ACS-3291 Permission checks when linking and unlinking to rule sets.

packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/rules/RuleSetLinksTests.java

@@ -26,8 +26,15 @@
 package org.alfresco.rest.rules;
 
 import static org.alfresco.rest.rules.RulesTestsUtils.createRuleModel;
+import static org.alfresco.rest.rules.RulesTestsUtils.createRuleModelWithDefaultValues;
+import static org.alfresco.utility.constants.UserRole.SiteConsumer;
 import static org.alfresco.utility.report.log.Step.STEP;
-import static org.springframework.http.HttpStatus.*;
+import static org.springframework.http.HttpStatus.BAD_REQUEST;
+import static org.springframework.http.HttpStatus.CREATED;
+import static org.springframework.http.HttpStatus.FORBIDDEN;
+import static org.springframework.http.HttpStatus.NOT_FOUND;
+import static org.springframework.http.HttpStatus.NO_CONTENT;
+import static org.springframework.http.HttpStatus.OK;
 
 import org.alfresco.dataprep.CMISUtil;
 import org.alfresco.rest.RestTest;
@@ -167,7 +174,6 @@ public class RuleSetLinksTests extends RestTest
                 .get(0).onModel().assertThat().isEqualTo(expectedRuleSet);
     }
 
-
     /**
      * Check we get 404 when linking to a non-existing rule set/folder.
      */
@@ -308,6 +314,51 @@ public class RuleSetLinksTests extends RestTest
                 .get(0).onModel().assertThat().isEqualTo(expectedRuleSet);
     }
 
+    /**
+     * Check we get an error when trying to link to a rule set that we can't view.
+     */
+    @Test (groups = { TestGroup.REST_API, TestGroup.RULES })
+    public void linkToRuleSetWithoutPermission()
+    {
+        STEP("Use admin to create a private site with a folder containing a rule.");
+        SiteModel privateSite = dataSite.usingAdmin().createPrivateRandomSite();
+        FolderModel privateFolder = dataContent.usingAdmin().usingSite(privateSite).createFolder();
+        restClient.authenticateUser(dataUser.getAdminUser()).withCoreAPI().usingNode(privateFolder).usingDefaultRuleSet()
+                  .createSingleRule(createRuleModelWithDefaultValues());
+
+        STEP("Use a normal user to try to link to the rule.");
+        FolderModel publicFolder = dataContent.usingUser(user).usingSite(site).createFolder();
+        RestRuleSetLinkModel request = new RestRuleSetLinkModel();
+        request.setId(privateFolder.getNodeRef());
+        restClient.authenticateUser(user).withCoreAPI().usingNode(publicFolder).createRuleLink(request);
+
+        restClient.assertStatusCodeIs(FORBIDDEN);
+    }
+
+    /**
+     * Check we are able to link to a rule set with only read permission.
+     */
+    @Test (groups = { TestGroup.REST_API, TestGroup.RULES })
+    public void linkToRuleSetWithOnlyReadPermission()
+    {
+        STEP("Use admin to create a private site with a folder containing a rule.");
+        SiteModel privateSite = dataSite.usingAdmin().createPrivateRandomSite();
+        FolderModel privateFolder = dataContent.usingAdmin().usingSite(privateSite).createFolder();
+        restClient.authenticateUser(dataUser.getAdminUser()).withCoreAPI().usingNode(privateFolder).usingDefaultRuleSet()
+                  .createSingleRule(createRuleModelWithDefaultValues());
+
+        STEP("Add the normal user as a consumer.");
+        dataUser.usingAdmin().addUserToSite(user, privateSite, SiteConsumer);
+
+        STEP("Use a normal user to try to link to the rule.");
+        FolderModel publicFolder = dataContent.usingUser(user).usingSite(site).createFolder();
+        RestRuleSetLinkModel request = new RestRuleSetLinkModel();
+        request.setId(privateFolder.getNodeRef());
+        restClient.authenticateUser(user).withCoreAPI().usingNode(publicFolder).createRuleLink(request);
+
+        restClient.assertStatusCodeIs(CREATED);
+    }
+
     /**
      * Check we can DELETE/unlink a ruleset
      *
@@ -391,4 +442,63 @@ public class RuleSetLinksTests extends RestTest
         restClient.assertStatusCodeIs(NOT_FOUND)
                 .assertLastError().containsSummary("The entity with id:");
     }
+
+    /**
+     * Check we cannot unlink from a rule set that we can't view.
+     */
+    @Test (groups = { TestGroup.REST_API, TestGroup.RULES })
+    public void unlinkFromRuleSetWithoutPermission()
+    {
+        STEP("Use admin to create a private site with a folder containing a rule.");
+        SiteModel privateSite = dataSite.usingAdmin().createPrivateRandomSite();
+        FolderModel privateFolder = dataContent.usingAdmin().usingSite(privateSite).createFolder();
+        restClient.authenticateUser(dataUser.getAdminUser()).withCoreAPI().usingNode(privateFolder).usingDefaultRuleSet()
+                  .createSingleRule(createRuleModelWithDefaultValues());
+
+        STEP("Add the user as a consumer.");
+        dataUser.usingAdmin().addUserToSite(user, privateSite, SiteConsumer);
+
+        STEP("Use the consumer to create a folder with a link to the private rule set.");
+        FolderModel publicFolder = dataContent.usingUser(user).usingSite(site).createFolder();
+        RestRuleSetLinkModel request = new RestRuleSetLinkModel();
+        request.setId(privateFolder.getNodeRef());
+        restClient.authenticateUser(user).withCoreAPI().usingNode(publicFolder).createRuleLink(request);
+        restClient.assertStatusCodeIs(CREATED);
+
+        STEP("Remove the user from the private site.");
+        dataUser.usingAdmin().removeUserFromSite(user, privateSite);
+
+        STEP("Use the user to try to unlink from the rule set.");
+        restClient.authenticateUser(user).withCoreAPI().usingNode(publicFolder).unlinkRuleSet("-default-");
+
+        restClient.assertStatusCodeIs(FORBIDDEN);
+    }
+
+    /**
+     * Check we can unlink from a rule set if we only have read permission for it.
+     */
+    @Test (groups = { TestGroup.REST_API, TestGroup.RULES })
+    public void unlinkFromRuleSetWithOnlyReadPermission()
+    {
+        STEP("Use admin to create a private site with a folder containing a rule.");
+        SiteModel privateSite = dataSite.usingAdmin().createPrivateRandomSite();
+        FolderModel privateFolder = dataContent.usingAdmin().usingSite(privateSite).createFolder();
+        restClient.authenticateUser(dataUser.getAdminUser()).withCoreAPI().usingNode(privateFolder).usingDefaultRuleSet()
+                  .createSingleRule(createRuleModelWithDefaultValues());
+
+        STEP("Add the user as a consumer.");
+        dataUser.usingAdmin().addUserToSite(user, privateSite, SiteConsumer);
+
+        STEP("Use the consumer to create a folder with a link to the private rule set.");
+        FolderModel publicFolder = dataContent.usingUser(user).usingSite(site).createFolder();
+        RestRuleSetLinkModel request = new RestRuleSetLinkModel();
+        request.setId(privateFolder.getNodeRef());
+        restClient.authenticateUser(user).withCoreAPI().usingNode(publicFolder).createRuleLink(request);
+        restClient.assertStatusCodeIs(CREATED);
+
+        STEP("Use the consumer to try to unlink from the rule set.");
+        restClient.authenticateUser(user).withCoreAPI().usingNode(publicFolder).unlinkRuleSet("-default-");
+
+        restClient.assertStatusCodeIs(NO_CONTENT);
+    }
 }

