=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
                org.alfresco.service.cmr.repository.NodeService.getPath=ACL_NODE.0.sys:base.ReadProperties
                org.alfresco.service.cmr.repository.NodeService.getPaths=ACL_NODE.0.sys:base.ReadProperties
                org.alfresco.service.cmr.repository.NodeService.getStoreArchiveNode=ACL_NODE.0.sys:base.Read
diff --git a/src/test/java/org/alfresco/repo/jscript/ScriptNodeTest.java b/src/test/java/org/alfresco/repo/jscript/ScriptNodeTest.java
index 81a9b673a4..e90b30a1b3 100644
--- a/src/test/java/org/alfresco/repo/jscript/ScriptNodeTest.java
+++ b/src/test/java/org/alfresco/repo/jscript/ScriptNodeTest.java
@@ -2,7 +2,7 @@
  * #%L
  * Alfresco Repository
  * %%
- * Copyright (C) 2005 - 2017 Alfresco Software Limited
+ * Copyright (C) 2005 - 2019 Alfresco Software Limited
  * %%
  * This file is part of the Alfresco software. 
  * If the software was purchased under a paid Alfresco license, the terms of 
@@ -28,6 +28,7 @@ package org.alfresco.repo.jscript;
 
 
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.fail;
@@ -678,6 +679,68 @@ public class ScriptNodeTest
         NODE_SERVICE.removeProperty(newNode2, ContentModel.PROP_CONTENT);
     }
     
+    /**
+     * Test associations related script api, after the permissions checks have been pushed to the NodeService level (MNT-20833).
+     */
+    @Test 
+    public void testCreateRemoveAssociation() throws Exception
+    {
+        Repository repositoryHelper = (Repository) APP_CONTEXT_INIT.getApplicationContext().getBean("repositoryHelper");
+        NodeRef companyHome = repositoryHelper.getCompanyHome();
+
+        AuthenticationUtil.setFullyAuthenticatedUser(USER_ONE_NAME);
+        NodeRef newNode1 = testNodes.createNode(companyHome, "theTestFolder", ContentModel.TYPE_FOLDER, AuthenticationUtil.getFullyAuthenticatedUser()); 
+        NodeRef newNode2 = testNodes.createNode(companyHome, "theTestContent", ContentModel.TYPE_CONTENT, AuthenticationUtil.getFullyAuthenticatedUser()); 
+        
+        // Give USER_TWO READ permission similar to the Consumer role
+        PERMISSION_SERVICE.setPermission(newNode1, USER_TWO_NAME, PermissionService.READ, true);
+        PERMISSION_SERVICE.setPermission(newNode2, USER_TWO_NAME, PermissionService.READ, true);
+        
+        AuthenticationUtil.setFullyAuthenticatedUser(USER_TWO_NAME);
+        ScriptNode sourceScriptNode = SEARCH_SCRIPT.findNode(newNode1);
+        assertNotNull(sourceScriptNode);
+        ScriptNode targetScriptNode = SEARCH_SCRIPT.findNode(newNode2);
+        assertNotNull(targetScriptNode);
+        
+        // Create associations
+        String assocType = "cm:contains";
+        try
+        {
+            sourceScriptNode.createAssociation(targetScriptNode, assocType);
+            fail("Creating associations without write permission on source is not allowed.");
+        }
+        catch (AccessDeniedException ade)
+        {
+            // expected
+        }
+        
+        // Give USER_TWO WRITE permission to be able to successfully create an association from sourceScriptNode to targetScriptNode
+        AuthenticationUtil.setFullyAuthenticatedUser(USER_ONE_NAME);
+        PERMISSION_SERVICE.setPermission(newNode1, USER_TWO_NAME, PermissionService.WRITE, true);
+        
+        AuthenticationUtil.setFullyAuthenticatedUser(USER_TWO_NAME);
+        assertTrue(sourceScriptNode.hasPermission(PermissionService.WRITE_PROPERTIES));
+        assertNotNull(sourceScriptNode.createAssociation(targetScriptNode, assocType));
+        
+        // Remove associations
+        try
+        {
+            sourceScriptNode.removeAssociation(targetScriptNode, assocType);
+            fail("Removing associations without delete permission on source is not allowed.");
+        }
+        catch (AccessDeniedException ade)
+        {
+            // expected
+        }
+        
+        // Give USER_TWO DELETE permission to be able to successfully remove an association from sourceScriptNode to targetScriptNode
+        AuthenticationUtil.setFullyAuthenticatedUser(USER_ONE_NAME);
+        PERMISSION_SERVICE.setPermission(newNode1, USER_TWO_NAME, PermissionService.DELETE, true);
+        
+        AuthenticationUtil.setFullyAuthenticatedUser(USER_TWO_NAME);
+        sourceScriptNode.removeAssociation(targetScriptNode, assocType);
+    }
+    
     @Test
     public void testCreateFolderPath()
     {