ACS-3291 Permission checks when linking and unlinking to rule sets.

2025-07-24 17:32:48 +00:00 · 2022-10-05 14:22:05 +01:00
parent 67f7fff0b7
commit 440f0568e3
3 changed files with 116 additions and 6 deletions
--- a/packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/rules/RuleSetLinksTests.java
+++ b/packaging/tests/tas-restapi/src/test/java/org/alfresco/rest/rules/RuleSetLinksTests.java
@@ -26,8 +26,15 @@
 package org.alfresco.rest.rules;

 import static org.alfresco.rest.rules.RulesTestsUtils.createRuleModel;
+import static org.alfresco.rest.rules.RulesTestsUtils.createRuleModelWithDefaultValues;
+import static org.alfresco.utility.constants.UserRole.SiteConsumer;
 import static org.alfresco.utility.report.log.Step.STEP;
-import static org.springframework.http.HttpStatus.*;
+import static org.springframework.http.HttpStatus.BAD_REQUEST;
+import static org.springframework.http.HttpStatus.CREATED;
+import static org.springframework.http.HttpStatus.FORBIDDEN;
+import static org.springframework.http.HttpStatus.NOT_FOUND;
+import static org.springframework.http.HttpStatus.NO_CONTENT;
+import static org.springframework.http.HttpStatus.OK;

 import org.alfresco.dataprep.CMISUtil;
 import org.alfresco.rest.RestTest;
@@ -167,7 +174,6 @@ public class RuleSetLinksTests extends RestTest
                .get(0).onModel().assertThat().isEqualTo(expectedRuleSet);
    }

-
    /**
     * Check we get 404 when linking to a non-existing rule set/folder.
     */
@@ -308,6 +314,51 @@ public class RuleSetLinksTests extends RestTest
                .get(0).onModel().assertThat().isEqualTo(expectedRuleSet);
    }

+    /**
+     * Check we get an error when trying to link to a rule set that we can't view.
+     */
+    @Test (groups = { TestGroup.REST_API, TestGroup.RULES })
+    public void linkToRuleSetWithoutPermission()
+    {
+        STEP("Use admin to create a private site with a folder containing a rule.");
+        SiteModel privateSite = dataSite.usingAdmin().createPrivateRandomSite();
+        FolderModel privateFolder = dataContent.usingAdmin().usingSite(privateSite).createFolder();
+        restClient.authenticateUser(dataUser.getAdminUser()).withCoreAPI().usingNode(privateFolder).usingDefaultRuleSet()
+                  .createSingleRule(createRuleModelWithDefaultValues());
+
+        STEP("Use a normal user to try to link to the rule.");
+        FolderModel publicFolder = dataContent.usingUser(user).usingSite(site).createFolder();
+        RestRuleSetLinkModel request = new RestRuleSetLinkModel();
+        request.setId(privateFolder.getNodeRef());
+        restClient.authenticateUser(user).withCoreAPI().usingNode(publicFolder).createRuleLink(request);
+
+        restClient.assertStatusCodeIs(FORBIDDEN);
+    }
+
+    /**
+     * Check we are able to link to a rule set with only read permission.
+     */
+    @Test (groups = { TestGroup.REST_API, TestGroup.RULES })
+    public void linkToRuleSetWithOnlyReadPermission()
+    {
+        STEP("Use admin to create a private site with a folder containing a rule.");
+        SiteModel privateSite = dataSite.usingAdmin().createPrivateRandomSite();
+        FolderModel privateFolder = dataContent.usingAdmin().usingSite(privateSite).createFolder();
+        restClient.authenticateUser(dataUser.getAdminUser()).withCoreAPI().usingNode(privateFolder).usingDefaultRuleSet()
+                  .createSingleRule(createRuleModelWithDefaultValues());
+
+        STEP("Add the normal user as a consumer.");
+        dataUser.usingAdmin().addUserToSite(user, privateSite, SiteConsumer);
+
+        STEP("Use a normal user to try to link to the rule.");
+        FolderModel publicFolder = dataContent.usingUser(user).usingSite(site).createFolder();
+        RestRuleSetLinkModel request = new RestRuleSetLinkModel();
+        request.setId(privateFolder.getNodeRef());
+        restClient.authenticateUser(user).withCoreAPI().usingNode(publicFolder).createRuleLink(request);
+
+        restClient.assertStatusCodeIs(CREATED);
+    }
+
    /**
     * Check we can DELETE/unlink a ruleset
     *
@@ -391,4 +442,63 @@ public class RuleSetLinksTests extends RestTest
        restClient.assertStatusCodeIs(NOT_FOUND)
                .assertLastError().containsSummary("The entity with id:");
    }
+
+    /**
+     * Check we cannot unlink from a rule set that we can't view.
+     */
+    @Test (groups = { TestGroup.REST_API, TestGroup.RULES })
+    public void unlinkFromRuleSetWithoutPermission()
+    {
+        STEP("Use admin to create a private site with a folder containing a rule.");
+        SiteModel privateSite = dataSite.usingAdmin().createPrivateRandomSite();
+        FolderModel privateFolder = dataContent.usingAdmin().usingSite(privateSite).createFolder();
+        restClient.authenticateUser(dataUser.getAdminUser()).withCoreAPI().usingNode(privateFolder).usingDefaultRuleSet()
+                  .createSingleRule(createRuleModelWithDefaultValues());
+
+        STEP("Add the user as a consumer.");
+        dataUser.usingAdmin().addUserToSite(user, privateSite, SiteConsumer);
+
+        STEP("Use the consumer to create a folder with a link to the private rule set.");
+        FolderModel publicFolder = dataContent.usingUser(user).usingSite(site).createFolder();
+        RestRuleSetLinkModel request = new RestRuleSetLinkModel();
+        request.setId(privateFolder.getNodeRef());
+        restClient.authenticateUser(user).withCoreAPI().usingNode(publicFolder).createRuleLink(request);
+        restClient.assertStatusCodeIs(CREATED);
+
+        STEP("Remove the user from the private site.");
+        dataUser.usingAdmin().removeUserFromSite(user, privateSite);
+
+        STEP("Use the user to try to unlink from the rule set.");
+        restClient.authenticateUser(user).withCoreAPI().usingNode(publicFolder).unlinkRuleSet("-default-");
+
+        restClient.assertStatusCodeIs(FORBIDDEN);
+    }
+
+    /**
+     * Check we can unlink from a rule set if we only have read permission for it.
+     */
+    @Test (groups = { TestGroup.REST_API, TestGroup.RULES })
+    public void unlinkFromRuleSetWithOnlyReadPermission()
+    {
+        STEP("Use admin to create a private site with a folder containing a rule.");
+        SiteModel privateSite = dataSite.usingAdmin().createPrivateRandomSite();
+        FolderModel privateFolder = dataContent.usingAdmin().usingSite(privateSite).createFolder();
+        restClient.authenticateUser(dataUser.getAdminUser()).withCoreAPI().usingNode(privateFolder).usingDefaultRuleSet()
+                  .createSingleRule(createRuleModelWithDefaultValues());
+
+        STEP("Add the user as a consumer.");
+        dataUser.usingAdmin().addUserToSite(user, privateSite, SiteConsumer);
+
+        STEP("Use the consumer to create a folder with a link to the private rule set.");
+        FolderModel publicFolder = dataContent.usingUser(user).usingSite(site).createFolder();
+        RestRuleSetLinkModel request = new RestRuleSetLinkModel();
+        request.setId(privateFolder.getNodeRef());
+        restClient.authenticateUser(user).withCoreAPI().usingNode(publicFolder).createRuleLink(request);
+        restClient.assertStatusCodeIs(CREATED);
+
+        STEP("Use the consumer to try to unlink from the rule set.");
+        restClient.authenticateUser(user).withCoreAPI().usingNode(publicFolder).unlinkRuleSet("-default-");
+
+        restClient.assertStatusCodeIs(NO_CONTENT);
+    }
 }
--- a/remote-api/src/main/java/org/alfresco/rest/api/impl/rules/RuleSetsImpl.java
+++ b/remote-api/src/main/java/org/alfresco/rest/api/impl/rules/RuleSetsImpl.java
@@ -129,8 +129,8 @@ public class RuleSetsImpl implements RuleSets
        final NodeRef folderNodeRef = validator.validateFolderNode(folderNodeId,true);
        final boolean isRuleSetNode = validator.isRuleSetNode(linkToNodeId);
        final NodeRef linkToNodeRef = isRuleSetNode
-                ? validator.validateRuleSetNode(linkToNodeId, true)
-                : validator.validateFolderNode(linkToNodeId, true);
+                ? validator.validateRuleSetNode(linkToNodeId, false)
+                : validator.validateFolderNode(linkToNodeId, false);