remote-api/src/main/java/org/alfresco/rest/api/impl/rules/RuleSetsImpl.java

@@ -129,8 +129,8 @@ public class RuleSetsImpl implements RuleSets
         final NodeRef folderNodeRef = validator.validateFolderNode(folderNodeId,true);
         final boolean isRuleSetNode = validator.isRuleSetNode(linkToNodeId);
         final NodeRef linkToNodeRef = isRuleSetNode
-                ? validator.validateRuleSetNode(linkToNodeId, true)
+                ? validator.validateRuleSetNode(linkToNodeId, false)
-                : validator.validateFolderNode(linkToNodeId, true);
+                : validator.validateFolderNode(linkToNodeId, false);
 
         //The target node should have pre-existing rules to link to
         if (!ruleService.hasRules(linkToNodeRef)) {

remote-api/src/test/java/org/alfresco/rest/api/impl/rules/RuleSetsImplTest.java

@@ -98,7 +98,7 @@ public class RuleSetsImplTest extends TestCase
         MockitoAnnotations.openMocks(this);
 
         given(nodeValidatorMock.validateFolderNode(eq(LINK_TO_NODE_ID), anyBoolean())).willReturn(LINK_TO_NODE);
-        given(nodeValidatorMock.validateRuleSetNode(LINK_TO_NODE_ID,true)).willReturn(LINK_TO_NODE);
+        given(nodeValidatorMock.validateRuleSetNode(LINK_TO_NODE_ID,false)).willReturn(LINK_TO_NODE);
         given(nodeValidatorMock.validateFolderNode(eq(FOLDER_ID), anyBoolean())).willReturn(FOLDER_NODE);
         given(nodeValidatorMock.validateRuleSetNode(RULE_SET_ID, FOLDER_NODE)).willReturn(RULE_SET_NODE);
 
@@ -252,7 +252,7 @@ public class RuleSetsImplTest extends TestCase
 
         then(nodeValidatorMock).should().validateFolderNode(FOLDER_ID,true);
         then(nodeValidatorMock).should().isRuleSetNode(LINK_TO_NODE_ID);
-        then(nodeValidatorMock).should().validateRuleSetNode(LINK_TO_NODE_ID,true);
+        then(nodeValidatorMock).should().validateRuleSetNode(LINK_TO_NODE_ID,false);
         then(nodeValidatorMock).shouldHaveNoMoreInteractions();
         then(ruleServiceMock).should().hasRules(LINK_TO_NODE);
         then(ruleServiceMock).should().hasRules(FOLDER_NODE);