mirror of
https://github.com/Alfresco/alfresco-community-repo.git
synced 2025-07-24 17:32:48 +00:00
Fix AR-279: Enforce permissions at FileFolderService entry
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@3083 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Derek Hulley
@@ -6,12 +6,11 @@
|
|||||||
<bean name="fileFolderService" class="org.alfresco.repo.model.filefolder.FileFolderServiceImpl" init-method="init">
|
<bean name="fileFolderService" class="org.alfresco.repo.model.filefolder.FileFolderServiceImpl" init-method="init">
|
||||||
<property name="namespaceService"><ref bean="namespaceService" /></property>
|
<property name="namespaceService"><ref bean="namespaceService" /></property>
|
||||||
<property name="dictionaryService"><ref bean="dictionaryService" /></property>
|
<property name="dictionaryService"><ref bean="dictionaryService" /></property>
|
||||||
<property name="nodeService"><ref bean="NodeService" /></property>
|
<property name="nodeService"><ref bean="nodeService" /></property>
|
||||||
<property name="copyService"><ref bean="CopyService" /></property>
|
<property name="copyService"><ref bean="copyService" /></property>
|
||||||
<!-- NOTE: using Big SearchService until AR-279 is completed -->
|
<property name="searchService"><ref bean="searchService" /></property>
|
||||||
<property name="searchService"><ref bean="SearchService" /></property>
|
<property name="contentService"><ref bean="contentService" /></property>
|
||||||
<property name="contentService"><ref bean="ContentService" /></property>
|
<property name="mimetypeService"><ref bean="mimetypeService" /></property>
|
||||||
<property name="mimetypeService"><ref bean="MimetypeService" /></property>
|
|
||||||
|
|
||||||
<property name="systemPaths">
|
<property name="systemPaths">
|
||||||
<list>
|
<list>
|
||||||
|
|||||||
@@ -915,6 +915,7 @@
|
|||||||
<list>
|
<list>
|
||||||
<idref local="FileFolderService_transaction" />
|
<idref local="FileFolderService_transaction" />
|
||||||
<idref local="exceptionTranslator" />
|
<idref local="exceptionTranslator" />
|
||||||
|
<idref bean="FileFolderService_security" />
|
||||||
</list>
|
</list>
|
||||||
</property>
|
</property>
|
||||||
</bean>
|
</bean>
|
||||||
|
|||||||
@@ -353,6 +353,35 @@
|
|||||||
</property>
|
</property>
|
||||||
</bean>
|
</bean>
|
||||||
|
|
||||||
|
<!-- ============================== -->
|
||||||
|
<!-- FileFolder Service Permissions -->
|
||||||
|
<!-- ============================== -->
|
||||||
|
|
||||||
|
<bean id="FileFolderService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
|
||||||
|
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
||||||
|
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
|
||||||
|
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
|
||||||
|
<property name="objectDefinitionSource">
|
||||||
|
<value>
|
||||||
|
org.alfresco.service.cmr.model.FileFolderService.list=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.Read
|
||||||
|
org.alfresco.service.cmr.model.FileFolderService.listFiles=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.Read
|
||||||
|
org.alfresco.service.cmr.model.FileFolderService.listFolders=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.Read
|
||||||
|
org.alfresco.service.cmr.model.FileFolderService.search=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.Read
|
||||||
|
org.alfresco.service.cmr.model.FileFolderService.rename=ACL_PARENT.0.sys:base.CreateChildren,AFTER_ACL_NODE.0.sys:base.WriteProperties
|
||||||
|
org.alfresco.service.cmr.model.FileFolderService.move=ACL_NODE.0.sys:base.DeleteNode,ACL_NODE.1.sys:base.CreateChildren
|
||||||
|
org.alfresco.service.cmr.model.FileFolderService.copy=ACL_NODE.0.sys:base.Read,ACL_NODE.1.sys:base.CreateChildren
