From 60833cb131082acff4c4bd00f97969f7232c5380 Mon Sep 17 00:00:00 2001 From: David Webster Date: Thu, 6 Oct 2016 21:59:11 +0100 Subject: [PATCH 01/11] MNT-16852: First pass at Write Properties permission handling --- .../security/permissions/impl/RMPermissionServiceImpl.java | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java b/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java index 8b43417fc4..75b96eaec0 100644 --- a/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java +++ b/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java @@ -100,6 +100,13 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl { return super.hasPermission(nodeRef, RMPermissionModel.FILE_RECORDS); } + // Add WRITE_PROPERTIES check in for MNT-16852. + else if (AccessStatus.DENIED.equals(acs) && + PermissionService.WRITE_PROPERTIES.equals(perm) && + nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT)) + { + return super.hasPermission(nodeRef, RMPermissionModel.EDIT_RECORD_METADATA); + } return acs; } From 60dd571153f1d6d3a4430cd008458406e5335f86 Mon Sep 17 00:00:00 2001 From: David Webster Date: Tue, 11 Oct 2016 12:51:25 +0100 Subject: [PATCH 02/11] MNT-16852: Give write properties permission to file records --- .../permissions/impl/RMPermissionServiceImpl.java | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java b/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java index 75b96eaec0..f641a487cd 100644 --- a/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java 
+++ b/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java @@ -93,20 +93,13 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl { return super.hasPermission(nodeRef, RMPermissionModel.READ_RECORDS); } - // Added ADD_CHILDREN check in for MNT-16852. + // Added ADD_CHILDREN and WRITE_PROPERTIES check in for MNT-16852. else if (AccessStatus.DENIED.equals(acs) && - (PermissionService.WRITE.equals(perm) || PermissionService.ADD_CHILDREN.equals(perm)) && + (PermissionService.WRITE.equals(perm) || PermissionService.ADD_CHILDREN.equals(perm) || PermissionService.WRITE_PROPERTIES.equals(perm)) && nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT)) { return super.hasPermission(nodeRef, RMPermissionModel.FILE_RECORDS); } - // Add WRITE_PROPERTIES check in for MNT-16852. - else if (AccessStatus.DENIED.equals(acs) && - PermissionService.WRITE_PROPERTIES.equals(perm) && - nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT)) - { - return super.hasPermission(nodeRef, RMPermissionModel.EDIT_RECORD_METADATA); - } return acs; } From 674f929acf85b09afa366288e88b0e9ac583a268 Mon Sep 17 00:00:00 2001 From: David Webster Date: Tue, 11 Oct 2016 12:57:38 +0100 Subject: [PATCH 03/11] MNT-16852: Refactor hasPermission method for readability --- .../impl/RMPermissionServiceImpl.java | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java b/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java index f641a487cd..bda4d1ade5 100644 --- a/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java +++ b/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java 
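Review bot: The merged condition now resolves `PermissionService.WRITE_PROPERTIES` through `RMPermissionModel.FILE_RECORDS`, where the branch it replaces used `RMPermissionModel.EDIT_RECORD_METADATA`, and the one-line comment does not say why the filing permission is the right gate for property writes. If FILE_RECORDS is held by more authorities than EDIT_RECORD_METADATA (likely, but not visible here), each of them will now pass a WriteProperties check on any node carrying ASPECT_FILE_PLAN_COMPONENT whenever the core check returned DENIED. I would replace the comment with something like `// MNT-16852: a DENIED WriteProperties/AddChildren on a file plan component falls back to FILE_RECORDS; this deliberately lets filers edit properties`, and name in the commit message the client call that needed it. hasPermission begins outside the hunk.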
@@ -87,18 +87,20 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl public AccessStatus hasPermission(NodeRef nodeRef, String perm) { AccessStatus acs = super.hasPermission(nodeRef, perm); + if (AccessStatus.DENIED.equals(acs) && - PermissionService.READ.equals(perm) && nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT)) { - return super.hasPermission(nodeRef, RMPermissionModel.READ_RECORDS); - } - // Added ADD_CHILDREN and WRITE_PROPERTIES check in for MNT-16852. - else if (AccessStatus.DENIED.equals(acs) && - (PermissionService.WRITE.equals(perm) || PermissionService.ADD_CHILDREN.equals(perm) || PermissionService.WRITE_PROPERTIES.equals(perm)) && - nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT)) - { - return super.hasPermission(nodeRef, RMPermissionModel.FILE_RECORDS); + if (PermissionService.READ.equals(perm)) + { + return super.hasPermission(nodeRef, RMPermissionModel.READ_RECORDS); + } + else if (PermissionService.WRITE.equals(perm) || + PermissionService.ADD_CHILDREN.equals(perm) || + PermissionService.WRITE_PROPERTIES.equals(perm)) + { + return super.hasPermission(nodeRef, RMPermissionModel.FILE_RECORDS); + } } return acs; From 0eaa927b38ece49409b39efaff4220a3af68c795 Mon Sep 17 00:00:00 2001 From: David Webster Date: Wed, 12 Oct 2016 09:22:14 +0100 Subject: [PATCH 04/11] MNT-16852: Fix issue reading properties in Outlook Integration --- .../repo/security/permissions/impl/RMPermissionServiceImpl.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java b/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java index bda4d1ade5..63c8e95254 100644 --- a/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java 
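Review bot: After this refactor `nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT)` runs for every DENIED result whatever `perm` is, because the permission-name comparisons moved inside the block; in the old form the `perm` equality tests came first and short-circuited the node lookup for unrelated permissions. This method sits on the permission-check path, so I would keep the cheap string tests ahead of the lookup, for example by working out the mapped RM permission first and only then testing `mapped != null && nodeService.hasAspect(...)`. As far as the visible lines show, the returned values are unchanged by the refactor.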
+++ b/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java @@ -91,7 +91,7 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl if (AccessStatus.DENIED.equals(acs) && nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT)) { - if (PermissionService.READ.equals(perm)) + if (PermissionService.READ.equals(perm) || PermissionService.READ_PROPERTIES.equals(perm)) { return super.hasPermission(nodeRef, RMPermissionModel.READ_RECORDS); } From fa2d37f37b69af8655abb14e3b0166f79f217cfc Mon Sep 17 00:00:00 2001 From: David Webster Date: Wed, 12 Oct 2016 15:08:17 +0100 Subject: [PATCH 05/11] MNT-16852: First pass at extracting permission mapping to properties file. --- .../alfresco-global.properties | 6 +++ .../extended-repository-context.xml | 6 +++ .../impl/RMPermissionServiceImpl.java | 37 +++++++++++++++++-- 3 files changed, 45 insertions(+), 4 deletions(-) diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/alfresco-global.properties b/rm-server/config/alfresco/module/org_alfresco_module_rm/alfresco-global.properties index 46e84685b0..41a1f5aa9c 100644 --- a/rm-server/config/alfresco/module/org_alfresco_module_rm/alfresco-global.properties +++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/alfresco-global.properties @@ -47,3 +47,9 @@ rm.autocompletesuggestion.nodeParameterSuggester.aspectsAndTypes=rma:record,cm:c # Global RM disposition lifecycle trigger cron job expression # rm.dispositionlifecycletrigger.cronexpression=0 0/5 * * * ? + +# Permission mapping +# these take a comma separated string of permissions from org.alfresco.service.cmr.security.PermissionService +# read maps to ReadRecords and write to FileRecords +rm.haspermissionmap.read=ReadProperties,ReadChildren +rm.haspermissionmap.write=WriteProperties,AddChildren 
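Review bot: The default `rm.haspermissionmap.read=ReadProperties,ReadChildren` is wider than the hard-coded check it replaces, which in this series covered only READ and READ_PROPERTIES, so holders of ReadRecords start passing ReadChildren checks as a side effect of a commit described as an extraction. The comment should also say that these two lists are authorization policy: every name added to `read` or `write` is answered with ReadRecords or FileRecords respectively on any file plan component where the core check returned DENIED. I would add a line such as `# Security-sensitive: each name listed here is granted to holders of the mapped RM permission; keep the lists minimal and do not add administrative permissions`, and either drop ReadChildren or call it out in the commit message.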
diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml b/rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml index bd74307107..0218d2d22c 100644 --- a/rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml +++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml @@ -134,6 +134,12 @@ + + {rm.haspermissionmap.read} + + + {rm.haspermissionmap.write} + diff --git a/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java b/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java index 63c8e95254..b4bb8166d9 100644 --- a/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java +++ b/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java 
@@ -19,21 +19,28 @@ package org.alfresco.repo.security.permissions.impl; import java.io.Serializable; +import java.util.ArrayList; +import java.util.Arrays; import java.util.Collections; import java.util.HashSet; +import java.util.List; import java.util.Set; import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel; import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel; import org.alfresco.repo.cache.SimpleCache; + import org.alfresco.repo.security.permissions.AccessControlEntry; import org.alfresco.repo.security.permissions.AccessControlList; import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.service.cmr.security.AccessStatus; import org.alfresco.service.cmr.security.PermissionService; import org.alfresco.util.PropertyCheck; +import org.apache.commons.collections.ArrayStack; +import org.apache.commons.lang.StringUtils; import org.springframework.context.ApplicationEvent; + /** * Extends the core permission service implementation allowing the consideration of the read records * permission. @@ -48,6 +55,10 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl /** Writers simple cache */ protected SimpleCache> writersCache; + /** Permission maps*/ + protected String readMapping; + protected String fileMapping; + /** * @see org.alfresco.repo.security.permissions.impl.PermissionServiceImpl#setAnyDenyDenies(boolean) */ 
@@ -66,6 +77,22 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl this.writersCache = writersCache; } + /** + * @param readMapping the mapping of permissions to ReadRecord + */ + public void setReadMapping(String readMapping) + { + this.readMapping = readMapping; + } + + /** + * @param fileMapping the mapping of permissions to ReadRecord + */ + public void setFileMapping(String fileMapping) + { + this.fileMapping = fileMapping; + } + /** * @see org.alfresco.repo.security.permissions.impl.PermissionServiceImpl#onBootstrap(org.springframework.context.ApplicationEvent) */ @@ -91,13 +118,15 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl if (AccessStatus.DENIED.equals(acs) && nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT)) { - if (PermissionService.READ.equals(perm) || PermissionService.READ_PROPERTIES.equals(perm)) + + List configuredReadPermissions = Arrays.asList(this.readMapping.split(",")); + List configuredFilePermissions = Arrays.asList(this.fileMapping.split(",")); + + if (PermissionService.READ.equals(perm) || configuredReadPermissions.contains(perm)) { return super.hasPermission(nodeRef, RMPermissionModel.READ_RECORDS); } - else if (PermissionService.WRITE.equals(perm) || - PermissionService.ADD_CHILDREN.equals(perm) || - PermissionService.WRITE_PROPERTIES.equals(perm)) + else if (PermissionService.WRITE.equals(perm) || configuredFilePermissions.contains(perm)) { return super.hasPermission(nodeRef, RMPermissionModel.FILE_RECORDS); } From 40135eb34e5e368e63e1295705c587d0f7681a77 Mon Sep 17 00:00:00 2001 From: David Webster Date: Wed, 12 Oct 2016 15:25:06 +0100 Subject: [PATCH 06/11] MNT-16852: Remove unnecessary imports --- .../security/permissions/impl/RMPermissionServiceImpl.java | 3 --- 1 file changed, 3 deletions(-) 
diff --git a/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java b/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java index b4bb8166d9..dfb293d89c 100644 --- a/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java +++ b/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java @@ -19,7 +19,6 @@ package org.alfresco.repo.security.permissions.impl; import java.io.Serializable; -import java.util.ArrayList; import java.util.Arrays; import java.util.Collections; import java.util.HashSet; @@ -36,8 +35,6 @@ import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.service.cmr.security.AccessStatus; import org.alfresco.service.cmr.security.PermissionService; import org.alfresco.util.PropertyCheck; -import org.apache.commons.collections.ArrayStack; -import org.apache.commons.lang.StringUtils; import org.springframework.context.ApplicationEvent; From 30831aa221e875e3bfeae24c6c229fb924d28333 Mon Sep 17 00:00:00 2001 From: David Webster Date: Wed, 12 Oct 2016 15:31:12 +0100 Subject: [PATCH 07/11] MNT-16852: Add comment explaining reason behind extracting mapping to properties file --- .../security/permissions/impl/RMPermissionServiceImpl.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java b/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java index dfb293d89c..a686397b51 100644 --- a/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java +++ b/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java 
@@ -115,7 +115,8 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl if (AccessStatus.DENIED.equals(acs) && nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT)) { - + // These strings come from alfresco-global.properties and allow fine tuning of the how permissions are mapped. + // This was added as a fix for MNT-16852 to enhance compatibility for our Outlook Integration. List configuredReadPermissions = Arrays.asList(this.readMapping.split(",")); List configuredFilePermissions = Arrays.asList(this.fileMapping.split(",")); From 34dfa8a6480b6146b3d2c28695e50a326fb56ea0 Mon Sep 17 00:00:00 2001 From: David Webster Date: Thu, 13 Oct 2016 11:06:11 +0100 Subject: [PATCH 08/11] MNT-16852: Optimise list conversion as per code review comment --- .../extended-repository-context.xml | 4 +- .../impl/RMPermissionServiceImpl.java | 37 +++++++++++-------- 2 files changed, 24 insertions(+), 17 deletions(-) diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml b/rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml index 0218d2d22c..b9135668c5 100644 --- a/rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml +++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml @@ -134,10 +134,10 @@ - + {rm.haspermissionmap.read} - + {rm.haspermissionmap.write} diff --git a/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java b/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java index a686397b51..6f3aa88294 100644 --- a/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java +++ b/rm-server/source/java/org/alfresco/repo/security/permissions/impl/RMPermissionServiceImpl.java 
@@ -52,9 +52,15 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl /** Writers simple cache */ protected SimpleCache> writersCache; - /** Permission maps*/ - protected String readMapping; - protected String fileMapping; + /** + * Configured Permission mapping. + * + * These strings come from alfresco-global.properties and allow fine tuning of the how permissions are mapped. + * This was added as a fix for MNT-16852 to enhance compatibility with our Outlook Integration. + * + **/ + protected List configuredReadPermissions; + protected List configuredFilePermissions; /** * @see org.alfresco.repo.security.permissions.impl.PermissionServiceImpl#setAnyDenyDenies(boolean) @@ -75,19 +81,25 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl } /** + * Maps the string from the properties file (rm.haspermissionmap.read) + * to the list used in the hasPermission method + * * @param readMapping the mapping of permissions to ReadRecord */ - public void setReadMapping(String readMapping) + public void setConfiguredReadPermissions(String readMapping) { - this.readMapping = readMapping; + this.configuredReadPermissions = Arrays.asList(readMapping.split(",")); } /** - * @param fileMapping the mapping of permissions to ReadRecord + * Maps the string set in the properties file (rm.haspermissionmap.write) + * to the list used in the hasPermission method + * + * @param fileMapping the mapping of permissions to FileRecord */ - public void setFileMapping(String fileMapping) + public void setConfiguredFilePermissions(String fileMapping) { - this.fileMapping = fileMapping; + this.configuredFilePermissions = Arrays.asList(fileMapping.split(",")); } /** 
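Review bot: Both setters store `Arrays.asList(...split(","))` without trimming, so a value written as `ReadProperties, ReadChildren` yields the entry ` ReadChildren`, which never equals a permission name, and the mapping silently stops applying to it. The two fields declared in the previous hunk also have no default, so if the bean is ever wired without these properties, `this.configuredReadPermissions.contains(perm)` in hasPermission would throw a NullPointerException on a denied check instead of returning DENIED. I would split with `readMapping.trim().split("\\s*,\\s*")` (and the same for `fileMapping`) and initialise both fields to `Collections.emptyList()`, which is already imported, so an unset mapping fails closed.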
@@ -115,16 +127,11 @@ public class RMPermissionServiceImpl extends PermissionServiceImpl if (AccessStatus.DENIED.equals(acs) && nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT)) { - // These strings come from alfresco-global.properties and allow fine tuning of the how permissions are mapped. - // This was added as a fix for MNT-16852 to enhance compatibility for our Outlook Integration. - List configuredReadPermissions = Arrays.asList(this.readMapping.split(",")); - List configuredFilePermissions = Arrays.asList(this.fileMapping.split(",")); - - if (PermissionService.READ.equals(perm) || configuredReadPermissions.contains(perm)) + if (PermissionService.READ.equals(perm) || this.configuredReadPermissions.contains(perm)) { return super.hasPermission(nodeRef, RMPermissionModel.READ_RECORDS); } - else if (PermissionService.WRITE.equals(perm) || configuredFilePermissions.contains(perm)) + else if (PermissionService.WRITE.equals(perm) || this.configuredFilePermissions.contains(perm)) { return super.hasPermission(nodeRef, RMPermissionModel.FILE_RECORDS); } From c9fdd7f0503ea76271b229075d79ec7855145a2b Mon Sep 17 00:00:00 2001 From: David Webster Date: Thu, 13 Oct 2016 11:36:47 +0100 Subject: [PATCH 09/11] MNT-16852: Fix typo in XML --- .../org_alfresco_module_rm/extended-repository-context.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml b/rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml index b9135668c5..44dacc7b89 100644 --- a/rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml +++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml @@ -135,10 +135,10 @@ - {rm.haspermissionmap.read} + ${rm.haspermissionmap.read} - {rm.haspermissionmap.write} + ${rm.haspermissionmap.write} 
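Review bot: The fallback in hasPermission now depends on injected configuration, yet going by the diffstats no commit in this series touches a test, so nothing pins which permission names are answered through READ_RECORDS or FILE_RECORDS. I would add a unit test for RMPermissionServiceImpl that sets both lists and asserts three cases: a listed permission on a file plan component is decided by the mapped RM permission, an unlisted permission stays DENIED, and a node without ASPECT_FILE_PLAN_COMPONENT stays DENIED. The last two are the ones that would catch an accidental widening of the mapping in a later configuration change. hasPermission begins outside the hunk.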
From 2df396a7e1d58b95f5daa2812c7ad427a8cda108 Mon Sep 17 00:00:00 2001 From: David Webster Date: Mon, 17 Oct 2016 22:01:17 +0100 Subject: [PATCH 10/11] MNT-16852: HF 2.2.0.2 release, remove snapshot version number --- pom.xml | 2 +- rm-server/pom.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index a27d0c4f86..11f13d7269 100644 --- a/pom.xml +++ b/pom.xml @@ -4,7 +4,7 @@ org.alfresco alfresco-rm-parent pom - 2.2.0.2-SNAPSHOT + 2.2.0.2 Alfresco Records Management http://www.alfresco.org/ diff --git a/rm-server/pom.xml b/rm-server/pom.xml index 0b2bb42160..bc5cbfa882 100644 --- a/rm-server/pom.xml +++ b/rm-server/pom.xml @@ -5,7 +5,7 @@ org.alfresco alfresco-rm-parent - 2.2.0.2-SNAPSHOT + 2.2.0.2 4.0.0 alfresco-rm-server From fbb55126d7543a6c0795183e43520a028a51f7f3 Mon Sep 17 00:00:00 2001 From: David Webster Date: Tue, 18 Oct 2016 16:23:46 +0100 Subject: [PATCH 11/11] Set up 2.2.0.x HF branch ready for next release --- pom.xml | 2 +- .../alfresco/module/org_alfresco_module_rm/module.properties | 2 +- rm-server/pom.xml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/pom.xml b/pom.xml index 11f13d7269..197172d10a 100644 --- a/pom.xml +++ b/pom.xml @@ -4,7 +4,7 @@ org.alfresco alfresco-rm-parent pom - 2.2.0.2 + 2.2.0.3-SNAPSHOT Alfresco Records Management http://www.alfresco.org/ diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/module.properties b/rm-server/config/alfresco/module/org_alfresco_module_rm/module.properties index 43284b32f3..f5c791e7ba 100644 --- a/rm-server/config/alfresco/module/org_alfresco_module_rm/module.properties +++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/module.properties @@ -6,6 +6,6 @@ module.aliases=org_alfresco_module_dod5015 module.title=Records Management module.description=Alfresco Record Management Extension -module.version=2.2.0.2 +module.version=2.2.0.3 module.repo.version.min=4.2 \ No newline at end of file 
diff --git a/rm-server/pom.xml b/rm-server/pom.xml index bc5cbfa882..48e289188b 100644 --- a/rm-server/pom.xml +++ b/rm-server/pom.xml @@ -5,7 +5,7 @@ org.alfresco alfresco-rm-parent - 2.2.0.2 + 2.2.0.3-SNAPSHOT 4.0.0 alfresco-rm-server