diff --git a/source/java/org/alfresco/filesys/server/config/ServerConfiguration.java b/source/java/org/alfresco/filesys/server/config/ServerConfiguration.java index c0cb174ec5..9f62249764 100644 --- a/source/java/org/alfresco/filesys/server/config/ServerConfiguration.java +++ b/source/java/org/alfresco/filesys/server/config/ServerConfiguration.java @@ -1748,6 +1748,8 @@ public class ServerConfiguration implements ApplicationListener setAuthenticator(auth, authElem, allowGuest); auth.setMapToGuest( mapGuest); } + else + throw new AlfrescoRuntimeException("Authenticator not specified"); } /** diff --git a/source/java/org/alfresco/repo/ownable/impl/OwnableServiceTest.java b/source/java/org/alfresco/repo/ownable/impl/OwnableServiceTest.java index 1d84a9bc70..79b87c0336 100644 --- a/source/java/org/alfresco/repo/ownable/impl/OwnableServiceTest.java +++ b/source/java/org/alfresco/repo/ownable/impl/OwnableServiceTest.java 
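Review bot: The new `else` branch in ServerConfiguration is written without braces, although the `if` block it follows is braced, and the message "Authenticator not specified" does not say which configuration element was being read. Refusing to continue when no authenticator is configured is the right fail-closed behaviour, so I would keep the throw, brace it as `else { throw new AlfrescoRuntimeException("Authenticator not specified"); }`, and put a comment above it such as `// Fail closed: never continue server setup without an authenticator`. Including the name of the element being parsed in the message would help whoever has to fix the configuration. The enclosing method starts outside the hunk.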
@@ -139,16 +139,41 @@ public class OwnableServiceTest extends TestCase assertFalse(nodeService.hasAspect(testNode, ContentModel.ASPECT_OWNABLE)); assertTrue(dynamicAuthority.hasAuthority(testNode, "andy")); + permissionService.setInheritParentPermissions(testNode, false); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(rootNodeRef, PermissionService.TAKE_OWNERSHIP)); assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(rootNodeRef, PermissionService.SET_OWNER)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(testNode, PermissionService.TAKE_OWNERSHIP)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(testNode, PermissionService.SET_OWNER)); + + + + ownableService.setOwner(testNode, "woof"); + assertEquals("woof", ownableService.getOwner(testNode)); + assertTrue(dynamicAuthority.hasAuthority(testNode, "woof")); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(testNode, PermissionService.TAKE_OWNERSHIP)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(testNode, PermissionService.SET_OWNER)); + ownableService.setOwner(testNode, "muppet"); assertEquals("muppet", ownableService.getOwner(testNode)); + assertTrue(dynamicAuthority.hasAuthority(testNode, "muppet")); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(testNode, PermissionService.TAKE_OWNERSHIP)); + assertEquals(AccessStatus.DENIED, permissionService.hasPermission(testNode, PermissionService.SET_OWNER)); + + ownableService.takeOwnership(testNode); assertEquals("andy", ownableService.getOwner(testNode)); + assertTrue(dynamicAuthority.hasAuthority(testNode, "andy")); assertTrue(nodeService.hasAspect(testNode, ContentModel.ASPECT_AUDITABLE)); assertTrue(nodeService.hasAspect(testNode, ContentModel.ASPECT_OWNABLE)); - assertTrue(dynamicAuthority.hasAuthority(testNode, "andy")); + + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(rootNodeRef, 
PermissionService.TAKE_OWNERSHIP)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(rootNodeRef, PermissionService.SET_OWNER)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(testNode, PermissionService.TAKE_OWNERSHIP)); + assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(testNode, PermissionService.SET_OWNER)); + + } public void testContainer() diff --git a/source/java/org/alfresco/repo/security/authentication/AbstractAuthenticationComponent.java b/source/java/org/alfresco/repo/security/authentication/AbstractAuthenticationComponent.java index b16324a41d..a396d535fe 100644 --- a/source/java/org/alfresco/repo/security/authentication/AbstractAuthenticationComponent.java +++ b/source/java/org/alfresco/repo/security/authentication/AbstractAuthenticationComponent.java @@ -180,11 +180,14 @@ public abstract class AbstractAuthenticationComponent implements AuthenticationC */ private String getUserName(Authentication authentication) { - String username = authentication.getPrincipal().toString(); - + String username; if (authentication.getPrincipal() instanceof UserDetails) { - username = ((UserDetails) authentication.getPrincipal()).getUsername(); + username = ((UserDetails)authentication.getPrincipal()).getUsername(); + } + else + { + username = authentication.getPrincipal().toString(); } return username; diff --git a/source/java/org/alfresco/repo/security/permissions/impl/PermissionServiceImpl.java b/source/java/org/alfresco/repo/security/permissions/impl/PermissionServiceImpl.java index 1e0eb9f23d..70b7d714fd 100644 --- a/source/java/org/alfresco/repo/security/permissions/impl/PermissionServiceImpl.java +++ b/source/java/org/alfresco/repo/security/permissions/impl/PermissionServiceImpl.java 
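Review bot: The new DENIED assertions after `ownableService.setOwner(testNode, "woof")` and `setOwner(testNode, "muppet")` only hold because inheritance was switched off on `testNode` a few lines earlier and, presumably, because the test runs as "andy"; neither precondition is stated. A comment before `permissionService.setInheritParentPermissions(testNode, false);`, for example `// isolate testNode so ownership is the only source of TAKE_OWNERSHIP / SET_OWNER`, would make the intent of the ALLOWED/DENIED/ALLOWED sequence readable. The runs of empty added lines between the steps can go. The test method starts outside the hunk.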
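Review bot: `getUserName` still calls `authentication.getPrincipal()` twice and dereferences the result without a null check, so a token with no principal fails with a NullPointerException in the new `else` branch instead of a clear authentication error. Reading it once, `Object principal = authentication.getPrincipal();`, and testing that local keeps both branches working on the same object. The `toString()` fallback turns any non-UserDetails principal into a user name, and since this value identifies the user, a one-line comment naming the principal types expected there would help. The method's Javadoc begins above the hunk and its closing brace is outside it.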
@@ -37,6 +37,7 @@ import org.alfresco.service.cmr.dictionary.DictionaryService; import org.alfresco.service.cmr.repository.ChildAssociationRef; import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.service.cmr.repository.NodeService; +import org.alfresco.service.cmr.repository.Path; import org.alfresco.service.cmr.security.AccessPermission; import org.alfresco.service.cmr.security.AccessStatus; import org.alfresco.service.cmr.security.AuthorityService; @@ -371,7 +372,7 @@ public class PermissionServiceImpl implements PermissionServiceSPI, Initializing Set authorisations = getAuthorisations(auth, nodeRef); Serializable key = generateKey( authorisations, - nodeRef, + nodeService.getPath(nodeRef), perm); AccessStatus status = accessCache.get(key); if (status != null) @@ -426,11 +427,12 @@ public class PermissionServiceImpl implements PermissionServiceSPI, Initializing * dynamically so they must all be used) the NodeRef ID and the permission reference itself. * This gives a unique key for each permission test. */ - static Serializable generateKey(Set auths, NodeRef ref, PermissionReference perm) + static Serializable generateKey(Set auths, Path path, PermissionReference perm) { - HashSet key = new HashSet(auths); - key.add(ref.getId()); + LinkedHashSet key = new LinkedHashSet(); key.add(perm.toString()); + key.addAll(auths); + key.add(path); return key; } diff --git a/source/java/org/alfresco/repo/security/permissions/impl/PermissionServiceTest.java b/source/java/org/alfresco/repo/security/permissions/impl/PermissionServiceTest.java index 1ab06558ec..e1dd4be3f0 100644 --- a/source/java/org/alfresco/repo/security/permissions/impl/PermissionServiceTest.java +++ b/source/java/org/alfresco/repo/security/permissions/impl/PermissionServiceTest.java 
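Review bot: In the `@@ -371` hunk the cache key is now built from `nodeService.getPath(nodeRef)`, so every permission check resolves the node's path before `accessCache.get(key)`, even on a hit. The key is only correct if `Path` has value-based `equals`/`hashCode` and is `Serializable`, and none of that is visible in this diff, so it should be confirmed. Entries keyed on the old location also stay in the cache after a move until something evicts them. I would add a comment at the call, e.g. `// key on the path so that moving the node or an ancestor misses the cache`. The enclosing method begins and ends outside the hunk.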
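Review bot: `generateKey` flattens the permission string, the authority names and the path into one `LinkedHashSet`, and set equality ignores insertion order, so the key cannot tell which string was the permission and which were authorities. An authority whose name equals `perm.toString()` would also vanish as a duplicate. For a cache that answers access-control decisions the components should stay separate, for example a list built with `key.add(perm.toString()); key.add(new HashSet(auths)); key.add(path);`. The Javadoc above the method still says the key uses "the NodeRef ID" and should now say the node's path.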
@@ -59,10 +59,7 @@ public class PermissionServiceTest extends AbstractPermissionTest Authentication auth = authenticationComponent.getCurrentAuthentication(); for (GrantedAuthority authority : auth.getAuthorities()) { - if (authority.getAuthority().equals(ROLE_AUTHENTICATED)) - { - return; - } + if (authority.getAuthority().equals(ROLE_AUTHENTICATED)) { return; } } fail("Missing role ROLE_AUTHENTICATED "); } @@ -142,6 +139,32 @@ public class PermissionServiceTest extends AbstractPermissionTest } + public void testPermissionCacheOnMove() + { + runAs("admin"); + + NodeRef n1 = nodeService.createNode(rootNodeRef, ContentModel.ASSOC_CHILDREN, + QName.createQName("{namespace}one"), ContentModel.TYPE_FOLDER).getChildRef(); + NodeRef n2 = nodeService.createNode(n1, ContentModel.ASSOC_CONTAINS, QName.createQName("{namespace}two"), + ContentModel.TYPE_FOLDER).getChildRef(); + + permissionService.setPermission(new SimplePermissionEntry(n1, getPermission(PermissionService.READ), "andy", + AccessStatus.ALLOWED)); + + runAs("andy"); + + assertTrue(permissionService.hasPermission(n1, getPermission(PermissionService.READ)) == AccessStatus.ALLOWED); + assertTrue(permissionService.hasPermission(n2, getPermission(PermissionService.READ)) == AccessStatus.ALLOWED); + + runAs("admin"); + nodeService.moveNode(n2, rootNodeRef, ContentModel.ASSOC_CHILDREN, QName.createQName("{namespace}oneMoved")); + + runAs("andy"); + + assertTrue(permissionService.hasPermission(n1, getPermission(PermissionService.READ)) == AccessStatus.ALLOWED); + assertTrue(permissionService.hasPermission(n2, getPermission(PermissionService.READ)) == AccessStatus.DENIED); + } + public void testSetInheritFalse() { runAs("andy"); 
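Review bot: `testPermissionCacheOnMove` exercises only one transition, a cached ALLOWED on `n2` becoming DENIED after `n2` itself is moved. Two cases that a path-keyed cache must also get right are missing: moving an ancestor while a descendant's result is cached, and a cached DENIED that should become ALLOWED after a move under a readable parent. The moved node is `n2`, created as `{namespace}two`, but it is renamed `{namespace}oneMoved`, which reads like a slip for `twoMoved`. `assertEquals(AccessStatus.DENIED, ...)` would report the actual status on failure, which `assertTrue(... == ...)` does not.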
@@ -618,6 +641,9 @@ public class PermissionServiceTest extends AbstractPermissionTest assertTrue(permissionService.hasPermission(rootNodeRef, getPermission(PermissionService.READ_PROPERTIES)) == AccessStatus.ALLOWED); // Changed ny not enfocing READ // assertFalse(permissionService.hasPermission(n1, getPermission(PermissionService.READ_PROPERTIES)) == AccessStatus.ALLOWED); + // assertFalse(permissionService.hasPermission(n1, + // getPermission(PermissionService.READ_PROPERTIES)) == + // AccessStatus.ALLOWED); assertTrue(permissionService.hasPermission(n1, getPermission(PermissionService.READ_PROPERTIES)) == AccessStatus.ALLOWED); runAs("lemur"); assertFalse(permissionService.hasPermission(rootNodeRef, getPermission(PermissionService.READ_PROPERTIES)) == AccessStatus.ALLOWED); diff --git a/source/java/org/alfresco/repo/security/permissions/impl/model/PermissionModel.java b/source/java/org/alfresco/repo/security/permissions/impl/model/PermissionModel.java index c8c97061ea..a204abd7f4 100644 --- a/source/java/org/alfresco/repo/security/permissions/impl/model/PermissionModel.java +++ b/source/java/org/alfresco/repo/security/permissions/impl/model/PermissionModel.java @@ -97,13 +97,16 @@ public class PermissionModel implements ModelDAO, InitializingBean private AccessStatus defaultPermission; // Cache granting permissions - private HashMap> grantingPermissions = new HashMap>(); + private HashMap> grantingPermissions = + new HashMap>(); // Cache grantees - private HashMap> granteePermissions = new HashMap>(); + private HashMap> granteePermissions = + new HashMap>(); // Cache the mapping of extended groups to the base - private HashMap groupsToBaseGroup = new HashMap(); + private HashMap groupsToBaseGroup = + new HashMap(); private HashMap uniqueMap; 
@@ -112,7 +115,13 @@ public class PermissionModel implements ModelDAO, InitializingBean private HashMap permissionGroupMap; private HashMap permissionReferenceMap; - + + private Map> cachedTypePermissionsExposed = + new HashMap>(128, 1.0f); + + private Map> cachedTypePermissionsUnexposed = + new HashMap>(128, 1.0f); + public PermissionModel() { super(); @@ -207,7 +216,6 @@ public class PermissionModel implements ModelDAO, InitializingBean globalPermissions.add(globalPermission); } - } /* @@ -275,20 +283,34 @@ public class PermissionModel implements ModelDAO, InitializingBean { return getAllPermissionsImpl(type, true); } - + private Set getAllPermissionsImpl(QName type, boolean exposedOnly) { - Set permissions = new LinkedHashSet(); - if (dictionaryService.getClass(type).isAspect()) + Map> cache; + if (exposedOnly) { - addAspectPermissions(type, permissions, exposedOnly); + cache = this.cachedTypePermissionsExposed; } else { - mergeGeneralAspectPermissions(permissions, exposedOnly); - addTypePermissions(type, permissions, exposedOnly); + cache = this.cachedTypePermissionsUnexposed; } - return permissions; + Set permissions = cache.get(type); + if (permissions == null) + { + permissions = new LinkedHashSet(); + if (dictionaryService.getClass(type).isAspect()) + { + addAspectPermissions(type, permissions, exposedOnly); + } + else + { + mergeGeneralAspectPermissions(permissions, exposedOnly); + addTypePermissions(type, permissions, exposedOnly); + } + cache.put(type, permissions); + } + return (Set)((LinkedHashSet)permissions).clone(); } /** @@ -379,7 +401,6 @@ public class PermissionModel implements ModelDAO, InitializingBean } } - private void mergeGeneralAspectPermissions(Set target, boolean exposedOnly) { for(QName aspect : dictionaryService.getAllAspects()) 
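Review bot: `cachedTypePermissionsExposed` and `cachedTypePermissionsUnexposed` are plain `HashMap`s, and `getAllPermissionsImpl` (the `@@ -275` hunk) reads and writes them without a lock. `getGrantingPermissions` in the same class is `synchronized`, which suggests the model is shared between threads. Concurrent `put` calls can corrupt a `HashMap`, so either declare `getAllPermissionsImpl` `synchronized` as well or back both fields with `ConcurrentHashMap`. The copy returned by `(Set)((LinkedHashSet)permissions).clone()` is what keeps callers from mutating the cached sets, so it deserves a comment; `new LinkedHashSet(permissions)` does the same without the unchecked cast. Nothing visible here clears the two maps, so confirm that the permission definitions cannot change after initialisation.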
@@ -400,11 +421,15 @@ public class PermissionModel implements ModelDAO, InitializingBean public Set getExposedPermissionsImpl(NodeRef nodeRef, boolean exposedOnly) { - + // + // TODO: cache permissions based on type and exposed flag + // create JMeter test to see before/after effect! + // QName typeName = nodeService.getType(nodeRef); + Set permissions = getAllPermissions(typeName); mergeGeneralAspectPermissions(permissions, exposedOnly); - // Add non mandatory aspects.. + // Add non mandatory aspects... Set defaultAspects = new HashSet(); for (AspectDefinition aspDef : dictionaryService.getType(typeName).getDefaultAspects()) { @@ -418,7 +443,6 @@ public class PermissionModel implements ModelDAO, InitializingBean } } return permissions; - } public synchronized Set getGrantingPermissions(PermissionReference permissionReference) diff --git a/source/java/org/alfresco/repo/security/permissions/impl/model/PermissionSet.java b/source/java/org/alfresco/repo/security/permissions/impl/model/PermissionSet.java index 6afb8a7bc8..69af17d35c 100644 --- a/source/java/org/alfresco/repo/security/permissions/impl/model/PermissionSet.java +++ b/source/java/org/alfresco/repo/security/permissions/impl/model/PermissionSet.java @@ -31,7 +31,7 @@ import org.dom4j.Element; * Store and read the definition of a permission set * @author andyh */ -public class PermissionSet implements XMLModelInitialisable +public final class PermissionSet implements XMLModelInitialisable { private static final String TYPE = "type"; private static final String PERMISSION_GROUP = "permissionGroup"; @@ -105,7 +105,4 @@ public class PermissionSet implements XMLModelInitialisable { return exposeAll; } - - - }
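Review bot: The new TODO in `getExposedPermissionsImpl` asks for caching "based on type and exposed flag", which is what this same commit adds in `getAllPermissionsImpl`, so it is unclear what work remains. If the remaining part is the aspect merge done in this method, the comment should say so, e.g. `// TODO: the type-level set is cached; the aspect merge below still runs per call`. The method also mutates the set returned by `getAllPermissions(typeName)`, so it depends on that call handing back a copy, and a one-line comment next to the call should state that. The middle of the method body lies outside this hunk.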