|
||||||
|
org.alfresco.service.cmr.model.FileFolderService.create=ACL_PARENT.0.sys:base.CreateChildren
|
||||||
|
org.alfresco.service.cmr.model.FileFolderService.delete=ACL_NODE.0.sys:base.DeleteNode
|
||||||
|
org.alfresco.service.cmr.model.FileFolderService.makeFolders=AFTER_ACL_PARENT.0.sys:base.CreateChildren
|
||||||
|
org.alfresco.service.cmr.model.FileFolderService.getNamePath=ACL_NODE.1.sys:base.ReadProperties
|
||||||
|
org.alfresco.service.cmr.model.FileFolderService.resolveNamePath=AFTER_ACL_NODE.0.sys:base.ReadProperties
|
||||||
|
org.alfresco.service.cmr.model.FileFolderService.getFileInfo=ACL_NODE.0.sys:base.ReadProperties
|
||||||
|
org.alfresco.service.cmr.model.FileFolderService.getReader=ACL_NODE.0.sys:base.ReadContent
|
||||||
|
org.alfresco.service.cmr.model.FileFolderService.getWriter=ACL_NODE.0.sys:base.WriteContent
|
||||||
|
</value>
|
||||||
|
</property>
|
||||||
|
</bean>
|
||||||
|
|
||||||
<!-- =========================== -->
|
<!-- =========================== -->
|
||||||
<!-- Content Service Permissions -->
|
<!-- Content Service Permissions -->
|
||||||
<!-- =========================== -->
|
<!-- =========================== -->
|
||||||
|
|||||||
@@ -33,6 +33,7 @@ import net.sf.acegisecurity.afterinvocation.AfterInvocationProvider;
|
|||||||
|
|
||||||
import org.alfresco.repo.search.SimpleResultSetMetaData;
|
import org.alfresco.repo.search.SimpleResultSetMetaData;
|
||||||
import org.alfresco.repo.security.permissions.impl.SimplePermissionReference;
|
import org.alfresco.repo.security.permissions.impl.SimplePermissionReference;
|
||||||
|
import org.alfresco.service.cmr.model.FileInfo;
|
||||||
import org.alfresco.service.cmr.repository.ChildAssociationRef;
|
import org.alfresco.service.cmr.repository.ChildAssociationRef;
|
||||||
import org.alfresco.service.cmr.repository.NodeRef;
|
import org.alfresco.service.cmr.repository.NodeRef;
|
||||||
import org.alfresco.service.cmr.repository.NodeService;
|
import org.alfresco.service.cmr.repository.NodeService;
|
||||||
@@ -175,6 +176,10 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider,
|
|||||||
}
|
}
|
||||||
return decide(authentication, object, config, (NodeRef) returnedObject);
|
return decide(authentication, object, config, (NodeRef) returnedObject);
|
||||||
}
|
}
|
||||||
|
else if (FileInfo.class.isAssignableFrom(returnedObject.getClass()))
|
||||||
|
{
|
||||||
|
return decide(authentication, object, config, (FileInfo) returnedObject);
|
||||||
|
}
|
||||||
else if (ChildAssociationRef.class.isAssignableFrom(returnedObject.getClass()))
|
else if (ChildAssociationRef.class.isAssignableFrom(returnedObject.getClass()))
|
||||||
{
|
{
|
||||||
if (log.isDebugEnabled())
|
if (log.isDebugEnabled())
|
||||||
@@ -237,7 +242,10 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider,
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public NodeRef decide(Authentication authentication, Object object, ConfigAttributeDefinition config,
|
public NodeRef decide(
|
||||||
|
Authentication authentication,
|
||||||
|
Object object,
|
||||||
|
ConfigAttributeDefinition config,
|
||||||
NodeRef returnedObject) throws AccessDeniedException
|
NodeRef returnedObject) throws AccessDeniedException
|
||||||
|
|
||||||
{
|
{
|
||||||
@@ -277,6 +285,20 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider,
|
|||||||
return returnedObject;
|
return returnedObject;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public FileInfo decide(
|
||||||
|
Authentication authentication,
|
||||||
|
Object object,
|
||||||
|
ConfigAttributeDefinition config,
|
||||||
|
FileInfo returnedObject) throws AccessDeniedException
|
||||||
|
|
||||||
|
{
|
||||||
|
NodeRef nodeRef = returnedObject.getNodeRef();
|
||||||
|
