REPO-4612 / MNT-20833: Enforce permissions checks for methods related to associations at the NodeService level (#571)
@@ -413,12 +413,12 @@
|
|||||||
org.alfresco.service.cmr.repository.NodeService.getChildAssocsByPropertyValue=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.ReadProperties
|
org.alfresco.service.cmr.repository.NodeService.getChildAssocsByPropertyValue=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.ReadProperties
|
||||||
org.alfresco.service.cmr.repository.NodeService.getChildrenByName=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.ReadProperties
|
org.alfresco.service.cmr.repository.NodeService.getChildrenByName=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.ReadProperties
|
||||||
org.alfresco.service.cmr.repository.NodeService.getPrimaryParent=ACL_NODE.0.sys:base.ReadProperties
|
org.alfresco.service.cmr.repository.NodeService.getPrimaryParent=ACL_NODE.0.sys:base.ReadProperties
|
||||||
org.alfresco.service.cmr.repository.NodeService.createAssociation=ACL_ALLOW
|
org.alfresco.service.cmr.repository.NodeService.createAssociation=ACL_NODE.0.sys:base.WriteProperties,ACL_NODE.1.sys:base.ReadProperties
|
||||||
org.alfresco.service.cmr.repository.NodeService.removeAssociation=ACL_ALLOW
|
org.alfresco.service.cmr.repository.NodeService.removeAssociation=ACL_NODE.0.sys:base.DeleteNode,ACL_NODE.1.sys:base.ReadProperties
|
||||||
org.alfresco.service.cmr.repository.NodeService.setAssociations=ACL_ALLOW
|
org.alfresco.service.cmr.repository.NodeService.setAssociations=ACL_NODE.0.sys:base.WriteProperties,ACL_NODE.2.sys:base.ReadProperties
|
||||||
org.alfresco.service.cmr.repository.NodeService.getTargetAssocs=ACL_ALLOW
|
org.alfresco.service.cmr.repository.NodeService.getTargetAssocs=ACL_NODE.0.sys:base.ReadProperties,AFTER_ACL_NODE.sys:base.ReadProperties
|
||||||
org.alfresco.service.cmr.repository.NodeService.getSourceAssocs=ACL_ALLOW
|
org.alfresco.service.cmr.repository.NodeService.getSourceAssocs=ACL_NODE.0.sys:base.ReadProperties,AFTER_ACL_PARENT.sys:base.ReadProperties
|
||||||
org.alfresco.service.cmr.repository.NodeService.getAssoc=ACL_ALLOW
|
org.alfresco.service.cmr.repository.NodeService.getAssoc=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
|
||||||
org.alfresco.service.cmr.repository.NodeService.getPath=ACL_NODE.0.sys:base.ReadProperties
|
org.alfresco.service.cmr.repository.NodeService.getPath=ACL_NODE.0.sys:base.ReadProperties
|
||||||
org.alfresco.service.cmr.repository.NodeService.getPaths=ACL_NODE.0.sys:base.ReadProperties
|
org.alfresco.service.cmr.repository.NodeService.getPaths=ACL_NODE.0.sys:base.ReadProperties
|
||||||
org.alfresco.service.cmr.repository.NodeService.getStoreArchiveNode=ACL_NODE.0.sys:base.Read
|
org.alfresco.service.cmr.repository.NodeService.getStoreArchiveNode=ACL_NODE.0.sys:base.Read
|
||||||
|
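Review bot: The new `setAssociations` rule asks only for `sys:base.WriteProperties` on the source node, while `removeAssociation` now asks for `sys:base.DeleteNode`, so the two entries disagree on what it takes to drop an association. If `setAssociations` replaces the existing target set (inferred from the name; the implementation is not part of this hunk), a caller with write access only could remove associations through it that the `removeAssociation` rule would refuse. Either align the two rules or add a comment above these entries stating the intended model, for example `removeAssociation requires DeleteNode on the source; setAssociations may replace targets with WriteProperties only`. It is also worth confirming that `ACL_NODE.2` is evaluated against every target if that argument is a collection rather than a single node reference.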
@@ -2,7 +2,7 @@
|
|||||||
* #%L
|
* #%L
|
||||||
* Alfresco Repository
|
* Alfresco Repository
|
||||||
* %%
|
* %%
|
||||||
* Copyright (C) 2005 - 2017 Alfresco Software Limited
|
* Copyright (C) 2005 - 2019 Alfresco Software Limited
|
||||||
* %%
|
* %%
|
||||||
* This file is part of the Alfresco software.
|
* This file is part of the Alfresco software.
|
||||||
* If the software was purchased under a paid Alfresco license, the terms of
|
* If the software was purchased under a paid Alfresco license, the terms of
|
||||||
@@ -28,6 +28,7 @@ package org.alfresco.repo.jscript;
|
|||||||
|
|
||||||
|
|
||||||
import static org.junit.Assert.assertEquals;
|
import static org.junit.Assert.assertEquals;
|
||||||
|
import static org.junit.Assert.assertTrue;
|
||||||
import static org.junit.Assert.assertNotNull;
|
import static org.junit.Assert.assertNotNull;
|
||||||
import static org.junit.Assert.assertNull;
|
import static org.junit.Assert.assertNull;
|
||||||
import static org.junit.Assert.fail;
|
import static org.junit.Assert.fail;
|
||||||
@@ -678,6 +679,68 @@ public class ScriptNodeTest
|
|||||||
NODE_SERVICE.removeProperty(newNode2, ContentModel.PROP_CONTENT);
|
NODE_SERVICE.removeProperty(newNode2, ContentModel.PROP_CONTENT);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Test associations related script api, after the permissions checks have been pushed to the NodeService level (MNT-20833).
|
||||||
|
*/
|
||||||
|
@Test
|
||||||
|
public void testCreateRemoveAssociation() throws Exception
|
||||||
|
{
|
||||||
|
Repository repositoryHelper = (Repository) APP_CONTEXT_INIT.getApplicationContext().getBean("repositoryHelper");
|
||||||
|
NodeRef companyHome = repositoryHelper.getCompanyHome();
|
||||||
|
|
||||||
|
AuthenticationUtil.setFullyAuthenticatedUser(USER_ONE_NAME);
|
||||||
|
NodeRef newNode1 = testNodes.createNode(companyHome, "theTestFolder", ContentModel.TYPE_FOLDER, AuthenticationUtil.getFullyAuthenticatedUser());
|
||||||
|
NodeRef newNode2 = testNodes.createNode(companyHome, "theTestContent", ContentModel.TYPE_CONTENT, AuthenticationUtil.getFullyAuthenticatedUser());
|
||||||
|
|
||||||
|
// Give USER_TWO READ permission similar to the Consumer role
|
||||||
|
PERMISSION_SERVICE.setPermission(newNode1, USER_TWO_NAME, PermissionService.READ, true);
|
||||||
|
PERMISSION_SERVICE.setPermission(newNode2, USER_TWO_NAME, PermissionService.READ, true);
|
||||||
|
|
||||||
|
AuthenticationUtil.setFullyAuthenticatedUser(USER_TWO_NAME);
|
||||||
|
ScriptNode sourceScriptNode = SEARCH_SCRIPT.findNode(newNode1);
|
||||||
|
assertNotNull(sourceScriptNode);
|
||||||
|
ScriptNode targetScriptNode = SEARCH_SCRIPT.findNode(newNode2);
|
||||||
|
assertNotNull(targetScriptNode);
|
||||||
|
|
||||||
|
// Create associations
|
||||||
|
String assocType = "cm:contains";
|
||||||
|
try
|
||||||
|
{
|
||||||
|
sourceScriptNode.createAssociation(targetScriptNode, assocType);
|
||||||
|
fail("Creating associations without write permission on source is not allowed.");
|
||||||
|
}
|
||||||
|
catch (AccessDeniedException ade)
|
||||||
|
{
|
||||||
|
// expected
|
||||||
|
}
|
||||||
|
|
||||||
|
// Give USER_TWO WRITE permission to be able to successfully create an association from sourceScriptNode to targetScriptNode
|
||||||
|
AuthenticationUtil.setFullyAuthenticatedUser(USER_ONE_NAME);
|
||||||
|
PERMISSION_SERVICE.setPermission(newNode1, USER_TWO_NAME, PermissionService.WRITE, true);
|
||||||
|
|
||||||
|
AuthenticationUtil.setFullyAuthenticatedUser(USER_TWO_NAME);
|
||||||
|
assertTrue(sourceScriptNode.hasPermission(PermissionService.WRITE_PROPERTIES));
|
||||||
|
assertNotNull(sourceScriptNode.createAssociation(targetScriptNode, assocType));
|
||||||
|
|
||||||
|
// Remove associations
|
||||||
|
try
|
||||||
|
{
|
||||||
|
sourceScriptNode.removeAssociation(targetScriptNode, assocType);
|
||||||
|
fail("Removing associations without delete permission on source is not allowed.");
|
||||||
|
}
|
||||||
|
catch (AccessDeniedException ade)
|
||||||
|
{
|
||||||
|
// expected
|
||||||
|
}
|
||||||
|
|
||||||
|
// Give USER_TWO DELETE permission to be able to successfully remove an association from sourceScriptNode to targetScriptNode
|
||||||
|
AuthenticationUtil.setFullyAuthenticatedUser(USER_ONE_NAME);
|
||||||
|
PERMISSION_SERVICE.setPermission(newNode1, USER_TWO_NAME, PermissionService.DELETE, true);
|
||||||
|
|
||||||
|
AuthenticationUtil.setFullyAuthenticatedUser(USER_TWO_NAME);
|
||||||
|
sourceScriptNode.removeAssociation(targetScriptNode, assocType);
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testCreateFolderPath()
|
public void testCreateFolderPath()
|
||||||
{
|
{
|
||||||
|
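Review bot: `testCreateRemoveAssociation` exercises only the source-side checks (write for create, delete for remove), so the target-side `ReadProperties` requirement and the new rules for `setAssociations`, `getTargetAssocs`, `getSourceAssocs` and `getAssoc` have no negative case in this hunk. A target-side case can reuse what the test already has: as USER_ONE call `PERMISSION_SERVICE.setPermission(newNode2, USER_TWO_NAME, PermissionService.READ, false);`, then as USER_TWO expect `AccessDeniedException` from `sourceScriptNode.createAssociation(targetScriptNode, assocType)`. The two denied calls would also be stronger if the test asserted afterwards that the association state is unchanged, so that a check which throws only after mutating cannot pass. The method ends with USER_TWO_NAME still set as the authenticated user; whether a teardown outside this hunk resets it is not visible, so consider restoring the previous authentication in a `finally` block.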