RM-2391 - Added capability checking to the AuditLog Get REST API. Added a unit test. Minor changes on the Share side to forward the forbidden status.

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.2@109401 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/script/AuditLogGet.java

@@ -21,9 +21,17 @@ package org.alfresco.module.org_alfresco_module_rm.script;
 import java.io.File;
 import java.io.IOException;
 
+import org.alfresco.module.org_alfresco_module_rm.audit.RecordsManagementAuditQueryParameters;
+import org.alfresco.module.org_alfresco_module_rm.audit.RecordsManagementAuditService.ReportFormat;
+import org.alfresco.module.org_alfresco_module_rm.capability.CapabilityService;
+import org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService;
 import org.alfresco.repo.web.scripts.content.ContentStreamer;
+import org.alfresco.service.cmr.repository.NodeRef;
+import org.alfresco.service.cmr.security.AccessStatus;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.springframework.extensions.webscripts.Status;
+import org.springframework.extensions.webscripts.WebScriptException;
 import org.springframework.extensions.webscripts.WebScriptRequest;
 import org.springframework.extensions.webscripts.WebScriptResponse;
 
@@ -39,9 +47,16 @@ public class AuditLogGet extends BaseAuditRetrievalWebScript
     private static Log logger = LogFactory.getLog(AuditLogGet.class);
 
     private static final String PARAM_EXPORT = "export";
+    private static final String ACCESS_AUDIT_CAPABILITY = "AccessAudit";
 
     /** Content Streamer */
     protected ContentStreamer contentStreamer;
+    
+    /** Capability service */
+    protected CapabilityService capabilityService;
+
+    /** File plan service */
+    protected FilePlanService filePlanService;
 
     /**
      * @param contentStreamer
@@ -50,6 +65,24 @@ public class AuditLogGet extends BaseAuditRetrievalWebScript
     {
         this.contentStreamer = contentStreamer;
     }
+    
+    /**
+     * 
+     * @param capabilityService Capability Service
+     */
+    public void setCapabilityService(CapabilityService capabilityService)
+    {
+        this.capabilityService = capabilityService;
+    }
+    
+    /**
+     * 
+     * @param capabilityService Capability Service
+     */
+    public void setFilePlanService(FilePlanService filePlanService)
+    {
+        this.filePlanService = filePlanService;
+    }
 
     @Override
     public void execute(WebScriptRequest req, WebScriptResponse res) throws IOException
@@ -58,8 +91,16 @@ public class AuditLogGet extends BaseAuditRetrievalWebScript
 
         try
         {
+            
+            RecordsManagementAuditQueryParameters queryParams = parseQueryParameters(req);
+            ReportFormat reportFormat = parseReportFormat(req);
+
+            if( !userCanAccessAudit(queryParams) )
+            {
+                throw new WebScriptException(Status.STATUS_FORBIDDEN, "Access denied because the user does not have the Access Audit capability");
+            }
             // parse the parameters and get a file containing the audit trail
-            auditTrail = this.rmAuditService.getAuditTrailFile(parseQueryParameters(req), parseReportFormat(req));
+            auditTrail = this.rmAuditService.getAuditTrailFile(queryParams, reportFormat);
 
             if (logger.isDebugEnabled())
             {
@@ -101,4 +142,15 @@ public class AuditLogGet extends BaseAuditRetrievalWebScript
             }
         }
     }
+
+    private boolean userCanAccessAudit(RecordsManagementAuditQueryParameters queryParams) 
+    {
+        NodeRef targetNode = queryParams.getNodeRef();
+        if( targetNode == null )
+        {
+            targetNode = filePlanService.getFilePlanBySiteId(FilePlanService.DEFAULT_RM_SITE_ID);
+        }
+        return AccessStatus.ALLOWED.equals(
+                capabilityService.getCapabilityAccessState(targetNode, ACCESS_AUDIT_CAPABILITY));
+    }
 }