// this is virtually equivalent to the noderef
|
||||||
|
decide(authentication, object, config, nodeRef);
|
||||||
|
// the noderef was allowed
|
||||||
|
return returnedObject;
|
||||||
|
}
|
||||||
|
|
||||||
private List<ConfigAttributeDefintion> extractSupportedDefinitions(ConfigAttributeDefinition config)
|
private List<ConfigAttributeDefintion> extractSupportedDefinitions(ConfigAttributeDefinition config)
|
||||||
{
|
{
|
||||||
List<ConfigAttributeDefintion> definitions = new ArrayList<ConfigAttributeDefintion>();
|
List<ConfigAttributeDefintion> definitions = new ArrayList<ConfigAttributeDefintion>();
|
||||||
@@ -455,31 +477,23 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider,
|
|||||||
if (StoreRef.class.isAssignableFrom(nextObject.getClass()))
|
if (StoreRef.class.isAssignableFrom(nextObject.getClass()))
|
||||||
{
|
{
|
||||||
testNodeRef = nodeService.getRootNode((StoreRef) nextObject);
|
testNodeRef = nodeService.getRootNode((StoreRef) nextObject);
|
||||||
if (log.isDebugEnabled())
|
|
||||||
{
|
|
||||||
log.debug("\tNode Test on store " + nodeService.getPath(testNodeRef));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
else if (NodeRef.class.isAssignableFrom(nextObject.getClass()))
|
else if (NodeRef.class.isAssignableFrom(nextObject.getClass()))
|
||||||
{
|
{
|
||||||
testNodeRef = (NodeRef) nextObject;
|
testNodeRef = (NodeRef) nextObject;
|
||||||
if (log.isDebugEnabled())
|
|
||||||
{
|
|
||||||
log.debug("\tNode Test on node " + nodeService.getPath(testNodeRef));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
else if (ChildAssociationRef.class.isAssignableFrom(nextObject.getClass()))
|
else if (ChildAssociationRef.class.isAssignableFrom(nextObject.getClass()))
|
||||||
{
|
{
|
||||||
testNodeRef = ((ChildAssociationRef) nextObject).getChildRef();
|
testNodeRef = ((ChildAssociationRef) nextObject).getChildRef();
|
||||||
if (log.isDebugEnabled())
|
}
|
||||||
{
|
else if (FileInfo.class.isAssignableFrom(nextObject.getClass()))
|
||||||
log.debug("\tNode Test on child association ref using " + nodeService.getPath(testNodeRef));
|
{
|
||||||
}
|
testNodeRef = ((FileInfo) nextObject).getNodeRef();
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
throw new ACLEntryVoterException(
|
throw new ACLEntryVoterException(
|
||||||
"The specified parameter is not a collection of NodeRefs or ChildAssociationRefs");
|
"The specified parameter is not a collection of NodeRefs, ChildAssociationRefs or FileInfos");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else if (cad.typeString.equals(AFTER_ACL_PARENT))
|
else if (cad.typeString.equals(AFTER_ACL_PARENT))
|
||||||
@@ -488,27 +502,18 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider,
|
|||||||
{
|
{
|
||||||
// Will be allowed
|
// Will be allowed
|
||||||
testNodeRef = null;
|
testNodeRef = null;
|
||||||
if (log.isDebugEnabled())
|
|
||||||
{
|
|
||||||
log.debug("\tParent Test on store ");
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
else if (NodeRef.class.isAssignableFrom(nextObject.getClass()))
|
else if (NodeRef.class.isAssignableFrom(nextObject.getClass()))
|
||||||
{
|
{
|
||||||
testNodeRef = nodeService.getPrimaryParent((NodeRef) nextObject).getParentRef();
|
testNodeRef = nodeService.getPrimaryParent((NodeRef) nextObject).getParentRef();
|
||||||
if (log.isDebugEnabled())
|
|
||||||
{
|
|
||||||
log.debug("\tParent test on node " + nodeService.getPath(testNodeRef));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
else if (ChildAssociationRef.class.isAssignableFrom(nextObject.getClass()))
|
else if (ChildAssociationRef.class.isAssignableFrom(nextObject.getClass()))
|
||||||
{
|
{
|
||||||
testNodeRef = ((ChildAssociationRef) nextObject).getParentRef();
|
testNodeRef = ((ChildAssociationRef) nextObject).getParentRef();
