diff --git a/config/alfresco/authentication-services-context.xml b/config/alfresco/authentication-services-context.xml index c038bb6e38..76eb6276c6 100644 --- a/config/alfresco/authentication-services-context.xml +++ b/config/alfresco/authentication-services-context.xml @@ -208,17 +208,17 @@ --> - - + + - + - + - + @@ -228,23 +228,23 @@ ${spaces.store} - + - - - - + + + + ${user.name.caseSensitive} - + ${domain.name.caseSensitive} ${domain.separator} - - + + @@ -278,9 +278,12 @@ - + + + + @@ -319,11 +322,30 @@ false - + + + + + + + + + + + All + + + + + All + + + + @@ -334,9 +356,9 @@ - + - ${home.folder.creation.eager} + ${home.folder.creation.eager} @@ -361,41 +383,92 @@ + + + + + + + + + + Consumer + + + + + + + + /${spaces.company_home.childname}/${spaces.guest_home.childname} ${spaces.store} - - - Consumer - + + + + + - + + + + + + + + + false + + + + All + + + + + All + + + + + + + + + + + + + + All + + + + + + + + /${spaces.company_home.childname} ${spaces.store} - - false + + - - - All - - - - - All - + + @@ -406,18 +479,11 @@ ${spaces.store} - - false + + - - - All - - - - - All - + + @@ -441,10 +507,10 @@ false - - - - + + + + AFTER_FIXED_TIME diff --git a/config/alfresco/bootstrap-context.xml b/config/alfresco/bootstrap-context.xml index 8aab2ec0b0..3b7b380c85 100644 --- a/config/alfresco/bootstrap-context.xml +++ b/config/alfresco/bootstrap-context.xml @@ -438,8 +438,14 @@ + + + + + + - + @@ -457,12 +463,6 @@ - - - - - - diff --git a/config/alfresco/bootstrap/system.xml b/config/alfresco/bootstrap/system.xml index 93e3ccab7e..2e8e23bb79 100644 --- a/config/alfresco/bootstrap/system.xml +++ b/config/alfresco/bootstrap/system.xml @@ -27,11 +27,25 @@ GROUP_EVERYONE Read - + + + + ${alfresco_user_store.adminusername} + All + + + ROLE_OWNER + All + + + + + + ${alfresco_user_store.adminusername} ${alfresco_user_store.adminusername} Administrator 
diff --git a/source/java/org/alfresco/repo/security/authentication/ldap/LDAPPersonExportSource.java b/source/java/org/alfresco/repo/security/authentication/ldap/LDAPPersonExportSource.java index 966ac08c18..975be0a5e8 100644 --- a/source/java/org/alfresco/repo/security/authentication/ldap/LDAPPersonExportSource.java +++ b/source/java/org/alfresco/repo/security/authentication/ldap/LDAPPersonExportSource.java @@ -218,27 +218,6 @@ public class LDAPPersonExportSource implements ExportSource writer.startElement(ContentModel.TYPE_PERSON.getNamespaceURI(), ContentModel.TYPE_PERSON .getLocalName(), ContentModel.TYPE_PERSON.toPrefixString(namespaceService), attrs); - // permissions - - // owner - - writer.startElement(ContentModel.ASPECT_OWNABLE.getNamespaceURI(), ContentModel.ASPECT_OWNABLE - .getLocalName(), ContentModel.ASPECT_OWNABLE.toPrefixString(namespaceService), - new AttributesImpl()); - - writer.endElement(ContentModel.ASPECT_OWNABLE.getNamespaceURI(), ContentModel.ASPECT_OWNABLE - .getLocalName(), ContentModel.ASPECT_OWNABLE.toPrefixString(namespaceService)); - - writer.startElement(ContentModel.PROP_OWNER.getNamespaceURI(), ContentModel.PROP_OWNER - .getLocalName(), ContentModel.PROP_OWNER.toPrefixString(namespaceService), - new AttributesImpl()); - - writer.characters(uid.toCharArray(), 0, uid.length()); - - writer.endElement(ContentModel.PROP_OWNER.getNamespaceURI(), - ContentModel.PROP_OWNER.getLocalName(), ContentModel.PROP_OWNER - .toPrefixString(namespaceService)); - for (String key : attributeMapping.keySet()) { QName keyQName = QName.createQName(key, namespaceService); diff --git a/source/java/org/alfresco/repo/security/person/AbstractHomeFolderProvider.java b/source/java/org/alfresco/repo/security/person/AbstractHomeFolderProvider.java index 3d4281e232..c760707b17 100644 --- a/source/java/org/alfresco/repo/security/person/AbstractHomeFolderProvider.java +++ b/source/java/org/alfresco/repo/security/person/AbstractHomeFolderProvider.java 
@@ -26,7 +26,6 @@ package org.alfresco.repo.security.person; import java.util.List; import java.util.Map; -import java.util.Set; import java.util.concurrent.ConcurrentHashMap; import org.alfresco.model.ContentModel; @@ -37,13 +36,13 @@ import org.alfresco.service.cmr.repository.ChildAssociationRef; import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.service.cmr.repository.StoreRef; import org.alfresco.service.cmr.repository.datatype.DefaultTypeConverter; -import org.alfresco.service.cmr.security.PermissionService; +import org.alfresco.util.PropertyCheck; import org.springframework.beans.factory.BeanNameAware; import org.springframework.beans.factory.InitializingBean; /** - * Common support for creating home folders This is hooked into node creation events from Person type objects via the homeFolderManager. Provider must all be wired up to the - * homeFolderManager. + * Common support for creating home folders This is hooked into node creation events from Person type objects via the + * homeFolderManager. Provider must all be wired up to the homeFolderManager. * * @author Andy Hind */ 
@@ -89,30 +88,9 @@ public abstract class AbstractHomeFolderProvider implements HomeFolderProvider, */ private String ownerOnCreate; - /** - * Set if permissions are inherited when nodes are created. - */ - private boolean inheritsPermissionsOnCreate = false; + private PermissionsManager onCreatePermissionsManager; - /** - * A set of permissions to set for the owner when a home folder is created - */ - private Set ownerPermissionsToSetOnCreate; - - /** - * General permissions to set on the node Map<(String)uid, Set<(String)permission>>. - */ - private Map> permissionsToSetOnCreate; - - /** - * Permissions to set for the user - on create and reference. - */ - private Set userPermissions; - - /** - * Clear existing permissions on new home folders (useful of created from a template. - */ - private boolean clearExistingPermissionsOnCreate = false; + private PermissionsManager onReferencePermissionsManager; public AbstractHomeFolderProvider() { @@ -126,6 +104,7 @@ public abstract class AbstractHomeFolderProvider implements HomeFolderProvider, */ public void afterPropertiesSet() throws Exception { + PropertyCheck.mandatory(this, "homeFolderManager", homeFolderManager); homeFolderManager.addProvider(this); } @@ -169,8 +148,6 @@ public abstract class AbstractHomeFolderProvider implements HomeFolderProvider, /** * Get the path - * - * @return */ protected String getPath() { @@ -179,8 +156,6 @@ public abstract class AbstractHomeFolderProvider implements HomeFolderProvider, /** * Set the path - * - * @param path */ public void setPath(String path) { @@ -189,8 +164,6 @@ public abstract class AbstractHomeFolderProvider implements HomeFolderProvider, /** * Get the store ref - * - * @return */ protected StoreRef getStoreRef() { @@ -199,8 +172,6 @@ public abstract class AbstractHomeFolderProvider implements HomeFolderProvider, /** * Set the store ref - * - * @param storeRef */ public void setStoreRef(StoreRef storeRef) { 
@@ -209,8 +180,6 @@ public abstract class AbstractHomeFolderProvider implements HomeFolderProvider, /** * Set the store from the string url. - * - * @param storeUrl */ public void setStoreUrl(String storeUrl) { @@ -219,8 +188,6 @@ public abstract class AbstractHomeFolderProvider implements HomeFolderProvider, /** * Get the service registry. - * - * @return */ protected ServiceRegistry getServiceRegistry() { @@ -229,8 +196,6 @@ public abstract class AbstractHomeFolderProvider implements HomeFolderProvider, /** * Set the service registry. - * - * @param serviceRegistry */ public void setServiceRegistry(ServiceRegistry serviceRegistry) { @@ -239,8 +204,6 @@ public abstract class AbstractHomeFolderProvider implements HomeFolderProvider, /** * Set the tenant service - * - * @param tenantService */ public void setTenantService(TenantService tenantService) { 
@@ -248,69 +211,28 @@ public abstract class AbstractHomeFolderProvider implements HomeFolderProvider, } /** - * Inherit permissions when home folder are created? - * - * @param inheritsPermissionsOnCreate + * Set the permission manager */ - public void setInheritsPermissionsOnCreate(boolean inheritsPermissionsOnCreate) + public void setOnCreatePermissionsManager(PermissionsManager onCreatePermissionsManager) { - this.inheritsPermissionsOnCreate = inheritsPermissionsOnCreate; + this.onCreatePermissionsManager = onCreatePermissionsManager; } + public void setOnReferencePermissionsManager(PermissionsManager onReferencePermissionsManager) + { + this.onReferencePermissionsManager = onReferencePermissionsManager; + } + /** - * The owner to set on create. - * - * @param ownerOnCreate + * Set the authority to use as the owner of all home folder nodes. */ public void setOwnerOnCreate(String ownerOnCreate) { this.ownerOnCreate = ownerOnCreate; } - /** - * The owner permissions to set on create. - * - * @param ownerPermissionsToSetOnCreate - */ - public void setOwnerPermissionsToSetOnCreate(Set ownerPermissionsToSetOnCreate) - { - this.ownerPermissionsToSetOnCreate = ownerPermissionsToSetOnCreate; - } - - /** - * General permissions to set on create. - * - * @param permissionsToSetOnCreate - */ - public void setPermissionsToSetOnCreate(Map> permissionsToSetOnCreate) - { - this.permissionsToSetOnCreate = permissionsToSetOnCreate; - } - - /** - * User permissions to set on create and on reference. - * - * @param userPermissions - */ - public void setUserPermissions(Set userPermissions) - { - this.userPermissions = userPermissions; - } - - /** - * Clear exising permissions on create. Useful to clear permissions from a template. 
- * - * @param clearExistingPermissionsOnCreate - */ - public void setClearExistingPermissionsOnCreate(boolean clearExistingPermissionsOnCreate) - { - this.clearExistingPermissionsOnCreate = clearExistingPermissionsOnCreate; - } - /** * Cache path to node resolution - * - * @return */ protected NodeRef getPathNodeRef() { @@ -327,14 +249,10 @@ public abstract class AbstractHomeFolderProvider implements HomeFolderProvider, /** * Utility metho to resolve paths to nodes. - * - * @param pathToResolve - * @return */ protected NodeRef resolvePath(String pathToResolve) { - List refs = serviceRegistry.getSearchService().selectNodes( - serviceRegistry.getNodeService().getRootNode(storeRef), pathToResolve, null, + List refs = serviceRegistry.getSearchService().selectNodes(serviceRegistry.getNodeService().getRootNode(storeRef), pathToResolve, null, serviceRegistry.getNamespaceService(), false); if (refs.size() != 1) { @@ -354,9 +272,6 @@ public abstract class AbstractHomeFolderProvider implements HomeFolderProvider, /** * Abstract implementation to find/create the approriate home space. - * - * @param person - * @return */ protected abstract HomeSpaceNodeRef getHomeFolder(NodeRef person); 
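Review bot: setOnReferencePermissionsManager has no Javadoc and the comment on setOnCreatePermissionsManager just above it reads "Set the permission manager", which no longer distinguishes the two managers now that the class holds one for creation and one for reference. Replace the first comment with `/** Set the manager that applies permissions when a home folder is first created. */` and give the new setter `/** Set the manager that applies permissions when an existing home folder is referenced (found rather than created). */`. The setOwnerOnCreate comment could also say that a null value means the person's own user name is used as owner, which is what the later hunk's `ownerToSet` expression does.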
@@ -385,82 +300,31 @@ public abstract class AbstractHomeFolderProvider implements HomeFolderProvider, if (homeFolder.getNodeRef() != null) { // Get uid and keep - String uid = DefaultTypeConverter.INSTANCE.convert(String.class, serviceRegistry.getNodeService() - .getProperty(personNodeRef, ContentModel.PROP_USERNAME)); + String uid = DefaultTypeConverter.INSTANCE.convert(String.class, serviceRegistry.getNodeService().getProperty(personNodeRef, ContentModel.PROP_USERNAME)); // If created or found then set (other wise it was already set correctly) if (homeFolder.getStatus() != HomeSpaceNodeRef.Status.VALID) { - serviceRegistry.getNodeService().setProperty(personNodeRef, ContentModel.PROP_HOMEFOLDER, - homeFolder.getNodeRef()); + serviceRegistry.getNodeService().setProperty(personNodeRef, ContentModel.PROP_HOMEFOLDER, homeFolder.getNodeRef()); } + String ownerToSet = ownerOnCreate == null ? uid : ownerOnCreate; // If created.. if (homeFolder.getStatus() == HomeSpaceNodeRef.Status.CREATED) { - // Set to a specified owner or make owned by the person. 
- if (ownerOnCreate != null) + if (onCreatePermissionsManager != null) { - serviceRegistry.getOwnableService().setOwner(homeFolder.getNodeRef(), ownerOnCreate); - } - else - { - - serviceRegistry.getOwnableService().setOwner(homeFolder.getNodeRef(), uid); - } - - // clear permissions - useful of not required from a template - - if (clearExistingPermissionsOnCreate) - { - serviceRegistry.getPermissionService().deletePermissions(homeFolder.getNodeRef()); - } - - // inherit permissions - - serviceRegistry.getPermissionService().setInheritParentPermissions(homeFolder.getNodeRef(), - inheritsPermissionsOnCreate); - - // Set owner permissions - - if (ownerPermissionsToSetOnCreate != null) - { - for (String permission : ownerPermissionsToSetOnCreate) - { - serviceRegistry.getPermissionService().setPermission(homeFolder.getNodeRef(), - PermissionService.OWNER_AUTHORITY, permission, true); - } - } - - // Add other permissions - - if (permissionsToSetOnCreate != null) - { - for (String user : permissionsToSetOnCreate.keySet()) - { - Set set = permissionsToSetOnCreate.get(user); - if (set != null) - { - for (String permission : set) - { - serviceRegistry.getPermissionService().setPermission(homeFolder.getNodeRef(), user, - permission, true); - } - } - } + onCreatePermissionsManager.setPermissions(homeFolder.getNodeRef(), ownerToSet, uid); } } - - // Add user permissions on create and reference - - if (userPermissions != null) + else { - for (String permission : userPermissions) + if (onReferencePermissionsManager != null) { - serviceRegistry.getPermissionService().setPermission(homeFolder.getNodeRef(), uid, permission, - true); + onReferencePermissionsManager.setPermissions(homeFolder.getNodeRef(), ownerToSet, uid); } } + } return homeFolder.getNodeRef(); 
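Review bot: `ownerToSet` is never null (it falls back to `uid`), so on the non-CREATED path `onReferencePermissionsManager.setPermissions(...)` will re-assert ownership of an already existing home folder on every reference, whereas the removed code only set the owner when the folder was created. If re-asserting ownership on reference is not intended, pass `null` as the owner on that path (`onReferencePermissionsManager.setPermissions(homeFolder.getNodeRef(), null, uid);`), since PermissionsManagerImpl skips the ownable call for a null owner. Note also that the removed code applied userPermissions on both create and reference, while the new code runs exactly one manager per call, so the create-time manager configuration must now carry the user permissions itself; whether it does depends on the XML wiring, which I cannot read from this diff. The enclosing method begins before this hunk.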
diff --git a/source/java/org/alfresco/repo/security/person/CheckAndFixPersonPermissionsBootstrapBean.java b/source/java/org/alfresco/repo/security/person/CheckAndFixPersonPermissionsBootstrapBean.java new file mode 100644 index 0000000000..d8a96f4829 --- /dev/null +++ b/source/java/org/alfresco/repo/security/person/CheckAndFixPersonPermissionsBootstrapBean.java 
@@ -0,0 +1,120 @@ +/* + * Copyright (C) 2005-2007 Alfresco Software Limited. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + + * As a special exception to the terms and conditions of version 2.0 of + * the GPL, you may redistribute this Program in connection with Free/Libre + * and Open Source Software ("FLOSS") applications as described in Alfresco's + * FLOSS exception. You should have recieved a copy of the text describing + * the FLOSS exception, and it is also available here: + * http://www.alfresco.com/legal/licensing" + */ +package org.alfresco.repo.security.person; + +import java.util.Set; + +import org.alfresco.model.ContentModel; +import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback; +import org.alfresco.service.cmr.repository.NodeRef; +import org.alfresco.service.cmr.repository.NodeService; +import org.alfresco.service.cmr.repository.datatype.DefaultTypeConverter; +import org.alfresco.service.cmr.security.PersonService; +import org.alfresco.service.transaction.TransactionService; +import org.alfresco.util.AbstractLifecycleBean; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.springframework.context.ApplicationEvent; + +/** + * Check and fix permission for people. 
For each person check the permission config matches that configured for the + * person service. + * + * @author andyh + */ +public class CheckAndFixPersonPermissionsBootstrapBean extends AbstractLifecycleBean +{ + protected final static Log log = LogFactory.getLog(CheckAndFixPersonPermissionsBootstrapBean.class); + + private NodeService nodeService; + + private PersonService personService; + + private TransactionService transactionService; + + private PermissionsManager permissionsManager; + + public void setNodeService(NodeService nodeService) + { + this.nodeService = nodeService; + } + + public void setPersonService(PersonService personService) + { + this.personService = personService; + } + + public void setTransactionService(TransactionService transactionService) + { + this.transactionService = transactionService; + } + + public void setPermissionsManager(PermissionsManager permissionsManager) + { + this.permissionsManager = permissionsManager; + } + + @Override + protected void onBootstrap(ApplicationEvent event) + { + log.info("Checking person permissions ..."); + int count = checkandFixPermissions(); + log.info("... updated " + count); + } + + private int checkandFixPermissions() + { + Integer count = transactionService.getRetryingTransactionHelper().doInTransaction(new RetryingTransactionCallback() + { + public Integer execute() throws Exception + { + int count = 0; + + Set people = personService.getAllPeople(); + for (NodeRef person : people) + { + String uid = DefaultTypeConverter.INSTANCE.convert(String.class, nodeService.getProperty(person, ContentModel.PROP_USERNAME)); + if(!permissionsManager.validatePermissions(person, uid, uid)) + { + permissionsManager.setPermissions(person, uid, uid); + count++; + } + } + return count; + } + + }); + return count.intValue(); + + } + + @Override + protected void onShutdown(ApplicationEvent event) + { + // TODO Auto-generated method stub + + } + +} 
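Review bot: checkandFixPermissions rewrites a person node's ACL whenever validatePermissions returns false but records only the final count, so an operator cannot tell afterwards which person nodes were reset (and, if the injected manager is configured with clearExistingPermissions, which existing entries were dropped). Log the user inside the fixing branch, e.g. `log.debug("Fixing permissions on person node for " + uid);`, before the setPermissions call. The whole population returned by personService.getAllPeople() is also processed in one retrying transaction, so a retry re-examines every person; bounding the work per transaction would be safer if the person count can be large, though that is an inference from this hunk alone. The auto-generated `// TODO Auto-generated method stub` in onShutdown should be replaced with a statement of intent such as `// Nothing to release on shutdown`.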
diff --git a/source/java/org/alfresco/repo/security/person/PermissionsManager.java b/source/java/org/alfresco/repo/security/person/PermissionsManager.java new file mode 100644 index 0000000000..d13e2d7c7a --- /dev/null +++ b/source/java/org/alfresco/repo/security/person/PermissionsManager.java 
@@ -0,0 +1,52 @@ +/* + * Copyright (C) 2005-2007 Alfresco Software Limited. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + + * As a special exception to the terms and conditions of version 2.0 of + * the GPL, you may redistribute this Program in connection with Free/Libre + * and Open Source Software ("FLOSS") applications as described in Alfresco's + * FLOSS exception. You should have recieved a copy of the text describing + * the FLOSS exception, and it is also available here: + * http://www.alfresco.com/legal/licensing" + */ +package org.alfresco.repo.security.person; + +import org.alfresco.service.cmr.repository.NodeRef; + +/** + * Utility bean to set/check permissions on a node + * @author andyh + * + */ +public interface PermissionsManager +{ + /** + * Set the permission as defined on the given node + * + * @param nodeRef - the nodeRef + * @param owner - which should be set as the owner of the node (if configured to be set) + */ + public void setPermissions(NodeRef nodeRef, String owner, String user); + + /** + * Validate that permissions are set on a node as defined. + * + * @param nodeRef + * @param owner + * @return - true if correct, false if they are not set as defined. + */ + public boolean validatePermissions(NodeRef nodeRef, String owner, String user); +} 
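Review bot: Both method Javadocs omit the `user` parameter, and the `@param` tags on validatePermissions carry no description, so a caller cannot tell how `owner` and `user` differ; in the implementation elsewhere in this commit `owner` is passed to the ownable service while `user` is the authority that receives the configured user permissions. Add `@param user - the authority that receives the configured user permissions` to both methods and describe `owner` and `nodeRef` on validatePermissions in the same words used on setPermissions. Stating on setPermissions that existing permissions may be removed when the implementation is configured to clear them would also help callers such as the bootstrap bean.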
diff --git a/source/java/org/alfresco/repo/security/person/PermissionsManagerImpl.java b/source/java/org/alfresco/repo/security/person/PermissionsManagerImpl.java new file mode 100644 index 0000000000..33e9edf396 --- /dev/null +++ b/source/java/org/alfresco/repo/security/person/PermissionsManagerImpl.java 
@@ -0,0 +1,264 @@ +/* + * Copyright (C) 2005-2007 Alfresco Software Limited. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + + * As a special exception to the terms and conditions of version 2.0 of + * the GPL, you may redistribute this Program in connection with Free/Libre + * and Open Source Software ("FLOSS") applications as described in Alfresco's + * FLOSS exception. You should have recieved a copy of the text describing + * the FLOSS exception, and it is also available here: + * http://www.alfresco.com/legal/licensing" + */ +package org.alfresco.repo.security.person; + +import java.util.Map; +import java.util.Set; + +import org.alfresco.repo.security.permissions.impl.AccessPermissionImpl; +import org.alfresco.service.ServiceRegistry; +import org.alfresco.service.cmr.repository.NodeRef; +import org.alfresco.service.cmr.security.AccessPermission; +import org.alfresco.service.cmr.security.AccessStatus; +import org.alfresco.service.cmr.security.OwnableService; +import org.alfresco.service.cmr.security.PermissionService; + +public class PermissionsManagerImpl implements PermissionsManager +{ + + /** + * Set if permissions are inherited when nodes are created. 
+ */ + private Boolean inheritPermissions = false; + + /** + * A set of permissions to set for the owner when a home folder is created + */ + private Set ownerPermissions; + + /** + * General permissions to set on the node Map<(String)uid, Set<(String)permission>>. + */ + private Map> permissions; + + /** + * Permissions to set for the user - on create and reference. + */ + private Set userPermissions; + + /** + * Clear existing permissions on new home folders (useful of created from a template. + */ + private Boolean clearExistingPermissions = false; + + private OwnableService ownableService; + + private PermissionService permissionService; + + public boolean getInheritPermissions() + { + return inheritPermissions; + } + + public void setInheritPermissions(boolean inheritPermissions) + { + this.inheritPermissions = inheritPermissions; + } + + public Set getOwnerPermissions() + { + return ownerPermissions; + } + + public void setOwnerPermissions(Set ownerPermissions) + { + this.ownerPermissions = ownerPermissions; + } + + public Map> getPermissions() + { + return permissions; + } + + public void setPermissions(Map> permissions) + { + this.permissions = permissions; + } + + public Set getUserPermissions() + { + return userPermissions; + } + + public void setUserPermissions(Set userPermissions) + { + this.userPermissions = userPermissions; + } + + public boolean getClearExistingPermissions() + { + return clearExistingPermissions; + } + + public void setClearExistingPermissions(boolean clearExistingPermissions) + { + this.clearExistingPermissions = clearExistingPermissions; + } + + public void setOwnableService(OwnableService ownableService) + { + this.ownableService = ownableService; + } + + public void setPermissionService(PermissionService permissionService) + { + this.permissionService = permissionService; + } + + public void setPermissions(NodeRef nodeRef, String owner, String user) + { + // Set to a specified owner + if (owner != null) + { + 
ownableService.setOwner(nodeRef, owner); + } + + // clear permissions - useful of not required from a template + + if ((clearExistingPermissions != null) && clearExistingPermissions.booleanValue()) + { + permissionService.deletePermissions(nodeRef); + } + + // inherit permissions + + if (inheritPermissions != null) + { + permissionService.setInheritParentPermissions(nodeRef, inheritPermissions.booleanValue()); + } + + // Set owner permissions + + if (ownerPermissions != null) + { + for (String permission : ownerPermissions) + { + permissionService.setPermission(nodeRef, PermissionService.OWNER_AUTHORITY, permission, true); + } + } + + // Add other permissions + + if (permissions != null) + { + for (String userForPermission : permissions.keySet()) + { + Set set = permissions.get(user); + if (set != null) + { + for (String permission : set) + { + permissionService.setPermission(nodeRef, userForPermission, permission, true); + } + } + } + } + + // Add user permissions on create and reference + + if (userPermissions != null) + { + for (String permission : userPermissions) + { + permissionService.setPermission(nodeRef, user, permission, true); + } + } + + } + + public boolean validatePermissions(NodeRef nodeRef, String owner, String user) + { + if (owner != null) + { + String setOwner = ownableService.getOwner(nodeRef); + if (!owner.equals(setOwner)) + { + return false; + } + } + + // inherit permissions + + if (inheritPermissions != null) + { + if (inheritPermissions != permissionService.getInheritParentPermissions(nodeRef)) + { + return false; + } + } + + Set setPermissions = permissionService.getAllSetPermissions(nodeRef); + + if (ownerPermissions != null) + { + for (String permission : ownerPermissions) + { + AccessPermission required = new AccessPermissionImpl(permission, AccessStatus.ALLOWED, PermissionService.OWNER_AUTHORITY, 0); + if (!setPermissions.contains(required)) + { + return false; + } + } + } + + // Add other permissions + + if (permissions != null) + { 
+ for (String userForPermission : permissions.keySet()) + { + Set set = permissions.get(user); + if (set != null) + { + for (String permission : set) + { + AccessPermission required = new AccessPermissionImpl(permission, AccessStatus.ALLOWED, userForPermission, 0); + if (!setPermissions.contains(required)) + { + return false; + } + } + } + } + } + + if (userPermissions != null) + { + for (String permission : userPermissions) + { + AccessPermission required = new AccessPermissionImpl(permission, AccessStatus.ALLOWED, user, 0); + if (!setPermissions.contains(required)) + { + return false; + } + } + } + + // TODO: Check we have no extras if we should have cleared permissions ... ?? + + return true; + } + +} diff --git a/source/java/org/alfresco/repo/security/person/PersonServiceImpl.java b/source/java/org/alfresco/repo/security/person/PersonServiceImpl.java index 8772e3942b..8568f4b7ad 100644 --- a/source/java/org/alfresco/repo/security/person/PersonServiceImpl.java +++ b/source/java/org/alfresco/repo/security/person/PersonServiceImpl.java @@ -105,7 +105,7 @@ public class PersonServiceImpl extends TransactionListenerAdapter implements Per private PermissionServiceSPI permissionServiceSPI; private NamespacePrefixResolver namespacePrefixResolver; - + private HomeFolderManager homeFolderManager; private PolicyComponent policyComponent; @@ -113,7 +113,7 @@ public class PersonServiceImpl extends TransactionListenerAdapter implements Per private boolean createMissingPeople; private static Set mutableProperties; - + private String defaultHomeFolderProvider; private boolean processDuplicates = true; @@ -126,6 +126,8 @@ public class PersonServiceImpl extends TransactionListenerAdapter implements Per private PersonDao personDao; + private PermissionsManager permissionsManager; + /** a transactionally-safe cache to be injected */ private SimpleCache personCache; 
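Review bot: In setPermissions the loop over `permissions.keySet()` looks up `permissions.get(user)` instead of `permissions.get(userForPermission)`, so the configured per-authority permissions are never applied unless the `user` argument happens to be a key, in which case that user's set is granted to every configured authority; validatePermissions has the same lookup and will therefore report such nodes as valid. Change both to `Set set = permissions.get(userForPermission);`, or iterate `permissions.entrySet()` so the key and value cannot diverge. Separately, `inheritPermissions` and `clearExistingPermissions` are declared `Boolean` but their only setters take `boolean`, so the null guards in both methods never fire and plain `boolean` fields would be clearer. The class also lacks a Javadoc stating which of the configured settings validatePermissions does not check (the existing TODO notes that cleared-permission state is not verified).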
@@ -171,11 +173,12 @@ public class PersonServiceImpl extends TransactionListenerAdapter implements Per PropertyCheck.mandatory(this, "personCache", personCache); PropertyCheck.mandatory(this, "personDao", personDao); - // Avoid clash with home folder registration - //this.policyComponent - // .bindClassBehaviour(QName.createQName(NamespaceService.ALFRESCO_URI, "onCreateNode"), ContentModel.TYPE_PERSON, new JavaBehaviour(this, "onCreateNode")); + + this.policyComponent.bindClassBehaviour(QName.createQName(NamespaceService.ALFRESCO_URI, "onCreateNode"), ContentModel.TYPE_PERSON, new JavaBehaviour(this, "onCreateNode")); this.policyComponent.bindClassBehaviour(QName.createQName(NamespaceService.ALFRESCO_URI, "beforeDeleteNode"), ContentModel.TYPE_PERSON, new JavaBehaviour(this, "beforeDeleteNode")); + + } public UserNameMatcher getUserNameMatcher() @@ -217,12 +220,17 @@ public class PersonServiceImpl extends TransactionListenerAdapter implements Per { this.homeFolderManager = homeFolderManager; } - + public void setPersonDao(PersonDao personDao) { this.personDao = personDao; } + public void setPermissionsManager(PermissionsManager permissionsManager) + { + this.permissionsManager = permissionsManager; + } + /** * Set the username to person cache. * 
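Review bot: afterPropertiesSet declares personCache and personDao mandatory but not the newly injected permissionsManager, which the re-enabled onCreateNode behaviour bound here dereferences unconditionally in a later hunk, so a missing bean surfaces as a NullPointerException during person creation rather than at startup. Add `PropertyCheck.mandatory(this, "permissionsManager", permissionsManager);` alongside the existing checks. The two added blank lines after the bindClassBehaviour calls are also stray whitespace.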
@@ -326,13 +334,13 @@ public class PersonServiceImpl extends TransactionListenerAdapter implements Per } else { - String userNameSensitivity = " (user name is case-" + (userNameMatcher.getUserNamesAreCaseSensitive() ? "sensitive" : "insensitive") + ")"; + String userNameSensitivity = " (user name is case-" + (userNameMatcher.getUserNamesAreCaseSensitive() ? "sensitive" : "insensitive") + ")"; String domainNameSensitivity = ""; - if (! userNameMatcher.getDomainSeparator().equals("")) + if (!userNameMatcher.getDomainSeparator().equals("")) { domainNameSensitivity = " (domain name is case-" + (userNameMatcher.getDomainNamesAreCaseSensitive() ? "sensitive" : "insensitive") + ")"; } - + throw new AlfrescoRuntimeException("Found more than one user for " + searchUserName + userNameSensitivity + domainNameSensitivity); } } @@ -556,7 +564,7 @@ public class PersonServiceImpl extends TransactionListenerAdapter implements Per } } } - + private HashMap getDefaultProperties(String userName) { HashMap properties = new HashMap(); @@ -582,8 +590,9 @@ public class PersonServiceImpl extends TransactionListenerAdapter implements Per properties.put(ContentModel.PROP_USERNAME, userName); properties.put(ContentModel.PROP_SIZE_CURRENT, 0L); - return nodeService.createNode(getPeopleContainer(), ContentModel.ASSOC_CHILDREN, QName.createQName("cm", userName, namespacePrefixResolver), ContentModel.TYPE_PERSON, + NodeRef personRef = nodeService.createNode(getPeopleContainer(), ContentModel.ASSOC_CHILDREN, QName.createQName("cm", userName, namespacePrefixResolver), ContentModel.TYPE_PERSON, properties).getChildRef(); + return personRef; } public NodeRef getPeopleContainer() 
@@ -695,6 +704,7 @@ public class PersonServiceImpl extends TransactionListenerAdapter implements Per NodeRef personRef = childAssocRef.getChildRef(); String username = (String) this.nodeService.getProperty(personRef, ContentModel.PROP_USERNAME); this.personCache.put(username, personRef); + permissionsManager.setPermissions(personRef, username, username); } /* @@ -824,5 +834,4 @@ public class PersonServiceImpl extends TransactionListenerAdapter implements Per return userNameMatcher.getUserNamesAreCaseSensitive(); } - }