From 412880e8d90f55c013542de62206ddec875f7dad Mon Sep 17 00:00:00 2001
From: Jamal Kaabi-Mofrad
Date: Tue, 10 May 2016 10:56:49 +0000
Subject: [PATCH] Merged FILE-FOLDER-API (5.2.0) to HEAD (5.2) 122008 jvonka: (Quick) Shared Links API - limit @WebApiNoAuth to specific GET methods (not complete resource) RA-775, RA-750
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@126448 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 .../rest/api/impl/QuickShareLinksImpl.java | 14 ++++++++--
 .../framework/core/ResourceInspector.java | 26 ++++++++++++++++---
 2 files changed, 35 insertions(+), 5 deletions(-)
diff --git a/source/java/org/alfresco/rest/api/impl/QuickShareLinksImpl.java b/source/java/org/alfresco/rest/api/impl/QuickShareLinksImpl.java
index 363e21dcdd..c342ba6594 100644
--- a/source/java/org/alfresco/rest/api/impl/QuickShareLinksImpl.java
+++ b/source/java/org/alfresco/rest/api/impl/QuickShareLinksImpl.java
@@ -125,11 +125,20 @@ public class QuickShareLinksImpl implements QuickShareLinks, InitializingBean *

 * Note: does *not* require authenticated access for (public) shared link. */
- public QuickShareLink readById(String sharedId, Parameters parameters)
+ public QuickShareLink readById(final String sharedId, Parameters parameters) { checkEnabled();
- return getQuickShareInfo(sharedId);
+ Pair pair = quickShareService.getTenantNodeRefFromSharedId(sharedId);
+ String networkTenantDomain = pair.getFirst();
+
+ return TenantUtil.runAsSystemTenant(new TenantUtil.TenantRunAsWork()
+ {
+ public QuickShareLink doWork() throws Exception
+ {
+ return getQuickShareInfo(sharedId);
+ }
+ }, networkTenantDomain); } /**
@@ -254,6 +263,7 @@ public class QuickShareLinksImpl implements QuickShareLinks, InitializingBean { // Note: this throws AccessDeniedException (=> 403) via QuickShareService (when NodeService tries to getAspects) QuickShareDTO qsDto = quickShareService.shareContent(nodeRef);
+ result.add(getQuickShareInfo(qsDto.getId())); } catch (AccessDeniedException ade)
diff --git a/source/java/org/alfresco/rest/framework/core/ResourceInspector.java b/source/java/org/alfresco/rest/framework/core/ResourceInspector.java
index 40b600ebe3..826ec05d44 100644
--- a/source/java/org/alfresco/rest/framework/core/ResourceInspector.java
+++ b/source/java/org/alfresco/rest/framework/core/ResourceInspector.java
@@ -62,6 +62,7 @@ import org.springframework.util.ReflectionUtils; * Looks at resources to see what they can do * * @author Gethin James
+ * @author janv */ public class ResourceInspector {
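Review bot: readById now calls quickShareService.getTenantNodeRefFromSharedId(sharedId) on an endpoint its own Javadoc says needs no authentication, and then runs getQuickShareInfo as the system user of the tenant taken from that id, but the Javadoc still only says the call is unauthenticated; add a line such as `* Resolves the tenant from the shared id and runs the lookup as system in that tenant, so only what getQuickShareInfo chooses to expose reaches the (possibly anonymous) caller.` What getTenantNodeRefFromSharedId throws for an unknown or malformed sharedId is not visible in the hunk — if it is not the same not-found exception getQuickShareInfo produced before, anonymous callers would now see a different status for a bad id, so that mapping deserves a test. `Pair` and `TenantRunAsWork` appear without type arguments, which looks like generics lost in rendering rather than raw types in the source; worth confirming against the file. The readById body is complete within the hunk; the second hunk's one-line `result.add(...)` sits in a try/catch that starts and ends outside it.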
@@ -117,7 +118,12 @@ public class ResourceInspector findOperation(MultiPartResourceAction.Create.class, HttpMethod.POST, helper); boolean noAuth = resource.isAnnotationPresent(WebApiNoAuth.class);
- Set> apiNoAuth = (noAuth ? ALL_ENTITY_RESOURCE_INTERFACES : helper.apiNoAuth);
+ if (noAuth)
+ {
+ throw new IllegalArgumentException("@WebApiNoAuth should not be on all (entity resource class) - only on individual methods: "+urlPath);
+ }
+
+ Set> apiNoAuth = helper.apiNoAuth; if (resource.isAnnotationPresent(WebApiDeleted.class)) {
@@ -156,7 +162,12 @@ public class ResourceInspector findOperation(BinaryResourceAction.Update.class, HttpMethod.PUT, helperForAddressProps); boolean noAuth = resource.isAnnotationPresent(WebApiNoAuth.class);
- Set> apiNoAuth = (noAuth ? ALL_PROPERTY_RESOURCE_INTERFACES : helperForAddressProps.apiNoAuth);
+ if (noAuth)
+ {
+ throw new IllegalArgumentException("@WebApiNoAuth should not be on all (address properties) - only on individual methods: "+entityPath);
+ }
+
+ Set> apiNoAuth = helperForAddressProps.apiNoAuth; if (resource.isAnnotationPresent(WebApiDeleted.class)) {
@@ -194,7 +205,12 @@ public class ResourceInspector findOperation(MultiPartRelationshipResourceAction.Create.class, HttpMethod.POST, helper); boolean noAuth = resource.isAnnotationPresent(WebApiNoAuth.class);
- Set> apiNoAuth = (noAuth ? ALL_RELATIONSHIP_RESOURCE_INTERFACES : helper.apiNoAuth);
+ if (noAuth)
+ {
+ throw new IllegalArgumentException("@WebApiNoAuth should not be on all (relationship resource class) - only on methods: "+urlPath);
+ }
+
+ Set> apiNoAuth = helper.apiNoAuth; if (resource.isAnnotationPresent(WebApiDeleted.class)) {
@@ -231,6 +247,10 @@ public class ResourceInspector if (isNoAuth(aMethod)) {
+ if (! httpMethod.equals(HttpMethod.GET))
+ {
+ throw new IllegalArgumentException("@WebApiNoAuth should only be on GET methods: "+operation.getTitle());
+ } helper.whenOperationNoAuth(resourceInterfaceWithOneMethod, aMethod); } }
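Review bot: The class-level @WebApiNoAuth guard added here is repeated verbatim in the hunks at -156 and -194, with the message drifting between "only on individual methods" and "only on methods"; one private helper holding the check and a single message keeps the three paths consistent and gives reviewers one place to audit the rule. With the ternaries removed, ALL_ENTITY_RESOURCE_INTERFACES, ALL_PROPERTY_RESOURCE_INTERFACES and ALL_RELATIONSHIP_RESOURCE_INTERFACES have no remaining use in these hunks — if nothing else in the class reads them they should be deleted, so a later edit cannot quietly reinstate resource-wide unauthenticated access. The enclosing inspection methods start and end outside all three hunks.
```java
// One rule for entity, address-property and relationship resources:
// unauthenticated access is never granted for a whole resource class.
private static void rejectClassLevelNoAuth(Class<?> resource, String path)
{
    if (resource.isAnnotationPresent(WebApiNoAuth.class))
    {
        throw new IllegalArgumentException("@WebApiNoAuth should not be on the resource class - only on individual methods: " + path);
    }
}
// … unchanged: each inspection method then calls rejectClassLevelNoAuth(resource, urlPath) …
```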
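Review bot: `if (! httpMethod.equals(HttpMethod.GET))` in the last hunk (-231) compares what is used like an enum with equals(), which would surface a null httpMethod as a NullPointerException instead of the intended misconfiguration error; assuming HttpMethod is an enum, `if (httpMethod != HttpMethod.GET)` is the idiomatic identity comparison, is null-safe, and drops the unusual `! ` spacing. The check runs at resource inspection time, so an operation wrongly marked @WebApiNoAuth fails loudly rather than being registered as an unauthenticated non-GET endpoint, which is the right place for it; a comment such as `// unauthenticated access is granted per operation and only for GET` would preserve that intent through later refactoring. The enclosing method starts and ends outside the hunk.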