|
||||||
if (log.isDebugEnabled())
|
}
|
||||||
{
|
else if (FileInfo.class.isAssignableFrom(nextObject.getClass()))
|
||||||
log.debug("\tParent Test on child association ref using "
|
{
|
||||||
+ nodeService.getPath(testNodeRef));
|
testNodeRef = ((FileInfo) nextObject).getNodeRef();
|
||||||
}
|
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
@@ -516,7 +521,12 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider,
|
|||||||
"The specified parameter is not a collection of NodeRefs or ChildAssociationRefs");
|
"The specified parameter is not a collection of NodeRefs or ChildAssociationRefs");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (log.isDebugEnabled())
|
||||||
|
{
|
||||||
|
log.debug("\t" + cad.typeString + " test on " + testNodeRef + " from " + nextObject.getClass().getName());
|
||||||
|
}
|
||||||
|
|
||||||
if (allowed
|
if (allowed
|
||||||
&& (testNodeRef != null)
|
&& (testNodeRef != null)
|
||||||
&& (permissionService.hasPermission(testNodeRef, cad.required.toString()) == AccessStatus.DENIED))
|
&& (permissionService.hasPermission(testNodeRef, cad.required.toString()) == AccessStatus.DENIED))
|
||||||
@@ -576,6 +586,10 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider,
|
|||||||
{
|
{
|
||||||
testNodeRef = ((ChildAssociationRef) current).getChildRef();
|
testNodeRef = ((ChildAssociationRef) current).getChildRef();
|
||||||
}
|
}
|
||||||
|
else if (FileInfo.class.isAssignableFrom(current.getClass()))
|
||||||
|
{
|
||||||
|
testNodeRef = ((FileInfo) current).getNodeRef();
|
||||||
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
throw new ACLEntryVoterException("The specified array is not of NodeRef or ChildAssociationRef");
|
throw new ACLEntryVoterException("The specified array is not of NodeRef or ChildAssociationRef");
|
||||||
@@ -596,12 +610,21 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider,
|
|||||||
{
|
{
|
||||||
testNodeRef = ((ChildAssociationRef) current).getParentRef();
|
testNodeRef = ((ChildAssociationRef) current).getParentRef();
|
||||||
}
|
}
|
||||||
|
else if (FileInfo.class.isAssignableFrom(current.getClass()))
|
||||||
|
{
|
||||||
|
testNodeRef = ((FileInfo) current).getNodeRef();
|
||||||
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
throw new ACLEntryVoterException("The specified array is not of NodeRef or ChildAssociationRef");
|
throw new ACLEntryVoterException("The specified array is not of NodeRef or ChildAssociationRef");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (log.isDebugEnabled())
|
||||||
|
{
|
||||||
|
log.debug("\t" + cad.typeString + " test on " + testNodeRef + " from " + current.getClass().getName());
|
||||||
|
}
|
||||||
|
|
||||||
if (incudedSet.get(i)
|
if (incudedSet.get(i)
|
||||||
&& (testNodeRef != null)
|
&& (testNodeRef != null)
|
||||||
&& (permissionService.hasPermission(testNodeRef, cad.required.toString()) == AccessStatus.DENIED))
|
&& (permissionService.hasPermission(testNodeRef, cad.required.toString()) == AccessStatus.DENIED))
|
||||||
|
|||||||
@@ -153,8 +153,8 @@ public class ACLEntryVoter implements AccessDecisionVoter, InitializingBean
|
|||||||
if ((attribute.getAttribute() != null)
|
if ((attribute.getAttribute() != null)
|
||||||
&& (attribute.getAttribute().startsWith(ACL_NODE)
|
&& (attribute.getAttribute().startsWith(ACL_NODE)
|
||||||
|| attribute.getAttribute().startsWith(ACL_PARENT)
|
|| attribute.getAttribute().startsWith(ACL_PARENT)
|
||||||
|| attribute.getAttribute().startsWith(ACL_ALLOW) || attribute.getAttribute().startsWith(
|
|| attribute.getAttribute().startsWith(ACL_ALLOW)
|
||||||
ACL_METHOD)))
|
|| attribute.getAttribute().startsWith(ACL_METHOD)))
|
||||||
{
|
{
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user