Merged V2.3 to V2.1.1:

96823: RM-1903 (Can't manage permissions without "Manage Access Controls" capability)
   97435: RM-1903: Can't manage permissions without "Manage Access Controls" capability
   97436: RM-1903 - updates to unit tests
   97595: RM-1903 (Can't manage permissions without "Manage Access Controls" capability)



git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.2@99374 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-security-context.xml

@@ -5,6 +5,7 @@
 
    <!--  Assignable Capabilities -->
    
+   <!-- controls user and group creation/destruction -->
    <bean id="rmCreateModifyDestroyUsersAndGroupsCapability"
       parent="declarativeCapability">
       <property name="name" value="CreateModifyDestroyUsersAndGroups" />
@@ -21,6 +22,7 @@
       <property name="index" value="30" />
    </bean>
 
+   <!--  controls user and gropus role assignments -->
    <bean id="rmManageAccessControlsCapability"
       parent="declarativeCapability">
       <property name="name" value="ManageAccessControls" />

rm-server/config/alfresco/module/org_alfresco_module_rm/messages/capability-service.properties

@@ -84,8 +84,8 @@ capability.CreateModifyDestroyRoles.title=Create Modify Destroy Roles
 capability.CreateModifyDestroyUsersAndGroups.title=Create Modify Destroy Users and Groups
 capability.PasswordControl.title=Password Control
 capability.DisplayRightsReport.title=Display Rights Report
-capability.ManageAccessControls.title=Manage Access Controls
-capability.ManageAccessRights.title=Manage Access Rights
+capability.ManageAccessControls.title=Group and User Role Assignment
+capability.ManageAccessRights.title=Manage Permissions
 
 # Configuration
 capability.group.config.title=Configuration

rm-server/config/alfresco/module/org_alfresco_module_rm/rm-service-context.xml

@@ -551,8 +551,8 @@
                 org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.getUsersAssignedToRole=RM.Read.0
                 org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.getGroupsAssignedToRole=RM.Read.0
                 org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.getAllAssignedToRole=RM.Read.0
-                org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.assignRoleToAuthority=RM_CAP.0.rma:filePlanComponent.CreateModifyDestroyUsersAndGroups
-                org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.unassignRoleFromAuthority=RM_CAP.0.rma:filePlanComponent.CreateModifyDestroyUsersAndGroups
+                org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.assignRoleToAuthority=RM_CAP.0.rma:filePlanComponent.ManageAccessControls
+                org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.unassignRoleFromAuthority=RM_CAP.0.rma:filePlanComponent.ManageAccessControls
                 org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.getAllRolesContainerGroup=RM_ALLOW
                 org.alfresco.module.org_alfresco_module_rm.role.FilePlanRoleService.*=RM_DENY
                 ]]>

rm-server/config/alfresco/module/org_alfresco_module_rm/security/rm-method-security.properties

@@ -173,12 +173,12 @@ rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.getPermiss
 rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.getAllSetPermissions=RM.Read.0
 rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.getSettablePermissions=RM_ALLOW
 rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.hasPermission=RM_ALLOW
-rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.deletePermissions=RM.Capability.0
-rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.deletePermission=RM.Capability.0
-rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.setPermission=RM.Capability.0
-rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.setInheritParentPermissions=RM.Capability.0
+rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.deletePermissions=RM_CAP.0.rma:filePlanComponent.ManageAccessRights
+rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.deletePermission=RM_CAP.0.rma:filePlanComponent.ManageAccessRights
+rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.setPermission=RM_CAP.0.rma:filePlanComponent.ManageAccessRights
+rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.setInheritParentPermissions=RM_CAP.0.rma:filePlanComponent.ManageAccessRights
 rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.getInheritParentPermissions=RM_ALLOW
-rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.clearPermission=RM.Capability.0
+rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.clearPermission=RM_CAP.0.rma:filePlanComponent.ManageAccessRights
 rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.*=RM_DENY
 
 ## Site service

rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/policy/CapabilityPolicy.java

@@ -1,46 +0,0 @@
-/*
- * Copyright (C) 2005-2014 Alfresco Software Limited.
- *
- * This file is part of Alfresco
- *
- * Alfresco is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * Alfresco is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
- */
-package org.alfresco.module.org_alfresco_module_rm.capability.policy;
-
-import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel;
-import org.alfresco.service.cmr.repository.NodeRef;
-import org.aopalliance.intercept.MethodInvocation;
-
-/**
- *
- * @author Roy Wetherall
- * @since 2.1
- */
-public class CapabilityPolicy extends AbstractBasePolicy
-{
-    /**
-     * @see org.alfresco.module.org_alfresco_module_rm.capability.policy.Policy#evaluate(org.aopalliance.intercept.MethodInvocation, java.lang.Class[], org.alfresco.module.org_alfresco_module_rm.capability.policy.ConfigAttributeDefinition)
-     */
-    @Override
-    @SuppressWarnings("rawtypes")
-	public int evaluate(
-            MethodInvocation invocation,
-            Class[] params,
-            ConfigAttributeDefinition cad)
-    {
-        NodeRef testNodeRef = getTestNode(invocation, params, cad.getParameters().get(0), cad.isParent());
-        return getCapabilityService().getCapability(RMPermissionModel.MANAGE_ACCESS_CONTROLS).evaluate(testNodeRef);
-    }
-
-}

rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/legacy/webscript/RmAuthoritiesRestApiTest.java

@@ -81,7 +81,7 @@ public class RmAuthoritiesRestApiTest extends BaseRMWebScriptTestCase
                 // Create test role
                 Set<Capability> capabilities = new HashSet<Capability>(2);
                 capabilities.add(capabilityService.getCapability(RMPermissionModel.VIEW_RECORDS));
-                capabilities.add(capabilityService.getCapability(RMPermissionModel.CREATE_MODIFY_DESTROY_USERS_AND_GROUPS));
+                capabilities.add(capabilityService.getCapability(RMPermissionModel.MANAGE_ACCESS_CONTROLS));
                 filePlanRoleService.createRole(filePlan, ROLE_INCLUDING_CAPABILITY, ROLE_INCLUDING_CAPABILITY, capabilities);
                 // Add user to the role
                 filePlanRoleService.assignRoleToAuthority(filePlan, ROLE_INCLUDING_CAPABILITY, USER_WITH_CAPABILITY);