RM-982: Normal user can File and Reject record they declared.

* FileUnfiledRecords and RejectRecords are now assignable capabilities
  * by default Admin, Records Manager, Security Manager and Power User have them
  * they can be added and removed from custom or default roles via the management UI
  * capability patch updated accordingly
  * extedned get roles ReST API to include/exclude system roles
  * In-Place Reader and In-Place Writer roles capabilities are configurable again, but their users and groups are not (as intended)



git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/HEAD@55935 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-group-context.xml

@@ -101,7 +101,7 @@
             <ref bean="rmMoveRecordCategoryCapability"/>
             <ref bean="rmMoveRecordFolderCapability"/>
             <ref bean="rmMoveRecordsCapability"/>
-            <ref bean="rmFileToRecordsCapability"/>
+            <ref bean="rmFileUnfiledRecordsCapability"/>
          </list>
       </property>
    </bean>

rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-record-context.xml

@@ -117,10 +117,10 @@
       <property name="targetCapability" ref="rmFileRecordsCapability" />
    </bean>
 
-   <bean id="rmFileToRecordsCapability"
+   <bean id="rmFileUnfiledRecordsCapability"                              
       parent="declarativeCapability">
-      <property name="name" value="FileToRecords"/>
+      <property name="name" value="FileUnfiledRecords"/>						
-      <property name="private" value="true" />								<!-- This is an unasingable capability, we reference an assignable one in the target -->
+      <property name="permission" value="FileUnfiledRecords"/>
       <property name="conditions">
          <map>
             <entry key="capabilityCondition.filling" value="true"/>  		<!--  Checks if the user has the filling capability -->
@@ -128,7 +128,9 @@
             <entry key="capabilityCondition.recordFiled" value="false"/>	<!--  Checks that the node hasn't been filed -->
          </map>
       </property>
-      <property name="targetCapability" ref="rmFileRecordsCapability" />  <!--  Checks that the user has the correct capability on the destination folder -->
+      <property name="targetCapability" ref="rmFileRecordsCapability" />  <!--  Checks that the user has the correct capability on the destination folder -->      
+      <property name="group"><ref bean="recordsGroup"/></property>
+      <property name="index" value="41" />
    </bean>
 
    <bean id="rmDeclareRecordsCapability"
@@ -254,7 +256,7 @@
    <bean id="rmRejectRecordsCapability"
       parent="declarativeCapability">
       <property name="name" value="RejectRecords"/>
-      <property name="private" value="true" />
+      <property name="permission" value="RejectRecords"/>
       <property name="conditions">
          <map>
             <entry key="capabilityCondition.filling" value="true"/>
@@ -265,6 +267,8 @@
             <entry key="capabilityCondition.recordFiled" value="false"/>
          </map>
       </property>
+      <property name="group"><ref bean="recordsGroup"/></property>
+      <property name="index" value="42" />
    </bean>
    
    <bean id="rmHideRecordsCapability" 

rm-server/config/alfresco/module/org_alfresco_module_rm/messages/capability-service.properties

@@ -5,6 +5,8 @@ capability.ViewRecords.title=View Records
 capability.UndeclareRecords.title=Reopen Records
 capability.CreateRecords.title=Create Records
 capability.RequestRecordInformation.title=Request Record Information
+capability.RejectRecords=Reject Records
+capability.FileUnfiledRecords=File Unfiled Records
 
 # Metadata Control
 capability.group.metadataControl.title=Metadata Control

rm-server/config/alfresco/module/org_alfresco_module_rm/model/recordsPermissionModel.xml

@@ -84,6 +84,8 @@
             <includePermissionGroup type="rma:filePlanComponent" permissionGroup="ManageRules"/>
             <includePermissionGroup type="rma:filePlanComponent" permissionGroup="RequestRecordInformation"/>
             <includePermissionGroup type="rma:filePlanComponent" permissionGroup="FileDestructionReport"/>
+            <includePermissionGroup type="rma:filePlanComponent" permissionGroup="FileUnfiledRecords"/>
+            <includePermissionGroup type="rma:filePlanComponent" permissionGroup="RejectRecords"/>
         </permissionGroup>
         
         <permissionGroup name="Filing" allowFullControl="false" expose="true">
@@ -160,6 +162,8 @@
         <permissionGroup name="ManageRules" expose="false" allowFullControl="false"/>
         <permissionGroup name="RequestRecordInformation" expose="false" allowFullControl="false"/>
         <permissionGroup name="FileDestructionReport" expose="false" allowFullControl="false"/>
+        <permissionGroup name="RejectRecords" expose="false" allowFullControl="false"/>
+        <permissionGroup name="FileUnfiledRecords" expose="false" allowFullControl="false"/>
         