        //The target node should have pre-existing rules to link to
        if (!ruleService.hasRules(linkToNodeRef)) {
--- a/remote-api/src/test/java/org/alfresco/rest/api/impl/rules/RuleSetsImplTest.java
+++ b/remote-api/src/test/java/org/alfresco/rest/api/impl/rules/RuleSetsImplTest.java
@@ -98,7 +98,7 @@ public class RuleSetsImplTest extends TestCase
        MockitoAnnotations.openMocks(this);

        given(nodeValidatorMock.validateFolderNode(eq(LINK_TO_NODE_ID), anyBoolean())).willReturn(LINK_TO_NODE);
-        given(nodeValidatorMock.validateRuleSetNode(LINK_TO_NODE_ID,true)).willReturn(LINK_TO_NODE);
+        given(nodeValidatorMock.validateRuleSetNode(LINK_TO_NODE_ID,false)).willReturn(LINK_TO_NODE);
        given(nodeValidatorMock.validateFolderNode(eq(FOLDER_ID), anyBoolean())).willReturn(FOLDER_NODE);
        given(nodeValidatorMock.validateRuleSetNode(RULE_SET_ID, FOLDER_NODE)).willReturn(RULE_SET_NODE);

@@ -252,7 +252,7 @@ public class RuleSetsImplTest extends TestCase

        then(nodeValidatorMock).should().validateFolderNode(FOLDER_ID,true);
        then(nodeValidatorMock).should().isRuleSetNode(LINK_TO_NODE_ID);
-        then(nodeValidatorMock).should().validateRuleSetNode(LINK_TO_NODE_ID,true);
+        then(nodeValidatorMock).should().validateRuleSetNode(LINK_TO_NODE_ID,false);
        then(nodeValidatorMock).shouldHaveNoMoreInteractions();
        then(ruleServiceMock).should().hasRules(LINK_TO_NODE);
        then(ruleServiceMock).should().hasRules(FOLDER_NODE);