inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-07-31 17:39:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

RM-802: Errors if user doesn't have read and file permissions on root-node

Browse Source 
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/HEAD@54413 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Roy Wetherall
2013-08-23 01:43:11 +00:00
parent a2f61d5358
commit 4ba3d15af5
2 changed files with 52 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/RMAfterInvocationProvider.java
View File

@@ -744,7 +744,9 @@ public class RMAfterInvocationProvider extends RMSecurityCommon
continue; // Continue to next ConfigAttributeDefintion continue; // Continue to next ConfigAttributeDefintion
} }
if (allowed && (testNodeRef != null) && (checkRead(testNodeRef) != AccessDecisionVoter.ACCESS_GRANTED)) if (allowed &&
testNodeRef != null &&
checkRead(testNodeRef) != AccessDecisionVoter.ACCESS_GRANTED)
{ {
allowed = false; allowed = false;
break; // No point evaluating more ConfigAttributeDefintions break; // No point evaluating more ConfigAttributeDefintions

59
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/RMSecurityCommon.java
View File

@@ -24,6 +24,7 @@ import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.module.org_alfresco_module_rm.RecordsManagementService; import org.alfresco.module.org_alfresco_module_rm.RecordsManagementService;
import org.alfresco.module.org_alfresco_module_rm.caveat.RMCaveatConfigComponent; import org.alfresco.module.org_alfresco_module_rm.caveat.RMCaveatConfigComponent;
import org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService; import org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService;
import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel;
import org.alfresco.repo.security.authentication.AuthenticationUtil; import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.transaction.AlfrescoTransactionSupport; import org.alfresco.repo.transaction.AlfrescoTransactionSupport;
import org.alfresco.service.cmr.repository.AssociationRef; import org.alfresco.service.cmr.repository.AssociationRef;
@@ -36,6 +37,9 @@ import org.alfresco.service.cmr.security.PermissionService;
import org.aopalliance.intercept.MethodInvocation; import org.aopalliance.intercept.MethodInvocation;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.springframework.beans.BeansException;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
/** /**
* Common security functions. * Common security functions.
@@ -45,12 +49,17 @@ import org.apache.commons.logging.LogFactory;
* @author Roy Wetherall * @author Roy Wetherall
* @since 2.0 * @since 2.0
*/ */
public class RMSecurityCommon public class RMSecurityCommon implements ApplicationContextAware
{ {
/** No set value */
protected int NOSET_VALUE = -100; protected int NOSET_VALUE = -100;
/** Logger */
private static Log logger = LogFactory.getLog(RMSecurityCommon.class); private static Log logger = LogFactory.getLog(RMSecurityCommon.class);
/** Application Context */
private ApplicationContext applicationContext;
/** Services */ /** Services */
protected NodeService nodeService; protected NodeService nodeService;
protected PermissionService permissionService; protected PermissionService permissionService;
@@ -58,32 +67,57 @@ public class RMSecurityCommon
protected RMCaveatConfigComponent caveatConfigComponent; protected RMCaveatConfigComponent caveatConfigComponent;
protected FilePlanService filePlanService; protected FilePlanService filePlanService;
/**
* @param applicationContext application context
*/
@Override
public void setApplicationContext(ApplicationContext applicationContext) throws BeansException
{
this.applicationContext = applicationContext;
}
/**
* @param nodeService node service
*/
public void setNodeService(NodeService nodeService) public void setNodeService(NodeService nodeService)
{ {
this.nodeService = nodeService; this.nodeService = nodeService;
} }
/**
* @param permissionService permission service
*/
public void setPermissionService(PermissionService permissionService) public void setPermissionService(PermissionService permissionService)
{ {
this.permissionService = permissionService; this.permissionService = permissionService;
} }
/**
* @param rmService records management service
*/
public void setRecordsManagementService(RecordsManagementService rmService) public void setRecordsManagementService(RecordsManagementService rmService)
{ {
this.rmService = rmService; this.rmService = rmService;
} }
/**
* @param caveatConfigComponent caveat config service
*/
public void setCaveatConfigComponent(RMCaveatConfigComponent caveatConfigComponent) public void setCaveatConfigComponent(RMCaveatConfigComponent caveatConfigComponent)
{ {
this.caveatConfigComponent = caveatConfigComponent; this.caveatConfigComponent = caveatConfigComponent;
} }
/**
* @param filePlanService file plan service
*/
public void setFilePlanService(FilePlanService filePlanService) public void setFilePlanService(FilePlanService filePlanService)
{ {
this.filePlanService = filePlanService; this.filePlanService = filePlanService;
} }
/** /**
* Sets a value into the transaction cache
* *
* @param prefix * @param prefix
* @param nodeRef * @param nodeRef
@@ -98,6 +132,7 @@ public class RMSecurityCommon
} }
/** /**
* Gets a value from the transaction cache
* *
* @param prefix * @param prefix
* @param nodeRef * @param nodeRef
@@ -116,6 +151,7 @@ public class RMSecurityCommon
} }
/** /**
* Check for RM read
* *
* @param nodeRef * @param nodeRef
* @return * @return
@@ -133,6 +169,7 @@ public class RMSecurityCommon
} }
/** /**
* Check for RM read
* *
* @param nodeRef * @param nodeRef
* @param allowDMRead * @param allowDMRead
@@ -142,7 +179,9 @@ public class RMSecurityCommon
{ {
int result = AccessDecisionVoter.ACCESS_ABSTAIN; int result = AccessDecisionVoter.ACCESS_ABSTAIN;
if (filePlanService.isFilePlanComponent(nodeRef) == true) // use the internal node service to avoid duplication of method permission checks
NodeService internalNodeService = (NodeService)applicationContext.getBean("nodeService");
if (internalNodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT)== true)
{ {
result = checkRmRead(nodeRef); result = checkRmRead(nodeRef);
} }
@@ -185,14 +224,14 @@ public class RMSecurityCommon
NodeRef filePlan = filePlanService.getFilePlan(nodeRef); NodeRef filePlan = filePlanService.getFilePlan(nodeRef);
// Admin role // Admin role
if (permissionService.hasPermission(filePlan, RMPermissionModel.ROLE_ADMINISTRATOR) == AccessStatus.ALLOWED) //if (permissionService.hasPermission(filePlan, RMPermissionModel.ROLE_ADMINISTRATOR) == AccessStatus.ALLOWED)
{ //{
if (logger.isDebugEnabled()) // if (logger.isDebugEnabled())
{ // {
logger.debug("\t\tAdmin user, access granted. (nodeRef=" + nodeRef.toString() + ", user=" + AuthenticationUtil.getRunAsUser() + ")"); // logger.debug("\t\tAdmin user, access granted. (nodeRef=" + nodeRef.toString() + ", user=" + AuthenticationUtil.getRunAsUser() + ")");
} // }
return setTransactionCache("checkRmRead", nodeRef, AccessDecisionVoter.ACCESS_GRANTED); // return setTransactionCache("checkRmRead", nodeRef, AccessDecisionVoter.ACCESS_GRANTED);
} // }
if (permissionService.hasPermission(nodeRef, RMPermissionModel.READ_RECORDS) == AccessStatus.DENIED) if (permissionService.hasPermission(nodeRef, RMPermissionModel.READ_RECORDS) == AccessStatus.DENIED)
{ {