         <!--  End -->
         
@@ -421,6 +425,14 @@
             <grantedToGroup permissionGroup="FileDestructionReport"/>
         </permission>
         
+        <permission name="_FileUnfiledRecords" expose="false">
+            <grantedToGroup permissionGroup="FileUnfiledRecords"/>
+        </permission>
+        
+        <permission name="_RejectRecords" expose="false">
+            <grantedToGroup permissionGroup="RejectRecords"/>
+        </permission>
+        
     </permissionSet>
     
 </permissions>

rm-server/config/alfresco/module/org_alfresco_module_rm/rm-action-context.xml

@@ -807,10 +807,20 @@
       <property name="target" ref="reject"/>
       <property name="interceptorNames">
          <list>
-            <idref bean="allow_security"/>
+            <idref bean="reject_security"/>
          </list>
       </property>
    </bean>
+   
+   <bean id="reject_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" parent="actionSecurity">
+      <property name="objectDefinitionSource">
+         <value>
+            org.alfresco.module.org_alfresco_module_rm.action.RecordsManagementAction.execute=RM_CAP.0.rma:filePlanComponent.RejectRecords
+            org.alfresco.module.org_alfresco_module_rm.action.RecordsManagementAction.*=RM_ALLOW
+            org.alfresco.repo.action.executer.ActionExecuter.*=RM_ALLOW
+         </value>
+      </property>
+   </bean>
 
    <bean id="reject" class="org.alfresco.module.org_alfresco_module_rm.action.impl.RejectAction" parent="rmAction">
       <property name="publicAction" value="true"/>
@@ -822,10 +832,20 @@
       <property name="target" ref="fileTo"/>
         <property name="interceptorNames">
             <list>
-               <idref bean="allow_security"/>
+               <idref bean="fileTo_security"/>
             </list>
          </property>
    </bean>
+   
+   <bean id="fileTo_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor" parent="actionSecurity">
+      <property name="objectDefinitionSource">
+         <value>
+            org.alfresco.module.org_alfresco_module_rm.action.RecordsManagementAction.execute=RM_CAP.0.rma:filePlanComponent.FileUnfiledRecords
+            org.alfresco.module.org_alfresco_module_rm.action.RecordsManagementAction.*=RM_ALLOW
+            org.alfresco.repo.action.executer.ActionExecuter.*=RM_ALLOW
+         </value>
+      </property>
+   </bean>
 
    <bean id="fileTo" class="org.alfresco.module.org_alfresco_module_rm.action.impl.FileToAction" parent="rmAction">
       <property name="fileFolderService" ref="FileFolderService"/>

rm-server/config/alfresco/module/org_alfresco_module_rm/rm-ui-evaluators-context.xml

@@ -308,7 +308,7 @@
             <value>RECORD</value>
          </set>
       </property>
-      <property name="capability" value="FileToRecords" />
+      <property name="capability" value="FileUnfiledRecords" />
    </bean>
 
    <bean id="jsonConversionComponent.file"

rm-server/config/alfresco/module/org_alfresco_module_rm/security/rm-default-roles-bootstrap.json

@@ -46,7 +46,9 @@
          "ReOpenFolders",
          "CycleVitalRecords",
          "PlanningReviewCycles",
-         "RequestRecordInformation"
+         "RequestRecordInformation",
+         "FileUnfiledRecords",
+         "RejectRecords"
       ]
    },
    {
@@ -67,7 +69,9 @@
           "ReOpenFolders",
           "CycleVitalRecords",
           "PlanningReviewCycles",
-          "RequestRecordInformation"
+          "RequestRecordInformation",
+          "FileUnfiledRecords",
+          "RejectRecords"
       ]
    },
    {
@@ -128,7 +132,9 @@
           "ExportAudit",
           "CreateModifyDestroyReferenceTypes",
           "RequestRecordInformation",
-          "FileDestructionReport"
+          "FileDestructionReport",
+          "FileUnfiledRecords",
+          "RejectRecords"
       ]
    },
    {
@@ -191,7 +197,9 @@
           "ManageAccessControls",
           "ManageRules",
           "RequestRecordInformation",
-          "FileDestructionReport"
+          "FileDestructionReport",
+          "FileUnfiledRecords",
+          "RejectRecords"
       ]
    }
 ]

rm-server/config/alfresco/templates/webscripts/org/alfresco/rma/admin/rmrole/rmroles.get.desc.xml

@@ -9,11 +9,12 @@
      siteid - id of a RM site to take the file plan from
      user - only returns roles that this user is assigned to
      auths - if true, returns details of authorites directly assigned to the role.  false by default.	
+     is - if true includes system roles in the results, otherwise excludes them.  false by default.
   ]]>
   </description>
-  <url>/api/rma/admin/rmroles?user={user?}&amp;auths={auths?}</url>  <!--  NOTE: this URL should be considered as deprecated -->
+  <url>/api/rma/admin/rmroles?user={user?}&amp;auths={auths?}&amp;is={is?}</url>  <!--  NOTE: this URL should be considered as deprecated -->
-  <url>/api/rma/admin/{store_type}/{store_id}/{id}/rmroles?user={user?}&amp;auths={auths?}</url>
+  <url>/api/rma/admin/{store_type}/{store_id}/{id}/rmroles?user={user?}&amp;auths={auths?}&amp;is={is?}</url>
-  <url>/api/rma/admin/{siteid}/rmroles?user={user?}&amp;auths={auths?}</url>
+  <url>/api/rma/admin/{siteid}/rmroles?user={user?}&amp;auths={auths?}&amp;is={is?}</url>
   <format default="json">argument</format>
   <authentication>user</authentication>
   <transaction allow="readonly">required</transaction>

rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/patch/RMv21CapabilityPatch.java

@@ -122,7 +122,19 @@ public class RMv21CapabilityPatch extends ModulePatchComponent
             addCapability(filePlan,
                           "FileDestructionReport", 
                           FilePlanRoleService.ROLE_ADMIN, 
-                          FilePlanRoleService.ROLE_RECORDS_MANAGER);            
+                          FilePlanRoleService.ROLE_RECORDS_MANAGER); 
+            addCapability(filePlan,
+                          "RejectRecords", 
+                          FilePlanRoleService.ROLE_ADMIN, 
+                          FilePlanRoleService.ROLE_POWER_USER, 
+                          FilePlanRoleService.ROLE_RECORDS_MANAGER,
+                          FilePlanRoleService.ROLE_SECURITY_OFFICER);    
+            addCapability(filePlan,
+                          "FileUnfiledRecords", 
+                          FilePlanRoleService.ROLE_ADMIN, 
+                          FilePlanRoleService.ROLE_POWER_USER, 
+                          FilePlanRoleService.ROLE_RECORDS_MANAGER,
+                          FilePlanRoleService.ROLE_SECURITY_OFFICER);         
         }
         
         if (logger.isDebugEnabled() == true)

rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/script/admin/RmRolesGet.java

@@ -57,16 +57,24 @@ public class RmRolesGet extends RoleDeclarativeWebScript
         {
             throw new WebScriptException(Status.STATUS_FOUND, "File plan does not exist.");
         }
+        
+        // get the includesystem parameter
+        boolean includeSystem = false;
+        String includeSystemValue = req.getParameter("is");
+        if (includeSystemValue != null && includeSystemValue.length() != 0)
+        {
+            includeSystem = Boolean.parseBoolean(includeSystemValue);
+        }
 
         // get the user filter
         String user = req.getParameter("user");
         if (user != null && user.length() != 0)
         {
-            roles = filePlanRoleService.getRolesByUser(filePlan, user, false);
+            roles = filePlanRoleService.getRolesByUser(filePlan, user, includeSystem);
         }
         else
         {
-            roles = filePlanRoleService.getRoles(filePlan, false);
+            roles = filePlanRoleService.getRoles(filePlan, includeSystem);
         }
 
         // get the auths parameter

rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/action/FileToActionTest.java

@@ -83,7 +83,7 @@ public class FileToActionTest extends BaseRMTestCase
                 assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(unfiledContainer, RMPermissionModel.FILING));
                 assertEquals(AccessStatus.ALLOWED, permissionService.hasPermission(rmFolder, RMPermissionModel.FILING));
 
-                Capability capability = capabilityService.getCapability("FileToRecords");
+                Capability capability = capabilityService.getCapability("FileUnfiledRecords");
                 assertNotNull(capability);
                 assertEquals(AccessStatus.ALLOWED, capability.hasPermission(dmDocument));